Re: [Users] Guest to guest multicast
- Original Message - From: Frank Wall f...@moov.de To: Moti Asayag masa...@redhat.com Cc: users@ovirt.org Sent: Wednesday, October 16, 2013 2:33:11 PM Subject: Re: [Users] Guest to guest multicast Hi Moti, On 17.09.2013 15:41, Moti Asayag wrote: I've tested a multicast traffic between VMs which worked fine to me. The test made between two VMs running on different hosts, connected to the same switch. would you please provide some details about how you tested the multicast traffic between VMs? I would be interested in doing the exact same tests on my side, i.e. running the same commands. (Note that in my test setup all VMs run on the same host.) I used iperf for testing multicast between the vms. See http://iperf.fr/#multicast for the exact commands. Thanks - Frank ___ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users
Re: [Users] Guest to guest multicast
- Original Message - From: Frank Wall f...@moov.de To: Moti Asayag masa...@redhat.com Cc: users@ovirt.org Sent: Thursday, October 17, 2013 2:12:35 PM Subject: Re: [Users] Guest to guest multicast Hi Moti, On 17.10.2013 08:04, Moti Asayag wrote: I used iperf for testing multicast between the vms. See http://iperf.fr/#multicast for the exact commands. thanks, I did a quick test with iperf with a good result (445 out of 446 datagrams could be received). But still pfSense/FreeBSD CARP/uCARP does not work, it seems to be filtered on the oVirt/KVM Host. Have you ever heard of this? Any idea? On ovirt 3.2 we introduced the network-filters feature [1] which prevents guests from spoofing other mac-addresses than these which assigned by the engine. The feature is enable by default since introduced (for 3.2 and above) There is a possibility that the implementation of the VRRP modifies the mac address to the expected addresses which be ended in libvirt's filtering (using the ebtables) the frames. Could you try disabling the filter, restart the vms and re-run the test ? 1. On the ovirt-engine run: engine-config -s EnableMACAntiSpoofingFilterRules=false --cver=3.3 (if you're using ovirt-engine 3.2, make sure to specify it in the --cver= option). 2. Restart the ovirt-engine service 3. Restart the vms 4. Re-run the test An alternative might be to use the custom mac address for the vms which serves as routers to start with 00-00-5E-00-01-XX (as long as the mac address will not be replaced by the protocol) [1] http://www.ovirt.org/Features/Design/Network/NetworkFiltering [2] Thanks - Frank ___ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users
Re: [Users] Guest to guest multicast
Hi Moti, On 17.10.2013 15:08, Moti Asayag wrote: Could you try disabling the filter, restart the vms and re-run the test ? 1. On the ovirt-engine run: engine-config -s EnableMACAntiSpoofingFilterRules=false --cver=3.3 (if you're using ovirt-engine 3.2, make sure to specify it in the --cver= option). 2. Restart the ovirt-engine service 3. Restart the vms 4. Re-run the test YES! This solved the VRRP problem. THANK YOU! At some point I was already suspecting that ebtables and the Anti-Spoofing rules would be causing my problem, because I could see them in the XML configuration of my VMs, but a ebtables -L did not show any rule. So I kept on searching... My question is: How would I find these Anti-Spoofing rules that oVirt applies to each VM? Just want to find out at which point my debugging went into the wrong direction ;-) Thanks - Frank ___ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users
Re: [Users] Guest to guest multicast
- Original Message - From: Frank Wall f...@moov.de To: Moti Asayag masa...@redhat.com Cc: users@ovirt.org Sent: Thursday, October 17, 2013 4:33:51 PM Subject: Re: [Users] Guest to guest multicast Hi Moti, On 17.10.2013 15:08, Moti Asayag wrote: Could you try disabling the filter, restart the vms and re-run the test ? 1. On the ovirt-engine run: engine-config -s EnableMACAntiSpoofingFilterRules=false --cver=3.3 (if you're using ovirt-engine 3.2, make sure to specify it in the --cver= option). 