PLD
2011-Jun-23 23:14 UTC
[libvirt-users] Starting libvirtd cuts off host access to external network
I've spent some hours on this without success - any help greatly appreciated.

I've just done a new RHEL6 setup, with a KVM guest (first time). The basic installation works fine until I start libvirtd; at this point, the host machine loses access to the external network:

step 1: ping from host to network works; external machine on network can ping both eth0 and br1 on the host

step 2: /sbin/service libvirtd start

step 3: ping from host to network fails; external machine on the network can't ping either eth0 or br1 on the host

Stopping libvirtd (/sbin/service libvirtd stop) makes no difference - the network remains unreachable.

Any idea why this would happen? I have installed a kvm guest, using the default network script at /etc/libvirtd/qemu/networks/default.xml (although I've changed the IP addresses to be on my subnet, and the DHCP server returns only one address).

I have also configured a bridge; I've attached ifcfg-eth0, ifcfg-eth1, and ifcfg-br1 below. I haven't changed any iptables configuration. If I run the guest (also RHEL6) the guest can talk to the host, but it can't see the outside world.

Thanks -

Paul

===============================================

ifcfg-eth0:
-----------
NM_CONTROLLED="no"
DEVICE="eth0"
HWADDR=00:16:E6:8A:C7:20
ONBOOT=yes
TYPE=Ethernet
DEFROUTE=yes
IPV4_FAILURE_FATAL=yes
IPV6INIT=no
NAME="System eth0"
NETMASK=255.255.255.0
BOOTPROTO=dhcp

ifcfg-eth1:
-----------
NM_CONTROLLED="no"
DEVICE="eth1"
HWADDR=00:16:E6:8A:C7:21
ONBOOT=yes
TYPE=Ethernet
DEFROUTE=yes
IPV4_FAILURE_FATAL=yes
IPV6INIT=no
NAME="System eth1"
BRIDGE=br1
NETMASK=255.255.255.0

ifcfg-br1:
----------
NM_CONTROLLED="no"
DEVICE=br1
BOOTPROTO=dhcp
ONBOOT=yes
TYPE=Bridge
DELAY=0
Daniel P. Berrange
2011-Jun-24 09:12 UTC
[libvirt-users] Starting libvirtd cuts off host access to external network
On Fri, Jun 24, 2011 at 12:14:50AM +0100, PLD wrote:
> I've spent some hours on this without success - any help greatly
> appreciated.
>
> I've just done a new RHEL6 setup, with a KVM guest (first time). The
> basic installation works fine until I start libvirtd; at this point,
> the host machine loses access to the external network:
>
> step 1: ping from host to network works; external machine on network
> can ping both eth0 and br1 on the host
>
> step 2: /sbin/service libvirtd start
>
> step 3: ping from host to network fails; external machine on the
> network can't ping either eth0 or br1 on the host
>
> Stopping libvirtd (/sbin/service libvirtd stop) makes no difference
> - the network remains unreachable.
>
> Any idea why this would happen? I have installed a kvm guest, using
> the default network script at
> /etc/libvirtd/qemu/networks/default.xml (although I've changed the
> IP addresses to be on my subnet, and the DHCP server returns only
> one address).

And therein lies your mistake, I believe. The libvirt virtual network functionality is *not* for attaching your guests to the physical LAN. If you want guests to have addresses on the physical LAN, you want to just set up bridging for your physical NICs and attach the guest to the bridge.

The libvirt virtual network functionality is for providing NAT based connections to the guest, with the guest network having a *different* IP range to the physical LAN. By changing the libvirt network to have an IP address which is on your LAN subnet, the firewall rules will likely have killed all your host connectivity.

The virtual network stuff is not deactivated when stopping libvirtd. Instead use the following to stop it

    virsh net-destroy default
    virsh net-autostart --disable default

and the firewall rules should then go away.

> I have also configured a bridge; I've attached ifcfg-eth0,
> ifcfg-eth1, and ifcfg-br1 below. I haven't changed any iptables
> configuration.
> If I run the guest (also RHEL6) the guest can talk to
> the host, but it can't see the outside world.

Yes, this is what you want. Revert your changes to the default virtual network and just use this bridge setup. Basically you want to follow setup 2 here:

http://wiki.libvirt.org/page/Networking

What you have tried to do is to use setup 1 & 2 at the same time which is not good :-)

Regards,
Daniel
-- 
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
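
Added example, not part of the original thread: a pre-flight check for the condition diagnosed above, a libvirt virtual network whose IP range overlaps a subnet already configured on a host interface. The XML, the `ip -o -4 addr show` output and every address in it are constructed samples, and the function names are hypothetical.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample data (addresses are illustrative, not from the thread):
# a libvirt network whose <ip> range was edited onto the LAN subnet ...
EDITED_NETWORK_XML = """<network>
  <name>default</name>
  <bridge name="virbr0"/>
  <forward mode="nat"/>
  <ip address="192.168.1.250" netmask="255.255.255.0">
    <dhcp><range start="192.168.1.251" end="192.168.1.251"/></dhcp>
  </ip>
</network>"""
# ... and `ip -o -4 addr show` output from the host.
HOST_ADDRS = """1: lo    inet 127.0.0.1/8 scope host lo
2: eth0    inet 192.168.1.10/24 brd 192.168.1.255 scope global eth0
4: br1    inet 192.168.1.11/24 brd 192.168.1.255 scope global br1
5: virbr0    inet 192.168.1.250/24 brd 192.168.1.255 scope global virbr0"""


def virtual_network(xml_text):
    """Return (bridge name, [IPv4Network, ...]) from a libvirt <network> definition."""
    root = ET.fromstring(xml_text)
    bridge = root.find("bridge")
    nets = []
    for ip in root.findall("ip"):
        if ip.get("family", "ipv4") != "ipv4":
            continue
        mask = ip.get("netmask") or ip.get("prefix") or "32"
        nets.append(ipaddress.ip_network(f"{ip.get('address')}/{mask}", strict=False))
    return (bridge.get("name") if bridge is not None else None), nets


def host_networks(ip_output, skip=()):
    """Parse `ip -o -4 addr show` lines into [(ifname, IPv4Network), ...]."""
    out = []
    for line in ip_output.splitlines():
        f = line.split()
        if len(f) >= 4 and f[2] == "inet" and f[1] not in skip:
            out.append((f[1], ipaddress.ip_network(f[3], strict=False)))
    return out


def find_overlaps(xml_text, ip_output):
    """List (virtual subnet, host interface, host subnet) for every clash."""
    bridge, vnets = virtual_network(xml_text)
    # The network's own bridge carries the virtual address, so skip it.
    hosts = host_networks(ip_output, skip=(bridge,))
    return [(str(v), name, str(h)) for v in vnets for name, h in hosts if v.overlaps(h)]


if __name__ == "__main__":
    for vnet, ifname, hnet in find_overlaps(EDITED_NETWORK_XML, HOST_ADDRS):
        print(f"virtual network {vnet} overlaps {ifname} ({hnet})")
```

On a real host the two inputs would come from `virsh net-dumpxml default` and `ip -o -4 addr show`; an empty result means the virtual network's range is distinct from every host subnet.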