Ubuntu KVM 4: Second Network Interface
Often you need to expose a second network interface in your virtual machines. Sometimes the host itself has a second physical interface, usually attached to a private back-end network (with private IP space). Other times you are using virtualization on a single host to isolate individual components; there you can create a second (virtual) bridge with no physical network behind it.
Note: for these articles I'm going to assume a clean Ubuntu 14.04 Trusty server install with minimal extras (nano, htop, openssh-server etc.) and/or the outcome of previous articles.
Second Bridge on KVM Host
Physical Interface / Bridge
If you have two network cards, you need to set up a second bridge in /etc/network/interfaces, binding the second network port to the new bridge. Note: take extra care to define all physical network ports before any bridges.
/etc/network/interfaces before:

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
auto em1
iface em1 inet manual

auto br0
iface br0 inet static
    address 10.1.1.11
    network 10.1.1.0
    netmask 255.255.255.0
    broadcast 10.1.1.255
    gateway 10.1.1.1
    dns-nameservers 10.1.1.1
    bridge_ports em1
    bridge_stp off
    bridge_fd 0
    bridge_maxwait 0
/etc/network/interfaces after:

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
auto em1
iface em1 inet manual

# The second network interface
auto em2
iface em2 inet manual

auto br0
iface br0 inet static
    address 10.1.1.11
    network 10.1.1.0
    netmask 255.255.255.0
    broadcast 10.1.1.255
    gateway 10.1.1.1
    dns-nameservers 10.1.1.1
    bridge_ports em1
    bridge_stp off
    bridge_fd 0
    bridge_maxwait 0

auto br1
iface br1 inet static
    address 10.1.11.1
    network 10.1.11.0
    netmask 255.255.255.0
    broadcast 10.1.11.255
    bridge_ports em2
    bridge_stp off
    bridge_fd 0
    bridge_maxwait 0
You will note that the network details for br1 are distinctly different from those of br0 (a separate subnet, and no gateway). After rebooting, or reloading the networking service, you will have a second bridge to assign to your KVM guests.
Second Virtual Bridge
If you do not have a second physical interface, you can still make a private virtual network for your guest OSes. For this I will be using virsh's built-in networking. Note that this will only work for you if you still have KVM's "default" network, or if you create another one using virsh net-create.
virsh net-edit default before:
<network>
  <name>default</name>
  <uuid>7f62750f-ff4b-4fc0-8397-278d41ea0127</uuid>
  <forward mode='nat'/>
  <bridge name='virbr0' stp='on' delay='0'/>
  <ip address='192.168.122.1' netmask='255.255.255.0'>
    <dhcp>
      <range start='192.168.122.2' end='192.168.122.254'/>
    </dhcp>
  </ip>
</network>
virsh net-edit default after:

<network>
  <name>default</name>
  <uuid>7f62750f-ff4b-4fc0-8397-278d41ea0127</uuid>
  <bridge name='virbr0' stp='off' delay='0'/>
  <ip address='10.1.11.1' netmask='255.255.255.0'>
  </ip>
</network>
Obviously this is just an example, and your network details will be different. I don't find it necessary to run DHCP on my private network (I'm going to be setting up the guest interface by hand anyway). Likewise, I do not need this interface to have outside connectivity (the <forward /> node), as all of my guests will also have a 'public' side interface.
Second Guest Interface
Edit your guest configuration to add an <interface /> child node under the main <devices /> node. In practice you duplicate your existing network interface definition and change the 'source', 'mac' and 'slot' values. Here is an example (the source bridge will be either br1 or virbr0, depending on which of the two setups above you used):
<interface type='bridge'>
  <mac address='52:54:00:03:fc:ff'/>
  <source bridge='virbr0'/>
  <model type='virtio'/>
  <address type='pci' domain='0x0000' bus='0x00' slot='0x05' function='0x0'/>
</interface>
Your 'slot' needs to be unique within your guest's configuration file. The MAC address needs to be unique within the network's scope. You will then need to reboot the guest OS and set up the second interface from inside it. (In either case the interface will appear to the guest as a 'physical' device.)
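The two uniqueness rules above are easy to get wrong when copying interface blocks between guests, so here is an added checker (not part of the original article, and not a libvirt tool) that parses guest definitions with Python's standard xml.etree and flags a PCI slot reused inside one guest, a MAC reused on the same bridge across guests, and a source bridge that is not one you expect. The two guest definitions are constructed samples; guest-b deliberately violates both rules.

```python
import xml.etree.ElementTree as ET

# Constructed sample guest definitions, not real domains. guest-a follows the
# article's layout; guest-b reuses guest-a's private-side MAC on the same
# bridge and repeats a PCI slot, so it should trip both uniqueness rules.
GUEST_A = """<domain type='kvm'><name>guest-a</name><devices>
<interface type='bridge'><mac address='52:54:00:03:fc:fe'/><source bridge='br0'/>
<model type='virtio'/><address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/></interface>
<interface type='bridge'><mac address='52:54:00:03:fc:ff'/><source bridge='virbr0'/>
<model type='virtio'/><address type='pci' domain='0x0000' bus='0x00' slot='0x05' function='0x0'/></interface>
</devices></domain>"""
GUEST_B = """<domain type='kvm'><name>guest-b</name><devices>
<interface type='bridge'><mac address='52:54:00:aa:bb:01'/><source bridge='br0'/>
<model type='virtio'/><address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/></interface>
<interface type='bridge'><mac address='52:54:00:03:FC:FF'/><source bridge='virbr0'/>
<model type='virtio'/><address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/></interface>
</devices></domain>"""


def check_guest_interfaces(domain_xmls, allowed_bridges=("br0", "br1", "virbr0")):
    """Return a sorted list of problems found in the <interface> nodes.

    A PCI slot must be unique inside one guest; a MAC must be unique on the
    network it attaches to (here: per source bridge, across all guests given).
    A bridge outside allowed_bridges is flagged so a guest is never silently
    attached to the wrong (e.g. public instead of private) network."""
    problems = []
    macs_on_bridge = {}  # (bridge, mac) -> name of the guest that uses it
    for xml in domain_xmls:
        dom = ET.fromstring(xml)
        name = dom.findtext("name")
        slots_in_guest = set()
        for iface in dom.findall("./devices/interface"):
            if iface.get("type") != "bridge":
                continue  # only bridge-backed NICs are covered here
            mac = iface.find("mac").get("address").lower()  # normalise case
            bridge = iface.find("source").get("bridge")
            a = iface.find("address")
            slot = (a.get("bus"), a.get("slot"), a.get("function"))
            if bridge not in allowed_bridges:
                problems.append(f"{name}: unknown bridge {bridge}")
            if slot in slots_in_guest:
                problems.append(f"{name}: duplicate PCI slot {slot[1]}")
            slots_in_guest.add(slot)
            if (bridge, mac) in macs_on_bridge:
                owner = macs_on_bridge[(bridge, mac)]
                problems.append(f"{name}: MAC {mac} on {bridge} already used by {owner}")
            else:
                macs_on_bridge[(bridge, mac)] = name
    return sorted(problems)
```

To check real guests, feed it the output of virsh dumpxml for each domain instead of the constructed strings.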
Having a second private network in both simulation and practice is very useful. If you have a service like MySQL you can bind it to the second network and only accept connections coming from 'your' private network. Likewise, you can unburden your 'public' interfaces from traffic that might compete with your 'public' services. Generally, the private network side will be cheaper, faster, and more secure.