[one-users] VNETs & VLAN

Ruben S. Montero rsmontero at opennebula.org
Thu Oct 11 07:42:44 PDT 2012


Hi Valentin,

Also we had issues with iptables (kernel 3.5.4) and Open vSwitch 1.7,
which versions are you using?

Cheers

Ruben

On Thu, Oct 11, 2012 at 4:09 PM, Jaime Melis <jmelis at opennebula.org> wrote:
> Hi Valentin,
>
> would you be willing to share your modified drivers of openvswitch + iptables?
>
> For OpenNebula 3.8 we are going to release a firewall implementation
> using openflow in the openvswitch driver, but we'd like to also
> evaluate the other iptables option.
>
> Thanks a lot!
>
> cheers,
> Jaime
>
> On Wed, Oct 10, 2012 at 6:36 PM, Valentin Bud <valentin at hackaserver.com> wrote:
>>
>>
>> On Wed, Oct 10, 2012 at 7:25 PM, Ruben S. Montero <rsmontero at opennebula.org>
>> wrote:
>>>
>>> > Let's assume a standard configuration with 2 networks: public and
>>> > internal.
>>> > - Is it possible to configure multiple filtering types on the same cloud
>>> > and on the same virtual instance?
>>> > (ebtables for public, VLAN/openvswitch for the internal)
>>>
>>>
>>> Virtual Network drivers are defined per host and not per network (in
>>> fact some of the technologies do not play together quite well, e.g.
>>> iptables and ovswitch, when used in the same host).
>>>
>>> You can however define different clusters with different network
>>> technology for the hosts, and then associate virtual networks to
>>> each cluster (public network to cluster public). Note that VMs will not
>>> be able to use both networks at the same time.
>>
>>
>> Or you can use ovswitch and set the iptables rules using pre/clean/post
>> scripts. I use this approach to load firewall rules based on the role the VM
>> has in the network. It works. I unload the rules when the VM stops. The role
>> is set up by subdomain in some cases and by a CONTEXT variable in others.
>> Each role translates to a chain in iptables.
>>
>> To keep the number of chains to a minimum I insert a rule in the INPUT chain to
>> direct traffic for the VM IP to the `ROLE` chain.
>>
>> The iptables rules are written in a file `role`.iptables and the pre script adds them.
>> If you want to use this approach don't forget to properly set up sudo rules.
>> The clean script deletes them at VM shutdown.
>>
>> I also use the above approach to set up ebtables rules.
>>
>>>
>>>
>>> In your specific case, I think you can simply not set the VLAN
>>> attribute in the public network template; this will bypass the VLAN
>>> processing in the 802.1Q and ovswitch drivers.
>>>
>>> >
>>> > I'm asking this because I would like to avoid a public VLAN for each
>>> > customer on the public side (this will need a router reconfiguration
>>> > every time, to add the proper gateway on the same broadcast domain of
>>> > the customer in each VLAN)
>>> >
>>> > - Is it possible, for a customer, to create a sort of PVLAN where a part
>>> > of its internal network will be isolated from other virtual machines
>>> > (same customer and same VLAN)? For example, let's assume that
>>> > customer1 has 5 VPS: vps1, vps2...vps5.
>>> > VPS1 should communicate only with VPS4 in a sort of custom VLAN. I
>>> > have a VLAN, on the private side, for each customer and I would like to
>>> > give customers the capability to create some communication groups.
>>>
>>> I'd recommend taking a look at the virtual router appliance; simply
>>> add a virtual machine with a NIC in both networks:
>>>
>>> http://opennebula.org/documentation:rel3.8:router
>>>
>>>
>>> >
>>> > - Accounting: at what frequency is accounting data saved to the DB? This
>>> > is very important for us, as we will use it to invoice customers.
>>> > Will it be possible to get the real number of seconds that an instance
>>> > was ON and the real number of seconds that an instance was paused but
>>> > with data still present on the node (no CPU/RAM utilization but only
>>> > disk utilization)?
>>> > _______________________________________________
>>> > Users mailing list
>>> > Users at lists.opennebula.org
>>> > http://lists.opennebula.org/listinfo.cgi/users-opennebula.org
>>>
>>>
>>>
>>> --
>>> Ruben S. Montero, PhD
>>> Project co-Lead and Chief Architect
>>> OpenNebula - The Open Source Solution for Data Center Virtualization
>>> www.OpenNebula.org | rsmontero at opennebula.org | @OpenNebula
>>
>>
>>
>>
>
>
>
> --
> Jaime Melis
> Project Engineer
> OpenNebula - The Open Source Toolkit for Cloud Computing
> www.OpenNebula.org | jmelis at opennebula.org



-- 
Ruben S. Montero, PhD
Project co-Lead and Chief Architect
OpenNebula - The Open Source Solution for Data Center Virtualization
www.OpenNebula.org | rsmontero at opennebula.org | @OpenNebula
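The pre/clean hook approach Valentin describes above (one iptables chain per role, a jump from the INPUT chain for each VM's IP, rules loaded from a `role`.iptables file and removed when the VM stops), written out as an added example in Ruby, the language OpenNebula's network hook scripts use. This is neither Valentin's script nor OpenNebula's own driver code. The `ROLE_DIR` path, the rule-file format, the `one-` chain prefix and the `load`/`unload` command line are assumptions for illustration; the sudoers entry for `oneadmin` to run `iptables` is assumed to exist, as the thread says it must. The parent chain is a parameter because INPUT only matches packets addressed to the host itself, so after deploying check with `iptables -vnL` that the jump rule's counters actually increase for your bridge or OVS topology.

```ruby
#!/usr/bin/env ruby
# Added example, not OpenNebula's own vnm driver code: per-role iptables
# chains loaded by a pre hook and removed by a clean hook. ROLE_DIR, the
# rule-file format and the 'one-' chain prefix are assumptions.
require 'ipaddr'
require 'open3'

ROLE_DIR = '/var/lib/one/remotes/vnm/roles' # assumed location of <role>.iptables

# Constructed sample of a web.iptables file: one rule fragment per line,
# each appended to the role chain. '#' comments and blank lines are ignored.
SAMPLE_WEB_RULES = <<~RULES
  # web role: http/https from anywhere, ssh only from the admin network
  -p tcp --dport 80 -j ACCEPT
  -p tcp --dport 443 -j ACCEPT
  -p tcp --dport 22 -s 10.0.0.0/24 -j ACCEPT
  -j DROP
RULES

class RoleFirewall
  CHAIN_PREFIX = 'one-'
  # Chain names are limited to 28 chars; the whitelist also keeps a
  # CONTEXT-supplied role from smuggling arbitrary text into the iptables argv.
  ROLE_RE = /\A[a-z0-9_]{1,20}\z/

  attr_reader :calls

  # runner: callable taking an iptables argv (without the binary name) and
  # returning true on exit status 0. The default shells out via sudo, which
  # is why oneadmin needs a sudoers entry for iptables.
  def initialize(vm_ip, role, parent_chain: 'INPUT', runner: nil)
    raise ArgumentError, "bad role #{role.inspect}" unless role =~ ROLE_RE
    @ip = IPAddr.new(vm_ip)              # raises on anything that isn't an address
    raise ArgumentError, 'IPv4 address expected' unless @ip.ipv4?
    @role = role
    @parent = parent_chain
    @runner = runner || method(:sudo_iptables)
    @calls = []                          # [argv, ok] log of every iptables call
  end

  def chain
    "#{CHAIN_PREFIX}#{@role}"
  end

  # Rule that diverts traffic for this VM's address into the role chain.
  def jump_rule
    ['-d', "#{@ip}/32", '-j', chain]
  end

  def self.parse_rules(text)
    text.lines.map { |l| l.sub(/#.*/, '').strip }.reject(&:empty?).map(&:split)
  end

  # pre hook: one chain per role (shared by every VM of that role), reloaded
  # from the file each time, plus one jump per VM. Checking with -C before
  # -I keeps a restarted VM from stacking duplicate jumps.
  def load(rules_text)
    run('-N', chain)                     # fails harmlessly if it already exists
    run!('-F', chain)
    self.class.parse_rules(rules_text).each { |frag| run!('-A', chain, *frag) }
    run!('-I', @parent, '1', *jump_rule) unless run('-C', @parent, *jump_rule)
    true
  end

  # clean hook: remove every jump for this VM (bounded, in case an earlier
  # run died between -C and -I) and return how many were removed. The role
  # chain is left in place: it is shared, and -X would need -F first, which
  # would strip the rules out from under other running VMs of the same role.
  def unload
    removed = 0
    removed += 1 while removed < 8 && run('-D', @parent, *jump_rule)
    removed
  end

  private

  def run(*argv)
    ok = @runner.call(argv)
    @calls << [argv, ok]
    ok
  end

  def run!(*argv)
    run(*argv) or raise "iptables #{argv.join(' ')} failed"
  end

  def sudo_iptables(argv)
    _out, _err, status = Open3.capture3('sudo', 'iptables', *argv)
    status.success?
  end
end

# Usage from a pre/clean script: ruby role_fw.rb load|unload <vm_ip> <role>
if __FILE__ == $PROGRAM_NAME && ARGV.length == 3
  action, ip, role = ARGV
  fw = RoleFirewall.new(ip, role)
  if action == 'load'
    fw.load(File.read(File.join(ROLE_DIR, "#{role}.iptables")))
  else
    fw.unload
  end
end
```

Two things worth keeping in mind when the role comes from a CONTEXT variable: the user who instantiates the VM controls it, so the whitelist above only stops malformed values, not a tenant choosing another tenant's role name, which has to be enforced in whatever sets the variable; and the sudoers entry should be limited to the iptables binary rather than a blanket NOPASSWD, since the hook runs with the VM's IP and role as arguments.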