I tried with the following tests:

1) add "firewall_driver = nova.virt.firewall.IptablesFirewallDriver" to nova.conf
   restart nova-compute
   Change the following lines in /usr/share/pyshared/nova/virt/libvirt/firewall.py

       self._define_filter(self._filter_container('nova-base',
                                                  ['no-mac-spoofing',
                                                   'no-ip-spoofing',
                                                   'no-arp-spoofing',
                                                   'allow-dhcp-server']))
   to
       self._define_filter(self._filter_container('nova-base',
                                                  ['allow-dhcp-server']))

   then flush the ebtables ruleset: ebtables -t nat -F
   stop libvirt-bin & start libvirt-bin
   Still generates the anti-spoofing rules.

2) change action='drop' to 'accept' in the following XML files

       sed -i "s/action='drop'/ action='accept'/g" /etc/libvirt/nwfilter/no-arp-ip-spoofing.xml
       sed -i "s/action='drop'/ action='accept'/g" /etc/libvirt/nwfilter/no-arp-mac-spoofing.xml
       sed -i "s/action='drop'/ action='accept'/g" /etc/libvirt/nwfilter/no-ip-spoofing.xml
       sed -i "s/action='drop'/ action='accept'/g" /etc/libvirt/nwfilter/no-mac-broadcast.xml
       sed -i "s/action='drop'/ action='accept'/g" /etc/libvirt/nwfilter/no-mac-spoofing.xml
       sed -i "s/action='drop'/ action='accept'/g" /etc/libvirt/nwfilter/no-other-l2-traffic.xml
       sed -i "s/action='drop'/ action='accept'/g" /etc/libvirt/nwfilter/no-other-rarp-traffic.xml

   then flush the ebtables ruleset: ebtables -t nat -F
   stop libvirt-bin & start libvirt-bin
   Okay, I can see accept rules, but the kvm processes are also gone at the
   same time. Don't know why.

Still waiting for some help!!

-Jimmy

2012/5/3 Yong Sheng Gong <gong...@cn.ibm.com>

> It seems change https://review.openstack.org/#/c/6569/ can help. Please
> see how it adds a new configuration item to remove some filters.
>
> -----openstack-bounces+gongysh=cn.ibm....@lists.launchpad.net wrote: -----
>
> To: Mike Scherbakov <mih...@gmail.com>
> From: Jimmy Tsai <cmi...@gmail.com>
> Sent by: openstack-bounces+gongysh=cn.ibm....@lists.launchpad.net
> Date: 05/03/2012 01:45AM
> Cc: openstack@lists.launchpad.net, jimmy.t...@104.com.tw
> Subject: Re: [Openstack] questions about IP addressing and network config
>
> Hi Mike,
>
> I really need to bind a loopback IP in my environment. I use the command
> "ebtables -t nat -F" to flush the ebtables rules, so I can bind any IP I
> wish, but if I stop libvirt-bin and start libvirt-bin, the security rules
> will be applied again. If I comment out no-ip-spoofing & no-arp-spoofing in
> /etc/libvirt/nwfilter/nova-base.xml, after launching an instance the file
> is reset to default. I think I'm using the wrong way. Is there any way to
> ignore the nova-base rule in
> /usr/lib/python2.7/dist-packages/nova/virt/libvirt/firewall.py ?
>
> Thanks for your help.
> -Jimmy
>
> 2012/4/27 Mike Scherbakov <mih...@gmail.com>
>
>> Jimmy,
>> Nova is designed to manage IP addresses.
>> That means that even with Flat manager it will be allocating IP addresses
>> for you, storing them in DB. The difference btw FlatDHCP is Flat injects
>> /etc/network/interfaces to the instance, not providing IP by DHCP. So,
>> anti-spoofing rules should be the same (I never checked though for Flat).
>>
>> If you want to provide your own addresses to instances, I believe you
>> will need to extend nova code to provide your custom IP address in API
>> request, and then if it's not already allocated, it should get allocated.
>>
>> Regards,
>>
>> On Fri, Apr 27, 2012 at 3:27 PM, Jimmy Tsai <cmi...@gmail.com> wrote:
>>
>>> Thanks Vish & Mike.
>>>
>>> It works very well after flushing the anti-spoofing rules. I changed the
>>> IP address and bound an alias IP to an interface, but when I restart
>>> nova-network and nova-compute, I can ping neither the IP I changed nor
>>> the instances I haven't changed. I'll try to figure out what happened
>>> with that!!
>>>
>>> Even if I change the IP address, I can't see the correct address on the
>>> Dashboard, because the record in nova.fixed_ips is not changed.
>>> I should try with FlatManager to allocate static IPs.
>>>
>>> Thanks,
>>> -Jimmy
>>>
>>> 2012/4/27 Mike Scherbakov <mih...@gmail.com>
>>>
>>>> On Thu, Apr 26, 2012 at 10:31 PM, Vishvananda Ishaya <vishvana...@gmail.com> wrote:
>>>>
>>>>> On Apr 25, 2012, at 7:31 PM, Jimmy Tsai wrote:
>>>>>
>>>>> > Hi everyone,
>>>>> >
>>>>> > I'm running with Essex 2012.1, and have some questions about the
>>>>> > nova network operation.
>>>>> >
>>>>> > 1. Is it possible to manually assign an IP address to a launched
>>>>> > instance? My situation is: after the instance boots up (OS: CentOS
>>>>> > 6.2), I changed the /etc/sysconfig/network-scripts/ifcfg-eth0 setting
>>>>> > from dhcp to static (the same subnet as created by the command:
>>>>> > nova-manage create network....), and restarted the network service,
>>>>> > and then I couldn't ssh or ping the instance from another server on
>>>>> > the same subnet. What is the problem? I checked the iptables policies
>>>>> > on the compute host, and found nothing about the DROP packets. I also
>>>>> > tried to change the record in the nova.fixed_ips table and the
>>>>> > libvirt.xml of the instance, then rebooted the instance; it still
>>>>> > didn't work. I used FlatDHCP as my network manager.
>>>>>
>>>>> You can't do this. Libvirt sets up no mac spoofing and no ip spoofing
>>>>> so the ip address needs to match the dhcp'd one. You should be able to
>>>>> switch to a static and use the same info that you get from dhcp though.
>>>>>
>>>>> > 2. According to the first question, I have another requirement to
>>>>> > set up a loopback IP address (lo:0) on the running instance. After
>>>>> > the setting was completed, I couldn't ping or ssh the loopback IP from
>>>>> > the same subnet, and I tried to set an alias IP address with eth0:0,
>>>>> > but it still didn't work.
>>>>> > Any ideas with this?
>>>>>
>>>>> Not sure
>>>>>
>>>> I guess it's the same issue as with setting a different IP from what
>>>> dnsmasq provided. You can try ebtables -F; ebtables -t nat -F to flush
>>>> those anti spoofing rules.
>>>>
>>>>> > 3. Is there any way to use 2 NICs with different subnets on
>>>>> > instances? I want to separate the network traffic. Now I'm running
>>>>> > with one bridged interface (br100), and it works well. In order to
>>>>> > back up the large log files, I'm planning to use 2 NICs for the
>>>>> > compute hosts; I want to use 2 vNICs on the instance, one for web
>>>>> > service and the other for log backup. I think I should create a new
>>>>> > network for the second bridged interface, but I can't find any
>>>>> > document to guide me.
>>>>>
>>>>> This is definitely possible with FlatManager (You could use
>>>>> cloud_config drive and some version of contrib/openstack-config converted
>>>>> to work with centos to set up the interfaces)
>>>>>
>>>>> It was possible at one point with FlatDHCPManager as well by creating
>>>>> multiple networks and using a specific combination of config options like
>>>>> use_single_default_gateway. I don't know if anyone has tried this for a
>>>>> while so there may be issues with it. You might try creating a second
>>>>> network and setting use_single_default_gateway and see what happens.
>>>>>
>>>> Confirm that it works with Essex release.
>>>> If you don't specify use_single_default_gateway=true your default
>>>> route will be jumping from one interface to another. If both subnets
>>>> are covered by --fixed_network, it's fine even without setting
>>>> use_single_default_gateway.
>>>>
>>>>> There are plans underway to support this by only dhcping the first
>>>>> interface and allowing a guest agent to set up the other interfaces, but
>>>>> it isn't in place yet.
>>>>>
>>>>> Vish
>>>>
>>>> --
>>>> Mike Scherbakov
>>
>> --
>> Mike Scherbakov

_______________________________________________
Mailing list: https://launchpad.net/~openstack
Post to     : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help   : https://help.launchpad.net/ListHelp
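Both edits the thread walks through (dropping the anti-spoofing filterrefs from the nova-base container in firewall.py, and flipping action='drop' to action='accept' in /etc/libvirt/nwfilter/*.xml) leave a guest free to spoof MAC/IP/ARP, so an operator auditing a compute host wants to spot either one. The audit script below is an added example, not code from the thread, nova or libvirt; the XML samples are constructed and simplified, and the filter names are taken from the messages above.

```python
import xml.etree.ElementTree as ET

# Filters that exist only to drop traffic: any rule that is not action='drop'
# means the file was edited like the sed commands in the thread.
DROP_ONLY_FILTERS = {
    "no-mac-spoofing", "no-ip-spoofing", "no-arp-spoofing",
    "no-arp-ip-spoofing", "no-arp-mac-spoofing", "no-mac-broadcast",
    "no-other-l2-traffic", "no-other-rarp-traffic",
}
# <filterref> entries nova-base carries in the firewall.py snippet above.
NOVA_BASE_REQUIRED = {"no-mac-spoofing", "no-ip-spoofing", "no-arp-spoofing"}

def audit_filter(xml_text):
    """Return (filter_name, rule_index, action) for each rule that should drop but does not."""
    root = ET.fromstring(xml_text)
    name = root.get("name", "")
    if name not in DROP_ONLY_FILTERS:
        return []
    return [(name, i, rule.get("action"))
            for i, rule in enumerate(root.findall("rule"))
            if rule.get("action") != "drop"]

def missing_refs(xml_text, required=NOVA_BASE_REQUIRED):
    """Return the required <filterref> names absent from a container filter."""
    root = ET.fromstring(xml_text)
    return set(required) - {ref.get("filter") for ref in root.findall("filterref")}

def audit_documents(docs):
    """docs maps filename -> XML text (e.g. read from /etc/libvirt/nwfilter/).
    Returns (weakened_rules, missing_nova_base_refs)."""
    weakened, missing = [], set()
    for text in docs.values():
        weakened.extend(audit_filter(text))
        if ET.fromstring(text).get("name") == "nova-base":
            missing |= missing_refs(text)
    return weakened, missing

# Constructed, simplified samples (not real /etc/libvirt/nwfilter contents):
# an intact filter, one flipped to accept, and a nova-base with refs removed.
SAMPLE_DOCS = {
    "no-mac-spoofing.xml": "<filter name='no-mac-spoofing' chain='mac'>"
        "<rule action='drop' direction='out'><mac match='no' srcmacaddr='$MAC'/></rule></filter>",
    "no-ip-spoofing.xml": "<filter name='no-ip-spoofing' chain='ipv4-ip'>"
        "<rule action='accept' direction='out'><ip match='no' srcipaddr='$IP'/></rule></filter>",
    "nova-base.xml": "<filter name='nova-base' chain='root'>"
        "<filterref filter='allow-dhcp-server'/></filter>",
}

if __name__ == "__main__":
    bad, gone = audit_documents(SAMPLE_DOCS)
    print("weakened rules:", bad, "\nnova-base missing:", sorted(gone))
```

On a real host, build the `docs` dict by reading every file in /etc/libvirt/nwfilter/ and feed it to `audit_documents`.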