Using an isolated spice display network in RHEV
Environment
- Red Hat Enterprise Virtualization (RHEV) 3.0, 3.1
Issue
- When a network other than the "rhevm" network is set as the display network, client machines cannot connect to Spice consoles.
Resolution
Note: On RHEV 3.1, with vdsm-4.10.2-1.13 or earlier, launching a Spice console may fail while using a non-VM network as the display network. If you are troubleshooting an issue which is not related to using a non-VM network, then proceed with the following solution.
Clients require direct access to the display network IP on the host for the Spice connection to work. If client access to the default gateway is blocked and the host has no information to route to clients through another gateway, the connection will fail.
The solution is to either: (1) add a routing rule or (2) change the default gateway to the display network.
Solution 1: Routing
Add an iproute2 routing table, rule and routes for the display network:
# vi /etc/iproute2/rt_tables
255 local
254 main
253 default
0 unspec
70 spice
# vi /etc/sysconfig/network-scripts/rule-spice
from x.x.x.x/x table spice
# vi /etc/sysconfig/network-scripts/route-spice
default via x.x.x.x table spice
x.x.x.x/x dev spice table spice
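The three files from Solution 1, rendered for one display network, as an added example (not Red Hat's code). It assumes the display network device is named spice as in the files above, that the rule matches on the display subnet, and it uses constructed 192.0.2.0/24 addresses; output goes to a scratch directory instead of /etc.

```shell
#!/bin/sh
# Added example: generate rt_tables entry, rule-spice and route-spice.
# Functions use ( ) bodies so their variables stay local in plain POSIX sh.

ip2int() (   # dotted quad -> integer
    IFS=.; set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

int2ip() {   # integer -> dotted quad
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

network_of() (   # 192.0.2.77/26 -> 192.0.2.64/26
    addr=${1%/*}; prefix=${1#*/}
    mask=$(( (0xFFFFFFFF << (32 - $prefix)) & 0xFFFFFFFF ))
    echo "$(int2ip $(( $(ip2int "$addr") & $mask )))/$prefix"
)

ensure_table() {   # ensure_table FILE: add "70 spice" once, never twice
    grep -Eq '^70[[:space:]]+spice$' "$1" 2>/dev/null || echo '70 spice' >> "$1"
}

# render_spice_policy DIR DEVICE HOST_CIDR GATEWAY
render_spice_policy() (
    dir=$1; dev=$2; cidr=$3; gw=$4
    net=$(network_of "$cidr")
    # A gateway outside the display subnet would leave table spice with an
    # unreachable default route, so replies to clients would still be lost.
    [ "$(network_of "$gw/${cidr#*/}")" = "$net" ] || {
        echo "gateway $gw is not inside $net" >&2; exit 1; }
    printf 'from %s table spice\n' "$net" > "$dir/rule-$dev"
    printf 'default via %s table spice\n%s dev %s table spice\n' \
        "$gw" "$net" "$dev" > "$dir/route-$dev"
)

# Demo with constructed values, written to a scratch directory.
out=$(mktemp -d)
ensure_table "$out/rt_tables"
render_spice_policy "$out" spice 192.0.2.10/24 192.0.2.1
cat "$out/rt_tables" "$out/rule-spice" "$out/route-spice"
```

After the generated files are reviewed and copied into place, `ip rule show` and `ip route show table spice` on the host confirm that the rule and routes were loaded.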
Solution 2: Change the default gateway
This method, adding the default gateway via the display network, cannot be done via RHEV-M since it allows a default gateway to be configured via the rhevm network only. To configure a default gateway via the display network, edit /etc/sysconfig/network and add GATEWAY=(gateway ip from display network).
Root Cause
- By default, the default gateway in RHEV is linked to the "rhevm" network.
- A Request for Feature Enhancement (RFE) has been opened to allow multiple network gateways to be used. This request is being tracked in a private Red Hat Bug #618636. For more information on this bug, open a case with Red Hat Support.
Diagnostic Steps
- Install RHEV-H (or a RHEL-based host)
- Configure the network (default rhevm)
- Add a display network VLAN to the cluster
- Assign an IP from the display network to the host
- Block access to the rhevm network from the client (firewall, ACL etc)
- Try to use Spice outside the rhevm network or try to ping host display IP from the client machine (the ping should fail).
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.