Re: [ovirt-users] MAC spoofing for specific VMs

[Dan Kenigsberg]

On Thu, Mar 10, 2016 at 04:57:01PM -0500, Christopher Young wrote:
> Does anyone see a reason why simply installing the EL7 latest rpm for
> this on an ovirt node/RHEV-H system would not work or would be a bad
> solution to getting this working with ovirt-node/RHEV-H?  I don't want
> to do something that is either lost on reboot or would cause issues in
> the future.
> 
> Thoughts?

I do not see a problem in that, but please note that we plan a
fully-fledged integration of this feature in our next release.
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

Re: [ovirt-users] MAC spoofing for specific VMs

[Christopher Young]

Does anyone see a reason why simply installing the EL7 latest rpm for
this on an ovirt node/RHEV-H system would not work or would be a bad
solution to getting this working with ovirt-node/RHEV-H?  I don't want
to do something that is either lost on reboot or would cause issues in
the future.

Thoughts?

On Tue, May 12, 2015 at 2:24 PM, Christopher Young
 wrote:
> Yep.  I had found that and applied it.  Great solution!   I actually wrote
> about it to the zen load balancer list.  I will add it here for
> semi-documentation:
>
> --
>  just wanted to follow-up so that it is documented on how to get this
> working on oVirt/RHEV.  I had to install a VDSM hook to allow mac-spoofing
> as a VM custom property like so (on each node):
>
> yum install vdsm-hook-macspoof
>
> That requires a restart of vdsmd on the node as well as a process on the
> oVirt/RHEV engine:
>
> engine-config -s "UserDefinedVMProperties=macspoof=(true|false)"
>
> Which then requires a restart of the oVirt/RHEV engine.
>
> After that, there will be an available custom properly on the VM called
> 'macspoof' that can be set to 'true'.  Once I did this and shutdown/powered
> on the VMs, the cluster setup now completes successfully.  You learn
> something every day.
>
> Thanks for pointing me in the right direction.  The one thing I wish I had
> on these VMs is the ovirt-guest-agent which would likely work except that
> Debian 6 doesn't seem to have python-ethtool package/deps.  If there are any
> plans to update the version of Debian that ZLB is based on, let me know.
>
> -
>
> On Tue, May 12, 2015 at 5:43 AM, Dan Kenigsberg  wrote:
>>
>> On Mon, May 11, 2015 at 02:12:22PM -0400, Christopher Young wrote:
>> > I'm working on some load-balancing solutions and they appear to require
>> > MAC
>> > spoofing.  I did some searching and reading and as I understand it, you
>> > can
>> > disable the MAC spoofing protection through a few methods.
>> >
>> > I was wondering about the best manner to enable this for the VMs that
>> > require it and not across the board (if that is even possible).  I'd
>> > like
>> > to just allow my load-balancer VMs to do what they need to, but keep the
>> > others untouched as a security mechanism.
>> >
>> > If anyone has any advice on the best method to handle this scenario, I
>> > would greatly appreciate it.  It seems that this might turn into some
>> > type
>> > of feature request, though I'm not sure if this is something that has to
>> > be
>> > done at the Linux bridge level, the port level, or the VM level.  Any
>> > explanations into that would also help in my education.
>>
>> You can enable mac spoofing per VM or per vNIC using vdsm-hook-macspoof.
>> See more details on the hook's README file
>>
>>
>> https://gerrit.ovirt.org/gitweb?p=vdsm.git;a=blob;f=vdsm_hooks/macspoof/README;h=6bd11c1cb8ba2603d432fc8826eeb35738136c92;hb=79781a1945ceff6849a6a2b66cb5c4a1a5f8d874
>
>
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

Re: [ovirt-users] MAC spoofing for specific VMs

[Simone Tiraboschi]

- Original Message -
 From: Christopher Young mexigaba...@gmail.com
 To: users@ovirt.org
 Sent: Monday, May 11, 2015 8:12:22 PM
 Subject: [ovirt-users] MAC spoofing for specific VMs
 
 I'm working on some load-balancing solutions and they appear to require MAC
 spoofing. I did some searching and reading and as I understand it, you can
 disable the MAC spoofing protection through a few methods.
 
 I was wondering about the best manner to enable this for the VMs that require
 it and not across the board (if that is even possible). I'd like to just
 allow my load-balancer VMs to do what they need to, but keep the others
 untouched as a security mechanism.
 
 If anyone has any advice on the best method to handle this scenario, I would
 greatly appreciate it. It seems that this might turn into some type of
 feature request, though I'm not sure if this is something that has to be
 done at the Linux bridge level, the port level, or the VM level. Any
 explanations into that would also help in my education.

