[one-users] greetings

Stefan Kooman stefan at bit.nl
Fri Jun 20 02:57:59 PDT 2014


Quoting Galimba (galimba at gmail.com):
> Hello everyone.
> My name is Sebastian. I'm new to this list and though I've been a sysadmin for
> several years now, I've only recently dived into Cloud Computing.
> I have successfully installed OpenNebula 4.4 on a local computer behind a
> firewall at my university. I set up two nodes and another dedicated
> computer as a NFS datastore.
> The plan is to provide my research group with the IAAS that OpenNebula
> brings to the table.
> At the moment, I'm dealing with an issue I haven't been able to solve, and
> perhaps some of you could throw me a hint.
> My university assigned me over 100 public IP addresses to provide each VM.
> If I were to plug the cable directly to the OpenNebula box, then I know I
> could create my templates with public IP addresses and then everything
> should be fine. The problem is that I have a firewall in the middle,
> managing all the public IPs, and my OpenNebula box is on a LAN behind that
> firewall.

Question: Do you want to filter the traffic for your VMs on the
"firewall in the middle"?

If the answer is yes then you might want to use the vm-hook like
Valentin suggested.

If not then a VLAN with public IPs is probably the easiest way to go.

Another possibility is to use the "Public Cloud" interface from ONE,
specifically: EC2 [1]. It makes use of Elastic IPs. It uses scripting to
handle the mapping of public to private IPs. Especially the scripts that
interact with the OpenFlow seem promising [2].

Yet another way of doing this is to route the block of 100 IPs to a
router/firewall (possibly running on ONE) (through a little IP
interconnection block). In that case you don't have to filter on the
"firewall in the middle" and/or do NAT (which I think is very ugly). So
like this: public ip -> interconnect-ip - router/firewall -
router-ip-routed-ips -> VMs with public IP. This will also work for
IPv6. Natting IPv6 is possible, but even more ugly ;). You still have
the possibility to do some filtering on the firewall while leaving the
rest of the ports open. If you like GUIs, pfSense is a very nice and
capable firewall (based on OpenBSD's pf) [3]. If you would like to use
pfSense on KVM -> don't use virtio network drivers, broken on KVM (at
least that is our experience, Intel e1000 works fine).

Good luck, and have a fun and bright cloudy day ;),

Gr. Stefan

[1]: http://docs.opennebula.org/4.6/advanced_administration/public_cloud/ec2qug.html
[2]: http://community.opennebula.org/ecosystem:onenox
[3]: https://www.pfsense.org/

-- 
| BIT BV  http://www.bit.nl/        Kamer van Koophandel 09090351
| GPG: 0xD14839C6                   +31 318 648 688 / info at bit.nl