虚拟机网络管理
QEMU-KVM 网络概述
支持的网络模式
-
NAT
- 此为virt-install的默认模式,使用的是IP伪装 而不是 SNAT 或 DNAT
- 使用宿主机的IP与外界通信,从而实现实现虚拟机访问外网,而外网无法访问虚拟机
- 此模式下启动会产生很多iptables规则,请小心。如果 iptables 规则出现问题,您的虚拟机可能会停止正常通信。
-
Bridge
- 自定义网桥模式
-
直接分配物理网络设备
- 包括VT-d 和 SR-IOV,性能最好
-
自定义网络
虚拟机的网卡设备
-
RTL8139、e1000、…
-
virtio 生产中常用,性能最好
-
查看qemu-kvm支持的网卡型号:
-
[root@centos-kvm ~]# /usr/libexec/qemu-kvm -net nic,model=? Supported NIC models: e1000 e1000e rtl8139 virtio-net-pci virtio-net-pci-non-transitional virtio-net-pci-transitional
-
—
QEMU 与 tap 设备
- qemu 启动时通过 qemu -netdev tap 指定 tap 设备
如图中所示,红色箭头表示数据报文的入方向,步骤:
-
网络数据从 Host 上的物理网卡接收,到达网桥;
-
由于 eth0 与 tap1 均加入网桥中,根据二层转发原则,br0 将数据从 tap1 口转发出去,即数据由 Tap设备接收;
-
Tap 设备通知对应的 fd 数据可读;
-
fd 的读动作通过 tap 设备的字符设备驱动将数据拷贝到用户空间,完成数据报文的前端接收。
—
KVM默认网络配置
- 默认为NAT模式,相当于wmware workstation的NAT模式
- NAT模式不适用与生产环境
DHCP
- 默认宿主机安装了dnsmasp包来提供DHCP服务
#查看默认安装的dnsmasp包
[root@centos-kvm ~]# rpm -q dnsmasq
dnsmasq-2.79-13.el8.x86_64
#默认的dnsmasp配置文件,由libvirt自动创建
[root@centos-kvm ~]# cat /var/lib/libvirt/dnsmasq/default.conf
##WARNING: THIS IS AN AUTO-GENERATED FILE. CHANGES TO IT ARE LIKELY TO BE
##OVERWRITTEN AND LOST. Changes to this configuration should be made using:
## virsh net-edit default
## or other application using the libvirt API.
##
## dnsmasq conf file created by libvirt
strict-order
pid-file=/run/libvirt/network/default.pid
except-interface=lo
bind-dynamic
interface=virbr0
dhcp-range=192.168.122.2,192.168.122.254,255.255.255.0 #可以修改地址范围等信息
dhcp-no-override
dhcp-authoritative
dhcp-lease-max=253
dhcp-hostsfile=/var/lib/libvirt/dnsmasq/default.hostsfile
addn-hosts=/var/lib/libvirt/dnsmasq/default.addnhostsBridge
- 相当于wmware workstation的Vmnet8网桥
虚拟机未开启时网桥状态
- 无任何虚拟机开启时,默认会生成一个 virbr0 的网桥,并且有一个virbr0-nic的网卡桥接到virbr0网桥上
#查看网桥状态
[root@centos-kvm ~]# brctl show
bridge name bridge id STP enabled interfaces
virbr0 8000.525400ef6aec yes virbr0-nic
#查看哪些设备加入到了virbr0网桥
[root@centos-kvm ~]# ip link show master virbr0
5: virbr0-nic: <BROADCAST,MULTICAST> mtu 1500 qdisc fq_codel master virbr0 state DOWN mode DEFAULT group default qlen 1000
link/ether 52:54:00:ef:6a:ec brd ff:ff:ff:ff:ff:ff
#查看所有桥接网卡信息及对应网桥
[root@centos-kvm ~]# bridge link show
5: virbr0-nic: <BROADCAST,MULTICAST> mtu 1500 master virbr0 state disabled priority 32 cost 100
# ip a
...
