I found the way to change the nova-base rule: the command "virsh nwfilter-edit nova-base" allows editing the XML file, and the change takes effect immediately. : )

Thanks guys for your help.
-Jimmy

2012/5/4 Jimmy Tsai <cmi...@gmail.com>

> I tried the following tests:
>
> 1)
> add "firewall_driver = nova.virt.firewall.IptablesFirewallDriver" to nova.conf
> restart nova-compute
> Change the following lines in /usr/share/pyshared/nova/virt/libvirt/firewall.py
>
>     self._define_filter(self._filter_container('nova-base',
>                                                ['no-mac-spoofing',
>                                                 'no-ip-spoofing',
>                                                 'no-arp-spoofing',
>                                                 'allow-dhcp-server']))
>
> to
>
>     self._define_filter(self._filter_container('nova-base',
>                                                ['allow-dhcp-server']))
>
> then flush the ebtables ruleset: ebtables -t nat -F
> stop libvirt-bin & start libvirt-bin
> It still generates the anti-spoofing rules.
>
> 2)
> change action='drop' to 'accept' in the following XML files
>
>     sed -i "s/action='drop'/ action='accept'/g" /etc/libvirt/nwfilter/no-arp-ip-spoofing.xml
>     sed -i "s/action='drop'/ action='accept'/g" /etc/libvirt/nwfilter/no-arp-mac-spoofing.xml
>     sed -i "s/action='drop'/ action='accept'/g" /etc/libvirt/nwfilter/no-ip-spoofing.xml
>     sed -i "s/action='drop'/ action='accept'/g" /etc/libvirt/nwfilter/no-mac-broadcast.xml
>     sed -i "s/action='drop'/ action='accept'/g" /etc/libvirt/nwfilter/no-mac-spoofing.xml
>     sed -i "s/action='drop'/ action='accept'/g" /etc/libvirt/nwfilter/no-other-l2-traffic.xml
>     sed -i "s/action='drop'/ action='accept'/g" /etc/libvirt/nwfilter/no-other-rarp-traffic.xml
>
> then flush the ebtables ruleset: ebtables -t nat -F
> stop libvirt-bin & start libvirt-bin
>
> Okay, I can see accept rules, but the kvm processes are also gone at the same time.
> Don't know why.
>
> Still waiting for some help!!
>
> -Jimmy
>
> 2012/5/3 Yong Sheng Gong <gong...@cn.ibm.com>
>
>> It seems change https://review.openstack.org/#/c/6569/ can help. Please see how it adds a new configuration item to remove some filters.
>>
>> -----openstack-bounces+gongysh=cn.ibm....@lists.launchpad.net wrote: -----
>>
>> To: Mike Scherbakov <mih...@gmail.com>
>> From: Jimmy Tsai <cmi...@gmail.com>
>> Sent by: openstack-bounces+gongysh=cn.ibm....@lists.launchpad.net
>> Date: 05/03/2012 01:45AM
>> Cc: openstack@lists.launchpad.net, jimmy.t...@104.com.tw
>> Subject: Re: [Openstack] questions about IP addressing and network config
>>
>> Hi Mike,
>>
>> I really need to bind a loopback IP in my environment. The command "ebtables -t nat -F" flushes the ebtables rules, so I can bind any IP I wish,
>> but if I stop libvirt-bin and start libvirt-bin, the security rules are applied again.
>> If I comment out no-ip-spoofing & no-arp-spoofing in the file /etc/libvirt/nwfilter/nova-base.xml, after launching an instance the file resets to default.
>> I think I am using the wrong way. Is there any way to ignore the nova-base rule in /usr/lib/python2.7/dist-packages/nova/virt/libvirt/firewall.py ?
>>
>> Thanks for your help.
>> -Jimmy
>>
>> 2012/4/27 Mike Scherbakov <mih...@gmail.com>
>>
>>> Jimmy,
>>> Nova is designed to manage IP addresses.
>>> That means that even with Flat manager it will be allocating IP addresses for you, storing them in the DB. The difference between this and FlatDHCP is that Flat injects /etc/network/interfaces into the instance, not providing the IP by DHCP. So, anti-spoofing rules should be the same (I never checked though for Flat).
>>>
>>> If you want to provide your own addresses to instances, I believe you will need to extend the nova code to provide your custom IP address in the API request, and then if it's not already allocated, it should get allocated.
>>>
>>> Regards,
>>>
>>> On Fri, Apr 27, 2012 at 3:27 PM, Jimmy Tsai <cmi...@gmail.com> wrote:
>>>
>>>> Thanks Vish & Mike.
>>>>
>>>> It works very well after flushing the anti-spoofing rules; I changed the IP address and bound an alias IP to an interface,
>>>> but when I restart nova-network and nova-compute, I can ping neither the IP I changed nor the instances I haven't changed.
>>>> I'll try to figure out what happened with that!!
>>>>
>>>> Even if I change the IP address, I cannot see the correct address on the Dashboard, because the record in nova.fixed_ips is not changed.
>>>> I should try FlatManager to allocate a static IP.
>>>>
>>>> Thanks,
>>>> -Jimmy
>>>>
>>>> 2012/4/27 Mike Scherbakov <mih...@gmail.com>
>>>>
>>>>> On Thu, Apr 26, 2012 at 10:31 PM, Vishvananda Ishaya <vishvana...@gmail.com> wrote:
>>>>>
>>>>>> On Apr 25, 2012, at 7:31 PM, Jimmy Tsai wrote:
>>>>>>
>>>>>> > Hi everyone,
>>>>>> >
>>>>>> > I'm running Essex 2012.1, and have some questions about the nova network operation.
>>>>>> >
>>>>>> > 1. Is it possible to manually assign an IP address to a launched instance? My situation is:
>>>>>> > after the instance boots up (OS: CentOS 6.2), I changed the /etc/sysconfig/network-scripts/ifcfg-eth0 setting from dhcp to static (the same subnet as created by the command: nova-manage create network....), and restarted the network service,
>>>>>> > and then I couldn't ssh or ping the instance from another server on the same subnet.
>>>>>> > What is the problem? I checked the iptables policies on the compute host, and found nothing about DROP packets.
>>>>>> > I also tried to change the record in the nova.fixed_ips table and the libvirt.xml of the instance, then rebooted the instance; it still did not work.
>>>>>> > I use FlatDHCP as my network manager.
>>>>>>
>>>>>> You can't do this. Libvirt sets up no-mac-spoofing and no-ip-spoofing, so the IP address needs to match the DHCP'd one. You should be able to switch to static and use the same info that you get from DHCP though.
>>>>>>
>>>>>> > 2. Following on from the first question, I have another requirement to set up a loopback IP address (lo:0) on the running instance. After the setting was completed, I couldn't ping or ssh the loopback IP from the same subnet, and I tried to set an alias IP address with eth0:0, but it still did not work.
>>>>>> > Any ideas with this?
>>>>>>
>>>>>> Not sure
>>>>>
>>>>> I guess it's the same issue as with setting a different IP from what dnsmasq provided. You can try ebtables -F; ebtables -t nat -F to flush those anti-spoofing rules.
>>>>>
>>>>>> > 3. Is there any way to use 2 NICs with different subnets on instances? I want to separate the network traffic.
>>>>>> > Now I'm running with one bridged interface (br100), and it works well. In order to back up the large log files, I'm planning to use 2 NICs for the compute hosts; I want to use 2 vNICs on the instance, one for the web service and the other for log backup.
>>>>>> > I think I should create a new network for the second bridged interface, but I can't find any document to guide me.
>>>>>>
>>>>>> This is definitely possible with FlatManager (you could use cloud_config drive and some version of contrib/openstack-config converted to work with centos to set up the interfaces).
>>>>>>
>>>>>> It was possible at one point with FlatDHCPManager as well by creating multiple networks and using a specific combination of config options like use_single_default_gateway. I don't know if anyone has tried this for a while so there may be issues with it. You might try creating a second network and setting use_single_default_gateway and see what happens.
>>>>>
>>>>> Confirm that it works with the Essex release.
>>>>> If you don't specify use_single_default_gateway=true your default route will be jumping from one interface to another. If both subnets are covered by --fixed_network, it's fine even without setting use_single_default_gateway.
>>>>>
>>>>>> There are plans underway to support this by only DHCPing the first interface and allowing a guest agent to set up the other interfaces, but it isn't in place yet.
>>>>>>
>>>>>> Vish
>>>>>
>>>>> --
>>>>> Mike Scherbakov
>>>
>>> --
>>> Mike Scherbakov

_______________________________________________
Mailing list: https://launchpad.net/~openstack
Post to     : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help   : https://help.launchpad.net/ListHelp
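The thread turns on two facts: nova regenerates the nova-base nwfilter from the `_filter_container` call in firewall.py (so hand edits to nova-base.xml are overwritten), and the sed commands neutralise the leaf filters by turning their drop rules into accept. As an added example (not code from the thread, from nova, or from libvirt), here is a small Python audit that builds a nova-base-shaped definition the way that call does and reports which anti-spoofing filterrefs a definition still carries and how many drop rules a leaf filter still has; the nova-base and no-ip-spoofing samples are constructed and simplified.

```python
"""Audit libvirt nwfilter XML for the anti-spoofing protections that
nova's 'nova-base' filter references by default (added example; not
nova's or libvirt's own code)."""
import xml.etree.ElementTree as ET

# Filters nova-base references by default, per the firewall.py excerpt in the thread.
EXPECTED_ANTISPOOF = frozenset({"no-mac-spoofing", "no-ip-spoofing",
                                "no-arp-spoofing"})

def filter_container(name, filters):
    """Build a root-chain filter that only references other filters, the
    shape nova uses for nova-base (modelled on the call quoted in the thread)."""
    refs = "".join("<filterref filter='%s'/>" % f for f in filters)
    return "<filter name='%s' chain='root'>%s</filter>" % (name, refs)

def referenced_filters(xml_text):
    """Names of every filter a definition references via <filterref>."""
    return {ref.get("filter") for ref in ET.fromstring(xml_text).iter("filterref")}

def missing_antispoof(xml_text):
    """Anti-spoofing filters the definition no longer references; an empty
    set means the guest still gets MAC/IP/ARP spoofing protection."""
    return set(EXPECTED_ANTISPOOF - referenced_filters(xml_text))

def drop_rule_count(xml_text):
    """Number of <rule action='drop'> entries in a leaf filter. The sed in
    the thread rewrites these to 'accept', which turns the filter into a no-op."""
    return sum(1 for r in ET.fromstring(xml_text).iter("rule")
               if r.get("action") == "drop")

# Constructed samples: the default nova-base, the thread's trimmed nova-base,
# and a simplified stand-in for libvirt's no-ip-spoofing leaf filter.
DEFAULT_BASE = filter_container("nova-base", ["no-mac-spoofing", "no-ip-spoofing",
                                              "no-arp-spoofing", "allow-dhcp-server"])
TRIMMED_BASE = filter_container("nova-base", ["allow-dhcp-server"])
LEAF_NO_IP_SPOOFING = """<filter name='no-ip-spoofing' chain='ipv4-ip' priority='-710'>
  <rule action='drop' direction='out' priority='100'>
    <ip match='no' srcipaddr='$IP'/>
  </rule>
</filter>"""
# What the thread's sed leaves behind (it also inserts a stray leading space).
LEAF_AFTER_SED = LEAF_NO_IP_SPOOFING.replace("action='drop'", " action='accept'")

if __name__ == "__main__":
    print(sorted(missing_antispoof(DEFAULT_BASE)))  # []
    print(sorted(missing_antispoof(TRIMMED_BASE)))  # the three anti-spoofing names
    print(drop_rule_count(LEAF_NO_IP_SPOOFING), drop_rule_count(LEAF_AFTER_SED))  # 1 0
```

Running `missing_antispoof` over the output of `virsh nwfilter-dumpxml nova-base` on a compute host shows at a glance whether someone has edited the protections away, regardless of how the edit was made.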