8:08 p.m.
Hello team,
Thank you for all the wonderful work you've been doing. I'm starting out new with
oVirt and OVN. So please excuse me if the questions are too naive.
We intend to do a POC to check if we can migrate VMs off our current VMware to oVirt. The
intention is to migrate the VMs with the same IP into oVirt. We've setup oVirt with
three hypervisors. All of them have four ethernet adapters. We have SDN implemented in our
network and LACP bonds are created at the switch level. So we've created two bonds,
bond0 and bond1 in each hypervisor. bond0 has the logical networks with vlan tagging
created like bond0.101, bond0.102 etc.
As a part of the POC we also want to explore OVN as well to check if we can implement a
zero trust security policy. Here are the questions now :)
1. We would like to migrate VMs with the current IP into oVirt. Is it possible to achieve
this? I've been reading notes and pages that mention about extending the physical
network into OVN. But it's a bit confusing on how to implement it.
How do we connect OVN to the physical network? Does the fact that we have a SDN make it
easier to get this done?
I am still reading the ovn-architecture page. It is mentioned that the gateway is the
component that extends a tunnel-based logical network into a physical network.
2. We have the IP for the hypervisor assigned on a logical network(ovirtmgmt) in bond0. I
read in
https://lists.ovirt.org/archives/list/users@ovirt.org/thread/CIE6MZ47GRCE...
that oVirt does not care about how the IP is configured when creating the tunnels.
3. Once we have OVN setup, ovn logical networks created and VMs created/migrated, how do
we establish the zero trust policy? From what I've read there are ACLs and security
groups. Any pointers on where to explore more about implementing it.
If you've read till here, thank you for your patience.
Regards,
ravi
12:10 p.m.
New subject: New oVirt setup with OVN : Hypervisor with LACP bond : queries
On Sat, Jan 22, 2022 at 11:41 PM ravi k <kottapar(a)gmail.com> wrote:
Hello team,
Hi,
Thank you for all the wonderful work you've been doing. I'm starting out
new with oVirt and OVN. So please excuse me if the questions are too
naive.
We intend to do a POC to check if we can migrate VMs off our current
VMware to oVirt. The intention is to migrate the VMs with the same IP into
oVirt. We've setup oVirt with three hypervisors. All of them have four
ethernet adapters. We have SDN implemented in our network and LACP bonds
are created at the switch level. So we've created two bonds, bond0 and
bond1 in each hypervisor. bond0 has the logical networks with vlan tagging
created like bond0.101, bond0.102 etc.
Can you give some more details about your current vSphere infrastructure?
What about the level of downtime you could give when migrating?
Have you already planned the strategy to transfer your VMs from vSphere to
oVirt?
Take care that probably on your VMware side your VMs have virtual hw for
nics defined as vmxnet, so when you migrate to oVirt, it will change and so
depending on your OS type (Windows based or Linux based) and in case of
Linux, depending on your distro and version, some manual operations could
be required to remap vnic assignments and definitions.
One possible first way to proceed could be to make a clone of one running
VM into one disconnected from the vSphere infra and then test on it the
steps to port to oVirt and so analyze times and impacts
As a part of the POC we also want to explore OVN as well to check if
we
can implement a zero trust security policy. Here are the questions now :)
1. We would like to migrate VMs with the current IP into oVirt. Is it
possible to achieve this? I've been reading notes and pages that mention
about extending the physical network into OVN. But it's a bit confusing on
how to implement it.
How do we connect OVN to the physical network? Does the fact that we have
a SDN make it easier to get this done?
The downstream (RHV) documentation to do it is here:
https://access.redhat.com/documentation/en-us/red_hat_virtualization/4.4/...
the upstream one is here:
https://www.ovirt.org/documentation/administration_guide/#Adding_OVN_as_a...
Take care that in RHV this feature is still considered Technology Preview,
so not recommended for production. It could apply to oVirt even more, so...
BTW, what do you mean with "... the fact that we have a SDN..."? Do you
mean standard virtual networking in contrast with physical one or do you
have any kind of special networking in vSphere now (NSX or such...)?