4: virbr0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default qlen 1000
link/ether 52:54:00:ef:6a:ec brd ff:ff:ff:ff:ff:ff
inet 192.168.122.1/24 brd 192.168.122.255 scope global virbr0
valid_lft forever preferred_lft forever
5: virbr0-nic: <BROADCAST,MULTICAST> mtu 1500 qdisc fq_codel master virbr0 state DOWN group default qlen 1000
link/ether 52:54:00:ef:6a:ec brd ff:ff:ff:ff:ff:ff图解
虚拟机开启后网桥状态
- 开启虚拟机后,会按照顺序依次生成vnet0(1、2、3…) 的临时虚拟网卡,同样桥接到virbr0的网桥上
#查看网桥状态
[root@centos-kvm ~]# brctl show
bridge name bridge id STP enabled interfaces
virbr0 8000.525400ef6aec yes virbr0-nic
vnet0
#查看virbr0网桥的网络状态,可以看到virbr0-nic 和 vnet0这两块网卡以及桥接到virbr0网桥上了
[root@centos-kvm ~]# ip link show master virbr0
5: virbr0-nic: <BROADCAST,MULTICAST> mtu 1500 qdisc fq_codel master virbr0 state DOWN mode DEFAULT group default qlen 1000
link/ether 52:54:00:ef:6a:ec brd ff:ff:ff:ff:ff:ff
8: vnet0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel master virbr0 state UNKNOWN mode DEFAULT group default qlen 1000
link/ether fe:54:00:aa:fc:1c brd ff:ff:ff:ff:ff:ff
#查看所有桥接网卡信息及对应网桥
[root@centos-kvm ~]# bridge link show
5: virbr0-nic: <BROADCAST,MULTICAST> mtu 1500 master virbr0 state disabled priority 32 cost 100
8: vnet0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 master virbr0 state forwarding priority 32 cost 100图解
iptables
- 以下规则由libvirtd服务启动时自动生成,从而实现SNAT,即内网访问外网,而外网无法访问内网
[root@centos-kvm ~]# iptables -vnL -t nat
...
Chain LIBVIRT_PRT (1 references)
pkts bytes target prot opt in out source destination
0 0 RETURN all -- * * 192.168.122.0/24 224.0.0.0/24
0 0 RETURN all -- * * 192.168.122.0/24 255.255.255.255
0 0 MASQUERADE tcp -- * * 192.168.122.0/24 !192.168.122.0/24 masq ports: 1024-65535
0 0 MASQUERADE udp -- * * 192.168.122.0/24 !192.168.122.0/24 masq ports: 1024-65535
0 0 MASQUERADE all -- * * 192.168.122.0/24 !192.168.122.0/24默认虚拟机与外界通信
环境
KVM1
-
宿主机:
- eth0:10.0.0.8 VMnet8 NAT
-
虚拟机:
-
[root@centos-kvm1 ~]# virsh list Id Name State ------------------------- 1 centos7 running [root@centos-kvm1 ~]# virsh domiflist centos7 Interface Type Source Model MAC ------------------------------------------------------------- vnet0 network default virtio 52:54:00:aa:fc:1c [root@centos-kvm1 ~]# virsh domifaddr centos7 Name MAC address Protocol Address ------------------------------------------------------------------------------- vnet0 52:54:00:aa:fc:1c ipv4 192.168.122.208/24 [root@centos-kvm1 ~]# ip a 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo valid_lft forever preferred_lft forever inet6 ::1/128 scope host valid_lft forever preferred_lft forever 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000 link/ether 00:0c:29:0b:14:8b brd ff:ff:ff:ff:ff:ff inet 10.0.0.8/16 brd 10.0.255.255 scope global noprefixroute eth0 valid_lft forever preferred_lft forever inet6 fe80::20c:29ff:fe0b:148b/64 scope link valid_lft forever preferred_lft forever 3: