I have used virt-install to create two CentOS 7 virtual machine guests on a CentOS 7 host computer. One virtual machine is called webvm, and hosts web sites on a private network. The other virtual machine is called datavm and has the sole purpose of being the virtual database server for the web apps hosted on webvm. How can I set up networking so that datavm ONLY allows data connections from webvm, and so that those data connections happen WITHIN the physical server box? I want to make sure that the database transactions between webvm and datavm do not travel across the local network.
The network IP of webvm is 10.0.0.6 and the network IP of datavm is 10.0.0.5. The connection string from a typical web app hosted on webvm is:
jdbc:mysql://localhost:3306/somedb?autoReconnect=true
You can see that localhost refers to webvm. How do I change the connection string to refer to datavm? I hesitate to use jdbc:mysql://10.0.0.5:3306/somedb?autoReconnect=true because I do not want data transactions traveling across the network.
Also note that bridge networking already links the host OS to each of the guest OSes. So I don't want to do anything to mess up the host/guest bridge. The code that was used on the HOST to set up bridge networking with the guests is:
//Before creating vms
# nmcli con show (shows network connections before)
# nmcli con add type bridge ifname br0 (adds bridge networking)
# nmcli con show (shows network connections after)
//after creating vms
# nmcli connection modify bridge-br0 ipv4.method manual ipv4.addresses host.ip.addr/24 ipv4.gateway router.ip.addr
# nmcli con down bridge-br0; nmcli con up bridge-br0
# nmcli con up bridge-slave-eno1
# ip link (on host, will show vm connections as vnetX)
# brctl addif br0 vnet3 (this adds the VM to the network so you can ping it from elsewhere on the network; vnet3 is the VM's tap interface as shown by ip link)
Now switch to another computer, open a terminal, and ssh [email protected] to connect to the virtual machine via ssh.
Whatever new bridge networking code we add must not conflict with the above bridge networking code that was already used.
So how do I set up a one-to-one, exclusive data connection between datavm and webvm?
UPDATED WORK IN PROGRESS:
I read the red hat nmcli documentation at this link. And I also read this other link about bridged networking and virtual machines.
In chat, @derobert suggested the following steps:
1.) Add a second bridge to the host.
2.) Add a second network interface to webvm, connected to the new host bridge.
3.) Add a second network interface to datavm, connected to the new host bridge.
4.) Configure the new network interfaces inside each guest.
Towards this end, I got a baseline by running the following in the HOST:
[root@localhost ~]# nmcli con show
NAME UUID TYPE DEVICE
bridge-slave-eno1 c36fd051-cacc-4e91-944f-a98f4fee26ff 802-3-ethernet eno1
bridge-br0 d472bc86-0f75-4dd5-bfee-5b8208b3fed2 bridge br0
System eno1 abf4c85b-57cc-4484-4fa9-b4a71689c359 802-3-ethernet --
vnet1 ea985e89-94fb-403c-af33-7daefb378ca5 generic vnet1
vnet0 06deb20d-b0b7-4233-8abc-cbb285165082 generic vnet0
[root@localhost ~]#
Then I ran the following inside webvm:
[root@localhost ~]# nmcli con show
NAME UUID TYPE DEVICE
eth0 71bf7ff1-7574-4364-8c83-5878ed30d028 802-3-ethernet eth0
[root@localhost ~]#
Then I ran the following inside datavm:
[root@localhost ~]# nmcli con show
NAME UUID TYPE DEVICE
Wired connection 1 dd4bbfd2-b309-44b6-ad82-031b88474977 802-3-ethernet enp0s3
[root@localhost ~]#
I am guessing that I type the following in the host:
# nmcli con add type bridge ifname br1
But what else do I type in the host? And what do I type in webvm and in datavm?
I imagine that firewalld will also be involved.
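The following is an added example, not code from the question or from @derobert's chat suggestion, that turns the four steps above into concrete host and guest commands. It assumes, beyond what the question states, that the new private link uses 10.0.1.0/24 (webvm 10.0.1.6, datavm 10.0.1.5), that the hot-plugged NIC appears as eth1 inside both guests, that the libvirt domains are named webvm and datavm, and that the firewalld zone name datalink, the NetworkManager connection name data-link and the MySQL config path /etc/my.cnf.d/datalink.cnf are free to use. The key point for the "stays inside the box" requirement is that br1 gets no physical slave and no host IP address: frames between the two vnetX tap ports are switched in the host kernel and never reach eno1. On datavm, mysqld is bound to the private-link address and firewalld opens TCP/3306 only to webvm's private-link address, so the LAN-facing interface keeps no database exposure. Every command is printed rather than executed unless DRY_RUN=0 is set; run the host functions on the host and the guest functions inside the respective VM.

```shell
#!/bin/sh
# Added example (not from the original post or @derobert): isolated
# host-only bridge between webvm and datavm, MySQL restricted to that link.
# Commands are printed instead of executed unless DRY_RUN=0.
# ASSUMED values (not from the question): 10.0.1.0/24 private link, guest
# interface name eth1, libvirt domain names webvm/datavm, zone "datalink".
DRY_RUN="${DRY_RUN:-1}"
BRIDGE=br1
WEBVM_DATA_IP=10.0.1.6
DATAVM_DATA_IP=10.0.1.5

run() { if [ "$DRY_RUN" = 0 ]; then "$@"; else printf '%s\n' "$*"; fi; }

# HOST: a bridge with no physical slave and no IP address. Traffic between
# the two guest tap ports is switched in the host kernel and never hits eno1.
host_add_isolated_bridge() {
    run nmcli con add type bridge ifname "$BRIDGE" con-name "bridge-$BRIDGE" \
        ipv4.method disabled ipv6.method ignore
    run nmcli con up "bridge-$BRIDGE"
}

# HOST: add a second virtio NIC to each guest, attached to the new bridge.
# --config persists it in the domain XML, --live attaches it to the running VM.
host_attach_guest_nics() {
    for dom in webvm datavm; do
        run virsh attach-interface --domain "$dom" --type bridge \
            --source "$BRIDGE" --model virtio --config --live
    done
}

# GUEST: static address on the new NIC, no gateway, so the only thing reachable
# over this link is the peer VM. $1 = interface name, $2 = address (no prefix).
guest_configure_data_link() {
    ifname="$1"; addr="$2"
    run nmcli con add type ethernet ifname "$ifname" con-name data-link \
        ipv4.method manual ipv4.addresses "$addr/24" ipv6.method ignore
    run nmcli con up data-link
}

# firewalld rich rule: accept TCP/3306 only from webvm's private-link address.
datavm_rich_rule() {
    printf 'rule family="ipv4" source address="%s/32" port port="3306" protocol="tcp" accept\n' "$1"
}

# datavm: give the private-link NIC its own zone containing nothing but the
# rich rule above; a fresh zone rejects everything else by default.
datavm_firewall() {
    run firewall-cmd --permanent --new-zone=datalink
    run firewall-cmd --permanent --zone=datalink --add-interface="$1"
    run firewall-cmd --permanent --zone=datalink \
        --add-rich-rule="$(datavm_rich_rule "$WEBVM_DATA_IP")"
    run firewall-cmd --reload
}

# datavm: make mysqld listen only on the private-link address (assumed path
# /etc/my.cnf.d/datalink.cnf), so the LAN-facing NIC never serves 3306.
mysqld_bind_conf() { printf '[mysqld]\nbind-address = %s\n' "$DATAVM_DATA_IP"; }

# webvm: the connection string now points at datavm over the private link.
jdbc_url() { printf 'jdbc:mysql://%s:3306/somedb?autoReconnect=true\n' "$DATAVM_DATA_IP"; }

# Print the whole plan: `sh thisfile.sh plan`
plan() {
    echo '# on the host'; host_add_isolated_bridge; host_attach_guest_nics
    echo '# inside webvm'; guest_configure_data_link eth1 "$WEBVM_DATA_IP"
    echo '# inside datavm'; guest_configure_data_link eth1 "$DATAVM_DATA_IP"
    datavm_firewall eth1
    echo '# /etc/my.cnf.d/datalink.cnf on datavm, then the new webvm JDBC URL'
    mysqld_bind_conf; jdbc_url
}
if [ "${1:-}" = plan ]; then plan; fi
```

Note that the existing bridge-br0 connection and eno1 slave are untouched: br1 is a second, independent bridge, so the existing host/guest bridge keeps working as before. After the interface is attached, `nmcli con show` inside each guest shows the new device, and `ip link` on the host shows a new vnetX port with br1 as its master.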