2. We have the IP for the hypervisor assigned on a logical
network(ovirtmgmt) in bond0. I read in
https://lists.ovirt.org/archives/list/users@ovirt.org/thread/CIE6MZ47GRCE...
that oVirt does not care about how the IP is configured when creating the
tunnels.
That was a thread originated by me... ;-)
But please consider that it is 5 years old now! At that time we were at 4.1
stage, while now we are at very different 4.4, so refer in case to recent
threads and better recent upstream (oVirt) and downstream (RHV) official
documentation pointed above
Also, at that time ansible was not very much in place, while now in many
configuration tasks it is deeply involved.
The main concern in that thread was the impact of having OVN tunneling on
the ovirtmgmt management network, that is the default choice when you
configure OVN, in contrast with creating a dedicated network for it.
3. Once we have OVN setup, ovn logical networks created and VMs
created/migrated, how do we establish the zero trust policy? From what I've
read there are ACLs and security groups. Any pointers on where to explore
more about implementing it.
The downstream documentation and notes for this is here:
https://access.redhat.com/documentation/en-us/red_hat_virtualization/4.4/...
and upstream here:
https://www.ovirt.org/documentation/administration_guide/#Assigning_Secur...
some manual undocumented steps through OpenStack Networking API or Ansible
could be required depending on your needs
BTW: both upstream and downstream docs refer here to 4.2.7.... :
"
In oVirt 4.2.7, security groups are disabled by default.
"
and
"
In Red Hat Virtualization 4.2.7, security groups are disabled by default.
"
They should be changed with the corresponding version, or into something
like "in 4.2.7 and above..." if that applies and is intended
If you've read till here, thank you for your patience.
no problem ;-)
Gianluca
12:02 p.m.
New subject: New oVirt setup with OVN : Hypervisor with LACP bond : queries
Can you give some more details about your current vSphere
infrastructure?
What about the level of downtime you could give when migrating?
Have you already planned the strategy to transfer your VMs from vSphere to
oVirt?
We are still in the initial stages and so conducting a POC.
Take care that probably on your VMware side your VMs have virtual hw
for
nics defined as vmxnet, so when you migrate to oVirt, it will change and so
depending on your OS type (Windows based or Linux based) and in case of
Linux, depending on your distro and version, some manual operations could
be required to remap vnic assignments and definitions.
We are planning to clone a VM and then migrate it to note down the findings. We will
surely verify the virtual nic hw as well.
Take care that in RHV this feature is still considered Technology
Preview,
so not recommended for production. It could apply to oVirt even more, so...
BTW, what do you mean with "... the fact that we have a SDN..."? Do you
mean standard virtual networking in contrast with physical one or do you
have any kind of special networking in vSphere now (NSX or such...)?
We have SDN implemented at our physical network level. IIRC it is Cumulus. We do not have
NSX. What I meant was as we have SDN implemented at the physical network level. So will it
make it easier to connect our Ovirt to the physical network.
I will go through the docs you updated and come back.
That was a thread originated by me... ;-)
But please consider that it is 5 years old now! At that time we were at 4.1
stage, while now we are at very different 4.4, so refer in case to recent
threads and better recent upstream (oVirt) and downstream (RHV) official
documentation pointed above
Also, at that time ansible was not very much in place, while now in many
configuration tasks it is deeply involved.
The main concern in that thread was the impact of having OVN tunneling on
the ovirtmgmt management network, that is the default choice when you
configure OVN, in contrast with creating a dedicated network for it.
My apologies. I wasn't clear. As the IP was assigned on bond0 which is a LACP bond, do
we need to make any changes before running the vdsm-tool ovn-config <ovn-central-ip>
<hypervisor ip> ?
some manual undocumented steps through OpenStack Networking API or
Ansible
could be required depending on your needs
I'll go through the docs you mentioned and update here about my progress.
12:36 p.m.
New subject: New oVirt setup with OVN : Hypervisor with LACP bond : queries
On Mon, Jan 24, 2022 at 10:30 AM ravi k <kottapar(a)gmail.com> wrote:
> Can you give some more details about your current vSphere
infrastructure?
