I have used virt-install to create two CentOS 7 virtual machine guests on a CentOS 7 host computer. One virtual machine is called webvm, and hosts web sites on a private network. The other virtual machine is called datavm and has the sole purpose of being the virtual database server for the web apps hosted on webvm. How can I set up networking so that datavm ONLY allows data connections from webvm, and so that those data connections happen WITHIN the physical server box? I want to make sure that the database transactions between webvm and datavm do not travel across the local network.
The network ip of webvm is 10.0.0.6 and the network ip of datavm is 10.0.0.5. The connection string from a typical web app hosted on webvm is:
jdbc:mysql://localhost:3306/somedb?autoReconnect=true
You can see that localhost refers to webvm. How do I change the connection string to refer to datavm? I hesitate to use jdbc:mysql://10.0.0.5:3306/somedb?autoReconnect=true because I do not want data transactions traveling across the network.
Also note that bridge networking already links the host OS to each of the guest OSes, so I don't want to do anything to mess up the host/guest bridge. The code that was used on the HOST to set up bridge networking with the guests is:
(Before creating the VMs)
# nmcli con show                                    (shows network connections before)
# nmcli con add type bridge ifname br0              (adds bridge networking)
# nmcli con show                                    (shows network connections after)
(After creating the VMs)
# nmcli connection modify bridge-br0 ipv4.method manual ipv4.addresses host.ip.addr/24 ipv4.gateway router.ip.addr
# nmcli con down bridge-br0; nmcli con up bridge-br0
# nmcli con up bridge-slave-eno1
# ip link                                           (on the host, shows the VM connections as vnetX)
# brctl addif br0 vnet3                             (adds the VM to the network so you can ping it from elsewhere on the network; vnet3 is the VM's vnetX device from ip link)
Now switch to another computer, open a terminal, and ssh [email protected] to connect to the virtual machine via ssh.
Whatever new bridge networking code we add must not conflict with the above bridge networking code that was already used.
So how do I set up a one-to-one, exclusive data connection between datavm and webvm?
UPDATED WORK IN PROGRESS:
I read the Red Hat nmcli documentation at this link, and I also read this other link about bridged networking and virtual machines.
In chat, @derobert suggested the following steps:
1.) Add a second bridge to the host.
2.) Add a second network interface to webvm, connected to the new host bridge.
3.) Add a second network interface to datavm, connected to the new host bridge.
4.) Configure the new network interfaces inside each guest.
Towards this end, I got a baseline by running the following in the HOST:
[root@localhost ~]# nmcli con show
NAME               UUID                                  TYPE            DEVICE
bridge-slave-eno1  c36fd051-cacc-4e91-944f-a98f4fee26ff  802-3-ethernet  eno1
bridge-br0         d472bc86-0f75-4dd5-bfee-5b8208b3fed2  bridge          br0
System eno1        abf4c85b-57cc-4484-4fa9-b4a71689c359  802-3-ethernet  --
vnet1              ea985e89-94fb-403c-af33-7daefb378ca5  generic         vnet1
vnet0              06deb20d-b0b7-4233-8abc-cbb285165082  generic         vnet0
[root@localhost ~]#
Then I ran the following inside webvm:
[root@localhost ~]# nmcli con show
NAME  UUID                                  TYPE            DEVICE
eth0  71bf7ff1-7574-4364-8c83-5878ed30d028  802-3-ethernet  eth0
[root@localhost ~]#
Then I ran the following inside datavm:
[root@localhost ~]# nmcli con show
NAME  UUID                                  TYPE            DEVICE
eth0  d976f7ca-ab7f-4fd0-ab2b-6213815bd1a1  802-3-ethernet  eth0
[root@localhost ~]#
Then based on @JeffShaller's comment in chat, I found the following in man virsh:
attach-interface domain type source [[[--live] [--config] | [--current]] | [--persistent]] [--target target] [--mac mac] [--script script] [--model model] [--config] [--inbound average,peak,burst] [--outbound average,peak,burst]
Attach a new network interface to the domain. type can be either network to indicate connection via a libvirt virtual network or bridge to indicate connection via a bridge device on the host. source indicates the source of the connection (either the name of a network, or of a bridge device). target is used to specify the tap/macvtap device to be used to connect the domain to the source. Names starting with 'vnet' are considered as auto-generated and are blanked out/regenerated each time the interface is attached. mac specifies the MAC address of the network interface; if a MAC address is not given, a new address will be automatically generated (and stored in the persistent configuration if "--config" is given on the commandline). script is used to specify a path to a custom script to be called while attaching to a bridge - this will be called instead of the default script not in addition to it; --script is valid only for interfaces of type bridge and only for Xen domains. model specifies the network device model to be presented to the domain. inbound and outbound control the bandwidth of the interface. peak and burst are optional, so "average,peak", "average,,burst" and "average" are also legal. Values for average and peak are expressed in kilobytes per second, while burst is expressed in kilobytes in a single burst at peak speed as described in the Network XML documentation at <http://libvirt.org/formatnetwork.html#elementQoS>.
If --live is specified, affect a running domain. If --config is specified, affect the next startup of a persistent domain. If --current is specified, affect the current domain state. Both --live and --config flags may be given, but --current is exclusive. When no flag is specified legacy API is used whose behavior depends on the hypervisor driver.
For compatibility purposes, --persistent behaves like --config for an offline domain, and like --live --config for a running domain.
Note: the optional target value is the name of a device to be created as the back-end on the node. If not provided a device named "vnetN" or "vifN" will be created automatically.
So I am guessing that I type the following in the host:
# nmcli con add type bridge ifname br1
# virsh attach-interface datavm bridge br1
# virsh attach-interface webvm bridge br1
I therefore implemented these commands by running the following on the HOST:
[root@localhost ~]# nmcli con show
NAME               UUID                                  TYPE            DEVICE
bridge-slave-eno1  c36fd051-cacc-4e91-944f-a98f4fee26ff  802-3-ethernet  eno1
bridge-br0         d472bc86-0f75-4dd5-bfee-5b8208b3fed2  bridge          br0
System eno1        abf4c85b-57cc-4484-4fa9-b4a71689c359  802-3-ethernet  --
vnet1              ea985e89-94fb-403c-af33-7daefb378ca5  generic         vnet1
vnet0              06deb20d-b0b7-4233-8abc-cbb285165082  generic         vnet0
[root@localhost ~]# nmcli con add type bridge ifname br1
Connection 'bridge-br1' (8b9fd6d9-bcb4-4e1c-85ab-55905d08667e) successfully added.
[root@localhost ~]# nmcli con show
NAME               UUID                                  TYPE            DEVICE
bridge-slave-eno1  c36fd051-cacc-4e91-944f-a98f4fee26ff  802-3-ethernet  eno1
bridge-br0         d472bc86-0f75-4dd5-bfee-5b8208b3fed2  bridge          br0
System eno1        abf4c85b-57cc-4484-4fa9-b4a71689c359  802-3-ethernet  --
bridge-br1         8b9fd6d9-bcb4-4e1c-85ab-55905d08667e  bridge          br1
vnet1              ea985e89-94fb-403c-af33-7daefb378ca5  generic         vnet1
vnet0              06deb20d-b0b7-4233-8abc-cbb285165082  generic         vnet0
[root@localhost ~]# virsh --list-all
error: unsupported option '--list-all'. See --help.
[root@localhost ~]# virsh
Welcome to virsh, the virtualization interactive terminal.
virsh # list
 Id    Name                           State
----------------------------------------------------
 2     public4-centos7                running
 4     data-centos7                   running
virsh # attach-interface data-centos7 bridge br1
Interface attached successfully
virsh # attach-interface public4-centos7 bridge br1
Interface attached successfully
virsh #
I then logged in to each of the virtual machines separately, and the new connections to the bridge network were shown with the name Wired connection 1, as follows:
In the web vm:
[root@localhost ~]# nmcli con show
NAME                UUID                                  TYPE            DEVICE
Wired connection 1  44f1f791-0d86-4587-8a2d-48dfa217ee99  802-3-ethernet  ens7
eth0                71bf7ff1-7574-4364-8c83-5878ed30d028  802-3-ethernet  eth0
[root@localhost ~]#
And in the data vm:
[root@localhost ~]# nmcli con show
NAME                UUID                                  TYPE            DEVICE
Wired connection 1  448101d7-1f8f-4b78-ad90-7efd5be23b08  802-3-ethernet  ens7
eth0                d976f7ca-ab7f-4fd0-ab2b-6213815bd1a1  802-3-ethernet  eth0
[root@localhost ~]#
What else do I type to finish what @derobert suggested? Remember that all data traffic needs to stay INSIDE THE PHYSICAL BOX, so that the new bridge will have to include new ip addresses for datavm and webvm to use ONLY in the new bridge.
I imagine that firewalld will also be involved.
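As an added example (not part of the question or of any answer), one way to carry @derobert's four steps through to a locked-down database segment, as shell run on the host and inside each guest. Assumptions: the private segment is 192.168.100.0/24 (chosen so it cannot overlap the 10.0.0.0/24 LAN), webvm takes .6 and datavm .5 on it, the br1 NIC inside each guest is the NetworkManager connection "Wired connection 1" seen above, and the libvirt domains are named webvm and datavm (on the host above they are data-centos7 and public4-centos7).

```shell
#!/bin/sh
# Added example, not from the question. Assumed values: private segment
# 192.168.100.0/24 (does not overlap the LAN 10.0.0.0/24), webvm = .6,
# datavm = .5, guest NIC on br1 is "Wired connection 1", libvirt domains
# are named webvm and datavm. DRY_RUN=1 prints the commands instead of
# running them, which is what the self-check below relies on.
set -eu
WEB_IP=192.168.100.6
DATA_IP=192.168.100.5
WIRED="Wired connection 1"
run() { if [ -n "${DRY_RUN:-}" ]; then printf '%s\n' "$*"; else "$@"; fi; }

# HOST: br1 gets no IP address, so the host is not a participant on the
# private segment; libvirt enslaves each guest's vnetX tap to br1 itself,
# so no brctl step is needed (unlike the hand-added vnet3 on br0).
host_setup() {
  run nmcli con add type bridge ifname br1 con-name bridge-br1 \
      ipv4.method disabled ipv6.method ignore bridge.stp no
  run nmcli con up bridge-br1
  run virsh attach-interface datavm bridge br1 --model virtio --persistent
  run virsh attach-interface webvm bridge br1 --model virtio --persistent
}

# EACH GUEST: static address, no gateway, never a default route, so LAN
# traffic keeps using eth0 and only 192.168.100.x leaves via the br1 NIC.
guest_setup() {  # $1 = this guest's address on the private segment
  run nmcli con mod "$WIRED" ipv4.method manual ipv4.addresses "$1/24" \
      ipv4.never-default yes ipv6.method ignore connection.autoconnect yes
  run nmcli con up "$WIRED"
}

# DATAVM ONLY: bind MariaDB to the private address (3306 then does not even
# listen on 10.0.0.5) and have firewalld admit 3306 solely from webvm's
# private address via a source-based zone; the public zone is untouched.
db_lockdown() {
  run sh -c "printf '[mysqld]\nbind-address=$DATA_IP\n' > /etc/my.cnf.d/bind-br1.cnf"
  run systemctl restart mariadb
  run firewall-cmd --permanent --new-zone=dbnet
  run firewall-cmd --permanent --zone=dbnet --add-source="$WEB_IP/32"
  run firewall-cmd --permanent --zone=dbnet --add-port=3306/tcp
  run firewall-cmd --reload
}

case "${1:-}" in
  host)   host_setup ;;
  webvm)  guest_setup "$WEB_IP" ;;
  datavm) guest_setup "$DATA_IP"; db_lockdown ;;
esac
```

With this in place the web app's connection string points at the private address, jdbc:mysql://192.168.100.5:3306/somedb?autoReconnect=true, and on datavm `ss -ltn` should show 3306 bound only to 192.168.100.5 while `firewall-cmd --zone=dbnet --list-all` shows 192.168.100.6/32 as its only source.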