Re: [ovirt-users] IP forwarding... Cannot access guest IP
On Tue, Apr 29, 2014 at 06:33:14AM -0400, richard.seg...@marisec.ca wrote: Hi Dan, Yes I am an ovirt user. Basically, I am running into an issue running xen inside of kvm. Our scenario is that this is lab environment, and we enjoy the luxury of spinning up kvm instances (as opposed to installing on bare metal each time we need something). Our product uses Xen, and we are pretty much stuck with it for the time being. I think what I am running into is a double bridge issue... Xen has a bridge, and so does kvm obviously. I am able to ping dom0 (which is just the bridge itself) on Xen from the outside world, but I am not able to ping udom... and... udom doesn't have access out either. When I was using vmware, I enabled promisc mode on the virtual switch, and this solution worked fine... If we ignore the types of technology that I am using, and just focus on the networking, what would I be looking at as possibilities? Or... a better question would be, does ovirt have a promiscuous flag somewhere that I can set? I cannot say that I understand your setup, but if you have nested virtuallization (such as a Xen udom) you may experience ovirt's no-mac-spoofing rule: by default we disallow our VMs to emit traffic that has different mac address from the one assigned by oVirt. To avoid this, follow http://www.ovirt.org/Vdsm_Hooks#Installing_a_hook and report if that's the issue. ___ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users
Re: [ovirt-users] IP forwarding... Cannot access guest IP
On Tuesday, April 29, 2014 01:35:08 PM Dan Kenigsberg wrote: On Tue, Apr 29, 2014 at 06:33:14AM -0400, richard.seg...@marisec.ca wrote: Hi Dan, Yes I am an ovirt user. Basically, I am running into an issue running xen inside of kvm. Our scenario is that this is lab environment, and we enjoy the luxury of spinning up kvm instances (as opposed to installing on bare metal each time we need something). Our product uses Xen, and we are pretty much stuck with it for the time being. I think what I am running into is a double bridge issue... Xen has a bridge, and so does kvm obviously. I am able to ping dom0 (which is just the bridge itself) on Xen from the outside world, but I am not able to ping udom... and... udom doesn't have access out either. When I was using vmware, I enabled promisc mode on the virtual switch, and this solution worked fine... If we ignore the types of technology that I am using, and just focus on the networking, what would I be looking at as possibilities? Or... a better question would be, does ovirt have a promiscuous flag somewhere that I can set? I cannot say that I understand your setup, but if you have nested virtuallization (such as a Xen udom) you may experience ovirt's no-mac-spoofing rule: by default we disallow our VMs to emit traffic that has different mac address from the one assigned by oVirt. To avoid this, follow http://www.ovirt.org/Vdsm_Hooks#Installing_a_hook and report if that's the issue. If the mac address is the issue wouldn't it be easier for him to just edit the VM and in custom properties set macspoof to true? ___ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users ___ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users
Re: [ovirt-users] IP forwarding... Cannot access guest IP
On Tue, Apr 29, 2014 at 08:47:38AM -0400, Alexander Wels wrote: On Tuesday, April 29, 2014 01:35:08 PM Dan Kenigsberg wrote: On Tue, Apr 29, 2014 at 06:33:14AM -0400, richard.seg...@marisec.ca wrote: Hi Dan, Yes I am an ovirt user. Basically, I am running into an issue running xen inside of kvm. Our scenario is that this is lab environment, and we enjoy the luxury of spinning up kvm instances (as opposed to installing on bare metal each time we need something). Our product uses Xen, and we are pretty much stuck with it for the time being. I think what I am running into is a double bridge issue... Xen has a bridge, and so does kvm obviously. I am able to ping dom0 (which is just the bridge itself) on Xen from the outside world, but I am not able to ping udom... and... udom doesn't have access out either. When I was using vmware, I enabled promisc mode on the virtual switch, and this solution worked fine... If we ignore the types of technology that I am using, and just focus on the networking, what would I be looking at as possibilities? Or... a better question would be, does ovirt have a promiscuous