On Sat, Jan 22, 2022 at 11:41 PM ravi k <kottapar@gmail.com> wrote:
> Hello team,
Hi,

> Thank you for all the wonderful work you've been doing. I'm starting out new with oVirt and OVN. So please excuse me if the questions are too naive.
> We intend to do a POC to check if we can migrate VMs off our current VMware to oVirt. The intention is to migrate the VMs with the same IP into oVirt. We've set up oVirt with three hypervisors. All of them have four ethernet adapters. We have SDN implemented in our network and LACP bonds are created at the switch level. So we've created two bonds, bond0 and bond1 in each hypervisor. bond0 has the logical networks with vlan tagging created like bond0.101, bond0.102 etc.

Can you give some more details about your current vSphere infrastructure? What about the level of downtime you could give when migrating?
Have you already planned the strategy to transfer your VMs from vSphere to oVirt?
Take care that probably on your VMware side your VMs have virtual hw for nics defined as vmxnet, so when you migrate to oVirt, it will change and so depending on your OS type (Windows based or Linux based) and in case of Linux, depending on your distro and version, some manual operations could be required to remap vnic assignments and definitions.

One possible first way to proceed could be to make a clone of one running VM into one disconnected from the vSphere infra and then test on it the steps to port to oVirt and so analyze times and impacts.


> As a part of the POC we also want to explore OVN as well to check if we can implement a zero trust security policy. Here are the questions now :)
>
> 1. We would like to migrate VMs with the current IP into oVirt. Is it possible to achieve this? I've been reading notes and pages that mention extending the physical network into OVN. But it's a bit confusing on how to implement it.
> How do we connect OVN to the physical network? Does the fact that we have a SDN make it easier to get this done?

The downstream (RHV) documentation to do it is here:
https://access.redhat.com/documentation/en-us/red_hat_virtualization/4.4/html/administration_guide/sect-adding_external_providers#Connecting_an_OVN_Network_to_a_Physical_Network

the upstream one is here:
https://www.ovirt.org/documentation/administration_guide/#Adding_OVN_as_an_External_Network_Provider

Take care that in RHV this feature is still considered Technology Preview, so not recommended for production. It could apply to oVirt even more, so...
BTW, what do you mean by "... the fact that we have a SDN..."? Do you mean standard virtual networking in contrast with physical one or do you have any kind of special networking in vSphere now (NSX or such...)?

 


> 2. We have the IP for the hypervisor assigned on a logical network (ovirtmgmt) in bond0. I read in https://lists.ovirt.org/archives/list/users@ovirt.org/thread/CIE6MZ47GRCEX4Z6GWRLFSERCEODADJY/ that oVirt does not care about how the IP is configured when creating the tunnels.

That was a thread originated by me... ;-)
But please consider that it is 5 years old now! At that time we were at 4.1 stage, while now we are at very different 4.4, so refer in case to recent threads and better recent upstream (oVirt) and downstream (RHV) official documentation pointed above.
Also, at that time ansible was not very much in place, while now in many configuration tasks it is deeply involved.
The main concern in that thread was the impact of having OVN tunneling on the ovirtmgmt management network, that is the default choice when you configure OVN, in contrast with creating a dedicated network for it.


> 3. Once we have OVN set up, ovn logical networks created and VMs created/migrated, how do we establish the zero trust policy? From what I've read there are ACLs and security groups. Any pointers on where to explore more about implementing it?

The downstream documentation and notes for this are here:
https://access.redhat.com/documentation/en-us/red_hat_virtualization/4.4/html/administration_guide/sect-external_provider_networks#Assigning_Security_Groups_to_Logical_Networks

and upstream here:
https://www.ovirt.org/documentation/administration_guide/#Assigning_Security_Groups_to_Logical_Networks

Some manual undocumented steps through OpenStack Networking API or Ansible could be required depending on your needs.

BTW: both upstream and downstream docs refer here to 4.2.7.... :
"In oVirt 4.2.7, security groups are disabled by default."
and
"In Red Hat Virtualization 4.2.7, security groups are disabled by default."

They should be changed with the corresponding version, or into something like "in 4.2.7 and above..." if that applies and is intended.



> If you've read till here, thank you for your patience.

no problem ;-)

Gianluca