Bug 1725166

Summary: [RFE] Private VLAN / port isolation
Product: [oVirt] ovirt-engine
Reporter: Dominik Holler <dholler>
Component: BLL.Network
Assignee: Dominik Holler <dholler>
Status: CLOSED CURRENTRELEASE
QA Contact: Michael Burman <mburman>
Severity: unspecified
Docs Contact:
Priority: urgent
Version: ---
CC: bugs, dfodor, gveitmic, mgold, michal.skrivanek, mkalinin, mtessun, pelauter, sbonazzo
Target Milestone: ovirt-4.4.3
Keywords: FutureFeature, PrioBumpPM
Target Release: ---
Flags: pm-rhel: ovirt-4.4+, pm-rhel: ovirt-4.5?, mtessun: planning_ack+, dholler: devel_ack+, mburman: testing_ack+
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: ovirt-engine-4.4.3.6
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Clones: 1848971
Environment:
Last Closed: 2020-11-11 06:41:46 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: Network
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1727263, 1877675
Bug Blocks: 1651467, 1651499, 1839058, 1848971
Attachments: terminal log of the usage of isolated ports on plain libvirt (flags: none)

Description Dominik Holler 2019-06-28 14:52:09 UTC
Created attachment 1585671: terminal log of the usage of isolated ports on plain libvirt

The communication between VMs connected to the same logical network (east-west traffic) should be blocked at port level.
The ports of the VMs can only communicate with an "uplink" port, which will be fixed to the physical network.
This means that the default gateway and the DHCP server have to be connected to the hosts via the physical network.

The limitations of bug 1651499 and bug 1651467 will be resolved, and no additional configuration like in bug 1009608, except a checkbox to enable this feature, should be required.

User interaction and design:
On creating the network, the user can enable this feature for the new network.

Documentation Considerations:
The new property of logical networks has to be added to the doc.

Requirements:
The kernel feature port isolation
https://github.com/torvalds/linux/commit/7d850abd5f4edb1b1ca4b4141a4453305736f564
is available on the hosts.

Out of Scope:
 - Updating the new property of the logical network
 - Configuring port isolation per vNIC or vNIC profile
 - The allowed "uplink", which will be able to communicate with all VMs, is the physical network

Comment 1 Dominik Holler 2019-06-28 19:33:19 UTC
To stretch the isolation for VMs across multiple hosts, the ports of the
physical switch connected to the related hosts NICs must have
Private VLAN / port isolation enabled and hairpin disabled.
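Added example, not code from this bug report or from oVirt/libvirt: a host-side check that reads `bridge -d link show` output and verifies the layout the description and comment 1 call for, namely every VM port on the bridge isolated, only the uplink non-isolated, and hairpin off on the uplink so nothing reflects east-west frames back in. The bridge name `ovirtmgmt`, the device names and the sample output are assumptions (constructed).

```shell
#!/bin/sh
# Added example, not code from the bug report or from oVirt/libvirt.
# check_isolation BRIDGE UPLINK reads `bridge -d link show` output on stdin and
# exits 0 only when every port on BRIDGE other than UPLINK is isolated, UPLINK
# itself is not isolated, and UPLINK has hairpin off. Names are assumptions.
check_isolation() {
    awk -v br="$1" -v uplink="$2" '
        /^[0-9]+:/ {            # port header: "5: vnet0: <...> mtu 1500 master BR state ..."
            dev = $2; sub(/:$/, "", dev); inbr = 0
            for (i = 1; i < NF; i++) if ($i == "master" && $(i + 1) == br) inbr = 1
            next
        }
        inbr {                  # indented flag line that belongs to a port of BRIDGE
            iso = ""; hp = ""
            for (i = 1; i < NF; i++) {
                if ($i == "isolated") iso = $(i + 1)
                if ($i == "hairpin") hp = $(i + 1)
            }
            if (dev == uplink) {
                seen = 1
                if (iso != "off") { print dev ": uplink must not be isolated"; bad++ }
                # a hairpinned uplink reflects east-west frames back into the bridge (see comment 1)
                if (hp != "off") { print dev ": hairpin must be off on the uplink"; bad++ }
            } else if (iso != "on") {
                print dev ": VM port is not isolated"; bad++
            }
        }
        END { if (!seen) { print uplink ": uplink not found on " br; bad++ }; exit (bad > 0) }'
}

# Constructed sample in `bridge -d link show` format (not captured from a real host):
# eno1 is the uplink, vnet0 is isolated as intended, vnet1 was left non-isolated.
BAD_SAMPLE='2: eno1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 master ovirtmgmt state forwarding priority 32 cost 4
    hairpin off guard off root_block off fastleave off learning on flood on isolated off
5: vnet0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 master ovirtmgmt state forwarding priority 32 cost 2
    hairpin off guard off root_block off fastleave off learning on flood on isolated on
6: vnet1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 master ovirtmgmt state forwarding priority 32 cost 2
    hairpin off guard off root_block off fastleave off learning on flood on isolated off'

# The same layout with vnet1 isolated too, as the feature is meant to leave it.
GOOD_SAMPLE=$(printf '%s\n' "$BAD_SAMPLE" | sed '$s/isolated off/isolated on/')

printf '%s\n' "$BAD_SAMPLE" | check_isolation ovirtmgmt eno1 || echo "bad sample rejected (exit 1)"
printf '%s\n' "$GOOD_SAMPLE" | check_isolation ovirtmgmt eno1 && echo "good sample accepted (exit 0)"
```

On a real host the same function is fed with `bridge -d link show | check_isolation ovirtmgmt <uplink>`; a non-zero exit plus the printed port name tells you which port breaks the isolation.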

Comment 2 Michal Skrivanek 2020-03-18 15:43:39 UTC
This bug didn't get any attention for a while; we didn't have the capacity to make any progress. If you deeply care about it or want to work on it, please assign/target accordingly.

Comment 3 Michal Skrivanek 2020-03-18 15:46:54 UTC
This bug didn't get any attention for a while; we didn't have the capacity to make any progress. If you deeply care about it or want to work on it, please assign/target accordingly.

Comment 4 Dominik Holler 2020-03-18 15:54:17 UTC
I would like to see this implemented as soon as an appropriate libvirt is available to RHV.

Comment 5 Dominik Holler 2020-03-23 15:10:05 UTC
This is a long requested feature, even if we have to wait to have an appropriate libvirt version available.

Comment 12 michal 2020-10-13 12:09:12 UTC
michal: verified in build 4.4.3.6-0.13

Comment 13 Sandro Bonazzola 2020-11-11 06:41:46 UTC
This bugzilla is included in the oVirt 4.4.3 release, published on November 10th 2020.

Since the problem described in this bug report should be resolved in the oVirt 4.4.3 release, it has been closed with a resolution of CURRENT RELEASE.

If the solution does not work for you, please open a new bug report.