I have noticed that you can't have multiple separate NAT style libvirt networks defined with the same private IP blocks.
For example I have this default network:
<network>
<name>default</name>
<uuid>13baf167-02ff-4312-928c-b82ed4df5785</uuid>
<forward mode='nat'>
<nat>
<port start='1024' end='65535'/>
</nat>
</forward>
<bridge name='virbr1' stp='on' delay='0'/>
<mac address='52:54:00:9c:8f:7c'/>
<ip address='192.168.122.1' netmask='255.255.255.0'>
<dhcp>
<range start='192.168.122.2' end='192.168.122.25'/>
</dhcp>
</ip>
</network>
<name>default</name>
<uuid>13baf167-02ff-4312-928c-b82ed4df5785</uuid>
<forward mode='nat'>
<nat>
<port start='1024' end='65535'/>
</nat>
</forward>
<bridge name='virbr1' stp='on' delay='0'/>
<mac address='52:54:00:9c:8f:7c'/>
<ip address='192.168.122.1' netmask='255.255.255.0'>
<dhcp>
<range start='192.168.122.2' end='192.168.122.25'/>
</dhcp>
</ip>
</network>
I can't define another nat network that uses the same IP address range. I assume this is an implementation limit because of how the iptables rules are written/work for doing the NAT.
I'd like to have 10 networks with the same default IP address, attached to 10 vms that all run off the same read-only image. I know that I could use different ranges and then have my vms use dhcp, and or a few other similar ways. I'm limited by the virtual image I want to run (close source OS, licensed-and-IP-locked software - I have plenty of licences for instances).
I'd love to replace my 10 instances all with their own IPs on a public bridge with 10 NAT'd instances all using the same IP each on their own little network world - so I'd make a separate bridge for each, but of course it doesn't work.
I have a proof-of-concept setup where I use a routed private network + nat with the application vm and a small linux vm in pairs. The linux vms have a public IP, and a private bridge with a fixed ip to be the default route of the app vm. Then the app vm can have a fixed ip, route to a fixed default route, and get natted to whatever it's buddy router vm's public IP is. This works - but then I have 20 vms instead of 10. They are small and dont use much cpu, but they use ram... which is somewhat constraining. And I have to maintain a router image. I'm going to settle for this setup If I have to, but I'd rather not.
So I had the bright idea of somehow routing/natting each vm through a network namespace. I could perhaps avoid having to have a whole separate linux instance just to get a copy of the network stack to do nat with. I'm kind of struggling to see how I'd could have each libvirt vm run in it's own namespace. I don't think it is possible actually. But perhaps I could use an extra set of IPs and an extra bridge/veth-pair to work some kind of magic.
Anyone out there doing something like this? Can you help me wrap my head around how to mix libvirt kvm VMs and network namespaces?
Is there some other simpler way to achieve what I want?
Thanks.
Fred Clift
_______________________________________________ libvirt-users mailing list libvirt-users@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvirt-users
