Sunday, July 12, 2015

QEMU/KVM Bridged Network with TAP interfaces

In my previous post, Rapid Linux Kernel Dev/Test with QEMU, KVM and Dracut, I described how to build and boot a Linux kernel quickly, making use of port forwarding between hypervisor and guest VM for virtual network traffic.

This post describes how to plumb the Linux VM directly into a hypervisor network, through the use of a bridge.

Start by creating a bridge on the hypervisor system:
> sudo /sbin/brctl addbr br0

Clear the IP address on the network interface that you'll be bridging (e.g. eth0).
Note: This will disable network traffic on eth0!
> sudo ip addr flush dev eth0

Add the interface to the bridge:
> sudo /sbin/brctl addif br0 eth0


Next up, create a TAP interface:
> sudo /sbin/tunctl -u $(whoami)
Set 'tap0' persistent and owned by uid 1001
The -u parameter ensures that the current user will be able to connect to the TAP interface.

Add the TAP interface to the bridge:
> sudo /sbin/brctl addif br0 tap0

Make sure everything is up:
> sudo ip link set dev br0 up
> sudo ip link set dev tap0 up

The TAP interface is now ready for use. Assuming that a DHCP server is available on the bridged network, the VM can now obtain an IP address during boot via:
> qemu-kvm -kernel arch/x86/boot/bzImage \
           -initrd initramfs \
           -device e1000,netdev=network0,mac=52:55:00:d1:55:01 \
           -netdev tap,id=network0,ifname=tap0,script=no,downscript=no \
           -append "ip=dhcp rd.shell=1 console=ttyS0" -nographic

The MAC address is explicitly specified, so care should be taken to ensure its uniqueness.

The DHCP server response details are printed alongside network interface configuration. E.g.
[    3.792570] e1000: eth0 NIC Link is Up 1000 Mbps Full Duplex, Flow Control: RX
[    3.796085] IPv6: ADDRCONF(NETDEV_CHANGE): eth0: link becomes ready
[    3.812083] Sending DHCP requests ., OK
[    4.824174] IP-Config: Got DHCP answer from 10.155.0.42, my address is 10.155.0.1
[    4.825119] IP-Config: Complete:
[    4.825476]      device=eth0, hwaddr=52:55:00:d1:55:01, ipaddr=10.155.0.1, mask=255.255.0.0, gw=10.155.0.254
[    4.826546]      host=rocksolid-sles, domain=suse.de, nis-domain=suse.de
...

Didn't get an IP address? There are a few things to check:
  • Confirm that the kernel is built with boot-time DHCP client (CONFIG_IP_PNP_DHCP=y) and E1000 network driver (CONFIG_E1000=y) support.
  • Check that the -device and -netdev arguments specify a valid e1000 TAP interface.
  • Ensure that ip=dhcp is provided as a kernel boot parameter, and that the DHCP server is up and running.
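
A pre-flight check for the list above, written as an added example (not part of the original post); the function names are hypothetical and the sample command line is constructed from the one shown earlier. It also verifies that the MAC is a well-formed, locally administered unicast address, which supports but does not prove the uniqueness the post asks for.

```shell
#!/bin/sh
# Added example: pre-flight checks for the troubleshooting list above.
# Function names are hypothetical; the sample command line is constructed.

# check_kconfig FILE: both options the post names must be built in (=y).
check_kconfig() {
    rc=0
    for opt in CONFIG_IP_PNP_DHCP CONFIG_E1000; do
        if ! grep -qx "${opt}=y" "$1"; then
            echo "missing or not built in: $opt" >&2
            rc=1
        fi
    done
    return $rc
}

# check_qemu_args "ARGS": the e1000 -device must reference a -netdev tap
# backend with the same id, and ip=dhcp must be on the kernel command line.
check_qemu_args() {
    id=$(printf '%s\n' "$1" | sed -n 's/.*-device e1000,netdev=\([^, ]*\).*/\1/p')
    [ -n "$id" ] || { echo "no e1000 device with netdev= found" >&2; return 1; }
    case "$1" in
        *"-netdev tap,id=$id,"*|*"-netdev tap,id=$id "*|*"-netdev tap,id=$id") ;;
        *) echo "no tap netdev with id=$id" >&2; return 1 ;;
    esac
    case "$1" in
        *ip=dhcp*) ;;
        *) echo "ip=dhcp not passed to the kernel" >&2; return 1 ;;
    esac
}

# check_mac MAC: well-formed, unicast (bit 0 of the first octet clear) and
# locally administered (bit 1 set), so it stays out of vendor-assigned space.
check_mac() {
    printf '%s\n' "$1" | grep -Eqx '([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}' || return 1
    first=$(( 0x${1%%:*} ))
    [ $(( first & 1 )) -eq 0 ] && [ $(( first & 2 )) -ne 0 ]
}

# Constructed sample mirroring the command line shown in the post.
ARGS='-device e1000,netdev=network0,mac=52:55:00:d1:55:01 -netdev tap,id=network0,ifname=tap0,script=no,downscript=no -append "ip=dhcp rd.shell=1 console=ttyS0"'
check_qemu_args "$ARGS" && check_mac 52:55:00:d1:55:01 && echo "qemu arguments look consistent"
```

Run check_kconfig against the .config in the kernel build tree before booting the guest.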
Happy hacking!

9 comments:

  1. I was looking for solid, simple examples for how to bridge a QEMU guest to my host without using SLIRP. This is the most distro agnostic and to the point example I've found so far, thank you for putting this together!

  2. Glad to hear it was helpful. Thanks for the feedback Kenneth!

  3. Thank you for the simple instructions you put together. It has been a great help to us.

  4. Great tutorial, will be using this to create VM to VM taps for SDN services.

  5. Thank you very .. it was very helpful for me

  6. An important note for static IP addresses: the IP address that was previously on eth0 now has to be set on the `br0` device, then the LAN starts working.

    I also think `sudo /sbin/brctl addbr br0` can be changed to `sudo ip link add br0 type bridge`, and `sudo /sbin/brctl addif br0 eth0` → `sudo ip link set eth0 master br0`.

    1. Thanks for the brctl -> ip link type bridge recommendation. I'll give it a test and update the tutorial

  7. Thanks for the short and informative tutorial. I have followed this and it worked. I can ping guests from host. From guests I can ping host, my internet router and internet hosts. However I can't ping guest from guest. Would you update your article on how to accomplish this?

    1. Hi Dimon, guest to guest communication works fine for me. Could your firewall be getting in the way?
