Re: [Users] Default route on hosts

Can users outside of the hosts' networks reach the VMs in the hosts?

If you use netstat -rn it is expected that the gateway will be 0.0.0.0: as ifcfg-ovirtmgmt has DEFROUTE=yes and ifcfg-public has DEFROUTE=no, ovirtmgmt's 'gateway' (0.0.0.0) will be determined as the host's default gateway. However, with the new multiple gateways feature we configure source routing to make sure that traffic that comes (from the outside) in on the public network's device will return the way it came in.

You can use 'ip rule' to see the rules VDSM configures. It creates two rules and a routing table per device. You can use 'ip route show table %s' on each table, where the IDs can be obtained from 'ip rule'.

----- Original Message -----
From: "Chris Geddings" <chris.geddings@duke.edu>
To: "Assaf Muller" <amuller@redhat.com>
Sent: Tuesday, November 12, 2013 2:26:40 PM
Subject: Re: [Users] Default route on hosts

On Nov 12, 2013, at 3:32 AM, Assaf Muller <amuller@redhat.com> wrote:
> oVirt 3.3 introduced a feature called multiple gateways which may assist you. If you configured a gateway on the public network (either statically via oVirt or via DHCP), then all traffic into the hosts through their public network NIC will be returned via that NIC, *even though* the host's default gateway is ovirtmgmt's gateway.

So, interestingly or not, when I define a gateway on the public interface (through the web management interface or DHCP), and I don't worry about making the DEFROUTE=yes setting in my "public" network, the box behaves like it has an incorrect default route. Now, my management network has a gateway of 0.0.0.0, as it is a completely simple network, so that may be part of the problem. I'm not sure of the impact of 0.0.0.0 as a gateway.

I'm not sure how to poke at this further to figure out where the breakage is. Routing looks like it has gotten a little more complex, and I'm still operating with 'netstat -rn' and 'route add foo' type commands.

--Chris
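The source-routing lookup Assaf describes (a routing table per device, selected by rules, consulted before the main table's default route), as an added Python simulation of the kernel's policy-routing decision; this is not code from the thread or from VDSM, and the subnets, gateways, table id 1001 and the exact rule shapes are constructed assumptions:

```python
import ipaddress
from dataclasses import dataclass
# Added simulation of the Linux policy-routing lookup (RPDB) behind the multiple-gateways
# feature. Addresses, table ids and rule shapes are constructed assumptions, not VDSM code.
@dataclass
class Route:
    prefix: str      # destination prefix; "0.0.0.0/0" is the default route
    dev: str
    via: str = ""    # next hop; empty means on-link
@dataclass
class Rule:
    prio: int
    table: int
    src: str = ""    # 'from' selector; empty matches every source
    dst: str = ""    # 'to' selector; empty matches every destination

def lookup(table, dst):
    """Longest-prefix match inside one routing table (None if nothing matches)."""
    hits = [r for r in table if dst in ipaddress.ip_network(r.prefix)]
    return max(hits, key=lambda r: ipaddress.ip_network(r.prefix).prefixlen, default=None)

def resolve(rules, tables, src, dst):
    """Walk rules by priority; the first table holding a matching route wins."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in sorted(rules, key=lambda r: r.prio):
        if rule.src and s not in ipaddress.ip_network(rule.src):
            continue
        if rule.dst and d not in ipaddress.ip_network(rule.dst):
            continue
        if hit := lookup(tables.get(rule.table, []), d):
            return hit
    return None  # no rule led to a table with a route: unreachable
# Constructed host: ovirtmgmt (10.0.0.0/24) supplies main's default gateway; public
# (192.0.2.0/24) gets its own gateway in a per-device table that the rules select.
MAIN, PUBLIC_TABLE = 254, 1001   # 1001 is made up; on a real host read it from 'ip rule'
TABLES = {
    MAIN: [Route("10.0.0.0/24", "ovirtmgmt"), Route("192.0.2.0/24", "public"),
           Route("0.0.0.0/0", "ovirtmgmt", via="10.0.0.1")],
    PUBLIC_TABLE: [Route("192.0.2.0/24", "public"), Route("0.0.0.0/0", "public", via="192.0.2.1")],
}
RULES = [  # two rules per device (assumed VDSM shape) plus the kernel's main-table rule
    Rule(32000, PUBLIC_TABLE, src="192.0.2.0/24"),
    Rule(32001, PUBLIC_TABLE, dst="192.0.2.0/24"),
    Rule(32766, MAIN),
]
def egress(src, dst):
    """Describe the next hop for a packet the host emits with this source address."""
    r = resolve(RULES, TABLES, src, dst)
    return "unreachable" if r is None else f"via {r.via or 'on-link'} dev {r.dev}"
```

A reply sourced from the public address leaves via public's gateway, while host-originated traffic sourced from the ovirtmgmt address still follows main's default route, which matches the behavior Chris observes; on a real host the same walk is what 'ip rule' followed by 'ip route show table' for each listed table reveals.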


On 11/12/2013 09:50 AM, Christopher Geddings wrote:
> On Nov 12, 2013, at 7:58 AM, Assaf Muller wrote:
>> Can users outside of the hosts' networks reach the VMs in the hosts?
> I have not tested this yet. I have been focused on the host's networking behavior outside of the ovirt/vdsm bits. (Mainly, it's checking in on other things.) I realize this presents a flaw in my thinking that the host was not behaving properly. I will adjust my thinking on this item, and then test with a valid set of criteria.
>
>> If you use netstat -rn it is expected that the gateway will be 0.0.0.0: as ifcfg-ovirtmgmt has DEFROUTE=yes and ifcfg-public has DEFROUTE=no, ovirtmgmt's 'gateway' (0.0.0.0) will be determined as the host's default gateway. However, with the new multiple gateways feature we configure source routing to make sure that traffic that comes (from the outside) in on the public network's device will return the way it came in.
> That makes a lot of sense to me now. And, actually, I believe that is the way it is working, the more I think about the behavior I'm seeing.
>
>> You can use 'ip rule' to see the rules VDSM configures. It creates two rules and a routing table per device. You can use 'ip route show table %s' on each table, where the IDs can be obtained from 'ip rule'.
> This is super helpful. Thank you.
>
> A large part of this is likely me needing to adjust my thinking. As long as my VMs are behaving as expected, do I actually need the host to, by default, send traffic out the 'public' interface? If I do, what traffic is that? Can I change that traffic? The likelihood is that there is only a small amount of data, mostly centering around metrics and some config management, that would be host-sourced data that currently isn't destined for my management network. Maybe those data *should* run over the management network, if my desire for an extra layer of protection of those data is a valid desire.
>
> Of course, that's not the way I have things arranged right now, but maybe I can fix that.
>
> Thank you very much for your help, I have enough information to get back on the problem now.
>
> --Chris
>
> _______________________________________________
> Users mailing list
> Users@ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
Please note you can set which logical network is the 'display' (console/spice/vnc) network, which is what the users use to connect a spice/vnc console to the VM with. The default is ovirtmgmt, but you probably want to change it in your case.
Participants (3): Assaf Muller, Christopher Geddings, Itamar Heim