[Users] Add NIC directly to VM (Dedicated)

Hi,

For setting up a firewall in a VM I would like to add 2 of my 4 NICs directly to a VM. In my previous setup I thought I had done that, but at the moment I cannot figure this out and cannot find the docs to accomplish this.

I would like to dedicate those 2 NICs to my firewall VMs, to avoid accidentally sharing them with other VMs via a network.

How is this done at the moment?

Cheers,
Matt

On Sun, Feb 10, 2013 at 12:19:57PM +0100, Matt . wrote:
> How is this done at the moment?

AFAIK it can be done only with a vdsm hook. You'd need to define your VM with no interface at all, but instead mark it with a special custom property you define. Then, you should write a hook that adds the two host interfaces to the VM, by means of either http://libvirt.org/formatdomain.html#elementsNICSDirect or http://libvirt.org/formatdomain.html#elementsNICSHostdev

Most probably, you would need to pin your firewall VM to a specific host.

Writing a hook is not too complex, but it requires understanding of how vdsm and libvirt work. You can take http://gerrit.ovirt.org/gitweb?p=vdsm.git;a=tree;f=vdsm_hooks/vmfex as a reference, or ask for specific guidance here.

Dan.
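
Dan's hook approach as an added example, not vdsm's own code nor the vmfex hook: a before_vm_start-style hook body that reads a custom property and injects libvirt `<interface type='direct'>` elements in passthrough mode, so the firewall VM gets the named host NICs to itself. Assumed, not from the thread: the property name `dedicated_nics` holding a comma-separated NIC list, that vdsm exposes it to the hook as an environment variable, and the `read_domxml()`/`write_domxml()` helpers of vdsm's `hooking` module; the sample domain XML is constructed.

```python
"""Added example (not vdsm's or the vmfex hook's code): a before_vm_start hook
body that dedicates host NICs to a VM as libvirt <interface type='direct'>
devices in passthrough mode.  Assumed, not from the thread: custom property
'dedicated_nics' (comma-separated NIC names) passed as an environment
variable, and vdsm's 'hooking' module with read_domxml()/write_domxml()."""
import os
import re
import sys
import xml.dom.minidom as minidom

PROPERTY = 'dedicated_nics'                          # assumed property name
NIC_NAME_RE = re.compile(r'^[A-Za-z0-9_.-]{1,15}$')  # kernel ifname limit is 15


def parse_nic_list(value):
    """Split 'eth2,eth3' into a validated, de-duplicated list.  The property is
    free text typed by an admin, so anything that is not a plain interface name
    (quotes, angle brackets, spaces) is rejected instead of landing in the XML."""
    devs = []
    for raw in value.split(','):
        dev = raw.strip()
        if not dev:
            continue
        if not NIC_NAME_RE.match(dev):
            raise ValueError('invalid host NIC name: %r' % dev)
        if dev not in devs:
            devs.append(dev)
    if not devs:
        raise ValueError('%s lists no host NICs' % PROPERTY)
    return devs


def add_direct_interfaces(domxml, devs, model='virtio'):
    """Append one <interface type='direct'> per host NIC.  'passthrough' mode
    hands the NIC to this guest alone, which is the dedication Matt asked for.
    NICs already attached as 'direct' are skipped, so re-running is harmless.
    Returns the number of interfaces added."""
    devices = domxml.getElementsByTagName('devices')[0]
    used = {src.getAttribute('dev')
            for iface in domxml.getElementsByTagName('interface')
            if iface.getAttribute('type') == 'direct'
            for src in iface.getElementsByTagName('source')}
    added = 0
    for dev in devs:
        if dev in used:
            continue
        iface = domxml.createElement('interface')
        iface.setAttribute('type', 'direct')
        source = domxml.createElement('source')
        source.setAttribute('dev', dev)
        source.setAttribute('mode', 'passthrough')
        iface.appendChild(source)
        mdl = domxml.createElement('model')
        mdl.setAttribute('type', model)
        iface.appendChild(mdl)
        devices.appendChild(iface)
        added += 1
    return added


def dedicate_nics(domxml_text, nic_value):
    """Pure form of the hook: domain XML text in, rewritten XML text out."""
    domxml = minidom.parseString(domxml_text)
    add_direct_interfaces(domxml, parse_nic_list(nic_value))
    return domxml.toxml()


# Constructed sample: the firewall VM defined with no NIC at all, as Dan suggests.
SAMPLE_DOMXML = """<domain type='kvm'>
  <name>fw-vm</name>
  <devices>
    <disk type='file' device='disk'>
      <source file='/var/lib/libvirt/images/fw-vm.img'/>
      <target dev='vda' bus='virtio'/>
    </disk>
  </devices>
</domain>"""


def main():
    """Hook entry point; does nothing unless the property is set on this VM."""
    value = os.environ.get(PROPERTY)
    try:
        import hooking  # vdsm's helper module, present only on a vdsm host
    except ImportError:
        print(dedicate_nics(SAMPLE_DOMXML, value or 'eth2,eth3'))  # off-host dry run
        return
    if value:
        try:
            domxml = hooking.read_domxml()
            add_direct_interfaces(domxml, parse_nic_list(value))
            hooking.write_domxml(domxml)
        except ValueError as exc:
            sys.stderr.write('%s hook: %s\n' % (PROPERTY, exc))
            sys.exit(2)  # per vdsm's hook README (not this thread), status 2 aborts


if __name__ == '__main__':
    main()
```

Pinning the VM to the host that owns those NICs, as Dan notes, still has to be done in the engine; the hook only rewrites the domain XML it is handed.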

Hi Dan,

OK, thanks, this is something I need to look into.

What would be another way to accomplish this? Create two networks for these NICs and the VM?

The issue is that when I add a NIC to a host on 3.2 I need to set an IP. When I don't set it, or at least set it to DHCP, I get an error that the IP is not set right; I also see this in the logs. Is that part still a bug?

I get the feeling that it's the way at the moment, or almost, that the NICs need an IP, but why? For example, this is not needed on ESXi: the virtual NIC can be bridged to a VM without any settings on the host.

Thanks so far.

Cheers,
Matt

On 10.02.13 14:13, Dan Kenigsberg wrote:
> AFAIK it can be done only with a vdsm hook.

Dan is right. Currently you can do it via a hook. We do have promisc mode, but currently we have mirroring mode only (i.e. you can monitor each VM's traffic but cannot intercept it). The way to do it is via layer 2.

It's best to implement an after_vm_start hook and use ebtables. You can pass the network name to the hook. When you have the network name you can probe for its MAC address, and in the libvirt XML you can view the interfaces that are part of that network and get their MAC addresses as well (look at other hooks, as Dan pointed out).

When you have the network name, the network MAC and the target interface, you can use ebtables:

1. set the bridge in promisc mode
$ ifconfig <network name> promisc
2. traffic to the monitoring machine
$ ebtables -t nat -A PREROUTING -d 00:1a:4a:16:01:51 -i eth0 -j dnat --to-destination 00:1a:4a:16:01:11
3. traffic from the monitoring machine
$ ebtables -t nat -A PREROUTING -s 00:1a:4a:16:01:51 -i vnet0 -j dnat --to-destination 00:1a:4a:16:01:11

1. set the network interface in promiscuous mode
2. traffic that is meant for the VM MAC will go to the destination MAC
3. traffic that is sent from the VM MAC will go to the destination MAC

Note that the -i <interface> is the interface name and I think it can be omitted...

Shahar Havivi.
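
Shahar's procedure as an added example (not vdsm's or Shahar's hook): the lookup he describes in words, done against the libvirt domain XML to find the VM interfaces attached to a given network bridge with their MAC and vnet target, followed by the promisc and ebtables dnat commands built as argv lists for review rather than executed. Assumed, not from the thread: the network's bridge device carries the network name, and the caller supplies the host uplink name and the monitoring machine's MAC; the sample domain XML is constructed and reuses the MAC values quoted above.

```python
"""Added example: plan the ebtables redirection Shahar describes, from libvirt
domain XML, without executing anything.  Not vdsm's or Shahar's hook code.
Assumed, not from the thread: the oVirt network's bridge device is named after
the network; the uplink name and monitoring MAC come from the caller.  The
sample XML is constructed; MACs reuse the values quoted in the thread."""
import re
import shlex
import xml.dom.minidom as minidom

MAC_RE = re.compile(r'^(?:[0-9a-f]{2}:){5}[0-9a-f]{2}$')


def interfaces_on_network(domxml_text, network):
    """Return [(mac, vnet_dev_or_None)] for each <interface type='bridge'> whose
    <source bridge=...> is the named network.  The <target dev='vnetN'/> only
    exists once the VM runs, which is why Shahar suggests an after_vm_start hook."""
    dom = minidom.parseString(domxml_text)
    found = []
    for iface in dom.getElementsByTagName('interface'):
        if iface.getAttribute('type') != 'bridge':
            continue
        sources = iface.getElementsByTagName('source')
        if not sources or sources[0].getAttribute('bridge') != network:
            continue
        macs = iface.getElementsByTagName('mac')
        mac = macs[0].getAttribute('address').lower() if macs else ''
        if not MAC_RE.match(mac):
            raise ValueError('interface on %s has no valid MAC: %r' % (network, mac))
        targets = iface.getElementsByTagName('target')
        vnet = targets[0].getAttribute('dev') if targets else ''
        found.append((mac, vnet or None))
    return found


def redirect_rules(vm_mac, monitor_mac, uplink, vnet=None):
    """The two rules from the thread as argv lists: frames for the VM's MAC
    arriving on the uplink, and frames from the VM's MAC arriving on its vnet
    tap, both get their destination rewritten to the monitoring machine's MAC.
    As Shahar notes, -i may be left out: with vnet=None the second rule
    matches the source MAC on any bridge port."""
    for mac in (vm_mac, monitor_mac):
        if not MAC_RE.match(mac):
            raise ValueError('bad MAC address: %r' % mac)
    base = ['ebtables', '-t', 'nat', '-A', 'PREROUTING']
    tail = ['-j', 'dnat', '--to-destination', monitor_mac]
    to_vm = base + ['-d', vm_mac, '-i', uplink] + tail
    from_vm = base + ['-s', vm_mac] + (['-i', vnet] if vnet else []) + tail
    return [to_vm, from_vm]


def plan(domxml_text, network, monitor_mac, uplink):
    """Commands for one VM: promisc on the bridge (step 1), then the rule pair
    (steps 2 and 3) for each of that VM's interfaces on the network."""
    cmds = [['ifconfig', network, 'promisc']]
    for mac, vnet in interfaces_on_network(domxml_text, network):
        cmds.extend(redirect_rules(mac, monitor_mac, uplink, vnet))
    return cmds


def render(cmds):
    """Shell-quoted lines, for review before a hook runs them via subprocess."""
    return [' '.join(shlex.quote(arg) for arg in cmd) for cmd in cmds]


# Constructed running-domain XML: one NIC on the monitored network 'fwnet' and
# one on ovirtmgmt that must be left alone.
SAMPLE_DOMXML = """<domain type='kvm'>
  <name>web-vm</name>
  <devices>
    <interface type='bridge'>
      <mac address='00:1A:4A:16:01:51'/>
      <source bridge='fwnet'/>
      <target dev='vnet0'/>
      <model type='virtio'/>
    </interface>
    <interface type='bridge'>
      <mac address='00:1a:4a:16:01:52'/>
      <source bridge='ovirtmgmt'/>
      <target dev='vnet1'/>
    </interface>
  </devices>
</domain>"""

if __name__ == '__main__':
    for line in render(plan(SAMPLE_DOMXML, 'fwnet', '00:1a:4a:16:01:11', 'eth0')):
        print(line)
```

Because dnat rewrites the destination MAC rather than copying the frame, the monitored VM stops receiving that traffic while the rules are in place, which matches the "intercept" rather than "mirror" wording in the thread.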

Hi Shahar,

Thanks, I need to work this out further to have it 100% visible.

I wonder why I was able in the past (3.1) to dedicate a NIC to a VM.

Do you also have an explanation why I cannot save a network configuration with a NIC in DHCP mode? It complains about a wrong IP, and I have seen it should be a bug. Is this right?

Cheers,
Matt

On 10.02.13 16:16, Matt . wrote:
> I wonder why I was able in the past (3.1) to dedicate a NIC to a VM.
>
> Do you also have an explanation why I cannot save a network configuration with a NIC in DHCP mode? It complains about a wrong IP, and I have seen it should be a bug. Is this right?

How did you do that... I.e. can you tell me the steps that you made in the UI? (for both cases)

Hi,

I'm thinking about the way I did that with the dedicated NIC to the VM. I was discussing this a couple of months ago on IRC but I can't remember, and I already tried to do this... no luck yet. I remember that the NICs were just available when adding a NIC to the VM, by MAC address. Can't figure out yet what I did back then, except not sleeping that much :)

About the error that I get, I do the following:

Hosts > Network Interfaces > Setup Host Networks.

When I drag a network I created to a NIC and I don't set an IP, or DHCP, or None, I get this error: "Error while executing action Setup Networks: Illegal or Incomplete IP Address"

When I set an IP on that network that is dragged to the NIC I don't get an error, but why only an IP and no GW, as this IP seems to be bridged in the host to the VM where you add a NIC with that same network you just gave an IP.

Given the above, could it be that I set the MAC address of the real NIC on the VM NIC? As this is possible, that might have been the solution I used?

For the rest this software is good and the support is superb!

Thanks so far again.

Matt

On 10.02.13 16:36, Matt . wrote:
> I remember that the NICs were just available when adding a NIC to the VM, by MAC address. Can't figure out yet what I did back then, except not sleeping that much :)

I don't remember that, sorry...

> When I drag a network I created to a NIC and I don't set an IP, or DHCP, or None, I get this error: "Error while executing action Setup Networks: Illegal or Incomplete IP Address"

I can't reproduce this error; it looks like UI validation... Alona, Moti, did you encounter this error?

Here: http://www.mail-archive.com/users@ovirt.org/msg06261.html

On Sun, Feb 10, 2013 at 05:07:08PM +0100, Matt . wrote:
> > I can't reproduce this error,

Neither can I. Which ovirt-engine version do you have installed?

> > it looks like UI validation... Alona, Moti, did you encounter this error?
>
> Here: http://www.mail-archive.com/users@ovirt.org/msg06261.html

Do you mean that your issue is the same? Does it go away if you make sure that the IP and subnet fields are blank (even when you select None)? Would you attach the vdsm.log section with 'call setupNetwork', and maybe a screenshot of the dialog that is opened after you press the little pencil?

Dan.

Matt,

I attached a hook that will give you a kick start on the promisc mode. It implements only the mirror mode, which is part of vdsm now, but you can look at the comments and the README file, which have the appropriate in-line mode commands and implementation.

Shahar Havivi.

On 10/02/2013 18:07, Matt . wrote:
Here: http://www.mail-archive.com/users@ovirt.org/msg06261.html
2013/2/10 Shahar Havivi <shaharh@redhat.com <mailto:shaharh@redhat.com>>
On 10.02.13 16:36, Matt . wrote:
> Hi,
>
> I'm thinking about the way how I did that with the dedicated NIC to the VM.
> I was discussing this a couple of months ago on IRC but I can't remember and
> I already tried to do this... no luck yet. I remember that the NICs were
> just available when adding a nic to the VM, by MAC-address. Can't figure it
> out yet what I did those except of not sleeping that much :)
I don't remember that, sorry...
>
> About the error that I get I do the following:
>
> Hosts > Network Interfaces > Setup Host Networks.
>
> When I drag a network I created to a NIC and I don't set an IP or DHCP or
> None I get that error: "Error while executing action Setup Networks:
> Illegal or Incomplete IP Address"
>
> When I set an IP to that network that is dragged to the Nic I don't get an
> error, but why only an IP and no GW as this IP seems to be bridged in
> the host to the VM where you add a Nic to with that same network you just
> gave an IP.
>
> When saying the above, could have been possible that I have set the
> Mac-Address of the real Nic @ the VM Nic ? As this is possible that might
> have been the solution I used ?
>
> For the rest this software is good and the support is superb!
I can't reproduce this error, it looks like UI validation...
Alona, Moti did you encounter this error?
>
> Thanks so far again.
>
> Matt
>
> 2013/2/10 Shahar Havivi <shaharh@redhat.com>
>
> > On 10.02.13 16:16, Matt . wrote:
> > > Hi Shahar,
> > >
> > > Thanks, I need to work this out further to have it 100% visible.
> > >
> > > I wonder why I was able in the past (3.1) to dedicate an NIC to a VM.
> > >
> > > Do you also have an explanation why I cannot save a network configuration
> > > with a nic in DHCP mode ? It complains about a wrong IP and I have seen it
> > > should be a bug. Is this right ?
> > How did you do that...
> > I.e. can you tell me the steps that you made in the UI? (for both cases)
> > >
> > > Cheers,
> > >
> > > Matt
> > >
> > > 2013/2/10 Shahar Havivi <shaharh@redhat.com>
> > >
> > > > On 10.02.13 14:13, Dan Kenigsberg wrote:
> > > > > On Sun, Feb 10, 2013 at 12:19:57PM +0100, Matt . wrote:
> > > > > > Hi,
> > > > > >
> > > > > > For setting up a firewall in a VM I would like to add 2 of my 4 nics
> > > > > > directly to a VM.
> > > > > >
> > > > > > In my previous setup I thought I have done that, but at the moment I cannot
> > > > > > figure this out and cannot find the docs to accomplish this.
> > > > > >
> > > > > > I would like to dedicate those 2 nics to my firewall VM's to avoid sharing
> > > > > > them using a network per accident to other VM's.
> > > > > >
> > > > > > How is this done at the moment ?
> > > > >
> > > > > AFAIK it can be done only with a vdsm hook. You'd need to define your VM
> > > > > with no interface at all, but instead, mark it with a special custom
> > > > > property you define. Then, you should write a hook that adds the two
> > > > > host interfaces to the VM, by means of either
> > > > > http://libvirt.org/formatdomain.html#elementsNICSDirect or
> > > > > http://libvirt.org/formatdomain.html#elementsNICSHostdev
> > > > >
> > > > > Most probably, you would need to pin your firewall VM to a specific
> > > > > host.
> > > > >
> > > > > Writing a hook is not too complex, but it requires understanding of how
> > > > > vdsm and libvirt work. You can take
> > > > > http://gerrit.ovirt.org/gitweb?p=vdsm.git;a=tree;f=vdsm_hooks/vmfex as a
> > > > > reference, or ask for specific guidance here.
> > > > >
> > > > > Dan.
> > > > Dan is right,
> > > > Currently you can do it via hook,
> > > > We do have promisc mode but currently we have mirroring mode only (ie you can
> > > > monitor each VM traffic but cannot intercept it).
> > > > The way to do it is via layer 2.
> > > >
> > > > its best to implement after_vm_start hook and use ebtables.
> > > > you can pass to the hook the network name.
> > > > when you have the network name you can probe for its mac address and in the
> > > > libvirt xml you can view the interfaces that are part of that network and
> > > > get the mac addresses as well. (look at other hooks as Dan points out)
> > > >
> > > > when you have the network name, the network mac and the target interface you
> > > > can use ebtables:
> > > > 1. set the bridge in promisc mode
> > > > $ ifconfig <network name> promisc
> > > > 2. traffic to the monitoring machine
> > > > $ ebtables -t nat -A PREROUTING -d 00:1a:4a:16:01:51 -i eth0 -j dnat --to-destination 00:1a:4a:16:01:11
> > > > 3. traffic from the monitoring machine
> > > > $ ebtables -t nat -A PREROUTING -s 00:1a:4a:16:01:51 -i vnet0 -j dnat --to-destination 00:1a:4a:16:01:11
> > > >
> > > > 1. set the network interface in promiscuous mode
> > > > 2. traffic that is meant for the vm mac will go to the destination mac
> > > > 3. traffic that is sent from the vm mac will go to the destination mac
> > > >
> > > > note that the -i <interface> is the interface name and I think it can be
> > > > omitted...
> > > >
> > > > Shahar Havivi.
_______________________________________________
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users
Why do you need to attach the nics directly to the guest, rather than using logical networks A/B? This VM will have a vnic for A and a vnic for B, and then all guests "behind" the firewall would all be on logical network B?
participants (4)
- Dan Kenigsberg
- Itamar Heim
- Matt .
- Shahar Havivi