vdsm hook noipspoof on interface level
Hi, I would like to restrict of usage IP address on VMs. Thos could be achied by usinf clear-filter instead of vdsm-no-mac-spoofing. I have found noipspoof vdsm hook, https://github.com/oVirt/vdsm/tree/master/vdsm_hooks/noipspoof. This hook but set the filtering on all interfaces, the setting is on VM level, not interface level. So if the there are more interfaces on all of them. I would like just restrict the WAN interface on multi homed VMs. Peter -- *Peter Hudec* Infraštruktúrny architekt phudec@cnc.sk <mailto:phudec@cnc.sk> *CNC, a.s.* Borská 6, 841 04 Bratislava Recepcia: +421 2 35 000 100 Mobil:+421 905 997 203 *www.cnc.sk* <http:///www.cnc.sk>
You might find the following useful: https://ovirt.org/develop/release-management/features/network/networkfilterp... HTH On Thu, Apr 12, 2018, 14:52 Peter Hudec <phudec@cnc.sk> wrote:
Hi,
I would like to restrict of usage IP address on VMs. Thos could be achied by usinf clear-filter instead of vdsm-no-mac-spoofing.
I have found noipspoof vdsm hook, https://github.com/oVirt/vdsm/tree/master/vdsm_hooks/noipspoof.
This hook but set the filtering on all interfaces, the setting is on VM level, not interface level. So if the there are more interfaces on all of them. I would like just restrict the WAN interface on multi homed VMs.
Peter
-- *Peter Hudec* Infraštruktúrny architekt phudec@cnc.sk <mailto:phudec@cnc.sk>
*CNC, a.s.* Borská 6, 841 04 Bratislava Recepcia: +421 2 35 000 100
Mobil:+421 905 997 203 *www.cnc.sk* <http:///www.cnc.sk>
_______________________________________________ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Thanks, this was the last part into my puzzle, HOST INTERFACE params. The example hook provided in https://bugzilla.redhat.com/show_bug.cgi?id=1366905#c8, https://bugzilla.redhat.com/attachment.cgi?id=1232201 looks good, but it seems to set the IP param on all interfaces too, regardless on which interface the NIC PARAM is set. The hooks should be called per vNIC, as reading the https://www.ovirt.org/documentation/admin-guide/appe-VDSM_and_Hooks/#the - -vdsm-hook-domain-xml-object, the one/several of thees hooks should be used or maybe I'm wrong ;( Peter On 14/04/2018 07:04, Eitan Raviv wrote:
You might find the following useful:
https://ovirt.org/develop/release-management/features/network/networkf ilterparameters/
HTH
On Thu, Apr 12, 2018, 14:52 Peter Hudec <phudec@cnc.sk <mailto:phudec@cnc.sk>> wrote:
Hi,
I would like to restrict of usage IP address on VMs. Thos could be achied by usinf clear-filter instead of vdsm-no-mac-spoofing.
I have found noipspoof vdsm hook, https://github.com/oVirt/vdsm/tree/master/vdsm_hooks/noipspoof.
This hook but set the filtering on all interfaces, the setting is on VM level, not interface level. So if the there are more interfaces on all of them. I would like just restrict the WAN interface on multi homed VMs.
Peter
-- *Peter Hudec* Infraštruktúrny architekt phudec@cnc.sk <mailto:phudec@cnc.sk> <mailto:phudec@cnc.sk <mailto:phudec@cnc.sk>>
*CNC, a.s.* Borská 6, 841 04 Bratislava Recepcia: +421 2 35 000 100
Mobil:+421 905 997 203 *www.cnc.sk <http://www.cnc.sk>* <http:///www.cnc.sk <http://www.cnc.sk>>
_______________________________________________ Users mailing list Users@ovirt.org <mailto:Users@ovirt.org> http://lists.ovirt.org/mailman/listinfo/users
- -- *Peter Hudec* Infraštruktúrny architekt phudec@cnc.sk <mailto:phudec@cnc.sk> *CNC, a.s.* Borská 6, 841 04 Bratislava Recepcia: +421 2 35 000 100 Mobil:+421 905 997 203 *www.cnc.sk* <http:///www.cnc.sk> -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEqSUbhuEwhryifNeVQnvVWOJ35BAFAlrSm54ACgkQQnvVWOJ3 5BDz5A//dqyf9wnvkRCjEmeUkMsN72qL7o+utazM7L8S4sY4Pu6INsPhpy7QtwHw fyXbdrU9qy+5ts3g+yoxpsdkTWUk47m/6nQR3fiw0nXJu44/ABl+Hw4g0H3/k86f 7sYOYvZ8IfCpL9/2r1VRlP8j7e+CdI8Ltcjppn7PtKhPT03f87p2PT1pJd95DYS+ GbqZZ6yOAUlePP/808+f7hYxKNz0ek1tf/ZxzLgSJsCl1PsIhKiCBiuze/5hdeL5 /VNWVSqVXNZdzOZkupxas50f/AH6g4DXniyChqvoTi+D37Wpf5yTxXM5C+Qf36Ok 2qZEovxuno51A5l9qIE0n2LQ3I6zJbybdth33sV1uxFK65CWxlfLgbPxb4+9JONF 2yozK/DtmGC7Hree2INBGOJA/55fCrccxSMuLW8JbmZqx43uCrE/FBWZhXE6Lx+f F5hR5e3kJEWjEtyPKpdtXedmOsb06xvGq+WFOGl8VgaRmNgsuLN/YYy13kRDY+0K j//ZX7ZqBaP9TqaW9y1LljTPLGugqVX+uzPdbUvW4vqahNU8mT5Kq1pBrrGPdY+C FolC1CLiWixAAhtSXfJihflFUJq+pYkAXDYBNPj/uyuIyeGXABw1UkJqgc0bVAal lSAMK2P09xwJ8Db5HpqxXpOHe/s5XdYD8Mj0jebQ2308CPNxfQM= =AvLd -----END PGP SIGNATURE-----
Probably an easier solution than implementing a vdsm hook in code, would be to use network filter parameters in the web-admin UI of the engine. If the vNic profile of the network on the WAN interface (the one you would like to restrict IPs on) has a clean-traffic filter, then you can specify a different set of IPs for any interface using this network. In the web-admin UI of the engine go to - Compute | Virtual machines | <your vm> | Network Interfaces | <your interface> and click edit. At the bottom of the edit form you can insert the ip pool for the interface by specifying several key-value pairs where the key is 'IP' and the value is the ip address (e.g. 192.168.122.13). HTH On Sun, Apr 15, 2018 at 3:24 AM, Peter Hudec <phudec@cnc.sk> wrote:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512
Thanks,
this was the last part into my puzzle, HOST INTERFACE params.
