Nethserver dc installed as guest within kvm/qemu

Hi community,

I am trying to set up NethServer and it looks promising. I read that a NethServer DC should act as DHCP and DNS server for its domain clients. How can I set up KVM/QEMU networking so this works? Are there any guides for that? Crawling the net, I was not able to find anything useful yet.

So far I have a Windows guest on the same host, and by choosing the default virtual network (NAT) the IP addresses are assigned by the KVM host.

Trying to work around this, I added the NethServer IP address as a DNS entry to the Windows client. This IP address was configured as a fixed IP within the same range the default virtual network uses. I could then ping my ad.mydomain.local and also successfully join the domain. But I could not reach the internet.

On the NethServer DC guest, I have also configured a second virtual NIC on a virtual network similar to the default network but with another IP range. This second NIC was assigned to the red (WAN) network in NethServer.

If I set the default gateway of the (KVM) default network as DNS server, I can reach the internet, but not resolve ad.mydomain.local. And when I set the NethServer IP address as DNS, I can resolve ad.mydomain.local, but I have no internet access.

What am I missing?

I am looking forward to learning about NethServer. :slight_smile:


@Elleni

Hi

I’m a user of NethServer and KVM, but my KVM / QEMU basis is Proxmox. I plan, install and operate several networks for SME clients (Small & Medium Enterprises), all running Proxmox as virtualization, most use Synology as a NAS for shared storage, and NethServer to “make” the network with DNS, DHCP, AD and whatever else is needed, like Zabbix for monitoring.

Proxmox makes things easy, you can use it free or pay a subscription. My clients pay this, but the fee is very low when compared to say VMware. Per CPU socket, the Community Support costs less than 100€ / year. Licencing is by socket, not cores of the CPU!

What are you running KVM / QEMU on?
Your solution seems - like VirtualBox or others in Host-Only mode - to act as a compulsive router and DHCP, meaning it also does NAT to your network.
So called “promiscuous mode” of the NIC (KVM) is required by NethServer running AD, as the AD is basically a Linux container inside NethServer running a dedicated AD-LDAP Samba version.
Promiscuous mode and a preconfigured virtual router doing NAT and DHCP don’t work well together…
Eating pre-chewed food is never tasty, and doesn’t help you with learning anything either!

I’d suggest switching your virtualization basis to Proxmox, then installing NethServer in there.
That presents no headaches, if your hardware supports virtualization. On average hardware, it installs in 15-20 min…
Proxmox has several advantages, like out of the box live backups for almost anything, but especially Windows. Commercial backup software for Windows can easily cost 1000.-/server!
It’s extremely stable, needs maybe 1-2 reboots per year, all updates during live running!
Besides which, a lot here on this forum, including a lot of “key” people here, also use Proxmox underneath and NethServer on top!

My 2 cents
Andy

To be able to tell you what you are missing, you must provide us some missing information :stuck_out_tongue:
what is the IP of your NethServer
what is the IP of your machine/laptop/workstation
what is the IP of your KVM host

are they able to ping each other
or better, did you make a bridge on your KVM host such that all your VMs will be on the same network as your host and your client?

  1. If your host is Ubuntu 18.04 and/or an OS which use netplan click here

  2. If you use Ubuntu 16.04 or Debian or something similar read this

Sometimes everything is fine, it’s just that for security reasons your host doesn’t act as a router
if you believe it’s that, execute these commands; they will temporarily allow your host to act as a router

echo 0 > /proc/sys/net/bridge/bridge-nf-call-arptables
echo 0 > /proc/sys/net/bridge/bridge-nf-call-iptables
echo 0 > /proc/sys/net/bridge/bridge-nf-call-ip6tables

PS: when I mention host I mean the machine with the KVM service
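The three `echo 0 > /proc/sys/net/bridge/...` lines above only last until the next reboot and they also stop the host's own iptables/arptables rules from seeing frames that cross the bridge. The following is an added example (not from the thread or from NethServer) that reports the current state of those switches, tells whether the host still filters bridged traffic, and writes a sysctl.d drop-in to make the setting persistent; the ROOT prefix argument is an assumption so the functions can be tried against a scratch directory without root (pass an empty string on a real host).

```shell
#!/bin/sh
# Added example, not from the thread: inspect and persist the bridge-netfilter
# switches. ROOT is a hypothetical prefix ("" on a real host) so the functions
# can be exercised against a scratch directory without root privileges.

# Print "name=value" for the three bridge-nf-call switches, or "name=absent"
# when the file is missing (br_netfilter not loaded: bridged frames then
# bypass iptables anyway on current kernels).
bridge_nf_state() {
  root="${1:-}"
  for p in arptables iptables ip6tables; do
    f="$root/proc/sys/net/bridge/bridge-nf-call-$p"
    if [ -r "$f" ]; then
      printf 'bridge-nf-call-%s=%s\n' "$p" "$(cat "$f")"
    else
      printf 'bridge-nf-call-%s=absent\n' "$p"
    fi
  done
}

# Return 0 when no present switch is 1, i.e. the host's iptables/arptables
# rules (typically a FORWARD chain with a DROP policy) no longer filter
# frames crossing virbr0. Returns 1 while any switch is still 1.
bridge_nf_is_open() {
  if bridge_nf_state "$1" | grep -q '=1$'; then return 1; fi
  return 0
}

# Persist the setting via sysctl.d so it survives a reboot. Trade-off: with
# the switches at 0 the host firewall no longer sees guest-to-guest or
# guest-to-LAN bridged traffic, so the NethServer red/green firewall must
# be the one doing that filtering. Prints the path of the file written.
write_bridge_nf_sysctl() {
  root="${1:-}"
  dir="$root/etc/sysctl.d"
  mkdir -p "$dir"
  cat > "$dir/99-kvm-bridge.conf" <<'EOF'
# Do not pass bridged frames through the host's netfilter tables
net.bridge.bridge-nf-call-arptables = 0
net.bridge.bridge-nf-call-iptables = 0
net.bridge.bridge-nf-call-ip6tables = 0
EOF
  printf '%s\n' "$dir/99-kvm-bridge.conf"
}
```

On a real host run `bridge_nf_state ""` before and after `sysctl --system` to confirm the drop-in took effect.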

Andy_Wismer, thanks, but I think I will look at Proxmox maybe later. For now, we made a concept and so I have set up a CentOS 8 which acts as KVM/QEMU host only.

Within it I have created two virtual machines, one with NethServer as DC and one as a Windows 10 Pro VM to set everything up.

JOduMonT, thanks for your post.

I restarted with a restore of a snapshot I had taken before creating the domain, so with a basic install of NethServer, and now everything works as expected (so I must have done something wrong initially), and there is only a small question left open, that has more to do with KVM than with NethServer.

I have set up two virtual NICs on the KVM host for the NethServer VM, and assigned them as follows:

“lan” nic1: network 192.168.122.0/24 with DHCP range 192.168.122.11-192.168.122.50
This one was attached to the green network in NethServer. The NethServer IP 192.168.122.100 is set to fixed and not DHCP.

Domain created and assigned 192.168.122.200. NethServer DHCP server activated and given the range 192.168.122.101-192.168.122.150

“wan” nic2 created on the KVM host with network 10.0.0.0/24 - range 10.0.0.10-10.0.0.100 -> assigned to red within NethServer.

The Windows client VM was given a NIC in the lan network, thus it got an IP 192.168.122.39, obviously from the KVM host DHCP server.

To be able to join the domain, I had to add 192.168.122.100 as an additional DNS entry, and so everything works fine. Joined the domain, can ping ad.mydomain.local, all good. Also internet access and DNS resolution work.

Now my question: How would I be able to accomplish that clients are served with IPs from the NethServer DHCP client, and not from the KVM host?

Hi

OK, that clarifies what’s most likely your current issue. What GUI interface (if any) did you use to set up the KVM machines? Or just plain old config file editing?

I’d say you need to activate bridging for all your VMs. At the moment your setup is acting as a router, creating a so called “Host-Only” network, available only for virtual machines inside that host. This means the guest machines (installed in KVM) are not connected directly, but via NAT (done on the CentOS host).

This also means that your AD can’t properly get a NIC or network connectivity, as NAT / Host-Only networking almost always excludes “promiscuous mode”, needed for your NethServer AD.

Note: The AD in NethServer is a Linux container (another virtualization method) running inside NethServer, and the NethServer is itself running virtualized in KVM. This virtualization inside virtualization, with the associated networking issues, is basically your problem…

This is actually not a big issue and can be solved!

If possible, change your network settings to bridge mode for all KVM guests, and promiscuous mode specifically for the NethServer guest.

You’ll need to refer to Google or such, as this is a NethServer Forum - and even if I could help, I’d need to know what exactly was used to setup KVM. :wink:

BTW. How is that CentOS connected to the internet? Is it in itself a firewall or is there another box doing this?

My 2 cents
Andy

Hi and thanks for the quick reply :smiley:

I use virt-manager to set up the KVM guests.

You are right that all that’s behind a NAT network, but it seems to work fine, besides the fact that I would like to disable the KVM host DHCP server and get IPs served from NethServer. But if that’s not possible, then I’ll try to set up bridged and promiscuous mode if really needed.

The CentOS KVM host has a fixed IP and can connect to the internet directly and is a bare-metal root server (no VM) that we rent from a hosting provider. So there is no firewall in between; it actually acts as a firewall itself for the guests.

I don’t understand bridged networking yet; would it even be possible to set things up bridged with the above setup? I mean the hosting server only has one IP, which I can reach via SSH, so I am not even sure bridging is an option, but I’ll crawl the net and try to find out and learn.

I still think that if I could disable DHCP on the KVM host, thus making the Windows guest VM get its IP from the NethServer DHCP service, it would be enough, but I don’t know.

Besides that, adding the NethServer IP as an additional DNS already helps me work around the problem, and I can play with NethServer and see what it is able to provide us, and it seems very promising :smiley:

Hi

Simple Analogy / Lingo of virtualization:

Host: The machine providing virtualization, in your case the KVM CentOS
Guest: Any virtualized machine set up inside the KVM host

Host-Only Network:
Server acts as Firewall (NAT) and provides an internal network with DHCP and a virtual Switch, to which other virtual Guests can be connected.

Bridged network:
This acts as if the NIC is a virtual Switch, with all Guests connected to this virtual Switch, even the Centos KVM is connected to this virtual Switch.

Now the BIG Gotcha:

You need at least two NICs on your host - it is acting as a firewall, and as any firewall, that alone needs two NICs: the unprotected internet, and the safe zone. In a hosted environment, quite often the issue is simply that nothing is physically connected to the second interface, so it doesn’t switch to active and screws up your planned networking!

With Host-Only networking, you WILL have problems getting AD to work properly!
That’s due to the required (this is, after all, a form of cascaded virtualization) promiscuous mode for the NethServer AD.

Check that part out…

Accessing anything inside this whole setup would mean adding adequate rules for firewalling and passing e.g. RDP to access the Windows 10 box from outside the network. I’m assuming this whole setup is on a hosted server at some provider’s NOC, and normal access would be via RDP or VPN or such.

Note that this concept / setup brings more pitfalls and sand traps than expected. Sometimes it’s easier, especially until you get the experience, to have separate, dedicated boxes doing their duties. Then consolidate them when you feel safe enough in the saddle!

My 2 cents
Andy

Hi

This setup at a friend’s home is the closest I have to your setup:

Here, the Proxmox Server ABHO-PVE-1 corresponds to your KVM box.
The main difference is that the Proxmox does ONLY virtualization here.

The Firewall is a virtual OPNsense (A PFsense fork) inside Proxmox and uses the second NIC of that HP Microserver (Bridged to the VDSL Box).

NethServer and its AD run inside the HP, the NethServer is actually the DHCP and DNS Server for that Network.

This network is available from the outside using DynDNS or the real DNS name (Actually a CNAME to the DynDNS name).

The HP’s first NIC is connected to a simple Netgear switch, which has a WLAN, a printer and a Raspberry Pi hooked up.

Proxmox is setup in Bridged mode here, connected to NIC1.
NIC2 does physically connect to the Proxmox, but NOT logically. It is basically a VDSL Interface now… :slight_smile:

Hope this helps to understand the situation / setup.
The image is from Zabbix Monitoring, installed inside NethServer.

My 2 cents
Andy

Thanks again for your very kind explanations. I come from the Gentoo community and am setting this up for my job, as we will replace our current infrastructure.

And similarly to the Gentoo community, I also feel very welcome here, with all your kind replies. Thanks! I’ll be back to report how it went, as soon as possible.

Btw. This will be our environment only for fallback. We have ordered new hardware to set up everything locally, which has not arrived yet, so I thought I should already start to set up the domain and everything on a virtual env. This server’s final purpose will primarily be backup and failover when everything else goes south.

@Elleni

Sounds reasonable. (And better than getting all the new stuff except the one component you need, e.g. the switch!)

Good Luck, and do report!

Andy

Ok, I am making some progress here. I was able to configure KVM with a bridged network, disabling DHCP and activating promiscuous mode on nic1.

That way, my Windows guest gets an IP address served from the activated NethServer DHCP server.

nic1 has been assigned to the green network, and NethServer got configured with a fixed IP. But I don’t have internet connectivity when setting the red network to bridged mode too, so I put nic2 back to NAT host-only and assigned it to the red network with DHCP in NethServer. Is that correctly set up? Apparently it works, as now I have internet connectivity on both the NethServer and the Windows guest.

Though, I still have to find out how virbr0-nic is persistently set to promiscuous mode.

Hi
Check from your Windows PC. It’s Win10, if I recall, so go to Settings, there under Ethernet you’ll find the Windows Network & Sharing thingy (mine appears in German, so I don’t know what the English one is called…). On the upper right you’ll see LAN (as in Win7…). See what IP addresses your PC gets. Do a tracert (from CMD) to Google’s 8.8.8.8 and see what route that takes.

As I understand it, the NethServer now has two interfaces and is acting as a router?
That would be a very good situation. NethServer can handle firewalling, DHCP, DNS AND AD if needed.

Try the same thing from the NethServer; traceroute is written out in full in Linux/UNIX…

-> Google is your friend…

If you’ve got a PC with 4 GB RAM or more, grab yourself a Proxmox ISO and set up a Proxmox for playing around. Worth it!

My 2 cents
Andy

Hi Andy, exactly, that’s how it is. It’s router and DHCP and DNS server. That’s fine. Trace shows it goes to the internet through the red interface :slight_smile:

Yeah, I know about Google, it was not a question. Just a status report. The thing is, in the linked description they explain how to set persistence for a normal NIC, while I doubt it’s the same for the KVM virtual virbr0, but no problem. I signed in to the CentOS forum to ask and confirm if I can do it the same way.

Having to tinker with zillions of group policies to set up a new Active Directory for our company while also learning about NethServer and all its possibilities, there is no time for now to look into Proxmox. But I keep it in mind, and will check it out later. Thank you!

I will report back when I have found the solution for persistent promiscuous mode. Then this thread can be marked as solved :wink:

Thanks again for all the useful comments, really appreciated!
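The open point above is how to keep the libvirt bridge port promiscuous across reboots. One way that fits a libvirt-managed network, shown here as an added example that is not from the thread and not NethServer's or libvirt's own code, is a libvirt network hook: libvirt runs the executable `/etc/libvirt/hooks/network` with the network name and an operation as arguments, and on `started` the bridge and its ports already exist, so re-applying the flag there survives reboots and `virsh net-start`. The network name `default`, the port name `virbr0-nic` and the overridable `IP` variable are assumptions for this host.

```shell
#!/bin/sh
# Added example, not from the thread: libvirt network hook that re-applies
# promiscuous mode on the libvirt bridge port whenever the network starts.
# Install as /etc/libvirt/hooks/network (mode 0755). libvirt calls it as
#   network <name> <operation> <sub-operation>
# NET_NAME, IFACE and IP are assumptions for this host and can be overridden
# from the environment (IP is overridable so the logic can be unit-tested).

NET_NAME="${NET_NAME:-default}"     # libvirt network whose port we watch
IFACE="${IFACE:-virbr0-nic}"        # port that must be promiscuous
IP="${IP:-/sbin/ip}"                # iproute2 binary

# Return 0 when an `ip link show` line carries the PROMISC flag inside the
# angle-bracketed flag list, 1 otherwise.
line_is_promisc() {
  case "$1" in
    *'<'*PROMISC*'>'*) return 0 ;;
    *) return 1 ;;
  esac
}

# Decide what to do for one hook invocation: act only on "<NET_NAME> started",
# ignore every other network and every other operation.
hook_main() {
  net="$1"; op="$2"
  if [ "$net" = "$NET_NAME" ] && [ "$op" = "started" ]; then
    "$IP" link set dev "$IFACE" promisc on
  fi
}

# After-the-fact check: one-line `ip -o link show` output for the port.
check_promisc() {
  line_is_promisc "$("$IP" -o link show dev "$IFACE" 2>/dev/null)"
}

# Only act when invoked by libvirt (network name and operation present).
if [ $# -ge 2 ]; then
  hook_main "$1" "$2"
fi
```

After installing the hook, restart libvirtd or the network once and run `check_promisc` (or `ip -d link show virbr0-nic`) to confirm PROMISC is present.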

@Elleni

You’re welcome!

It’s part of my way of giving back to the community of open source.

Once your net is up and running, you might want to look into serious monitoring, with something like Zabbix on your NethServer. Can give more than a few pointers in that direction…

My 2 cents
Andy

Yep, definitely on my to do list :smiley: