11:23 a.m.
Hi,
I have setup Ovirt with glusterfs...I have some concern about the network
part....
1. Is there any way to restrict the Guest VM...so that it can be assign
with single ip address...and in anyhow the user can not manipulate the IP
address from inside the VM (that means user can not change the ip address
inside the VM).
Thanks,
Punit
2:34 p.m.
On Thu, Jun 19, 2014 at 04:23:18PM +0800, Punit Dambiwal wrote:
Hi,
I have setup Ovirt with glusterfs...I have some concern about the network
part....
1. Is there any way to restrict the Guest VM...so that it can be assign
with single ip address...and in anyhow the user can not manipulate the IP
address from inside the VM (that means user can not change the ip address
inside the VM).
I am afraid that oVirt does not let you do that out-of-the-box. By
default, the vdsm-no-mac-spoofing filter is applied to vNICs, which
indeed allows IP spoofing.
This behavior can be changed by writing a vdsm hook that changes the
default filterref to
<filterref filter='clean-traffic'>
<parameter name='CTRL_IP_LEARNING' value='dhcp'/>
</filterref>
If your VM is assigned with its address not via dhcp, life is more
complicated, since the hook needs to have access to this address before
boot.
I would love to assist you in writing such a hook; please take the
vmfex_dev hook as a reference. To read more about vdsm hooks, please see
http://www.ovirt.org/Vdsm_Hooks .
Regards,
Dan.
11:44 a.m.
On Thu, Jun 19, 2014 at 12:34:51PM +0100, Dan Kenigsberg wrote:
On Thu, Jun 19, 2014 at 04:23:18PM +0800, Punit Dambiwal wrote:
> Hi,
>
> I have setup Ovirt with glusterfs...I have some concern about the network
> part....
>
> 1. Is there any way to restrict the Guest VM...so that it can be assign
> with single ip address...and in anyhow the user can not manipulate the IP
> address from inside the VM (that means user can not change the ip address
> inside the VM).
I am afraid that oVirt does not let you do that out-of-the-box. By
default, the vdsm-no-mac-spoofing filter is applied to vNICs, which
indeed allows IP spoofing.
This behavior can be changed by writing a vdsm hook that changes the
default filterref to
<filterref filter='clean-traffic'>
<parameter name='CTRL_IP_LEARNING' value='dhcp'/>
</filterref>
If your VM is assigned with its address not via dhcp, life is more
complicated, since the hook needs to have access to this address before
boot.
I would love to assist you in writing such a hook; please take the
vmfex_dev hook as a reference. To read more about vdsm hooks, please see
http://www.ovirt.org/Vdsm_Hooks .
I've posted a hook like that to http://gerrit.ovirt.org/#/c/29093/1
Maybe you can try it out, by placing
http://gerrit.ovirt.org/#/c/29093/1/vdsm_hooks/noipspoof/noipspoof.py on
your /usr/libexec/vdsm/hooks/before_device_create on each of your hosts,
and setting a custom property named "noipspoof" to a list of valid IP
addresses.
Please report if it does what it should.
It would obviously be nicer if we integrate this with cloud-init,
so that each VM would have its list of valid addresses defined once.
Care to open an RFE?
Regards,
Dan.
12:52 p.m.
Hi Den,
Thanks for the updates...but still the user can spoof the another ip
address by manually edit the ifcfg-eth0:0 file....
Like if i assign the 10.0.0.5 ip address to one VM through cloud-int...once
the VM bootup user can login to VM and create another virtual ethernet
device and add another ip address 10.0.0.6 to this VM....
I want in anyhow the user can not spoof the ip address....either they can
edit but the new ip address can not boot up(should not active)...
Thanks,
Punit
On Tue, Jun 24, 2014 at 4:44 PM, Dan Kenigsberg <danken(a)redhat.com> wrote:
On Thu, Jun 19, 2014 at 12:34:51PM +0100, Dan Kenigsberg wrote:
> On Thu, Jun 19, 2014 at 04:23:18PM +0800, Punit Dambiwal wrote:
> > Hi,
> >
> > I have setup Ovirt with glusterfs...I have some concern about the
network
> > part....
> >
> > 1. Is there any way to restrict the Guest VM...so that it can be assign
> > with single ip address...and in anyhow the user can not manipulate the
IP
> > address from inside the VM (that means user can not change the ip
address
> > inside the VM).
>
> I am afraid that oVirt does not let you do that out-of-the-box. By
> default, the vdsm-no-mac-spoofing filter is applied to vNICs, which
> indeed allows IP spoofing.
>
> This behavior can be changed by writing a vdsm hook that changes the
> default filterref to
>
> <filterref filter='clean-traffic'>
> <parameter name='CTRL_IP_LEARNING'
value='dhcp'/>
> </filterref>
>
> If your VM is assigned with its address not via dhcp, life is more
> complicated, since the hook needs to have access to this address before
> boot.
>
> I would love to assist you in writing such a hook; please take the
> vmfex_dev hook as a reference. To read more about vdsm hooks, please see
> http://www.ovirt.org/Vdsm_Hooks .
I've posted a hook like that to http://gerrit.ovirt.org/#/c/29093/1
Maybe you can try it out, by placing
http://gerrit.ovirt.org/#/c/29093/1/vdsm_hooks/noipspoof/noipspoof.py on
your /usr/libexec/vdsm/hooks/before_device_create on each of your hosts,
and setting a custom property named "noipspoof" to a list of valid IP
addresses.
Please report if it does what it should.
It would obviously be nicer if we integrate this with cloud-init,
so that each VM would have its list of valid addresses defined once.
Care to open an RFE?
Regards,
Dan.
2:02 p.m.
Am 24.06.2014 11:52, schrieb Punit Dambiwal:
Hi Den,
Thanks for the updates...but still the user can spoof the another ip
address by manually edit the ifcfg-eth0:0 file....
Like if i assign the 10.0.0.5 ip address to one VM through cloud-int...once
the VM bootup user can login to VM and create another virtual ethernet
device and add another ip address 10.0.0.6 to this VM....
I want in anyhow the user can not spoof the ip address....either they can
edit but the new ip address can not boot up(should not active)...
Thanks,
Punit
Imho you can't force the vm to not spin it's inside network interface up
with a certain IP.
What you _can_ (and should) prevent is to allow packets from this
spoofed ip to access your network.
this is, what the filter no-ip-spoofing does, see the docs here:
http://libvirt.org/formatnwfilter.html#nwfexamples
it prevents sending spoofed packages from inside the vm by not allowing
them on the virtual integrated libvirt switch on your host (which runs
the vm).
this might look a little different, depending on your network setup
(bonding, bridges, vlans).
