Open vSwitch behaves much like a physical switch, so how do you set up a mirror (SPAN) port on it? A mirror port is usually used to monitor traffic, or to hang Snort off it for security scanning, and OVS supports this as well.
Scenario: first install two KVM guests and attach them to the OVS bridge ovsbr0. The MAC addresses of the two guests' NICs differ only in the last digit, as follows:
------
<interface type='bridge'>
  <mac address='52:54:bb:bb:11:11'/>
  <source bridge='ovsbr0'/>
  <virtualport type='openvswitch'>
  </virtualport>
  <model type='virtio'/>
</interface>
------
<interface type='bridge'>
  <mac address='52:54:bb:bb:11:12'/>
  <source bridge='ovsbr0'/>
  <virtualport type='openvswitch'>
  </virtualport>
  <model type='virtio'/>
</interface>
------
OK, first a quick primer on libvirt's hook scripts. There are four of them:
/etc/libvirt/hooks/daemon
Executed when the libvirt daemon is started, stopped, or reloads its configuration
/etc/libvirt/hooks/qemu
Executed when a QEMU guest is started, stopped, or migrated
/etc/libvirt/hooks/lxc
Executed when an LXC guest is started or stopped
/etc/libvirt/hooks/network
Executed when a network is started or stopped or an interface is plugged/unplugged to/from the network
The one we need to touch is /etc/libvirt/hooks/qemu. libvirt calls this script whenever a KVM guest starts, and it can do a great deal: make backups, force extra XML into the domain, change the networking, and so on. If the directory does not exist yet, create it by hand:
# mkdir /etc/libvirt/hooks
Now edit qemu. Note that the hook receives two arguments passed in when the guest starts: the first is the guest name, the second is the action, which is start when the guest is being brought up (the script below matches started, the phase after the guest is running, because the guest's vnet tap interface only exists on the bridge from then on):
# vi /etc/libvirt/hooks/qemu
------
#!/bin/bash
# libvirt calls this hook as: qemu <guest-name> <operation> <sub-operation> <extra>
MAC="52:54:bb:bb:11:12"
# GUEST should point to the name of the guest
GUEST="ids"
if [ "$1" = "$GUEST" ]; then
    if [ "$2" = 'started' ]; then
        # libvirt records the guest MAC in external_ids:attached-mac on the OVS
        # Interface it plugged in; the tap's own MAC starts with fe:, so grepping
        # ifconfig output for the guest MAC would not match it
        IFACE=$(ovs-vsctl --data=bare --no-headings --columns=name \
                find Interface "external_ids:attached-mac=\"$MAC\"")
        if [ -z "$IFACE" ]; then
            echo "No OVS interface found for $MAC" | logger
            exit 0
        fi
        # drop any stale mirror first, then create the new one in a single transaction
        ovs-vsctl clear bridge ovsbr0 mirrors
        ovs-vsctl -- --id=@m create mirror name=mirror0 -- add bridge ovsbr0 mirrors @m -- --id=@capt get Port "$IFACE" -- set mirror mirror0 output_port=@capt select_all=1
        exit 0
    fi
fi
echo "Nothing to do : $1 $2" | logger
exit 0
------
Set the permissions:
# chmod 755 /etc/libvirt/hooks/qemu
Restart libvirt so it picks up the new hook:
# /etc/init.d/libvirt-bin restart
Done.
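As an added example (not the post's own script), the helpers below wrap the ovs-vsctl mirror transactions the hook runs, so they can be reused from the hook or by hand. The function names (hook_should_mirror, iface_for_mac, create_span_mirror, clear_mirrors, show_mirrors) and the OVS_VSCTL and MIRROR_GUEST variables are assumptions of mine. Beyond the post's select_all=1, it also shows limiting the mirror to named ports with select_src_port/select_dst_port, so the IDS guest only sees the guests it is meant to inspect, and it resolves the vnet interface through libvirt's external_ids:attached-mac rather than grepping ifconfig. Setting OVS_VSCTL=echo prints the transactions instead of applying them, which is handy when you have no OVS host in front of you.

```shell
#!/bin/bash
# Added example, not the post's script. Shell helpers around the ovs-vsctl
# mirror transactions used by the libvirt qemu hook. Names below are my own;
# OVS_VSCTL can be overridden (OVS_VSCTL=echo) to print the transactions
# instead of running them.
OVS_VSCTL="${OVS_VSCTL:-ovs-vsctl}"
MIRROR_GUEST="${MIRROR_GUEST:-ids}"    # guest that receives the mirrored traffic

# libvirt calls the qemu hook as: qemu <guest> <operation> <sub-op> <extra>.
# Only reconfigure for the IDS guest and only at "started", because the vnet
# tap interface does not exist on the bridge before that phase.
hook_should_mirror() {
    [ "$1" = "$MIRROR_GUEST" ] && [ "$2" = "started" ]
}

# Resolve the OVS Interface name for a guest MAC. libvirt records the guest
# MAC in external_ids:attached-mac on the Interface it plugs in; the tap's own
# MAC starts with fe:, so grepping ifconfig for the guest MAC does not match.
iface_for_mac() {
    "$OVS_VSCTL" --data=bare --no-headings --columns=name \
        find Interface "external_ids:attached-mac=\"$1\""
}

# Remove all mirrors from bridge $1 (done before recreating one, so a guest
# restart does not leave a stale mirror pointing at an old port).
clear_mirrors() {
    "$OVS_VSCTL" clear Bridge "$1" mirrors
}

# Create mirror $2 on bridge $1 that copies traffic to port $3, in one
# transaction. With no further arguments everything on the bridge is mirrored
# (select_all=true). With extra port names only traffic to/from those ports is
# selected (select_src_port/select_dst_port), so the IDS sees just the guests
# it is meant to inspect and nothing else that shares the bridge.
create_span_mirror() {
    local br="$1" name="$2" out="$3"
    shift 3
    if [ $# -eq 0 ]; then
        "$OVS_VSCTL" -- --id=@out get Port "$out" \
            -- --id=@m create Mirror name="$name" select_all=true output_port=@out \
            -- add Bridge "$br" mirrors @m
        return
    fi
    local refs="" sel="" i=0 p
    for p in "$@"; do
        refs="$refs -- --id=@p$i get Port $p"   # one named Port lookup per port
        sel="${sel:+$sel,}@p$i"                 # comma list of those references
        i=$((i + 1))
    done
    # $refs is deliberately unquoted: it is a list of words for ovs-vsctl
    "$OVS_VSCTL" -- --id=@out get Port "$out" $refs \
        -- --id=@m create Mirror name="$name" \
           select_src_port="$sel" select_dst_port="$sel" output_port=@out \
        -- add Bridge "$br" mirrors @m
}

# Print the Mirror table so output_port/select_* can be checked after the hook.
show_mirrors() {
    "$OVS_VSCTL" list Mirror
}

# Example run (skipped unless invoked with "demo"): mirror only the first
# guest's port (MAC ...11:11) into the IDS guest's port (MAC ...11:12).
if [ "${1:-}" = "demo" ]; then
    ids_port=$(iface_for_mac "52:54:bb:bb:11:12")
    src_port=$(iface_for_mac "52:54:bb:bb:11:11")
    clear_mirrors ovsbr0
    create_span_mirror ovsbr0 mirror0 "$ids_port" "$src_port"
    show_mirrors
fi
```

From the hook you would call hook_should_mirror "$1" "$2" and, when it succeeds, clear_mirrors followed by create_span_mirror; passing the source guests' port names instead of relying on select_all is the change worth making once more than two guests share the bridge. After applying, ovs-vsctl list Mirror should show the expected output_port and select_* columns.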