Open vSwitch 3.0

Network isolation provided through Open vSwitch. Each Virtual Network interface will receive a VLAN tag enabling network isolation. Other traffic attributes that may be configured through Open vSwitch are not modified.

The VLAN id will be the same for every interface in a given network, calculated by adding a constant to the network id. It may also be forced by specifying a VLAN_ID parameter in the network template.


Requirements

This hook requires Open vSwitch to be installed on each OpenNebula Host. Follow the resources specified in External Component Configuration to install it.

Considerations & Limitations

Integrating OpenNebula with Open vSwitch brings a long list of benefits to OpenNebula; read Open vSwitch Features to get a hold on these features.

This guide will address the use of VLAN tagging for OpenNebula Virtual Machines. On top of that any other Open vSwitch feature may be used, but that is outside the scope of this guide.

Since this functionality is provided through a hook, it won't remain effective after a migration, because the hook is not triggered again on the target host.

Configuration

External Component Configuration

OpenNebula Configuration

To activate the hook, uncomment the following snippet in oned.conf:

VM_HOOK = [
    name      = "openvswitch-vlan",
    on        = "RUNNING",
    command   = "vnm/openvswitch-vlan",
    arguments = "$TEMPLATE",
    remote    = "yes" ]

Usage

Once the hook is activated in oned.conf it will be automatically applied to every Virtual Machine.

Warning: Any user with Network creation/modification permissions may force a custom VLAN id with the VLAN_ID parameter in the network template. In that scenario, any user may be able to connect to another network with the same network id. Techniques to avoid this are explained under the Tuning & Extending section.

Tuning & Extending

Calculating VLAN id

The VLAN id is calculated by adding the network id to a constant defined in /var/lib/one/remotes/hooks/vnm/OpenNebulaNetwork.rb:

CONF = {
    :start_vlan => 2
}

You can customize that value to your own needs.

Restricting the manual VLAN_ID

You can either restrict permissions on Network creation with ACLs, or you can entirely disable this feature by modifying the source code of /var/lib/one/remotes/hooks/vnm/HostManaged.rb. Change these lines:

            if nic[:vlan_id]
                vlan = nic[:vlan_id]
            else
                vlan = CONF[:start_vlan] + nic[:network_id].to_i
            end

with this one:

            vlan = CONF[:start_vlan] + nic[:network_id].to_i
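The following Ruby is an added example, not code from the OpenNebula hook itself. It mirrors the VLAN id selection shown in the two snippets above (start_vlan constant plus network id, optionally overridden by VLAN_ID) so that both variants can be exercised side by side, and it adds two things a deployment would want that the page does not show: a check that the resulting tag is inside the 802.1Q range, and a small helper that reports when a forced VLAN_ID lands on the tag computed for another network, which is exactly the collision the Usage warning describes. The allow_override flag, the range constants, vlan_collisions and the sample NIC hashes are assumptions made for this example.

```ruby
# Added example (not OpenNebula's HostManaged.rb): VLAN id selection with
# and without honouring a template VLAN_ID, plus a range check and a
# collision report. CONF and :start_vlan follow the page; everything else
# (allow_override, MIN_VLAN/MAX_VLAN, vlan_collisions, SAMPLE_NICS) is assumed.
CONF = { :start_vlan => 2 }

MIN_VLAN = 1
MAX_VLAN = 4094  # 802.1Q tag range; 0 and 4095 are reserved

# Returns the VLAN tag for a NIC hash. With allow_override = true the
# template's VLAN_ID wins (the original hook behaviour); with false the tag
# is always derived from the network id (the hardened variant on the page).
def vlan_for(nic, conf = CONF, allow_override: true)
  vlan = if allow_override && nic[:vlan_id]
           nic[:vlan_id].to_i
         else
           conf[:start_vlan] + nic[:network_id].to_i
         end
  unless (MIN_VLAN..MAX_VLAN).cover?(vlan)
    raise ArgumentError, "VLAN id #{vlan} outside #{MIN_VLAN}..#{MAX_VLAN}"
  end
  vlan
end

# Given the NICs present on one host, return { vlan => [network_ids] } for
# every tag shared by more than one network, i.e. the segments where a forced
# VLAN_ID would let one network's VMs talk to another network's VMs.
def vlan_collisions(nics, conf = CONF, allow_override: true)
  by_vlan = Hash.new { |h, k| h[k] = [] }
  nics.each do |nic|
    tag = vlan_for(nic, conf, allow_override: allow_override)
    by_vlan[tag] << nic[:network_id].to_i
  end
  by_vlan.select { |_, ids| ids.uniq.size > 1 }
end

# Constructed sample: network 5 computes to tag 7; network 9 forces VLAN_ID=7
# and would share the segment with network 5 while overrides are honoured.
SAMPLE_NICS = [
  { :network_id => "5" },
  { :network_id => "9", :vlan_id => "7" },
  { :network_id => "12" },
]

if __FILE__ == $0
  puts "with override:    #{vlan_collisions(SAMPLE_NICS).inspect}"
  puts "without override: #{vlan_collisions(SAMPLE_NICS, allow_override: false).inspect}"
end
```

Running the file prints the collision on tag 7 for the override-enabled case and an empty hash once overrides are ignored, which is the effect of the one-line replacement described above.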