Using an isolated spice display network in RHEV

Solution Verified - Updated -

Environment

  • Red Hat Enterprise Virtualization (RHEV) 3.0, 3.1

Issue

  • When a network other than the "rhevm" network is set as the display network, client machines cannot connect to Spice consoles.

Resolution

Note: On RHEV 3.1, with vdsm-4.10.2-1.13 or earlier, launching a Spice console may fail while using a non-VM network as the display network. If you are troubleshooting an issue which is not related using a non-VM network, then proceed with the following solution.

Clients require direct access to the display network IP on the host for the Spice connection to work. If client access to the default gateway is blocked and it has no information to route to clients through another gateway, the connection will fail.

The solution is to either: (1) add a routing rule or (2) change the default gateway to the display network.

Solution 1: Routing

Add iproute2 rule for the display network:

    # vi /etc/iproute2/rt_tables 

    255 local
    254 main
    253 default
    0   unspec
    70  spice

    # vi /etc/sysconfig/network-scripts/rule-spice 
    from x.x.x.x/x table spice

    # vi /etc/sysconfig/network-scripts/route-spice 
    default via x.x.x.x table spice
    x.x.x.x/x dev spice table spice

Solution 2: Change the default gateway

This method, adding the default gateway via the display network, cannot be done via RHEV_M since it allows a default gateway to be configured via rhevm network only. To configure a default gateway via display network, edit /etc/sysconfig/network and add GATEWAY=(gateway ip from display network).

Root Cause

  • By default, the default gateway in RHEV is linked to the "rhevm" network.
  • A Request for Feature Enhancement (RFE) has been opened to allow multiple network gateways to be used. This request is being tracked in a private Red Hat Bug #618636. For more information on this bug, open a case with Red Hat Support.

Diagnostic Steps

  1. Install RHEV-H (or a RHEL-based host)
  2. Configure the network (default rhevm)
  3. Add a display network VLAN to the cluster
  4. Assign an IP from the display network to the host
  5. Block access to the rhevm network from the client (firewall, ACL etc)
  6. Try to use Spice outside the rhevm network or try to ping host display IP from the client machine (the ping should fail).

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.

Comments