2:01 p.m.
Hi all
I have a VM network created with some hosts and I have included a vyos router acting as a
Layer 2 extension to another hypervisor through VXLAN.
I can see traffic reaching VMs from the other hypervisor to the ovirt hosted VMs.
I can see traffic leaving the VMs hosted on the ovirt hypervisor.
However, i do not see return traffic reaching the vyos VXLAN hosted on ovirt.
I believe the VM network drops return traffic based on the destination MAC address.
However, i have created the VM Network with security disabled.
Can you please assist on how to troubleshoot?
6:42 p.m.
On Wed, Dec 11, 2019 at 12:12 PM <k.betsis(a)gmail.com> wrote:
Hi all
I have a VM network created with some hosts and I have included a vyos
router acting as a Layer 2 extension to another hypervisor through VXLAN.
This sounds interesting, but might be not supported by oVir. Can you share
details?
What is your motivation to do this?
Would the internal OVN networking work for you, too?
I can see traffic reaching VMs from the other hypervisor to the
ovirt
hosted VMs.
I can see traffic leaving the VMs hosted on the ovirt hypervisor.
However, i do not see return traffic reaching the vyos VXLAN hosted on
ovirt.
I believe the VM network drops return traffic based on the destination MAC
address.
However, i have created the VM Network with security disabled.
Can you please assist on how to troubleshoot?
_______________________________________________
Users mailing list -- users(a)ovirt.org
To unsubscribe send an email to users-leave(a)ovirt.org
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct:
https://www.ovirt.org/community/about/community-guidelines/
List Archives:
https://lists.ovirt.org/archives/list/users@ovirt.org/message/Z3AVFZRF3CJ...
7:29 p.m.
We currently have 2 bare metals.
One holds the ovirt and the other proxmox.
As to enable high availability and config sync on the proxmox hosted VMs we have deployed
VyOS on both hyper-visors.
We then use L2TPv3 as to extend VM networks from proxmox to ovirt and vice versa.
When that was finalized and all VMs were activated in ovirt we would delete proxmox and
deploy ovirt and re-do the same think as to re-enable VM high availability.
The issue is that VM Networks drop traffic towards the VyOS VM even through we have enable
mac-spoofing and promiscuous on the VM custom properties.
The VM Networks must drop frames for destination MAC addresses not directly hosted on it
and i don't know how to disable/bypass that.
10:46 a.m.
On Wed, Dec 11, 2019 at 5:31 PM <k.betsis(a)gmail.com> wrote:
We currently have 2 bare metals.
One holds the ovirt and the other proxmox.
As to enable high availability and config sync on the proxmox hosted VMs
we have deployed VyOS on both hyper-visors.
Is VyOS installed on the host, or in a VM?
We then use L2TPv3 as to extend VM networks from proxmox to ovirt and
vice
versa.
Does this mean that the VyOS VM on oVirt should forward layer 2 traffic to
the VyOS VM on proxmox?
Is there a way to share a VLAN? (This would avoid additional tunneling.)
Can you please share some details?
When that was finalized and all VMs were activated in ovirt we would
delete proxmox and deploy ovirt and re-do the same think as to re-enable VM
high availability.
The issue is that VM Networks drop traffic towards the VyOS VM even
through we have enable mac-spoofing and promiscuous on the VM custom
properties.
If VyOS is a VM on oVirt, network filtering should be disabled on the vNIC
profile which sends and
receives the unencapsulated traffic, before the oVirt VM is booted.
The VM Networks must drop frames for destination MAC addresses not
directly hosted on it and i don't know how to disable/bypass that.
Don't understand.
_______________________________________________
Users mailing list -- users(a)ovirt.org
To unsubscribe send an email to users-leave(a)ovirt.org
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct:
https://www.ovirt.org/community/about/community-guidelines/
List Archives:
https://lists.ovirt.org/archives/list/users@ovirt.org/message/T6FKORHF3NC...
1:26 p.m.
On Wed, Dec 11, 2019 at 5:31 PM <k.betsis(a)gmail.com>
wrote:
Is VyOS installed on the host, or in a VM?
VyOS is installed on the ovirt node
Does this mean that the VyOS VM on oVirt should forward layer 2 traffic to
the VyOS VM on proxmox?
Is there a way to share a VLAN? (This would avoid additional tunneling.)
Can you please share some details?
VLAN approach is not feasible unfortunatelly.
VyOS VM on oVirt should forward Layer 2 traffic over ovirtmgmt network.
So from oVirt's perspective there is no tunneling.
If VyOS is a VM on oVirt, network filtering should be disabled on the vNIC
profile which sends and
receives the unencapsulated traffic, before the oVirt VM is booted.
I have disabled all filters on the VM Network by selecting Network Port Security:
Disabled
Don't understand.
