Bug 1366905

Summary: [RFE] Allow multiple IP's / text fields for network filters, specifically clean-traffic
Product: [oVirt] ovirt-engine Reporter: jax2568
Component: RFEsAssignee: Dominik Holler <dholler>
Status: CLOSED CURRENTRELEASE QA Contact: Michael Burman <mburman>
Severity: medium Docs Contact:
Priority: medium    
Version: futureCC: apinnick, bugs, danken, dholler, jax2568, mburman, troels, ylavi
Target Milestone: ovirt-4.2.0Keywords: FutureFeature
Target Release: 4.2.0Flags: danken: ovirt-4.2?
gklein: testing_plan_complete-
rule-engine: planning_ack?
danken: devel_ack+
mburman: testing_ack+
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: ovirt-engine-4.2.0-0.0.master.20170901193740.git7900511.el7.centos.noarch.rpm Doc Type: Enhancement
Doc Text:
The engine already supports filtering the network communication of VMs. Now it is possible to configure the filter parameters using the REST-API. See http://www.ovirt.org/develop/release-management/features/network/networkfilterparameters/#current-implementation-status for details.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2017-12-20 11:23:06 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: Network RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1502496    
Attachments:
Description Flags
network filter ip space
none
untested /usr/libexec/vdsm/hooks/before_vm_start/multiips hook
none
/usr/libexec/vdsm/hooks/before_vm_start/multiips hook with debug output none

Description jax2568 2016-08-14 15:46:15 UTC 
Created attachment 1190771 [details]
network filter ip space

Hello,

It was requested to create a Bug Tracker item for this via the users list:

As a service provider, we utilize oVirt for a range of tasks. One issue with oVirt keeping from being able to place into production where users have root access to VM's is the ability to steal IP's. It's understood subnetting would be ideal, but it's a huge waste of IP space. Most other software such as OnApp, SolusVM, Virtualizor etc utilize ebtables along with an internal IP pool to the software. When an IP from the pool is assigned to a VM, the ebtables rules are automatically added. when it's removed, those rules are also removed. oVirt current lacks any functionality for IP address management, but the network filters are a good start.

http://lists.ovirt.org/pipermail/users/2016-August/041913.html

Perhaps it would be good for oVirt to have a few text fields in the nic properties to enter IP addresses into which can match the rules being used. For example, when enabling the clean-traffic filter it appears the VM can only have 1 IP address, even if another IP is added legitimately, it still only works with the original IP address.

Something like this: http://i.imgur.com/9BUZRCN.jpg

So essentially, traffic would be blocked on that VM for any other IP space other than the IP’s entered into the text fields, which then edit/work with the netfilter rules. The idea would be to click “click to add more” would add another text field.

///

Manually editing the VM's XML file will work however, only if the VM is then restarted from Virsh. If it's restarted via oVirt, the XML file appears to be overwritted again with the default values.

http://lists.ovirt.org/pipermail/users/2016-August/041920.html

/////////
I have a VM with network filtering enabled, specifically the clean-traffic filter.

Through virsh, I modify the configuration to reflect changes like this:

     <filterref filter='clean-traffic'>
        <parameter name='IP' value='192.168.10.10.'/>
        <parameter name='IP' value='192.168.10.11'/>
      </filterref>

This only allows those two specified IP’s to communicate on the VM. I’ve defined the xml through virsh.

Now, if I start the VM directly through virsh, those rules apply and work correctly. I can add any other random IP from the same subnet and it does not work, as expected. Only the two Ip’s specified above will respond.

This unfortunately, makes the VM appear to be down from with the ovirt dashboard if it’s started manually through virsh.

If I edit the machine through virsh but do not start it and then go onto oVirt to start the VM, it seems the configuration is not loaded – does oVirt load a different configuration file other than /etc/libvirt/qemu/machine.xml?
/////////
Comment 1 jax2568 2016-08-25 01:19:49 UTC 
Hello - is there anything else needed for this? Or is it a possibility? Not sure how this Bugzilla/feature request should work or if it's in the right place or not.
Comment 2 Yaniv Lavi 2016-08-25 01:33:44 UTC 
(In reply to jax2568 from comment #1)
> Hello - is there anything else needed for this? Or is it a possibility? Not
> sure how this Bugzilla/feature request should work or if it's in the right
> place or not.

We are currently reviewing this for oVirt 4.1. No other needs from you at this point.
Comment 3 Sandro Bonazzola 2016-12-12 13:59:36 UTC 
The fix for this issue should be included in oVirt 4.1.0 beta 1 released on December 1st. If not included please move back to modified.
Comment 4 Michael Burman 2016-12-13 13:19:29 UTC 
This RFE is not in 4.1.0-0.2.master.20161210231201.git26a385e.el7.centos
Comment 5 jax2568 2016-12-14 15:57:56 UTC 
Hello,

I see this was updated with the line below:

Flags: ovirt-4.1? → ovirt-4.2?