HTH
--
Mit freundlichen Grüßen / Regards
Sven Kieske
Systemadministrator
Mittwald CM Service GmbH & Co. KG
Königsberger Straße 6
32339 Espelkamp
T: +49-5772-293-100
F: +49-5772-293-333
https://www.mittwald.de
Geschäftsführer: Robert Meyer
St.Nr.: 331/5721/1033, USt-IdNr.: DE814773217, HRA 6640, AG Bad Oeynhausen
Komplementärin: Robert Meyer Verwaltungs GmbH, HRB 13260, AG Bad Oeynhausen
3:06 p.m.
On Tue, Jun 24, 2014 at 05:52:51PM +0800, Punit Dambiwal wrote:
Hi Den,
Thanks for the updates...but still the user can spoof the another ip
address by manually edit the ifcfg-eth0:0 file....
Like if i assign the 10.0.0.5 ip address to one VM through cloud-int...once
the VM bootup user can login to VM and create another virtual ethernet
device and add another ip address 10.0.0.6 to this VM....
I want in anyhow the user can not spoof the ip address....either they can
edit but the new ip address can not boot up(should not active)...
Thanks,
Punit
Have you placed my script properly? Could you share your domxml as
visible to libvirt?
virsh -r dumxml <name-of-your-vm>
And as alluded by Sven - could you try to use the spooded IP address?
Configuring is not blocked by the filter, only using it (try pinging
outside of the VM).
Regrads,
Dan.
5:16 a.m.
Hi Dan,
I try the following way :-
1. I placed your script in the following location
:- /usr/libexec/vdsm/hooks/before_device_create/50_noipspoof &
/usr/libexec/vdsm/hooks/before_nic_hotplug/50_noipspoof
2. Then run this command on the ovirt-engine server (engine-config -s
"UserDefinedVMProperties=noipspoof=^[0-9.]*$")
3. After that stop the VM and set a custom property named "noipspoof" with
ip 10.10.10.6.
4. Run the VM and login via ssh,configure another ethernet with eth0:0 with
the ip address 10.10.10.9
5. From another VM with ip 10.10.10.5 i can able to ping 10.10.10.9....
One strange thing is in VM xml still the filter is "vdsm-no-mac-spoofing"
instead of "noipspoof"
----------------
<interface type='bridge'>
<mac address='00:1a:4a:81:80:09'/>
<source bridge='private'/>
<target dev='vnet0'/>
<model type='virtio'/>
<filterref filter='vdsm-no-mac-spoofing'/>
<link state='up'/>
<alias name='net0'/>
<address type='pci' domain='0x0000' bus='0x00'
slot='0x05'
function='0x0'/
----------------
Please let me know if i am wrong here....
[image: Inline image 1]
On Tue, Jun 24, 2014 at 8:06 PM, Dan Kenigsberg <danken(a)redhat.com> wrote:
On Tue, Jun 24, 2014 at 05:52:51PM +0800, Punit Dambiwal wrote:
> Hi Den,
>
> Thanks for the updates...but still the user can spoof the another ip
> address by manually edit the ifcfg-eth0:0 file....
>
> Like if i assign the 10.0.0.5 ip address to one VM through
cloud-int...once
> the VM bootup user can login to VM and create another virtual ethernet
> device and add another ip address 10.0.0.6 to this VM....
>
> I want in anyhow the user can not spoof the ip address....either they can
> edit but the new ip address can not boot up(should not active)...
>
> Thanks,
> Punit
Have you placed my script properly? Could you share your domxml as
visible to libvirt?
virsh -r dumxml <name-of-your-vm>
And as alluded by Sven - could you try to use the spooded IP address?
Configuring is not blocked by the filter, only using it (try pinging
outside of the VM).
Regrads,
Dan.
10:09 a.m.
Here's a workaround:
define one logical network per vm
assign IPs to these networks from a central instance
assign one broadcast domain per logical network.
so in other words: do correct subnetting.
if you got a router who can't get spoofed you should be fine.
HTH
Am 25.06.2014 04:16, schrieb Punit Dambiwal:
Hi Dan,
I try the following way :-
1. I placed your script in the following location
:- /usr/libexec/vdsm/hooks/before_device_create/50_noipspoof &
/usr/libexec/vdsm/hooks/before_nic_hotplug/50_noipspoof
2. Then run this command on the ovirt-engine server (engine-config -s
"UserDefinedVMProperties=noipspoof=^[0-9.]*$")
3. After that stop the VM and set a custom property named "noipspoof" with
ip 10.10.10.6.
4. Run the VM and login via ssh,configure another ethernet with eth0:0 with
the ip address 10.10.10.9
5. From another VM with ip 10.10.10.5 i can able to ping 10.10.10.9....
One strange thing is in VM xml still the filter is "vdsm-no-mac-spoofing"
instead of "noipspoof"
----------------
<interface type='bridge'>
<mac address='00:1a:4a:81:80:09'/>
<source bridge='private'/>
<target dev='vnet0'/>
<model type='virtio'/>
<filterref filter='vdsm-no-mac-spoofing'/>
<link state='up'/>
<alias name='net0'/>
<address type='pci' domain='0x0000' bus='0x00'
slot='0x05'
function='0x0'/
>
----------------
Please let me know if i am wrong here....
[image: Inline image 1]
On Tue, Jun 24, 2014 at 8:06 PM, Dan Kenigsberg <danken(a)redhat.com> wrote:
> On Tue, Jun 24, 2014 at 05:52:51PM +0800, Punit Dambiwal wrote:
>> Hi Den,
>>
>> Thanks for the updates...but still the user can spoof the another ip
>> address by manually edit the ifcfg-eth0:0 file....
>>
>> Like if i assign the 10.0.0.5 ip address to one VM through
> cloud-int...once
>> the VM bootup user can login to VM and create another virtual ethernet
>> device and add another ip address 10.0.0.6 to this VM....
>>
>> I want in anyhow the user can not spoof the ip address....either they can
>> edit but the new ip address can not boot up(should not active)...
>>
>> Thanks,
>> Punit
>
> Have you placed my script properly? Could you share your domxml as
> visible to libvirt?
>
> virsh -r dumxml <name-of-your-vm>
>
> And as alluded by Sven - could you try to use the spooded IP address?
> Configuring is not blocked by the filter, only using it (try pinging
> outside of the VM).
>
> Regrads,
> Dan.
>
_______________________________________________
Users mailing list
Users(a)ovirt.org
http://lists.ovirt.org/mailman/listinfo/users
--
Mit freundlichen Grüßen / Regards
Sven Kieske
Systemadministrator
Mittwald CM Service GmbH & Co. KG
Königsberger Straße 6
32339 Espelkamp
T: +49-5772-293-100
F: +49-5772-293-333
https://www.mittwald.de
Geschäftsführer: Robert Meyer
St.Nr.: 331/5721/1033, USt-IdNr.: DE814773217, HRA 6640, AG Bad Oeynhausen
Komplementärin: Robert Meyer Verwaltungs GmbH, HRB 13260, AG Bad Oeynhausen
10:57 a.m.
