I have noticed that you can't have multiple separate NAT style libvirt
networks defined with the same private IP blocks.
For example I have this default network:
<network>
<name>default</name>
<uuid>13baf167-02ff-4312-928c-b82ed4df5785</uuid>
<forward mode='nat'>
<nat>
<port start='1024' end='65535'/>
</nat>
</forward>
<bridge name='virbr1' stp='on' delay='0'/>
<mac address='52:54:00:9c:8f:7c'/>
<ip address='192.168.122.1' netmask='255.255.255.0'>
<dhcp>
<range start='192.168.122.2' end='192.168.122.25'/>
</dhcp>
</ip>
</network>
I can't define another nat network that uses the same IP address range. I
assume this is an implementation limit because of how the iptables rules
are written/work for doing the NAT.
I'd like to have 10 networks with the same default IP address, attached to
10 vms that all run off the same read-only image. I know that I could use
different ranges and then have my vms use dhcp, and or a few other similar
ways. I'm limited by the virtual image I want to run (close source OS,
licensed-and-IP-locked software - I have plenty of licences for
instances).
I'd love to replace my 10 instances all with their own IPs on a public
bridge with 10 NAT'd instances all using the same IP each on their own
little network world - so I'd make a separate bridge for each, but of
course it doesn't work.
I have a proof-of-concept setup where I use a routed private network + nat
with the application vm and a small linux vm in pairs. The linux vms have
a public IP, and a private bridge with a fixed ip to be the default route
of the app vm. Then the app vm can have a fixed ip, route to a fixed
default route, and get natted to whatever it's buddy router vm's public IP
is. This works - but then I have 20 vms instead of 10. They are small and
dont use much cpu, but they use ram... which is somewhat constraining. And
I have to maintain a router image. I'm going to settle for this setup If I
have to, but I'd rather not.
So I had the bright idea of somehow routing/natting each vm through a
network namespace. I could perhaps avoid having to have a whole separate
linux instance just to get a copy of the network stack to do nat with. I'm
kind of struggling to see how I'd could have each libvirt vm run in it's
own namespace. I don't think it is possible actually. But perhaps I could
use an extra set of IPs and an extra bridge/veth-pair to work some kind of
magic.
Anyone out there doing something like this? Can you help me wrap my head
around how to mix libvirt kvm VMs and network namespaces?
Is there some other simpler way to achieve what I want?
Thanks.
Fred Clift
fred(a)clift.org
Show replies by date