virbr0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000 link/ether 52:54:00:ef:6a:ec brd ff:ff:ff:ff:ff:ff inet 192.168.122.1/24 brd 192.168.122.255 scope global virbr0 valid_lft forever preferred_lft forever 4: virbr0-nic: <BROADCAST,MULTICAST> mtu 1500 qdisc fq_codel master virbr0 state DOWN group default qlen 1000 link/ether 52:54:00:ef:6a:ec brd ff:ff:ff:ff:ff:ff 6: vnet0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel master virbr0 state UNKNOWN group default qlen 1000 link/ether fe:54:00:aa:fc:1c brd ff:ff:ff:ff:ff:ff inet6 fe80::fc54:ff:feaa:fc1c/64 scope link valid_lft forever preferred_lft forever [root@centos-kvm1 ~]# brctl show bridge name bridge id STP enabled interfaces virbr0 8000.525400ef6aec yes virbr0-nic #virbr0-nic表示virbr0的网卡 vnet0
-
KVM2
-
宿主机:
- eth0:10.0.0.18 VMnet8 NAT
-
虚拟机:
-
[root@centos-kvm2 ~]# virsh list Id Name State ------------------------- 1 centos7 running [root@centos-kvm2 ~]# virsh domiflist centos7 Interface Type Source Model MAC ------------------------------------------------------------- vnet0 network default virtio 52:54:00:7e:e2:fd [root@centos-kvm2 ~]# virsh domifaddr centos7 Name MAC address Protocol Address ------------------------------------------------------------------------------- vnet0 52:54:00:7e:e2:fd ipv4 192.168.122.211/24 [root@centos-kvm2 ~]# ip a 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo valid_lft forever preferred_lft forever inet6 ::1/128 scope host valid_lft forever preferred_lft forever 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000 link/ether 00:0c:29:d0:8e:57 brd ff:ff:ff:ff:ff:ff inet 10.0.0.18/16 brd 10.0.255.255 scope global noprefixroute eth0 valid_lft forever preferred_lft forever inet6 fe80::20c:29ff:fed0:8e57/64 scope link valid_lft forever preferred_lft forever 3: virbr0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000 link/ether 52:54:00:ff:56:99 brd ff:ff:ff:ff:ff:ff inet 192.168.122.1/24 brd 192.168.122.255 scope global virbr0 valid_lft forever preferred_lft forever 4: vnet0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master virbr0 state UNKNOWN group default qlen 1000 link/ether fe:54:00:7e:e2:fd brd ff:ff:ff:ff:ff:ff inet6 fe80::fc54:ff:fe7e:e2fd/64 scope link valid_lft forever preferred_lft forever [root@centos-kvm2 ~]# brctl show bridge name bridge id STP enabled interfaces virbr0 8000.525400ff5699 yes vnet0
-
与互联网通信
- 结论:
- 虚拟机可以ping通互联网,因为虚拟机走的是SNAT
- 工作过程:
- 当虚拟机启动后,除虚拟机自身会生成eth0网卡外,还会在宿主机生成一块vnet0的网卡,而宿主机生成的vnet0网卡都是桥接在virbr0这个网桥上的,虚拟机的报文会通过宿主机的DNAT转换 也就是所谓的 Address Masquerading 地址伪装出去的
- 桥接网卡的IP可以直接访问
- 报文流向:
- 虚拟机eth0 <–> 宿主机vnet0 <–> 宿主机virbr0 <–> 宿主机iptables <–> 宿主机eth0 <–> internet
- 简述:
- 就相当于宿主机自身访问互联网
范例
#登录到虚拟机
[root@centos-kvm1 ~]# ssh 192.168.122.208
root@192.168.122.208's password:
Last login: Wed Apr 6 18:40:02 2022 from 10.0.0.201
#访问互联网
[root@localhost ~]# ping www.baidu.com
PING www.a.shifen.com (36.152.44.96) 56(84) bytes of data.
