4:49 p.m.
I want to run containers and VMs side by side and not necessarily nested. The main reason
for that is GPUs, Voltas mostly, used for CUDA machine learning not for VDI, which is what
most of the VM orchestrators like oVirt or vSphere seem to focus on. And CUDA drivers are
notorious for refusing to work under KVM unless you pay $esla.
oVirt is more of a side show in my environment, used to run some smaller functional VMs
alongside bigger containers, but also in order to consolidate and re-distribute the local
compute node storage as a Gluster storage pool: Kibbutz storage and compute, if you want,
very much how I understand the HCI philosophy behind oVirt.
The full integration of containers and VMs is still very much on the roadmap I believe,
but I was surprised to see that even co-existence seems to be a problem currently.
So I set-up a 3-node HCI on CentOS7 (GPU-less and older) hosts and then added additional
(beefier GPGPU) CentOS7 hosts, that have been running CUDA workloads on the latest
Docker-CE v19 something.
The installation works fine, I can migrate VMs to these extra hosts etc., but to my dismay
Docker containers on these hosts lose access to the local network, that is the entire
subnet the host is in. For some strange reason I can still ping Internet hosts, perhaps
even everything behind the host's gateway, but local connections are blocked.
It would seem that the ovritmgmt network that the oVirt installation puts in breaks the
docker0 bridge that Docker put there first.
I'd consider that a bug, but I'd like to gather some feedback first, if anyone
else has run into this problem.
I've repeated this several times in completely distinct environments with the same
results:
Simply add a host with a working Docker-CE as an oVirt host to an existing DC/cluster and
then try if you can still ping anyone on that net, including the Docker host from a
busybox container afterwards (should try that ping just before you actually add it).
No, I didn't try this with podman yet, because that's separate challenge with
CUDA: Would love to know if that is part of QA for oVirt already.
5:08 p.m.
KubeVirt. https://kubevirt.io/
Otherwise, your hosts are managing VMs as threads and containers as threads, side-by-side,
without awareness of conflict.
Ex: dockerd expects to manage its network for containers, and oVirt expects to manage a
network (bridge) for VMs. Docker will be expecting to have iptables work for it, and then
oVirt too! https://docs.docker.com/network/, and
https://www.ovirt.org/documentation/installing_ovirt_as_a_standalone_mana...
You'll have to manage the conflicts yourself without KubeVirt.
8:35 a.m.
New subject: oVirt thrashes Docker network during installation
Hi Jp, while the project looks intriging, it also looks still very whet behind the ears
and nothing I could do on a side job time budget.
6:15 p.m.
On April 12, 2020 4:49:51 PM GMT+03:00, thomas(a)hoberg.net wrote:
I want to run containers and VMs side by side and not necessarily
nested. The main reason for that is GPUs, Voltas mostly, used for CUDA
machine learning not for VDI, which is what most of the VM
orchestrators like oVirt or vSphere seem to focus on. And CUDA drivers
are notorious for refusing to work under KVM unless you pay $esla.
oVirt is more of a side show in my environment, used to run some
smaller functional VMs alongside bigger containers, but also in order
to consolidate and re-distribute the local compute node storage as a
Gluster storage pool: Kibbutz storage and compute, if you want, very
much how I understand the HCI philosophy behind oVirt.
The full integration of containers and VMs is still very much on the
roadmap I believe, but I was surprised to see that even co-existence
seems to be a problem currently.
So I set-up a 3-node HCI on CentOS7 (GPU-less and older) hosts and then
added additional (beefier GPGPU) CentOS7 hosts, that have been running
CUDA workloads on the latest Docker-CE v19 something.
The installation works fine, I can migrate VMs to these extra hosts
etc., but to my dismay Docker containers on these hosts lose access to
the local network, that is the entire subnet the host is in. For some
strange reason I can still ping Internet hosts, perhaps even everything
behind the host's gateway, but local connections are blocked.
It would seem that the ovritmgmt network that the oVirt installation
puts in breaks the docker0 bridge that Docker put there first.
I'd consider that a bug, but I'd like to gather some feedback first, if
anyone else has run into this problem.
I've repeated this several times in completely distinct environments
with the same results:
Simply add a host with a working Docker-CE as an oVirt host to an
existing DC/cluster and then try if you can still ping anyone on that
net, including the Docker host from a busybox container afterwards
(should try that ping just before you actually add it).
