Difference between revisions of "XenServerNetworkingProtections"

Revision as of 23:02, 13 December 2010

XenServer Host Networking Protections

Background

In a multi-tenant cloud environment a host machine needs to be able to enforce network isolation amongst guest instances, at both layer two and layer three.

Assumptions

  • Citrix XenServer 5.6 fp1 (Cowley)
  • Linux bridge code (not Open vSwitch)

Dependency

Antony Messerli from Rackspace has working scripts for applying iptables, ebtables, and arptables rules on the host. This blueprint relies on those scripts.

Requirements

  • We need to ensure that we do not modify any pre-installed scripts that ship with XenServer.
  • We need a Python script that listens for xapi events and triggers adding/removing rules for guests upon start/stop. When a Nova instance reboots, its XenServer dom_id changes and the corresponding vif for the domain changes as well, so the networking protection rules must be re-applied.
  • These scripts will be stored in an extras/ directory within the Nova source.
  • The scripts need to be generic so that they work in environments that do not make the same assumptions that Rackspace does. For example, we cannot assume every host machine has eth0 and eth1 available. This could be provided either via a configuration flag or by dynamic detection.
  • Host machines need a script equivalent to the current Rackspace 'host-rules' script that starts on boot and sets up networking restrictions for existing guests.
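
The listener logic from the second requirement, as an added sketch that is not Nova code or the Rackspace scripts: it follows xapi VM events, derives the host-side vif names (vif<dom_id>.<device>, standard XenServer naming) from the VM record, and re-applies rules when a reboot hands the domain a new dom_id. The apply_rules/remove_rules callables standing in for the host's iptables/ebtables/arptables scripts, and the event sequence in simulate_reboot(), are constructed assumptions.

```python
# Added example (not Nova or Rackspace code). Assumed: apply_rules(vif, vm_record) and
# remove_rules(vif) wrap the host's iptables/ebtables/arptables scripts.
def vif_names(vm_record, vif_records):
    """Host-side interface names of a running domain: vif<domid>.<device>."""
    domid = int(vm_record["domid"])
    return [f"vif{domid}.{vif_records[ref]['device']}" for ref in vm_record["VIFs"]]

class RuleTracker:
    """Apply rules while a VM runs; drop them on stop/delete; re-apply on a dom_id change."""
    def __init__(self, apply_rules, remove_rules):
        self.apply_rules, self.remove_rules = apply_rules, remove_rules
        self.active = {}  # VM ref -> vif names currently carrying rules

    def handle(self, event, vif_records):
        """event: one record in the shape session.xenapi.event.next() returns."""
        if event["class"].lower() != "vm":
            return
        ref, rec = event["ref"], event.get("snapshot") or {}
        running = (event["operation"] != "del" and rec.get("power_state") == "Running"
                   and int(rec.get("domid", -1)) >= 0)
        wanted = vif_names(rec, vif_records) if running else []
        if wanted == self.active.get(ref, []):
            return  # unchanged, e.g. a metadata-only 'mod' event
        for vif in self.active.pop(ref, []):
            self.remove_rules(vif)  # stale: old dom_id, stopped, or deleted
        for vif in wanted:
            self.apply_rules(vif, rec)
        if wanted:
            self.active[ref] = wanted

def listen(session, tracker):
    """Blocking loop against a real xapi session (XenAPI.xapi_local() on the host)."""
    session.xenapi.event.register(["VM"])
    while True:
        for ev in session.xenapi.event.next():
            refs = (ev.get("snapshot") or {}).get("VIFs", [])
            tracker.handle(ev, {r: session.xenapi.VIF.get_record(r) for r in refs})

def simulate_reboot():
    """Constructed events: start as dom_id 12, reboot to dom_id 13, then halt."""
    log = []
    tracker = RuleTracker(lambda vif, rec: log.append(("apply", vif)),
                          lambda vif: log.append(("remove", vif)))
    vifs = {"OpaqueRef:vif-a": {"device": "0"}, "OpaqueRef:vif-b": {"device": "1"}}
    def vm_event(state, domid):
        return {"class": "vm", "operation": "mod", "ref": "OpaqueRef:vm-1",
                "snapshot": {"power_state": state, "domid": domid, "VIFs": list(vifs)}}
    for ev in (vm_event("Running", 12), vm_event("Running", 13), vm_event("Halted", -1)):
        tracker.handle(ev, vifs)
    return log
```

On a host, listen(XenAPI.xapi_local() after login_with_password, RuleTracker(...)) replaces simulate_reboot(); the tracker state is the reason a reboot produces a remove for the old vif names before an apply for the new ones.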

Open Questions

  1. Why do we periodically run networking-rules on the host machine in Slicehost?
  2. When the host machine is bounced (unfortunately), what needs to happen? The script will need to go into /etc/init.d (just like the current script does).
  3. Will these scripts be a yum package that we install on the host (glance plugin, host scripts, etc.)?