On Nov 12, 2013, at 7:58 AM, Assaf Muller wrote:
> Can users outside of the hosts' networks reach the VMs in the
> hosts?

I have not tested this yet. I have been focused on the host's
networking behavior outside of the ovirt/vdsm bits.
(Mainly, it's checking in on other things.) I realize this presents a
flaw in my thinking that the host was not behaving
properly. I will adjust my thinking on this item, and then test with a
valid set of criteria.

> If you use netstat -rn it is expected that the gateway will be
> 0.0.0.0, as ifcfg-ovirtmgmt has DEFROUTE=yes and ifcfg-public has
> DEFROUTE=no, then ovirtmgmt's 'gateway' (0.0.0.0) will be determined
> as the host's default gateway. However with the new multiple gateways
> feature we configure source routing to make sure that traffic that
> comes (from the outside) in the public network's device will return
> the way it came in.

That makes a lot of sense to me now. And, actually, I believe it is the
way it is working, the more I think about the behavior I'm seeing.

> You can use 'ip rule' to see the rules VDSM configures. It creates two
> rules and a routing table per device. You can use 'ip route show table
> %s' on each table, where the IDs can be obtained by 'ip rule'.

This is super helpful. Thank you.

A large part of this is likely me needing to adjust my thinking. As
long as my VMs are behaving as expected, do I actually need the host
to, by default, send traffic out the 'public' interface? If I do, what
traffic is that? Can I change that traffic? The likelihood is that
there is only a small amount of data, mostly centering around metrics,
and some config management, that would be host-sourced data that
currently isn't destined for my management network. Maybe those data
*should* run over the management network, if my desire for an extra
layer of protection of those data is a valid desire.

Of course, that's not the way I have things arranged right now, but
maybe I can fix that.

Thank you very much for your help, I have enough information to get
back on the problem now.

--Chris
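A way to check the per-device rule and table layout Assaf describes, as an added example (not VDSM's or oVirt's own code): it parses constructed 'ip rule' and 'ip route show table' output and reports whether a device's return path is complete, i.e. a source-prefix rule and an iif rule select the same table, and that table carries a default route out of that device. The table id 200, the device name 'public', the 192.0.2.0/24 prefix and the sample output are assumed values, not captured from a real host.

```python
import re

# Constructed sample 'ip rule' output (not captured from a real host): two rules
# for the 'public' device, one keyed on the source prefix and one on the iif.
IP_RULE = """\
0:\tfrom all lookup local
32764:\tfrom all iif public lookup 200
32765:\tfrom 192.0.2.0/24 lookup 200
32766:\tfrom all lookup main
32767:\tfrom all lookup default
"""
# Constructed 'ip route show table 200' output: correct, and with the per-device
# default route missing (replies would then fall back to the main table).
TABLE_OK = "default via 192.0.2.1 dev public\n192.0.2.0/24 dev public scope link src 192.0.2.10\n"
TABLE_NO_DEFAULT = "192.0.2.0/24 dev public scope link src 192.0.2.10\n"

RULE_RE = re.compile(r"^(\d+):\s+from\s+(\S+)(?:\s+iif\s+(\S+))?\s+lookup\s+(\S+)")
ROUTE_RE = re.compile(r"^(\S+)(?:\s+via\s+(\S+))?\s+dev\s+(\S+)")


def parse_ip_rule(text):
    """(priority, source, iif, table) per rule line; iif is None when absent."""
    return [(int(m[1]), m[2], m[3], m[4])
            for m in (RULE_RE.match(l.strip()) for l in text.splitlines()) if m]


def parse_routes(text):
    """(destination, via, dev) per route line; via is None for on-link routes."""
    return [m.groups() for m in (ROUTE_RE.match(l.strip()) for l in text.splitlines()) if m]


def return_path_table(rule_text, tables, dev, prefix):
    """Table id that sends traffic arriving on `dev` (or sourced from `prefix`) back
    out via `dev`'s own gateway, or None if any piece of the setup is missing.
    `tables` maps table id -> 'ip route show table <id>' output."""
    rules = parse_ip_rule(rule_text)
    by_src = {t for _, src, iif, t in rules if src == prefix and iif is None}
    by_iif = {t for _, _, iif, t in rules if iif == dev}
    for table in by_src & by_iif:  # both rules must select the same table
        routes = parse_routes(tables.get(table, ""))
        if any(dst == "default" and via and d == dev for dst, via, d in routes):
            return table
    return None


if __name__ == "__main__":
    print(return_path_table(IP_RULE, {"200": TABLE_OK}, "public", "192.0.2.0/24"))
    print(return_path_table(IP_RULE, {"200": TABLE_NO_DEFAULT}, "public", "192.0.2.0/24"))
```

On a real host, feed it the actual output of `ip rule` and of `ip route show table <id>` for each id the rules reference; a None result for a device means replies to traffic arriving on it will leave via the host's default gateway instead.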