
I work at an institute so as you can imagine we have the typical proxy, AD, DNS and so on in place. My group is looking into transitioning to Linux for our servers (containing several GPUs for various research purposes) due to easier setup of our environments (machine learning, rendering) and access to tools required for our work. But before we do that I took it upon myself (with permission from our IT admin and my boss) to create a simple setup that will give us some perspective on what we need exactly.

I use a normal desktop PC with Ubuntu Server 20.04 LTS set as the host. For managing it I use SSH (via Putty) or web interface (cockpit). On top of the host I run KVM with a bunch of QEMU VMs all of which are sharing the same bridged network interface (only a single VM may run at a time due to PCI passthrough in place). The host as well as the VMs have hostnames following the scheme

<hostname>.<domain>

Since our IT guy has been an outspoken anti-Linux driving force in our department every machine in the department that runs Linux has to be administered by the employee, who "owns" it. We are not given any help from the admin if we have an issue regarding those machines. Linux machines also need to have a -L suffix so that he knows they are not his problem. In general the host name for PCs and notebooks follows the scheme

<department>-<machine type><3 digit numeric value>

so the complete name will be

<department>-<machine type><3 digit numeric value>.<domain>

Let's say I have the following with foo.bar.com being <domain>:

  • ABC-DT001-L.foo.bar.com - PC, host running Ubuntu Server 20.04, IP address 10.21.5.83
  • ABC-DT001-L-VM0.foo.bar.com - VM, guest running Xubuntu 20.04, IP address 10.21.5.104
  • ABC-NB001.foo.bar.com - notebook, running Windows 10 with AD user, IP address 10.21.5.104
  • Network bridge - converted the single network interface of the ABC-DT001-L to a bridge, which in return is used by every VM I am planning to run
  • HP ProCurve Switch 1810g-8 J9449A - managed switch my machines are connected to inside my office (I have no access to it), IP address 10.21.99.10 (or so the label says)
  • Default gateway - IP address 10.21.5.1
  • DHCP server - IP address 10.21.1.3
  • DNS server - IP address 10.21.1.3
  • Primary WINS server - IP address 10.21.1.10

From our IT department I was told that if a machine has a permanent MAC address I can always use e.g. ABC-DT001-L.foo.bar.com to access my ABC-DT001-L machine.

On a KVM level I have the default bridge (virbr0 or something) that is set upon creating a VM in order to allow the VM's system to synch time somehow as well as my own bridge that binds the VM to the only Ethernet port my host has, allowing it to access the Internet as well as the internal network of our institute. So in terms of MAC addresses on my PC I have

  • ABC-DT001-L.foo.bar.com - MAC address 14:b3:1f:07:ee:5a
  • ABC-DT001-L-VM0.foo.bar.com - MAC address 52:54:00:2a:b8:4f

regarding my bridge.

In case you are interested for the default bridge I have 52:54:00:58:04:50 (host side) and 52:54:00:1e:cf:8b (VM side).

Here is what works:

  • ABC-NB001 - can ping and SSH ABC-DT001-L
  • ABC-NB001 - can ping, SSH and VNC connect to ABC-DT001-L-VM0 (port 5900 for cockpit, port 5901 for any other VNC viewer since I also run X11VNC in parallel to what cockpit already provides to allow access in the future to just the VM and not the underlying server)
  • ABC-DT001-L - can ping and SSH ABC-DT001-L-VM0, can ping ABC-NB001
  • ABC-DT001-L-VM0 - can ping and SSH ABC-DT001-L, can ping ABC-NB001

In addition I can ping and access the web console of ABC-DT001-L from our Windows servers (the ones we will be converting to Linux in the future). Colleagues of mine, working in home office, can also (through our VPN) ping and access ABC-DT001-L.

Here is what doesn't work:

  • Access to ABC-DT001-L-VM0 from our servers including even just ping
  • Access to ABC-DT001-L-VM0 from my colleagues' machines through VPN

So it appears anything beyond the switch is unable to access the VM(s) in any manner possible. One thing I have noticed, which I guess is to be expected, is that behind the switch I can also simply use the hostname instead of the full name to get access to all of my machines.

It appears that the problem is the bridge. Before I go poke the bear (our IT department) I would like to give it a shot in solving the issue (with your help of course).

rbaleksandar
  • Your question completely lacks the ip network design scheme, - you did omit all the network masks, so it's hard to guess what is really happening. Did you convert the host network interface into a bridge ? "Bridge" you're mentioning in the question could refer to just anything. – drookie Apr 10 '22 at 06:37
  • I will provide the masks. As for the bridge - yes, I did convert the host network interface (a single port) into a bridge. – rbaleksandar Apr 10 '22 at 10:51
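Since the guest is reachable only from machines on the same switch segment, one thing worth verifying on the host is that the VM's tap device is actually enslaved to the same bridge as the physical port, rather than to libvirt's default NAT bridge. The shell check below is an added example, not code from the question or its comments; the interface names enp3s0, br0 and vnet0 are assumptions, and both `ip -o link show` outputs are constructed (the tap's host-side MAC is libvirt's fe:54:... rendering of the guest's 52:54:00:2a:b8:4f).

```shell
#!/bin/sh
# Added example (not from the question): parse `ip -o link show` output and
# report whether the VM tap and the host's physical NIC share one bridge.
# Interface names are assumed; both samples below are constructed, using the
# MAC addresses listed in the question.

# Misconfigured case: the tap hangs off libvirt's NAT bridge, not the uplink bridge.
SAMPLE_BAD='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000\    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: enp3s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel master br0 state UP mode DEFAULT group default qlen 1000\    link/ether 14:b3:1f:07:ee:5a brd ff:ff:ff:ff:ff:ff
3: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000\    link/ether 14:b3:1f:07:ee:5a brd ff:ff:ff:ff:ff:ff
4: virbr0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000\    link/ether 52:54:00:58:04:50 brd ff:ff:ff:ff:ff:ff
5: vnet0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel master virbr0 state UNKNOWN mode DEFAULT group default qlen 1000\    link/ether fe:54:00:2a:b8:4f brd ff:ff:ff:ff:ff:ff'

# Expected case: the tap is a member of the same bridge as the physical port.
SAMPLE_GOOD=$(printf '%s\n' "$SAMPLE_BAD" | sed 's/master virbr0/master br0/')

# master_of IFNAME OUTPUT -> prints the bridge IFNAME is enslaved to, or nothing.
master_of() {
    printf '%s\n' "$2" | awk -v ifc="$1" '
        $2 == (ifc ":") { for (i = 3; i <= NF; i++) if ($i == "master") { print $(i + 1); exit } }'
}

# same_bridge UPLINK TAP OUTPUT -> exit status 0 if both sit on one bridge.
same_bridge() {
    up=$(master_of "$1" "$3"); tap=$(master_of "$2" "$3")
    [ -n "$up" ] && [ "$up" = "$tap" ]
}

# report UPLINK TAP OUTPUT -> one-line verdict suitable for a log or ticket.
report() {
    if same_bridge "$1" "$2" "$3"; then
        echo "OK: $1 and $2 are both members of bridge $(master_of "$1" "$3")"
    else
        echo "MISMATCH: $1 master='$(master_of "$1" "$3")', $2 master='$(master_of "$2" "$3")'"
    fi
}

report enp3s0 vnet0 "$SAMPLE_BAD"
report enp3s0 vnet0 "$SAMPLE_GOOD"
```

On the real host the same check is `report enp3s0 vnet0 "$(ip -o link show)"` with the actual interface names substituted.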