flag somewhere that I can set? I cannot say that I understand your setup, but if you have nested virtuallization (such as a Xen udom) you may experience ovirt's no-mac-spoofing rule: by default we disallow our VMs to emit traffic that has different mac address from the one assigned by oVirt. To avoid this, follow http://www.ovirt.org/Vdsm_Hooks#Installing_a_hook and report if that's the issue. If the mac address is the issue wouldn't it be easier for him to just edit the VM and in custom properties set macspoof to true? yes, that's what I'm suggesting. But this requires having the hook installed, first. ___ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users
Re: [ovirt-users] IP forwarding... Cannot access guest IP
You have no idea how much I wanted this to work... macspoof = true nothing changed... -Original Message- From: Alexander Wels aw...@redhat.com Sent: Tuesday, April 29, 2014 8:47am To: users@ovirt.org Cc: Dan Kenigsberg dan...@redhat.com, richard.seg...@marisec.ca Subject: Re: [ovirt-users] IP forwarding... Cannot access guest IP On Tuesday, April 29, 2014 01:35:08 PM Dan Kenigsberg wrote: On Tue, Apr 29, 2014 at 06:33:14AM -0400, richard.seg...@marisec.ca wrote: Hi Dan, Yes I am an ovirt user. Basically, I am running into an issue running xen inside of kvm. Our scenario is that this is lab environment, and we enjoy the luxury of spinning up kvm instances (as opposed to installing on bare metal each time we need something). Our product uses Xen, and we are pretty much stuck with it for the time being. I think what I am running into is a double bridge issue... Xen has a bridge, and so does kvm obviously. I am able to ping dom0 (which is just the bridge itself) on Xen from the outside world, but I am not able to ping udom... and... udom doesn't have access out either. When I was using vmware, I enabled promisc mode on the virtual switch, and this solution worked fine... If we ignore the types of technology that I am using, and just focus on the networking, what would I be looking at as possibilities? Or... a better question would be, does ovirt have a promiscuous flag somewhere that I can set? I cannot say that I understand your setup, but if you have nested virtuallization (such as a Xen udom) you may experience ovirt's no-mac-spoofing rule: by default we disallow our VMs to emit traffic that has different mac address from the one assigned by oVirt. To avoid this, follow http://www.ovirt.org/Vdsm_Hooks#Installing_a_hook and report if that's the issue. If the mac address is the issue wouldn't it be easier for him to just edit the VM and in custom properties set macspoof to true? ___ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users ___ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users
Re: [ovirt-users] IP forwarding... Cannot access guest IP
On Tuesday, April 29, 2014 04:34:29 PM richard.seg...@marisec.ca wrote: You have no idea how much I wanted this to work... macspoof = true nothing changed... I forgot to mention what Dan DID mention, go to http://www.ovirt.org/Vdsm_Hooks And look at the yum install vdsm-hook-macspoof part. Unless of course you already did this. -Original Message- From: Alexander Wels aw...@redhat.com Sent: Tuesday, April 29, 2014 8:47am To: users@ovirt.org Cc: Dan Kenigsberg dan...@redhat.com, richard.seg...@marisec.ca Subject: Re: [ovirt-users] IP forwarding... Cannot access guest IP On Tuesday, April 29, 2014 01:35:08 PM Dan Kenigsberg wrote: On Tue, Apr 29, 2014 at 06:33:14AM -0400, richard.seg...@marisec.ca wrote: Hi Dan, Yes I am an ovirt user. Basically, I am running into an issue running xen inside of kvm. Our scenario is that this is lab environment, and we enjoy the luxury of spinning up kvm instances (as opposed to installing on bare metal each time we need something). Our product uses Xen, and we are pretty much stuck with it for the time being. I think what I am running into is a double bridge issue... Xen has a bridge, and so does kvm obviously. I am able to ping dom0 (which is just the bridge itself) on Xen from the outside world, but I am not able to ping udom... and... udom doesn't have access out either. When I was using vmware, I enabled promisc mode on the virtual switch, and this solution worked fine... If we ignore the types of technology that I am using, and just focus on the networking, what would I be looking at as possibilities? Or... a better question would be, does ovirt have a promiscuous flag somewhere that I can set? I cannot say that I understand your setup, but if you have nested virtuallization (such as a Xen udom) you may experience ovirt's no-mac-spoofing rule: by default we disallow our VMs to emit traffic that has different mac address from the one assigned by oVirt. To avoid this, follow http://www.ovirt.org/Vdsm_Hooks#Installing_a_hook and report if that's the issue. If the mac address is the issue wouldn't it be easier for him to just edit the VM and in custom properties set macspoof to true? ___ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users ___ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users
