Posted to users@cloudstack.apache.org by jordan j <yo...@gmail.com> on 2022/12/15 13:12:51 UTC

Choose system VMs network ?

Dear all,

I have the following setup.

ACS 4.17.1 + XCP-NG 8.2.1 with network bridge + Advanced network with
security groups.
Because Security Groups are enabled there is no public network in the zone
so instead system VMs use the user network. The setup has multiple such
networks so SSVMs use one randomly during creation, is it possible to force
them to use a specific network?

Regards,
Jordan

Re: Choose system VMs network ?

Posted by jordan j <yo...@gmail.com>.
Alright, in regards to the example design post, it seems I was wrong.
The traffic to CloudStack goes through the PODID interface so things are
fine there.

On Fri, Dec 16, 2022 at 10:55 AM jordan j <yo...@gmail.com> wrote:

> And one more in regards to SSVM.
>
> If a new system VM (console or storage) offering is created, is there a
> way to select which one is chosen for the zone operation?
> For example, I created one with host and storage tags so the SSVM sits
> on specific servers; how can I tell the system to use it?
>
>
> On Fri, Dec 16, 2022 at 8:13 AM jordan j <yo...@gmail.com> wrote:
>
>> By design, Cloudstack networks and user networks should be fully
>> isolated. The problem is that as the Public network is not present the
>> SSVMs user network interface takes the responsibilities of the public one.
>> Here is an example:
>> - ACS server 10.10.10.10/24
>> - XCP-NG hosts 10.10.11.10 to 10.10.11.19/24 (POD network is
>> 10.10.10.11.0/24)
>> - user networks:
>>     -> 192.168.1.0/24
>>     -> 192.168.2.0/24
>>     -> 192.168.3.0/24
>>
>> When SSVMs are created they take 2 ips, one from the pod network and one
>> from a random network below. For example:
>> - Console SVM - 10.10.11.20/24 and 192.168.2.20 - 192.168.2.20 is the ip
>> used by users to view VM consoles in Cloudstack. The problem is that
>> Cloudstack management networks ( ACS and XCP) are accessed from VPN MGMT
>> where user networks are accessed from VPN USERS. So the system admin cannot
>> view consoles.
>> - Storage SVM - 10.10.11.21/24 and 192.168.2.21 - 192.168.2.21 is the
>> IP used to go to the internet and get ISOs.
>> Both of the issues above are not that important. What is important though
>> is that the 192.168.2.X IPs are used to connect SSVM to ACS and report
>> online state and we don't want to do that OR if we do to be from specific
>> IPs that do not change (which is impossible).
>>
>> An alternative that comes to my mind is to somehow make the SVMs' pod IP
>> (10.10.11.0/24) take the role of the public interface instead, but I
>> don't know if that is possible at all.
>>
>> Best regards,
>> Jordan
>>
>> On Thu, Dec 15, 2022 at 6:51 PM Nux <nu...@li.nux.ro> wrote:
>>
>>> Hello,
>>>
>>> Then I do not think there is a setting to help you.
>>>
>>> What exactly is the problem with the system VMs getting IPs "randomly"
>>> from multiple networks? Perhaps we can find another solution to help you.
>>>
>>> Cheers
>>> ---
>>> Nux
>>> www.nux.ro
>>>
>>>
>>> On 2022-12-15 16:42, jordan j wrote:
>>>
>>> Thank you Nux,
>>>
>>> My question was related to guest networks.
>>> For management I have already dedicated network range.
>>>
>>> I am doing tests with 5 networks but they may become more later in
>>> production.
>>>
>>> Regards,
>>> Jordan
>>>
>>> On Thu, Dec 15, 2022 at 6:36 PM Nux <nu...@li.nux.ro> wrote:
>>>
>>> Hi,
>>>
>>> Yes and no, depends how many network traffic types you have. For example
>>> if you have defined 2 physical networks in the zone, one with traffic type
>>> "management" and another one with type "guest", then your system VM will
>>> use an IP from both.
>>> Usually in the "management" traffic type you can add another "IP range"
>>> and dedicate it to system VMs[1], but you can't do this in the "guest"
>>> network.
>>> So at most you can have a dedicated range for system VMs in the
>>> management network, but not in the guest one.
>>> So what is your situation, how many networks do you have?
>>>
>>>
>>> [1] see screenshot below
>>>
>>>
>>>
>>> ---
>>> Nux
>>> www.nux.ro
>>>
>>>
>>> On 2022-12-15 13:12, jordan j wrote:
>>>
>>> Dear all,
>>>
>>> I have the following setup.
>>>
>>> ACS 4.17.1 + XCP-NG 8.2.1 with network bridge + Advanced network with
>>> security groups.
>>> Because Security Groups are enabled there is no public network in the
>>> zone
>>> so instead system VMs use the user network. The setup has multiple such
>>> networks so SSVMs use one randomly during creation, is it possible to
>>> force
>>> them to use a specific network?
>>>
>>> Regards,
>>> Jordan
>>>
>>>

Re: Choose system VMs network ?