No, I didn't try this with podman yet, because that's separate
challenge with CUDA: Would love to know if that is part of QA for oVirt
already.
_______________________________________________
Users mailing list -- users(a)ovirt.org
To unsubscribe send an email to users-leave(a)ovirt.org
Privacy Statement: https://www.ovirt.org/privacy-policy.html
oVirt Code of Conduct:
https://www.ovirt.org/community/about/community-guidelines/
List Archives:
https://lists.ovirt.org/archives/list/users@ovirt.org/message/WKLB3IAN7FJ...
Hi Thomas,
I don't think that this type of setup is not supported.
Have you tried the opposite way -> add a new host to oVirt, then try to put docker on
it and add the docker0 somehow in oVirt as a VM network (no matter you won't use it as
such)?
About the KVM and Nvidia drivers - RedHat and Nvidia got a partnership and thus by default
you are not able to set "<hidden state='on'/>" on the VM. As the
Nvidia drivers check 'if we are a VM or not' , they either allow using the
hardware or not.Of course enterprise hardware's (sold with that option in mind)
drivers don't care if we are in VM or not.
If you manage to put the hidden flag on a VM , the story will change a little bit for
you.
Best Regards,
Strahil Nikolov
7:36 p.m.
New subject: oVirt thrashes Docker network during installation
Hi Strahil,
color me surprised, too, especially considering where things are supposed to go in terms
of roadmap.
Yet again, both oVIrt and Docker could be excused to think that they "own the
hardware" they are running on, because it's a rather natural assumption, even if
there are good reasons to run VMs and containers side-by-side as well as nested.
Yes, I believe, I have also done the reverse, put Docker on a system that was already
running as oVirt compute host and it wasn't with better results, either. The biggest
challenge is to repairing the node, without having to re-install the whole thing and I
have gone through quite a few wobbles there, with colleagues who weren't too
appreciative of having their ML jobs fail (those tend to be rather lenghty...)
I've managed to get CUDA work on KVM VMs twiddling the XML config files in these ways
documented on the Web. But with oVirt those KVM XML config files get generated on the fly
in Python and I'd have to fiddle with the code which does that.
Actually I *did* try doing that at one point in time about a year or two ago, but I never
found the right place, where that code actually was taken from. You see, there are copies
of that code on every node, but also on the management engine. And you know how Ansible
squirts code from machine to machine to do its magic, so that's were I stopped at one
point, because running ML workloads containerized was more natural anyway and I was happy
to have CPU-only VMs at their side.
Besides GPU access also disables live-migration and the abillity to move these
long-running functional VMs around to manage resources for ML jobs is exactly what
attracts me to oVirt.
Currently I am mostly probing around here, to see if what I try would be considered
totally esoteric or irresponsible or if it's worth reporting as a bug.
8:48 p.m.
On April 12, 2020 7:36:23 PM GMT+03:00, thomas(a)hoberg.net wrote:
Hi Strahil,
color me surprised, too, especially considering where things are
supposed to go in terms of roadmap.
Yet again, both oVIrt and Docker could be excused to think that they
"own the hardware" they are running on, because it's a rather natural
assumption, even if there are good reasons to run VMs and containers
side-by-side as well as nested.
Yes, I believe, I have also done the reverse, put Docker on a system
that was already running as oVirt compute host and it wasn't with
better results, either. The biggest challenge is to repairing the node,
without having to re-install the whole thing and I have gone through
quite a few wobbles there, with colleagues who weren't too appreciative
of having their ML jobs fail (those tend to be rather lenghty...)
I've managed to get CUDA work on KVM VMs twiddling the XML config files
in these ways documented on the Web. But with oVirt those KVM XML
config files get generated on the fly in Python and I'd have to fiddle
with the code which does that.
Actually I *did* try doing that at one point in time about a year or
two ago, but I never found the right place, where that code actually
was taken from. You see, there are copies of that code on every node,
but also on the management engine. And you know how Ansible squirts
code from machine to machine to do its magic, so that's were I stopped
at one point, because running ML workloads containerized was more
natural anyway and I was happy to have CPU-only VMs at their side.
Besides GPU access also disables live-migration and the abillity to
move these long-running functional VMs around to manage resources for
ML jobs is exactly what attracts me to oVirt.
