Isolated bridge does not bridge

Laine Stump laine at redhat.com
Wed Sep 9 17:34:05 UTC 2020 

On 9/9/20 7:13 AM, Paul van der Vlis wrote:
> Hello,
> 
> I want to do some testing and I have removed two VM's from the bridge
> what connects them to internet, and added them to another isolated
> bridge what's not connected to internet. Problem is that I cannot reach
> the other host in the isolated network.
> 
> Something like this:
> 
> virsh shutdown kvm66
> virsh shutdown kvm68
> 
> brctl delif br0 vnet10 vnet6  # the interfaces of kvm66 and kvm68
> brctl addbr br1
> brctl addif br1 vnet10 vnet6

The delif and addif commands won't do anything if the guests are not 
running (you've done "virsh shutdown", but that will either take some 
time, or never be honored (depending on how the guest OS deals with 
ACPI, I think)


> 
> Then I've replaced br0 to br1 in the XML of both VM's with "virsh edit".

Just be certain that each guest is either completely inactive (doesn't 
show up in the output of "virsh list" when you edit, or at some point 
after you've edited it (i.e. there must be a complete "virtual 
powercycle" of the guest for the changes to take effect).


> Then I did start the VM's using the serial console (no network):
> virsh start --console kvm66
> virsh start --console kvm68
> 
> I cannot ping from one machine to the other. Why??

I guess you're using <interface type='bridge'> ... right?

Since the bridge devices were created and are managed outside libvirt's 
control, you need to do more than just create a bridge to get the 
connected guests talking to each other. In particular, if the guests are 
getting their IP addresses from DHCP, then you need to assign an IP 
address to the bridge device, and run a DHCP server that is listening on 
the bridge. (I'm curious what you used as the argument of the ping 
command, if the guests didn't have an IP address...)

(Aside from that, a bridge created with brctl will disappear when the 
host is rebooted, and not be recreated until you again enter the commands.)

If you want a simple way to create a bridge, start a dnmasq instance to 
serve DHCP, and add iptables rules to prevent the guests from breaking 
out of the isolated bridge, *and* as a bonus *re*create all of that 
every time you reboot the host, you can create an isolated libvirt 
virtual network, with a config file like the one here:


https://libvirt.org/formatnetwork.html#examplesPrivate

(editing to your taste for bridge name and IPv4 and IPv6 addresses). Put 
that in a file (e.g. net.xml) and run (as root) "virsh net-define 
net.xml; virsh net-start private; virsh net-autostart private".

Then define your guest interfaces with this:

    <interface type='network'>
      <source network='private'/>
      ...
    </interface>

More information about the libvirt-users mailing list