[ovirt-users] ovirtmgmt network security

Istvan Buki buki.istvan at gmail.com
Mon Oct 30 20:13:30 UTC 2017


On Mon, Oct 30, 2017 at 10:50 AM, Alona Kaplan <alkaplan at redhat.com> wrote:

> Hi Istvan,
>
> I agree with Luca. You can remove nic1.
> 'ovirtmgmt' network is not mandatory on the vm, you can run the vm with no
> vnics (virtual nics) at all.
> The 'ovirtmgmt' network is used for communication between the engine and
> the host.
> Whether the vm is using the 'ovirtmgmt' network or not won't affect the
> management capabilities.
>
> You said that the vm nic with 'ovirtmgmt' was automatically added when you
> added the vm.
> It is strange and shouldn't behave this way. Are you sure that in the add
> vm dialog you didn't choose it as the network of nic1? (you could leave
> this section in the dialog unfilled, it is not mandatory).
>
> BTW, if you don't want any VM to use the 'ovirtmgmt' network you can go to
> the edit network dialog of 'ovirtmgmt' (in the Network main tab) and
> uncheck the 'vm network' checkbox.
>
> Hope it helps you,
> Alona.
>
>
Hi Alona,

Yes, removing nic1 was the solution I was looking for.

You are right, I probably added nic1 during the creation of the VM. This is
my first ovirt install and I'm a little bit overwhelmed by all the details
one has to know to create a system that is reliable and efficient.
Fortunately, thanks to people like you and Luca, I'll be able to overcome
the initial difficulties.


Istvan

> On Mon, Oct 30, 2017 at 11:26 AM, Luca 'remix_tj' Lorenzetto <lorenzetto.luca at gmail.com> wrote:
>
>> On Mon, Oct 30, 2017 at 8:45 AM, Istvan Buki <buki.istvan at gmail.com> wrote:
>> > Hello,
>> >
>> > thank you for your patience for trying to let me see the light.
>> >
>> > Indeed I don't understand what you are explaining. Maybe if I give you more
>> > concrete details it will help.
>> >
>> > My internal network is 192.168.196.0
>> > My DMZ network is 192.168.188.0
>> >
>> > ovirt-engine is running on a centos server with IP 192.168.186.3
>> > ovirt host is on a centos server with IP 192.168.186.4
>> >
>> > On the host I created a VM that I want to be in the DMZ. When I created the
>> > VM, nic 1 was automatically added and is linked to the ovirtmgmt network.
>> > In the VM nic1 becomes eth0 and was assigned an IP address with DHCP
>> > 192.168.186.167.
>> >
>> > After that I added a host device to that VM using passthrough. This device
>> > is called ens7 in the VM and I gave it IP 192.186.188.4.
>> > That device is directly connected to my physical DMZ switch and from there
>> > to the firewall.
>> > This part is OK.
>> >
>> > My problem is that through eth0 my VM has access to my internal network.
>> > Removing the device seems impossible because this is ovirtmgmt network.
>> > I can not change or remove the IP of my host because it would not be
>> > reachable anymore on my internal network.
>> >
>> > Maybe the solution is obvious but I can't see it. I'm running in circles with
>> > this problem and it makes me crazy.
>> >
>>
>>
>>
>> Hi Istvan,
>>
>> why are you using device passthrough?
>>
>> Anyway. If you don't need the VM to access ovirtmgmt, remove nic1.
>> As far as I can understand, you're directly communicating through DMZ.
>>
>> Luca
>>
>>
>> --
>> "It is absurd to employ men of excellent intelligence to perform
>> calculations that could be entrusted to anyone if machines were
>> used"
>> Gottfried Wilhelm von Leibnitz, Philosopher and Mathematician (1646-1716)
>>
>> "The Internet is the largest library in the world.
>> But the problem is that the books are all scattered on the floor"
>> John Allen Paulos, Mathematician (1945-living)
>>
>> Luca 'remix_tj' Lorenzetto, http://www.remixtj.net , <
>> lorenzetto.luca at gmail.com>