On Mon, Dec 30, 2013 at 09:39:58PM +0100, woswas denni wrote:
> >
> > Well, there's nothing much beyond the hook's README
> > http://gerrit.ovirt.org/gitweb?p=vdsm.git;a=blob;f=vdsm_hooks/extnet/README;h=0778dbb3ef85c5ae179fb0f6c9ceeabc268abe89;hb=HEAD
> > You should start by defining a libvirt network, and then mark a vNIC
> > profile with a custom property so that the network is used by vNICs.
> >
> > As a very first stage, you may define the libvirt network on top of your
> > existing br0 bridge
> > (http://libvirt.org/formatnetwork.html#examplesBridge) so oVirt can
> > consume your networking setup.
> >
>
> Hmm, do we really need a libvirt bridge or can't we go simply with a regular
> virtual bridge as I already use?

The extnet hook expects that you create a libvirt network on top of your
regular nic. You could write your own "extbridge" hook, that consumes the
regular bridge directly. The libvirt network may seem like a needless layer,
but it grants the extnet bridge a lot of flexibility (such as connecting to
an ovs bridge instead of to a Linux bridge).

>
> All I want is to connect oVirt's VLAN NIC to existing interfaces.
> I am aware that then many configs have to be done manually, but that's fine
> for now

Understood, and that's doable.

> >
> > But who creates that VPN connection? Who supplies the credentials?
> Well, this is manual, only once per host, no desire for automation here.
> I've automated scripts for that but I usually use an offline PC as a signing
> device.

Understood. I am asking since I'd like to understand how people (plan to)
use oVirt, and whether we can automate more of their chores.

> >
> > How does this work, if they are both behind NAT?
>
> Well they are not and they are, it's a routed NAT combo :)
>
> Let's say I have 2 servers - we would then have 3 internal networks -
>
> 1 - VPN connecting and routing between physical hosts
> 2&3 - Each host's internal bridge subnet which does routing
>
> NAT comes in when we go outside - usually port forward - which is handy to
> save IPs
>
> So think of every host not only as a hypervisor but also as a network node
>
>
> Only downside: if I move a VM from A to B I've to adjust the IPs, NAT and
> firewall
>
> Upside and reason for this is:
> 1, I can use one ext IP for several VMs if they need different ports. ATM I
> can save over 3/4 of ext IPs.
> 2, Also I do not need to manage the firewall on every VM, only on the hosts
> 3, Additional security by having all daemons whatsoever only bound to
> internal interfaces.
> All daemons are bound to their internal br0 IP and I can easily access
> certain ports like ssh or mysql within the VPN only, without exposing
> anything outside, with a minimum of administrative work
> Who can access what is currently defined by firewall rules within each host
> - here Firewallbuilder comes in handy BTW :)))
>
> >
> > You'd like to automate the creation of NAT rules? VPN creation?
> Well, I would like to automate port-based NAT and firewall rules, that's the
> dream. VPN as described I don't really but but hey who knows if someone else
> wants it.
> Actually I think (even if I'm not gonna need it) it would be a nice feature
> for many - especially these days
>
>
> Only port forwarding and/or complete NAT on the host would make life easier.
> However, most important is that I get the thing running,
> even if it means manual config on each host
>
>
> My issues with oVirt were simply that I couldn't find a way to assign the
> needed interfaces. So if I simply manually specify what's going on it should
> be enough
>
> BTW I took a look at openqrm and they have already addressed many of those
> needs like puppet, DHCP, DNS and NAT translation over IP pools and stuff.
> Still my setup seems too strange for them either lol
>
>
>
> I think (if I understand the README correctly it's exactly what extnet is
> doing) the best way would be to simply allow specifying custom interface
> names. That way we can build custom configs on our hosts however strange we
> want 'em

right, that's the motivation behind that hook. Please try if oVirt can do
what you need, and report to this list!

>
> Since you have to do it only for each physical host it's not THAT evil to do
> and you can write easy scripts to do that for you.
>
> But what would be handy in any case - no matter which setup or regular
> oVirt setup, and I am really missing, is a firewall config.
> Perfect dream would be something visual with objects like Firewall Builder
> (dev stopped sadly), I think I saw something web-based in some open-source
> firewall distros too.
>
> I mean we have to config firewalls for the hosts in any case - of course I
> know this would be a monster to implement fully
>
> just dreaming :))

Well do not forget your dream, maybe someone would be able to implement it
one day (though it does not seem to be around the corner).

Dan.
_______________________________________________
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users
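
The per-host port forwarding discussed in the thread (one external IP shared by several VMs on different ports, with services reachable only through explicit host rules) can be generated from a small table. This is an added sketch, not code from either poster or from oVirt. Only `br0` comes from the thread; the interface name `eth0`, the subnet and the forward table are constructed sample values, and the host's FORWARD chain is assumed to be default-deny with an ESTABLISHED,RELATED accept rule already in place.

```python
import ipaddress

# Constructed sample values (assumptions, not from the thread): external NIC,
# bridge subnet and the forward table. br0 is the bridge named in the thread.
EXT_IF = "eth0"
BRIDGE_IF = "br0"
BRIDGE_NET = ipaddress.ip_network("192.168.10.0/24")
FORWARDS = [
    # (protocol, external port, VM address on br0, VM port)
    ("tcp", 2201, "192.168.10.11", 22),
    ("tcp", 2202, "192.168.10.12", 22),
    ("tcp", 443, "192.168.10.12", 443),
]


def build_rules(forwards, ext_if=EXT_IF, bridge_if=BRIDGE_IF, net=BRIDGE_NET):
    """Return iptables commands for the forwards, or raise ValueError."""
    seen = set()
    rules = []
    for proto, ext_port, vm_ip, vm_port in forwards:
        if proto not in ("tcp", "udp"):
            raise ValueError(f"unsupported protocol: {proto}")
        for port in (ext_port, vm_port):
            if not 1 <= port <= 65535:
                raise ValueError(f"port out of range: {port}")
        # A target outside the bridge subnet would forward traffic off-host.
        if ipaddress.ip_address(vm_ip) not in net:
            raise ValueError(f"{vm_ip} is not on the bridge subnet {net}")
        # One external IP is shared, so each (protocol, port) maps to one VM only.
        if (proto, ext_port) in seen:
            raise ValueError(f"external {proto}/{ext_port} is forwarded twice")
        seen.add((proto, ext_port))
        rules.append(
            f"iptables -t nat -A PREROUTING -i {ext_if} -p {proto} "
            f"--dport {ext_port} -j DNAT --to-destination {vm_ip}:{vm_port}"
        )
        # DNAT runs before the FORWARD chain, so match the translated address.
        rules.append(
            f"iptables -A FORWARD -i {ext_if} -o {bridge_if} -p {proto} "
            f"-d {vm_ip} --dport {vm_port} -m conntrack --ctstate NEW -j ACCEPT"
        )
    return rules


if __name__ == "__main__":
    print("\n".join(build_rules(FORWARDS)))
```

When a VM moves to another host, only its rows in the table change, and the duplicate-port check catches a collision on the new host before any rule is loaded.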