> What about the level of downtime you could give when migrating?
> Have you already planned the strategy to transfer your VMs from vSphere
to
> oVirt?
We are still in the initial stages and so conducting a POC.
> Take care that probably on your VMware side your VMs have virtual hw for
> nics defined as vmxnet, so when you migrate to oVirt, it will change and
so
> depending on your OS type (Windows based or Linux based) and in case of
> Linux, depending on your distro and version, some manual operations could
> be required to remap vnic assignments and definitions.
We are planning to clone a VM and then migrate it to note down the
findings. We will surely verify the virtual nic hw as well.
> Take care that in RHV this feature is still considered Technology
Preview,
> so not recommended for production. It could apply to oVirt even more,
so...
> BTW, what do you mean with "... the fact that we have a SDN..."? Do you
> mean standard virtual networking in contrast with physical one or do you
> have any kind of special networking in vSphere now (NSX or such...)?
We have SDN implemented at our physical network level. IIRC it is Cumulus.
We do not have NSX. What I meant was as we have SDN implemented at the
physical network level. So will it make it easier to connect our Ovirt to
the physical network.
I will go through the docs you updated and come back.
> That was a thread originated by me... ;-)
> But please consider that it is 5 years old now! At that time we were at
4.1
> stage, while now we are at very different 4.4, so refer in case to recent
> threads and better recent upstream (oVirt) and downstream (RHV) official
> documentation pointed above
> Also, at that time ansible was not very much in place, while now in many
> configuration tasks it is deeply involved.
> The main concern in that thread was the impact of having OVN tunneling on
> the ovirtmgmt management network, that is the default choice when you
> configure OVN, in contrast with creating a dedicated network for it.
My apologies. I wasn't clear. As the IP was assigned on bond0 which is a
LACP bond, do we need to make any changes before running the vdsm-tool
ovn-config <ovn-central-ip> <hypervisor ip> ?
You should not run ovn-config manually, if the host bond0 has ovirtmgmt on
top of it. That is all done by host deploy. The step might be needed if you
want to have a tunnel on a different interface than ovirtmgmt is using.
> some manual undocumented steps through OpenStack Networking API
or
Ansible
> could be required depending on your needs
I'll go through the docs you mentioned and update here about my progress.
_______________________________________________
Users mailing list -- users(a)ovirt.org
To unsubscribe send an email to users-leave(a)ovirt.org
Privacy Statement: https://www.ovirt.org/privacy-policy.html
oVirt Code of Conduct:
https://www.ovirt.org/community/about/community-guidelines/
List Archives:
https://lists.ovirt.org/archives/list/users@ovirt.org/message/FCOB5JRZVHF...
--
Ales Musil
Senior Software Engineer - RHV Network
Red Hat EMEA <https://www.redhat.com>
amusil(a)redhat.com IM: amusil
<https://red.ht/sig>
7:48 p.m.
New subject: New oVirt setup with OVN : Hypervisor with LACP bond : queries
You should not run ovn-config manually, if the host bond0 has
ovirtmgmt on
top of it. That is all done by host deploy. The step might be needed if you
want to have a tunnel on a different interface than ovirtmgmt is using.
Thanks for that. We performed a normal oVirt install and as a part of it the controller
was installed in the manager. I can see the pre-req rpms and services are also installed
in the hypervisors. So If I understood correctly you're saying that the tunnels and
bridge would've been already created when we added the host?
If we just bring up the openvswitch and ovn-controller services we should be able to see
the tunnels and bridge.
9:03 a.m.
New subject: New oVirt setup with OVN : Hypervisor with LACP bond : queries
On Mon, Jan 24, 2022 at 5:52 PM ravi k <kottapar(a)gmail.com> wrote:
> You should not run ovn-config manually, if the host bond0 has
ovirtmgmt
on
> top of it. That is all done by host deploy. The step might be needed if
you
> want to have a tunnel on a different interface than ovirtmgmt is using.
