[Users] Default route on hosts

Itamar Heim iheim at redhat.com
Thu Nov 14 10:38:16 UTC 2013


On 11/12/2013 09:50 AM, Christopher Geddings wrote:
>
> On Nov 12, 2013, at 7:58 AM, Assaf Muller wrote:
>
>> Can users outside of the hosts' networks reach the VMs in the hosts?
> I have not tested this yet.  I have been focused on the host's
> networking behavior outside of the ovirt/vdsm bits.
> (Mainly, it checking in on other things.)  I realize this presents a
> flaw in my thinking that the host was not behaving
> properly.  I will adjust my thinking on this item, and then test with a
> valid set of criteria.
>
>> If you use netstat -rn it is expected that the gateway will be
>> 0.0.0.0, as ifcfg-ovirtmgmt has DEFROUTE=yes and ifcfg-public has
>> DEFROUTE=no, then ovirtmgmt's
>> 'gateway' (0.0.0.0) will be determined as the host's default gateway.
>> However with the new multiple gateways feature we configure source
>> routing to make
>> sure that traffic that comes (from the outside) in the public
>> network's device will return the way it came in.
> That makes a lot of sense to me now.  And, actually, I believe is the
> way it is working, the more I think about the behavior I'm seeing.
>
>> You can use 'ip rule' to see the rules VDSM configures. It creates two
>> rules and a routing table per device. You can use 'ip route show table
>> %s' on each
>> table, where the IDs can be obtained by 'ip rule'.
> This is super helpful.  Thank you.
>
> A large part of this is likely me needing to adjust my thinking.  As
> long as my VMs are behaving as expected, do I actually need the host
> to, by default, send traffic out the 'public' interface?  If I do, what
> traffic is that?  Can I change that traffic?  The likelihood is that
> there is
> only a small amount of data, mostly centering around metrics, and some
> config management, that would be host sourced data that currently
> isn't destined for my management network.  Maybe those data *should* run
> over the management network, if my desire for an extra layer
> of protection of those data is a valid desire.
>
> Of course, that's not the way I have things arranged right now, but,
> maybe I can fix that.
>
> Thank you very much for your help, I have enough information to get back
> on the problem now.
>
> --Chris

Please note you can set which logical network is the 'display'
(console/spice/vnc) network, which is what the users use to connect
the spice/vnc console to the VM with. The default is ovirtmgmt, but you
probably want to change it in your case.
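
Added example, not part of the original thread and not VDSM's own code: a small shell check for the 'ip rule' / 'ip route show table' inspection described in the quoted reply. It lists each non-built-in routing table with the number of rules pointing at it and flags any table that does not have the two rules the reply says are created per device. The rule priorities, table IDs and subnets in the sample are constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample of `ip rule` output for a host with two networks
# (ovirtmgmt and public, as named in the thread). Priorities, table IDs
# and subnets are made up for illustration.
SAMPLE_RULES='0: from all lookup local
32762: from all to 198.51.100.0/24 iif public lookup 200
32763: from 198.51.100.0/24 lookup 200
32764: from all to 192.0.2.0/24 iif ovirtmgmt lookup 100
32765: from 192.0.2.0/24 lookup 100
32766: from all lookup main
32767: from all lookup default'

# Read `ip rule` output on stdin; print "<table> <rule count>" for every
# table other than the built-in local/main/default ones.
custom_tables() {
    awk '{
        t = ""
        for (i = 1; i < NF; i++)
            if ($i == "lookup") t = $(i + 1)
        if (t != "" && t != "local" && t != "main" && t != "default")
            n[t]++
    }
    END { for (t in n) print t, n[t] }' | sort -n
}

# Read `ip rule` output on stdin; print tables that do not have exactly
# two rules, i.e. a source-routing setup that looks incomplete.
tables_without_two_rules() {
    custom_tables | awk '$2 != 2 { print $1 }'
}

if [ "${1:-}" = "--live" ]; then
    # On a real host: dump the routes of every per-device table.
    ip rule | custom_tables | while read -r table count; do
        echo "== table $table ($count rules) =="
        ip route show table "$table"
    done
    ip rule | tables_without_two_rules | sed 's/^/WARNING: incomplete rules for table /'
else
    # Offline demonstration on the constructed sample.
    printf '%s\n' "$SAMPLE_RULES" | custom_tables
fi
```

Run it with `--live` on a host to walk the actual tables; without arguments it only processes the embedded sample.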


