[Users] why ovirt does not support NAT network
Dan Kenigsberg
danken at redhat.com
Thu Jan 2 11:42:23 UTC 2014
On Mon, Dec 30, 2013 at 09:39:58PM +0100, woswas denni wrote:
> >
> > Well, there's nothing much beyond the hook's README
> >
> http://gerrit.ovirt.org/gitweb?p=vdsm.git;a=blob;f=vdsm_hooks/extnet/README;h=0778dbb3ef85c5ae179fb0f6c9ceeabc268abe89;hb=HEAD
> > You should start by defining a libvirt network, and then mark a vNIC
> > profile with a custom propery so that the network is used by vNICs.
> >
> > As a very first stage, you may define the libvirt network on top of your
> > existing br0 bridge
> > (http://libvirt.org/formatnetwork.html#examplesBridge) so oVirt can
> > consume your networking setup.
> >
>
> Hmm, do we really need a libvirt bridge, or can't we go simply with a regular
> virtual bridge as I already use?
The extnet hook expects that you create a libvirt network on top of your
regular NIC. You could write your own "extbridge" hook that consumes
the regular bridge directly.
The libvirt network may seem like a needless layer, but it grants the
extnet bridge a lot of flexibility (such as connecting to an OVS bridge
instead of to a Linux bridge).
>
> All I want is to connect oVirt's VLAN NIC to existing interfaces.
> I am aware that then many configs have to be done manually, but that's fine for
> now.
Understood, and that's doable.
>
>
> > But who creates that VPN connection? Who supplies the credentials?
> Well, this is manual, only once per host, no desire for automation here.
> I've automated scripts for that, but I usually use an offline PC as a signing
> device.
Understood. I am asking since I'd like to understand how people (plan
to) use oVirt, and whether we can automate more of their chores.
>
>
> >
>
> >
> > How does this work, if they are both behind NAT?
>
> Well, they are not and they are; it's a routed NAT combo :)
>
> Let's say I have 2 servers - we would then have 3 internal networks -
>
> 1 - VPN connecting and routing between physical hosts
> 2&3 - Each host's internal bridge subnet, which does routing
>
> NAT comes in when we go outside - usually port forwarding - which is handy to
> save IPs
>
> So think of every host not only as a hypervisor but also as a network node
>
>
> Only downside: if I move a VM from A to B I have to adjust the IPs, NAT and
> firewall
>
> Upside and reason for this is:
> 1. I can use one ext IP for several VMs if they need different ports. ATM I
> can save over 3/4 of ext IPs.
> 2. Also I do not need to manage the firewall on every VM, only on the hosts.
> 3. Additional security by having all daemons whatsoever only bound to
> internal interfaces.
> All daemons are bound to their internal br0 IP and I can easily access
> certain ports like SSH or MySQL within the VPN only, without exposing
> anything outside, with minimal administrative work.
> Who can access what is currently defined by firewall rules within each host
> - here Firewall Builder comes in handy BTW :)))
>
> >
> > You'd like to automate the creation of NAT rules? VPN creation?
> Well, I would like to automate port-based NAT and firewall rules; that's the
> dream. VPN as described I don't really, but hey, who knows if someone else
> wants it.
> Actually I think (even if I'm not gonna need it) it would be a nice feature for
> many - especially these days
>
>
> Only port forwarding and/or complete NAT on the host would make life easier.
> However, most importantly is that I get the thing running,
> even if it means manual config on each host
>
>
> My issues with oVirt were simply that I couldn't find a way to assign the
> needed interfaces. So if I simply manually specify what's going on, it should
> be enough
>
> BTW I took a look at openQRM and they have already addressed many of those
> needs like Puppet, DHCP, DNS and NAT translation over IP pools and stuff.
> Still my setup seems too strange for them either lol
>
>
>
> I think (if I understand the README correctly, it's exactly what extnet is
> doing) the best way would be to simply allow specifying custom interface names.
> That way we can build custom configs on our hosts, however strange we want
> them
Right, that's the motivation behind that hook. Please try whether oVirt can
do what you need, and report to this list!
>
> Since you have to do it only for each physical host it's not THAT evil to do,
> and you can write easy scripts to do that for you.
>
> But what would be handy in any case - no matter which setup, or regular
> oVirt setup - and I am really missing is a firewall config.
> Perfect dream would be something visual with objects like Firewall Builder
> (dev stopped sadly); I think I saw something web-based in some open-source
> firewall distros too.
>
> I mean we have to config firewalls for the hosts in any case - of course I
> know this would be a monster to implement fully
>
> Just dreaming :))
Well, do not forget your dream; maybe someone will be able to implement
it one day (though it does not seem to be around the corner).
Dan.
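The "very first stage" discussed above, a libvirt network in bridge mode on top of an existing br0 so oVirt's extnet hook can consume it, as an added shell example that is not from this thread or from the vdsm hook. The network name extnet-br0 is a placeholder, and the vNIC-profile custom property that points at this network is deliberately not named here; take it from the hook's README linked above.

```shell
#!/bin/sh
# Added example, not part of the thread or the vdsm extnet hook.
# Assumptions: br0 already exists and is up on the host; "extnet-br0"
# is a placeholder name for the libvirt network.
set -eu

# Print a libvirt network definition in bridge mode for an existing bridge
# (the examplesBridge form from libvirt's formatnetwork page).
# $1 = libvirt network name, $2 = existing bridge device.
# Bridge mode means libvirt adds no NAT, DHCP or packet filtering of its own:
# whatever the host's firewall permits on br0 is exactly what the VMs get,
# so the per-host rules the thread talks about still have to exist.
extnet_bridge_xml() {
    name=$1
    bridge=$2
    printf '%s\n' \
        "<network>" \
        "  <name>${name}</name>" \
        "  <forward mode='bridge'/>" \
        "  <bridge name='${bridge}'/>" \
        "</network>"
}

# Define, autostart and start the network with virsh, then show net-info
# so the bridge name can be checked. Returns 1 if virsh is not installed.
define_extnet_network() {
    name=$1
    bridge=$2
    command -v virsh >/dev/null 2>&1 || { echo "virsh not found" >&2; return 1; }
    tmp=$(mktemp)
    extnet_bridge_xml "$name" "$bridge" > "$tmp"
    virsh net-define "$tmp"
    rm -f "$tmp"
    virsh net-autostart "$name"
    virsh net-start "$name"
    # Sanity check: the libvirt network should now report Bridge: br0.
    virsh net-info "$name"
}

# Stand-alone run: only print the XML that define_extnet_network would load.
extnet_bridge_xml "extnet-br0" "br0"
```

After the network exists, the remaining step is on the engine side: set the hook's custom property on the vNIC profile to the network name so vNICs using that profile land on br0.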