You can do it with vdsm-hook-macspoof. You need to install it on all the 
involved host than you can control its behavior at VM level and also at 
device/interface level.
Please follow the instruction here at VM-level hooks section to create a custom 
property to control it:
http://www.ovirt.org/Vdsm_Hooks#VM-level_hooks

 
 Thanks,
 
 Chris
 
 ___
 Users mailing list
 Users@ovirt.org
 http://lists.ovirt.org/mailman/listinfo/users
 
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

Re: [ovirt-users] MAC spoofing for specific VMs

[Christopher Young]

Yep.  I had found that and applied it.  Great solution!   I actually wrote
about it to the zen load balancer list.  I will add it here for
semi-documentation:

--
 just wanted to follow-up so that it is documented on how to get this
working on oVirt/RHEV.  I had to install a VDSM hook to allow mac-spoofing
as a VM custom property like so (on each node):

yum install vdsm-hook-macspoof

That requires a restart of vdsmd on the node as well as a process on the
oVirt/RHEV engine:

engine-config -s UserDefinedVMProperties=macspoof=(true|false)

Which then requires a restart of the oVirt/RHEV engine.

After that, there will be an available custom properly on the VM called
'macspoof' that can be set to 'true'.  Once I did this and shutdown/powered
on the VMs, the cluster setup now completes successfully.  You learn
something every day.

Thanks for pointing me in the right direction.  The one thing I wish I had
on these VMs is the ovirt-guest-agent which would likely work except that
Debian 6 doesn't seem to have python-ethtool package/deps.  If there are
any plans to update the version of Debian that ZLB is based on, let me know.

-

On Tue, May 12, 2015 at 5:43 AM, Dan Kenigsberg dan...@redhat.com wrote:

 On Mon, May 11, 2015 at 02:12:22PM -0400, Christopher Young wrote:
  I'm working on some load-balancing solutions and they appear to require
 MAC
  spoofing.  I did some searching and reading and as I understand it, you
 can
  disable the MAC spoofing protection through a few methods.
 
  I was wondering about the best manner to enable this for the VMs that
  require it and not across the board (if that is even possible).  I'd like
  to just allow my load-balancer VMs to do what they need to, but keep the
  others untouched as a security mechanism.
 
  If anyone has any advice on the best method to handle this scenario, I
  would greatly appreciate it.  It seems that this might turn into some
 type
  of feature request, though I'm not sure if this is something that has to
 be
  done at the Linux bridge level, the port level, or the VM level.  Any
  explanations into that would also help in my education.

 You can enable mac spoofing per VM or per vNIC using vdsm-hook-macspoof.
 See more details on the hook's README file


 https://gerrit.ovirt.org/gitweb?p=vdsm.git;a=blob;f=vdsm_hooks/macspoof/README;h=6bd11c1cb8ba2603d432fc8826eeb35738136c92;hb=79781a1945ceff6849a6a2b66cb5c4a1a5f8d874

___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

Re: [ovirt-users] MAC spoofing for specific VMs

[Dan Kenigsberg]

On Mon, May 11, 2015 at 02:12:22PM -0400, Christopher Young wrote:
 I'm working on some load-balancing solutions and they appear to require MAC
 spoofing.  I did some searching and reading and as I understand it, you can
 disable the MAC spoofing protection through a few methods.
 
 I was wondering about the best manner to enable this for the VMs that
 require it and not across the board (if that is even possible).  I'd like
 to just allow my load-balancer VMs to do what they need to, but keep the
 others untouched as a security mechanism.
 
 If anyone has any advice on the best method to handle this scenario, I
 would greatly appreciate it.  It seems that this might turn into some type
 of feature request, though I'm not sure if this is something that has to be
 done at the Linux bridge level, the port level, or the VM level.  Any
 explanations into that would also help in my education.

You can enable mac spoofing per VM or per vNIC using vdsm-hook-macspoof.
See more details on the hook's README file

https://gerrit.ovirt.org/gitweb?p=vdsm.git;a=blob;f=vdsm_hooks/macspoof/README;h=6bd11c1cb8ba2603d432fc8826eeb35738136c92;hb=79781a1945ceff6849a6a2b66cb5c4a1a5f8d874
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

[ovirt-users] MAC spoofing for specific VMs

[Christopher Young]

I'm working on some load-balancing solutions and they appear to require MAC
spoofing.  I did some searching and reading and as I understand it, you can
disable the MAC spoofing protection through a few methods.

I was wondering about the best manner to enable this for the VMs that
require it and not across the board (if that is even possible).  I'd like
to just allow my load-balancer VMs to do what they need to, but keep the
others untouched as a security mechanism.

If anyone has any advice on the best method to handle this scenario, I
would greatly appreciate it.  It seems that this might turn into some type
of feature request, though I'm not sure if this is something that has to be
done at the Linux bridge level, the port level, or the VM level.  Any
explanations into that would also help in my education.

Thanks,

Chris
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users