Currently I am mostly probing around here, to see if what I try would
be considered totally esoteric or irresponsible or if it's worth
reporting as a bug.
_______________________________________________
Users mailing list -- users(a)ovirt.org
To unsubscribe send an email to users-leave(a)ovirt.org
Privacy Statement: https://www.ovirt.org/privacy-policy.html
oVirt Code of Conduct:
https://www.ovirt.org/community/about/community-guidelines/
List Archives:
https://lists.ovirt.org/archives/list/users@ovirt.org/message/6S7VBHOMI76...
Actually,
Is this a bug or not ... I have no idea.
Have you checked if Openstack is your thing in case oVirt cannot cover your needs?
Best Regards,
Strahil Nikolov
9:15 p.m.
New subject: oVirt thrashes Docker network during installation
The general idea was, that with oVirt I'd get a little more automation and benefits
than with just using VirtualBox as a GUI for KVMs.
Boy did I underestimate the amount of intellectual investment for the first value return.
Turned out quite a bit bigger than vSphere, but much more intriguing, because after all:
The code was all there! I got hooked... beyond reasonble, perhaps.
With Openstack they jury has come back a long time ago: Unless you're willing to
sacrifice a double digit team for a year or three, don't go near it.
Three node HCI oVirt just looked like a tight little project with plenty of
expandability... sigh!
10:29 p.m.
I'm with you Thomas. I was looking for a way to cluster my kvm's. Ovirt to the
rescue. It has been a bit of a learning curve, but well worth the effort.
Thanks Ovirt team.
Eric Evans
Digital Data Services LLC.
304.660.9080
-----Original Message-----
From: thomas(a)hoberg.net <thomas(a)hoberg.net>
Sent: Sunday, April 12, 2020 2:15 PM
To: users(a)ovirt.org
Subject: [ovirt-users] Re: oVirt thrashes Docker network during installation
The general idea was, that with oVirt I'd get a little more automation and benefits
than with just using VirtualBox as a GUI for KVMs.
Boy did I underestimate the amount of intellectual investment for the first value return.
Turned out quite a bit bigger than vSphere, but much more intriguing, because after all:
The code was all there! I got hooked... beyond reasonble, perhaps.
With Openstack they jury has come back a long time ago: Unless you're willing to
sacrifice a double digit team for a year or three, don't go near it.
Three node HCI oVirt just looked like a tight little project with plenty of
expandability... sigh!
_______________________________________________
Users mailing list -- users(a)ovirt.org
To unsubscribe send an email to users-leave(a)ovirt.org Privacy Statement:
https://www.ovirt.org/privacy-policy.html
oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/
List Archives:
https://lists.ovirt.org/archives/list/users@ovirt.org/message/VTLWH3UKDDO...
9:54 p.m.
i think it wouldn't work out of box
ovirt will overwrite all your routes and network. you might try to tell
ovirt do jot maintain the network of a interface where you got a docker and
also add custom rules in the firewall ports template on the engine.
<thomas(a)hoberg.net> schrieb am So., 12. Apr. 2020, 15:51:
I want to run containers and VMs side by side and not necessarily
nested.
The main reason for that is GPUs, Voltas mostly, used for CUDA machine
learning not for VDI, which is what most of the VM orchestrators like oVirt
or vSphere seem to focus on. And CUDA drivers are notorious for refusing to
work under KVM unless you pay $esla.
oVirt is more of a side show in my environment, used to run some smaller
functional VMs alongside bigger containers, but also in order to
consolidate and re-distribute the local compute node storage as a Gluster
storage pool: Kibbutz storage and compute, if you want, very much how I
understand the HCI philosophy behind oVirt.
The full integration of containers and VMs is still very much on the
roadmap I believe, but I was surprised to see that even co-existence seems
to be a problem currently.
So I set-up a 3-node HCI on CentOS7 (GPU-less and older) hosts and then
added additional (beefier GPGPU) CentOS7 hosts, that have been running CUDA
workloads on the latest Docker-CE v19 something.
The installation works fine, I can migrate VMs to these extra hosts etc.,
but to my dismay Docker containers on these hosts lose access to the local
network, that is the entire subnet the host is in. For some strange reason
I can still ping Internet hosts, perhaps even everything behind the host's
gateway, but local connections are blocked.
It would seem that the ovritmgmt network that the oVirt installation puts
in breaks the docker0 bridge that Docker put there first.
