hubert depesz lubaczewski
2014-Jan-23 12:45 UTC
Re: [libvirt-users] Newbie question about network setup
On Wed, Jan 22, 2014 at 07:41:51PM -0400, Jorge Fábregas wrote:
> On 01/22/2014 09:44 AM, hubert depesz lubaczewski wrote:
> > Is the solution to it addition of 5 separate "networks" in libvirt, and
> > then connecting each guest to its own "network"?
>
> Yes, that's it. Right now I suggest you create 5 separate "isolated"
> networks if you want true isolation. If you create 5 standard (NAT)
> networks, with different addresses of course, there's a bug around that
> would allow VMs from one network to contact the rest in *other*
> networks. This is an issue with how iptables rules are configured by
> libvirt. Not many people seem to care so there's no urgency to fix it :(

Well, yeah - but I want these instances to have internet access.

I.e. each of them should be able to connect to host system, and then,
using it as gateway, to internet.

I just want them to be invisible to each other.

Best regards,

depesz

--
The best thing about modern society is how easy it is to avoid contact with it.
http://depesz.com/
Laine Stump
2014-Jan-23 13:00 UTC
Re: [libvirt-users] Newbie question about network setup
On 01/23/2014 02:45 PM, hubert depesz lubaczewski wrote:
> On Wed, Jan 22, 2014 at 07:41:51PM -0400, Jorge Fábregas wrote:
>> On 01/22/2014 09:44 AM, hubert depesz lubaczewski wrote:
>>> Is the solution to it addition of 5 separate "networks" in libvirt, and
>>> then connecting each guest to its own "network"?
>> Yes, that's it. Right now I suggest you create 5 separate "isolated"
>> networks if you want true isolation. If you create 5 standard (NAT)
>> networks, with different addresses of course, there's a bug around that
>> would allow VMs from one network to contact the rest in *other*
>> networks. This is an issue with how iptables rules are configured by
>> libvirt. Not many people seem to care so there's no urgency to fix it :(
> Well, yeah - but I want these instances to have internet access.
>
> I.e. each of them should be able to connect to host system, and then,
> using it as gateway, to internet.
>
> I just want them to be invisible to each other.

You might get what you want with

  <interface type='direct'>
    ...
    <source dev='something' mode='private'/>
    ...
  </interface>

(replace "something" with the name of the network interface on your host)

This is macvtap private mode. The guests will be able to communicate
with everything on the network *except* the host itself, and other
guests on the same host.

Of course it is less restrictive in other ways than having a virtual
network for each guest. For example, incoming connections to the guests
will be possible. But then maybe you want that anyway...
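As an added example, not code from the thread or from libvirt itself, here is a small offline audit that reads the domain XML of several guests and reports which guests sit on a shared segment (the same virtual network or the same non-private macvtap uplink) and which use the macvtap private mode described above. The guest names and XML are constructed samples; a real run would feed it the output of `virsh dumpxml` for each guest.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample guest definitions (hypothetical names, not from the thread).
DOMAINS = {
    "guest-a": "<domain><devices><interface type='direct'>"
               "<source dev='eth0' mode='private'/></interface></devices></domain>",
    "guest-b": "<domain><devices><interface type='network'>"
               "<source network='default'/></interface></devices></domain>",
    "guest-c": "<domain><devices><interface type='network'>"
               "<source network='default'/></interface></devices></domain>",
    "guest-d": "<domain><devices><interface type='direct'>"
               "<source dev='eth0' mode='bridge'/></interface></devices></domain>",
}

# libvirt names the <source> attribute after the interface type.
SOURCE_ATTR = {"network": "network", "direct": "dev", "bridge": "bridge"}

def interfaces(xml_text):
    """Yield (type, source, mode) for each <interface> in a libvirt domain XML."""
    for iface in ET.fromstring(xml_text).iter("interface"):
        itype = iface.get("type")
        src = iface.find("source")
        source = mode = None
        if src is not None:
            source = src.get(SOURCE_ATTR.get(itype, "dev"))
            mode = src.get("mode")
        yield itype, source, mode

def audit(domains):
    """Map each guest name to findings about segments it shares with other guests."""
    segments = defaultdict(set)   # segment key -> guests attached to it
    isolated = set()
    for name, xml_text in domains.items():
        for itype, source, mode in interfaces(xml_text):
            if itype == "direct" and mode == "private":
                isolated.add(name)   # macvtap private: no host / same-host guest traffic
            elif itype == "direct":
                segments[f"macvtap:{source}:{mode or 'vepa'}"].add(name)  # vepa is libvirt's default
            else:
                # Separate NAT networks count as separate segments here; the thread notes
                # that host iptables rules may still allow cross-network traffic, which a
                # static XML audit cannot see.
                segments[f"{itype}:{source}"].add(name)
    report = {name: [] for name in domains}
    for seg, guests in segments.items():
        for g in guests:
            others = sorted(guests - {g})
            if others:
                report[g].append(f"shares {seg} with {', '.join(others)}")
    for g in isolated:
        report[g].append("macvtap private: isolated from host and same-host guests")
    return report
```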
hubert depesz lubaczewski
2014-Jan-23 13:03 UTC
Re: [libvirt-users] Newbie question about network setup
On Thu, Jan 23, 2014 at 03:00:53PM +0200, Laine Stump wrote:
> This is macvtap private mode. The guests will be able to communicate
> with everything on the network *except* the host itself, and other
> guests on the same host.

Thanks. Will look into it. So far it looks pretty understandable.

Best regards,

depesz

--
The best thing about modern society is how easy it is to avoid contact with it.
http://depesz.com/