2:19 p.m.
Hi,
Trying to move a VM with CARP/VRRP on oVirt 3.3.2 I got bitten by this.
http://www.ovirt.org/Features/Design/Network/NetworkFiltering
http://lists.ovirt.org/pipermail/users/2013-October/017217.html
Is there a way to disable mac filtering only for a specific VM
and not for the entire cluster?
I've tried giving MAC addresses in the form of
00-00-5E-00-01-XX
but it didn't work.
Best regards,
G
6:26 p.m.
Yep!
Here you go:
'yum install vdsm-hook-macspoof' on all hosts, then following the instructions
here:
https://github.com/oVirt/vdsm/blob/master/vdsm_hooks/macspoof/README
You can disable the filter on a VM or VNIC level.
Assaf Muller, Cloud Networking Engineer
Red Hat
----- Original Message -----
From: "Kapetanakis Giannis" <bilias(a)edu.physics.uoc.gr>
To: "users(a)oVirt.org" <users(a)ovirt.org>
Sent: Wednesday, December 25, 2013 1:19:23 PM
Subject: [Users] disable EnableMACAntiSpoofingFilterRules per VM
Hi,
Trying to move a VM with CARP/VRRP on oVirt 3.3.2 I got bitten by this.
http://www.ovirt.org/Features/Design/Network/NetworkFiltering
http://lists.ovirt.org/pipermail/users/2013-October/017217.html
Is there a way to disable mac filtering only for a specific VM
and not for the entire cluster?
I've tried giving MAC addresses in the form of
00-00-5E-00-01-XX
but it didn't work.
Best regards,
G
_______________________________________________
Users mailing list
Users(a)ovirt.org
http://lists.ovirt.org/mailman/listinfo/users
6:44 p.m.
On 25/12/13 17:26, Assaf Muller wrote:
Yep!
Here you go:
'yum install vdsm-hook-macspoof' on all hosts, then following the instructions
here:
https://github.com/oVirt/vdsm/blob/master/vdsm_hooks/macspoof/README
You can disable the filter on a VM or VNIC level.
Assaf Muller, Cloud Networking Engineer
Red Hat
Thanks for the quick reply.
That looks very cool :)
Just to understand better because the instructions are not clear on that.
Suppose I install the package and add
engine-config -s
UserDefinedVMProperties='previousProperties;macspoof=^(true|false)$'
--cver=3.3
what will be the default action for my VMs? Filter or not filter?
So I gave to alter EnableMACAntiSpoofingFilterRules as well?
I mean do I have to explicitly define macspoof=true on all the VMs
except the VMs I don't need filtering
or the opposite -> filter by default and set macspoof=false in the VM I
don't need filtering?
I guess the same applies for VNIC.
What about conflicting values between VM and VNIC. Which has precedence
over the other?
Thanks
G
12:06 p.m.
what will be the default action for my VMs? Filter or not filter?
So I gave to alter EnableMACAntiSpoofingFilterRules as well?
The default is to filter. You'll have to add a VM or VNIC custom property
and set the value to False whenever you want to disable the filtering.
What about conflicting values between VM and VNIC. Which has
precedence
over the other?
You would think that anything VNIC specific would take precedence, but with
how the code is implemented at this time, before_device_create is called
for all devices, and before_vm_create is called after that. That means
that whatever is defined at the VM level will take precedence.
Assaf Muller, Cloud Networking Engineer
Red Hat
----- Original Message -----
From: "Kapetanakis Giannis" <bilias(a)edu.physics.uoc.gr>
To: "users(a)oVirt.org" <users(a)ovirt.org>
Sent: Wednesday, December 25, 2013 5:44:47 PM
Subject: Re: [Users] disable EnableMACAntiSpoofingFilterRules per VM
On 25/12/13 17:26, Assaf Muller wrote:
Yep!
Here you go:
'yum install vdsm-hook-macspoof' on all hosts, then following the instructions
here:
https://github.com/oVirt/vdsm/blob/master/vdsm_hooks/macspoof/README
You can disable the filter on a VM or VNIC level.
Assaf Muller, Cloud Networking Engineer
Red Hat
Thanks for the quick reply.
That looks very cool :)
Just to understand better because the instructions are not clear on that.
Suppose I install the package and add
engine-config -s
UserDefinedVMProperties='previousProperties;macspoof=^(true|false)$'
--cver=3.3
what will be the default action for my VMs? Filter or not filter?
So I gave to alter EnableMACAntiSpoofingFilterRules as well?
I mean do I have to explicitly define macspoof=true on all the VMs
except the VMs I don't need filtering
or the opposite -> filter by default and set macspoof=false in the VM I
don't need filtering?
I guess the same applies for VNIC.
What about conflicting values between VM and VNIC. Which has precedence
over the other?