I'd consider that a bug, but I'd like to gather some feedback first, if
anyone else has run into this problem.
I've repeated this several times in completely distinct environments with
the same results:
Simply add a host with a working Docker-CE as an oVirt host to an existing
DC/cluster and then try if you can still ping anyone on that net, including
the Docker host from a busybox container afterwards (should try that ping
just before you actually add it).
No, I didn't try this with podman yet, because that's separate challenge
with CUDA: Would love to know if that is part of QA for oVirt already.
_______________________________________________
Users mailing list -- users(a)ovirt.org
To unsubscribe send an email to users-leave(a)ovirt.org
Privacy Statement: https://www.ovirt.org/privacy-policy.html
oVirt Code of Conduct:
https://www.ovirt.org/community/about/community-guidelines/
List Archives:
https://lists.ovirt.org/archives/list/users@ovirt.org/message/WKLB3IAN7FJ...
10:15 p.m.
On April 12, 2020 9:54:15 PM GMT+03:00, Arman Khalatyan <arm2arm(a)gmail.com> wrote:
i think it wouldn't work out of box
ovirt will overwrite all your routes and network. you might try to tell
ovirt do jot maintain the network of a interface where you got a docker
and
also add custom rules in the firewall ports template on the engine.
<thomas(a)hoberg.net> schrieb am So., 12. Apr. 2020, 15:51:
> I want to run containers and VMs side by side and not necessarily
nested.
> The main reason for that is GPUs, Voltas mostly, used for CUDA
machine
> learning not for VDI, which is what most of the VM orchestrators like
oVirt
> or vSphere seem to focus on. And CUDA drivers are notorious for
refusing to
> work under KVM unless you pay $esla.
>
> oVirt is more of a side show in my environment, used to run some
smaller
> functional VMs alongside bigger containers, but also in order to
> consolidate and re-distribute the local compute node storage as a
Gluster
> storage pool: Kibbutz storage and compute, if you want, very much how
I
> understand the HCI philosophy behind oVirt.
>
> The full integration of containers and VMs is still very much on the
> roadmap I believe, but I was surprised to see that even co-existence
seems
> to be a problem currently.
>
> So I set-up a 3-node HCI on CentOS7 (GPU-less and older) hosts and
then
> added additional (beefier GPGPU) CentOS7 hosts, that have been
running CUDA
> workloads on the latest Docker-CE v19 something.
>
> The installation works fine, I can migrate VMs to these extra hosts
etc.,
> but to my dismay Docker containers on these hosts lose access to the
local
> network, that is the entire subnet the host is in. For some strange
reason
> I can still ping Internet hosts, perhaps even everything behind the
host's
> gateway, but local connections are blocked.
>
> It would seem that the ovritmgmt network that the oVirt installation
puts
> in breaks the docker0 bridge that Docker put there first.
>
> I'd consider that a bug, but I'd like to gather some feedback first,
if
> anyone else has run into this problem.
>
> I've repeated this several times in completely distinct environments
with
> the same results:
>
> Simply add a host with a working Docker-CE as an oVirt host to an
existing
> DC/cluster and then try if you can still ping anyone on that net,
including
> the Docker host from a busybox container afterwards (should try that
ping
> just before you actually add it).
>
> No, I didn't try this with podman yet, because that's separate
challenge
> with CUDA: Would love to know if that is part of QA for oVirt
already.
> _______________________________________________
> Users mailing list -- users(a)ovirt.org
> To unsubscribe send an email to users-leave(a)ovirt.org
> Privacy Statement: https://www.ovirt.org/privacy-policy.html
> oVirt Code of Conduct:
> https://www.ovirt.org/community/about/community-guidelines/
> List Archives:
>
https://lists.ovirt.org/archives/list/users@ovirt.org/message/WKLB3IAN7FJ...
>
Actually I think I got an idea.
Vdsm hooks can be used to do some stuff before/after somwthing happens.
So you can create your oqn script to configure docker network after the network was
initiated by vdsm.
I think implementation will be fairly easy.
Best Regards,
Strahil Nikolov
1575
days inactive
1684
days old
9 comments
5 participants
participants (5)
-
Arman Khalatyan -
eevans@digitaldatatechs.com -
Jp -
Strahil Nikolov -
thomas@hoberg.net