[PATCH] INSTALL.OpenNebula: New instructions for using with OpenNebula.
Jaime Melis
jmelis at opennebula.org
Wed Dec 5 11:33:40 UTC 2012
---
INSTALL.OpenNebula | 177 +++++++++++++++++++++++++++++++++++++++++++++++++++++
Makefile.am | 1 +
README | 2 +
3 files changed, 180 insertions(+)
create mode 100644 INSTALL.OpenNebula
diff --git a/INSTALL.OpenNebula b/INSTALL.OpenNebula
new file mode 100644
index 0000000..927a8bc
--- /dev/null
+++ b/INSTALL.OpenNebula
@@ -0,0 +1,177 @@
+ How to Use Open vSwitch with OpenNebula
+ =======================================
+
+This document describes how to use Open vSwitch with OpenNebula 3.8.1 or
+later.This document assumes that you followed INSTALL or installed Open
vSwitch
+from distribution packaging such as a .deb or .rpm.
+
+This guide will address the usage of VLAN tagging and OpenFlow filtering of
+OpenNebula Virtual Machines. On top of that any other Open vSwitch feature
may
+be used by tuning and extending the Open vSwitch drivers in OpenNebula.
+
+Setup
+-----
+
+You need to install Open vSwitch on each OpenNebula Host. Please refer to
the
+INSTALL guide to do so.
+
+It is also necessary to install the Open vSwitch compatibility layer for
Linux
+bridging. Please refer to the INSTALL.bridge guide.
+
+The sudoers file must be configured so oneadmin can execute `ovs_vsctl` in
the
+hosts.
+
+Next, create an Open vSwitch bridge by using the ovs-vsctl utility (this
+must be done with administrative privileges):
+
+ % ovs-vsctl add-br ovsbr
+
+An Open vSwitch bridge should be created in each host, preferably with the
same
+name, and the name of this bridge should be specified in the network
definition
+template with the `BRIDGE` parameter.
+
+OpenNebula Configuration
+------------------------
+
+The Open vSwitch driver (ovswitch) is enabled by default in OpenNebula. To
make
+use of it, simply associate a host to that network driver (as oneadmin).
+
+ $ onehost create <hostname> im_kvm vmm_kvm tm_shared ovswitch
+
+Driver Actions
+--------------
+
+
+- Pre: Not enabled for Open vSwitch.
+- Post: Performs the appropriate Open vSwitch commands to tag the virtual
tap
+ interface (network isolation) and applies traffic filtering rules.
+- Clean: It doesn't do anything. The virtual tap interfaces will be
+ automatically discarded when the VM is shut down.
+
+Network Isolation
+-----------------
+
+The driver will be automatically applied to every Virtual Machine deployed
in
+the Host. Only the virtual networks with the attribute `VLAN="YES"` will be
+isolated. There are no other special attributes required.
+
+ NAME = "ovswitch_net"
+ TYPE = "fixed"
+
+ # "ovsbr" is an Open vSwtich bridge
+ BRIDGE = "ovsbr"
+
+ VLAN = "YES"
+
+ # Optional
+ VLAN_ID = 50
+
+ # Lease information
+ LEASES = 10.0.0.10
+ LEASES = 10.0.0.11
+ LEASES = ...
+
+Any user with Network creation/modification permissions may force a custom
vlan
+id with the ''VLAN_ID'' parameter in the network template. In that
scenario, any
+user may be able to connect to another network with the same network id.
+Techniques to avoid this are explained under the Tuning & Extending
section.
+
+Traffic Filtering
+-----------------
+
+The first rule that is always applied when using the Open vSwitch drivers
is the
+MAC-spoofing rule, that prevents any traffic coming out of the VM if the
user
+changes the MAC address.
+
+The firewall directives must be placed in the network section of the
Virtual
+Machine template. These are the possible attributes:
+
+- BLACK_PORTS_TCP = iptables_range: Doesn't permit access to the VM
through the
+ specified ports in the TCP protocol.
+- BLACK_PORTS_UDP = iptables_range: Doesn't permit access to the VM
through the
+ specified ports in the UDP protocol.
+- ICMP = drop: Blocks ICMP connections to the VM. By default it's set to
accept.
+
+iptables_range: a list of ports separated by commas, e.g.: 80,8080.
+Currently no ranges are supported, e.g.: 5900:6000 is not supported.
+
+Example:
+
+ NIC = [
+ NETWORK_ID = 3,
+ BLACK_PORTS_TCP = "80,8080",
+ ICMP = drop
+ ]
+
+Tuning and Extending
+--------------------
+
+Remember that any change in the /var/lib/one/remotes directory won't be
+effective in the Hosts until you execute `onehost sync` (as oneadmin).
+
+ $ onehost sync
+
+The vlan id is calculated by adding the network id to a constant defined in
+`/var/lib/one/remotes/vnm/OpenNebulaNetwork.rb`. You can customize that
value to
+your own needs:
+
+ CONF = {
+ :start_vlan => 2
+ }
+
+Restricting the VLAN_ID atttribute
+----------------------------------
+
+You can either restrict permissions on Network creation with ACL rules, or
you can entirely disable the possibility to redefine the VLAN_ID by
modifying the source code of
`/var/lib/one/remotes/vnm/ovswitch/OpenvSwitch.rb`. Change these lines:
+
+ if nic[:vlan_id]
+ vlan = nic[:vlan_id]
+ else
+ vlan = CONF[:start_vlan] + nic[:network_id].to_i
+ end
+with this one:
+
+ vlan = CONF[:start_vlan] + nic[:network_id].to_i
+
+OpenFlow Rules
+--------------
+
+To modify these rules you have to edit:
+`/var/lib/one/remotes/vnm/ovswitch/OpenvSwitch.rb`.
+
+1. Mac-spoofing
+
+These rules prevent any traffic to come out of the port the MAC address has
+changed.
+
+ in_port=<PORT>,dl_src=<MAC>,priority=40000,actions=normal
+ in_port=<PORT>,priority=39000,actions=normal
+
+2. Black ports (one rule per port)
+
+ tcp,dl_dst=<MAC>,tp_dst=<PORT>,actions=drop
+
+3. ICMP Drop
+
+ icmp,dl_dst=<MAC>,actions=drop
+
+Troubleshooting
+---------------
+
+When an Open vSwitch driver actions fails it will be reflected in the logs:
+
+- `/var/log/one/oned.log`
+- `/var/log/one/<vm_id>.log`
+
+Further Reading
+---------------
+
+- OpenNebula Hosts: http://opennebula.org/documentation:rel3.8:host_guide
+- OpenNebula ACLs: http://opennebula.org/documentation:rel3.8:openvswitch
+- OpenNebula Open vSwitch guide:
+ http://opennebula.org/documentation:rel3.8:manage_acl
+
+Bug Reporting
+-------------
+
+Please report OpenNebula problems to the OpenNebula Users mailing list.
Open vSwitch specific problems should be reported to bugs at openvswitch.org.
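Review bot: the MAC-spoofing flows in the "OpenFlow Rules" section do not match the behaviour described for them. The text says the rule "prevents any traffic coming out of the VM if the user changes the MAC address", but both flows shown end in `actions=normal`: the priority 39000 catch-all `in_port=<PORT>,priority=39000,actions=normal` would forward frames from any source MAC just as the priority 40000 rule does, so nothing is blocked. Either the catch-all should be documented with `actions=drop`, or the sentence should be changed to describe what the rules actually do; as a reader following this guide I could not tell which one is wrong. Smaller points in the same file: the sudoers sentence names `ovs_vsctl` while the command used everywhere else is `ovs-vsctl`; "later.This" is missing a space; "Open vSwtich" in the network template comment and "atttribute" in the section heading are typos; and in "Further Reading" the "OpenNebula ACLs" entry links to `...:openvswitch` while the "Open vSwitch guide" entry links to `...:manage_acl`, so the two URLs look swapped. The note that any user with Network creation rights can pick a `VLAN_ID` and land in another tenant's VLAN is the important security caveat of this driver and is good to have in the document; it would be worth stating up front in "Network Isolation" rather than only at the end of the example.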
diff --git a/Makefile.am b/Makefile.am
index e2e0aa4..6d44400 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -47,6 +47,7 @@ EXTRA_DIST = \
INSTALL.Fedora \
INSTALL.KVM \
INSTALL.Libvirt \
+ INSTALL.OpenNebula \
INSTALL.RHEL \
INSTALL.SSL \
INSTALL.XenServer \
diff --git a/README b/README
index b0e6d05..39daa74 100644
--- a/README
+++ b/README
@@ -103,6 +103,8 @@ To use Open vSwitch...
- ...with Libvirt, read INSTALL.Libvirt.
+ - ...with OpenNebula, read INSTALL.OpenNebula.
+
- ...as a drop-in replacement for the Linux bridge, read
INSTALL.bridge.
--
1.8.0