Thanks
G
_______________________________________________
Users mailing list
Users(a)ovirt.org
http://lists.ovirt.org/mailman/listinfo/users
4:06 p.m.
On 26/12/13 11:06, Assaf Muller wrote:
> what will be the default action for my VMs? Filter or not
filter?
> So I gave to alter EnableMACAntiSpoofingFilterRules as well?
The default is to filter. You'll have to add a VM or VNIC custom property
and set the value to False whenever you want to disable the filtering.
> What about conflicting values between VM and VNIC. Which has precedence
> over the other?
You would think that anything VNIC specific would take precedence, but with
how the code is implemented at this time, before_device_create is called
for all devices, and before_vm_create is called after that. That means
that whatever is defined at the VM level will take precedence.
ok, this worked like a charm but I did some changes.
Maybe you want to update the README on
https://github.com/oVirt/vdsm/blob/master/vdsm_hooks/macspoof/README
engine-config -s
UserDefinedVMProperties='previousProperties;macspoof=^(true|false)$'
--cver=3.3 failed with an error: Cannot set value
previousProperties;macspoof=^(true|false)$ to key
UserDefinedVMProperties. Invalid syntax, user defined VM properties
specification should conform to
(([a-z_A-Z0-9])+)=(([^;])+)(;(([a-z_A-Z0-9])+)=(([^;])+))*;? I changed
that to engine-config -s "UserDefinedVMProperties=macspoof=(true|false)"
like it is defined in http://www.ovirt.org/Engine_config_examples which
was inserted with no error. CustomDeviceProperties also inserted like
engine-config -s
CustomDeviceProperties='{type=interface;prop={ifacemacspoof=(true|false)}}'
so both options could be available. VM option indeed takes precedence
over VNIC option. You should also take notice that setting
macspoof=false or ifacemacspoof=false does the opposite of at least what
I expected. It filters. I had to apply with either macspoof=true or
ifacemacspoof=true to disable filtering The README also has that the
other way. Either the README has to be changed or the options could be
renamed to something like disable_macspoof_filter and
disable_ifacemacspoof_filter best regards and thanks for all the replies, G
4:23 p.m.
Resending cause somehow the format got screwed up.
On 26/12/13 11:06, Assaf Muller wrote:
> what will be the default action for my VMs? Filter or not
filter?
> So I gave to alter EnableMACAntiSpoofingFilterRules as well?
The default is to filter. You'll have to add a VM or VNIC custom property
and set the value to False whenever you want to disable the filtering.
> What about conflicting values between VM and VNIC. Which has precedence
> over the other?
You would think that anything VNIC specific would take precedence, but with
how the code is implemented at this time, before_device_create is called
for all devices, and before_vm_create is called after that. That means
that whatever is defined at the VM level will take precedence.
ok, this worked like a charm but I did some changes.
Maybe you want to update the README on
https://github.com/oVirt/vdsm/blob/master/vdsm_hooks/macspoof/README
engine-config -s
UserDefinedVMProperties='previousPropertiesmacspoof=^(true|false)$'
--cver=3.3
failed with an error:
Cannot set value previousProperties;macspoof=^(true|false)$ to key
UserDefinedVMProperties. Invalid syntax, user defined VM properties
specification should conform to
(([a-z_A-Z0-9])+)=(([^;])+)(;(([a-z_A-Z0-9])+)=(([^;])+))*;?
I changed that to
engine-config -s "UserDefinedVMProperties=macspoof=(true|false)"
like it is defined in http://www.ovirt.org/Engine_config_examples
which was inserted with no error.
CustomDeviceProperties also inserted like
engine-config -s CustomDeviceProperties=
'{type=interface;prop={ifacemacspoof=(true|false)}}'
so both true/false options could be available.
VM option indeed takes precedence over VNIC option.
You should also take notice that setting macspoof=false or
ifacemacspoof=false does the opposite of at least what I expected.
It filters.
I had to apply with either macspoof=true or ifacemacspoof=true to
disable filtering.
The README also has that the other way.
Either the README has to be changed or the options could be renamed to
something like disable_macspoof_filter and disable_ifacemacspoof_filter
best regards and thanks for all the replies,
G
5:34 p.m.
Thank you for your feedback. I sent a patch to fix all mentioned issues:
http://gerrit.ovirt.org/#/c/22760/
It will be available for oVirt 3.4.
Assaf Muller, Cloud Networking Engineer
Red Hat
----- Original Message -----
From: "Kapetanakis Giannis" <bilias(a)edu.physics.uoc.gr>
To: "users(a)oVirt.org" <users(a)ovirt.org>
Cc: "Assaf Muller" <amuller(a)redhat.com>, danken(a)redhat.com
Sent: Thursday, December 26, 2013 3:23:07 PM
Subject: Re: [Users] disable EnableMACAntiSpoofingFilterRules per VM
Resending cause somehow the format got screwed up.
