Open vSwitch does much the same job as a physical switch, so how do you set up a mirror port on it? A mirror port is normally used to monitor traffic, or to hang Snort off it for security scanning, and OVS supports this too.

Scenario: we first install two KVM guests and attach them to the OVS bridge ovsbr0. The two guests' NICs have MAC addresses that differ only in the last digit, as follows:

------
<interface type='bridge'>  
 <mac address='52:54:bb:bb:11:11'/>
 <source bridge='ovsbr0'/>
 <virtualport type='openvswitch'>
 </virtualport>
 <model type='virtio'/>
</interface>  
------
<interface type='bridge'>  
 <mac address='52:54:bb:bb:11:12'/>
 <source bridge='ovsbr0'/>
 <virtualport type='openvswitch'>
 </virtualport>
 <model type='virtio'/>
</interface>  
------

OK, first a quick primer on libvirt's hook scripts; there are four of them:

  • /etc/libvirt/hooks/daemon

    Executed when the libvirt daemon is started, stopped, or reloads its configuration

  • /etc/libvirt/hooks/qemu

    Executed when a QEMU guest is started, stopped, or migrated

  • /etc/libvirt/hooks/lxc

    Executed when an LXC guest is started or stopped

  • /etc/libvirt/hooks/network

    Executed when a network is started or stopped or an interface is plugged/unplugged to/from the network

The one we need to touch is /etc/libvirt/hooks/qemu. libvirt calls this script whenever a KVM guest starts, and it can do a great deal: take backups, force extra XML into the domain definition, rewire the network, and so on. If the directory does not exist yet, create it by hand:

# mkdir /etc/libvirt/hooks

Now edit qemu. Note that the hook receives two arguments passed in when a guest starts: the guest name and the action; on start-up that is start.

# vi /etc/libvirt/hooks/qemu
------
#!/bin/bash
# MAC of the NIC inside the IDS guest; its OVS port becomes the mirror output
MAC="52:54:bb:bb:11:12"
# GUEST should point to the name of the guest
GUEST="ids"

# libvirt passes the guest name as $1 and the operation as $2; both are quoted
# so the test does not blow up when an argument is empty
if [ "$1" = "$GUEST" ];
then
        # 'started' fires after the domain is running, i.e. once its vnet tap exists
        if [ "$2" = 'started' ];
        then
                # find the host-side tap carrying that MAC; `ip -o link` keeps the
                # interface name and the MAC on one line, whereas ifconfig's layout
                # differs between net-tools versions
                IFACE=$(ip -o link | grep -i "$MAC" | awk -F': ' '{print $2}')
                if [ -z "$IFACE" ]; then
                        echo "No interface with MAC $MAC, mirror not created" | logger
                        exit 0
                fi
                # drop any previous mirror, then create mirror0 that copies all
                # bridge traffic (select_all=1) to the IDS guest's port
                ovs-vsctl clear bridge ovsbr0 mirrors
                ovs-vsctl -- --id=@m create mirror name=mirror0 -- add bridge ovsbr0 mirrors @m -- --id=@capt get Port "$IFACE" -- set mirror mirror0 output_port=@capt select_all=1
                exit 0
        fi
fi

echo "Nothing to do : $1 $2" | logger
exit 0
------

Set the permissions:

# chmod 755 /etc/libvirt/hooks/qemu

Restart libvirt:

# /etc/init.d/libvirt-bin restart

Done.
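As an added example (not the post's own hook), here is a variant of the same qemu hook that mirrors only the first guest's port to the IDS guest's port and removes the mirror again when the IDS guest stops, so the IDS never sees traffic of guests it was not meant to inspect. It assumes the bridge ovsbr0, the guest name ids and the two MACs from the post; the mirror name ids_mirror and the OVS_VSCTL override are my own choices.

```shell
#!/bin/sh
# Added example, not the original post's hook: a libvirt qemu hook that mirrors
# the monitored guest's port to the IDS guest's port when the IDS guest is
# started, and tears the mirror down when it is stopped.
# Assumed names: bridge ovsbr0, guest "ids", the two MACs from the post.
BRIDGE="ovsbr0"
GUEST="ids"
IDS_MAC="52:54:bb:bb:11:12"   # NIC of the guest running Snort (mirror output)
MON_MAC="52:54:bb:bb:11:11"   # NIC whose traffic is to be inspected
OVS_VSCTL="${OVS_VSCTL:-ovs-vsctl}"   # set OVS_VSCTL=echo to dry-run the transaction

# Read `ip -o link` output on stdin and print the interface that carries MAC $1.
# `ip -o` keeps each link on one record, so "$2" is the name ("vnet0:") and the
# same record holds "link/ether <mac> brd"; the match is case-insensitive.
iface_for_mac() {
    awk -v mac="$1" 'index(tolower($0), "link/ether " tolower(mac) " ") {
        sub(/:$/, "", $2); print $2; exit }'
}

# One ovs-vsctl transaction: replace any existing mirrors on the bridge with a
# mirror that selects only the monitored port ($1) as source and destination
# and outputs to the IDS port ($2), instead of the post's select_all=1.
create_mirror() {
    "$OVS_VSCTL" -- clear bridge "$BRIDGE" mirrors \
        -- --id=@src get Port "$1" \
        -- --id=@out get Port "$2" \
        -- --id=@m create mirror name=ids_mirror select_src_port=@src select_dst_port=@src output_port=@out \
        -- add bridge "$BRIDGE" mirrors @m
}

remove_mirror() { "$OVS_VSCTL" clear bridge "$BRIDGE" mirrors; }

# Dispatch on the two arguments libvirt passes: guest name ($1), operation ($2).
# 'started' fires after the domain is running, i.e. once its vnet tap exists.
hook_main() {
    [ "$1" = "$GUEST" ] || { logger -t qemu-hook "Nothing to do: $1 $2"; return 0; }
    case "$2" in
        started)
            ids=$(ip -o link | iface_for_mac "$IDS_MAC")
            mon=$(ip -o link | iface_for_mac "$MON_MAC")
            if [ -z "$ids" ] || [ -z "$mon" ]; then
                logger -t qemu-hook "mirror not created: ids='$ids' mon='$mon'"
                return 0
            fi
            create_mirror "$mon" "$ids" ;;
        stopped) remove_mirror ;;
    esac
}

if [ $# -ge 2 ]; then hook_main "$@"; fi
```

If the monitored guest itself is restarted, its tap is recreated and the select_src_port/select_dst_port references are dropped, so the mirror has to be rebuilt; rerunning the hook for the IDS guest does that.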
