[one-users] OpenNebula and DHCP Server

Valentin Bud valentin.bud at gmail.com
Thu Oct 3 00:56:45 PDT 2013


Hello Fazli,

I will make some assumptions about your infrastructure and provide 
possible approach(es).

* Your KVM nodes have a single Ethernet interface, eth0, connected to a
  switch and a router used as the default gateway for the 192.168.1/24
  network,

* Also the frontend is connected via the same switch with the rest of
  the nodes,

* You have a br0 bridge with eth0 connected to it on each node and also
  the frontend,

* Your frontend is also a node.

If you have access to the router the simplest way would be to add an IP
Address alias on the router interface as the default gateway for the new
network. 

Configure a new network inside OpenNebula for that using the chosen
subnet and the same bridge, br0.

I don't know if you have any kind of security policies in place but be
careful that in this way there is no Layer 2 separation and traffic
between the two subnets is visible with tcpdump or other sniffers.

The second approach I can think about is to have the frontend configured
with the first IP Address from the new subnet on br0 and define a new
network inside OpenNebula like the above.

I don't know if this would work though. The NAT must be done for
10.100.0/24 over 192.168.1.X (the IP Address of frontend from
192.168.1/24 subnet). What I don't know is if iptables can MASQUERADE
subnets on the same interface. Never tried it, it might work.

Another approach that comes to mind is to use the Virtual Router and
define a new subnet on the same br0 bridge. The Virtual Router would
have an interface connected to 192.168.1/24 network and one in the
10.100.0/24 one. Set it up to have the first IP Address from the
10.100.0/24 network so it is the default gateway.

The same applies, traffic over L2 is not separated in any way.

One more idea :-) would be to use Open vSwitch and GRE tunnels between
the nodes. In this way you can use VLANs and transport over GRE between
nodes. You can also set up IPSec encrypted GRE tunnels if you want
security. It might be overkill but again it depends on your
requirements.

Another working setup I have done is to use tinc VPN [1] between nodes
in switch mode and connect it to the Open vSwitch from each host as a
port. This way traffic that travels between nodes is fully encrypted and
you can use the same L2 network in a secure fashion.

But maybe the best approach would be to have a second network card,
eth1, in each node. Connect that second card in an Open vSwitch and use
VLANs with the frontend being the router, or any other node for that
matter.

[1]: http://www.tinc-vpn.org/

Good Will,
Valentin

On Thu, Oct 03, 2013 at 09:18:41AM +0800, M Fazli A Jalaluddin wrote:
> Hello Valentin,
> 
> My setup for OpenNebula is 1 Front-end and several KVM nodes. The front-end
> and nodes are using IP address 192.168.1.xxx and are able to connect to the
> internet.
> 
> The current networking setup for the VM is using dummy and bridge, br0.
> 
> So, the way for the VMs to be able to access the internet is by assigning
> them 192.168.1.xxx IP addresses.
> 
> If I have many VMs, the 192.168.1.xxx IP addresses will be depleted.
> 
> Hence, I need to make a new private network such as, 10.0.1.xxx which will
> map to only a single 192.168.1.xxx, e.g 192.168.1.5.
> 
> Thank you.
> 
> Regards,
> Fazli
> 
> 
> On Wed, Oct 2, 2013 at 7:21 PM, Valentin Bud <valentin.bud at gmail.com> wrote:
> 
> > Hello Fazli,
> >
> > The Virtual Router documentation [1] is definitely a good place to start.
> >
> >
> > On Wed, Oct 2, 2013 at 1:57 PM, M Fazli A Jalaluddin <
> > fazli.jalaluddin at gmail.com> wrote:
> >
> >> Hi,
> >>
> >> Is there any tutorial on how to use the VirtualRouter?
> >>
> >> I have downloaded the image from Marketplace and deployed a VM out of it.
> >>
> >> Then what should I do?
> >>
> >> My concern is that multiple VMs will be able to be assigned a private
> >> IP address (and at the same time connect to the internet) while the KVM
> >> host is using a public IP address.
> >>
> >
> > I don't really understand your concern. Could you be more specific?
> >
> > Yes, every VM will get a private IP address from the Router in case you
> > connect it to the private network. If you connect the VM to the public
> > network too you'd have to set up the IP address on the VM.
> > If context package is installed in the VM it'll autoconfigure the public
> > IP also.
> >
> > [1]: http://opennebula.org/documentation:rel4.2:router
> >
> > Good Will,
> >
> >
> >>
> >> Thank you
> >>
> >> On Wed, Oct 2, 2013 at 4:26 PM, Carlos Martín Sánchez <
> >> cmartin at opennebula.org> wrote:
> >>
> >>> Hi,
> >>>
> >>> On Wed, Oct 2, 2013 at 6:56 AM, M Fazli A Jalaluddin <
> >>> fazli.jalaluddin at gmail.com> wrote:
> >>>
> >>> Hi,
> >>>>
> >>>> May I know if the Virtual Router provides NAT?
> >>>>
> >>>
> >>> Yes, look for the Full Router section in the documentation:
> >>> http://opennebula.org/documentation:rel4.2:router
> >>>
> >>> PS: Please reply also to the mailing list
> >>>
> >>> Regards.
> >>> --
> >>> Carlos Martín, MSc
> >>> Project Engineer
> >>> OpenNebula - Flexible Enterprise Cloud Made Simple
> >>> www.OpenNebula.org | cmartin at opennebula.org | @OpenNebula <http://twitter.com/opennebula>
> >>>
> >>>
> >>> On Wed, Oct 2, 2013 at 6:56 AM, M Fazli A Jalaluddin <
> >>> fazli.jalaluddin at gmail.com> wrote:
> >>>
> >>>> Hi,
> >>>>
> >>>> May I know if the Virtual Router provides NAT?
> >>>>
> >>>> Thank you
> >>>>
> >>>>
> >>>> On Thu, Sep 5, 2013 at 5:29 PM, Carlos Martín Sánchez <
> >>>> cmartin at opennebula.org> wrote:
> >>>>
> >>>>> Hi,
> >>>>>
> >>>>> Actually, we do provide a Virtual Router appliance that contains a
> >>>>> DHCP server. It knows the correct IP assigned by OpenNebula to each MAC.
> >>>>> See http://opennebula.org/documentation:rel4.2:router
> >>>>>
> >>>>> Regards
> >>>>>
> >>>>> --
> >>>>> Join us at OpenNebulaConf2013 <http://opennebulaconf.com> in Berlin,
> >>>>> 24-26 September, 2013
> >>>>> --
> >>>>> Carlos Martín, MSc
> >>>>> Project Engineer
> >>>>> OpenNebula - The Open-source Solution for Data Center Virtualization
> >>>>> www.OpenNebula.org | cmartin at opennebula.org | @OpenNebula <http://twitter.com/opennebula>
> >>>>>
> >>>>>
> >>>>> On Thu, Sep 5, 2013 at 8:55 AM, Ionut Popovici <ionut at hackaserver.com> wrote:
> >>>>>
> >>>>>> No, OpenNebula doesn't provide DHCP. You could use VLANs to break the
> >>>>>> network, and you can use contextualization to get the IP for virtual
> >>>>>> machines. If you use bridge mode you should make rules in iptables
> >>>>>> (ebtables) for UDP dst port 67 and allow only responses from your
> >>>>>> DHCP server.
> >>>>>> Cheers.
> >>>>>> On 9/5/2013 9:49 AM, Mohammad Fazli Ahmat Jalaluddin wrote:
> >>>>>>
> >>>>>>     Hi guys,
> >>>>>>
> >>>>>> I just want to ask a few questions.
> >>>>>>
> >>>>>> Does OpenNebula act as a DHCP Server and give an IP address to the VM
> >>>>>> if it is not contextualized in the first place?
> >>>>>>
> >>>>>> When the VM is deployed (without context), e.g. Ubuntu server, the
> >>>>>> default network configuration is using DHCP, and thus the IP for the
> >>>>>> VM is different from the one that OpenNebula uses from the vnet lease.
> >>>>>>
> >>>>>> Is the IP address in the VM given by OpenNebula (acting as the DHCP
> >>>>>> server) or given by our network's existing DHCP server?
> >>>>>>
> >>>>>> The reason I'm asking is because our network is poisoned since there
> >>>>>> are 2 DHCP servers. BTW, our OpenNebula configuration for the network
> >>>>>> is using dummy and using a bridge in the frontend.
> >>>>>>  Thank you very much.
> >>>>>>
> >>>>>>  Regards,
> >>>>>>  Fazli
> >>>>>>
> >>>>>>
> >>>>>> _______________________________________________
> >>>>>> Users mailing list
> >>>>>> Users at lists.opennebula.org
> >>>>>> http://lists.opennebula.org/listinfo.cgi/users-opennebula.org
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>
> >>>>>
> >>>>>
> >>>>
> >>>
> >>
> >>
> >>
> >
> >
> > --
> > Valentin Bud
> > http://databus.pro | valentin at databus.pro
> >
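
Added example, not part of the original thread or of OpenNebula: the thread starts from a bridged segment "poisoned" by two DHCP servers, and one reply suggests letting only the intended server's responses through. The code below is the detection side of that idea: given UDP payloads captured from DHCP traffic on the bridge, it lists server replies whose server identifier (option 54) is not on an allowlist. The sample packets and the choice of 192.168.1.1 as the legitimate server are constructed assumptions.

```python
import ipaddress

MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_PAD, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 0, 53, 54, 255
SERVER_REPLIES = {2: "OFFER", 5: "ACK", 6: "NAK"}


def parse_options(payload):
    """Return {option_code: value} from a BOOTP/DHCP UDP payload, {} if not DHCP."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        return {}
    opts, i = {}, 240
    while i + 1 < len(payload) and payload[i] != OPT_END:
        if payload[i] == OPT_PAD:
            i += 1
            continue
        length = payload[i + 1]
        opts[payload[i]] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return opts


def rogue_replies(payloads, allowed_servers):
    """Return (server, type, offered_ip) for replies from servers not allowed."""
    hits = []
    for p in payloads:
        opts = parse_options(p)
        mtype = (opts.get(OPT_MSG_TYPE) or b"\x00")[0]
        sid = opts.get(OPT_SERVER_ID, b"")
        if mtype not in SERVER_REPLIES or len(sid) != 4 or p[0] != 2:  # 2 = BOOTREPLY
            continue
        server = str(ipaddress.IPv4Address(sid))
        if server not in allowed_servers:
            offered = str(ipaddress.IPv4Address(p[16:20]))  # yiaddr field
            hits.append((server, SERVER_REPLIES[mtype], offered))
    return hits


def build_reply(server, offered, mtype=2):
    """Constructed sample data: a minimal DHCP server reply."""
    srv, yi = (ipaddress.IPv4Address(a).packed for a in (server, offered))
    fixed = bytes([2, 1, 6, 0]) + bytes(12) + yi + srv + bytes(212)  # 236 bytes
    return fixed + MAGIC_COOKIE + bytes([53, 1, mtype, 54, 4]) + srv + b"\xff"


# Constructed captures; 192.168.1.1 as the legitimate server is an assumption.
SAMPLES = [build_reply("192.168.1.1", "192.168.1.20"),
           build_reply("192.168.1.77", "192.168.1.130", mtype=5), b"junk"]
print(rogue_replies(SAMPLES, {"192.168.1.1"}))
```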


