VirtManager: Difference between revisions
Revision as of 13 October 2019, 10:45
Links
- virsh command: https://docs.fedoraproject.org/de-DE/Fedora/12/html/Virtualization_Guide/chap-Virtualization_Guide-Managing_guests_with_virsh.html
- FirewallD
- virsh reference: https://libvirt.org/sources/virshcmdref/html-single
Description
VirtManager is a program for managing virtual machines (KVM guests) through a graphical interface. Everything below uses its command-line counterpart, virsh, which talks to the same libvirt daemon.
Commands
<pre>
# show the guests:
virsh list
# start the VM alfa:
virsh start alfa
# stop the VM alfa (this is a hard power-off; "virsh shutdown alfa" asks the guest to shut down cleanly):
virsh destroy alfa
# enable autostart:
virsh autostart alfa
# list the virtual networks:
virsh net-list
# create a guest; pick the --os-variant that matches the ISO ("osinfo-query os" lists the names)
virt-install --name=alfa --vcpus=4 --memory=1024 \
  --cdrom=/opt/iso/debian-10.1.0-amd64-netinst.iso \
  --disk path=/media/vm-images/vm-alfa,size=20 \
  --os-type=Linux --os-variant=debian8
</pre>
Setting up the network between host and VMs
The problem is described [here].
<pre>
NETNAME=vmnet
cat <<EOS >/tmp/$NETNAME.xml
<network>
  <name>$NETNAME</name>
  <ip address='10.10.10.1' netmask='255.0.0.0'>
    <dhcp>
      <range start='10.10.10.20' end='10.10.10.99' />
    </dhcp>
  </ip>
</network>
EOS
virsh net-define /tmp/$NETNAME.xml
virsh net-autostart $NETNAME
virsh net-start $NETNAME
# list all networks:
virsh net-list
</pre>
Two things to check in this definition: netmask='255.0.0.0' makes the host route the whole of 10.0.0.0/8 into the VM bridge, which shadows any 10.x address on the LAN; 255.255.255.0 matches the 10.10.10.x DHCP range (and the /24 the NAT section below uses). And a <network> without a <forward> element is isolated: guests reach the host and each other, but nothing beyond the host.
<pre>
# list the names of the running virtual machines:
virsh list
# for every guest:
virsh edit $guestname
</pre>
Add an interface attached to the network (write the real network name instead of $NETNAME; virsh edit does not expand shell variables):
<pre>
<interface type='network'>
  <source network='$NETNAME'/>
  <model type='virtio'/>  <!-- this line is optional -->
</interface>
</pre>
Configuring DHCP
<pre>
virsh net-list
virsh net-edit $NETWORK_NAME
</pre>
* adjust the following sequence:
<pre>
<dhcp>
  <range start='10.10.10.10' end='10.10.10.99'/>
  <host mac='52:54:00:6c:3c:01' name='vm100' ip='10.10.10.100'/>
  <host mac='52:54:00:6c:3c:02' name='vm101' ip='10.10.10.101'/>
</dhcp>
</pre>
- the changes are then stored in /etc/libvirt/qemu/networks/$NETWORK_NAME.xml (generated by libvirt; change it through virsh, not by hand)
- net-edit only changes the saved definition; the running network keeps the old one until it is restarted or net-update is used
<pre>
# notify the DHCP service (activate the changes):
killall -s SIGHUP dnsmasq
# if that is not enough. Caution: all VMs in this network go offline and may need a reboot
virsh net-destroy $NETWORK_NAME
virsh net-start $NETWORK_NAME
</pre>
killall signals every dnsmasq on the host, not only the instance libvirt runs for this network, and a SIGHUP makes dnsmasq re-read its host files but not its configuration.
- adding a reservation while the network is running (no restart; --live changes the running network, --config the saved definition):
<pre>
# IPv4: --parent-index 0 selects the first <ip> element of the network
virsh net-update $NETWORK_NAME add-last ip-dhcp-host \
  '<host mac="52:54:00:6f:78:f3" ip="10.10.10.101"/>' \
  --live --config --parent-index 0
</pre>
The address must not already be reserved for another MAC in the same network.
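The network definition and the DHCP reservations above are written by hand, and libvirt accepts a definition whose parts contradict each other (a reservation inside the dynamic range, a MAC reserved twice, a netmask that swallows the LAN). The following Python script is an added example and not part of the original page or of libvirt: it renders the <network> XML for virsh net-define from the same values the page uses and refuses inconsistent input. The rule that a VM subnet larger than a /16 is reported as a problem is an assumption of this example.

```python
import ipaddress
import re
import xml.etree.ElementTree as ET

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")
# Assumption of this example: a VM subnet larger than a /16 is almost certainly a netmask typo.
MIN_PREFIXLEN = 16


def validate_network(address, netmask, dhcp_start, dhcp_end, hosts=()):
    """Return the list of problems in a libvirt <network> definition (empty if consistent).

    hosts: iterable of (mac, hostname, ip) tuples, the <host .../> reservations of the
    <dhcp> block. All arguments are strings exactly as they appear in the XML.
    """
    problems = []
    net = ipaddress.ip_network(f"{address}/{netmask}", strict=False)
    gw = ipaddress.ip_address(address)
    start = ipaddress.ip_address(dhcp_start)
    end = ipaddress.ip_address(dhcp_end)
    if net.prefixlen < MIN_PREFIXLEN:
        problems.append(f"netmask {netmask} routes all of {net} into the VM bridge")
    if not (start in net and end in net and start <= end):
        problems.append(f"dynamic range {start}-{end} is not inside {net}")
    elif start <= gw <= end:
        problems.append(f"gateway {gw} lies inside the dynamic range")
    seen_macs, seen_ips = set(), set()
    for mac, hostname, ip in hosts:
        mac = mac.lower()
        if not MAC_RE.match(mac):
            problems.append(f"{hostname}: malformed MAC {mac!r}")
            continue
        first_octet = int(mac[:2], 16)
        if first_octet & 0x01:          # I/G bit set: group (multicast) address
            problems.append(f"{hostname}: {mac} is a multicast MAC")
        if not first_octet & 0x02:      # U/L bit clear: not locally administered
            problems.append(f"{hostname}: {mac} is not locally administered (use 52:54:00:xx:xx:xx)")
        addr = ipaddress.ip_address(ip)
        if addr not in net or addr == gw or addr == net.broadcast_address:
            problems.append(f"{hostname}: {addr} is not a usable guest address in {net}")
        elif start <= addr <= end:
            problems.append(f"{hostname}: {addr} collides with the dynamic range")
        if mac in seen_macs:
            problems.append(f"{hostname}: MAC {mac} is reserved twice")
        if addr in seen_ips:
            problems.append(f"{hostname}: IP {addr} is reserved twice")
        seen_macs.add(mac)
        seen_ips.add(addr)
    return problems


def build_network_xml(name, address, netmask, dhcp_start, dhcp_end, hosts=()):
    """Render the <network> definition for `virsh net-define`; raises on inconsistent input."""
    problems = validate_network(address, netmask, dhcp_start, dhcp_end, hosts)
    if problems:
        raise ValueError("; ".join(problems))
    root = ET.Element("network")
    ET.SubElement(root, "name").text = name
    # No <forward> element: an isolated network, like the page's vmnet.
    ip_el = ET.SubElement(root, "ip", address=address, netmask=netmask)
    dhcp = ET.SubElement(ip_el, "dhcp")
    ET.SubElement(dhcp, "range", start=dhcp_start, end=dhcp_end)
    for mac, hostname, ip in hosts:
        ET.SubElement(dhcp, "host", mac=mac.lower(), name=hostname, ip=ip)
    return ET.tostring(root, encoding="unicode")


def reservations_in(network_xml):
    """Parse a network definition back into (mac, name, ip) tuples, e.g. from virsh net-dumpxml."""
    root = ET.fromstring(network_xml)
    return [(h.get("mac"), h.get("name"), h.get("ip")) for h in root.iter("host")]


# Constructed sample: the page's two reservations.
VMNET_HOSTS = [
    ("52:54:00:6c:3c:01", "vm100", "10.10.10.100"),
    ("52:54:00:6c:3c:02", "vm101", "10.10.10.101"),
]

if __name__ == "__main__":
    print(build_network_xml("vmnet", "10.10.10.1", "255.255.255.0",
                            "10.10.10.10", "10.10.10.99", VMNET_HOSTS))
    # The page's original netmask is reported as a problem:
    print(validate_network("10.10.10.1", "255.0.0.0", "10.10.10.20", "10.10.10.99"))
```

Write the returned string to a file and pass it to virsh net-define; reservations_in runs on the output of virsh net-dumpxml to check what libvirt actually holds.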
Miscellaneous
Spice access to a VM
- virsh edit alfa
<pre>
<domain type='kvm'>
  <name>fedora25</name>
  <uuid>ae4e5582-492a-4292-8da2-48320a7816e6</uuid>
  <memory unit='KiB'>4194304</memory>
  <currentMemory unit='KiB'>4194304</currentMemory>
  <vcpu placement='static'>2</vcpu>
  <devices>
    <graphics type='spice' port='5900' autoport='no' listen='0.0.0.0' passwd='password'>
      <listen type='address' address='0.0.0.0'/>
    </graphics>
    <sound model='ac97'>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x07' function='0x0'/>
    </sound>
    <video>
      <model type='qxl' ram='65536' vram='32768' heads='1'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x0'/>
    </video>
    <memballoon model='virtio'>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x05' function='0x0'/>
    </memballoon>
  </devices>
</domain>
</pre>
listen='0.0.0.0' exposes the console on every interface of the host, and the passwd attribute is kept in clear text in the domain XML, visible to anyone who can run virsh dumpxml. The SPICE password only protects the session setup; without a tlsPort the display, keyboard and clipboard traffic crosses the network unencrypted. On a host that sits on a shared LAN, listen on 127.0.0.1 and reach the console through an SSH tunnel, or configure tlsPort and restrict port 5900 in the host firewall.
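A quick way to find consoles configured like the one above across all guests is to take the output of virsh dumpxml for each guest and inspect its <graphics> elements. The following Python check is an added example and not part of the page or of libvirt; the sample XML is the page's definition reduced to the relevant elements, while the hardened variant and the 12-character password threshold are assumptions of this example.

```python
import xml.etree.ElementTree as ET

LOOPBACK = {"127.0.0.1", "::1", "localhost"}
MIN_PASSWD_LEN = 12   # assumption of this example


def audit_graphics(domain_xml):
    """Return findings for every <graphics> device in one domain's XML (virsh dumpxml output)."""
    root = ET.fromstring(domain_xml)
    name = root.findtext("name", default="?")
    findings = []
    for g in root.iter("graphics"):
        gtype = g.get("type", "?")
        # Listen addresses come from the legacy listen= attribute and/or <listen type='address'>.
        addrs = {g.get("listen")}
        addrs |= {l.get("address") for l in g.findall("listen") if l.get("type") == "address"}
        addrs.discard(None)
        exposed = sorted(a for a in addrs if a not in LOOPBACK)
        if exposed:
            findings.append(f"{name}: {gtype} console listens on {', '.join(exposed)}, reachable from the network")
            if gtype == "spice" and g.get("tlsPort") is None:
                findings.append(f"{name}: spice is exposed without tlsPort, the session is unencrypted")
        passwd = g.get("passwd")
        if passwd is not None:
            findings.append(f"{name}: {gtype} password is stored in clear text in the domain XML")
            if len(passwd) < MIN_PASSWD_LEN:
                findings.append(f"{name}: {gtype} password is only {len(passwd)} characters long")
        elif exposed:
            findings.append(f"{name}: {gtype} console is exposed without any password")
    return findings


# Constructed sample: the page's fedora25 definition, reduced to the relevant elements.
PAGE_DOMAIN = """<domain type='kvm'>
  <name>fedora25</name>
  <devices>
    <graphics type='spice' port='5900' autoport='no' listen='0.0.0.0' passwd='password'>
      <listen type='address' address='0.0.0.0'/>
    </graphics>
  </devices>
</domain>"""

# Hardened variant (assumed): loopback only, no stored password; reach it through an SSH tunnel.
HARDENED_DOMAIN = """<domain type='kvm'>
  <name>fedora25</name>
  <devices>
    <graphics type='spice' port='5900' autoport='no' listen='127.0.0.1'>
      <listen type='address' address='127.0.0.1'/>
    </graphics>
  </devices>
</domain>"""

if __name__ == "__main__":
    import sys
    # Pipe "virsh dumpxml <guest>" into the script, or run it without input for the sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else PAGE_DOMAIN
    for finding in audit_graphics(text):
        print(finding)
```

Running it over every guest is a loop over virsh list --all --name piped through virsh dumpxml; a guest with no findings has its console bound to loopback, which is the state to aim for on a shared network.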
NAT with "Routed network"
Despite the heading, what this builds is a NAT network (the libvirt equivalent is <forward mode='nat'/>); a routed network in libvirt terms (<forward mode='route'/>) forwards the guests' own addresses without masquerading.
<pre>
# generate a MAC (the 52:54:00 prefix is locally administered and reserved for QEMU/KVM guests):
ADDR=$(hexdump -vn3 -e '/3 "52:54:00"' -e '/1 ":%02x"' -e '"\n"' /dev/urandom)
# e.g. 52:54:00:7e:27:af
BRIDGE=virbr10
IP_PREFIX=10.10.10
# Create a dummy interface carrying that MAC and a bridge on top of it;
# the dummy keeps the bridge's MAC stable and cannot share the bridge's name
ip link add ${BRIDGE}-nic address $ADDR type dummy
brctl addbr $BRIDGE
brctl addif $BRIDGE ${BRIDGE}-nic
brctl stp $BRIDGE on
ip address add $IP_PREFIX.1/24 dev $BRIDGE broadcast $IP_PREFIX.255
ip link set ${BRIDGE}-nic up
ip link set $BRIDGE up
# Without forwarding the host drops everything the VMs send to other networks
sysctl -w net.ipv4.ip_forward=1
# Implement NAT with iptables. The heredocs are unquoted so that $IP_PREFIX and $BRIDGE
# expand; that also means backticks in the comments would be executed, so none are used.
FN_NAT=/tmp/nat.rules
cat <<EOS >$FN_NAT
# This format is understood by iptables-restore. See "man iptables-restore".
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Do not masquerade to these reserved address blocks.
-A POSTROUTING -s $IP_PREFIX.0/24 -d 224.0.0.0/24 -j RETURN
-A POSTROUTING -s $IP_PREFIX.0/24 -d 255.255.255.255/32 -j RETURN
# Masquerade all packets going from VMs to the LAN/Internet.
-A POSTROUTING -s $IP_PREFIX.0/24 ! -d $IP_PREFIX.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s $IP_PREFIX.0/24 ! -d $IP_PREFIX.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s $IP_PREFIX.0/24 ! -d $IP_PREFIX.0/24 -j MASQUERADE
COMMIT
EOS
FN_FILTER=/tmp/filter.rules
cat <<EOS >$FN_FILTER
# This format is understood by iptables-restore. See "man iptables-restore".
*filter
# These lines set the chain policies: if the host runs with DROP policies, keep them here,
# otherwise loading this file opens the chains.
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
#... snipped ...
# Allow established traffic to the private subnet.
-A FORWARD -d $IP_PREFIX.0/24 -o $BRIDGE -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# Allow outbound traffic from the private subnet.
-A FORWARD -s $IP_PREFIX.0/24 -i $BRIDGE -j ACCEPT
# Allow traffic between virtual machines.
-A FORWARD -i $BRIDGE -o $BRIDGE -j ACCEPT
# Reject everything else that enters or leaves the bridge, i.e. unsolicited connections
# from the LAN to the VMs and VM packets with a source address outside the subnet.
-A FORWARD -i $BRIDGE -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -o $BRIDGE -j REJECT --reject-with icmp-port-unreachable
#... snipped ...
COMMIT
EOS
# Load both tables without flushing the rules that are already present (-n = --noflush)
iptables-restore -n < $FN_NAT
iptables-restore -n < $FN_FILTER
</pre>
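The effect of the FORWARD and POSTROUTING rules is easiest to see by walking a few packets through them in the order the file lists them. The following Python model is an added example and not code from the page: it re-implements the matching of the rules above for BRIDGE=virbr10 and 10.10.10.0/24, with eth0 as an assumed uplink name and the addresses in the scenarios constructed for illustration. It shows what the rule set guarantees: only packets that arrive on the bridge with a 10.10.10.x source may leave it, only reply traffic gets back in, and a packet that pairs the wrong interface with the wrong subnet is rejected in either direction.

```python
import ipaddress
from dataclasses import dataclass

# Values from the page's script; LAN_IF is an assumed uplink name.
BRIDGE = "virbr10"
VM_NET = ipaddress.ip_network("10.10.10.0/24")
LAN_IF = "eth0"
MCAST_LOCAL = ipaddress.ip_network("224.0.0.0/24")
BROADCAST = ipaddress.ip_address("255.255.255.255")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    in_if: str
    out_if: str
    ctstate: str = "NEW"   # NEW, ESTABLISHED or RELATED, as conntrack would classify it
    proto: str = "tcp"


def forward_verdict(p):
    """Walk the page's FORWARD rules in order; "POLICY" means no rule matched and the
    chain policy (ACCEPT in the page's file header) decides."""
    src, dst = ipaddress.ip_address(p.src), ipaddress.ip_address(p.dst)
    # -A FORWARD -d VM_NET -o BRIDGE -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    if dst in VM_NET and p.out_if == BRIDGE and p.ctstate in ("RELATED", "ESTABLISHED"):
        return "ACCEPT"
    # -A FORWARD -s VM_NET -i BRIDGE -j ACCEPT
    if src in VM_NET and p.in_if == BRIDGE:
        return "ACCEPT"
    # -A FORWARD -i BRIDGE -o BRIDGE -j ACCEPT
    if p.in_if == BRIDGE and p.out_if == BRIDGE:
        return "ACCEPT"
    # -A FORWARD -i BRIDGE -j REJECT  /  -A FORWARD -o BRIDGE -j REJECT
    if p.in_if == BRIDGE or p.out_if == BRIDGE:
        return "REJECT"
    return "POLICY"


def postrouting_verdict(p):
    """Walk the page's nat POSTROUTING rules; returns RETURN, a MASQUERADE target or POLICY."""
    src, dst = ipaddress.ip_address(p.src), ipaddress.ip_address(p.dst)
    if src not in VM_NET:
        return "POLICY"
    if dst in MCAST_LOCAL or dst == BROADCAST:
        return "RETURN"
    if dst not in VM_NET:
        # tcp and udp hit the rules with an explicit source-port range first
        return "MASQUERADE --to-ports 1024-65535" if p.proto in ("tcp", "udp") else "MASQUERADE"
    return "POLICY"


def scenarios():
    """Constructed packets; returns {label: (FORWARD verdict, POSTROUTING verdict)}."""
    cases = {
        "vm to internet (new)": Packet("10.10.10.50", "203.0.113.10", BRIDGE, LAN_IF),
        "vm ping to internet": Packet("10.10.10.50", "203.0.113.10", BRIDGE, LAN_IF, proto="icmp"),
        "reply to vm (established)": Packet("203.0.113.10", "10.10.10.50", LAN_IF, BRIDGE, "ESTABLISHED"),
        "lan host to vm (unsolicited)": Packet("192.168.1.7", "10.10.10.50", LAN_IF, BRIDGE),
        "vm to vm": Packet("10.10.10.50", "10.10.10.51", BRIDGE, BRIDGE),
        "lan spoofs vm subnet": Packet("10.10.10.9", "10.10.10.50", LAN_IF, BRIDGE),
        "vm spoofs lan address": Packet("192.168.1.200", "203.0.113.10", BRIDGE, LAN_IF),
        "vm broadcast": Packet("10.10.10.50", "255.255.255.255", BRIDGE, LAN_IF),
    }
    return {label: (forward_verdict(p), postrouting_verdict(p)) for label, p in cases.items()}


if __name__ == "__main__":
    for label, (fwd, nat) in scenarios().items():
        print(f"{label:32} FORWARD={fwd:7} POSTROUTING={nat}")
```

Two caveats the model makes visible: traffic between two guests on the same bridge only traverses FORWARD when bridge-nf-call-iptables is enabled (br_netfilter), otherwise the -i/-o $BRIDGE rule is never consulted for it; and a packet that touches neither interface ends in POLICY, which the file header sets to ACCEPT, so the rules hidden behind "... snipped ..." decide what the host forwards between its other interfaces.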