Thanks for that. We performed a normal oVirt install and as a part of it
the controller was installed in the manager. I can see the pre-req rpms and
services are also installed in the hypervisors. So If I understood
correctly you're saying that the tunnels and bridge would've been already
created when we added the host?
If we just bring up the openvswitch and ovn-controller services we should
be able to see the tunnels and bridge.
So there are a couple of things to keep in mind. During engine-setup you
need to say yes for the OVN provider option.
The cluster with the hostat needs to have default network provider, which
for "Default" cluster is configured automatically when the
OVN option is yes. With those conditions you don't need to start any
service, everything should be running and the hosts installed
in the cluster will have tunnels ready on ovirtmgmt.
_______________________________________________
Users mailing list -- users(a)ovirt.org
To unsubscribe send an email to users-leave(a)ovirt.org
Privacy Statement: https://www.ovirt.org/privacy-policy.html
oVirt Code of Conduct:
https://www.ovirt.org/community/about/community-guidelines/
List Archives:
https://lists.ovirt.org/archives/list/users@ovirt.org/message/XOBGD7VYYBA...
--
Ales Musil
Senior Software Engineer - RHV Network
Red Hat EMEA <https://www.redhat.com>
amusil(a)redhat.com IM: amusil
<https://red.ht/sig>
8:46 p.m.
New subject: New oVirt setup with OVN : Hypervisor with LACP bond : queries
With those conditions you don't need to start any
service, everything should be running and the hosts installed
in the cluster will have tunnels ready on ovirtmgmt.
Thanks for that. It is clear now. We have an existing oVirt setup with logical networks
created. In order to test OVN we are going to add a new cluster with switch type as OVS
and the default network provider as ovirt-provider-ovn. We will then add a host to this
cluster.
The section 14.2.7.5 mentions "You can create an external provider network that
overlays a native Red Hat Virtualization network so that the virtual machines on each
appear to be sharing the same subnet."
Does this mean that we should always first create a native RHV network that talks to the
physical network? Is it not possible for OVN to talk directly to the physical network by
using the LACP bond configured in the physical host?
9:09 a.m.
New subject: New oVirt setup with OVN : Hypervisor with LACP bond : queries
On Tue, Jan 25, 2022 at 6:48 PM ravi k <kottapar(a)gmail.com> wrote:
>With those conditions you don't need to start any
> service, everything should be running and the hosts installed
> in the cluster will have tunnels ready on ovirtmgmt.
Thanks for that. It is clear now. We have an existing oVirt setup with
logical networks created. In order to test OVN we are going to add a new
cluster with switch type as OVS and the default network provider as
ovirt-provider-ovn. We will then add a host to this cluster.
The section 14.2.7.5 mentions "You can create an external provider network
that overlays a native Red Hat Virtualization network so that the virtual
machines on each appear to be sharing the same subnet."
Does this mean that we should always first create a native RHV network
that talks to the physical network? Is it not possible for OVN to talk
directly to the physical network by using the LACP bond configured in the
physical host?
So bond and it's configuration has nothing to do with it, in other words
OVN does not care what the physical network is. The recommended way is to
have a RHV network which will be used for OVN.
This is due to the fact that we need to create a mapping on the host, so
OVN knows what bridge to use for this connection. Then the OVN network
created can use the "Connect to physical network" which
will connect the OVN network to the physical one.
_______________________________________________
Users mailing list -- users(a)ovirt.org
To unsubscribe send an email to users-leave(a)ovirt.org
Privacy Statement: https://www.ovirt.org/privacy-policy.html
oVirt Code of Conduct:
https://www.ovirt.org/community/about/community-guidelines/
List Archives:
https://lists.ovirt.org/archives/list/users@ovirt.org/message/AHMBUFPAMNG...
--
Ales Musil
Senior Software Engineer - RHV Network
Red Hat EMEA <https://www.redhat.com>
amusil(a)redhat.com IM: amusil
<https://red.ht/sig>
1028
days inactive
1034
days old
7 comments
3 participants
participants (3)
-
Ales Musil -
Gianluca Cecchi -
ravi k