Thank you for your response, Mike. I am slow answering because of the
American Thanksgiving holiday. Answers are below.
On 11/28/2013 1:41 AM, Mike Kolesnik wrote:
> ----- Original Message -----
> > I am trying to set up a testing network using o-virt, but the networking is
> > refusing to cooperate. I am testing for possible use in two different
> > production setups.
> >
> > My previous experience has been with VMWare. I have always set up a single
> > bridged network on each host. All my hosts, VMs, and non-VM computers were
> > peers on the LAN. They could all talk to each other, and things worked very
> > well. There was a firewall/gateway that provided access to the Internet, and
> > hosts, VMs, and could all communicate with the Internet as needed.
> >
> > o-virt seems to be compartmentalizing things beyond all reason.
> > Is there any way to set up simple networking, so ALL computers can see each
> > other?
> > Is there anywhere that describes the philosophy behind the networking setup?
> > What reason is there that networks are so divided?
> Yes, there is a lack of documentation in this area. It's a shame, but given it's an
> open source project with an open wiki, everyone is invited to contribute and
> improve this.
> I'll see if I can get a page started.
Please post a link if you succeed.
> > After banging my head against the wall trying to configure just one host, I
> > am very frustrated. I have spent several HOURS Googling for a coherent
> > explanation of how/why networking is supposed to work, but only find obscure
> > references like "letting non-VMs see VM traffic would be a huge security
> > violation". I have no concept of what kind of an installation the o-virt
> > designers have in mind, but it is obviously worlds different from what I am
> > trying to do.
> >
> > The best I can tell, o-virt networking works like this (at least when you
> > have only one NIC):
> > there must be an ovirtmgt network, which cannot be combined with any other
> > network.
> > the ovirtmgt network cannot talk to VMs (unless that VM is running the
> > engine)
> > the ovirtmgt network can only talk to hosts, not to other non-VM
> > computers
> > a VM network can talk only to VMs
> >   cannot talk to hosts
> >   cannot talk to non-VMs
> > hosts cannot talk to my LAN
> > hosts cannot talk to VMs
> > VMs cannot talk to my LAN
> > All of the above are enforced by a boatload of firewall rules that o-virt
> > puts into every host and VM under its jurisdiction.
> Not sure what you mean by all these "restrictions". From what I know, the
> firewall rules that are set on each host are to allow the host to talk to the engine
> (ssh, vdsm, VM consoles traffic, etc.), no more, no less.
> Usually the default behavior of the firewall is to block almost all communication, so
> when you add a host and check the "Configure firewall" box it modifies it so
> that your host can function properly.
I need my host to be on my LAN (for multiple reasons). Ovirtmgt "stole" the
LAN connection, and cut off the host from the LAN, a connection which worked
fine until then.
> oVirt has no sense of firewall otherwise. For all it cares you can turn it off
> completely, or configure it by yourself (manually or via puppet/chef/foreman/etc.)
> and not use the capability of the system to configure it for you.
How do I keep the engine from reconfiguring the firewall again if I change it
manually? I saw a blog post that mentioned being able to uncheck a box (on
the o-virt web GUI) called "configure IPTables". That /might/ be what I
need. I didn't see that box, but I wasn't looking for it (and at the moment
I don't have o-virt available to me).
> You can also change it so that it uses the rules you want by modifying
> IPTablesConfig via the engine-config tool.
Where can I find documentation on changing firewall rules using engine-config?
From what I understand, I want my LAN to be my non-VLAN bridge. Can I move
the ovirtmgt functionality to run over the LAN, or can I/will I have to put
ovirt-mgt onto a VLAN?
> > All of the above is inferred from things I Googled, because I can't find
> > anywhere that explains what or how things are supposed to work--only things
> > telling people WHAT THEY CAN'T DO. All I see on the mailing lists is people
> > getting their hands slapped because they are trying to do SIMPLE SETUPS that
> > should work, but don't (due to either design restrictions or software bugs).
> > My use case A:
> > * My (2 or 3) hosts have only one physical NIC.
> > * My VMs exist to provide services to non-VM computers.
> > * The VMs do not run X-windows, but they provide GUI programs to
> >   non-VMs via "ssh -X" connections.
> > * My VMs need access to storage that is shared with hosts and non-VMs on
> >   the LAN.
> Your VMs will be sitting on the ovirtmgmt network, or on a VLAN?
I want them to sit on the LAN (which may be ovirtmgt, if I can get the IP
filtering turned off). If they have to be on something else too, that is OK,
as long as it does not interfere with them being on the LAN.
FYI, the LANs on both of my applications are fairly small. One of them less
than 10 nodes, the other less than 20 nodes, and all nodes are trusted. One
of them is just a small network, the other is a heavily firewalled (only a
handful of pinholes) sub-network, separated so that it is a very safe
environment for a very HA machine grouping.
> If you want to use VLANs for the VM traffic, you can configure the management
> network to be non-VM, thus allowing you to put VLANs on the same NIC this
> network is occupying (just make sure to sync it first, because changes aren't
> applied automatically to the hosts, yet).
> In my small setup, the VMs are not on a VLAN and can talk to all other machines
> on the LAN via SSH, and I didn't configure anything special on the host level.
> > Is there some way to TURN OFF network control in o-virt?
It looks like the "configure IPTables" checkbox may be my answer here, if I
can find it (can't see ovirt at this moment).
> > My systems are
> > small and static. I can hand-configure the networking a whole lot easier
> > than I can deal with o-virt (as I have used it so far). Mostly I would need
> > to be able to turn off the firewall rules on both hosts and VMs.
> >
> > banging head against wall,
> Try not to break the wall (or your head) ;)
Neither broken yet. Head sometimes very hard.
Getting a test system up and running is "my next big project". I can't dive
into "my next big project" until I hit a major milestone on my "current big
project". I am hoping to hit that milestone this week. I will then try to
find the "configure IPTables" checkbox. Assuming I am successful, I will
reinstall my host and try adding it to o-virt. If o-virt doesn't mess with
the firewall, that will be step one. I will try to work through the other
networking issues from there. I think my preference would be to have one
non-VLAN bridge on the host which includes ovirtmgt and VM networking, all on
one bridge. I don't know if that is possible or not, but I'll see how close
I can get. If I can get the "configure IPTables" turned off, that will be a
huge step. If I can change what o-virt engine tries to impose on networking,
it will be even easier.
Ted
> > Ted
> >
> > _______________________________________________
> > Users mailing list
> > Users(a)ovirt.org
> > http://lists.ovirt.org/mailman/listinfo/users
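Added example, not from this thread or from the oVirt project: a small audit script for the situation Mike and Ted discuss above, where the "Configure firewall" step leaves a host with accept rules for the engine's services (ssh, vdsm, VM consoles) followed by a catch-all reject, and the admin wants to know whether that cut the host off from the rest of the LAN. It parses an iptables-save dump of the INPUT chain and evaluates what a fresh connection would hit. The rule dump, the LAN subnet 10.0.0.0/24, the engine address 10.0.0.5 and the peer 10.0.0.20 are constructed for the example; the port numbers (22, 54321, 5900-6923) are assumed oVirt defaults, since the thread names the services but not the ports.

```python
"""Audit an iptables-save dump of an oVirt host's INPUT chain.

Two questions after the engine has applied its host firewall rules:
  1. Are the ports the engine needs on the host (ssh, vdsm, VM consoles) accepted?
  2. Would a plain LAN peer opening a new connection to the host be rejected by the
     trailing catch-all rule, i.e. has the host been cut off from the LAN?
"""
import ipaddress
import re
from collections import namedtuple

# Assumed oVirt default ports for the services named in the thread (assumption).
REQUIRED_TCP = {
    "ssh": (22, 22),
    "vdsm": (54321, 54321),
    "consoles": (5900, 6923),   # SPICE/VNC console range
}

# Constructed addresses: a small trusted LAN, the engine, and a non-VM peer on it.
LAN = "10.0.0.0/24"
ENGINE_IP = "10.0.0.5"
LAN_PEER = "10.0.0.20"

# Constructed sample in the shape an engine-managed ruleset typically has:
# stateful accept, loopback, the engine ports, then reject everything else.
SAMPLE_RULES = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 54321 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 5900:6923 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""

# The same ruleset with an explicit allow for the trusted LAN inserted ahead of
# the catch-all reject: the manual change an admin would make to stay on the LAN.
LAN_OPEN_RULES = SAMPLE_RULES.replace(
    "-A INPUT -j REJECT",
    "-A INPUT -s %s -j ACCEPT\n-A INPUT -j REJECT" % LAN)

Rule = namedtuple("Rule", "proto src iface states ports target")


def parse_dump(dump):
    """Return (INPUT chain policy, INPUT rules in evaluation order)."""
    policy, rules = "ACCEPT", []
    for line in dump.splitlines():
        if line.startswith(":INPUT "):
            policy = line.split()[1]
        if not line.startswith("-A INPUT "):
            continue

        def opt(flag):
            # Value following a flag that stands alone as a token on this line.
            m = re.search(r"(?<!\S)" + re.escape(flag) + r" (\S+)", line)
            return m.group(1) if m else None

        ports = []
        for item in (opt("--dport") or opt("--dports") or "").split(","):
            if item:
                lo, _, hi = item.partition(":")
                ports.append((int(lo), int(hi or lo)))
        states = set((opt("--state") or opt("--ctstate") or "").split(",")) - {""}
        rules.append(Rule(opt("-p") or "any", opt("-s"), opt("-i"),
                          states, ports, opt("-j")))
    return policy, rules


def verdict(rules, proto, port, src_ip, policy="ACCEPT"):
    """First terminating rule matching a NEW connection decides; else the chain policy."""
    ip = ipaddress.ip_address(src_ip)
    for r in rules:
        if r.iface:                              # -i lo: not the LAN-facing path
            continue
        if r.states and "NEW" not in r.states:   # matches replies only, never a new flow
            continue
        if r.proto not in ("any", proto):
            continue
        if r.src and ip not in ipaddress.ip_network(r.src, strict=False):
            continue
        if r.ports and not any(lo <= port <= hi for lo, hi in r.ports):
            continue
        if r.target in ("ACCEPT", "DROP", "REJECT"):
            return r.target
    return policy


def audit(dump):
    """Map each check to True (accepted) or False (blocked)."""
    policy, rules = parse_dump(dump)
    result = {}
    for name, (lo, hi) in REQUIRED_TCP.items():
        result[name] = all(verdict(rules, "tcp", p, ENGINE_IP, policy) == "ACCEPT"
                           for p in (lo, hi))
    # A non-VM LAN peer opening a fresh connection to a port the engine did not
    # list (NFS, 2049/tcp, as a stand-in for shared storage traffic).
    result["lan_peer_to_host"] = verdict(rules, "tcp", 2049, LAN_PEER, policy) == "ACCEPT"
    return result


if __name__ == "__main__":
    for label, dump in (("engine-managed", SAMPLE_RULES), ("LAN allow added", LAN_OPEN_RULES)):
        print(label, audit(dump))
```

Run it against a real host with `iptables-save` output in place of the constructed dump; on the engine side, `engine-config -g IPTablesConfig` prints the rule template the engine pushes, so the same check can be run on that template before it ever reaches a host. The first dump reports the engine ports accepted but the LAN peer rejected, which is exactly the "stole the LAN connection" symptom; the second shows the explicit subnet allow, placed before the catch-all, restoring LAN reachability without touching the engine's own rules.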