2. Restart the ovirt-engine service 3. Restart the vms 4. Re-run the test YES! This solved the VRRP problem. THANK YOU! At some point I was already suspecting that ebtables and the Anti-Spoofing rules would be causing my problem, because I could see them in the XML configuration of my VMs, but a ebtables -L did not show any rule. So I kept on searching... you should have specify the 'nat' table name and then you'd see the entire rules: ebtables -t nat -L My question is: How would I find these Anti-Spoofing rules that oVirt applies to each VM? Just want to find out at which point my debugging went into the wrong direction ;-) ovirt applies the same rules for all of the vm. A custom nwfilter rule named 'vdsm-no-mac-spoofing' is being created by vdsm when it starts. To see it contents requires using 'virsh' on the node: virsh -r nwfilter-dumpxml vdsm-no-mac-spoofing uuidc05471a7-9dee-6021-32e3-5d70e7617fc5/uuid filterref filter='no-mac-spoofing'/ filterref filter='no-arp-mac-spoofing'/ /filter where the 2 rules are predefined by libvirt's nwfilter. Thanks - Frank ___ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users
Re: [Users] Guest to guest multicast
tor 2013-10-17 klockan 13:12 +0200 skrev Frank Wall: Hi Moti, On 17.10.2013 08:04, Moti Asayag wrote: I used iperf for testing multicast between the vms. See http://iperf.fr/#multicast for the exact commands. thanks, I did a quick test with iperf with a good result (445 out of 446 datagrams could be received). But still pfSense/FreeBSD CARP/uCARP does not work, it seems to be filtered on the oVirt/KVM Host. Have you ever heard of this? Any idea? Didn´t think of it first but I´ve actually set up VM's as cluster with CARP and FreeBSD, and it worked flawlessly for me (TM). I´m running oVirt-3.2, if that is of interest. Thanks - Frank ___ Users mailing list Users@ovirt.orgmailto:Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users -- Med Vänliga Hälsningar --- Karli Sjöberg Swedish University of Agricultural Sciences Box 7079 (Visiting Address Kronåsvägen 8) S-750 07 Uppsala, Sweden Phone: +46-(0)18-67 15 66 karli.sjob...@slu.semailto:karli.sjob...@adm.slu.se ___ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users
Re: [Users] Guest to guest multicast
fre 2013-10-18 klockan 05:12 + skrev Karli Sjöberg: tor 2013-10-17 klockan 13:12 +0200 skrev Frank Wall: Hi Moti, On 17.10.2013 08:04, Moti Asayag wrote: I used iperf for testing multicast between the vms. See http://iperf.fr/#multicast for the exact commands. thanks, I did a quick test with iperf with a good result (445 out of 446 datagrams could be received). But still pfSense/FreeBSD CARP/uCARP does not work, it seems to be filtered on the oVirt/KVM Host. Have you ever heard of this? Any idea? Didn´t think of it first but I´ve actually set up VM's as cluster with CARP and FreeBSD, and it worked flawlessly for me (TM). I´m running oVirt-3.2, if that is of interest. Hmm, come to think of it, those VM's were created back in 3.1 for a specific test and I haven´t run them since, so if I wanted to run them again, I would also likely have to change that spoofing setting. Sorry for the noise. Thanks - Frank ___ Users mailing list Users@ovirt.orgmailto:Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users -- Med Vänliga Hälsningar --- Karli Sjöberg Swedish University of Agricultural Sciences Box 7079 (Visiting Address Kronåsvägen 8) S-750 07 Uppsala, Sweden Phone: +46-(0)18-67 15 66 karli.sjob...@slu.semailto:karli.sjob...@adm.slu.se -- Med Vänliga Hälsningar --- Karli Sjöberg Swedish University of Agricultural Sciences Box 7079 (Visiting Address Kronåsvägen 8) S-750 07 Uppsala, Sweden Phone: +46-(0)18-67 15 66 karli.sjob...@slu.semailto:karli.sjob...@adm.slu.se ___ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users
Re: [Users] Guest to guest multicast
Hi Yedidyah, On 17.09.2013 09:32, Yedidyah Bar David wrote: What is required to enable guest-to-guest multicast communication on an oVirt node? Are they on the same virtual network/bridge? Did you check iptables? You can add a rule to log such things and see if it was iptables that blocked it (or something else). Check both host and VMs. yes, both guest interfaces are on the same virtual bridge: mytestlan 8000.8000.0111 no dummy_3 vnet11 vnet13 On the host side iptables is configured to log rejected packets: -A INPUT -j LOG -m limit --limit 2/min --log-prefix REJECT: --log-level 4 But I've never seen any log message related to multicast traffic while debugging this issue. Thanks - Frank ___ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users
Re: [Users] Guest to guest multicast
