OpenNebula / one

The open source Cloud & Edge Computing Platform bringing real freedom to your Enterprise Cloud 🚀
http://opennebula.io
Apache License 2.0

Implement Security Groups for Open vSwitch #830

Open OpenNebulaProject opened 6 years ago

OpenNebulaProject commented 6 years ago

Author Name: Stefan Kooman (Stefan Kooman)
Original Redmine Issue: 3250, https://dev.opennebula.org/issues/3250
Original Date: 2014-10-20


This will probably connect open vSwitch with a central controller.

The original description of this issue:

The WHITE_PORTS_TCP (and probably _UDP too) rules do not get applied when a VM template with _only_ white ports gets instantiated:

VM in running state, dump of openflow rules on hypervisor:

ovs-ofctl dump-flows uplink

NXST_FLOW reply (xid=0x4):
 cookie=0x0, duration=317492.877s, table=0, n_packets=969597, n_bytes=95755656, idle_age=0, hard_age=65534, priority=0 actions=NORMAL
 cookie=0x0, duration=282728.832s, table=0, n_packets=5941, n_bytes=501927, idle_age=32, hard_age=65534, priority=40000,in_port=3,dl_src=02:02:b9:3e:10:8d actions=NORMAL
 cookie=0x0, duration=282728.820s, table=0, n_packets=0, n_bytes=0, idle_age=65534, hard_age=65534, priority=39000,in_port=3 actions=drop

There is no rule blocking all traffic _except_ the white port; all traffic is allowed.

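
Added example, not part of the original issue and not OpenNebula driver code: a Python check that parses `ovs-ofctl dump-flows` output and reports whether a TCP port whitelist is enforced for a VM's MAC, run against the dump quoted above. The `dl_dst`/`tp_dst` rule shape in the second sample, port 22, and the function names are assumptions made for illustration.

```python
import re

# The three flows quoted in the issue (output of `ovs-ofctl dump-flows uplink`).
ISSUE_DUMP = """NXST_FLOW reply (xid=0x4):
 cookie=0x0, duration=317492.877s, table=0, n_packets=969597, n_bytes=95755656, idle_age=0, hard_age=65534, priority=0 actions=NORMAL
 cookie=0x0, duration=282728.832s, table=0, n_packets=5941, n_bytes=501927, idle_age=32, hard_age=65534, priority=40000,in_port=3,dl_src=02:02:b9:3e:10:8d actions=NORMAL
 cookie=0x0, duration=282728.820s, table=0, n_packets=0, n_bytes=0, idle_age=65534, hard_age=65534, priority=39000,in_port=3 actions=drop
"""
# Constructed sample (assumed rule shape, not from the issue): allow tcp/22, drop other TCP.
ENFORCED_DUMP = ISSUE_DUMP + """ priority=40000,tcp,dl_dst=02:02:b9:3e:10:8d,tp_dst=22 actions=NORMAL
 priority=39000,tcp,dl_dst=02:02:b9:3e:10:8d actions=drop
"""
COUNTERS = {"cookie", "duration", "table", "n_packets", "n_bytes", "idle_age", "hard_age"}

def parse_flows(dump):
    """Parse dump-flows text into dicts with priority, match fields and actions."""
    flows = []
    for line in dump.splitlines():
        if " actions=" not in line:
            continue  # reply header or blank line
        left, actions = line.split(" actions=", 1)
        fields = {}
        for tok in filter(None, re.split(r"[,\s]+", left)):
            key, _, val = tok.partition("=")
            fields[key] = val or True  # bare tokens such as "tcp" are protocol flags
        prio = int(fields.pop("priority", 32768))  # OpenFlow default when omitted
        match = {k: v for k, v in fields.items() if k not in COUNTERS}
        flows.append({"priority": prio, "match": match, "actions": actions.strip()})
    return flows

def whitelist_gaps(flows, mac, proto, ports):
    """List reasons the whitelist for traffic to `mac` is not enforced ([] = enforced)."""
    to_vm = [f for f in flows if f["match"].get("dl_dst") == mac and proto in f["match"]]
    drops = [f["priority"] for f in to_vm
             if f["actions"] == "drop" and "tp_dst" not in f["match"]]
    if not drops:
        return [f"no {proto} drop flow for dl_dst={mac}; traffic falls through to lower-priority flows"]
    gaps = []
    for port in ports:
        allow = [f["priority"] for f in to_vm
                 if f["match"].get("tp_dst") == str(port) and f["actions"] != "drop"]
        if not allow or max(allow) <= max(drops):
            gaps.append(f"{proto}/{port} is not allowed above the drop flow")
    return gaps

if __name__ == "__main__":
    mac = "02:02:b9:3e:10:8d"
    for name, dump in (("issue", ISSUE_DUMP), ("enforced", ENFORCED_DUMP)):
        print(name, whitelist_gaps(parse_flows(dump), mac, "tcp", [22]))
```
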
OpenNebulaProject commented 6 years ago

Original Redmine Comment
Author Name: Ruben S. Montero (@rsmontero)
Original Date: 2014-10-24T11:42:49Z


This will be considered together with the security groups feature.

OpenNebulaProject commented 6 years ago

Original Redmine Comment
Author Name: Ruben S. Montero (@rsmontero)
Original Date: 2014-12-09T16:53:02Z


Updating the issue considering the new security groups functionality

OpenNebulaProject commented 6 years ago

Original Redmine Comment
Author Name: Esteban Freire Garcia (Esteban Freire Garcia)
Original Date: 2015-10-27T14:00:27Z


Hello all,

I would like to add that we (SURFsara) are also interested in implementing Security Groups for Open vSwitch. Please let us know if you need any information about it or if you need us to test anything on our OpenNebula test environment.

hydro-b commented 1 month ago

As far as I'm concerned, this would still be a nice addition to the OpenvSwitch (OVS) driver. According to the OpenNebula architecture survey 2023 results, almost 1/3 of all deployments use OVS.