64 bytes from 36.152.44.96 (36.152.44.96): icmp_seq=1 ttl=127 time=43.0 ms
...与其他宿主机通信
- 结论:
- 虚拟机可以与其他宿主机通信,因为虚拟机走的是SNAT
- 工作过程:
- 当虚拟机启动后,除虚拟机自身会生成eth0网卡外,还会在宿主机生成一块vnet0的网卡,而宿主机生成的vnet0网卡都是桥接在virbr0这个网桥上的,虚拟机的报文会通过宿主机的DNAT转换 也就是所谓的 Address Masquerading 地址伪装出去的
- 报文流向:
- 虚拟机eth0 <–> 宿主机vnet0 <–> 宿主机iptables <–> 宿主机eth0 <–> internet
- 简述:
- 就相当于宿主机自身访问其他宿主机
范例
#登录到虚拟机
[root@centos-kvm1 ~]# ssh 192.168.122.208
root@192.168.122.208's password:
Last login: Wed Apr 6 18:40:02 2022 from 10.0.0.201
#访问其他宿主机
[root@localhost ~]# ping 10.0.0.18
PING 10.0.0.18 (10.0.0.18) 56(84) bytes of data.
64 bytes from 10.0.0.18: icmp_seq=1 ttl=64 time=2.15 ms
...
#其他宿主机抓包
[root@centos-kvm2 ~]# tcpdump -nn icmp
...
16:18:50.914048 IP 10.0.0.8 > 10.0.0.18: ICMP echo request, id 3195, seq 1, length 64
16:18:50.914175 IP 10.0.0.18 > 10.0.0.8: ICMP echo reply, id 3195, seq 1, length 64
...与其他宿主机中的虚拟机进行通信
- 结论:
- 无法通信,因为都在各自的NAT网络中
范例
[root@centos-kvm1 ~]# ping -c1 192.168.122.211
PING 192.168.122.211 (192.168.122.211) 56(84) bytes of data.
From 192.168.122.1 icmp_seq=1 Destination Host Unreachable
--- 192.168.122.211 ping statistics ---
1 packets transmitted, 0 received, +1 errors, 100% packet loss, time 0ms默认外界与虚拟机通信
环境
- 参阅上文
#外部主机无法访问虚拟机,因为虚拟机走的是SNAT
C:\Users\阿征>ping 192.168.122.208
正在 Ping 192.168.122.208 具有 32 字节的数据:
请求超时。
192.168.122.208 的 Ping 统计信息:
数据包: 已发送 = 4,已接收 = 0,丢失 = 4 (100% 丢失),—
KVM网络管理相关命令
- 以下命令全部都在宿主机执行
- 相关信息其实就是调用了此文件中的内容:/etc/libvirt/qemu/centos7.xml
查看虚拟机的网卡配置
#默认NAT网络
# virsh domiflist centos7
Interface Type Source Model MAC
-------------------------------------------------------------
- network default virtio 52:54:00:aa:fc:1c
#桥接到宿主机eth0
# virsh domiflist centos7
Interface Type Source Model MAC
-----------------------------------------------------------
macvtap0 direct eth0 virtio 52:54:00:aa:fc:1c查看虚拟机的网卡地址信息
- 需要虚拟机开启,否则将无法获取虚拟机的IP地址
# virsh domifaddr centos7-3
Name MAC address Protocol Address
-------------------------------------------------------------------------------
vnet0 52:54:00:23:d4:db ipv4 192.168.122.63/24查看虚拟机指定网卡的状态
# virsh domifstat centos7-3 --interface vnet0
vnet0 rx_bytes 20302 #接受的字节大小
vnet0 rx_packets 326
vnet0 rx_errs 0
vnet0 rx_drop 0
vnet0 tx_bytes 6851 #发送的字节大小
vnet0 tx_packets 84
vnet0 tx_errs 0
vnet0 tx_drop 0列出目前已有的网络
# virsh net-list
Name State Autostart Persistent
--------------------------------------------
default active yes yes列出指定网络的详细配置
- 下面以查看默认的default网络详细信息(也就是nat网络模式)
# virsh net-dumpxml default
<network>
<name>default</name>
<uuid>1064e2fe-d78e-4690-84a1-9f043b84b643</uuid>
<forward mode='nat'>
<nat>
<port start='1024' end='65535'/>
</nat>
</forward>
<bridge name='virbr0' stp='on' delay='0'/>
<mac address='52:54:00:ef:6a:ec'/>
<ip address='192.168.122.1' netmask='255.255.255.0'>
<dhcp>
<range start='192.168.122.2' end='192.168.122.254'/>
</dhcp>
</ip>
</network>本质上就是调用此文件的内容
# cat /etc/libvirt/qemu/networks/default.xml
<!--
WARNING: THIS IS AN AUTO-GENERATED FILE. CHANGES TO IT ARE LIKELY TO BE
OVERWRITTEN AND LOST. Changes to this xml configuration should be made using:
virsh net-edit default
or other application using the libvirt API.
