Hi Den,
Thanks for the updates...but still the user can spoof the another ip
address by manually edit the ifcfg-eth0:0 file....
Like if i assign the 10.0.0.5 ip address to one VM through cloud-int...once
the VM bootup user can login to VM and create another virtual ethernet
device and add another ip address 10.0.0.6 to this VM....
I want in anyhow the user can not spoof the ip address....either they can
edit but the new ip address can not boot up(should not active)...
Thanks,
Punit
On Tue, Jun 24, 2014 at 4:44 PM, Dan Kenigsberg <danken(a)redhat.com> wrote:
On Thu, Jun 19, 2014 at 12:34:51PM +0100, Dan Kenigsberg wrote:
> On Thu, Jun 19, 2014 at 04:23:18PM +0800, Punit Dambiwal wrote:
> > Hi,
> >
> > I have setup Ovirt with glusterfs...I have some concern about the
network
> > part....
> >
> > 1. Is there any way to restrict the Guest VM...so that it can be assign
> > with single ip address...and in anyhow the user can not manipulate the
IP
> > address from inside the VM (that means user can not change the ip
address
> > inside the VM).
>
> I am afraid that oVirt does not let you do that out-of-the-box. By
> default, the vdsm-no-mac-spoofing filter is applied to vNICs, which
> indeed allows IP spoofing.
>
> This behavior can be changed by writing a vdsm hook that changes the
> default filterref to
>
> <filterref filter='clean-traffic'>
> <parameter name='CTRL_IP_LEARNING'
value='dhcp'/>
> </filterref>
>
> If your VM is assigned with its address not via dhcp, life is more
> complicated, since the hook needs to have access to this address before
> boot.
>
> I would love to assist you in writing such a hook; please take the
> vmfex_dev hook as a reference. To read more about vdsm hooks, please see
>
http://www.ovirt.org/Vdsm_Hooks .
I've posted a hook like that to
http://gerrit.ovirt.org/#/c/29093/1
Maybe you can try it out, by placing
http://gerrit.ovirt.org/#/c/29093/1/vdsm_hooks/noipspoof/noipspoof.py on
your /usr/libexec/vdsm/hooks/before_device_create on each of your hosts,
and setting a custom property named "noipspoof" to a list of valid IP
addresses.
Please report if it does what it should.
It would obviously be nicer if we integrate this with cloud-init,
so that each VM would have its list of valid addresses defined once.
Care to open an RFE?
Regards,
Dan.