<div dir="ltr"><div><p dir="ltr"><br>
><br>
> Well, there's nothing much beyond the hook's README<br>
> <a href="http://gerrit.ovirt.org/gitweb?p=vdsm.git;a=blob;f=vdsm_hooks/extnet/README;h=0778dbb3ef85c5ae179fb0f6c9ceeabc268abe89;hb=HEAD" target="_blank">http://gerrit.ovirt.org/gitweb?p=vdsm.git;a=blob;f=vdsm_hooks/extnet/README;h=0778dbb3ef85c5ae179fb0f6c9ceeabc268abe89;hb=HEAD</a><br>
> You should start by defining a libvirt network, and then mark a vNIC<br>
> profile with a custom property so that the network is used by vNICs.<br>
><br>
> As a very first stage, you may define the libvirt network on top of your<br>
> existing br0 bridge<br>
> (<a href="http://libvirt.org/formatnetwork.html#examplesBridge" target="_blank">http://libvirt.org/formatnetwork.html#examplesBridge</a>) so oVirt can<br>
> consume your networking setup.<br>
><br>
</p><p>Hmm, do we really need a libvirt bridge, or can't we simply go with a regular virtual bridge as I already use?</p><p>All I want is to connect oVirt's VLAN NIC to existing interfaces. <br>I am aware that many configs then have to be done manually, but that's fine for now<br>
</p><p dir="ltr"><br></p><p dir="ltr">> But who creates that VPN connection? Who supplies the credentials?<br>
Well, this is manual, only once per host, no desire for automation here. I've automated scripts for that but I usually use an offline PC as a signing device.<br>
</p><p dir="ltr"><br></p>><br><p dir="ltr">
><br>
> How does this work, if they are both behind NAT?</p>
<p>Well, they are not and they are, it's a routed NAT combo :)</p><p>Let's say I have 2 servers - we would then have 3 internal networks - <br></p><p>1 - VPN connecting and routing between physical hosts<br>2&3 - Each host's internal bridge subnet which does routing <br>
<br></p><p>NAT comes in when we go outside - usually port forwarding - which is handy to save IPs<br></p><p>So think of every host not only as a hypervisor but also as a network node<br></p><p dir="ltr"><br></p>Only downside: if I move a VM from A to B, I have to adjust the IPs, NAT and firewall
<p>Upside and reason for this is:<br>1, I can use one ext IP for several VMs if they need different ports. ATM I can save over 3/4 of ext IPs.<br>2, also I do not need to manage the firewall on every VM, only on the hosts<br>
3, Additional security by having all daemons whatsoever only bound to internal interfaces.<br></p>All daemons are bound to their internal br0 IP and I can easily access certain ports like SSH or MySQL within the VPN only, without exposing anything outside, with a minimum of administrative work <br>
</div>Who can access what is currently defined by firewall rules within each host - here Firewall Builder comes in handy BTW :)))<br><div>
<p>><br>
> You'd like to automate the creation of NAT rules? VPN creation?<br>
Well, I would like to automate port-based NAT and firewall rules, that's the dream. VPN, as described, I don't really, but hey, who knows if someone else wants it.<br>Actually I think (even if I'm not gonna need it) it would be a nice feature for many - especially these days<br>
</p>
<p></p><p dir="ltr"><br>Only port forwarding and/or complete NAT on the host would make life easier. However, most important is that I get the thing running,<br>
even if it means manual config on each host</p>
<p dir="ltr"><br></p><p dir="ltr">My issues with oVirt were simply that I couldn't find a way to assign the needed interfaces. So if I simply manually specify what's going on, it should be enough<br><br>BTW I took a look at openQRM and they have already addressed many of those needs like Puppet, DHCP, DNS and NAT translation over IP pools and stuff. Still, my setup seems too strange for them as well lol<br>
</p><p dir="ltr"><br><br></p><p>I think (if I understand the README correctly, it's exactly what extnet is doing) the best way would be to simply allow specifying custom interface names.<br>That way we can build custom configs on our hosts however strange we want 'em<br>
</p><p>Since you have to do it only for each physical host, it's not THAT evil to do and you can write easy scripts to do that for you.<br></p><p>But what would be handy in any case - no matter which setup or regular oVirt setup - and what I am really missing is a firewall config.<br>
Perfect dream would be something visual with objects like Firewall Builder (dev stopped sadly), I think I saw something web-based in some open-source firewall distros too.</p><p>I mean we have to configure firewalls for the hosts in any case - of course I know this would be a monster to implement fully <br>
</p><p>Just dreaming :))<br>
</p>
</div></div>