-->
<network>
<name>default</name>
<uuid>1064e2fe-d78e-4690-84a1-9f043b84b643</uuid>
<forward mode='nat'/>
<bridge name='virbr0' stp='on' delay='0'/>
<mac address='52:54:00:ef:6a:ec'/>
<ip address='192.168.122.1' netmask='255.255.255.0'>
<dhcp>
<range start='192.168.122.2' end='192.168.122.254'/>
</dhcp>
</ip>
</network>—
将虚拟网络流量限制到特定接口
- 虚拟网络可以连接到物理网络。它的流量还可以被限制为使用特定接口
- 例如在具有 eth0/1/2 的系统上,可以限制虚拟网络仅使用 eth0
- 但是,这只在路由和 nat 模式下才有意义
- 在创建新的虚拟网络时,可以在 XML(dev="" 属性)或 virt-manager 中定义限制
—
实现 虚拟机网卡桥接到宿主机的物理网卡
- 因为默认虚拟机的网卡是桥接到宿主机的 virbr0 网桥,而 virbr0 网桥是无法和其他宿主机间进行通信的
- 而将虚拟机网卡桥接到宿主机的物理网卡后,只要宿主机能与其他的虚拟机的宿主机进行通信,那么就可以实现跨宿主机的虚拟机与虚拟机之间的通信
- 相当于 wmware workstation 中的 Vmnet0
图解
…
实现
- 所有虚拟机的宿主机都执行:
#centos or Ubuntu
export DISPLAY=10.0.0.1:0.0
virt-manager- 选择一个虚拟机然后双击
- 点击💡
- NIC :xx:xx:xx –> Details
- Network source
- Host device eth0: macvtap
- Source mode
- Bridge
- Device mode
- virtio
- Apply
- Network source
实现后
# virsh domiflist centos7
Interface Type Source Model MAC
-----------------------------------------------------------
macvtap0 direct eth0 virtio 52:54:00:aa:fc:1c测试
问题
- 宿主机无法ssh到虚拟机,但在windows可以ping通???
- 另外一台主机在添加的时候为什么没有 Host device eth0: macvtap 这个选项???
—
实现 基于自定义网桥的虚拟网络
原理
- 将宿主机的eth0网卡 和 宿主机的eth0网卡 都桥接到 自定义的网桥上,从而实现跨宿主机的虚拟机间通信
创建自定义网桥
- 所有宿主机都进行此操作
centos
写配置文件创建
- 注意:写静态文件有时候加载配置文件后也会无法连接到宿主机???,解决方法???
