<div dir="ltr"><div><div><div><div><div><div>Hi Valentin,<br><br></div>Your assumption is correct.<br><br></div>My method is to use the OpenNebula Virtual Router, by referring to this page [1], and Open vSwitch.<br><br></div>I have installed Open vSwitch on the host and I was able to deploy a VM in an isolated network. <br>
<br></div>I try to deploy the VirtualRouter in a virtual network.<br><br></div>My problem is, I cannot ping it and cannot SSH into it.<br><br></div><div>From the documentation, I understand that the VirtualRouter needs to be deployed as a VM in a specific virtual network and it will act as the DHCP for the VMs in the same virtual network.<br>
</div><div>I have also included the example context in the VirtualRouter template.<br><br></div><div>My VirtualRouter template:<br><br>NIC=[NETWORK_ID="0"]<br>NIC=[NETWORK_ID="9",IP="10.0.10.1"]<br>
INPUT=[BUS="usb",TYPE="tablet"]<br>MEMORY="512"<br>OS=[ARCH="x86_64",BOOT="hd"]<br>GRAPHICS=[LISTEN="0.0.0.0",TYPE="SPICE"]<br>DISK=[IMAGE_ID="24"]<br>
CPU="0.5"<br>CONTEXT=[TARGET="hdb",NETWORK="YES",FORWARDING="8080:10.0.10.2:80
10.0.10.2:22",DHCP="YES",PRIVNET="$NETWORK[TEMPLATE, NETWORK=\"ovs
.10\"]",TEMPLATE="TEMPLATE",SSH_PUBLIC_KEY="ssh-rsa
AAAAB3NzaC1yc2EAAAADAQABAAABAQCk+MN96iAn4uXRieJqyJG7WY32zW0LTXJBdISdjDLlp8QgFrxOdi9Aw2+eu+QSbVHwBsqOTimpOuzknisOhD4RPCTCT7G2/xaEUxWg0AB3ySrMZC3Dv5AgBy0CikFk50/CbwBtMjj2pRINm0axfP+cUT/VBhJRAiwVe2wsIOL/t2PGOy0O8Q2zjG1XfCVZPCYPOxj9Jk0y8DoMHp0ILA6gM7hGN4CKAQiXnbjv8WD9uFpRr7eruXQUdMuPn2wnyDMcCnzUEMtPUoPIy6gyAer3biRyEQkAXNJ+R1WXvX6Ah848MTyoICoA7KKIm9e3xe/SXMJxxOPHZLWSJSIRmhcd
hpc1@hpc-workstation1",PUBNET="$NETWORK[TEMPLATE, NETWORK=\"Virtual
Network .113\"]",DNS="8.8.8.8 8.8.4.4"]<br></div><div><br></div>May I know how to actually use the VirtualRouter?<br><div><div><br>[1] <a href="http://opennebula.org/documentation:rel4.2:router" target="_blank">http://opennebula.org/documentation:rel4.2:router</a><br>
<br></div></div></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Thu, Oct 3, 2013 at 3:56 PM, Valentin Bud <span dir="ltr"><<a href="mailto:valentin.bud@gmail.com" target="_blank">valentin.bud@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hello Fazli,<br>
<br>
I will make some assumptions about your infrastructure and provide<br>
possible approach(es).<br>
<br>
* Your KVM nodes have a single Ethernet interface, eth0, connected in a<br>
switch and a router used as the default gateway for the 192.168.1/24<br>
network,<br>
<br>
* Also the frontend is connected via the same switch with the rest of<br>
the nodes,<br>
<br>
* You have a br0 bridge with eth0 connected to it on each node and also<br>
the frontend,<br>
<br>
* Your frontend is also a node.<br>
<br>
If you have access to the router the simplest way would be to add an IP<br>
Address alias on the router interface as the default gateway for the new<br>
network.<br>
<br>
Configure a new network inside OpenNebula for that using the chosen<br>
subnet and the same bridge, br0.<br>
<br>
I don't know if you have any kind of security policies in place but be<br>
careful that in this way there is no Layer 2 separation and traffic<br>
between the two subnets is visible with tcpdump or other sniffers.<br>
<br>
The second approach I can think about is to have the frontend configured<br>
with the first IP Address from the new subnet on br0 and define a new<br>
network inside OpenNebula like the above.<br>
<br>
I don't know if this would work though. The NAT must be done for 10.100.0/24 over<br>
192.168.1.X (the IP Address of frontend from 192.168.1/24 subnet). What<br>
I don't know is if iptables can MASQUERADE subnets on the same<br>
interface. Never tried it, it might work.<br>
<br>
Another approach that comes to mind is to use the Virtual Router and<br>
define a new subnet on the same br0 bridge. The Virtual Router would<br>
have an interface connected to 192.168.1/24 network and one in the<br>
10.100.0/24 one. Set it up to have the first IP Address from the<br>
10.100.0/24 network so it is the default gateway.<br>
<br>
The same applies, traffic over L2 is not separated in any way.<br>
<br>
One more idea :-) would be to use Open vSwitch and GRE tunnels between<br>
the nodes. In this way you can use VLANs and transport over GRE between<br>
nodes. You can also set up IPSec encrypted GRE tunnels if you want<br>
security. It might be overkill but again it depends on your<br>
requirements.<br>
<br>
Another working setup I have done is to use tinc VPN [1] between nodes<br>
in switch mode and connect it to the Open vSwitch from each host as a<br>
port. This way traffic that travels between nodes is fully encrypted and<br>
you can use the same L2 network in a secure fashion.<br>
<br>
But maybe the best approach would be to have a second network card,<br>
eth1, in each node. Connect that second card in an Open vSwitch and use<br>
VLANs with the frontend being the router, or any other node for that<br>
matter.<br>
<br>
[1]: <a href="http://www.tinc-vpn.org/" target="_blank">http://www.tinc-vpn.org/</a><br>
<br>
Good Will,<br>
Valentin<br>
<div><div class="h5"><br>
On Thu, Oct 03, 2013 at 09:18:41AM +0800, M Fazli A Jalaluddin wrote:<br>
> Hello Valentin,<br>
><br>
> My setup for OpenNebula is 1 Front-end and several KVM nodes. The front-end<br>
> and nodes are using IP address 192.168.1.xxx and are able to connect to the<br>
> internet.<br>
><br>
> The current networking setup for the VM is using dummy and bridge, br0.<br>
><br>
> So, the way for the VMs to access the internet is by assigning them<br>
> 192.168.1.xxx IP addresses.<br>
><br>
> If I have many VMs, IP address 192.168.1.xxx will be depleted.<br>
><br>
> Hence, I need to make a new private network such as, 10.0.1.xxx which will<br>
> map to only a single 192.168.1.xxx, e.g 192.168.1.5.<br>
><br>
> Thank you.<br>
><br>
> Regards,<br>
> Fazli<br>
><br>
><br>
> On Wed, Oct 2, 2013 at 7:21 PM, Valentin Bud <<a href="mailto:valentin.bud@gmail.com">valentin.bud@gmail.com</a>> wrote:<br>
><br>
> > Hello Fazli,<br>
> ><br>
> > The Virtual Router documentation [1] is definitely a good place to start.<br>
> ><br>
> ><br>
> > On Wed, Oct 2, 2013 at 1:57 PM, M Fazli A Jalaluddin <<br>
> > <a href="mailto:fazli.jalaluddin@gmail.com">fazli.jalaluddin@gmail.com</a>> wrote:<br>
> ><br>
> >> Hi,<br>
> >><br>
> >> Is there any tutorial on how to use the VirtualRouter?<br>
> >><br>
> >> I have downloaded the image from the Marketplace and deployed a VM out of it.<br>
> >><br>
> >> Then what should I do?<br>
> >><br>
> >> My concern is that the Multiple VM will be able to be assigned a private<br>
> >> IP address (at the same time connect to the internet) while the KVM host is<br>
> >> using public IP address.<br>
> >><br>
> ><br>
> > I don't really understand your concern. Could you be more specific?<br>
> ><br>
> > Yes, every VM will get a private IP address from the Router in case you<br>
> > connect it to the private<br>
> > network. If you connect the VM to the public network too you'd have to<br>
> > setup the IP address on the VM.<br>
> > If context package is installed in the VM it'll autoconfigure the public<br>
> > IP also.<br>
> ><br>
> > [1]: <a href="http://opennebula.org/documentation:rel4.2:router" target="_blank">http://opennebula.org/documentation:rel4.2:router</a><br>
> ><br>
> > Good Will,<br>
> ><br>
> ><br>
> >><br>
> >> Thank you<br>
> >><br>
> >> On Wed, Oct 2, 2013 at 4:26 PM, Carlos Martín Sánchez <<br>
> >> <a href="mailto:cmartin@opennebula.org">cmartin@opennebula.org</a>> wrote:<br>
> >><br>
> >>> Hi,<br>
> >>><br>
> >>> On Wed, Oct 2, 2013 at 6:56 AM, M Fazli A Jalaluddin <<br>
> >>> <a href="mailto:fazli.jalaluddin@gmail.com">fazli.jalaluddin@gmail.com</a>> wrote:<br>
> >>><br>
> >>> Hi,<br>
> >>>><br>
> >>>> May I know if the Virtual Router provide NAT?<br>
> >>>><br>
> >>><br>
> >>> Yes, look for the Full Router section in the documentation:<br>
> >>> <a href="http://opennebula.org/documentation:rel4.2:router" target="_blank">http://opennebula.org/documentation:rel4.2:router</a><br>
> >>><br>
> >>> PS: Please reply also to the mailing list<br>
> >>><br>
> >>> Regards.<br>
> >>> --<br>
> >>> Carlos Martín, MSc<br>
> >>> Project Engineer<br>
> >>> OpenNebula - Flexible Enterprise Cloud Made Simple<br>
</div></div>> >>> <a href="http://www.OpenNebula.org" target="_blank">www.OpenNebula.org</a> | <a href="mailto:cmartin@opennebula.org">cmartin@opennebula.org</a> | @OpenNebula<<a href="http://twitter.com/opennebula" target="_blank">http://twitter.com/opennebula</a>><<a href="mailto:cmartin@opennebula.org">cmartin@opennebula.org</a>><br>
<div class="im">> >>><br>
> >>><br>
> >>> On Wed, Oct 2, 2013 at 6:56 AM, M Fazli A Jalaluddin <<br>
> >>> <a href="mailto:fazli.jalaluddin@gmail.com">fazli.jalaluddin@gmail.com</a>> wrote:<br>
> >>><br>
> >>>> Hi,<br>
> >>>><br>
> >>>> May I know if the Virtual Router provide NAT?<br>
> >>>><br>
> >>>> Thank you<br>
> >>>><br>
> >>>><br>
> >>>> On Thu, Sep 5, 2013 at 5:29 PM, Carlos Martín Sánchez <<br>
> >>>> <a href="mailto:cmartin@opennebula.org">cmartin@opennebula.org</a>> wrote:<br>
> >>>><br>
> >>>>> Hi,<br>
> >>>>><br>
> >>>>> Actually, we do provide a Virtual Router appliance that contains a<br>
> >>>>> DHCP server. It knows the correct IP assigned by OpenNebula to each MAC.<br>
> >>>>> See <a href="http://opennebula.org/documentation:rel4.2:router" target="_blank">http://opennebula.org/documentation:rel4.2:router</a><br>
> >>>>><br>
> >>>>> Regards<br>
> >>>>><br>
> >>>>> --<br>
</div>> >>>>> Join us at OpenNebulaConf2013 <<a href="http://opennebulaconf.com" target="_blank">http://opennebulaconf.com</a>> in Berlin,<br>
<div class="im">> >>>>> 24-26 September, 2013<br>
> >>>>> --<br>
> >>>>> Carlos Martín, MSc<br>
> >>>>> Project Engineer<br>
> >>>>> OpenNebula - The Open-source Solution for Data Center Virtualization<br>
</div>> >>>>> <a href="http://www.OpenNebula.org" target="_blank">www.OpenNebula.org</a> | <a href="mailto:cmartin@opennebula.org">cmartin@opennebula.org</a> | @OpenNebula<<a href="http://twitter.com/opennebula" target="_blank">http://twitter.com/opennebula</a>><<a href="mailto:cmartin@opennebula.org">cmartin@opennebula.org</a>><br>
<div class="im">> >>>>><br>
> >>>>><br>
> >>>>> On Thu, Sep 5, 2013 at 8:55 AM, Ionut Popovici <<a href="mailto:ionut@hackaserver.com">ionut@hackaserver.com</a>> wrote:<br>
> >>>>><br>
> >>>>>> No, OpenNebula doesn't provide DHCP. You could use VLANs to break the<br>
> >>>>>> network, and you can use contextualization to get the IP for virtual<br>
> >>>>>> machines. If you use bridge mode you should make rules in iptables (ebtables)<br>
> >>>>>> for udp dst port 67 and allow only responses from your DHCP server.<br>
> >>>>>> Cheers.<br>
> >>>>>> On 9/5/2013 9:49 AM, Mohammad Fazli Ahmat Jalaluddin wrote:<br>
> >>>>>><br>
> >>>>>> Hi guys,<br>
> >>>>>><br>
> >>>>>> I just want to ask few questions.<br>
> >>>>>><br>
> >>>>>> Does OpenNebula act as a DHCP Server and give IP address to the VM if<br>
> >>>>>> it is not contextualized in the first place?<br>
> >>>>>><br>
> >>>>>> When the VM is deployed (without context), e.g. Ubuntu server default<br>
> >>>>>> network configuration is using DHCP, and thus the IP for the VM is<br>
> >>>>>> different with the one that OpenNebula uses from the vnet lease.<br>
> >>>>>><br>
> >>>>>> Is the IP address in the VM given by OpenNebula (acting as the DHCP<br>
> >>>>>> server) or given by our network existing DHCP server?<br>
> >>>>>><br>
> >>>>>> The reason I'm asking is because our network is poisoned since there<br>
> >>>>>> are 2 DHCP server. BTW, our OpenNebula configuration for the network is<br>
> >>>>>> using dummy and using bridge in the frontend<br>
> >>>>>><br>
> >>>>>> Thank you very much.<br>
> >>>>>><br>
> >>>>>> Regards,<br>
> >>>>>> Fazli<br>
> >>>>>><br>
> >>>>>><br>
> >>>>>> _______________________________________________<br>
</div>> >>>>>> Users mailing list<br>
> >>>>>> <a href="mailto:Users@lists.opennebula.org">Users@lists.opennebula.org</a><br>
> >>>>>> <a href="http://lists.opennebula.org/listinfo.cgi/users-opennebula.org" target="_blank">http://lists.opennebula.org/listinfo.cgi/users-opennebula.org</a><br>
<div class="HOEnZb"><div class="h5">> >>>>>><br>
> >>>>>><br>
> >>>>>><br>
> >>>>>><br>
> >>>>>><br>
> >>>>><br>
> >>>>><br>
> >>>>><br>
> >>>><br>
> >>><br>
> >><br>
> >><br>
> >><br>
> ><br>
> ><br>
> > --<br>
> > Valentin Bud<br>
> > <a href="http://databus.pro" target="_blank">http://databus.pro</a> | <a href="mailto:valentin@databus.pro">valentin@databus.pro</a><br>
> ><br>
</div></div></blockquote></div><br></div>
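<div>The FORWARDING value in the template above can be checked before the router is instantiated. This is an added example, not part of the thread or of OpenNebula's code: it assumes entries have the form [external_port:]ip:port, that forwarding is done as destination NAT on the router, and that the private network is 10.0.10.0/24; the function names are hypothetical.</div>

```python
import ipaddress

# Values constructed from the template in the message above.
FORWARDING = "8080:10.0.10.2:80 10.0.10.2:22"
ROUTER_IP = "10.0.10.1"        # IP= of the NIC on NETWORK_ID="9"
PRIVATE_NET = "10.0.10.0/24"   # assumption: the private network is a /24


def parse_forwarding(value):
    """Return (external_port, target_ip, target_port) for each entry.
    Assumed entry form: [external_port:]ip:port, separated by whitespace.
    When external_port is omitted it is taken to equal target_port.
    """
    rules = []
    for entry in value.split():
        parts = entry.split(":")
        if len(parts) == 2:
            parts.insert(0, parts[1])
        if len(parts) != 3:
            raise ValueError(f"malformed FORWARDING entry: {entry!r}")
        ext, ip, port = int(parts[0]), parts[1], int(parts[2])
        ipaddress.ip_address(ip)  # raises ValueError on a bad address
        if not (0 < ext < 65536 and 0 < port < 65536):
            raise ValueError(f"port out of range in {entry!r}")
        rules.append((ext, ip, port))
    return rules


def audit(value, router_ip, private_net, router_services=(22,)):
    """Return (external_port, finding) pairs for entries worth a second look."""
    net = ipaddress.ip_network(private_net)
    findings, seen = [], set()
    for ext, ip, port in parse_forwarding(value):
        if ext in seen:
            findings.append((ext, "duplicate external port"))
        seen.add(ext)
        if ext in router_services:
            # With destination NAT, connections to this port on the router
            # are handed to the target instead of the router's own service.
            findings.append((ext, f"router port taken over by {ip}:{port}"))
        if ipaddress.ip_address(ip) not in net:
            findings.append((ext, "target outside private network"))
        elif ip == router_ip:
            findings.append((ext, "target is the router itself"))
    return findings

if __name__ == "__main__":
    for ext, finding in audit(FORWARDING, ROUTER_IP, PRIVATE_NET):
        print(f"external port {ext}: {finding}")
```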