Description of problem:
Nested VMs can't communicate over the network since the parent VM is created with a rule that blocks all communication except from its own MAC address. The parent VM should be allowed to communicate using the MAC of any of the nested VMs that it runs, in addition to its own MAC. A VDSM hook must catch creation of the child (nested) VMs and update the filter accordingly.

Version-Release number of selected component (if applicable):

How reproducible:
Always.

Steps to Reproduce:
1. Create parent VM
2. Create nested VM
3. Try to connect from the nested VM

Actual results:
Network connection is blocked.

Expected results:
Network connection should be allowed.

Additional info:
Yes, we know that mac-no-spoofing is not good for in-VM bonding or nested VMs. This is one of the reasons that a user can disable the feature per vNIC. I should have thought of that when you first described the issue to me. I think that it would be a nice feature to have an API for updating the list of acceptable MACs on the fly. In this way a future ovirt-engine-5.2 could communicate with the virt host running its VM prior to their startup, so that traffic from these VMs can flow out of the virt host.
(In reply to comment #1)
> Yes, we know that mac-no-spoofing is not good for in-VM bonding or nested
> VMs. This is one of the reasons that a user can disable the feature per vNIC.

I'm told that despite my smart-alec reasoning above, we do *not* have this as a per-vNIC feature. Too bad.
(In reply to comment #2)
> (In reply to comment #1)
> > Yes, we know that mac-no-spoofing is not good for in-VM bonding or nested
> > VMs. This is one of the reasons that a user can disable the feature per vNIC.
>
> I'm told that despite my smart-alec reasoning above, we do *not* have this
> as a per vNic feature. too bad.

So it sounds like we need a mac-no-spoofing custom property or checkbox, which only admins/special permission can set? In the interim, it sounds like a custom hook which unsets the mac-no-spoofing for hosts running virtual hosts is needed.
(In reply to comment #3)
>
> so sounds like we need a mac-no-spoofing custom property or checkbox, which
> only admins/special permission can set?

Yes - and it should better be per-vNIC.

> in the interim, sounds like a custom hook which unsets the mac-no-spoofing
> for hosts running virtual hosts is needed.

Sounds like a good entry point for Assaf.
As requested, I wrote a hook that disables MAC spoof filtering on a per-VM basis. It should solve the issue with nested VMs being unable to communicate. http://gerrit.ovirt.org/#/c/12833/
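To illustrate what such a before_vm_start hook has to do, here is an added example (not the hook from the gerrit change above, nor vdsm code): it strips the no-mac-spoofing <filterref> from the libvirt domain XML, either VM-wide or only for the vNICs whose MACs are listed. The filter name `vdsm-no-mac-spoofing`, the custom-property name `macspoof`, and the `hooking.read_domxml()`/`write_domxml()` calls in the guarded main are assumptions about the vdsm hook environment; the sample XML is constructed.

```python
import os
import sys
from xml.dom import minidom

# Assumed name of the libvirt nwfilter vdsm attaches to every vNIC.
NO_MAC_SPOOF_FILTER = 'vdsm-no-mac-spoofing'

# Constructed sample domain XML: a parent VM with two filtered vNICs.
SAMPLE_DOMXML = '''<domain type="kvm"><name>parent</name><devices>
<interface type="bridge"><mac address="00:1a:4a:16:01:51"/><source bridge="ovirtmgmt"/><filterref filter="vdsm-no-mac-spoofing"/></interface>
<interface type="bridge"><mac address="00:1a:4a:16:01:52"/><source bridge="ovirtmgmt"/><filterref filter="vdsm-no-mac-spoofing"/></interface>
</devices></domain>'''


def remove_mac_spoof_filter(domxml, filter_name=NO_MAC_SPOOF_FILTER, only_macs=None):
    """Return (new_xml, removed_count) with the anti-spoofing filterref dropped.

    only_macs: optional set of lowercase MAC addresses. When given, only
    interfaces with a matching <mac address=.../> lose the filter (the
    per-vNIC variant); when None, every interface does (the VM-wide variant).
    """
    dom = minidom.parseString(domxml)
    removed = 0
    for iface in dom.getElementsByTagName('interface'):
        if only_macs is not None:
            macs = iface.getElementsByTagName('mac')
            if not macs or macs[0].getAttribute('address').lower() not in only_macs:
                continue  # this vNIC keeps its filter
        # getElementsByTagName returns a snapshot, so removing while iterating is safe
        for ref in iface.getElementsByTagName('filterref'):
            if ref.getAttribute('filter') == filter_name:
                iface.removeChild(ref)
                removed += 1
    return dom.toxml(), removed


if __name__ == '__main__':
    # Hypothetical hook entry point: vdsm exposes the VM custom property
    # 'macspoof' (assumed name) as an environment variable. "true" disables
    # the filter on all vNICs; a comma-separated MAC list restricts it.
    import hooking  # supplied by vdsm on the host only
    value = os.environ.get('macspoof', '')
    if value:
        macs = None if value.lower() == 'true' else {m.strip().lower() for m in value.split(',')}
        xml, n = remove_mac_spoof_filter(hooking.read_domxml().toxml(), only_macs=macs)
        hooking.write_domxml(minidom.parseString(xml))
        sys.stderr.write('macspoof hook: removed %d filterref(s)\n' % n)
```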
Once http://www.ovirt.org/Features/Device_Custom_Properties is implemented, we can easily make the macspoof filter of comment #5 vNIC-specific, add a simple GUI for it, and close the bug.
We merged a hook that does this VM-wide, and another hook that does this per vNIC will be merged soon. The question is: do we want a GUI for this on the engine? If so, someone should be assigned the work so it actually gets done.
As RC is built, moving to ON_QA (hopefully did not catch incorrect bugs when doing this).
Closing as this should be in 3.3 (doing so in bulk, so may be incorrect).