3:02 p.m.
Hello,
I'm looking for a way to prevent the users/administrators of our virtual
machines to change their ip.
One of the interesting solutions I stumbled upon is the isolatedprivatevlan
hook[1]
I installed the hook via yum, added the Custom VM Setting
("UserDefinedVMProperties=isolatedprivatevlan=^([0-9A-Fa-f]{2}[:-]){5}([0-9A-Fa-f]{2}),(?:[0-9]{1,3}\.){3}[0-9]{1,3}$"),
that I'm not sure if it's correct as it was written up quickly.
Now when I set the custom setting via the panel and try to start the VM I
get the following error:
"VM TestVM is down. Exit message: XML error: Invalid specification of
multiple <filterref>s in a single <interface>." If I read the wiki[1]
correcty the <interface> should have multiple <filterrefs> when this hook
is activated. So I'm wondering if the hook is simply out of date/not
working or am I missing something else?
I'm running oVirt 3.4.2-1.el6 on CentOS 6 (everything up to date).
Any help would be greatly appreciated, (including other ways of preventing
the VM ip changes from users)
Črnko
[1] - http://www.ovirt.org/VDSM-Hooks/isolatedprivatevlan
4:38 p.m.
In short:
I believe this hook is out of date,
you can define logical networks in ovirt and assign
them v-lans, so you can go with one logical network
per vm and assign a unique vlan to that, ovirt
takes care of the complete deploy process, you need no
hook.
the only thing you need of course is some network hardware
which is capable of vlan tagging.
HTH
Am 26.06.2014 14:02, schrieb Matjaž Črnko:
Hello,
I'm looking for a way to prevent the users/administrators of our virtual
machines to change their ip.
One of the interesting solutions I stumbled upon is the isolatedprivatevlan
hook[1]
I installed the hook via yum, added the Custom VM Setting
("UserDefinedVMProperties=isolatedprivatevlan=^([0-9A-Fa-f]{2}[:-]){5}([0-9A-Fa-f]{2}),(?:[0-9]{1,3}\.){3}[0-9]{1,3}$"),
that I'm not sure if it's correct as it was written up quickly.
Now when I set the custom setting via the panel and try to start the VM I
get the following error:
"VM TestVM is down. Exit message: XML error: Invalid specification of
multiple <filterref>s in a single <interface>." If I read the wiki[1]
correcty the <interface> should have multiple <filterrefs> when this hook
is activated. So I'm wondering if the hook is simply out of date/not
working or am I missing something else?
I'm running oVirt 3.4.2-1.el6 on CentOS 6 (everything up to date).
Any help would be greatly appreciated, (including other ways of preventing
the VM ip changes from users)
Črnko
[1] - http://www.ovirt.org/VDSM-Hooks/isolatedprivatevlan
--
Mit freundlichen Grüßen / Regards
Sven Kieske
Systemadministrator
Mittwald CM Service GmbH & Co. KG
Königsberger Straße 6
32339 Espelkamp
T: +49-5772-293-100
F: +49-5772-293-333
https://www.mittwald.de
Geschäftsführer: Robert Meyer
St.Nr.: 331/5721/1033, USt-IdNr.: DE814773217, HRA 6640, AG Bad Oeynhausen
Komplementärin: Robert Meyer Verwaltungs GmbH, HRB 13260, AG Bad Oeynhausen
8:33 p.m.
On Thu, Jun 26, 2014 at 01:38:16PM +0000, Sven Kieske wrote:
In short:
I believe this hook is out of date,
Correct. It happens to have been broken quite long time ago (ovirt-3.1)
with the introduction of no-mac-spoof filtering.
I remember reviewing a gerrit post that aimed to change things there,
but I fail to find it now (could the author has retracted a draft?)
Basically, the hook should replace (and not add) a filterref. Anybody
cares to send a quick fix or file a BZ?
you can define logical networks in ovirt and assign
them v-lans, so you can go with one logical network
per vm and assign a unique vlan to that, ovirt
takes care of the complete deploy process, you need no
hook.
the only thing you need of course is some network hardware
which is capable of vlan tagging.
Alternatively, we can consume libvirt's "clean-traffic" filter. Given
the onslaght of requests regarding this, I've file
http://www.ovirt.org/Features/Avoid_IP_Spoofing; a user filing an RFE
could help, too.
Integrating this with Engine may take a while, so I'd be pleased if you
try out this suggestion for a noipspoof hook
http://gerrit.ovirt.org/29093
Regards,
Dan.
3802
days inactive
3802
days old
2 comments
3 participants
participants (3)
-
Dan Kenigsberg -
Matjaž Črnko -
Sven Kieske