[one-users] VNETs & VLAN

Valentin Bud valentin at hackaserver.com
Wed Oct 10 09:36:22 PDT 2012


On Wed, Oct 10, 2012 at 7:25 PM, Ruben S. Montero
<rsmontero at opennebula.org> wrote:

> > Let's assume a standard configuration with 2 networks: public and
> internal.
> > - Is it possible to configure multiple filtering types on the same cloud
> > and on the same virtual instance?
> > (ebtable for public, vlan/openvswitch for the internal)
>

> Virtual Network drivers are defined per host and not per network (in
> fact some of the technologies do not play together quite well, e.g.
> iptables and ovswitch, when used in the same host)
>
> You can however define different clusters with different network
> technology for the hosts, and then associate virtual networks to
> each cluster (public network to cluster public). Note that VMs will not
> be able to use both networks at the same time.
>

Or you can use ovswitch and set the iptables rules using pre/clean/post
scripts. I use this approach to load firewall rules based on the role the
VM has in the network. It works. I unload the rules when the VM stops. The
role is set up by subdomain in some cases and by CONTEXT variables in
others. Each role translates to a chain in iptables.

To keep the chains number to a minimum I insert a rule in the INPUT chain
to direct traffic to VM IP to the `ROLE` chain.

The iptables rules are written in a file `role`.iptables and the pre script adds them.
If you want to use this approach don't forget to properly set up sudo
rules. The clean script deletes them at VM shutdown.

I also use the above approach to set up ebtables rules.


>
> In your specific case, I think you can simply not set the VLAN
> attribute in the public network template; this will bypass the vlan
> processing in the 802.1Q and ovswitch drivers
>
> >
> > I'm asking this because I would like to avoid a public vlan for each
> > customer on the public side (this will need a router reconfiguration
> > every time, to add the proper gateway on the same broadcast domain of
> > the customer in each vlan)
> >
> > - Is it possible, for a customer, to create a sort of PVLAN where a part
> > of its internal network will be isolated from other virtual machines
> > (same customer and same vlan). For example, let's assume that
> > customer1 has 5 VPS: vps1, vps2...vps5.
> > VPS1 should communicate only with VPS4 in a sort of custom vlan. I
> > have a VLAN, on the private side, for each customer and I would like to
> > give customers the capability to create some communication groups.
>
> I'd recommend taking a look at the virtual appliance router, simply
> add a virtual with a NIC in both networks
>
> http://opennebula.org/documentation:rel3.8:router
>
>
> >
> > - Accounting: at which frequency is accounting data saved to the DB? This
> > is very important for us, as we will use this to invoice customers.
> > Will it be possible to get the real number of seconds that an instance
> > was ON and the real number of seconds that an instance was paused but
> > with data still present on the node (no cpu/ram utilization but only
> > disk utilization)
> > _______________________________________________
> > Users mailing list
> > Users at lists.opennebula.org
> > http://lists.opennebula.org/listinfo.cgi/users-opennebula.org
>
>
>
> --
> Ruben S. Montero, PhD
> Project co-Lead and Chief Architect
> OpenNebula - The Open Source Solution for Data Center Virtualization
> www.OpenNebula.org | rsmontero at opennebula.org | @OpenNebula
>
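The per-role chain approach described in the reply above (pre script creates the ROLE chain and inserts a jump for the VM's IP, clean script removes it at shutdown), as an added example that is not code from the post or from OpenNebula's own drivers. It assumes a hypothetical rules directory `/var/lib/one/firewall/<role>.iptables` with one rule body per line, that the caller has already extracted the VM's role and IP from the template, and that a sudo rule permits `iptables`; the chain name is validated because it is derived from user-influenced data (subdomain or CONTEXT).

```shell
#!/bin/sh
# Added example (not from the post or from OpenNebula): pre/clean hook logic
# for the per-role iptables chain approach. Assumptions:
#  - $RULES_DIR/<role>.iptables holds one rule body per line,
#    e.g. "-p tcp --dport 443 -j ACCEPT"; lines starting with '#' are comments
#  - the caller has already extracted the VM's role and IP from its template
#  - a sudo rule allows iptables; set IPT="echo iptables" to dry-run
IPT="${IPT:-sudo iptables}"
RULES_DIR="${RULES_DIR:-/var/lib/one/firewall}"
HOOK_CHAIN="${HOOK_CHAIN:-INPUT}"   # the post uses INPUT; FORWARD may fit bridged traffic

# Role names come from a subdomain or a CONTEXT variable, i.e. user-influenced
# data: restrict them to a safe character set before passing them to iptables.
valid_role() {
  case "$1" in
    ''|*[!A-Za-z0-9_-]*) return 1 ;;
    *) return 0 ;;
  esac
}

# pre: create the ROLE chain on first use and load its rules once, then insert
# a single jump so only traffic to this VM's IP is sent through the chain.
fw_pre() {
  role="$1"; vm_ip="$2"
  valid_role "$role" || { echo "refusing bad role name: $role" >&2; return 1; }
  if $IPT -N "$role" 2>/dev/null; then
    while read -r body; do
      case "$body" in ''|'#'*) continue ;; esac
      $IPT -A "$role" $body        # word splitting of $body is intended
    done < "$RULES_DIR/$role.iptables"
  fi
  $IPT -I "$HOOK_CHAIN" -d "$vm_ip" -j "$role"
}

# clean: drop this VM's jump; remove the chain only when no other VM uses it.
fw_clean() {
  role="$1"; vm_ip="$2"
  valid_role "$role" || return 1
  $IPT -D "$HOOK_CHAIN" -d "$vm_ip" -j "$role"
  if ! $IPT -S "$HOOK_CHAIN" | grep -q -- "-j $role\$"; then
    $IPT -F "$role" && $IPT -X "$role"
  fi
}

# Usage: vm-fw.sh pre|clean ROLE VM_IP
case "${1:-}" in
  pre)   fw_pre "$2" "$3" ;;
  clean) fw_clean "$2" "$3" ;;
esac
```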