James Gibbon
2013-Oct-01  12:04 UTC
[libvirt-users] Bringing up a guest with network disabled
Hello all,
I have a KVM guest VM which is a clone of a production machine
running on a different physical server, incarnated from an 
image backup.
I want to start up the clone, but obviously it has the same IP
address at the moment, and naturally I want to avoid an IP
conflict.
Normally I'd mount the clone image, go in and change the
network config to allocate a different IP, but because it's set
up with its whole disk as a LVM that's a bit painful.
Is there a simple way I can disable the networking for the
guest clone in the config file, so I can VNC into its console
and change its IP address config that way?
The devices section of the config looks like this:
  <devices>
    <emulator>/usr/libexec/qemu-kvm</emulator>
    <disk type='file' device='disk'>
      <driver name='qemu' type='raw'
cache='writeback'/>
      <source file='/var/lib/libvirt/images/sonic2.img'/>
      <target dev='hda' bus='ide'/>
    </disk>
    <interface type='bridge'>
      <mac address='0A:F7:B6:96:BF:85'/>
      <source bridge='br0'/>
    </interface>
    <serial type='pty'>
      <target port='0'/>
    </serial>
    <console type='pty'>
      <target port='0'/>
    </console>
    <input type='mouse' bus='ps2'/>
    <graphics type='vnc' port='5937' autoport='no'
keymap='en-gb'/>
  </devices>
.. can I change that 'interface type' value to disable its
interface?
Thanks,
James
Eric Blake
2013-Oct-01  12:10 UTC
Re: [libvirt-users] Bringing up a guest with network disabled
On 10/01/2013 06:04 AM, James Gibbon wrote:> > > Hello all, > > I have a KVM guest VM which is a clone of a production machine > running on a different physical server, incarnated from an > image backup.Careful. You need to scrub more than just the IP address for a clone and it's parent to safely run at the same time. For example, if you don't scrub the entropy pool, then one of the two machines will now have predictable "random" numbers just by watching what the other host did, which is horrible from a security perspective. I highly recommend the use of 'virt-sysprep' on the image backup prior to creating your clone, which will not only scrub the IP address, but everything else that ought to be unique between a clone that is intended to run alongside the parent. Once you start from a clean image, then the question about starting the guest with network disabled may be moot. -- Eric Blake eblake redhat com +1-919-301-3266 Libvirt virtualization library http://libvirt.org
James Gibbon
2013-Oct-01  13:29 UTC
Re: [libvirt-users] Bringing up a guest with network disabled
On Tue, 01 Oct 2013 06:10:46 -0600 Eric Blake <eblake@redhat.com> wrote:> On 10/01/2013 06:04 AM, James Gibbon wrote: > > > > > > Hello all, > > > > I have a KVM guest VM which is a clone of a production machine > > running on a different physical server, incarnated from an > > image backup. > > Careful. You need to scrub more than just the IP address for a > clone and it's parent to safely run at the same time. For > example, if you don't scrub the entropy pool, then one of the > two machines will now have predictable "random" numbers just by > watching what the other host did, which is horrible from a > security perspective. I highly recommend the use of > 'virt-sysprep' on the image backup prior to creating your > clone, which will not only scrub the IP address, but everything > else that ought to be unique between a clone that is intended > to run alongside the parent. Once you start from a clean > image, then the question about starting the guest with network > disabled may be moot. >Thanks, looks really useful but unfortunately I don't have it on this particular machine, which is going to be decommissioned in a few weeks anyway. The cloned VM will only be used for testing purposes, and only for a short time. Would be grateful if someone could suggest a way to disable the networking in the cloned VM within the XML, if that's possible. Thanks again, James