Re: [ovirt-users] Ip spoofing

2014-07-09 Thread Punit Dambiwal
Hi Jure, It's ok...but what about if user will spoof the ip on the eth0:0...then the mac address will be same as eth0 ?? how we can control this ?? Thanks, Punit D On Wed, Jul 9, 2014 at 3:38 PM, Jure Kranjc wrote: > Hi, > > I don't know if this is much help but here is our setup which wor

Re: [ovirt-users] Ip spoofing

2014-07-09 Thread Jure Kranjc
Hi, I don't know if this is much help but here is our setup which works in a way that users cannot spoof public IP from inside VM. We've set up a MAC pool range on engine and a DHCP server on one VM, this server assigns IPs according to VMs MACs. We u

Re: [ovirt-users] Ip spoofing

2014-07-08 Thread Punit Dambiwal
Hi Dan, If i use openstack neutron and integrate with ovirt...can it help to prevent the ip spoof ?? If yes...is there any good howto for install the neutron & integrate neutron with ovirt ?? Thanks, Punit On Wed, Jul 2, 2014 at 4:55 PM, Punit Dambiwal wrote: > Hi Dan, > > Even now i instal

Re: [ovirt-users] Ip spoofing

2014-07-02 Thread Punit Dambiwal
Hi Dan, I didn't understand about this,would you mind to more elaborate this :- - Remind me, does PYTHONPATH=/usr/share/vdsm /usr/libexec/vdsm/hooks/ before_device_create/50_noipspoof.py --test work for you? - I have this file in before_device_create

Re: [ovirt-users] Ip spoofing

2014-07-02 Thread Punit Dambiwal
Hi Dan, Even now i install the noipspoof on all the hosts...but still the same result...user can be spoof On Wed, Jul 2, 2014 at 4:44 PM, Dan Kenigsberg wrote: > On Wed, Jul 02, 2014 at 09:55:19AM +0800, Punit Dambiwal wrote: > > Hi Dan, > > > > I didn't understand about this,would you mind to

Re: [ovirt-users] Ip spoofing

2014-07-02 Thread Dan Kenigsberg
On Wed, Jul 02, 2014 at 09:55:19AM +0800, Punit Dambiwal wrote: > Hi Dan, > > I didn't understand about this,would you mind to more elaborate this :- > > - > Remind me, does > > PYTHONPATH=/usr/share/vdsm /usr/libexec/vdsm/hooks/ > before_device_create/50_noipspoof.py --t

Re: [ovirt-users] Ip spoofing

2014-06-30 Thread Dan Kenigsberg
On Mon, Jun 30, 2014 at 06:17:25PM +0800, Punit Dambiwal wrote: > Hi Dan, > > Yes...i already removed the macspoof...i have 3 hosts in the cluster...but > i have applied this hook on one server only..not all,but at the time of VM > deployment i assign the specific host for the VM,so that the VM s

Re: [ovirt-users] Ip spoofing

2014-06-30 Thread Punit Dambiwal
Hi Dan, Yes...i already removed the macspoof...i have 3 hosts in the cluster...but i have applied this hook on one server only..not all,but at the time of VM deployment i assign the specific host for the VM,so that the VM should deploy on the same host that has the hook. Do i need to install the

Re: [ovirt-users] Ip spoofing

2014-06-30 Thread Dan Kenigsberg
On Mon, Jun 30, 2014 at 10:11:21AM +0800, Punit Dambiwal wrote: > Hi Dan, > > I did the same as you suggested...please find the attached logs and > domainxml And now, the log does not mention any hook at all. Have you removed the macspoof hook which you had there before? How many hosts do you

Re: [ovirt-users] Ip spoofing

2014-06-27 Thread Dan Kenigsberg
On Fri, Jun 27, 2014 at 05:36:49PM +0800, Punit Dambiwal wrote: > Hi Dan, > > Please find the below :- > > [root@gfs1 ~]# su - vdsm -s /bin/bash > -bash-4.1$ cd /usr/share/vdsm; python -c 'import hooks;print > hooks._scriptsPerDir("before_device_create")' > ['/usr/libexec/vdsm/hooks/before_devic

