[one-users] about firewall

Jaime Melis jmelis at opennebula.org
Tue Feb 17 01:04:18 PST 2015


Hi,

you are right, we don't have this. I just created this in order to document
http://dev.opennebula.org/issues/3602

Answering your specific question:

> What is not clear is about the tm driver. An ssh connection is open from
> oned admin server to the hypervisors, to run the clone/cp/etc actions. I
> need to know if the hypervisor will in those actions initiate some SSH
> connection back to the oned admin server? (we are using ssh, shared, and
> lvm drivers). We want to block this kind of traffic (ssh to oned admin
> server from the nodes).


The ssh connection to the frontend from the nodes **is** required. It's
used in actions like undeploy or stop.

In any case as you say, creating a reference guide for the connections in
OpenNebula would come in very handy.

cheers,
Jaime

On Fri, Feb 6, 2015 at 11:07 AM, Madko <madko77 at gmail.com> wrote:

> Hi,
>
> Is there any documentation about the ports and network traffic in use with
> OpenNebula?
>
> To go in production we need to have a firewall between our oned admin
> server and the hypervisor nodes.
> So I need to know if there is any network traffic to be initiated (state
> NEW) from the hypervisor nodes to the oned admin server?
> So far I found the UDP port 4124 for collectd, with metrics coming from
> the hypervisors.
>
> What is not clear is about the tm driver. An ssh connection is open from
> oned admin server to the hypervisors, to run the clone/cp/etc actions. I
> need to know if the hypervisor will in those actions initiate some SSH
> connection back to the oned admin server? (we are using ssh, shared, and
> lvm drivers). We want to block this kind of traffic (ssh to oned admin
> server from the nodes).
>
> To sum up, here is what we know for sure:
> oned 4124/udp <= nodes
> oned => 22/tcp nodes
>
> We need to know what traffic and who initiates it. I don't see anything
> about it in the documentation. If anyone has this information that would be
> of great help. Until then I will try to find it out myself by playing with
> iptables.
>
> Best regards
>


-- 
Jaime Melis
Project Engineer
OpenNebula - Flexible Enterprise Cloud Made Simple
www.OpenNebula.org | jmelis at opennebula.org
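
The flows named in this thread (collectd on 4124/udp and SSH on 22/tcp from the nodes to the frontend, with replies to frontend-initiated SSH covered by connection tracking), written as a frontend ruleset that also logs any other connection a node tries to open. This is an added example, not part of either message or of OpenNebula; the chain name `ONE_NODES`, the log prefix, the `192.0.2.0/24` node subnet and the sample log lines are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Subnet, chain name and log lines are constructed.

# Print an iptables-restore fragment for the frontend (load it with
# `iptables-restore --noflush`). Only traffic sourced from the nodes is touched.
frontend_rules() {
    [ -n "$1" ] || { echo "usage: frontend_rules <nodes-cidr>" >&2; return 1; }
    cat <<EOF
*filter
:ONE_NODES - [0:0]
-A INPUT -s $1 -j ONE_NODES
-A ONE_NODES -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A ONE_NODES -p udp --dport 4124 -m conntrack --ctstate NEW -j ACCEPT
-A ONE_NODES -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A ONE_NODES -m limit --limit 6/min -j LOG --log-prefix "one-node-new: "
-A ONE_NODES -j DROP
COMMIT
EOF
}

# Summarise the LOG lines (stdin) as "count proto/dport src", most frequent
# first, to show which node-initiated flows the ruleset does not yet allow.
summarize_blocked() {
    awk '/one-node-new: / {
        src = proto = dpt = "-"
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/)   src   = substr($i, 5)
            if ($i ~ /^PROTO=/) proto = tolower(substr($i, 7))
            if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
        }
        n[proto "/" dpt " " src]++
    }
    END { for (k in n) print n[k], k }' | sort -k1,1nr -k2
}

# Constructed, abridged kernel log sample; ports 9999 and 9998 are arbitrary stand-ins.
SAMPLE_LOG='Feb 17 09:00:01 fe kernel: one-node-new: IN=eth0 OUT= SRC=192.0.2.11 DST=192.0.2.1 PROTO=TCP SPT=40000 DPT=9999
Feb 17 09:00:07 fe kernel: one-node-new: IN=eth0 OUT= SRC=192.0.2.11 DST=192.0.2.1 PROTO=TCP SPT=40001 DPT=9999
Feb 17 09:01:00 fe kernel: one-node-new: IN=eth0 OUT= SRC=192.0.2.12 DST=192.0.2.1 PROTO=UDP SPT=5000 DPT=9998
Feb 17 09:01:02 fe sshd[1]: unrelated line'

frontend_rules 192.0.2.0/24
printf '%s\n' "$SAMPLE_LOG" | summarize_blocked
```

One-way UDP such as the collectd metrics never leaves the NEW conntrack state, so the 4124/udp rule matches every packet of that flow, not only the first.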