[one-users] Need some explanation on vnets and network setup

Zaina AFOULKI zaina.afoulki at ensi-bourges.fr
Tue Apr 5 04:16:59 PDT 2011


Hi,

I made a couple more tests trying desperately to understand how VNets
(and especially their isolation) work in OpenNebula (much of what I
mentioned in my earlier post is not accurate).

If I start from an initial state where there are no VNets on any of the
nodes and then request two VMs on two different VNets, OpenNebula adds the
same "vnet0" to each node and starts the VMs on them, even though the
VNets are different. I think it makes more sense if the VNets had
different names, because I'm basing the firewall rules on these names.

I am using the script provided in [2] that is supposed to isolate the
VNets using ebtables. I noticed that 2 VMs on different VNets are still
able to ping each other. (This should not be allowed).

I would very much appreciate any ideas/thoughts on this.

Zaina

> Hi,
> 
> I'm having some trouble understanding the networking setup of OpenNebula. 
> 
> I have two nodes connected by a bridge interface br0. I enabled
> contextualization using the vm-context script as explained in [1]. This is
> the output of onevnet list:
>   ID USER     NAME        TYPE  BRIDGE P #LEASES
>   19 user1    network1    Fixed    br0 N       1
>   20 user2    network2    Fixed    br0 Y       1
> 
> I noticed that whenever I launch a VM, OpenNebula adds a virtual network
> named vnet0, vnet1 etc... to the list of interfaces in the node. Why are
> the VNets named vnet0, vnet1, etc when they could keep the same name as
> already defined by the OpenNebula user?
> 
> Why is there a need to add interfaces anyways? Why not let the VMs connect
> to br0 directly?
> Is it necessary to create a different bridge for every VNet defined with
> the onevnet command?
> 
> The vnet is created only on the node that the VM was launched on and not
> on the other nodes or the frontend. Why is this the case? Why not create it
> on all nodes? I'm asking because I am using the script provided in [2] to
> isolate the VNets using ebtables: I don't understand why 2 VMs on different
> VNets are unable to ping each other when they are on the same node, whereas
> it is possible to do so when they are on different nodes.
> 
> These are the ebtables rules created when a VM is launched on node1:
>    -s ! 2:0:ac:1e:8:0/ff:ff:ff:ff:ff:0 -o vnet0 -j DROP 
>    -s ! 2:0:ac:1e:8:b -i vnet0 -j DROP 
> Why are they based on MAC addresses and not IP addresses?
> 
> Many thanks.
> 
> Zaina
> 
> [1] http://opennebula.org/documentation:rel2.0:cong
> [2] http://opennebula.org/documentation:rel2.0:nm
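The two ebtables rules quoted above can be evaluated offline to see exactly what they admit and drop. This is an added example, not code from the post or from the OpenNebula scripts; it assumes first-match semantics with an ACCEPT chain policy, that `-i`/`-o` refer to the bridge port a frame enters/leaves, and that the VM's lease MAC is the 02:00:ac:1e:08:0b seen in the post. Note that both rules only exist on the node that has a vnet0 port, and that the masked rule admits any source MAC sharing the five-byte prefix, not only the VM's own VNet.

```python
"""Evaluate the ebtables rules from the post against constructed frames."""


def mac_to_int(mac: str) -> int:
    """Parse an ebtables-style MAC; octets may lack leading zeros (2:0:ac:...)."""
    return int("".join(f"{int(o, 16):02x}" for o in mac.split(":")), 16)


def mac_match(mac: str, spec: str) -> bool:
    """spec is 'MAC' or 'MAC/MASK', as ebtables -s accepts it."""
    addr, _, mask = spec.partition("/")
    m = mac_to_int(mask) if mask else 0xFFFFFFFFFFFF
    return (mac_to_int(mac) & m) == (mac_to_int(addr) & m)


# The two rules from the post: (negated?, -s spec, direction, interface, target)
RULES = [
    (True, "2:0:ac:1e:8:0/ff:ff:ff:ff:ff:0", "out", "vnet0", "DROP"),  # -o vnet0
    (True, "2:0:ac:1e:8:b", "in", "vnet0", "DROP"),                    # -i vnet0
]


def verdict(src_mac: str, in_if: str, out_if: str, rules=RULES, policy="ACCEPT"):
    """First matching rule wins; otherwise the chain policy applies."""
    for negated, spec, direction, iface, target in rules:
        on_iface = (in_if == iface) if direction == "in" else (out_if == iface)
        if not on_iface:
            continue
        # '!' inverts the address match, so the rule fires when hit XOR negated
        if mac_match(src_mac, spec) != negated:
            return target
    return policy


if __name__ == "__main__":
    # Constructed frames (MAC, port entered, port left) on the node hosting vnet0.
    frames = {
        "VM sends with its own MAC":          ("02:00:ac:1e:08:0b", "vnet0", "eth0"),
        "VM sends with a forged source MAC":  ("02:00:ac:1e:08:0c", "vnet0", "eth0"),
        "frame to VM from same 5-byte prefix": ("02:00:ac:1e:08:20", "eth0", "vnet0"),
        "frame to VM from other prefix":      ("02:00:ac:1e:09:05", "eth0", "vnet0"),
    }
    for label, (mac, i, o) in frames.items():
        print(f"{label:40s} -> {verdict(mac, i, o)}")
```

The third case is the one to watch: a peer whose MAC shares the 02:00:ac:1e:08 prefix reaches the VM regardless of which VNet it was leased from, since the rule filters on the MAC prefix rather than VNet membership.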