Is it possible to do MAC-spoofing on nested virtualization?


Matteo Capuano

Jan 6, 2018, 11:57:18 AM
to gce-discussion
Hi to everyone,

I'm testing the new nested virtualization support of GCE by trying to install "oVirt hosted-engine", but I got an issue with the network configuration. I need to enable MAC-spoofing on the NIC used by oVirt to create the bridge that will give connectivity to the hosted VMs. That NIC has only an internal IP and is created with the "--guest-os-features MULTI_IP_SUBNET" command to enable a /24 sub-net.

Thank you

Cheers

Matteo

Navi Aujla (Google Cloud Support)

Jan 6, 2018, 2:53:27 PM
to gce-discussion
Hello Matteo 

Can you provide more details on the "oVirt hosted-engine" setup you are implementing? Any available documentation on the oVirt networking setup that you are implementing would be helpful to better understand the setup.

I will check on MAC-spoofing on the NICs in a nested virtualization VM environment.

Matteo Capuano

Jan 7, 2018, 11:57:18 AM
to gce-discussion
Hi Navi,

Thanks for your reply.

oVirt is a KVM-based hypervisor; it's the upstream version of Red Hat Virtualization.

I'm trying to deploy the hyperconverged solution (here you can find two how-tos: https://www.ovirt.org/blog/2017/04/up-and-running-with-ovirt-4.1-and-gluster-storage/ and https://access.redhat.com/documentation/en-us/red_hat_hyperconverged_infrastructure/1.0/html-single/deploying_red_hat_hyperconverged_infrastructure/index ) that needs three nodes to create a high-availability cluster where the Engine (a software that works like VMware's vCenter) controlling all the hosts needs to be a VM that can move between the hosts without losing connectivity. To do so, oVirt creates a network bridge on each host's NIC used for management; the result is that the vNIC of the VM running the engine is able to move between the hosts while retaining the same IP address. During setup I can choose the MAC address of the vNIC used by the engine; I tried with a random one and also with a subsequent free MAC of the ones generated by GCE.

My issue is that the Engine VM's IP is pingable only from the host hosting the VM and not from the other hosts on the same network. I had stepped on the very same issue the first time I tried this setup on a bare-metal nested environment and, thanks to the oVirt Community, I've been able to resolve it by enabling MAC-spoofing on all hosts' NICs used for the oVirt management network. That is why I think I need to be able to enable MAC-spoofing on the NICs generated by GCE.

To work, hosted-engine needs a pingable gateway, all the hosts and the engine's VM itself have to have a resolvable FQDN, and the engine VM's IP has to be on the same subnet as the hosts.

Going into the details, this is my environment on GCE:

- management subnet: 172.18.1.0/24
- storage subnet: 172.18.2.0/24
- gateway: an instance working as a NAT with LAN address 172.18.1.2 (due to the unpingable GCE's gateways)
- host 1: an instance created with "--guest-os-features MULTI_IP_SUBNET" and two NICs: eth0 172.18.1.210 for management and eth1 172.18.2.210 for storage
- host 2: same as host1 but with eth0: 172.18.1.220 eth1: 172.18.2.220
- host 3: eth0 172.18.1.230 eth1 172.18.2.230

You can find in the attachments two files named "before" and "after" with the details of the network interfaces and ifconfig of host1 before and after the deployment.

I hope my English was good enough to explain myself


Thanks for your time

Matteo
before.txt
after.txt
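
An added example, not part of the original post: a pre-deployment check of the addressing prerequisites listed above (engine IP on the hosts' subnet, gateway on that subnet, no address collisions) plus a sanity check of the MAC chosen for the engine vNIC. The subnet, gateway and host addresses come from the post; the engine IP, the sample MAC and the function names are constructed for illustration.

```python
import ipaddress
import re

# Addresses taken from the post above.
MGMT_SUBNET = "172.18.1.0/24"
GATEWAY = "172.18.1.2"
HOSTS = {"host1": "172.18.1.210", "host2": "172.18.1.220", "host3": "172.18.1.230"}

MAC_RE = re.compile(r"(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}")


def check_mac(mac):
    """Return problems with a MAC address chosen for the engine vNIC."""
    if not MAC_RE.fullmatch(mac):
        return ["MAC is not six colon-separated hex octets"]
    first = int(mac[:2], 16)
    problems = []
    if first & 0x01:  # I/G bit set: group (multicast/broadcast) address
        problems.append("MAC is a multicast address; a vNIC needs unicast")
    if not first & 0x02:  # U/L bit clear: vendor (OUI) space
        problems.append("MAC is in vendor space; confirm the range is yours")
    return problems


def check_plan(engine_ip, engine_mac):
    """Return problems with the planned engine VM address and MAC."""
    net = ipaddress.ip_network(MGMT_SUBNET)
    engine = ipaddress.ip_address(engine_ip)
    problems = []
    for name, addr in {"gateway": GATEWAY, **HOSTS}.items():
        if ipaddress.ip_address(addr) not in net:
            problems.append(f"{name} is outside the management subnet")
        if ipaddress.ip_address(addr) == engine:
            problems.append(f"engine IP collides with {name}")
    if engine not in net:
        problems.append("engine IP is not on the hosts' subnet")
    elif engine in (net.network_address, net.broadcast_address):
        problems.append("engine IP is the network or broadcast address")
    return problems + check_mac(engine_mac)


if __name__ == "__main__":
    # Constructed sample plan: the engine IP and MAC are not from the thread.
    for issue in check_plan("172.18.1.200", "02:00:ac:12:01:c8") or ["plan OK"]:
        print(issue)
```

A clean result only rules out addressing mistakes; it says nothing about whether the platform forwards frames from the engine's MAC, which is the open question in this thread.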

Navi Aujla (Google Cloud Support)

Jan 7, 2018, 3:18:03 PM
to gce-discussion
Hello Matteo 

Yes, it is helpful in understanding the set up. I will check into it and notify. 

Matteo Capuano

Jan 7, 2018, 3:45:22 PM
to gce-discussion
Thanks Navi.

Matteo Capuano

Jan 10, 2018, 1:24:50 PM
to gce-discussion
Hi Navi,

Do you have any news about the possibility to MAC-spoof a NIC?

Thank you

Matteo

Carlos (Cloud Platform Support)

Jan 11, 2018, 1:29:29 PM
to gce-discussion
Hi Matteo,

I have been following up on Navi’s investigation, but no useful information has surfaced on how to achieve MAC-spoofing. I am not sure if oVirt would be able to handle this by setting up a virtual interface in the VM and having traffic redirected to it.

Navi is currently out of the office, but I will ask him to update this thread in case he can find something that can help you.

Matteo Capuano

Jan 11, 2018, 1:50:28 PM
to Carlos (Cloud Platform Support), gce-discussion
Hi Carlos,

Thank you for the follow-up. I'm gonna investigate if oVirt could handle your solution.

If MAC-spoofing is not possible, do you think it would be helpful to send a feature request?


Cheers

Matteo

Navi Aujla (Google Cloud Support)

Jan 16, 2018, 1:13:03 PM
to gce-discussion
Hello Matteo

Yes, if you wish to submit a feature request regarding the same, feel free to submit it using the public issue tracker [1].

[1] https://cloud.google.com/support/docs/issue-trackers
