On Nov 12, 2013, at 7:58 AM, Assaf Muller wrote:
> Can users outside of the hosts' networks reach the VMs in the hosts?
I have not tested this yet. I have been focused on the host's
networking behavior outside of the ovirt/vdsm bits.
(Mainly, checking in on other things.) I realize this presents a
flaw in my thinking that the host was not behaving
properly. I will adjust my thinking on this item, and then test with a
valid set of criteria.
> If you use netstat -rn it is expected that the gateway will be 0.0.0.0,
> as ifcfg-ovirtmgmt has DEFROUTE=yes and ifcfg-public has DEFROUTE=no,
> then ovirtmgmt's 'gateway' (0.0.0.0) will be determined as the host's
> default gateway. However with the new multiple gateways feature we
> configure source routing to make sure that traffic that comes (from the
> outside) in the public network's device will return the way it came in.
That makes a lot of sense to me now. And, actually, I believe is the
way it is working, the more I think about the behavior I'm seeing.
> You can use 'ip rule' to see the rules VDSM configures. It creates two
> rules and a routing table per device. You can use 'ip route show table
> %s' on each table, where the IDs can be obtained by 'ip rule'.
This is super helpful. Thank you.
A large part of this is likely me needing to adjust my thinking. As
long as my VMs are behaving as expected, do I actually need the host
to, by default, send traffic out the 'public' interface? If I do, what
traffic is that? Can I change that traffic? The likelihood is that
there is only a small amount of data, mostly centering around metrics,
and some config management, that would be host-sourced data that
currently isn't destined for my management network. Maybe those data
*should* run over the management network, if my desire for an extra
layer of protection of those data is a valid desire.
Of course, that's not the way I have things arranged right now, but,
maybe I can fix that.
Thank you very much for your help, I have enough information to get back
on the problem now.
--Chris
_______________________________________________
Users mailing list
Users(a)ovirt.org
http://lists.ovirt.org/mailman/listinfo/users
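The per-device source routing Assaf describes (two `ip rule` entries and one routing table per device, inspected with `ip rule` and `ip route show table <id>`) as an added shell example. This is not VDSM's own code: the exact rule shapes, the device name `public`, the subnet, gateway and table id are assumptions chosen for illustration, and the `ip rule` output used for parsing is constructed, not captured from a host.

```shell
#!/bin/sh
# Added example, not VDSM code. Builds (and optionally applies) the kind of
# policy-routing setup described in the thread: one routing table per device,
# a "from <subnet>" rule and a "to <subnet>" rule that select it, and a
# default route via that network's own gateway inside the table, so replies
# to traffic that arrived on the device leave through the same device.
# Device, subnet, gateway and table id are assumed values for illustration.

# sourceroute_cmds DEV SUBNET GATEWAY TABLE
# Prints the ip(8) commands for one device's source-routing setup.
sourceroute_cmds() {
    dev=$1; subnet=$2; gw=$3; table=$4
    # Rule 1: packets sourced from the device's subnet consult this table.
    echo "ip rule add from $subnet table $table"
    # Rule 2: packets destined to that subnet consult the same table.
    echo "ip rule add to $subnet table $table"
    # The table: subnet is on-link, everything else goes via this network's
    # gateway rather than the host's main default gateway (ovirtmgmt's).
    echo "ip route add $subnet dev $dev table $table"
    echo "ip route add default via $gw dev $dev table $table"
}

# The inspection commands mentioned in the thread, for a given table id.
inspect_cmds() {
    echo "ip rule show"
    echo "ip route show table $1"
}

# List the numeric table ids referenced by `ip rule` output (read from stdin),
# i.e. the ids to pass to `ip route show table <id>`. Named tables such as
# main/local/default are skipped.
rule_tables() {
    awk '/ lookup / && $NF ~ /^[0-9]+$/ { print $NF }' | sort -un
}

# Constructed sample of `ip rule` output (assumed format, not a real capture).
SAMPLE_RULES='0:      from all lookup local
32764:  from 198.51.100.0/24 lookup 101
32765:  to 198.51.100.0/24 lookup 101
32766:  from all lookup main
32767:  from all lookup default'

# apply DEV SUBNET GATEWAY TABLE: print the commands, or run them as root
# when APPLY=1 is set in the environment.
apply() {
    if [ "${APPLY:-0}" = "1" ]; then
        sourceroute_cmds "$@" | while read -r cmd; do $cmd; done
    else
        sourceroute_cmds "$@"
    fi
}

# Usage (dry run; set APPLY=1 and run as root to really configure):
#   apply public 198.51.100.0/24 198.51.100.1 101
#   ip rule show | rule_tables
```

On a live host, feed the real `ip rule` output into `rule_tables` to get the table ids, then `ip route show table <id>` for each to see where traffic entering a given device is sent back out.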
please note you can set which logical network is the 'display'
(console/spice/vnc) network, which is what the users use to connect
spice/vnc console to the VM with. default is ovirtmgmt, but you probably
want to change it in your case.