| field | value | date |
|---|---|---|
| author | Vishvananda Ishaya <vishvananda@gmail.com> | 2012-11-20 12:05:04 -0800 |
| committer | Vishvananda Ishaya <vishvananda@gmail.com> | 2012-11-26 15:17:16 -0800 |
| commit | 5b21ba723a4fe8076022dcafef0a55de3a99b35e (patch) | |
| tree | 9d7dfb7649987e0543220d821cc7d812a1a97224 /etc/nova/rootwrap.d | |
| parent | 1bd7b4248dd54c6486e8747074211566ba9c35c8 (diff) | |
Allow multi_host compute nodes to share dhcp ip
This adds a new flag: share_dhcp_address which, if enabled in
multihost mode, will allow all compute nodes to share an ip on the
guest network. The code will isolate the address using iptables
and ebtables so it is only visible to the vms.
This patch has two benefits:
a) we don't have to use an ip address from every network for each
compute node. This is especially valuable in vlan mode where the
networks are generally small.
b) we can improve security by blocking all access to the ip on the
guest network from outside the compute node. While we could do similar
blocking using a different ip for each node, it makes dhcp setup
much more complicated if a vm is migrated to another node.
Implements blueprint shared-dhcp-ip
Change-Id: Iaf84c0ad2848921122866956105eb44c074450dc
Diffstat (limited to 'etc/nova/rootwrap.d')
-rw-r--r-- | etc/nova/rootwrap.d/network.filters | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/etc/nova/rootwrap.d/network.filters b/etc/nova/rootwrap.d/network.filters index c635f12e4..3a46080fa 100644 --- a/etc/nova/rootwrap.d/network.filters +++ b/etc/nova/rootwrap.d/network.filters @@ -34,6 +34,11 @@ ovs-vsctl: CommandFilter, /usr/bin/ovs-vsctl, root # nova/network/linux_net.py: 'ovs-ofctl', .... ovs-ofctl: CommandFilter, /usr/bin/ovs-ofctl, root +# nova/network/linux_net.py: 'ebtables', '-D' ... +# nova/network/linux_net.py: 'ebtables', '-I' ... +ebtables: CommandFilter, /sbin/ebtables, root +ebtables_usr: CommandFilter, /usr/sbin/ebtables, root + # nova/network/linux_net.py: 'ip[6]tables-save' % (cmd, '-t', ... iptables-save: CommandFilter, /sbin/iptables-save, root iptables-save_usr: CommandFilter, /usr/sbin/iptables-save, root |
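Review bot: the two new `ebtables` entries are plain `CommandFilter`s, which admit any argument list, while the comments above them document only the `'-D'` and `'-I'` call sites in `nova/network/linux_net.py`; since rootwrap runs the matched binary as root, it is worth saying in the comment that the filter is intentionally broader than those two invocations (matching the neighbouring `iptables-save` entries' style), or narrowing it if only those forms are needed. The `/sbin` plus `/usr/sbin` duplication (`ebtables` and `ebtables_usr`) follows the existing `iptables-save` / `iptables-save_usr` convention in this file, so that part looks consistent.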