[one-users] Question about securing/isolating VMs in OpenNebula?
Fernando Filgueira
fernando.filgueira at gmail.com
Fri Sep 13 14:46:26 PDT 2013
Hello everyone, my name is Fernando, from the Canary Islands (a piece of
earth lost in the middle of the Atlantic Ocean), and this is my first mail
to this list.
At last, after three hard days of fighting with my virtual environment, I
managed to get OpenNebula half running (well, almost everything works: VNC,
Sunstone, virtual machines working OK). The biggest problem was that all the
"big" machines downloaded from the marketplace were incomplete thanks to a shitty
net connection; I managed to wget a CentOS server image after 54 resumes
and register it manually...
Well, let's get into the problem.
I have the following working setup (all virtualized in VMware Player from
the ground up):
CentOS 6.4 for all machines
FreeNAS for NAS storage
Two worker nodes.
OpenNebula latest version installed
All machines virtualized with three NICs:
eth0: for internet connectivity (I'll set up a proxy later)
eth1: for internal data transfer between nodes
eth2: for VMs.
iptables: disabled
Defined ranges for the NICs:
eth0: 192.168.10.0/24
eth1: 10.10.10.0/24
eth2: 10.11.10.0/24
I have set up the bridge as follows on the nodes; this is an example from one node,
configured by a script at boot (along with other modifications; too lazy to modify
config files...):
ifconfig eth2 0.0.0.0            # remove the address from the physical NIC
....
brctl addif virbr0 eth2          # enslave eth2 to the bridge
....
ifconfig virbr0 10.11.10.15      # the node's VM-network address now lives on the bridge
resulting in the following node IPs:
eth0: 192.168.10.15
eth1: 10.10.10.15
eth2: 0.0.0.0
virbr0: 10.11.10.15
I configured a network in Sunstone as follows:
Type: ranged network
Define a subnet by IP: checked
IP start: 10.11.13.5
IP end: 10.11.13.254
Network model: Open vSwitch
Bridge: virbr0
VLAN: yes
VLAN ID: 2
All works as expected: the machine gets an IP from the defined range and I can't ping
machines in other networks, but if I change the IP inside one of OpenNebula's VMs
in that network (VLAN ID 2), for example: ifconfig eth0 10.10.10.54 netmask
255.0.0.0, I can ping all machines in every net range.
My objective is that every machine in that subnet receives and sends traffic
only to the other machines in the same subnet, even if I forcibly change the
IP inside the launched VM.
I searched for a solution or a similar problem in the mailing list archive and on
the internet but I didn't find a solution to a similar problem.
What am I doing wrong?
How can it be fixed?
Am I explaining myself correctly?
PS: first, sorry for my English if it's badly written, and second, my
experience with Linux is only about a year. I'm not an idiot (well, not
entirely :-) ), but I'm not a Linux guru; I google
examples/tutorials/documentation and can think a little by myself, but
if you're going to help me, I would be very thankful for a little explanation
of the problem and possible solutions (I would prefer the easiest
solution possible) to enlighten me.
Thanks in advance.
--
...---...
www.fherking.com
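The property asked for in the message above (a VM confined to its own subnet even after the guest reassigns its NIC) cannot be enforced from inside the guest; it has to be enforced on the node, on the VM's tap interface, by pinning that interface to the MAC and IP the cloud assigned and dropping everything else. The following is an added illustration of that anti-spoofing policy, written for this page; it is not OpenNebula's own network-filter driver and not code from the original post. It generates the ebtables/iptables rule lines for one VM and applies the same policy in pure Python to a few constructed frames, so the effect of the guest running `ifconfig eth0 10.10.10.54 netmask 255.0.0.0` can be checked offline. The tap interface name `tap0`, the MAC address, and the reuse of the poster's 10.11.13.0/24 range are assumptions chosen for the example.

```python
"""Per-VM anti-spoofing policy for a bridged tap interface.

Added illustration only: not OpenNebula's network driver.  The tap name,
MAC and addresses below are made up for the example.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class VmPolicy:
    tap: str      # host-side tap interface of the VM (assumed name)
    mac: str      # MAC the cloud assigned to the VM's NIC
    ip: str       # IP leased from the ranged network
    subnet: str   # the only subnet the VM may talk to


@dataclass(frozen=True)
class Frame:
    """Minimal view of a frame entering the bridge from a tap. Constructed."""
    in_iface: str
    src_mac: str
    src_ip: str
    dst_ip: str


def ebtables_rules(p: VmPolicy) -> list[str]:
    """Layer-2 rules: anything from the tap whose source MAC, IPv4 source
    or ARP sender IP is not the assigned one is dropped at the bridge,
    so changing the IP inside the guest does not help."""
    return [
        f"ebtables -A FORWARD -i {p.tap} -s ! {p.mac} -j DROP",
        f"ebtables -A FORWARD -i {p.tap} -p IPv4 --ip-src ! {p.ip} -j DROP",
        f"ebtables -A FORWARD -i {p.tap} -p ARP --arp-ip-src ! {p.ip} -j DROP",
    ]


def iptables_rules(p: VmPolicy) -> list[str]:
    """Layer-3 rule on bridged traffic: the VM may only send to its own
    subnet.  Requires net.bridge.bridge-nf-call-iptables=1 on the node
    so that bridged frames traverse the iptables FORWARD chain."""
    return [
        f"iptables -A FORWARD -m physdev --physdev-in {p.tap} "
        f"! -d {p.subnet} -j DROP",
    ]


def verdict(p: VmPolicy, f: Frame) -> str:
    """Apply the same policy in Python so it can be exercised offline."""
    if f.in_iface != p.tap:
        return "ACCEPT"          # another VM's tap; its own rules apply
    if f.src_mac.lower() != p.mac.lower():
        return "DROP"            # spoofed source MAC
    if f.src_ip != p.ip:
        return "DROP"            # guest reconfigured its IP
    if ipaddress.ip_address(f.dst_ip) not in ipaddress.ip_network(p.subnet):
        return "DROP"            # trying to leave its subnet
    return "ACCEPT"


if __name__ == "__main__":
    vm = VmPolicy("tap0", "02:00:0a:0b:0d:05", "10.11.13.5", "10.11.13.0/24")
    for line in ebtables_rules(vm) + iptables_rules(vm):
        print(line)
    # The guest's forced IP change from the message above, now dropped.
    print(verdict(vm, Frame("tap0", vm.mac, "10.10.10.54", "10.10.10.15")))
```

Two caveats a practitioner would want: the ebtables rules match only on the tap interface, so they must be installed per VM when it boots (and removed when it stops), and the rules assume the bridge is a Linux bridge that ebtables can see; with an Open vSwitch bridge the equivalent pinning is done with OpenFlow rules on the VM's port instead.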