On Sat, Jan 22, 2022 at 11:41 PM ravi k <kottapar(a)gmail.com> wrote:
Hello team,
Hi,
Thank you for all the wonderful work you've been doing. I'm starting out
new with oVirt and OVN. So please excuse me if the questions are too
naive.
We intend to do a POC to check if we can migrate VMs off our current
VMware to oVirt. The intention is to migrate the VMs with the same IP into
oVirt. We've set up oVirt with three hypervisors. All of them have four
ethernet adapters. We have SDN implemented in our network and LACP bonds
are created at the switch level. So we've created two bonds, bond0 and
bond1 in each hypervisor. bond0 has the logical networks with vlan tagging
created like bond0.101, bond0.102 etc.
Can you give some more details about your current vSphere infrastructure?
What about the level of downtime you could give when migrating?
Have you already planned the strategy to transfer your VMs from vSphere to
oVirt?
Take care that probably on your VMware side your VMs have virtual hw for
nics defined as vmxnet, so when you migrate to oVirt, it will change and so
depending on your OS type (Windows based or Linux based) and in case of
Linux, depending on your distro and version, some manual operations could
be required to remap vnic assignments and definitions.
One possible first way to proceed could be to make a clone of one running
VM into one disconnected from the vSphere infra and then test on it the
steps to port to oVirt and so analyze times and impacts.
As a part of the POC we also want to explore OVN as well to check if we
can implement a zero trust security policy. Here are the questions now :)
1. We would like to migrate VMs with the current IP into oVirt. Is it
possible to achieve this? I've been reading notes and pages that mention
about extending the physical network into OVN. But it's a bit confusing on
how to implement it.
How do we connect OVN to the physical network? Does the fact that we have
a SDN make it easier to get this done?
The downstream (RHV) documentation to do it is here:
https://access.redhat.com/documentation/en-us/red_hat_virtualization/4.4/...
the upstream one is here:
https://www.ovirt.org/documentation/administration_guide/#Adding_OVN_as_a...
Take care that in RHV this feature is still considered Technology Preview,
so not recommended for production. It could apply to oVirt even more, so...
BTW, what do you mean by "... the fact that we have a SDN..."? Do you
mean standard virtual networking in contrast with physical one or do you
have any kind of special networking in vSphere now (NSX or such...)?
2. We have the IP for the hypervisor assigned on a logical
network(ovirtmgmt) in bond0. I read in
https://lists.ovirt.org/archives/list/users@ovirt.org/thread/CIE6MZ47GRCE...
that oVirt does not care about how the IP is configured when creating the
tunnels.
That was a thread originated by me... ;-)
But please consider that it is 5 years old now! At that time we were at 4.1
stage, while now we are at very different 4.4, so refer in case to recent
threads and better recent upstream (oVirt) and downstream (RHV) official
documentation pointed above.
Also, at that time ansible was not very much in place, while now in many
configuration tasks it is deeply involved.
The main concern in that thread was the impact of having OVN tunneling on
the ovirtmgmt management network, that is the default choice when you
configure OVN, in contrast with creating a dedicated network for it.
3. Once we have OVN set up, ovn logical networks created and VMs
created/migrated, how do we establish the zero trust policy? From what I've
read there are ACLs and security groups. Any pointers on where to explore
more about implementing it?
The downstream documentation and notes for this is here:
https://access.redhat.com/documentation/en-us/red_hat_virtualization/4.4/...
and upstream here:
https://www.ovirt.org/documentation/administration_guide/#Assigning_Secur...
Some manual undocumented steps through OpenStack Networking API or Ansible
could be required depending on your needs.
BTW: both upstream and downstream docs refer here to 4.2.7:
"In oVirt 4.2.7, security groups are disabled by default."
and
"In Red Hat Virtualization 4.2.7, security groups are disabled by default."
They should be changed to the corresponding version, or into something
like "in 4.2.7 and above..." if that applies and is intended.
If you've read till here, thank you for your patience.
No problem ;-)
Gianluca