OVN routing and firewalling in oVirt

Hello, how do we manage routing between different OVN networks in oVirt? And between OVN networks and physical ones? Based on the architecture described here: http://openvswitch.org/support/dist-docs/ovn-architecture.7.html I see the terms logical routers and gateway routers respectively, but how do they apply to an oVirt configuration? Do I have to choose between setting up a specialized VM or a physical one: is it applicable/advisable to put the gateway functionality on the oVirt host itself? Is there any security policy (like security groups in OpenStack) to implement? Thanks, Gianluca

On Thu, Feb 16, 2017 at 2:20 PM, Gianluca Cecchi <gianluca.cecchi@gmail.com> wrote:
> Hello, how do we manage routing between different OVN networks in oVirt? And between OVN networks and physical ones?

Take a look at this blog post: http://blog.spinhirne.com/2016/09/the-ovn-gateway-router.html
The good news is that a distributed NAT is going to be introduced with OVN 2.7: https://patchwork.ozlabs.org/patch/726766/

> Based on the architecture described here: http://openvswitch.org/support/dist-docs/ovn-architecture.7.html
> I see the terms logical routers and gateway routers respectively, but how do they apply to an oVirt configuration? Do I have to choose between setting up a specialized VM or a physical one: is it applicable/advisable to put the gateway functionality on the oVirt host itself?
> Is there any security policy (like security groups in OpenStack) to implement?
> Thanks, Gianluca

On Thu, Feb 16, 2017 at 2:26 PM, Simone Tiraboschi <stirabos@redhat.com> wrote:
> On Thu, Feb 16, 2017 at 2:20 PM, Gianluca Cecchi <gianluca.cecchi@gmail.com> wrote:
>> Hello, how do we manage routing between different OVN networks in oVirt? And between OVN networks and physical ones?
> Take a look at this blog post: http://blog.spinhirne.com/2016/09/the-ovn-gateway-router.html

Great! Actually, using the previous blog post of the series: http://blog.spinhirne.com/2016/09/an-introduction-to-ovn-routing.html I was able to complete routing between two different oVirt subnets.

In oVirt I have previously created:

ovn_net1 network with subnet subn1 (defined as 172.16.10.0/24 with gw 172.16.10.1) so that the usable IP range is from 172.16.10.1 to 172.16.10.254
ovn_net2 network with subnet subn2 (defined as 192.168.10.0/24 with gw 192.168.10.1) so that the usable IP range is from 192.168.10.1 to 192.168.10.254

I have two VMs defined on the two subnets:
vm1 172.16.10.2
vm2 192.168.10.101

On the central server (that is my engine):

# define the new logical switches
# no, already created from inside oVirt: they are ovn_net1 and ovn_net2

# add the router
ovn-nbctl lr-add net1net2

# create router port for the connection to net1
ovn-nbctl lrp-add net1net2 net1 02:ac:10:ff:01:29 172.16.10.1/24

# create the net1 switch port for connection to net1net2
ovn-nbctl lsp-add ovn_net1 net1-net1net2
ovn-nbctl lsp-set-type net1-net1net2 router
ovn-nbctl lsp-set-addresses net1-net1net2 02:ac:10:ff:01:29
ovn-nbctl lsp-set-options net1-net1net2 router-port=net1

# create router port for the connection to net2
ovn-nbctl lrp-add net1net2 net2 02:ac:10:ff:01:93 192.168.10.1/24

# create the net2 switch port for connection to net1net2
ovn-nbctl lsp-add ovn_net2 net2-net1net2
ovn-nbctl lsp-set-type net2-net1net2 router
ovn-nbctl lsp-set-addresses net2-net1net2 02:ac:10:ff:01:93
ovn-nbctl lsp-set-options net2-net1net2 router-port=net2

# show config
ovn-nbctl show

[root@ractorshe ~]# ovn-nbctl show
switch 38cca50c-e8b2-43fe-b585-2ee815191939 (ovn_net1)
    port 5562d95d-060f-4c64-b535-0e460ae6aa5a
        addresses: ["00:1a:4a:16:01:52 dynamic"]
    port 87fea70a-583b-4484-b72b-030e2f175aa6
        addresses: ["00:1a:4a:16:01:53 dynamic"]
    port net1-net1net2
        addresses: ["02:ac:10:ff:01:29"]
    port 99f619fc-29d2-4d40-8c28-4ce9291eb97a
        addresses: ["00:1a:4a:16:01:51 dynamic"]
switch 6a0e7a92-8edc-44dd-970a-2b1f5c07647d (ovn_net2)
    port net2-net1net2
        addresses: ["02:ac:10:ff:01:93"]
    port 9b7a79a3-aa38-43b1-abd4-58370171755e
        addresses: ["00:1a:4a:16:01:54 dynamic"]
router 59d79312-a434-4150-be46-285a9f37df8d (net1net2)
    port net2
        mac: "02:ac:10:ff:01:93"
        networks: ["192.168.10.1/24"]
    port net1
        mac: "02:ac:10:ff:01:29"
        networks: ["172.16.10.1/24"]
[root@ractorshe ~]#

And now vm1 is able to ping both the gateway IPs on subn1 and subn2 and to ssh into vm2.
It remains a sort of SPOF, the fact of the central OVN server where the logical router lives... but for initial testing it is ok.

Thanks again,
Gianluca

On Thu, Feb 16, 2017 at 4:49 PM, Gianluca Cecchi <gianluca.cecchi@gmail.com> wrote:
> On Thu, Feb 16, 2017 at 2:26 PM, Simone Tiraboschi <stirabos@redhat.com> wrote:
>> On Thu, Feb 16, 2017 at 2:20 PM, Gianluca Cecchi <gianluca.cecchi@gmail.com> wrote:
>>> Hello, how do we manage routing between different OVN networks in oVirt? And between OVN networks and physical ones?
>> Take a look at this blog post: http://blog.spinhirne.com/2016/09/the-ovn-gateway-router.html
> Great! Actually, using the previous blog post of the series: http://blog.spinhirne.com/2016/09/an-introduction-to-ovn-routing.html

It was something I wished to show this Monday in the workshop, but we were really out of time!

> I was able to complete routing between two different oVirt subnets.
>
> In oVirt I have previously created:
>
> ovn_net1 network with subnet subn1 (defined as 172.16.10.0/24 with gw 172.16.10.1) so that the usable IP range is from 172.16.10.1 to 172.16.10.254
> ovn_net2 network with subnet subn2 (defined as 192.168.10.0/24 with gw 192.168.10.1) so that the usable IP range is from 192.168.10.1 to 192.168.10.254
>
> I have two VMs defined on the two subnets:
> vm1 172.16.10.2
> vm2 192.168.10.101
>
> On the central server (that is my engine):
>
> # define the new logical switches
> # no, already created from inside oVirt: they are ovn_net1 and ovn_net2
>
> # add the router
> ovn-nbctl lr-add net1net2
>
> # create router port for the connection to net1
> ovn-nbctl lrp-add net1net2 net1 02:ac:10:ff:01:29 172.16.10.1/24
>
> # create the net1 switch port for connection to net1net2
> ovn-nbctl lsp-add ovn_net1 net1-net1net2
> ovn-nbctl lsp-set-type net1-net1net2 router
> ovn-nbctl lsp-set-addresses net1-net1net2 02:ac:10:ff:01:29
> ovn-nbctl lsp-set-options net1-net1net2 router-port=net1
>
> # create router port for the connection to net2
> ovn-nbctl lrp-add net1net2 net2 02:ac:10:ff:01:93 192.168.10.1/24
>
> # create the net2 switch port for connection to net1net2
> ovn-nbctl lsp-add ovn_net2 net2-net1net2
> ovn-nbctl lsp-set-type net2-net1net2 router
> ovn-nbctl lsp-set-addresses net2-net1net2 02:ac:10:ff:01:93
> ovn-nbctl lsp-set-options net2-net1net2 router-port=net2
>
> # show config
> ovn-nbctl show
>
> [root@ractorshe ~]# ovn-nbctl show
> switch 38cca50c-e8b2-43fe-b585-2ee815191939 (ovn_net1)
>     port 5562d95d-060f-4c64-b535-0e460ae6aa5a
>         addresses: ["00:1a:4a:16:01:52 dynamic"]
>     port 87fea70a-583b-4484-b72b-030e2f175aa6
>         addresses: ["00:1a:4a:16:01:53 dynamic"]
>     port net1-net1net2
>         addresses: ["02:ac:10:ff:01:29"]
>     port 99f619fc-29d2-4d40-8c28-4ce9291eb97a
>         addresses: ["00:1a:4a:16:01:51 dynamic"]
> switch 6a0e7a92-8edc-44dd-970a-2b1f5c07647d (ovn_net2)
>     port net2-net1net2
>         addresses: ["02:ac:10:ff:01:93"]
>     port 9b7a79a3-aa38-43b1-abd4-58370171755e
>         addresses: ["00:1a:4a:16:01:54 dynamic"]
> router 59d79312-a434-4150-be46-285a9f37df8d (net1net2)
>     port net2
>         mac: "02:ac:10:ff:01:93"
>         networks: ["192.168.10.1/24"]
>     port net1
>         mac: "02:ac:10:ff:01:29"
>         networks: ["172.16.10.1/24"]
> [root@ractorshe ~]#
>
> And now vm1 is able to ping both the gateway IPs on subn1 and subn2 and to ssh into vm2.
> It remains a sort of SPOF, the fact of the central OVN server where the logical router lives... but for initial testing it is ok.

Are you sure? Did you try bringing it down?
AFAIU, OVN is already providing distributed routing since 2.6: if the node where you have the oVirt OVN provider and the OVN controller with the northbound and southbound DB is down you cannot edit logical networks, but the existing flows should still be there.

> Thanks again,
> Gianluca

On Thu, Feb 16, 2017 at 5:09 PM, Simone Tiraboschi <stirabos@redhat.com> wrote:
>>> http://blog.spinhirne.com/2016/09/the-ovn-gateway-router.html
>> Great! Actually, using the previous blog post of the series: http://blog.spinhirne.com/2016/09/an-introduction-to-ovn-routing.html
> It was something I wished to show this Monday in the workshop, but we were really out of time!

Don't worry Simone; you were superfast for the time you had available and you didn't make any mistake jumping from one presentation to another in real time... superb ;-)

>> And now vm1 is able to ping both the gateway IPs on subn1 and subn2 and to ssh into vm2.
>> It remains a sort of SPOF, the fact of the central OVN server where the logical router lives... but for initial testing it is ok.
> Are you sure? Did you try bringing it down?
> AFAIU, OVN is already providing distributed routing since 2.6: if the node where you have the oVirt OVN provider and the OVN controller with the northbound and southbound DB is down you cannot edit logical networks, but the existing flows should still be there.

No, I'm not sure... it was only my wrong assumption. And you are right.
This is a single-host environment with self-hosted engine. I put the provider on the hosted engine. I set global maintenance and shut down the engine. And I'm still able to go from ovn_net1 to ovn_net2 without any problem... Fine!
After exiting global maintenance and the automatic power-on of the engine, I can verify that the configuration has been retained, with the configured virtual router and its gateway ports in the NB database.
Just a question: so where does the virtual router live? Which command can I run on the host to verify the software-defined router configuration while the provider is down? How is this information mapped on the host itself so that it routes packets from ovn_net1 to ovn_net2?
Cheers,
Gianluca

Thank you very much for listing down the steps. It's been 5 years. So I'm not sure if we still need to create LRPs and LSPs manually? I ask because I do not see any provision in the oVirt interface. If we have a large number of networks defined in OVN, then it'll be a task to add the LRPs and LSPs? Regards, Ravi

On Sun, Apr 17, 2022 at 9:25 AM ravi k <kottapar@gmail.com> wrote:
> Thank you very much for listing down the steps. It's been 5 years. So I'm not sure if we still need to create LRPs and LSPs manually? I ask because I do not see any provision in the oVirt interface.
> If we have a large number of networks defined in OVN, then it'll be a task to add the LRPs and LSPs?
> Regards, Ravi

Hi, to some extent yes, you need to create them manually. oVirt Provider OVN supports logical routers, so you can use the API for the LRP and LSP as well; for l3gw or floating IPs you would need to do that through ovn-nbctl, as this is not supported by the provider.
Regards,
Ales
--
Ales Musil
Senior Software Engineer - RHV Network
Red Hat EMEA
amusil@redhat.com
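Gianluca's lr-add / lrp-add / lsp-add sequence, generalised to any number of oVirt OVN networks as Ravi asks about. This is an added example, not code from the thread, from oVirt or from OVN; it assumes the logical switch name equals the oVirt network name, that the router port takes the subnet gateway address, and a constructed MAC scheme (02:00 plus the four gateway octets) in place of the hand-picked MACs above. With DRY_RUN=1 it only prints the ovn-nbctl commands, so you can review them before they touch the northbound DB.

```shell
#!/bin/bash
# Added example (not code from the thread): generalise the manual
# lr-add / lrp-add / lsp-add sequence to any number of oVirt OVN networks.
# Assumed (not from the thread): switch name == oVirt network name, the router
# port address is the subnet gateway, and the router-port MAC is derived from
# the gateway IP (02:00 + its four octets) so it is unique and locally administered.

# Run ovn-nbctl, or only print the command when DRY_RUN=1.
nb() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "ovn-nbctl $*"
    else
        ovn-nbctl "$@"
    fi
}

# gw_mac 172.16.10.1  ->  02:00:ac:10:0a:01
gw_mac() {
    local IFS=.
    set -- $1
    printf '02:00:%02x:%02x:%02x:%02x\n' "$1" "$2" "$3" "$4"
}

# attach_switch ROUTER SWITCH GATEWAY/PREFIX: the router-side port plus the
# matching "router" type switch port, the two halves added by hand above.
attach_switch() {
    local router=$1 switch=$2 cidr=$3
    local mac rport sport
    mac=$(gw_mac "${cidr%/*}")
    rport="${router}-${switch}"   # router side, e.g. net1net2-ovn_net1
    sport="${switch}-${router}"   # switch side, e.g. ovn_net1-net1net2
    nb --may-exist lrp-add "$router" "$rport" "$mac" "$cidr"
    nb --may-exist lsp-add "$switch" "$sport"
    nb lsp-set-type "$sport" router
    nb lsp-set-addresses "$sport" "$mac"
    nb lsp-set-options "$sport" "router-port=$rport"
}

# build_router ROUTER reads "switch gateway/prefix" pairs from stdin and
# attaches each one; --may-exist makes re-runs idempotent.
build_router() {
    local router=$1 switch cidr
    nb --may-exist lr-add "$router"
    while read -r switch cidr; do
        [ -n "$switch" ] && attach_switch "$router" "$switch" "$cidr"
    done
}

# Example run: print the commands for the two subnets from the thread.
printf 'ovn_net1 172.16.10.1/24\novn_net2 192.168.10.1/24\n' | DRY_RUN=1 build_router net1net2
```

After applying it for real, `ovn-nbctl show` on the central node should list one router port and one "router" type switch port per network, as in Gianluca's output.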