6:13 a.m.
Hello,
I want to do some testing and I have removed two VM's from the bridge
what connects them to internet, and added them to another isolated
bridge what's not connected to internet. Problem is that I cannot reach
the other host in the isolated network.
Something like this:
virsh shutdown kvm66
virsh shutdown kvm68
brctl delif br0 vnet10 vnet6 # the interfaces of kvm66 and kvm68
brctl addbr br1
brctl addif br1 vnet10 vnet6
Then I've replaced br0 to br1 in the XML of both VM's with "virsh
edit".
Then I did start the VM's using the serial console (no network):
virsh start --console kvm66
virsh start --console kvm68
I cannot ping from one machine to the other. Why??
With regards,
Paul
--
Paul van der Vlis Linux systeembeheer Groningen
https://www.vandervlis.nl/
12:34 p.m.
On 9/9/20 7:13 AM, Paul van der Vlis wrote:
Hello,
I want to do some testing and I have removed two VM's from the bridge
what connects them to internet, and added them to another isolated
bridge what's not connected to internet. Problem is that I cannot reach
the other host in the isolated network.
Something like this:
virsh shutdown kvm66
virsh shutdown kvm68
brctl delif br0 vnet10 vnet6 # the interfaces of kvm66 and kvm68
brctl addbr br1
brctl addif br1 vnet10 vnet6
The delif and addif commands won't do anything if the guests are not
running (you've done "virsh shutdown", but that will either take some
time, or never be honored (depending on how the guest OS deals with
ACPI, I think)
Then I've replaced br0 to br1 in the XML of both VM's with "virsh
edit".
Just be certain that each guest is either completely inactive (doesn't
show up in the output of "virsh list" when you edit, or at some point
after you've edited it (i.e. there must be a complete "virtual
powercycle" of the guest for the changes to take effect).
Then I did start the VM's using the serial console (no network):
virsh start --console kvm66
virsh start --console kvm68
I cannot ping from one machine to the other. Why??
I guess you're using <interface type='bridge'> ... right?
Since the bridge devices were created and are managed outside libvirt's
control, you need to do more than just create a bridge to get the
connected guests talking to each other. In particular, if the guests are
getting their IP addresses from DHCP, then you need to assign an IP
address to the bridge device, and run a DHCP server that is listening on
the bridge. (I'm curious what you used as the argument of the ping
command, if the guests didn't have an IP address...)
(Aside from that, a bridge created with brctl will disappear when the
host is rebooted, and not be recreated until you again enter the commands.)
If you want a simple way to create a bridge, start a dnmasq instance to
serve DHCP, and add iptables rules to prevent the guests from breaking
out of the isolated bridge, *and* as a bonus *re*create all of that
every time you reboot the host, you can create an isolated libvirt
virtual network, with a config file like the one here:
https://libvirt.org/formatnetwork.html#examplesPrivate
(editing to your taste for bridge name and IPv4 and IPv6 addresses). Put
that in a file (e.g. net.xml) and run (as root) "virsh net-define
net.xml; virsh net-start private; virsh net-autostart private".
Then define your guest interfaces with this:
<interface type='network'>
<source network='private'/>
...
</interface>
5:14 p.m.
Op 09-09-2020 om 19:34 schreef Laine Stump:
On 9/9/20 7:13 AM, Paul van der Vlis wrote:
> Hello,
>
> I want to do some testing and I have removed two VM's from the bridge
> what connects them to internet, and added them to another isolated
> bridge what's not connected to internet. Problem is that I cannot reach
> the other host in the isolated network.
>
> Something like this:
>
> virsh shutdown kvm66
> virsh shutdown kvm68
>
> brctl delif br0 vnet10 vnet6 # the interfaces of kvm66 and kvm68
> brctl addbr br1
> brctl addif br1 vnet10 vnet6
The delif and addif commands won't do anything if the guests are not
running (you've done "virsh shutdown", but that will either take some
time, or never be honored (depending on how the guest OS deals with
ACPI, I think)
When I do "brctl show br1" then I see everything nice connected:
root@kvms12:~# brctl show br1
bridge name bridge id STP enabled interfaces
br1 8000.fe54000a90f3 no vnet10
vnet6
root@kvms12:~#
> Then I've replaced br0 to br1 in the XML of both VM's
with "virsh edit".
Just be certain that each guest is either completely inactive (doesn't
show up in the output of "virsh list" when you edit, or at some point
after you've edited it (i.e. there must be a complete "virtual
powercycle" of the guest for the changes to take effect).
What I do then is stop the guest. And start it. Then the new
configuration is used.
