[Users] Add NIC directly to VM (Dedicated)

Itamar Heim iheim at redhat.com
Fri Feb 15 01:53:44 EST 2013


On 10/02/2013 18:07, Matt . wrote:
> Here: http://www.mail-archive.com/users@ovirt.org/msg06261.html
>
>
> 2013/2/10 Shahar Havivi <shaharh at redhat.com>
>
>     On 10.02.13 16:36, Matt . wrote:
>      > Hi,
>      >
>      > I'm thinking about the way how I did that with the dedicated NIC
>     to the VM.
>      > I was discussing this a couple of months ago on IRC but I can't
>     remember and
>      > I already tried to do this... no luck yet. I remember that the
>     NICS were
>      > just available when adding a nic to the VM, by MAC-address. Can't
>     figure it
>      > out yet what I did those except of not sleeping that much :)
>     I don't remember that, sorry...
>      >
>      > About the error that I get I do the following:
>      >
>      >
>      > Hosts > Network Interfaces > Setup Host Networks.
>      >
>      > When I drag a network I created to a NIC and I don't set an IP or
>     DHCP or
>      > None I get that error: "Error while executing action Setup Networks:
>      > Illegal or Incomplete IP Address"
>      >
>      > When I set an IP to that network that is dragged to the Nic I
>     don't get an
>      > error, but why only an IP and no GW as this IP seems to be
>     bridged in
>      > the host to the VM where you add a Nic to with that same network
>     you just
>      > gave an IP.
>      >
>      > When saying the above, could have been possible that I have set the
>      > Mac-Address of the real Nic @ the VM Nic ? As this is possible
>     that might
>      > have been the solution I used ?
>      >
>      > For the rest this software is good and the support is superb!
>     I can't reproduce this error,
>     it looks like UI validation...
>     Alona,Moti did you encounter this error?
>
>      >
>      > Thanks so far again.
>      >
>      > Matt
>      >
>      >
>      > 2013/2/10 Shahar Havivi <shaharh at redhat.com>
>      >
>      > > On 10.02.13 16:16, Matt . wrote:
>      > > > Hi Shahar,
>      > > >
>      > > > Thanks, I need to work this out further to have it 100% visible.
>      > > >
>      > > > I wonder why I was able in the past (3.1) to dedicate an NIC
>     to a VM.
>      > > >
>      > > > Do you also have an explanation why I cannot save a network
>     configuration
>      > > > with a nic in DHCP mode ? It complains about a wrong IP and I
>     have seen
>      > > it
>      > > > should be a bug. Is this right ?
>      > > How did you do that...
>      > > I.e can you tell me the steps that you made in the UI? (for
>     both cases)
>      > > >
>      > > > Cheers,
>      > > >
>      > > > Matt
>      > > >
>      > > >
>      > > > 2013/2/10 Shahar Havivi <shaharh at redhat.com>
>      > > >
>      > > > > On 10.02.13 14:13, Dan Kenigsberg wrote:
>      > > > > > On Sun, Feb 10, 2013 at 12:19:57PM +0100, Matt . wrote:
>      > > > > > > Hi,
>      > > > > > >
>      > > > > > > For setting up a firewall in a VM I would like to add 2
>     of my 4
>      > > nics
>      > > > > > > directly to a VM.
>      > > > > > >
>      > > > > > > In my previous setup I thought I have done that, but at
>     the moment
>      > > I
>      > > > > cannot
>      > > > > > > figure this out and cannot find the docs to accomplish
>     this.
>      > > > > > >
>      > > > > > > I would like to dedicate those 2 nics to my firewall
>     VM's to avoid
>      > > > > sharing
>      > > > > > > them using a network per accident to other VM's.
>      > > > > > >
>      > > > > > > How is this done at the moment?
>      > > > > >
>      > > > > > AFAIK it can be done only with a vdsm hook. You'd need to
>     define
>      > > your VM
>      > > > > > with no interface at all, but instead, mark it with a
>     special custom
>      > > > > > property you define. Then, you should write a hook that
>     adds the two
>      > > > > > host interfaces to the VM, by means of either
>      > > > > > http://libvirt.org/formatdomain.html#elementsNICSDirect or
>      > > > > > http://libvirt.org/formatdomain.html#elementsNICSHostdev
>      > > > > >
>      > > > > > Most probably, you would need to pin your firewall VM to
>     a specific
>      > > > > > host.
>      > > > > >
>      > > > > > Writing a hook is not too complex, but it requires
>     understanding of
>      > > how
>      > > > > > vdsm and libvirt work. You can take
>      > > > > >
>     http://gerrit.ovirt.org/gitweb?p=vdsm.git;a=tree;f=vdsm_hooks/vmfex as a
>      > > > > > reference, or ask for specific guidance here.
>      > > > > >
>      > > > > > Dan.
>      > > > > Dan is right,
>      > > > > Currently you can do it via hook,
>      > > > > We do have promisc mode but currently we have mirroring
>     mode only (ie
>      > > you
>      > > > > can
>      > > > > monitor each VM traffic but cannot intercept it).
>      > > > > The way to do it is via layer 2.
>      > > > >
>      > > > > it's best to implement after_vm_start hook and use ebtables.
>      > > > > you can pass to the hook the network name.
>      > > > > when you have the network name you can probe for its mac
>     address and in
>      > > the
>      > > > > libvirt xml
>      > > > > you can view the interfaces that are part of that network
>     and get the
>      > > mac
>      > > > > addresses as well. (look at other hooks as Dan pointed out)
>      > > > >
>      > > > > when you have the network name the network mac and the target
>      > > interface you
>      > > > > can use ebtables:
>      > > > > 1. set the bridge in promisc mode
>      > > > >    $ ifconfig <network name> promisc
>      > > > > 2. traffic to the monitoring machine
>      > > > >    $ ebtables -t nat -A PREROUTING -d 00:1a:4a:16:01:51 -i eth0 -j dnat --to-destination 00:1a:4a:16:01:11
>      > > > > 3. traffic from the monitoring machine
>      > > > >    $ ebtables -t nat -A PREROUTING -s 00:1a:4a:16:01:51 -i vnet0 -j dnat --to-destination 00:1a:4a:16:01:11
>      > > > >
>      > > > > 1. set the network interface in promiscuous mode
>      > > > > 2. traffic that is meant for the vm mac will go to the destination mac
>      > > > > 3. traffic that is sent from the vm mac will go to the destination mac
>      > > > >
>      > > > > note that the -i <interface> is the interface name and I
>     think it can
>      > > be
>      > > > > omitted...
>      > > > >
>      > > > > Shahar Havivi.
>      > > > >
>      > >
>

Why do you need to attach the NICs directly to the guest, rather than
use logical network A/B? This VM will have a vNIC for A and a vNIC for
B. All the guests "behind" the firewall would be on logical network B?
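
Added example (not part of the original thread, and not vdsm's or any poster's code): the domain-XML edit behind Dan Kenigsberg's quoted suggestion, where a VM defined with no interface is marked by a custom property and a hook appends libvirt `type='direct'` interfaces for the dedicated host NICs. The property name `dedicated_nics`, the `passthrough` mode choice, the `virtio` model and the sample XML are assumptions made for illustration.

```python
import re
import xml.dom.minidom as minidom

PROP = "dedicated_nics"   # hypothetical custom property name, e.g. "eth2,eth3"
NIC_RE = re.compile(r"[A-Za-z0-9_.-]{1,15}")  # Linux interface names: max 15 chars

# Constructed sample: a VM defined with no interface at all.
SAMPLE_DOMXML = ("<domain type='kvm'><name>fw01</name><devices>"
                 "<disk type='file' device='disk'/></devices></domain>")

def direct_devs(domxml):
    """List (host device, mode) for every <interface type='direct'> in the domain."""
    dom = minidom.parseString(domxml)
    return [(src.getAttribute("dev"), src.getAttribute("mode"))
            for iface in dom.getElementsByTagName("interface")
            if iface.getAttribute("type") == "direct"
            for src in iface.getElementsByTagName("source")]

def add_direct_nics(domxml, env, mode="passthrough"):
    """Append one direct interface per host NIC named in env[PROP]."""
    raw = env.get(PROP, "").strip()
    if not raw:
        return domxml                      # VM not marked: leave it untouched
    nics = [n.strip() for n in raw.split(",") if n.strip()]
    for nic in nics:
        # The property is user-supplied text processed on the host: validate it.
        if not NIC_RE.fullmatch(nic):
            raise ValueError("invalid host NIC name: %r" % nic)
    dom = minidom.parseString(domxml)
    devices = dom.getElementsByTagName("devices")[0]
    present = {dev for dev, _ in direct_devs(domxml)}
    for nic in nics:
        if nic in present:
            continue                       # idempotent: never attach a NIC twice
        iface = dom.createElement("interface")
        iface.setAttribute("type", "direct")
        src = dom.createElement("source")
        src.setAttribute("dev", nic)
        src.setAttribute("mode", mode)
        model = dom.createElement("model")
        model.setAttribute("type", "virtio")
        iface.appendChild(src)
        iface.appendChild(model)
        devices.appendChild(iface)
        present.add(nic)
    return dom.toxml()

if __name__ == "__main__":
    print(add_direct_nics(SAMPLE_DOMXML, {PROP: "eth2, eth3"}))
```

In an actual vdsm hook the XML would be read and written through vdsm's hooking helper and `env` would be `os.environ`; as Dan notes, the VM would also need to be pinned to the host that owns those NICs.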