[one-users] Libvirt networkfilter firewall implementation for Opennebula

[Jhon Masschelein]

Hi,

On 04/11/2012 04:00 PM, Jaime Melis wrote:
> We're in the process of defining the roadmap for OpenNebula 3.6 and we
> had already thought of improving the network management, especifically
> the management of a NIC's firewall while a VM is running (which I think
> it's a rather nifty feature). I think this could fit in nicely with what
> you've done.

Implementing this for my netfilters (as they exist now) would mean 
changing the VMs xml definition or the nwfilter definition in libvirt.

At this time nothing in Opennebula does this (mutating a live VM); once 
the VM has launched, all one can do through ONE is stop it.

It would be great if a live mutation functionality was added since this 
would mean we could add/remove devices to a running VM. :)

It won't be easy to put it in though, I think. This is something I have 
been looking at but there are different ways to do this and I was 
waiting to see what aproach Opennebula takes for this.

> There is something that concerns us, though: if we implement this
> feature only through libvirt, probably VMware won't have support and Xen
> will certainly don't. But I think we can call a different action
> depending on each hypervisor, maybe create a new VMM action to setup
> network filters. So in the end, for KVM it will be done exactly how
> you've done, but we would need to implement those actions for the rest
> of hypervisors. We have to look into this, but I think it's feasible.

I always thought that Opennebula talked to all the different hypervisors 
through libvirt. If that is not the case then yes, this indeed means 
extra work.

The networkfilter object can be the same for but the step where the 
deployment file is created will then need to be hypervisor specific.

That should not be too much work. However, if libvirt is not keeping the 
filter up to date (after migration and such), "something else" will have 
to do it...

Wkr,

Jhon