hubert depesz lubaczewski
2014-Jan-22 13:44 UTC
[libvirt-users] Newbie question about network setup
Hi,

I've read some docs, and have some ideas, but before I'll go any further, I'd like to get confirmation if I'm understanding it right.

Let's assume that on my host I want to have 5 different guests, but they shouldn't be able to communicate with each other.

Is the solution to it addition of 5 separate "networks" in libvirt, and then connecting each guest to its own "network"?

Looks sensible, but perhaps I'm overlooking something.

Best regards,

depesz

--
The best thing about modern society is how easy it is to avoid contact with it.
http://depesz.com/

Jorge Fábregas
2014-Jan-22 23:41 UTC
Re: [libvirt-users] Newbie question about network setup
On 01/22/2014 09:44 AM, hubert depesz lubaczewski wrote:
> Is the solution to it addition of 5 separate "networks" in libvirt, and
> then connecting each guest to its own "network"?

Yes, that's it. Right now I suggest you create 5 separate "isolated" networks if you want true isolation. If you create 5 standard (NAT) networks, with different addresses of course, there's a bug around that would allow VMs from one network to contact the rest in *other* networks. This is an issue with how iptables rules are configured by libvirt. Not many people seem to care so there's no urgency to fix it :(

--
Jorge

hubert depesz lubaczewski
2014-Jan-23 12:45 UTC
Re: [libvirt-users] Newbie question about network setup
On Wed, Jan 22, 2014 at 07:41:51PM -0400, Jorge Fábregas wrote:
> On 01/22/2014 09:44 AM, hubert depesz lubaczewski wrote:
> > Is the solution to it addition of 5 separate "networks" in libvirt, and
> > then connecting each guest to its own "network"?
>
> Yes, that's it. Right now I suggest you create 5 separate "isolated"
> networks if you want true isolation. If you create 5 standard (NAT)
> networks, with different addresses of course, there's a bug around that
> would allow VMs from one network to contact the rest in *other*
> networks. This is an issue with how iptables rules are configured by
> libvirt. Not many people seem to care so there's no urgency to fix it :(

Well, yeah - but I want these instances to have internet access. I.e. each of them should be able to connect to host system, and then, using it as gateway, to internet.

I just want them to be invisible to each other.

Best regards,

depesz

--
The best thing about modern society is how easy it is to avoid contact with it.
http://depesz.com/
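
The distinction drawn in this thread between "isolated" and standard (NAT) libvirt networks can be audited from the network XML; the following is an added example, not part of the original messages. The network names, bridge names and addresses are constructed sample values; a network with no `<forward>` element is isolated, and `<forward>` without a `mode` attribute means NAT.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample definitions (not from the thread), one network per guest.
SAMPLE_NETWORKS = [
    """<network>
  <name>guest1-isolated</name>
  <bridge name='virbr10'/>
  <ip address='192.168.110.1' netmask='255.255.255.0'/>
</network>""",
    """<network>
  <name>guest2-nat</name>
  <forward mode='nat'/>
  <bridge name='virbr11'/>
  <ip address='192.168.111.1' netmask='255.255.255.0'/>
</network>""",
    """<network>
  <name>guest3-nat</name>
  <forward/>
  <bridge name='virbr12'/>
  <ip address='192.168.111.129' prefix='25'/>
</network>""",
]

def describe(xml_text):
    """Return (name, mode, subnet); mode is 'isolated' when <forward> is absent."""
    root = ET.fromstring(xml_text)
    fwd = root.find("forward")
    # A <forward> element without a mode attribute defaults to NAT.
    mode = "isolated" if fwd is None else fwd.get("mode", "nat")
    ip = root.find("ip")
    mask = None if ip is None else (ip.get("prefix") or ip.get("netmask"))
    subnet = None
    if mask and ip.get("address"):
        subnet = ipaddress.ip_network(f"{ip.get('address')}/{mask}", strict=False)
    return root.findtext("name"), mode, subnet

def audit(definitions):
    """Flag forwarded (non-isolated) networks and subnets shared between networks."""
    nets = [describe(d) for d in definitions]
    findings = [f"{n}: forward mode '{m}', not isolated" for n, m, _ in nets if m != "isolated"]
    for i, (n1, _, s1) in enumerate(nets):
        for n2, _, s2 in nets[i + 1:]:
            if s1 is not None and s2 is not None and s1.overlaps(s2):
                findings.append(f"{n1} and {n2}: overlapping subnets {s1} / {s2}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_NETWORKS)))
```

The same functions can be run over the output of `virsh net-dumpxml` for each defined network.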