Can users outside of the hosts' networks reach the VMs in the hosts? I have not tested this yet. I have been focused on the host's = networking behavior outside of the ovirt/vdsm bits. (Mainly, it checking in on other things.) I realize this presents a = flaw in my thinking that the host was not behaving
--Apple-Mail=_FCD8DFFF-35C7-43CB-9FC6-56D63CD3F5E6 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset=us-ascii On Nov 12, 2013, at 7:58 AM, Assaf Muller wrote: properly. I will adjust my thinking on this item, and then test with a = valid set of criteria.
If you use netstat -rn it is expected that the gateway will be = 0.0.0.0, as ifcfg-ovirtmgmt has DEFROUTE=3Dyes and ifcfg-public has = DEFROUTE=3Dno, then ovirtmgmt's 'gateway' (0.0.0.0) will be determined as the host's default gateway. = However with the new multiple gateways feature we configure source = routing to make sure that traffic that comes (from the outside) in the public = network's device will return the way it came in. That makes a lot of sense to me now. And, actually, I believe is the = way it is working, the more I think about the behavior I'm seeing.
You can use 'ip rule' to see the rules VDSM configures. It creates two = rules and a routing table per device. You can use 'ip route show table = %s' on each table, where the IDs can be obtained by 'ip rule'. This is super helpful. Thank you.
A large part of this is likely me needing to adjust my thinking. As = long as my VM's are behaving as expected, do I actually need the host to, by default, send traffic out the 'public' interface? If I do, what = traffic is that? Can I change that traffic? The likely hood is that = there are only a small amount of data, mostly centering around metrics, and some = config management, that would be host sourced data that currently isn't destined for my management network. Maybe those data *should* run = over the management network, if my desire for an extra layer of protection of those data is a valid desire. Of course, that's not the way I have things arranged right now, but, = maybe I can fix that. Thank you very much for your help, I have enough information to get back = on the problem now. --Chris --Apple-Mail=_FCD8DFFF-35C7-43CB-9FC6-56D63CD3F5E6 Content-Transfer-Encoding: quoted-printable Content-Type: text/html; charset=us-ascii <html><head></head><body style=3D"word-wrap: break-word; = -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; = "><br><div><div>On Nov 12, 2013, at 7:58 AM, Assaf Muller = wrote:</div><br class=3D"Apple-interchange-newline"><blockquote = type=3D"cite"><span class=3D"Apple-style-span" style=3D"border-collapse: = separate; font-family: Helvetica; font-style: normal; font-variant: = normal; font-weight: normal; letter-spacing: normal; line-height: = normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; = text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; = -webkit-border-horizontal-spacing: 0px; -webkit-border-vertical-spacing: = 0px; -webkit-text-decorations-in-effect: none; -webkit-text-size-adjust: = auto; -webkit-text-stroke-width: 0px; font-size: medium; ">Can users = outside of the hosts' networks reach the VMs in the = hosts?<br></span></blockquote>I have not tested this yet. I have = been focused on the host's networking behavior outside of the ovirt/vdsm = bits.</div><div>(Mainly, it checking in on other things.) I = realize this presents a flaw in my thinking that the host was not = behaving</div><div>properly. I will adjust my thinking on this = item, and then test with a valid set of = criteria.</div><div><br><blockquote type=3D"cite"><span = class=3D"Apple-style-span" style=3D"border-collapse: separate; = font-family: Helvetica; font-style: normal; font-variant: normal; = font-weight: normal; letter-spacing: normal; line-height: normal; = orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: = none; white-space: normal; widows: 2; word-spacing: 0px; = -webkit-border-horizontal-spacing: 0px; -webkit-border-vertical-spacing: = 0px; -webkit-text-decorations-in-effect: none; -webkit-text-size-adjust: = auto; -webkit-text-stroke-width: 0px; font-size: medium; ">If you use = netstat -rn it is expected that the gateway will be 0.0.0.0, as = ifcfg-ovirtmgmt has DEFROUTE=3Dyes and ifcfg-public has DEFROUTE=3Dno, = then ovirtmgmt's<br>'gateway' (0.0.0.0) will be determined as the host's = default gateway. However with the new multiple gateways feature we = configure source routing to make<br>sure that traffic that comes (from = the outside) in the public network's device will return the way it came = in.<br></span></blockquote><div>That makes a lot of sense to me now. = And, actually, I believe is the way it is working, the more I = think about the behavior I'm seeing.</div><div><br></div><blockquote = type=3D"cite"><span class=3D"Apple-style-span" style=3D"border-collapse: = separate; font-family: Helvetica; font-style: normal; font-variant: = normal; font-weight: normal; letter-spacing: normal; line-height: = normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; = text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; = -webkit-border-horizontal-spacing: 0px; -webkit-border-vertical-spacing: = 0px; -webkit-text-decorations-in-effect: none; -webkit-text-size-adjust: = auto; -webkit-text-stroke-width: 0px; font-size: medium; ">You can use = 'ip rule' to see the rules VDSM configures. It creates two rules and a = routing table per device. You can use 'ip route show table %s' on = each<br>table, where the IDs can be obtained by 'ip = rule'.</span></blockquote>This is super helpful. Thank = you.</div><div><br></div><div>A large part of this is likely me needing = to adjust my thinking. As long as my VM's are behaving as = expected, do I actually need the host</div><div>to, by default, send = traffic out the 'public' interface? If I do, what traffic is that? = Can I change that traffic? The likely hood is that there = are</div><div>only a small amount of data, mostly centering around = metrics, and some config management, that would be host sourced = data that currently</div><div>isn't destined for my management network. = Maybe those data *should* run over the management network, if my = desire for an extra layer</div><div>of protection of those data is a = valid desire.</div><div><br></div><div>Of course, that's not the way I = have things arranged right now, but, maybe I can fix = that.</div><div><br></div><div>Thank you very much for your help, I have = enough information to get back on the problem = now.</div><div><br></div><div>--Chris</div><div><br></div><br></body></htm= l>= --Apple-Mail=_FCD8DFFF-35C7-43CB-9FC6-56D63CD3F5E6--