Created attachment 1190771 [details] network filter ip space

Hello,

It was requested to create a Bug Tracker item for this via the users list:

As a service provider, we utilize oVirt for a range of tasks. One issue keeping oVirt from being placed into production where users have root access to VMs is the ability to steal IPs. It's understood subnetting would be ideal, but it's a huge waste of IP space. Most other software such as OnApp, SolusVM, Virtualizor etc. utilize ebtables along with an IP pool internal to the software. When an IP from the pool is assigned to a VM, the ebtables rules are automatically added; when it's removed, those rules are also removed. oVirt currently lacks any functionality for IP address management, but the network filters are a good start.

http://lists.ovirt.org/pipermail/users/2016-August/041913.html

Perhaps it would be good for oVirt to have a few text fields in the NIC properties to enter IP addresses into, which can match the rules being used. For example, when enabling the clean-traffic filter it appears the VM can only have 1 IP address; even if another IP is added legitimately, it still only works with the original IP address. Something like this: http://i.imgur.com/9BUZRCN.jpg

So essentially, traffic would be blocked on that VM for any other IP space other than the IPs entered into the text fields, which then edit/work with the netfilter rules. The idea would be that clicking "click to add more" would add another text field.

///

Manually editing the VM's XML file will work; however, only if the VM is then restarted from virsh. If it's restarted via oVirt, the XML file appears to be overwritten again with the default values.

http://lists.ovirt.org/pipermail/users/2016-August/041920.html

/////////

I have a VM with network filtering enabled, specifically the clean-traffic filter.
Through virsh, I modify the configuration to reflect changes like this:

    <filterref filter='clean-traffic'>
      <parameter name='IP' value='192.168.10.10'/>
      <parameter name='IP' value='192.168.10.11'/>
    </filterref>

This only allows those two specified IPs to communicate on the VM. I've defined the XML through virsh. Now, if I start the VM directly through virsh, those rules apply and work correctly. I can add any other random IP from the same subnet and it does not work, as expected. Only the two IPs specified above will respond. This, unfortunately, makes the VM appear to be down from within the oVirt dashboard if it's started manually through virsh. If I edit the machine through virsh but do not start it and then go onto oVirt to start the VM, it seems the configuration is not loaded. Does oVirt load a different configuration file other than /etc/libvirt/qemu/machine.xml?

/////////
Hello - is there anything else needed for this? Or is it a possibility? Not sure how this Bugzilla/feature request should work or if it's in the right place or not.
(In reply to jax2568 from comment #1)
> Hello - is there anything else needed for this? Or is it a possibility? Not
> sure how this Bugzilla/feature request should work or if it's in the right
> place or not.

We are currently reviewing this for oVirt 4.1. No other needs from you at this point.
The fix for this issue should be included in oVirt 4.1.0 beta 1 released on December 1st. If not included please move back to modified.
This RFE is not in 4.1.0-0.2.master.20161210231201.git26a385e.el7.centos
Hello, I see this was updated with the line below: Flags: ovirt-4.1? → ovirt-4.2? Is this not included anymore in 4.1? If not, how long until 4.2?
ovirt-4.2 schedule has not been decided yet. But we do know that we've missed 4.1's feature freeze. Maybe we can help you write a vdsm hook to enable the functionality in the meantime?
Ok, thanks for the update.

>> Maybe we can help you write a vdsm hook to enable the functionality in the meantime?

Sure; however, I don't have any experience with writing hooks for vdsm. Basically, the clean-traffic filter works as expected, but if the VM has multiple IPs, only one of them would work. What would be involved with a vdsm hook to accomplish what we need to do?
Created attachment 1232201 [details] untested /usr/libexec/vdsm/hooks/before_vm_start/multiips hook

Place this in the hook directory, and define a VM custom property named multiips. Set this property to a comma-separated list of IP addresses. The hook script would allow the VM to use these IPs on all of its clean-traffic filters.
Hi, Thanks for that hook - I will get this tested! >place this in the hook directory, and define a vm custom property named multiips. Sorry, I'm not exactly sure how I would create a custom property. Is there an article or guide on how to do this?
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Virtualization/3.6/html/Administration_Guide/VDSM_hooks_defining_custom_properties.html
@Dan Kenigsberg, Thanks for that link. I took a look at that earlier actually, but wasn't 100% sure what I was supposed to put for the values. Would it be like this? engine-config -s CustomDeviceProperties="{multiips}" --cver=3.3
This discussion about the hack does not really belong to this RFE. Let's continue it on users. A good start would be engine-config -s UserDefinedVMProperties='multiips=.*' --cver=4.0 and then restart ovirt-engine.
Created attachment 1233353 [details] /usr/libexec/vdsm/hooks/before_vm_start/multiips hook with debug output
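The hook approach discussed in the comments above (a before_vm_start script that reads a comma-separated `multiips` custom property and adds one `<parameter name='IP'>` per address to every clean-traffic filterref), as an added illustration. This is not the attachment posted in this bug and not vdsm project code. Assumptions, labelled in the code: vdsm exports VM custom properties to hook scripts as environment variables of the same name, vdsm's `hooking` module provides `read_domxml()`/`write_domxml()` over an `xml.dom.minidom` Document, and a non-zero exit from a before_vm_start hook aborts the start. The XML transformation is kept pure so it can be checked offline against a constructed sample domain; addresses are validated with `ipaddress` so a typo in the property (for example a trailing dot) fails loudly instead of silently producing a filter that blocks the guest.

```python
"""
before_vm_start hook: extend every clean-traffic <filterref> with the addresses
listed in the 'multiips' VM custom property.

Added example, not vdsm's code. Assumptions: custom properties arrive as
environment variables (os.environ['multiips']); the vdsm 'hooking' module
exposes read_domxml()/write_domxml() on a minidom Document; a non-zero exit
status aborts the VM start. Needs the 'ipaddress' module (Python 3 stdlib).
"""
import ipaddress
import os
import sys
import xml.dom.minidom as minidom

FILTER_NAME = "clean-traffic"
PROPERTY_NAME = "multiips"  # comma-separated list, e.g. "192.168.10.10,192.168.10.11"

# Constructed sample (not from the bug): one NIC whose clean-traffic filter already
# allows one address, and one NIC with another filter that must be left untouched.
SAMPLE_DOMXML = """<domain type='kvm'><name>vm1</name><devices>
<interface type='bridge'><source bridge='ovirtmgmt'/>
<filterref filter='clean-traffic'><parameter name='IP' value='192.168.10.10'/></filterref>
</interface>
<interface type='bridge'><source bridge='ovirtmgmt'/>
<filterref filter='no-mac-spoofing'/>
</interface>
</devices></domain>"""


def parse_ip_list(raw):
    """Split the property value, drop blanks, and reject anything that is not a
    literal IPv4/IPv6 address (ValueError) rather than passing junk into libvirt."""
    ips = []
    for item in raw.split(","):
        item = item.strip()
        if item:
            ips.append(str(ipaddress.ip_address(item)))
    return ips


def _existing_ips(filterref):
    return {p.getAttribute("value")
            for p in filterref.getElementsByTagName("parameter")
            if p.getAttribute("name") == "IP"}


def add_ips(domxml, ips):
    """Append <parameter name='IP' value=.../> for each address to every
    clean-traffic filterref, skipping addresses already present. Other filters
    are not modified. Returns the number of parameters added."""
    added = 0
    for ref in domxml.getElementsByTagName("filterref"):
        if ref.getAttribute("filter") != FILTER_NAME:
            continue
        present = _existing_ips(ref)
        for ip in ips:
            if ip in present:
                continue
            param = domxml.createElement("parameter")
            param.setAttribute("name", "IP")
            param.setAttribute("value", ip)
            ref.appendChild(param)
            present.add(ip)
            added += 1
    return added


def transform(xml_text, raw_property):
    """Pure entry point: domain XML string + property value in, XML string out."""
    domxml = minidom.parseString(xml_text)
    add_ips(domxml, parse_ip_list(raw_property))
    return domxml.toxml()


def ip_parameters(xml_text):
    """Per filterref (document order): (filter name, [IP values]). Useful for a
    debug line in the hook and for checking the result."""
    domxml = minidom.parseString(xml_text)
    return [(ref.getAttribute("filter"),
             [p.getAttribute("value")
              for p in ref.getElementsByTagName("parameter")
              if p.getAttribute("name") == "IP"])
            for ref in domxml.getElementsByTagName("filterref")]


def main():
    raw = os.environ.get(PROPERTY_NAME)
    if not raw:
        return  # property not set on this VM: nothing to do
    try:
        ips = parse_ip_list(raw)
    except ValueError as err:
        sys.stderr.write("%s: bad %s value: %s\n" % (sys.argv[0], PROPERTY_NAME, err))
        sys.exit(2)  # assumption: non-zero status makes vdsm abort the start
    import hooking  # assumption: vdsm's hook helper module
    domxml = hooking.read_domxml()
    count = add_ips(domxml, ips)
    sys.stderr.write("%s: added %d IP parameter(s)\n" % (sys.argv[0], count))
    hooking.write_domxml(domxml)


if __name__ == "__main__":
    main()
```

Run as `multiips="192.168.10.10, 192.168.10.11" python3 multiips /dev/null` outside vdsm and it will fail only at `import hooking`; everything before that (property parsing) is exercised. Because the hook only appends parameters, restarting the VM from oVirt rebuilds the XML from the engine's definition and re-applies the hook, which is exactly the step that a hand-edited /etc/libvirt/qemu/machine.xml loses.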
*** Bug 1342784 has been marked as a duplicate of this bug. ***
Please fill in the DOC TEXT and link to the feature page. The feature page http://www.ovirt.org/develop/release-management/features/network/networkfilterparameters/ should refer to the API doc http://ovirt.github.io/ovirt-engine-api-model/4.2/#services/nic_network_filter_parameters and mention that it is the only thing currently implemented.
A rudimentary implementation of this (REST only) already exists in master (future 4.2), https://gerrit.ovirt.org/#/c/78045/ would give a test and an example for usage. UX may follow later.
User can manage network filter parameters via REST-API and via UI.

Tested clean-traffic network filter scenario: name IP, value x.x.x.z

Values passed as expected to the libvirt XML:

    <interface type='bridge'>
      <mac address='00:00:00:00:00:23'/>
      <source bridge='m3'/>
      <target dev='vnet2'/>
      <model type='virtio'/>
      <filterref filter='clean-traffic'>
        <parameter name='IP' value='x.x.x.x'/>
      </filterref>
      <boot order='2'/>
      <alias name='net0'/>

Network filter parameters working as expected.

Verified on 4.2.0-0.0.master.20170901193740.git7900511.el7.centos
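The REST-API route mentioned in the two comments above, as an added example of driving it from a script; this is not the gerrit change's test, not the oVirt SDK, and not the UI. Assumptions, labelled in the code: the parameter collection lives at `/ovirt-engine/api/vms/{vm_id}/nics/{nic_id}/networkfilterparameters` (the `nic_network_filter_parameters` service linked from comment 17), a parameter is created by POSTing a `<network_filter_parameter>` with `<name>` and `<value>` children, one request per address, and the engine accepts HTTP basic auth for a user such as admin@internal. The engine hostname, VM/NIC ids and the listing response are constructed placeholders. Building and diffing the request bodies is done offline against that constructed listing; only `push_ips` touches the network.

```python
"""
Add clean-traffic IP parameters to a vNIC via the oVirt 4.2 REST API.

Added example; not oVirt project code. Assumed endpoint and body shape:
  GET/POST {engine}/ovirt-engine/api/vms/{vm}/nics/{nic}/networkfilterparameters
  <network_filter_parameter><name>IP</name><value>A.B.C.D</value></network_filter_parameter>
Assumed auth: HTTP basic with an engine user (e.g. admin@internal).
"""
import base64
import ipaddress
import ssl
import urllib.request
import xml.etree.ElementTree as ET

# Constructed listing as the GET would return it for a NIC that already allows
# one address; ids and hrefs are placeholders, not taken from the bug.
SAMPLE_LISTING = """<network_filter_parameters>
<network_filter_parameter href="/ovirt-engine/api/vms/1/nics/2/networkfilterparameters/3" id="3">
<name>IP</name><value>192.168.10.10</value>
<nic href="/ovirt-engine/api/vms/1/nics/2" id="2"/>
</network_filter_parameter>
</network_filter_parameters>"""


def parameter_url(engine, vm_id, nic_id):
    """Collection URL (assumed path) for one vNIC's network filter parameters."""
    return "%s/ovirt-engine/api/vms/%s/nics/%s/networkfilterparameters" % (engine, vm_id, nic_id)


def parameter_body(ip):
    """One request body per address; the value is normalised through ipaddress so
    a malformed string never reaches the engine (and from there libvirt)."""
    ip = str(ipaddress.ip_address(ip))
    root = ET.Element("network_filter_parameter")
    ET.SubElement(root, "name").text = "IP"
    ET.SubElement(root, "value").text = ip
    return ET.tostring(root, encoding="unicode")


def parse_parameters(listing_xml):
    """GET listing -> {parameter id: (name, value)}."""
    root = ET.fromstring(listing_xml)
    return {p.get("id"): (p.findtext("name"), p.findtext("value"))
            for p in root.iter("network_filter_parameter")}


def missing_ips(listing_xml, wanted):
    """Addresses from 'wanted' that the NIC does not allow yet, so the caller
    creates only the missing parameters and never duplicates an existing one."""
    have = {value for name, value in parse_parameters(listing_xml).values() if name == "IP"}
    normalised = [str(ipaddress.ip_address(ip)) for ip in wanted]
    return [ip for ip in normalised if ip not in have]


def push_ips(engine, vm_id, nic_id, user, password, ips, cafile=None):
    """List current parameters, then POST one parameter per missing address.
    cafile should point at the engine CA so the TLS peer is actually verified."""
    ctx = ssl.create_default_context(cafile=cafile)
    token = base64.b64encode(("%s:%s" % (user, password)).encode()).decode()
    headers = {"Authorization": "Basic " + token,
               "Accept": "application/xml",
               "Content-Type": "application/xml"}
    url = parameter_url(engine, vm_id, nic_id)
    with urllib.request.urlopen(urllib.request.Request(url, headers=headers), context=ctx) as resp:
        listing = resp.read().decode()
    created = []
    for ip in missing_ips(listing, ips):
        req = urllib.request.Request(url, data=parameter_body(ip).encode(),
                                     headers=headers, method="POST")
        with urllib.request.urlopen(req, context=ctx) as resp:
            resp.read()
        created.append(ip)
    return created


if __name__ == "__main__":
    # Placeholder engine, ids and credentials; replace before running for real.
    print(push_ips("https://engine.example.com", "vm-id", "nic-id",
                   "admin@internal", "password",
                   ["192.168.10.10", "192.168.10.11"], cafile="/etc/pki/ovirt-engine/ca.pem"))
```

Each address becomes its own `<parameter name='IP'>` under the NIC's clean-traffic filterref in the domain XML, which is the multi-IP layout that the hand-edited libvirt XML earlier in this bug produced and that oVirt previously overwrote on restart. Because the engine now owns the parameters, they survive a restart from the dashboard.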
This bugzilla is included in oVirt 4.2.0 release, published on Dec 20th 2017. Since the problem described in this bug report should be resolved in oVirt 4.2.0 release, published on Dec 20th 2017, it has been closed with a resolution of CURRENT RELEASE. If the solution does not work for you, please open a new bug report.