Configuring qemu-kvm for bridged networking
We want qemu-kvm to use bridged networking, and we want a normal user to be able to start virtual machines that use these bridged interfaces.
Several steps are involved in making this happen:
- Set up qemu-kvm for bridging
- Configure everything so that a normal user has the proper access
- Configure the network interfaces
- Configure all necessary modules
Doing the Work
- Open a terminal and become root.
su --login root
- We want to use the Linux Ethernet bridge, so we need to install the bridge-utils package, which contains the utilities to configure bridging. tunctl is needed to set up and maintain persistent tun/tap network interfaces. Execute the following, and answer yes to install the packages and any necessary dependencies.
yum install bridge-utils tunctl libvirt qemu-kvm
- NetworkManager can't deal with bridged interfaces. We need to turn it off and disable it, then enable the regular network service.
- Disable NetworkManager.
systemctl stop NetworkManager.service
systemctl disable NetworkManager.service
- Enable the network service.
chkconfig network on
- Add a new bridge. Substitute br0 with whatever name you want for the bridge.
brctl addbr br0
- We need to create a script for the bridge interface. Inside /etc/sysconfig/network-scripts, create a file called ifcfg-br0 with the following contents. Change DEVICE if you aren't going to use br0 as the name of your bridge.
# Networking Interface
DEVICE=br0
ONBOOT=yes
BOOTPROTO=dhcp
TYPE=Bridge
USERCTL=yes
NM_CONTROLLED=no
IPV6INIT=no
NAME="bridge"
PEERNTP=yes
- You will need to find out the name of your current network interface and the MAC address of your network card. To get all of this information, execute ifconfig. The output includes a line like this:
eth0 Link encap:Ethernet HWaddr 00:12:34:56:78:90
- The first item there, eth0, is the device name of your interface. The value after HWaddr is your MAC address.
- In /etc/sysconfig/network-scripts, create another file called ifcfg-<your device> with the following contents. Put the MAC address in this file. If your bridge is not called br0, substitute br0 with the correct name. From the example above, the file should be called ifcfg-eth0.
DEVICE=<your device>
HWADDR=<your mac address, ifconfig to get this>
NAME="<your device>"
NM_CONTROLLED=no
ONBOOT=yes
USERCTL=no
BRIDGE=br0
- Running programs as root is generally a bad idea, so we need to set things up so that your regular user account can run qemu. The network bridge and the tap device both need to be up and running before you can run qemu. Add the following to /etc/rc.d/rc.local to configure the tap interface and bring it up. Make sure you put YOUR USERNAME in where it says <your username>; for example, if your username is fedora, put fedora there.
#substitute tap0, br0, username to whatever your information is
interface=tap0
bridge=br0
username="<your username>"
#add a tap interface owned by your user
tunctl -u "$username" -t "$interface"
#add this interface to the bridge
brctl addif "$bridge" "$interface"
#bring the interface up
ifconfig "$interface" up
- Add yourself to the kvm group. Make sure you put YOUR USERNAME in where it says <your username>.
usermod -a -G kvm <your username>
- iptables will prevent the guest OS from getting access to the network. More information about this issue can be found at https://bugzilla.redhat.com/show_bug.cgi?id=512206. Create a firewall rule to fix this. The rule inserts an ACCEPT at the top of the FORWARD chain for packets that are being bridged.
echo "-I FORWARD -m physdev --physdev-is-bridged -j ACCEPT" > /etc/sysconfig/iptables-forward-bridged
- Load the new rule.
- Restart the libvirtd daemon.
systemctl restart libvirtd.service
- Run the rc.local script to configure the tap interface and add it to the bridge.
- For good measure, and to make sure everything works like it should on subsequent reboots, restart your system.
- If you do not reboot your box, you'll need to bring up everything.
systemctl start network.service
- Make sure the bridge is up and has an IP address. Substitute br0 if you didn't use that name for the bridge.
- Make sure you have a tap0 interface.
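The checks at the end of the procedure (the bridge exists, tap0 exists) can be scripted by reading sysfs, which also lets you confirm that the tap device is owned by the intended regular user and is attached to the bridge. This is an added example, not part of the original page; check_tap_setup and SYSFS_ROOT are hypothetical names, and it assumes the kernel's usual sysfs layout (bridge/ and brif/ under a bridge device, owner under a tun/tap device).

```sh
#!/bin/sh
# Added example: verify the tap/bridge setup described on this page via sysfs.
# check_tap_setup and SYSFS_ROOT are hypothetical names; SYSFS_ROOT exists only
# so the check can be pointed at a constructed directory tree.

SYSFS_ROOT="${SYSFS_ROOT:-/sys}"

# Usage: check_tap_setup <bridge> <tap> <uid>
# Prints one line per problem; returns 0 only when every check passes.
check_tap_setup() {
    bridge=$1 tap=$2 want_uid=$3
    net="$SYSFS_ROOT/class/net"
    rc=0

    # A bridge device has a "bridge" subdirectory in sysfs.
    if [ ! -d "$net/$bridge/bridge" ]; then
        echo "FAIL: $bridge does not exist or is not a bridge"; rc=1
    fi

    # A tun/tap device exposes its owning uid in "owner" (-1 means no owner,
    # i.e. the device is not restricted to one user).
    if [ ! -r "$net/$tap/owner" ]; then
        echo "FAIL: $tap does not exist or is not a tun/tap device"; rc=1
    else
        owner=$(cat "$net/$tap/owner")
        if [ "$owner" != "$want_uid" ]; then
            echo "FAIL: $tap is owned by uid $owner, expected $want_uid"; rc=1
        fi
    fi

    # Each port of a bridge appears under <bridge>/brif/.
    if [ ! -e "$net/$bridge/brif/$tap" ]; then
        echo "FAIL: $tap is not a port of $bridge"; rc=1
    fi

    if [ "$rc" -eq 0 ]; then
        echo "OK: $tap is owned by uid $want_uid and attached to $bridge"
    fi
    return "$rc"
}

# Example call on a real host, as the regular user (not run here):
#   check_tap_setup br0 tap0 "$(id -u)"
```

A non-zero exit status with an owner mismatch means qemu-kvm run as your regular user will not be able to open the tap device.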
How to test
Start up a virtual machine with a network interface that is part of a bridge
- Start up a virtual machine.
qemu-kvm -hda <path to your image> -net nic -net tap,ifname=tap0,script=no,downscript=no
We test this stuff on our own machines, really we do. But you may run into problems; if you do, come to #fedora on irc.freenode.net.