LinuxQuestions.org

Linux - Virtualization and Cloud: Permissions for bridged network with Qemu (https://www.linuxquestions.org/questions/linux-virtualization-and-cloud-90/permissions-for-bridged-network-with-qemu-4175550092/)

Gerard Lally 08-06-2015 08:31 PM

Permissions for bridged network with Qemu
 
Slackware64 14.1 host; kvm modules loaded; qemu 2.3.0

Some years ago I successfully set up a qemu-kvm host with bridged networking. My setup was a little unusual: instead of bridging to a physical adapter I created a dummy interface on the host and bridged to that; I also created a tap interface for the guest and connected that tap interface to the same bridge. The bridge got an address like 10.40.40.1; ip forwarding was set up and iptables masqueraded connections from 10.50.50.0 to the physical adapter, which was something like 192.168.1.100, and then on to the router. Don't ask me why I prefer this setup; I just don't like bridging to the external adapter.

I used brctl and tunctl to bring up the interfaces.

It worked well, but I had to invoke qemu as root user, which always left me uncomfortable.

I am now trying to implement a similar setup with the iproute2 suite, hoping to invoke qemu this time as a regular user. Here's how I bring the virtual network up as root user:

Code:

# create bridge br0 and bring it up
ip link add br0 type bridge
ip link set br0 up

# create tap adapter tap0 and allow regular user to attach it to guest
ip tuntap add tap0 mode tap user gerard group users
ip link set tap0 promisc on
ip link set tap0 up
ip link set tap0 master br0

# create dummy adapter dummy0
ip link add dummy0 type dummy
ip link set dummy0 promisc on
ip link set dummy0 up
ip link set dummy0 master br0

# assign address to br0
ip address add 10.40.40.1/32 dev br0

Here's how I invoke qemu as a regular user (irrelevant portions snipped):

Code:

/usr/local/bin/qemu-system-x86_64 -enable-kvm \
    -net nic \
    -net tap,ifname=tap0,script=no,downscript=no \
    -drive ... etc

Here's what ip link show reports when the virtual network is up:

Code:

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000
    link/ether 00:22:15:4b:cb:39 brd ff:ff:ff:ff:ff:ff
122: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default
    link/ether 7e:ea:f6:8d:ef:ed brd ff:ff:ff:ff:ff:ff
123: tap0: <NO-CARRIER,BROADCAST,MULTICAST,PROMISC,UP> mtu 1500 qdisc pfifo_fast master br0 state DOWN mode DEFAULT group default qlen 500
    link/ether d6:b8:f6:df:58:61 brd ff:ff:ff:ff:ff:ff
124: dummy0: <BROADCAST,NOARP,PROMISC,UP,LOWER_UP> mtu 1500 qdisc noqueue master br0 state UNKNOWN mode DEFAULT group default
    link/ether 7e:ea:f6:8d:ef:ed brd ff:ff:ff:ff:ff:ff

And here's what the same shows when the guest is started:

Code:

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000
    link/ether 00:22:15:4b:cb:39 brd ff:ff:ff:ff:ff:ff
122: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default
    link/ether 7e:ea:f6:8d:ef:ed brd ff:ff:ff:ff:ff:ff
123: tap0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master br0 state UP mode DEFAULT group default qlen 500
    link/ether d6:b8:f6:df:58:61 brd ff:ff:ff:ff:ff:ff
124: dummy0: <BROADCAST,NOARP,PROMISC,UP,LOWER_UP> mtu 1500 qdisc noqueue master br0 state UNKNOWN mode DEFAULT group default
    link/ether 7e:ea:f6:8d:ef:ed brd ff:ff:ff:ff:ff:ff

Here's what bridge link show br0 reports:

Code:

123: tap0 state UP : <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 master br0 state forwarding priority 32 cost 100
124: dummy0 state UNKNOWN : <BROADCAST,NOARP,PROMISC,UP,LOWER_UP> mtu 1500 master br0 state forwarding priority 32 cost 100

I assign a fixed address to the guest - 10.40.40.100, 255.255.255.0 and gw 10.40.40.1 with nameserver 8.8.8.8. However, I am unable to get a connection to the outside world, or even to the gateway for that matter. ping 10.40.40.1 returns host unreachable. Since I am not too well up on iptables and netfilter I generate the firewall script using Eric Hameleers' easy firewall generator for Slackware, setting eth0 to my external interface and br0 to the LAN side, with gateway enabled.

Is this a permissions issue, or have I something wrong in the configuration above?
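The host side described in the post, as an added example that is not the poster's own code: a small Python checker for the guest/bridge addressing and for the `ip link show` output. It assumes the topology exactly as posted (br0 with tap0 and dummy0 as ports, the guest on 10.40.40.100/24 with gateway 10.40.40.1) and takes the sample `ip link show` lines from the post. One thing it flags is that `10.40.40.1/32` on br0 gives the host no connected route to the guest subnet, so anything the host sends back to 10.40.40.100 follows the default route towards eth0 rather than br0; a /24 on the bridge gives the host and guest the same view of the subnet.

```python
"""Host-side sanity checks for the tap + dummy + br0 setup in the post.

Added example, not code from the thread. The `ip link show` samples below are
copied from the post; the addressing values are the ones the post gives.
"""
import ipaddress
import re

# Copied from the post: `ip link show` before the guest is started (tap0 has
# no carrier because no process has opened the tap yet) and after.
BEFORE_GUEST = """\
122: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default
    link/ether 7e:ea:f6:8d:ef:ed brd ff:ff:ff:ff:ff:ff
123: tap0: <NO-CARRIER,BROADCAST,MULTICAST,PROMISC,UP> mtu 1500 qdisc pfifo_fast master br0 state DOWN mode DEFAULT group default qlen 500
    link/ether d6:b8:f6:df:58:61 brd ff:ff:ff:ff:ff:ff
124: dummy0: <BROADCAST,NOARP,PROMISC,UP,LOWER_UP> mtu 1500 qdisc noqueue master br0 state UNKNOWN mode DEFAULT group default
    link/ether 7e:ea:f6:8d:ef:ed brd ff:ff:ff:ff:ff:ff
"""
AFTER_GUEST = """\
122: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default
    link/ether 7e:ea:f6:8d:ef:ed brd ff:ff:ff:ff:ff:ff
123: tap0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master br0 state UP mode DEFAULT group default qlen 500
    link/ether d6:b8:f6:df:58:61 brd ff:ff:ff:ff:ff:ff
124: dummy0: <BROADCAST,NOARP,PROMISC,UP,LOWER_UP> mtu 1500 qdisc noqueue master br0 state UNKNOWN mode DEFAULT group default
    link/ether 7e:ea:f6:8d:ef:ed brd ff:ff:ff:ff:ff:ff
"""

LINK_LINE = re.compile(r"^\d+: ([^:]+): <([^>]*)>(.*)$")


def check_addressing(bridge_cidr, guest_ip, guest_mask, gateway):
    """Return a list of addressing problems; an empty list means consistent."""
    problems = []
    bridge_if = ipaddress.ip_interface(bridge_cidr)
    guest_if = ipaddress.ip_interface("%s/%s" % (guest_ip, guest_mask))
    gw = ipaddress.ip_address(gateway)

    # The guest hands off-subnet traffic to its gateway, so the gateway must
    # sit inside the subnet the guest was configured with.
    if gw not in guest_if.network:
        problems.append("gateway %s is outside the guest subnet %s" % (gw, guest_if.network))
    # In this topology the gateway is the bridge address on the host.
    if gw != bridge_if.ip:
        problems.append("gateway %s is not the bridge address %s" % (gw, bridge_if.ip))
    # The host's connected route for br0 comes from the prefix length it was
    # given. With a /32 there is no route back to the guest through br0, so
    # replies leave by the default route instead.
    if guest_if.ip not in bridge_if.network:
        problems.append(
            "bridge address %s gives the host no connected route to guest %s; use %s/%d"
            % (bridge_if.with_prefixlen, guest_if.ip, bridge_if.ip, guest_if.network.prefixlen)
        )
    return problems


def parse_ip_link(output):
    """Parse `ip link show` text into {name: {"flags", "master", "state"}}."""
    links = {}
    for line in output.splitlines():
        m = LINK_LINE.match(line)
        if not m:
            continue  # indented link/ether lines carry nothing we need here
        name, flags, rest = m.group(1), set(m.group(2).split(",")), m.group(3).split()
        master = rest[rest.index("master") + 1] if "master" in rest else None
        state = rest[rest.index("state") + 1] if "state" in rest else None
        links[name] = {"flags": flags, "master": master, "state": state}
    return links


def check_bridge_ports(links, bridge, ports):
    """Confirm each port is enslaved to the bridge and has carrier."""
    problems = []
    for port in ports:
        info = links.get(port)
        if info is None:
            problems.append("%s: interface not present" % port)
            continue
        if info["master"] != bridge:
            problems.append("%s: not enslaved to %s" % (port, bridge))
        if "NO-CARRIER" in info["flags"]:
            problems.append("%s: no carrier (no process has the tap open yet)" % port)
    return problems


if __name__ == "__main__":
    # Values as given in the post: br0 gets 10.40.40.1/32, the guest 10.40.40.100/24.
    for p in check_addressing("10.40.40.1/32", "10.40.40.100", "255.255.255.0", "10.40.40.1"):
        print("addressing:", p)
    for label, sample in (("before guest", BEFORE_GUEST), ("after guest", AFTER_GUEST)):
        for p in check_bridge_ports(parse_ip_link(sample), "br0", ("tap0", "dummy0")):
            print("%s: %s" % (label, p))
```

The carrier check explains the two `ip link show` listings in the post: a tap has no carrier until something opens `/dev/net/tun` on it, which is why tap0 shows NO-CARRIER and state DOWN before the guest starts and LOWER_UP afterwards; that part of the setup is working as expected, and the addressing check is where the mismatch shows up.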

Gerard Lally 08-07-2015 07:43 PM

I spent yesterday studying the qemu documentation more closely, and ended up getting netdev bridge working with the qemu-bridge-helper script. I had to add the s bit to this script (chmod u+s /usr/local/libexec/qemu-bridge-helper), as suggested in one of the resources I found online. Once I did that and created /usr/local/etc/qemu/bridge.conf with the single line "allow br0" I was able to run guests as a regular user. All that is required on the host is to create a bridge; no need to create tap or dummy adapters at all, and eth0 is not added to the bridge either, so I'm satisfied with this setup.
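The arrangement the second post settles on, as an added example that is not qemu's code or the poster's: the helper runs setuid root so that an unprivileged qemu can ask it to create a tap and attach it to a bridge, and the ACL file decides which bridges are permitted, which is why the single line `allow br0` is what grants access. The evaluator below models such an ACL with `allow`, `deny` and `include` directives, `all` as a wildcard, later rules overriding earlier ones and an implicit default deny; that ordering is an assumption made for this example and should be checked against the helper version in use. The file contents are constructed in-line (the first entry is the line from the post) so it runs offline, and `conf_file_safe` is a defender's check on the ACL file itself rather than anything the helper is known to do.

```python
"""Model of a bridge-helper ACL (bridge.conf) as used by a setuid helper.

Added example, not qemu's own code. Files are constructed in-line; the
rule ordering (last matching rule wins, default deny) is an assumption.
"""
import stat

# Constructed file contents keyed by path. The first entry is the line the
# post ends up with; the others show include and deny for illustration.
CONF_FILES = {
    "/usr/local/etc/qemu/bridge.conf": "allow br0\n",
    "/etc/qemu/bridge.conf": (
        "# site policy: nobody may attach a guest to the management bridge\n"
        "include /etc/qemu/bridge.conf.d/local\n"
        "deny br-mgmt\n"
    ),
    "/etc/qemu/bridge.conf.d/local": "allow all\n",
}


def parse_bridge_conf(path, files=CONF_FILES, depth=0):
    """Return the ACL as an ordered list of (verb, target), expanding includes."""
    if depth > 8:
        raise ValueError("include nesting too deep")
    rules = []
    for raw in files[path].splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        if len(parts) != 2 or parts[0] not in ("allow", "deny", "include"):
            raise ValueError("%s: unparsable ACL line %r" % (path, raw))
        verb, target = parts
        if verb == "include":
            rules.extend(parse_bridge_conf(target, files, depth + 1))
        else:
            rules.append((verb, target))
    return rules


def bridge_allowed(rules, bridge):
    """Evaluate the ACL for one bridge name: last matching rule wins, default deny."""
    allowed = False
    for verb, target in rules:
        if target == "all" or target == bridge:
            allowed = (verb == "allow")
    return allowed


def conf_file_safe(mode, owner_uid):
    """Defender's check on the ACL file consulted by a setuid-root helper:
    it must be owned by root and writable by nobody else, otherwise the
    unprivileged user could simply grant themselves any bridge."""
    return owner_uid == 0 and not (mode & (stat.S_IWGRP | stat.S_IWOTH))


if __name__ == "__main__":
    rules = parse_bridge_conf("/usr/local/etc/qemu/bridge.conf")
    for name in ("br0", "br1"):
        print("%s: %s" % (name, "allowed" if bridge_allowed(rules, name) else "denied"))
    site = parse_bridge_conf("/etc/qemu/bridge.conf")
    print("site policy rules:", site)
    print("br-mgmt under site policy:", bridge_allowed(site, "br-mgmt"))
```

With the post's one-line file, `br0` is allowed and every other bridge is denied, which is the least-privilege outcome the setuid helper is meant to enforce. The `conf_file_safe` check can be fed the results of `os.stat` on the real file; a group- or world-writable ACL next to a setuid-root helper defeats the purpose of the ACL.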