Re: [ovirt-users] Ip spoofing

2014-06-27 Thread Sven Kieske
Well selinux is not your problem as you run it in permissive mode, this means selinux violations will get logged but not be forbidden. -- Mit freundlichen Grüßen / Regards Sven Kieske Systemadministrator Mittwald CM Service GmbH & Co. KG Königsberger Straße 6 32339 Espelkamp T: +49-5772-293-100

Re: [ovirt-users] Ip spoofing

2014-06-27 Thread Punit Dambiwal
Hi, I found below messages in the audit log :- [root@gfs1 ~]# grep "avc" /var/log/audit/audit.log type=AVC msg=audit(1403834461.442:266685): avc: denied { read } for pid=27958 comm="logrotate" name="core" dev=dm-0 ino=789758 scontext=system_u:system_r:log rota

Re: [ovirt-users] Ip spoofing

2014-06-27 Thread Sven Kieske
Well I doubt this is a solution to this, anyway, if you want to check if it's a permission error due to not correctly configured selinux you could do: grep "avc" /var/log/auditd/auditd.log and configure your selinux correctly, no need to disable it. But I doubt that the "VM can spoof the ip addr

Re: [ovirt-users] Ip spoofing

2014-06-27 Thread Punit Dambiwal
Hi Dan, Please find the below :- [root@gfs1 ~]# su - vdsm -s /bin/bash -bash-4.1$ cd /usr/share/vdsm; python -c 'import hooks;print hooks._scriptsPerDir("before_device_create")' ['/usr/libexec/vdsm/hooks/before_device_create/50_noipspoof'] -bash-4.1$ Antoni @ selinux already in the permissive m

Re: [ovirt-users] Ip spoofing

2014-06-27 Thread Dan Kenigsberg
On Fri, Jun 27, 2014 at 05:07:56PM +0800, Punit Dambiwal wrote: > Hi Dan, > > Still the same...VM can spoof the ip address...attached is the VM domain > xml file yep, the hook script did not come into action. > > > > > > > > >f

Re: [ovirt-users] Ip spoofing

2014-06-27 Thread Antoni Segura Puimedon
- Original Message - > From: "Punit Dambiwal" > To: "Antoni Segura Puimedon" , "Dan Kenigsberg" > > Cc: "Sven Kieske" , users@ovirt.org > Sent: Friday, June 27, 2014 11:07:56 AM > Subject: Re: [ovirt-users] Ip spoofing >

Re: [ovirt-users] Ip spoofing

2014-06-27 Thread Punit Dambiwal
; > To: users@ovirt.org >> > Sent: Thursday, June 26, 2014 9:12:31 AM >> > Subject: Re: [ovirt-users] Ip spoofing >> > >> > Well this is strange, and this should not be the reason >> > but can you attach a ".py" ending to the file names (may

Re: [ovirt-users] Ip spoofing

2014-06-26 Thread Punit Dambiwal
l Message - > > From: "Sven Kieske" > > To: users@ovirt.org > > Sent: Thursday, June 26, 2014 9:12:31 AM > > Subject: Re: [ovirt-users] Ip spoofing > > > > Well this is strange, and this should not be the reason > > but can you attach a ".py"

Re: [ovirt-users] Ip spoofing

2014-06-26 Thread Antoni Segura Puimedon
- Original Message - > From: "Sven Kieske" > To: users@ovirt.org > Sent: Thursday, June 26, 2014 9:12:31 AM > Subject: Re: [ovirt-users] Ip spoofing > > Well this is strange, and this should not be the reason > but can you attach a ".py" endi

Re: [ovirt-users] Ip spoofing

2014-06-26 Thread Sven Kieske
Well this is strange, and this should not be the reason but can you attach a ".py" ending to the file names (maybe vdsm performs some strange checks)? your permissions look good. the only other thing I can think of are selinux restrictions, can you check them with: #this gives you the actual used s

