Re: [one-users] greetings

2014-07-04 Thread Galimba
Hello!
I'm sorry for the delay in my response. Thanks Valentin and Stefan for your
responses! You were really REALLY helpful. At the time, I didn't know hooks
existed!
Even though it sounds like the more elegant solution, my boss decided we should
just route a block of 200 public addresses. Fastest and easiest solution to
configure. As we say in Argentina, lo atamo con alambre (meaning, we
stitched it with wire cables... there, I fixed it)

He also decided I should have no life at all, and assigned me yet more work
than I can handle :-D LoL
I've got a new 20TB Debian storage. Researchers here use the PostgreSQL
database, and they have asked me to merge the database service with the
cloud. Meaning... they want me to provide the database service from within
the cloud. Is that even possible with OpenNebula?
One solution I came up with is to install PostgreSQL on the Debian storage,
then DNAT the storage:PostgreSQLport so it can be accessible through the
firewall... the problem is: I'm limited in the accounting I can do on this
service.
Is there some sort of OpenNebula plug-in that allows ONE to provide
infrastructure services other than VMs? For instance: a PostgreSQL engine
or DB?
Once again, Thank you guys!
best regards
galimba


--
___
Users mailing list
Users@lists.opennebula.org
http://lists.opennebula.org/listinfo.cgi/users-opennebula.org


Re: [one-users] greetings

2014-06-20 Thread Valentin Bud
Hello Galimba,

I would like to kindly welcome you to the magic world of Cloud Computing :).
I think your decision to use OpenNebula for your needs was a wise one. A road
filled with fun, amusement and sometimes frustrations lies ahead. Enjoy.

When I first read your E-Mail I thought of exactly the same solution as the
one pointed out by you, connect to the firewall and modify the iptables rules.
I would choose to modify them via a hook [1] because I don't like to mangle
with deploy.

You might ask why that is? In case of an update in the future you don't have
to worry that your deploy script gets overwritten. Another safe option would
be to copy the whole virtualization manager and name it kvm-local and modify
the deploy script there and update the hosts to use that driver.

Another solution that came to mind is to define a pseudo public network in ONE
using a desired private range. Then map the last octet from your public range
with the one in this private range. Easier to remember, though your users
might not agree. I think it's easier if I write an example.

Public: X.Y.Z.*100*  Private: 172.16.0.*100*

On the firewall you would have to DNAT each of those 100 IP addresses to each
of those private ones. You would have to do this once. For speed you can
generate the rules with a basic for loop.

Next step would be to hold [2] all the IPs from the private network (pseudo
public) that you don't have available in the Public range.

Not elegant, not user friendly but a (working) solution nonetheless.

The most elegant solution I am aware of would be to create a VLAN subinterface
for that /25 range on the firewall and configure a true public network inside
ONE. It could even be done with bridging only without the hassle of setting up
VLANs. But you need to be able to partition your network in this manner. It
might not work for you.

Your challenge is a really interesting one and I would like to hear other
people's opinions and possible solutions. It gave me food for thought and I am
grateful for that.

[1]: http://docs.opennebula.org/4.4/integration/infrastructure_integration/hooks.html
[2]: http://docs.opennebula.org/4.4/user/virtual_resource_management/vgg.html

Best,
Valentin



-- 
Valentin Bud
http://databus.pro | valen...@databus.pro
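
Added example, not part of Valentin's message: the one-time rule generation he describes (each public last octet mapped to the same octet in 172.16.0.x) together with the list of private addresses to hold. `203.0.113` stands in for the X.Y.Z prefix the thread leaves unspecified; `WAN_IF`, the function names and the SNAT rule for VM-initiated traffic are assumptions.

```sh
#!/bin/sh
# Added example: print (not apply) iptables rules for a 1:1 last-octet mapping.
PUB_PREFIX="203.0.113"  # constructed placeholder for the thread's X.Y.Z
PRIV_PREFIX="172.16.0"  # "pseudo public" private network from the thread
WAN_IF="eth0"           # assumed name of the firewall's outside interface

# valid_octet N: true only for a host octet 1..254 without leading zeros
valid_octet() {
    case "$1" in
        ''|0*|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -le 254 ]
}

# gen_nat_rules FIRST LAST: one DNAT rule (inbound) and one SNAT rule
# (connections the VM opens itself; an assumption beyond the thread) per IP.
gen_nat_rules() {
    first=$1; last=$2
    if ! valid_octet "$first" || ! valid_octet "$last" || [ "$first" -gt "$last" ]; then
        echo "invalid range: $first-$last" >&2
        return 1
    fi
    i=$first
    while [ "$i" -le "$last" ]; do
        echo "iptables -t nat -A PREROUTING -d $PUB_PREFIX.$i -j DNAT --to-destination $PRIV_PREFIX.$i"
        echo "iptables -t nat -A POSTROUTING -o $WAN_IF -s $PRIV_PREFIX.$i -j SNAT --to-source $PUB_PREFIX.$i"
        i=$((i + 1))
    done
}

# gen_hold_list FIRST LAST: private addresses with no public counterpart,
# i.e. the leases to put on hold in the ONE virtual network.
gen_hold_list() {
    valid_octet "$1" && valid_octet "$2" || return 1
    i=1
    while [ "$i" -le 254 ]; do
        if [ "$i" -lt "$1" ] || [ "$i" -gt "$2" ]; then
            echo "$PRIV_PREFIX.$i"
        fi
        i=$((i + 1))
    done
}

# Usage: sh gen-nat.sh 100 199   (review the output before loading it)
if [ "$#" -eq 2 ]; then
    gen_nat_rules "$1" "$2"
fi
```

A plain DNAT rule forwards every port of the public address to the VM, so whatever filtering is wanted still has to be expressed in the firewall's FORWARD chain.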


Re: [one-users] greetings

2014-06-20 Thread Stefan Kooman
Quoting Galimba (gali...@gmail.com):
 Hello everyone.
 My name is Sebastian. I'm new to this list and though I've been a sysadmin for
 several years now, I've only recently dived into Cloud Computing.
 I have successfully installed OpenNebula 4.4 on a local computer behind a
 firewall at my university. I set up two nodes and another dedicated
 computer as an NFS datastore.
 The plan is to provide my research group with the IaaS that OpenNebula
 brings to the table.
 At the moment, I'm dealing with an issue I haven't been able to solve, and
 perhaps some of you could throw me a hint.
 My university assigned me over 100 public IP addresses to provide each VM.
 If I were to plug the cable directly to the OpenNebula box, then I know I
 could create my templates with public IP addresses and then everything
 should be fine. The problem is that I have a firewall in the middle,
 managing all the public IPs, and my OpenNebula box is on a LAN behind that
 firewall.

Question: Do you want to filter the traffic for your VMs on the
firewall in the middle?

If the answer is yes then you might want to use the vm-hook like
Valentin suggested.

If not then a VLAN with public IPs is probably the easiest way to go.

Another possibility is to use the Public Cloud interface from ONE,
specifically: EC2 [1]. It makes use of Elastic IPs. It uses scripting to
handle the mapping of public to private IPs. Especially the scripts that
interact with the OpenFlow seem promising [2].

Yet another way of doing this is to route the block of 100 IPs to a
router/firewall (possibly running on ONE) (through a little IP
interconnection block).  In that case you don't have to filter on the
firewall in the middle and/or do NAT (which I think is very ugly). So
like this: public ip - interconnect-ip - router/firewall -
router-ip-routed-ips - VMs with public IP. This will also work for
IPv6. Natting IPv6 is possible, but even more ugly ;). You still have
the possibility to do some filtering on the firewall while leaving the
rest of the ports open. If you like GUIs, pfSense is a very nice and
capable firewall (based on OpenBSD's pf) [3]. If you would like to use
pfSense on KVM - don't use virtio network drivers, broken on KVM (at
least that is our experience, intel e1000 works fine).

Good luck, and have a fun and bright cloudy day ;),

Gr. Stefan

[1]: http://docs.opennebula.org/4.6/advanced_administration/public_cloud/ec2qug.html
[2]: http://community.opennebula.org/ecosystem:onenox
[3]: https://www.pfsense.org/

-- 
| BIT BV  http://www.bit.nl/  Kamer van Koophandel 09090351
| GPG: 0xD14839C6   +31 318 648 688 / i...@bit.nl




[one-users] greetings

2014-06-19 Thread Galimba
Hello everyone.
My name is Sebastian. I'm new to this list and though I've been a sysadmin for
several years now, I've only recently dived into Cloud Computing.
I have successfully installed OpenNebula 4.4 on a local computer behind a
firewall at my university. I set up two nodes and another dedicated
computer as an NFS datastore.
The plan is to provide my research group with the IaaS that OpenNebula
brings to the table.
At the moment, I'm dealing with an issue I haven't been able to solve, and
perhaps some of you could throw me a hint.
My university assigned me over 100 public IP addresses to provide each VM.
If I were to plug the cable directly to the OpenNebula box, then I know I
could create my templates with public IP addresses and then everything
should be fine. The problem is that I have a firewall in the middle,
managing all the public IPs, and my OpenNebula box is on a LAN behind that
firewall.
Is there an easy (and safe) way to assign public IPs and pass through the
iptables on the firewall? I mean... the only solution I came up with was to
modify the deploy script on the OpenNebula box to connect to the firewall
and modify the iptables rules regarding the particular VM I'm trying to
deploy. That's not a very happy solution.
Thanks in advance.
galimba
