Re: ssh into kvm-clients

On 05/31/2010 11:02 AM, Bill Davidsen wrote:
> Phil Meyer wrote:
>    
>> On 05/30/2010 11:02 AM, brizly vaan van Ulciputz wrote:
>>      
>>> Hello Everyone,
>>>
>>> I wonder why I am not able to ssh in in this case:
>>>
>>> I have a kvm-'server' running 4 'guests'.
>>>
>>> the guests are behind nat (default in kvm?).
>>>
>>> running fresh fedora on all machines (host and guests), installed from
>>> live-cd, enabled sshd and made sure system-config-firewall allows
>>> ssh-in, I am not able to reach the guests by ssh.
>>>
>>> I can ping them, by the IP the kvm-server gave them and by the
>>> openvpn-client IP, all good.
>>> [brizly@s28 ~]$ ping 192.168.24.22
>>> PING 192.168.24.22 (192.168.24.22) 56(84) bytes of data.
>>> 64 bytes from 192.168.24.22: icmp_seq=1 ttl=64 time=2.50 ms
>>> 64 bytes from 192.168.24.22: icmp_seq=2 ttl=64 time=1.80 ms
>>> 64 bytes from 192.168.24.22: icmp_seq=3 ttl=64 time=2.01 ms
>>>
>>>
>>> but with ssh I just got:
>>> [brizly@s28 ~]$ ssh 192.168.24.22
>>> ssh: connect to host 192.168.24.22 port 22: No route to host
>>>
>>>
>>> I don't know where to start searching: firewall, selinux, openvpn...
>>>
>>> Other openvpn-clients - installed the same way, but 'real' machines, not
>>> kvm-clients - are reachable. Although from kvm-client to outside-host.
>>>
>>> Any ideas?
>>>
>>>
>>>        
>> You will notice that qemu when running in NATed mode will set up rules
>> for iptables by default.  In effect, a NATed interface accepts NO
>> inbound connections, and qemu ensures that with iptables rules.
>>
>> There are at least two ways to allow ssh to a KVM based guest that is NATed.
>>
>> One method involves qemu automatically starting a daemon on the host
>> that listens on a port you specify and redirects traffic on that port to
>> a port you specify on the VM.  This requires adding an appropriate '-net
>> user' rule to the qemu process when it runs.  Virt Manager does not
>> have an interface into all of the qemu options, so you will have to edit
>> the xml file by hand to add it.  And if you make a change to the guest
>> using Virt Manager, you could lose your changes.
>>
>> Since qemu uses iptables to implement its NATed firewall for the KVMs,
>> you can also use iptables to allow ports into guests.
>> The qemu rules are added dynamically, so you can't modify those
>> particular rules, but you can add permanent rules that allow what you
>> want, even when the qemu NAT is in place.
>>
>> I think that the rule set qemu uses is called DNAT by default, so we add:
>>
>> -A PREROUTING -i eth0 -p tcp -m tcp -d <IP> --dport 22 -j DNAT
>> --to-destination <VMIP>
>>
>> For each VM.
>>
>> I realize that this is sketchy, but it would be inappropriate to show
>> real IPs and destinations in a mailing list posting. :)
>>
>> Hopefully, this is enough of a pointer to be of some help.
>>
>>      
> This is an excellent introduction. Alternatively you can set up a bridge of your
> own, and use "-net nic -net tap" to get a unique IP for the VM. I combine this
> with setting the MAC address so my DHCP server assigns the proper IP to servers
> and persistent clients (such as the VM I use for desktop).
>
> I have no idea how to do this with libvirt, I learned qemu-kvm before that was
> an option, and I'm comfortable being able to set my own options.
>
>    


If you have your bridge set up as br0, virt manager will see that and 
allow you to use the bridged device when selecting an ethernet device.  
It's pretty slick.

Also, just FYI, a lot of work has gone into virt-install, which allows 
you to build VMs using a cli tool that can do whatever Virt Manager can 
do during an install.  It's quite nice, but beware of bugs in the 
RHEL6-beta version of virt-install :)  Someone forgot to use KB instead 
of bytes when setting up the balloon memory driver.  Quite catastrophic!

If you prefer building VMs from the command line, I can recommend 
virt-install.  It gives you nearly the same level of control, and builds 
the xml file for libvirt at the same time.  It also informs libvirt so 
you can watch it build using the libvirt tools.

Good Luck!

-- 
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
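As an added example (not code from the thread or from libvirt), a small shell script that generates the host-side iptables rules for the DNAT approach Phil describes, one pair per guest, forwarding a distinct host port to sshd on each guest rather than matching on the host IP. The interface names eth0 and virbr0 and the guest addresses are assumed placeholders. It also emits the FORWARD rule the thread does not mention: on a libvirt host the FORWARD chain rejects new inbound traffic to the NAT bridge, so the DNAT rule alone still gives "No route to host".

```shell
#!/bin/sh
# Generate (and optionally apply) the host rules that expose sshd on
# NATed KVM guests. Assumptions: outside interface eth0, libvirt NAT
# bridge virbr0; guest addresses below are constructed sample values.
HOST_IF="${HOST_IF:-eth0}"
VM_BRIDGE="${VM_BRIDGE:-virbr0}"

# Constructed sample mapping: "<host port> <guest ip>", one guest per line.
VM_MAP='2201 192.168.24.21
2202 192.168.24.22'

# Dotted-quad check so a typo (or a stray shell metacharacter) never
# ends up inside a rule that is later fed to sh.
valid_ipv4() {
  echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Print the two rules for one guest. The DNAT rewrites the destination;
# the FORWARD rule is inserted at position 1 so it precedes libvirt's
# own "-o virbr0 -j REJECT" rule. Only port 22 is opened, nothing else.
rules_for() {
  port="$1"; vmip="$2"
  valid_ipv4 "$vmip" || { echo "bad guest address: $vmip" >&2; return 1; }
  echo "iptables -t nat -A PREROUTING -i $HOST_IF -p tcp --dport $port -j DNAT --to-destination $vmip:22"
  echo "iptables -I FORWARD 1 -i $HOST_IF -o $VM_BRIDGE -p tcp -d $vmip --dport 22 -m conntrack --ctstate NEW -j ACCEPT"
}

# Emit the rules for every guest in the map; fail on the first bad entry.
generate_all() {
  echo "$VM_MAP" | while read -r port vmip; do
    [ -n "$port" ] || continue
    rules_for "$port" "$vmip" || return 1
  done
}

# Print by default; run the generated commands only when APPLY=1 (as root).
if [ "${APPLY:-0}" = "1" ]; then
  generate_all | sh -e
else
  generate_all
fi
```

Check the result afterwards with `iptables -t nat -L PREROUTING -n` and `iptables -L FORWARD -n --line-numbers`; the ACCEPT must be listed above libvirt's REJECT entries for virbr0.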