On Wed, Jun 25, 2014 at 10:16:12AM +0800, Punit Dambiwal wrote:
Hi Dan,
I try the following way :-
1. I placed your script in the following location
:- /usr/libexec/vdsm/hooks/before_device_create/50_noipspoof &
/usr/libexec/vdsm/hooks/before_nic_hotplug/50_noipspoof
2. Then run this command on the ovirt-engine server (engine-config -s
"UserDefinedVMProperties=noipspoof=^[0-9.]*$")
3. After that stop the VM and set a custom property named "noipspoof" with
ip 10.10.10.6.
4. Run the VM and login via ssh,configure another ethernet with eth0:0 with
the ip address 10.10.10.9
5. From another VM with ip 10.10.10.5 i can able to ping 10.10.10.9....
One strange thing is in VM xml still the filter is "vdsm-no-mac-spoofing"
instead of "noipspoof"
----------------
<interface type='bridge'>
<mac address='00:1a:4a:81:80:09'/>
<source bridge='private'/>
<target dev='vnet0'/>
<model type='virtio'/>
<filterref filter='vdsm-no-mac-spoofing'/>
<link state='up'/>
<alias name='net0'/>
<address type='pci' domain='0x0000' bus='0x00'
slot='0x05'
function='0x0'/
>
----------------
Please let me know if i am wrong here....
I can try to help you debug the issue. Could you attach vdsm.log from
the vmCreate command to the place where the VM turns to "Up"?
Can you verify that
/usr/libexec/vdsm/hooks/before_device_create/50_noipspoof is executable
to the vdsm user?
Dan.
1:03 p.m.
Hi Dan,
Please find the attach logs.
1. vdsm.log (VM Creation)
2. vdsm1.log (when add custom property)
3. vdsm2.log (Start the VM)
On Wed, Jun 25, 2014 at 3:57 PM, Dan Kenigsberg <danken(a)redhat.com> wrote:
On Wed, Jun 25, 2014 at 10:16:12AM +0800, Punit Dambiwal wrote:
> Hi Dan,
>
> I try the following way :-
>
> 1. I placed your script in the following location
> :- /usr/libexec/vdsm/hooks/before_device_create/50_noipspoof &
> /usr/libexec/vdsm/hooks/before_nic_hotplug/50_noipspoof
>
> 2. Then run this command on the ovirt-engine server (engine-config -s
> "UserDefinedVMProperties=noipspoof=^[0-9.]*$")
> 3. After that stop the VM and set a custom property named "noipspoof"
with
> ip 10.10.10.6.
> 4. Run the VM and login via ssh,configure another ethernet with eth0:0
with
> the ip address 10.10.10.9
> 5. From another VM with ip 10.10.10.5 i can able to ping 10.10.10.9....
>
> One strange thing is in VM xml still the filter is "vdsm-no-mac-spoofing"
> instead of "noipspoof"
>
> ----------------
> <interface type='bridge'>
> <mac address='00:1a:4a:81:80:09'/>
> <source bridge='private'/>
> <target dev='vnet0'/>
> <model type='virtio'/>
> <filterref filter='vdsm-no-mac-spoofing'/>
> <link state='up'/>
> <alias name='net0'/>
> <address type='pci' domain='0x0000' bus='0x00'
slot='0x05'
> function='0x0'/
> >
> ----------------
>
> Please let me know if i am wrong here....
I can try to help you debug the issue. Could you attach vdsm.log from
the vmCreate command to the place where the VM turns to "Up"?
Can you verify that
/usr/libexec/vdsm/hooks/before_device_create/50_noipspoof is executable
to the vdsm user?
Dan.
1:30 p.m.
On Wed, Jun 25, 2014 at 06:03:50PM +0800, Punit Dambiwal wrote:
Hi Dan,
Please find the attach logs.
1. vdsm.log (VM Creation)
2. vdsm1.log (when add custom property)
3. vdsm2.log (Start the VM)
I see no reference there to /usr/libexec/vdsm/hooks/before_device_create
(but other hook scripts are mentioned).
Could you do
# su - vdsm -s /bin/bash
$ ls -l /usr/libexec/vdsm/hooks/before_device_create
so we can confirm that the scripts exists and are executable?
7:22 a.m.
Hi Dan,
The permission looks ok...
[root@gfs1 ~]# su - vdsm -s
/bin/bash
-bash-4.1$ ls -l /usr/libexec/vdsm/hooks/before_device_create
total 8
-rwxr-xr-x. 1 root root 1702 Jun 10 05:25 50_macspoof
-rwxr-xr-x. 1 root root 2490 Jun 23 17:47 50_noipspoof
-bash-4.1$ exit
logout
[root@gfs1 ~]#
But the strange thing is noipspoof hook not display in the host hooks
windows....
On Wed, Jun 25, 2014 at 6:30 PM, Dan Kenigsberg <danken(a)redhat.com> wrote:
On Wed, Jun 25, 2014 at 06:03:50PM +0800, Punit Dambiwal wrote:
> Hi Dan,
>
> Please find the attach logs.
>
> 1. vdsm.log (VM Creation)
> 2. vdsm1.log (when add custom property)
> 3. vdsm2.log (Start the VM)
I see no reference there to /usr/libexec/vdsm/hooks/before_device_create
(but other hook scripts are mentioned).
Could you do
# su - vdsm -s /bin/bash
$ ls -l /usr/libexec/vdsm/hooks/before_device_create
so we can confirm that the scripts exists and are executable?
10:12 a.m.
Well this is strange, and this should not be the reason
but can you attach a ".py" ending to the file names (maybe vdsm performs
some strange checks)?
your permissions look good.
the only other thing I can think of are selinux
restrictions, can you check them with:
#this gives you the actual used selinux security level:
getenforce
:this gives you the selinux attributes for the folder:
ls -lZ /usr/libexec/vdsm/hooks/before_device_create
I first thought it might be related to vdsms sudoers
rights but a plain python script should be executed
without modification to the sudoers config.
HTH
Am 26.06.2014 06:22, schrieb Punit Dambiwal:
Hi Dan,
The permission looks ok...
[root@gfs1 ~]# su - vdsm -s
/bin/bash
-bash-4.1$ ls -l /usr/libexec/vdsm/hooks/before_device_create
total 8
-rwxr-xr-x. 1 root root 1702 Jun 10 05:25 50_macspoof
-rwxr-xr-x. 1 root root 2490 Jun 23 17:47 50_noipspoof
-bash-4.1$ exit
logout
[root@gfs1 ~]#
But the strange thing is noipspoof hook not display in the host hooks
windows....
