On Thu, Jun 19, 2014 at 12:34:51PM +0100, Dan Kenigsberg wrote:
> On Thu, Jun 19, 2014 at 04:23:18PM +0800, Punit Dambiwal wrote:
> > Hi,
> >
> > I have setup Ovirt with glusterfs...I have some concern about the network
> > part....
> >
> > 1. Is there any way to restrict the Guest VM...so that it can be assign
> > with single ip address...and in anyhow the user can not manipulate the IP
> > address from inside the VM (that means user can not change the ip address
> > inside the VM).
>
> I am afraid that oVirt does not let you do that out-of-the-box. By
> default, the vdsm-no-mac-spoofing filter is applied to vNICs, which
> indeed allows IP spoofing.
>
> This behavior can be changed by writing a vdsm hook that changes the
> default filterref to
>
>     <filterref filter='clean-traffic'>
>         <parameter name='CTRL_IP_LEARNING' value='dhcp'/>
>     </filterref>
>
> If your VM is assigned with its address not via dhcp, life is more
> complicated, since the hook needs to have access to this address before
> boot.
>
> I would love to assist you in writing such a hook; please take the
> vmfex_dev hook as a reference. To read more about vdsm hooks, please see
> http://www.ovirt.org/Vdsm_Hooks .

I've posted a hook like that to http://gerrit.ovirt.org/#/c/29093/1

Maybe you can try it out, by placing
http://gerrit.ovirt.org/#/c/29093/1/vdsm_hooks/noipspoof/noipspoof.py
on your /usr/libexec/vdsm/hooks/before_device_create on each of your
hosts, and setting a custom property named "noipspoof" to a list of
valid IP addresses.

Please report if it does what it should.

It would obviously be nicer if we integrate this with cloud-init, so
that each VM would have its list of valid addresses defined once. Care
to open an RFE?

Regards,
Dan.
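The filterref rewrite discussed in this thread, for the static-address case, as an added sketch that is not part of the original message and is not the noipspoof.py posted to gerrit. It works on a constructed `<interface>` string so it runs outside vdsm; the function names and the comma-separated format of the property value are assumptions, while `IP` is the standard variable libvirt's clean-traffic filter reads.

```python
import ipaddress
import xml.dom.minidom

# Constructed sample of the NIC device XML such a hook would be handed.
SAMPLE_NIC_XML = """<interface type='bridge'>
  <mac address='00:1a:4a:16:01:51'/>
  <source bridge='ovirtmgmt'/>
  <model type='virtio'/>
  <filterref filter='vdsm-no-mac-spoofing'/>
</interface>"""


def parse_allowed_ips(prop):
    """Validate the property value (assumed format: comma-separated IPv4)."""
    ips = []
    for item in prop.split(','):
        # ip_address() raises ValueError on anything that is not an address,
        # including the empty string, so a bad property never reaches libvirt.
        addr = ipaddress.ip_address(item.strip())
        if addr.version != 4:
            raise ValueError('this sketch only handles IPv4: %s' % addr)
        ips.append(str(addr))
    return ips


def pin_ips(nic_xml, prop):
    """Return the NIC XML with its filterref replaced by clean-traffic,
    carrying one IP parameter per allowed address."""
    ips = parse_allowed_ips(prop)
    dom = xml.dom.minidom.parseString(nic_xml)
    iface = dom.getElementsByTagName('interface')[0]
    # Remove the default filter so exactly one filterref remains.
    for old in iface.getElementsByTagName('filterref'):
        old.parentNode.removeChild(old)
    ref = dom.createElement('filterref')
    ref.setAttribute('filter', 'clean-traffic')
    for ip in ips:
        param = dom.createElement('parameter')
        param.setAttribute('name', 'IP')
        param.setAttribute('value', ip)
        ref.appendChild(param)
    iface.appendChild(ref)
    return iface.toxml()


if __name__ == '__main__':
    # 192.0.2.0/24 is a documentation range; the addresses are constructed.
    print(pin_ips(SAMPLE_NIC_XML, '192.0.2.10, 192.0.2.11'))
```

Because the addresses are passed explicitly, no CTRL_IP_LEARNING parameter is set; that parameter applies to the DHCP case quoted above.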

