I have a host machine with Debian 10 & QEMU-KVM. I installed packages and rebooted:
sudo apt install qemu-kvm virt-manager
sudo reboot
So now I want to create a bridge that will enable my virtual servers to (a) connect to the network and (b) be visible to the host machine and other computers on the network.
I read a dozen tutorials on how to do this and failed miserably every time. I had some success setting up a bridge with (a) the iproute2 package and (b) the virt-manager package (run as superuser).
Trying as root:
By following the ArchWiki I set up my bridge using these commands:
sudo ip link add virtual_bridge type bridge
sudo ip link set dev virtual_bridge up
I then reset the Ethernet card and connect it to the bridge as its slave:
sudo ip link set dev enx24f5a2f17b27 down
sudo ip addr flush dev enx24f5a2f17b27
sudo ip link set dev enx24f5a2f17b27 up
sudo ip link set dev enx24f5a2f17b27 master virtual_bridge
And then I open the GUI application:
sudo virt-manager
I right-click the QEMU/KVM session (qemu:///system) and choose Connect:
When the session is connected I start creating a new virtual machine. During its creation I come to a window asking me to choose the type of virtual network. There are two options. The first one has sub-options while the second one enables manual input of the device:
Host device enx24f5a2f17b27: macvtap
- Bridge
- VEPA
- Private
- Passthrough
Specify shared device name
I tried choosing the sub-options offered by the first option, but when selected they issue a warning:
In most configurations macvtap does not work for host to guest network communication
This is not an option for me because my virtual servers will need two-way communication. This is why I chose the second option and manually specified my bridge virtual_bridge:
Then I start the virtual machine, which can browse the internet, and so can the host machine. Both are assigned an IP in the same network. But when I try to ping them, ping doesn't work in either direction: the host can't ping the virtual machine and vice versa.
I can't explain this, because the ArchWiki states that a bridge should be transparent like a switch and devices should therefore be able to ping each other:
A bridge is a piece of software used to unite two or more network segments. A bridge behaves like a virtual network switch, working transparently (the other machines do not need to know or care about its existence).
If I check the internet settings on the host:
ziga@ziga-laptop:~$ ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: wlp3s0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether c4:85:08:3c:1a:59 brd ff:ff:ff:ff:ff:ff
3: enx24f5a2f17b27: <BROADCAST,MULTICAST,DYNAMIC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master virtual_bridge state UP group default qlen 1000
    link/ether 24:f5:a2:f1:7b:27 brd ff:ff:ff:ff:ff:ff
    inet 192.168.64.100/24 brd 192.168.64.255 scope global enx24f5a2f17b27
       valid_lft forever preferred_lft forever
    inet6 fe80::26f5:a2ff:fef1:7b27/64 scope link
       valid_lft forever preferred_lft forever
32: virtual_bridge: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 24:f5:a2:f1:7b:27 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::26f5:a2ff:fef1:7b27/64 scope link
       valid_lft forever preferred_lft forever
34: vnet0: <BROADCAST,MULTICAST,DYNAMIC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master virtual_bridge state UNKNOWN group default qlen 1000
    link/ether fe:54:00:c4:3e:62 brd ff:ff:ff:ff:ff:ff
    inet 169.254.82.75/16 brd 169.254.255.255 scope global vnet0
       valid_lft forever preferred_lft forever
    inet6 fe80::2c93:eff:fea5:c52b/64 scope link
       valid_lft forever preferred_lft forever
From the above, I can confirm that my Ethernet interface enx24f5a2f17b27 and vnet0 (which was automatically created by the virtual machine) are both slaves to virtual_bridge (note the keywords master virtual_bridge).
If I am honest, I was expecting the GUI application to also create a TAP device, but it only created vnet0... Is this actually a TAP device?
How can I make connection two-way?
Trying as a normal user (without bridge):
I deleted virtual_bridge and virtual_tap so that everything was back to normal.
ziga@ziga-laptop:~$ ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: wlp3s0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether c4:85:08:3c:1a:59 brd ff:ff:ff:ff:ff:ff
3: enx24f5a2f17b27: <BROADCAST,MULTICAST,DYNAMIC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 24:f5:a2:f1:7b:27 brd ff:ff:ff:ff:ff:ff
    inet 192.168.64.100/24 brd 192.168.64.255 scope global enx24f5a2f17b27
       valid_lft forever preferred_lft forever
    inet6 fe80::26f5:a2ff:fef1:7b27/64 scope link
       valid_lft forever preferred_lft forever
I noticed that if I start virt-manager with sudo and use a qcow2 image, that image will become owned by root and part of the group root. This was part of the reason why I avoided using virt-manager as a normal user. So I fixed this and started virt-manager as a normal user.
I created an identical virtual machine, but when the network window popped up it had different (!) options:
- Userspace networking
- Specify shared device name
I was unable to specify my interface enx24f5a2f17b27 manually with the second option, so I chose userspace networking.
Then I started the virtual machine, which can browse the internet, and so can the host machine. Both are assigned IPs which are totally different. When I try to ping them, ping doesn't work in either direction: the host can't ping the virtual machine and vice versa.
Trying as a normal user (with bridge):
So now I first set up my bridge precisely like I did in my first attempt as a sudo user:
sudo ip link add virtual_bridge type bridge
sudo ip link set dev virtual_bridge up
sudo ip link set dev enx24f5a2f17b27 down
sudo ip addr flush dev enx24f5a2f17b27
sudo ip link set dev enx24f5a2f17b27 up
sudo ip link set dev enx24f5a2f17b27 master virtual_bridge
so that I have:
ziga@ziga-laptop:~$ ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: wlp3s0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether c4:85:08:3c:1a:59 brd ff:ff:ff:ff:ff:ff
3: enx24f5a2f17b27: <BROADCAST,MULTICAST,DYNAMIC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master virtual_bridge state UP group default qlen 1000
    link/ether 24:f5:a2:f1:7b:27 brd ff:ff:ff:ff:ff:ff
    inet 192.168.64.100/24 brd 192.168.64.255 scope global enx24f5a2f17b27
       valid_lft forever preferred_lft forever
    inet6 fe80::26f5:a2ff:fef1:7b27/64 scope link
       valid_lft forever preferred_lft forever
11: virtual_bridge: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 24:f5:a2:f1:7b:27 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::805f:cfff:feb6:ec91/64 scope link
       valid_lft forever preferred_lft forever
I started virt-manager as a normal user and created an identical virtual machine. When the network window pops up it has the same options as before:
- Userspace networking
- Specify shared device name
I was unable to specify my bridge virtual_bridge manually with the second option because QEMU reports an internal error:
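As an added example that is not part of the original question: the one thing a practitioner checks first in an `ip addr` dump like the ones above is where the host's IPv4 address lives. On a Linux bridge the host's address belongs on the bridge device (virtual_bridge), not on an enslaved port; once a NIC is a bridge port its frames are handled by the bridge, and an address left on the port is the usual reason host and guests end up in the same subnet yet cannot ping each other. The script below parses `ip addr` output (indented as the kernel prints it, or with indentation lost as in the post), finds every device that other devices name as `master`, flags ports that still carry a global IPv4 address and bridges that carry none, and emits the `ip` commands that move the address. The embedded sample is the root-attempt `ip addr` output quoted in the question, abridged; the parsing and the diagnosis rule are my own, not libvirt's or the ArchWiki's.

```python
"""Audit `ip addr` output for the bridge mistake that breaks host<->guest
traffic: the host's address left on an enslaved port instead of on the
bridge device itself. Added example; the sample is the host's own `ip addr`
output quoted in the question (abridged, valid_lft lines dropped)."""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed from the question's `ip addr` dump (root attempt).
SAMPLE = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
3: enx24f5a2f17b27: <BROADCAST,MULTICAST,DYNAMIC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master virtual_bridge state UP group default qlen 1000
    link/ether 24:f5:a2:f1:7b:27 brd ff:ff:ff:ff:ff:ff
    inet 192.168.64.100/24 brd 192.168.64.255 scope global enx24f5a2f17b27
    inet6 fe80::26f5:a2ff:fef1:7b27/64 scope link
32: virtual_bridge: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 24:f5:a2:f1:7b:27 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::26f5:a2ff:fef1:7b27/64 scope link
34: vnet0: <BROADCAST,MULTICAST,DYNAMIC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master virtual_bridge state UNKNOWN group default qlen 1000
    link/ether fe:54:00:c4:3e:62 brd ff:ff:ff:ff:ff:ff
    inet 169.254.82.75/16 brd 169.254.255.255 scope global vnet0
    inet6 fe80::2c93:eff:fea5:c52b/64 scope link
"""

IFACE_RE = re.compile(r"^\d+: ([^:@\s]+)(?:@\S+)?: <([^>]*)>(.*)$")
INET_RE = re.compile(r"^\s*inet (\S+) .*\bscope (\w+)")   # IPv4 only; "inet6 " will not match
MASTER_RE = re.compile(r"\bmaster (\S+)")


@dataclass
class Iface:
    name: str
    flags: set
    master: Optional[str]                                      # bridge this device is a port of
    inet: List[Tuple[str, str]] = field(default_factory=list)  # (cidr, scope) IPv4 addresses


@dataclass
class Finding:
    code: str       # ADDR_ON_PORT or BRIDGE_NO_IPV4
    iface: str      # device the finding is about
    bridge: str     # bridge it belongs to
    cidr: str = ""  # offending address, for ADDR_ON_PORT


def parse_ip_addr(text: str) -> Dict[str, Iface]:
    """Parse `ip addr` output, indented or with indentation lost, into {name: Iface}."""
    ifaces: Dict[str, Iface] = {}
    cur: Optional[Iface] = None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            mm = MASTER_RE.search(m.group(3))
            cur = Iface(m.group(1), set(m.group(2).split(",")), mm.group(1) if mm else None)
            ifaces[cur.name] = cur
            continue
        m = INET_RE.match(line)
        if m and cur is not None:
            cur.inet.append((m.group(1), m.group(2)))
    return ifaces


def audit_bridges(ifaces: Dict[str, Iface]) -> List[Finding]:
    """Flag every bridge port that carries a global IPv4 address and every
    bridge that carries none. A device counts as a bridge when some other
    device names it as `master` (plain `ip addr` does not print link types)."""
    findings: List[Finding] = []
    for br in sorted({i.master for i in ifaces.values() if i.master}):
        ports = [i for i in ifaces.values() if i.master == br]
        for p in ports:
            for cidr, scope in p.inet:
                if scope == "global":
                    findings.append(Finding("ADDR_ON_PORT", p.name, br, cidr))
        br_if = ifaces.get(br)
        if br_if is None or not any(scope == "global" for _, scope in br_if.inet):
            findings.append(Finding("BRIDGE_NO_IPV4", br, br))
    return findings


def fix_commands(findings: List[Finding]) -> List[str]:
    """Turn ADDR_ON_PORT findings into `ip` commands that move the address to
    the bridge. 169.254/16 (RFC 3927 link-local) addresses are only deleted:
    they were never the host's real address and have no place on the bridge."""
    cmds: List[str] = []
    for f in findings:
        if f.code != "ADDR_ON_PORT":
            continue
        cmds.append(f"ip addr del {f.cidr} dev {f.iface}")
        if not ipaddress.ip_interface(f.cidr).ip.is_link_local:
            cmds.append(f"ip addr add {f.cidr} dev {f.bridge}")
    return cmds


if __name__ == "__main__":
    found = audit_bridges(parse_ip_addr(SAMPLE))
    for f in found:
        print(f"{f.code:15} {f.iface:16} bridge={f.bridge} {f.cidr}")
    print("\n".join(fix_commands(found)))
```

Run against the question's own dump it reports 192.168.64.100/24 on the port enx24f5a2f17b27, a 169.254.82.75/16 link-local address on the tap port vnet0 (vnetN devices are the TAP interfaces libvirt creates for bridged guest NICs, so vnet0 is the TAP device the question asks about), and no IPv4 address on virtual_bridge at all. Deleting the address from the port also drops the default route that depended on it, so after `ip addr add ... dev virtual_bridge` the default route has to be re-added on the bridge with the gateway for that network, which `ip addr` output does not contain. Note that the quoted dump shows the address back on enx24f5a2f17b27 even though the question flushed it earlier; my assumption is that a DHCP client or network manager on the host re-assigned it, and if so the lasting fix is to point that daemon at the bridge (for example an ifupdown stanza with bridge_ports, or a NetworkManager bridge connection) rather than at the port, otherwise it will keep undoing the manual `ip` commands.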