I am trying to set up an RHCE study lab following Michael Jang's RHCSA/RHCE setup guide. I have followed the guide in the book, although I think a lot of information is missing (for a book like this, step by step would be nice).
TL;DR - I cannot get the VMs in my KVM setup to communicate with each other on the same subnet. My study guide says to use forwarding NAT with the virbr# devices... but it does not work.
The main problem I am having is that my VMs cannot ping anything on the network: "Destination Host Unreachable". server1 cannot ping its default gateway, the host, or even tester1, which is on the same subnet. The same goes for trying to reach Outsider1, which is on a different subnet on the same KVM host PC. The same behavior exists on the VMs tester1 and Outsider1.
For the setup, I have one host on a private network (192.168.5.0/24), and per the book I created two KVM virtual networks and three VMs. Here is a summary of each VM's configuration.
server1.example.com
- Connected to virtual network "example.com": NAT
- Device model: virtio
- vNIC MAC 52:54:00:86:51:d2
- Static IP: 192.168.122.50/24, gw=192.168.122.1
tester1.example.com
- Connected to virtual network "example.com": NAT
- Device model: virtio
- vNIC MAC 52:54:00:89:20:c7
- Static IP: 192.168.122.150/24, gw=192.168.122.1
Outsider1.example.org
- Connected to virtual network "example.org": NAT
- Device model: virtio
- vNIC MAC 52:54:00:03:c3:0a
- Static IP: 192.168.100.100/24, gw=192.168.100.1
I created the two virtual networks as instructed; the setup as seen from the virtualization host PC is as follows:
# virsh list
Id Name State
----------------------------------------------------
1 outsider1 running
2 tester1 running
4 server1 running
# virsh net-list
Name State Autostart Persistent
----------------------------------------------------------
example.com active yes yes
example.org active yes yes
# virsh net-info example.com
Name: example.com
UUID: 6d2a6e12-2d72-4720-9427-630a608bae6f
Active: yes
Persistent: yes
Autostart: yes
Bridge: virbr0
# virsh net-info example.org
Name: example.org
UUID: 3d564af8-4d3e-484b-846e-7ad76bd4be4a
Active: yes
Persistent: yes
Autostart: yes
Bridge: virbr1
# virsh net-dumpxml example.com
<network>
<name>example.com</name>
<uuid>6d2a6e12-2d72-4720-9427-630a608bae6f</uuid>
<forward mode='nat'>
<nat>
<port start='1024' end='65535'/>
</nat>
</forward>
<bridge name='virbr0' stp='on' delay='0'/>
<mac address='52:54:00:7f:b9:50'/>
<domain name='example.com'/>
<ip address='192.168.122.1' netmask='255.255.255.0'>
<dhcp>
<range start='192.168.122.151' end='192.168.122.254'/>
</dhcp>
</ip>
<ip family='ipv6' address='fd00:a81d:a6d7:55::1' prefix='64'>
<dhcp>
<range start='fd00:a81d:a6d7:55::100' end='fd00:a81d:a6d7:55::1ff'/>
</dhcp>
</ip>
</network>
# virsh net-dumpxml example.org
<network>
<name>example.org</name>
<uuid>3d564af8-4d3e-484b-846e-7ad76bd4be4a</uuid>
<forward mode='nat'>
<nat>
<port start='1024' end='65535'/>
</nat>
</forward>
<bridge name='virbr1' stp='on' delay='0'/>
<mac address='52:54:00:49:c7:35'/>
<domain name='example.org'/>
<ip address='192.168.100.1' netmask='255.255.255.0'>
<dhcp>
<range start='192.168.100.128' end='192.168.100.254'/>
</dhcp>
</ip>
<ip family='ipv6' address='fd00:e81d:a6d7:56::1' prefix='64'>
<dhcp>
<range start='fd00:e81d:a6d7:56::100' end='fd00:e81d:a6d7:56::1ff'/>
</dhcp>
</ip>
</network>
# brctl show
bridge name bridge id STP enabled interfaces
docker0 8000.02428a3f4914 no
virbr0 8000.5254007fb950 yes virbr0-nic
virbr1 8000.52540049c735 yes virbr1-nic
# ip route show
default via 192.168.5.1 dev enp0s31f6 proto dhcp metric 100
192.168.5.0/24 dev enp0s31f6 proto kernel scope link src 192.168.5.45 metric 100
192.168.100.0/24 dev virbr1 proto kernel scope link src 192.168.100.1
192.168.122.0/24 dev virbr0 proto kernel scope link src 192.168.122.1
# ip addr show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: enp0s31f6: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 2c:4d:54:d2:c5:89 brd ff:ff:ff:ff:ff:ff
inet 192.168.5.45/24 brd 192.168.5.255 scope global noprefixroute dynamic enp0s31f6
valid_lft 71762sec preferred_lft 71762sec
inet6 fe80::7abc:be60:6633:d94/64 scope link noprefixroute
valid_lft forever preferred_lft forever
3: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
link/ether 02:42:8a:3f:49:14 brd ff:ff:ff:ff:ff:ff
10: vnet0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 1000
link/ether fe:54:00:03:c3:0a brd ff:ff:ff:ff:ff:ff
inet6 fe80::fc54:ff:fe03:c30a/64 scope link
valid_lft forever preferred_lft forever
11: vnet1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 1000
link/ether fe:54:00:89:20:c7 brd ff:ff:ff:ff:ff:ff
inet6 fe80::fc54:ff:fe89:20c7/64 scope link
valid_lft forever preferred_lft forever
13: vnet2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 1000
link/ether fe:54:00:86:51:d2 brd ff:ff:ff:ff:ff:ff
inet6 fe80::fc54:ff:fe86:51d2/64 scope link
valid_lft forever preferred_lft forever
14: virbr1: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default qlen 1000
link/ether 52:54:00:49:c7:35 brd ff:ff:ff:ff:ff:ff
inet 192.168.100.1/24 brd 192.168.100.255 scope global virbr1
valid_lft forever preferred_lft forever
inet6 fd00:e81d:a6d7:56::1/64 scope global
valid_lft forever preferred_lft forever
inet6 fe80::5054:ff:fe49:c735/64 scope link
valid_lft forever preferred_lft forever
15: virbr1-nic: <BROADCAST,MULTICAST> mtu 1500 qdisc pfifo_fast master virbr1 state DOWN group default qlen 1000
link/ether 52:54:00:49:c7:35 brd ff:ff:ff:ff:ff:ff
16: virbr0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default qlen 1000
link/ether 52:54:00:7f:b9:50 brd ff:ff:ff:ff:ff:ff
inet 192.168.122.1/24 brd 192.168.122.255 scope global virbr0
valid_lft forever preferred_lft forever
inet6 fd00:a81d:a6d7:55::1/64 scope global
valid_lft forever preferred_lft forever
inet6 fe80::5054:ff:fe7f:b950/64 scope link
valid_lft forever preferred_lft forever
17: virbr0-nic: <BROADCAST,MULTICAST> mtu 1500 qdisc pfifo_fast master virbr0 state DOWN group default qlen 1000
link/ether 52:54:00:7f:b9:50 brd ff:ff:ff:ff:ff:ff
I have tried restarting NetworkManager on all the VMs and rebooting the VMs, but none of the VMs can communicate with any other device. Obviously I am missing a step for these devices to talk to each other...
The server1 configuration is as follows:
[root@server1 ~]# ip route show
default via 192.168.122.1 dev eth0 proto static metric 100
192.168.122.0/24 dev eth0 proto kernel scope link src 192.168.122.50 metric 100
[root@server1 ~]# ip link show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT qlen 1
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT qlen 1000
link/ether 52:54:00:86:51:d2 brd ff:ff:ff:ff:ff:ff
[root@server1 ~]# ip addr show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 52:54:00:86:51:d2 brd ff:ff:ff:ff:ff:ff
inet 192.168.122.50/24 brd 192.168.122.255 scope global eth0
valid_lft forever preferred_lft forever
inet6 fe80::5054:ff:fe86:51d2/64 scope link
valid_lft forever preferred_lft forever
The tester1 configuration is as follows:
[root@tester1 ~]# ip route show
default via 192.168.122.1 dev eth0 proto static metric 100
192.168.122.0/24 dev eth0 proto kernel scope link src 192.168.122.150 metric 100
[root@tester1 ~]# ip link show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT qlen 1
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT qlen 1000
link/ether 52:54:00:89:20:c7 brd ff:ff:ff:ff:ff:ff
[root@tester1 ~]# ip addr show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 52:54:00:89:20:c7 brd ff:ff:ff:ff:ff:ff
inet 192.168.122.150/24 brd 192.168.122.255 scope global eth0
valid_lft forever preferred_lft forever
inet6 fe80::5054:ff:fe89:20c7/64 scope link
valid_lft forever preferred_lft forever
The Outsider1 configuration is as follows:
[root@outsider1 ~]# ip route show
default via 192.168.100.1 dev eth0 proto static metric 100
192.168.100.0/24 dev eth0 proto kernel scope link src 192.168.100.100 metric 100
[root@outsider1 ~]# ip link show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT qlen 1
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT qlen 1000
link/ether 52:54:00:03:c3:0a brd ff:ff:ff:ff:ff:ff
[root@outsider1 ~]# ip addr show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 52:54:00:03:c3:0a brd ff:ff:ff:ff:ff:ff
inet 192.168.100.100/24 brd 192.168.100.255 scope global eth0
valid_lft forever preferred_lft forever
inet6 fe80::5054:ff:fe03:c30a/64 scope link
valid_lft forever preferred_lft forever
I am pretty sure I need to create static routes on the host to get traffic from Outsider1 to tester1/server1 and vice versa. But what really has me stuck is that I cannot even get tester1 and server1 to talk to each other, or even to the default gateway virbr0.
Any ideas?
Answer 1
The setup implies that many important parameters are not shown in the question (iptables / steps used / kernel network configuration / bridge settings / etc.); here are some possibilities for solving the communication problem (on the main host side):
Possible solution:
A bridge interface, as the name suggests, is a gateway between several network interfaces; in your setup you seem to have:
[KVM1-ETH0] <---> [Bridge][virbr0] <---> [Master][Bridge][virbr0-nic]
[KVM2-ETH0] <---> [Bridge][virbr1] <---> [Master][Bridge][virbr1-nic]
First, I do not understand why you need 2 bridge interfaces, and then the second problem, as @LL3 mentioned, is that the interface virbr0-nic is not up.
Second, a cleaner setup would look like the following (depending on your needs)
[KVM1-ETH0] <---> [Bridge][virbr0] <---> [Master][Bridge][virbr0-nic]
[KVM2-ETH0] <---> [Bridge][virbr1] <---> [Master][Bridge][virbr0-nic]
or
[KVM1-ETH0] <---> [Bridge][virbr0] <---> [Master][enp0s31f6]
[KVM2-ETH0] <---> [Bridge][virbr0] <---> [Master][enp0s31f6]
or
[KVM1-ETH0] <---> [Bridge][virbr0]
[KVM2-ETH0] <---> [Bridge][virbr0]
Possible solution:
Bring up virbr0-nic and virbr1-nic (adjust the IPs to your needs)
ifconfig virbr0-nic 192.168.122.254/24 up
ifconfig virbr1-nic 192.168.122.254/24 up
But virbr0-nic and virbr1-nic are still not linked together.
Possible solution:
If you want to use the main interface, you can add it as master to your bridge (according to your needs)
ip link set enp0s31f6 master virbr0
ip link set enp0s31f6 master virbr1
Possible solution:
Check your iptables/firewall settings (for example, if you use a firewall like shorewall); for testing purposes you can flush iptables before starting your setup.
#Netfilter cleanup
iptables --flush
iptables -t nat -F
iptables -X
iptables -Z
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
Possible solution:
Host routing/forwarding capability. Usually the ip_forward kernel feature is not needed for a bridge interface to work, but it may help if the bridge is not well configured in the first place. (Note that enabling ip_forward makes the host act as a router; in a production environment this requires extra precautions with iptables or other devices.)
#Enabling ipv4 forwarding
echo "1" > /proc/sys/net/ipv4/ip_forward
Possible solution:
Following the ip_forward possible solution, you can use masquerading to force the bridged traffic to use a specific interface
iptables -t nat -A POSTROUTING -o eth0 -s 192.168.0.0/24 -j MASQUERADE
In this example, traffic from the bridge with IP 192.168.0.0/24 will be forwarded to eth0 (this requires ip_forward)
Possible solution:
You can consider other setup solutions (besides bridge interfaces), such as macvlan, ipvlan or veth interfaces (some examples)
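A host-side check that can be run against captured output, added here as an example and not part of the question or the answer: in the question's brctl show output only virbr0-nic and virbr1-nic appear as bridge members, the vnet0..vnet2 header lines of ip addr show carry no "master" field, and both virbr bridges are flagged NO-CARRIER, so the script below parses both captures and reports taps that belong to no bridge and bridges with no carrier. The sample inputs are constructed from the question's interface names; the vnet1 entries with a "master virbr0" field are invented to show the attached case.

```shell
# Added example (not the question's or answer's own code): parse captured
# `brctl show` and `ip link show` text and report guest taps (vnet*) that
# sit on no bridge, and bridges with no carrier. A libvirt NAT network only
# forwards when each guest tap is enslaved to the virbrN owning the gateway.

# Constructed sample from the question's `brctl show`: only the virbrN-nic
# placeholder ports are members; the indented vnet1 row is added to show
# how brctl lists a second port of the same bridge.
BRCTL_OUT='bridge name	bridge id		STP enabled	interfaces
docker0		8000.02428a3f4914	no
virbr0		8000.5254007fb950	yes		virbr0-nic
							vnet1
virbr1		8000.52540049c735	yes		virbr1-nic'

# Constructed sample of `ip link show` header lines: vnet0, virbr0 and
# virbr1 are as in the question; vnet1 is given a "master virbr0" field.
IPLINK_OUT='10: vnet0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 1000
11: vnet1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master virbr0 state UNKNOWN group default qlen 1000
16: virbr0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default qlen 1000
14: virbr1: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default qlen 1000'

# unattached_taps BRCTL IPLINK: print each vnet* that neither an ip-link
# "master" field nor the brctl member table assigns to a bridge.
unattached_taps() {
  printf '%s\n' "$2" | awk -v brctl="$1" '
    BEGIN {
      n = split(brctl, row, "\n")
      for (i = 2; i <= n; i++) {              # row 1 is the header
        k = split(row[i], f, /[ \t]+/)
        if (row[i] ~ /^[^ \t]/) {             # new bridge: name, id, stp, port
          br = f[1]; if (k >= 4) member[f[4]] = br
        } else if (k >= 2) {                  # indented row: extra port
          member[f[2]] = br
        }
      }
    }
    $2 ~ /^vnet[0-9]+:$/ {
      tap = substr($2, 1, length($2) - 1)
      attached = (tap in member)
      for (i = 1; i <= NF; i++) if ($i == "master") attached = 1
      if (!attached) print tap
    }'
}

# nocarrier_bridges IPLINK: print bridges flagged NO-CARRIER, i.e. with no
# active port; from the guest side this shows as an unreachable gateway.
nocarrier_bridges() {
  printf '%s\n' "$1" | awk '$2 ~ /^virbr[0-9]+:$/ && $3 ~ /NO-CARRIER/ { print substr($2, 1, length($2) - 1) }'
}
```

Run on a live host with `unattached_taps "$(brctl show)" "$(ip link show)"`; any tap it prints, or any bridge that nocarrier_bridges prints while guests are running, is worth fixing before touching iptables or ip_forward.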