[one-users] Dynamic firewall like Amazon
Ruben S. Montero
rubensm at dacya.ucm.es
Tue Feb 1 13:44:43 PST 2011
Hi,
It is easy to mimic the EC2 security groups in OpenNebula. As said before in
this thread, OpenNebula can be adapted to your network architecture. I'll
give you a couple of hints here and let us know if you need more help:
- Let assume that your VMs are connected to the Internet through a
predefined *network* named *"Public". *The network is defined as usual in
OpenNebula.
- VMs attached to this network do have access to the Internet and are
given a public IP. Let's assume that you palce a VM in that network and
only connections to TCP ports 22 and 80 are allowed. The *VM template* to
get a lease from that network could be
...
NIC = [ NETWORK = "Public", IN_TCP_PORTS = "22 80" ]
...
- Now you have to configure a hook that automatically set an iptables
rule for the VM interface attached to the bridge used by that network (we
are setting the firewall from the outside). You have to pass the ports you
want to open, the *hook in oned.conf* would be:
...
VM_HOOK = [
name = "myiptables",
on = "running",
command = "/srv/cloud/one/share/hooks/myiptables",
arguments = '$NIC[IN_TCP_PORTS, Network = "Public"]',
remote = "yes" ]
...
- You have to *develop the myiptables* scripts and should be placed in
your hosts in the cluster, (the remotes location is a good place). You can
use the $ONE_LOCATION/share/hooks/ebtables script as an starting point. You
have xen and kvm versions.
- *Final touches*, you may need some configurations: the hooks are
executed by oneadmin so you may need to grant access oneadmin to some
network utils in the /etc/sudoers file. Also you probably want to remove the
rules when the VM is shutdown, there is also and ebtables_flush script that
you can use as inspiration to create other VM hook. Take a look to the
Network guide to get an idea of the overall process [1],
Also you can do this through the CONTEXT section. In this case the firewall
is set from the inside. Drawbacks are: solution is OS specific and firewall
rules can be bypassed (either intentionally or not). In this case you have
to create an script that creates the firewall configuration of the VM.
Setting the specific ports in a VM template could look like:
CONTEXT = [ IN_TCP_PORTS = "22 80" ]
But this is just the easy part, you have to prepare the context scripts to
deal with the OUT_TCP_PORTS variable [1]
Just a final thought, Eucalyptus and maybe others provide this
out-of-the-box but the price of this is too high, IMHO. OpenNebula does not
require any specific network setup in your hosts, and it gives you more
flexibility (i.e. multiple NICs on a VM attached to different networks).
Trying to cover as much hw configurations as possible prevents some
straight-forward configurations. Nevertheless balance is always a desirable
state, Do you think that we should include this in the distro +
documentation?
Cheers
Ruben
REFERENCES
[1] http://www.opennebula.org/documentation:rel2.0:nm
[2] http://www.opennebula.org/documentation:rel2.0:cong
On Tue, Feb 1, 2011 at 8:12 PM, Toens Bueker <
toens.bueker at lists0903.nurfuerspam.neuroserve.de> wrote:
> Zeeshan Ali Shah <zashah at pdc.kth.se> wrote:
>
> > No Firewall yet , that is i am asking how to put mechanism like
> > Security Group of amazon . preferably with out any HW (if possible)
>
> OpenNebulas components allow you to implement and manage virtual
> networks on physical infrastructure.
>
> I'm not really sure where a "NATing device" should be implemented. As
> you use the Xen hypervisor you could implement routed (not bridged)
> network interfaces.
>
> But that is not an issue, which would be solved in a management
> software component like OpenNebula (as there are so many possibilities
> to implement such a solution).
>
> If you have a solution for your problem, I'm sure it should be
> possible to adapt OpenNebula to it.
>
> Regards,
> Töns
> --
> There is no safe distance.
> _______________________________________________
> Users mailing list
> Users at lists.opennebula.org
> http://lists.opennebula.org/listinfo.cgi/users-opennebula.org
>
--
Dr. Ruben Santiago Montero
Associate Professor (Profesor Titular), Complutense University of Madrid
URL: http://dsa-research.org/doku.php?id=people:ruben
Weblog: http://blog.dsa-research.org/?author=7
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.opennebula.org/pipermail/users-opennebula.org/attachments/20110201/897439f1/attachment-0002.htm>
More information about the Users
mailing list