Re: [Users] why ovirt does not support NAT network

2014-01-02 Thread Dan Kenigsberg
On Mon, Dec 30, 2013 at 09:39:58PM +0100, woswas denni wrote:
 
  Well, there's nothing much beyond the hook's README
 
 http://gerrit.ovirt.org/gitweb?p=vdsm.git;a=blob;f=vdsm_hooks/extnet/README;h=0778dbb3ef85c5ae179fb0f6c9ceeabc268abe89;hb=HEAD
  You should start by defining a libvirt network, and then mark a vNIC
  profile with a custom property so that the network is used by vNICs.
 
  As a very first stage, you may define the libvirt network on top of your
  existing br0 bridge
  (http://libvirt.org/formatnetwork.html#examplesBridge) so oVirt can
  consume your networking setup.
 
 
 Hmm, do we really need a libvirt bridge, or can't we simply go with a regular
 virtual bridge as I already use?

The extnet hook expects that you create a libvirt network on top of your
regular NIC. You could write your own extbridge hook that consumes
the regular bridge directly.

The libvirt network may seem like a needless layer, but it grants the
extnet bridge a lot of flexibility (such as connecting to an OVS bridge
instead of to a Linux bridge).

 
 All I want is to connect oVirt's VLAN NIC to existing interfaces.
 I am aware that many configs then have to be done manually, but that's fine for
 now

Understood, and that's doable.

 
 
  But who creates that VPN connection? Who supplies the credentials?
 Well, this is manual, only once per host, no desire for automation here;
 I've automated scripts for that, but I usually use an offline PC as a signing
 device.

Understood. I am asking since I'd like to understand how people (plan
to) use oVirt, and whether we can automate more of their chores.

 
  How does this work, if they are both behind NAT?
 
 Well, they are not and they are; it's a routed NAT combo :)
 
 Let's say I have 2 servers; we would then have 3 internal networks:
 
 1 - VPN connecting and routing between physical hosts
 2, 3 - Each host's internal bridge subnet, which does routing
 
 NAT comes in when we go outside, usually port forwarding, which is handy to
 save IPs
 
 So think of every host not only as a hypervisor but also as a network node
 
 
 Only downside: if I move a VM from A to B I have to adjust the IPs, NAT and
 firewall
 
 Upside and reason for this is:
 1, I can use one external IP for several VMs if they need different ports. ATM I
 can save over 3/4 of external IPs.
 2, Also I do not need to manage the firewall on every VM, only on the hosts
 3, Additional security by having all daemons whatsoever only bound to
 internal interfaces.
 All daemons are bound to their internal br0 IP and I can easily access
 certain ports like SSH or MySQL within the VPN only, without exposing
 anything outside, with a minimum of administrative work.
 Who can access what is currently defined by firewall rules within each host
 - here comes Firewall Builder in handy BTW :)))
 
 
  You'd like to automate the creation of NAT rules? VPN creation?
 Well, I would like to automate port-based NAT and firewall rules, that's the
 dream. VPN, as described, I don't really, but hey, who knows if someone else
 wants it.
 Actually I think (even if I'm not gonna need it) it would be a nice feature for
 many, especially these days
 
 
 Only port forwarding and/or complete NAT on the host would make life easier.
 However, most importantly, I need to get the thing running,
 even if it means manual config on each host
 
 
 My issues with oVirt were simply that I couldn't find a way to assign the
 needed interfaces. So if I simply manually specify what's going on, it should
 be enough
 
 BTW I took a look at openQRM and they have already addressed many of those
 needs like Puppet, DHCP, DNS and NAT translation over IP pools and stuff.
 Still, my setup seems too strange for them either, lol
 
 
 
 I think (if I understand the README correctly, it's exactly what extnet is
 doing) the best way would be to simply allow specifying custom interface names.
 That way we can build custom configs on our hosts, however strange we want
 them

Right, that's the motivation behind that hook. Please try whether oVirt can
do what you need, and report to this list!

 
 Since you have to do it only for each physical host, it's not THAT evil to do,
 and you can write easy scripts to do that for you.
 
 But what would be handy in any case, no matter which setup or regular
 oVirt setup, and what I am really missing, is a firewall config.
 The perfect dream would be something visual with objects like Firewall Builder
 (dev stopped, sadly); I think I saw something web-based in some open-source
 firewall distros too.
 
 I mean we have to config firewalls for the hosts in any case; of course I
 know this would be a monster to implement fully
 
 Just dreaming :))

Well, do not forget your dream; maybe someone will be able to implement
it one day (though it does not seem to be around the corner).

Dan.
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users
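As an added illustration of the two steps Dan describes above (this is not the extnet hook's own code, which lives at the README link in his message): a libvirt network definition that only wraps the existing br0, and the device-XML rewrite a vdsm hook would apply to a vNIC whose profile carries a custom property. The property key (extnet), the network name (ext), the sample <interface> element and the function names are my assumptions. The builder also emits the forward mode='nat' form documented on the libvirt formatnetwork page, since that is the kind of network the thread's subject asks about.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the <interface> element vdsm emits for a vNIC sitting on
# an oVirt bridge, as a device hook would see it before the VM starts.
SAMPLE_IFACE_XML = """<interface type='bridge'>
  <mac address='00:1a:4a:16:01:51'/>
  <source bridge='ovirtmgmt'/>
  <model type='virtio'/>
</interface>"""


def libvirt_network_xml(name, mode, bridge, subnet=None):
    """Build a libvirt <network> definition for `virsh net-define`.

    mode="bridge": the "very first stage" from the thread. libvirt only hands
    out the existing Linux bridge (br0) and adds no addressing or NAT.
    mode="nat":    libvirt creates the bridge, runs dnsmasq on it and
    masquerades outbound traffic; subnet = (address, netmask, dhcp_start, dhcp_end).
    """
    net = ET.Element("network")
    ET.SubElement(net, "name").text = name
    if mode == "bridge":
        ET.SubElement(net, "forward", mode="bridge")
        ET.SubElement(net, "bridge", name=bridge)
    elif mode == "nat":
        if subnet is None:
            raise ValueError("nat mode needs (address, netmask, dhcp_start, dhcp_end)")
        address, netmask, dhcp_start, dhcp_end = subnet
        ET.SubElement(net, "forward", mode="nat")
        ET.SubElement(net, "bridge", name=bridge, stp="on", delay="0")
        ip = ET.SubElement(net, "ip", address=address, netmask=netmask)
        dhcp = ET.SubElement(ip, "dhcp")
        ET.SubElement(dhcp, "range", start=dhcp_start, end=dhcp_end)
    else:
        raise ValueError("unsupported forward mode: %s" % mode)
    return ET.tostring(net, encoding="unicode")


def rewire_interface(device_xml, custom, prop="extnet"):
    """Point a bridge-type vNIC at the libvirt network named by the vNIC
    profile's custom property (the key name "extnet" is an assumption).

    Returns (new_xml, changed). Interfaces that are not bridge-backed, and
    profiles without the property, are left untouched, so the hook is a
    no-op for every other vNIC on the host.
    """
    target = custom.get(prop)
    if not target:
        return device_xml, 0
    root = ET.fromstring(device_xml)
    changed = 0
    # iter() includes the root itself, so this works for a single <interface>
    # as well as for a whole <domain> document.
    for iface in root.iter("interface"):
        if iface.get("type") != "bridge":
            continue
        src = iface.find("source")
        if src is None:
            continue
        iface.set("type", "network")
        src.attrib.clear()          # drop bridge='ovirtmgmt'
        src.set("network", target)  # libvirt resolves the network itself
        changed += 1
    return ET.tostring(root, encoding="unicode"), changed


if __name__ == "__main__":
    print(libvirt_network_xml("ext", "bridge", "br0"))
    new_xml, n = rewire_interface(SAMPLE_IFACE_XML, {"extnet": "ext"})
    print(new_xml, "(%d interface rewired)" % n)
```

In a real vdsm hook the XML comes in and goes out through vdsm's hooking module (read_domxml/write_domxml) and the custom properties through the hook's environment; the transformation itself is the part shown here. A bridge-mode network is the safe first stage because libvirt adds nothing: traffic still rides the host's br0 exactly as before, so a wrong network name fails at VM start rather than silently changing the host's addressing.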


Re: [Users] why ovirt does not support NAT network

2013-12-30 Thread woswas denni

 Well, there's nothing much beyond the hook's README

http://gerrit.ovirt.org/gitweb?p=vdsm.git;a=blob;f=vdsm_hooks/extnet/README;h=0778dbb3ef85c5ae179fb0f6c9ceeabc268abe89;hb=HEAD
 You should start by defining a libvirt network, and then mark a vNIC
 profile with a custom property so that the network is used by vNICs.

 As a very first stage, you may define the libvirt network on top of your
 existing br0 bridge
 (http://libvirt.org/formatnetwork.html#examplesBridge) so oVirt can
 consume your networking setup.


Hmm, do we really need a libvirt bridge, or can't we simply go with a regular
virtual bridge as I already use?

All I want is to connect oVirt's VLAN NIC to existing interfaces.
I am aware that many configs then have to be done manually, but that's fine for
now


 But who creates that VPN connection? Who supplies the credentials?
Well, this is manual, only once per host, no desire for automation here;
I've automated scripts for that, but I usually use an offline PC as a signing
device.


 How does this work, if they are both behind NAT?

Well, they are not and they are; it's a routed NAT combo :)

Let's say I have 2 servers; we would then have 3 internal networks:

1 - VPN connecting and routing between physical hosts
2, 3 - Each host's internal bridge subnet, which does routing

NAT comes in when we go outside, usually port forwarding, which is handy to
save IPs

So think of every host not only as a hypervisor but also as a network node


Only downside: if I move a VM from A to B I have to adjust the IPs, NAT and
firewall

Upside and reason for this is:
1, I can use one external IP for several VMs if they need different ports. ATM I
can save over 3/4 of external IPs.
2, Also I do not need to manage the firewall on every VM, only on the hosts
3, Additional security by having all daemons whatsoever only bound to
internal interfaces.
All daemons are bound to their internal br0 IP and I can easily access
certain ports like SSH or MySQL within the VPN only, without exposing
anything outside, with a minimum of administrative work.
Who can access what is currently defined by firewall rules within each host
- here comes Firewall Builder in handy BTW :)))


 You'd like to automate the creation of NAT rules? VPN creation?
Well, I would like to automate port-based NAT and firewall rules, that's the
dream. VPN, as described, I don't really, but hey, who knows if someone else
wants it.
Actually I think (even if I'm not gonna need it) it would be a nice feature for
many, especially these days


Only port forwarding and/or complete NAT on the host would make life easier.
However, most importantly, I need to get the thing running,
even if it means manual config on each host


My issues with oVirt were simply that I couldn't find a way to assign the
needed interfaces. So if I simply manually specify what's going on, it should
be enough

BTW I took a look at openQRM and they have already addressed many of those
needs like Puppet, DHCP, DNS and NAT translation over IP pools and stuff.
Still, my setup seems too strange for them either, lol



I think (if I understand the README correctly, it's exactly what extnet is
doing) the best way would be to simply allow specifying custom interface names.
That way we can build custom configs on our hosts, however strange we want
them

Since you have to do it only for each physical host, it's not THAT evil to do,
and you can write easy scripts to do that for you.

But what would be handy in any case, no matter which setup or regular
oVirt setup, and what I am really missing, is a firewall config.
The perfect dream would be something visual with objects like Firewall Builder
(dev stopped, sadly); I think I saw something web-based in some open-source
firewall distros too.

I mean we have to config firewalls for the hosts in any case; of course I
know this would be a monster to implement fully

Just dreaming :))
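An added example (not code from the post, nor from oVirt) of what "automating port-based NAT and firewall rules" per host could look like, built from the setup described above: a declarative per-host VM inventory rendered into the iptables commands for that host, with a check that two VMs do not claim the same external port. Interface names, addresses and the inventory are constructed. It goes one step beyond the post by also rendering a 1:1 mapping (an external address dedicated to one VM, all ports) next to the port-based kind, since both come out of the same renderer.

```python
from ipaddress import ip_address, ip_network

# Constructed topology following the post: the VPN (network 1) joins the
# hosts, each host has its own internal bridge subnet (networks 2 and 3)
# and exactly one external address. Documentation-range addresses.
EXT_IF, INT_IF, VPN_IF = "eth0", "br0", "tun0"
EXT_IP = "203.0.113.10"
INT_NET = ip_network("10.20.0.0/24")
VPN_NET = ip_network("10.8.0.0/24")

# Constructed per-host inventory. "forward": external port -> VM port, so
# several VMs share EXT_IP; "admin": ports reachable from the VPN only;
# "floating": an external address dedicated to this VM, 1:1, all ports.
VMS = {
    "web01":  {"ip": "10.20.0.11", "forward": {80: 80, 443: 443}, "admin": {22}},
    "mail01": {"ip": "10.20.0.13", "forward": {2525: 25},         "admin": {22}},
    "db01":   {"ip": "10.20.0.12", "forward": {},                 "admin": {22, 3306}},
    "app01":  {"ip": "10.20.0.14", "floating": "203.0.113.11",    "admin": {22}},
}


def validate(vms):
    """Catch what silently breaks a shared-IP host: a VM address outside the
    bridge subnet, or two VMs claiming the same external port."""
    owner = {}
    for name, vm in vms.items():
        if ip_address(vm["ip"]) not in INT_NET:
            raise ValueError("%s: %s is not in %s" % (name, vm["ip"], INT_NET))
        for ext_port in vm.get("forward", {}):
            if ext_port in owner:
                raise ValueError("external port %d claimed by %s and %s"
                                 % (ext_port, owner[ext_port], name))
            owner[ext_port] = name


def base_rules():
    """Default deny on forwarding; VMs may go out, replies come back."""
    return [
        "iptables -P FORWARD DROP",
        "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
        "iptables -A FORWARD -i %s -o %s -s %s -j ACCEPT" % (INT_IF, EXT_IF, INT_NET),
        "iptables -t nat -A POSTROUTING -o %s -s %s -j MASQUERADE" % (EXT_IF, INT_NET),
    ]


def vm_rules(vm):
    ip, rules = vm["ip"], []
    for ext_port, vm_port in sorted(vm.get("forward", {}).items()):
        # DNAT happens before FORWARD, so the filter rule sees the VM address.
        rules.append("iptables -t nat -A PREROUTING -i %s -d %s -p tcp --dport %d "
                     "-j DNAT --to-destination %s:%d"
                     % (EXT_IF, EXT_IP, ext_port, ip, vm_port))
        rules.append("iptables -A FORWARD -i %s -o %s -d %s -p tcp --dport %d "
                     "-m conntrack --ctstate NEW -j ACCEPT"
                     % (EXT_IF, INT_IF, ip, vm_port))
    if "floating" in vm:
        fip = vm["floating"]
        rules.append("iptables -t nat -A PREROUTING -i %s -d %s -j DNAT --to-destination %s"
                     % (EXT_IF, fip, ip))
        # -I so the 1:1 SNAT precedes the subnet-wide MASQUERADE from base_rules.
        rules.append("iptables -t nat -I POSTROUTING -o %s -s %s -j SNAT --to-source %s"
                     % (EXT_IF, ip, fip))
        rules.append("iptables -A FORWARD -i %s -o %s -d %s -m conntrack --ctstate NEW -j ACCEPT"
                     % (EXT_IF, INT_IF, ip))
    for port in sorted(vm.get("admin", ())):
        # SSH/MySQL and friends: only from the VPN, never from the outside.
        rules.append("iptables -A FORWARD -i %s -o %s -s %s -d %s -p tcp --dport %d "
                     "-m conntrack --ctstate NEW -j ACCEPT"
                     % (VPN_IF, INT_IF, VPN_NET, ip, port))
    return rules


def render(vms):
    """Full rule list for this host, in the order it must be applied."""
    validate(vms)
    rules = base_rules()
    for name in sorted(vms):
        rules.extend(vm_rules(vms[name]))
    return rules


if __name__ == "__main__":
    print("\n".join(render(VMS)))
```

The list order is the order to apply: with -A each rule lands below the previous one, so ESTABLISHED,RELATED is matched first and the FORWARD DROP policy catches everything that no VM entry explicitly allows; a port that is not in "forward" (db01's 3306) therefore never gets a rule from eth0 at all. The 1:1 "floating" form exposes every port of that VM, so it needs a firewall of its own, which is the trade-off the post avoids with port-based NAT. Moving a VM between hosts means re-rendering on both, which is the "downside" mentioned in the post.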


Re: [Users] why ovirt does not support NAT network

2013-03-13 Thread Mark Wu

On Wed 13 Mar 2013 07:09:16 AM CST, Itamar Heim wrote:

On 03/11/2013 05:16 AM, Mark Wu wrote:

On 03/08/2013 05:16 AM, Dan Kenigsberg wrote:

On Thu, Mar 07, 2013 at 03:57:49PM +0100, Adrian Gibanel wrote:

Just in case it might help you please check:

http://lists.ovirt.org/pipermail/users/2012-April/001751.html

This is almost 1 year old, but I did not notice it yet. I love the
detailed solution!

+1 on NAT network. Besides saving IP addresses, it could also
reduce the pressure on the external physical switch's MAC table, because the
VM's
MAC address is invisible to the external switch.

But there are two limitations of a NAT network compared with a physically
bridged network:
1. The VMs attached to the same NAT network, but on different hosts,
can't hear each other. It could be resolved by constructing a tunnel or
tunnels
among the hosts in the same cluster and centralizing the MAC
address management of dnsmasq on the oVirt engine.

2. The VMs in a NAT network are hidden behind the host. An external host
can't initiate a connection to the VM. I think it's fine for a
desktop VM.
For a server VM, it can't be resolved by adding a DNAT rule on demand. It's
similar to the 'floating ip address' in quantum.


Also need to remember live migration will probably not work with NAT.
Yes, it could break live migration. But we could use
conntrack-tools (conntrack or conntrackd)
to sync the IP conntrack entries related to that VM's IP address before
resuming the VM on the destination host.

Just a preliminary idea, not verified yet.



how would floating IP work? wouldn't you need to map it 1:1 with the
NAT'd IP?
Yes, it should have a 1:1 mapping between the external IP address and the
IP address in the NAT network.


Yes, the rant there, about oVirt network being tightly-coupled with a
physical interface, is 100% justified. I'm trying to address some of
that in http://www.ovirt.org/Features/Nicless_Network but it's a long
way to go.


I managed to implement VirtualBox-host-only-alike networks gathering
more info from:
http://libvirt.org/formatnetwork.html
You might also be interested
in: http://wiki.libvirt.org/page/Networking although I didn't use
it myself.

You might probably already know this information but, just in case,
here it is.


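An added example of Mark's preliminary idea above, not code from the thread or from conntrack-tools: parse `conntrack -L` output from the source host, keep the flows the migrating VM is party to, and turn each one into a `conntrack -I` command to replay on the destination. The sample conntrack lines are constructed (VM 10.20.0.11 behind host address 203.0.113.10, VPN peer 10.8.0.5), and the conntrack option names are quoted from conntrack(8) as I know it; check them against the local version before relying on the generated commands.

```python
# Constructed `conntrack -L` output from the source host. Entry 1: the VM's
# outbound HTTPS flow, masqueraded behind 203.0.113.10. Entry 2: an inbound
# DNAT'd HTTP connection to the same VM (reply tuple carries the VM address).
# Entries 3 and 4 belong to a different VM, 10.20.0.12.
SAMPLE_CONNTRACK = """\
tcp      6 431995 ESTABLISHED src=10.20.0.11 dst=198.51.100.7 sport=42000 dport=443 src=198.51.100.7 dst=203.0.113.10 sport=443 dport=42000 [ASSURED] mark=0 use=1
tcp      6 119 TIME_WAIT src=198.51.100.9 dst=203.0.113.10 sport=51234 dport=80 src=10.20.0.11 dst=198.51.100.9 sport=80 dport=51234 [ASSURED] mark=0 use=1
udp      17 29 src=10.20.0.12 dst=10.20.0.1 sport=38000 dport=53 src=10.20.0.1 dst=10.20.0.12 sport=53 dport=38000 mark=0 use=1
tcp      6 431999 ESTABLISHED src=10.8.0.5 dst=10.20.0.12 sport=40001 dport=3306 src=10.20.0.12 dst=10.8.0.5 sport=3306 dport=40001 [ASSURED] mark=0 use=1
"""

TUPLE_KEYS = ("src", "dst", "sport", "dport")


def parse_entry(line):
    """Split one conntrack -L line into proto, timeout, TCP state, flags and
    the two tuples (original direction, reply direction). NAT shows up as the
    reply tuple not being the mirror image of the original one."""
    tokens = line.split()
    entry = {"proto": tokens[0], "protonum": int(tokens[1]),
             "timeout": int(tokens[2]), "state": None,
             "orig": {}, "reply": {}, "flags": []}
    rest = tokens[3:]
    if rest and "=" not in rest[0] and not rest[0].startswith("["):
        entry["state"] = rest.pop(0)        # TCP state; UDP has none
    for tok in rest:
        if tok.startswith("["):             # [ASSURED], [UNREPLIED]
            entry["flags"].append(tok.strip("[]"))
            continue
        key, _, value = tok.partition("=")
        if key not in TUPLE_KEYS:
            continue                        # mark=, use=, zone= ...
        side = "orig" if key not in entry["orig"] else "reply"
        entry[side][key] = value
    return entry


def select_vm_entries(entries, vm_ip):
    """Flows the migrating VM is party to: it is the original source
    (outbound, masqueraded) or the reply source (inbound, DNAT'd)."""
    return [e for e in entries
            if e["orig"].get("src") == vm_ip or e["reply"].get("src") == vm_ip]


def replay_command(e):
    """conntrack -I invocation recreating the entry on the destination host."""
    o, r = e["orig"], e["reply"]
    parts = ["conntrack -I --protonum %s" % e["proto"],
             "--src %s --dst %s" % (o["src"], o["dst"]),
             "--reply-src %s --reply-dst %s" % (r["src"], r["dst"])]
    if "sport" in o:
        parts.append("--sport %s --dport %s" % (o["sport"], o["dport"]))
        parts.append("--reply-port-src %s --reply-port-dst %s" % (r["sport"], r["dport"]))
    if e["state"]:
        parts.append("--state %s" % e["state"])
    parts.append("--timeout %d" % e["timeout"])
    return " ".join(parts)


def migration_plan(conntrack_output, vm_ip):
    """Commands to run on the destination before the VM is resumed there."""
    entries = [parse_entry(l) for l in conntrack_output.splitlines() if l.strip()]
    return [replay_command(e) for e in select_vm_entries(entries, vm_ip)]


if __name__ == "__main__":
    print("\n".join(migration_plan(SAMPLE_CONNTRACK, "10.20.0.11")))
```

The caveat this makes visible: every selected entry carries the source host's external address (203.0.113.10) in the NAT side of the tuple. The replayed entries are only useful on the destination if that address, and the DNAT/MASQUERADE rules producing it, move along with the VM; otherwise the replies keep arriving at the old host. That coupling is the reason NAT networks tend to be host-local, and, as Mark says, the idea is unverified; conntrackd's own state synchronisation between nodes is the established mechanism for keeping conntrack tables in step.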


Re: [Users] why ovirt does not support NAT network

2013-03-13 Thread Dan Kenigsberg
On Wed, Mar 13, 2013 at 01:09:16AM +0200, Itamar Heim wrote:
 On 03/11/2013 05:16 AM, Mark Wu wrote:
 On 03/08/2013 05:16 AM, Dan Kenigsberg wrote:
 On Thu, Mar 07, 2013 at 03:57:49PM +0100, Adrian Gibanel wrote:
 Just in case it might help you please check:
 
 http://lists.ovirt.org/pipermail/users/2012-April/001751.html
 This is almost 1 year old, but I did not notice it yet. I love the
 detailed solution!
 +1 on NAT network. Besides saving IP addresses, it could also
 reduce the pressure on the external physical switch's MAC table, because the
 VM's
 MAC address is invisible to the external switch.
 
 But there are two limitations of a NAT network compared with a physically
 bridged network:
 1. The VMs attached to the same NAT network, but on different hosts,
 can't hear each other. It could be resolved by constructing a tunnel or
 tunnels
  among the hosts in the same cluster and centralizing the MAC
 address management of dnsmasq on the oVirt engine.
 
 2. The VMs in a NAT network are hidden behind the host. An external host
 can't initiate a connection to the VM. I think it's fine for a desktop VM.
 For a server VM, it can't be resolved by adding a DNAT rule on demand. It's
 similar to the 'floating ip address' in quantum.
 
 also need to remember live migration will probably not work with NAT.

That's why I consider this as an option for host-local networks.

 how would floating IP work? wouldn't you need to map it 1:1 with the
 NAT'd IP?
 
 Yes, the rant there, about oVirt network being tightly-coupled with a
 physical interface, is 100% justified. I'm trying to address some of
 that in http://www.ovirt.org/Features/Nicless_Network but it's a long
 way to go.


Re: [Users] why ovirt does not support NAT network

2013-03-12 Thread Itamar Heim

On 03/11/2013 05:16 AM, Mark Wu wrote:

On 03/08/2013 05:16 AM, Dan Kenigsberg wrote:

On Thu, Mar 07, 2013 at 03:57:49PM +0100, Adrian Gibanel wrote:

Just in case it might help you please check:

http://lists.ovirt.org/pipermail/users/2012-April/001751.html

This is almost 1 year old, but I did not notice it yet. I love the
detailed solution!

+1 on NAT network. Besides saving IP addresses, it could also
reduce the pressure on the external physical switch's MAC table, because the
VM's
MAC address is invisible to the external switch.

But there are two limitations of a NAT network compared with a physically
bridged network:
1. The VMs attached to the same NAT network, but on different hosts,
can't hear each other. It could be resolved by constructing a tunnel or
tunnels
 among the hosts in the same cluster and centralizing the MAC
address management of dnsmasq on the oVirt engine.

2. The VMs in a NAT network are hidden behind the host. An external host
can't initiate a connection to the VM. I think it's fine for a desktop VM.
For a server VM, it can't be resolved by adding a DNAT rule on demand. It's
similar to the 'floating ip address' in quantum.


Also need to remember live migration will probably not work with NAT.
How would floating IP work? Wouldn't you need to map it 1:1 with the
NAT'd IP?


Yes, the rant there, about oVirt network being tightly-coupled with a
physical interface, is 100% justified. I'm trying to address some of
that in http://www.ovirt.org/Features/Nicless_Network but it's a long
way to go.


I managed to implement VirtualBox-host-only-alike networks gathering more info
from:
http://libvirt.org/formatnetwork.html
You might also be interested in: http://wiki.libvirt.org/page/Networking
although I didn't use it myself.

You might probably already know this information but, just in case, here it is.




Re: [Users] why ovirt does not support NAT network

2013-03-10 Thread Mark Wu

On 03/08/2013 05:16 AM, Dan Kenigsberg wrote:

On Thu, Mar 07, 2013 at 03:57:49PM +0100, Adrian Gibanel wrote:

Just in case it might help you please check:

http://lists.ovirt.org/pipermail/users/2012-April/001751.html

This is almost 1 year old, but I did not notice it yet. I love the
detailed solution!
+1 on NAT network. Besides saving IP addresses, it could also
reduce the pressure on the external physical switch's MAC table, because the
VM's
MAC address is invisible to the external switch.

But there are two limitations of a NAT network compared with a physically
bridged network:
1. The VMs attached to the same NAT network, but on different hosts,
can't hear each other. It could be resolved by constructing a tunnel or
tunnels
among the hosts in the same cluster and centralizing the MAC
address management of dnsmasq on the oVirt engine.

2. The VMs in a NAT network are hidden behind the host. An external host
can't initiate a connection to the VM. I think it's fine for a desktop VM.
For a server VM, it can't be resolved by adding a DNAT rule on demand. It's
similar to the 'floating ip address' in quantum.

Yes, the rant there, about ovirt network being tightly-coupled with a
physical interface, is 100% justified. I'm trying to address some of
that in http://www.ovirt.org/Features/Nicless_Network but it's a long
way to go.


I managed to implement VirtualBox-host-only-alike networks gathering more info
from:
http://libvirt.org/formatnetwork.html
You might also be interested in: http://wiki.libvirt.org/page/Networking
although I didn't use it myself.

You might probably already know this information but, just in case, here it is.




[Users] why ovirt does not support NAT network

2013-03-07 Thread bigclouds
Why does oVirt not support NAT networks?

thanks


Re: [Users] why ovirt does not support NAT network

2013-03-07 Thread Dan Kenigsberg
On Thu, Mar 07, 2013 at 06:49:20PM +0800, bigclouds wrote:
 Why does oVirt not support NAT networks?

Would you elaborate on that?

Do you refer to putting VMs behind a NAT, instead of a bridge?


Re: [Users] why ovirt does not support NAT network

2013-03-07 Thread Alex Leonhardt
I can see the use for that, to be honest...

e.g. you rent 1 server and want to test some stuff, and typically for that
you don't get more than 1 IP to use for the server itself, but you want your
VMs to be able to get to The Internets :) ...

Alex



On 7 March 2013 11:28, Dan Kenigsberg dan...@redhat.com wrote:

 On Thu, Mar 07, 2013 at 06:49:20PM +0800, bigclouds wrote:
  Why does oVirt not support NAT networks?

 Would you elaborate on that?

 Do you refer to putting VMs behind a NAT, instead of a bridge?




-- 
| RHCE | Senior Systems Engineer | www.vcore.co | www.vsearchcloud.com |


Re: [Users] why ovirt does not support NAT network

2013-03-07 Thread bigclouds
Hi, Dan Kenigsberg,
Yes, I am working on this feature; the goal is that a HOST can supply bridge and
NAT networks at the same time, and users can choose,
because a bridged network occupies too many IPs; at least, one user will have 2
IPs (VM and thin client).

At 2013-03-07 19:28:29,Dan Kenigsberg dan...@redhat.com wrote:
On Thu, Mar 07, 2013 at 06:49:20PM +0800, bigclouds wrote:
 Why does oVirt not support NAT networks?

Would you elaborate on that?

Do you refer to putting VMs behind a NAT, instead of a bridge?


Re: [Users] why ovirt does not support NAT network

2013-03-07 Thread Adrian Gibanel
Just in case it might help you, please check:

http://lists.ovirt.org/pipermail/users/2012-April/001751.html

I managed to implement VirtualBox-host-only-alike networks gathering more info
from:
http://libvirt.org/formatnetwork.html
You might also be interested in: http://wiki.libvirt.org/page/Networking
although I didn't use it myself.

You might probably already know this information but, just in case, here it is.

- Original message -

 From: bigclouds bigclo...@163.com
 To: Dan Kenigsberg dan...@redhat.com
 CC: users@ovirt.org
 Sent: Thursday, 7 March 2013 15:46:48
 Subject: Re: [Users] why ovirt does not support NAT network

 Hi, Dan Kenigsberg,
 Yes, I am working on this feature; the goal is that a HOST can supply
 bridge and NAT networks at the same time, and users can choose,
 because a bridged network occupies too many IPs; at least, one user will
 have 2 IPs (VM and thin client).

 At 2013-03-07 19:28:29,Dan Kenigsberg dan...@redhat.com wrote:
 On Thu, Mar 07, 2013 at 06:49:20PM +0800, bigclouds wrote:
  Why does oVirt not support NAT networks?
 
 Would you elaborate on that?
 
 Do you refer to putting VMs behind a NAT, instead of a bridge?
-- 

Adrián Gibanel 
I.T. Manager 

+34 675 683 301 
www.btactic.com 
