nova team mailing list archive
Network filtering for libvirt and for non-libvirt hypervisors
Soren Hansen <soren@xxxxxxxxxx>
Wed, 15 Sep 2010 13:33:37 +0200
I have a spec and a corresponding branch about making basic use of
libvirt's nwfilter support. It basically just adds a snippet to the
libvirt templates that enables a number of network filtering techniques.
Specifically, it prevents MAC spoofing, ARP spoofing, and IP spoofing. I
didn't bother making this configurable, since it seems like the sort of
thing everyone will always want. As such, there's no API call to enable
it, nor is there a setting in the datamodel that enables/disables it.

While this is a great feature to have, it raises a few questions about
the non-libvirt hypervisors.

Ideally, of course, we don't want the choice of hypervisors to affect
the utility of Nova. Lacking decent network filtering IMO limits a cloud
computing platform's utility significantly.

So, what to do? Should we more clearly define the contract to which a
hypervisor driver is meant to adhere and list the above-mentioned
spoofing protections as requirements? We could assign specific people as
designated maintainers of the different hypervisor drivers, and make it
their responsibility to make their driver conformant to the contract.

I also have another spec and a corresponding branch that
implements EC2 style security groups using libvirt's nwfilter. This is a
bigger chunk of work, but it seems like it should follow the same pattern.
Ubuntu Developer http://www.ubuntu.com/
OpenStack Developer http://www.openstack.org/
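As an added illustration of the three protections the post describes (this is not the code from the spec or branch Soren mentions), here is a hand-written libvirt nwfilter that drops MAC-, ARP- and IP-spoofed frames leaving an instance; the filter name, the DHCP allowance and the sample address are assumptions made for the example.

```xml
<!-- Constructed example: a custom nwfilter with the same intent as libvirt's
     built-in no-mac-spoofing, no-arp-spoofing and no-ip-spoofing filters.
     Load it with:  virsh nwfilter-define nova-antispoof.xml
     Attach it in the domain XML's <interface> element (IP value assumed):
       <filterref filter='nova-antispoof'>
         <parameter name='IP' value='10.0.0.5'/>
       </filterref>
     $MAC is filled in by libvirt from the interface's <mac address=.../>;
     $IP comes from the <parameter> above. Lower priority = evaluated first. -->
<filter name='nova-antispoof' chain='root'>

  <!-- DHCP edge case: a booting instance sends DISCOVER/REQUEST from 0.0.0.0,
       which the IP rule below would otherwise drop. Accept that one flow
       explicitly (mirrors what libvirt's built-in allow-dhcp filter does). -->
  <rule action='accept' direction='out' priority='100'>
    <ip srcipaddr='0.0.0.0' dstipaddr='255.255.255.255'
        protocol='udp' srcportstart='68' dstportstart='67'/>
  </rule>

  <!-- ARP spoofing: drop ARP traffic that claims a MAC or IP other than the
       instance's own (poisoning neighbours' caches) -->
  <rule action='drop' direction='out' priority='350'>
    <arp match='no' arpsrcmacaddr='$MAC'/>
  </rule>
  <rule action='drop' direction='out' priority='350'>
    <arp match='no' arpsrcipaddr='$IP'/>
  </rule>

  <!-- MAC spoofing: drop any outbound frame whose source MAC is not the one
       libvirt assigned to this interface -->
  <rule action='drop' direction='out' priority='500'>
    <mac match='no' srcmacaddr='$MAC'/>
  </rule>

  <!-- IP spoofing: drop outbound IPv4 packets not sourced from the
       instance's assigned address -->
  <rule action='drop' direction='out' priority='500'>
    <ip match='no' srcipaddr='$IP'/>
  </rule>

</filter>
```

After defining it, `virsh nwfilter-list` shows the filter and `virsh nwfilter-dumpxml nova-antispoof` echoes the rules back, which is a quick way to confirm the host is actually enforcing them before relying on the protection.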