[one-users] 转发: 回复: Re: what a virtual network means?

Hutson Betts hut101 at tamu.edu
Mon Nov 21 18:13:38 PST 2011 

In response to your question, yes, but you must take into consideration
the security issues, and networking issues you will encounter by
allowing OpenNebula to automatically create, and manage VLAN tagging on
virtual machine hosts which are connected to a physical network which
also manages VLAN tagging.

Issue 1
By allowing virtual networks to span physical hosts using VLAN tagging,
while talking over a phyiscal switch that handles VLAN-tagged ports, or
VLAN tags from hosts that are not associated with OpenNebula, you run
the risk of a virtual machine intercepting data that it's not authorized
to access.

However, that does not prevent you from doing so. The issue from Issue 1
is caused by the fact that OpenNebula will assign VLAN tags to a virtual
network regardless of what is already in use by non-OpenNebula systems.

When using OpenNebula to manage VLAN tagging, the best page for
information is: http://opennebula.org/documentation:rel3.0:hm-vlan

OpenNebula assigns VLAN tags using the following approach: "The VLAN id
will be the same for every interface in a given network, calculated by
adding a constant to the network id".

If that calculated value is the same as an existing VLAN on the physical
switch, then you could have problems.

One solution is to configure your virtual machine templates with a
hard-coded VLAN id. This approach works if you are the only person
creating virtual networks, and if you are using the one* tools for
interacting with OpenNebula.

If one of those conditions isn't met, then you need to look at the
"Tuning & Extending" section. It discusses how to modify the
HostManaged.rb file. You could, if you wanted, modify that file to
restrict assigned VLAN tag to fall within a specified range. Or further,
you could modify the code to pull VLAN tags from a database.

From there, if those approaches wouldn't work, you might look into the
Open vSwitch as an alternative.

Also, so that you are aware, the situation you describe is actually one
I am encountering now. I am operating virtual machine hosts on a
physical network which manages multiple VLANs. I'll let you know my
experiences with the setup either later this week or next.

-- 
Hutson Betts
Computer Science and Engineering
Texas A&M University


On Tue, 2011-11-22 at 09:40 +0800, shamaya wrote:
> 
> 2011-11-22
> 
> 
> 
> shamaya
> 
> 
> 
> 发件人: "shamaya"<shamaya at 126.com>
> 发送时间: 2011-11-22 09:30
> 主 题: 回复: Re: [one-users] what a virtual network means?
> 收件人: "Hutson Betts"hut101 at tamu.edu
> 
> 
> 
>  I have a question and two advices for OpenNebula's network configuration
> 
> Question:
> 1. Can I use VLAN function on a "physical network" which already running VLAN on the phical swich? (you know, in Eucalyptus, VLAN cann't function properly in such a environment: "underlying physical network must be VLAN clean", http://open.eucalyptus.com/wiki/EucalyptusNetworkConfiguration_v2.0)
> 
> 
> Document advices:
> 1. Maybe, User's life would be more easier if OpenNebula's document on network include a network configuration example to help user build their cloud on their data center, for both physical and logical network configuration. again, Eucalyptus have included such guides for users at http://open.eucalyptus.com/learn/InstallingECC
> 
> 2. Mybe it is helpful to give a throughout network configuration process expample, e.g. you mentioned cloud builder need to setup a bridge on every work node, but I did found a example. 
> 
> 
> 
> 
> Cheers,
> Sha
> 
> 
> 
> 2011-11-22
> 
> 
> 
> shamaya
> 
> 
> 
> 发件人: Hutson Betts <hut101 at tamu.edu>
> 发送时间: 2011-11-21 12:14
> 主 题: Re: [one-users] what a virtual network means?
> 收件人: shamaya <shamaya at 126.com>
> 
> 
> 
> Dear Sha, 
> 
> Have you had an opportunity to read through Managing Virtual Networks 
> 3.0 (http://opennebula.org/documentation:rel3.0:vgg)? Honestly, I think 
> it covers virtual networking better than any of the other OpenNebula 
> configuration documents. 
> 
> However, I would look outside of OpenNebula for a truly in-depth 
> analysis of virtual networking, VLANs, and cloud networks. 
> 
> But, to answer your question, a single virtual network is analogous to a 
> physical switch containing a DHCP server. Virtual machines attached to 
> this "physical" switch are isolated from network traffic on another 
> "physically separated" switch, which in this case is another virtual 
> network. 
> 
> Now, with regard to the DHCP server, OpenNebula allows virtual networks 
> to lease IP addresses to virtual machines that attach to the network. 
> Each IP address can only be leased, or owned, by one virtual machine on 
> that virtual network at any one time. When a virtual machine starts, it 
> is automatically assigned an IP address by OpenNebula. The trick is to 
> know that the MAC address assigned to the virtual machine is a 
> transformation of the IP address. 
> 
> Consider an example in the document linked earlier: 
> A MAC address of: 00:03:c0:a8:00:01 
> Corresponds to an IP address of: 192.168.0.1 
> You can do the hex to int conversion: 
> c0 = 192 
> a8 = 168 
> 
> Now, from a computer perspective, there are quite a few ways to isolate 
> the network traffic between virtual networks, i.e., vlans, ebtables for 
> mac filtering, Open eSwitch. etc. This part you must consider carefully 
> when you wish to expand beyond one virtual machine host, or when you 
> want to use overlapping IP ranges for different virtual networks. 
> 
> From an administrator point, all that is required of you is to create a 
> bridge, and attach it to a physical Ethernet (network) interface on your 
> virtual machine host. 
> 
> Next, when creating new virtual networks using network templates, you 
> can specify the name of that bridge. Also, if you decide to use OCCI, 
> you can specify in the OCCI configuration file, the name of that bridge 
> as well. 
> 
> As you've already hinted at, when virtual machines are created, their 
> virtual network interfaces are attached to the bridge, either directly, 
> or by another mechanism such as when using VLAN tagging. In either case, 
> the bridge acts as the central "physical" switch for your virtual 
> networks, passing traffic between virtual machines. 
> 
> Now, because the bridge is attached to your virtual machine host's 
> physical network interface, your virtual machines will also be able to 
> send traffic to virtual machines on other virtual machine hosts on the 
> same physical switch, literally the physical switch this time. 
> 
> Please let me know if my explanations could use refinements, or if you 
> have any further questions. Also feel free to write out a list of ideas 
> you have for improving the documentation on OpenNebula. I'm sure the 
> community would greatly appreciate any help you're able to provide. 
> 
> --  
> Hutson Betts 
> Computer Science and Engineering 
> Texas A&M University 
> 
> 
> On Mon, 2011-11-21 at 10:02 +0800, shamaya wrote: 
> > Hi all, 
> >    OpenNebula's document on network seems a bit incomplete, and I feel  It's difficult to understand what a virtual network means?  Does a vritual network means create a bridge on a host and connect all VMs of that host to it? Can a virutal network span two host and let VMs of the two form a private network? 
> >  
> > Regards. 
> >  
> > Sha 
> >  
> > 2011-11-21 
> >  
> >  
> >  
> > shamaya 
> > _______________________________________________ Users mailing list Users at lists.opennebula.org http://lists.opennebula.org/listinfo.cgi/users-opennebula.org 
> _______________________________________________ Users mailing list Users at lists.opennebula.org http://lists.opennebula.org/listinfo.cgi/users-opennebula.org
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 836 bytes
Desc: This is a digitally signed message part
URL: <http://lists.opennebula.org/pipermail/users-opennebula.org/attachments/20111121/82583775/attachment-0003.pgp>

More information about the Users mailing list