NAT/internal Networks in ovirt?

Hi,

I'm migrating off a vmware-server infrastructure and one thing that provided was a NAT and a HostOnly network by default. I'm trying to replicate this (at least the NAT part) in ovirt.

A few years ago people were asking about setting up oVirt with NAT/Internal networks, e.g. http://lists.ovirt.org/pipermail/users/2012-April/001751.html

I also found https://www.ovirt.org/develop/developer-guide/vdsm/hook/network-nat/

Has this at all been integrated in the intervening years? Or is NAT networking still completely a manual process? One would think this would be a relatively common interface, where you want to have a VM that isn't directly connected to the internet but still has internet access via a (virtual) NAT?

-derek

--
Derek Atkins 617-623-3745
derek@ihtfp.com www.ihtfp.com
Computer and Internet Security Consultant

On Wed, Nov 02, 2016 at 05:22:43PM -0400, Derek Atkins wrote:
> Hi,
>
> I'm migrating off a vmware-server infrastructure and one thing that provided was a NAT and a HostOnly network by default. I'm trying to replicate this (at least the NAT part) in ovirt.
>
> A few years ago people were asking about setting up oVirt with NAT/Internal networks, e.g. http://lists.ovirt.org/pipermail/users/2012-April/001751.html
>
> I also found https://www.ovirt.org/develop/developer-guide/vdsm/hook/network-nat/
>
> Has this at all been integrated in the intervening years? Or is NAT networking still completely a manual process? One would think this would be a relatively common interface, where you want to have a VM that isn't directly connected to the internet but still has internet access via a (virtual) NAT?

I'm afraid that we have not advanced this any further. Main conceptual problem with the suggested manual process is that VMs behind NAT cannot be reliably migrated to another host.

I hope that our current work, of attaching VMs onto an OVN-defined overlay network (see https://www.ovirt.org/blog/2016/11/ovirt-provider-ovn/ ) would satisfy most of what you need of a NATted network, and more.

For HostOnly networks, btw, you can create dummy interfaces http://lists.ovirt.org/pipermail/users/2015-December/036897.html and then attach them to a network.

Regards,
Dan.

Hi Dan,

On Thu, November 3, 2016 6:14 am, Dan Kenigsberg wrote:
> On Wed, Nov 02, 2016 at 05:22:43PM -0400, Derek Atkins wrote:
>> Hi,
>>
[snip]
> I'm afraid that we have not advanced this any further. Main conceptual problem with the suggested manual process is that VMs behind NAT cannot be reliably migrated to another host.

I suppose the only real issue in migration would be open connections. In my case, since I only have a single machine, migration isn't an issue. But I see the larger problem that seamless migration would cause.

> I hope that our current work, of attaching VMs onto an OVN-defined overlay network (see https://www.ovirt.org/blog/2016/11/ovirt-provider-ovn/ ) would satisfy most of what you need of a NATted network, and more.

I have to better understand OVN, how to configure it, and how it would work, but it sounds like it might solve the problem. From a cursory glance it looks like this would allow me to set up a virtual network that goes through the OVN service in lieu of the standard bridges that ovirt networking provides -- so I would provide an ovirt bridge to an OVN network which could act as a NAT to the "standard" bridge out into the Internet at large.

(Honestly, I wish there were a good overview of networking in ovirt -- all the pages seem to assume you already know how it works and are more aimed at explaining how to configure it -- which doesn't help a n00b like me)

> For HostOnly networks, btw, you can create dummy interfaces http://lists.ovirt.org/pipermail/users/2015-December/036897.html and then attach them to a network.

Yes, I don't specifically need this, but it would certainly work for those who want a HostOnly network.

Thank you for your reply!

> Regards,
> Dan.

-derek

PS: Is there any particular reason, if I only have a single physical network/uplink, to create multiple logical networks within ovirt? Or is it "safe" to just use the management network for everything? Everything is, effectively, already in the same broadcast network.

--
Derek Atkins 617-623-3745
derek@ihtfp.com www.ihtfp.com
Computer and Internet Security Consultant