The example hook provided in https://bugzilla.redhat.com/show_bug.cgi?id=1366905#c8, https://bugzilla.redhat.com/attachment.cgi?id=1232201 looks good, but it seems to set the IP param on all interfaces too, regardless on which interface the NIC PARAM is set.
The hooks should be called per vNIC, as reading the https://www.ovirt.org/documentation/admin-guide/appe-VDSM_and_Hooks/#the - -vdsm-hook-domain-xml-object, the one/several of thees hooks should be used or maybe I'm wrong ;(
Peter
On 14/04/2018 07:04, Eitan Raviv wrote:
You might find the following useful:
https://ovirt.org/develop/release-management/features/network/networkf ilterparameters/
HTH
On Thu, Apr 12, 2018, 14:52 Peter Hudec <phudec@cnc.sk <mailto:phudec@cnc.sk>> wrote:
Hi,
I would like to restrict of usage IP address on VMs. Thos could be achied by usinf clear-filter instead of vdsm-no-mac-spoofing.
I have found noipspoof vdsm hook, https://github.com/oVirt/vdsm/tree/master/vdsm_hooks/noipspoof.
This hook but set the filtering on all interfaces, the setting is on VM level, not interface level. So if the there are more interfaces on all of them. I would like just restrict the WAN interface on multi homed VMs.
Peter
-- *Peter Hudec* Infraštruktúrny architekt phudec@cnc.sk <mailto:phudec@cnc.sk> <mailto:phudec@cnc.sk <mailto:phudec@cnc.sk>>
*CNC, a.s.* Borská 6, 841 04 Bratislava Recepcia: +421 2 35 000 100
Mobil:+421 905 997 203 *www.cnc.sk <http://www.cnc.sk>* <http:///www.cnc.sk <http://www.cnc.sk>>
_______________________________________________ Users mailing list Users@ovirt.org <mailto:Users@ovirt.org> http://lists.ovirt.org/mailman/listinfo/users
- -- *Peter Hudec* Infraštruktúrny architekt phudec@cnc.sk <mailto:phudec@cnc.sk>
*CNC, a.s.* Borská 6, 841 04 Bratislava Recepcia: +421 2 35 000 100
Mobil:+421 905 997 203 *www.cnc.sk* <http:///www.cnc.sk>
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEqSUbhuEwhryifNeVQnvVWOJ35BAFAlrSm54ACgkQQnvVWOJ3 5BDz5A//dqyf9wnvkRCjEmeUkMsN72qL7o+utazM7L8S4sY4Pu6INsPhpy7QtwHw fyXbdrU9qy+5ts3g+yoxpsdkTWUk47m/6nQR3fiw0nXJu44/ABl+Hw4g0H3/k86f 7sYOYvZ8IfCpL9/2r1VRlP8j7e+CdI8Ltcjppn7PtKhPT03f87p2PT1pJd95DYS+ GbqZZ6yOAUlePP/808+f7hYxKNz0ek1tf/ZxzLgSJsCl1PsIhKiCBiuze/5hdeL5 /VNWVSqVXNZdzOZkupxas50f/AH6g4DXniyChqvoTi+D37Wpf5yTxXM5C+Qf36Ok 2qZEovxuno51A5l9qIE0n2LQ3I6zJbybdth33sV1uxFK65CWxlfLgbPxb4+9JONF 2yozK/DtmGC7Hree2INBGOJA/55fCrccxSMuLW8JbmZqx43uCrE/FBWZhXE6Lx+f F5hR5e3kJEWjEtyPKpdtXedmOsb06xvGq+WFOGl8VgaRmNgsuLN/YYy13kRDY+0K j//ZX7ZqBaP9TqaW9y1LljTPLGugqVX+uzPdbUvW4vqahNU8mT5Kq1pBrrGPdY+C FolC1CLiWixAAhtSXfJihflFUJq+pYkAXDYBNPj/uyuIyeGXABw1UkJqgc0bVAal lSAMK2P09xwJ8Db5HpqxXpOHe/s5XdYD8Mj0jebQ2308CPNxfQM= =AvLd -----END PGP SIGNATURE-----
-- Eitan Raviv IRC: erav (#ovirt #vdsm #devel #rhev-dev)
participants (2)
-
Eitan Raviv -
Peter Hudec