Ubuntu KVM 4: Second Network Interface
Often you need to expose a second network interface in your virtual machines. Sometimes you have a second physical interface on the host; this is usually part of a private back-end network (with a private IP space). Other times you are using virtualization on a single host to isolate individual components; here you can create a second (virtual) bridge with no physical backing network.
Note: for these articles I'm going to assume a clean Ubuntu 14.04 Trusty server install with minimal extras (nano, htop, openssh-server, etc.) and/or the outcome of the previous articles.
Second Bridge on KVM Host
Physical Interface / Bridge
If you have two network cards, you need to set up a second bridge in /etc/network/interfaces, binding the second network port to the new bridge. Note that you must define all physical network ports before any bridges that use them.
/etc/network/interfaces before:
# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
auto em1
iface em1 inet manual

auto br0
iface br0 inet static
    address 10.1.1.11
    network 10.1.1.0
    netmask 255.255.255.0
    broadcast 10.1.1.255
    gateway 10.1.1.1
    dns-nameservers 10.1.1.1
    bridge_ports em1
    bridge_stp off
    bridge_fd 0
    bridge_maxwait 0
... after:
# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
auto em1
iface em1 inet manual

# The second network interface
auto em2
iface em2 inet manual

auto br0
iface br0 inet static
    address 10.1.1.11
    network 10.1.1.0
    netmask 255.255.255.0
    broadcast 10.1.1.255
    gateway 10.1.1.1
    dns-nameservers 10.1.1.1
    bridge_ports em1
    bridge_stp off
    bridge_fd 0
    bridge_maxwait 0

auto br1
iface br1 inet static
    address 10.1.11.1
    network 10.1.11.0
    netmask 255.255.255.0
    broadcast 10.1.11.255
    bridge_ports em2
    bridge_stp off
    bridge_fd 0
    bridge_maxwait 0
Note that the network details (address, network, broadcast) of br1 are on a different subnet from br0. After rebooting, or reloading the network system, you will have a second bridge for assigning to your KVM guests.
Second Virtual Bridge
If you do not have a second physical interface, you can still make a private virtual network for your guest OSes. For this I will be using virsh's built-in networking. Note that this will only work for you if you still have KVM's "default" network, or if you create another one using virsh net-create.
virsh net-edit default before:
<network>
  <name>default</name>
  <uuid>7f62750f-ff4b-4fc0-8397-278d41ea0127</uuid>
  <forward mode='nat'/>
  <bridge name='virbr0' stp='on' delay='0'/>
  <ip address='192.168.122.1' netmask='255.255.255.0'>
    <dhcp>
      <range start='192.168.122.2' end='192.168.122.254'/>
    </dhcp>
  </ip>
</network>
... after:
<network>
  <name>default</name>
  <uuid>7f62750f-ff4b-4fc0-8397-278d41ea0127</uuid>
  <bridge name='virbr0' stp='off' delay='0'/>
  <ip address='10.1.11.1' netmask='255.255.255.0'>
  </ip>
</network>
Obviously this is just an example, and your network details will be different. I don't find it necessary to run DHCP on my private network (I'm going to be setting up the guest interface by hand anyway). Likewise, I do not need this interface to have outside connectivity (hence the removed <forward /> node), as all of my guests will also have a 'public' side interface.
Second Guest Interface
Edit your guest configuration (virsh edit <guest>) to add an <interface /> child node to the main <devices /> node. In practice, duplicate the node for your main network interface and change the 'source', 'mac', and 'slot' values. Here is an example (the source bridge will be either br1 or virbr0, depending on which of the two setups above you used):
<interface type='bridge'>
  <mac address='52:54:00:03:fc:ff'/>
  <source bridge='virbr0'/>
  <model type='virtio'/>
  <address type='pci' domain='0x0000' bus='0x00' slot='0x05' function='0x0'/>
</interface>
Your 'slot' needs to be unique within your guest's configuration file. The MAC address needs to be unique within the network's scope. You will need to reboot the guest OS and set up the second interface. (Note that in either case this will appear to the guest as a 'physical' device.)
Having a second private network, in both simulation and practice, is very useful. If you run a service like MySQL you can bind it to the second network's address and accept connections only from 'your' private network. Likewise, you can unburden your 'public' interfaces from traffic that would otherwise compete with your 'public' services. Generally, the private network side will be cheaper, faster, and more secure.