[libvirt-users] Bringing up a guest with network disabled

Hello all,

I have a KVM guest VM which is a clone of a production machine running on a different physical server, incarnated from an image backup. I want to start up the clone, but obviously it has the same IP address at the moment, and naturally I want to avoid an IP conflict.

Normally I'd mount the clone image, go in and change the network config to allocate a different IP, but because it's set up with its whole disk as a LVM that's a bit painful.

Is there a simple way I can disable the networking for the guest clone in the config file, so I can VNC into its console and change its IP address config that way?

The devices section of the config looks like this:

    <devices>
      <emulator>/usr/libexec/qemu-kvm</emulator>
      <disk type='file' device='disk'>
        <driver name='qemu' type='raw' cache='writeback'/>
        <source file='/var/lib/libvirt/images/sonic2.img'/>
        <target dev='hda' bus='ide'/>
      </disk>
      <interface type='bridge'>
        <mac address='0A:F7:B6:96:BF:85'/>
        <source bridge='br0'/>
      </interface>
      <serial type='pty'>
        <target port='0'/>
      </serial>
      <console type='pty'>
        <target port='0'/>
      </console>
      <input type='mouse' bus='ps2'/>
      <graphics type='vnc' port='5937' autoport='no' keymap='en-gb'/>
    </devices>

.. can I change that 'interface type' value to disable its interface?

Thanks,
James

On 10/01/2013 06:04 AM, James Gibbon wrote:
> Hello all,
>
> I have a KVM guest VM which is a clone of a production machine running on a different physical server, incarnated from an image backup.

Careful. You need to scrub more than just the IP address for a clone and its parent to safely run at the same time. For example, if you don't scrub the entropy pool, then one of the two machines will now have predictable "random" numbers just by watching what the other host did, which is horrible from a security perspective.

I highly recommend the use of 'virt-sysprep' on the image backup prior to creating your clone, which will not only scrub the IP address, but everything else that ought to be unique between a clone that is intended to run alongside the parent. Once you start from a clean image, then the question about starting the guest with network disabled may be moot.

--
Eric Blake eblake redhat com +1-919-301-3266
Libvirt virtualization library http://libvirt.org

On Tue, 01 Oct 2013 06:10:46 -0600 Eric Blake <eblake@redhat.com> wrote:
> On 10/01/2013 06:04 AM, James Gibbon wrote:
> > Hello all,
> >
> > I have a KVM guest VM which is a clone of a production machine running on a different physical server, incarnated from an image backup.
>
> Careful. You need to scrub more than just the IP address for a clone and its parent to safely run at the same time. For example, if you don't scrub the entropy pool, then one of the two machines will now have predictable "random" numbers just by watching what the other host did, which is horrible from a security perspective.
>
> I highly recommend the use of 'virt-sysprep' on the image backup prior to creating your clone, which will not only scrub the IP address, but everything else that ought to be unique between a clone that is intended to run alongside the parent. Once you start from a clean image, then the question about starting the guest with network disabled may be moot.

Thanks, looks really useful but unfortunately I don't have it on this particular machine, which is going to be decommissioned in a few weeks anyway. The cloned VM will only be used for testing purposes, and only for a short time.

Would be grateful if someone could suggest a way to disable the networking in the cloned VM within the XML, if that's possible.

Thanks again,
James

On 10/01/2013 07:29 AM, James Gibbon wrote:
> Thanks, looks really useful but unfortunately I don't have it on this particular machine, which is going to be decommissioned in a few weeks anyway. The cloned VM will only be used for testing purposes, and only for a short time.
>
> Would be grateful if someone could suggest a way to disable the networking in the cloned VM within the XML, if that's possible.

Have you tried just removing the network device from the xml altogether, then booting the guest, then hot-plugging a replacement device? The hotplug action would force the guest to negotiate a new IP address.

--
Eric Blake eblake redhat com +1-919-301-3266
Libvirt virtualization library http://libvirt.org

On 10/01/2013 09:29 AM, James Gibbon wrote:
> Would be grateful if someone could suggest a way to disable the networking in the cloned VM within the XML, if that's possible.

I have no idea if it's possible to "disable" the NIC on the VM definition but you could boot into runlevel 1 (where there is no network) and perform the changes there. You may do this by passing a 1 to the end of the kernel line (during GRUB boot section).

HTH,
Jorge

2013/10/2 Jorge Fábregas <jorge.fabregas@gmail.com>
> On 10/01/2013 09:29 AM, James Gibbon wrote:
> > Would be grateful if someone could suggest a way to disable the networking in the cloned VM within the XML, if that's possible.
>
> I have no idea if it's possible to "disable" the NIC on the VM definition but you could boot into runlevel 1 (where there is no network) and perform the changes there. You may do this by passing a 1 to the end of the kernel line (during GRUB boot section).

try : virsh domif-setlink

On 10/01/2013 11:40 PM, Gao Yongwei wrote:
> try : virsh domif-setlink

Thanks Gao! I didn't know that one! I did it right now on a WinXP VM:

    virsh domif-setlink WinXP 52:54:00:f1:b7:27 down

...and right away I saw on the guest "A network cable is unplugged".

The man page says we can use the MAC address or the target name. I'm wondering what would the "target name" be for the Windows NIC (as there's no target specified on the XML).

Thanks,
Jorge
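
The original question was whether the NIC can be disabled in the XML itself. As an added example (not part of the thread, and not code from any poster): libvirt's domain XML accepts a <link state='down'/> child on <interface>, the persistent counterpart of the domif-setlink call above, and this Python script applies it to every interface and checks the result before the clone is booted. It assumes a libvirt version that honours the link element; the <domain> wrapper and domain name are constructed around the devices excerpt quoted in the first post.

```python
import xml.etree.ElementTree as ET

# Constructed sample: abridged <devices> section from the thread, wrapped in a
# minimal <domain>; the domain name is a placeholder.
DOMAIN_XML = """<domain type='kvm'>
  <name>clone-under-test</name>
  <devices>
    <emulator>/usr/libexec/qemu-kvm</emulator>
    <interface type='bridge'>
      <mac address='0A:F7:B6:96:BF:85'/>
      <source bridge='br0'/>
    </interface>
    <graphics type='vnc' port='5937' autoport='no' keymap='en-gb'/>
  </devices>
</domain>"""


def _mac(iface):
    """MAC address of an <interface> element, or a marker if none is set."""
    mac = iface.find("mac")
    return mac.get("address") if mac is not None else "<no mac>"


def set_links_down(domain_xml):
    """Return (new_xml, macs) with <link state='down'/> on every interface."""
    root = ET.fromstring(domain_xml)
    macs = []
    for iface in root.findall("./devices/interface"):
        link = iface.find("link")
        if link is None:              # no link element yet: add one
            link = ET.SubElement(iface, "link")
        link.set("state", "down")     # also overrides an explicit 'up'
        macs.append(_mac(iface))
    return ET.tostring(root, encoding="unicode"), macs


def interfaces_still_up(domain_xml):
    """Pre-boot check: MACs of interfaces not explicitly marked link-down."""
    root = ET.fromstring(domain_xml)
    return [_mac(i) for i in root.findall("./devices/interface")
            if i.find("link") is None or i.find("link").get("state") != "down"]


if __name__ == "__main__":
    new_xml, macs = set_links_down(DOMAIN_XML)
    if interfaces_still_up(new_xml):
        raise SystemExit("refusing to continue: an interface is still up")
    print(new_xml)  # load with `virsh define` before the first boot
```

Once the guest's address has been changed from the VNC console, virsh domif-setlink with the state "up" reconnects the interface without a reboot.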

On Tue, 01 Oct 2013 15:46:52 -0400 Jorge Fábregas <jorge.fabregas@gmail.com> wrote:
> On 10/01/2013 09:29 AM, James Gibbon wrote:
> > Would be grateful if someone could suggest a way to disable the networking in the cloned VM within the XML, if that's possible.
>
> I have no idea if it's possible to "disable" the NIC on the VM definition but you could boot into runlevel 1 (where there is no network) and perform the changes there. You may do this by passing a 1 to the end of the kernel line (during GRUB boot section).

I solved this eventually by both removing the <interface> section from the config, and interrupting grub and booting single user. I wasn't sure I'd get an opportunity to interrupt the boot, but since I had belt and braces I went for it.

Many thanks for all the suggestions.

James