[kwlug-disc] Networking on libvirt vs. VirtualBox

unsolicited unsolicited at swiz.ca
Sat Aug 2 10:02:57 EDT 2014


Thanks for this. Ties in with my own recent experimentation.

Couple things I have wondered about:

1. With vbox there is no entry into the BIOS, unlike vmware. That's not 
necessarily bad, but it also means there's no BIOS level IBM KVM-like 
attach screen to virtual machine facility. So if a vbox is run headless, 
and you fail to set up some form of remote access, and it doesn't appear 
to be running correctly ...

2. How to make this safe in one's own network? In a provided cloud, 
presumably they're guaranteeing absolute machine isolation - it's their 
back end networking. At 'home' everything must inherently participate in 
the local network, else you could not maintain it, yet how to otherwise 
isolate it for the world, to run LAMP plus favourite serving applications?

- bridged, and router subnet forwarding, is intuitive, let alone 
internal machine magic to understand public/private IP presentment, but 
otherwise??? Virtual VLAN? While still being able to access locally in 
order to maintain. The networking should be able to prevent any security 
hole discovery / attack, but the conceptual networking setup specifics 
elude me at the moment. Remotely things would be on a separate DMZ 
network, with machines not able to talk to each other (separate VLANs), 
but that's more hardware, let alone not virtual, than I might want on my 
own desktop.

- only thing I have thought of is each vm on its own virtual net, 
pointing one's router for a supernet of them to the host, and turn 
routing on on the host. Not sure what that's buying, as the local net 
must still be able to get to them to maintain. All in the effort of 
properly isolating vmachines.


Links to proper network isolation / security precautions for LAMP 
servers would be appreciated, especially within a single KVM server for 
multiple sites / clients.


In Khalid's case, he could even have a service offering of a redundant, 
albeit slow, site in case of provider down time, such as provider under 
DDOS attack. A UPS, beefy tower, good to go!


On 14-08-01 06:02 PM, Khalid Baheyeldin wrote:
> I was able to get a working VM up finally on KVM.
>
> Using more or less the tricks here
>
> http://mojodna.net/2014/05/14/kvm-libvirt-and-ubuntu-14-04.html
>
> In a nutshell, start with the Ubuntu Amazon EC2 images (not the regular
> server ISO image), then create and use an additional init ISO image so it
> would allow password login, then once you login you can add your ssh key.
>
> By adding a MAC address, you get your DHCP server to assign it a known IP
> address, and then you can ssh to that. No VNC required, no console!
>
> But, yet again, all this was not needed with VirtualBox ... sigh ...
>
>
> On Fri, Aug 1, 2014 at 5:05 PM, Khalid Baheyeldin <kb at 2bits.com> wrote:
>
>> Another difference between libvirt and VirtualBox.
>>
>> I was able to take the Ubuntu Server stock .iso file, and install it
>> inside of VirtualBox normally. That includes installing grub in the virtual
>> disk's MBR.
>>
>> With libvirt, grub installation does not complete, with no errors. The
>> step proceeds, then returns to the tasks.
>>
>> So, I am unable to have a working VM with KVM and libvirt so far because
>> of grub aborting.
>>
>>
>> On Fri, Aug 1, 2014 at 4:03 PM, Khalid Baheyeldin <kb at 2bits.com> wrote:
>>
>>> After defining br0 in the host's network, if I specify bridge=br0, it
>>> works fine, but only with sudo, which is annoying.
>>>
>>> VirtualBox did not need any host changes, and did not require sudo.
>>>
>>> Is there a way to do this on kvm/libvirt?
>>>
>>>
>>> On Fri, Aug 1, 2014 at 3:03 PM, William Park <opengeometry at yahoo.ca>
>>> wrote:
>>>
>>>> On Fri, Aug 01, 2014 at 12:27:21PM -0400, Khalid Baheyeldin wrote:
>>>>> On VirtualBox, I was able as non-root to get bridged networking by
>>>>> doing:
>>>>>
>>>>> vboxmanage createvm --name p1 --ostype Ubuntu_64 --register
>>>>> vboxmanage modifyvm p1  ... --nic1 bridged --bridgeadapter1 eth0 --nictype1 82543GC
>>>>>
>>>>> And that provided me functional two-way networking, assigning a new IP
>>>>> address from the router, and allows incoming and outgoing networking
>>>>> transparently.
>>>>>
>>>>> On KVM, I did:
>>>>>
>>>>> virt-install --name p1 --ram 512 --disk path=~/p.img,size=2 --cdrom
>>>>> ./media/precise64/ubuntu-12.04.4-server-amd64.iso --boot cdrom --network bridge=eth0
>>>>>
>>>>> That would not work because it requires root (VirtualBox worked without
>>>>> sudo).
>>>>>
>>>>> So, I need to use sudo before that command. But when I do this, I get
>>>>> the error:
>>>>>
>>>>> ERROR    Unable to add bridge eth0 port vnet0: Operation not supported
>>>>>
>>>>> Googling for that error suggests that this command should fix it:
>>>>>
>>>>> virsh iface-bridge eth0 br0
>>>>>
>>>>> But it does not work, with or without sudo, with the following error:
>>>>>
>>>>> error: failed to get interface 'eth0'
>>>>> error: this function is not supported by the connection driver:
>>>>> virInterfaceLookupByName
>>>>>
>>>>> So, the question is, using libvirt and kvm, how does one get bridged
>>>>> networking to work?
>>>>
>>>> From memory, QEMU simply adds its tap interface to an existing bridge.  I
>>>> had to set up a bridge and add wlan0 (my wireless connection) to it.  Then,
>>>> the virtual machine got its IP from the wireless router.
>>>> --
>>>> William
>>>>
>>>>
>>>> _______________________________________________
>>>> kwlug-disc mailing list
>>>> kwlug-disc at kwlug.org
>>>> http://kwlug.org/mailman/listinfo/kwlug-disc_kwlug.org
>>>>
>>>
>>>
>>>
>>> --
>>> Khalid M. Baheyeldin
>>> 2bits.com, Inc.
>>> Fast Reliable Drupal
>>> Drupal optimization, development, customization and consulting.
>>> Simplicity is prerequisite for reliability. --  Edsger W.Dijkstra
>>> Simplicity is the ultimate sophistication. --   Leonardo da Vinci
>>> For every complex problem, there is an answer that is clear, simple, and
>>> wrong." -- H.L. Mencken
>>>
>>
>>
>>
>> --
>> Khalid M. Baheyeldin
>> 2bits.com, Inc.
>> Fast Reliable Drupal
>> Drupal optimization, development, customization and consulting.
>> Simplicity is prerequisite for reliability. --  Edsger W.Dijkstra
>> Simplicity is the ultimate sophistication. --   Leonardo da Vinci
>> For every complex problem, there is an answer that is clear, simple, and
>> wrong." -- H.L. Mencken
>>
>
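Added example, written for this archive page and not posted by anyone in the thread: it takes the "each vm on its own virtual net, router points a supernet at the host, host routes" idea from the top message and expresses it as libvirt routed networks. Each guest gets its own libvirt network with `<forward mode='route'/>` (libvirt creates the bridge and the host is the gateway; the home router then needs one static route for the supernet pointing at the host), and iptables FORWARD rules on the host drop traffic between guest subnets while an admin subnet on the LAN can still reach every guest for maintenance. The functions only generate the `virsh net-define` XML and the iptables commands so they can be reviewed; nothing is executed. Bridge names (virbr1..), subnets (10.99.x.0/24) and the admin subnet (192.168.1.0/24) are placeholders. On the sudo point raised earlier: as I understand it, network definitions like these live in the qemu:///system driver, which `virt-install` without `--connect` only picks as root (a non-root run lands on qemu:///session, which has no interface or bridge support, hence the "not supported by the connection driver" error); adding the user to the host's libvirt group (called libvirtd on Ubuntu releases of that era) is the usual way to avoid sudo, which is an assumption about the local setup, not something the thread states.

```shell
#!/bin/sh
# Added example, not from the kwlug-disc thread. Generates (does not run) the
# host-side configuration for several isolated guests on one libvirt/KVM host:
# one routed libvirt network per guest, plus iptables rules that keep the guest
# subnets apart while an admin subnet on the LAN can still reach them.
# All names and addresses below are placeholders chosen for this example.

# vm_network_xml NAME BRIDGE GATEWAY PREFIX
# Emit a libvirt <network> definition: libvirt builds the named bridge, puts
# the gateway address on it and serves DHCP. Feed the output to `virsh net-define`.
vm_network_xml() {
    name="$1"; bridge="$2"; gw="$3"; prefix="$4"
    net="${gw%.*}"          # first three octets of the gateway, e.g. 10.99.1
    cat <<EOF
<network>
  <name>$name</name>
  <forward mode='route'/>
  <bridge name='$bridge' stp='on' delay='0'/>
  <ip address='$gw' prefix='$prefix'>
    <dhcp>
      <range start='$net.100' end='$net.200'/>
    </dhcp>
  </ip>
</network>
EOF
}

# isolation_rules ADMIN_CIDR VM_CIDR...
# Emit iptables FORWARD rules. Each rule uses -I so it lands ahead of the
# ACCEPT rules libvirt installs for a routed network; because -I inserts at
# the top, the rules printed last are evaluated first.
isolation_rules() {
    admin="$1"; shift
    for a in "$@"; do
        for b in "$@"; do
            [ "$a" = "$b" ] && continue
            # guests on different networks must not talk to each other
            printf 'iptables -I FORWARD -s %s -d %s -j DROP\n' "$a" "$b"
        done
    done
    for a in "$@"; do
        # guests may not open connections into the admin LAN ...
        printf 'iptables -I FORWARD -s %s -d %s -j DROP\n' "$a" "$admin"
        # ... but may answer connections the admin LAN opened ...
        printf 'iptables -I FORWARD -s %s -d %s -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n' "$a" "$admin"
        # ... and the admin LAN may reach each guest for maintenance.
        printf 'iptables -I FORWARD -s %s -d %s -j ACCEPT\n' "$admin" "$a"
    done
}

# count_rules ADMIN_CIDR VM_CIDR...  -> how many rules isolation_rules emits
# (n guest subnets give n*(n-1) pair DROPs plus 3 admin rules per subnet)
count_rules() {
    isolation_rules "$@" | wc -l | tr -d ' '
}

# Usage: sh isolate.sh demo   (three guest networks under a 10.99.0.0/16 supernet)
if [ "${1:-}" = "demo" ]; then
    i=1
    for client in client1 client2 client3; do
        vm_network_xml "$client" "virbr$i" "10.99.$i.1" 24
        i=$((i + 1))
    done
    isolation_rules 192.168.1.0/24 10.99.1.0/24 10.99.2.0/24 10.99.3.0/24
fi
```

One caveat worth knowing before relying on this: libvirt inserts its own FORWARD rules at the head of the chain every time a network starts, so apply the generated rules after `virsh net-start` (or from a libvirt network hook script) rather than at boot before libvirtd, otherwise libvirt's ACCEPT rules can end up ahead of the DROPs. The guests still reach the Internet through the host, so the usual per-guest hardening of the LAMP stack itself is unchanged by this layout.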




