Re: [Users] Networking questions (LONG)

2014-01-11 Thread bigclouds

Hi, Alan,
I think the best way to solve your question is Open vSwitch (corresponding to 
the VMware vSwitch), but it has not been integrated with oVirt.
Your solution of adding dummy Ethernet devices, I do not think it can work as 
you expect, because a VM's Ethernet (vnet) is either VLAN-aware or not. If it 
is VLAN-aware, it can be aware of just only one tag.
Promiscuous mode is limited to a single VLAN scope.

At 2014-01-09 16:07:46, "Alan Murrell" wrote:


Hello,

I am evaluating oVirt as a replacement/alternative to VMware deployments we 
typically do.  I have installed an all-in-one setup on a test box (which 
itself used to be an ESXi server), but it only has one NIC.  I am trying to 
duplicate the configuration we typically do in VMware, which is this:

  1.) we create several "port groups" on the vSwitch, each assigned a VLAN ID, 
such as:

  - VLAN001 (VLAN ID: 1)
  - VLAN002 (VLAN ID: 2)
  - VLAN009 (VLAN ID: 9)
  - VLAN010 (VLAN ID: 10)
  - VLAN200 (VLAN ID: 200)
  - TRUNK (VLAN ID: 4095 - in VMware-world, VLAN ID "4095" is "all VLANS" 
and basically just passes the VLANs through to whatever is attached to the port 
group for the VM to handle)

  2.) We assign VMs to port groups appropriate for the VLAN they are part of.
  3.) The only VM that has a NIC assigned to the "TRUNK" port group is the 
firewall (which is Linux), and we create VLAN interfaces on it (i.e., "eth1.1", 
"eth1.2", "eth1.10", "eth1.200").  The firewall VM acts as the router between 
the various VLANs.

To replicate the above in oVirt, I created logical networks for each VLAN, and 
assigned the appropriate VLAN ID.  It seems oVirt/KVM does not have an 
equivalent for VMware's VLAN ID of "4095", so after some searching around, for 
the "TRUNK" network I left it with no VLAN assigned.  Because I cannot add 
VLAN and non-VLAN networks to the same physical NIC, after some searching 
around, it looks like I may have to utilise two NICs: one for the VLAN networks 
and one for the "TRUNK" network.

Because, at this point, I am not yet concerned with making the test VMs I will 
be setting up be accessible from outside the virtual lab environment (i.e., 
everything will communicate within my oVirt server/network for now), I am 
trying to make use of "dummy" interfaces, but I am not sure the best way to 
make use of this.  I am able to create the dummy* interfaces and have them show 
up in oVirt, but I am not sure of how they should be setup.  Here is what I am 
*thinking* should be done, but want to make sure it is correct before getting 
too deep:

  - I will use the physical NIC for management, therefore the "ovirtmgmt" 
bridge with eth0 assigned to it will remain as-is
  - Create two dummy interfaces: "dummy0" and "dummy1"
  - Create a new bridge, "ovirtvm" and assign "dummy0" and "dummy1" to it
  - Attach the VLAN-enabled networks to "dummy0"
  - Attach the "TRUNK" network to "dummy1"

Would the above be the way to go about this?  The one thing I am not sure of is 
whether or not having no VLAN assigned (on the "TRUNK" network) accomplishes 
the same thing as the "VLAN ID 4095" in VMware: will oVirt/KVM just pass the 
traffic through for the VM attached to it to deal with?

Thanks for reading this far, and I appreciate any help you might be able to 
lend in the above.

-Alan
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users


Re: [Users] Networking questions (LONG)

2014-01-11 Thread Alan Murrell

Quoting "Dan Kenigsberg":


This was devised as a security constraint - otherwise, a VM attached to
the non-VLAN network could sniff traffic from another (VLAN) network.
However, it seems that this is exactly what you need - a special VM that
is designed to do just that.


Well, I would prefer it not be a VM but part of the oVirt networking  
stack itself.  VMware has this built in with just a few clicks (you  
assign a VLAN ID of "4095" to a port group/network and it is basically  
tagging that port group with all VLAN IDs).  VMware of course is not  
using the Linux networking, though; they use their own "vSwitch", so  
that is probably how they are able to do it.


So it seems to me the problem of not being able to do exactly what I am  
looking to do within oVirt itself is not really a shortfall of oVirt,  
per se, but the underlying platform on which it relies :-(



And it's not only you: there's another recent request for lifting this
limitation:
Bug 1049476 - [RFE] Mix untagged and tagged Logical Networks on the
same NIC


I actually do not have a problem with not being able to mix untagged  
and tagged Logical Networks on the same NIC; it is very convenient to  
be able to do so, but would not be considered a show-stopper IMO; if  
two physical NICs would need to be used, so be it.



I do not understand what you are trying to do with dummy devices (after
all, they are not going to send any packet anywhere).


Since my test server only has one physical NIC, I am using the dummy  
devices instead of physical ones.  I know they cannot pass traffic  
outside of the server (unless attached to a VM that is also attached to  
the physical NIC), but I am not concerned with that at the moment.  I  
am trying to test with a virtual lab, and as long as the  
traffic/access behaves as expected within it, there should be no  
reason it should not behave as expected with physical NICs, when I get  
to that stage.



But if you are willing to mess with network configuration under the feet
of oVirt, you could do the following:


As long as it does not involve too much complexity, I have no problem  
with having to mess with some configuration outside of oVirt.  It has  
to be kept pretty minimal.


We are looking for a good alternative to VMware so we don't have to  
keep putting up with their onerous licensing.  oVirt is our  
evaluation; if it ticks all our boxes, we would likely go with RHEV  
for those clients who are more comfortable with the commercial  
support, and oVirt for the others.  Unfortunately, this "trunk"  
capability is a pretty big one :-(



- create a network tagged with an id that is not really used in your
  datacenter, say 999, and attach it to the host.
- build and install vdsm-hook-extnet rpm
- define a vnic profile using this network, and adding a custom property
  called "extnet" with the value of (say) "untagged".
- set up a bridge named "untagged" directly on top of your eth0 (say
  "breth0")
- define a libvirt bridged network named "untagged", that uses "breth0".
- attach the vnic of your firewall VM to your vnic profile.


I will give the above a try and let you know.  It might be a few days  
before I can get to it though.  I am really looking to do a "trunk"  
port though, which actually carries multiple tagged VLANs.  Going back  
to VMware, just for clarification, when VLAN ID "4095" is assigned to  
the "trunk" port group/network we create, that's the same thing as  
tagging that port group with all VLAN IDs, from "1" through to "4094".  
 It is very different from having it "untagged".


Open vSwitch supports this, but it appears it will be a while until  
full/natural integration is done with Open vSwitch.  Unfortunately, we  
are not developers, so we are unable to help with its integration :-(


Anyway, we are not ready to give up yet.  We'll see what we can do  
with the above and let you know.  The other work-around, of course, is  
an earlier suggestion of just adding as many vNICs to the firewall VM  
as we need for each VLAN'd Logical Network, but that would raise  
another "problem", albeit a rare one: if we were to put oVirt/RHEV in  
our own datacenter, replacing VMware, we have a couple of BGP routers  
that are setup with a few dozen VLANs.  It would be a PITA to add a  
vNIC for each one :-(  Most of our deployments with our clients,  
though, have less than ten VLANs, so it *could* be workable enough in  
those cases.


-Alan


Re: [Users] Networking questions (LONG)

2014-01-10 Thread Dan Kenigsberg
On Fri, Jan 10, 2014 at 03:06:28PM +0200, Itamar Heim wrote:
> On 01/10/2014 01:32 PM, Dan Kenigsberg wrote:
> >On Thu, Jan 09, 2014 at 10:53:25PM +0200, Lior Vernia wrote:
> >>Hello Alan,
> >>
> >>On 09/01/14 10:07, Alan Murrell wrote:
> >>>Hello,
> >>>
> >>>I am evaluating oVirt as a replacement/alternative to VMware deployments
> >>>we typically do.  I have installed an all-in-one setup on a test box
> >>>(which itself used to be an ESXi server), but it only has one NIC.  I am
> >>>trying to duplicate the configuration we typically do in VMware, which is
> >>>this:
> >>>
> >>>   1.) we create several "port groups" on the vSwitch, each assigned a
> >>>VLAN ID, such as:
> >>>
> >>>   - VLAN001 (VLAN ID: 1)
> >>>   - VLAN002 (VLAN ID: 2)
> >>>   - VLAN009 (VLAN ID: 9)
> >>>   - VLAN010 (VLAN ID: 10)
> >>>   - VLAN200 (VLAN ID: 200)
> >>>   - TRUNK (VLAN ID: 4095 - in VMware-world, VLAN ID "4095" is "all
> >>>VLANS" and basically just passes the VLANs through to whatever is
> >>>attached to the port group for the VM to handle)
> >>>
> >>>   2.) We assign VMs to port groups appropriate for the VLAN they are
> >>>part of.
> >>>   3.) The only VM that has a NIC assigned to the "TRUNK" port group is
> >>>the firewall (which is Linux), and we create VLAN interfaces on it
> >>>(i.e., "eth1.1", "eth1.2", "eth1.10", "eth1.200").  The firewall VM acts
> >>>as the router between the various VLANs.
> >>>
> >>>To replicate the above in oVirt, I created logical networks for each
> >>>VLAN, and assigned the appropriate VLAN ID.  It seems oVirt/KVM does not
> >>>have an equivalent for VMware's VLAN ID of "4095", so after some
> >>>searching around, for the "TRUNK" network, I left it with no VLAN
> >>>assigned.  Because I cannot add VLAN and non-VLAN networks to the same
> >>>physical NIC, after some searching around, it looks like I may have to
> >>>utilise two NICs: one for the VLAN networks and one for the "TRUNK" 
> >>>network.
> >>
> >>That is true. One non-VLAN network can in fact sit on the same NIC with
> >>VLAN networks, but it has to be non-VM.
> >
> >This was devised as a security constraint - otherwise, a VM attached to
> >the non-VLAN network could sniff traffic from another (VLAN) network.
> >However, it seems that this is exactly what you need - a special VM that
> >is designed to do just that.
> >
> 
> isn't that what promiscuous mode (aka port mirroring) is for?

Oh that makes more sense...

But unfortunately, it is impossible to mirror more than a single network
onto a vnic. (Engine implementation limitation).

However, one can devise a tc-based after_network_setup hook that
directs all traffic from all bridges onto a specific target bridge, onto
which the firewall VM is connected.

Dan.


Re: [Users] Networking questions (LONG)

2014-01-10 Thread Dan Kenigsberg
On Fri, Jan 10, 2014 at 10:39:20AM -0200, Juan Pablo Lorier wrote:
> Hi Dan,
> 
> I take the chance to ask; why is it that the untagged IF can see the
> traffic of the tagged VLANs? Isn't that filtered at kernel level? Is
> this a virtualization design limitation or is it down to the kernel?
> I don't know how the kernel processes the packets, but I thought that
> packets that arrive at the NIC are filtered by the kernel and sent to
> the respective vif (untagged to the "master" interface and tagged to the
> .XX interfaces). I ask because other virtualization platforms don't have
> this limitation and I wonder if it's because they "don't care" or
> because they solved this somehow.

I do not know how this is implemented elsewhere, but to the best of my
knowledge, the "master" interface sees tagged packets, too (which is the
basis of Alan's use case: he wants the trunk VM to see all traffic).

BTW, Alan, for this to actually work, you need to enable macspoofing on the
relevant nic. Yet another step on the hack I've outlined earlier.

Dan.
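Dan's point above, that the "master" (untagged) interface sees tagged frames too, and bigclouds' remark at the top of the thread about VLAN-aware versus VLAN-unaware vNICs, are easier to see with frames in hand. The following is an added example written for this page, not code from the thread or from oVirt: it constructs three frames on a trunk and shows what a VLAN-unaware port (a VM on the untagged network) receives versus what a VLAN subinterface such as eth1.10 in Alan's firewall VM delivers. The MAC addresses and payloads are made up, and the model deliberately ignores kernel specifics such as bridge VLAN filtering; it shows the conceptual behaviour behind the security constraint.

```python
"""Model of how an 802.1Q trunk looks to a VLAN-unaware bridge port versus to a
VLAN subinterface. Added example with constructed frames; it models the
conceptual behaviour, not the Linux kernel's receive path."""
import struct

ETH_P_8021Q = 0x8100   # TPID of a single 802.1Q tag
ETH_P_IP = 0x0800


def build_frame(dst, src, payload, vid=None, pcp=0):
    """Build an Ethernet II frame carrying IP, optionally tagged with `vid`."""
    frame = dst + src
    if vid is not None:
        if not 0 <= vid <= 4094:
            raise ValueError("VID out of range")
        tci = (pcp << 13) | vid          # priority bits + 12-bit VLAN ID
        frame += struct.pack("!HH", ETH_P_8021Q, tci)
    return frame + struct.pack("!H", ETH_P_IP) + payload


def parse_frame(frame):
    """Return (dst, src, vid, ethertype, payload); vid is None if untagged."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETH_P_8021Q:
        return dst, src, None, ethertype, frame[14:]
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q header")
    tci, inner = struct.unpack("!HH", frame[14:18])
    return dst, src, tci & 0x0FFF, inner, frame[18:]


def strip_tag(frame):
    """Remove the 802.1Q header, as a VLAN subinterface does on delivery."""
    dst, src, _vid, ethertype, payload = parse_frame(frame)
    return dst + src + struct.pack("!H", ethertype) + payload


def vlan_unaware_port(trunk):
    """What a VM attached to an untagged (non-VLAN) network on the same NIC
    receives: every frame on the wire, tags intact. This is the sniffing
    concern behind oVirt's refusal to mix tagged and untagged VM networks."""
    return list(trunk)


def vlan_subinterface(trunk, vid):
    """What eth0.<vid> delivers: only frames tagged with `vid`, tag stripped."""
    return [strip_tag(f) for f in trunk if parse_frame(f)[2] == vid]


def demux_trunk(trunk, vids):
    """Alan's firewall VM: one trunk vNIC split into eth1.<vid> per VLAN."""
    return {vid: vlan_subinterface(trunk, vid) for vid in vids}


def vids_seen(frames):
    """Sorted set of VIDs present in `frames`; -1 stands for untagged."""
    seen = set()
    for f in frames:
        vid = parse_frame(f)[2]
        seen.add(-1 if vid is None else vid)
    return sorted(seen)


# Constructed sample traffic on the trunk (locally administered MACs).
MAC_FW = bytes.fromhex("020000000001")
MAC_A = bytes.fromhex("020000000010")
MAC_B = bytes.fromhex("020000000200")
TRUNK = [
    build_frame(MAC_FW, MAC_A, b"vlan10-payload", vid=10),
    build_frame(MAC_FW, MAC_B, b"vlan200-payload", vid=200),
    build_frame(MAC_FW, MAC_A, b"untagged-payload"),
]

if __name__ == "__main__":
    print("untagged VM sees VIDs:", vids_seen(vlan_unaware_port(TRUNK)))
    for vid, frames in demux_trunk(TRUNK, [1, 2, 9, 10, 200]).items():
        print(f"eth1.{vid}: {len(frames)} frame(s)")
```

The practical check on a real host is the same as the model: if a VM on the untagged network can run `tcpdump -e` on its vNIC and see 802.1Q headers for VIDs it was never assigned, the isolation oVirt enforces by refusing the mix is gone. That is exactly what Alan wants for the firewall VM, and exactly what no other VM on that NIC should be able to do.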


Re: [Users] Networking questions (LONG)

2014-01-10 Thread Itamar Heim

On 01/10/2014 01:32 PM, Dan Kenigsberg wrote:

On Thu, Jan 09, 2014 at 10:53:25PM +0200, Lior Vernia wrote:

Hello Alan,

On 09/01/14 10:07, Alan Murrell wrote:

Hello,

I am evaluating oVirt as a replacement/alternative to VMware deployments
we typically do.  I have installed an all-in-one setup on a test box
(which itself used to be an ESXi server), but it only has one NIC.  I am
trying to duplicate the configuration we typically do in VMware, which is
this:

   1.) we create several "port groups" on the vSwitch, each assigned a
VLAN ID, such as:

   - VLAN001 (VLAN ID: 1)
   - VLAN002 (VLAN ID: 2)
   - VLAN009 (VLAN ID: 9)
   - VLAN010 (VLAN ID: 10)
   - VLAN200 (VLAN ID: 200)
   - TRUNK (VLAN ID: 4095 - in VMware-world, VLAN ID "4095" is "all
VLANS" and basically just passes the VLANs through to whatever is
attached to the port group for the VM to handle)

   2.) We assign VMs to port groups appropriate for the VLAN they are
part of.
   3.) The only VM that has a NIC assigned to the "TRUNK" port group is
the firewall (which is Linux), and we create VLAN interfaces on it
(i.e., "eth1.1", "eth1.2", "eth1.10", "eth1.200").  The firewall VM acts
as the router between the various VLANs.

To replicate the above in oVirt, I created logical networks for each
VLAN, and assigned the appropriate VLAN ID.  It seems oVirt/KVM does not
have an equivalent for VMware's VLAN ID of "4095", so after some
searching around, for the "TRUNK" network, I left it with no VLAN
assigned.  Because I cannot add VLAN and non-VLAN networks to the same
physical NIC, after some searching around, it looks like I may have to
utilise two NICs: one for the VLAN networks and one for the "TRUNK" network.


That is true. One non-VLAN network can in fact sit on the same NIC with
VLAN networks, but it has to be non-VM.


This was devised as a security constraint - otherwise, a VM attached to
the non-VLAN network could sniff traffic from another (VLAN) network.
However, it seems that this is exactly what you need - a special VM that
is designed to do just that.



isn't that what promiscuous mode (aka port mirroring) is for?


And it's not only you: there's another recent request for lifting this
limitation:
 Bug 1049476 - [RFE] Mix untagged and tagged Logical Networks on the
 same NIC



However, I'm not sure that you in fact need a "TRUNK" VM network in
oVirt. If you want your firewall VM to get all traffic from the VLANs,
you could create a vNIC for each network, to which you'll attach a
profile (oVirt's equivalent of port group if I'm not mistaken) of the
corresponding network. The host can remain with just the VLAN networks
attached to its NICs, without a designated "TRUNK".

This way the firewall VM will get something like "eth1" for VLAN 1,
"eth2" for VLAN 200 and so forth, which might be close enough to what
you described on your previous setup (oVirt currently doesn't allow
creating VLANs inside VMs). And if I correctly understood your needs it
will save you the trouble you described below (well, you would need the
one dummy interface).



Because, at this point, I am not yet concerned with making the test VMs
I will be setting up be accessible from outside the virtual lab
environment (i.e., everything will communicate within my oVirt
server/network for now), I am trying to make use of "dummy" interfaces,
but I am not sure the best way to make use of this.  I am able to create
the dummy* interfaces and have them show up in oVirt, but I am not sure
of how they should be setup.  Here is what I am *thinking* should be
done, but want to make sure it is correct before getting too deep:

   - I will use the physical NIC for management, therefore the
"ovirtmgmt" bridge with eth0 assigned to it will remain as-is
   - Create two dummy interfaces: "dummy0" and "dummy1"
   - Create a new bridge, "ovirtvm" and assign "dummy0" and "dummy1" to it


This is something that currently can't be done from within the oVirt
engine, but if my above suggestion works for you then it won't be needed.


   - Attach the VLAN-enabled networks to "dummy0"
   - Attach the "TRUNK" network to "dummy1"


I do not understand what you are trying to do with dummy devices (after
all, they are not going to send any packet anywhere).

But if you are willing to mess with network configuration under the feet
of oVirt, you could do the following:
- create a network tagged with an id that is not really used in your
   datacenter, say 999, and attach it to the host.
- build and install vdsm-hook-extnet rpm
- define a vnic profile using this network, and adding a custom property
   called "extnet" with the value of (say) "untagged".
- set up a bridge named "untagged" directly on top of your eth0 (say
   "breth0")
- define a libvirt bridged network named "untagged", that uses "breth0".
- attach the vnic of your firewall VM to your vnic profile.

Now, when you start up your firewall vm, the "extnet" hook gets into
action, and forces the firewall vm from 

Re: [Users] Networking questions (LONG)

2014-01-10 Thread Juan Pablo Lorier
Hi Dan,

I take the chance to ask; why is it that the untagged IF can see the
traffic of the tagged VLANs? Isn't that filtered at kernel level? Is
this a virtualization design limitation or is it down to the kernel?
I don't know how the kernel processes the packets, but I thought that
packets that arrive at the NIC are filtered by the kernel and sent to
the respective vif (untagged to the "master" interface and tagged to the
.XX interfaces). I ask because other virtualization platforms don't have
this limitation and I wonder if it's because they "don't care" or
because they solved this somehow.
Regards,

On 10/01/14 09:32, Dan Kenigsberg wrote:
> On Thu, Jan 09, 2014 at 10:53:25PM +0200, Lior Vernia wrote:
>> Hello Alan,
>>
>> On 09/01/14 10:07, Alan Murrell wrote:
>>> Hello,
>>>
>>> I am evaluating oVirt as a replacement/alternative to VMware deployments
>>> we typically do.  I have installed an all-in-one setup on a test box
>>> (which itself used to be an ESXi server), but it only has one NIC.  I am
>>> trying to duplicate the configuration we typically do in VMware, which is
>>> this:
>>>
>>>   1.) we create several "port groups" on the vSwitch, each assigned a
>>> VLAN ID, such as:
>>>
>>>   - VLAN001 (VLAN ID: 1)
>>>   - VLAN002 (VLAN ID: 2)
>>>   - VLAN009 (VLAN ID: 9)
>>>   - VLAN010 (VLAN ID: 10)
>>>   - VLAN200 (VLAN ID: 200)
>>>   - TRUNK (VLAN ID: 4095 - in VMware-world, VLAN ID "4095" is "all
>>> VLANS" and basically just passes the VLANs through to whatever is
>>> attached to the port group for the VM to handle)
>>>
>>>   2.) We assign VMs to port groups appropriate for the VLAN they are
>>> part of.
>>>   3.) The only VM that has a NIC assigned to the "TRUNK" port group is
>>> the firewall (which is Linux), and we create VLAN interfaces on it
>>> (i.e., "eth1.1", "eth1.2", "eth1.10", "eth1.200").  The firewall VM acts
>>> as the router between the various VLANs.
>>>
>>> To replicate the above in oVirt, I created logical networks for each
>>> VLAN, and assigned the appropriate VLAN ID.  It seems oVirt/KVM does not
>>> have an equivalent for VMware's VLAN ID of "4095", so after some
>>> searching around, for the "TRUNK" network, I left it with no VLAN
>>> assigned.  Because I cannot add VLAN and non-VLAN networks to the same
>>> physical NIC, after some searching around, it looks like I may have to
>>> utilise two NICs: one for the VLAN networks and one for the "TRUNK" network.
>> That is true. One non-VLAN network can in fact sit on the same NIC with
>> VLAN networks, but it has to be non-VM.
> This was devised as a security constraint - otherwise, a VM attached to
> the non-VLAN network could sniff traffic from another (VLAN) network.
> However, it seems that this is exactly what you need - a special VM that
> is designed to do just that.
>
> And it's not only you: there's another recent request for lifting this
> limitation:
> Bug 1049476 - [RFE] Mix untagged and tagged Logical Networks on the
> same NIC
>
>> However, I'm not sure that you in fact need a "TRUNK" VM network in
>> oVirt. If you want your firewall VM to get all traffic from the VLANs,
>> you could create a vNIC for each network, to which you'll attach a
>> profile (oVirt's equivalent of port group if I'm not mistaken) of the
>> corresponding network. The host can remain with just the VLAN networks
>> attached to its NICs, without a designated "TRUNK".
>>
>> This way the firewall VM will get something like "eth1" for VLAN 1,
>> "eth2" for VLAN 200 and so forth, which might be close enough to what
>> you described on your previous setup (oVirt currently doesn't allow
>> creating VLANs inside VMs). And if I correctly understood your needs it
>> will save you the trouble you described below (well, you would need the
>> one dummy interface).
>>
>>> Because, at this point, I am not yet concerned with making the test VMs
>>> I will be setting up be accessible from outside the virtual lab
>>> environment (i.e., everything will communicate within my oVirt
>>> server/network for now), I am trying to make use of "dummy" interfaces,
>>> but I am not sure the best way to make use of this.  I am able to create
>>> the dummy* interfaces and have them show up in oVirt, but I am not sure
>>> of how they should be setup.  Here is what I am *thinking* should be
>>> done, but want to make sure it is correct before getting too deep:
>>>
>>>   - I will use the physical NIC for management, therefore the
>>> "ovirtmgmt" bridge with eth0 assigned to it will remain as-is
>>>   - Create two dummy interfaces: "dummy0" and "dummy1"
>>>   - Create a new bridge, "ovirtvm" and assign "dummy0" and "dummy1" to it
>> This is something that currently can't be done from within the oVirt
>> engine, but if my above suggestion works for you then it won't be needed.
>>
>>>   - Attach the VLAN-enabled networks to "dummy0"
>>>   - Attach the "TRUNK" network to "dummy1"
> I do not understand what you are trying to do with dummy devices (af

Re: [Users] Networking questions (LONG)

2014-01-10 Thread Dan Kenigsberg
On Thu, Jan 09, 2014 at 10:53:25PM +0200, Lior Vernia wrote:
> Hello Alan,
> 
> On 09/01/14 10:07, Alan Murrell wrote:
> > Hello,
> > 
> > I am evaluating oVirt as a replacement/alternative to VMware deployments
> > we typically do.  I have installed an all-in-one setup on a test box
> > (which itself used to be an ESXi server), but it only has one NIC.  I am
> > trying to duplicate the configuration we typically do in VMware, which is
> > this:
> > 
> >   1.) we create several "port groups" on the vSwitch, each assigned a
> > VLAN ID, such as:
> > 
> >   - VLAN001 (VLAN ID: 1)
> >   - VLAN002 (VLAN ID: 2)
> >   - VLAN009 (VLAN ID: 9)
> >   - VLAN010 (VLAN ID: 10)
> >   - VLAN200 (VLAN ID: 200)
> >   - TRUNK (VLAN ID: 4095 - in VMware-world, VLAN ID "4095" is "all
> > VLANS" and basically just passes the VLANs through to whatever is
> > attached to the port group for the VM to handle)
> > 
> >   2.) We assign VMs to port groups appropriate for the VLAN they are
> > part of.
> >   3.) The only VM that has a NIC assigned to the "TRUNK" port group is
> > the firewall (which is Linux), and we create VLAN interfaces on it
> > (i.e., "eth1.1", "eth1.2", "eth1.10", "eth1.200").  The firewall VM acts
> > as the router between the various VLANs.
> > 
> > To replicate the above in oVirt, I created logical networks for each
> > VLAN, and assigned the appropriate VLAN ID.  It seems oVirt/KVM does not
> > have an equivalent for VMware's VLAN ID of "4095", so after some
> > searching around, for the "TRUNK" network, I left it with no VLAN
> > assigned.  Because I cannot add VLAN and non-VLAN networks to the same
> > physical NIC, after some searching around, it looks like I may have to
> > utilise two NICs: one for the VLAN networks and one for the "TRUNK" network.
> 
> That is true. One non-VLAN network can in fact sit on the same NIC with
> VLAN networks, but it has to be non-VM.

This was devised as a security constraint - otherwise, a VM attached to
the non-VLAN network could sniff traffic from another (VLAN) network.
However, it seems that this is exactly what you need - a special VM that
is designed to do just that.

And it's not only you: there's another recent request for lifting this
limitation:
Bug 1049476 - [RFE] Mix untagged and tagged Logical Networks on the
same NIC

>
> However, I'm not sure that you in fact need a "TRUNK" VM network in
> oVirt. If you want your firewall VM to get all traffic from the VLANs,
> you could create a vNIC for each network, to which you'll attach a
> profile (oVirt's equivalent of port group if I'm not mistaken) of the
> corresponding network. The host can remain with just the VLAN networks
> attached to its NICs, without a designated "TRUNK".
>
> This way the firewall VM will get something like "eth1" for VLAN 1,
> "eth2" for VLAN 200 and so forth, which might be close enough to what
> you described on your previous setup (oVirt currently doesn't allow
> creating VLANs inside VMs). And if I correctly understood your needs it
> will save you the trouble you described below (well, you would need the
> one dummy interface).
>
> > 
> > Because, at this point, I am not yet concerned with making the test VMs
> > I will be setting up be accessible from outside the virtual lab
> > environment (i.e., everything will communicate within my oVirt
> > server/network for now), I am trying to make use of "dummy" interfaces,
> > but I am not sure the best way to make use of this.  I am able to create
> > the dummy* interfaces and have them show up in oVirt, but I am not sure
> > of how they should be setup.  Here is what I am *thinking* should be
> > done, but want to make sure it is correct before getting too deep:
> > 
> >   - I will use the physical NIC for management, therefore the
> > "ovirtmgmt" bridge with eth0 assigned to it will remain as-is
> >   - Create two dummy interfaces: "dummy0" and "dummy1"
> >   - Create a new bridge, "ovirtvm" and assign "dummy0" and "dummy1" to it
> 
> This is something that currently can't be done from within the oVirt
> engine, but if my above suggestion works for you then it won't be needed.
> 
> >   - Attach the VLAN-enabled networks to "dummy0"
> >   - Attach the "TRUNK" network to "dummy1"

I do not understand what you are trying to do with dummy devices (after
all, they are not going to send any packet anywhere).

But if you are willing to mess with network configuration under the feet
of oVirt, you could do the following:
- create a network tagged with an id that is not really used in your
  datacenter, say 999, and attach it to the host.
- build and install vdsm-hook-extnet rpm
- define a vnic profile using this network, and adding a custom property
  called "extnet" with the value of (say) "untagged".
- set up a bridge named "untagged" directly on top of your eth0 (say
  "breth0")
- define a libvirt bridged network named "untagged", that uses "breth0".
- attach the vnic of your firewall VM to your vnic profile.

Now
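The extnet step in Dan's recipe above (the same recipe Alan quotes and agrees to try earlier in the thread) works by editing the vNIC's libvirt XML just before the device is created, and Dan adds in his reply to Juan Pablo that macspoofing must also be enabled on that vNIC. The following is an added illustration of those two edits, written for this page; it is not vdsm's hook code. It assumes, as vdsm hooks do, that custom properties reach the hook as environment variables named after the property, and the interface XML, bridge name and MAC address are constructed samples.

```python
"""Illustration of what the extnet and macspoof vdsm hooks do to a vNIC's
libvirt XML. Added example modelled on Dan's description; not vdsm's own hook
code. Assumptions: custom properties arrive as environment variables, and the
hook edits a single <interface> element before the device is created."""
import os
import xml.etree.ElementTree as ET

NO_MAC_SPOOF_FILTER = "vdsm-no-mac-spoofing"   # filter oVirt attaches by default


def rewrite_interface(iface_xml, extnet, macspoof=False):
    """Rewrite an oVirt-generated <interface type='bridge'> so libvirt attaches
    it to the libvirt network named `extnet` instead of the oVirt bridge.
    When macspoof is True, also drop the no-mac-spoofing filter, the extra
    step Dan says is needed for the trunk VM. Returns the new XML text."""
    iface = ET.fromstring(iface_xml)
    if iface.tag != "interface":
        raise ValueError("expected an <interface> element")
    source = iface.find("source")
    if source is None or "bridge" not in source.attrib:
        # Not a bridged vNIC (or already rewritten): leave it untouched.
        return iface_xml
    del source.attrib["bridge"]
    source.set("network", extnet)
    iface.set("type", "network")
    if macspoof:
        for ref in list(iface.findall("filterref")):
            if ref.get("filter") == NO_MAC_SPOOF_FILTER:
                iface.remove(ref)
    return ET.tostring(iface, encoding="unicode")


def describe(iface_xml):
    """Summarise an <interface> as (type, source attributes, filter names)."""
    iface = ET.fromstring(iface_xml)
    source = iface.find("source")
    return (
        iface.get("type"),
        dict(source.attrib) if source is not None else {},
        [ref.get("filter") for ref in iface.findall("filterref")],
    )


def hook_main(iface_xml, environ=None):
    """Entry point shaped like a vdsm before_device_create hook: the vNIC
    profile's custom properties come in as environment variables `extnet`
    and `macspoof` (assumption for this example)."""
    env = os.environ if environ is None else environ
    extnet = env.get("extnet")
    if not extnet:
        return iface_xml          # property absent: ordinary vNIC, nothing to do
    macspoof = env.get("macspoof", "false").lower() == "true"
    return rewrite_interface(iface_xml, extnet, macspoof)


# Constructed sample of the XML vdsm emits for a vNIC on the VLAN-999 network
# (bridge name and MAC address are made up for the example).
SAMPLE_VNIC = """<interface type="bridge">
  <mac address="00:1a:4a:16:01:51"/>
  <model type="virtio"/>
  <source bridge="vlan999"/>
  <filterref filter="vdsm-no-mac-spoofing"/>
  <link state="up"/>
</interface>"""

if __name__ == "__main__":
    print(hook_main(SAMPLE_VNIC, {"extnet": "untagged", "macspoof": "true"}))
```

Keep the extnet and macspoof properties on the one vNIC profile used by the firewall VM: dropping vdsm-no-mac-spoofing removes the per-vNIC MAC spoofing protection, and the untagged libvirt network on breth0 is exactly the position from which a VM can see the other VLANs' frames, which is the constraint oVirt refuses to lift for ordinary VMs.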

Re: [Users] Networking questions (LONG)

2014-01-10 Thread Lior Vernia
Hi Alan,

On 10/01/14 02:16, Alan Murrell wrote:
> Hello Lior,
> 
> Thank you for your reply.
> 

Sure, let's try to get that setup of yours working :)

> Quoting "Lior Vernia":
> 
>> This way the firewall VM will get something like "eth1" for VLAN 1,
>> "eth2" for VLAN 200 and so forth, which might be close enough to what
>> you described on your previous setup (oVirt currently doesn't allow
>> creating VLANs inside VMs). And if I correctly understood your needs it
>> will save you the trouble you described below (well, you would need the
>> one dummy interface).
> 
> That would be doable, except I am not sure if there is a limit to the
> number of vNICs a VM could have and/or if there is an OS-level limit to
> how many?  It is also a bit "messier" IMO, but that is more of a
> personal issue than a technical one, and one I could probably get over :-)
> 

oVirt does not enforce any sort of limit on the number of vNICs. I
personally don't know about KVM or your VMs' OS, but this should be
Googleable.

> When you say that oVirt currently doesn't allow creating VLANs inside
> VMs, are you referring to the use of VLAN interfaces like I describe
> (e.g., "eth1.1", "eth1.2", "eth1.10", etc.)?  If so, is that an oVirt
> limitation, or a KVM one?
> 

Yes, sorry, I realise now that my phrasing was only half-understandable.
I indeed meant that oVirt doesn't support attaching more than one
network to the same vNIC (be it VLAN-tagged or not). I doubt that this
is a KVM limitation (but I'm no expert on KVM), I think it's just
something that we haven't yet found a strong case for in oVirt.

> I have seen examples where one can create a "Trunk" with KVM and Open
> vSwitch, and I thought for some reason oVirt used Open vSwitch, but none
> of the commands I tried from the examples were found.  A check of
>  shows that
> indeed there does not appear to be any integration yet, and it is only
> 60% done :-(
> 

I actually know nothing of the link you provided, but I can offer
alternatives.

If you REALLY want to use OVS with oVirt NOW, you could take advantage
of its integration with OpenStack Neutron. That would require you to
install another machine (should be possible on an all-in-one setup too)
as a Neutron server. This might go smoothly or it might cause you some
headaches.
http://www.ovirt.org/Features/Detailed_OSN_Integration

It will probably become possible in the future to use OVS with oVirt
directly (although I can't promise or commit on the time frame) by
leveraging a development process that's going on in VDSM networking
right now. In fact, if you're a developer you could help make it happen
and control the time frame yourself by contributing to an OVS backend.
http://www.ovirt.org/Feature/NetworkReloaded

> With regards to using the dummy interfaces, I realised I probably do not
> need to add them to a bridge, since they would be physical NICs in
> production (this is just for testing).  I initially did create the
> "ovirtvm" bridge before I realised that, but have made them
> "stand-alone" NICs with no IPs attached to them, but they are not
> "green" in oVirt when I try to attach my logical networks to them under
> "Networks > Hosts > vmhost01 > Setup Host Networks".
> 
> When I am in "Setup Host Networks", I see my dummy interfaces, but they
> have a red dot instead of a green one (like what "eth0" has). I can attach my
> logical networks to them, but the "Network Device Status" has a red
> arrow pointing down.  Here are my ifcfg-dummy* files:
> 

I'm not an expert on these things, but this "Down" status is basically
the "administrative" link state on the host. From my experience when
logical networks are attached via the Setup Networks dialog, it does go
up, although I haven't tried without an IP address. Also, it's worth
trying to see if the actual networking works even if the NIC shows as
down, or to ifup the NIC manually if it doesn't.

> --- ifcfg-dummy0 ---
> DEVICE=dummy0
> ONBOOT=yes
> TYPE=Ethernet
> DELAY=0
> BOOTPROTO=none
> NM_CONTROLLED=no
> STP=no
> --- ifcfg-dummy0 ---
> 
> My "ifcfg-dummy1" is identical, except of course it has "DEVICE=dummy1"
> in it.  The interfaces do come up on the host, but as I said, in "Setup
> Host Networks" they have a red dot instead of a green one.  Perhaps I do
> need to assign an IP?  I can maybe assign a "dummy" one (i.e., one that
> I would never use)?
> 
> -Alan


Re: [Users] Networking questions (LONG)

2014-01-09 Thread Alan Murrell

Hello Lior,

Thank you for your reply.

Quoting "Lior Vernia" :


> This way the firewall VM will get something like "eth1" for VLAN 1,
> "eth2" for VLAN 200 and so forth, which might be close enough to what
> you described on your previous setup (oVirt currently doesn't allow
> creating VLANs inside VMs). And if I correctly understood your needs it
> will save you the trouble you described below (well, you would need the
> one dummy interface).


That would be doable, except I am not sure if there is a limit to the  
number of vNICs a VM could have and/or if there is an OS-level limit  
to how many?  It is also a bit "messier" IMO, but that is more of a  
personal issue than a technical one, and one I could probably get over  
:-)


When you say that oVirt currently doesn't allow creating VLANs inside  
VMs, are you referring to the use of VLAN interfaces like I describe  
(e.g., "eth1.1", "eth1.2", "eth1.10", etc.)?  If so, is that an oVirt  
limitation, or a KVM one?


I have seen examples where one can create a "Trunk" with KVM and Open  
vSwitch, and I thought for some reason oVirt used Open vSwitch, but  
none of the commands I tried from the examples were found.  A check of  
 shows that  
indeed there does not appear to be any integration yet, and it is only  
60% done :-(


With regards to using the dummy interfaces, I realised I probably do  
not need to add them to a bridge, since they would be physical NICs in  
production (this is just for testing).  I initially did create the  
"ovirtvm" bridge before I realised that, but have made them  
"stand-alone" NICs with no IPs attached to them, but they are not  
"green" in oVirt when I try to attach my logical networks to them  
under "Networks > Hosts > vmhost01 > Setup Host Networks".


When I am in "Setup Host Networks", I see my dummy interfaces, but  
they have a red dot instead of a green one (like what "eth0" has). I  
can attach my logical networks to them, but the "Network Device Status" has a  
red arrow pointing down.  Here are my ifcfg-dummy* files:


--- ifcfg-dummy0 ---
DEVICE=dummy0
ONBOOT=yes
TYPE=Ethernet
DELAY=0
BOOTPROTO=none
NM_CONTROLLED=no
STP=no
--- ifcfg-dummy0 ---

My "ifcfg-dummy1" is identical, except of course it has  
"DEVICE=dummy1" in it.  The interfaces do come up on the host, but as  
I said, in "Setup Host Networks" they have a red dot instead of a  
green one.  Perhaps I do need to assign an IP?  I can maybe assign a  
"dummy" one (i.e., one that I would never use)?


-Alan


Re: [Users] Networking questions (LONG)

2014-01-09 Thread Lior Vernia
Hello Alan,

On 09/01/14 10:07, Alan Murrell wrote:
> Hello,
> 
> I am evaluating oVirt as a replacement/alternative to VMware deployments
> we typically do.  I have installed an all-in-one setup on a test box
> (which itself used to be an ESXi server), but it only has one NIC.  I am
> trying to duplicate our typical configuration we do in VMware, which is
> this:
> 
>   1.) we create several "port groups" on the vSwitch, each assigned a
> VLAN ID, such as:
> 
>   - VLAN001 (VLAN ID: 1)
>   - VLAN002 (VLAN ID: 2)
>   - VLAN009 (VLAN ID: 9)
>   - VLAN010 (VLAN ID: 10)
>   - VLAN200 (VLAN ID: 200)
>   - TRUNK (VLAN ID: 4095 - in VMware-world, VLAN ID "4095" is "all
> VLANS" and basically just passes the VLANs through to whatever is
> attached to the port group for the VM to handle)
> 
>   2.) We assign VMs to port groups appropriate for the VLAN they are
> part of.
>   3.) The only VM that has a NIC assigned to the "TRUNK" port group is
> the firewall (which is Linux), and we create VLAN interfaces on it
> (i.e., "eth1.1", "eth1.2", "eth1.10", "eth1.200").  The firewall VM acts
> as the router between the various VLANs.
> 
> To replicate the above in oVirt, I created logical networks for each
> VLAN, and assigned the appropriate VLAN ID.  It seems oVirt/KVM does not
> have an equivalent for VMware's VLAN ID of "4095", so after some
> searching around, for the "TRUNK" network, I left it with no VLAN
> assigned.  Because I cannot add VLAN and non-VLAN networks to the same
> physical NIC, after some searching around, it looks like I may have to
> utilise two NICS: one for the VLAN networks and one for the "TRUNK" network.

That is true. One non-VLAN network can in fact sit on the same NIC with
VLAN networks, but it has to be non-VM.

However, I'm not sure that you in fact need a "TRUNK" VM network in
oVirt. If you want your firewall VM to get all traffic from the VLANs,
you could create a vNIC for each network, to which you'll attach a
profile (oVirt's equivalent of port group if I'm not mistaken) of the
corresponding network. The host can remain with just the VLAN networks
attached to its NICs, without a designated "TRUNK".

This way the firewall VM will get something like "eth1" for VLAN 1,
"eth2" for VLAN 200 and so forth, which might be close enough to what
you described on your previous setup (oVirt currently doesn't allow
creating VLANs inside VMs). And if I correctly understood your needs it
will save you the trouble you described below (well, you would need the
one dummy interface).

> 
> Because, at this point, I am not yet concerned with making the test VMs
> I will be setting up be accessible from outside the virtual lab
> environment (i.e., everything will communicate within my oVirt
> server/network for now), I am trying to make use of "dummy" interfaces,
> but I am not sure the best way to make use of this.  I am able to create
> the dummy* interfaces and have them show up in oVirt, but I am not sure
> of how they should be set up.  Here is what I am *thinking* should be
> done, but want to make sure it is correct before getting too deep:
> 
>   - I will use the physical NIC for management, therefore the
> "ovirtmgmt" bridge with eth0 assigned to it will remain as-is
>   - Create two dummy interfaces: "dummy0" and "dummy1"
>   - Create a new bridge, "ovirtvm" and assign "dummy0" and "dummy1" to it

This is something that currently can't be done from within the oVirt
engine, but if my above suggestion works for you then it won't be needed.

>   - Attach the VLAN-enabled networks to "dummy0"
>   - Attach the "TRUNK" network to "dummy1"
> 
> Would the above be the way to go about this?  The one thing I am not
> sure of is whether or not having no VLAN assigned (on the "TRUNK"
> network) accomplishes the same thing as the "VLAN ID 4095" in VMware:
> will oVirt/KVM just pass the traffic through for the VM attached to it
> to deal with?
> 
> Thanks for reading this far, and I appreciate any help you might be able
> to lend in the above.
> 
> -Alan
> 
> 
> 


Re: [Users] Networking questions (LONG)

2014-01-09 Thread Sven Kieske
Just as a quick shot:

it is possible to configure it the way you want (ip-less bridges), but I
can't exactly tell you what you're doing wrong atm.

ip-less bridges work here with vlans and stuff, so keep trying or
post more info about your setup :-)

Am 09.01.2014 09:22, schrieb Alan Murrell:
> One other question to add: If I do indeed need to create a new bridge
> ("ovirtvm" in my example), I do not want to assign any IPs to it, nor
> any of the logical networks I create.  When I did try this in my
> "fooling around", oVirt would not let me save the changes, giving me an
> error about network parameters not correct (I have the host shut down at
> the moment, so I can get the exact message, but if necessary, I can get
> it for you when I get in to our shop in the morning)


-- 
Mit freundlichen Grüßen / Regards

Sven Kieske

Systemadministrator
Mittwald CM Service GmbH & Co. KG
Königsberger Straße 6
32339 Espelkamp
T: +49-5772-293-100
F: +49-5772-293-333
https://www.mittwald.de
Geschäftsführer: Robert Meyer
St.Nr.: 331/5721/1033, USt-IdNr.: DE814773217, HRA 6640, AG Bad Oeynhausen
Komplementärin: Robert Meyer Verwaltungs GmbH, HRB 13260, AG Bad Oeynhausen


Re: [Users] Networking questions (LONG)

2014-01-09 Thread Alan Murrell
One other question to add: If I do indeed need to create a new bridge  
("ovirtvm" in my example), I do not want to assign any IPs to it, nor  
any of the logical networks I create.  When I did try this in my  
"fooling around", oVirt would not let me save the changes, giving me  
an error about network parameters not correct (I have the host shut  
down at the moment, so I can get the exact message, but if necessary, I  
can get it for you when I get in to our shop in the morning)


Thanks! :-)

-Alan



[Users] Networking questions (LONG)

2014-01-09 Thread Alan Murrell
Hello,

I am evaluating oVirt as a replacement/alternative to VMware deployments we 
typically do.  I have installed an all-in-one setup on a test box (which 
itself used to be an ESXi server), but it only has one NIC.  I am trying to 
duplicate our typical configuration we do in VMware, which is this:

  1.) we create several "port groups" on the vSwitch, each assigned a VLAN ID, 
such as:

  - VLAN001 (VLAN ID: 1)
  - VLAN002 (VLAN ID: 2)
  - VLAN009 (VLAN ID: 9)
  - VLAN010 (VLAN ID: 10)
  - VLAN200 (VLAN ID: 200)
  - TRUNK (VLAN ID: 4095 - in VMware-world, VLAN ID "4095" is "all VLANS" 
and basically just passes the VLANs through to whatever is attached to the port 
group for the VM to handle)

  2.) We assign VMs to port groups appropriate for the VLAN they are part of.
  3.) The only VM that has a NIC assigned to the "TRUNK" port group is the 
firewall (which is Linux), and we create VLAN interfaces on it (i.e., "eth1.1", 
"eth1.2", "eth1.10", "eth1.200").  The firewall VM acts as the router between 
the various VLANs.

To replicate the above in oVirt, I created logical networks for each VLAN, and 
assigned the appropriate VLAN ID.  It seems oVirt/KVM does not have an 
equivalent for VMware's VLAN ID of "4095", so after some searching around, 
for the "TRUNK" network, I left it with no VLAN assigned.  Because I cannot add 
VLAN and non-VLAN networks to the same physical NIC, after some searching 
around, it looks like I may have to utilise two NICS: one for the VLAN networks 
and one for the "TRUNK" network.

Because, at this point, I am not yet concerned with making the test VMs I will 
be setting up be accessible from outside the virtual lab environment (i.e., 
everything will communicate within my oVirt server/network for now), I am 
trying to make use of "dummy" interfaces, but I am not sure the best way to 
make use of this.  I am able to create the dummy* interfaces and have them show 
up in oVirt, but I am not sure of how they should be set up.  Here is what I am 
*thinking* should be done, but want to make sure it is correct before getting 
too deep:

  - I will use the physical NIC for management, therefore the "ovirtmgmt" 
bridge with eth0 assigned to it will remain as-is
  - Create two dummy interfaces: "dummy0" and "dummy1"
  - Create a new bridge, "ovirtvm" and assign "dummy0" and "dummy1" to it
  - Attach the VLAN-enabled networks to "dummy0"
  - Attach the "TRUNK" network to "dummy1"

Would the above be the way to go about this?  The one thing I am not sure of is 
whether or not having no VLAN assigned (on the "TRUNK" network) accomplishes 
the same thing as the "VLAN ID 4095" in VMware: will oVirt/KVM just pass the 
traffic through for the VM attached to it to deal with?

Thanks for reading this far, and I appreciate any help you might be able to 
lend in the above.

-Alan
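Alan's question of whether a logical network with no VLAN ID behaves like VMware's "VLAN ID 4095" port group, and Lior's alternative of one vNIC per VLAN network, as an added example that is not oVirt, VDSM or kernel code. It models the two data paths at the 802.1Q frame level. A Linux bridge with VLAN filtering off (the default) forwards tagged frames to a port unmodified, so a vNIC on an untagged network receives every VLAN and the guest's eth1.N sub-interfaces do the demultiplexing; a network with a VLAN ID is backed by a host-side VLAN sub-interface that admits only its own VID and delivers untagged frames to the VM. Whether the management layer lets you build the first kind of port is a separate matter, as Lior says. For segmentation the difference matters: on the trunk design the VM rather than the host decides which VLANs it touches, so the untagged network should carry only the firewall's vNIC, while per-VLAN vNICs let the host enforce the split. The frames, MAC addresses, the vNIC numbering in `simulate()` and the port functions are constructed assumptions, not measurements of oVirt.

```python
"""Added example, not oVirt/VDSM or kernel code: a byte-level model of
"pass the VLANs through to the VM" (VMware's 4095 port group) versus a
per-VLAN logical network, using real 802.1Q framing. The port functions are
a simplified model of Linux bridge/VLAN behaviour; all frames are constructed.
"""
import struct

TPID_8021Q = 0x8100
ETH_P_IP = 0x0800
THREAD_VLANS = (1, 2, 9, 10, 200)  # the port groups listed in the thread


def build_frame(dst, src, ethertype, payload, vid=None, pcp=0):
    """Ethernet II frame, optionally with one 802.1Q tag (TPID + TCI)."""
    if vid is not None and not 1 <= vid <= 4094:
        # 4095 is reserved by 802.1Q; VMware only uses it as a UI marker for "all VLANs"
        raise ValueError("only VIDs 1..4094 can appear on the wire")
    hdr = dst + src
    if vid is not None:
        hdr += struct.pack("!HH", TPID_8021Q, (pcp << 13) | vid)
    return hdr + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Return (dst, src, vid, ethertype, payload); vid is None when untagged."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    dst, src = frame[:6], frame[6:12]
    etype = struct.unpack("!H", frame[12:14])[0]
    if etype != TPID_8021Q:
        return dst, src, None, etype, frame[14:]
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q header")
    tci, inner = struct.unpack("!HH", frame[14:18])
    return dst, src, tci & 0x0FFF, inner, frame[18:]


def trunk_port_rx(frame):
    """Untagged logical network on a bridge without VLAN filtering: the frame
    reaches the vNIC as-is, tag included. The VM sees every VLAN."""
    return frame


def access_port_rx(frame, vid):
    """Logical network with a VLAN ID: the host's VLAN sub-interface admits
    only frames carrying that VID and delivers them untagged. Returns None
    for frames of another VLAN (or untagged ones)."""
    dst, src, fvid, etype, payload = parse_frame(frame)
    if fvid != vid:
        return None
    return build_frame(dst, src, etype, payload)


def guest_vlan_demux(frame, base="eth1"):
    """What eth1.N sub-interfaces inside the firewall VM do with a trunked
    frame: the VID selects the sub-interface and the tag is stripped;
    untagged frames stay on the base device."""
    dst, src, vid, etype, payload = parse_frame(frame)
    iface = base if vid is None else f"{base}.{vid}"
    return iface, build_frame(dst, src, etype, payload)


def simulate(vlans=THREAD_VLANS):
    """One constructed frame per VLAN through both designs; report which
    guest interface ends up with it. vNIC numbering (eth1.. in VLAN order)
    is an assumption for illustration."""
    dst = b"\xff" * 6                       # broadcast
    src = bytes.fromhex("02000000aa01")     # locally administered, constructed
    result = {}
    for vid in vlans:
        frame = build_frame(dst, src, ETH_P_IP, b"payload", vid=vid)
        # Design 1 (per-VLAN vNICs): the host delivers the frame only to the matching vNIC
        matches = [n for n, v in enumerate(vlans, start=1)
                   if access_port_rx(frame, v) is not None]
        # Design 2 (trunk vNIC): the guest's sub-interfaces pick it apart
        iface, _ = guest_vlan_demux(trunk_port_rx(frame))
        result[vid] = {"per_vlan_vnic": f"eth{matches[0]}", "trunk": iface}
    return result


if __name__ == "__main__":
    for vid, where in simulate().items():
        print(f"VLAN {vid:>3}: per-VLAN vNIC -> {where['per_vlan_vnic']:>5}  "
              f"trunk -> {where['trunk']}")
```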