[Users] why ovirt does not support NAT network

Thu Jan 2 11:42:23 UTC 2014

On Mon, Dec 30, 2013 at 09:39:58PM +0100, woswas denni wrote:
> >
> > Well, there's nothing much beyond the hook's README
> >
> http://gerrit.ovirt.org/gitweb?p=vdsm.git;a=blob;f=vdsm_hooks/extnet/README;h=0778dbb3ef85c5ae179fb0f6c9ceeabc268abe89;hb=HEAD
> > You should start by defining a libvirt network, and then mark a vNIC
> > profile with a custom propery so that the network is used by vNICs.
> >
> > As a very first stage, you may define the libvirt network on top of your
> > existing br0 bridge
> > (http://libvirt.org/formatnetwork.html#examplesBridge) so oVirt can
> > consume your networking setup.
> >
> 
> Hmm do we really need a libvirt bridge or cant we go simply with a regular
> virtual brdige as i already use?

The extnet hook expects that you create a libvirt network on top of your
regular nic. You chould write your own "extbridge" hook, that consumes
the regular bridge directly.

The libvirt network may seem as a needless layer, but it grants the
extnet bridge a lot of flexibility (such as connecting to an ovs bridge
instead of to a Linux bridge).

> 
> all i want is connect ovirts vlan nic to existing interfaces.
> iam aware tat then many configs has to be done manually, but thats fine for
> now

Understood, and that's doable.

> 
> 
> > But who creates that VPN connection? Who supplies the credentials?
> well this is manually, only once per host no desire for automation here,
> ive automated scripts for that but i usually use an offline pc as a signing
> device.

Understood. I am asking since I'd like to understand how people (plan
to) use oVirt, and wether we can automate more of their chores.

> 
> 
> >
> 
> >
> > How does this work, if they are both behind NAT?
> 
> Well they are not and they are, its a routed NAT combo :)
> 
> Lets say i have 2 server - we would have then 3 internal networks -
> 
> 1 - VPN conncting and routing between physical hosts
> 2&3 - Each hosts internal bridge subnet which does routing
> 
> NAT comes in when we go outside - usually Portforward - which is handy to
> save IPs
> 
> So think of every Host not only as an Hypervisor but also as an Network Node
> 
> 
> only downside if i move a vm from a to b ife to adjust the ips l, nat and
> firewall
> 
> upside and reson for this is:
> 1, i can use one ext ip for several vms if they need different ports. atm i
> can save over 3/4 of ext ips.
> 2, also i do not need to manage the firewall on every vm only on the hosts
> 3, Additional Security by having all Daemons whatsoever only bound to
> internal Interfaces.
> all daemons are bound to their internal br0 ip and i can easy access
> certain ports like ssh or mysl within the vpn only without exposing
> anything outside with a minimum administrative work
> Who can access what is currently defined by Firewall Rules within each Host
> - Here comes Firewallbuilder Handy BTW :)))
> 
> >
> > You'd like to automate the creation of NAT rules? VPN creation?
> well i would like to automate port based nat and firewallrules thats the
> dream. VPN as described i dont really but but hey who knows if someone else
> want it.
> Actually i think (even im not gonna need it) would be a nice feature for
> many - specielly these days
> 
> 
> only portforwarding/and or complete nat on the host would make live easier.
> however most importingly is that i get the thing running.
> even it means manual config on each host
> 
> 
> my issues with ovirt where simple that i couldn find a way to assign the
> needed interfaces. so if i simply manually specify whats going on it should
> be enough
> 
> btw i took a look at openqrm and they have alreaey adressed many of those
> needs like puppet, dhcp , dns and nat translation over ip pools and stuff.
> still my setup seems to strange for them either lol
> 
> 
> 
> i think (if understand the readme correctly its exactly whats extnet is
> doing) the best way would be simply allow to specify custom interface names.
> that way we can build custom configs on our hosts how ever strange we want
> em

right, that's the motivation behind that hook. Please try if oVirt can
do what you need, and report to this list!

> 
> Since you have todo it only for each physical host its not THAT evil todo
> and you can write easy scripts todo that for you.
> 
> But what would be Handy in any case - no matter which setup or regular
> Ovirt setup and iam really missing is a Firewall config.
> Perfect dream would be something Visual with objects like Firewall Builder
> (dev stopped sadly) , i think i saw something webbased in some opensource
> firewall distros too.
> 
> I mean we have to config FIrewalls for the Hosts in anycase - of course i
> know this would be a monster to implement fully
> 
> just dreaming :))

Well do not forget your dream, maybe someone would be able to implement
it one day (though it does not seem to be around the corner).

Dan.