
High level network advice request :)
I have a self-hosted engine deployed on a node, Ovirt v. 4.3. I am testing, but I don't understand the big idea of how to set-up Ovirt networking for hosted / engine-managed virtual servers. I would like to host a few virtual servers for things like Next/OwnCloud, SuiteCRM, NethServer or others.
For example, I know exactly how to set up a virtual machine with a centos / lamp stack on a fedora host, I can make a network bridge for the vm with fedora cli, then use haproxy (or squid) as a reverse-redirect server to allow WAN access to the vm server using FQDNs.
What is a good strategy for Ovirt hosting a webserver? To use the default ovirt management network for the virtual server machines doesn't seem like a best practice?
Should I make a new logical network for the virtual servers? Do I need to configure bridges for the machines? It looks like bridges and virtual NICs are automatically configured when I make the network and virtual machines, is that right?
Is it the usual or typical practice that one ovirt logical network uses only one network bridge to one physical NIC? Would all of the kVMs on the logical network share the same / single bridge of the particular network? I'm not sure what the big idea should be, what is a best practice?
I wonder, should I bond several physical NICs, then point the bridge, for a new / dedicated logical network for webservers, to the bonded NICs? There is more than a little new vocabulary for me to onboard for Ovirt / virtual / logical networks... I will greatly appreciate, and I thank you in advance for any top level / best practice advice!

This is really a situational question.
Short answer is - there's no problem running everything on ovirtmgmt network - I do it, especially if what you're deploying on is essentially one big network. It's just the VMs bridged into your host's NIC.
The long answer is, you can create many networks based on a number of factors i.e. VLAN tagging, different names for different groups, different things to run over different networks (like migration traffic and/or host storage traffic etc). This gives you flexibility in the long run if you need to change things around - more management overhead but more flexibility.
My home server - being a single node home server - uses a Bond0 interface that the ovirtmgmt bridge is created on. I also have a VLAN Tagged network on that bond setup in oVirt to some servers, as I run my server and client device (and IoT device) networks separately.
In terms of your webserver example - you'd ideally have a webproxy VM that you forward your 80,443 to from your router, and it'd be setup to talk to any other application/VM internally on their internal IPs - I do this for a self hosted Nextcloud, Cacti/NMS, Plex, some development servers etc all behind my NAT router, all on oVirt.
If you have any specific questions or problems - please let me know and I'll try my best to help.
On 24/1/20 2:38 pm, Richard Nilsson wrote:

Thanks again Joseph, I do have a specific noob question. I'm learning so much with this test deployment :) Amazing.
I can't get to a test vm / webserver managed by Ovirt Engine from WAN, as I do with the Engine and other machines... I suspect that I am missing some pretty basic setup step with security but I don't know what to check next?
So I use pfSense with haproxy add on, which is pretty great. Squid might be better, but haproxy was really easy for me to set-up without mastering config syntax... My pfSense is on a physical box at the gateway as a gateway server... so not a vm.
I have a working vm on an ovirt node managed / created with engine. I set up the vm with fedora 31 server then added a lamp stack with mariadb & etc. I can access (from LAN only, not from WAN) the server test page and a text php info page that I made.
I don't know what to adjust to debug the problem. I suspect security / firewall issues but not with the pfSense / haproxy reverse redirect, I think that's all fine. I use pfSense DNS Resolution in the LAN as split DNS. Other machines, including the hosted engine machine are accessible from WAN using URLs / FQDNs.
My engine for testing is engine.metrodesignoffice.com
The test server is mdowebserver.metrodesignoffice.com
What should I look at next?
I only installed one node so I can't sync new logical networks or vnet profiles as I understand (the single node can't be placed in maintenance mode, for obvious reasons?).

Given what you have described, it seems to be either a HAproxy or server config issue.
If the server can reach the internet, that solves default gateway issues, if you can reach the server from the LAN then that solves any networking issues.
I would probably do a packet capture at the pfSense box and on the server to see where they stop. It can also tell you if there may be some kind of haproxy issue where the translation may not be what you expect.
Robert
________________________________________
From: Richard Nilsson <rnilsson@rcn.com>
Sent: Friday, January 31, 2020 8:49 AM
To: users@ovirt.org
Subject: [ovirt-users] Re: High level network advice request
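A check that complements the packet capture suggested above, as an added example that is not part of the original thread: send the same request with an explicit Host header straight to the web server and to the proxy frontend, and compare the answers to see which hop fails. The function names and the loopback stand-in servers (including their 503 for an unknown Host) are constructed for illustration; the two FQDNs are used only as Host header values.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

def probe(addr, fqdn, timeout=3.0):
    """GET / from addr=(ip, port) with an explicit Host header; return HTTP status or None."""
    conn = http.client.HTTPConnection(addr[0], addr[1], timeout=timeout)
    try:
        conn.request("GET", "/", headers={"Host": fqdn})
        return conn.getresponse().status
    except (OSError, http.client.HTTPException):
        return None                     # refused, timed out, or not speaking HTTP
    finally:
        conn.close()

def localize(fqdn, proxy, backend):
    """Name the hop that fails for fqdn: the backend is judged first, then the proxy."""
    direct, via_proxy = probe(backend, fqdn), probe(proxy, fqdn)
    if direct is None:
        return "backend"                # web server or VM firewall is not answering
    if via_proxy is None:
        return "proxy-unreachable"      # nothing listening on the proxy frontend
    if via_proxy != direct:
        return "proxy-routing"          # frontend answers, but not with the backend's reply
    return "ok"

def _serve(known_hosts):
    """Constructed loopback stand-in: 200 for known Host values, 503 otherwise."""
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            self.send_response(200 if self.headers.get("Host") in known_hosts else 503)
            self.send_header("Content-Length", "0")
            self.end_headers()
        def log_message(self, *args):   # keep the demo quiet
            pass
    server = ThreadingHTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server

def demo():
    """Proxy stand-in knows only the engine FQDN; backend stand-in serves both names."""
    names = ["engine.metrodesignoffice.com", "mdowebserver.metrodesignoffice.com"]
    backend, proxy = _serve(names), _serve(names[:1])
    try:
        return {n: localize(n, proxy.server_address, backend.server_address) for n in names}
    finally:
        for server in (backend, proxy):
            server.shutdown()
            server.server_close()

if __name__ == "__main__":
    print(demo())
```

Against a real setup, `proxy` would be the address and port of the haproxy frontend and `backend` the VM's LAN address; a "backend" result points at the web server or its host firewall rather than at the proxy.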

As Joseph mentioned in his email, it is mostly situational dependent.
I run a 2 node cluster and use multiple interfaces. The first 1Gb NIC is for ovirtmgmt and is used for management with no vlan tagging and has the default gateway, DNS, etc assigned to it. My 2nd 1Gb NIC, for now, is for all VM traffic and from the switch is setup as a trunk and carries multiple vlans to the various VMs. My 3rd NIC is 10Gb and it is on its own isolated vlan with no routing and I use it for connectivity to my back end NFS storage and I made it the interface for VM migration between nodes. An additional 10Gb NIC is not in use right now, but plans are that once I can get a switch with more 10Gb connectivity, that will become my interface for all VM traffic.
So as you can see, very situational dependent.
As Joseph also mentioned, please feel free to ask if you have any questions. I am still pretty new to oVirt, but making progress.
Robert
-----Original Message-----
From: Richard Nilsson <rnilsson@rcn.com>
Sent: Thursday, January 23, 2020 10:39 PM
To: users@ovirt.org
Subject: [ovirt-users] High level network advice request
participants (3): Joseph Goldman, Richard Nilsson, Robert Webb