On Tue, Dec 11, 2012 at 10:03:22AM -0800, Ben Pfaff wrote: > On Tue, Dec 11, 2012 at 04:10:02PM +0100, Jaime Melis wrote: > > here you go. > > Thanks. > > While proofreading, I noticed what might be a problem, though. The > documentation says:
Here's what I came up with while proofreading, by the way. I reflowed paragraphs and adjusted spacing and punctuation in a few places to match the other files in the documentation directory. --8<--------------------------cut here-------------------------->8-- From: Jaime Melis <jme...@opennebula.org> Date: Wed, 5 Dec 2012 12:33:40 +0100 Subject: [PATCH] INSTALL.OpenNebula: New instructions for using with OpenNebula. Signed-off-by: Jaime Melis <jme...@opennebula.org> Signed-off-by: Ben Pfaff <b...@nicira.com> --- INSTALL.OpenNebula | 198 ++++++++++++++++++++++++++++++++++++++++++++++++++++ Makefile.am | 1 + README | 2 + 3 files changed, 201 insertions(+), 0 deletions(-) create mode 100644 INSTALL.OpenNebula diff --git a/INSTALL.OpenNebula b/INSTALL.OpenNebula new file mode 100644 index 0000000..1bc20b5 --- /dev/null +++ b/INSTALL.OpenNebula 
@@ -0,0 +1,198 @@ + How to Use Open vSwitch with OpenNebula + ======================================= + +This document describes how to use Open vSwitch with OpenNebula 3.8.1 +or later. This document assumes that you followed INSTALL or +installed Open vSwitch from distribution packaging such as a .deb or +.rpm. + +This guide will address the usage of VLAN tagging and OpenFlow +filtering of OpenNebula Virtual Machines. On top of that any other +Open vSwitch feature may be used by tuning and extending the Open +vSwitch drivers in OpenNebula. + +Setup +----- + +You need to install Open vSwitch on each OpenNebula Host. Please refer +to the INSTALL guide to do so. + +It is also necessary to install the Open vSwitch compatibility layer +for Linux bridging. Please refer to the INSTALL.bridge guide. + +The sudoers file must be configured so oneadmin can execute +`ovs_vsctl` in the hosts. + +Next, create an Open vSwitch bridge by using the ovs-vsctl utility +(this must be done with administrative privileges): + + % ovs-vsctl add-br ovsbr + +An Open vSwitch bridge should be created in each host, preferably with +the same name, and the name of this bridge should be specified in the +network definition template with the `BRIDGE` parameter. + +OpenNebula Configuration +------------------------ + +The Open vSwitch driver (ovswitch) is enabled by default in +OpenNebula. To make use of it, simply associate a host to that network +driver (as oneadmin). + + $ onehost create <hostname> im_kvm vmm_kvm tm_shared ovswitch + +Driver Actions +-------------- + +- Pre: Not enabled for Open vSwitch. + +- Post: Performs the appropriate Open vSwitch commands to tag the + virtual tap interface (network isolation) and applies traffic + filtering rules. + +- Clean: It doesn't do anything. The virtual tap interfaces will be + automatically discarded when the VM is shut down. 
+ +Network Isolation +----------------- + +The driver will be automatically applied to every Virtual Machine +deployed in the Host. Only the virtual networks with the attribute +`VLAN="YES"` will be isolated. There are no other special attributes +required. + + NAME = "ovswitch_net" + TYPE = "fixed" + + # "ovsbr" is an Open vSwtich bridge + BRIDGE = "ovsbr" + + VLAN = "YES" + + # Optional + VLAN_ID = 50 + + # Lease information + LEASES = 10.0.0.10 + LEASES = 10.0.0.11 + LEASES = ... + +Any user with Network creation/modification permissions may force a +custom vlan id with the ''VLAN_ID'' parameter in the network +template. In that scenario, any user may be able to connect to another +network with the same network id. Techniques to avoid this are +explained under the Tuning & Extending section. + +Traffic Filtering +----------------- + +The first rule that is always applied when using the Open vSwitch +drivers is the MAC-spoofing rule, that prevents any traffic coming out +of the VM if the user changes the MAC address. + +The firewall directives must be placed in the network section of the +Virtual Machine template. These are the possible attributes: + +- BLACK_PORTS_TCP = iptables_range: Doesn't permit access to the VM + through the specified ports in the TCP protocol. + +- BLACK_PORTS_UDP = iptables_range: Doesn't permit access to the VM + through the specified ports in the UDP protocol. + +- ICMP = drop: Blocks ICMP connections to the VM. By default it's set + to accept. + +iptables_range: a list of ports separated by commas, e.g.: 80,8080. +Currently no ranges are supported, e.g.: 5900:6000 is not supported. + +Example: + + NIC = [ + NETWORK_ID = 3, + BLACK_PORTS_TCP = "80,8080", + ICMP = drop + ] + +Tuning and Extending +-------------------- + +Remember that any change in the /var/lib/one/remotes directory won't +be effective in the Hosts until you execute `onehost sync` (as +oneadmin). 
+ + $ onehost sync + +The vlan id is calculated by adding the network id to a constant +defined in `/var/lib/one/remotes/vnm/OpenNebulaNetwork.rb`. You can +customize that value to your own needs: + + CONF = { + :start_vlan => 2 + } + +Restricting the VLAN_ID atttribute +---------------------------------- + +You can either restrict permissions on Network creation with ACL +rules, or you can entirely disable the possibility to redefine the +VLAN_ID by modifying the source code of +`/var/lib/one/remotes/vnm/ovswitch/OpenvSwitch.rb`. Change these +lines: + + if nic[:vlan_id] + vlan = nic[:vlan_id] + else + vlan = CONF[:start_vlan] + nic[:network_id].to_i + end +with this one: + + vlan = CONF[:start_vlan] + nic[:network_id].to_i + +OpenFlow Rules +-------------- + +To modify these rules you have to edit: +`/var/lib/one/remotes/vnm/ovswitch/OpenvSwitch.rb`. + +1. Mac-spoofing + +These rules prevent any traffic to come out of the port the MAC +address has changed. + + in_port=<PORT>,dl_src=<MAC>,priority=40000,actions=normal + in_port=<PORT>,priority=39000,actions=normal + +2. Black ports (one rule per port) + + tcp,dl_dst=<MAC>,tp_dst=<PORT>,actions=drop + +3. ICMP Drop + + icmp,dl_dst=<MAC>,actions=drop + +Troubleshooting +--------------- + +When an Open vSwitch driver actions fails it will be reflected in the +logs: + +- `/var/log/one/oned.log` + +- `/var/log/one/<vm_id>.log` + +Further Reading +--------------- + +- OpenNebula Hosts: http://opennebula.org/documentation:rel3.8:host_guide + +- OpenNebula ACLs: http://opennebula.org/documentation:rel3.8:openvswitch + +- OpenNebula Open vSwitch guide: + http://opennebula.org/documentation:rel3.8:manage_acl + +Bug Reporting +------------- + +Please report OpenNebula problems to the OpenNebula Users mailing +list. Open vSwitch specific problems should be reported to +b...@openvswitch.org. diff --git a/Makefile.am b/Makefile.am index fe6aa45..ba626a1 100644 --- a/Makefile.am +++ b/Makefile.am 
@@ -47,6 +47,7 @@ EXTRA_DIST = \ INSTALL.Fedora \ INSTALL.KVM \ INSTALL.Libvirt \ + INSTALL.OpenNebula \ INSTALL.RHEL \ INSTALL.SSL \ INSTALL.XenServer \ diff --git a/README b/README index f5a9db8..5dcce7a 100644 --- a/README +++ b/README @@ -103,6 +103,8 @@ To use Open vSwitch... - ...with Libvirt, read INSTALL.Libvirt. + - ...with OpenNebula, read INSTALL.OpenNebula. + - ...as a drop-in replacement for the Linux bridge, read INSTALL.bridge. -- 1.7.2.5 _______________________________________________ dev mailing list dev@openvswitch.org http://openvswitch.org/mailman/listinfo/dev
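Review bot: In the INSTALL.OpenNebula hunk, under "OpenFlow Rules" / "1. Mac-spoofing", both listed flows end in `actions=normal`, so the lower-priority catch-all `in_port=<PORT>,priority=39000,actions=normal` forwards frames from any source MAC and nothing is ever dropped, which contradicts the sentence just above it saying traffic stops once the MAC address changes; either the second rule is really `actions=drop` and the listing should say so, or the description is wrong. That sentence ("prevent any traffic to come out of the port the MAC address has changed") also needs rewording, e.g. "prevent any traffic from leaving the port once the MAC address has changed". Worth adding that these flows match only `dl_src`, so they do not stop ARP or IP spoofing sent from the VM's own MAC. Under "Setup", the sudoers sentence names `ovs_vsctl`; the binary is `ovs-vsctl` (the add-br example a few lines later uses the hyphenated name), and since the flows under "OpenFlow Rules" are in ovs-ofctl syntax, if the driver installs them with `ovs-ofctl` that command needs a sudoers entry as well, so the sentence should list every command the driver runs. In "Network Isolation", "another network with the same network id" should read "the same VLAN id": the risk described is a user choosing a VLAN_ID that collides with another network's VLAN. Under "Driver Actions", Clean "doesn't do anything", yet the black-port and ICMP flows are keyed on `dl_dst=<MAC>` rather than on the port; the text should say whether those flows are removed when the VM goes away and, if not, that a later VM given the same MAC inherits the filtering. Under "2. Black ports" only the `tcp` flow is shown although BLACK_PORTS_UDP is documented; add the `udp` counterpart. In "Further Reading" the last two URLs are swapped: "OpenNebula ACLs" points at ...:openvswitch and "OpenNebula Open vSwitch guide" at ...:manage_acl. Typos: "Open vSwtich" in the template comment, "atttribute" in the "Restricting the VLAN_ID atttribute" heading, and "When an Open vSwitch driver actions fails" in Troubleshooting should be "driver action fails".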