[Users] why ovirt does not support NAT network

why ovirt does not support NAT network?

thanks

I can see the use for that, to be honest... e.g. you rent 1 server and want to test some stuff, and typically for that you don't get more than 1 IP to use for the server itself, but you want your VMs to be able to get to "The Internets" :) ...
Alex

On 7 March 2013 11:28, Dan Kenigsberg <danken@redhat.com> wrote:
On Thu, Mar 07, 2013 at 06:49:20PM +0800, bigclouds wrote:
why ovirt does not support NAT network?
Would you elaborate on that?
Do you refer to putting VMs behind a NAT, instead of a bridge?
_______________________________________________ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users
-- | RHCE | Senior Systems Engineer | www.vcore.co | www.vsearchcloud.com |

hi, Dan Kenigsberg
Yes, I am working on this feature. The goal is that the HOST can supply bridge and NAT networks at the same time, and users can choose. Because a bridge network occupies too many IPs; at least, one user will have 2 IPs (VM and thin client).

At 2013-03-07 19:28:29, "Dan Kenigsberg" <danken@redhat.com> wrote:
On Thu, Mar 07, 2013 at 06:49:20PM +0800, bigclouds wrote:
why ovirt does not support NAT network?
Would you elaborate on that?
Do you refer to putting VMs behind a NAT, instead of a bridge?

Just in case it might help you please check:
http://lists.ovirt.org/pipermail/users/2012-April/001751.html
I managed to implement Virtualbox-hostonly-alike networks gathering more info from:
http://libvirt.org/formatnetwork.html
You might be also interested in: http://wiki.libvirt.org/page/Networking although I didn't use it myself.
You might probably already know this information but, just in case, here it is.

----- Original message -----
From: "bigclouds" <bigclouds@163.com>
To: "Dan Kenigsberg" <danken@redhat.com>
CC: users@ovirt.org
Sent: Thursday, 7 March 2013 15:46:48
Subject: Re: [Users] why ovirt does not support NAT network
hi, Dan Kenigsberg
Yes, I am working on this feature. The goal is that the HOST can supply bridge and NAT networks at the same time, and users can choose. Because a bridge network occupies too many IPs; at least, one user will have 2 IPs (VM and thin client).
At 2013-03-07 19:28:29, "Dan Kenigsberg" <danken@redhat.com> wrote:
On Thu, Mar 07, 2013 at 06:49:20PM +0800, bigclouds wrote:
why ovirt does not support NAT network?
Would you elaborate on that?
Do you refer to putting VMs behind a NAT, instead of a bridge?
--
Adrián Gibanel
I.T. Manager
+34 675 683 301
www.btactic.com

On Thu, Mar 07, 2013 at 03:57:49PM +0100, Adrian Gibanel wrote:
Just in case it might help you please check:
http://lists.ovirt.org/pipermail/users/2012-April/001751.html
This is almost 1 year old, but I did not notice it yet. I love the detailed solution! Yes, the rant there, about ovirt network being tightly-coupled with a physical interface, is 100% justified. I'm trying to address some of that in http://www.ovirt.org/Features/Nicless_Network but it's a long way to go.
I managed to implement Virtualbox-hostonly-alike networks gathering more info from: http://libvirt.org/formatnetwork.html . You might be also interested in: http://wiki.libvirt.org/page/Networking although I didn't use it myself.
You might probably already know this information but, just in case, here it is.

On 03/08/2013 05:16 AM, Dan Kenigsberg wrote:
On Thu, Mar 07, 2013 at 03:57:49PM +0100, Adrian Gibanel wrote:
Just in case it might help you please check:
http://lists.ovirt.org/pipermail/users/2012-April/001751.html
This is almost 1 year old, but I did not notice it yet. I love the detailed solution!
+1 on NAT network. Apart from saving IP addresses, it could also reduce the external physical switch's pressure on its MAC table, because the VM's MAC address is invisible to the external switch.
But there are two limitations of a NAT network compared with a physically bridged network:
1. The VMs attached to the same NAT network, but on different hosts, can't hear each other. It could be resolved by constructing a tunnel or tunnels among the hosts in the same cluster and centralizing the MAC address management of dnsmasq on the oVirt engine.
2. The VMs in a NAT network are hidden behind the host. An external host can't initiate a connection to the VM. I think it's fine for a desktop VM. For a server VM, it can't be resolved by adding a DNAT rule on demand. It's similar to the 'floating ip address' in quantum.
Yes, the rant there, about ovirt network being tightly-coupled with a physical interface, is 100% justified. I'm trying to address some of that in http://www.ovirt.org/Features/Nicless_Network but it's a long way to go.
I managed to implement Virtualbox-hostonly-alike networks gathering more info from: http://libvirt.org/formatnetwork.html . You might be also interested in: http://wiki.libvirt.org/page/Networking although I didn't use it myself.
You might probably already know this information but, just in case, here it is.

On 03/11/2013 05:16 AM, Mark Wu wrote:
On 03/08/2013 05:16 AM, Dan Kenigsberg wrote:
On Thu, Mar 07, 2013 at 03:57:49PM +0100, Adrian Gibanel wrote:
Just in case it might help you please check:
http://lists.ovirt.org/pipermail/users/2012-April/001751.html
This is almost 1 year old, but I did not notice it yet. I love the detailed solution!
+1 on NAT network. Apart from saving IP addresses, it could also reduce the external physical switch's pressure on its MAC table, because the VM's MAC address is invisible to the external switch.
But there are two limitations of a NAT network compared with a physically bridged network:
1. The VMs attached to the same NAT network, but on different hosts, can't hear each other. It could be resolved by constructing a tunnel or tunnels among the hosts in the same cluster and centralizing the MAC address management of dnsmasq on the oVirt engine.
2. The VMs in a NAT network are hidden behind the host. An external host can't initiate a connection to the VM. I think it's fine for a desktop VM. For a server VM, it can't be resolved by adding a DNAT rule on demand. It's similar to the 'floating ip address' in quantum.
Also need to remember live migration will probably not work with NAT. How would floating IP work? Wouldn't you need to map it 1:1 with the NAT'd IP?
Yes, the rant there, about ovirt network being tightly-coupled with a physical interface, is 100% justified. I'm trying to address some of that in http://www.ovirt.org/Features/Nicless_Network but it's a long way to go.
I managed to implement Virtualbox-hostonly-alike networks gathering more info from: http://libvirt.org/formatnetwork.html . You might be also interested in: http://wiki.libvirt.org/page/Networking although I didn't use it myself.
You might probably already know this information but, just in case, here it is.

On Wed 13 Mar 2013 07:09:16 AM CST, Itamar Heim wrote:
On 03/11/2013 05:16 AM, Mark Wu wrote:
On 03/08/2013 05:16 AM, Dan Kenigsberg wrote:
On Thu, Mar 07, 2013 at 03:57:49PM +0100, Adrian Gibanel wrote:
Just in case it might help you please check:
http://lists.ovirt.org/pipermail/users/2012-April/001751.html
This is almost 1 year old, but I did not notice it yet. I love the detailed solution!
+1 on NAT network. Apart from saving IP addresses, it could also reduce the external physical switch's pressure on its MAC table, because the VM's MAC address is invisible to the external switch.
But there are two limitations of a NAT network compared with a physically bridged network:
1. The VMs attached to the same NAT network, but on different hosts, can't hear each other. It could be resolved by constructing a tunnel or tunnels among the hosts in the same cluster and centralizing the MAC address management of dnsmasq on the oVirt engine.
2. The VMs in a NAT network are hidden behind the host. An external host can't initiate a connection to the VM. I think it's fine for a desktop VM. For a server VM, it can't be resolved by adding a DNAT rule on demand. It's similar to the 'floating ip address' in quantum.
Also need to remember live migration will probably not work with NAT.
Yes, it could break live migration. But we could use conntrack-tools (conntrack or conntrackd) to sync the IP conntrack entries related to that VM's IP address before resuming the VM on the destination host. Just a preliminary idea, not verified yet.
How would floating IP work? Wouldn't you need to map it 1:1 with the NAT'd IP?
Yes, it should have a 1:1 mapping between the external IP address and the IP address in the NAT network.
Yes, the rant there, about ovirt network being tightly-coupled with a physical interface, is 100% justified. I'm trying to address some of that in http://www.ovirt.org/Features/Nicless_Network but it's a long way to go.
I managed to implement Virtualbox-hostonly-alike networks gathering more info from: http://libvirt.org/formatnetwork.html . You might be also interested in: http://wiki.libvirt.org/page/Networking although I didn't use it myself.
You might probably already know this information but, just in case, here it is.

On Wed, Mar 13, 2013 at 01:09:16AM +0200, Itamar Heim wrote:
On 03/11/2013 05:16 AM, Mark Wu wrote:
On 03/08/2013 05:16 AM, Dan Kenigsberg wrote:
On Thu, Mar 07, 2013 at 03:57:49PM +0100, Adrian Gibanel wrote:
Just in case it might help you please check:
http://lists.ovirt.org/pipermail/users/2012-April/001751.html
This is almost 1 year old, but I did not notice it yet. I love the detailed solution!
+1 on NAT network. Apart from saving IP addresses, it could also reduce the external physical switch's pressure on its MAC table, because the VM's MAC address is invisible to the external switch.
But there are two limitations of a NAT network compared with a physically bridged network:
1. The VMs attached to the same NAT network, but on different hosts, can't hear each other. It could be resolved by constructing a tunnel or tunnels among the hosts in the same cluster and centralizing the MAC address management of dnsmasq on the oVirt engine.
2. The VMs in a NAT network are hidden behind the host. An external host can't initiate a connection to the VM. I think it's fine for a desktop VM. For a server VM, it can't be resolved by adding a DNAT rule on demand. It's similar to the 'floating ip address' in quantum.
Also need to remember live migration will probably not work with NAT.
That's why I consider this as an option to host-local networks.
How would floating IP work? Wouldn't you need to map it 1:1 with the NAT'd IP?
Yes, the rant there, about ovirt network being tightly-coupled with a physical interface, is 100% justified. I'm trying to address some of that in http://www.ovirt.org/Features/Nicless_Network but it's a long way to go.

Why not a bridged/routed NAT setup? I am currently heavily using those setups. All VMs have an internal NIC, let's say:
physical host1 - 10.10.10.x
physical host2 - 10.10.11.x
physical host vpn - 10.10.1.x
So basically every physical host has at least one physical NIC, one virtual VPN NIC, one virtual bridge. All those are internally routed (I use OpenVPN to connect host 1 and 2), so every VM can communicate with every other VM. Every physical host also has NAT to forward one or more IPs/ports to each VM. Also the physical host can work as a transparent firewall, and I don't need a VPN NIC on every VM.
So what I would love to have is at least the ability to use the VPN network interfaces instead of the real one, and at least being able to say that the bridge/NAT config is done manually, which is not ideal but better than not being able to use that setup at all.
Why is it needed? Well, either you rent a server, OR you have several servers in an external data center but they don't reside next to each other, AND/OR you have several servers in different data centers, OR you have a tight security policy: no traffic without VPN (you know, Google should have used that a long time ago to prevent snow, lol). VLANs are nice but limited to physical access and are also local.

On Fri, Dec 27, 2013 at 11:00:15AM +0000, quasides wrote:
Why not a bridged/routed NAT setup?
The short answer is that it simply has never been implemented. The longer answer is about the entrenchment of a network's interface device in Engine, and the multitude of possible NAT configurations. It is not easy to define which of the many possible NAT configurations should be controllable via Engine.
I am currently heavily using those setups. All VMs have an internal NIC, let's say:
physical host1 - 10.10.10.x
physical host2 - 10.10.11.x
physical host vpn - 10.10.1.x
So basically every physical host has at least one physical NIC, one virtual VPN NIC, one virtual bridge.
All those are internally routed (I use OpenVPN to connect host 1 and 2), so every VM can communicate with every other VM. Every physical host also has NAT to forward one or more IPs/ports to each VM. Also the physical host can work as a transparent firewall, and I don't need a VPN NIC on every VM.
So what I would love to have is at least the ability to use the VPN network interfaces instead of the real one, and at least being able to say that the bridge/NAT config is done manually, which is not ideal but better than not being able to use that setup at all.
I think that in this regard, you can use my recently-posted "extnet" Vdsm hook. You should manually create a libvirt NATed network on each host and then add the "extnet" custom property to vNICs that you want to be connected to it. You may use another hook to automate the creation of that libvirt network. If you provide more details on how you manually configure your VPN, we may be able to help you write such a hook. Dan.

I think that in this regard, you can use my recently-posted "extnet" Vdsm hook. You should manually create a libvirt NATed network on each host and then add the "extnet" custom property to vNICs that you want to be connected to it.
You may use another hook to automate the creation of that libvirt network. If you provide more details on how you manually configure your VPN, we may be able to help you write such a hook.
Thanks for your kind and quick answer.
Well, I understand that you had to set priorities in development; however, I really believe the total number of servers that could use similar setups is way bigger than setups having their own network infrastructure, so I really believe this feature would be really needed.
Doing that manually is something I could live with (even I would really live with at least for a while :) so is there any documentation regarding the extnet hook? I was searching Google up and down but couldn't really find something.
About my setup - it's pretty straightforward. I do not use the libvirt bridge setup; instead I simply define in the host's network/interfaces 3 interfaces:
eth0 public IP/gateway etc, static
tun1 VPN interface to connect every physical host to each other, static
br0 internal subnet for VMs
br0 has a different subnet on every host, like host 1 - 10.10.51.1, host 2 - 10.10.52.1 and so on. I let all those br0 subnets route so I can easily connect from host 1 - vm1 on 10.10.51.10 to another VM on host 2 like 10.10.52.10. Every host is working then as a NAT and transparent firewall, so all IPs the host might have are bound to eth0 and I use iptables for the NAT rules (incoming, outgoing, ...).
All VMs use local storage on each host; I am using image files instead of LVM to be a bit more flexible.
So all I want is at least to be able to manually config that networking thing (of course automating would be super great). However, when I tested oVirt earlier this year I wasn't able to even get it to run in any way, so a bit more documentation or a hint would be great.

On Sun, Dec 29, 2013 at 01:22:15AM +0100, woswas denni wrote:
I think that in this regard, you can use my recently-posted "extnet" Vdsm hook. You should manually create a libvirt NATed network on each host and then add the "extnet" custom property to vNICs that you want to be connected to it.
You may use another hook to automate the creation of that libvirt network. If you provide more details on how you manually configure your VPN, we may be able to help you write such a hook.
Thanks for your kind and quick answer.
Well, I understand that you had to set priorities in development; however, I really believe the total number of servers that could use similar setups is way bigger than setups having their own network infrastructure, so I really believe this feature would be really needed.
I agree, but it's less clear to me what this feature should encompass. When you, and others, use it via the hook, we can understand more on what's needed and how to provide it integrally within oVirt.
Doing that manually is something I could live with (even I would really live with at least for a while :) so is there any documentation regarding the extnet hook? I was searching Google up and down but couldn't really find something.
Well, there's nothing much beyond the hook's README http://gerrit.ovirt.org/gitweb?p=vdsm.git;a=blob;f=vdsm_hooks/extnet/README;... You should start by defining a libvirt network, and then mark a vNIC profile with a custom property so that the network is used by vNICs. As a very first stage, you may define the libvirt network on top of your existing br0 bridge (http://libvirt.org/formatnetwork.html#examplesBridge) so oVirt can consume your networking setup.
About my setup - it's pretty straightforward. I do not use the libvirt bridge setup; instead I simply define in the host's network/interfaces 3 interfaces:
eth0 public IP/gateway etc, static
tun1 VPN interface to connect every physical host to each other, static
But who creates that VPN connection? Who supplies the credentials?
br0 internal subnet for VMs. br0 has a different subnet on every host, like host 1 - 10.10.51.1, host 2 - 10.10.52.1 and so on.
I let all those br0 subnets route so I can easily connect from host 1 - vm1 on 10.10.51.10 to another VM on host 2 like 10.10.52.10.
How does this work, if they are both behind NAT?
Every host is working then as a NAT and transparent firewall, so all IPs the host might have are bound to eth0 and I use iptables for the NAT rules (incoming, outgoing, ...).
All VMs use local storage on each host; I am using image files instead of LVM to be a bit more flexible.
So all I want is at least to be able to manually config that networking thing (of course automating would be super great).
You'd like to automate the creation of NAT rules? VPN creation?
However, when I tested oVirt earlier this year I wasn't able to even get it to run in any way, so a bit more documentation or a hint would be great.
You failed to run oVirt altogether? Or a specific configuration? Where was the failure? Dan.
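Putting Dan's suggestion (define a libvirt network, either a NATed one or one on top of the existing br0) next to the on-demand DNAT that Mark Wu raised for server VMs hidden behind the host, as an added example that is not from the thread, from oVirt or from the extnet hook. The network and bridge names, the public address 198.51.100.10 on eth0 and the exact form of the extnet property value are assumptions; the 10.10.51.0/24 subnet is the one used in the thread.

```shell
#!/bin/sh
# Added example, not code from the thread, from oVirt or from the extnet hook.
# Assumed names: libvirt networks "vmnat" (NATed, libvirt-managed bridge
# virbr51) and "extbr0" (attached to the host's existing br0). The
# 10.10.51.0/24 subnet is the one used in the thread; the public address
# 198.51.100.10 on eth0 is a constructed placeholder.

# A NATed libvirt network: libvirt creates the bridge, runs dnsmasq for
# DHCP on it and masquerades outbound traffic through the host. The extnet
# custom property of a vNIC then names this network (value format as in
# the hook's README; assumption).
nat_network_xml() {
    name=$1; bridge=$2; gw=$3; dhcp_start=$4; dhcp_end=$5
    cat <<EOF
<network>
  <name>$name</name>
  <forward mode="nat"/>
  <bridge name="$bridge" stp="on" delay="0"/>
  <ip address="$gw" netmask="255.255.255.0">
    <dhcp>
      <range start="$dhcp_start" end="$dhcp_end"/>
    </dhcp>
  </ip>
</network>
EOF
}

# Dan's "very first stage": a libvirt network that only attaches vNICs to
# a bridge the host already manages (formatnetwork.html#examplesBridge).
# libvirt adds no addresses, DHCP or NAT here; the host's own routing and
# iptables rules keep doing that.
bridge_network_xml() {
    name=$1; bridge=$2
    cat <<EOF
<network>
  <name>$name</name>
  <forward mode="bridge"/>
  <bridge name="$bridge"/>
</network>
EOF
}

# The on-demand DNAT for a server VM behind the host: one external port
# mapped 1:1 to one VM port, plus the matching FORWARD accept. The rules
# are printed rather than applied so they can be reviewed first.
dnat_rules() {
    ext_if=$1; ext_ip=$2; ext_port=$3; br=$4; vm_ip=$5; vm_port=$6
    printf 'iptables -t nat -A PREROUTING -i %s -d %s -p tcp --dport %s -j DNAT --to-destination %s:%s\n' \
        "$ext_if" "$ext_ip" "$ext_port" "$vm_ip" "$vm_port"
    printf 'iptables -A FORWARD -i %s -o %s -d %s -p tcp --dport %s -m conntrack --ctstate NEW -j ACCEPT\n' \
        "$ext_if" "$br" "$vm_ip" "$vm_port"
}

# Define, autostart and start ONE of the two alternatives on a host that
# has libvirt (both use 10.10.51.0/24, so they are not meant to coexist).
define_network() {
    command -v virsh >/dev/null 2>&1 || { echo "virsh not found" >&2; return 1; }
    case $1 in
        nat)    nat_network_xml vmnat virbr51 10.10.51.1 10.10.51.10 10.10.51.200 > /tmp/vmnat.xml; n=vmnat ;;
        bridge) bridge_network_xml extbr0 br0 > /tmp/extbr0.xml; n=extbr0 ;;
        *)      echo "usage: define_network nat|bridge" >&2; return 1 ;;
    esac
    virsh net-define "/tmp/$n.xml" && virsh net-autostart "$n" && virsh net-start "$n"
}

# Only touch the host when explicitly asked: ./natnet.sh nat  (or: bridge)
if [ "${1:-}" = nat ] || [ "${1:-}" = bridge ]; then
    define_network "$1"
    # Example mapping: sshd on VM 10.10.51.10 reachable via port 2222 of the host.
    dnat_rules eth0 198.51.100.10 2222 virbr51 10.10.51.10 22
fi
```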

Well, there's nothing much beyond the hook's README
http://gerrit.ovirt.org/gitweb?p=vdsm.git;a=blob;f=vdsm_hooks/extnet/README;...
You should start by defining a libvirt network, and then mark a vNIC profile with a custom property so that the network is used by vNICs.
As a very first stage, you may define the libvirt network on top of your existing br0 bridge (http://libvirt.org/formatnetwork.html#examplesBridge) so oVirt can consume your networking setup.
Hmm, do we really need a libvirt bridge, or can't we go simply with a regular virtual bridge as I already use? All I want is to connect oVirt's VLAN NIC to existing interfaces. I am aware that then many configs have to be done manually, but that's fine for now.
But who creates that VPN connection? Who supplies the credentials?
Well, this is manual, only once per host, no desire for automation here. I've automated scripts for that, but I usually use an offline PC as a signing device.
How does this work, if they are both behind NAT?
Well, they are not and they are, it's a routed NAT combo :)
Let's say I have 2 servers - we would have then 3 internal networks -
1 - VPN connecting and routing between physical hosts
2&3 - Each host's internal bridge subnet which does routing
NAT comes in when we go outside - usually port forwarding - which is handy to save IPs.
So think of every Host not only as a Hypervisor but also as a Network Node.
Only downside: if I move a VM from A to B I have to adjust the IPs, NAT and firewall.
Upside and reason for this is:
1, I can use one ext IP for several VMs if they need different ports. ATM I can save over 3/4 of ext IPs.
2, also I do not need to manage the firewall on every VM, only on the hosts.
3, Additional Security by having all Daemons whatsoever only bound to internal Interfaces. All daemons are bound to their internal br0 IP and I can easily access certain ports like ssh or mysql within the VPN only, without exposing anything outside, with a minimum of administrative work.
Who can access what is currently defined by Firewall Rules within each Host - Here comes Firewallbuilder Handy BTW :)))
You'd like to automate the creation of NAT rules? VPN creation?
Well, I would like to automate port based NAT and firewall rules, that's the dream. VPN as described I don't really, but hey, who knows if someone else wants it. Actually I think (even if I'm not gonna need it) it would be a nice feature for many - especially these days.
Only port forwarding and/or complete NAT on the host would make life easier. However, most importantly is that I get the thing running, even if it means manual config on each host.
My issues with oVirt were simply that I couldn't find a way to assign the needed interfaces. So if I simply manually specify what's going on it should be enough.
BTW I took a look at openQRM and they have already addressed many of those needs like puppet, dhcp, dns and NAT translation over IP pools and stuff. Still my setup seems too strange for them either lol.
I think (if I understand the readme correctly it's exactly what extnet is doing) the best way would be to simply allow to specify custom interface names. That way we can build custom configs on our hosts however strange we want them.
Since you have to do it only for each physical host it's not THAT evil to do, and you can write easy scripts to do that for you.
But what would be handy in any case - no matter which setup or regular oVirt setup - and I am really missing is a Firewall config. Perfect dream would be something visual with objects like Firewall Builder (dev stopped sadly), I think I saw something web-based in some open source firewall distros too.
I mean we have to config Firewalls for the Hosts in any case - of course I know this would be a monster to implement fully,
just dreaming :))
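The libvirt network that Dan suggests above, layered on an existing host bridge, as an added example that is not from the extnet hook's README or the oVirt project. The network name `extnet`, the bridge name `br0` and the interface-name check are assumptions; marking the vNIC profile with the hook's custom property happens in the engine and is not shown here.

```shell
#!/bin/sh
# Added example, not vdsm/oVirt project code: define the libvirt network that
# Dan describes in "bridge" forward mode on top of an existing host bridge, so
# the extnet hook can attach vNICs to it. Network name "extnet" is an assumption.
set -eu

# Print the libvirt network XML for NAME layered on BRIDGE (the examplesBridge
# form from libvirt's formatnetwork documentation).
extnet_network_xml() {
    name=$1
    bridge=$2
    printf '%s\n' \
        '<network>' \
        "  <name>${name}</name>" \
        '  <forward mode="bridge"/>' \
        "  <bridge name=\"${bridge}\"/>" \
        '</network>'
}

# A Linux interface name is at most 15 characters and must not contain
# whitespace or slashes; returns 0 when NAME is acceptable, 1 otherwise.
valid_bridge_name() {
    case $1 in
        ''|*[!A-Za-z0-9_.-]*) return 1 ;;
    esac
    [ ${#1} -le 15 ]
}

# Define, autostart and start the network on this host (needs root and virsh).
# Afterwards `virsh net-list --all` should list NAME as active and autostarted.
extnet_network_define() {
    name=$1
    bridge=$2
    valid_bridge_name "$bridge" || { echo "bad bridge name: $bridge" >&2; return 1; }
    ip link show "$bridge" >/dev/null   # the bridge must already exist on the host
    tmp=$(mktemp)
    extnet_network_xml "$name" "$bridge" > "$tmp"
    virsh net-define "$tmp"
    virsh net-autostart "$name"
    virsh net-start "$name"
    rm -f "$tmp"
}

# Usage as a script: ./extnet-net.sh extnet br0
if [ $# -eq 2 ]; then
    extnet_network_define "$1" "$2"
fi
```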

On Mon, Dec 30, 2013 at 09:39:58PM +0100, woswas denni wrote:
Well, there's nothing much beyond the hook's README
http://gerrit.ovirt.org/gitweb?p=vdsm.git;a=blob;f=vdsm_hooks/extnet/README;...
You should start by defining a libvirt network, and then mark a vNIC profile with a custom property so that the network is used by vNICs.
As a very first stage, you may define the libvirt network on top of your existing br0 bridge (http://libvirt.org/formatnetwork.html#examplesBridge) so oVirt can consume your networking setup.
Hmm, do we really need a libvirt bridge, or can't we go simply with a regular virtual bridge as I already use?
The extnet hook expects that you create a libvirt network on top of your regular NIC. You could write your own "extbridge" hook, that consumes the regular bridge directly. The libvirt network may seem like a needless layer, but it grants the extnet bridge a lot of flexibility (such as connecting to an OVS bridge instead of to a Linux bridge).
All I want is to connect oVirt's VLAN NIC to existing interfaces. I am aware that then many configs have to be done manually, but that's fine for now.
Understood, and that's doable.
But who creates that VPN connection? Who supplies the credentials?
Well, this is manual, only once per host, no desire for automation here. I've automated scripts for that, but I usually use an offline PC as a signing device.
Understood. I am asking since I'd like to understand how people (plan to) use oVirt, and whether we can automate more of their chores.
How does this work, if they are both behind NAT?
Well, they are not and they are, it's a routed NAT combo :)
Let's say I have 2 servers - we would have then 3 internal networks -
1 - VPN connecting and routing between physical hosts
2&3 - Each host's internal bridge subnet which does routing
NAT comes in when we go outside - usually port forwarding - which is handy to save IPs.
So think of every Host not only as a Hypervisor but also as a Network Node.
Only downside: if I move a VM from A to B I have to adjust the IPs, NAT and firewall.
Upside and reason for this is:
1, I can use one ext IP for several VMs if they need different ports. ATM I can save over 3/4 of ext IPs.
2, also I do not need to manage the firewall on every VM, only on the hosts.
3, Additional Security by having all Daemons whatsoever only bound to internal Interfaces. All daemons are bound to their internal br0 IP and I can easily access certain ports like ssh or mysql within the VPN only, without exposing anything outside, with a minimum of administrative work.
Who can access what is currently defined by Firewall Rules within each Host - Here comes Firewallbuilder Handy BTW :)))
You'd like to automate the creation of NAT rules? VPN creation?
Well, I would like to automate port based NAT and firewall rules, that's the dream. VPN as described I don't really, but hey, who knows if someone else wants it. Actually I think (even if I'm not gonna need it) it would be a nice feature for many - especially these days.
Only port forwarding and/or complete NAT on the host would make life easier. However, most importantly is that I get the thing running, even if it means manual config on each host.
My issues with oVirt were simply that I couldn't find a way to assign the needed interfaces. So if I simply manually specify what's going on it should be enough.
BTW I took a look at openQRM and they have already addressed many of those needs like puppet, dhcp, dns and NAT translation over IP pools and stuff. Still my setup seems too strange for them either lol.
I think (if I understand the readme correctly it's exactly what extnet is doing) the best way would be to simply allow to specify custom interface names. That way we can build custom configs on our hosts however strange we want them.
right, that's the motivation behind that hook. Please try if oVirt can do what you need, and report to this list!
Since you have to do it only for each physical host it's not THAT evil to do, and you can write easy scripts to do that for you.
But what would be handy in any case - no matter which setup or regular oVirt setup - and I am really missing is a Firewall config. Perfect dream would be something visual with objects like Firewall Builder (dev stopped sadly), I think I saw something web-based in some open source firewall distros too.
I mean we have to config Firewalls for the Hosts in any case - of course I know this would be a monster to implement fully,
just dreaming :))
Well do not forget your dream, maybe someone would be able to implement it one day (though it does not seem to be around the corner). Dan.
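The single-external-IP layout described in this thread (VMs on the host's internal bridge subnet, published ports forwarded through the host, ssh and mysql reachable only over the VPN), as an added example that is not from the thread or the oVirt project. Interface names, addresses and the forward table are constructed; the script only prints the iptables commands, so the rule set can be reviewed before it is applied on a host.

```shell
#!/bin/sh
# Added example, not from the thread or the oVirt project: generate the per-host
# iptables rules for the "host as network node" layout. Everything here is
# constructed: external NIC eth0 with the single external IP 203.0.113.10,
# internal bridge br0 (10.10.1.0/24), VPN interface tun0 (10.99.0.0/16).
set -eu

EXT_IF=eth0;  EXT_IP=203.0.113.10
INT_IF=br0;   INT_NET=10.10.1.0/24
VPN_IF=tun0;  VPN_NET=10.99.0.0/16
# Constructed forward table: "external_port proto vm_ip vm_port", one per line.
# This is the one file to adjust when a VM moves to another host.
FORWARDS='
8080 tcp 10.10.1.21 80
8443 tcp 10.10.1.21 443
25 tcp 10.10.1.22 25
'

# Print the iptables commands for the forward table given as $1; on the host,
# pipe the output into sh to apply (assumes empty filter and nat chains).
nat_rules() {
    table=$1
    # Default-deny forwarding: only explicitly published ports reach a VM.
    echo "iptables -P FORWARD DROP"
    echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # VMs reach the outside through the host's single external IP.
    echo "iptables -A FORWARD -i $INT_IF -o $EXT_IF -s $INT_NET -j ACCEPT"
    echo "iptables -t nat -A POSTROUTING -s $INT_NET -o $EXT_IF -j SNAT --to-source $EXT_IP"
    # ssh and mysql on the VMs are reachable from the VPN only, never from eth0.
    echo "iptables -A FORWARD -i $VPN_IF -o $INT_IF -s $VPN_NET -d $INT_NET -p tcp -m multiport --dports 22,3306 -j ACCEPT"
    # One DNAT plus one FORWARD accept per published port.
    echo "$table" | while read -r eport proto vm vport; do
        [ -n "$eport" ] || continue
        echo "iptables -t nat -A PREROUTING -i $EXT_IF -d $EXT_IP -p $proto --dport $eport -j DNAT --to-destination $vm:$vport"
        echo "iptables -A FORWARD -i $EXT_IF -o $INT_IF -d $vm -p $proto --dport $vport -m conntrack --ctstate NEW -j ACCEPT"
    done
}

# Guard: refuse a table that would publish a management port (22 or 3306) on
# the external IP; returns 1 and names the offending entry, 0 when clean.
check_forwards() {
    echo "$1" | while read -r eport proto vm vport; do
        [ -n "$eport" ] || continue
        case $vport in
            22|3306) echo "refusing to expose $vm:$vport on $EXT_IP" >&2; exit 1 ;;
        esac
    done
}
# Usage on the host: check_forwards "$FORWARDS" && nat_rules "$FORWARDS" | sh
```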
participants (8)
- Adrian Gibanel
- Alex Leonhardt
- bigclouds
- Dan Kenigsberg
- Itamar Heim
- Mark Wu
- quasides
- woswas denni