[libvirt-users] Newbie question about network setup

Hi,

I've read some docs, and have some ideas, but before I go any further, I'd like to get confirmation that I'm understanding it right.

Let's assume that on my host I want to have 5 different guests, but they shouldn't be able to communicate with each other.

Is the solution to it addition of 5 separate "networks" in libvirt, and then connecting each guest to its own "network"?

Looks sensible, but perhaps I'm overlooking something.

Best regards,

depesz

--
The best thing about modern society is how easy it is to avoid contact with it.
http://depesz.com/

On 01/22/2014 09:44 AM, hubert depesz lubaczewski wrote:
> Is the solution to it addition of 5 separate "networks" in libvirt, and then connecting each guest to its own "network"?

Yes, that's it. Right now I suggest you create 5 separate "isolated" networks if you want true isolation. If you create 5 standard (NAT) networks, with different addresses of course, there's a bug around that would allow VMs from one network to contact the rest in *other* networks. This is an issue with how iptables rules are configured by libvirt. Not many people seem to care so there's no urgency to fix it :(

--
Jorge

On Wed, Jan 22, 2014 at 07:41:51PM -0400, Jorge Fábregas wrote:
> On 01/22/2014 09:44 AM, hubert depesz lubaczewski wrote:
> > Is the solution to it addition of 5 separate "networks" in libvirt, and then connecting each guest to its own "network"?
> Yes, that's it. Right now I suggest you create 5 separate "isolated" networks if you want true isolation. If you create 5 standard (NAT) networks, with different addresses of course, there's a bug around that would allow VMs from one network to contact the rest in *other* networks. This is an issue with how iptables rules are configured by libvirt. Not many people seem to care so there's no urgency to fix it :(

Well, yeah - but I want these instances to have internet access. I.e. each of them should be able to connect to host system, and then, using it as gateway, to internet.

I just want them to be invisible to each other.

Best regards,

depesz

--
The best thing about modern society is how easy it is to avoid contact with it.
http://depesz.com/

On 01/23/2014 02:45 PM, hubert depesz lubaczewski wrote:
> On Wed, Jan 22, 2014 at 07:41:51PM -0400, Jorge Fábregas wrote:
> > On 01/22/2014 09:44 AM, hubert depesz lubaczewski wrote:
> > > Is the solution to it addition of 5 separate "networks" in libvirt, and then connecting each guest to its own "network"?
> > Yes, that's it. Right now I suggest you create 5 separate "isolated" networks if you want true isolation. If you create 5 standard (NAT) networks, with different addresses of course, there's a bug around that would allow VMs from one network to contact the rest in *other* networks. This is an issue with how iptables rules are configured by libvirt. Not many people seem to care so there's no urgency to fix it :(
> Well, yeah - but I want these instances to have internet access.
> I.e. each of them should be able to connect to host system, and then, using it as gateway, to internet.
> I just want them to be invisible to each other.

You might get what you want with

  <interface type='direct'>
    ...
    <source dev='something' mode='private'/>
    ...
  </interface>

(replace "something" with the name of the network interface on your host)

This is macvtap private mode. The guests will be able to communicate with everything on the network *except* the host itself, and other guests on the same host. Of course it is less restrictive in other ways than having a virtual network for each guest. For example, incoming connections to the guests will be possible. But then maybe you want that anyway...
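A script that emits the libvirt XML for both set-ups discussed in this thread (Jorge's one isolated network per guest, and Laine's macvtap private-mode interface), added here as an example and not taken from the thread or from libvirt itself; the network names, bridge names, subnets, the NIC name and the `apply` argument are my own assumptions. Note that an isolated network (a `<network>` with no `<forward>` element) gives a guest reachability to the host only, so on its own it does not provide the internet access asked for above.

```shell
#!/bin/sh
# Added example (not from the thread): emit the libvirt XML for the two
# set-ups discussed above. Names, bridge names and subnets are constructed.
# 1. One isolated network per guest. A <network> with no <forward> element
#    is neither NATed nor routed by libvirt, so a guest on it reaches only
#    the host (and any other guest on the same network; here there is none).
isolated_net_xml() {
  name="$1"   # libvirt network name, e.g. isolated-1
  n="$2"      # small integer selecting a distinct bridge and subnet
  cat <<EOF
<network>
  <name>${name}</name>
  <bridge name='virbr-iso${n}' stp='on' delay='0'/>
  <ip address='10.10.${n}.1' netmask='255.255.255.0'>
    <dhcp>
      <range start='10.10.${n}.100' end='10.10.${n}.200'/>
    </dhcp>
  </ip>
</network>
EOF
}

# 2. Domain <interface> for macvtap private mode (Laine's reply): the guest
#    talks to the physical network but not to the host or sibling guests.
macvtap_private_iface_xml() {
  dev="$1"    # host NIC carrying the macvtap, e.g. eth0 (assumed name)
  cat <<EOF
<interface type='direct'>
  <source dev='${dev}' mode='private'/>
  <model type='virtio'/>
</interface>
EOF
}

# Define, autostart and start COUNT isolated networks with virsh. Only runs
# when invoked as "sh isolate.sh apply 5"; sourcing just loads the functions.
define_isolated_networks() {
  count="$1"; i=1
  while [ "$i" -le "$count" ]; do
    f=$(mktemp)
    isolated_net_xml "isolated-${i}" "$i" > "$f"
    virsh net-define "$f" && virsh net-autostart "isolated-${i}" \
      && virsh net-start "isolated-${i}"
    rm -f "$f"
    i=$((i + 1))
  done
}

case "${1:-}" in apply) define_isolated_networks "${2:-5}" ;; esac
```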

On Thu, Jan 23, 2014 at 03:00:53PM +0200, Laine Stump wrote:
> This is macvtap private mode. The guests will be able to communicate with everything on the network *except* the host itself, and other guests on the same host.

Thanks. Will look into it. So far it looks pretty understandable.

Best regards,

depesz

--
The best thing about modern society is how easy it is to avoid contact with it.
http://depesz.com/