libvirt vm inbound networking without bridge

Tried this a year ago and failed miserably. I want to have a non-bridged libvirt network that allows inbound traffic to the VMs. Bridged networking works fine, but I do not want all my devs having to set up bridges, especially since most of them use laptops with wlan. Alright, I tried messing with iptables, even the hook system that was mentioned on the net. But for the life of me I cannot get this to work. So, does anybody have this working? What is the secret sauce? Which of the libvirtd networking types is the right one? And sure, I can read XML, so feel free to post config samples that work on your side :wink:

Setup is a host with IP 10.0.0.* and a bunch of VMs on a virtual network 10.10.10.*. I want to ssh from the host to the VMs and access whatever http services are running on the VMs. The VMs need to talk to each other, of course. I would prefer having it all managed via libvirt, i.e. no manual (including yast) setup of a bridge or manual setup of firewall configs. Certainly not Virtualbox or Vmware.

For background info, the point of this is creating prod-like environments on dev laptops including prod VM OS and IPs. The VMs and also the network should be provisioned via the terraform libvirt provider. I already have the VM provisioning set up via terraform. The next stage would be to deploy a kubernetes cluster spanning the VMs, which is simple, and finally using helm to deploy apps and services to the cluster. In effect, there should be a small-scale local cluster matching the properties of the real cluster in the data center, albeit with much less available resources.
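The "hook system mentioned on the net" is libvirt's /etc/libvirt/hooks/qemu script, which libvirt runs with the guest name and operation as arguments. Below is an added example (mine, not posted by anyone in this thread) of the pieces a NAT-mode libvirt network needs for inbound access: the network definition libvirt creates and owns (no hand-made bridge), and a hook that inserts DNAT and FORWARD rules when a named guest starts and removes them when it stops. The guest name `web1`, guest IP 10.10.10.10, fixed MAC, and the port map are assumptions for illustration. Note that on a NAT network the host itself can already reach the guests directly through the bridge address 10.10.10.1; the DNAT rules are what other machines on the LAN need. The rules below match on destination port only; if the host's LAN interface is known, add `-i <iface>` to the PREROUTING rule so the forward is not reachable from every interface.

```shell
#!/bin/sh
# Added example: libvirt NAT network + qemu hook for inbound port forwarding.
# Install as /etc/libvirt/hooks/qemu (chmod +x, restart libvirtd).
# Assumed values (not from the thread): guest name, IP, MAC, port map.

GUEST_NAME="web1"
GUEST_IP="10.10.10.10"
# Pairs of host_port:guest_port to forward into the guest.
PORT_MAP="2222:22 8080:80"

# Network definition for "virsh net-define"; libvirt creates virbr10 itself
# and hands out a fixed lease so the DNAT target is stable.
net_xml() {
    cat <<'EOF'
<network>
  <name>devnet</name>
  <forward mode='nat'/>
  <bridge name='virbr10' stp='on' delay='0'/>
  <ip address='10.10.10.1' netmask='255.255.255.0'>
    <dhcp>
      <range start='10.10.10.100' end='10.10.10.200'/>
      <host mac='52:54:00:10:10:10' name='web1' ip='10.10.10.10'/>
    </dhcp>
  </ip>
</network>
EOF
}

# Print the iptables commands for one direction: "-I" inserts the rules
# (ahead of libvirt's own REJECT rules in FORWARD), "-D" deletes them.
# Printed, not executed, so the logic can be checked without root.
fw_rules() {
    action="$1"
    for pair in $PORT_MAP; do
        hport="${pair%%:*}"
        gport="${pair##*:}"
        # Rewrite traffic arriving at host:hport to guest:gport.
        echo "iptables -t nat $action PREROUTING -p tcp --dport $hport -j DNAT --to-destination $GUEST_IP:$gport"
        # Allow the rewritten packets through the FORWARD chain.
        echo "iptables $action FORWARD -d $GUEST_IP -p tcp --dport $gport -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT"
    done
}

# Hook entry point. libvirt invokes the script as:
#   /etc/libvirt/hooks/qemu <guest_name> <operation> <sub-operation> -
# "start" runs before the guest boots, "stopped" after it stops, and
# "reconnect" when libvirtd restarts while the guest is running.
hook_main() {
    guest="$1"
    op="$2"
    [ "$guest" = "$GUEST_NAME" ] || return 0
    case "$op" in
        stopped)   fw_rules -D | sh ;;
        start)     fw_rules -I | sh ;;
        reconnect) fw_rules -D | sh; fw_rules -I | sh ;;
    esac
}

# Only act when invoked by libvirt with arguments; sourcing or running the
# file without arguments just defines the functions above.
if [ "$#" -ge 2 ]; then
    hook_main "$@"
fi
```

To set the network up once: `net_xml > devnet.xml && virsh net-define devnet.xml && virsh net-autostart devnet && virsh net-start devnet`, then attach the guests' interfaces to network `devnet`. Because the rules are inserted with `-I`, they land before the REJECT rules libvirt adds for the bridge, which is why plain `-A` rules appended by hand never take effect.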

libvirt and wireless has always been a difficult issue.

Myself personally, nowadays I just choose a different virtualization technology (both VMware Player and Virtualbox are free and easy to set up).
But if you have a special reason to set up KVM or Xen…


  1. My personal favorite a while back was to set up a MacVtap connection, which is now much easier using libvirt vm-manager. It used to be an adventure but today is a main configuration in the Guest's networking properties (you configure a tap device connecting to a physical device). Note that, as you describe, this does not virtualize the network connection; it is direct access to the network device. This would actually be the preferred method if you needed direct physical access, e.g. network scanning in promiscuous mode.

  2. There are advantages to setting up virtualized networking using bridge devices. If you do so, you're not advised to hand-craft iptables; that's difficult. Better is to implement an arp proxy as described in the last comment in the following link. The higher-rated links have some interesting info, but don't lead to an easy solution. Note that parprouted was written back in 2008 and not updated since, which might be a security issue, but sometimes these kinds of things are so simple there's no attack surface to speak of. I have not reviewed the code, so YMMV.

  3. Although I recommend you configure a virtual network bridging device with an arp proxy, it's possible to do this without an arp proxy; the following describes how to simply issue arp commands… But I'd recommend you use the br0 device set up by YaST instead of creating the br device manually, and I'd recommend issuing the arp commands on boot by sysctl commands instead and adding entries to /etc/sysctl.conf. If this is unclear to you and you want to set this up, post your questions and I'll try to provide a more detailed answer.

Hope one of these options works for you,

Which will have the same problems with wireless interface as bridge has.

ipvlan/ipvtap may work with wireless though.

AFAIK (I never double-checked, just assumed that as later methods superseded older ones, functionality under the surface didn't change) when you configure a TAP connection in the Guest Network Properties, it uses MacVTap, which today is integrated by default in the Linux kernel. When I was doing this, I had to build the kernel module, load it and then configure access, which was an adventure but is not needed nowadays.

This should be different from and have no relationship with vlans.

If someone comes up with info that contradicts my assumptions, am always open to correction.


Thanks for the suggestions. I think I will try macvtap. I still need to figure out how to assign the net to VMs with terraform. The good thing is that I can create it from within libvirt. There is also a libvirt wiki page that suggests assigning a second interface to VMs with an isolated host/guest network. Fine with me as long as I can manage all the networks through libvirt. Let's see how this works out. I am not that much into networking because usually I just fill out a form and the data center guys place the VM in whatever network I need :slight_smile: . Still, this should be an interesting exercise.