- 海之寻趣
- Ranler
- 2017-01-26 11:16
- CC BY-NC-SA 3.0
Network for Libvirt
- Isolated virtual network
- NAT-based network: VMs have no public IP
- Bridged network: VMs often need to be publicly reachable and bind to their own public IPs
- Routed network: like a bridged network, but also usable with a wireless interface (which usually cannot be bridged)
[ASCII diagram. Host side: the bridge virbr0 with its dummy port virbr0-nic, the tap devices vnet0 and vnet1 attached to it, and the physical interfaces eth0 and eth1. Guest side: VM1 and VM2, each with an eth0 connected to vnet0 and vnet1 respectively.]
NAT-based network
Virtual switch: virbr0
```
# brctl show
bridge name    bridge id           STP enabled    interfaces
virbr0         8000.5254001ed835   yes            virbr0-nic
```
```
# cat /etc/libvirt/qemu/networks/default.xml
```

```xml
<network>
  <name>default</name>
  <uuid>c6b8b176-175f-4957-a84e-d2283850eeb7</uuid>
  <forward mode='nat'/>
  <bridge name='virbr0' stp='on' delay='0'/>
  <mac address='52:54:00:1e:d8:35'/>
  <ip address='192.168.122.1' netmask='255.255.255.0'>
    <dhcp>
      <range start='192.168.122.2' end='192.168.122.254'/>
    </dhcp>
  </ip>
</network>
```
How virbr0 and virbr0-nic work
It's a workaround for a kernel bug/feature: a bridge copies its MAC address from the first NIC attached to it. So if all interfaces are detached from a bridge and then a single one is attached, the bridge loses its previous MAC and takes on a new one, the same as the newly attached interface has.
Because libvirt has to guarantee a stable MAC for the virtual bridge, it creates this dummy device (no traffic is routed through it) and simply attaches it to the virtual bridge.
DNS & DHCP: dnsmasq on virbr0
```
# cat /var/lib/libvirt/dnsmasq/default.conf
strict-order
user=libvirt-dnsmasq
pid-file=/var/run/libvirt/network/default.pid
except-interface=lo
bind-dynamic
interface=virbr0
dhcp-range=192.168.122.2,192.168.122.254
dhcp-no-override
dhcp-lease-max=253
dhcp-hostsfile=/var/lib/libvirt/dnsmasq/default.hostsfile
addn-hosts=/var/lib/libvirt/dnsmasq/default.addnhosts
```
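The network XML and the generated dnsmasq configuration above must agree: the DHCP pool has to sit inside the bridge's subnet, exclude the gateway address, match `dhcp-range`, and cap leases at the pool size, and dnsmasq must be pinned to virbr0 rather than listening on every host interface. The following Python script is an added example, not code from the post or from libvirt; it embeds copies of the two files shown above and cross-checks them, returning a list of findings (empty when everything agrees).

```python
import ipaddress
import xml.etree.ElementTree as ET

# Copy of the libvirt "default" network definition shown on the page.
NETWORK_XML = """<network>
  <name>default</name>
  <uuid>c6b8b176-175f-4957-a84e-d2283850eeb7</uuid>
  <forward mode='nat'/>
  <bridge name='virbr0' stp='on' delay='0'/>
  <mac address='52:54:00:1e:d8:35'/>
  <ip address='192.168.122.1' netmask='255.255.255.0'>
    <dhcp>
      <range start='192.168.122.2' end='192.168.122.254'/>
    </dhcp>
  </ip>
</network>"""

# Copy of the dnsmasq configuration libvirt generated for that network.
DNSMASQ_CONF = """strict-order
user=libvirt-dnsmasq
pid-file=/var/run/libvirt/network/default.pid
except-interface=lo
bind-dynamic
interface=virbr0
dhcp-range=192.168.122.2,192.168.122.254
dhcp-no-override
dhcp-lease-max=253
dhcp-hostsfile=/var/lib/libvirt/dnsmasq/default.hostsfile
addn-hosts=/var/lib/libvirt/dnsmasq/default.addnhosts"""


def parse_network(xml_text):
    """Extract bridge name, gateway, subnet and DHCP range from a <network> definition."""
    root = ET.fromstring(xml_text)
    ip = root.find("ip")
    # ipaddress accepts a dotted netmask in place of a prefix length
    iface = ipaddress.ip_interface(f"{ip.get('address')}/{ip.get('netmask')}")
    rng = ip.find("dhcp/range")
    return {
        "bridge": root.find("bridge").get("name"),
        "gateway": iface.ip,
        "subnet": iface.network,
        "dhcp_start": ipaddress.ip_address(rng.get("start")),
        "dhcp_end": ipaddress.ip_address(rng.get("end")),
    }


def parse_dnsmasq(conf_text):
    """Turn key=value lines into a dict; bare options (e.g. bind-dynamic) map to True."""
    opts = {}
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        opts[key] = value if value else True
    return opts


def check_consistency(xml_text, conf_text):
    """Return a list of findings; an empty list means the two files agree."""
    net = parse_network(xml_text)
    conf = parse_dnsmasq(conf_text)
    findings = []
    # The DHCP pool must lie inside the bridge's subnet and must not hand out the gateway.
    for addr in (net["dhcp_start"], net["dhcp_end"]):
        if addr not in net["subnet"]:
            findings.append(f"DHCP bound {addr} is outside {net['subnet']}")
    if net["dhcp_start"] <= net["gateway"] <= net["dhcp_end"]:
        findings.append(f"gateway {net['gateway']} lies inside the DHCP range")
    # dnsmasq must serve exactly the range libvirt defined ...
    expected_range = f"{net['dhcp_start']},{net['dhcp_end']}"
    if conf.get("dhcp-range") != expected_range:
        findings.append(f"dhcp-range {conf.get('dhcp-range')} != {expected_range}")
    # ... with a lease cap equal to the number of addresses in it.
    pool_size = int(net["dhcp_end"]) - int(net["dhcp_start"]) + 1
    if conf.get("dhcp-lease-max") != str(pool_size):
        findings.append(f"dhcp-lease-max {conf.get('dhcp-lease-max')} != pool size {pool_size}")
    # The DNS/DHCP listener must be pinned to the bridge, not exposed on every host interface.
    if conf.get("interface") != net["bridge"]:
        findings.append(f"dnsmasq interface {conf.get('interface')} != bridge {net['bridge']}")
    if not (conf.get("bind-dynamic") or conf.get("bind-interfaces")):
        findings.append("dnsmasq is not restricted to the listed interface")
    return findings


if __name__ == "__main__":
    for line in check_consistency(NETWORK_XML, DNSMASQ_CONF) or ["OK: XML and dnsmasq config agree"]:
        print(line)
```

To check a live host, replace the two embedded strings with the contents of `/etc/libvirt/qemu/networks/<name>.xml` and `/var/lib/libvirt/dnsmasq/<name>.conf`; the interface and bind checks are the ones that matter most, since a dnsmasq bound to all interfaces would answer DNS and DHCP for the physical network as well.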
NAT Forwarding: iptables
```
$ iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
-A FORWARD -d 192.168.122.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -o virbr0 -p udp -m udp --dport 68 -j ACCEPT
```
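The FORWARD chain above is what makes the NAT network one-directional: guest-initiated flows leave, only replies come back in, and a guest cannot forward packets with a source address outside 192.168.122.0/24. The INPUT chain, by contrast, only opens DNS and DHCP explicitly and otherwise falls through to the ACCEPT policy, so every service listening on the host is reachable from the guests. The Python script below is an added example, not part of the original post or of libvirt; it parses the `iptables -S` output shown above into a first-match evaluator and runs constructed sample packets through it (the nat-table MASQUERADE rule is not shown on the page and is not modelled; the only match options handled are the ones that appear in the listing).

```python
import ipaddress
import shlex

# Copy of the filter-table rules shown above (`iptables -S`), used as input.
RULESET = """-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
-A FORWARD -d 192.168.122.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -o virbr0 -p udp -m udp --dport 68 -j ACCEPT"""


def parse_ruleset(text):
    """Parse `iptables -S` output into {chain: {"policy": str, "rules": [dict]}}."""
    chains = {}
    for line in text.splitlines():
        tok = shlex.split(line)
        if not tok:
            continue
        if tok[0] == "-P":
            chains.setdefault(tok[1], {"rules": []})["policy"] = tok[2]
            continue
        if tok[0] != "-A":
            continue
        rule, i = {}, 2
        while i < len(tok):            # every option in this listing takes one value
            flag, val = tok[i], tok[i + 1]
            if flag in ("-i", "-o", "-p", "-j"):
                rule[flag] = val
            elif flag in ("-s", "-d"):
                rule[flag] = ipaddress.ip_network(val, strict=False)
            elif flag == "--dport":
                rule[flag] = int(val)
            elif flag == "--ctstate":
                rule[flag] = set(val.split(","))
            # "-m <module>" and "--reject-with <type>" do not affect matching
            i += 2
        chains.setdefault(tok[1], {"rules": []})["rules"].append(rule)
    return chains


def matches(rule, pkt):
    """True when every match option in the rule applies to the packet dict."""
    if "-i" in rule and pkt.get("in") != rule["-i"]:
        return False
    if "-o" in rule and pkt.get("out") != rule["-o"]:
        return False
    if "-p" in rule and pkt.get("proto") != rule["-p"]:
        return False
    if "-s" in rule and ipaddress.ip_address(pkt["src"]) not in rule["-s"]:
        return False
    if "-d" in rule and ipaddress.ip_address(pkt["dst"]) not in rule["-d"]:
        return False
    if "--dport" in rule and pkt.get("dport") != rule["--dport"]:
        return False
    if "--ctstate" in rule and pkt.get("state", "NEW") not in rule["--ctstate"]:
        return False
    return True


def verdict(chains, chain, pkt):
    """Walk the chain in order: the first matching rule decides, else the policy."""
    for rule in chains[chain]["rules"]:
        if matches(rule, pkt):
            return rule["-j"]
    return chains[chain].get("policy", "ACCEPT")


# Constructed sample packets: 192.168.122.10/.11 are guests on virbr0,
# 203.0.113.5 is an outside host reached through the physical eth0.
G1, G2, OUT, GW = "192.168.122.10", "192.168.122.11", "203.0.113.5", "192.168.122.1"
SAMPLES = {
    "guest -> internet, new flow": ("FORWARD",
        {"in": "virbr0", "out": "eth0", "src": G1, "dst": OUT, "proto": "tcp", "dport": 443}),
    "internet -> guest, new flow": ("FORWARD",
        {"in": "eth0", "out": "virbr0", "src": OUT, "dst": G1, "proto": "tcp", "dport": 22}),
    "internet -> guest, reply to guest's flow": ("FORWARD",
        {"in": "eth0", "out": "virbr0", "src": OUT, "dst": G1, "proto": "tcp", "state": "ESTABLISHED"}),
    "guest -> guest": ("FORWARD",
        {"in": "virbr0", "out": "virbr0", "src": G1, "dst": G2, "proto": "tcp", "dport": 80}),
    "guest with spoofed source -> internet": ("FORWARD",
        {"in": "virbr0", "out": "eth0", "src": "10.0.0.5", "dst": OUT, "proto": "udp", "dport": 53}),
    "guest -> host dnsmasq (DNS)": ("INPUT",
        {"in": "virbr0", "src": G1, "dst": GW, "proto": "udp", "dport": 53}),
    "guest -> host sshd": ("INPUT",
        {"in": "virbr0", "src": G1, "dst": GW, "proto": "tcp", "dport": 22}),
}


def evaluate_samples(chains=None):
    """Return {label: verdict} for every constructed sample packet."""
    chains = chains or parse_ruleset(RULESET)
    return {label: verdict(chains, chain, pkt) for label, (chain, pkt) in SAMPLES.items()}


if __name__ == "__main__":
    for label, v in evaluate_samples().items():
        print(f"{v:7} {label}")
```

The "guest -> host sshd" case is the one to note when hardening a host: the post's INPUT chain does not restrict guests at all beyond what it explicitly allows, so any host service bound to 0.0.0.0 is reachable from 192.168.122.0/24 unless a later rule or a default DROP policy says otherwise.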
Isolated virtual network
Compared with the NAT-based network, no iptables NAT forwarding rules are installed: guests can reach each other and the host, but nothing beyond it.
Bridged network
The physical interface is attached directly to a Linux bridge, and the VMs' tap devices join the same bridge.
```
# brctl show
bridge name    bridge id           STP enabled    interfaces
br0            8000.000e0cb30550   yes            eth0
```
Routed network
- No NAT forwarding rules in iptables.
- All virtual machines are in a subnet that is routed through the virtual switch.
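The four network types described on this page differ in the libvirt XML only in the `<forward>` element and in whether libvirt owns an IP address on the bridge: NAT uses `<forward mode='nat'/>`, routed uses `<forward mode='route'/>`, an isolated network omits `<forward>` entirely, and a bridged network uses `<forward mode='bridge'/>` pointing at an existing host bridge with no `<ip>` element (so no dnsmasq and no iptables rules). The Python script below is an added example, not code from the post or from libvirt; it builds a definition for each mode and classifies an arbitrary definition back into what libvirt will set up for it. The network names, bridge names and subnets are constructed.

```python
import xml.etree.ElementTree as ET


def network_xml(name, mode, bridge, subnet=None, dhcp=None, dev=None):
    """Build a libvirt <network> definition.

    mode is "isolated", "nat", "route" or "bridge"; subnet is an optional
    (gateway, netmask) pair and dhcp an optional (start, end) pair. dev limits
    NAT/routed forwarding to one physical interface.
    """
    net = ET.Element("network")
    ET.SubElement(net, "name").text = name
    if mode == "bridge":
        # Guests join an existing host bridge (e.g. br0 with eth0 in it):
        # libvirt owns no address on it, runs no dnsmasq and adds no iptables rules.
        ET.SubElement(net, "forward", mode="bridge")
        ET.SubElement(net, "bridge", name=bridge)
        return ET.tostring(net, encoding="unicode")
    if mode in ("nat", "route"):
        fwd = ET.SubElement(net, "forward", mode=mode)
        if dev:
            fwd.set("dev", dev)
    elif mode != "isolated":
        raise ValueError(f"unknown mode: {mode}")
    # "isolated" simply has no <forward>: guests reach each other and the host only.
    ET.SubElement(net, "bridge", name=bridge, stp="on", delay="0")
    if subnet:
        ip = ET.SubElement(net, "ip", address=subnet[0], netmask=subnet[1])
        if dhcp:
            ET.SubElement(ET.SubElement(ip, "dhcp"), "range", start=dhcp[0], end=dhcp[1])
    return ET.tostring(net, encoding="unicode")


def classify(xml_text):
    """Summarise what libvirt will set up for a given <network> definition."""
    root = ET.fromstring(xml_text)
    fwd = root.find("forward")
    # libvirt treats a <forward> without a mode attribute as NAT
    mode = "isolated" if fwd is None else fwd.get("mode", "nat")
    owns_ip = root.find("ip") is not None
    return {
        "mode": mode,
        "bridge": root.find("bridge").get("name"),
        "dnsmasq": owns_ip,                           # DNS/DHCP only where libvirt holds the gateway IP
        "nat_rules": mode == "nat",                   # MASQUERADE + FORWARD filter only for NAT
        "reachable_from_outside": mode in ("route", "bridge"),
        "guest_has_public_ip": mode == "bridge",
    }


# Constructed sample definitions, one per mode.
EXAMPLES = {
    "nat": network_xml("default", "nat", "virbr0",
                       ("192.168.122.1", "255.255.255.0"), ("192.168.122.2", "192.168.122.254")),
    "isolated": network_xml("private", "isolated", "virbr1", ("10.10.10.1", "255.255.255.0")),
    "route": network_xml("routed", "route", "virbr2", ("10.20.30.1", "255.255.255.0"), dev="eth0"),
    "bridge": network_xml("hostbridge", "bridge", "br0"),
}


if __name__ == "__main__":
    for label, xml_text in EXAMPLES.items():
        print(f"--- {label}\n{xml_text}\n{classify(xml_text)}")
```

Each generated string can be saved to a file and loaded with `virsh net-define <file>`; the point of `classify` is that the security posture of a guest (NATed, routable, or sharing the physical LAN) is decided by a single attribute in this file, which is worth checking in review before a network is started.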