> Then I did start the VM's using the serial console (no
network):
> virsh start --console kvm66
> virsh start --console kvm68
>
> I cannot ping from one machine to the other. Why??
I guess you're using <interface type='bridge'> ... right?
Yes.
Since the bridge devices were created and are managed outside
libvirt's
control, you need to do more than just create a bridge to get the
connected guests talking to each other. In particular, if the guests are
getting their IP addresses from DHCP, then you need to assign an IP
address to the bridge device, and run a DHCP server that is listening on
the bridge. (I'm curious what you used as the argument of the ping
command, if the guests didn't have an IP address...)
I am using a fixed network configuration. This are servers.
(Aside from that, a bridge created with brctl will disappear when
the
host is rebooted, and not be recreated until you again enter the commands.)
This machine is not often rebooted, and I know how to make a bridge
permanent.
If you want a simple way to create a bridge, start a dnmasq instance
to
serve DHCP,
I don't want DHCP.
and add iptables rules to prevent the guests from breaking
out of the isolated bridge, *and* as a bonus *re*create all of that
every time you reboot the host, you can create an isolated libvirt
virtual network, with a config file like the one here:
https://libvirt.org/formatnetwork.html#examplesPrivate
Interesting that "omission of the forward element".
Not sure, is a "virbr" the same as what's normal a "br" ?
(editing to your taste for bridge name and IPv4 and IPv6 addresses).
Put
that in a file (e.g. net.xml) and run (as root) "virsh net-define
net.xml; virsh net-start private; virsh net-autostart private".
Then define your guest interfaces with this:
<interface type='network'>
<source network='private'/>
...
</interface>
Thanks for your information, I will look at it.
But I still wonder why my setup with good-old brctl what I use for years
now in production does not work in an isolated network.
With regards,
Paul
--
Paul van der Vlis Linux systeembeheer Groningen
https://www.vandervlis.nl/
3:24 a.m.
New subject: relation between "virbr0" / "virbr0-nic" network interfaces
I am trying to understand KVM networking a little better and have noted
that the "virbr0" network interface (the default KVM bridge) comes with
another device named "virbr0-nic".
The same kind of pair comes with each new bridge you may create via the
"virtual machine manager" (and assumingly other KVM tools alike)
Like "virbr1" comes in a pair with "virbr1-nic" (the *-nic interface
is
being created automatically (and I assume will disapear automatically if
you remove the parent interface)
Can anybody kindly explain how these pairs are related to each other
and/or work together?
thanks ... Gunnar
5:20 a.m.
New subject: relation between "virbr0" / "virbr0-nic" network interfaces
On Fri, Jan 01, 2021 at 10:24:41AM +0100, vrms wrote:
I am trying to understand KVM networking a little better and have
noted
that the "virbr0" network interface (the default KVM bridge) comes with
another device named "virbr0-nic".
The same kind of pair comes with each new bridge you may create via the
"virtual machine manager" (and assumingly other KVM tools alike)
Like "virbr1" comes in a pair with "virbr1-nic" (the *-nic interface
is
being created automatically (and I assume will disapear automatically if
you remove the parent interface)
Can anybody kindly explain how these pairs are related to each other
and/or work together?
The "$FOO-nic" device is a tap device created as a hack to force a
stable MAC address on the main bridge device due to bad kernel impl
of bridge device MAC address assignment.
We stopped creating the "$FOO-nic" device in libvirt 6.8.0 since the
kernel was long ago fixed.
Regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
11:40 a.m.
New subject: relation between "virbr0" / "virbr0-nic" network interfaces
ok, thanks for the explainer.
On 04.01.21 12:20, Daniel P. Berrangé wrote:
On Fri, Jan 01, 2021 at 10:24:41AM +0100, vrms wrote:
> I am trying to understand KVM networking a little better and have noted
> that the "virbr0" network interface (the default KVM bridge) comes with
> another device named "virbr0-nic".
> The same kind of pair comes with each new bridge you may create via the
> "virtual machine manager" (and assumingly other KVM tools alike)
> Like "virbr1" comes in a pair with "virbr1-nic" (the *-nic
interface is
> being created automatically (and I assume will disapear automatically if
> you remove the parent interface)
>
> Can anybody kindly explain how these pairs are related to each other
> and/or work together?
The "$FOO-nic" device is a tap device created as a hack to force a
stable MAC address on the main bridge device due to bad kernel impl
of bridge device MAC address assignment.
We stopped creating the "$FOO-nic" device in libvirt 6.8.0 since the
kernel was long ago fixed.
Regards,
Daniel
1418
days inactive
1535
days old
5 comments
4 participants
participants (4)
-
Daniel P. Berrangé -
Laine Stump -
Paul van der Vlis -
vrms