Hi,
I don't know if this is much help but here is our setup which
works in a way that users cannot spoof public IP from inside VM.
We've set up a MAC pool range on engine and a DHCP server on one
VM, this server assigns IPs according to VMs MACs.
We
Hi Jure,
It's ok, but what if the user spoofs the IP on eth0:0? Then
the MAC address will be the same as eth0. How can we control this?
Thanks,
Punit D
On Wed, Jul 9, 2014 at 3:38 PM, Jure Kranjc jure.kra...@arnes.si wrote:
Hi,
I don't know if this is much help but here is
Hi Dan,
If I use OpenStack Neutron and integrate it with oVirt, can it help to
prevent the IP spoofing?
If yes...is there any good howto for installing Neutron and integrating
Neutron with oVirt?
Thanks,
Punit
On Wed, Jul 2, 2014 at 4:55 PM, Punit Dambiwal hypu...@gmail.com wrote:
Hi Dan,
On Wed, Jul 02, 2014 at 09:55:19AM +0800, Punit Dambiwal wrote:
Hi Dan,
I didn't understand this, would you mind elaborating on it:
-
Remind me, does
PYTHONPATH=/usr/share/vdsm /usr/libexec/vdsm/hooks/before_device_create/50_noipspoof.py --test
Hi Dan,
Even now I installed the noipspoof on all the hosts...but still the same
result...user can spoof
On Wed, Jul 2, 2014 at 4:44 PM, Dan Kenigsberg dan...@redhat.com wrote:
On Wed, Jul 02, 2014 at 09:55:19AM +0800, Punit Dambiwal wrote:
Hi Dan,
I didn't understand this, would
Hi Dan,
I didn't understand this, would you mind elaborating on it:
-
Remind me, does
PYTHONPATH=/usr/share/vdsm /usr/libexec/vdsm/hooks/before_device_create/50_noipspoof.py --test
work for you?
-
I have this file in
On Mon, Jun 30, 2014 at 10:11:21AM +0800, Punit Dambiwal wrote:
Hi Dan,
I did the same as you suggested...please find the attached logs and
domainxml
And now, the log does not mention any hook at all. Have you removed the
macspoof hook which you had there before? How many hosts do you
Hi Dan,
Yes...I already removed the macspoof. I have 3 hosts in the cluster...but
I have applied this hook on one server only, not all, but at the time of VM
deployment I assign the specific host for the VM, so that the VM should
deploy on the same host that has the hook.
Do I need to install
On Mon, Jun 30, 2014 at 06:17:25PM +0800, Punit Dambiwal wrote:
Hi Dan,
Yes...I already removed the macspoof. I have 3 hosts in the cluster...but
I have applied this hook on one server only, not all, but at the time of VM
deployment I assign the specific host for the VM, so that the VM
Subject: Re: [ovirt-users] Ip spoofing
Well this is strange, and this should not be the reason
but can you attach a .py ending to the file names (maybe vdsm performs
some strange checks)?
We do not ;-)
your permissions look good.
the only other thing I can think of are selinux
- Original Message -
From: Punit Dambiwal hypu...@gmail.com
To: Antoni Segura Puimedon asegu...@redhat.com, Dan Kenigsberg
dan...@redhat.com
Cc: Sven Kieske s.kie...@mittwald.de, users@ovirt.org
Sent: Friday, June 27, 2014 11:07:56 AM
Subject: Re: [ovirt-users] Ip spoofing
Hi
On Fri, Jun 27, 2014 at 05:07:56PM +0800, Punit Dambiwal wrote:
Hi Dan,
Still the same...VM can spoof the IP address...attached is the VM domain
xml file
snip
yep, the hook script did not come into action.
<interface type='bridge'>
<mac address='00:1a:4a:81:80:01'/>
Hi Dan,
Please find the below :-
[root@gfs1 ~]# su - vdsm -s /bin/bash
-bash-4.1$ cd /usr/share/vdsm; python -c 'import hooks;print hooks._scriptsPerDir("before_device_create")'
['/usr/libexec/vdsm/hooks/before_device_create/50_noipspoof']
-bash-4.1$
Antoni @ selinux already in the permissive
Well I doubt this is a solution to this,
anyway, if you want to check if it's a permission error
due to not correctly configured selinux you
could do:
grep avc /var/log/auditd/auditd.log
and configure your selinux correctly, no need to disable it.
But I doubt that the VM can spoof the ip
Hi,
I found below messages in the audit log :-
[root@gfs1 ~]# grep avc /var/log/audit/audit.log
type=AVC msg=audit(1403834461.442:266685): avc: denied { read } for pid=27958 comm=logrotate name=core dev=dm-0 ino=789758 scontext=system_u:system_r:log
Well selinux is not your problem as you run
it in permissive mode, this means
selinux violations will get logged but
not be forbidden.