--
Mit freundlichen Grüßen / Regards
Sven Kieske
Systemadministrator
Mittwald CM Service GmbH & Co. KG
Königsberger Straße 6
32339 Espelkamp
T: +49-5772-293-100
F: +49-5772-293-333
https://www.mittwald.de
Geschäftsführer: Robert Meyer
St.Nr.: 331/5721/1033, USt-IdNr.: DE814773217, HRA 6640, AG Bad Oeynhausen
Komplementärin: Robert Meyer Verwaltungs GmbH, HRB 13260, AG Bad Oeynhausen
11:03 a.m.
----- Original Message -----
From: "Sven Kieske" <S.Kieske(a)mittwald.de>
To: users(a)ovirt.org
Sent: Thursday, June 26, 2014 9:12:31 AM
Subject: Re: [ovirt-users] Ip spoofing
Well this is strange, and this should not be the reason
but can you attach a ".py" ending to the file names (maybe vdsm performs
some strange checks)?
We do not ;-)
your permissions look good.
the only other thing I can think of are selinux
restrictions, can you check them with:
#this gives you the actual used selinux security level:
getenforce
That could be it
:this gives you the selinux attributes for the folder:
ls -lZ /usr/libexec/vdsm/hooks/before_device_create
I first thought it might be related to vdsms sudoers
rights but a plain python script should be executed
without modification to the sudoers config.
HTH
Am 26.06.2014 06:22, schrieb Punit Dambiwal:
> Hi Dan,
>
> The permission looks ok...
>
>
> [root@gfs1 ~]# su - vdsm -s
> /bin/bash
> -bash-4.1$ ls -l /usr/libexec/vdsm/hooks/before_device_create
> total 8
> -rwxr-xr-x. 1 root root 1702 Jun 10 05:25 50_macspoof
> -rwxr-xr-x. 1 root root 2490 Jun 23 17:47 50_noipspoof
> -bash-4.1$ exit
> logout
> [root@gfs1 ~]#
>
> But the strange thing is noipspoof hook not display in the host hooks
> windows....
--
Mit freundlichen Grüßen / Regards
Sven Kieske
Systemadministrator
Mittwald CM Service GmbH & Co. KG
Königsberger Straße 6
32339 Espelkamp
T: +49-5772-293-100
F: +49-5772-293-333
https://www.mittwald.de
Geschäftsführer: Robert Meyer
St.Nr.: 331/5721/1033, USt-IdNr.: DE814773217, HRA 6640, AG Bad Oeynhausen
Komplementärin: Robert Meyer Verwaltungs GmbH, HRB 13260, AG Bad Oeynhausen
_______________________________________________
Users mailing list
Users(a)ovirt.org
http://lists.ovirt.org/mailman/listinfo/users
12:30 p.m.
Hi Sven,
I already give the sudo user permission to VDSM user...
Yes..after VDSM restart i can see this hook in host tab....I will test it
again and udpate you guys if still not solve....
On Thu, Jun 26, 2014 at 4:03 PM, Antoni Segura Puimedon <asegurap(a)redhat.com
wrote:
----- Original Message -----
> From: "Sven Kieske" <S.Kieske(a)mittwald.de>
> To: users(a)ovirt.org
> Sent: Thursday, June 26, 2014 9:12:31 AM
> Subject: Re: [ovirt-users] Ip spoofing
>
> Well this is strange, and this should not be the reason
> but can you attach a ".py" ending to the file names (maybe vdsm performs
> some strange checks)?
We do not ;-)
> your permissions look good.
> the only other thing I can think of are selinux
> restrictions, can you check them with:
> #this gives you the actual used selinux security level:
> getenforce
That could be it
> :this gives you the selinux attributes for the folder:
> ls -lZ /usr/libexec/vdsm/hooks/before_device_create
>
> I first thought it might be related to vdsms sudoers
> rights but a plain python script should be executed
> without modification to the sudoers config.
>
> HTH
>
> Am 26.06.2014 06:22, schrieb Punit Dambiwal:
> > Hi Dan,
> >
> > The permission looks ok...
> >
> >
> > [root@gfs1 ~]# su - vdsm -s
> > /bin/bash
> > -bash-4.1$ ls -l /usr/libexec/vdsm/hooks/before_device_create
> > total 8
> > -rwxr-xr-x. 1 root root 1702 Jun 10 05:25 50_macspoof
> > -rwxr-xr-x. 1 root root 2490 Jun 23 17:47 50_noipspoof
> > -bash-4.1$ exit
> > logout
> > [root@gfs1 ~]#
> >
> > But the strange thing is noipspoof hook not display in the host hooks
> > windows....
>
> --
> Mit freundlichen Grüßen / Regards
>
> Sven Kieske
>
> Systemadministrator
> Mittwald CM Service GmbH & Co. KG
> Königsberger Straße 6
> 32339 Espelkamp
> T: +49-5772-293-100
> F: +49-5772-293-333
> https://www.mittwald.de
> Geschäftsführer: Robert Meyer
> St.Nr.: 331/5721/1033, USt-IdNr.: DE814773217, HRA 6640, AG Bad
Oeynhausen
> Komplementärin: Robert Meyer Verwaltungs GmbH, HRB 13260, AG Bad
Oeynhausen
> _______________________________________________
> Users mailing list
> Users(a)ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
>
_______________________________________________
Users mailing list
Users(a)ovirt.org
http://lists.ovirt.org/mailman/listinfo/users
12:07 p.m.
Hi Dan,
Still the same....VM can spoof the ip address...attached is the VM domain
xml file....
On Thu, Jun 26, 2014 at 5:30 PM, Punit Dambiwal <hypunit(a)gmail.com> wrote:
Hi Sven,
I already give the sudo user permission to VDSM user...
Yes..after VDSM restart i can see this hook in host tab....I will test it
again and udpate you guys if still not solve....
On Thu, Jun 26, 2014 at 4:03 PM, Antoni Segura Puimedon <
asegurap(a)redhat.com> wrote:
>
>
> ----- Original Message -----
> > From: "Sven Kieske" <S.Kieske(a)mittwald.de>
> > To: users(a)ovirt.org
> > Sent: Thursday, June 26, 2014 9:12:31 AM
> > Subject: Re: [ovirt-users] Ip spoofing
> >
> > Well this is strange, and this should not be the reason
> > but can you attach a ".py" ending to the file names (maybe vdsm
performs
> > some strange checks)?
>
> We do not ;-)
>
> > your permissions look good.
> > the only other thing I can think of are selinux
> > restrictions, can you check them with:
> > #this gives you the actual used selinux security level:
> > getenforce
>
> That could be it
>
> > :this gives you the selinux attributes for the folder:
> > ls -lZ /usr/libexec/vdsm/hooks/before_device_create
> >
> > I first thought it might be related to vdsms sudoers
> > rights but a plain python script should be executed
> > without modification to the sudoers config.
> >
> > HTH
> >
> > Am 26.06.2014 06:22, schrieb Punit Dambiwal:
> > > Hi Dan,
> > >
> > > The permission looks ok...
