<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=gb2312">
<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta name=Generator content="Microsoft Word 12 (filtered medium)">
<style>
<!--
/* Font Definitions */
@font-face
{font-family:Wingdings;
panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:SimSun;
panose-1:2 1 6 0 3 1 1 1 1 1;}
@font-face
{font-family:SimSun;
panose-1:2 1 6 0 3 1 1 1 1 1;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:SimSun;
panose-1:2 1 6 0 3 1 1 1 1 1;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:72.0pt 90.0pt 72.0pt 90.0pt;}
div.WordSection1
{page:WordSection1;}
-->
</style>
<!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang=ZH-CN link=blue vlink=purple>
<div class=WordSection1>
<p class=MsoNormal><span lang=EN-US style='font-size:10.5pt;font-family:"Calibri","sans-serif";
color:#1F497D'>I am also very interesting about this and also try to find a way
to forbid the talking between VMs on same compute+network node. </span><span
lang=EN-US style='font-size:10.5pt;font-family:Wingdings;color:#1F497D'>J</span><span
lang=EN-US style='font-size:10.5pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='font-size:10.5pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='font-size:10.5pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Romi<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='font-size:10.5pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm 0cm'>
<p class=MsoNormal><b><span style='font-size:10.0pt;font-family:SimSun'>发件人<span
lang=EN-US>:</span></span></b><span lang=EN-US style='font-size:10.0pt;
font-family:SimSun'>
openstack-bounces+romizhang1968=163.com@lists.launchpad.net
[mailto:openstack-bounces+romizhang1968=163.com@lists.launchpad.net] </span><b><span
style='font-size:10.0pt;font-family:SimSun'>代表 </span></b><span
lang=EN-US style='font-size:10.0pt;font-family:SimSun'>Christian Parpart<br>
</span><b><span style='font-size:10.0pt;font-family:SimSun'>发送时间<span
lang=EN-US>:</span></span></b><span lang=EN-US style='font-size:10.0pt;
font-family:SimSun'> 2012</span><span style='font-size:10.0pt;font-family:SimSun'>年<span
lang=EN-US>7</span>月<span lang=EN-US>5</span>日 星期四<span
lang=EN-US> 23:48<br>
</span><b>收件人<span lang=EN-US>:</span></b><span
lang=EN-US> <openstack@lists.launchpad.net><br>
</span><b>主题<span lang=EN-US>:</span></b><span lang=EN-US>
[Openstack] inter-tenant and VM-to-bare-metal communication
policies/restrictions.<o:p></o:p></span></span></p>
</div>
<p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p>
<p class=MsoNormal><span lang=EN-US>Hi all,<o:p></o:p></span></p>
<div>
<p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p>
</div>
<div>
<p class=MsoNormal><span lang=EN-US>I am running multiple compute nodes and a
single nova-network node, that is to act<o:p></o:p></span></p>
</div>
<div>
<p class=MsoNormal><span lang=EN-US>as a central gateway for the tenant's VMs.<o:p></o:p></span></p>
</div>
<div>
<p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p>
</div>
<div>
<p class=MsoNormal><span lang=EN-US>However, since this nova-network node (of
course) knows all routes, every VM of<o:p></o:p></span></p>
</div>
<div>
<p class=MsoNormal><span lang=EN-US>any tenant can talk to each other,
including to the physical nodes, which<o:p></o:p></span></p>
</div>
<div>
<p class=MsoNormal><span lang=EN-US>I highly disagree with and would like to
restrict that. :-)<o:p></o:p></span></p>
</div>
<div>
<p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p>
</div>
<div>
<div>
<div>
<p class=MsoNormal><span lang=EN-US style='font-family:"Courier New"'>root@gw1:~#
