
On 11/12/2013 09:50 AM, Christopher Geddings wrote:
> On Nov 12, 2013, at 7:58 AM, Assaf Muller wrote:
>> Can users outside of the hosts' networks reach the VMs in the hosts?
>
> I have not tested this yet. I have been focused on the host's networking behavior outside of the ovirt/vdsm bits. (Mainly, its checking in on other things.) I realize this presents a flaw in my thinking that the host was not behaving properly. I will adjust my thinking on this item, and then test with a valid set of criteria.
>
>> If you use netstat -rn it is expected that the gateway will be 0.0.0.0: as ifcfg-ovirtmgmt has DEFROUTE=yes and ifcfg-public has DEFROUTE=no, ovirtmgmt's 'gateway' (0.0.0.0) will be determined as the host's default gateway. However, with the new multiple gateways feature we configure source routing to make sure that traffic that comes in (from the outside) on the public network's device will return the way it came in.
>
> That makes a lot of sense to me now. And, actually, I believe that is the way it is working, the more I think about the behavior I'm seeing.
>
>> You can use 'ip rule' to see the rules VDSM configures. It creates two rules and a routing table per device. You can use 'ip route show table %s' on each table, where the IDs can be obtained by 'ip rule'.
>
> This is super helpful. Thank you.
>
> A large part of this is likely me needing to adjust my thinking. As long as my VMs are behaving as expected, do I actually need the host to, by default, send traffic out the 'public' interface? If I do, what traffic is that? Can I change that traffic? The likelihood is that there is only a small amount of data, mostly centering around metrics and some config management, that would be host-sourced data that currently isn't destined for my management network. Maybe those data *should* run over the management network, if my desire for an extra layer of protection of those data is a valid desire.
>
> Of course, that's not the way I have things arranged right now, but maybe I can fix that.
>
> Thank you very much for your help, I have enough information to get back on the problem now.
>
> --Chris
_______________________________________________ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users
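The inspection procedure quoted above (read the table IDs from `ip rule`, then dump each table with `ip route show table`) as a small POSIX shell helper. This is an added example, not code from the thread or from VDSM; the sample `ip rule` output, the 192.0.2.0/24 network and the table number in it are constructed for illustration, and a real host's rules are read from `ip rule` only when the script is invoked with `--live`.

```shell
#!/bin/sh
# Added example (not VDSM's own code): walk the policy-routing tables that a
# multiple-gateway setup creates. Requires iproute2 for the live path only.

# rule_tables: read `ip rule` text on stdin, print each routing table ID that
# a rule sends lookups to, one per line, deduplicated. The built-in tables
# (local, main, default) are skipped because they are not per-device tables.
rule_tables() {
    sed -n 's/.*lookup \([^ ]*\).*/\1/p' \
        | grep -v -x -e main -e local -e default \
        | sort -u
}

# rules_for_table: read `ip rule` text on stdin, print the selector part
# ("from X" / "from all to X") of every rule that points at table $1.
# A per-device table managed as described in the thread shows two such rules.
rules_for_table() {
    grep "lookup $1\$" | sed 's/^[0-9]*:[[:space:]]*//; s/ lookup .*//'
}

# Constructed sample of `ip rule` output (not captured from a real host):
# one extra network on 192.0.2.0/24 with its own table, ID chosen arbitrarily.
SAMPLE_RULES='0:      from all lookup local
32764:  from 192.0.2.0/24 lookup 3232235776
32765:  from all to 192.0.2.0/24 lookup 3232235776
32766:  from all lookup main
32767:  from all lookup default'

# show_source_routing: for each per-device table on the running host, print
# the rules that select it and the routes it contains.
show_source_routing() {
    rules=$(ip rule)
    printf '%s\n' "$rules" | rule_tables | while read -r t; do
        echo "== table $t =="
        printf '%s\n' "$rules" | rules_for_table "$t" | sed 's/^/rule: /'
        ip route show table "$t"
    done
}

# Walk the constructed sample by default; pass --live to query the host.
if [ "${1:-}" = "--live" ]; then
    show_source_routing
else
    printf '%s\n' "$SAMPLE_RULES" | rule_tables | while read -r t; do
        echo "== table $t (sample) =="
        printf '%s\n' "$SAMPLE_RULES" | rules_for_table "$t" | sed 's/^/rule: /'
    done
fi
```

Run as `sh inspect_tables.sh --live` on the host to see the real tables; a device whose table is listed but holds no routes, or whose "from" rule is missing, is the first thing to check when return traffic leaves by the wrong interface.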
Please note you can set which logical network is the 'display' (console/spice/vnc) network, which is what the users use to connect a spice/vnc console to the VM with. The default is ovirtmgmt, but you probably want to change it in your case.