Configuring NAT Networking for KVM Virtual Machines
NAT network
If IP addresses on the network are scarce but the virtual machines still need network access, NAT mode is the best choice. NAT mode relies on a virtual NAT device and a virtual DHCP server to give the guests connectivity.
In NAT mode the host's network card is connected directly to the virtual NAT device, and the virtual NAT device and the virtual DHCP server are both attached to the virtual switch VMnet8; this is how the guests reach the network.
How it works
Create a bridge, give the bridge an internal IP address and bind the guest's network interface to it; then enable IP packet forwarding in the host kernel, add an iptables NAT rule, and finally start dnsmasq as a simple DHCP server.
dnsmasq is a small, convenient tool for configuring DNS and DHCP, intended for small networks; it provides DNS and, optionally, DHCP. It serves names that are meaningful only on the local network and never appear in the global DNS. The DHCP and DNS servers are combined, so that addresses handed out by DHCP resolve correctly in DNS; the DHCP-assigned addresses and related directives can be configured on each host or on a single central device (such as a router). dnsmasq supports both static and dynamic DHCP configuration.
Steps
Install the packages
yum -y install bridge-utils iptables dnsmasq
rpm -qa | egrep "bridge-utils|iptables|dnsmasq"
dnsmasq-2.48-18.el6_9.x86_64
iptables-1.4.7-19.el6.x86_64
bridge-utils-1.2-10.el6.x86_64
iptables-ipv6-1.4.7-19.el6.x86_64
Writing the start-up script
The network script called when the guest starts (/etc/qemu-ifup-NAT) is shown below. It creates the bridge, enables IP forwarding, adds the iptables NAT rule and starts dnsmasq, then attaches the guest's TAP interface to the bridge.
#!/bin/bash
# qemu-ifup script for QEMU/KVM with NAT network mode

# set your bridge name
BRIDGE=virbr0

# Network information
NETWORK=192.168.122.0
NETMASK=255.255.255.0

# GATEWAY for internal guests is the bridge in host
GATEWAY=192.168.122.1
DHCPRANGE=192.168.122.2,192.168.122.254

# Optional parameters to enable PXE support
TFTPROOT=
BOOTP=

# returns 0 if the bridge does not exist yet (it must be created),
# 1 if it already exists
function check_bridge() {
    if brctl show | grep "^$BRIDGE" &> /dev/null; then
        return 1
    else
        return 0
    fi
}

function create_bridge() {
    brctl addbr "$BRIDGE"
    brctl stp "$BRIDGE" on
    brctl setfd "$BRIDGE" 0
    ifconfig "$BRIDGE" "$GATEWAY" netmask "$NETMASK" up
}

function enable_ip_forward() {
    echo 1 > /proc/sys/net/ipv4/ip_forward
}

# masquerade traffic leaving the guest subnet for any other destination;
# note that the rule is appended every time this script runs, so starting
# several guests leaves several identical rules in the nat table
function add_filter_rules() {
    iptables -t nat -A POSTROUTING -s "$NETWORK"/"$NETMASK" \
        ! -d "$NETWORK"/"$NETMASK" -j MASQUERADE
}

function start_dnsmasq() {
    # don't run dnsmasq repeatedly
    ps -ef | grep "dnsmasq" | grep -v "grep" &> /dev/null
    if [ $? -eq 0 ]; then
        echo "Warning: dnsmasq is already running."
        return 1
    fi
    # bind only to the bridge address so the DHCP/DNS service is not
    # reachable on the host's external interfaces
    dnsmasq \
        --strict-order \
        --except-interface=lo \
        --interface="$BRIDGE" \
        --listen-address="$GATEWAY" \
        --bind-interfaces \
        --dhcp-range="$DHCPRANGE" \
        --conf-file="" \
        --pid-file=/var/run/qemu-dhcp-"$BRIDGE".pid \
        --dhcp-leasefile=/var/run/qemu-dhcp-"$BRIDGE".leases \
        --dhcp-no-override \
        ${TFTPROOT:+"--enable-tftp"} \
        ${TFTPROOT:+"--tftp-root=$TFTPROOT"} \
        ${BOOTP:+"--dhcp-boot=$BOOTP"}
}

function setup_bridge_nat() {
    check_bridge "$BRIDGE"
    if [ $? -eq 0 ]; then
        create_bridge
    fi
    enable_ip_forward
    add_filter_rules "$BRIDGE"
    start_dnsmasq "$BRIDGE"
}

# need to check $1 arg before setup
if [ -n "$1" ]; then
    setup_bridge_nat
    ifconfig "$1" 0.0.0.0 up
    brctl addif "$BRIDGE" "$1"
    exit 0
else
    echo "Error: no interface specified."
    exit 1
fi
The network script called when the guest is shut down (/etc/qemu-ifdown-NAT) is shown below. It detaches the interface from the bridge, deletes the bridge and flushes the iptables NAT rules.
#!/bin/bash
# qemu-ifdown script for QEMU/KVM with NAT network mode

# set your bridge name
BRIDGE="virbr0"

if [ -n "$1" ]; then
    echo "Tearing down network bridge for $1"
    ip link set "$1" down
    brctl delif "$BRIDGE" "$1"
    ip link set "$BRIDGE" down
    brctl delbr "$BRIDGE"
    # -F flushes every rule in the nat table, not only the MASQUERADE rule
    # that qemu-ifup-NAT added
    iptables -t nat -F
    exit 0
else
    echo "Error: no interface specified"
    exit 1
fi
Making the script executable
Check the configuration the host kernel was built with and make sure the NAT-related networking options are enabled; otherwise starting a guest with NAT networking may fail with an error, because the iptable_nat, nf_nat and related modules cannot be loaded on demand.
To give a guest NAT networking in KVM, a DHCP server must run on the host and assign NAT internal-network addresses to the guests. The default is NAT mode, so nothing further needs to be configured.
Grant execute permission
chmod +x /etc/qemu-ifup-NAT
Starting the virtual machine from the command line
wget http://download.cirros-cloud.net/0.3.3/cirros-0.3.3-x86_64-disk.img
[root@victory ~]# service libvirtd restart
Stopping libvirtd daemon: [ OK ]
Starting libvirtd daemon: [ OK ]
[root@localhost ~]# virsh -c qemu:///system list  // connect to the hypervisor through libvirt
 Id    Name                           State
----------------------------------------------------

[root@localhost ~]# lsmod | grep kvm  // lsmod is a small program that displays the contents of /proc/modules, i.e. the modules currently loaded in the kernel
kvm_intel              54285  0
kvm                   333172  1 kvm_intel
[root@localhost ~]# virsh --version
0.10.2
[root@localhost ~]# virt-install --version
0.600.0
[root@localhost ~]# ln -s /usr/libexec/qemu-kvm /usr/bin/qemu-kvm  // create a symbolic link
/usr/bin/qemu-kvm -m 1024 -drive file=cirros-0.3.3-x86_64-disk.img,if=virtio -net nic,model=virtio -net tap,script=/etc/qemu-ifup-NAT -nographic -vnc :1
If VNC reports an error, change the display number from :1 to :3.
If the following output appears, the guest was created successfully:
login as 'cirros' user. default password: 'cubswin:)'. use 'sudo' for root.
cirros login: cirros
Password:
$
Checking the guest's routing information
The commands above created a virtual machine, a bridge, and the tap0 interface that belongs to the guest. Afterwards, connect to the guest with VNC Viewer and list its IP address, subnet mask and other details; the guest's routing table can be seen as well, as shown in Figure 2-18.
$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 52:54:00:12:34:56 brd ff:ff:ff:ff:ff:ff
    inet 192.168.122.140/24 brd 192.168.122.255 scope global eth0
    inet6 fe80::5054:ff:fe12:3456/64 scope link
       valid_lft forever preferred_lft forever
$ route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.122.1   0.0.0.0         UG    0      0        0 eth0
192.168.122.0   0.0.0.0         255.255.255.0   U     0      0        0 eth0
Checking the bridge's interfaces
Listing the host's bridges shows which interfaces are attached to the virbr0 bridge.
[root@victory ~]# brctl show
bridge name     bridge id               STP enabled     interfaces
virbr0          8000.525400e68dc2       yes             tap0
                                                        virbr0-nic
Checking the TAP interface
[root@victory ~]# ip addr list
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:0c:29:24:3d:91 brd ff:ff:ff:ff:ff:ff
    inet 10.0.0.48/24 brd 10.0.0.255 scope global eth0
    inet6 fe80::20c:29ff:fe24:3d91/64 scope link
       valid_lft forever preferred_lft forever
3: virbr0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN
    link/ether 52:54:00:e6:8d:c2 brd ff:ff:ff:ff:ff:ff
    inet 192.168.122.1/24 brd 192.168.122.255 scope global virbr0
4: virbr0-nic: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN qlen 500
    link/ether 52:54:00:e6:8d:c2 brd ff:ff:ff:ff:ff:ff
8: tap0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 500
    link/ether 7e:6c:51:c2:69:cf brd ff:ff:ff:ff:ff:ff
    inet6 fe80::7c6c:51ff:fec2:69cf/64 scope link
       valid_lft forever preferred_lft forever
Checking network connectivity
From the guest's eth0 interface, ping the host's gateway to check connectivity.
$ sudo ping -I eth0 10.0.0.2 -c 4
PING 10.0.0.2 (10.0.0.2): 56 data bytes
64 bytes from 10.0.0.2: seq=0 ttl=127 time=0.418 ms
64 bytes from 10.0.0.2: seq=1 ttl=127 time=1.362 ms
64 bytes from 10.0.0.2: seq=2 ttl=127 time=1.878 ms
64 bytes from 10.0.0.2: seq=3 ttl=127 time=1.440 ms

--- 10.0.0.2 ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max = 0.418/1.274/1.878 ms
Checking the host firewall's NAT rules
List the host's iptables nat table.
[root@victory ~]# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  tcp  --  192.168.122.0/24     !192.168.122.0/24     masq ports: 1024-65535
MASQUERADE  udp  --  192.168.122.0/24     !192.168.122.0/24     masq ports: 1024-65535
MASQUERADE  all  --  192.168.122.0/24     !192.168.122.0/24
MASQUERADE  all  --  192.168.122.0/24     !192.168.122.0/24

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
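As an added example that is not part of the original page, the following POSIX shell helpers audit what the two scripts leave on the host: the NETMASK-to-prefix conversion needed to compare the script's settings with `iptables -t nat -S` output, a count of MASQUERADE rules scoped to the guest subnet versus rules with no source restriction, and a guest inventory from the dnsmasq lease file. The rule list and lease line below are constructed samples, not captured output.

```shell
#!/bin/sh
# Added example (not from the original page): audit helpers for the NAT setup
# built by qemu-ifup-NAT. Each helper reads command output from stdin, so it
# runs here on constructed samples and on a host against the live commands.

# Convert the script's dotted NETMASK to a prefix length, the form in which
# `iptables -t nat -S` prints the rule back. Assumes a contiguous mask.
netmask_to_prefix() {
    bits=0
    set -- $(printf '%s' "$1" | tr . ' ')
    for octet in "$@"; do
        case "$octet" in
            255) bits=$((bits + 8)) ;; 254) bits=$((bits + 7)) ;;
            252) bits=$((bits + 6)) ;; 248) bits=$((bits + 5)) ;;
            240) bits=$((bits + 4)) ;; 224) bits=$((bits + 3)) ;;
            192) bits=$((bits + 2)) ;; 128) bits=$((bits + 1)) ;;
            0) ;; *) return 1 ;;
        esac
    done
    echo "$bits"
}

# Count POSTROUTING MASQUERADE rules (input: `iptables -t nat -S POSTROUTING`)
# scoped like the ifup script's: source in the guest subnet, destination outside it.
count_scoped_masq() {
    grep -F -- "-s $1 ! -d $1" | grep -F -c -- "-j MASQUERADE" || true
}

# Count MASQUERADE rules with no "-s" source restriction at all; such a rule
# would translate any forwarded traffic, not only the guest subnet's.
count_unscoped_masq() {
    grep -F -- "-j MASQUERADE" | grep -F -v -c -- " -s " || true
}

# Print "MAC IP" for each entry of the dnsmasq lease file the ifup script writes
# (/var/run/qemu-dhcp-virbr0.leases; fields: expiry MAC IP hostname client-id).
lease_inventory() {
    awk 'NF >= 3 { print $2, $3 }'
}

# Constructed samples, not captured from a real host.
SAMPLE_RULES='-P POSTROUTING ACCEPT
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
-A POSTROUTING -o eth0 -j MASQUERADE'
SAMPLE_LEASES='1700000000 52:54:00:12:34:56 192.168.122.140 cirros 01:52:54:00:12:34:56'

CIDR="192.168.122.0/$(netmask_to_prefix 255.255.255.0)"
echo "scoped: $(printf '%s\n' "$SAMPLE_RULES" | count_scoped_masq "$CIDR") unscoped: $(printf '%s\n' "$SAMPLE_RULES" | count_unscoped_masq)"
printf '%s\n' "$SAMPLE_LEASES" | lease_inventory
```

On a host, feed the helpers live data instead, e.g. `iptables -t nat -S POSTROUTING | count_unscoped_masq` and `lease_inventory < /var/run/qemu-dhcp-virbr0.leases`.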