ip route show</span><span lang=EN-US><o:p></o:p></span></p>
</div>
<div>
<p class=MsoNormal><span lang=EN-US style='font-family:"Courier New"'>default
via $UPLINK_IP dev eth1 metric 100 </span><span lang=EN-US><o:p></o:p></span></p>
</div>
<div>
<p class=MsoNormal><span lang=EN-US style='font-family:"Courier New"'><a
href="http://10.10.0.0/19">10.10.0.0/19</a> dev eth0 proto kernel
scope link src 10.10.30.5 </span><span lang=EN-US><o:p></o:p></span></p>
</div>
<div>
<p class=MsoNormal><span lang=EN-US style='font-family:"Courier New"'><a
href="http://10.10.40.0/21">10.10.40.0/21</a> dev br100 proto kernel
scope link src 10.10.40.1 </span><span lang=EN-US><o:p></o:p></span></p>
</div>
<div>
<p class=MsoNormal><span lang=EN-US style='font-family:"Courier New"'><a
href="http://10.10.48.0/24">10.10.48.0/24</a> dev br101 proto kernel
scope link src 10.10.48.1 </span><span lang=EN-US><o:p></o:p></span></p>
</div>
<div>
<p class=MsoNormal><span lang=EN-US style='font-family:"Courier New"'><a
href="http://10.10.49.0/24">10.10.49.0/24</a> dev br102 proto kernel
scope link src 10.10.49.1 </span><span lang=EN-US><o:p></o:p></span></p>
</div>
<div>
<p class=MsoNormal><span lang=EN-US style='font-family:"Courier New"'>$PUBLIC_NET/28
dev eth1 proto kernel scope link src $PUBLIC_IP</span><span
lang=EN-US><o:p></o:p></span></p>
</div>
<div>
<p class=MsoNormal><span lang=EN-US style='font-family:"Courier New"'><a
href="http://192.168.0.0/16">192.168.0.0/16</a> dev eth0 proto kernel
scope link src 192.168.2.1</span><span lang=EN-US><o:p></o:p></span></p>
</div>
</div>
</div>
<div>
<p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p>
</div>
<div>
<p class=MsoNormal><span lang=EN-US>- <a href="http://10.10.0.0/19">10.10.0.0/19</a>
is the network for bare metal nodes, switches, PDUs, etc.<o:p></o:p></span></p>
</div>
<div>
<p class=MsoNormal><span lang=EN-US>- <a href="http://10.10.40.0/21(br100)">10.10.40.0/21(br100)</a>
is the "production" tenant<o:p></o:p></span></p>
</div>
<div>
<p class=MsoNormal><span lang=EN-US>- <a href="http://10.10.48.0/24">10.10.48.0/24</a>
(br101) is the "staging" tenant<o:p></o:p></span></p>
</div>
<div>
<p class=MsoNormal><span lang=EN-US>- <a href="http://10.10.49.0/24">10.10.49.0/24</a>
(br102) is the "playground" tenant.<o:p></o:p></span></p>
</div>
<div>
<p class=MsoNormal><span lang=EN-US>- <a href="http://192.168.0.0/16">192.168.0.0/16</a>
is the legacy network (management and VM nodes)<o:p></o:p></span></p>
</div>
<div>
<p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p>
</div>
<div>
<p class=MsoNormal><span lang=EN-US>No tenant's VM shall be able to talk to a
VM of another tenant.<o:p></o:p></span></p>
</div>
<div>
<p class=MsoNormal><span lang=EN-US>And ideally no tenant's VM should be able
to talk to the management<o:p></o:p></span></p>
</div>
<div>
<p class=MsoNormal><span lang=EN-US>network either.<o:p></o:p></span></p>
</div>
<div>
<p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p>
</div>
<div>
<p class=MsoNormal><span lang=EN-US>Unfortunately, since we're migrating a live
system, and we also have<o:p></o:p></span></p>
</div>
<div>
<p class=MsoNormal><span lang=EN-US>production services on the bare-metal
nodes, I had to add special routes<o:p></o:p></span></p>
</div>
<div>
<p class=MsoNormal><span lang=EN-US>to allow the legacy installations to
communicate to the new "production"<o:p></o:p></span></p>
</div>
<div>
<p class=MsoNormal><span lang=EN-US>VMs for the transition phase. I hope I can
remove that ASAP.<o:p></o:p></span></p>
</div>
<div>
<p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p>
</div>
<div>
