Commit 48227b9

committed
docs: Add network and firewall configuration for Hypervisor
1 parent 6772047 commit 48227b9

3 files changed

Lines changed: 205 additions & 0 deletions

Lines changed: 52 additions & 0 deletions
@@ -0,0 +1,52 @@
1+
<?xml version='1.0' encoding='utf-8' ?>
2+
<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
3+
<!ENTITY % BOOK_ENTITIES SYSTEM "cloudstack.ent">
4+
%BOOK_ENTITIES;
5+
]>
6+
7+
<!-- Licensed to the Apache Software Foundation (ASF) under one
8+
or more contributor license agreements. See the NOTICE file
9+
distributed with this work for additional information
10+
regarding copyright ownership. The ASF licenses this file
11+
to you under the Apache License, Version 2.0 (the
12+
"License"); you may not use this file except in compliance
13+
with the License. You may obtain a copy of the License at
14+
15+
http://www.apache.org/licenses/LICENSE-2.0
16+
17+
Unless required by applicable law or agreed to in writing,
18+
software distributed under the License is distributed on an
19+
"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
20+
KIND, either express or implied. See the License for the
21+
specific language governing permissions and limitations
22+
under the License.
23+
-->
24+
25+
<section id="hypervisor-host-install-firewall">
26+
<title>Configuring the firewall</title>
27+
<para>The hypervisor needs to be able to communicate with other hypervisors and the management server needs to be able to reach the hypervisor.</para>
28+
<para>In order to do so we have to open the following TCP ports (if you are using a firewall):</para>
29+
<orderedlist>
30+
<listitem><para>22 (SSH)</para></listitem>
31+
<listitem><para>1798</para></listitem>
32+
<listitem><para>16509 (libvirt)</para></listitem>
33+
<listitem><para>5900 - 6100 (VNC consoles)</para></listitem>
34+
<listitem><para>49152 - 49216 (libvirt live migration)</para></listitem>
35+
</orderedlist>
36+
<para>It depends on the firewall you are using how to open these ports. Below you'll find examples how to open these ports in RHEL/CentOS and Ubuntu.</para>
37+
<section id="hypervisor-host-install-firewall-rhel">
38+
<title>Open ports in RHEL/CentOS</title>
39+
<para>TODO: How to open ports</para>
40+
</section>
41+
<section id="hypervisor-host-install-firewall-ubuntu">
42+
<title>Open ports in Ubuntu</title>
43+
<para>The default firewall under Ubuntu is UFW (Uncomplicated FireWall), although not enabled.</para>
44+
<para>To open the required ports, execute the following commands:</para>
45+
<programlisting language="Bash">ufw allow proto tcp from any to any port 22</programlisting>
46+
<programlisting language="Bash">ufw allow proto tcp from any to any port 1798</programlisting>
47+
<programlisting language="Bash">ufw allow proto tcp from any to any port 16509</programlisting>
48+
<programlisting language="Bash">ufw allow proto tcp from any to any port 5900:6100</programlisting>
49+
<programlisting language="Bash">ufw allow proto tcp from any to any port 49152:492160</programlisting>
50+
<note><para>By default UFW is not enabled on Ubuntu. Executing these commands with the firewall disabled does not enable the firewall.</para></note>
51+
</section>
52+
</section>
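Review bot: the last ufw rule in this file, `ufw allow proto tcp from any to any port 49152:492160`, has a typo in the upper bound: 492160 is outside the valid 1-65535 TCP port range, so the rule cannot be applied, and it does not match the `49152 - 49216 (libvirt live migration)` range given in the list above it; it should read `ufw allow proto tcp from any to any port 49152:49216`. The RHEL/CentOS subsection still contains the placeholder `<para>TODO: How to open ports</para>`, so it ships as an empty section; either fill it in or leave the subsection out until the content exists. Finally, every rule uses `from any`, which exposes SSH, libvirt and the whole VNC console range to every network the hypervisor is attached to, even though the introduction says only the management server and other hypervisors need to reach these ports; consider documenting a source restriction to the management network (`from <management-subnet>`) instead of `from any`.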

docs/en-US/hypervisor-host-install-flow.xml

Lines changed: 2 additions & 0 deletions
@@ -28,4 +28,6 @@
2828
<xi:include href="hypervisor-host-install-prepare-os.xml" xmlns:xi="http://www.w3.org/2001/XInclude" />
2929
<xi:include href="hypervisor-host-install-libvirt.xml" xmlns:xi="http://www.w3.org/2001/XInclude" />
3030
<xi:include href="hypervisor-host-install-security-policies.xml" xmlns:xi="http://www.w3.org/2001/XInclude" />
31+
<xi:include href="hypervisor-host-install-network.xml" xmlns:xi="http://www.w3.org/2001/XInclude" />
32+
<xi:include href="hypervisor-host-install-firewall.xml" xmlns:xi="http://www.w3.org/2001/XInclude" />
3133
</section>
Lines changed: 151 additions & 0 deletions
@@ -0,0 +1,151 @@
1+
<?xml version='1.0' encoding='utf-8' ?>
2+
<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
3+
<!ENTITY % BOOK_ENTITIES SYSTEM "cloudstack.ent">
4+
%BOOK_ENTITIES;
5+
]>
6+
7+
<!-- Licensed to the Apache Software Foundation (ASF) under one
8+
or more contributor license agreements. See the NOTICE file
9+
distributed with this work for additional information
10+
regarding copyright ownership. The ASF licenses this file
11+
to you under the Apache License, Version 2.0 (the
12+
"License"); you may not use this file except in compliance
13+
with the License. You may obtain a copy of the License at
14+
15+
http://www.apache.org/licenses/LICENSE-2.0
16+
17+
Unless required by applicable law or agreed to in writing,
18+
software distributed under the License is distributed on an
19+
"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
20+
KIND, either express or implied. See the License for the
21+
specific language governing permissions and limitations
22+
under the License.
23+
-->
24+
25+
<section id="hypervisor-host-install-network">
26+
<title>Configure the network bridges</title>
27+
<warning><para>This is a very important section, please make sure you read this thoroughly.</para></warning>
28+
<para>In order to forward traffic to your instances you will need at least two bridges: public and private.</para>
29+
<para>By default these bridges are called cloudbr0 and cloudbr1, but you do have to make sure they are available on each hypervisor.</para>
30+
<section id="hypervisor-host-install-network-vlan">
31+
<title>Network example</title>
32+
<para>There are many ways to configure your network. In the Basic networking mode you should have two (V)LAN's, one for your private network and one for the public network.</para>
33+
<para>The hypervisor has one NIC (eth0) with three VLAN's:</para>
34+
<orderedlist>
35+
<listitem><para>VLAN 100 for management of the hypervisor</para></listitem>
36+
<listitem><para>VLAN 200 for public network of the instances (cloudbr0)</para></listitem>
37+
<listitem><para>VLAN 300 for private network of the instances (cloudbr1)</para></listitem>
38+
</orderedlist>
39+
<para>On VLAN 100 we give the Hypervisor the IP-Address 192.168.42.11/24 with the gateway 192.168.42.1</para>
40+
</section>
41+
<section id="hypervisor-host-install-network-configure">
42+
<title>Configuring the network bridges</title>
43+
<para>It depends on the distribution you are using how to configure these, below you'll find examples for RHEL/CentOS and Ubuntu.</para>
44+
<note><para>The goal is to have two bridges called 'cloudbr0' and 'cloudbr1' after this section. This should be used as a guideline only. The exact configuration will depend on your network layout.</para></note>
45+
<section id="hypervisor-host-install-network-configure-rhel">
46+
<title>Configure in RHEL or CentOS</title>
47+
<para>The required packages were installed when libvirt was installed, we can proceed to configuring the network.</para>
48+
<para>First we configure eth0</para>
49+
<programlisting language="Bash">vi /etc/sysconfig/network-scripts/ifcfg-eth0</programlisting>
50+
<para>Make sure it looks similair to:</para>
51+
<programlisting><![CDATA[DEVICE=eth0
52+
HWADDR=00:04:xx:xx:xx:xx
53+
ONBOOT=yes
54+
HOTPLUG=no
55+
BOOTPROTO=none
56+
TYPE=Ethernet]]></programlisting>
57+
<para>We now have to configure the three VLAN interfaces:</para>
58+
<programlisting language="Bash">vi /etc/sysconfig/network-scripts/ifcfg-eth0.100</programlisting>
59+
<programlisting><![CDATA[DEVICE=eth0.100
60+
HWADDR=00:04:xx:xx:xx:xx
61+
ONBOOT=yes
62+
HOTPLUG=no
63+
BOOTPROTO=none
64+
TYPE=Ethernet
65+
VLAN=yes
66+
IPADDR=192.168.42.11
67+
GATEWAY=192.168.42.1
68+
NETMASK=255.255.255.0]]></programlisting>
69+
<programlisting language="Bash">vi /etc/sysconfig/network-scripts/ifcfg-eth0.200</programlisting>
70+
<programlisting><![CDATA[DEVICE=eth0.200
71+
HWADDR=00:04:xx:xx:xx:xx
72+
ONBOOT=yes
73+
HOTPLUG=no
74+
BOOTPROTO=none
75+
TYPE=Ethernet
76+
VLAN=yes
77+
BRIDGE=cloudbr0]]></programlisting>
78+
<programlisting language="Bash">vi /etc/sysconfig/network-scripts/ifcfg-eth0.300</programlisting>
79+
<programlisting><![CDATA[DEVICE=eth0.300
80+
HWADDR=00:04:xx:xx:xx:xx
81+
ONBOOT=yes
82+
HOTPLUG=no
83+
BOOTPROTO=none
84+
TYPE=Ethernet
85+
VLAN=yes
86+
BRIDGE=cloudbr1]]></programlisting>
87+
<para>Now we have the VLAN interfaces configured we can add the bridges on top of them.</para>
88+
<programlisting language="Bash">vi /etc/sysconfig/network-scripts/ifcfg-cloudbr0</programlisting>
89+
<para>Now we just configure it is a plain bridge without an IP-Adress</para>
90+
<programlisting><![CDATA[DEVICE=cloudbr0
91+
TYPE=Bridge
92+
ONBOOT=yes
93+
BOOTPROTO=none
94+
IPV6INIT=no
95+
IPV6_AUTOCONF=no
96+
DELAY=5
97+
STP=yes]]></programlisting>
98+
<para>We do the same for cloudbr1</para>
99+
<programlisting language="Bash">vi /etc/sysconfig/network-scripts/ifcfg-cloudbr1</programlisting>
100+
<programlisting><![CDATA[DEVICE=cloudbr1
101+
TYPE=Bridge
102+
ONBOOT=yes
103+
BOOTPROTO=none
104+
IPV6INIT=no
105+
IPV6_AUTOCONF=no
106+
DELAY=5
107+
STP=yes]]></programlisting>
108+
<para>With this configuration you should be able to restart the network, although a reboot is recommended to see if everything works properly.</para>
109+
<warning><para>Make sure you have an alternative way like IPMI or ILO to reach the machine in case you made a configuration error and the network stops functioning!</para></warning>
110+
</section>
111+
<section id="hypervisor-host-install-network-configure-ubuntu">
112+
<title>Configure in Ubuntu</title>
113+
<para>All the required packages were installed when you installed libvirt, so we only have to configure the network.</para>
114+
<programlisting language="Bash">vi /etc/network/interfaces</programlisting>
115+
<para>Modify the interfaces file to look like this:</para>
116+
<programlisting><![CDATA[auto lo
117+
iface lo inet loopback
118+
119+
auto eth0.200
120+
iface eth0.200 inet manual
121+
122+
auto eth0.300
123+
iface eth0.300 inet manual
124+
125+
# The primary network interface
126+
auto eth0.100
127+
iface eth0.100 inet static
128+
address 192.168.42.11
129+
netmask 255.255.255.240
130+
gateway 192.168.42.1
131+
132+
# Public network
133+
auto cloudbr0
134+
iface cloudbr0 inet manual
135+
bridge_ports eth0.200
136+
bridge_fd 5
137+
bridge_stp off
138+
bridge_maxwait 1
139+
140+
# Private network
141+
auto cloudbr1
142+
iface cloudbr1 inet manual
143+
bridge_ports eth0.300
144+
bridge_fd 5
145+
bridge_stp off
146+
bridge_maxwait 1]]></programlisting>
147+
<para>With this configuration you should be able to restart the network, although a reboot is recommended to see if everything works properly.</para>
148+
<warning><para>Make sure you have an alternative way like IPMI or ILO to reach the machine in case you made a configuration error and the network stops functioning!</para></warning>
149+
</section>
150+
</section>
151+
</section>
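Review bot: the Ubuntu interfaces file gives eth0.100 `netmask 255.255.255.240` (/28), while the "Network example" subsection describes the management address as 192.168.42.11/24 and the RHEL ifcfg-eth0.100 example uses `NETMASK=255.255.255.0`; one of the two examples is wrong and they should agree with the /24 stated in the text. The two distributions also disagree on spanning tree: the RHEL bridge files set `STP=yes` while the Ubuntu bridges set `bridge_stp off`; pick one setting for both and say why, since it changes whether the host sends BPDUs to the upstream switch and how long the bridge waits before forwarding. Minor wording: `similair` should be `similar`, `IP-Adress` should be `IP address` (also `IP-Address` in the VLAN example), `configure it is a plain bridge` should read `configure it as a plain bridge`, and `(V)LAN's` takes no apostrophe. It would also help to state the reason cloudbr0 and cloudbr1 deliberately carry no IP address: the hypervisor itself is then not addressable from the guest public or private VLANs, which is the isolation property this layout provides.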
