[ovirt-users] Re: High level network advice request
Happy to help. Host shouldn't need to be in maintenance mode to add logical networks. I don't do mine that way, but I am using a second nic for those and the first nic is dedicated to ovirtmgmt.

Let me know if you need anything. I am an engineer, network, but also have done storage, linux, and proxy, but I don't do windows. :-) Actually I do, but just thought I would throw in a pun.

Robert

From: Richard Nilsson
Sent: Friday, January 31, 2020 9:04 AM
To: users@ovirt.org
Subject: [ovirt-users] Re: High level network advice request

Thanks so much for your reply Robert! I like your set-up a lot, that's where I'm going too actually. But now I have only one node, I'm trying to learn very basic setup with just the one for the moment (Because I have it running after years of trying! It will take a few weeks and another motherboard / rebuild before I have the second node, I'll get there soon).

I've just learned (I think) that I can't sync new logical networks with the host, because I can't put the only host in maintenance mode... I thought that there might be a way with cli and restarts and all that but lo, there's no point, I will have another node in a few weeks or months :)

That's okay, I'm trying to work out why I can't access my new test server from WAN. I use split dns with pfsense and haproxy reverse redirects. I can get to the server test pages from LAN via the pfSense dns resolution (LAN) but the reverse redirects are not working from WAN. I don't know what next step to take to debug the problem.

The engine is accessible from WAN, so I think it should work for the vm server, which is also on the default ovirt management network and uses all defaults like the hosted engine. I suspect that there is a security setting on the engine, logical network or maybe the server? What should I check next?

My single node is also in the same condition, which may be instructive to a noob like me... the node I can reach from the LAN but not the WAN. So the engine is a special case.

Do I need to create certificates on the vm webserver? I'd like to see if I can set-up a NextCloud server after trying a SuiteCRM server. But I started with fedora 31 server and a very basic lamp stack to limit variables...

Thanks in advance. Let me know if I can ever help you with anything! I'm an Architect, but a real one; not IT but bricks and all that :)

These are the links:
engine.metrodesignoffice.com
mdowebserver.metrodesignoffice.com

___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/
List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/P3BGTTBCAQWKNZMISYBOJVLDXPOOXC6S/
[ovirt-users] Re: High level network advice request
Given what you have described, it seems to be either a HAproxy or server config issue. If the server can reach the internet, that solves default gateway issues; if you can reach the server from the LAN then that solves any networking issues.

I would probably do a packet capture at the pfSense box and on the server to see where they stop. It can also tell you if there may be some kind of haproxy issue where the translation may not be what you expect.

Robert

From: Richard Nilsson
Sent: Friday, January 31, 2020 8:49 AM
To: users@ovirt.org
Subject: [ovirt-users] Re: High level network advice request

Thanks again Joseph,

I do have a specific noob question. I'm learning so much with this test deployment :) Amazing.

I can't get to a test vm / webserver managed by Ovirt Engine from WAN, as I do with the Engine and other machines. I suspect that I am missing some pretty basic setup step with security but I don't know what to check next?

So I use pfSense with haproxy add on, which is pretty great. Squid might be better, but haproxy was really easy for me to set-up without mastering config syntax... My pfSense is on a physical box at the gateway as a gateway server, so not a vm.

I have a working vm on an ovirt node managed / created with engine. I set up the vm with fedora 31 server then added a lamp stack with mariadb & etc. I can access (from LAN only, not from WAN) the server test page and a text php info page that I made. I don't know what to adjust to debug the problem. I suspect security / firewall issues but not with the pfSense / haproxy reverse redirect, I think that's all fine.

I use pfSense DNS Resolution in the LAN as split DNS. Other machines, including the hosted engine machine are accessible from WAN using URLs / FQDNs.

My engine for testing is engine.metrodesignoffice.com
The test server is mdowebserver.metrodesignoffice.com

What should I look at next? I only installed one node so I can't sync new logical networks or vnet profiles as I understand (the single node can't be placed in maintenance mode, for obvious reasons?).
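Robert's suggestion above, capturing at the pfSense box and on the server to see where the packets stop, worked through as an added example that is not part of the original thread. It reads the text output of `tcpdump -nn` from each capture point in path order and reports the first point where the TCP handshake is not answered; the capture-point names, addresses and sample lines are constructed.

```python
import re

# One-line text form printed by `tcpdump -nn` for TCP over IPv4.
LINE = re.compile(
    r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): Flags \[([^\]]+)\]"
)

def handshake_state(capture_text, server_ports=(80, 443)):
    """Classify one capture point: 'none', 'syn-only', 'reset' or 'answered'."""
    syn = synack = rst = False
    for line in capture_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        sport, dport, flags = int(m.group(2)), int(m.group(4)), m.group(5)
        if dport in server_ports and flags == "S":
            syn = True          # client -> service SYN seen at this point
        elif sport in server_ports and flags == "S.":
            synack = True       # service answered with SYN-ACK
        elif sport in server_ports and "R" in flags:
            rst = True          # service side refused the connection
    if not syn:
        return "none"
    if synack:
        return "answered"
    return "reset" if rst else "syn-only"

def locate_stop(captures):
    """captures: ordered (name, tcpdump text) pairs along the path.
    Returns (name, state) for the first point whose handshake is not answered,
    or None when every point shows an answered handshake."""
    for name, text in captures:
        state = handshake_state(text)
        if state != "answered":
            return name, state
    return None

# Constructed sample captures (documentation/private addresses, not from the thread).
# HAProxy terminates the WAN connection and opens its own connection on the LAN side.
PFSENSE_WAN = """\
12:00:01.000001 IP 203.0.113.7.51514 > 198.51.100.2.443: Flags [S], seq 1, win 64240, length 0
12:00:01.000090 IP 198.51.100.2.443 > 203.0.113.7.51514: Flags [S.], seq 9, ack 2, win 65535, length 0
"""
PFSENSE_LAN = """\
12:00:01.010000 IP 192.168.1.1.40022 > 192.168.1.50.80: Flags [S], seq 5, win 65535, length 0
12:00:02.010000 IP 192.168.1.1.40022 > 192.168.1.50.80: Flags [S], seq 5, win 65535, length 0
"""
SERVER_NIC = ""  # nothing arrived at the VM's interface

RESULT = locate_stop([("pfSense WAN", PFSENSE_WAN),
                      ("pfSense LAN", PFSENSE_LAN),
                      ("server", SERVER_NIC)])
```

In the constructed data the WAN handshake completes at HAProxy, the proxy's own SYNs leave the LAN side unanswered and nothing reaches the VM, which points at the path between pfSense and the guest (backend address, bridge, VLAN) rather than at the web server. Real input would come from something like `tcpdump -nn -i <interface> 'tcp port 80 or tcp port 443'` run at each point while a WAN client retries.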
[ovirt-users] Re: High level network advice request
Thanks so much for your reply Robert! I like your set-up a lot, that's where I'm going too actually. But now I have only one node, I'm trying to learn very basic setup with just the one for the moment (Because I have it running after years of trying! It will take a few weeks and another motherboard / rebuild before I have the second node, I'll get there soon).

I've just learned (I think) that I can't sync new logical networks with the host, because I can't put the only host in maintenance mode... I thought that there might be a way with cli and restarts and all that but lo, there's no point, I will have another node in a few weeks or months :)

That's okay, I'm trying to work out why I can't access my new test server from WAN. I use split dns with pfsense and haproxy reverse redirects. I can get to the server test pages from LAN via the pfSense dns resolution (LAN) but the reverse redirects are not working from WAN. I don't know what next step to take to debug the problem.

The engine is accessible from WAN, so I think it should work for the vm server, which is also on the default ovirt management network and uses all defaults like the hosted engine. I suspect that there is a security setting on the engine, logical network or maybe the server? What should I check next?

My single node is also in the same condition, which may be instructive to a noob like me... the node I can reach from the LAN but not the WAN. So the engine is a special case.

Do I need to create certificates on the vm webserver? I'd like to see if I can set-up a NextCloud server after trying a SuiteCRM server. But I started with fedora 31 server and a very basic lamp stack to limit variables...

Thanks in advance. Let me know if I can ever help you with anything! I'm an Architect, but a real one; not IT but bricks and all that :)

These are the links:
engine.metrodesignoffice.com
mdowebserver.metrodesignoffice.com
[ovirt-users] Re: High level network advice request
Thanks again Joseph,

I do have a specific noob question. I'm learning so much with this test deployment :) Amazing.

I can't get to a test vm / webserver managed by Ovirt Engine from WAN, as I do with the Engine and other machines. I suspect that I am missing some pretty basic setup step with security but I don't know what to check next?

So I use pfSense with haproxy add on, which is pretty great. Squid might be better, but haproxy was really easy for me to set-up without mastering config syntax... My pfSense is on a physical box at the gateway as a gateway server, so not a vm.

I have a working vm on an ovirt node managed / created with engine. I set up the vm with fedora 31 server then added a lamp stack with mariadb & etc. I can access (from LAN only, not from WAN) the server test page and a text php info page that I made. I don't know what to adjust to debug the problem. I suspect security / firewall issues but not with the pfSense / haproxy reverse redirect, I think that's all fine.

I use pfSense DNS Resolution in the LAN as split DNS. Other machines, including the hosted engine machine are accessible from WAN using URLs / FQDNs.

My engine for testing is engine.metrodesignoffice.com
The test server is mdowebserver.metrodesignoffice.com

What should I look at next? I only installed one node so I can't sync new logical networks or vnet profiles as I understand (the single node can't be placed in maintenance mode, for obvious reasons?).
[ovirt-users] Re: High level network advice request
As Joseph mentioned in his email, it is mostly situational dependent. I run a 2 node cluster and use multiple interfaces. The first 1Gb nic is for ovirtmgmt and is used for management with no vlan tagging and has the default gateway, DNS, etc assigned to it. My 2nd 1Gb NIC, for now, is for all VM traffic and from the switch is setup as a trunk and carries multiple vlans to the various VMs. My 3rd NIC is 10Gb and it is on its own isolated vlan with no routing and I use it for connectivity to my back end NFS storage and I made it the interface for VM migration between nodes. An additional 10Gb nic is not in use right now, but plans are that once I can get a switch with more 10Gb connectivity, that will become my interface for all VM traffic.

So as you can see, very situational dependent. As Joseph also mentioned, please feel free to ask if you have any questions. I am still pretty new to oVirt, but making progress.

Robert

> -----Original Message-----
> From: Richard Nilsson
> Sent: Thursday, January 23, 2020 10:39 PM
> To: users@ovirt.org
> Subject: [ovirt-users] High level network advice request
>
> High level network advice request :)
>
> I have a self-hosted engine deployed on a node, Ovirt v. 4.3. I am testing, but I don't understand the big idea of how to set-up Ovirt networking for hosted / engine-managed virtual servers. I would like to host a few virtual servers for things like Next/OwnCloud, SuiteCRM, NethServer or others.
>
> For example, I know exactly how to set-up a virtual machine with a centos / lamp stack on a fedora host, I can make a network bridge for the vm with fedora cli, then use haproxy (or squid) as a reverse-redirect server to allow WAN access to the vm server using FQDNs.
>
> What is a good strategy for Ovirt hosting a webserver? To use the default ovirt management network for the virtual server machines doesn't seem like a best practice?
>
> Should I make a new logical network for the virtual servers? Do I need to configure bridges for the machines? It looks like bridges and virtual NICs are automatically configured when I make the network and virtual machines, is that right?
>
> Is it the usual or typical practice that one ovirt logical network uses only one network bridge to one physical NIC? Would all of the kVMs on the logical network share the same / single bridge of the particular network? I'm not sure what the big idea should be, what is a best practice?
>
> I wonder, should I bond several physical NICs, then point the bridge, for a new / dedicated logical network for webservers, to the bonded NICs? There is more than a little new vocabulary for me to onboard for Ovirt / virtual / logical networks... I will greatly appreciate, and I thank you in advance for any top level / best practice advice!
[ovirt-users] Re: High level network advice request
This is really a situational question.

Short answer is - there's no problem running everything on ovirtmgmt network - I do it, especially if what you're deploying on is essentially one big network. It's just the VMs bridged into your host's NIC.

The long answer is, you can create many networks based on a number of factors i.e. VLAN tagging, different names for different groups, different things to run over different networks (like migration traffic and/or host storage traffic etc). This gives you flexibility in the long run if you need to change things around - more management overhead but more flexibility.

My home server - being a single node home server - uses a Bond0 interface that the ovirtmgmt bridge is created on. I also have a VLAN Tagged network on that bond setup in oVirt to some servers, as I run my server and client device (and IoT device) networks separately.

In terms of your webserver example - you'd ideally have a webproxy VM that you forward your 80,443 to from your router, and it'd be setup to talk to any other application/VM internally on their internal IPs - I do this for a self hosted Nextcloud, Cacti/NMS, Plex, some development servers etc all behind my NAT router, all on oVirt.

If you have any specific questions or problems - please let me know and I'll try my best to help.

On 24/1/20 2:38 pm, Richard Nilsson wrote:

High level network advice request :)

I have a self-hosted engine deployed on a node, Ovirt v. 4.3. I am testing, but I don't understand the big idea of how to set-up Ovirt networking for hosted / engine-managed virtual servers. I would like to host a few virtual servers for things like Next/OwnCloud, SuiteCRM, NethServer or others.

For example, I know exactly how to set-up a virtual machine with a centos / lamp stack on a fedora host, I can make a network bridge for the vm with fedora cli, then use haproxy (or squid) as a reverse-redirect server to allow WAN access to the vm server using FQDNs.

What is a good strategy for Ovirt hosting a webserver? To use the default ovirt management network for the virtual server machines doesn't seem like a best practice?

Should I make a new logical network for the virtual servers? Do I need to configure bridges for the machines? It looks like bridges and virtual NICs are automatically configured when I make the network and virtual machines, is that right?

Is it the usual or typical practice that one ovirt logical network uses only one network bridge to one physical NIC? Would all of the kVMs on the logical network share the same / single bridge of the particular network? I'm not sure what the big idea should be, what is a best practice?

I wonder, should I bond several physical NICs, then point the bridge, for a new / dedicated logical network for webservers, to the bonded NICs? There is more than a little new vocabulary for me to onboard for Ovirt / virtual / logical networks... I will greatly appreciate, and I thank you in advance for any top level / best practice advice!