初始状态
# nmcli connection
NAME UUID TYPE DEVICE
eth0 5fb06bd0-0bb0-7ffb-45f1-d6edd65f3e03 ethernet eth0
virbr0 de813b16-d55d-4983-82cd-82fb7d44aa17 bridge virbr0 写配置文件创建
# cat /etc/sysconfig/network-scripts/ifcfg-virbr1
TYPE=Bridge
NAME=virbr1
DEVICE=virbr1
STP=yes
BOOTPROTO=none
IPADDR=10.0.0.88
PREFIX=24
GATEWAY=10.0.0.2
ONBOOT=yes
DNS1=180.76.76.76
DNS2=223.5.5.5使配置文件生效
# nmcli connection reload
# nmcli connection up virbr1
Connection successfully activated (master waiting for slaves) (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/10)
# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 10.0.0.2 0.0.0.0 UG 100 0 0 eth0
0.0.0.0 10.0.0.2 0.0.0.0 UG 426 0 0 virbr1
10.0.0.0 0.0.0.0 255.255.255.0 U 101 0 0 eth0
10.0.0.0 0.0.0.0 255.255.255.0 U 426 0 0 virbr1
10.0.0.0 0.0.0.0 255.255.0.0 U 100 0 0 eth0
192.168.122.0 0.0.0.0 255.255.255.0 U 425 0 0 virbr0
# nmcli connection
NAME UUID TYPE DEVICE
eth0 5fb06bd0-0bb0-7ffb-45f1-d6edd65f3e03 ethernet eth0
virbr0 9bab7bc4-8462-4013-a378-1f65274045a3 bridge virbr0
virbr1 282db82c-a36d-fb08-d7a9-78ef62fac87e bridge virbr1
# ip link show master virbr1
空
# bridge link show
空将eth0网卡加入到自定义网桥
- 写配置文件,永久生效
# cat /etc/sysconfig/network-scripts/ifcfg-eth0
TYPE=Ethernet
DEVICE=eth0
NAME=eth0
ONBOOT=yes
BRIDGE=virbr1- 命令行添加,临时生效
# brctl addif virbr1 eth0
#使其生效
# nmcli connection reload
# nmcli connection up eth0 登录测试
# ssh 10.0.0.88
The authenticity of host '10.0.0.88 (10.0.0.88)' can't be established.
ECDSA key fingerprint is SHA256:LMMMtet8FFLvX4xwl2ykQhhB/5ffCO6zMiwn5OsNRXg.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.0.0.88' (ECDSA) to the list of known hosts.
root@10.0.0.88's password:
# nmcli connection
NAME UUID TYPE DEVICE
virbr1 282db82c-a36d-fb08-d7a9-78ef62fac87e bridge virbr1
virbr0 9bab7bc4-8462-4013-a378-1f65274045a3 bridge virbr0
eth0 5fb06bd0-0bb0-7ffb-45f1-d6edd65f3e03 ethernet eth0
# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 10.0.0.2 0.0.0.0 UG 426 0 0 virbr1
10.0.0.0 0.0.0.0 255.255.255.0 U 426 0 0 virbr1
192.168.122.0 0.0.0.0 255.255.255.0 U 425 0 0 virbr0
# ip link show master virbr1
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel master virbr1 state UP mode DEFAULT group default qlen 1000
link/ether 00:0c:29:d0:8e:57 brd ff:ff:ff:ff:ff:ff
# bridge link show
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 master virbr1 state forwarding priority 32 cost 100
# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel master virbr1 state UP group default qlen 1000
link/ether 00:0c:29:d0:8e:57 brd ff:ff:ff:ff:ff:ff
3: virbr0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default qlen 1000
link/ether 52:54:00:fe:17:91 brd ff:ff:ff:ff:ff:ff
inet 192.168.122.1/24 brd 192.168.122.255 scope global virbr0
valid_lft forever preferred_lft forever
9: virbr1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether 00:0c:29:d0:8e:57 brd ff:ff:ff:ff:ff:ff
inet 10.0.0.88/24 brd 10.0.0.255 scope global noprefixroute virbr1
