[libvirt-users] Isolated networks && test lab

I'm trying to migrate my VirtualBox test lab to KVM. In my VB configuration, I have several VM routers with 4 interfaces each. Each router has a bridged interface which connects them all together and to the outside world. I have servers/clients dispersed on each of the other private (Isolated) segments that use the routers as default gateways.

In trying to make this work, I used Virtual Machine Manager to define 3x Virtual Networks (Isolated networks) and created a VM router which has 3 interfaces (192.168.x.1) on each Isolated network and a 4th interface using the br0 interface to get to the outside world. The router is able to connect to the outside world.

Using Virtual Machine Manager, I also created a "client" VM and connected its single interface to one of the Isolated networks. While testing connectivity of the "client" VM to the router, it seems to go straight to the Host (tested using 'ssh 192.168.x.1'.) I'm trying to isolate the networks from the Host and have the router receive packets for the 192.168.x.1 address on the individual Isolated network segments.

Host:
br0 (em1): 192.168.1.16
vibr0 (default): 192.168.122.1
virbr1: 192.168.2.1
virbr2: 192.168.3.1
virbr3: 192.168.4.1

VM router:
eth0: 192.168.1.10
eth1: 192.168.2.1
eth2: 192.168.3.1
eth3: 192.168.4.1

VM client:
eth0: 192.168.3.101

Is there some trick to isolate the Host from the VMs? Is there a comprehensive guide that explains how the networks should be set up (with/without Virtual Machine Manager)? I'm not afraid to get my hands dirty on the console if needed, but GUIs are easier to navigate when you're learning a new technology. I switched to using RemoteBox for managing my VB VMs as it made things a lot easier to deal with than VBoxManage.

Thanks for your help!

Lesson learned. I think I had the same IP address assigned to my VM router as I did the Host. Side question: where are the virtual networks stored when you create them w/VM Manager?

On 08/27/2015 02:48 PM, Spanky Horawitz wrote:
Lesson learned. I think I had the same IP address assigned to my VM router as I did the Host.
Ah, I should have read this response first, but I assumed it was just a duplicate message without looking at the content (happens a lot when someone sends mail to both libvirt-users and libvir-list, so I kind of expect it). As long as you don't care that the guests can reach the host if they really want to, and you have the guest IP configuration done manually, this won't be a problem. If you're really pedantic about isolating the guests from the host and/or need them to get their IP address from DHCP, then you'll need to do what I described in the other message.
Side question: where are the virtual networks stored when you create them w/VM Manager?
They are stored in /etc/libvirt/qemu/networks, but you should never access/modify those files directly. Instead, use "virsh net-dumpxml $netname" to look at the config of a network, and "virsh net-edit $netname" to modify it (or variations of "virsh net-update $netname..." to make some changes that can be done without shutting down/restarting the network).

Thank you! I am still playing with KVM, and will more than likely setup my lab as you suggest in order to isolate the guests from the host. Not sure if I can create an isolated network from VM Manager.

On 08/27/2015 07:13 PM, Spanky Horawitz wrote:
Thank you! I am still playing with KVM, and will more than likely setup my lab as you suggest in order to isolate the guests from the host. Not sure if I can create an isolated network from VM Manager.
I just tried it and yes it is possible. On the 2nd screen where it asks for IPv4 info, just uncheck the "Enable IPv4" checkbox, then on screen 4, clear out the "DNS Domain Name" at the bottom of the page. This will give you a virtual network with a bridge created by libvirt, but no IP address on the bridge itself, so no traffic will be able to go to/from the host from that bridge. The only other bit you'll need to do is setup the dhcp server on the router guest.

I must be using a different version on Mint/Ubuntu: Virtual Machine Manager 0.9.5 I don't have any options on 2nd screen. I assume we are talking about the Host "Connection Details" screen. I'm getting to this by right-click on remote host (QEMU) and selecting "Details". Second tab is "Virtual Networks" and I click the "+" button to create a new network. Second screen only allows me to enter the CIDR. Next screen enable/disable DHCP (and assign pool.) Next screen has option to connect to physical network or keep "Isolated virtual network". Last screen is a summary before creation. Should I be using a different client to manage Host remotely? Thanks again!

Sorry, just realized there is a VMmanager app too (free version seem to only have support for Debian 7 though.) I am using the Virtual Machine Manager GUI (virt-manager.)

On 08/27/2015 08:25 PM, Spanky Horawitz wrote:
Sorry, just realized there is a VMmanager app too (free version seem to only have support for Debian 7 though.) I am using the Virtual Machine Manager GUI (virt-manager.)
virt-manager is what I'm talking about (don't know what you mean by "VMmanager"). Probably the dialogs have changed - mine is v1.2.1. 0.9.5 sounds a bit old, you should see if there is a backport of a newer version somewhere for whatever distro you're running.

Alternately, it is dirt simple to create a new network that has no IP address associated with it. Just do this:

1) create a file with these contents:

<network>
  <name>mynetname</name>
</network>

2) "virsh net-define filename.xml" (where filename.xml is the file containing the above XML)

3) "virsh net-autostart mynetname; virsh net-start mynetname"

(all these run as root)
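
Added example, not part of the original thread: a Python check over "virsh net-dumpxml" output that tells the two kinds of network discussed here apart, flagging a host IP address, libvirt-served DHCP, or forwarding on the bridge, and reporting guest addresses that duplicate the host's. The sample XML, the network name lab3, the DHCP range and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed samples in the shape "virsh net-dumpxml" prints. Addresses follow
# the thread (virbr2 / 192.168.3.1); this is not captured output.
VIRT_MANAGER_ISOLATED = """
<network>
  <name>lab3</name>
  <bridge name='virbr2' stp='on' delay='0'/>
  <ip address='192.168.3.1' netmask='255.255.255.0'>
    <dhcp><range start='192.168.3.100' end='192.168.3.200'/></dhcp>
  </ip>
</network>
"""
NO_HOST_IP = "<network><name>mynetname</name></network>"
NAT_DEFAULT = """
<network>
  <name>default</name>
  <forward mode='nat'/>
  <ip address='192.168.122.1' netmask='255.255.255.0'/>
</network>
"""

def audit_network(xml_text):
    """Return (name, findings). No findings means the host holds no address
    on the bridge and libvirt forwards nothing for this network."""
    net = ET.fromstring(xml_text)
    findings = []
    fwd = net.find("forward")
    if fwd is not None:
        # libvirt treats a <forward> element without a mode as NAT
        findings.append("forward mode=%s via the host" % fwd.get("mode", "nat"))
    for ip in net.findall("ip"):
        addr = ip.get("address")
        findings.append("host holds %s on the bridge" % addr)
        if ip.find("dhcp") is not None:
            findings.append("libvirt serves DHCP from %s" % addr)
    return net.findtext("name", default="?"), findings

def host_isolated(xml_text):
    return not audit_network(xml_text)[1]

def conflicts(xml_text, guest_addrs):
    """Guest addresses that duplicate one the host holds on this bridge."""
    host = {ip.get("address") for ip in ET.fromstring(xml_text).findall("ip")}
    return sorted(host & set(guest_addrs))

if __name__ == "__main__":
    for sample in (VIRT_MANAGER_ISOLATED, NO_HOST_IP, NAT_DEFAULT):
        name, findings = audit_network(sample)
        print(name, findings or "no host IP, no forwarding")
    print(conflicts(VIRT_MANAGER_ISOLATED, ["192.168.3.1", "192.168.3.101"]))
```

To audit a live host, pass the text printed by "virsh net-dumpxml $netname" to audit_network().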

Thanks again! Can you tell me the difference in setting things up that way as opposed to updating (in Ubuntu) /etc/network/interfaces and adding physical br(idge) interfaces? On my other test box, I setup networks the way you describe from https://help.ubuntu.com/community/KVM/Networking

On 08/27/2015 08:56 PM, Spanky Horawitz wrote:
Thanks again!
Can you tell me the difference in setting things up that way as opposed to updating (in Ubuntu) /etc/network/interfaces and adding physical br(idge) interfaces? On my other test box, I setup networks the way you describe from https://help.ubuntu.com/community/KVM/Networking
The main difference between libvirt's bridges and a bridge setup as described on that page is that bridges created by libvirt will never have a physical ethernet device directly attached, so any communication to the outside from interfaces connected to a libvirt-created bridge will need to be routed at L3 by an IP stack on "something" connected directly to the bridge; that could be another guest which has multiple interfaces (as you're setting up) or it could be the host itself (when you configure an IP address on a bridge, that effectively plugs the host's IP stack into a port on the bridge). It's possible to configure bridge interfaces with no directly attached ethernet outside the scope of libvirt in /etc/network/interfaces - just skip the "bridge_ports" line. The effect is the same, just depends on where you want your config.
_______________________________________________ libvirt-users mailing list libvirt-users@redhat.com https://www.redhat.com/mailman/listinfo/libvirt-users

On 08/25/2015 08:17 PM, Spanky Horawitz wrote:
I'm trying to migrate my VirtualBox test lab to KVM. In my VB configuration, I have several VM routers with 4 interfaces each. Each router has a bridged interface which connects them all together and to the outside world. I have servers/clients dispersed on each of the other private (Isolated) segments that use the routers as default gateways.
In trying to make this work, I used Virtual Machine Manager to define 3x Virtual Networks (Isolated networks) and created a VM router which has 3 interfaces (192.168.x.1) on each Isolated network and a 4th interface using the br0 interface to get to the outside world. The router is able to connect to the outside world.
Using Virtual Machine Manager, I also created "client" VM and connected it's single interface to one of the Isolated networks. While testing connectivity of the "client" VM to the router, it seems to go straight to the Host (tested using 'ssh 192.168.x.1'.) I'm trying to isolate the networks from the Host and have the router receive packets for the 192.168.x.1 address on the individual Isolated network segments.
Host: br0 (em1): 192.168.1.16 vibr0 (default): 192.168.122.1 virbr1: 192.168.2.1 virbr2: 192.168.3.1 virbr3: 192.168.4.1
VM router: eth0: 192.168.1.10 eth1: 192.168.2.1 eth2: 192.168.3.1 eth3: 192.168.4.1
VM client: eth0: 192.168.3.101
Is there some trick to isolate the Host from the VM's?
"Isolated" means "connection only to the host and to the guests on this network". If you want the guests to be isolated from the host, then you need to define a virtual network with no IP address at all for the host, then run a DHCP server on the guest that is acting as the router.
Is there a comprehensive guide that explains how the networks should be setup (with/without Virtual Machine Manager)?
Several years ago someone started writing such a guide, but then switched to another job before it was finished. There is a lot of information on the libvirt wiki, but not necessarily well organized or formatted: http://wiki.libvirt.org/page/Networking
participants (2)
- Laine Stump
- Spanky Horawitz