Re: [ovirt-users] IP forwarding... Cannot access guest IP
Hi Alex, I already did that part. It's strange... The xen guest can ping dom0... but nothing beyond it... yet dom0 can ping other addresses... and the guests... It almost sounds like I have a nat going on here... -Original Message- From: Alexander Wels aw...@redhat.com Sent: Tuesday, April 29, 2014 4:37pm To: richard.seg...@marisec.ca Cc: users@ovirt.org, Dan Kenigsberg dan...@redhat.com Subject: Re: [ovirt-users] IP forwarding... Cannot access guest IP On Tuesday, April 29, 2014 04:34:29 PM richard.seg...@marisec.ca wrote: You have no idea how much I wanted this to work... macspoof = true nothing changed... I forgot to mention what Dan DID mention, go to http://www.ovirt.org/Vdsm_Hooks And look at the yum install vdsm-hook-macspoof part. Unless of course you already did this. -Original Message- From: Alexander Wels aw...@redhat.com Sent: Tuesday, April 29, 2014 8:47am To: users@ovirt.org Cc: Dan Kenigsberg dan...@redhat.com, richard.seg...@marisec.ca Subject: Re: [ovirt-users] IP forwarding... Cannot access guest IP On Tuesday, April 29, 2014 01:35:08 PM Dan Kenigsberg wrote: On Tue, Apr 29, 2014 at 06:33:14AM -0400, richard.seg...@marisec.ca wrote: Hi Dan, Yes I am an ovirt user. Basically, I am running into an issue running xen inside of kvm. Our scenario is that this is lab environment, and we enjoy the luxury of spinning up kvm instances (as opposed to installing on bare metal each time we need something). Our product uses Xen, and we are pretty much stuck with it for the time being. I think what I am running into is a double bridge issue... Xen has a bridge, and so does kvm obviously. I am able to ping dom0 (which is just the bridge itself) on Xen from the outside world, but I am not able to ping udom... and... udom doesn't have access out either. When I was using vmware, I enabled promisc mode on the virtual switch, and this solution worked fine... If we ignore the types of technology that I am using, and just focus on the networking, what would I be looking at as possibilities? Or... a better question would be, does ovirt have a promiscuous flag somewhere that I can set? I cannot say that I understand your setup, but if you have nested virtuallization (such as a Xen udom) you may experience ovirt's no-mac-spoofing rule: by default we disallow our VMs to emit traffic that has different mac address from the one assigned by oVirt. To avoid this, follow http://www.ovirt.org/Vdsm_Hooks#Installing_a_hook and report if that's the issue. If the mac address is the issue wouldn't it be easier for him to just edit the VM and in custom properties set macspoof to true? ___ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users ___ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users
Re: [ovirt-users] IP forwarding... Cannot access guest IP
All of the other hypervisors that I am reading about allows for promiscuous mode to be turned on at the host level... Do we have anything like that? -Original Message- From: Alexander Wels aw...@redhat.com Sent: Tuesday, April 29, 2014 4:37pm To: richard.seg...@marisec.ca Cc: users@ovirt.org, Dan Kenigsberg dan...@redhat.com Subject: Re: [ovirt-users] IP forwarding... Cannot access guest IP On Tuesday, April 29, 2014 04:34:29 PM richard.seg...@marisec.ca wrote: You have no idea how much I wanted this to work... macspoof = true nothing changed... I forgot to mention what Dan DID mention, go to http://www.ovirt.org/Vdsm_Hooks And look at the yum install vdsm-hook-macspoof part. Unless of course you already did this. -Original Message- From: Alexander Wels aw...@redhat.com Sent: Tuesday, April 29, 2014 8:47am To: users@ovirt.org Cc: Dan Kenigsberg dan...@redhat.com, richard.seg...