Hugh O. Brock
2009-Mar-16 20:05 UTC
[Ovirt-devel] Some networking and provisioning questions
Hi oVirt folks. We just finished a conversation about oVirt network and provisioning configuration and I thought it would be useful to put it out in the community for discussion. You can refer to the diagrams at http://ovirt.org/page/ArchDiagrams for background.

oVirt quick network meeting summary

Problem: With the current SSL setup for httpd, you can't reach the UI from the server's public (web) interface. In effect, Apache is only listening on the admin network, which works fine for configuring the node but doesn't work at all for users browsing to the UI.

Solution: Change the installer so that it will define both public and admin networks, such that we can correctly redirect http requests on the public network to port 443 on the public network. This is underway and will be done before the 0.97 release (i.e. today).

Problem: With the current network architecture, VMs have no direct access to the admin network. However, the provisioning system (cobbler) only operates over the admin network (on which it provisions nodes). It is therefore impossible to PXE a VM except in the degenerate case where the admin network and the VM network are the same.

Solution: Several possible:

* Provision only via cobbler-managed ISOs, ditch PXE altogether other than for node boot

* Set up a two-stage provisioning process for VMs -- all VMs have two nics, one on the admin network and one on the VM network, but we firewall the admin network post-install. Seems impossibly complex.

* Have cobbler listen on the VM network as well as the admin network (or have two cobblers, one for each network). If the VM network is public (i.e. the internet) this seems like a very strange idea... on the other hand even if the VM network is publicly routable you could still PXE VMs locally. Not sure if this is sensible or not.

* Set up a separate, private "provisioning" network, on which all VMs would have a permanent NIC, and run a separate cobbler server on it.

I'm inclined to go with solution 1, but I'm willing to be convinced otherwise. Suggestions?

Take care,
--Hugh
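The first problem/solution pair in the message above (httpd bound only to the admin network, fixed by listening on both networks and redirecting plain http on the public interface to https on that same interface) is shown here as an added illustration. This is not the oVirt installer's own configuration: the interface addresses 10.0.0.1 (admin) and 192.0.2.10 (public), the hostname ovirt.example.com and the certificate paths are placeholders assumed for the example.

```apache
# Added illustration of the "listen on both networks, redirect public http
# to public https" fix; not generated by the oVirt installer.
# Placeholders (assumed, adjust to the deployment):
#   10.0.0.1          admin network interface of the oVirt server
#   192.0.2.10        public (web) interface of the oVirt server
#   ovirt.example.com public hostname users browse to
#   /etc/pki/tls/...  certificate and key paths

# Bind explicitly to each interface instead of the admin address only.
Listen 10.0.0.1:80
Listen 10.0.0.1:443
Listen 192.0.2.10:80
Listen 192.0.2.10:443

# Admin network: keep the existing behaviour (node configuration traffic).
<VirtualHost 10.0.0.1:443>
    ServerName 10.0.0.1
    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/ovirt-admin.crt
    SSLCertificateKeyFile /etc/pki/tls/private/ovirt-admin.key
    DocumentRoot /var/www/html
</VirtualHost>

# Public network, plain http: never serve the UI here, only send the
# browser to https on the same public interface (path is preserved).
<VirtualHost 192.0.2.10:80>
    ServerName ovirt.example.com
    Redirect permanent / https://ovirt.example.com/
</VirtualHost>

# Public network, https: the UI users actually reach.
<VirtualHost 192.0.2.10:443>
    ServerName ovirt.example.com
    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/ovirt-public.crt
    SSLCertificateKeyFile /etc/pki/tls/private/ovirt-public.key
    DocumentRoot /var/www/html
</VirtualHost>
```

After reloading, `apachectl -t` checks the syntax and `ss -ltnp | grep httpd` should show httpd bound on both the admin and the public address on ports 80 and 443; a `curl -I http://ovirt.example.com/` from the public side should return a 301 to the https URL rather than the UI itself.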
Daniel P. Berrange
2009-Mar-16 20:15 UTC
[Ovirt-devel] Some networking and provisioning questions
On Mon, Mar 16, 2009 at 04:05:12PM -0400, Hugh O. Brock wrote:
> Hi oVirt folks. We just finished a conversation about oVirt network
> and provisioning configuration and I thought it would be useful to put
> it out in the community for discussion. You can refer to the diagrams
> at http://ovirt.org/page/ArchDiagrams for background.
>
> Problem: With the current network architecture, VMs have no direct
> access to the admin network. However, the provisioning system
> (cobbler) only operates over the admin network (on which it provisions
> nodes). It is therefore impossible to PXE a VM except in the
> degenerate case where the admin network and the VM network is the
> same.

IMHO, that is not quite correct. Cobbler is *intended* to be present on both the admin & VM networks in normal circumstances, so that it can be used for provisioning both hosts and guests. See this diagram with cobbler on both:

http://ovirt.org/wiki/images/d/d3/Ovirt-admin.png

If current oVirt setup isn't putting cobbler on the VM network, then that's a flaw in our current impl not following the architecture designs :-P

I think the problem is better stated as:

Problem: In an Intranet deployment cobbler is normally present on both the VM and admin networks. In the case where oVirt is deployed on the Internet, however, the VM network would be the public Internet. This implies Cobbler would be on the Internet which is potentially undesirable.

> Solution: Several possible:
>
> * Provision only via cobbler-managed ISOs, ditch PXE altogether
> other than for node boot
>
> * Set up a two-stage provisioning process for VMs -- all VMs have
> two nics, one on the admin network and one on the VM network, but
> we firewall the admin network post-install. Seems impossibly
> complex.

Yes, rather tedious

> * Have cobbler listen on the VM network as well as the admin network
> (or have two cobblers, one for each network). If the VM network is
> public (i.e. the internet) this seems like a very strange
> idea... on the other hand even if the VM network is publicly
> routable you could still PXE VMs locally. Not sure if this is
> sensible or not.

Agree, the idea of Cobbler being on the internet is not desirable - if nothing else in a non-Intranet deployment, it is very unlikely that the users of 2 VMs trust each other. You don't want 1 vm to spoof a PXE server during your provisioning.

> * Set up a separate, private "provisioning" network, on which all
> VMs would have a permanent NIC, and run a separate cobbler server
> on it.

Again has the trust issue, if you're considering this as a public hosting deployment mode.

> I'm inclined to go with solution 1, but I'm willing to be convinced
> otherwise.

Out of those options I agree option 1 is most desirable. Either let it boot the ISO image, or do a direct kernel+initrd boot of the selected OS.

I would add one further option - in addition - not instead of this. Namely, ability to clone a pre-existing OS template. eg a hosting provider may have done generic installs of Fedora, RHEL, Windows, etc. Provisioning a new VM would just clone this template, and boot it and now the end-user can log straight in and customize. No 'installation' step as far as the end user is concerned.

Daniel
-- 
|: Red Hat, Engineering, London -o- http://people.redhat.com/berrange/ :|
|: http://libvirt.org -o- http://virt-manager.org -o- http://ovirt.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: GnuPG: 7D3B9505 -o- F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|