Is this not included anymore in 4.1? If not, how long until 4.2?
Comment 6 Dan Kenigsberg 2016-12-14 22:41:37 UTC 
ovirt-4.2 schedule has not been decided yet. But we do know that we've missed 4.1's feature freeze.

Maybe we can help you write a vdsm hook to enable the functionality on the mean while?
Comment 7 jax2568 2016-12-14 22:55:28 UTC 
Ok, thanks for the update.

>>Maybe we can help you write a vdsm hook to enable the functionality on the mean while?

Sure however, I don't have any experience with writing hooks for vdsm.

Basically, the clean traffic filter works as expected but it the VM has multiple IP's, only one of them would work.

What would be involved with a vdsm hook to accomplish what we need to do?
Comment 8 Dan Kenigsberg 2016-12-15 14:53:19 UTC 
Created attachment 1232201 [details]
untested /usr/libexec/vdsm/hooks/before_vm_start/multiips hook

place this in the hook directory, and define a vm custom property named multiips. Set this property to a comma-separated list of ip addresses. The hook script would allow the VM to use these ips on all of its clean-traffic filters.
Comment 9 jax2568 2016-12-15 16:36:18 UTC 
Hi,

Thanks for that hook - I will get this tested!

>place this in the hook directory, and define a vm custom property named multiips.

Sorry, I'm not exactly sure how I would create a custom property. Is there an article or guide on how to do this?
Comment 10 Dan Kenigsberg 2016-12-15 20:03:52 UTC 
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Virtualization/3.6/html/Administration_Guide/VDSM_hooks_defining_custom_properties.html
Comment 11 jax2568 2016-12-15 20:07:49 UTC 
@Dan Kenigsberg,

Thanks for that link. I took a look at that earlier actually, but wasn't 100% sure what I was supposed to put for the values. Would it be like this?

engine-config -s CustomDeviceProperties="{multiips}" --cver=3.3
Comment 12 Dan Kenigsberg 2016-12-15 20:16:47 UTC 
This discussion about the hack does not really belong to this RFE. Let's continue it on users. A good start would be

engine-config -s UserDefinedVMProperties='multiips=.*' --cver=4.0

and then restart ovirt-engine.
Comment 13 Dominik Holler 2016-12-19 10:20:32 UTC 
Created attachment 1233353 [details]
/usr/libexec/vdsm/hooks/before_vm_start/multiips hook with debug output
Comment 14 Dan Kenigsberg 2016-12-25 10:17:18 UTC 
*** Bug 1342784 has been marked as a duplicate of this bug. ***
Comment 15 Meni Yakove 2017-06-05 08:07:39 UTC 
Please fill in the DOC TEXT and link to the feature page. The feature page http://www.ovirt.org/develop/release-management/features/network/networkfilterparameters/ should refer to the API doc http://ovirt.github.io/ovirt-engine-api-model/4.2/#services/nic_network_filter_parameters and mention that it is the only thing currently implemented.
Comment 16 Dan Kenigsberg 2017-06-11 16:02:08 UTC 
A rudimentary implementation of this (REST only) already exists in master (future 4.2), https://gerrit.ovirt.org/#/c/78045/ would give a test and an example for usage. UX may follow later.
Comment 17 Michael Burman 2017-09-03 08:35:16 UTC 
User can manage network filter parameters via REST-API and via UI.

Tested clean-traffic network filter scenario - 
name - IP
value - x.x.x.z 

Values passed as expected to the Libvirt XML -

<interface type='bridge'>
      <mac address='00:00:00:00:00:23'/>
      <source bridge='m3'/>
      <target dev='vnet2'/>
      <model type='virtio'/>
      <filterref filter='clean-traffic'>
        <parameter name='IP' value='x.x.x.x'/>
      </filterref>
      <boot order='2'/>
      <alias name='net0'/>

Network filter parameters working as expected.

Verified on - 4.2.0-0.0.master.20170901193740.git7900511.el7.centos
Comment 18 Sandro Bonazzola 2017-12-20 11:23:06 UTC 
This bugzilla is included in oVirt 4.2.0 release, published on Dec 20th 2017.

Since the problem described in this bug report should be
resolved in oVirt 4.2.0 release, published on Dec 20th 2017, it has been closed with a resolution of CURRENT RELEASE.

If the solution does not work for you, please open a new bug report.