Posted by jordan j <yo...@gmail.com>.
And one more in regards to SSVM.

If a new system VM (console or storage) offering is created, is there a way
to select which one is chosen for the zone operation?
For example, I created one with host and storage tags so the SSVM sits on
specific servers; how can I tell the system to use it?


On Fri, Dec 16, 2022 at 8:13 AM jordan j <yo...@gmail.com> wrote:

> By design, Cloudstack networks and user networks should be fully isolated.
> The problem is that as the Public network is not present the SSVMs user
> network interface takes the responsibilities of the public one. Here is an
> example:
> - ACS server 10.10.10.10/24
> - XCP-NG hosts 10.10.11.10 to 10.10.11.19/24 (POD network is
> 10.10.10.11.0/24)
> - user networks:
>     -> 192.168.1.0/24
>     -> 192.168.2.0/24
>     -> 192.168.3.0/24
>
> When SSVMs are created they take 2 ips, one from the pod network and one
> from a random network below. For example:
> - Console SVM - 10.10.11.20/24 and 192.168.2.20 - 192.168.2.20 is the ip
> used by users to view VM consoles in Cloudstack. The problem is that
> Cloudstack management networks ( ACS and XCP) are accessed from VPN MGMT
> where user networks are accessed from VPN USERS. So the system admin cannot
> view consoles.
> - Storage SVM - 10.10.11.21/24 and 192.168.2.21 - 192.168.2.21 is the IP
> used to go to the internet and get ISOs.
> Both of the issues above are not that important. What is important though
> is that the 192.168.2.X IPs are used to connect SSVM to ACS and report
> online state and we don't want to do that OR if we do to be from specific
> IPs that do not change (which is impossible).
>
> An alternative that comes to my mind is to somehow make the SVMs' pod IP
> (10.10.11.0/24) take the role of the public interface instead, but I
> don't know if that is possible at all.
>
> Best regards,
> Jordan
>
> On Thu, Dec 15, 2022 at 6:51 PM Nux <nu...@li.nux.ro> wrote:
>
>> Hello,
>>
>> Then I do not think there is a setting to help you.
>>
>> What exactly is the problem with the system VMs getting IPs "randomly"
>> from multiple networks? Perhaps we can find another solution to help you.
>>
>> Cheers
>> ---
>> Nux
>> www.nux.ro
>>
>>
>> On 2022-12-15 16:42, jordan j wrote:
>>
>> Thank you Nux,
>>
>> My question was related to guest networks.
>> For management I have already dedicated network range.
>>
>> I am doing tests with 5 networks but they may become more later in
>> production.
>>
>> Regards,
>> Jordan
>>
>> On Thu, Dec 15, 2022 at 6:36 PM Nux <nu...@li.nux.ro> wrote:
>>
>> Hi,
>>
>> Yes and no, depends how many network traffic types you have. For example
>> if you have defined 2 physical networks in the zone, one with traffic type
>> "management" and another one with type "guest", then your system VM will
>> use an IP from both.
>> Usually in the "management" traffic type you can add another "IP range"
>> and dedicate it to system VMs[1], but you can't do this in the "guest"
>> network.
>> So at most you can have a dedicated range for system VMs in the
>> management network, but not in the guest one.
>> So what is your situation, how many networks do you have?
>>
>>
>> [1] see screenshot below
>>
>>
>>
>> ---
>> Nux
>> www.nux.ro
>>
>>
>> On 2022-12-15 13:12, jordan j wrote:
>>
>> Dear all,
>>
>> I have the following setup.
>>
>> ACS 4.17.1 + XCP-NG 8.2.1 with network bridge + Advanced network with
>> security groups.
>> Because Security Groups are enabled there is no public network in the zone
>> so instead system VMs use the user network. The setup has multiple such
>> networks so SSVMs use one randomly during creation, is it possible to
>> force
>> them to use a specific network?
>>
>> Regards,
>> Jordan
>>
>>

Re: Choose system VMs network ?

Posted by Nux <nu...@li.nux.ro>.
Hi,

Yes and no, depends how many network traffic types you have. For example 
if you have defined 2 physical networks in the zone, one with traffic 
type "management" and another one with type "guest", then your system VM 
will use an IP from both.
Usually in the "management" traffic type you can add another "IP range" 
and dedicate it to system VMs[1], but you can't do this in the "guest" 
network.
So at most you can have a dedicated range for system VMs in the 
management network, but not in the guest one.
So what is your situation, how many networks do you have?

[1] see screenshot below

---
Nux
www.nux.ro [1]

On 2022-12-15 13:12, jordan j wrote:

> Dear all,
> 
> I have the following setup.
> 
> ACS 4.17.1 + XCP-NG 8.2.1 with network bridge + Advanced network with
> security groups.
> Because Security Groups are enabled there is no public network in the 
> zone
> so instead system VMs use the user network. The setup has multiple such
> networks so SSVMs use one randomly during creation, is it possible to 
> force
> them to use a specific network?
> 
> Regards,
> Jordan


Links:
------
[1] http://www.nux.ro