valid_lft forever preferred_lft forever
inet6 fe80::20c:29ff:fed0:8e57/64 scope link
valid_lft forever preferred_lft forever通过命令行创建
- 注意:通过命令创建网桥而生成的文件一般后续还要加以修改
- 此方式有问题
- 初始状态
[root@centos-kvm2 ~]# nmcli connection
NAME UUID TYPE DEVICE
eth0 5fb06bd0-0bb0-7ffb-45f1-d6edd65f3e03 ethernet eth0
virbr0 9bab7bc4-8462-4013-a378-1f65274045a3 bridge virbr0 - 通过命令行创建
- 注意:通过命令创建的网桥 创建后会自动启动 下面命令执行后会和宿主机断开连接 且无法连接(为什么???),除非将virbr1这个网桥down掉,所以最好还是通过写配置文件的方式创建
[root@centos-kvm2 ~]# nmcli connection add con-name virbr1 type bridge ifname virbr1 ipv4.method manual ipv4.addresses 10.0.0.88/24 ipv4.gateway 10.0.0.2
Connection 'virbr1' (b1aa3849-e990-465a-b300-08d5e91e6da3) successfully added.- 创建后生成的文件
[root@centos-kvm2 ~]# cat /etc/sysconfig/network-scripts/ifcfg-virbr1
STP=yes
BRIDGING_OPTS=priority=32768
TYPE=Bridge
PROXY_METHOD=none
BROWSER_ONLY=no
BOOTPROTO=none
IPADDR=10.0.0.88
PREFIX=24
GATEWAY=10.0.0.2
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_FAILURE_FATAL=no
IPV6_ADDR_GEN_MODE=stable-privacy
NAME=virbr1
UUID=2f95f5ad-a549-4262-96ef-2201236ee920
DEVICE=virbr1
ONBOOT=yes- 创建后生成的规则
- 然后就无法ssh连接到宿主机了
[root@centos-kvm2 ~]# nmcli connection show
NAME UUID TYPE DEVICE
eth0 5fb06bd0-0bb0-7ffb-45f1-d6edd65f3e03 ethernet eth0
virbr0 9bab7bc4-8462-4013-a378-1f65274045a3 bridge virbr0
virbr1 2f95f5ad-a549-4262-96ef-2201236ee920 bridge virbr1 ubuntu
写配置文件创建
- 参阅pdf或自写笔记
通过virt-manager修改原有虚拟机配置测试
修改前环境
#kvm1
[root@centos-kvm1 ~]# virsh domiflist centos7
Interface Type Source Model MAC
-------------------------------------------------------------
vnet0 network default virtio 52:54:00:aa:fc:1c
[root@centos-kvm1 ~]# virsh domifaddr centos7
Name MAC address Protocol Address
-------------------------------------------------------------------------------
vnet0 52:54:00:aa:fc:1c ipv4 192.168.122.208/24
#kvm2
[root@centos-kvm2 ~]# virsh domiflist centos7
Interface Type Source Model MAC
-------------------------------------------------------------
vnet0 network default virtio 52:54:00:7e:e2:fd
[root@centos-kvm2 ~]# virsh domifaddr centos7
Name MAC address Protocol Address
-------------------------------------------------------------------------------
vnet0 52:54:00:7e:e2:fd ipv4 192.168.122.211/24修改
- 所有虚拟机的宿主机都执行:
#centos or Ubuntu
export DISPLAY=10.0.0.1:0.0
virt-manager- 选择一个虚拟机然后双击
- 点击💡
- NIC :xx:xx:xx –> Details
- Network source
- Bridge device …
- Device name:virbr1
- Source mode
- Bridge
- Device mode
- virtio
- Apply
- Network source
- 重启虚拟机,重启后因为是与宿主机的eth0网卡共同桥接在virbr1网桥上,所以会使用wmnet8也就是NAT网卡的DHCP服务获取IP地址
修改后环境
#kvm1
[root@centos-kvm1 ~]# virsh domiflist centos7
Interface Type Source Model MAC
-------------------------------------------------------------
vnet0 network default virtio 52:54:00:aa:fc:1c
[root@centos-kvm1 ~]# virsh domifaddr centos7
Name MAC address Protocol Address
-------------------------------------------------------------------------------
需要进入到虚拟机查看,这里看不到,这里获取的地址是10.0.0.208
