[Ovirt-devel] Some networking and provisioning questions

Daniel P. Berrange berrange at redhat.com
Mon Mar 16 20:15:34 UTC 2009


On Mon, Mar 16, 2009 at 04:05:12PM -0400, Hugh O. Brock wrote:
> Hi oVirt folks. We just finished a conversation about oVirt network
> and provisioning configuration and I thought it would be useful to put
> it out in the community for discussion. You can refer to the diagrams
> at http://ovirt.org/page/ArchDiagrams for background.


> Problem: With the current network architecture, VMs have no direct
> access to the admin network. However, the provisioning system
> (cobbler) only operates over the admin network (on which it provisions
> nodes). It is therefore impossible to PXE a VM except in the
> degenerate case where the admin network and the VM network are the
> same.

IMHO, that is not quite correct. Cobbler is *intended* to be present 
on both the admin & VM networks in normal circumstances, so that it
can be used for provisioning both hosts and guests.  See this diagram
with cobbler on both:

  http://ovirt.org/wiki/images/d/d3/Ovirt-admin.png

If the current oVirt setup isn't putting cobbler on the VM network, then
that's a flaw in our current impl not following the architecture
designs :-P I think the problem is better stated as:

Problem: In an Intranet deployment cobbler is normally present on both
the VM and admin networks. In the case where oVirt is deployed on the
Internet, however, the VM network would be the public Internet. This
implies Cobbler would be on the Internet which is potentially undesirable.

> Solution: Several possible:
> 
>   * Provision only via cobbler-managed ISOs, ditch PXE altogether
>     other than for node boot


>   * Set up a two-stage provisioning process for VMs -- all VMs have
>     two nics, one on the admin network and one on the VM network, but
>     we firewall the admin network post-install. Seems impossibly
>     complex.

Yes, rather tedious

>   * Have cobbler listen on the VM network as well as the admin network
>     (or have two cobblers, one for each network). If the VM network is
>     public (i.e. the internet) this seems like a very strange
>     idea... on the other hand even if the VM network is publicly
>     routable you could still PXE VMs locally. Not sure if this is
>     sensible or not.

Agree, the idea of Cobbler being on the internet is not desirable - if
nothing else in a non-Intranet deployment, it is very unlikely that the
users of 2 VMs trust each other. You don't want 1 VM to spoof a PXE
server during your provisioning.

>   * Set up a separate, private "provisioning" network, on which all
>     VMs would have a permanent NIC, and run a separate cobbler server
>     on it.

Again has the trust issue, if you're considering this as a public hosting
deployment mode.

> I'm inclined to go with solution 1, but I'm willing to be convinced
> otherwise.

Out of those options I agree option 1 is most desirable. Either let it
boot the ISO image, or do a direct kernel+initrd boot of the selected
OS. I would add one further option - in addition - not instead of this.
Namely, the ability to clone a pre-existing OS template. E.g. a hosting
provider may have done generic installs of Fedora, RHEL, Windows, etc.
Provisioning a new VM would just clone this template, and boot it and
now the end-user can log straight in and customize. No 'installation'
step as far as the end user is concerned.

Daniel
-- 
|: Red Hat, Engineering, London   -o-   http://people.redhat.com/berrange/ :|
|: http://libvirt.org  -o-  http://virt-manager.org  -o-  http://ovirt.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: GnuPG: 7D3B9505  -o-  F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|



