Subject: Re: Additional VM Networks in Virtual Host profile
From: "Mani Shafa'atDoost" <mani.doost@gmail.com>
To: dev@vcl.apache.org
Cc: user@vcl.apache.org
Date: Thu, 2 Aug 2012 10:54:02 -0400
In-Reply-To: <50C69D36-6DE3-4186-8687-5F8B33FFB777@gmu.edu>
References: <203FAB11-73BD-431D-AAF8-57E3764ED8D1@gmu.edu> <2BB26496-2097-446E-B6AA-1EF0D5C690F6@gmu.edu> <50C69D36-6DE3-4186-8687-5F8B33FFB777@gmu.edu>
List: user@vcl.apache.org (Apache VCL user list)

Hi Dimitri,

I had some difficulties understanding what you are going to do. But, as far as I understood, you are planning to add more than 2 NICs on each VM (depending on preconfigured network information) and then assign these NICs to a special VLAN group.
I was thinking of using the same method, but there are some problems with using just VLANs:
1. You can't make a communication between two VMs which are located over the router by using VLAN.
2. You can't control traffic and make special rules for the traffic of each VM.
3. This solution isn't extendable if you want to extend VCL in the near future.
So I came up with the following solution:
http://users.cis.fiu.edu/~mshaf012/pdf/OpenVswitch.pdf

BTW, I can't see your attachment; it would be better to upload it somewhere.

Best Regards
Mani

On Thu, Aug 2, 2012 at 10:29 AM, Dmitri Chebotarov <dchebota@gmu.edu> wrote:
> Hi
>
> I would like to share a method of adding custom networks per VCL image.
> This solution is based on the code already present in VCL.
>
> This solution is not end-user/student oriented. There is no option to
> specify networks during reservation.
> Network(s) and VM hosts need to be preconfigured before custom networks
> can be used.
> Switch Local VLAN IDs can be used to create isolated networks for VCL.
> Global VLAN IDs can be used to give VCL reservations access to different
> networks.
>
> An isolated network use example would be a security class where malicious
> traffic needs to be generated and analyzed. Running such a class on the
> public/private VCL network is not desirable, so an isolated VCL network can
> be used in this case. In the case of isolated networks a DHCP server needs to
> be present to provide IP addresses on the isolated networks. The DHCP server
> can be part of the VCL infrastructure or be a very-long-term server reservation
> (the new feature in VCL 2.3).
>
> A global use example would be a VCL reservation which needs access to a
> department network or lab environment. It allows connecting VCL
> reservations to existing infrastructure.
>
> It's different from the CS/OS implementation as it doesn't give any control
> over networking to the end user, hence no security concerns about VCL end users
> getting unwanted access to custom network(s).
> Since custom network(s) are part of the image properties, only groups/users
> who are allowed to make a reservation based on the image will have access to the
> specified networks.
>
> Below is a PDF file with code changes. I've tested it in a sandbox env and it
> seems to be working well.
>
> Thanks.
>
> On Jul 31, 2012, at 13:16 , Mani Shafa'atDoost <mani.doost@gmail.com> wrote:
>
> > Hi Dmitri,
> >
> > This seems interesting to me. I am planning to do a contribution to the VCL
> > project which allows you to make a network topology of VMs and load this
> > topology instead of one VM. For this reason I need to add more NICs on some
> > images and also I need to make a mechanism for this communication.
> > I have read a lot about this and I think the best option is using Open
> > vSwitch on VCL, which has strong support on the networking part and allows you
> > to do many things on the network side. Currently I am making some documents and
> > I will post them here. I would be happy to see some other people from this
> > group work on the networking part.
> >
> > On Tue, Jul 31, 2012 at 12:55 PM, Dmitri Chebotarov <dchebota@gmu.edu> wrote:
> >
> >> Hi
> >>
> >> Looks like VMware.pm already has code to add custom networking based on
> >> project name:
> >>
> >>     # Add additional Ethernet interfaces if the image project name is not vcl
> >>     if ($image_project !~ /^vcl$/i && $self->api->can('get_network_names')) {
> >>         notify($ERRORS{'DEBUG'}, 0, "image project is: $image_project, checking if additional network adapters should be configured");
> >>
> >>         # Get a list of all the network names configured on the VMware host
> >>         my @network_names = $self->api->get_network_names();
> >>         notify($ERRORS{'DEBUG'}, 0, "retrieved network names configured on the VM host: " . join(", ", @network_names));
> >>
> >>         # Check each network name
> >>         # Begin the index at 2 for additional interfaces added because ethernet0 and ethernet1 have already been added
> >>         for my $network_name (@network_names) {
> >>             if ($network_name =~ /$image_project/i || $image_project =~ /$network_name/i) {
> >>                 notify($ERRORS{'DEBUG'}, 0, "network name ($network_name) and image project name ($image_project) intersect, adding network interface to VM for network $network_name");
> >>                 %vmx_parameters = (%vmx_parameters, %{$self->get_generated_ethernet_vmx_definition($interface_index, $network_name)});
> >>                 $interface_index++;
> >>             }
> >>             else {
> >>                 notify($ERRORS{'DEBUG'}, 0, "network name ($network_name) and image project name ($image_project) do not intersect, network interface will not be added to VM for network $network_name");
> >>             }
> >>         }
> >>     }
> >>     else {
> >>         notify($ERRORS{'DEBUG'}, 0, "image project is: $image_project, additional network adapters will not be configured");
> >>     }
> >>
> >> By default all images have the project 'vcl'.
> >> Currently the project name can only be one of ('vcl','hpc','vclhpc').
> >> Will it be OK to remove the ENUM on the project column, create corresponding
> >> additional networks on ESXi servers and use this option to add custom
> >> networks?
> >>
> >> I've also tested how additional VM networks in the Virtual Host profile work.
> >> Once I configured the profile with additional networks, these networks are
> >> added to each reservation which starts on the corresponding VM host.
> >> This may not be what I'm looking for, as I don't need all these networks
> >> on each image.
> >>
> >> Thank you.
> >>
> >> On Jul 31, 2012, at 11:39 , Dmitri Chebotarov <dchebota@gmu.edu> wrote:
> >>
> >>> Hi
> >>>
> >>> VCL 2.3 has added two more VM Networks in the Virtual Host profile.
> >>> Can I use these networks (all at once or selectively) in images?
> >>>
> >>> I'm looking to add a custom network interface to a Linux image (in
> >>> addition to the default Private/Public).
> >>>
> >>> --
> >>> Thank you,
> >>>
> >>> Dmitri Chebotarov
> >>> Virtual Computing Lab Systems Engineer, TSD - Ent Servers & Messaging
> >>> 223 Aquia Building, Ffx, MSN: 1B5
> >>> Phone: (703) 993-6175
> >>> Fax: (703) 993-3404
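The following is an added example written for this page; it is not code from the thread, from the PDF Dmitri attached, or from VCL itself. It sits beside the VMware.pm snippet quoted above and the question of using the image project name to pick custom networks. The quoted check is a bidirectional, case-insensitive substring match (the network name contains the project name, or the project name contains the network name), so which host networks a given project selects depends on every other network name present on the host. The example reproduces that rule (with the pattern quoted as a literal, where the snippet interpolates the raw string), puts a stricter exact-name-or-"project-suffix" rule next to it for comparison, and builds the extra ethernetN .vmx entries starting at index 2, as the snippet's comment describes. The host network names are constructed, the strict rule is an assumption rather than anything VCL does, and the vmxnet3/generated-address settings are illustrative; get_network_names and get_generated_ethernet_vmx_definition from VMware.pm are not called.

```perl
#!/usr/bin/perl
# Added example, not VCL code: compare two ways of selecting which VM-host
# networks an image with a given project name should receive extra NICs for,
# then generate the matching .vmx adapter entries.
use strict;
use warnings;

# Policy 1: the rule from the quoted VMware.pm snippet. A network matches when
# either string contains the other, case-insensitively. \Q...\E makes the
# comparison a literal substring test; the original interpolates the raw
# project name into the regex.
sub select_networks_substring {
    my ($image_project, @network_names) = @_;
    return () if $image_project =~ /^vcl$/i;    # default project gets no extras
    return grep { /\Q$image_project\E/i || $image_project =~ /\Q$_\E/i } @network_names;
}

# Policy 2 (assumption, for comparison only): a network matches only when its
# name equals the project name or is "<project>-<suffix>". A short project
# name such as "sec" then cannot pick up an unrelated name like "insecure-lab".
sub select_networks_strict {
    my ($image_project, @network_names) = @_;
    return () if $image_project =~ /^vcl$/i;
    return grep { /^\Q$image_project\E(?:-[\w.]+)?$/i } @network_names;
}

# .vmx keys for one additional adapter. Indices start at 2 because ethernet0
# and ethernet1 are VCL's private and public NICs. The virtualDev and
# addressType values are illustrative choices.
sub ethernet_vmx_definition {
    my ($index, $network_name) = @_;
    return (
        "ethernet$index.present"     => 'TRUE',
        "ethernet$index.networkName" => $network_name,
        "ethernet$index.virtualDev"  => 'vmxnet3',
        "ethernet$index.addressType" => 'generated',
    );
}

# Apply a selection policy and assemble the .vmx entries for every selected
# network, incrementing the adapter index as the quoted snippet does.
sub build_extra_nics {
    my ($selector, $image_project, @network_names) = @_;
    my %vmx;
    my $index = 2;
    for my $network_name ($selector->($image_project, @network_names)) {
        %vmx = (%vmx, ethernet_vmx_definition($index++, $network_name));
    }
    return %vmx;
}

# Constructed sample of port group names as they might exist on an ESXi host.
my @host_networks = qw(VM-Network vcl-private vcl-public sec-isolated insecure-lab hpc);

my @policies = (
    [ 'substring', \&select_networks_substring ],
    [ 'strict',    \&select_networks_strict    ],
);

# Show what each policy selects for the three project names the thread
# mentions plus one short custom name.
for my $project (qw(vcl hpc vclhpc sec)) {
    for my $policy (@policies) {
        my ($label, $select) = @$policy;
        my @picked = $select->($project, @host_networks);
        printf "%-7s %-9s -> %s\n", $project, $label,
            @picked ? join(', ', @picked) : '(none)';
    }
}

# Emit the adapter definitions for one image under the strict policy.
my %vmx = build_extra_nics(\&select_networks_strict, 'sec', @host_networks);
print "\n.vmx entries for project 'sec' under the strict policy:\n";
print "$_ = \"$vmx{$_}\"\n" for sort keys %vmx;
```

Run it with `perl` on a management node or any machine with a stock Perl; it needs no VCL modules. The interesting rows are "vclhpc", which the substring rule pairs with the "hpc" network because the project name contains the network name, and "sec", which under the substring rule also picks up "insecure-lab". Whether that is acceptable is a naming-policy decision for the site; the point of the comparison is that with the substring rule the set of networks an image gets is determined by the whole inventory of port group names on the host, not by the project name alone.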