--
Mit freundlichen Grüßen / Regards
Sven Kieske
Systemadministrator
Mittwald CM Service GmbH & Co. KG
Königsberger Straße 6
32339 Espelkamp
T: +49-5772-293-100
On Fri, Jun 27, 2014 at 05:36:49PM +0800, Punit Dambiwal wrote:
Hi Dan,
Please find the below :-
[root@gfs1 ~]# su - vdsm -s /bin/bash
-bash-4.1$ cd /usr/share/vdsm; python -c 'import hooks;print hooks._scriptsPerDir("before_device_create")'
On Thu, Jun 26, 2014 at 12:22:23PM +0800, Punit Dambiwal wrote:
Hi Dan,
The permission looks ok...
[root@gfs1 ~]# su - vdsm -s /bin/bash
-bash-4.1$ ls -l /usr/libexec/vdsm/hooks/before_device_create
total 8
-rwxr-xr-x. 1 root root 1702 Jun 10 05:25 50_macspoof
-rwxr-xr-x. 1 root root
Well this is strange, and this should not be the reason
but can you attach a .py ending to the file names (maybe vdsm performs
some strange checks)?
your permissions look good.
the only other thing I can think of are selinux
restrictions, can you check them with:
#this gives you the actual used
- Original Message -
From: Sven Kieske s.kie...@mittwald.de
To: users@ovirt.org
Sent: Thursday, June 26, 2014 9:12:31 AM
Subject: Re: [ovirt-users] Ip spoofing
Well this is strange, and this should not be the reason
but can you attach a .py ending to the file names (maybe vdsm
Message -
From: Sven Kieske s.kie...@mittwald.de
To: users@ovirt.org
Sent: Thursday, June 26, 2014 9:12:31 AM
Subject: Re: [ovirt-users] Ip spoofing
Well this is strange, and this should not be the reason
but can you attach a .py ending to the file names (maybe vdsm performs
some
Here's a workaround:
define one logical network per vm
assign IPs to these networks from a central instance
assign one broadcast domain per logical network.
so in other words: do correct subnetting.
if you got a router who can't get spoofed you should be fine.
HTH
Am 25.06.2014 04:16, schrieb
On Wed, Jun 25, 2014 at 10:16:12AM +0800, Punit Dambiwal wrote:
Hi Dan,
I try the following way :-
1. I placed your script in the following location
:- /usr/libexec/vdsm/hooks/before_device_create/50_noipspoof
/usr/libexec/vdsm/hooks/before_nic_hotplug/50_noipspoof
2. Then run this
On Wed, Jun 25, 2014 at 06:03:50PM +0800, Punit Dambiwal wrote:
Hi Dan,
Please find the attached logs.
1. vdsm.log (VM Creation)
2. vdsm1.log (when add custom property)
3. vdsm2.log (Start the VM)
I see no reference there to /usr/libexec/vdsm/hooks/before_device_create
(but other hook
Hi Den,
Thanks for the updates...but still the user can spoof another IP
address by manually editing the ifcfg-eth0:0 file
Like if I assign the 10.0.0.5 IP address to one VM through cloud-init...once
the VM boots up, the user can log in to the VM and create another virtual ethernet
device and add
Am 24.06.2014 11:52, schrieb Punit Dambiwal:
Hi Den,
Thanks for the updates...but still the user can spoof another IP
address by manually editing the ifcfg-eth0:0 file
Like if I assign the 10.0.0.5 IP address to one VM through cloud-init...once
the VM boots up, the user can log in to the VM and
On Tue, Jun 24, 2014 at 05:52:51PM +0800, Punit Dambiwal wrote:
Hi Den,
Thanks for the updates...but still the user can spoof another IP
address by manually editing the ifcfg-eth0:0 file
Like if I assign the 10.0.0.5 IP address to one VM through cloud-init...once
the VM boots up, the user
Hi,
I have setup Ovirt with glusterfs...I have some concern about the network
part
1. Is there any way to restrict the guest VM...so that it can be assigned
a single IP address...and the user cannot in any way manipulate the IP
address from inside the VM (that means the user cannot change the
On Thu, Jun 19, 2014 at 04:23:18PM +0800, Punit Dambiwal wrote:
Hi,
I have setup Ovirt with glusterfs...I have some concern about the network
part
1. Is there any way to restrict the guest VM...so that it can be assigned
a single IP address...and the user cannot in any way manipulate