Open vSwitch 3.4
This guide describes how to enable Network isolation provided through Open vSwitch. Each Virtual Network interface will receive a VLAN tag enabling network isolation. Other traffic attributes that may be configured through Open vSwitch are not modified.
The VLAN id will be the same for every interface in a given network, calculated by adding a constant to the network id. It may also be forced by specifying a VLAN_ID parameter in the Virtual Network template.
This driver requires Open vSwitch to be installed on each OpenNebula Host. Follow the resources specified in hosts_configuration to install it.
Integrating OpenNebula with Open vSwitch brings a long list of benefits to OpenNebula; read Open vSwitch Features for an overview of them.
This guide addresses the VLAN tagging of OpenNebula Virtual Machines. On top of that, any other Open vSwitch feature may be used, but that is outside the scope of this guide.
In OpenNebula 3.0, this functionality was provided through a hook, and it wasn't effective after a migration. Since OpenNebula 3.2 this limitation does not apply.
The sudoers file must be configured so that oneadmin can execute ovs_vsctl on the hosts.
To enable this driver, use ovswitch as the Virtual Network Manager driver parameter when the hosts are created with the onehost command:

```
$ onehost create host01 im_kvm vmm_kvm tm_shared ovswitch
```
| Action | Description |
|---|---|
| Pre | - |
| Post | Performs the appropriate Open vSwitch commands to tag the virtual tap interface. |
| Clean | Does nothing; the virtual tap interfaces are discarded automatically when the VM is shut down. |
The driver will be automatically applied to every Virtual Machine deployed in the Host. Only the virtual networks with the attribute VLAN set to YES will be isolated. There are no other special attributes required.

```
NAME    = "ovswitch_net"
TYPE    = "fixed"
BRIDGE  = vbr1
VLAN    = "YES"
VLAN_ID = 50        # optional
LEASES  = ...
```
Any user allowed to create a Virtual Network can also set the VLAN_ID parameter in the network template. In that scenario, such a user may be able to connect to another network that uses the same VLAN id. Techniques to avoid this are explained under the Tuning & Extending section.
Changes made to the /var/lib/one/remotes directory won't be effective in the Hosts until you execute, as oneadmin:

```
oneadmin@frontend $ onehost sync
```

This way, in the next monitoring cycle, the updated files will be copied again to the Hosts.
The VLAN id is calculated by adding the network id to a constant defined in /var/lib/one/remotes/vnm/OpenNebulaNetwork.rb. You can customize that value to your own needs:

```ruby
CONF = { :start_vlan => 2 }
```
You can either restrict permissions on Network creation with ACL rules, or you can entirely disable the possibility to redefine the VLAN_ID by modifying the source code of /var/lib/one/remotes/vnm/ovswitch/OpenvSwitch.rb. Change these lines:

```ruby
if nic[:vlan_id]
  vlan = nic[:vlan_id]
else
  vlan = CONF[:start_vlan] + nic[:network_id].to_i
end
```

with this one:

```ruby
vlan = CONF[:start_vlan] + nic[:network_id].to_i
```
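To see why the VLAN_ID warning matters, here is an added example in Ruby (not OpenNebula's own driver code) that models both versions of the VLAN assignment above and reports which networks would end up sharing a tag; CONF mirrors the constant shown earlier, and the nic hashes are constructed sample data.

```ruby
# Added example (not OpenNebula's own driver code): models the VLAN
# assignment described above to show how a template-supplied VLAN_ID can
# collide with the tag the driver derives for another network.
# CONF mirrors the constant in OpenNebulaNetwork.rb; the nic hashes are
# constructed sample data, not real OpenNebula objects.

CONF = { :start_vlan => 2 }

# Original behaviour: a VLAN_ID in the template overrides the derived tag.
def vlan_permissive(nic)
  if nic[:vlan_id]
    nic[:vlan_id].to_i
  else
    CONF[:start_vlan] + nic[:network_id].to_i
  end
end

# Hardened behaviour (the edit suggested above): the tag is always derived
# from the network id, so a template cannot pick it.
def vlan_strict(nic)
  CONF[:start_vlan] + nic[:network_id].to_i
end

# Returns { vlan => [network ids] } for every tag shared by more than one
# network, i.e. networks that would no longer be isolated from each other.
def colliding_vlans(nics, strict: false)
  by_vlan = Hash.new { |h, k| h[k] = [] }
  nics.each do |nic|
    vlan = strict ? vlan_strict(nic) : vlan_permissive(nic)
    by_vlan[vlan] << nic[:network_id]
  end
  by_vlan.select { |_vlan, ids| ids.size > 1 }
end

# Constructed sample networks: network 48 derives VLAN 2 + 48 = 50, and the
# template for network 7 forces VLAN_ID = 50 onto the same tag.
SAMPLE_NICS = [
  { :network_id => 48 },
  { :network_id => 7, :vlan_id => 50 },
  { :network_id => 9 },
]

if __FILE__ == $0
  puts "permissive: #{colliding_vlans(SAMPLE_NICS).inspect}"               # {50=>[48, 7]}
  puts "strict:     #{colliding_vlans(SAMPLE_NICS, strict: true).inspect}" # {}
end
```

With the permissive lookup, network 7 lands on the same VLAN as network 48; with the strict lookup, every network gets its own tag.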