<div dir="ltr">Here: <a href="http://www.mail-archive.com/users@ovirt.org/msg06261.html">http://www.mail-archive.com/users@ovirt.org/msg06261.html</a><br></div><div class="gmail_extra"><br><br><div class="gmail_quote">2013/2/10 Shahar Havivi <span dir="ltr"><<a href="mailto:shaharh@redhat.com" target="_blank">shaharh@redhat.com</a>></span><br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="im">On 10.02.13 16:36, Matt . wrote:<br>
> Hi,<br>
><br>
> I'm thinking about the way how I did that with the dedicated NIC to the VM.<br>
> I was discussing this a couple of months ago on IRC but I can't remeber and<br>
> I already tried to do this... no luck yet. I remember that the NICS were<br>
> just available when adding a nic to the VM, by MAC-address. Can't figure it<br>
> out yet what I did those except of not sleeping that much :)<br>
</div>I don't remember that, sorry...<br>
<div class="im">><br>
> About the error that I get I do the following:<br>
><br>
><br>
> Hosts > Network Interfaces > Setup Host Networks.<br>
><br>
> When I drag a network I created to a NIC and I don't set an IP or DHCP or<br>
> None I get that error: "Error while executing action Setup Networks:<br>
> Illegal or Incomplete IP Address"<br>
><br>
> When I set and IP to that network that is draaged to the Nic I don't get an<br>
> error, but why only and IP and no GW as this is IP seems to be bridged in<br>
> the host to the VM where you add a Nic to with that same network you just<br>
> gave an IP.<br>
><br>
> When saying the above, could have been possible that I have set the<br>
> Mac-Address of the real Nic @ the VM Nic ? As this is possible that might<br>
> have been the solution I used ?<br>
><br>
> For the rest this software is good and the support is superb!<br>
</div>I can't reproduce this error,<br>
its look like UI validation...<br>
Alona,Moti did you encounter this error?<br>
<div><div class="h5"><br>
><br>
> Thanks so far again.<br>
><br>
> Matt<br>
><br>
><br>
> 2013/2/10 Shahar Havivi <<a href="mailto:shaharh@redhat.com">shaharh@redhat.com</a>><br>
><br>
> > On 10.02.13 16:16, Matt . wrote:<br>
> > > Hi Shahar,<br>
> > ><br>
> > > Thanks, I need to work this out further to have it 100% visible.<br>
> > ><br>
> > > I wonder why I was able in the past (3.1) to dedicate an NIC to a VM.<br>
> > ><br>
> > > Do you also have an explanation why I cannot save a network configuration<br>
> > > with a nic in DHCP mode ? It complains about a wrong IP and I have seen<br>
> > it<br>
> > > should be a bug. Is this right ?<br>
> > How did you that...<br>
> > I.e can you tell me the steps that you made in the UI? (for both cases)<br>
> > ><br>
> > > Cheers,<br>
> > ><br>
> > > Matt<br>
> > ><br>
> > ><br>
> > > 2013/2/10 Shahar Havivi <<a href="mailto:shaharh@redhat.com">shaharh@redhat.com</a>><br>
> > ><br>
> > > > On 10.02.13 14:13, Dan Kenigsberg wrote:<br>
> > > > > On Sun, Feb 10, 2013 at 12:19:57PM +0100, Matt . wrote:<br>
> > > > > > Hi,<br>
> > > > > ><br>
> > > > > > For setting up a firewall in a VM I would like to add 2 of my 4<br>
> > nics<br>
> > > > > > directly to a VM.<br>
> > > > > ><br>
> > > > > > In my previous setup I thought I have done that, but at the moment<br>
> > I<br>
> > > > cannot<br>
> > > > > > figure this out and cannot find the docs to accomplish this.<br>
> > > > > ><br>
> > > > > > I would like to dedicate those 2 nics to my firewall VM's to avoid<br>
> > > > sharing<br>
> > > > > > them using a network per accident to other VM's.<br>
> > > > > ><br>
> > > > > > How is this be done at the moment ?<br>
> > > > ><br>
> > > > > AFAIK it can be done only with a vdsm hook. You'd need to define<br>
> > your VM<br>
> > > > > with no interface at all, but instead, mark it with a special custom<br>
> > > > > property you define. Then, you should write a hook that adds the two<br>
> > > > > host interfaces to the VM, by means of either<br>
> > > > > <a href="http://libvirt.org/formatdomain.html#elementsNICSDirect" target="_blank">http://libvirt.org/formatdomain.html#elementsNICSDirect</a> or<br>
> > > > > <a href="http://libvirt.org/formatdomain.html#elementsNICSHostdev" target="_blank">http://libvirt.org/formatdomain.html#elementsNICSHostdev</a><br>
> > > > ><br>
> > > > > Most probably, you would need to pin your firewall VM to a specific<br>
> > > > > host.<br>
> > > > ><br>
> > > > > Writing a hook is not too complex, but it requires understanding of<br>
> > how<br>
> > > > > vdsm and libvirt works. You can take<br>
</div></div>> > > > > <a href="http://gerrit.ovirt.org/gitweb?p=vdsm.git;a=tree;f=vdsm_hooks/vmfexas" target="_blank">http://gerrit.ovirt.org/gitweb?p=vdsm.git;a=tree;f=vdsm_hooks/vmfexas</a> a<br>
<div class="HOEnZb"><div class="h5">> > > > > reference, or ask for specific guidance here.<br>
> > > > ><br>
> > > > > Dan.<br>
> > > > Dan is right,<br>
> > > > Currently you can do it via hook,<br>
> > > > We do have promisc mode but currently we have mirroring mode only (ie<br>
> > you<br>
> > > > can<br>
> > > > monitor each VM traffic but cannot intercept it).<br>
> > > > The way to do it is via layer 2.<br>
> > > ><br>
> > > > its best to implement after_vm_start hook and use ebtables.<br>
> > > > you can pass to the hook the network name.<br>
> > > > when you have the network name you can prob for its mac address and in<br>
> > the<br>
> > > > libvirt xml<br>
> > > > you can view the interfaces that are part of that network and get the<br>
> > mac<br>
> > > > addresses as well. (look at other hooks as Dan point out)<br>
> > > ><br>
> > > > when you have the network name the network mac and the target<br>
> > interface you<br>
> > > > can use ebtables:<br>
> > > > 1. set the bridge in promisc mode<br>
> > > > $ ifconfig <netwok name> promisc<br>
> > > > 2. traffic to the monitoring machine<br>
> > > > $ ebtables -t nat -A PREROUTING -d 00:1a:4a:16:01:51 -i eth0 -j dnat<br>
> > > > --to-destination 00:1a:4a:16:01:11<br>
> > > > 3. traffic from the monitoring machine<br>
> > > > $ ebtables -t nat -A PREROUTING -s 00:1a:4a:16:01:51 -i vnet0 -j<br>
> > dnat<br>
> > > > --to-destination 00:1a:4a:16:01:11<br>
> > > ><br>
> > > > 1. set the network interface in promiscous mode<br>
> > > > 2. traffic that ment to the vm mac will go to the destination mac<br>
> > > > 2. traffic that sent from the vm mac will go to the destination mac<br>
> > > ><br>
> > > > note that the -i <interface> is the interface name and I think it can<br>
> > be<br>
> > > > omitted...<br>
> > > ><br>
> > > > Shahar Havivi.<br>
> > > ><br>
> ><br>
</div></div></blockquote></div><br></div>