jbryner n00b
Joined: 03 Sep 2004 Posts: 47 Location: pdx
Posted: Thu Apr 30, 2009 10:26 pm Post subject: [HOWTO] kvm with vde instead of bridging
Couldn't find this for Gentoo, so here's how to get KVM up on Gentoo using vde for networking instead of bridging. Using vde gives you virtual switches where you can tightly control who talks to whom, using iptables, etc.
Assuming you've already got kvm and vde installed and you are root on your box:
First, the kernel modules you'll need:
Code: |
grep -i config_tun /usr/src/linux/.config
CONFIG_TUN=m
grep -i conntrack /usr/src/linux/.config
CONFIG_NF_CONNTRACK=m
grep -i iptables /usr/src/linux/.config
CONFIG_IP_NF_IPTABLES=m
CONFIG_IP6_NF_IPTABLES=m
grep NF_NAT /usr/src/linux/.config
CONFIG_NF_NAT=m
CONFIG_NF_NAT_NEEDED=y
|
Load up your modules
Code: |
modprobe kvm
modprobe kvm-intel
modprobe tun
|
make yourself a virtual hub
Code: |
# runs in the foreground until Ctrl+C (add -daemon to background it); --mod 777 makes the control socket world-writable, so any local user can plug into this switch
vde_switch --numports 4 --hub --mod 777 --group users --tap tap0
|
configure your tap interface
Code: |
ifconfig tap0 10.1.1.1 broadcast 10.1.1.255 netmask 255.255.255.0
ifconfig tap0 up
|
If these vms should talk to the outside world then you'll be forwarding packets:
Code: |
echo "1" > /proc/sys/net/ipv4/ip_forward
|
and you'll need iptables NAT:
Code: |
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
|
I'll assume you want to control IP space on your switch with dnsmasq:
Code: |
emerge -av dnsmasq
# lease pool starts at .2: 10.1.1.1 is tap0's own address and must not be handed to a guest
dnsmasq --log-queries --dhcp-range=10.1.1.2,10.1.1.20,255.255.255.0,2h --interface=tap0 --domain=kvm.lan
|
Last, but not least, start up a bootable CD in your new virtual ethernet environment:
Code: |
# -net vde is selected by sock= (the switch's control directory; /var/run/vde.ctl is vde_switch's default when run as root); ifname= and script= are tap-backend options and have no effect here
kvm -net nic,vlan=0,macaddr=52:54:00:00:EE:03 -net vde,vlan=0,sock=/var/run/vde.ctl -m 256 -localtime -cdrom SomeCDrom.iso
|
You can spy on the hub/switch from a new session with tcpdump. If you can ping something, then your NAT and routes are working.
Wiki version of this same cruft: http://en.gentoo-wiki.com/wiki/KVMwithVDE
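An added example, not from jbryner's post or the wiki page: the same private 10.1.1.0/24 hub as one script, with the changes a careful admin would make to the steps above. The switch is started with -daemon (otherwise vde_switch holds the terminal until Ctrl+C), the control socket is mode 770 for one group instead of 777, the FORWARD chain defaults to DROP and only lets the tap subnet out through the WAN interface, the DHCP pool starts at .2 so no guest can be leased the host's own .1, and the guest is attached with sock= rather than ifname=. The interface names eth0/tap0, the group name kvm, the control directory /var/run/vde.ctl and the guest MAC are assumptions; DRY_RUN=1 prints the privileged commands instead of running them so the script can be reviewed as an ordinary user.

```shell
#!/bin/sh
# Added example: a private VDE hub with NAT, as one reviewable script.
# Assumptions: WAN interface eth0, tap0, group "kvm", vde_switch's default
# control directory /var/run/vde.ctl, the guest MAC below.
# Usage (as root): ./vde-hub.sh up [cdrom.iso]    DRY_RUN=1 prints instead of runs.
set -eu

WAN_IF=${WAN_IF:-eth0}
TAP_IF=${TAP_IF:-tap0}
VDE_SOCK=${VDE_SOCK:-/var/run/vde.ctl}
VDE_GROUP=${VDE_GROUP:-kvm}
GW=10.1.1.1
NET=10.1.1.0/24
DHCP_FIRST=10.1.1.2
DHCP_LAST=10.1.1.20

# run CMD...: execute, or print the command when DRY_RUN=1.
run() {
  if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# ip2int A.B.C.D: dotted quad to an integer so address ranges can be compared.
ip2int() {
  local IFS=.
  set -- $1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# check_dhcp_range GW FIRST LAST: succeed only if the gateway lies outside the
# pool. The original dnsmasq line started the pool at 10.1.1.1, tap0's own
# address, so a guest could have been leased the host's IP.
check_dhcp_range() {
  local g f l
  g=$(ip2int "$1"); f=$(ip2int "$2"); l=$(ip2int "$3")
  [ "$f" -le "$l" ] || return 1
  [ "$g" -lt "$f" ] || [ "$g" -gt "$l" ]
}

start_switch() {
  # -daemon: background the switch. --mod 770 --group: only that group can
  # attach a guest; 777 would let any local user plug into the switch.
  run vde_switch --numports 8 --hub --sock "$VDE_SOCK" --mod 770 --group "$VDE_GROUP" --tap "$TAP_IF" -daemon
  run ip addr add "$GW/24" brd + dev "$TAP_IF"
  run ip link set "$TAP_IF" up
}

firewall() {
  run sysctl -w net.ipv4.ip_forward=1
  # Default-deny: guests may open connections out through the WAN interface,
  # only replies come back in, nothing else is forwarded.
  run iptables -P FORWARD DROP
  run iptables -A FORWARD -m conntrack --ctstate INVALID -j DROP
  run iptables -A FORWARD -i "$TAP_IF" -o "$WAN_IF" -s "$NET" -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
  run iptables -A FORWARD -i "$WAN_IF" -o "$TAP_IF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  run iptables -t nat -A POSTROUTING -s "$NET" -o "$WAN_IF" -j MASQUERADE
}

dhcp() {
  check_dhcp_range "$GW" "$DHCP_FIRST" "$DHCP_LAST" || { echo "gateway $GW lies inside the DHCP pool" >&2; return 1; }
  # --bind-interfaces keeps dnsmasq off every interface except the tap.
  run dnsmasq --interface="$TAP_IF" --bind-interfaces --except-interface=lo \
    --dhcp-range="$DHCP_FIRST,$DHCP_LAST,255.255.255.0,2h" --domain=kvm.lan
}

# guest ISO: boot a CD on the hub. The vde backend is chosen by sock= (ifname=
# and script= belong to the tap backend); 52:54:00 is QEMU's locally administered prefix.
guest() {
  run kvm -m 256 -localtime -cdrom "$1" \
    -net nic,vlan=0,macaddr=52:54:00:00:EE:03 \
    -net vde,vlan=0,sock="$VDE_SOCK"
}

case "${1:-}" in
  up) start_switch; firewall; dhcp; guest "${2:-SomeCDrom.iso}" ;;
esac
```

Run it once with DRY_RUN=1 ./vde-hub.sh up to read the exact iptables and dnsmasq lines it will apply, then as root without DRY_RUN. Because the FORWARD policy is DROP, a second hub on another tap gets no path to this one unless you add a rule for it, which is the "tightly control who talks to whom" part of using vde.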
vaxbrat l33t
Joined: 05 Oct 2005 Posts: 731 Location: DC Burbs
Posted: Fri May 01, 2009 4:03 am Post subject: We must be in sync somehow
I just updated the kvm section on the gentoo wiki with a writeup on using transparent tuntap bridging to provide a "virtual hub".
jbryner n00b
Joined: 03 Sep 2004 Posts: 47 Location: pdx
Posted: Fri May 01, 2009 5:23 pm Post subject: great minds
Apparently great minds think alike!
opotonil l33t
Joined: 17 Jun 2005 Posts: 801 Location: 127.0.0.1
Posted: Sat Jan 16, 2010 1:10 pm
Example VDE bridge with VLANs. Host with only one interface on VLAN0 (untagged).
Network configuration (/etc/conf.d/net)
Code: |
config_eth0=( "null" )
tuntap_tap0="tap"
config_tap0=( "null" )
RC_NEED_br0="net.eth0 net.tap0"
bridge_br0="eth0 tap0"
config_br0=( "192.168.100.2/24 brd 192.168.100.255")
routes_br0=( "default via 192.168.100.1" )
|
VDE configuration (/etc/conf.d/vde):
Code: |
VDE_MODPROBE_TUN="no"
VDE_TAP="tap0"
VDE_SOCK_CHMOD="770"
VDE_SOCK_CHOWN=":kvm"
|
VDE switch configuration: port 2 on VLAN0, ports 3, 4, 5 and 6 on VLAN1 (tagged). "/etc/init.d/vde start" loads this config (/etc/vde2/vde_switch.rc):
Code: |
vlan/create 1
vlan/addport 1 1
port/create 2
port/allocatable 2 1
port/create 3
port/allocatable 3 1
port/setvlan 3 1
port/create 4
port/allocatable 4 1
port/setvlan 4 1
port/create 5
port/allocatable 5 1
port/setvlan 5 1
port/create 6
port/allocatable 6 1
port/setvlan 6 1
|
iptables forwarding:
Code: |
iptables -P FORWARD DROP
iptables -A FORWARD -m state --state INVALID -j DROP
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -o lo -j ACCEPT
iptables -A FORWARD -i br0 -o br0 -j ACCEPT
|
KVM script to start a VM on port 3, VLAN1:
Code: |
#!/bin/bash
qemu -name base -daemonize -vnc 192.168.100.2:1 \
-monitor unix:/var/run/kvm/base.sock,server,nowait \
-m 1024 -localtime -k es -usb -usbdevice tablet \
-drive file=/dev/mapper/vg-kvm--base,index=0,media=disk,if=virtio,boot=on \
-net nic,macaddr=52:54:10:09:34:58,model=virtio \
-net vde,sock=/var/run/vde.ctl,port=3
|
Sorry for my English, bye.
disperato Tux's lil' helper
Joined: 27 Apr 2004 Posts: 120
Posted: Wed Feb 17, 2010 12:18 am Post subject: Re: [HOWTO] kvm with vde instead of bridging
Sorry for reviving an old thread, but I'm doing this so as not to pollute the forum with the same questions on known topics.
Well, I need a virtual switch (oops... hub) to make my kvm machines connect to the internet, but when I run this command:
Code: |
vde_switch --numports 4 --hub --mod 777 --group users --tap tap0
|
it stays there indefinitely until I press Ctrl+C. Obviously I followed the steps before it. Any hint? Is this behaviour normal?
Not only that:
Code: |
clark@pc ~ $ kvm -net vde,ifname=tap0,vlan=0 -net nic,vlan=0,macaddr=52:54:00:00:EE:03,script=no,downscript=no -m 256 -localtime -cdrom myvm/iso_images/systemrescuecd-x86-1.3.1.iso
Invalid -net type 'vde'
|
Please help, I'm lost.
disperato Tux's lil' helper
Joined: 27 Apr 2004 Posts: 120
Posted: Wed Feb 17, 2010 1:16 am
OK, my fault.
I realized that app-emulation/qemu-kvm had to be emerged with the vde USE flag, and that dnsmasq was best compiled with the dhcp USE flag.
guid0 Guru
Joined: 06 Jul 2003 Posts: 370 Location: The Netherlands / Nederland
Posted: Thu Sep 08, 2011 9:15 am
Hi, this seems like a good thread for a KVM - VDE - VLAN question.
I have KVM working nicely and the virtual machines boot fine. However, for some reason the VDE switch is not picking up the VLAN config.
Below is my config:
/etc/conf.d/vde
Code: |
# load the tun module
VDE_MODPROBE_TUN="no"
# virtual tap networking device to be used for vde
VDE_TAP="tap0"
# mode and group for the socket
VDE_SOCK_CHMOD="770"
VDE_SOCK_CHOWN=":kvm"
# This is the actual options string passed to VDE. Change this at your own risk.
VDE_OPTS="--numports 40 --group kvm -tap ${VDE_TAP} -mgmt /var/run/vde.ctl/ctl.mgmt -daemon"
|
/etc/vde2/vde_switch.rc
Code: |
vlan/create 1
vlan/create 2
vlan/create 3
vlan/create 4
vlan/create 5
port/create 1
vlan/addport 1 1
port/setvlan 1 1
port/create 2
port/setvlan 2 1
port/create 3
port/setvlan 3 1
port/create 4
port/setvlan 4 1
port/create 5
port/setvlan 5 1
port/create 6
port/setvlan 6 1
port/create 7
port/setvlan 7 1
port/create 8
port/setvlan 8 1
port/create 9
port/setvlan 9 1
port/create 10
port/setvlan 10 1
port/create 11
port/setvlan 11 1
port/create 12
port/setvlan 12 1
port/create 13
port/setvlan 13 1
port/create 14
port/setvlan 14 1
port/create 15
port/setvlan 15 1
port/create 16
port/setvlan 16 1
port/create 17
port/setvlan 17 2
port/create 18
port/setvlan 18 2
port/create 19
port/setvlan 19 2
port/create 20
port/setvlan 20 2
port/create 21
port/setvlan 21 3
port/create 22
port/setvlan 22 3
port/create 23
port/setvlan 23 3
port/create 24
port/setvlan 24 3
port/create 25
port/setvlan 25 4
port/create 26
port/setvlan 26 4
port/create 27
port/setvlan 27 5
port/sethub 27 0
port/create 28
port/setvlan 28 5
port/sethub 28 0
port/create 29
port/setvlan 29 5
port/sethub 29 0
|
I start my virtual machines in the following way:
Code: |
# note: 0b:ad:c0:ff:ee:71 has the group bit (low bit of the first octet) set, so it is a multicast address rather than a valid unicast source MAC
cd /var/virtual/guests/zb1 && kvm -smp 1 -net vde,vlan=5 -net nic,vlan=5,model=e1000,macaddr=0b:ad:c0:ff:ee:71 zb1.img -m 384 -cdrom /var/virtual/iso/SL.56.061711.DVD.x86_64.disc1.iso -boot c -vnc :71,password -monitor stdio
|
where I expect this machine to bind its NIC to VLAN #5.
However, this does not seem to be the case, as VDE just generates a new port (#30) and assigns it to VLAN #0:
Code: |
unixterm /var/run/vde.ctl/ctl.mgmt
VDE switch V.2.3.1
(C) Virtual Square Team (coord. R. Davoli) 2005,2006,2007 - GPLv2
vde$ vlan/allprint
0000 DATA END WITH '.'
VLAN 0000
-- Port 0030 tagged=0 active=1 status=Forwarding
VLAN 0001
-- Port 0001 tagged=0 active=1 status=Forwarding
-- Port 0002 tagged=0 active=0 status=Learning
-- Port 0003 tagged=0 active=0 status=Learning
-- Port 0004 tagged=0 active=0 status=Learning
-- Port 0005 tagged=0 active=0 status=Learning
-- Port 0006 tagged=0 active=0 status=Learning
-- Port 0007 tagged=0 active=0 status=Learning
-- Port 0008 tagged=0 active=0 status=Learning
-- Port 0009 tagged=0 active=0 status=Learning
-- Port 0010 tagged=0 active=0 status=Learning
-- Port 0011 tagged=0 active=0 status=Learning
-- Port 0012 tagged=0 active=0 status=Learning
-- Port 0013 tagged=0 active=0 status=Learning
-- Port 0014 tagged=0 active=0 status=Learning
-- Port 0015 tagged=0 active=0 status=Learning
-- Port 0016 tagged=0 active=0 status=Learning
VLAN 0002
-- Port 0017 tagged=0 active=0 status=Learning
-- Port 0018 tagged=0 active=0 status=Learning
-- Port 0019 tagged=0 active=0 status=Learning
-- Port 0020 tagged=0 active=0 status=Learning
VLAN 0003
-- Port 0021 tagged=0 active=0 status=Learning
-- Port 0022 tagged=0 active=0 status=Learning
-- Port 0023 tagged=0 active=0 status=Learning
-- Port 0024 tagged=0 active=0 status=Learning
VLAN 0004
-- Port 0025 tagged=0 active=0 status=Learning
-- Port 0026 tagged=0 active=0 status=Learning
VLAN 0005
-- Port 0027 tagged=0 active=0 status=Learning
-- Port 0028 tagged=0 active=0 status=Learning
-- Port 0029 tagged=0 active=0 status=Learning
.
1000 Success
|
If someone can shed some light on what I might be doing wrong here, that would be great.
Tnx,
guid0
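An added example, not part of any post in this thread: a small shell check for the two VLAN setups above (opotonil's port/setvlan layout and guid0's switch that put the guest on port 30). It parses the switch's own "vlan/allprint" report, the format quoted in guid0's post, and answers two questions a practitioner wants after launching a guest: which VDE VLAN a given port sits on, and which ports ended up on the default VLAN 0. The point it illustrates is that qemu's vlan= option numbers a hub inside qemu and does not select a VDE VLAN; the switch port, and so the VLAN set for that port in vde_switch.rc, is chosen with port=N in the -net vde option. Without port= the switch hands out a fresh port (30 above), created on VLAN 0. SAMPLE is a constructed excerpt in the same format as the quoted output; the control-socket path mentioned in the comments is an assumption.

```shell
#!/bin/sh
# Added example: verify which VDE VLAN a guest's switch port landed on, from
# the output of the management command "vlan/allprint".
# Usage: ./vde-vlan-check.sh demo      (or pipe live allprint output into the functions)

# Constructed excerpt of "vlan/allprint" output, same format as the real thing.
SAMPLE="0000 DATA END WITH '.'
VLAN 0000
-- Port 0030 tagged=0 active=1 status=Forwarding
VLAN 0001
-- Port 0001 tagged=0 active=1 status=Forwarding
-- Port 0002 tagged=0 active=0 status=Learning
VLAN 0005
-- Port 0027 tagged=0 active=0 status=Learning
-- Port 0028 tagged=0 active=0 status=Learning
.
1000 Success"

# port_vlan PORT: read allprint output on stdin and print the VLAN the port is
# an untagged member of; exit 1 if the port is not listed at all.
port_vlan() {
  awk -v want="$1" '
    /^VLAN [0-9]+/ { vlan = $2 + 0; next }
    /^-- Port [0-9]+/ && $3 + 0 == want + 0 && $4 == "tagged=0" { print vlan; found = 1; exit }
    END { if (!found) exit 1 }'
}

# ports_on_default_vlan: ports sitting on VLAN 0. When the pre-created ports are
# not allocatable, a guest attached without port= gets a fresh port here.
ports_on_default_vlan() {
  awk '
    /^VLAN [0-9]+/ { vlan = $2 + 0; next }
    /^-- Port [0-9]+/ && vlan == 0 { printf "%d\n", $3 }'
}

# expect_port_vlan PORT VLAN: post-launch check, 0 if PORT is on VLAN, else 1.
# Select the port on the guest's command line with -net vde,port=PORT; qemu's
# vlan= is an internal hub number and never picks a VDE VLAN.
expect_port_vlan() {
  got=$(port_vlan "$1") || { echo "port $1 is not on the switch" >&2; return 1; }
  [ "$got" -eq "$2" ] && return 0
  echo "port $1 is on VLAN $got, expected VLAN $2" >&2
  return 1
}

# Stand-alone demo against the constructed sample. Against a live switch, feed
# in the output of vlan/allprint from unixterm /var/run/vde.ctl/ctl.mgmt instead.
if [ "${1:-}" = demo ]; then
  echo "ports on default VLAN 0:"
  printf '%s\n' "$SAMPLE" | ports_on_default_vlan
  printf '%s\n' "$SAMPLE" | expect_port_vlan 27 5 && echo "port 27 is on VLAN 5 as configured"
  printf '%s\n' "$SAMPLE" | expect_port_vlan 30 5 || echo "port 30 was auto-created on VLAN 0"
fi
```

For the setup in guid0's post the fix this check points at is to start the guest with -net vde,sock=/var/run/vde.ctl,port=27 (one of the ports given port/setvlan 27 5 in vde_switch.rc) and then run expect_port_vlan 27 5 against the live allprint output; ports_on_default_vlan should come back empty once every guest is pinned to a pre-created port.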