
On Thu, Jun 19, 2014 at 12:34:51PM +0100, Dan Kenigsberg wrote:
On Thu, Jun 19, 2014 at 04:23:18PM +0800, Punit Dambiwal wrote:
Hi,
I have set up oVirt with glusterfs... I have some concerns about the network part...
1. Is there any way to restrict the guest VM so that it can be assigned a single IP address, and so that the user cannot in any way manipulate the IP address from inside the VM (that means the user cannot change the IP address inside the VM)?
I am afraid that oVirt does not let you do that out-of-the-box. By default, the vdsm-no-mac-spoofing filter is applied to vNICs, which indeed allows IP spoofing.
This behavior can be changed by writing a vdsm hook that changes the default filterref to

    <filterref filter='clean-traffic'>
      <parameter name='CTRL_IP_LEARNING' value='dhcp'/>
    </filterref>

If your VM is assigned with its address not via dhcp, life is more complicated, since the hook needs to have access to this address before boot.
I would love to assist you in writing such a hook; please take the vmfex_dev hook as a reference. To read more about vdsm hooks, please see http://www.ovirt.org/Vdsm_Hooks .

I've posted a hook like that to http://gerrit.ovirt.org/#/c/29093/1

Maybe you can try it out, by placing http://gerrit.ovirt.org/#/c/29093/1/vdsm_hooks/noipspoof/noipspoof.py on your /usr/libexec/vdsm/hooks/before_device_create on each of your hosts, and setting a custom property named "noipspoof" to a list of valid IP addresses.

Please report if it does what it should. It would obviously be nicer if we integrate this with cloud-init, so that each VM would have its list of valid addresses defined once. Care to open an RFE?

Regards,
Dan.
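
The filterref rewrite discussed in this thread, as an added example that is not part of the original messages and is not the hook posted on gerrit: it swaps a vNIC's filter for libvirt's clean-traffic filter pinned to a validated address list. The comma-separated property format, the IPv4-only restriction, the function names and the sample device XML are assumptions.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample: a vNIC device as a before_device_create hook might
# receive it (MAC address and bridge name are made up for illustration).
SAMPLE_VNIC = """<interface type='bridge'>
  <mac address='00:1a:4a:00:00:01'/>
  <source bridge='ovirtmgmt'/>
  <model type='virtio'/>
  <filterref filter='vdsm-no-mac-spoofing'/>
</interface>"""


def parse_allowed_ips(prop):
    """Validate the custom property value (assumed comma-separated, IPv4
    only) and return canonical address strings. Anything that is not a
    plain IPv4 address raises ValueError, so a malformed property never
    reaches the domain XML."""
    ips = []
    for item in prop.split(','):
        item = item.strip()
        if item:
            ips.append(str(ipaddress.IPv4Address(item)))
    if not ips:
        raise ValueError('no IP addresses given')
    return ips


def pin_ips(device_xml, prop):
    """Replace every filterref on an <interface> with clean-traffic,
    carrying one IP parameter per allowed address."""
    ips = parse_allowed_ips(prop)
    iface = ET.fromstring(device_xml)
    if iface.tag != 'interface':
        return device_xml  # not a vNIC: hand it back untouched
    for old in iface.findall('filterref'):
        iface.remove(old)
    ref = ET.SubElement(iface, 'filterref', {'filter': 'clean-traffic'})
    for ip in ips:
        ET.SubElement(ref, 'parameter', {'name': 'IP', 'value': ip})
    return ET.tostring(iface, encoding='unicode')


if __name__ == '__main__':
    print(pin_ips(SAMPLE_VNIC, '192.0.2.10, 192.0.2.11'))
```

With static IP parameters the filter no longer depends on DHCP learning, which covers the non-DHCP case raised earlier in the thread.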