1725166 – [RFE] Private VLAN / port isolation

Bug 1725166 - [RFE] Private VLAN / port isolation

Summary: [RFE] Private VLAN / port isolation

Keywords:
Status:	CLOSED CURRENTRELEASE
Alias:	None
Product:	ovirt-engine
Classification:	oVirt
Component:	BLL.Network
Sub Component:
Version:	---
Hardware:	Unspecified
OS:	Unspecified
Priority:	urgent
Severity:	unspecified
Target Milestone:	ovirt-4.4.3
Target Release:	---
Assignee:	Dominik Holler
QA Contact:	Michael Burman
Docs Contact:
URL:
Whiteboard:
Depends On:	1727263 1877675
Blocks:	1651467 1651499 1839058 1848971
TreeView+	depends on / blocked

Reported:	2019-06-28 14:52 UTC by Dominik Holler
Modified:	2021-01-08 18:07 UTC (History)
CC List:	9 users (show)
Fixed In Version:	ovirt-engine-4.4.3.6
Clone Of:
Clones:	1848971 (view as bug list)
Environment:
Last Closed:	2020-11-11 06:41:46 UTC
oVirt Team:	Network
Embargoed:
Dependent Products:
Flags:	pm-rhel: ovirt-4.4+ pm-rhel: ovirt-4.5? mtessun: planning_ack+ dholler: devel_ack+ mburman: testing_ack+

Attachments	(Terms of Use)
terminal log of the usage of isolated ports on plain libvirt (7.80 KB, text/plain) 2019-06-28 14:52 UTC, Dominik Holler	no flags	Details
View All

Links
System	ID	Priority	Status	Summary	Last Updated
Github	oVirt ovirt-site pull 2267	None	closed	Add feature page isolated port	2021-01-29 13:42:53 UTC
Red Hat Knowledge Base (Solution)	640003	None	None	None	2020-11-12 07:36:18 UTC
Red Hat Knowledge Base (Solution)	5693301	None	None	None	2021-01-08 18:07:07 UTC
oVirt gerrit	109864	master	MERGED	core: create isolated vNICs	2021-01-29 13:42:50 UTC
oVirt gerrit	111055	master	MERGED	core: Add new attribute portIsolation to network	2021-01-29 13:42:50 UTC
oVirt gerrit	111060	master	MERGED	Add portIsolation attribute to networks	2021-01-29 13:42:50 UTC
oVirt gerrit	111065	master	MERGED	restapi: Add portIsolation attribute to network	2021-01-29 13:42:50 UTC
oVirt gerrit	111082	master	MERGED	core: validate cluster level for port isolation	2021-01-29 13:42:50 UTC
oVirt gerrit	111088	master	MERGED	core: Block changing port isolation attribute	2021-01-29 13:42:50 UTC
oVirt gerrit	111101	master	MERGED	core: portIsolation only on VM networks	2021-01-29 13:43:35 UTC
oVirt gerrit	111107	master	MERGED	webadmin: Add port isolation attribute to network	2021-01-29 13:42:51 UTC
oVirt gerrit	111113	master	MERGED	core: validate switch type for port isolation	2021-01-29 13:43:35 UTC
oVirt gerrit	111204	master	MERGED	core: portIsolation not for external networks	2021-01-29 13:42:52 UTC
oVirt gerrit	111224	master	MERGED	webadmin: Add port isolation attribute to networkview	2021-01-29 13:42:52 UTC
oVirt gerrit	111236	master	MERGED	core: block passthrough for port isolation	2021-01-29 13:42:52 UTC
oVirt gerrit	111256	master	MERGED	webadmin: Default network attachments for port isolation	2021-01-29 13:42:53 UTC
oVirt gerrit	111373	master	MERGED	Upgrade: model 4.4.18, metamodel 1.3.2	2021-01-29 13:43:36 UTC
oVirt gerrit	111661	master	MERGED	virt, net: support isolated port in updateDevice	2021-01-29 13:42:52 UTC

Description Dominik Holler 2019-06-28 14:52:09 UTC

Created attachment 1585671 [details]
terminal log of the usage of isolated ports on plain libvirt

The communication between VMs connected to the same logical network (east-west-traffic) should be blocked on port-level.
The ports of the VMs can only communicate with an "uplink" port, which will be fixed to the physical network.
This means that the default gateway and the DHCP server has to be connected via the physical network to the hosts.

The limitations of bug 1651499 and bug 1651467 will be resolved, and no additional configuration like in bug 1009608, except a checkbox to enable this feature, should be requred.

User interaction and design:
On creating the network, the user can enable this feature for the new network.

Documentation Considerations:
The new property of logical networks has to be added to the doc.

Requirements:
The kernel feature port isolation
https://github.com/torvalds/linux/commit/7d850abd5f4edb1b1ca4b4141a4453305736f564
is available on the hosts.

Out of Scope:
 - Updating of the new property of the logical network
 - Configuring port isolation per vNIC or vNIC profile
 - The allowed "uplink", which will be able to communicate with all VMs, is the physical network

Comment 1 Dominik Holler 2019-06-28 19:33:19 UTC

To stretch the isolation for VMs across multiple hosts, the ports of the
physical switch connected to the related hosts NICs must have
Private VLAN / port isolation enabled and hairpin disabled.

Comment 2 Michal Skrivanek 2020-03-18 15:43:39 UTC

This bug didn't get any attention for a while, we didn't have the capacity to make any progress. If you deeply care about it or want to work on it please assign/target accordingly

Comment 3 Michal Skrivanek 2020-03-18 15:46:54 UTC

This bug didn't get any attention for a while, we didn't have the capacity to make any progress. If you deeply care about it or want to work on it please assign/target accordingly

Comment 4 Dominik Holler 2020-03-18 15:54:17 UTC

I would like to see this implemented as soon as an appropriate libvirt is available to RHV.

Comment 5 Dominik Holler 2020-03-23 15:10:05 UTC

This is a long requested feature, even if we have to wait to have an appropriate libvirt version available.

Comment 12 michal 2020-10-13 12:09:12 UTC

michal: verified in build 4.4.3.6-0.13

Comment 13 Sandro Bonazzola 2020-11-11 06:41:46 UTC

This bugzilla is included in oVirt 4.4.3 release, published on November 10th 2020.

Since the problem described in this bug report should be resolved in oVirt 4.4.3 release, it has been closed with a resolution of CURRENT RELEASE.

If the solution does not work for you, please open a new bug report.

Note You need to log in before you can comment on or make changes to this bug.