7:44 a.m.
Hi,
I've read some docs, and have some ideas, but before I'll go any
further, I'd like to get confirmation if I'm understanding it right.
Let's assume that on my host I want to have 5 different guests, but they
shouldn't be able to communicate with each other.
Is the solution to it addition of 5 separate "networks" in libvirt, and
then connecting each guest to its own "network"?
Looks sensible, but perhaps I'm overlooking something.
Best regards,
depesz
--
The best thing about modern society is how easy it is to avoid contact with it.
http://depesz.com/
5:41 p.m.
On 01/22/2014 09:44 AM, hubert depesz lubaczewski wrote:
Is the solution to it addition of 5 separate "networks" in
libvirt, and
then connecting each guest to its own "network"?
Yes, that's it. Right now I suggest you create 5 separate "isolated"
networks if you want true isolation. If you create 5 standard (NAT)
networks, with different addresses of course, there's a bug around that
would allow VMs from one network to contact the rest in *other*
networks. This is an issue with how iptables rules are configured by
libvirt. Not many people seem to care so there's no urgency to fix it :(
--
Jorge
6:45 a.m.
On Wed, Jan 22, 2014 at 07:41:51PM -0400, Jorge Fábregas wrote:
On 01/22/2014 09:44 AM, hubert depesz lubaczewski wrote:
> Is the solution to it addition of 5 separate "networks" in libvirt, and
> then connecting each guest to its own "network"?
Yes, that's it. Right now I suggest you create 5 separate "isolated"
networks if you want true isolation. If you create 5 standard (NAT)
networks, with different addresses of course, there's a bug around that
would allow VMs from one network to contact the rest in *other*
networks. This is an issue with how iptables rules are configured by
libvirt. Not many people seem to care so there's no urgency to fix it :(
Well, yeah - but I want these instances to have internet access.
I.e. each of them should be able to connect to host system, and then,
using it as gateway, to internet.
I just want them to be invisible to each other.
Best regards,
depesz
--
The best thing about modern society is how easy it is to avoid contact with it.
http://depesz.com/
7 a.m.
On 01/23/2014 02:45 PM, hubert depesz lubaczewski wrote:
On Wed, Jan 22, 2014 at 07:41:51PM -0400, Jorge Fábregas wrote:
> On 01/22/2014 09:44 AM, hubert depesz lubaczewski wrote:
>> Is the solution to it addition of 5 separate "networks" in libvirt,
and
>> then connecting each guest to its own "network"?
> Yes, that's it. Right now I suggest you create 5 separate "isolated"
> networks if you want true isolation. If you create 5 standard (NAT)
> networks, with different addresses of course, there's a bug around that
> would allow VMs from one network to contact the rest in *other*
> networks. This is an issue with how iptables rules are configured by
> libvirt. Not many people seem to care so there's no urgency to fix it :(
Well, yeah - but I want these instances to have internet access.
I.e. each of them should be able to connect to host system, and then,
using it as gateway, to internet.
I just want them to be invisible to each other.
You might get what you want with
<interface type='direct'>
...
<source dev='something' mode='private'/>
...
</interface>
(replace "something" with the name of the network interface on your host)
This is macvtap private mode. The guests will be able to communicate
with everything on the network *except* the host itself, and other
guests on the same host.
Of course it is less restrictive in other ways than having a virtual
network for each guest. For example, incoming connections to the guests
will be possible. But then maybe you want that anyway...
7:03 a.m.
On Thu, Jan 23, 2014 at 03:00:53PM +0200, Laine Stump wrote:
This is macvtap private mode. The guests will be able to communicate
with everything on the network *except* the host itself, and other
guests on the same host.
Thanks. Will look into it. So far it looks pretty understandable.
Best regards,
depesz
--
The best thing about modern society is how easy it is to avoid contact with it.
http://depesz.com/
3956
days inactive
3957
days old
4 comments
3 participants
participants (3)
-
hubert depesz lubaczewski -
Jorge Fábregas -
Laine Stump