因为是与宿主机的eth0网卡共同桥接在virbr1网桥上,所以会使用wmnet8也就是NAT网卡的DHCP服务获取IP地址
#kvm2
[root@centos-kvm2 ~]# virsh domiflist centos7
Interface Type Source Model MAC
-----------------------------------------------------------
vnet0 bridge virbr1 virtio 52:54:00:7e:e2:fd
[root@centos-kvm2 ~]# virsh domifaddr centos7
Name MAC address Protocol Address
-------------------------------------------------------------------------------
需要进入到虚拟机查看,这里看不到,这里获取的地址是10.0.0.210
因为是与宿主机的eth0网卡共同桥接在virbr1网桥上,所以会使用wmnet8也就是NAT网卡的DHCP服务获取IP地址修改后宿主机的变化
- 开启的虚拟机在宿主机生成vnet0 网卡,而vnet0又桥接到virbr1网桥上
[root@centos-kvm1 ~]# ip link show master virbr1
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel master virbr1 state UP mode DEFAULT group default qlen 1000
link/ether 00:0c:29:0b:14:8b brd ff:ff:ff:ff:ff:ff
5: vnet0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel master virbr1 state UNKNOWN mode DEFAULT group default qlen 1000
link/ether fe:54:00:aa:fc:1c brd ff:ff:ff:ff:ff:ff
[root@centos-kvm2 ~]# ip link show master virbr1
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel master virbr1 state UP mode DEFAULT group default qlen 1000
link/ether 00:0c:29:d0:8e:57 brd ff:ff:ff:ff:ff:ff
10: vnet0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master virbr1 state UNKNOWN mode DEFAULT group default qlen 1000
link/ether fe:54:00:7e:e2:fd brd ff:ff:ff:ff:ff:ff测试
[root@localhost ~]# ping 10.0.0.210
...
64 bytes from 10.0.0.210: icmp_seq=1 ttl=64 time=4.12 ms
...
[root@localhost2 ~]# ping 10.0.0.208
...
64 bytes from 10.0.0.208: icmp_seq=1 ttl=64 time=1.97 ms
...
------------------------------------------------------------------------------
[root@localhost ~]# ping www.baidu.com
...
64 bytes from 36.152.44.95 (36.152.44.95): icmp_seq=1 ttl=128 time=41.1 ms
...
[root@localhost2 ~]# ping www.baidu.com
...
64 bytes from 36.152.44.95 (36.152.44.95): icmp_seq=1 ttl=128 time=42.8 ms
...
------------------------------------------------------------------------------
[root@localhost ~]# cat /etc/resolv.conf
# Generated by NetworkManager
search localdomain
nameserver 10.0.0.2
[root@localhost2 ~]# cat /etc/resolv.conf
# Generated by NetworkManager
search localdomain
nameserver 10.0.0.2本质上变化的内容
#修改前
# /etc/libvirt/qemu/centos7.xml
...
<interface type='network'>
<mac address='52:54:00:aa:fc:1c'/>
<source network='default'/>
...
#修改后
# /etc/libvirt/qemu/centos7.xml
...
<interface type='bridge'>
<mac address='52:54:00:aa:fc:1c'/>
<source bridge='virbr1'/>
...创建新的虚拟机测试
-
创建新的虚拟机时指定桥接网络
-
PXE实现准备过程参阅 KVM pdf 或 OS install笔记
-
注意:ks文件的虚拟磁盘要改为vda
#创建虚拟磁盘
qemu-img create -f qcow2 /var/lib/libvirt/images/centos7-pxe.qcow2 200G
#创建自定义网桥的虚拟机
virt-install --virt-type kvm --name centos7 --memory 2048 --vcpus 2 --disk bus=virtio,path=/var/lib/libvirt/images/centos7-pxe.qcow2 --graphics vnc,listen=0.0.0.0 --network=bridge:virbr1,model=virtio --pxe- …
—
实现 用户自定义的隔离的虚拟网络
- 即虚拟机的网卡桥接到宿主机的网桥上,而宿主机的网桥不再与宿主机的eth0等设备连接,从而实现隔离的虚拟网络
- 因为每个虚拟机只能在宿主机互相通信,而不能跨宿主机虚拟机与虚拟机间通信,所以生产中很少使用