On 07/10/2013 09:15 PM, Jorge Fábregas wrote:
> On 07/08/2013 02:01 PM, Dean Hunter wrote:
>> I need to test new versions of the server guests in isolation from existing server
>> guests and server peers; i.e. everything except for the http and nfs services of the
>> server.
> Hi Dean,
> I'm new to virtualization on Linux so bear with me...
> As I see it you have this "Subnet1" for your br1 bridge:
> (your network) --> em1 --> br1 <-- your guests
> Why don't you just create a new network "Subnet2" (with a new
> bridge "br2") that won't have any real interface bridged to it? That way
> you'll get the isolation you want for your new guests plus you'll have
> another ip for your host system (the ip you'll assign to the bridge).
And you can do this very easily with a libvirt virtual network:
<network>
<name>isolated</name>
<domain name='isolated.net'/>
<ip address='192.168.254.1' netmask='255.255.255.0'>
<dhcp>
<range start='192.168.254.2' end='192.168.254.250' />
</dhcp>
</ip>
</network>
Put that in /tmp/x.xml and run:
virsh net-define /tmp/x.xml
virsh net-start isolated
virsh net-autostart isolated
Now edit your guest xml (with "virsh edit" of course!) and change the
<interface> element to something like this:
<interface type='network'>
...
<source network='isolated'/>
...
</interface>
Save that, shut down the guest (if it isn't already), then start it up
again. The guest will get an IP address from 192.168.254.x, and be able
to communicate with the server at 192.168.254.1 or with other guests on
the same subnet, but won't be able to talk with anything else (even DNS
requests will not be forwarded upstream).
To protect against the guests on this isolated network contacting
anything except nfs and https (as well as DHCP and DNS, I'm guessing),
you have three choices:
1) make sure the other services are listening only on certain interfaces.
2) modify the host's firewall accordingly
3) put a libvirt nwfilter firewall on the guest (see:
http://www.libvirt.org/formatnwfilter.html)
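As an added example (not from the thread), a script that makes the two changes described above with Python's xml.etree: it checks that a network definition like the one given is really isolated (no <forward> element, so no NAT, routing or physical interface) and rewrites a guest's <interface> to use it, the edit one would otherwise make by hand with virsh edit. The guest definition is a constructed sample, not one of Dean's guests.

```python
import xml.etree.ElementTree as ET
# Constructed sample: the network definition from the message above.
NETWORK_XML = """<network>
  <name>isolated</name>
  <domain name='isolated.net'/>
  <ip address='192.168.254.1' netmask='255.255.255.0'>
    <dhcp>
      <range start='192.168.254.2' end='192.168.254.250'/>
    </dhcp>
  </ip>
</network>"""

# Constructed, hypothetical guest definition, bridged to br1 like the existing guests.
GUEST_XML = """<domain type='kvm'>
  <name>testguest</name>
  <devices>
    <interface type='bridge'>
      <mac address='52:54:00:aa:bb:cc'/>
      <source bridge='br1'/>
    </interface>
  </devices>
</domain>"""

def is_isolated(network_xml):
    # A libvirt network with no <forward> element does no NAT or routing
    # and has no physical interface, so guests only reach the host's
    # bridge address and each other.
    root = ET.fromstring(network_xml)
    return root.tag == 'network' and root.find('forward') is None

def attach_to_network(guest_xml, network_xml):
    # Rewrite every <interface> to attach to the network (the edit you would
    # otherwise make with 'virsh edit'); refuse if the network is not isolated.
    if not is_isolated(network_xml):
        raise ValueError('network has a <forward> element; not isolated')
    name = ET.fromstring(network_xml).findtext('name')
    root = ET.fromstring(guest_xml)
    for iface in root.iter('interface'):
        iface.set('type', 'network')          # was type='bridge'
        for old in iface.findall('source'):
            iface.remove(old)                 # drop <source bridge='br1'/>
        ET.SubElement(iface, 'source', network=name)
    return ET.tostring(root, encoding='unicode')

def interface_sources(domain_xml):
    # (type, source attributes) per interface, to verify the rewrite.
    root = ET.fromstring(domain_xml)
    return [(i.get('type'), dict(i.find('source').attrib))
            for i in root.iter('interface')]
```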