Network setup for production KVM

JaredBusch

So for those who have KVM in production, how do you setup the network?

In Hyper-V i always team the NICs in switch independent mode and then make the vSwitch on the team. The host will have access to the guest VM networks.

For my home lab (Fedora 26) and on my desktop (F25) and laptop (F26) I just use the macvtap in bridged mode. But I have no host to guest communication. This is not an issue for my lab or desktop. But I do not want this in production.

0_1510330763991_92fdf487-e62e-412d-967c-c8583e5fe2f4-image.png

So if I have 2-4 NICs in a server, assuming Fedora 26 or RHEL 7:

How should I team them?
Should I create a bridge?
What source mode should I use?

FATeknollogee

@jaredbusch I always do bridge (using virtio) so I have host to guest communication.
0_1510333686518_Screenshot from 2017-11-10 09-06-54.png

FATeknollogee

Easiest way for me to create a bridge is via Cockpit (see image) 0_1510335176097_Screenshot from 2017-11-10 09-26-18.png

scottalanmiller

@fateknollogee said in Network setup for production KVM:

Easiest way for me to create a bridge is via Cockpit (see image)

I kind of hate how easy Cockpit is making everything, lol.

BRRABill

@scottalanmiller said in Network setup for production KVM:

@fateknollogee said in Network setup for production KVM:

Easiest way for me to create a bridge is via Cockpit (see image)

I kind of hate how easy Cockpit is making everything, lol.

I told @scottalanmiller I was going to select the hell out of Cockpit on initial install.

FATeknollogee

@scottalanmiller said in Network setup for production KVM:

@fateknollogee said in Network setup for production KVM:

Easiest way for me to create a bridge is via Cockpit (see image)

I kind of hate how easy Cockpit is making everything, lol.

They've realized some of us need that GUI!!
But on a serious note, I agree, I like the direction that Cockpit is headed.

stacksofplates

@fateknollogee said in Network setup for production KVM:

Easiest way for me to create a bridge is via Cockpit (see image)

Do you lose access after you create the bridge?

FATeknollogee

@stacksofplates No loss of access.
But that is me creating a bridge from my Fedora desktop, the bridge is on a remote server

stacksofplates

@jaredbusch said in Network setup for production KVM:

So for those who have KVM in production, how do you setup the network?

In Hyper-V i always team the NICs in switch independent mode and then make the vSwitch on the team. The host will have access to the guest VM networks.

For my home lab (Fedora 26) and on my desktop (F25) and laptop (F26) I just use the macvtap in bridged mode. But I have no host to guest communication. This is not an issue for my lab or desktop. But I do not want this in production.

So if I have 2-4 NICs in a server, assuming Fedora 26 or RHEL 7:

How should I team them?

Should I create a bridge?

What source mode should I use?

I have stuff in prod running with macvtap and then there is a separate network for access to the host if the VM needs it. But I also have stuff in prod with a bridge and full access. Just depends on what you want.

IIRC NetworkManager doesn't play nicely sometimes with libvirt and other bits (or it may have just been with bridging in general). You can build a bridge or bond directly from Virt-Manager as well, but I believe it uses network and not NetworkManager.

Obsolesce

Doesn't using a bridge have a negative impact network performance of the VM?

JaredBusch

@tim_g said in Network setup for production KVM:

Doesn't using a bridge have a negative impact network performance of the VM?

Not usually.

marcinozga

@jaredbusch why don't you add host interface to macvtap bridge and route all traffic through it? I'm doing that with my LXD containers and host.
Here's how to do it:
http://noyaudolive.net/2012/05/09/lxc-and-macvlan-host-to-guest-connection/

JaredBusch

@marcinozga said in Network setup for production KVM:

@jaredbusch why don't you add host interface to macvtap bridge and route all traffic through it? I'm doing that with my LXD containers and host.
Here's how to do it:
http://noyaudolive.net/2012/05/09/lxc-and-macvlan-host-to-guest-connection/

All you are doing there is making a bridge on the host.

Also LXC is containerization not virtualization..

scottalanmiller

@jaredbusch said in Network setup for production KVM:

@marcinozga said in Network setup for production KVM:

@jaredbusch why don't you add host interface to macvtap bridge and route all traffic through it? I'm doing that with my LXD containers and host.
Here's how to do it:
http://noyaudolive.net/2012/05/09/lxc-and-macvlan-host-to-guest-connection/

All you are doing there is making a bridge on the host.

Also LXC is containerization not virtualization..

It's both. Containerization is Type-C Virtualization. It's always been considered a form of virtualization, even though it is a totally different technological approach.

scottalanmiller

Containers are the trendy new term for OS Level Virtualization. https://en.wikipedia.org/wiki/Operating-system-level_virtualization

marcinozga

@jaredbusch no, you're creating macvlan interface on physical host adapter. And by routing traffic through it, you allow host to communicate with guests.
Containers or VM guests makes no difference here.

marcinozga

Perhaps this explains it better: https://superuser.com/a/368023

Reid Cooper

@marcinozga said in Network setup for production KVM:

Containers or VM guests makes no difference here.

Rarely does.