MAC spoofing for specific VMs
I'm working on some load-balancing solutions and they appear to require MAC spoofing. I did some searching and reading and as I understand it, you can disable the MAC spoofing protection through a few methods. I was wondering about the best manner to enable this for the VMs that require it and not across the board (if that is even possible). I'd like to just allow my load-balancer VMs to do what they need to, but keep the others untouched as a security mechanism. If anyone has any advice on the best method to handle this scenario, I would greatly appreciate it. It seems that this might turn into some type of feature request, though I'm not sure if this is something that has to be done at the Linux bridge level, the port level, or the VM level. Any explanations into that would also help in my education. Thanks, Chris
----- Original Message -----
From: "Christopher Young" <mexigabacho@gmail.com> To: users@ovirt.org Sent: Monday, May 11, 2015 8:12:22 PM Subject: [ovirt-users] MAC spoofing for specific VMs
I'm working on some load-balancing solutions and they appear to require MAC spoofing. I did some searching and reading and as I understand it, you can disable the MAC spoofing protection through a few methods.
I was wondering about the best manner to enable this for the VMs that require it and not across the board (if that is even possible). I'd like to just allow my load-balancer VMs to do what they need to, but keep the others untouched as a security mechanism.
If anyone has any advice on the best method to handle this scenario, I would greatly appreciate it. It seems that this might turn into some type of feature request, though I'm not sure if this is something that has to be done at the Linux bridge level, the port level, or the VM level. Any explanations into that would also help in my education.
You can do it with vdsm-hook-macspoof. You need to install it on all the involved host than you can control its behavior at VM level and also at device/interface level. Please follow the instruction here at VM-level hooks section to create a custom property to control it: http://www.ovirt.org/Vdsm_Hooks#VM-level_hooks
Thanks,
Chris
_______________________________________________ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users
On Mon, May 11, 2015 at 02:12:22PM -0400, Christopher Young wrote:
I'm working on some load-balancing solutions and they appear to require MAC spoofing. I did some searching and reading and as I understand it, you can disable the MAC spoofing protection through a few methods.
I was wondering about the best manner to enable this for the VMs that require it and not across the board (if that is even possible). I'd like to just allow my load-balancer VMs to do what they need to, but keep the others untouched as a security mechanism.
If anyone has any advice on the best method to handle this scenario, I would greatly appreciate it. It seems that this might turn into some type of feature request, though I'm not sure if this is something that has to be done at the Linux bridge level, the port level, or the VM level. Any explanations into that would also help in my education.
You can enable mac spoofing per VM or per vNIC using vdsm-hook-macspoof. See more details on the hook's README file https://gerrit.ovirt.org/gitweb?p=vdsm.git;a=blob;f=vdsm_hooks/macspoof/READ...
Yep. I had found that and applied it. Great solution! I actually wrote about it to the zen load balancer list. I will add it here for semi-documentation: ------ just wanted to follow-up so that it is documented on how to get this working on oVirt/RHEV. I had to install a VDSM hook to allow mac-spoofing as a VM custom property like so (on each node): yum install vdsm-hook-macspoof That requires a restart of vdsmd on the node as well as a process on the oVirt/RHEV engine: engine-config -s "UserDefinedVMProperties=macspoof=(true|false)" Which then requires a restart of the oVirt/RHEV engine. After that, there will be an available custom properly on the VM called 'macspoof' that can be set to 'true'. Once I did this and shutdown/powered on the VMs, the cluster setup now completes successfully. You learn something every day. Thanks for pointing me in the right direction. The one thing I wish I had on these VMs is the ovirt-guest-agent which would likely work except that Debian 6 doesn't seem to have python-ethtool package/deps. If there are any plans to update the version of Debian that ZLB is based on, let me know. ----- On Tue, May 12, 2015 at 5:43 AM, Dan Kenigsberg <danken@redhat.com> wrote:
On Mon, May 11, 2015 at 02:12:22PM -0400, Christopher Young wrote:
I'm working on some load-balancing solutions and they appear to require MAC spoofing. I did some searching and reading and as I understand it, you can disable the MAC spoofing protection through a few methods.
