[ovs-dev] [PATCH] docs: Add INSTALL.OpenNebula

Jaime Melis jmelis at opennebula.org
Wed Dec 5 12:03:58 UTC 2012


Attaching as a patch after reading "Documentation/email-clients.txt" and
realising that gmail (Web GUI) doesn't work for sending inline patches.




On Wed, Dec 5, 2012 at 12:51 PM, Jaime Melis <jmelis at opennebula.org> wrote:

> From 32dd91bcc835b41e28b48fcc8f3278dc69f8851d Mon Sep 17 00:00:00 2001
> From: Jaime Melis <jmelis at opennebula.org>
> Date: Wed, 5 Dec 2012 12:33:40 +0100
> Subject: [PATCH] INSTALL.OpenNebula: New instructions for using with
>  OpenNebula.
>
> ---
>  INSTALL.OpenNebula | 177
> +++++++++++++++++++++++++++++++++++++++++++++++++++++
>  Makefile.am        |   1 +
>  README             |   2 +
>  3 files changed, 180 insertions(+)
>  create mode 100644 INSTALL.OpenNebula
>
> diff --git a/INSTALL.OpenNebula b/INSTALL.OpenNebula
> new file mode 100644
> index 0000000..927a8bc
> --- /dev/null
> +++ b/INSTALL.OpenNebula
> @@ -0,0 +1,177 @@
> +                    How to Use Open vSwitch with OpenNebula
> +                    =======================================
> +
> +This document describes how to use Open vSwitch with OpenNebula 3.8.1 or
> +later.This document assumes that you followed INSTALL or installed Open
> vSwitch
> +from distribution packaging such as a .deb or .rpm.
> +
> +This guide will address the usage of VLAN tagging and OpenFlow filtering
> of
> +OpenNebula Virtual Machines. On top of that any other Open vSwitch
> feature may
> +be used by tuning and extending the Open vSwitch drivers in OpenNebula.
> +
> +Setup
> +-----
> +
> +You need to install Open vSwitch on each OpenNebula Host. Please refer to
> the
> +INSTALL guide to do so.
> +
> +It is also necessary to install the Open vSwitch compatibility layer for
> Linux
> +bridging. Please refer to the INSTALL.bridge guide.
> +
> +The sudoers file must be configured so oneadmin can execute `ovs_vsctl`
> in the
> +hosts.
> +
> +Next, create an Open vSwitch bridge by using the ovs-vsctl utility (this
> +must be done with administrative privileges):
> +
> +    % ovs-vsctl add-br ovsbr
> +
> +An Open vSwitch bridge should be created in each host, preferably with
> the same
> +name, and the name of this bridge should be specified in the network
> definition
> +template with the `BRIDGE` parameter.
> +
> +OpenNebula Configuration
> +------------------------
> +
> +The Open vSwitch driver (ovswitch) is enabled by default in OpenNebula.
> To make
> +use of it, simply associate a host to that network driver (as oneadmin).
> +
> +    $ onehost create <hostname> im_kvm vmm_kvm tm_shared ovswitch
> +
> +Driver Actions
> +--------------
> +
> +
> +- Pre:   Not enabled for Open vSwitch.
> +- Post:  Performs the appropriate Open vSwitch commands to tag the
> virtual tap
> +         interface (network isolation) and applies traffic filtering
> rules.
> +- Clean: It doesn't do anything. The virtual tap interfaces will be
> +         automatically discarded when the VM is shut down.
> +
> +Network Isolation
> +-----------------
> +
> +The driver will be automatically applied to every Virtual Machine
> deployed in
> +the Host. Only the virtual networks with the attribute `VLAN="YES"` will
> be
> +isolated. There are no other special attributes required.
> +
> +    NAME    = "ovswitch_net"
> +    TYPE    = "fixed"
> +
> +    # "ovsbr" is an Open vSwtich bridge
> +    BRIDGE  = "ovsbr"
> +
> +    VLAN    = "YES"
> +
> +    # Optional
> +    VLAN_ID = 50
> +
> +    # Lease information
> +    LEASES = 10.0.0.10
> +    LEASES = 10.0.0.11
> +    LEASES = ...
> +
> +Any user with Network creation/modification permissions may force a
> custom vlan
> +id with the ''VLAN_ID'' parameter in the network template. In that
> scenario, any
> +user may be able to connect to another network with the same network id.
> +Techniques to avoid this are explained under the Tuning & Extending
> section.
> +
> +Traffic Filtering
> +-----------------
> +
> +The first rule that is always applied when using the Open vSwitch drivers
> is the
> +MAC-spoofing rule, that prevents any traffic coming out of the VM if the
> user
> +changes the MAC address.
> +
> +The firewall directives must be placed in the network section of the
> Virtual
> +Machine template. These are the possible attributes:
> +
> +- BLACK_PORTS_TCP = iptables_range: Doesn't permit access to the VM
> through the
> +  specified ports in the TCP protocol.
> +- BLACK_PORTS_UDP = iptables_range: Doesn't permit access to the VM
> through the
> +  specified ports in the UDP protocol.
> +- ICMP = drop: Blocks ICMP connections to the VM. By default it's set to
> accept.
> +
> +iptables_range: a list of ports separated by commas, e.g.: 80,8080.
> +Currently no ranges are supported, e.g.: 5900:6000 is not supported.
> +
> +Example:
> +
> +    NIC = [
> +        NETWORK_ID = 3,
> +        BLACK_PORTS_TCP = "80,8080",
> +        ICMP = drop
> +    ]
> +
> +Tuning and Extending
> +--------------------
> +
> +Remember that any change in the /var/lib/one/remotes directory won't be
> +effective in the Hosts until you execute `onehost sync` (as oneadmin).
> +
> +    $ onehost sync
> +
> +The vlan id is calculated by adding the network id to a constant defined
> in
> +`/var/lib/one/remotes/vnm/OpenNebulaNetwork.rb`. You can customize that
> value to
> +your own needs:
> +
> +    CONF = {
> +        :start_vlan => 2
> +    }
> +
> +Restricting the VLAN_ID atttribute
> +----------------------------------
> +
> +You can either restrict permissions on Network creation with ACL rules,
> or you can entirely disable the possibility to redefine the VLAN_ID by
> modifying the source code of
> `/var/lib/one/remotes/vnm/ovswitch/OpenvSwitch.rb`. Change these lines:
> +
> +                if nic[:vlan_id]
> +                    vlan = nic[:vlan_id]
> +                else
> +                    vlan = CONF[:start_vlan] + nic[:network_id].to_i
>  +                end
> +with this one:
> +
> +                vlan = CONF[:start_vlan] + nic[:network_id].to_i
> +
> +OpenFlow Rules
> +--------------
> +
> +To modify these rules you have to edit:
> +`/var/lib/one/remotes/vnm/ovswitch/OpenvSwitch.rb`.
> +
> +1. Mac-spoofing
> +
> +These rules prevent any traffic to come out of the port the MAC address
> has
> +changed.
> +
> +    in_port=<PORT>,dl_src=<MAC>,priority=40000,actions=normal
> +    in_port=<PORT>,priority=39000,actions=normal
> +
> +2. Black ports (one rule per port)
> +
> +    tcp,dl_dst=<MAC>,tp_dst=<PORT>,actions=drop
> +
> +3. ICMP Drop
> +
> +    icmp,dl_dst=<MAC>,actions=drop
> +
> +Troubleshooting
> +---------------
> +
> +When an Open vSwitch driver actions fails it will be reflected in the
> logs:
> +
> +- `/var/log/one/oned.log`
> +- `/var/log/one/<vm_id>.log`
> +
> +Further Reading
> +---------------
> +
> +- OpenNebula Hosts: http://opennebula.org/documentation:rel3.8:host_guide
> +- OpenNebula ACLs: http://opennebula.org/documentation:rel3.8:openvswitch
> +- OpenNebula Open vSwitch guide:
> +  http://opennebula.org/documentation:rel3.8:manage_acl
> +
> +Bug Reporting
> +-------------
> +
> +Please report OpenNebula problems to the OpenNebula Users mailing list.
> Open vSwitch specific problems should be reported to bugs at openvswitch.org.
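Review bot: the Mac-spoofing rules in the OpenFlow Rules section contradict their own description. The text says the rules prevent traffic from leaving the port once the MAC address has changed, but the lower-priority catch-all `in_port=<PORT>,priority=39000,actions=normal` forwards frames from any source MAC, so as written nothing is ever dropped; the second rule should presumably be `in_port=<PORT>,priority=39000,actions=drop`, or the description needs correcting. In the same section, "Black ports (one rule per port)" shows only the `tcp,dl_dst=<MAC>,tp_dst=<PORT>,actions=drop` form although the Traffic Filtering section documents BLACK_PORTS_UDP as well; the UDP variant should be listed too. The Setup section says sudoers must let oneadmin run `ovs_vsctl`, while the command actually used is `ovs-vsctl`, and since the driver also installs OpenFlow flows the sudoers note should name every Open vSwitch command the driver invokes rather than just ovs-vsctl. In Further Reading the URLs for "OpenNebula ACLs" and "OpenNebula Open vSwitch guide" are swapped (ACLs points at ...:openvswitch, the Open vSwitch guide at ...:manage_acl). Smaller fixes: missing space in "later.This"; "Open vSwtich" in the network template comment; "atttribute" in the "Restricting the VLAN_ID atttribute" heading; `''VLAN_ID''` uses wiki-style quotes where the rest of the file uses backticks; "When an Open vSwitch driver actions fails" should read "action fails"; the lines `+                end` and `+with this one:` need a blank line between them; and the Network Isolation pointer "explained under the Tuning & Extending section" should reference "Restricting the VLAN_ID attribute", the section that actually covers the VLAN_ID collision.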
> diff --git a/Makefile.am b/Makefile.am
> index e2e0aa4..6d44400 100644
> --- a/Makefile.am
> +++ b/Makefile.am
> @@ -47,6 +47,7 @@ EXTRA_DIST = \
>   INSTALL.Fedora \
>   INSTALL.KVM \
>   INSTALL.Libvirt \
> + INSTALL.OpenNebula \
>   INSTALL.RHEL \
>   INSTALL.SSL \
>   INSTALL.XenServer \
> diff --git a/README b/README
> index b0e6d05..39daa74 100644
> --- a/README
> +++ b/README
> @@ -103,6 +103,8 @@ To use Open vSwitch...
>
>      - ...with Libvirt, read INSTALL.Libvirt.
>
> +    - ...with OpenNebula, read INSTALL.OpenNebula.
> +
>      - ...as a drop-in replacement for the Linux bridge, read
>        INSTALL.bridge.
>
> --
> 1.8.0
>



-- 
Jaime Melis
Project Engineer
OpenNebula - The Open Source Toolkit for Cloud Computing
www.OpenNebula.org | jmelis at opennebula.org
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-INSTALL.OpenNebula-New-instructions-for-using-with-O.patch
Type: application/octet-stream
Size: 7080 bytes
Desc: not available
URL: <http://mail.openvswitch.org/pipermail/ovs-dev/attachments/20121205/24d04a89/attachment-0005.obj>