[libvirt-users] Newbie question about network setup

Laine Stump laine at laine.org
Thu Jan 23 13:00:53 UTC 2014


On 01/23/2014 02:45 PM, hubert depesz lubaczewski wrote:
> On Wed, Jan 22, 2014 at 07:41:51PM -0400, Jorge Fábregas wrote:
>> On 01/22/2014 09:44 AM, hubert depesz lubaczewski wrote:
>>> Is the solution to it addition of 5 separate "networks" in libvirt, and
>>> then connecting each guest to its own "network"?
>> Yes, that's it.  Right now I suggest you create 5 separate "isolated"
>> networks if you want true isolation.  If you create 5 standard (NAT)
>> networks, with different addresses of course, there's a bug around that
>> would allow VMs from one network to contact the rest in *other*
>> networks.  This is an issue with how iptables rules are configured by
>> libvirt.  Not many people seem to care so there's no urgency to fix it :(
> Well, yeah - but I want these instances to have internet access.
>
> I.e. each of them should be able to connect to host system, and then,
> using it as gateway, to internet.
>
> I just want them to be invisible to each other.

You might get what you want with

   <interface type='direct'>
     ...
     <source dev='something' mode='private'/>
     ...
   </interface>

(replace "something" with the name of the network interface on your host)

This is macvtap private mode. The guests will be able to communicate
with everything on the network *except* the host itself, and other
guests on the same host.

Of course it is less restrictive in other ways than having a virtual
network for each guest. For example, incoming connections to the guests
will be possible. But then maybe you want that anyway...
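
The following is an added example, not part of the original message and not libvirt code. It audits a domain XML and flags every guest interface that is not `type='direct'` with `mode='private'`, the macvtap setting described above. The sample XML, the device name `eth0`, the MAC addresses and the network name `default` are constructed assumptions. The fallback to `vepa` when `mode` is omitted follows libvirt's documented default.

```python
import xml.etree.ElementTree as ET

# Constructed sample domain XML (not from the original message); the device
# name, MAC addresses and the network name "default" are assumptions.
SAMPLE_DOMAIN_XML = """
<domain type='kvm'>
  <name>guest1</name>
  <devices>
    <interface type='direct'>
      <mac address='52:54:00:00:00:01'/>
      <source dev='eth0' mode='private'/>
    </interface>
    <interface type='direct'>
      <mac address='52:54:00:00:00:02'/>
      <source dev='eth0' mode='bridge'/>
    </interface>
    <interface type='direct'>
      <mac address='52:54:00:00:00:03'/>
      <source dev='eth0'/>
    </interface>
    <interface type='network'>
      <mac address='52:54:00:00:00:04'/>
      <source network='default'/>
    </interface>
  </devices>
</domain>
"""

def audit_interfaces(domain_xml):
    """Return (mac, type, mode, is_private) for every guest interface."""
    results = []
    root = ET.fromstring(domain_xml)
    for iface in root.findall("./devices/interface"):
        itype = iface.get("type")
        mac_el = iface.find("mac")
        mac = mac_el.get("address") if mac_el is not None else None
        source = iface.find("source")
        mode = None
        if itype == "direct":
            # An omitted mode attribute means libvirt uses 'vepa', not 'private'.
            mode = source.get("mode", "vepa") if source is not None else "vepa"
        results.append((mac, itype, mode, itype == "direct" and mode == "private"))
    return results

if __name__ == "__main__":
    for mac, itype, mode, ok in audit_interfaces(SAMPLE_DOMAIN_XML):
        print(f"{mac} type={itype} mode={mode} -> {'private' if ok else 'REVIEW'}")
```

On a live host the XML for one guest can be taken from `virsh dumpxml` and passed to `audit_interfaces` as a string.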



