By default, QEMU uses a so-called “user mode” host network back-end,
which is convenient as it does not require any configuration.
Unfortunately, it is also quite limited. In this mode, the guest
VM (virtual machine) can access the network the same way the host
would, but it cannot be reached from the host. Additionally, since the
QEMU user networking mode relies on ICMP, ICMP-based networking tools
such as ping do not work in this mode. Thus, it is
often desirable to configure a network bridge, which enables the guest
to fully participate in the network. This is necessary, for example,
when the guest is to be used as a server.
There are many ways to create a network bridge. The following command
shows how to use NetworkManager and its nmcli command line
interface (CLI) tool, which should already be available if your
operating system declaration is based on one of the desktop templates:
# nmcli con add type bridge con-name br0 ifname br0
To have this bridge be part of your network, you must associate your network bridge with the Ethernet interface used to connect with the network. Assuming your interface is named ‘enp2s0’, the following command can be used to do so:
# nmcli con add type bridge-slave ifname enp2s0 master br0
Important: Only Ethernet interfaces can be added to a bridge. For wireless interfaces, consider the routed network approach detailed in Routed network for libvirt.
By default, the network bridge will allow your guests to obtain their IP address via DHCP, if available on your local network. For simplicity, this is what we will use here. To easily find the guests, they can be configured to advertise their host names via mDNS.
QEMU comes with a helper program to conveniently make use of a network
bridge interface as an unprivileged user (see Network options in QEMU
Documentation). The binary must be made setuid root for proper
operation; this can be achieved by adding it to the privileged-programs
field of your (host) operating-system definition, as shown below:
(privileged-programs
 (cons (privileged-program
        (program (file-append qemu "/libexec/qemu-bridge-helper"))
        (setuid? #t))
       %default-privileged-programs))
The file /etc/qemu/bridge.conf must also be made to allow the bridge interface, as the default is to deny all. Add the following to your list of services to do so:
(extra-special-file "/etc/qemu/bridge.conf"
                    (plain-file "bridge.conf" "allow br0\n"))
When invoking QEMU, the following options should be provided so that the network bridge is used, after having selected a unique MAC address for the guest.
Important: By default, a single MAC address is used for all guests unless one is provided explicitly. Failing to give each virtual machine that uses the bridge a different MAC address would cause networking issues.
$ qemu-system-x86_64 [...] \
    -device virtio-net-pci,netdev=user0,mac=XX:XX:XX:XX:XX:XX \
    -netdev bridge,id=user0,br=br0 \
    [...]
To generate MAC addresses that have the QEMU registered prefix, the following snippet can be employed:
mac_address="52:54:00:$(dd if=/dev/urandom bs=512 count=1 2>/dev/null \
                           | md5sum \
                           | sed -E 's/^(..)(..)(..).*$/\1:\2:\3/')"
echo $mac_address
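When several guests share the bridge, it helps to derive each MAC address from the guest's name instead of from random bytes, so that a guest keeps the same address across restarts and a clash between two guests can be detected before they boot. The following is an added example, not part of the original manual; it swaps the random source for a SHA-256 hash of the guest name, and the function names and the guest names (web1, web2, db1) are made up for illustration.

```shell
#!/bin/sh
# Added example: stable, per-guest MAC addresses under the 52:54:00 prefix.
# Function names and guest names are hypothetical.

# guest_mac NAME: derive the MAC from the guest name, so the same guest
# always gets the same address and different guests get different ones.
guest_mac() {
    printf '%s' "$1" | sha256sum \
        | sed -E 's/^(..)(..)(..).*$/52:54:00:\1:\2:\3/'
}

# valid_qemu_mac MAC: succeed only for a well-formed 52:54:00:xx:xx:xx address.
valid_qemu_mac() {
    printf '%s\n' "$1" | grep -Eq '^52:54:00(:[0-9a-f]{2}){3}$'
}

# duplicate_macs NAME...: print every MAC that two or more guests would share.
# Only 24 bits vary, so a clash is unlikely but possible; check before booting.
duplicate_macs() {
    for name in "$@"; do
        guest_mac "$name"
    done | sort | uniq -d
}

# netdev_args NAME BRIDGE: print the QEMU options shown above, filled in for
# one guest; refuses to print anything if the address is malformed.
netdev_args() {
    mac=$(guest_mac "$1")
    valid_qemu_mac "$mac" || return 1
    printf '%s\n' \
        "-device virtio-net-pci,netdev=user0,mac=$mac -netdev bridge,id=user0,br=$2"
}

# Demo with constructed guest names: run the script with --demo.
if [ "${1:-}" = "--demo" ]; then
    for g in web1 web2 db1; do
        printf '%s: %s\n' "$g" "$(netdev_args "$g" br0)"
    done
fi
```

An empty result from duplicate_macs over the full list of guest names means every guest on the bridge gets a distinct address.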
If you use Docker on your machine, you may experience connectivity
issues when attempting to use a network bridge, which are caused by
Docker also relying on network bridges and configuring its own routing
rules. The solution is to add the following iptables snippet to
your operating-system declaration:
(service iptables-service-type
         (iptables-configuration
          (ipv4-rules (plain-file "iptables.rules" "\
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i br0 -o br0 -j ACCEPT
COMMIT
"))))