Re: [ovirt-users] Ip spoofing

2014-06-26 Thread Dan Kenigsberg
On Thu, Jun 26, 2014 at 12:22:23PM +0800, Punit Dambiwal wrote: > Hi Dan, > > The permission looks ok... > > > [root@gfs1 ~]# su - vdsm -s > /bin/bash > -bash-4.1$ ls -l /usr/libexec/vdsm/hooks/before_device_create > total 8 > -rwxr-xr-x. 1 root root 1702 Jun 10 05:25 50_macspoof > -rwxr-xr-x. 1

Re: [ovirt-users] Ip spoofing

2014-06-25 Thread Dan Kenigsberg
On Wed, Jun 25, 2014 at 06:03:50PM +0800, Punit Dambiwal wrote: > Hi Dan, > > Please find the attach logs. > > 1. vdsm.log (VM Creation) > 2. vdsm1.log (when add custom property) > 3. vdsm2.log (Start the VM) I see no reference there to /usr/libexec/vdsm/hooks/before_device_create (but other hoo

Re: [ovirt-users] Ip spoofing

2014-06-25 Thread Dan Kenigsberg
On Wed, Jun 25, 2014 at 10:16:12AM +0800, Punit Dambiwal wrote: > Hi Dan, > > I try the following way :- > > 1. I placed your script in the following location > :- /usr/libexec/vdsm/hooks/before_device_create/50_noipspoof & > /usr/libexec/vdsm/hooks/before_nic_hotplug/50_noipspoof > > 2. Then ru

Re: [ovirt-users] Ip spoofing

2014-06-25 Thread Sven Kieske
Here's a workaround: define one logical network per vm assign IPs to these networks from a central instance assign one broadcast domain per logical network. so in other words: do correct subnetting. if you got a router who can't get spoofed you should be fine. HTH Am 25.06.2014 04:16, schrieb P

Re: [ovirt-users] Ip spoofing

2014-06-24 Thread Dan Kenigsberg
On Tue, Jun 24, 2014 at 05:52:51PM +0800, Punit Dambiwal wrote: > Hi Den, > > Thanks for the updates...but still the user can spoof the another ip > address by manually edit the ifcfg-eth0:0 file > > Like if i assign the 10.0.0.5 ip address to one VM through cloud-int...once > the VM bootup u

Re: [ovirt-users] Ip spoofing

2014-06-24 Thread Sven Kieske
Am 24.06.2014 11:52, schrieb Punit Dambiwal: > Hi Den, > > Thanks for the updates...but still the user can spoof the another ip > address by manually edit the ifcfg-eth0:0 file > > Like if i assign the 10.0.0.5 ip address to one VM through cloud-int...once > the VM bootup user can login to

Re: [ovirt-users] Ip spoofing

2014-06-24 Thread Punit Dambiwal
Hi Den, Thanks for the updates...but still the user can spoof the another ip address by manually edit the ifcfg-eth0:0 file Like if i assign the 10.0.0.5 ip address to one VM through cloud-int...once the VM bootup user can login to VM and create another virtual ethernet device and add another

Re: [ovirt-users] Ip spoofing

2014-06-24 Thread Dan Kenigsberg
On Thu, Jun 19, 2014 at 12:34:51PM +0100, Dan Kenigsberg wrote: > On Thu, Jun 19, 2014 at 04:23:18PM +0800, Punit Dambiwal wrote: > > Hi, > > > > I have setup Ovirt with glusterfs...I have some concern about the network > > part > > > > 1. Is there any way to restrict the Guest VM...so that i

Re: [ovirt-users] Ip spoofing

2014-06-19 Thread Dan Kenigsberg
On Thu, Jun 19, 2014 at 04:23:18PM +0800, Punit Dambiwal wrote: > Hi, > > I have setup Ovirt with glusterfs...I have some concern about the network > part > > 1. Is there any way to restrict the Guest VM...so that it can be assign > with single ip address...and in anyhow the user can not mani

[ovirt-users] Ip spoofing

2014-06-19 Thread Punit Dambiwal
Hi, I have setup Ovirt with glusterfs...I have some concern about the network part 1. Is there any way to restrict the Guest VM...so that it can be assign with single ip address...and in anyhow the user can not manipulate the IP address from inside the VM (that means user can not change the i