
On Thu, Dec 12, 2019 at 10:06 AM Pavel Nakonechnyi <pavel@gremwell.com> wrote:
On Wednesday, 11 December 2019 16:37:50 CET Dominik Holler wrote:
On Wed, Dec 11, 2019 at 1:21 PM Pavel Nakonechnyi <pavel@gremwell.com> wrote:
Are there plans to introduce such support? (or explicitly not to..)
The feature is tracked in https://bugzilla.redhat.com/1782056
If you would comment on the bug about your use case and why the feature would be helpful in your scenario, this might help to push the feature.
Great, thanks, added a comment.
Thanks for helping to adjust oVirt!
Is it possible to somehow manually configure such tunneling for existing virtual networks? (even in a limited way)
I would be interested to know, how far we are away from the flow described in http://docs.openvswitch.org/en/stable/tutorials/ovn-ipsec/ . I expect that the openvswitch-ipsec package is missing. Any input on this is welcome.
Could you direct me to the part of oVirt system which handles OVS tunnels creation?
It seems that at some point oVirt issues a command similar to the following one:
`ovs-vsctl add-port br-int ovn-xxx-0 -- set interface ovn-xxx-0 type=geneve options:csum=true key=flow options:remote_ip=1.1.1.1`
I was not able to identify where the corresponding code is located. :(
When I tried to do a bad thing, manual deletion of such tunnel interface:
`ovs-vsctl del-port br-int ovn-xxx-0`
it was immediately re-created or just was not deleted.. Still have to experiment with that..
Yes, for VM OVS networking, oVirt does not use OVS directly; instead, OVN is doing the work. During adding or reinstalling a host, https://github.com/oVirt/ovirt-engine/tree/ovirt-engine-4.3/packaging/playbo... is triggered. This triggers https://github.com/oVirt/ovirt-provider-ovn/blob/master/driver/vdsm_tool/ovn... and https://github.com/oVirt/ovirt-provider-ovn/blob/master/driver/scripts/setup... while the latter is really doing the work. I expect that this file has to be extended by the call from http://docs.openvswitch.org/en/stable/tutorials/ovn-ipsec/#configuring-ovn-i... Maybe the http://docs.openvswitch.org/en/stable/tutorials/ovn-ipsec/#enabling-ovn-ipse... can be done in a first try manually. The weak point I expect is that the package openvswitch-ipsec might be missing in our repos, details in http://docs.openvswitch.org/en/stable/tutorials/ipsec/#install-ovs-ipsec . In a first step, this package can be built manually. Any feedback on this would be very helpful, thanks for having a look!
-- WBR, Pavel +32478910884
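
The manual first try discussed above, sketched as an added example that is not part of the original thread or of oVirt's code: a preflight check on the PKI files followed by the commands from the OVN IPsec tutorial. The file naming (`<host>-cert.pem`, `<host>-privkey.pem`, `cacert.pem` in one directory), the function names and the `DRY_RUN` switch are assumptions made for this example.

```shell
#!/bin/sh
# Added example: manual OVN IPsec enablement per the OVN IPsec tutorial.
# Assumed layout: $dir/<host>-cert.pem, $dir/<host>-privkey.pem, $dir/cacert.pem
# DRY_RUN defaults to 1, so commands are printed rather than executed.

run() {
    if [ "${DRY_RUN:-1}" = 1 ]; then echo "$*"; else "$@"; fi
}

# Refuse to proceed unless all three PEM files are readable and the private
# key grants nothing to group or others (return 1: missing, 2: permissive).
check_pki() {
    dir=$1 host=$2
    for f in "$dir/$host-cert.pem" "$dir/$host-privkey.pem" "$dir/cacert.pem"; do
        [ -r "$f" ] || { echo "missing: $f" >&2; return 1; }
    done
    perms=$(ls -l "$dir/$host-privkey.pem" | cut -c5-10)
    [ "$perms" = "------" ] || { echo "private key too permissive" >&2; return 2; }
}

# Per chassis: point OVS at the host certificate, private key and CA.
configure_chassis() {
    dir=$1 host=$2
    check_pki "$dir" "$host" || return
    run ovs-vsctl set Open_vSwitch . \
        "other_config:certificate=$dir/$host-cert.pem" \
        "other_config:private_key=$dir/$host-privkey.pem" \
        "other_config:ca_cert=$dir/cacert.pem"
}

# Once, against the OVN northbound DB: enable IPsec for all tunnels.
enable_ipsec() { run ovn-nbctl set nb_global . ipsec=true; }

# Per chassis afterwards: list the tunnels ovs-monitor-ipsec has configured.
show_tunnels() { run ovs-appctl -t ovs-monitor-ipsec tunnels/show; }
```

`show_tunnels` needs the `ovs-monitor-ipsec` daemon, which comes from the openvswitch-ipsec package mentioned in the thread.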