<p class=MsoNormal><span lang=EN-US>Now, checking iptables on the nova-network
node:<o:p></o:p></span></p>
</div>
<div>
<p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p>
</div>
<div>
<div>
<p class=MsoNormal><span lang=EN-US style='font-family:"Courier New"'>root@gw1:~#
iptables -t filter -vn -L FORWARD</span><span lang=EN-US><o:p></o:p></span></p>
</div>
<div>
<p class=MsoNormal><span lang=EN-US style='font-family:"Courier New"'>Chain
FORWARD (policy ACCEPT 64715 packets, 13M bytes)</span><span lang=EN-US><o:p></o:p></span></p>
</div>
<div>
<p class=MsoNormal><span lang=EN-US style='font-family:"Courier New"'> pkts
bytes target prot opt in out source
destination
</span><span lang=EN-US><o:p></o:p></span></p>
</div>
<div>
<p class=MsoNormal><span lang=EN-US style='font-family:"Courier New"'>
36M 29G nova-filter-top all -- * *
<a href="http://0.0.0.0/0">0.0.0.0/0</a>
<a href="http://0.0.0.0/0">0.0.0.0/0</a>
</span><span lang=EN-US><o:p></o:p></span></p>
</div>
<div>
<p class=MsoNormal><span lang=EN-US style='font-family:"Courier New"'>
36M 29G nova-network-FORWARD all -- *
* <a href="http://0.0.0.0/0">0.0.0.0/0</a>
<a href="http://0.0.0.0/0">0.0.0.0/0</a>
</span><span lang=EN-US><o:p></o:p></span></p>
</div>
<div>
<p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p>
</div>
<div>
<p class=MsoNormal><span lang=EN-US style='font-family:"Courier New"'>root@gw1:~#
iptables -t filter -vn -L nova-filter-top</span><span lang=EN-US><o:p></o:p></span></p>
</div>
<div>
<p class=MsoNormal><span lang=EN-US style='font-family:"Courier New"'>Chain
nova-filter-top (2 references)</span><span lang=EN-US><o:p></o:p></span></p>
</div>
<div>
<p class=MsoNormal><span lang=EN-US style='font-family:"Courier New"'> pkts
bytes target prot opt in out source
destination
</span><span lang=EN-US><o:p></o:p></span></p>
</div>
<div>
<p class=MsoNormal><span lang=EN-US style='font-family:"Courier New"'>
36M 29G nova-network-local all -- *
* <a href="http://0.0.0.0/0">0.0.0.0/0</a>
<a href="http://0.0.0.0/0">0.0.0.0/0</a>
</span><span lang=EN-US><o:p></o:p></span></p>
</div>
<div>
<p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p>
</div>
<div>
<p class=MsoNormal><span lang=EN-US style='font-family:"Courier New"'>root@gw1:~#
iptables -t filter -vn -L nova-network-local</span><span lang=EN-US><o:p></o:p></span></p>
</div>
<div>
<p class=MsoNormal><span lang=EN-US style='font-family:"Courier New"'>Chain
nova-network-local (1 references)</span><span lang=EN-US><o:p></o:p></span></p>
</div>
<div>
<p class=MsoNormal><span lang=EN-US style='font-family:"Courier New"'> pkts
bytes target prot opt in out source
destination </span><span
lang=EN-US><o:p></o:p></span></p>
</div>
<div>
<p class=MsoNormal><span lang=EN-US style='font-family:"Courier New"'>
</span><span lang=EN-US><o:p></o:p></span></p>
</div>
<div>
<p class=MsoNormal><span lang=EN-US style='font-family:"Courier New"'>root@gw1:~#
iptables -t filter -vn -L nova-network-FORWARD</span><span lang=EN-US><o:p></o:p></span></p>
</div>
<div>
<p class=MsoNormal><span lang=EN-US style='font-family:"Courier New"'>Chain
nova-network-FORWARD (1 references)</span><span lang=EN-US><o:p></o:p></span></p>
</div>
<div>
<p class=MsoNormal><span lang=EN-US style='font-family:"Courier New"'> pkts
bytes target prot opt in out source
destination
</span><span lang=EN-US><o:p></o:p></span></p>
</div>
<div>
<p class=MsoNormal><span lang=EN-US style='font-family:"Courier New"'>
0 0 ACCEPT all -- br102 *
<a href="http://0.0.0.0/0">0.0.0.0/0</a>
<a href="http://0.0.0.0/0">0.0.0.0/0</a>
</span><span lang=EN-US><o:p></o:p></span></p>
</div>
<div>