On 26/12/13 11:06, Assaf Muller wrote:
> what will be the default action for my VMs? Filter or not
filter?
> So I gave to alter EnableMACAntiSpoofingFilterRules as well?
The default is to filter. You'll have to add a VM or VNIC custom property
and set the value to False whenever you want to disable the filtering.
> What about conflicting values between VM and VNIC. Which has precedence
> over the other?
You would think that anything VNIC specific would take precedence, but with
how the code is implemented at this time, before_device_create is called
for all devices, and before_vm_create is called after that. That means
that whatever is defined at the VM level will take precedence.
ok, this worked like a charm but I did some changes.
Maybe you want to update the README on
https://github.com/oVirt/vdsm/blob/master/vdsm_hooks/macspoof/README
engine-config -s
UserDefinedVMProperties='previousPropertiesmacspoof=^(true|false)$'
--cver=3.3
failed with an error:
Cannot set value previousProperties;macspoof=^(true|false)$ to key
UserDefinedVMProperties. Invalid syntax, user defined VM properties
specification should conform to
(([a-z_A-Z0-9])+)=(([^;])+)(;(([a-z_A-Z0-9])+)=(([^;])+))*;?
I changed that to
engine-config -s "UserDefinedVMProperties=macspoof=(true|false)"
like it is defined in http://www.ovirt.org/Engine_config_examples
which was inserted with no error.
CustomDeviceProperties also inserted like
engine-config -s CustomDeviceProperties=
'{type=interface;prop={ifacemacspoof=(true|false)}}'
so both true/false options could be available.
VM option indeed takes precedence over VNIC option.
You should also take notice that setting macspoof=false or
ifacemacspoof=false does the opposite of at least what I expected.
It filters.
I had to apply with either macspoof=true or ifacemacspoof=true to
disable filtering.
The README also has that the other way.
Either the README has to be changed or the options could be renamed to
something like disable_macspoof_filter and disable_ifacemacspoof_filter
best regards and thanks for all the replies,
G
12:25 a.m.
----- Original Message -----
From: "Kapetanakis Giannis"
<bilias(a)edu.physics.uoc.gr>
To: "users(a)oVirt.org" <users(a)ovirt.org>
Sent: Wednesday, December 25, 2013 1:19:23 PM
Subject: [Users] disable EnableMACAntiSpoofingFilterRules per VM
Hi,
Trying to move a VM with CARP/VRRP on oVirt 3.3.2 I got bitten by this.
http://www.ovirt.org/Features/Design/Network/NetworkFiltering
http://lists.ovirt.org/pipermail/users/2013-October/017217.html
Is there a way to disable mac filtering only for a specific VM
and not for the entire cluster?
The EnableMACAntiSpoofingFilterRules config value is defined on cluster level,
therefore this isn't a way from engine side to disable it for a specific vm/nic.
Perhaps using the "custom properties" and a vdsm hook which omits the filter
rule
from the vm configuration it will be achievable.
Adding Dan to see if it is feasible or if there is a better alternative.
I've tried giving MAC addresses in the form of
00-00-5E-00-01-XX
but it didn't work.
Best regards,
G
_______________________________________________
Users mailing list
Users(a)ovirt.org
http://lists.ovirt.org/mailman/listinfo/users
11:21 a.m.
Resending the message, since it seems like the previous one failed to reach
the @users.
----- Original Message -----
> From: "Kapetanakis Giannis" <bilias(a)edu.physics.uoc.gr>
> To: "users(a)oVirt.org" <users(a)ovirt.org>
> Sent: Wednesday, December 25, 2013 1:19:23 PM
> Subject: [Users] disable EnableMACAntiSpoofingFilterRules per VM
>
> Hi,
>
> Trying to move a VM with CARP/VRRP on oVirt 3.3.2 I got bitten by this.
> http://www.ovirt.org/Features/Design/Network/NetworkFiltering
> http://lists.ovirt.org/pipermail/users/2013-October/017217.html
>
> Is there a way to disable mac filtering only for a specific VM
> and not for the entire cluster?
The EnableMACAntiSpoofingFilterRules config value is defined on cluster
level,
therefore this isn't a way from engine side to disable it for a specific
vm/nic.
Perhaps using the "custom properties" and a vdsm hook which omits the filter
rule
from the vm configuration it will be achievable.
Adding Dan to see if it is feasible or if there is a better alternative.
>
> I've tried giving MAC addresses in the form of
> 00-00-5E-00-01-XX
> but it didn't work.
>
> Best regards,
>
> G
> _______________________________________________
> Users mailing list
> Users(a)ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
>
3983
days inactive
3984
days old
8 comments
3 participants
participants (3)
-
Assaf Muller -
Kapetanakis Giannis -
Moti Asayag