[one-users] What does virtual network mean?
张佳宝
zhangjiabao at gmail.com
Wed Jan 13 20:44:38 PST 2010
Hi,
Thanks for your reply, and I can go further now, but it is still not working as
described in the documentation.
I created two virtual networks, which reside in different class C IP
ranges, and I created two VMs leasing virtual IPs from these two
virtual networks. Now the two VMs cannot communicate with each other, but from
all other hosts (including real machines) the two VMs cannot be reached, which
seems strange, because I need to log in to the VMs, so I have to reach the
VMs from some host, but now the VMs cannot be reached.
Besides, the VM_HOOK I am using in the oned.conf file is:
---------------
VM_HOOK = [
    name      = "ebtables-start",
    on        = "running",
    command   = "/srv/cloud/one/share/hooks/ebtables-xen",
    arguments = "one-$VMID",
    remote    = "yes" ]

VM_HOOK = [
    name      = "ebtables-flush",
    on        = "done",
    command   = "/srv/cloud/one/share/hooks/ebtables-flush",
    arguments = "",
    remote    = "yes" ]
-----------------
and the ebtables-xen file is:
------------
#!/usr/bin/env ruby
# OpenNebula 1.4 ebtables-xen hook, run on the execution host when a VM
# reaches RUNNING. For every vif of the VM that is attached to a bridge it
# adds two ebtables rules: frames may only enter the vif from source MACs
# whose first five octets match the vif's own MAC (OpenNebula derives VM
# MACs from their IPs, so this is "same class C"), and frames may only
# leave the vif with the VM's own source MAC.

VM_NAME = ARGV[0]

# Uncomment to act only on the listed bridges.
#FILTERED_BRIDGES = ['beth0']

def activate(rule)
  system "sudo ebtables -A #{rule}"
end

# Parse `brctl show` into { bridge => [interfaces] }. Continuation lines
# (additional interfaces of the same bridge) carry only the interface name.
def get_bridges
  bridges    = Hash.new
  brctl_exit = `brctl show`
  cur_bridge = ""

  brctl_exit.split("\n")[1..-1].each do |l|
    l = l.split
    if l.length > 1
      cur_bridge = l[0]
      bridges[cur_bridge] = Array.new
      bridges[cur_bridge] << l[3]
    else
      bridges[cur_bridge] << l[0]
    end
  end

  bridges
end

def get_interfaces
  bridges = get_bridges

  if defined? FILTERED_BRIDGES
    FILTERED_BRIDGES.collect { |k| bridges[k] }.compact.flatten
  else
    bridges.values.flatten
  end
end

vm_id    = `sudo xm domid #{VM_NAME}`.strip
networks = `sudo xm network-list #{vm_id}`.split("\n")[1..-1]

interfaces = get_interfaces

networks.each do |net|
  n         = net.split
  iface_id  = n[0]
  iface_mac = n[2]

  tap = "vif#{vm_id}.#{iface_id}"

  if interfaces.include? tap
    # Zero the last octet: the prefix shared by all VMs of the same /24
    # virtual network.
    mac     = iface_mac.split(':')
    mac[-1] = '00'
    net_mac = mac.join(':')

    # Drop frames forwarded to the vif unless their source MAC is in the
    # same prefix.
    in_rule  = "FORWARD -s ! #{net_mac}/ff:ff:ff:ff:ff:00 -o #{tap} -j DROP"
    # Drop frames leaving the vif whose source MAC is not the VM's own
    # (anti-spoofing).
    out_rule = "FORWARD -s ! #{iface_mac} -i #{tap} -j DROP"

    activate(in_rule)
    activate(out_rule)
  end
end
----------------
I am not familiar with the Ruby language, so I don't know whether there is any error here.
BTW, must I define the virtual networks in different class C IP ranges? If not,
does it also work?
The information on the VMs I have created is as follows:
[root at server images]# onevm list
  ID     USER     NAME STAT CPU     MEM        HOSTNAME        TIME
  50     root     vm-1 runn   0  523272           node2 00 00:02:48
  51     root       vm runn   0  523264          Server 00 00:02:40
[root at server images]# onevm show 50
VIRTUAL MACHINE 50
INFORMATION
ID : 50
NAME : vm-1
STATE : ACTIVE
LCM_STATE : RUNNING
START TIME : 01/14 09:39:02
END TIME : -
DEPLOY ID: : one-50
VIRTUAL MACHINE
TEMPLATE
CONTEXT=[
FILES=/vms_configuration/init.sh,
HOSTNAME=vm-1,
IP_PUBLIC=192.168.11.96,
TARGET=sdc ]
CPU=1
DISK=[
READONLY=no,
SOURCE=/srv/cloud/images/CentOS.img,
TARGET=sda ]
MEMORY=512
NAME=vm-1
NIC=[
BRIDGE=xenbr0,
IP=192.168.13.94,
MAC=00:03:c0:a8:0d:5e,
NETWORK=network,
VNID=11 ]
OS=[
KERNEL=/boot/vmlinuz-2.6.18.8-xenU,
ROOT=sda ]
VMID=50
[root at server images]# onevm show 51
VIRTUAL MACHINE 51
INFORMATION
ID : 51
NAME : vm
STATE : ACTIVE
LCM_STATE : RUNNING
START TIME : 01/14 09:39:10
END TIME : -
DEPLOY ID: : one-51
VIRTUAL MACHINE
TEMPLATE
CONTEXT=[
FILES=/vms_configuration/init.sh,
HOSTNAME=vm,
IP_PUBLIC=192.168.11.94,
TARGET=sdc ]
CPU=1
DISK=[
READONLY=no,
SOURCE=/srv/cloud/images/centos.5-3.x86-64.img,
TARGET=sda ]
MEMORY=512
NAME=vm
NIC=[
BRIDGE=xenbr0,
IP=192.168.12.97,
MAC=00:03:c0:a8:0c:61,
NETWORK=network-xenbr0,
VNID=10 ]
OS=[
KERNEL=/boot/vmlinuz-2.6.18.8-xenU,
ROOT=sda ]
VMID=51
2010/1/13 Javier Fontan <jfontan at gmail.com>
>
> Hello,
>
> VM hypervisors (Xen or KVM) do not provide ways to protect bridged networks
> from one VM interacting with others. To do this we have created the scripts
> described in the URL you have been following. Protection comes from the
> ebtables rules that isolate class C networks. Can you check that both
> virtual networks reside in different class C IP ranges and that the ebtables
> rules are being added on the execution host? Send us the ebtables rules being
> added and the VM configuration of the machines that can break these security rules.
>
> Thank you
>
>
> 2010/1/12 张佳宝 <zhangjiabao at gmail.com>
>
>> Hi,
>> I do not completely understand what a virtual network means. I think a
>> virtual network is used for security, and VMs in the same virtual network
>> can communicate with each other, while VMs in different virtual networks cannot.
>> But in my experiment, VMs in different virtual networks can also reach each
>> other. I do not know whether there is any error in my system; can anyone help
>> me?
>>
>> BTW, I am using OpenNebula 1.4 and Xen 3.0.2, and I configured the
>> virtual network completely following the guide
>> http://www.opennebula.org/doku.php?id=documentation:rel1.4:nm.
>>
>> Thanks in advance.
>>
>> Best.
>>
>> Atlas
>>
>> _______________________________________________
>> Users mailing list
>> Users at lists.opennebula.org
>> http://lists.opennebula.org/listinfo.cgi/users-opennebula.org
>>
>>
>
>
> --
> Javier Fontan, Grid & Virtualization Technology Engineer/Researcher
> DSA Research Group: http://dsa-research.org
> Globus GridWay Metascheduler: http://www.GridWay.org
> OpenNebula Virtual Infrastructure Engine: http://www.OpenNebula.org
>
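The two rules the hook installs per vif explain the symptom described in this thread: a frame is only forwarded into a VM's vif when its source MAC shares the first five octets with the VM's own MAC, and OpenNebula 1.4 derives VM MACs from their IPs (00:03:c0:a8:0d:5e in the `onevm show` output above is 192.168.13.94), so a physical host's MAC never matches the prefix and is dropped exactly like a VM from the other /24. The script below is an added example, not OpenNebula's hook and not code from anyone in the thread: it re-implements the hook's rule generation on constructed `brctl show` and `xm network-list` text (no Xen host or root needed) and evaluates the inbound rule against sample source MACs. The peer-VM MAC 00:03:c0:a8:0d:10 and the physical-host MAC 00:1a:2b:3c:4d:5e are made up; the two VM MACs are the ones from the post.

```ruby
#!/usr/bin/env ruby
# Added example, not OpenNebula's code: a dry-run model of the rules the 1.4
# ebtables-xen hook builds, so the effect of the MAC-prefix filter on a given
# frame can be checked offline. All command output below is constructed.

MASK = 'ff:ff:ff:ff:ff:00'   # mask the hook uses: "same /24" test on the MAC

# Constructed `brctl show` output: one bridge with two VM taps and the physical NIC.
SAMPLE_BRCTL = <<-EOS
bridge name\tbridge id\t\tSTP enabled\tinterfaces
xenbr0\t\t8000.feffffffffff\tno\t\tvif50.0
\t\t\t\t\t\t\tvif51.0
\t\t\t\t\t\t\tpeth0
EOS

# Constructed `xm network-list 50` output for vm-1 from the post (one NIC).
SAMPLE_NETLIST = <<-EOS
Idx BE     MAC Addr.     handle state evt-ch tx-/rx-ring-ref BE-path
0   0  00:03:c0:a8:0d:5e    0     4      8     768  /769     /local/domain/0/backend/vif/50/0
EOS

# Same parsing as the hook's get_bridges, on a string instead of shelling out.
def parse_bridges(brctl_output)
  bridges = {}
  cur = nil
  brctl_output.split("\n")[1..-1].each do |line|
    cols = line.split
    if cols.length > 1
      cur = cols[0]
      bridges[cur] = [cols[3]]
    else
      bridges[cur] << cols[0]
    end
  end
  bridges
end

# The rule strings the hook would hand to `ebtables -A` for this VM.
def rules_for(vm_id, netlist_output, interfaces)
  rules = []
  netlist_output.split("\n")[1..-1].each do |row|
    cols = row.split
    iface_id, iface_mac = cols[0], cols[2]
    tap = "vif#{vm_id}.#{iface_id}"
    next unless interfaces.include?(tap)
    net_mac = (iface_mac.split(':')[0..-2] + ['00']).join(':')
    rules << "FORWARD -s ! #{net_mac}/#{MASK} -o #{tap} -j DROP"
    rules << "FORWARD -s ! #{iface_mac} -i #{tap} -j DROP"
  end
  rules
end

# OpenNebula 1.4 MACs carry the IPv4 address in the last four octets.
def mac_to_ip(mac)
  mac.split(':')[2..5].map { |h| h.hex }.join('.')
end

def mac_masked(mac, mask)
  mac.split(':').zip(mask.split(':')).map { |m, k| m.hex & k.hex }
end

# Does the hook's inbound rule let a frame from src_mac reach the VM NIC vm_mac?
def allowed_into_vm?(vm_mac, src_mac)
  mac_masked(vm_mac, MASK) == mac_masked(src_mac, MASK)
end

if __FILE__ == $0
  ifaces = parse_bridges(SAMPLE_BRCTL).values.flatten
  puts rules_for(50, SAMPLE_NETLIST, ifaces)

  vm1  = '00:03:c0:a8:0d:5e'   # vm-1, 192.168.13.94 (from the post)
  vm   = '00:03:c0:a8:0c:61'   # vm,   192.168.12.97 (from the post)
  peer = '00:03:c0:a8:0d:10'   # constructed: a VM in vm-1's own /24
  host = '00:1a:2b:3c:4d:5e'   # constructed: a physical machine's MAC
  [vm, peer, host].each do |src|
    verdict = allowed_into_vm?(vm1, src) ? 'allowed' : 'DROP'
    puts "#{src} -> #{mac_to_ip(vm1)} (#{vm1}): #{verdict}"
  end
end
```

Run it and the physical host's frame is dropped by the same inbound rule that separates the two virtual networks, which is what the hook is designed to do; reaching the VMs from outside their /24 therefore needs a path the hook does not filter (for example a router or a VM whose MAC falls inside the network's prefix), not a change to the Ruby.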