[Users] simple networking?

Mike Kolesnik mkolesni at redhat.com
Thu Nov 28 06:41:10 UTC 2013


----- Original Message -----
> I am trying to set up a testing network using o-virt, but the networking is
> refusing to cooperate.  I am testing for possible use in two different
> production setups.
> 
> My previous experience has been with VMWare.  I have always set up a single
> bridged network on each host.  All my hosts, VMs, and non-VM computers were
> peers on the LAN.  They could all talk to each other, and things worked very
> well.  There was a firewall/gateway that provided access to the Internet, and
> hosts, VMs, and could all communicate with the Internet as needed.
> 
> o-virt seems to be compartmentalizing things beyond all reason.
> Is there any way to set up simple networking, so ALL computers can see each
> other?
> Is there anywhere that describes the philosophy behind the networking setup?
> What reason is there that networks are so divided?

Yes, there is a lack of documentation in this area. It's a shame, but given it's an
open source project with an open wiki, everyone is invited to contribute and
improve this.

I'll see if I can get a page started..

> 
> After banging my head against the wall trying to configure just one host, I
> am very frustrated.  I have spent several HOURS Googling for a coherent
> explanation of how/why networking is supposed to work, but only find obscure
> references like "letting non-VMs see VM traffic would be a huge security
> violation".  I have no concept of what kind of an installation the o-virt
> designers have in mind, but it is obviously worlds different from what I am
> trying to do.
> 
> The best I can tell, o-virt networking works like this (at least when you
> have only one NIC):
> there must be an ovirtmgt network, which cannot be combined with any other
> network.
>       the ovirtmgt network cannot talk to VMs (unless that VM is running the
> engine)
>       the ovirtmgt network can only talk to hosts, not to other non-VM
>       computers
> a VM network can talk only to VMs
>       cannot talk to hosts
>       cannot talk to non-VMs
> hosts cannot talk to my LAN
> hosts cannot talk to VMs
> VMs cannot talk to my LAN
> All of the above are enforced by a boatload of firewall rules that o-virt
> puts into every host and VM under its jurisdiction.

Not sure what you mean by all these "restrictions". From what I know, the firewall
rules that are set on each host are there to allow the host to talk to the engine
(ssh, vdsm, VM console traffic, etc.), no more, no less.

Usually the default behavior of the firewall is to block almost all communication, so
when you add a host and check the "Configure firewall" box, it modifies it so that
your host can function properly.

oVirt has no sense of firewall otherwise. For all it cares you can turn it off
completely, or configure it by yourself (manually or via puppet/chef/foreman/etc)
and not use the capability of the system to configure it for you.

You can also change it so that it uses the rules you want by modifying
IPTablesConfig via the engine-config tool.

> 
> All of the above is inferred from things I Googled, because I can't find
> anywhere that explains what or how things are supposed to work--only things
> telling people WHAT THEY CAN'T DO.  All I see on the mailing lists is people
> getting their hands slapped because they are trying to do SIMPLE SETUPS that
> should work, but don't (due to either design restrictions or software bugs).

What slaps did you see?
What simple setups don't work?

> 
> My use case A:
>   * My (2 or 3) hosts have only one physical NIC.
>   * My VMs exist to provide services to non-VM computers.
>      *  The VMs do not run X-windows, but they provide GUI programs to
> non-VMs via "ssh -X" connections.
>   * MY VMs need access to storage that is shared with hosts and non-VMs on
> the LAN.

Your VMs will be sitting on the ovirtmgmt network, or on a VLAN?

If you want to use VLANs for the VM traffic, you can configure the management
network to be non-VM thus allowing you to put VLANs on the same NIC this
network is occupying (just make sure to sync it first, because changes aren't
applied automatically to the hosts, yet).

In my small setup, the VMs are not on a VLAN and can talk to all other machines
on the LAN via SSH, and I didn't configure anything special at the host level.

> 
> Is there some way to TURN OFF network control in o-virt?  My systems are
> small and static.  I can hand-configure the networking a whole lot easier
> than I can deal with o-virt (as I have used it so far). Mostly I would need
> to be able to turn off the firewall rules on both hosts and VMs.
> 
> banging head against wall,

Try not to break the wall (or your head) ;)

> Ted
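
Added example (not part of the original message and not oVirt code): a shell check that walks a candidate iptables ruleset, such as one you intend to store in IPTablesConfig, and reports whether the ports the host needs for engine traffic stay open. The sample ruleset, the port numbers and the function names are constructed for illustration; substitute the ports your deployment uses.

```shell
# Constructed sample ruleset in iptables-save syntax (not oVirt's shipped default).
sample_rules() {
cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 54321 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 5900:6923 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# Print "yes" if the ruleset on stdin accepts inbound TCP port $1, else "no".
# First match wins; source/interface limits and chain policy are not modelled.
port_accepted() {
    awk -v want="$1" '
        $1 != "-A" || $2 != "INPUT" { next }
        {
            target = ""; spec = ""; proto = ""; cond = 0
            for (i = 3; i < NF; i++) {
                if ($i == "-j") target = $(i + 1); if ($i == "-p") proto = $(i + 1)
                if ($i == "--dport" || $i == "--dports") spec = $(i + 1)
                if ($i ~ /^-[pisdm]$/) cond = 1
            }
            # An unconditional REJECT/DROP ends the chain for everything else.
            if (!cond && (target == "REJECT" || target == "DROP")) exit
            if (proto != "tcp" || spec == "") next
            n = split(spec, parts, ",")
            for (k = 1; k <= n; k++) {
                m = split(parts[k], r, ":")
                lo = r[1] + 0; hi = (m == 2 ? r[2] : r[1]) + 0
                if (want + 0 >= lo && want + 0 <= hi) { found = (target == "ACCEPT"); exit }
            }
        }
        END { print (found ? "yes" : "no") }
    '
}
# Print the ports (arguments after the rules file $1) that the ruleset does not accept.
missing_ports() {
    rules_file=$1; shift; missing=""
    for port in "$@"; do
        [ "$(port_accepted "$port" < "$rules_file")" = "yes" ] || missing="$missing $port"
    done
    echo "${missing# }"
}
sample_rules | port_accepted 54321   # prints "yes"
```

Run `missing_ports` against the ruleset file before handing it to the engine; an empty result means every listed port is still reachable.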