@marisec.ca Subject: Re: [ovirt-users] IP forwarding... Cannot access guest IP On Tuesday, April 29, 2014 01:35:08 PM Dan Kenigsberg wrote: On Tue, Apr 29, 2014 at 06:33:14AM -0400, richard.seg...@marisec.ca wrote: Hi Dan, Yes I am an ovirt user. Basically, I am running into an issue running xen inside of kvm. Our scenario is that this is lab environment, and we enjoy the luxury of spinning up kvm instances (as opposed to installing on bare metal each time we need something). Our product uses Xen, and we are pretty much stuck with it for the time being. I think what I am running into is a double bridge issue... Xen has a bridge, and so does kvm obviously. I am able to ping dom0 (which is just the bridge itself) on Xen from the outside world, but I am not able to ping udom... and... udom doesn't have access out either. When I was using vmware, I enabled promisc mode on the virtual switch, and this solution worked fine... If we ignore the types of technology that I am using, and just focus on the networking, what would I be looking at as possibilities? Or... a better question would be, does ovirt have a promiscuous flag somewhere that I can set? I cannot say that I understand your setup, but if you have nested virtuallization (such as a Xen udom) you may experience ovirt's no-mac-spoofing rule: by default we disallow our VMs to emit traffic that has different mac address from the one assigned by oVirt. To avoid this, follow http://www.ovirt.org/Vdsm_Hooks#Installing_a_hook and report if that's the issue. If the mac address is the issue wouldn't it be easier for him to just edit the VM and in custom properties set macspoof to true? ___ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users ___ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users
Re: [ovirt-users] IP forwarding... Cannot access guest IP
On Tue, Apr 29, 2014 at 05:11:57PM -0400, richard.seg...@marisec.ca wrote: All of the other hypervisors that I am reading about allows for promiscuous mode to be turned on at the host level... Do we have anything like that? Would you confirm that once you have set macspoof=true, libvirt's domxml for the relevant VM has lost its filterref element? (virsh -r dumpxml would verify that) This should allow you to ping out of the Xen guest outside of the KVM host. If it doesn't, we'd have to debug this to understand what drops your packets. I'm not quite sure what you mean by promiscuous mode. What VMWare calls promiscuous mode is not unlike oVirt's port mirroring, but I'm not convinced that this is what you are looking for. Dan. ___ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users
Re: [ovirt-users] IP forwarding... Cannot access guest IP
Dan, I knew that something didn't quite make sense when I tried this earlier today. I'm glad that I set this up on my home lab, because I got it working using the advice that you folks provided. Now that I know that this is a viable solution, I can go back and start learning this correctly, from the beginning. Thank you :) Richard Seguin -Original Message- From: Dan Kenigsberg dan...@redhat.com Sent: Tuesday, April 29, 2014 7:01pm To: richard.seg...@marisec.ca Cc: aw...@redhat.com, users@ovirt.org Subject: Re: [ovirt-users] IP forwarding... Cannot access guest IP On Tue, Apr 29, 2014 at 05:11:57PM -0400, richard.seg...@marisec.ca wrote: All of the other hypervisors that I am reading about allows for promiscuous mode to be turned on at the host level... Do we have anything like that? Would you confirm that once you have set macspoof=true, libvirt's domxml for the relevant VM has lost its filterref element? (virsh -r dumpxml would verify that) This should allow you to ping out of the Xen guest outside of the KVM host. If it doesn't, we'd have to debug this to understand what drops your packets. I'm not quite sure what you mean by promiscuous mode. What VMWare calls promiscuous mode is not unlike oVirt's port mirroring, but I'm not convinced that this is what you are looking for. Dan. ___ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users
[ovirt-users] IP forwarding... Cannot access guest IP
Is there a way to enable promiscuous mode on virtual adapters? I can't seem to access guest IP addresses on our product (that uses Xen). In Vmware I could enable promiscious mode so that our guest's IP would be allow, as well as the other virtual interfaces under it. Any ideas? Thanks, Richard Seguin ___ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users