> > >
> > >
> > > [root@gfs1 ~]# su - vdsm -s
> > > /bin/bash
> > > -bash-4.1$ ls -l /usr/libexec/vdsm/hooks/before_device_create
> > > total 8
> > > -rwxr-xr-x. 1 root root 1702 Jun 10 05:25 50_macspoof
> > > -rwxr-xr-x. 1 root root 2490 Jun 23 17:47 50_noipspoof
> > > -bash-4.1$ exit
> > > logout
> > > [root@gfs1 ~]#
> > >
> > > But the strange thing is noipspoof hook not display in the host hooks
> > > windows....
> >
> > --
> > Mit freundlichen Grüßen / Regards
> >
> > Sven Kieske
> >
> > Systemadministrator
> > Mittwald CM Service GmbH & Co. KG
> > Königsberger Straße 6
> > 32339 Espelkamp
> > T: +49-5772-293-100
> > F: +49-5772-293-333
> > https://www.mittwald.de
> > Geschäftsführer: Robert Meyer
> > St.Nr.: 331/5721/1033, USt-IdNr.: DE814773217, HRA 6640, AG Bad
> Oeynhausen
> > Komplementärin: Robert Meyer Verwaltungs GmbH, HRB 13260, AG Bad
> Oeynhausen
> > _______________________________________________
> > Users mailing list
> > Users(a)ovirt.org
> > http://lists.ovirt.org/mailman/listinfo/users
> >
> _______________________________________________
> Users mailing list
> Users(a)ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
>
12:16 p.m.
----- Original Message -----
From: "Punit Dambiwal" <hypunit(a)gmail.com>
To: "Antoni Segura Puimedon" <asegurap(a)redhat.com>, "Dan
Kenigsberg" <danken(a)redhat.com>
Cc: "Sven Kieske" <S.Kieske(a)mittwald.de>, users(a)ovirt.org
Sent: Friday, June 27, 2014 11:07:56 AM
Subject: Re: [ovirt-users] Ip spoofing
Hi Dan,
Still the same....VM can spoof the ip address...attached is the VM domain
xml file....
Did you try to disable SELinux with "setenforce 0" to see if the problem is
one of secure contexts?
On Thu, Jun 26, 2014 at 5:30 PM, Punit Dambiwal <hypunit(a)gmail.com> wrote:
> Hi Sven,
>
> I already give the sudo user permission to VDSM user...
>
> Yes..after VDSM restart i can see this hook in host tab....I will test it
> again and udpate you guys if still not solve....
>
>
> On Thu, Jun 26, 2014 at 4:03 PM, Antoni Segura Puimedon <
> asegurap(a)redhat.com> wrote:
>
>>
>>
>> ----- Original Message -----
>> > From: "Sven Kieske" <S.Kieske(a)mittwald.de>
>> > To: users(a)ovirt.org
>> > Sent: Thursday, June 26, 2014 9:12:31 AM
>> > Subject: Re: [ovirt-users] Ip spoofing
>> >
>> > Well this is strange, and this should not be the reason
>> > but can you attach a ".py" ending to the file names (maybe vdsm
performs
>> > some strange checks)?
>>
>> We do not ;-)
>>
>> > your permissions look good.
>> > the only other thing I can think of are selinux
>> > restrictions, can you check them with:
>> > #this gives you the actual used selinux security level:
>> > getenforce
>>
>> That could be it
>>
>> > :this gives you the selinux attributes for the folder:
>> > ls -lZ /usr/libexec/vdsm/hooks/before_device_create
>> >
>> > I first thought it might be related to vdsms sudoers
>> > rights but a plain python script should be executed
>> > without modification to the sudoers config.
>> >
>> > HTH
>> >
>> > Am 26.06.2014 06:22, schrieb Punit Dambiwal:
>> > > Hi Dan,
>> > >
>> > > The permission looks ok...
>> > >
>> > >
>> > > [root@gfs1 ~]# su - vdsm -s
>> > > /bin/bash
>> > > -bash-4.1$ ls -l /usr/libexec/vdsm/hooks/before_device_create
>> > > total 8
>> > > -rwxr-xr-x. 1 root root 1702 Jun 10 05:25 50_macspoof
>> > > -rwxr-xr-x. 1 root root 2490 Jun 23 17:47 50_noipspoof
>> > > -bash-4.1$ exit
>> > > logout
>> > > [root@gfs1 ~]#
>> > >
>> > > But the strange thing is noipspoof hook not display in the host hooks
>> > > windows....
>> >
>> > --
>> > Mit freundlichen Grüßen / Regards
>> >
>> > Sven Kieske
>> >
>> > Systemadministrator
>> > Mittwald CM Service GmbH & Co. KG
>> > Königsberger Straße 6
>> > 32339 Espelkamp
>> > T: +49-5772-293-100
>> > F: +49-5772-293-333
>> > https://www.mittwald.de
>> > Geschäftsführer: Robert Meyer
>> > St.Nr.: 331/5721/1033, USt-IdNr.: DE814773217, HRA 6640, AG Bad
>> Oeynhausen
>> > Komplementärin: Robert Meyer Verwaltungs GmbH, HRB 13260, AG Bad
>> Oeynhausen
>> > _______________________________________________
>> > Users mailing list
>> > Users(a)ovirt.org
>> > http://lists.ovirt.org/mailman/listinfo/users
>> >
>> _______________________________________________
>> Users mailing list
>> Users(a)ovirt.org
>> http://lists.ovirt.org/mailman/listinfo/users
>>
>
>
12:35 p.m.
Well I doubt this is a solution to this,
anyway, if you want to check if it's a permission error
due to not correctly configured selinux you
could do:
grep "avc" /var/log/auditd/auditd.log
and configure your selinux correctly, no need to disable it.
But I doubt that the "VM can spoof the ip address"
you can configure it, sure, but you should not be able
to access anything outside of the vm.
another way to set this up, is, to configure the filter
vdsm-no-mac-spoofing for each vm
and to configure your network to not allow any other ip-packages
from the given mac, and assign well known macs to each vm.
you can also add vlans and proper subnetting to the mix to make
it more secure.
Am 27.06.2014 11:16, schrieb Antoni Segura Puimedon:
Did you try to disable SELinux with "setenforce 0" to see
if the problem is
one of secure contexts?
--
Mit freundlichen Grüßen / Regards
Sven Kieske
Systemadministrator
Mittwald CM Service GmbH & Co. KG
Königsberger Straße 6
32339 Espelkamp
T: +49-5772-293-100
F: +49-5772-293-333
https://www.mittwald.de
Geschäftsführer: Robert Meyer
St.Nr.: 331/5721/1033, USt-IdNr.: DE814773217, HRA 6640, AG Bad Oeynhausen
Komplementärin: Robert Meyer Verwaltungs GmbH, HRB 13260, AG Bad Oeynhausen
1:15 p.m.
