Posted to users@cloudstack.apache.org by Robert Navarro <cr...@gmail.com> on 2013/12/20 18:23:32 UTC

Bridge management network

Hey All,

I realize that this is a highly unusual use case, but here we are.

I have a 2U, 4 node server going to the Colo and I want to use all the
nodes as VM hosts.

The biggest thing though, I want to firewall off the management network
using pfSense or some other software firewall VM that also resides on these
hosts.

Now I figure I can run two KVM VMs on two separate physical hosts outside
of CloudStack to accomplish this, but I was wondering if there was a way to
pipe the management network into a CloudStack managed VM so I can take
advantage of the HA stuff that CloudStack offers.

Let me know if you want to know any of the particulars of the networking
layout and I'd be more than happy to supply the details.

-- 
Robert Navarro

Re: Bridge management network

Posted by Shanker Balan <sh...@shapeblue.com>.
On 23-Dec-2013, at 8:42 pm, Robert Navarro <cr...@gmail.com> wrote:

> Hello Shanker,
>
> Thanks for the response!
>
> Seems like the biggest concern is storage, and rightly so. I'll actually be
> using ceph for storage across all of the nodes with a few replicas dropped
> in for good measure.

While you can indeed use Ceph for the primary storage, I believe you will
need NFS for secondary storage.

You will still need to solve the secondary storage option.

> Since the storage is local to the nodes, if more than a few nodes go out at
> the same time there is likely some other, larger failure event going on
> (loss of power or something). The chassis is essentially a blade chassis.

Ok.


> IPMI is going to sit on its own dedicated network, so I'll still have an
> OOB way to get in, but that costs me money and I'm cheap :)

Ok.

> How would I go about piping the management traffic into a VM? Would this
> have to be done manually? I didn't see the option to attach the management
> network to an instance.

Yep, so try this instead (which is how I run my lab internally):

1) Run free ESXi on all hosts as your bare metal hypervisor
2) Create vSwitch networks to carry traffic as per your preference
3) Create one or more VMs on ESXi to run your CloudStack management services
4) On each ESXi host, create a XenServer VM/KVM VM. Since you want to use Ceph, only KVM would be an option.
5) Create a pfSense VM on bare metal ESXi for gateway services. I personally use freebsd with pfsync
6) Now configure all routing to go via the gateway IP
7) Configure CloudStack to add the XenServer/KVM hosts into your Zone
8) Run an NFS VM in ESXi to provide secondary storage services. I don’t think

Does the above make sense? So how to handle disaster?

1) Start the ESXi hosts
2) The VMs which run gateway services/NFS are set to autostart in ESXi
3) The XenServer/KVM instances are also set to autostart in ESXi
4) The CloudStack management VMs are also set to autostart via ESXi




--
@shankerbalan

M: +91 98860 60539 | O: +91 (80) 67935867
shanker.balan@shapeblue.com | www.shapeblue.com | Twitter:@shapeblue
ShapeBlue Services India LLP, 22nd floor, Unit 2201A, World Trade Centre, Bangalore - 560 055

This email and any attachments to it may be confidential and are intended solely for the use of the individual to whom it is addressed. Any views or opinions expressed are solely those of the author and do not necessarily represent those of Shape Blue Ltd or related companies. If you are not the intended recipient of this email, you must neither take any action based upon its contents, nor copy or show it to anyone. Please contact the sender if you believe you have received this email in error. Shape Blue Ltd is a company incorporated in England & Wales. ShapeBlue Services India LLP is a company incorporated in India and is operated under license from Shape Blue Ltd. Shape Blue Brasil Consultoria Ltda is a company incorporated in Brasil and is operated under license from Shape Blue Ltd. ShapeBlue is a registered trademark.
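The eight-step layout and the autostart sequence above, as an added example that is not code from the thread: a POSIX shell script that emits the ESXi-side commands (esxcli and vim-cmd, both real ESXi tools) for an isolated management vSwitch, a VLAN-tagged management portgroup with its security policy left at reject, the portgroup for the nested KVM host, which has to accept promiscuous mode and forged transmits, and dependency-ordered autostart entries. The vSwitch, portgroup, VLAN and VM id values are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: emits the ESXi-side setup for the nested
# layout described above. Names, VLAN ids and VM ids are constructed placeholders.
# DRY_RUN=1 (the default) prints the commands instead of running them.
: "${DRY_RUN:=1}"
run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

# One standard vSwitch per traffic class, each on its own physical uplink.
make_vswitch() {            # $1=vswitch name  $2=uplink vmnic
  run esxcli network vswitch standard add --vswitch-name="$1"
  run esxcli network vswitch standard uplink add --uplink-name="$2" --vswitch-name="$1"
}

# Management portgroup: VLAN-tagged, promiscuous mode / forged transmits /
# MAC changes rejected. Only the gateway and CloudStack management VMs attach here.
mgmt_portgroup() {          # $1=vswitch  $2=portgroup  $3=vlan id
  run esxcli network vswitch standard portgroup add --portgroup-name="$2" --vswitch-name="$1"
  run esxcli network vswitch standard portgroup set --portgroup-name="$2" --vlan-id="$3"
  run esxcli network vswitch standard portgroup policy security set --portgroup-name="$2" \
      --allow-promiscuous=false --allow-forged-transmits=false --allow-mac-change=false
}

# A nested KVM host forwards frames for its own guests' MACs, so its portgroup
# must accept promiscuous mode and forged transmits. Relax only this portgroup.
nested_kvm_portgroup() {    # $1=vswitch  $2=portgroup  $3=vlan id
  run esxcli network vswitch standard portgroup add --portgroup-name="$2" --vswitch-name="$1"
  run esxcli network vswitch standard portgroup set --portgroup-name="$2" --vlan-id="$3"
  run esxcli network vswitch standard portgroup policy security set --portgroup-name="$2" \
      --allow-promiscuous=true --allow-forged-transmits=true --allow-mac-change=false
}

# Autostart in dependency order: gateway, NFS, nested KVM host, CloudStack mgmt.
# vim-cmd args: vmid startAction startDelay startOrder stopAction stopDelay waitForHeartbeat
autostart_plan() {          # $@ = VM ids in boot order
  order=1
  run vim-cmd hostsvc/autostartmanager/enable_autostart true
  for vmid in "$@"; do
    run vim-cmd hostsvc/autostartmanager/update_autostartentry "$vmid" \
        PowerOn 60 "$order" systemDefault 60 systemDefault
    order=$((order + 1))
  done
}

# Constructed run for one host: 10=pfSense 11=NFS 12=KVM host 13=CloudStack mgmt.
make_vswitch vSwitchMgmt vmnic1
mgmt_portgroup vSwitchMgmt CS-Mgmt 100
make_vswitch vSwitchGuest vmnic2
nested_kvm_portgroup vSwitchGuest KVM-Uplink 200
autostart_plan 10 11 12 13
```

Review the printed plan, then rerun with DRY_RUN=0 from an ESXi shell on each host; the gateway and NFS VMs must boot before the nested KVM host, which in turn must be up before the CloudStack management VMs.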

Re: Bridge management network

Posted by Robert Navarro <cr...@gmail.com>.
Hello Shanker,

Thanks for the response!

Seems like the biggest concern is storage, and rightly so. I'll actually be
using ceph for storage across all of the nodes with a few replicas dropped
in for good measure.

Since the storage is local to the nodes, if more than a few nodes go out at
the same time there is likely some other, larger failure event going on
(loss of power or something). The chassis is essentially a blade chassis.

IPMI is going to sit on its own dedicated network, so I'll still have an
OOB way to get in, but that costs me money and I'm cheap :)

How would I go about piping the management traffic into a VM? Would this
have to be done manually? I didn't see the option to attach the management
network to an instance.





-- 
Robert Navarro
+1 (530) 868-6237
http://www.crshman.com

Re: Bridge management network

Posted by Shanker Balan <sh...@shapeblue.com>.
Hi Robert,

Comments inline.

On 20-Dec-2013, at 10:53 pm, Robert Navarro <cr...@gmail.com> wrote:

> Hey All,
>
> I realize that this is a highly unusual use case, but here we are.
>
> I have a 2U, 4 node server going to the Colo and I want to use all the
> nodes as VM hosts.
>
> The biggest thing though, I want to firewall off the management network
> using pfSense or some other software firewall VM that also resides on these
> hosts.

Ok.


> Now I figure I can run two KVM VMs on two separate physical hosts outside
> of CloudStack to accomplish this, but I was wondering if there was a way to
> pipe the management network into a CloudStack managed VM so I can take
> advantage of the HA stuff that CloudStack offers.

The CloudStack VM HA features are available only when a shared primary storage
is being used (NFS, iSCSI, FCOE).

Are you planning to use a shared storage service in your CloudStack setup?

> Let me know if you want to know any of the particulars of the networking
> layout and I'd be more than happy to supply the details.

While I have not personally tried what you are attempting, I don’t see
any reason why you can’t do it. I would however be concerned from an operability
point of view - what would happen to your gateway VM:

a) If primary storage is unreachable
b) If primary storage is down for maintenance

I am sure there will be a lot more gotchas along the way which will require
“workarounds”.

From an uptime SLA perspective, I would stick to having a management
network out-of-band from the production network.

Regards.

--
@shankerbalan

M: +91 98860 60539 | O: +91 (80) 67935867
shanker.balan@shapeblue.com | www.shapeblue.com | Twitter:@shapeblue
ShapeBlue Services India LLP, 22nd floor, Unit 2201A, World Trade Centre, Bangalore - 560 055

Need Enterprise Grade Support for Apache CloudStack?
Our CloudStack Infrastructure Support<http://shapeblue.com/cloudstack-infrastructure-support/> offers the best 24/7 SLA for CloudStack Environments.

Apache CloudStack Bootcamp training courses

**NEW!** CloudStack 4.2 training<http://shapeblue.com/cloudstack-training/>
08/09 January 2014, London<http://shapeblue.com/cloudstack-training/>
13-17 January 2014, GLOBAL. Instructor led, On-line<http://shapeblue.com/cloudstack-training/>
20-24 January 2014, GLOBAL. Instructor led, On-line<http://shapeblue.com/cloudstack-training/>
