Open vSwitch 3.4
This guide describes how to enable Network isolation provided through Open vSwitch. Each Virtual Network interface will receive a VLAN tag enabling network isolation. Other traffic attributes that may be configured through Open vSwitch are not modified.
The VLAN id will be the same for every interface in a given network, calculated by adding a constant to the network id. It may also be forced by specifying an VLAN_ID parameter in the Virtual Network template.
Requirements
This driver requires Open vSwitch to be installed on each OpenNebula Host. Follow the resources specified in hosts_configuration to install it.
Considerations & Limitations
Integrating OpenNebula with Open vSwitch brings a long list of benefits to OpenNebula, read Open vSwitch Features to get a hold on these features.
This guide will address the usage of VLAN tagging of OpenNebula Virtual Machines. On top of that any other Open vSwitch feature may be used, but that's outside of the scope of this guide.
In OpenNebula 3.0, this functionality was provided through a hook, and it wasn't effective after a migration. Since OpenNebula 3.2 this limitation does not apply.
Configuration
Hosts Configuration
- You need to install Open vSwitch on each OpenNebula Host. Please refer to the Open vSwitch documentation to do so.
- It is also necessary to install the Open vSwitch compatibility layer for Linux bridging.
- The
sudoersfile must be configured sooneadmincan executeovs_vsctlin the hosts.
OpenNebula Configuration
To enable this driver, use ovswitch as the Virtual Network Manager driver parameter when the hosts are created with the onehost command:
<xterm> $ onehost create host01 im_kvm vmm_kvm tm_shared ovswitch </xterm>
Driver Actions
| Action | Description |
|---|---|
| Pre | - |
| Post | Performs the appropriate Open vSwitch commands to tag the virtual tap interface. |
| Clean | It doesn't do anything. The virtual tap interfaces will be automatically discarded when the VM is shut down. |
Usage
The driver will be automatically applied to every Virtual Machine deployed in the Host. Only the virtual networks with the attribute VLAN set to YES will be isolated. There are no other special attributes required.
NAME = "ovswitch_net" TYPE = "fixed" BRIDGE = vbr1 VLAN = "YES" VLAN_ID = 50 # optional LEASES = ...
Any user with Network creation/modification permissions may force a custom vlan id with the VLAN_ID parameter in the network template. In that scenario, any user may be able to connect to another network with the same network id. Techniques to avoid this are explained under the Tuning & Extending section.
Tuning & Extending
Remember that any change in the /var/lib/one/remotes directory won't be effective in the Hosts until you execute, as oneadmin:
<xterm> oneadmin@frontend $ onehost sync </xterm>
This way in the next monitoring cycle the updated files will be copied again to the Hosts.
Calculating VLAN id
The vlan id is calculated by adding the network id to a constant defined in /var/lib/one/remotes/vnm/OpenNebulaNetwork.rb. You can customize that value to your own needs:
CONF = { :start_vlan => 2 }
Restricting manually the VLAN_ID
You can either restrict permissions on Network creation with ACL rules, or you can entirely disable the possibility to redefine the VLAN_ID by modifying the source code of /var/lib/one/remotes/vnm/ovswitch/OpenvSwitch.rb. Change these lines:
if nic[:vlan_id] vlan = nic[:vlan_id] else vlan = CONF[:start_vlan] + nic[:network_id].to_i end
with this one:
vlan = CONF[:start_vlan] + nic[:network_id].to_i