[libvirt] default networking issues

Need some help about where to look next. I am running a Fedora 9 machine, up to date on the released rpms. SELinux is permissive, iptables is stopped. I have followed the instructions for NAT forwarding [1]. When I launch a guest in virt manager it uses the default network, and is assigned an IP address in the 192.168.122 space. It can do dns resolution, but cannot wget a known website (www.cnn.com). From my host machine, I can ssh into the guest.
Where is the next place I should look? Is the fact that I am running in a corporate network causing me issues?
Thanks!
-- bk
[1] http://wiki.libvirt.org/page/Networking#NAT_forwarding_.28aka_.22virtual_net...

Bryan Kearney wrote:
Need some help about where to look next. I am running a Fedora 9 machine, up to date on the released rpms. SELinux is permissive, iptables is stopped. I have followed the instructions for NAT forwarding [1]. When I launch a guest in virt manager it uses the default network, and is assigned an IP address in the 192.168.122 space. It can do dns resolution, but cannot wget a known website (www.cnn.com). From my host machine, I can ssh into the guest.
Where is the next place I should look? Is the fact that I am running in a corporate network causing me issues?
Thanks!
-- bk
I've actually had similar issues with this. I would kick off an http install, it would get to anaconda, pull down a kickstart, and when it would start to pull the install kernel it would get nowhere. tcpdumping virbr0 would show that about every 5-10 seconds there would be some communication with the server, but no apparent progress.
However this is only on my lenovo t61, tried both f8 and f9 host. The same exact workflow on multiple other boxes worked fine, all machines (laptop included) using wired networking. Tried with f8, f9, and rhel5 guests. So maybe it's hardware specific?
I eventually just switched to bridged networking :/
- Cole

Cole Robinson wrote:
Bryan Kearney wrote:
Need some help about where to look next. I am running a Fedora 9 machine, up to date on the released rpms. SELinux is permissive, iptables is stopped. I have followed the instructions for NAT forwarding [1]. When I launch a guest in virt manager it uses the default network, and is assigned an IP address in the 192.168.122 space. It can do dns resolution, but cannot wget a known website (www.cnn.com). From my host machine, I can ssh into the guest.
Where is the next place I should look? Is the fact that I am running in a corporate network causing me issues?
Thanks!
-- bk
I've actually had similar issues with this. I would kick off an http install, it would get to anaconda, pull down a kickstart, and when it would start to pull the install kernel it would get nowhere. tcpdumping virbr0 would show that about every 5-10 seconds there would be some communication with the server, but no apparent progress.
However this is only on my lenovo t61, tried both f8 and f9 host. The same exact workflow on multiple other boxes worked fine, all machines (laptop included) using wired networking. Tried with f8, f9, and rhel5 guests. So maybe it's hardware specific?
I eventually just switched to bridged networking :/
I think this is the voodoo.
1) Add the following lines to /etc/sysconfig/iptables in the OUTPUT chain of the *filter table:
--insert FORWARD --destination 192.168.122.0/255.255.255.0 --out-interface virbr0 --match state --state ESTABLISHED,RELATED --jump ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
2) Restart iptables
3) Restart libvirtd
By doing (1), future reboots seem to work. But not doing (3) causes it to appear not to work. Do any of the virt tools do (1) magically for you?
-- bk

On Wed, Jul 30, 2008 at 03:44:33PM -0400, Bryan Kearney wrote:
I think this is the voodoo.
1) Add the following lines to /etc/sysconfig/iptables in the OUTPUT chain of the *filter table:
No, no, no no.
--insert FORWARD --destination 192.168.122.0/255.255.255.0 --out-interface virbr0 --match state --state ESTABLISHED,RELATED --jump ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
2) Restart iptables
Don't do this.
3) Restart libvirtd
Don't do this.
By doing (1), future reboots seem to work. But not doing (3) causes it to appear not to work. Do any of the virt tools do (1) magically for you?
The libvirt default networking capability will automatically set up the correct iptables rules to allow outbound NAT-based connectivity for guest VMs. If this wasn't working there are two likely causes:
- You run 'service iptables stop' which blew away the rules libvirt added
- The 'net.ipv4.ip_forward' sysctl has been reset to 0
For the first problem you can do 'service libvirt reload' and it'll re-create its iptables rules. For the second problem edit /etc/sysctl.conf to make sure it's set to '1' and reload the sysctl settings.
Daniel
--
|: Red Hat, Engineering, London -o- http://people.redhat.com/berrange/ :|
|: http://libvirt.org -o- http://virt-manager.org -o- http://ovirt.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: GnuPG: 7D3B9505 -o- F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|
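The two failure causes Daniel lists (the libvirt rules flushed by 'service iptables stop', and ip_forward reset to 0) are both checkable without touching the firewall. The script below is an added example and is not code from the thread or from libvirt: it reads iptables-save output and the ip_forward sysctl value, reports which of the two conditions is broken, and echoes the remediation from the thread. The three rule patterns it looks for (a MASQUERADE rule for 192.168.122.0/24 in the nat table, and the two FORWARD ACCEPT rules for virbr0 in the filter table) are my assumption of what libvirt installs for the default network; compare against iptables-save on your own version. The sample iptables-save excerpts are constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example (not from the thread): read-only check for the two causes
# Daniel names when the libvirt default NAT network stops working.
# Rule patterns below are an assumption of what libvirt installs; verify
# against 'iptables-save' on your own libvirt version.

NET="192.168.122.0/24"
BRIDGE="virbr0"

# check_ip_forward VALUE: succeeds when the sysctl value means forwarding is on.
check_ip_forward() {
    [ "$1" = "1" ]
}

# count_libvirt_rules: reads iptables-save text on stdin and prints how many
# of the three rules needed for outbound NAT are present (0..3).
count_libvirt_rules() {
    rules=$(cat)
    n=0
    # nat table: masquerade guest traffic leaving for the outside world
    if printf '%s\n' "$rules" | grep -q -- "-A POSTROUTING -s $NET .*-j MASQUERADE"; then n=$((n+1)); fi
    # filter table: let replies back in to the guest network
    if printf '%s\n' "$rules" | grep -q -- "-A FORWARD -d $NET -o $BRIDGE .*-j ACCEPT"; then n=$((n+1)); fi
    # filter table: let guests initiate outbound connections
    if printf '%s\n' "$rules" | grep -q -- "-A FORWARD -s $NET -i $BRIDGE -j ACCEPT"; then n=$((n+1)); fi
    echo "$n"
}

# diagnose IP_FORWARD_VALUE < iptables-save-output
# Prints the fix from the thread for each broken condition; returns 0 only
# when both conditions look fine.
diagnose() {
    fwd="$1"
    ok=0
    if ! check_ip_forward "$fwd"; then
        echo "net.ipv4.ip_forward is '$fwd': set it to 1 in /etc/sysctl.conf and reload the sysctl settings"
        ok=1
    fi
    found=$(count_libvirt_rules)
    if [ "$found" -lt 3 ]; then
        echo "only $found of 3 libvirt NAT rules present (did 'service iptables stop' flush them?): reload libvirtd so it re-creates its rules"
        ok=1
    fi
    return $ok
}

# diagnose_live: the same check against the running host (needs root for
# iptables-save). Not called below so the script also runs on a non-libvirt box.
diagnose_live() {
    iptables-save | diagnose "$(cat /proc/sys/net/ipv4/ip_forward)"
}

# Constructed iptables-save excerpt for a healthy host (not captured from a real system).
GOOD_RULES='*nat
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
COMMIT
*filter
-A FORWARD -d 192.168.122.0/24 -o virbr0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
COMMIT'

# Constructed excerpt after "service iptables stop" and a distro default reload:
# the libvirt rules are gone.
FLUSHED_RULES='*filter
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT'

printf '%s\n' "$GOOD_RULES" | diagnose 1 && echo "healthy sample: OK"
printf '%s\n' "$FLUSHED_RULES" | diagnose 0 || echo "flushed sample: problems found (as expected)"
```

On a real host run `diagnose_live` as root; the script deliberately only reads state, so it is safe to run repeatedly while investigating, and the remediation it prints is the one Daniel gives rather than hand-editing /etc/sysconfig/iptables.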

On Thu, 2008-07-31 at 09:55 +0100, Daniel P. Berrange wrote:
The libvirt default networking capability will automatically setup the correct iptables rules to allow outbound NAT based connectivity for guest VMs. If this wasn't working there are two likely causes:
- You run 'service iptables stop' which blew away the rules libvirt added
This is a terrible situation; it will be a big surprise to many sysadmins and lead to lots of confusion - is this only temporary until iptables/lokkit has facilities for cleaner addition of persistent firewall rules ? David

On Mon, 2008-08-04 at 14:28 -0700, David Lutterkort wrote:
On Thu, 2008-07-31 at 09:55 +0100, Daniel P. Berrange wrote:
The libvirt default networking capability will automatically setup the correct iptables rules to allow outbound NAT based connectivity for guest VMs. If this wasn't working there are two likely causes:
- You run 'service iptables stop' which blew away the rules libvirt added
This is a terrible situation; it will be a big surprise to many sysadmins and lead to lots of confusion
Agreed.
- is this only temporary until iptables/lokkit has facilities for cleaner addition of persistent firewall rules ?
There's no huge technical issue here AFAICS. We just need a hook for libvirt to persistently register its rules with iptables.
The main objection seems to be the old "how do you prevent different sets of rules from conflicting" chestnut. I don't see that being a serious issue in practice - there are all sorts of other global namespaces that apps manage to share effectively.
Feel free to take a look at this; I lose motivation for fixing this every time I go back and discuss it with the maintainer: https://bugzilla.redhat.com/227011
The truly depressing aspect of all this is that any fix we come up with would be Fedora specific anyway - e.g. /etc/sysconfig/iptables.d
Cheers,
Mark.