I have created a VM Network with no filters on ovirt named
auth_net with the following parameters:
1. VM Network, check
2. MTU, custom 2000
3. Create on external provider, check
3a. External provider: ovirt-provider-ovn
3b. Network Port Security: Disabled
This is done as to allow me to attach VMs to this network.
I have attached 3 VMs on this VM Network.
A firewall with IP e.g. 10.0.0.1
The VyOS VM
An LDAP VM with IP e.g. 10.0.0.5
The VyOS VM is attached to the auth_net with no IP address and with L2TPv3 via ovirtmgmt
as to get the VM network Layer 2 traffic and forward it to the proxmox network through the
VyOS routers.
Even though i have not created any network filters traffic is dropped before reaching VyOS
VM from the LDAP Auth server.
TCPDUMP on the LDAP VM shows traffic leaving the LDAP VM.
TCPDUMP on the VyOS VM does not show traffic reaching the vnic.
5:50 p.m.
On Thu, Dec 12, 2019 at 11:29 AM <k.betsis(a)gmail.com> wrote:
> On Wed, Dec 11, 2019 at 5:31 PM <k.betsis(a)gmail.com>
wrote:
>
> Is VyOS installed on the host, or in a VM?
>
VyOS is installed on the ovirt node
>
>
> Does this mean that the VyOS VM on oVirt should forward layer 2 traffic
to
> the VyOS VM on proxmox?
> Is there a way to share a VLAN? (This would avoid additional tunneling.)
> Can you please share some details?
>
VLAN approach is not feasible unfortunatelly.
VyOS VM on oVirt should forward Layer 2 traffic over ovirtmgmt network.
So from oVirt's perspective there is no tunneling.
>
>
> If VyOS is a VM on oVirt, network filtering should be disabled on the
vNIC
> profile which sends and
> receives the unencapsulated traffic, before the oVirt VM is booted.
>
I have disabled all filters on the VM Network by selecting Network Port
Security: Disabled
>
>
> Don't understand.
I have created a VM Network with no filters on ovirt named auth_net with
the following parameters:
1. VM Network, check
2. MTU, custom 2000
3. Create on external provider, check
3a. External provider: ovirt-provider-ovn
I see.
This will create an external OVN network.
As far as I know, OVN networks do not allow mac spoofing, even if port
security is disabled.
Are you able to use physical networks (oVirt logical network with VM
networking, optional VLAN tag, but not external)
to connect the oVirt VMs?
3b. Network Port Security: Disabled
This is done as to allow me to attach VMs to this network.
I have attached 3 VMs on this VM Network.
A firewall with IP e.g. 10.0.0.1
The VyOS VM
An LDAP VM with IP e.g. 10.0.0.5
The VyOS VM is attached to the auth_net with no IP address and with L2TPv3
via ovirtmgmt as to get the VM network Layer 2 traffic and forward it to
the proxmox network through the VyOS routers.
Even though i have not created any network filters traffic is dropped
before reaching VyOS VM from the LDAP Auth server.
TCPDUMP on the LDAP VM shows traffic leaving the LDAP VM.
TCPDUMP on the VyOS VM does not show traffic reaching the vnic.
_______________________________________________
Users mailing list -- users(a)ovirt.org
To unsubscribe send an email to users-leave(a)ovirt.org
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct:
https://www.ovirt.org/community/about/community-guidelines/
List Archives:
https://lists.ovirt.org/archives/list/users@ovirt.org/message/BOEK5LTE6CM...
6:25 p.m.
On Thu, Dec 12, 2019 at 11:29 AM <k.betsis(a)gmail.com>
wrote:
I see.
This will create an external OVN network.
As far as I know, OVN networks do not allow mac spoofing, even if port
security is disabled.
I have installed the vdsm hook for allow both promiscuous and mac-spoofing and
have the same experience.
So it is safe to assume that this cannot be supported in ovirt?
Are you able to use physical networks (oVirt logical network with VM
networking, optional VLAN tag, but not external)
to connect the oVirt VMs?
I can connect to VMs through the internet and IPSEC, but i wanted to extend them.
Do you know of any other way where i can extend on VM network from ovirt to another
hypervisor?
Any idea will help.
Appreciate the till now assistance.
7:38 p.m.
On Thu, Dec 12, 2019 at 4:27 PM <k.betsis(a)gmail.com> wrote:
> On Thu, Dec 12, 2019 at 11:29 AM
<k.betsis(a)gmail.com> wrote:
>
>
> I see.
> This will create an external OVN network.
> As far as I know, OVN networks do not allow mac spoofing, even if port
> security is disabled.
>
I have installed the vdsm hook for allow both promiscuous and mac-spoofing
and have the same experience.
So it is safe to assume that this cannot be supported in ovirt?
