oVirt Blog

Security group support in OVN external networks

In this post I will introduce and showcase how security groups can be used to enable certain scenarios.
Security groups allow fine-grained access control to – and from – the oVirt VMs attached to external OVN networks.
The Networking API v2 defines security groups as a white list of rules – the user specifies in it which traffic is allowed. That means that when the rule list is empty, neither incoming nor outgoing traffic is allowed (from the VM's perspective).
A demo recording of the security group feature can be found below.

Federate oVirt engine authentication to OpenID Connect infrastructure

In this post I will introduce how to integrate OIDC with oVirt engine using Keycloak and LDAP user federation.

Prerequisites: I assume you have already set up the 389ds directory server, but the solution is very similar for any other LDAP provider.
As OIDC is not integrated into oVirt directly, we use Apache to do the OIDC authentication for us. The mod_auth_openidc module nicely covers all needed functionality.


Integrate with external OpenID Connect Identity Provider (IDP) to provide Single Sign-On (SSO) across products that use the IDP for authenticating users. We currently have oVirt SSO for providing unified […]

oVirt and OKD

This is a series of posts to demonstrate how to install OKD 3.11 on oVirt and what you can do with it.

Part I – How to install OKD 3.11 on oVirt

How to install OKD 3.11 on oVirt (4.2 and up)

Installing OKD or Kubernetes on oVirt has many advantages, and it’s also gotten a lot easier these days. Admins and users who want to take container platform management for a spin, on oVirt, will be encouraged by this.

A few of the advantages are:

Virtualizing the control plane for Kubernetes – provide HA/backup/affinity capabilities to the controllers and allowing […]

oVirt SAML with Keycloak using 389ds user federation

In this post I will introduce how simple it is to integrate SAML with oVirt using Keycloak and LDAP user federation.

Prerequisites: I assume you have already set up the 389ds directory server, but the solution is very similar for any other LDAP provider.
As SAML is not integrated into oVirt directly, we use Apache to do the SAML authentication for us. The mod_auth_mellon module nicely covers all needed functionality.

mod_auth_mellon configuration
First we need to configure oVirt’s Apache. SSH to the oVirt engine and create a directory where we’ll store all SAML-related certificates.

ssh root@engine
yum […]

Skydive With oVirt

Skydive network is an open source real-time network topology and protocols analyzer providing a comprehensive way of understanding what is happening in your network infrastructure.
Common use cases include troubleshooting, monitoring, SDN integration and much more.
It has features such as:

Topology capturing – Captures network topology, interface, bridge and more
Flow capture – Distributed probe, L2-L4 classifier, GRE, VXLAN, GENEVE, MPLS/GRE, MPLS/UDP tunnelling support
Extendable – Support for external SDN Controllers or container based infrastructure, OpenStack. Supports extensions through API

Benefit to oVirt users
Skydive allows oVirt administrators to see the network […]

Upgraded DPDK support in oVirt

DPDK (Data Plane Development Kit) is a set of open-source high-performance packet processing libraries and user space drivers.

oVirt support for DPDK was introduced in 2017, and is now enhanced in terms of deployment via Ansible and usage via Open Virtual Network.

While still experimental, OVN-DPDK in oVirt is now available in version 4.2.

What’s new?

Ansible DPDK host setup

Host configuration for DPDK usage is now automated using Ansible. This primarily includes:

Hugepages configuration – hugepage size and quantity in the kernel.
CPU partitioning.
Binding NICs to userspace drivers. […]

Build oVirt Reports Using Grafana

Grafana, the open platform for beautiful analytics and monitoring,
recently added support for PostgreSQL.

It is now possible to connect Grafana to oVirt DWH,
in order to visualize and monitor the oVirt environment.

Grafana dashboard example

Adding a Read-Only User to the History Database

You may want to add a read-only user to connect to the history database:

Note: In oVirt 4.2 we ship postgres 9.5 through the Software Collection.

In order to run psql you will need to run:

# su - postgres
$ scl enable rh-postgresql95 -- psql ovirt_engine_history

Your Container Volumes Served By oVirt

Note: < 5 minutes read

When running a virtualization workload on oVirt, a VM disk is ‘natively’ a disk somewhere on your network-storage.
Entering the container world, on Kubernetes (k8s) or OpenShift, there are many options, specifically because the workload can be totally stateless, i.e. they are stored on a host-supplied disk and can be removed when the container is terminated. The more interesting case is stateful workloads, i.e. apps that persist data (think DBs, web servers/services, etc). k8s/OpenShift designed an API to dynamically provision the container storage (volume in k8s terminology).

See the resources section for more details. […]

Up and Running with oVirt 4.2 and Gluster Storage

In December, the oVirt Project shipped version 4.2 of its open source virtualization management system. With a new release comes an update to this howto for running oVirt together with Gluster storage using a trio of servers to provide for the system’s virtualization and storage needs, in a configuration that allows you to take one of the three hosts down at a time without disrupting your running VMs.

If you’re looking instead for a simpler, single-machine option for trying out oVirt, your best bet is the oVirt Live ISO page. This is a LiveCD image that you can burn […]

oVirt 4.2.2 web admin UI browser bookmarks

oVirt web admin UI now allows the user to bookmark all entities and searches using their browser.

Synchronizing URL with application state

Whenever you select a detail view in the application, the browser URL is now updated to match the selected entity. For instance, if you have a VM named MyVM and you click on the name to see the details, the URL of the browser will go to #vms-general;name=MyVM. If you switch to, let's say, the network interfaces tab, the URL in your browser will switch to #vms-network_interfaces;name=MyVM. Changing entity or changing location will keep the […]