<p class=MsoNormal><span lang=EN-US style='font-family:"Courier New"'>
0 0 ACCEPT all -- *
br102 <a href="http://0.0.0.0/0">0.0.0.0/0</a>
<a href="http://0.0.0.0/0">0.0.0.0/0</a>
</span><span lang=EN-US><o:p></o:p></span></p>
</div>
<div>
<p class=MsoNormal><span lang=EN-US style='font-family:"Courier New"'>
0 0 ACCEPT udp -- *
* <a href="http://0.0.0.0/0">0.0.0.0/0</a>
10.10.49.2
udp dpt:1194</span><span lang=EN-US><o:p></o:p></span></p>
</div>
<div>
<p class=MsoNormal><span lang=EN-US style='font-family:"Courier New"'>
18M 11G ACCEPT all -- br100 *
<a href="http://0.0.0.0/0">0.0.0.0/0</a>
<a href="http://0.0.0.0/0">0.0.0.0/0</a>
</span><span lang=EN-US><o:p></o:p></span></p>
</div>
<div>
<p class=MsoNormal><span lang=EN-US style='font-family:"Courier New"'>
18M 18G ACCEPT all -- *
br100 <a href="http://0.0.0.0/0">0.0.0.0/0</a>
<a href="http://0.0.0.0/0">0.0.0.0/0</a>
</span><span lang=EN-US><o:p></o:p></span></p>
</div>
<div>
<p class=MsoNormal><span lang=EN-US style='font-family:"Courier New"'>
0 0 ACCEPT udp -- *
* <a href="http://0.0.0.0/0">0.0.0.0/0</a>
10.10.40.2
udp dpt:1194</span><span lang=EN-US><o:p></o:p></span></p>
</div>
<div>
<p class=MsoNormal><span lang=EN-US style='font-family:"Courier New"'> 106K
14M ACCEPT all -- br101 *
<a href="http://0.0.0.0/0">0.0.0.0/0</a>
<a href="http://0.0.0.0/0">0.0.0.0/0</a>
</span><span lang=EN-US><o:p></o:p></span></p>
</div>
<div>
<p class=MsoNormal><span lang=EN-US style='font-family:"Courier New"'>79895
23M ACCEPT all -- * br101
<a href="http://0.0.0.0/0">0.0.0.0/0</a>
<a href="http://0.0.0.0/0">0.0.0.0/0</a>
</span><span lang=EN-US><o:p></o:p></span></p>
</div>
<div>
<p class=MsoNormal><span lang=EN-US style='font-family:"Courier New"'>
0 0 ACCEPT udp -- *
* <a href="http://0.0.0.0/0">0.0.0.0/0</a>
10.10.48.2
udp dpt:1194</span><span lang=EN-US><o:p></o:p></span></p>
</div>
</div>
<div>
<p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p>
</div>
<div>
<p class=MsoNormal><span lang=EN-US>Now I see, that all traffic from tenant
"staging" (br101) for example allows any traffic from/to any
destination (-j ACCEPT).<o:p></o:p></span></p>
</div>
<div>
<p class=MsoNormal><span lang=EN-US>I'd propose to reduce this limitation to
the public gateway interface (eth1 in my case) and that this value<o:p></o:p></span></p>
</div>
<div>
<p class=MsoNormal><span lang=EN-US>shall be configurable in the nova.conf
file.<o:p></o:p></span></p>
</div>
<div>
<p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p>
</div>
<div>
<p class=MsoNormal><span lang=EN-US>Is there any other thing, I might have
overseen, to disallow inter-tenant communication and to disallow<o:p></o:p></span></p>
</div>
<div>
<p class=MsoNormal><span lang=EN-US>tenant-VM-to-bare-metal communication?<o:p></o:p></span></p>
</div>
<div>
<p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p>
</div>
<div>
<p class=MsoNormal><span lang=EN-US>Many thanks in advance,<o:p></o:p></span></p>
</div>
<div>
<p class=MsoNormal><span lang=EN-US>Christian Parpart.<o:p></o:p></span></p>
</div>
<div>
<p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p>
</div>
<div>
<p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p>
</div>
<div>
<p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p>
</div>
<div>
<p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p>
</div>
<div>
<p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p>
</div>
<div>
<div style='border:solid #D9D9D9 1.0pt;padding:0cm 0cm 0cm 0cm;margin-bottom:
7.5pt' id="file_gistfile1.txt">
<div>
<p class=MsoNormal style='background:ghostwhite'><span lang=EN-US><o:p> </o:p></span></p>
</div>
</div>
</div>
</div>
</body>
</html>