Not external logical networks, with vNIC profiles, have no network filter
during the VM is started (or the vNIC is hotplugged),
allows any MAC address. This works without any hook required.
In most simple flow for a lab would be to remove the network filter from
ovirtmgmt, attach ovirtmgmt to a VM and boot the VM.
>
> Are you able to use physical networks (oVirt logical network with VM
> networking, optional VLAN tag, but not external)
> to connect the oVirt VMs?
>
I can connect to VMs through the internet and IPSEC, but i wanted to
extend them.
Do you know of any other way where i can extend on VM network from ovirt
to another hypervisor?
As I wrote above, layer 2 tunneling from one VM to another should work.
Are you force to extend the network on layer 2? If not,
two VMs connected by a tunnel or a VPN might be more straight and would
even limit layer 2 broadcasts.
Any idea will help.
Appreciate the till now assistance.
_______________________________________________
Users mailing list -- users(a)ovirt.org
To unsubscribe send an email to users-leave(a)ovirt.org
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct:
https://www.ovirt.org/community/about/community-guidelines/
List Archives:
https://lists.ovirt.org/archives/list/users@ovirt.org/message/PPOE54V2SXW...
5:54 p.m.
On Thu, Dec 12, 2019 at 4:27 PM <k.betsis(a)gmail.com>
wrote:
Not external logical networks, with vNIC profiles, have no network filter
during the VM is started (or the vNIC is hotplugged),
allows any MAC address. This works without any hook required.
In most simple flow for a lab would be to remove the network filter from
ovirtmgmt, attach ovirtmgmt to a VM and boot the VM.
Well this is where theory contradicts practice...
Based on what you say layer 2 frames would traverse the VM Network bridge and reach VyOS
vnic, which they do not.
Layer 2 frames are dropped after leaving the VM and before reaching the VyOS vnic.
In theory if the VM bridge did not know where they should be forwarded it should broadcast
them to all attached ports, which again it is not been done.
So i am not sure if it is a bug, or a feature...
As I wrote above, layer 2 tunneling from one VM to another should work.
Are you force to extend the network on layer 2? If not,
two VMs connected by a tunnel or a VPN might be more straight and would
even limit layer 2 broadcasts.
I agree Layer 3 would be the best way forward but we
need layer 2 extension since the firewalls require it for high availability as well and we
need pcsd VIPs attached to monitored services to have high availability.
12:20 a.m.
On Fri, Dec 13, 2019 at 3:56 PM <k.betsis(a)gmail.com> wrote:
> On Thu, Dec 12, 2019 at 4:27 PM <k.betsis(a)gmail.com>
wrote:
>
>
>
> Not external logical networks, with vNIC profiles, have no network filter
> during the VM is started (or the vNIC is hotplugged),
> allows any MAC address. This works without any hook required.
> In most simple flow for a lab would be to remove the network filter from
> ovirtmgmt, attach ovirtmgmt to a VM and boot the VM.
>
Well this is where theory contradicts practice...
Based on what you say layer 2 frames would traverse the VM Network bridge
and reach VyOS vnic, which they do not.
Layer 2 frames are dropped after leaving the VM and before reaching the
VyOS vnic.
In theory if the VM bridge did not know where they should be forwarded it
should broadcast them to all attached ports, which again it is not been
done.
So i am not sure if it is a bug, or a feature...
This works very reliably.
To check the oVirt networking related part, I tried the following setup:
VM1 <-vlan4->VM0<->ovirtmgmt<->dhcpserver/gateway
With a bridge on VM0 which connects the interfaces connected to vlan4 and
ovirtmgmt.
VM0 was the "CentOS 8 test image v20191009 for x86_64 (280f3e8)"
from ovirt-image-repository.
I installed cockpit in VM0 and added a bridge on cockpit web UI over the
two virtual NICs on VM0.
VM1 was able to get an IP address via DHCP and ping through the gateway to
the outside world.
Are you able to replicate this as a first step to isolate the problem?
>
>
> As I wrote above, layer 2 tunneling from one VM to another should work.
> Are you force to extend the network on layer 2? If not,
> two VMs connected by a tunnel or a VPN might be more straight and would
> even limit layer 2 broadcasts.
I agree Layer 3 would be the best way forward but we need layer 2
extension since the firewalls require it for high availability as well and
we need pcsd VIPs attached to monitored services to have high availability.
_______________________________________________
Users mailing list -- users(a)ovirt.org
To unsubscribe send an email to users-leave(a)ovirt.org
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct:
https://www.ovirt.org/community/about/community-guidelines/
List Archives:
https://lists.ovirt.org/archives/list/users@ovirt.org/message/WFV4A4YIDL7...
1803
days inactive
1808
days old
9 comments
2 participants
participants (2)
-
Dominik Holler -
k.betsis@gmail.com