Hi,
I found below messages in the audit log :-
[root@gfs1 ~]# grep "avc" /var/log/audit/audit.log
type=AVC msg=audit(1403834461.442:266685): avc: denied { read } for
pid=27958
comm="logrotate" name="core"
dev=dm-0
ino=789758 scontext=system_u:system_r:log
rotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:virt_cache_t:s0
tclass=dir
type=AVC msg=audit(1403835901.532:266865): avc: denied { read } for
pid=29746
comm="xz" name="online" dev=sysfs
ino=23
scontext=system_u:system_r:logrotate_t
:s0-s0:c0.c1023
tcontext=system_u:object_r:sysfs_t:s0 tclass=file
type=AVC msg=audit(1403836508.226:266868): avc: denied { signal } for
pid=353
7 comm="sanlock-helper"
scontext=unconfined_u:system_r:sanlock_t:s0-s0:c0.c1023
tcontext=unconfined_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1403838061.918:266965): avc: denied { read } for
pid=32528
comm="logrotate" name="core"
dev=dm-0
ino=789758 scontext=system_u:system_r:log
rotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:virt_cache_t:s0
tclass=dir
type=AVC msg=audit(1403841661.051:267604): avc: denied { read } for
pid=3256
comm="logrotate" name="core" dev=dm-0
ino=789758 scontext=system_u:system_r:logr
otate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:virt_cache_t:s0 tclass=dir
type=AVC msg=audit(1403841661.053:267605): avc: denied { read } for
pid=3257
comm="xz" name="online" dev=sysfs
ino=23
scontext=system_u:system_r:logrotate_t:
s0-s0:c0.c1023
tcontext=system_u:object_r:sysfs_t:s0 tclass=file
type=AVC msg=audit(1403845261.394:271326): avc: denied { read } for
pid=6791
comm="logrotate" name="core" dev=dm-0
ino=789758 scontext=system_u:system_r:logr
otate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:virt_cache_t:s0 tclass=dir
type=AVC msg=audit(1403848861.538:271797): avc: denied { read } for
pid=9269
comm="logrotate" name="core" dev=dm-0
ino=789758 scontext=system_u:system_r:logr
otate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:virt_cache_t:s0 tclass=dir
type=AVC msg=audit(1403852461.654:272828): avc: denied { read } for
pid=12222
comm="logrotate" name="core"
dev=dm-0
ino=789758 scontext=system_u:system_r:log
rotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:virt_cache_t:s0
tclass=dir
type=AVC msg=audit(1403852998.237:272831): avc: denied { signal } for
pid=353
7 comm="sanlock-helper"
scontext=unconfined_u:system_r:sanlock_t:s0-s0:c0.c1023
tcontext=unconfined_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1403856061.898:273118): avc: denied { read } for
pid=16215
comm="logrotate" name="core"
dev=dm-0
ino=789758 scontext=system_u:system_r:log
rotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:virt_cache_t:s0
tclass=dir
type=AVC msg=audit(1403859661.098:273934): avc: denied { read } for
pid=19991
comm="logrotate" name="core"
dev=dm-0
ino=789758 scontext=system_u:system_r:log
rotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:virt_cache_t:s0
tclass=dir
type=AVC msg=audit(1403863261.394:276053): avc: denied { read } for
pid=24345
comm="logrotate" name="core"
dev=dm-0
ino=789758 scontext=system_u:system_r:log
rotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:virt_cache_t:s0
tclass=dir
[root@gfs1 ~]#
On Fri, Jun 27, 2014 at 5:35 PM, Sven Kieske <S.Kieske(a)mittwald.de> wrote:
Well I doubt this is a solution to this,
anyway, if you want to check if it's a permission error
due to not correctly configured selinux you
could do:
grep "avc" /var/log/auditd/auditd.log
and configure your selinux correctly, no need to disable it.
But I doubt that the "VM can spoof the ip address"
you can configure it, sure, but you should not be able
to access anything outside of the vm.
another way to set this up, is, to configure the filter
vdsm-no-mac-spoofing for each vm
and to configure your network to not allow any other ip-packages
from the given mac, and assign well known macs to each vm.
you can also add vlans and proper subnetting to the mix to make
it more secure.
Am 27.06.2014 11:16, schrieb Antoni Segura Puimedon:
> Did you try to disable SELinux with "setenforce 0" to see if the problem
is
> one of secure contexts?
--
Mit freundlichen Grüßen / Regards
Sven Kieske
Systemadministrator
Mittwald CM Service GmbH & Co. KG
Königsberger Straße 6
32339 Espelkamp
T: +49-5772-293-100
F: +49-5772-293-333
https://www.mittwald.de
Geschäftsführer: Robert Meyer
St.Nr.: 331/5721/1033, USt-IdNr.: DE814773217, HRA 6640, AG Bad Oeynhausen
Komplementärin: Robert Meyer Verwaltungs GmbH, HRB 13260, AG Bad Oeynhausen
2:12 p.m.
Well selinux is not your problem as you run
it in permissive mode, this means
selinux violations will get logged but
not be forbidden.
--
Mit freundlichen Grüßen / Regards
Sven Kieske
Systemadministrator
Mittwald CM Service GmbH & Co. KG
Königsberger Straße 6
32339 Espelkamp
T: +49-5772-293-100
F: +49-5772-293-333
https://www.mittwald.de
Geschäftsführer: Robert Meyer
St.Nr.: 331/5721/1033, USt-IdNr.: DE814773217, HRA 6640, AG Bad Oeynhausen
Komplementärin: Robert Meyer Verwaltungs GmbH, HRB 13260, AG Bad Oeynhausen
12:31 p.m.
On Fri, Jun 27, 2014 at 05:07:56PM +0800, Punit Dambiwal wrote:
Hi Dan,
Still the same....VM can spoof the ip address...attached is the VM domain
xml file....
<snip>
yep, the hook script did not come into action.
<interface type='bridge'>
<mac address='00:1a:4a:81:80:01'/>
<source bridge='private'/>
<target dev='vnet0'/>
<model type='virtio'/>
<filterref filter='vdsm-no-mac-spoofing'/>
<link state='up'/>
<alias name='net0'/>
<address type='pci' domain='0x0000' bus='0x00'
slot='0x03' function='0x0'/>
</interface>
and I am still at the dark regarding what could cause that. Would you
repeat the following line, as root and as vdsm user?
$ cd /usr/share/vdsm; python -c 'import hooks;print
hooks._scriptsPerDir("before_device_create")'
12:36 p.m.
Hi Dan,
Please find the below :-
[root@gfs1 ~]# su - vdsm -s /bin/bash
-bash-4.1$ cd /usr/share/vdsm; python -c 'import hooks;print
hooks._scriptsPerDir("before_device_create")'
['/usr/libexec/vdsm/hooks/before_device_create/50_noipspoof']
-bash-4.1$
Antoni @ selinux already in the permissive mode....do you want me to
disable it ??
