Re: [one-users] CentOS 7 image from marketplace.

2015-02-26 Thread Madko
Similar problem here. It works better if you disable NetworkManager. The
vmcontext rpm used in this image is still using basic network service. You
are free to adapt it.

On Thu Feb 26 2015 at 13:19:09, Leszek Master keks...@gmail.com wrote:

 I've downloaded the CentOS 7 image from the marketplace and I noticed that there
 is a problem with contextualizing it. After I start a VM with this image it
 doesn't get contextualized at first boot time. After I manually run the
 init scripts everything works: it gives my network interfaces IP addresses and
 sets up my hostname, and even restarts my VM with the cloud-init config. But it's
 annoying that after I create my VM I need to log in to it using VNC and
 then contextualize it manually. Anyone had similar problems?
 ___
 Users mailing list
 Users@lists.opennebula.org
 http://lists.opennebula.org/listinfo.cgi/users-opennebula.org



Re: [one-users] wrong gateway detected by vm-context

2015-02-13 Thread Madko
I have found the solution. GATEWAY_IFACE must be set, but in upper case. I
don't know why. Any idea? If I put GATEWAY_IFACE=eth1 (eth1 is the real
name) it doesn't work, but GATEWAY_IFACE=ETH1 works...

On Fri Feb 13 2015 at 10:03:33, Madko madk...@gmail.com wrote:

 Hi,

 It seems vmcontext scripts try to guess the gateway IP as soon as any
 interface has a gateway set.

 Here is my case:
 one vm with eth0 to internal admin network, and eth1 to wan. Only eth1 has
 a gateway set.
 When the vmcontext init script starts, it finds out that there is a gateway
 (but on eth1), and so the is_gateway function on eth0 seems to return true.
 After that the gateway is guessed as NETWORK_ADDRESS.1, but I don't know
 why.

 here is my context:
 ETH0_IP='192.168.199.109'
 ETH0_MAC='02:00:c0:a8:c7:6d'
 ETH1_DNS='10.156.255.245'
 ETH1_GATEWAY='10.156.0.1'
 ETH1_IP='10.156.24.93'
 ETH1_MAC='02:00:0a:9c:18:5d'
 ETH1_MASK='255.255.224.0'
 ETH1_NETWORK='10.156.0.0'

 Here is the ifcfg-eth0 written by vmcontext init script:
 DEVICE=eth0
 BOOTPROTO=none
 ONBOOT=yes
 TYPE=Ethernet
 NETMASK=255.255.255.0
 IPADDR=192.168.199.109
 GATEWAY=192.168.199.1

 ifcfg-eth1 is good and has its gateway correctly set.

 Here is my vnet template where no gateway is set (same problem if I remove
 the empty GATEWAY key):
 VIRTUAL NETWORK TEMPLATE

 BRIDGE=br0
 DESCRIPTION=réseau admin vm
 GATEWAY=
 PHYDEV=
 ROLE=admin
 VLAN=YES
 VLAN_ID=199

 is it a bug?

 Attached here is the vmcontext network script log

 best regards,

 Edouard

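An added example, not part of the OpenNebula vmcontext scripts, showing how a contextualization script can avoid the gateway leak and the GATEWAY_IFACE case quirk described in this thread: each NIC's gateway comes only from its own ETHn_GATEWAY variable, and GATEWAY_IFACE is compared case-insensitively. The context values are the ones from the post, embedded as a constructed context; the 255.255.255.0 default netmask when ETHn_MASK is unset is an assumption.

```shell
#!/bin/sh
# Added example (not OpenNebula's vmcontext code): derive each NIC's gateway
# strictly from its own ETHn_GATEWAY, so a gateway set on eth1 never ends up
# in ifcfg-eth0, and accept GATEWAY_IFACE written as eth1 or ETH1.

load_context() {
    # Constructed from the context shown in the post.
    ETH0_IP='192.168.199.109'
    ETH0_MAC='02:00:c0:a8:c7:6d'
    ETH1_DNS='10.156.255.245'
    ETH1_GATEWAY='10.156.0.1'
    ETH1_IP='10.156.24.93'
    ETH1_MAC='02:00:0a:9c:18:5d'
    ETH1_MASK='255.255.224.0'
    ETH1_NETWORK='10.156.0.0'
    GATEWAY_IFACE='eth1'    # lower case, as first tried in the post
}

upper() { printf '%s' "$1" | tr 'a-z' 'A-Z'; }

# Value of ETHn_<KEY> for interface $1 (e.g. eth1); empty if unset.
ctx_get() {
    eval "printf '%s' \"\${$(upper "$1")_$2}\""
}

# Gateway for interface $1: only its own ETHn_GATEWAY counts. No guessing
# from NETWORK_ADDRESS.1 and no inheriting a gateway set on another NIC.
nic_gateway() {
    ctx_get "$1" GATEWAY
}

# Should this NIC carry the default route? Its own gateway must be set and,
# if GATEWAY_IFACE is given, it must name this NIC (case-insensitively, which
# removes the ETH1-versus-eth1 quirk found in the thread).
is_gateway_nic() {
    gw=$(nic_gateway "$1")
    [ -n "$gw" ] || return 1
    [ -z "$GATEWAY_IFACE" ] && return 0
    [ "$(upper "$GATEWAY_IFACE")" = "$(upper "$1")" ]
}

# Render ifcfg-<iface> to stdout; a GATEWAY= line only when appropriate.
# The 255.255.255.0 fallback netmask is an assumption for this example.
render_ifcfg() {
    iface=$1
    printf 'DEVICE=%s\nBOOTPROTO=none\nONBOOT=yes\nTYPE=Ethernet\n' "$iface"
    mask=$(ctx_get "$iface" MASK)
    printf 'NETMASK=%s\n' "${mask:-255.255.255.0}"
    printf 'IPADDR=%s\n' "$(ctx_get "$iface" IP)"
    if is_gateway_nic "$iface"; then
        printf 'GATEWAY=%s\n' "$(nic_gateway "$iface")"
    fi
}

load_context
render_ifcfg eth0
echo
render_ifcfg eth1
```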


[one-users] about firewall

2015-02-06 Thread Madko
Hi,

Is there any documentation about the ports and network traffic in use with
OpenNebula?

To go into production we need to have a firewall between our oned admin
server and the hypervisor nodes.
So I need to know if there is any network traffic to be initiated (state
NEW) from the hypervisor nodes to the oned admin server.
So far I found the UDP port 4124 for collectd, with metrics coming from
the hypervisors.

What is not clear is the tm driver. An ssh connection is opened from the
oned admin server to the hypervisors, to run the clone/cp/etc. actions. I
need to know if the hypervisor will, in those actions, initiate some SSH
connection back to the oned admin server (we are using the ssh, shared, and
lvm drivers). We want to block this kind of traffic (ssh to the oned admin
server from the nodes).

To sum up, here is what we know for sure:
oned 4124/udp <= nodes
oned => 22/tcp nodes

We need to know what traffic there is and who initiates it. I don't see anything
about it in the documentation. If anyone has this information that would be
of great help. Until then I will try to find it out myself by playing with
iptables.

Best regards
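As an added example (not from the OpenNebula documentation or code), one way to answer the question in the post on the oned server itself: allow only the two flows listed as known, log every other NEW connection a node initiates instead of silently dropping it, and summarise those log lines by source, protocol and port. The node address range 10.0.0.0/24 and the iptables LOG lines are constructed for the example.

```shell
#!/bin/sh
# Added example: node-facing iptables rules for the oned admin server, plus a
# summariser for the LOG lines they produce. Only the flows the post lists as
# known are allowed; anything else a node initiates is logged, then dropped,
# so undocumented traffic shows up in the log for review.

NODE_NET=10.0.0.0/24    # assumed hypervisor node range

# Print the rules rather than applying them, so this runs anywhere; on the
# oned server the output can be piped into sh (or turned into an
# iptables-restore file for production).
oned_firewall_rules() {
    cat <<EOF
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# known: node -> oned collectd metrics
iptables -A INPUT -s $NODE_NET -p udp --dport 4124 -j ACCEPT
# anything else a node initiates: log it, then drop it
iptables -A INPUT -s $NODE_NET -m conntrack --ctstate NEW -j LOG --log-prefix "ONED-NODE-NEW: "
iptables -A INPUT -s $NODE_NET -m conntrack --ctstate NEW -j DROP
# known: oned -> node ssh used by the tm/vmm drivers
iptables -A OUTPUT -d $NODE_NET -p tcp --dport 22 -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Read kernel log lines on stdin and print one "<src> <proto> <dport> <hits>"
# line per distinct node-initiated flow, most frequent first.
summarise_node_new() {
    grep 'ONED-NODE-NEW:' |
    sed -n 's/.*SRC=\([^ ]*\).*PROTO=\([^ ]*\).*DPT=\([0-9]*\).*/\1 \2 \3/p' |
    sort | uniq -c | sort -rn | awk '{print $2, $3, $4, $1}'
}

# Constructed sample log lines in iptables LOG format (not real traffic).
SAMPLE_LOG='Feb  6 10:01:02 oned kernel: ONED-NODE-NEW: IN=eth0 OUT= MAC=... SRC=10.0.0.11 DST=10.0.0.2 LEN=60 PROTO=TCP SPT=51234 DPT=22 WINDOW=29200 SYN
Feb  6 10:01:05 oned kernel: ONED-NODE-NEW: IN=eth0 OUT= MAC=... SRC=10.0.0.12 DST=10.0.0.2 LEN=60 PROTO=TCP SPT=51240 DPT=22 WINDOW=29200 SYN
Feb  6 10:02:10 oned kernel: ONED-NODE-NEW: IN=eth0 OUT= MAC=... SRC=10.0.0.11 DST=10.0.0.2 LEN=52 PROTO=TCP SPT=40000 DPT=9999 WINDOW=29200 SYN
Feb  6 10:02:11 oned kernel: ONED-NODE-NEW: IN=eth0 OUT= MAC=... SRC=10.0.0.11 DST=10.0.0.2 LEN=52 PROTO=TCP SPT=40001 DPT=9999 WINDOW=29200 SYN
Feb  6 10:02:12 oned kernel: some unrelated message'

oned_firewall_rules
echo
printf '%s\n' "$SAMPLE_LOG" | summarise_node_new
```

Once the summary shows a flow that really is needed, the matching ACCEPT rule goes above the LOG rule; the ssh-back-to-oned case from the post would appear as a DPT=22 entry.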


Re: [one-users] how to overload context for one specific vm in oneflow template

2015-01-23 Thread Madko
Sorry, I don't think it fits our use case.

We'd like to have 4 VMs:

1 VM with role LVS, no problem here, using an lvs VM template
3 VMs with role WEB, using a web VM template. I need to set explicitly
their hostnames, no digit allowed (let's say obfuscated-vm-name-a,
obfuscated-vm-name-b and obfuscated-vm-name-ab)

How do I set each hostname in the service template?

On Fri Jan 23 2015 at 12:11:07, Carlos Martín Sánchez
cmar...@opennebula.org wrote:

 Hi there,

 On Thu, Jan 22, 2015 at 2:18 PM, Madko madk...@gmail.com wrote:

 How do you set hostname to VMs inside roles when you can't use numeric
 hostname (ie hostname%i)?


 You can use the VM ID inside the context, the following works for me:
 CONTEXT = [ HOSTNAME = TEST_$VMID ]

 Or the VM name. This VM name can be changed with the vm_name_template option in
 oneflow-server.conf [1].
 CONTEXT = [ HOSTNAME = $NAME ]

 Does it fit your use case?

 Regards

 [1]
 http://docs.opennebula.org/4.10/advanced_administration/application_flow_and_auto-scaling/appflow_configure.html

 --
 Carlos Martín, MSc
 Project Engineer
 OpenNebula - Flexible Enterprise Cloud Made Simple
 www.OpenNebula.org | cmar...@opennebula.org | @OpenNebula
 http://twitter.com/opennebula cmar...@opennebula.org

 On Thu, Jan 22, 2015 at 2:18 PM, Madko madk...@gmail.com wrote:

 That's what we were doing until now; a service template with 10 or more VMs
 and therefore 10 or more roles (1:1 ratio) is not really convenient. But
 thanks for your suggestion. Maybe I'm missing something. Is it possible to
 change vm_template_contents to some sort of array? How do you set hostnames
 for VMs inside roles when you can't use numeric hostnames (i.e. hostname%i)?

 best regards

 On Thu Jan 22 2015 at 11:25:29, Carlos Martín Sánchez
 cmar...@opennebula.org wrote:

 Hi,

 On Wed, Jan 21, 2015 at 3:29 PM, Madko madk...@gmail.com wrote:

 Hi,

 is there a way to overload the vm_template_contents of only one
 specific VM in a role? I'd like to fix the hostnames.
 I only manage to overload the context of all the VMs in one role.

 best regards,


 Maybe you can create a new role with the same template, and cardinality
 1.
 Would that work for you?

 Regards
 --
 Carlos Martín, MSc
 Project Engineer
 OpenNebula - Flexible Enterprise Cloud Made Simple
 www.OpenNebula.org http://www.opennebula.org/ | cmar...@opennebula.org
  | @OpenNebula http://twitter.com/opennebula cmar...@opennebula.org






Re: [one-users] After upgrade to 4.10.2 unable to login using any users including oneadmin

2015-01-22 Thread Madko
done :)
http://dev.opennebula.org/issues/3520

On Wed Jan 21 2015 at 23:19:07, Jaime Melis jme...@opennebula.org
wrote:

 Can you open a feature request?

 On Wed, Jan 21, 2015 at 6:48 PM, Madko madk...@gmail.com wrote:

 Here is the documentation on this point:
 http://fedoraproject.org/wiki/Packaging:Guidelines#Configuration_files
 Should be great to have this on 4.12, thanks :)


 On Wed Jan 21 2015 at 17:53:42, Jaime Melis jme...@opennebula.org
 wrote:

 Hi Madko,

 I think we could do that for 4.12.

 Anyone else agrees with this? I'd like to get a bunch more +1s on this
 ;-)

 cheers,
 Jaime



 On Wed, Jan 21, 2015 at 5:13 PM, Madko madk...@gmail.com wrote:

 Hi,

 Had the same problem with conf files renamed to .rpmsave, and therefore
 opennebula was unable to start. Hopefully I saw this thread ;)

 Is it possible to change this behavior and have .rpmnew instead, to
 prevent breaking everything after an upgrade? %config(noreplace) in the
 spec file should do the trick, and it's a good practice.

 best regards

 On Mon Jan 19 2015 at 19:45:48, Jaime Melis jme...@opennebula.org
 wrote:

 Hi,

 as Joaquin mentioned the configuration files were replaced, so you
 simply need to restore them (merge the conf changes you did on the
 *.rpmsave files into the main files).

 However the files under /var/lib/one/.one should not be replaced
 automatically, I believe there was something in your manual procedure that
 removed those files.

 Anyways, to recover the files under /var/lib/one/.one you have to do
 as follows, as oneadmin:

 echo serveradmin:newpass > /var/lib/one/.one/sunstone_auth
 echo serveradmin:newpass > /var/lib/one/.one/occi_auth
 echo serveradmin:newpass > /var/lib/one/.one/ec2_auth
 echo serveradmin:newpass > /var/lib/one/.one/onegate_auth
 echo serveradmin:newpass > /var/lib/one/.one/oneflow_auth

 oneuser passwd --sha1 serveradmin newpass

 cheers,
 Jaime

 On Mon, Jan 19, 2015 at 12:01 PM, kiran ranjane 
 kiran.ranj...@gmail.com wrote:

 Hi Joaqui,

 I fixed it but in a different way. I did not have the .one folder
 backup, however I had another setup of opennebula and I copied sunstone_auth
 from that setup to the non-working setup, then retrieved the password from
 mysql (user_pool table) (Serveradmin user) from the working setup and inserted
 it into the non-working setup using the command oneuser passwd serveradmin
 encrypted-password-from-mysql, restarted one and sunstone and then I was
 able to login.

 The Serveradmin password is generated by OpenNebula. If I could have known
 the password then it would be much easier as I could have encoded the
 password using oneuser encode username password and saved it in
 sunstone_auth.

 Is there any other procedure if I do not have .one folder backup?

 Regards
 Kiran Ranjane

 On Sat, Jan 17, 2015 at 5:41 PM, Joaquin Villanueva 
 jvillanu...@acb.es wrote:

  Hi  Kiran,

 I missed the important files for auth failing: restore the
 /var/lib/one/.one auth files (one_auth, one_key, sunstone_auth, etc.) from
 your backup. It seems these files were also replaced by the package
 updates.

 Regards,

 Joaquin Villanueva


 On 17/01/15 at 04:52, kiran ranjane wrote:

Hi,

  I upgraded opennebula from 4.10.1 to 4.10.2 using ubuntu repo and
 after upgrade I am unable to login to any users.

  I tried running onedb fsck and I am getting the error: You need to specify
 the SQLite or MySQL connection options.

  Attached logs to this mail.

  Any idea how I can fix this issue?

  Regards
  Kiran Ranjane



Re: [one-users] how to overload context for one specific vm in oneflow template

2015-01-22 Thread Madko
That's what we were doing until now; a service template with 10 or more VMs
and therefore 10 or more roles (1:1 ratio) is not really convenient. But
thanks for your suggestion. Maybe I'm missing something. Is it possible to
change vm_template_contents to some sort of array? How do you set hostnames
for VMs inside roles when you can't use numeric hostnames (i.e. hostname%i)?

best regards



Re: [one-users] After upgrade to 4.10.2 unable to login using any users including oneadmin

2015-01-21 Thread Madko
Hi,

Had the same problem with conf files renamed to .rpmsave, and therefore
opennebula was unable to start. Hopefully I saw this thread ;)

Is it possible to change this behavior and have .rpmnew instead, to prevent
breaking everything after an upgrade? %config(noreplace) in the spec file
should do the trick, and it's a good practice.

best regards


[one-users] how to overload context for one specific vm in oneflow template

2015-01-21 Thread Madko
Hi,

is there a way to overload the vm_template_contents of only one specific VM
in a role? I'd like to fix the hostnames.
I only manage to overload the context of all the VMs in one role.

best regards,


Re: [one-users] After upgrade to 4.10.2 unable to login using any users including oneadmin

2015-01-21 Thread Madko
Here is the documentation on this point:
http://fedoraproject.org/wiki/Packaging:Guidelines#Configuration_files
Should be great to have this on 4.12, thanks :)



[one-users] ip not correctly freed in AR

2014-12-05 Thread Madko
Hi,

Here is my use case:
I have 2 groups (a and b) of VMs, 5 VMs in each group. Each group uses 3
vnets (admin, appli, data). Each vnet has its own VLAN_ID (openvswitch) but
can have the same AR.

The problem is that after deploying my VMs and deleting them, 2 IPs get
stuck in the leases. They are still marked as used and therefore I'm unable
to delete their related vnets. Could it be because these 2 IPs from 2
different VMs have the same MAC address AND the same IP address?

[oneadmin@pvidgsh101 oneflow]$ onevnet list
  ID USER     GROUP    NAME        CLUSTER  BRIDGE  LEASES
   0 oneadmin oneadmin admin       -        br0         32
   1 oneadmin oneadmin wan_fake    -        br0          0
   2 oneadmin oneadmin appli       -        br0          0
   3 oneadmin oneadmin data        -        br0          2
   4 oneadmin oneadmin projet_01   -        br0          2
 116 oneadmin oneadmin x0005.data  -        br0          1
 126 oneadmin oneadmin x0010.data  -        br0          1
 147 oneadmin oneadmin WAN         -        br0          0

[oneadmin@pvidgsh101 oneflow]$ onevnet show 126
...
LEASES

AR  OWNER      MAC                IP            IP6_GLOBAL
0   VM : 1147  02:00:c0:a8:02:12  192.168.2.18
...

[oneadmin@pvidgsh101 oneflow]$ onevm show 1147
VIRTUAL MACHINE 1147 INFORMATION

ID  : 1147
NAME: appli0.x0010
USER: oneadmin
GROUP   : oneadmin
STATE   : DONE
LCM_STATE   : LCM_INIT
RESCHED : No
START TIME  : 12/03 11:42:50
END TIME: 12/03 11:50:39
DEPLOY ID   : -
...
VM NICS

 ID NETWORK      VLAN BRIDGE   IP              MAC
  0 admin        yes  br0      192.168.199.3   02:00:c0:a8:c7:03
  1 x0010.appli  yes  br0      192.168.1.19    02:00:c0:a8:01:13
  2 x0010.data   yes  br0      192.168.2.18    02:00:c0:a8:02:12

[oneadmin@pvidgsh101 oneflow]$ onevnet delete 126
[VirtualNetworkDelete] Cannot delete virtual network. Can not remove a
virtual network with leases in use

I have the script to reproduce this use case. But I can't replay it because
I'd like to clean those vnets first. So I don't know yet if this situation
is reproducible.

Is there a way to force those IPs (192.168.2.18 from vnets 116 and 126) to be
freed? Or to force the deletion of the vnets (id 116 and 126)?

Best regards,


Re: [one-users] Network contextualization VM

2014-12-03 Thread Madko
I had a similar problem on CentOS 5, and perhaps 6 too. What do you
have in /dev/disk/by-label/
? Do you have the link to the cd iso labeled CONTEXT? Not sure it's the
same bug, here is a patch http://dev.opennebula.org/issues/3365

best regards

On Wed Dec 03 2014 at 15:02:08, Manuel Alfonso López Rourich
alfonso.lo...@cenits.es wrote:

 Good morning Jose Ángel,

 Thank you very much for your response.

 udev rules within the vm in /etc/udev/rules create eth0 or 1 depending on
 the MAC.

 In /dev/sr0 a file named context.sh contains the IP and the gw among other
 data but I don't understand why eth0 doesn't have the IP associated or the
 route table is empty.

 I've tried to run a command on vm boot which executes ifconfig eth0 IP
 and route add default gw dir. The problem is that on boot the directory
 containing context.sh is not mounted and I cannot access the
 contextualization data.

 I've also tried to execute a script in /etc/one-context.d/ but it doesn't
 seem to execute.

 Thank you very much,

 Best regards



 2014-12-02 15:18 GMT+01:00 Jose Angel Diaz joseangel.d...@cenatic.es:

 Hi Manuel

 Have you tested that udev is not conflicting with your context
 interfaces?

 After installing the context packages it's necessary to clean resolv.conf and
 delete some ifcfg-ethxx scripts on the system to make the context correctly
 change the info in the machine.

 Sometimes also the /etc/udev/rules.d/70-persistent-net.rules.

 To add some scripts to execute on the context stage you could add some
 scripts in the /etc/one-context.d dir with a correct sequential number and
 they could be launched inside the VM when it is starting.

 Hope it helps..






 2014-12-02 15:01 GMT+01:00 Manuel Alfonso López Rourich 
 alfonso.lo...@cenits.es:

 Good morning,

 I'd like to ask you a question about network contextualization of VMs.

 I have created a template with CentOS (in the Contextualization tab, Add
 network contextualization and Add SSH contextualization are enabled).

 After deploying a VM, I can see that there is a context.sh file with the
 content of some network parameters (ETH0_GATEWAY, etc.) but network is not
 configured correctly after the deployment of a vm (to fix it I have to
 execute (1) *ifconfig eth0 some_ip* and (2) *route add default gw*)

 How could I modify some script so that after booting a vm those commands
 are executed automatically?

 Thank you very much

 Best regards







 --
 Jose Angel Diaz Diaz

 Technology Coordinator
 CENATIC

 




Re: [one-users] blacklist ports with openvswitch

2014-11-27 Thread Madko
Ok now I understand what you meant by out_port in openflow. Maybe we have
to wait for conntrack support in OpenFlow. Because right now I don't see
how I could drop traffic to all tcp ports except some specified in the
WHITE_TCP_PORTS (that part works) without blocking all the outbound tcp
traffic from my VM or any tcp responses.

By the way I have found why the opennebula openflow rules are not working
here, that's because of the dl_vlan indicated in the drop rule. I guess
it's never matched because I'm using access ports and therefore my ethernet
frames are not tagged. I will check that to be sure.


2014-11-26 17:32 GMT+01:00 Madko madk...@gmail.com:

 2014-11-26 17:12 GMT+01:00 Jaime Melis jme...@opennebula.org:

 It would be great if we could figure out a way to provide this
 functionality for Open vSwitch. It is a top priority in OpenNebula's
 roadmap, so any ideas are very welcome!

 What do you mean by adapting OpenvSwitch.rb? What changes do you need in
 the short-term?


 Right now I'm trying to add white_ports support to block incoming traffic
 on the VM except for a few ports. I will certainly face the same conclusion
 as you. However it's just a good way for me to learn ruby (and OpenNebula).

 Thanks for your help


 On Wed, Nov 26, 2014 at 4:59 PM, Madko madk...@gmail.com wrote:

 Thanks Jaime for this explanation. Right now openflow is not really a
 top priority for us and OpenNebula 4.12 seems quite interesting. So we
 could wait for this release. We will certainly switch from OpenStack to
 OpenNebula because of all this mess they have done on the network stack
 (ovs => bridge => iptables + network namespace etc). Your Keep It Simple
 approach is very comforting. But we really need openvswitch support, so I
 will try to adapt OpenvSwitch.rb.

 2014-11-26 16:04 GMT+01:00 Jaime Melis jme...@opennebula.org:

 Hi,

 Unfortunately WHITE_PORTS_* is not supported for the Open vSwitch
 drivers (see here:
 http://docs.opennebula.org/4.10/administration/networking/openvswitch.html#network-filtering
 )

 We'd like very much to be able to provide this feature, but as far as
 we know there's no way to do this satisfactorily. There is nothing similar
 to 'in_port' but that matches the outgoing switch port, i.e. there's no
 'out_port'.

 We are currently re-evaluating this, because in OpenNebula 4.12 we're
 going to provide a new resource type: Security Groups, and you can define a
 lot of things: INBOUND, or OUTBOUND, protocol (TCP, UDP, ICMP, IPSEC)
 ICMP_TYPE, Port ranges,  and best of all, specific networks, so for example
 you can block out all the traffic to port 22 except if they're on the same
 network. And we can't do this for Open vSwitch. AFAIK OpenStack does this
 by sending the traffic to an ad-hoc linux bridge, running iptables rules on
 it, and sending it back to Open vSwitch. Which is something we would like
 to avoid at all costs!

 With regard to your first message, it's very strange, the rules look
 perfectly fine, not sure why it's not working...

 On Wed, Nov 26, 2014 at 3:53 PM, Madko madk...@gmail.com wrote:

 Hi,

 I also have tested WHITE_PORTS_TCP but it seems worse since I don't
 have any specific openflow rules:

  cookie=0x0, duration=819.774s, table=0, n_packets=0, n_bytes=0,
 idle_age=819, icmp,dl_vlan=199,dl_dst=02:00:c0:a8:c7:05 actions=drop
  cookie=0x0, duration=819.800s, table=0, n_packets=2, n_bytes=134,
 idle_age=798, priority=4,in_port=3,dl_src=02:00:c0:a8:c7:05
 actions=NORMAL
  cookie=0x0, duration=819.825s, table=0, n_packets=4, n_bytes=168,
 idle_age=806, priority=45000,arp,in_port=3,dl_src=02:00:c0:a8:c7:05
 actions=drop
  cookie=0x0, duration=2952.547s, table=0, n_packets=41, n_bytes=5323,
 idle_age=803, priority=0 actions=NORMAL
  cookie=0x0, duration=819.813s, table=0, n_packets=4, n_bytes=168,
 idle_age=803,
 priority=46000,arp,in_port=3,dl_src=02:00:c0:a8:c7:05,arp_spa=192.168.199.5
 actions=NORMAL
  cookie=0x0, duration=819.786s, table=0, n_packets=0, n_bytes=0,
 idle_age=819, priority=39000,in_port=3 actions=drop

 Only the icmp drop rule is added. Is it normal?

 Is there anyone here using OpenNebula with OpenVswitch?

 2014-11-21 9:33 GMT+01:00 Madko madk...@gmail.com:

 Hi,

 I'm using OpenNebula 4.10 on CentOS 7 and I'm trying to use some
 network filtering.
 I'm following the documentation found here:
 http://docs.opennebula.org/4.10/administration/networking/openvswitch.html#openvswitch

 Here is my VM network definition:
 NIC=[
   AR_ID=0,
   BLACK_PORTS_TCP=80,
   BRIDGE=br0,
   ICMP=drop,
   IP=192.168.2.50,
   MAC=02:00:c0:a8:02:32,
   NETWORK=LAN,
   NETWORK_ID=0,
   NETWORK_UNAME=oneadmin,
   NIC_ID=0,
   VLAN=YES,
   VLAN_ID=2 ]

 But on my hypervisor where this VM is running, here are the openflow
 rules:
 [root@node02 ~]# ovs-ofctl dump-flows br0
 NXST_FLOW reply (xid=0x4):
  cookie=0x0, duration=1893.122s, table=0, n_packets=0, n_bytes=0,
 idle_age=1893, icmp,dl_vlan=2,dl_dst=02:00:c0:a8:02:32 actions=drop
  cookie=0x0, duration

[one-users] problem when attaching volatile disks

2014-11-26 Thread Madko
Hi,

When I add a new disk to a running instance, I type raw (or anything else)
in the FS format, qcow2 in the driver field and choose vd as device prefix.

I then have an error that the disk.2 is not a qcow2 format. Qemu-img shows
that in fact it's a raw format image that has been created. So I retry
with a raw format and then it works. So how do we attach a disk in qcow2
format?

Moreover, if I choose read only, I still can write/format this disk in the
VM. Is it normal?


best regards,

-- 
Edouard Bourguignon
___
Users mailing list
Users@lists.opennebula.org
http://lists.opennebula.org/listinfo.cgi/users-opennebula.org


Re: [one-users] blacklist ports with openvswitch

2014-11-26 Thread Madko
Hi,

I also have tested WHITE_PORTS_TCP but it seems worse since I don't have
any specific openflow rules:

 cookie=0x0, duration=819.774s, table=0, n_packets=0, n_bytes=0,
idle_age=819, icmp,dl_vlan=199,dl_dst=02:00:c0:a8:c7:05 actions=drop
 cookie=0x0, duration=819.800s, table=0, n_packets=2, n_bytes=134,
idle_age=798, priority=4,in_port=3,dl_src=02:00:c0:a8:c7:05
actions=NORMAL
 cookie=0x0, duration=819.825s, table=0, n_packets=4, n_bytes=168,
idle_age=806, priority=45000,arp,in_port=3,dl_src=02:00:c0:a8:c7:05
actions=drop
 cookie=0x0, duration=2952.547s, table=0, n_packets=41, n_bytes=5323,
idle_age=803, priority=0 actions=NORMAL
 cookie=0x0, duration=819.813s, table=0, n_packets=4, n_bytes=168,
idle_age=803,
priority=46000,arp,in_port=3,dl_src=02:00:c0:a8:c7:05,arp_spa=192.168.199.5
actions=NORMAL
 cookie=0x0, duration=819.786s, table=0, n_packets=0, n_bytes=0,
idle_age=819, priority=39000,in_port=3 actions=drop

Only the icmp drop rule is added. Is it normal?

Is there anyone here using OpenNebula with OpenVswitch?

2014-11-21 9:33 GMT+01:00 Madko madk...@gmail.com:

 Hi,

 I'm using OpenNebula 4.10 on CentOS 7 and I'm trying to use some network
 filtering.
 I'm following the documentation found here:
 http://docs.opennebula.org/4.10/administration/networking/openvswitch.html#openvswitch

 Here is my VM network definition:
 NIC=[
   AR_ID=0,
   BLACK_PORTS_TCP=80,
   BRIDGE=br0,
   ICMP=drop,
   IP=192.168.2.50,
   MAC=02:00:c0:a8:02:32,
   NETWORK=LAN,
   NETWORK_ID=0,
   NETWORK_UNAME=oneadmin,
   NIC_ID=0,
   VLAN=YES,
   VLAN_ID=2 ]

 But on my hypervisor where this VM is running, here are the openflow
 rules:
 [root@node02 ~]# ovs-ofctl dump-flows br0
 NXST_FLOW reply (xid=0x4):
  cookie=0x0, duration=1893.122s, table=0, n_packets=0, n_bytes=0,
 idle_age=1893, icmp,dl_vlan=2,dl_dst=02:00:c0:a8:02:32 actions=drop
  cookie=0x0, duration=1893.173s, table=0, n_packets=6360, n_bytes=649693,
 idle_age=4, priority=4,in_port=3,dl_src=02:00:c0:a8:02:32 actions=NORMAL
  cookie=0x0, duration=4295.078s, table=0, n_packets=1444549,
 n_bytes=3534959110, idle_age=0, priority=0 actions=NORMAL
  cookie=0x0, duration=1893.208s, table=0, n_packets=2, n_bytes=84,
 idle_age=1870, priority=45000,arp,in_port=3,dl_src=02:00:c0:a8:02:32
 actions=drop
  cookie=0x0, duration=1893.189s, table=0, n_packets=11, n_bytes=462,
 idle_age=559,
 priority=46000,arp,in_port=3,dl_src=02:00:c0:a8:02:32,arp_spa=192.168.2.50
 actions=NORMAL
  cookie=0x0, duration=1893.139s, table=0, n_packets=0, n_bytes=0,
 idle_age=1893, tcp,dl_vlan=2,dl_dst=02:00:c0:a8:02:32,tp_dst=80 actions=drop
  cookie=0x0, duration=1893.156s, table=0, n_packets=0, n_bytes=0,
 idle_age=1893, priority=39000,in_port=3 actions=drop

 is it correct? I can see the relevant rule here:
  cookie=0x0, duration=1893.139s, table=0, n_packets=0, n_bytes=0,
 idle_age=1893, tcp,dl_vlan=2,dl_dst=02:00:c0:a8:02:32,tp_dst=80 actions=drop
 but packets never pass thru this rule (n_packets=0), and port 80 is not
 blocked.

 ➜  ~  curl -s http://192.168.2.50 -o /dev/null && echo success
 success

 If anyone can help :)
 what am I missing?

 Best regards


 --
 Edouard Bourguignon




-- 
Edouard Bourguignon


Re: [one-users] blacklist ports with openvswitch

2014-11-26 Thread Madko
Thanks Jaime for this explanation. Right now openflow is not really a top
priority for us and OpenNebula 4.12 seems quite interesting. So we could
wait for this release. We will certainly switch from OpenStack to
OpenNebula because of all this mess they have done on the network stack
(ovs = bridge = iptables + network namespace etc). Your Keep It Simple
approach is very comforting. But we really need openvswitch support, so I
will try to adapt OpenvSwitch.rb.

2014-11-26 16:04 GMT+01:00 Jaime Melis jme...@opennebula.org:

 Hi,

 Unfortunately WHITE_PORTS_* is not supported for the Open vSwitch drivers
 (see here:
 http://docs.opennebula.org/4.10/administration/networking/openvswitch.html#network-filtering
 )

 We'd like very much to be able to provide this feature, but as far as we
 know there's no way to do this satisfactorily. There is nothing similar to
 'in_port' but that matches the outgoing switch port, i.e. there's no
 'out_port'.

 We are currently re-evaluating this, because in OpenNebula 4.12 we're
 going to provide a new resource type: Security Groups, and you can define a
 lot of things: INBOUND, or OUTBOUND, protocol (TCP, UDP, ICMP, IPSEC)
 ICMP_TYPE, Port ranges,  and best of all, specific networks, so for example
 you can block out all the traffic to port 22 except if they're on the same
 network. And we can't do this for Open vSwitch. AFAIK OpenStack does this
 by sending the traffic to an ad-hoc linux bridge, running iptables rules on
 it, and sending it back to Open vSwitch. Which is something we would like
 to avoid at all costs!

 With regard to your first message, it's very strange, the rules look
 perfectly fine, not sure why it's not working...

 On Wed, Nov 26, 2014 at 3:53 PM, Madko madk...@gmail.com wrote:

 Hi,

 I also have tested WHITE_PORTS_TCP but it seems worse since I don't have
 any specific openflow rules:

  cookie=0x0, duration=819.774s, table=0, n_packets=0, n_bytes=0,
 idle_age=819, icmp,dl_vlan=199,dl_dst=02:00:c0:a8:c7:05 actions=drop
  cookie=0x0, duration=819.800s, table=0, n_packets=2, n_bytes=134,
 idle_age=798, priority=4,in_port=3,dl_src=02:00:c0:a8:c7:05
 actions=NORMAL
  cookie=0x0, duration=819.825s, table=0, n_packets=4, n_bytes=168,
 idle_age=806, priority=45000,arp,in_port=3,dl_src=02:00:c0:a8:c7:05
 actions=drop
  cookie=0x0, duration=2952.547s, table=0, n_packets=41, n_bytes=5323,
 idle_age=803, priority=0 actions=NORMAL
  cookie=0x0, duration=819.813s, table=0, n_packets=4, n_bytes=168,
 idle_age=803,
 priority=46000,arp,in_port=3,dl_src=02:00:c0:a8:c7:05,arp_spa=192.168.199.5
 actions=NORMAL
  cookie=0x0, duration=819.786s, table=0, n_packets=0, n_bytes=0,
 idle_age=819, priority=39000,in_port=3 actions=drop

 Only the icmp drop rule is added. Is it normal?

 Is there anyone here using OpenNebula with OpenVswitch?

 2014-11-21 9:33 GMT+01:00 Madko madk...@gmail.com:

 Hi,

 I'm using OpenNebula 4.10 on CentOS 7 and I'm trying to use some network
 filtering.
 I'm following the documentation found here:
 http://docs.opennebula.org/4.10/administration/networking/openvswitch.html#openvswitch

 Here is my VM network definition:
 NIC=[
   AR_ID=0,
   BLACK_PORTS_TCP=80,
   BRIDGE=br0,
   ICMP=drop,
   IP=192.168.2.50,
   MAC=02:00:c0:a8:02:32,
   NETWORK=LAN,
   NETWORK_ID=0,
   NETWORK_UNAME=oneadmin,
   NIC_ID=0,
   VLAN=YES,
   VLAN_ID=2 ]

 But on my hypervisor where this VM is running, here are the openflow
 rules:
 [root@node02 ~]# ovs-ofctl dump-flows br0
 NXST_FLOW reply (xid=0x4):
  cookie=0x0, duration=1893.122s, table=0, n_packets=0, n_bytes=0,
 idle_age=1893, icmp,dl_vlan=2,dl_dst=02:00:c0:a8:02:32 actions=drop
  cookie=0x0, duration=1893.173s, table=0, n_packets=6360,
 n_bytes=649693, idle_age=4,
 priority=4,in_port=3,dl_src=02:00:c0:a8:02:32 actions=NORMAL
  cookie=0x0, duration=4295.078s, table=0, n_packets=1444549,
 n_bytes=3534959110, idle_age=0, priority=0 actions=NORMAL
  cookie=0x0, duration=1893.208s, table=0, n_packets=2, n_bytes=84,
 idle_age=1870, priority=45000,arp,in_port=3,dl_src=02:00:c0:a8:02:32
 actions=drop
  cookie=0x0, duration=1893.189s, table=0, n_packets=11, n_bytes=462,
 idle_age=559,
 priority=46000,arp,in_port=3,dl_src=02:00:c0:a8:02:32,arp_spa=192.168.2.50
 actions=NORMAL
  cookie=0x0, duration=1893.139s, table=0, n_packets=0, n_bytes=0,
 idle_age=1893, tcp,dl_vlan=2,dl_dst=02:00:c0:a8:02:32,tp_dst=80 actions=drop
  cookie=0x0, duration=1893.156s, table=0, n_packets=0, n_bytes=0,
 idle_age=1893, priority=39000,in_port=3 actions=drop

 is it correct? I can see the relevant rule here:
  cookie=0x0, duration=1893.139s, table=0, n_packets=0, n_bytes=0,
 idle_age=1893, tcp,dl_vlan=2,dl_dst=02:00:c0:a8:02:32,tp_dst=80 actions=drop
 but packets never pass thru this rule (n_packets=0), and port 80 is not
 blocked.

 ➜  ~  curl -s http://192.168.2.50 -o /dev/null && echo success
 success

 If anyone can help :)
 what am I missing?

 Best regards


 --
 Edouard Bourguignon




 --
 Edouard Bourguignon

Re: [one-users] problem when attaching volatile disks

2014-11-26 Thread Madko
I will try that. Do you know what the distinction between FS Format and
Driver is? FS Format is the actual format on the datastore passed to qemu-img
create? And driver is the part that goes in the domain xml?

2014-11-26 16:06 GMT+01:00 Jaime Melis jmelis@opennebula.systems:

 You would need:
 - FS format: qcow2
 - Driver: qcow2
 - Device prefix: vd

 On Wed, Nov 26, 2014 at 3:35 PM, Madko madk...@gmail.com wrote:

 Hi,

 When I add a new disk to a running instance, I type raw (or anything
 else) in the FS format, qcow2 in the driver field and choose vd as device
 prefix.

 I then have an error that the disk.2 is not a qcow2 format. Qemu-img
 shows that in fact it's a raw format image that has been created. So I
 retry with a raw format and then it works. So how do we attach a disk in
 qcow2 format?

 Moreover, if I choose read only, I still can write/format this disk in
 the VM. Is it normal?


 best regards,

 --
 Edouard Bourguignon





 --
 OpenNebula - Flexible Enterprise Cloud Made Simple
 --
 Jaime Melis
 Senior Infrastructure Architect at OpenNebula Systems (formerly C12G Labs)
 jmelis@opennebula.systems | @OpenNebula
 --
 Confidentiality Warning: The information contained in this e-mail and any
 accompanying documents, unless otherwise expressly indicated, is
 confidential and privileged, and is intended solely for the person and/or
 entity to whom it is addressed (i.e. those identified in the To and cc
 box). They are the property of OpenNebula.Systems S.L.. Unauthorized
 distribution, review, use, disclosure, or copying of this communication, or
 any part thereof, is strictly prohibited and may be unlawful. If you have
 received this e-mail in error, please notify us immediately by e-mail at
 abuse@opennebula.systems and delete the e-mail and attachments and any
 copy from your system. OpenNebula's thanks you for your cooperation.




-- 
Edouard Bourguignon


Re: [one-users] blacklist ports with openvswitch

2014-11-26 Thread Madko
2014-11-26 17:12 GMT+01:00 Jaime Melis jme...@opennebula.org:

 It would be great if we could figure out a way to provide this
 functionality for Open vSwitch. It is a top priority in OpenNebula's
 roadmap, so any ideas are very welcome!

 What do you mean by adapting OpenvSwitch.rb? What changes do you need in
 the short-term?


Right now I'm trying to add white_ports support to block incoming traffic
on the VM except for a few ports. I will certainly face the same conclusion
as you. However it's just a good way for me to learn ruby (and OpenNebula).

Thanks for your help


 On Wed, Nov 26, 2014 at 4:59 PM, Madko madk...@gmail.com wrote:

 Thanks Jaime for this explanation. Right now openflow is not really a
 top priority for us and OpenNebula 4.12 seems quite interesting. So we
 could wait for this release. We will certainly switch from OpenStack to
 OpenNebula because of all this mess they have done on the network stack
 (ovs = bridge = iptables + network namespace etc). Your Keep It Simple
 approach is very comforting. But we really need openvswitch support, so I
 will try to adapt OpenvSwitch.rb.

 2014-11-26 16:04 GMT+01:00 Jaime Melis jme...@opennebula.org:

 Hi,

 Unfortunately WHITE_PORTS_* is not supported for the Open vSwitch
 drivers (see here:
 http://docs.opennebula.org/4.10/administration/networking/openvswitch.html#network-filtering
 )

 We'd like very much to be able to provide this feature, but as far as we
 know there's no way to do this satisfactorily. There is nothing similar to
 'in_port' but that matches the outgoing switch port, i.e. there's no
 'out_port'.

 We are currently re-evaluating this, because in OpenNebula 4.12 we're
 going to provide a new resource type: Security Groups, and you can define a
 lot of things: INBOUND, or OUTBOUND, protocol (TCP, UDP, ICMP, IPSEC)
 ICMP_TYPE, Port ranges,  and best of all, specific networks, so for example
 you can block out all the traffic to port 22 except if they're on the same
 network. And we can't do this for Open vSwitch. AFAIK OpenStack does this
 by sending the traffic to an ad-hoc linux bridge, running iptables rules on
 it, and sending it back to Open vSwitch. Which is something we would like
 to avoid at all costs!

 With regard to your first message, it's very strange, the rules look
 perfectly fine, not sure why it's not working...

 On Wed, Nov 26, 2014 at 3:53 PM, Madko madk...@gmail.com wrote:

 Hi,

 I also have tested WHITE_PORTS_TCP but it seems worse since I don't
 have any specific openflow rules:

  cookie=0x0, duration=819.774s, table=0, n_packets=0, n_bytes=0,
 idle_age=819, icmp,dl_vlan=199,dl_dst=02:00:c0:a8:c7:05 actions=drop
  cookie=0x0, duration=819.800s, table=0, n_packets=2, n_bytes=134,
 idle_age=798, priority=4,in_port=3,dl_src=02:00:c0:a8:c7:05
 actions=NORMAL
  cookie=0x0, duration=819.825s, table=0, n_packets=4, n_bytes=168,
 idle_age=806, priority=45000,arp,in_port=3,dl_src=02:00:c0:a8:c7:05
 actions=drop
  cookie=0x0, duration=2952.547s, table=0, n_packets=41, n_bytes=5323,
 idle_age=803, priority=0 actions=NORMAL
  cookie=0x0, duration=819.813s, table=0, n_packets=4, n_bytes=168,
 idle_age=803,
 priority=46000,arp,in_port=3,dl_src=02:00:c0:a8:c7:05,arp_spa=192.168.199.5
 actions=NORMAL
  cookie=0x0, duration=819.786s, table=0, n_packets=0, n_bytes=0,
 idle_age=819, priority=39000,in_port=3 actions=drop

 Only the icmp drop rule is added. Is it normal?

 Is there anyone here using OpenNebula with OpenVswitch?

 2014-11-21 9:33 GMT+01:00 Madko madk...@gmail.com:

 Hi,

 I'm using OpenNebula 4.10 on CentOS 7 and I'm trying to use some
 network filtering.
 I'm following the documentation found here:
 http://docs.opennebula.org/4.10/administration/networking/openvswitch.html#openvswitch

 Here is my VM network definition:
 NIC=[
   AR_ID=0,
   BLACK_PORTS_TCP=80,
   BRIDGE=br0,
   ICMP=drop,
   IP=192.168.2.50,
   MAC=02:00:c0:a8:02:32,
   NETWORK=LAN,
   NETWORK_ID=0,
   NETWORK_UNAME=oneadmin,
   NIC_ID=0,
   VLAN=YES,
   VLAN_ID=2 ]

 But on my hypervisor where this VM is running, here are the openflow
 rules:
 [root@node02 ~]# ovs-ofctl dump-flows br0
 NXST_FLOW reply (xid=0x4):
  cookie=0x0, duration=1893.122s, table=0, n_packets=0, n_bytes=0,
 idle_age=1893, icmp,dl_vlan=2,dl_dst=02:00:c0:a8:02:32 actions=drop
  cookie=0x0, duration=1893.173s, table=0, n_packets=6360,
 n_bytes=649693, idle_age=4,
 priority=4,in_port=3,dl_src=02:00:c0:a8:02:32 actions=NORMAL
  cookie=0x0, duration=4295.078s, table=0, n_packets=1444549,
 n_bytes=3534959110, idle_age=0, priority=0 actions=NORMAL
  cookie=0x0, duration=1893.208s, table=0, n_packets=2, n_bytes=84,
 idle_age=1870, priority=45000,arp,in_port=3,dl_src=02:00:c0:a8:02:32
 actions=drop
  cookie=0x0, duration=1893.189s, table=0, n_packets=11, n_bytes=462,
 idle_age=559,
 priority=46000,arp,in_port=3,dl_src=02:00:c0:a8:02:32,arp_spa=192.168.2.50
 actions=NORMAL
  cookie=0x0, duration=1893.139s, table=0, n_packets=0, n_bytes=0,
 idle_age=1893, tcp

[one-users] blacklist ports with openvswitch

2014-11-21 Thread Madko
Hi,

I'm using OpenNebula 4.10 on CentOS 7 and I'm trying to use some network
filtering.
I'm following the documentation found here:
http://docs.opennebula.org/4.10/administration/networking/openvswitch.html#openvswitch

Here is my VM network definition:
NIC=[
  AR_ID=0,
  BLACK_PORTS_TCP=80,
  BRIDGE=br0,
  ICMP=drop,
  IP=192.168.2.50,
  MAC=02:00:c0:a8:02:32,
  NETWORK=LAN,
  NETWORK_ID=0,
  NETWORK_UNAME=oneadmin,
  NIC_ID=0,
  VLAN=YES,
  VLAN_ID=2 ]

But on my hypervisor where this VM is running, here are the openflow rules:
[root@node02 ~]# ovs-ofctl dump-flows br0
NXST_FLOW reply (xid=0x4):
 cookie=0x0, duration=1893.122s, table=0, n_packets=0, n_bytes=0,
idle_age=1893, icmp,dl_vlan=2,dl_dst=02:00:c0:a8:02:32 actions=drop
 cookie=0x0, duration=1893.173s, table=0, n_packets=6360, n_bytes=649693,
idle_age=4, priority=4,in_port=3,dl_src=02:00:c0:a8:02:32 actions=NORMAL
 cookie=0x0, duration=4295.078s, table=0, n_packets=1444549,
n_bytes=3534959110, idle_age=0, priority=0 actions=NORMAL
 cookie=0x0, duration=1893.208s, table=0, n_packets=2, n_bytes=84,
idle_age=1870, priority=45000,arp,in_port=3,dl_src=02:00:c0:a8:02:32
actions=drop
 cookie=0x0, duration=1893.189s, table=0, n_packets=11, n_bytes=462,
idle_age=559,
priority=46000,arp,in_port=3,dl_src=02:00:c0:a8:02:32,arp_spa=192.168.2.50
actions=NORMAL
 cookie=0x0, duration=1893.139s, table=0, n_packets=0, n_bytes=0,
idle_age=1893, tcp,dl_vlan=2,dl_dst=02:00:c0:a8:02:32,tp_dst=80 actions=drop
 cookie=0x0, duration=1893.156s, table=0, n_packets=0, n_bytes=0,
idle_age=1893, priority=39000,in_port=3 actions=drop

is it correct? I can see the relevant rule here:
 cookie=0x0, duration=1893.139s, table=0, n_packets=0, n_bytes=0,
idle_age=1893, tcp,dl_vlan=2,dl_dst=02:00:c0:a8:02:32,tp_dst=80 actions=drop
but packets never pass thru this rule (n_packets=0), and port 80 is not
blocked.

➜  ~  curl -s http://192.168.2.50 -o /dev/null && echo success
success

If anyone can help :)
what am I missing?

Best regards


-- 
Edouard Bourguignon
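As an added example (not code from this thread nor from OpenNebula's OVS driver), a small Ruby checker that parses `ovs-ofctl dump-flows` output like the dump above and reports, for each drop rule the NIC attributes (ICMP=drop, BLACK_PORTS_TCP) call for, whether the flow is installed and how many packets it has matched, so the "installed but n_packets=0" symptom described in the post is visible at a glance. The dump and NIC values embedded below are constructed from the post.

```ruby
# Added example, not OpenNebula's own code: parse `ovs-ofctl dump-flows br0`
# output and check that the drop rules implied by a NIC definition are present
# and have actually matched traffic (n_packets > 0).

# Constructed sample: a subset of the dump posted in the thread.
SAMPLE_DUMP = <<~DUMP
  NXST_FLOW reply (xid=0x4):
   cookie=0x0, duration=1893.122s, table=0, n_packets=0, n_bytes=0, idle_age=1893, icmp,dl_vlan=2,dl_dst=02:00:c0:a8:02:32 actions=drop
   cookie=0x0, duration=1893.173s, table=0, n_packets=6360, n_bytes=649693, idle_age=4, priority=4,in_port=3,dl_src=02:00:c0:a8:02:32 actions=NORMAL
   cookie=0x0, duration=4295.078s, table=0, n_packets=1444549, n_bytes=3534959110, idle_age=0, priority=0 actions=NORMAL
   cookie=0x0, duration=1893.139s, table=0, n_packets=0, n_bytes=0, idle_age=1893, tcp,dl_vlan=2,dl_dst=02:00:c0:a8:02:32,tp_dst=80 actions=drop
   cookie=0x0, duration=1893.156s, table=0, n_packets=0, n_bytes=0, idle_age=1893, priority=39000,in_port=3 actions=drop
DUMP

# Constructed sample: the NIC attributes from the VM template in the post.
SAMPLE_NIC = { 'MAC' => '02:00:c0:a8:02:32', 'VLAN_ID' => '2',
               'ICMP' => 'drop', 'BLACK_PORTS_TCP' => '80' }

# Turn one dump line into a hash of match fields plus 'actions' and
# 'n_packets'. Bare tokens such as "tcp", "icmp" or "arp" are stored under
# 'proto'. Returns nil for lines that are not flows (e.g. the NXST_FLOW header).
def parse_flow(line)
  match_part, actions = line.strip.split(' actions=', 2)
  return nil unless actions
  flow = { 'actions' => actions }
  match_part.split(/,\s*/).each do |tok|
    k, v = tok.split('=', 2)
    if v then flow[k] = v else flow['proto'] = k end
  end
  flow['n_packets'] = flow['n_packets'].to_i
  flow
end

def parse_dump(text)
  text.lines.map { |l| parse_flow(l) }.compact
end

# Build the drop rules the thread's dump shows the driver installing for a NIC
# (one for ICMP=drop, one per BLACK_PORTS_TCP port), keyed by the match fields
# the flow must carry.
def expected_rules(nic)
  base = { 'dl_vlan' => nic['VLAN_ID'], 'dl_dst' => nic['MAC'], 'actions' => 'drop' }
  rules = []
  rules << base.merge('proto' => 'icmp') if nic['ICMP'] == 'drop'
  nic.fetch('BLACK_PORTS_TCP', '').split(',').map(&:strip).reject(&:empty?).each do |port|
    rules << base.merge('proto' => 'tcp', 'tp_dst' => port)
  end
  rules
end

# For each expected rule, report whether a flow matching all its fields exists
# and how many packets it has matched; a rule that is installed but has never
# hit shows up with 'n_packets' => 0, a missing rule with 'installed' => false.
def check_filters(dump_text, nic)
  flows = parse_dump(dump_text)
  expected_rules(nic).map do |rule|
    hit = flows.find { |f| rule.all? { |k, v| f[k] == v } }
    name = rule['tp_dst'] ? "tcp/#{rule['tp_dst']} drop" : "#{rule['proto']} drop"
    { 'rule' => name, 'installed' => !hit.nil?, 'n_packets' => hit && hit['n_packets'] }
  end
end

if __FILE__ == $0
  check_filters(SAMPLE_DUMP, SAMPLE_NIC).each do |r|
    state = r['installed'] ? "installed, #{r['n_packets']} packets matched" : 'MISSING'
    puts "#{r['rule']}: #{state}"
  end
end
```

Run it against a live dump with `ovs-ofctl dump-flows br0 | ruby check_flows.rb` adapted to read STDIN; a rule that stays at 0 packets while the blocked port still answers means the traffic is matching some other flow in the table.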