Open vSwitch 4.0

:!: **Development version of OpenNebula 4.0**. The material on this page needs to be reviewed for completeness and accuracy.
This guide describes how to use the [[http://openvswitch.org/|Open vSwitch]] network drivers. They provide two independent functionalities that can be used together: network isolation using VLANs, and network filtering using OpenFlow.

Each Virtual Network interface will receive a VLAN tag enabling network isolation. Other traffic attributes that may be configured through Open vSwitch are not modified. The VLAN id will be the same for every interface in a given network, calculated by adding a constant to the network id. It may also be forced by specifying a VLAN_ID parameter in the [[.:vnet_template|Virtual Network template]].

The network filtering functionality is very similar to the [[.:firewall|Firewall]] drivers, with a few limitations discussed below.

{{INLINETOC}}

====== Requirements ======

This driver requires Open vSwitch to be installed on each OpenNebula Host. Follow the resources specified in [[#hosts_configuration]] to install it.

====== Considerations & Limitations ======

Integrating OpenNebula with Open vSwitch brings a long list of benefits to OpenNebula; read [[http://openvswitch.org/features/|Open vSwitch Features]] to get a hold on these features. This guide will address the usage of VLAN tagging and OpenFlow filtering of OpenNebula Virtual Machines. On top of that any other Open vSwitch feature may be used, but that's outside of the scope of this guide.

===== ovswitch and ovswitch_brcompat =====

OpenNebula ships with two sets of drivers that provide the same functionality: **ovswitch** and **ovswitch_brcompat**. The following list details the differences between both drivers:

  * **''ovswitch''**: Recommended for ''kvm'' hosts. Only works with ''kvm''. Doesn't require the [[http://openvswitch.org/cgi-bin/gitweb.cgi?p=openvswitch;a=blob_plain;f=INSTALL.bridge;hb=HEAD|Open vSwitch compatibility layer for Linux bridging]].
  * **''ovswitch_brcompat''**: Works with ''kvm'' and ''xen''. This is the only set that currently works with ''xen''. Not recommended for ''kvm''. Requires the [[http://openvswitch.org/cgi-bin/gitweb.cgi?p=openvswitch;a=blob_plain;f=INSTALL.bridge;hb=HEAD|Open vSwitch compatibility layer for Linux bridging]].

====== Configuration ======

===== Hosts Configuration =====

  * You need to install Open vSwitch on each OpenNebula Host. Please refer to the [[http://openvswitch.org/cgi-bin/gitweb.cgi?p=openvswitch;a=blob_plain;f=INSTALL.Linux;hb=HEAD|Open vSwitch documentation]] to do so.
  * If using ''ovswitch_brcompat'' it is also necessary to install the [[http://openvswitch.org/cgi-bin/gitweb.cgi?p=openvswitch;a=blob_plain;f=INSTALL.bridge;hb=HEAD|Open vSwitch compatibility layer for Linux bridging]].
  * The **''sudoers''** file must be configured so **''oneadmin''** can execute **''ovs-vsctl''** in the hosts.

===== OpenNebula Configuration =====

To enable this driver, use **ovswitch** or **ovswitch_brcompat** as the Virtual Network Manager driver parameter when the hosts are created with the [[.:host_guide|onehost command]]:

<code>
# for kvm hosts
$ onehost create host01 im_kvm vmm_kvm tm_shared ovswitch

# for xen hosts
$ onehost create host02 im_xen vmm_xen tm_shared ovswitch_brcompat
</code>

===== Driver Actions =====

^ Action ^ Description ^
| **Pre** | - |
| **Post** | Performs the appropriate Open vSwitch commands to tag the virtual tap interface. |
| **Clean** | It doesn't do anything. The virtual tap interfaces will be automatically discarded when the VM is shut down. |

====== Usage ======

===== Network Isolation =====

The driver will be automatically applied to every Virtual Machine deployed in the Host. Only the virtual networks with the attribute **''VLAN''** set to **''YES''** will be isolated. There are no other special attributes required.

<code>
NAME    = "ovswitch_net"
TYPE    = "fixed"
BRIDGE  = vbr1
VLAN    = "YES"
VLAN_ID = 50 # optional
LEASES  = ...
</code>
:!: Any user with Network creation/modification permissions may force a custom VLAN id with the ''VLAN_ID'' parameter in the network template. In that scenario, any user may be able to connect to another network that shares the same VLAN id. Techniques to avoid this are explained under the Tuning & Extending section.
===== Network Filtering =====

The first rule that is always applied when using the Open vSwitch drivers is the MAC-spoofing rule, which drops any traffic coming out of the VM if the user changes its MAC address.

The firewall directives must be placed in the [[template#network_section|network section]] of the Virtual Machine template. These are the possible attributes:

  * **BLACK_PORTS_TCP = ''iptables_range''**: Doesn't permit access to the VM through the specified ports in the TCP protocol. Superseded by WHITE_PORTS_TCP if defined.
  * **BLACK_PORTS_UDP = ''iptables_range''**: Doesn't permit access to the VM through the specified ports in the UDP protocol. Superseded by WHITE_PORTS_UDP if defined.
  * **ICMP = drop**: Blocks ICMP connections to the VM. By default it's set to accept.

''iptables_range'': a list of ports separated by commas, e.g.: ''80,8080''. Currently no ranges are supported, e.g.: ''5900:6000'' is **not** supported.

Example:

<code>
NIC = [
  NETWORK_ID = 3,
  BLACK_PORTS_TCP = "80, 22",
  ICMP = drop
]
</code>

Note that WHITE_PORTS_TCP and BLACK_PORTS_TCP are mutually exclusive. In the event that both are defined, the more restrictive one will prevail, i.e. WHITE_PORTS_TCP. The same happens with WHITE_PORTS_UDP and BLACK_PORTS_UDP.

====== Tuning & Extending ======
:!: Remember that any change in the ''/var/lib/one/remotes'' directory won't be effective in the Hosts until you execute, as oneadmin:

<code>
oneadmin@frontend $ onehost sync
</code>

This way, in the next monitoring cycle the updated files will be copied again to the Hosts.
===== Calculating VLAN id =====

The VLAN id is calculated by adding the network id to a constant defined in ''/var/lib/one/remotes/vnm/OpenNebulaNetwork.rb''. You can customize that value to your own needs:

<code ruby>
CONF = {
    :start_vlan => 2
}
</code>

===== Restricting manually the VLAN_ID =====

You can either restrict permissions on Network creation with [[.:manage_acl|ACL rules]], or you can entirely disable the possibility to redefine the VLAN_ID by modifying the source code of ''/var/lib/one/remotes/vnm/ovswitch/OpenvSwitch.rb''. Change these lines:

<code ruby>
if nic[:vlan_id]
    vlan = nic[:vlan_id]
else
    vlan = CONF[:start_vlan] + nic[:network_id].to_i
end
</code>

with this one:

<code ruby>
vlan = CONF[:start_vlan] + nic[:network_id].to_i
</code>

===== OpenFlow Rules =====

To modify these rules you have to edit ''/var/lib/one/remotes/vnm/ovswitch/OpenvSwitch.rb''.

**Mac-spoofing**

These rules prevent any traffic from coming out of the port if the MAC address has changed: frames carrying the VM's own MAC are forwarded normally, and the lower-priority rule drops everything else sent through that port.

<code>
in_port=,dl_src=,priority=40000,actions=normal
in_port=,priority=39000,actions=drop
</code>

**Black ports (one rule per port)**

<code>
tcp,dl_dst=,tp_dst=,actions=drop
</code>

**ICMP Drop**

<code>
icmp,dl_dst=,actions=drop
</code>
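As an added example that is not part of this page or of OpenNebula's driver code, the following Ruby mirrors two pieces of the behaviour described in the Network Filtering and Tuning & Extending sections: the VLAN id calculation (with a check for forced VLAN_ID values that land on another network's VLAN, the isolation problem noted above) and the generation of the MAC-spoofing, black-port and ICMP OpenFlow rules from a NIC's attributes, enforcing the documented limits (no port ranges, white list supersedes black list). Port numbers, MAC addresses and the network list are constructed inputs, and the function names are my own.

```ruby
# Added example, not OpenNebula's driver code. Two checks modelled on the
# ovswitch driver: the VLAN id each network ends up on (start_vlan + network
# id, or a forced VLAN_ID) with detection of forced ids that collide with
# another network, and the OpenFlow rules generated from a NIC's filtering
# attributes. Port numbers, MACs and network data are constructed inputs.
CONF = { start_vlan: 2 }

# Same calculation as the driver; allow_forced: false is the patched driver
# in which a VLAN_ID in the template is ignored.
def vlan_for(net, allow_forced: true)
  forced = net[:vlan_id] if allow_forced
  forced ? Integer(forced) : CONF[:start_vlan] + Integer(net[:network_id])
end

# { vlan => [network ids] } for every VLAN shared by more than one network,
# i.e. networks that would not actually be isolated from each other.
def vlan_collisions(nets, allow_forced: true)
  nets.group_by { |n| vlan_for(n, allow_forced: allow_forced) }
      .transform_values { |ns| ns.map { |n| n[:network_id] } }
      .select { |_, ids| ids.size > 1 }
end

# iptables_range is a comma-separated port list; a:b ranges are not
# supported by the driver, so reject them instead of passing them through.
def parse_ports(value)
  value.to_s.split(',').map(&:strip).map do |p|
    raise ArgumentError, "unsupported port spec: #{p}" unless p =~ /\A\d+\z/
    Integer(p)
  end
end

# Flow rules for one NIC, in the order the driver adds them: MAC-spoofing
# first, then one drop per black-listed port (unless a white list supersedes
# the black list), then the optional ICMP drop.
def openflow_rules(nic, in_port:, mac:)
  rules = ["in_port=#{in_port},dl_src=#{mac},priority=40000,actions=normal",
           "in_port=#{in_port},priority=39000,actions=drop"]
  { tcp: [:WHITE_PORTS_TCP, :BLACK_PORTS_TCP],
    udp: [:WHITE_PORTS_UDP, :BLACK_PORTS_UDP] }.each do |proto, (white, black)|
    next if nic[white] || nic[black].nil?
    parse_ports(nic[black]).each { |p| rules << "#{proto},dl_dst=#{mac},tp_dst=#{p},actions=drop" }
  end
  rules << "icmp,dl_dst=#{mac},actions=drop" if nic[:ICMP].to_s.casecmp('drop').zero?
  rules
end

# Constructed sample: network 7 forces VLAN_ID=5, the id network 3 gets by default.
SAMPLE_NETS = [{ network_id: 3 }, { network_id: 4 }, { network_id: 7, vlan_id: 5 }]
```

Running `vlan_collisions(SAMPLE_NETS)` reports VLAN 5 shared by networks 3 and 7, while `vlan_collisions(SAMPLE_NETS, allow_forced: false)` is empty, which is the effect of the source change described above.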