[root@gfs1 ~]# sestatus | grep -i mode
Current mode: permissive
Mode from config file: permissive
[root@gfs1 ~]#
On Fri, Jun 27, 2014 at 5:31 PM, Dan Kenigsberg <danken(a)redhat.com> wrote:
On Fri, Jun 27, 2014 at 05:07:56PM +0800, Punit Dambiwal wrote:
> Hi Dan,
>
> Still the same....VM can spoof the ip address...attached is the VM domain
> xml file....
<snip>
yep, the hook script did not come into action.
> <interface type='bridge'>
> <mac address='00:1a:4a:81:80:01'/>
> <source bridge='private'/>
> <target dev='vnet0'/>
> <model type='virtio'/>
> <filterref filter='vdsm-no-mac-spoofing'/>
> <link state='up'/>
> <alias name='net0'/>
> <address type='pci' domain='0x0000' bus='0x00'
slot='0x03'
function='0x0'/>
> </interface>
and I am still at the dark regarding what could cause that. Would you
repeat the following line, as root and as vdsm user?
$ cd /usr/share/vdsm; python -c 'import hooks;print
hooks._scriptsPerDir("before_device_create")'
2:51 p.m.
On Fri, Jun 27, 2014 at 05:36:49PM +0800, Punit Dambiwal wrote:
Hi Dan,
Please find the below :-
[root@gfs1 ~]# su - vdsm -s /bin/bash
-bash-4.1$ cd /usr/share/vdsm; python -c 'import hooks;print
hooks._scriptsPerDir("before_device_create")'
['/usr/libexec/vdsm/hooks/before_device_create/50_noipspoof']
-bash-4.1$
very odd. could you try again and attach a fresh log of the vmCreate
flow? Maybe you could add a
sys.stderr.write('%s' % os.environ)
line in the main() function of the script just to see if it's ever
called?
5:11 a.m.
Hi Dan,
I did the same as you suggested...please find the attached logs and
domainxml....
On Fri, Jun 27, 2014 at 7:51 PM, Dan Kenigsberg <danken(a)redhat.com> wrote:
On Fri, Jun 27, 2014 at 05:36:49PM +0800, Punit Dambiwal wrote:
> Hi Dan,
>
> Please find the below :-
>
> [root@gfs1 ~]# su - vdsm -s /bin/bash
> -bash-4.1$ cd /usr/share/vdsm; python -c 'import hooks;print
> hooks._scriptsPerDir("before_device_create")'
> ['/usr/libexec/vdsm/hooks/before_device_create/50_noipspoof']
> -bash-4.1$
very odd. could you try again and attach a fresh log of the vmCreate
flow? Maybe you could add a
sys.stderr.write('%s' % os.environ)
line in the main() function of the script just to see if it's ever
called?
10:46 a.m.
On Mon, Jun 30, 2014 at 10:11:21AM +0800, Punit Dambiwal wrote:
Hi Dan,
I did the same as you suggested...please find the attached logs and
domainxml....
And now, the log does not mention any hook at all. Have you removed the
macspoof hook which you had there before? How many hosts do you have? Do
they have the same set of installed hooks on them all?
Dan.
1:17 p.m.
Hi Dan,
Yes...i already removed the macspoof....i have 3 hosts in the cluster...but
i have applied this hook on one server only..not all,but at the time of VM
deployment i assign the specific host for the VM,so that the VM should
deploy on the same host that has the hook.
Do i need to install the hook on all the hosts and give a try ??
On Mon, Jun 30, 2014 at 3:46 PM, Dan Kenigsberg <danken(a)redhat.com> wrote:
On Mon, Jun 30, 2014 at 10:11:21AM +0800, Punit Dambiwal wrote:
> Hi Dan,
>
> I did the same as you suggested...please find the attached logs and
> domainxml....
And now, the log does not mention any hook at all. Have you removed the
macspoof hook which you had there before? How many hosts do you have? Do
they have the same set of installed hooks on them all?
Dan.
2:12 p.m.
On Mon, Jun 30, 2014 at 06:17:25PM +0800, Punit Dambiwal wrote:
Hi Dan,
Yes...i already removed the macspoof....i have 3 hosts in the cluster...but
i have applied this hook on one server only..not all,but at the time of VM
deployment i assign the specific host for the VM,so that the VM should
deploy on the same host that has the hook.
Do i need to install the hook on all the hosts and give a try ??
No, as long as you start the VM on the specific host you should be fine.
The fact that the macspoof hook disappeared made me worry that you have
not.
Unfortunately, I have no more guesses why this specific hook would not
run when it should. What happens when you put a silly script instead,
that only does
echo hello world > /dev/stderr
can you see a trace of it in vdsm.log?
Remind me, does
PYTHONPATH=/usr/share/vdsm
/usr/libexec/vdsm/hooks/before_device_create/50_noipspoof.py --test
work for you?
4:55 a.m.
Hi Dan,
I didn't understand about this,would you mind to more elaborate this :-
---------------------
Remind me, does
PYTHONPATH=/usr/share/vdsm /usr/libexec/vdsm/hooks/
before_device_create/50_noipspoof.py --test
work for you?
---------------------
I have this file in before_device_create without .py file extension should
i change it with "50_noipspoof.py" ??
[root@gfs1 before_device_create]# ls
50_noipspoof
[root@gfs1 before_device_create]#
On Mon, Jun 30, 2014 at 7:12 PM, Dan Kenigsberg <danken(a)redhat.com> wrote:
On Mon, Jun 30, 2014 at 06:17:25PM +0800, Punit Dambiwal wrote:
> Hi Dan,
>
> Yes...i already removed the macspoof....i have 3 hosts in the
cluster...but
> i have applied this hook on one server only..not all,but at the time of
VM
> deployment i assign the specific host for the VM,so that the VM should
> deploy on the same host that has the hook.
>
> Do i need to install the hook on all the hosts and give a try ??
No, as long as you start the VM on the specific host you should be fine.
The fact that the macspoof hook disappeared made me worry that you have
not.
Unfortunately, I have no more guesses why this specific hook would not
run when it should. What happens when you put a silly script instead,
that only does
echo hello world > /dev/stderr
can you see a trace of it in vdsm.log?
Remind me, does
PYTHONPATH=/usr/share/vdsm
/usr/libexec/vdsm/hooks/before_device_create/50_noipspoof.py --test
work for you?
11:44 a.m.
On Wed, Jul 02, 2014 at 09:55:19AM +0800, Punit Dambiwal wrote:
Hi Dan,
I didn't understand about this,would you mind to more elaborate this :-
---------------------
Remind me, does
PYTHONPATH=/usr/share/vdsm /usr/libexec/vdsm/hooks/
before_device_create/50_noipspoof.py --test
work for you?