Hi Moti, On 17.09.2013 15:41, Moti Asayag wrote: I've tested a multicast traffic between VMs which worked fine to me. The test made between two VMs running on different hosts, connected to the same switch. would you please provide some details about how you tested the multicast traffic between VMs? I would be interested in doing the exact same tests on my side, i.e. running the same commands. (Note that in my test setup all VMs run on the same host.) Thanks - Frank ___ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users
Re: [Users] Guest to guest multicast
On 17.09.2013 15:41, Moti Asayag wrote: I've tested a multicast traffic between VMs which worked fine to me. The test made between two VMs running on different hosts, connected to the same switch. OK, I found a secure way to test multicast communication: (see http://www.linuxproblems.org/wiki/How_to_check_Multicasting) # VM_A: start the receiver VM_A# java -cp jgroups-3.3.3.Final.jar org.jgroups.tests.McastReceiverTest -mcast_addr 231.12.21.132 -port 45566 Socket=0.0.0.0/0.0.0.0:45566, bind interface=/127.0.0.1 Socket=0.0.0.0/0.0.0.0:45566, bind interface=/10.1.2.3 # VM_B: start the sender, send message test VM_B# java -cp jgroups-3.3.3.Final.jar org.jgroups.tests.McastSenderTest -mcast_addr 231.12.21.132 -port 45566 Socket #1=0.0.0.0/0.0.0.0:45566, ttl=32, bind interface=/127.0.0.1 Socket #2=0.0.0.0/0.0.0.0:45566, ttl=32, bind interface=/10.1.2.4 test # VM_A will receive the message test [sender=10.1.2.4:45566] So this basically means that multicast is working. For some reason, VRRP/CARP is NOT working. This means pfSense HA and *BSD (u)CARP is not usable right now. Any hint? I'm out of ideas right now. Thanks - Frank ___ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users
Re: [Users] Guest to guest multicast
Hi, - Original Message - From: Frank Wall f...@moov.de To: users@ovirt.org Sent: Friday, September 6, 2013 8:05:21 PM Subject: [Users] Guest to guest multicast Hi, I'm trying to use the VRRP protocol between two VMs, but the multicast traffic never gets through. On the oVirt host I can see the VRRP advertisements coming in for both VMs: aio:~# tcpdump -n -X -i vnet3 net 224.0.0.0/4 listening on vnet3, link-type EN10MB (Ethernet), capture size 65535 bytes 18:58:31.841220 IP 10.1.2.3 224.0.0.18: VRRPv2, Advertisement, vrid 1, prio 0, authtype none, intvl 1s, length 36 aio:~# tcpdump -n -X -i vnet8 net 224.0.0.0/4 listening on vnet8, link-type EN10MB (Ethernet), capture size 65535 bytes 19:02:26.907054 IP 10.1.2.4 224.0.0.18: VRRPv2, Advertisement, vrid 1, prio 100, authtype none, intvl 1s, length 36 What is required to enable guest-to-guest multicast communication on an oVirt node? Are they on the same virtual network/bridge? Did you check iptables? You can add a rule to log such things and see if it was iptables that blocked it (or something else). Check both host and VMs. -- Didi ___ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users
Re: [Users] Guest to guest multicast
Hi, I've tested a multicast traffic between VMs which worked fine to me. The test made between two VMs running on different hosts, connected to the same switch. The only pitfall i encountered was the firewall which blocked the traffic. Once disabled, I was able to complete the test (used iperf). Regards, Moti - Original Message - From: Frank Wall f...@moov.de To: users@ovirt.org Sent: Friday, September 6, 2013 8:05:21 PM Subject: [Users] Guest to guest multicast Hi, I'm trying to use the VRRP protocol between two VMs, but the multicast traffic never gets through. On the oVirt host I can see the VRRP advertisements coming in for both VMs: aio:~# tcpdump -n -X -i vnet3 net 224.0.0.0/4 listening on vnet3, link-type EN10MB (Ethernet), capture size 65535 bytes 18:58:31.841220 IP 10.1.2.3 224.0.0.18: VRRPv2, Advertisement, vrid 1, prio 0, authtype none, intvl 1s, length 36 aio:~# tcpdump -n -X -i vnet8 net 224.0.0.0/4 listening on vnet8, link-type EN10MB (Ethernet), capture size 65535 bytes 19:02:26.907054 IP 10.1.2.4 224.0.0.18: VRRPv2, Advertisement, vrid 1, prio 100, authtype none, intvl 1s, length 36 What is required to enable guest-to-guest multicast communication on an oVirt node? Thanks - Frank ___ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users ___ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users
