Re: SSH VM from outside, but not from host

2022-02-15 Thread Wolf
On 15 Feb 2022, at 20:04, Peter Crowther <peter.crowt...@melandra.com> wrote:
> 
> And eno1 and eno2 are *both* connected to the same external switch, yes?

Correct, where each NIC has its ip access-list.
XX1.XX1.XX1.150 and XX2.XX2.XX2.100 are on separate NICs.

When I ping the VM, XX2.XX2.XX2.100, from the host, XX1.XX1.XX1.150, the host 
pings itself.

Thanks!

Wolf



> 
> On Tue, 15 Feb 2022 at 17:17, Wolf wrote:
>  Hi!
> 
> 1) I have two network ports on my server.
>  -  eno1 has the IP: XX1.XX1.XX1.150
> 
>  -  bridge0 has the IP: XX2.XX2.XX2.100
> and has the interface member: port eno2.
> eno2 is not set up with an IP address.
> 
> 2) The host runs on IP: XX1.XX1.XX1.150
> 
> 3) A VM uses the bridge: bridge0, and has the IP: XX2.XX2.XX2.100
> 
> I have a problem with this setup:
> I can ssh the VM on XX2.XX2.XX2.100 from outside, but from the host, 
> XX1.XX1.XX1.150, I can't ssh the VM on XX2.XX2.XX2.100.
> 
> Have I set up this wrong or is it something I can do to solve this?
> 
> Thanks!
> 
> Wolf
> 
> 



Re: SSH VM from outside, but not from host

2022-02-15 Thread Peter Crowther
And eno1 and eno2 are *both* connected to the same external switch, yes?

Cheers,

Peter

On Tue, 15 Feb 2022 at 17:17, Wolf  wrote:

>  Hi!
>
> 1) I have two network ports on my server.
>  -  eno1 has the IP: XX1.XX1.XX1.150
>
>  -  bridge0 has the IP: XX2.XX2.XX2.100
> and has the interface member: port eno2.
> eno2 is not set up with an IP address.
>
> 2) The host runs on IP: XX1.XX1.XX1.150
>
> 3) A VM uses the bridge: bridge0, and has the IP: XX2.XX2.XX2.100
>
> I have a problem with this setup:
> I can ssh the VM on XX2.XX2.XX2.100 from outside, but from the host,
> XX1.XX1.XX1.150, I can't ssh the VM on XX2.XX2.XX2.100.
>
> Have I set up this wrong or is it something I can do to solve this?
>
> Thanks!
>
> Wolf
>
>
>


RE: SSH VM from outside, but not from host

2022-02-15 Thread Marc
> 
> 1) I have two network ports on my server.
>  -eno1 has the IP: XX1.XX1.XX1.150
> 
>  -bridge0 has the IP: XX2.XX2.XX2.100
>   and has the interface member: port eno2.
>   eno2 is not set up with an IP address.
> 
> 2) The host runs on IP: XX1.XX1.XX1.150
> 
> 3) A VM uses the bridge: bridge0, and has the IP: XX2.XX2.XX2.100
> 
> I have a problem with this setup:
> I can ssh the VM on XX2.XX2.XX2.100 from outside, but from the host,
> XX1.XX1.XX1.150, I can't ssh the VM on XX2.XX2.XX2.100.
> 

This can be anything from routing to iptables/firewall rules. Probably least 
likely to do with libvirt ;)
The best way to troubleshoot is to revert to a situation where everything works 
as you expect it, and then make one change at a time to see when your problem appears.





SSH VM from outside, but not from host

2022-02-15 Thread Wolf
 Hi!
 
1) I have two network ports on my server.
 -  eno1 has the IP: XX1.XX1.XX1.150
 
 -  bridge0 has the IP: XX2.XX2.XX2.100
and has the interface member: port eno2.
eno2 is not set up with an IP address.

2) The host runs on IP: XX1.XX1.XX1.150

3) A VM uses the bridge: bridge0, and has the IP: XX2.XX2.XX2.100

I have a problem with this setup:
I can ssh the VM on XX2.XX2.XX2.100 from outside, but from the host, 
XX1.XX1.XX1.150, I can't ssh the VM on XX2.XX2.XX2.100.

Have I set up this wrong or is it something I can do to solve this?

Thanks!

Wolf




Re: Public IP on virtual machine network issue

2022-02-15 Thread Laine Stump




On 2/14/22 10:18 AM, Tom Ammon wrote:

Laine,

Though I can't remember the particulars, I have a vague memory of the 
sysctl settings in that article indeed solving the problem of traffic 
not being forwarded on the bridge when I had configured no filtering on 
the guest - hence my attempt to share what worked for me. Perhaps it 
would be good to update that page.


Yeah, I had completely forgotten about its existence until there were two 
unrelated references suddenly made to it in the last week.


I looked around for a link to create 
an account on the libvirt wiki but could find none. I'm happy to go do 
some more research around the items you mentioned and add a quick note 
to that page to keep from leading people astray in the future, if I 
could get an account on the wiki. Do you know how I would do that?


I actually tried to update the article after this second reference, and 
found that my password no longer works. Awhile back the decision was 
made to deprecate the wiki and slowly move content into "knowledgebase" 
articles that are included in the project git repo, and I think the wiki 
may have been made read-only at that time. I had planned to ask about 
that in IRC yesterday, but either forgot, or it was too late to catch 
anyone by the time I asked (I've even forgotten what happened yesterday :-/)


Anyway, even in the days when the wiki was "active", automatic account 
creation was disabled to prevent spam articles, so creating an account 
required sending a message to danpb asking for an account; these days I 
think he'd just say "don't bother - it's going away anyway".


Thanks anyway for the offer to update it though (and also for piping in 
with the idea in the first place - hopefully my response didn't come off 
as discouraging responses - even though it wasn't the source of the 
problem this time, next time yours might be the idea that solves the 
issue :-)).


I'll try to take care of the wiki article in the next day or two.



Thanks,
Tom

On Mon, Feb 14, 2022 at 8:12 AM Laine Stump wrote:

On 2/13/22 5:38 PM, Tom Ammon wrote:
 > Can you post the output of iptables -L?
 >
 > By default, the bridge module in the kernel sends packets traversing the
 > bridge to iptables (in the FORWARD chain I believe) for processing. So
 > if you have configured a DENY policy on the FORWARD chain, or are
 > otherwise filtering in the forward chain, you'll be affecting packets
 > traversing the bridge. Check out this page for details on how to change
 > this behavior:
 >
 > https://wiki.libvirt.org/page/Net.bridge.bridge-nf-call_and_sysctl.conf
 >

That information is *very* out of date; the situation has changed quite
a lot since that was written in 2014.

Packets traversing a bridge device are now only filtered if the
br_netfilter module is loaded, which isn't done by default. It *is*
autoloaded if certain types of iptables rules are added (I can't remember
the details of the type of rule though - there was a bug in iptables a
year or so ago where autoload of br_netfilter was triggered by libvirt
attempting to *remove* a rule of whatever type it was).

Anyway, unless "lsmod | grep br_netfilter" shows that you have
br_netfilter loaded, this entire path is a red herring (if you do have
it loaded, unload it, and try to figure out why it was loaded).

(Interestingly, this is the 2nd time this particular outdated page has
come up in the last week. Has something else broken somewhere that's
causing people to search out this page?)

 >
 > Tom
 >
 > On Sun, Feb 13, 2022 at 4:08 PM Marcin Groszek <mar...@voipplus.net> wrote:
 >
 >     I have been struggling with this for weeks and I was unable to find an
 >     answer online. Perhaps someone here can help me.
 >
 >     Oracle linux 8 running virtualization:
 >
 >     hardware node has a public IP address on interface bridge0 and physical
 >     eno1 is a member of the bridge0
 >
 >     a virtual OS has interface bridged to lan and source is bridge0, IP
 >     address of virtual OS is also a public from same class as the
 >     hardware node.
 >
 >     I can route in and out of virtual, I can ping from hardware node to
 >     virtual and vice versa, so the routing works as it should, sort of.
 >
 >     When I try tracepath or traceroute from outside to virtual I get !H on
 >     last hop
 >
 >     same result when I try to do the same from hardware node to virtual
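
The br_netfilter check described in the message above ("lsmod | grep br_netfilter"), extended to also read the bridge-nf-call-iptables setting named in the linked wiki page title. This is an added example, not code from the thread or from libvirt; the function names `bridge_filter_state` and `make_samples` are hypothetical and the sample module lines are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): report whether bridged frames can reach
# iptables on this host, following the br_netfilter check described above.

# bridge_filter_state [MODULES_FILE] [SYSCTL_DIR]
#   unknown     module list unreadable
#   not-loaded  br_netfilter absent: iptables never sees bridged frames
#   loaded-off  br_netfilter present, bridge-nf-call-iptables is not 1
#   loaded-on   br_netfilter present, bridged IPv4 frames traverse iptables
bridge_filter_state() {
    modules=${1:-/proc/modules}
    sysctl_dir=${2:-/proc/sys/net/bridge}
    [ -r "$modules" ] || { echo unknown; return 0; }
    # /proc/modules lists the module name as the first field of each line;
    # match it exactly so "bridge ... br_netfilter," dependency text is ignored.
    if ! awk '$1 == "br_netfilter" { f = 1 } END { exit !f }' "$modules"; then
        echo not-loaded
        return 0
    fi
    knob="$sysctl_dir/bridge-nf-call-iptables"
    if [ -r "$knob" ] && [ "$(cat "$knob")" = "1" ]; then
        echo loaded-on
    else
        echo loaded-off
    fi
}

# Constructed sample data in /proc/modules format, so the outcomes can be
# seen without touching the running kernel. Paths under $1 are hypothetical.
make_samples() {
    dir=$1
    mkdir -p "$dir/on" "$dir/off"
    printf '%s\n' 'bridge 290816 0 - Live 0x0000000000000000' \
        'stp 16384 1 bridge, Live 0x0000000000000000' > "$dir/modules.without"
    printf '%s\n' 'br_netfilter 32768 0 - Live 0x0000000000000000' \
        'bridge 290816 1 br_netfilter, Live 0x0000000000000000' > "$dir/modules.with"
    echo 1 > "$dir/on/bridge-nf-call-iptables"
    echo 0 > "$dir/off/bridge-nf-call-iptables"
}

# Live, read-only check on the current host.
echo "this host: $(bridge_filter_state)"
```

A result of `loaded-on` means the host's iptables rules apply to guest traffic crossing the bridge, so both connectivity problems and any assumption that guests are or are not firewalled by the host depend on it.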
 

Re: libvirtd daemon missing in LFS

2022-02-15 Thread Sai Kiran Kumar Reddy
Hi Michal,

I am able to build qemu with the options you have suggested. It indeed is a
qemu issue. Thank you for pointing that out.

On Mon, Feb 14, 2022 at 3:51 PM Michal Prívozník wrote:

> On 2/14/22 10:09, Sai Kiran Kumar Reddy wrote:
> > Hi Peter,
> >
> > Thanks for your inputs. I have looked at all the dependencies and built
> > libvirt with the appropriate dependencies enabled. I am able to run
> > virt-manager also, without any errors. I am trying to create a VM using
> > virsh. I get an error saying "domain configuration does not support
> > video mode qxl". Could you please let me know if it is libvirt related
> > error or qemu related one?
>
> This is QEMU related and your qemu was probably built without SPICE
> support:
>
>   https://www.spice-space.org/
>
> pass --enable-spice to QEMU ./configure script. Alternatively, Gentoo
> has all these dependencies recorded and maintained. So it's easier to
> install.
>
> Michal
>
>

-- 
Regards,
Sai Kiran.