---------------------
I have this file in before_device_create without .py file extension should
i change it with "50_noipspoof.py" ??
[root@gfs1 before_device_create]# ls
50_noipspoof
[root@gfs1 before_device_create]#
The .py extension is my typo; I'm shooting at the dark, trying to guess
why the script does not even attempt to be run for you.
11:55 a.m.
Hi Dan,
Even now i install the noipspoof on all the hosts...but still the same
result...user can be spoof
On Wed, Jul 2, 2014 at 4:44 PM, Dan Kenigsberg <danken(a)redhat.com> wrote:
On Wed, Jul 02, 2014 at 09:55:19AM +0800, Punit Dambiwal wrote:
> Hi Dan,
>
> I didn't understand about this,would you mind to more elaborate this :-
>
> ---------------------
> Remind me, does
>
> PYTHONPATH=/usr/share/vdsm /usr/libexec/vdsm/hooks/
> before_device_create/50_noipspoof.py --test
>
> work for you?
> ---------------------
>
> I have this file in before_device_create without .py file extension
should
> i change it with "50_noipspoof.py" ??
>
> [root@gfs1 before_device_create]# ls
> 50_noipspoof
> [root@gfs1 before_device_create]#
The .py extension is my typo; I'm shooting at the dark, trying to guess
why the script does not even attempt to be run for you.
10:06 a.m.
Hi Dan,
If i use openstack neutron and integrate with ovirt....can it help to
prevent the ip spoof ??
If yes...is there any good howto for install the neutron & integrate
neutron with ovirt ??
Thanks,
Punit
On Wed, Jul 2, 2014 at 4:55 PM, Punit Dambiwal <hypunit(a)gmail.com> wrote:
Hi Dan,
Even now i install the noipspoof on all the hosts...but still the same
result...user can be spoof
On Wed, Jul 2, 2014 at 4:44 PM, Dan Kenigsberg <danken(a)redhat.com> wrote:
> On Wed, Jul 02, 2014 at 09:55:19AM +0800, Punit Dambiwal wrote:
> > Hi Dan,
> >
> > I didn't understand about this,would you mind to more elaborate this :-
> >
> > ---------------------
> > Remind me, does
> >
> > PYTHONPATH=/usr/share/vdsm /usr/libexec/vdsm/hooks/
> > before_device_create/50_noipspoof.py --test
> >
> > work for you?
> > ---------------------
> >
> > I have this file in before_device_create without .py file extension
> should
> > i change it with "50_noipspoof.py" ??
> >
> > [root@gfs1 before_device_create]# ls
> > 50_noipspoof
> > [root@gfs1 before_device_create]#
>
> The .py extension is my typo; I'm shooting at the dark, trying to guess
> why the script does not even attempt to be run for you.
>
10:14 a.m.
On Thu, Jun 26, 2014 at 12:22:23PM +0800, Punit Dambiwal wrote:
Hi Dan,
The permission looks ok...
[root@gfs1 ~]# su - vdsm -s
/bin/bash
-bash-4.1$ ls -l /usr/libexec/vdsm/hooks/before_device_create
total 8
-rwxr-xr-x. 1 root root 1702 Jun 10 05:25 50_macspoof
-rwxr-xr-x. 1 root root 2490 Jun 23 17:47 50_noipspoof
-bash-4.1$ exit
logout
[root@gfs1 ~]#
I'm out of guesses. It should not make any change, but please
`service vdsmd stop`, wait a bit, and `service vdsmd start`.
But the strange thing is noipspoof hook not display in the host hooks
windows....
That's not so strange - it is updated only when the host becomes
operational. If you restart vdsmd as explained above, they should show
up.
7:25 a.m.
Hi Dan,
The permission looks ok...
[root@gfs1 ~]# su - vdsm -s
/bin/bash
-bash-4.1$ ls -l /usr/libexec/vdsm/hooks/before_device_create
total 8
-rwxr-xr-x. 1 root root 1702 Jun 10 05:25 50_macspoof
-rwxr-xr-x. 1 root root 2490 Jun 23 17:47 50_noipspoof
-bash-4.1$ exit
logout
[root@gfs1 ~]#
But the strange thing is noipspoof hook not display in the host hooks
windows....please check the attachment.
On Wed, Jun 25, 2014 at 6:30 PM, Dan Kenigsberg <danken(a)redhat.com> wrote:
On Wed, Jun 25, 2014 at 06:03:50PM +0800, Punit Dambiwal wrote:
> Hi Dan,
>
> Please find the attach logs.
>
> 1. vdsm.log (VM Creation)
> 2. vdsm1.log (when add custom property)
> 3. vdsm2.log (Start the VM)
I see no reference there to /usr/libexec/vdsm/hooks/before_device_create
(but other hook scripts are mentioned).
Could you do
# su - vdsm -s /bin/bash
$ ls -l /usr/libexec/vdsm/hooks/before_device_create
so we can confirm that the scripts exists and are executable?
12:56 p.m.
Hi Jure,
It's ok....but what about if user will spoof the ip on the eth0:0....then
the mac address will be same as eth0 ?? how we can control this ??
Thanks,
Punit D
On Wed, Jul 9, 2014 at 3:38 PM, Jure Kranjc <jure.kranjc(a)arnes.si> wrote:
Hi,
I don't know if this is much help but here is our setup which works in a
way that users cannot spoof public IP from inside VM.
We've set up a MAC pool range on engine and a DHCP server on one VM, this
server assigns IPs according to VMs MACs.
We use CentOS6 nodes (and engine 3.3.5). The node always sees the VM's NIC
by it's ovirt MAC, even if user changes it from inside VM.
Now the solution was ebtables (bridge tables). We've set rules on bridge
to public network which drops packets if they don't come from legit MAC/IP
combination. Example:
-A FORWARD -p IPv4 -s 0:1a:4a:f9:xx:xx --ip-src ! IPADDRofVM -j DROP
Any comments on the setup are appriceated.
JureKr
On 06/19/2014 10:23 AM, Punit Dambiwal wrote:
Hi,
I have setup Ovirt with glusterfs...I have some concern about the
network part....
1. Is there any way to restrict the Guest VM...so that it can be assign
with single ip address...and in anyhow the user can not manipulate the IP
address from inside the VM (that means user can not change the ip address
inside the VM).
Thanks,
Punit
_______________________________________________
Users mailing listUsers@ovirt.orghttp://lists.ovirt.org/mailman/listinfo/users
_______________________________________________
Users mailing list
Users(a)ovirt.org
http://lists.ovirt.org/mailman/listinfo/users
3789
days inactive
3809
days old
34 comments
5 participants
participants (5)
-
Antoni Segura Puimedon -
Dan Kenigsberg -
Jure Kranjc -
Punit Dambiwal -
Sven Kieske