On 5/30/20 3:48 PM, Jp wrote:
> I'm running oVirt + Gluster in HCI config and had similar questions
> as you when building it out.

I think it would be nice to have some (best practice) design guides... but there are so many possibilities for how to build an oVirt cluster... This time I am trying to build a very cheap solution with as much redundancy as is feasible. But of course what is cheap cannot be rock-solid...

>> - single point of failure in this router (not really - just in case
>> oVirt is badly broken and I need to access internal vlans to
>> recover it)
>
> There is no SPOF if you're doing 3x HCI nodes. I regularly put 1 of
> my 3 Nodes into Maintenance or shutdown Gluster and have had no
> SPOFs. Are you only doing a single Node? If so, the point of
> failure is ... that 1 node :)

You are right, I meant a hypothetical situation with a non-functional HE VM, broken Gluster, etc...

>> * have this router as virtual appliance inside oVirt (something
>> like pfSense for example)
>
> I'm running pfSense in hardware still (a Netgate ARM device).
> There's plenty of opinions on Reddit, StackOverflow, etc. about
> running any router in VM. There's several steps you'd need to take
> when I looked into it, and if you set up pfSense's interfaces as
> virtio / vhost I'd imagine you'd bump into limitations b/c those para
> devices weren't intended to do things like hardware offload, advanced
> routing, etc.; so you may have to set up PCI passthru / SR-IOV to get
> all of pfSense's routing capabilities. So I'm keeping pfSense in
> hardware ... though I've thought of creating a backup pfSense
> instance in VM in case of hardware disaster to keep my Internet up in
> "limp mode" ... but creating a cellular Hotspot is my current backup
> plan :)

Thanks for sharing your experience. I will try to keep my topology as simple as possible at the start. A pfSense appliance is something I can add later.

>> Install all hosts and HE with public addresses
>
> Why? The HE is a manager to the cluster and sits on the management
> network (ovirtmgmt), so giving it public IPs would be adding a
> security risk to the setup. I keep my HE accessible only via local
> VLAN and that's how most folks lock it down. Are you thinking the HE
> or HCI includes a load balancer? Either way, oVirt doesn't, but
> putting a load balancer in front of VMs and giving it your public IP
> would make more sense for exposing things to the Internet ... but I'm
> assuming too much and don't know what your cluster will be running.

Just to be sure I can access it in case of disaster recovery. But it is overkill and of course a security risk. My problem is that I have no other access to my housing other than through public IPs. No problem, I will add a dedicated router which will act as gw for local VLANs, NAT and VPN gw, and will keep the oVirt hosts inside on private space.

Once more, thanks for brainstorming :-)

Cheers,

Jiri

> _______________________________________________
> Users mailing list -- users@ovirt.org
> To unsubscribe send an email to users-le...@ovirt.org
> Privacy Statement: https://www.ovirt.org/privacy-policy.html
> oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/
> List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/BCV75LWZ6KTBTP23OIEYIQOMH42RDO3I/