I was wondering about the best manner to enable this for the VMs that require it and not across the board (if that is even possible). I'd like to just allow my load-balancer VMs to do what they need to, but keep the others untouched as a security mechanism.
If anyone has any advice on the best method to handle this scenario, I would greatly appreciate it. It seems that this might turn into some type of feature request, though I'm not sure if this is something that has to be done at the Linux bridge level, the port level, or the VM level. Any explanations into that would also help in my education.
You can enable mac spoofing per VM or per vNIC using vdsm-hook-macspoof. See more details on the hook's README file
https://gerrit.ovirt.org/gitweb?p=vdsm.git;a=blob;f=vdsm_hooks/macspoof/READ...
Does anyone see a reason why simply installing the EL7 latest rpm for this on an ovirt node/RHEV-H system would not work or would be a bad solution to getting this working with ovirt-node/RHEV-H? I don't want to do something that is either lost on reboot or would cause issues in the future. Thoughts? On Tue, May 12, 2015 at 2:24 PM, Christopher Young <mexigabacho@gmail.com> wrote:
Yep. I had found that and applied it. Great solution! I actually wrote about it to the zen load balancer list. I will add it here for semi-documentation:
------ just wanted to follow-up so that it is documented on how to get this working on oVirt/RHEV. I had to install a VDSM hook to allow mac-spoofing as a VM custom property like so (on each node):
yum install vdsm-hook-macspoof
That requires a restart of vdsmd on the node as well as a process on the oVirt/RHEV engine:
engine-config -s "UserDefinedVMProperties=macspoof=(true|false)"
Which then requires a restart of the oVirt/RHEV engine.
After that, there will be an available custom properly on the VM called 'macspoof' that can be set to 'true'. Once I did this and shutdown/powered on the VMs, the cluster setup now completes successfully. You learn something every day.
Thanks for pointing me in the right direction. The one thing I wish I had on these VMs is the ovirt-guest-agent which would likely work except that Debian 6 doesn't seem to have python-ethtool package/deps. If there are any plans to update the version of Debian that ZLB is based on, let me know.
-----
On Tue, May 12, 2015 at 5:43 AM, Dan Kenigsberg <danken@redhat.com> wrote:
On Mon, May 11, 2015 at 02:12:22PM -0400, Christopher Young wrote:
I'm working on some load-balancing solutions and they appear to require MAC spoofing. I did some searching and reading and as I understand it, you can disable the MAC spoofing protection through a few methods.
I was wondering about the best manner to enable this for the VMs that require it and not across the board (if that is even possible). I'd like to just allow my load-balancer VMs to do what they need to, but keep the others untouched as a security mechanism.
If anyone has any advice on the best method to handle this scenario, I would greatly appreciate it. It seems that this might turn into some type of feature request, though I'm not sure if this is something that has to be done at the Linux bridge level, the port level, or the VM level. Any explanations into that would also help in my education.
You can enable mac spoofing per VM or per vNIC using vdsm-hook-macspoof. See more details on the hook's README file
https://gerrit.ovirt.org/gitweb?p=vdsm.git;a=blob;f=vdsm_hooks/macspoof/READ...
On Thu, Mar 10, 2016 at 04:57:01PM -0500, Christopher Young wrote:
Does anyone see a reason why simply installing the EL7 latest rpm for this on an ovirt node/RHEV-H system would not work or would be a bad solution to getting this working with ovirt-node/RHEV-H? I don't want to do something that is either lost on reboot or would cause issues in the future.
Thoughts?
I do not see a problem in that, but please note that we plan a fully-fledged integration of this feature in our next release.
participants (3)
-
Christopher Young -
Dan Kenigsberg -
Simone Tiraboschi