Jul 5
[Original] Bridged networking for KVM on Asianux 4.0
By default, the KVM virtual machines shipped with Asianux 4.0 use NAT mode. For day-to-day use (for example, installing a guest over PXE) a bridge, like VMware's bridged mode, is far more convenient. Getting there takes a little work, because the configuration has to be edited by hand.
I. Preparation
Network interfaces currently on the system:
# ifconfig
eth0 Link encap:Ethernet HWaddr 00:50:56:85:44:3F
inet addr:192.168.228.216 Bcast:192.168.228.255 Mask:255.255.255.0
inet6 addr: fe80::250:56ff:fe85:443f/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:5818 errors:0 dropped:0 overruns:0 frame:0
TX packets:959 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:1307576 (1.2 MiB) TX bytes:135507 (132.3 KiB)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
virbr0 Link encap:Ethernet HWaddr 26:F5:C8:B8:B7:67
inet addr:192.168.122.1 Bcast:192.168.122.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:24 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 b) TX bytes:3641 (3.5 KiB)
eth0 is the physical NIC; virbr0 is the virtual interface KVM (libvirt) uses for NAT, and it is itself a bridge device. What we need to do is create a new bridge device and add eth0 to it.
Bridging requires the bridge-utils package:
# rpm -qa|grep bridge
bridge-utils-1.2-9.AXS4.x86_64
Current state:
# brctl show
bridge name bridge id STP enabled interfaces
virbr0 8000.000000000000 yes
II. Configuring the bridge
1. Stop the NetworkManager service
NetworkManager watches interface state and applies changes as it sees them, but it does not support bridge devices. As a result, any edit to the eth0 configuration takes effect immediately, and the network connection drops. If you are configuring the host remotely, stop the service first (and make sure it does not start again at boot), and if at all possible do the rest of this from a console rather than over SSH, since the host's address moves from eth0 to the bridge when the network service is restarted:
# service NetworkManager stop
2. Create the bridge device
Create a new file with the following content:
# cat /etc/sysconfig/network-scripts/ifcfg-bridge0
DEVICE=bridge0
TYPE=Bridge
BOOTPROTO=static
ONBOOT=yes
IPADDR=192.168.228.216
NETMASK=255.255.255.0
GATEWAY=192.168.228.153
DNS1=192.168.228.153
DELAY=0
※ If the host has several NICs, GATEWAY can be put in /etc/sysconfig/network instead.
※ To obtain the bridge's address via DHCP, use BOOTPROTO=dhcp instead.
3. Modify the physical NIC's configuration
The key is the BRIDGE field, whose value must be the name of the bridge device created above; NM_CONTROLLED=no takes the interface out of NetworkManager's hands. The NIC keeps no address of its own (BOOTPROTO=none): the IP now belongs to bridge0:
# cat /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0
BOOTPROTO=none
HWADDR=00:50:56:85:44:3f
NM_CONTROLLED=no
ONBOOT=yes
TYPE=Ethernet
IPV6INIT=no
USERCTL=no
BRIDGE=bridge0
Restart the network service:
# service network restart
Check the state:
# ifconfig
bridge0 Link encap:Ethernet HWaddr 00:50:56:85:44:3F
inet addr:192.168.228.216 Bcast:192.168.228.255 Mask:255.255.255.0
inet6 addr: fe80::250:56ff:fe85:443f/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:137 errors:0 dropped:0 overruns:0 frame:0
TX packets:123 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:12303 (12.0 KiB) TX bytes:17023 (16.6 KiB)
eth0 Link encap:Ethernet HWaddr 00:50:56:85:44:3F
inet6 addr: fe80::250:56ff:fe85:443f/64 Scope:Link
UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1
RX packets:8069 errors:0 dropped:0 overruns:0 frame:0
TX packets:1403 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:1816084 (1.7 MiB) TX bytes:200274 (195.5 KiB)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
virbr0 Link encap:Ethernet HWaddr 26:F5:C8:B8:B7:67
inet addr:192.168.122.1 Bcast:192.168.122.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:29 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 b) TX bytes:3871 (3.7 KiB)
# brctl show
bridge name bridge id STP enabled interfaces
bridge0 8000.00505685443f no eth0
virbr0 8000.000000000000 yes
# route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.228.0 * 255.255.255.0 U 0 0 0 bridge0
192.168.122.0 * 255.255.255.0 U 0 0 0 virbr0
link-local * 255.255.0.0 U 1008 0 0 bridge0
default 192.168.228.153 0.0.0.0 UG 0 0 0 bridge0
# ping -c2 www.163.com
PING 163.xdwscache.glb0.lxdns.com (121.14.228.43) 56(84) bytes of data.
64 bytes from 121.14.228.43: icmp_seq=1 ttl=56 time=3.49 ms
64 bytes from 121.14.228.43: icmp_seq=2 ttl=56 time=18.4 ms
--- 163.xdwscache.glb0.lxdns.com ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1020ms
rtt min/avg/max/mdev = 3.497/10.962/18.428/7.466 ms
# nslookup www.163.com
Server: 192.168.228.153
Address: 192.168.228.153#53
Non-authoritative answer:
www.163.com canonical name = www.cache.wangsu.netease.com.
www.cache.wangsu.netease.com canonical name = www.163.com.lxdns.com.
www.163.com.lxdns.com canonical name = www.163.z.lxdns.com.
www.163.z.lxdns.com canonical name = 163.xdwscache.glb0.lxdns.com.
Name: 163.xdwscache.glb0.lxdns.com
Address: 183.60.136.64
Name: 163.xdwscache.glb0.lxdns.com
Address: 121.14.228.43
As the output shows, bridging is complete: the address and the default route are on bridge0, eth0 has been enslaved (brctl lists it under bridge0, and ifconfig shows it in PROMISC mode with no IPv4 address of its own), and name resolution and outbound connectivity both work. From here, simply select this bridge device as the network source when creating a KVM guest:
III. Managing the bridge by hand
The bridge can also be manipulated manually with commands like the following, which move a running guest's tap interfaces (vnet0, vnet1) off the NAT bridge virbr0 and onto bridge0. Changes made this way are not persistent and are not reflected in the guest's libvirt definition; for a permanent change, point the guest's network interface at bridge0 in its configuration:
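Steps 2 and 3 above are a mechanical transformation of the existing ifcfg-eth0: the address settings move to a new ifcfg-bridge0, and eth0 is left addressless and enslaved. As an added example (my code, not part of the original post), the script below performs that transformation, including the DHCP variant mentioned in the notes. Assumptions that are not from the page: the input is a RHEL/Asianux-style KEY=VALUE ifcfg file, the functions ifcfg_get, make_bridge_cfg and demo are mine, and output is written to a directory you choose rather than straight into /etc/sysconfig/network-scripts so it can be reviewed first.

```shell
# Added example, not from the original post: derive the ifcfg-bridge0 /
# ifcfg-eth0 pair shown above from an existing ifcfg-eth0.
# Assumptions (mine, not the page's): the input is a RHEL/Asianux-style
# KEY=VALUE ifcfg file; output is written to a directory you choose so it
# can be reviewed before anything is copied into /etc/sysconfig/network-scripts.

# ifcfg_get FILE KEY: print KEY's value (first match, surrounding quotes removed).
ifcfg_get() {
    sed -n "s/^$2=//p" "$1" | head -n 1 | tr -d '"'
}

# make_bridge_cfg SRC_IFCFG OUT_DIR BRIDGE
# Writes OUT_DIR/ifcfg-BRIDGE carrying the address settings and
# OUT_DIR/ifcfg-<DEVICE> with no address, NetworkManager disabled and
# BRIDGE=<BRIDGE>, so the NIC is enslaved at "service network restart".
make_bridge_cfg() {
    src=$1; dst=$2; br=$3
    dev=$(ifcfg_get "$src" DEVICE)
    if [ -z "$dev" ]; then
        echo "make_bridge_cfg: no DEVICE= line in $src" >&2
        return 1
    fi
    hw=$(ifcfg_get "$src" HWADDR)
    proto=$(ifcfg_get "$src" BOOTPROTO)
    mkdir -p "$dst"
    {
        echo "DEVICE=$br"
        echo "TYPE=Bridge"
        echo "ONBOOT=yes"
        echo "DELAY=0"              # no forwarding delay, as in the post
        echo "NM_CONTROLLED=no"
        if [ "$proto" = dhcp ]; then
            echo "BOOTPROTO=dhcp"   # the bridge, not eth0, requests the lease
        else
            echo "BOOTPROTO=static"
            for k in IPADDR NETMASK GATEWAY DNS1 DNS2; do
                v=$(ifcfg_get "$src" "$k")
                if [ -n "$v" ]; then echo "$k=$v"; fi
            done
        fi
    } > "$dst/ifcfg-$br"
    {
        echo "DEVICE=$dev"
        if [ -n "$hw" ]; then echo "HWADDR=$hw"; fi
        echo "TYPE=Ethernet"
        echo "BOOTPROTO=none"       # the physical port carries no address of its own
        echo "ONBOOT=yes"
        echo "NM_CONTROLLED=no"     # keep NetworkManager from reconfiguring the slave
        echo "USERCTL=no"
        echo "IPV6INIT=no"
        echo "BRIDGE=$br"
    } > "$dst/ifcfg-$dev"
}

# demo: run the conversion on a constructed ifcfg-eth0 (addresses taken from
# the post) in a scratch directory and print the path of the output directory.
demo() {
    tmp=$(mktemp -d)
    cat > "$tmp/ifcfg-eth0" <<'EOF'
DEVICE=eth0
HWADDR=00:50:56:85:44:3f
TYPE=Ethernet
BOOTPROTO=static
ONBOOT=yes
IPADDR=192.168.228.216
NETMASK=255.255.255.0
GATEWAY=192.168.228.153
DNS1=192.168.228.153
EOF
    make_bridge_cfg "$tmp/ifcfg-eth0" "$tmp/out" bridge0
    echo "$tmp/out"
}
```

Run `d=$(demo)` and inspect `$d/ifcfg-bridge0` and `$d/ifcfg-eth0`; on a real host, diff them against the current files in /etc/sysconfig/network-scripts, copy them into place, and only then restart the network service as described above.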
# brctl delif virbr0 vnet0
# brctl delif virbr0 vnet1
# brctl addif bridge0 vnet0
# brctl addif bridge0 vnet1
IV. Firewall configuration
Configuring iptables
Configure iptables to allow all traffic to be forwarded across the bridge.
# iptables -I FORWARD -m physdev --physdev-is-bridged -j ACCEPT
# service iptables save
# service iptables restart
Or disable iptables on bridges altogether. Either way the outcome is the same: the host's iptables no longer decides what guest traffic crosses bridge0, so any filtering between guests, or between guests and the LAN, has to be enforced elsewhere (in the guests, on the physical switch, or with ebtables rules, which still apply to bridged frames when bridge-nf is off).
Add the following lines to /etc/sysctl.conf:
net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-iptables = 0
net.bridge.bridge-nf-call-arptables = 0
Then reload the kernel parameters with sysctl:
# sysctl -p /etc/sysctl.conf
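Both options above leave the host in a state where its FORWARD chain does not decide what guest traffic crosses bridge0, and it is easy to lose track of which one a given host ended up with, or whether the ACCEPT rule was added with -A below an existing unconditional DROP and is therefore dead. The following added check (my code, not the post's) classifies a host from the output of `iptables -S FORWARD` and `sysctl net.bridge`, passed in as text so it can also be run over output saved from another machine. The sample chains and sysctl values are constructed to mirror the two options; the libvirt default-network rules in them are illustrative, and the function name bridge_filter_mode is mine.

```shell
# Added example, not from the original post: tell which of the two firewall
# options above a host has ended up with, from saved command output.
# Inputs are plain text as printed by "iptables -S FORWARD" and
# "sysctl net.bridge"; the samples below are constructed, not captured from
# the host in the post.

# bridge_filter_mode FORWARD_RULES SYSCTL_LINES -> prints one word:
#   bypass-sysctl  bridge-nf-call-iptables=0: iptables never sees bridged frames
#   bypass-rule    a catch-all physdev-is-bridged ACCEPT is reached before any
#                  unconditional DROP/REJECT, so FORWARD accepts all guest traffic
#   filtered       bridged frames traverse FORWARD and are subject to its rules
#                  and policy
bridge_filter_mode() {
    rules=$1; sysctls=$2
    if printf '%s\n' "$sysctls" | grep -Eq '^net\.bridge\.bridge-nf-call-iptables *= *0$'; then
        echo bypass-sysctl
        return 0
    fi
    # iptables evaluates FORWARD top-down, so the first decisive rule wins:
    # a later catch-all ACCEPT is dead code if an unconditional drop precedes it.
    printf '%s\n' "$rules" | awk '
        /^-A FORWARD -m physdev --physdev-is-bridged -j ACCEPT$/ { print "bypass-rule"; hit = 1; exit }
        /^-A FORWARD -j (DROP|REJECT)/                           { print "filtered";    hit = 1; exit }
        END { if (!hit) print "filtered" }
    '
}

# Constructed sample inputs.
# Option 1 from the post: the physdev ACCEPT inserted (-I) above the rules
# libvirt installs for its default NAT network.
SAMPLE_RULES_OPT1='-P FORWARD ACCEPT
-A FORWARD -m physdev --physdev-is-bridged -j ACCEPT
-A FORWARD -d 192.168.122.0/24 -o virbr0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable'

# The same chain without the physdev rule (libvirt defaults only).
SAMPLE_RULES_DEFAULT='-P FORWARD ACCEPT
-A FORWARD -d 192.168.122.0/24 -o virbr0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable'

# The physdev rule appended (-A) after an unconditional DROP: it never matches.
SAMPLE_RULES_DEAD='-P FORWARD DROP
-A FORWARD -j DROP
-A FORWARD -m physdev --physdev-is-bridged -j ACCEPT'

# Option 2 from the post (bridge-nf disabled) and the kernel default (enabled).
SAMPLE_SYSCTL_OFF='net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-iptables = 0
net.bridge.bridge-nf-call-arptables = 0'
SAMPLE_SYSCTL_ON='net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
net.bridge.bridge-nf-call-arptables = 1'
```

On a live host, call it as `bridge_filter_mode "$(iptables -S FORWARD)" "$(sysctl net.bridge)"`. Anything other than `filtered` means the host is not filtering the guests' bridged traffic, which is exactly what both options above set out to do; the point of the check is to make that an explicit, recorded decision rather than a side effect.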