New oVirt setup with OVN : Hypervisor with LACP bond : queries

Hello team,

Thank you for all the wonderful work you've been doing. I'm starting out new with oVirt and OVN, so please excuse me if the questions are too naive. We intend to do a POC to check if we can migrate VMs off our current VMware to oVirt. The intention is to migrate the VMs with the same IP into oVirt. We've set up oVirt with three hypervisors. All of them have four ethernet adapters. We have SDN implemented in our network and LACP bonds are created at the switch level. So we've created two bonds, bond0 and bond1, in each hypervisor. bond0 has the logical networks with VLAN tagging created like bond0.101, bond0.102 etc. As a part of the POC we also want to explore OVN as well to check if we can implement a zero trust security policy. Here are the questions now :)

1. We would like to migrate VMs with the current IP into oVirt. Is it possible to achieve this? I've been reading notes and pages that mention extending the physical network into OVN, but it's a bit confusing how to implement it. How do we connect OVN to the physical network? Does the fact that we have an SDN make it easier to get this done? I am still reading the ovn-architecture page. It is mentioned that the gateway is the component that extends a tunnel-based logical network into a physical network.

2. We have the IP for the hypervisor assigned on a logical network (ovirtmgmt) in bond0. I read in https://lists.ovirt.org/archives/list/users@ovirt.org/thread/CIE6MZ47GRCEX4Z... that oVirt does not care about how the IP is configured when creating the tunnels.

3. Once we have OVN set up, OVN logical networks created and VMs created/migrated, how do we establish the zero trust policy? From what I've read there are ACLs and security groups. Any pointers on where to explore more about implementing it?

If you've read till here, thank you for your patience.

Regards,
ravi

On Sat, Jan 22, 2022 at 11:41 PM ravi k <kottapar@gmail.com> wrote:
Hello team,
Hi, Thank you for all the wonderful work you've been doing. I'm starting out
new with oVirt and OVN. So please excuse me if the questions are too naive. We intend to do a POC to check if we can migrate VMs off our current VMware to oVirt. The intention is to migrate the VMs with the same IP into oVirt. We've set up oVirt with three hypervisors. All of them have four ethernet adapters. We have SDN implemented in our network and LACP bonds are created at the switch level. So we've created two bonds, bond0 and bond1, in each hypervisor. bond0 has the logical networks with VLAN tagging created like bond0.101, bond0.102 etc.
Can you give some more details about your current vSphere infrastructure? What about the level of downtime you could give when migrating? Have you already planned the strategy to transfer your VMs from vSphere to oVirt? Take care that probably on your VMware side your VMs have virtual hw for NICs defined as vmxnet, so when you migrate to oVirt it will change, and so depending on your OS type (Windows based or Linux based) and, in case of Linux, depending on your distro and version, some manual operations could be required to remap vNIC assignments and definitions. One possible first way to proceed could be to make a clone of one running VM into one disconnected from the vSphere infra and then test on it the steps to port to oVirt, and so analyze times and impacts.
As a part of the POC we also want to explore OVN as well to check if we can implement a zero trust security policy. Here are the questions now :)
1. We would like to migrate VMs with the current IP into oVirt. Is it possible to achieve this? I've been reading notes and pages that mention extending the physical network into OVN, but it's a bit confusing how to implement it. How do we connect OVN to the physical network? Does the fact that we have an SDN make it easier to get this done?
The downstream (RHV) documentation to do it is here: https://access.redhat.com/documentation/en-us/red_hat_virtualization/4.4/htm... and the upstream one is here: https://www.ovirt.org/documentation/administration_guide/#Adding_OVN_as_an_E... Take care that in RHV this feature is still considered Technology Preview, so not recommended for production. It could apply to oVirt even more, so... BTW, what do you mean with "... the fact that we have a SDN..."? Do you mean standard virtual networking in contrast with physical one, or do you have any kind of special networking in vSphere now (NSX or such...)?
2. We have the IP for the hypervisor assigned on a logical network (ovirtmgmt) in bond0. I read in https://lists.ovirt.org/archives/list/users@ovirt.org/thread/CIE6MZ47GRCEX4Z... that oVirt does not care about how the IP is configured when creating the tunnels.
That was a thread originated by me... ;-) But please consider that it is 5 years old now! At that time we were at the 4.1 stage, while now we are at the very different 4.4, so refer in case to recent threads and, better, recent upstream (oVirt) and downstream (RHV) official documentation pointed above. Also, at that time ansible was not very much in place, while now in many configuration tasks it is deeply involved. The main concern in that thread was the impact of having OVN tunneling on the ovirtmgmt management network, that is the default choice when you configure OVN, in contrast with creating a dedicated network for it.
3. Once we have OVN set up, OVN logical networks created and VMs created/migrated, how do we establish the zero trust policy? From what I've read there are ACLs and security groups. Any pointers on where to explore more about implementing it?
The downstream documentation and notes for this are here: https://access.redhat.com/documentation/en-us/red_hat_virtualization/4.4/htm... and upstream here: https://www.ovirt.org/documentation/administration_guide/#Assigning_Security... Some manual undocumented steps through the OpenStack Networking API or Ansible could be required depending on your needs. BTW: both upstream and downstream docs refer here to 4.2.7....: "In oVirt 4.2.7, security groups are disabled by default." and "In Red Hat Virtualization 4.2.7, security groups are disabled by default." They should be changed with the corresponding version, or into something like "in 4.2.7 and above..." if that applies and is intended.
If you've read till here, thank you for your patience.
no problem ;-) Gianluca
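For the third question (building a zero trust policy with security groups), here is an added example that is not part of the thread and not code from the oVirt or ovirt-provider-ovn projects. It models a security-group rule set in the OpenStack Networking (Neutron) API shape that ovirt-provider-ovn exposes a subset of (`security_group_rule` objects with `direction`, `ethertype`, `protocol`, `port_range_min`/`port_range_max`, `remote_ip_prefix`, `remote_group_id`), lints it for least privilege before anything is pushed, and wraps each rule as the JSON body for `POST /v2.0/security-group-rules`. The CIDRs, the `db-sg-placeholder` group id, the provider endpoint URL and the `X-Auth-Token` header are assumptions for illustration; check them against your provider's configured URL and auth scheme before use. The lint step goes beyond the thread: it catches the rule shapes that quietly turn an allow-list back into allow-all (no peer, any-address peer, no protocol, TCP/UDP with no port range).

```python
"""Added example (not from the thread or the oVirt project): build and lint a
least-privilege security-group policy in OpenStack Networking API form."""
import json
import urllib.request
from dataclasses import dataclass, asdict
from typing import List, Optional


@dataclass
class Rule:
    """One security-group rule, field names as in the Networking API."""
    direction: str                           # "ingress" or "egress"
    ethertype: str = "IPv4"                  # "IPv4" or "IPv6"
    protocol: Optional[str] = None           # "tcp", "udp", "icmp" or None (any)
    port_range_min: Optional[int] = None
    port_range_max: Optional[int] = None
    remote_ip_prefix: Optional[str] = None   # CIDR the peer must be in
    remote_group_id: Optional[str] = None    # or: peer must be in this group


def build_web_tier_policy(lb_cidr: str, db_group_id: str, mgmt_cidr: str) -> List[Rule]:
    """Allow-list for a web tier: only what the service needs.
    Ingress: HTTPS from the load-balancer range, SSH from the management range.
    Egress: PostgreSQL to members of the DB group, DNS to the management range.
    Every rule names a protocol, a port range and a bounded peer (assumed values)."""
    return [
        Rule("ingress", protocol="tcp", port_range_min=443, port_range_max=443,
             remote_ip_prefix=lb_cidr),
        Rule("ingress", protocol="tcp", port_range_min=22, port_range_max=22,
             remote_ip_prefix=mgmt_cidr),
        Rule("egress", protocol="tcp", port_range_min=5432, port_range_max=5432,
             remote_group_id=db_group_id),
        Rule("egress", protocol="udp", port_range_min=53, port_range_max=53,
             remote_ip_prefix=mgmt_cidr),
    ]


def lint_policy(rules: List[Rule]) -> List[str]:
    """Return one finding per rule shape that is broader than an allow-list
    should be; an empty list means every rule is bounded on peer and service."""
    findings = []
    for i, r in enumerate(rules):
        where = f"rule {i} ({r.direction})"
        if r.direction not in ("ingress", "egress"):
            findings.append(f"{where}: invalid direction")
            continue
        if r.remote_ip_prefix is None and r.remote_group_id is None:
            findings.append(f"{where}: no remote prefix or group, matches any peer")
        elif r.remote_ip_prefix in ("0.0.0.0/0", "::/0"):
            findings.append(f"{where}: remote prefix is any-address")
        if r.protocol is None:
            findings.append(f"{where}: no protocol, matches all protocols")
        elif r.protocol in ("tcp", "udp") and (
                r.port_range_min is None or r.port_range_max is None):
            findings.append(f"{where}: {r.protocol} without a port range, matches all ports")
    return findings


def rule_to_api_body(sg_id: str, rule: Rule) -> dict:
    """Wrap a Rule as the JSON body of POST /v2.0/security-group-rules,
    dropping unset fields so the API applies its own defaults."""
    fields = {k: v for k, v in asdict(rule).items() if v is not None}
    fields["security_group_id"] = sg_id
    return {"security_group_rule": fields}


def push_policy(endpoint: str, token: str, sg_id: str, rules: List[Rule]) -> List[dict]:
    """POST each rule to the provider. ENDPOINT and the token header are
    assumptions: adjust to your ovirt-provider-ovn URL and auth scheme."""
    created = []
    for rule in rules:
        data = json.dumps(rule_to_api_body(sg_id, rule)).encode()
        req = urllib.request.Request(
            f"{endpoint}/v2.0/security-group-rules", data=data, method="POST",
            headers={"Content-Type": "application/json", "X-Auth-Token": token})
        with urllib.request.urlopen(req) as resp:
            created.append(json.load(resp))
    return created


if __name__ == "__main__":
    # Constructed sample values; lint before anything reaches the provider.
    policy = build_web_tier_policy("10.0.1.0/24", "db-sg-placeholder", "10.0.9.0/24")
    for line in lint_policy(policy) or ["policy is least-privilege"]:
        print(line)
```

Run the lint on every policy change and refuse to push when it returns findings; that keeps the security groups an explicit allow-list, which is what "zero trust" means at the port level.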

Can you give some more details about your current vSphere infrastructure? What about the level of downtime you could give when migrating? Have you already planned the strategy to transfer your VMs from vSphere to oVirt?
We are still in the initial stages and so conducting a POC.
Take care that probably on your VMware side your VMs have virtual hw for NICs defined as vmxnet, so when you migrate to oVirt it will change, and so depending on your OS type (Windows based or Linux based) and, in case of Linux, depending on your distro and version, some manual operations could be required to remap vNIC assignments and definitions.
We are planning to clone a VM and then migrate it to note down the findings. We will surely verify the virtual NIC hw as well.
Take care that in RHV this feature is still considered Technology Preview, so not recommended for production. It could apply to oVirt even more, so... BTW, what do you mean with "... the fact that we have a SDN..."? Do you mean standard virtual networking in contrast with physical one, or do you have any kind of special networking in vSphere now (NSX or such...)?
We have SDN implemented at our physical network level. IIRC it is Cumulus. We do not have NSX. What I meant was: as we have SDN implemented at the physical network level, will it make it easier to connect our oVirt to the physical network? I will go through the docs you updated and come back.
That was a thread originated by me... ;-) But please consider that it is 5 years old now! At that time we were at the 4.1 stage, while now we are at the very different 4.4, so refer in case to recent threads and, better, recent upstream (oVirt) and downstream (RHV) official documentation pointed above. Also, at that time ansible was not very much in place, while now in many configuration tasks it is deeply involved. The main concern in that thread was the impact of having OVN tunneling on the ovirtmgmt management network, that is the default choice when you configure OVN, in contrast with creating a dedicated network for it.
My apologies. I wasn't clear. As the IP was assigned on bond0, which is a LACP bond, do we need to make any changes before running `vdsm-tool ovn-config <ovn-central-ip> <hypervisor ip>`?
Some manual undocumented steps through the OpenStack Networking API or Ansible could be required depending on your needs.
I'll go through the docs you mentioned and update here about my progress.

On Mon, Jan 24, 2022 at 10:30 AM ravi k <kottapar@gmail.com> wrote:
Can you give some more details about your current vSphere infrastructure? What about the level of downtime you could give when migrating? Have you already planned the strategy to transfer your VMs from vSphere to oVirt?
We are still in the initial stages and so conducting a POC.
Take care that probably on your VMware side your VMs have virtual hw for NICs defined as vmxnet, so when you migrate to oVirt it will change, and so depending on your OS type (Windows based or Linux based) and, in case of Linux, depending on your distro and version, some manual operations could be required to remap vNIC assignments and definitions.
We are planning to clone a VM and then migrate it to note down the findings. We will surely verify the virtual NIC hw as well.
Take care that in RHV this feature is still considered Technology Preview, so not recommended for production. It could apply to oVirt even more, so... BTW, what do you mean with "... the fact that we have a SDN..."? Do you mean standard virtual networking in contrast with physical one, or do you have any kind of special networking in vSphere now (NSX or such...)?
We have SDN implemented at our physical network level. IIRC it is Cumulus. We do not have NSX. What I meant was: as we have SDN implemented at the physical network level, will it make it easier to connect our oVirt to the physical network? I will go through the docs you updated and come back.
That was a thread originated by me... ;-) But please consider that it is 5 years old now! At that time we were at the 4.1 stage, while now we are at the very different 4.4, so refer in case to recent threads and, better, recent upstream (oVirt) and downstream (RHV) official documentation pointed above. Also, at that time ansible was not very much in place, while now in many configuration tasks it is deeply involved. The main concern in that thread was the impact of having OVN tunneling on the ovirtmgmt management network, that is the default choice when you configure OVN, in contrast with creating a dedicated network for it.
My apologies. I wasn't clear. As the IP was assigned on bond0, which is a LACP bond, do we need to make any changes before running `vdsm-tool ovn-config <ovn-central-ip> <hypervisor ip>`?
You should not run ovn-config manually if the host bond0 has ovirtmgmt on top of it. That is all done by host deploy. The step might be needed if you want to have a tunnel on a different interface than the one ovirtmgmt is using.
Some manual undocumented steps through the OpenStack Networking API or Ansible could be required depending on your needs.
I'll go through the docs you mentioned and update here about my progress.

_______________________________________________
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-leave@ovirt.org
Privacy Statement: https://www.ovirt.org/privacy-policy.html
oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/
List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/FCOB5JRZVHFYDD...
-- Ales Musil Senior Software Engineer - RHV Network Red Hat EMEA <https://www.redhat.com> amusil@redhat.com IM: amusil <https://red.ht/sig>

You should not run ovn-config manually if the host bond0 has ovirtmgmt on top of it. That is all done by host deploy. The step might be needed if you want to have a tunnel on a different interface than the one ovirtmgmt is using.
Thanks for that. We performed a normal oVirt install and as a part of it the controller was installed in the manager. I can see the pre-req rpms and services are also installed in the hypervisors. So if I understood correctly, you're saying that the tunnels and bridge would've been already created when we added the host? If we just bring up the openvswitch and ovn-controller services we should be able to see the tunnels and bridge.

On Mon, Jan 24, 2022 at 5:52 PM ravi k <kottapar@gmail.com> wrote:
You should not run ovn-config manually if the host bond0 has ovirtmgmt on top of it. That is all done by host deploy. The step might be needed if you want to have a tunnel on a different interface than the one ovirtmgmt is using.
Thanks for that. We performed a normal oVirt install and as a part of it the controller was installed in the manager. I can see the pre-req rpms and services are also installed in the hypervisors. So if I understood correctly, you're saying that the tunnels and bridge would've been already created when we added the host? If we just bring up the openvswitch and ovn-controller services we should be able to see the tunnels and bridge.
So there are a couple of things to keep in mind. During engine-setup you need to say yes for the OVN provider option. The cluster with the host needs to have a default network provider, which for the "Default" cluster is configured automatically when the OVN option is yes. With those conditions you don't need to start any service; everything should be running and the hosts installed in the cluster will have tunnels ready on ovirtmgmt.
-- Ales Musil Senior Software Engineer - RHV Network Red Hat EMEA <https://www.redhat.com> amusil@redhat.com IM: amusil <https://red.ht/sig>

With those conditions you don't need to start any service; everything should be running and the hosts installed in the cluster will have tunnels ready on ovirtmgmt.
Thanks for that. It is clear now. We have an existing oVirt setup with logical networks created. In order to test OVN we are going to add a new cluster with switch type OVS and the default network provider ovirt-provider-ovn. We will then add a host to this cluster. Section 14.2.7.5 mentions "You can create an external provider network that overlays a native Red Hat Virtualization network so that the virtual machines on each appear to be sharing the same subnet." Does this mean that we should always first create a native RHV network that talks to the physical network? Is it not possible for OVN to talk directly to the physical network by using the LACP bond configured in the physical host?

On Tue, Jan 25, 2022 at 6:48 PM ravi k <kottapar@gmail.com> wrote:
With those conditions you don't need to start any service; everything should be running and the hosts installed in the cluster will have tunnels ready on ovirtmgmt.
Thanks for that. It is clear now. We have an existing oVirt setup with logical networks created. In order to test OVN we are going to add a new cluster with switch type OVS and the default network provider ovirt-provider-ovn. We will then add a host to this cluster.
Section 14.2.7.5 mentions "You can create an external provider network that overlays a native Red Hat Virtualization network so that the virtual machines on each appear to be sharing the same subnet." Does this mean that we should always first create a native RHV network that talks to the physical network? Is it not possible for OVN to talk directly to the physical network by using the LACP bond configured in the physical host?
So the bond and its configuration have nothing to do with it; in other words, OVN does not care what the physical network is. The recommended way is to have a RHV network which will be used for OVN. This is due to the fact that we need to create a mapping on the host, so OVN knows what bridge to use for this connection. Then the OVN network created can use "Connect to physical network", which will connect the OVN network to the physical one.
-- Ales Musil Senior Software Engineer - RHV Network Red Hat EMEA <https://www.redhat.com> amusil@redhat.com IM: amusil <https://red.ht/sig>