[one-users] more question about the ebtables hook
Ruben S. Montero
rubensm at dacya.ucm.es
Tue Sep 22 12:29:48 PDT 2009
Hi,
> * preventing users from changing the IP address of the virtual machine
Our primary goal is to provide isolated layer 2 networks. In this way
a user can define their own network, and VMs in that network can include
any layer 3 service (including multicasting/broadcasting, DHCP or
DNS...). However, we do not allow users to change the MAC address we
assigned to them (i.e. we filter out those packets coming out of the
VM if they are not from the assigned MAC).
It would be easy to have this: just add an iptables rule (only let
out packets with the IP). However, this would restrict the previous,
more general approach. So I think this is a dangerous default behavior
that may not apply to all cases.
> * preventing users from running a DHCP server to mess up the network etc
This is related to the previous point. In fact we want level 3
services to be part of the VMs in a given network, so we want users to
put in DHCP servers or any other multicast service they want
(monitoring facilities, intrusion detection systems...).
Note that with the ebtables hooks, the virtual LANs are isolated,
so the DHCP server from each user would not interfere with the others.
So any multicast messages in one network will not be seen in another
network. Again, this allows the deployment of more general services.
This is basically what Amazon calls now "Virtual Private Cloud".
http://aws.amazon.com/vpc/
> * additional firewall to open some specific ports like what EC2 is offering
This is quite interesting. With the hook system we can have this very
easily. We may just add the relevant information in the VM template
and pass it to a hook that would set up the iptables in the cluster
node.
As I said, all the machinery to implement these policies is in place and
should only require a bit of scripting effort. This is in fact one of
the goals of 1.4.0. We'd be glad to help you work on this...
Cheers
Ruben
>
> If anyone has done similar things or want to work together on them, I
> would be happy to collaborate.
>
> Cheers,
> Shi
>
> --
> Shi Jin, Ph.D.
> _______________________________________________
> Users mailing list
> Users at lists.opennebula.org
> http://lists.opennebula.org/listinfo.cgi/users-opennebula.org
>
--
+---------------------------------------------------------------+
Dr. Ruben Santiago Montero
Associate Professor
Distributed System Architecture Group (http://dsa-research.org)
URL: http://dsa-research.org/doku.php?id=people:ruben
Weblog: http://blog.dsa-research.org/?author=7
GridWay, http://www.gridway.org
OpenNebula, http://www.opennebula.org
+---------------------------------------------------------------+
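The three per-VM policies discussed in the message above (the default MAC pinning done with ebtables, the optional "only the assigned IP may leave the VM" rule, and an EC2-style per-port firewall set up with iptables on the cluster node) can all be expressed as a small hook-style script. The script below is an added example and is not OpenNebula's own hook code; the bridge port name `vnet0`, the MAC address, the IP address and the port list are constructed sample values, and the function names (`mac_lock`, `ip_lock`, `open_ports`) are this example's own.

```shell
#!/bin/sh
# Added example, not OpenNebula's hook script. Applies per-VM network
# policies on a cluster node. All interface names, MACs, IPs and ports
# below are constructed sample values.
#
#   mac_lock   - drop frames leaving the VM whose source MAC is not the
#                one the cloud assigned (the default ebtables policy)
#   ip_lock    - optional stricter policy: only the assigned IPv4 source
#                address (and ARP claims for it) may leave the VM
#   open_ports - optional EC2-style firewall: accept new inbound TCP
#                connections only on the listed ports (iptables physdev match)

DRY_RUN="${DRY_RUN:-1}"   # 1 = print the rules, 0 = apply them (run as root)

# Print or execute one ebtables / iptables command.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# mac_lock TAP MAC
# Frames entering the bridge from TAP with a source MAC other than MAC
# are dropped, so the VM cannot spoof another VM's (or the host's) MAC.
# Nothing at layer 3 is restricted: DHCP, DNS, multicast all still work.
mac_lock() {
    tap="$1"; mac="$2"
    run ebtables -A FORWARD -i "$tap" -s ! "$mac" -j DROP
}

# ip_lock TAP IP
# The stricter, non-default policy: only packets whose IPv4 source is IP
# may leave the VM, and the VM may only answer ARP for that address.
ip_lock() {
    tap="$1"; ip="$2"
    run ebtables -A FORWARD -i "$tap" -p IPv4 --ip-src ! "$ip" -j DROP
    run ebtables -A FORWARD -i "$tap" -p ARP --arp-ip-src ! "$ip" -j DROP
}

# open_ports TAP "PORT PORT ..."
# Allow new TCP connections towards the VM only on the listed ports;
# connections the VM opens itself are unaffected because only SYNs
# towards the VM are dropped.
open_ports() {
    tap="$1"; ports="$2"
    for port in $ports; do
        run iptables -A FORWARD -m physdev --physdev-is-bridged --physdev-out "$tap" \
            -p tcp --dport "$port" -j ACCEPT
    done
    run iptables -A FORWARD -m physdev --physdev-is-bridged --physdev-out "$tap" \
        -p tcp --syn -j DROP
}

# Constructed sample VM: bridge port vnet0, MAC 02:00:0a:00:00:05, IP 10.0.0.5,
# reachable from outside only on SSH and HTTP.
mac_lock   vnet0 02:00:0a:00:00:05
ip_lock    vnet0 10.0.0.5
open_ports vnet0 "22 80"
```

With `DRY_RUN=1` (the default) the script only prints the rules it would install, which is a convenient way to review a hook's output before wiring it into a VM template. The ebtables rules act on frames the bridge forwards, so they apply regardless of what the guest runs; the iptables `physdev` match additionally requires the bridge netfilter module to be loaded so that bridged traffic traverses the `FORWARD` chain at all.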