Hi,<br>Thanks for your reply, and I can go further now, but it is still not working as described in the documentation.<br>I created two virtual networks, which both reside in different class C IP addresses, and I created two VMs leasing virtual IPs from these two virtual networks. Now the two VMs cannot communicate with each other, but from all other hosts (including real machines) the two VMs cannot be touched either, which seems strange, because I need to log in to the VMs, so I have to touch the VMs from some hosts, but now the VMs cannot be touched.<br>
<br><b>Besides,the VM-HOOK I am using in oned.conf file is </b><br>---------------<br>VM_HOOK = [<br>   name      = "ebtables-start",<br>   on        = "running",<br>   command   = "/srv/cloud/one/share/hooks/ebtables-xen",<br>
   arguments = "one-$VMID",<br>   remote    = "yes" ]<br>VM_HOOK = [<br>    name      = "ebtables-flush",<br>   on        = "done",<br>   command   = "/srv/cloud/one/share/hooks/ebtables-flush",<br>
   arguments = "",<br>   remote    = "yes" ]<br>-----------------<br><br><b>and the ebtables-xen file is:</b><br>------------<br>VM_NAME=ARGV[0]<br><br># Uncomment to act only on the listed bridges.<br>
#FILTERED_BRIDGES = ['beth0']<br><br># Append one rule to the ebtables FORWARD chain on the execution host.<br>def activate(rule)<br>    system "sudo ebtables -A #{rule}"<br>end<br><br># Parse the output of "brctl show" into a hash of bridge name => [interfaces].<br>def get_bridges<br>    bridges = Hash.new<br>    brctl_exit=`brctl show`<br>    cur_bridge = ""<br>
    brctl_exit.split("\n")[1..-1].each do |l|<br>        l = l.split<br>        if l.length > 1<br>            # first line of a bridge: name, id, stp state, first interface<br>            cur_bridge = l[0]<br>            bridges[cur_bridge] = Array.new<br>            bridges[cur_bridge] << l[3]<br>
        else<br>            # continuation line: only an interface name<br>            bridges[cur_bridge] << l[0]<br>        end<br>    end<br>    bridges<br>end<br><br># Interfaces attached to the bridges of interest (all bridges unless FILTERED_BRIDGES is set).<br>def get_interfaces<br>    bridges = get_bridges<br>    if defined? FILTERED_BRIDGES<br>        FILTERED_BRIDGES.collect {|k| bridges[k]}.flatten<br>
    else<br>        bridges.values.flatten<br>    end<br>end<br><br># Xen domain id and NIC list of the VM; its vifs are named vifDOMID.N on the host.<br>vm_id=`sudo xm domid #{VM_NAME}`.strip<br>networks=`sudo xm network-list #{vm_id}`.split("\n")[1..-1]<br><br>interfaces = get_interfaces<br><br>
networks.each {|net|<br>    n=net.split<br>    iface_id=n[0]<br>    iface_mac=n[2]<br><br>    tap="vif#{vm_id}.#{iface_id}"<br><br>    if interfaces.include? tap<br>        # network MAC: the VM MAC with its last byte zeroed<br>        mac=iface_mac.split(':')<br>        mac[-1]='00'<br>
        net_mac=mac.join(':')<br><br>        # drop frames reaching the vif from a source MAC outside its network (5-byte mask)<br>        in_rule="FORWARD -s ! #{net_mac}/ff:ff:ff:ff:ff:00 -o #{tap} -j DROP"<br>        # drop frames leaving the vif whose source MAC is not the one assigned to the VM<br>        out_rule="FORWARD -s ! #{iface_mac} -i #{tap} -j DROP"<br><br>        activate(in_rule)<br>
        activate(out_rule)<br>    end<br>}<br>----------------<br>I am not familiar with the Ruby language, so I don't know if there is any error here?<br><br><b>BTW, must I define the virtual networks in different class C IP addresses? If not, will it also work?</b><br>
<br>The information of VMs I have create is as follow:<br>[root@server images]# onevm list<br>  ID     USER     NAME STAT CPU     MEM        HOSTNAME        TIME<br>  50     root     vm-1 runn   0  523272           node2 00 00:02:48<br>
  51     root       vm runn   0  523264          Server 00 00:02:40<br>[root@server images]# onevm show 50<br>VIRTUAL MACHINE 50 INFORMATION                                                  <br>ID             : 50                  <br>
NAME           : vm-1                <br>STATE          : ACTIVE              <br>LCM_STATE      : RUNNING             <br>START TIME     : 01/14 09:39:02      <br>END TIME       : -                   <br>DEPLOY ID:     : one-50              <br>
<br>VIRTUAL MACHINE TEMPLATE                                                        <br>CONTEXT=[<br>  FILES=/vms_configuration/init.sh,<br>  HOSTNAME=vm-1,<br>  IP_PUBLIC=192.168.11.96,<br>  TARGET=sdc ]<br>CPU=1<br>DISK=[<br>
  READONLY=no,<br>  SOURCE=/srv/cloud/images/CentOS.img,<br>  TARGET=sda ]<br>MEMORY=512<br>NAME=vm-1<br>NIC=[<br>  BRIDGE=xenbr0,<br>  IP=192.168.13.94,<br>  MAC=00:03:c0:a8:0d:5e,<br>  NETWORK=network,<br>  VNID=11 ]<br>
OS=[<br>  KERNEL=/boot/vmlinuz-2.6.18.8-xenU,<br>  ROOT=sda ]<br>VMID=50<br>[root@server images]# onevm show 51<br>VIRTUAL MACHINE 51 INFORMATION                                                  <br>ID             : 51                  <br>
NAME           : vm                  <br>STATE          : ACTIVE              <br>LCM_STATE      : RUNNING             <br>START TIME     : 01/14 09:39:10      <br>END TIME       : -                   <br>DEPLOY ID:     : one-51              <br>
<br>VIRTUAL MACHINE TEMPLATE                                                        <br>CONTEXT=[<br>  FILES=/vms_configuration/init.sh,<br>  HOSTNAME=vm,<br>  IP_PUBLIC=192.168.11.94,<br>  TARGET=sdc ]<br>CPU=1<br>DISK=[<br>
  READONLY=no,<br>  SOURCE=/srv/cloud/images/centos.5-3.x86-64.img,<br>  TARGET=sda ]<br>MEMORY=512<br>NAME=vm<br>NIC=[<br>  BRIDGE=xenbr0,<br>  IP=192.168.12.97,<br>  MAC=00:03:c0:a8:0c:61,<br>  NETWORK=network-xenbr0,<br>
  VNID=10 ]<br>OS=[<br>  KERNEL=/boot/vmlinuz-2.6.18.8-xenU,<br>  ROOT=sda ]<br>VMID=51<br><br><br><br><br><div class="gmail_quote">2010/1/13 Javier Fontan <span dir="ltr"><<a href="mailto:jfontan@gmail.com">jfontan@gmail.com</a>></span><br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;"><div><br></div><div>Hello,</div><div><br></div><div>VM hypervisors (Xen or KVM) do not provide ways to protect bridged networks from one VM interacting with others. To do this we have created the scripts described in the URL you have been following. Protection comes from the ebtables rules that isolate class C networks. Can you check that both virtual networks reside in different class C IP addresses and that the ebtables rules are being added in the execution host? Send us the ebtables rules being added and the VM configuration of the machines that can break these security rules.</div>

<div><br></div><div>Thank you</div><br><br><div class="gmail_quote"><div class="im">2010/1/12 Õżѱ¦ <span dir="ltr"><<a href="mailto:zhangjiabao@gmail.com" target="_blank">zhangjiabao@gmail.com</a>></span><br></div><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">

Hi,<br><div><div></div><div class="h5">I do not completely understand what a virtual network means. I think a virtual network is used for security, and VMs in the same virtual network can communicate with each other, while VMs in different virtual networks cannot. But in my experiment, VMs in different virtual networks can also touch each other. I do not know if there is any error in my system; can anyone help me?<br>
<br>BTW, I am using OpenNebula 1.4 and Xen 3.02, and I configured the virtual network completely following the guide <a href="http://www.opennebula.org/doku.php?id=documentation:rel1.4:nm" target="_blank">http://www.opennebula.org/doku.php?id=documentation:rel1.4:nm</a>.<br>
<br>Thanks in advance.<br><br>Best.<br><br>Atlas<br>
<br></div></div><div class="im">_______________________________________________<br>
Users mailing list<br>
<a href="mailto:Users@lists.opennebula.org" target="_blank">Users@lists.opennebula.org</a><br>
<a href="http://lists.opennebula.org/listinfo.cgi/users-opennebula.org" target="_blank">http://lists.opennebula.org/listinfo.cgi/users-opennebula.org</a><br>
<br></div></blockquote></div><br><br clear="all"><br>-- <br><div><div></div><div class="h5">Javier Fontan, Grid & Virtualization Technology Engineer/Researcher<br>DSA Research Group: <a href="http://dsa-research.org" target="_blank">http://dsa-research.org</a><br>
Globus GridWay Metascheduler: <a href="http://www.GridWay.org" target="_blank">http://www.GridWay.org</a> <br>
OpenNebula Virtual Infrastructure Engine: <a href="http://www.OpenNebula.org" target="_blank">http://www.OpenNebula.org</a><br>
</div></div></blockquote></div><br>
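To make the rule derivation of the quoted ebtables-xen hook and the class C remark in Javier's reply concrete, here is an added Ruby example (not the hook itself and not OpenNebula code) that builds the same two rules from a VM's MAC without running ebtables, and shows that the 5-byte mask corresponds to the /24 of the IP that OpenNebula encodes in its generated MACs. The MACs come from the onevm output above; the domain id and interface number are constructed values.

```ruby
# Added example (not OpenNebula's own code): reproduces the rule derivation
# of the ebtables-xen hook without running ebtables, so the rules a VM will
# receive can be checked before the hook is trusted on a host.

# Decode the IP that OpenNebula 1.4 embeds in a generated MAC:
# the last four bytes are the IP (00:03:c0:a8:0d:5e -> 192.168.13.94).
def mac_to_ip(mac)
  mac.split(':')[2..5].map { |h| h.to_i(16) }.join('.')
end

# Network MAC exactly as the hook computes it: last byte zeroed. Combined with
# the mask ff:ff:ff:ff:ff:00 this matches every MAC sharing the first five
# bytes, which for generated MACs means every VM in the same /24 (class C).
def net_mac(mac)
  m = mac.split(':')
  m[-1] = '00'
  m.join(':')
end

# The two rules ebtables-xen appends for one vif: frames entering the vif
# from a source MAC outside its /24 are dropped, and frames leaving the vif
# with a source MAC other than the one OpenNebula assigned are dropped.
def rules_for(dom_id, iface_id, mac)
  tap = "vif#{dom_id}.#{iface_id}"
  ["FORWARD -s ! #{net_mac(mac)}/ff:ff:ff:ff:ff:00 -o #{tap} -j DROP",
   "FORWARD -s ! #{mac} -i #{tap} -j DROP"]
end

# True when the first rule would still let mac_b reach a vif owned by mac_a,
# i.e. when both virtual networks fall into the same class C range.
def same_segment?(mac_a, mac_b)
  net_mac(mac_a) == net_mac(mac_b)
end

if __FILE__ == $0
  vm1 = '00:03:c0:a8:0d:5e' # vm-1 in the thread, 192.168.13.94
  vm2 = '00:03:c0:a8:0c:61' # vm in the thread, 192.168.12.97
  # domain id 3 and interface 0 are constructed values (the real hook reads
  # them from "xm domid" and "xm network-list")
  rules_for(3, 0, vm1).each { |r| puts "ebtables -A #{r}" }
  puts "vm-1 and vm isolated by the mask: #{!same_segment?(vm1, vm2)}"
end
```

Two virtual networks carved out of the same /24 would share net_mac and the first rule could not tell them apart, which is why the documentation requires different class C ranges.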