Attaching arbitrary IP addresses using one.vm.attachnic
Category: Core & System
Target version: Release 4.4
Affected Versions: OpenNebula 4.0
It seems a user can attach any arbitrary IP address to a VM by calling one.vm.attachnic without specifying a NETWORK_ID (or NETWORK).
one.vm.attachnic(key, vm_id, "NIC=[IP=22.214.171.124]")
Would attach the arbitrary address 126.96.36.199 to the VM.
I'm not sure if that's the expected behaviour.
I can see this being a major issue for hypervisors not enforcing VLAN or bridge isolation (i.e. configuring all VMs in the same VLAN). It can typically be used by a user to grab an existing IP address from the network (such as the gateway address or IP addresses assigned to other VMs).
#5 Updated by Ruben S. Montero over 7 years ago
Well, I was thinking exactly the same when I wrote my last comment.
- first, we need a way to have "network-less" NICs. This can be done with MAC (as in NIC=[MAC="00:01.."]). This can be limited with the RESTRICTED attributes.
- So, the same can be applied to IP: I can restrict IP so only oneadmin can do NIC=[IP="192.168..."] (note that this is equivalent to the MAC-form). I can restrict that (putting IP as a RESTRICTED attribute in oned.conf), but then I'd also restrict NIC=[NETWORK="blue",IP="192.."], which probably is a valid entry.
So I'm inclined to agree with you, IP does not make sense without a NETWORK attribute in a NIC. (Because if it makes sense you can always use MAC)
#6 Updated by Ruben S. Montero over 7 years ago
- Category set to Core & System
- Status changed from Pending to New
- Target version set to Release 4.2
So here the real problem is to use BRIDGE, setting up a NIC not attached to any particular interface would not be a problem. In fact I think it fails so we do not pass the SOURCE option for the attach nic command.
This issue will be solved by:
1.- First check for restricted attributes in NIC template
2.- Check that all needed attributes are available (MAC/IP and BRIDGE)
#8 Updated by Carlos Martín about 7 years ago
- Status changed from New to Closed
- Resolution set to fixed
We've been talking about this, and it looks to us that the only real problem is if you let a user choose a mac/ip and attach the nic to a bridge. So for now we have added NIC/BRIDGE as a default restricted attribute in oned.conf.
Let us know if you still see any other problems we may have missed.
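The two checks listed in comment #6, combined with the NIC/BRIDGE restriction from comment #8, can be sketched as follows. This is an added example, not OpenNebula's code: `RESTRICTED`, `parse_vector` and `check_attach` are hypothetical names, the addresses are constructed sample values, and validation of an IP against the leases of a named network is not modelled.

```python
import re

# Assumption: mirrors the "NIC/BRIDGE" default restriction named in the thread.
RESTRICTED = {"NIC/BRIDGE"}
_PAIR = re.compile(r'\s*(\w+)\s*=\s*(?:"([^"]*)"|([^,\]\s]+))\s*')

def parse_vector(template):
    """Parse one 'NAME=[K=V,...]' vector attribute into (NAME, {K: V})."""
    m = re.fullmatch(r'\s*(\w+)\s*=\s*\[(.*)\]\s*', template, re.S)
    if not m:
        raise ValueError("expected NAME=[KEY=VALUE,...]")
    name, body, attrs, pos = m.group(1).upper(), m.group(2), {}, 0
    while pos < len(body):
        p = _PAIR.match(body, pos)
        if not p or (p.end() < len(body) and body[p.end()] != ","):
            raise ValueError("malformed attribute near offset %d" % pos)
        attrs[p.group(1).upper()] = p.group(2) if p.group(2) is not None else p.group(3)
        pos = p.end() + 1  # skip the separating comma
    return name, attrs

def check_attach(template, is_admin):
    """Return (allowed, reason) for a NIC attach request (hypothetical helper)."""
    try:
        name, nic = parse_vector(template)
    except ValueError as exc:
        return False, str(exc)
    if name != "NIC":
        return False, "only a NIC attribute can be attached"
    # Step 1: restricted attributes are refused for non-admin users.
    for key in nic:
        if not is_admin and "%s/%s" % (name, key) in RESTRICTED:
            return False, "restricted attribute %s/%s" % (name, key)
    # A NIC that names a virtual network takes its addressing from that network.
    if "NETWORK" in nic or "NETWORK_ID" in nic:
        return True, "network NIC"
    # Step 2: a network-less NIC needs MAC or IP, plus BRIDGE.
    if "BRIDGE" not in nic or not ({"MAC", "IP"} & nic.keys()):
        return False, "network-less NIC needs MAC or IP, and BRIDGE"
    return True, "network-less NIC"
```

With these rules a regular user's bare `NIC=[IP=...]` request is rejected for lacking BRIDGE, and adding BRIDGE is rejected by the restricted-attribute check, so only an administrator can build a network-less NIC.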