Re: [Qemu-discuss] use veth device with qemu

qemu-discuss

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Qemu-discuss] use veth device with qemu

From:	Vlad Yasevich
Subject:	Re: [Qemu-discuss] use veth device with qemu
Date:	Tue, 29 Sep 2015 12:56:51 -0400
User-agent:	Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.7.0

On 09/26/2015 04:44 AM, Corin Langosch wrote:
> Hi guys,
> 
> I'd the like to run each qemu in its own netns, while still giving it full/ 
> transparent network access. I can connect
> qemu to the network by creating another bridge inside the guest netns with 
> the veth peer and qemu tap device like this:
> 
> ip link add qemu1-h type veth peer name qemu1-g
> brctl addif br0 qemu1-h
> ip netns add qemu1
> ip link set qemu1-g netns qemu1
> ip netns exec qemu1 brctl addbr br0
> ip netns exec qemu1 brctl addif br0 qemu1-g
> ip netns exec qemu1 ip tuntap add tap0 mode tap
> ip netns exec qemu1 brctl addif br0 tap0
> 
> ip netns exec qemu1 /opt/qemu/current/bin/qemu-system-x86_64 -enable-kvm -m 
> 1024 -netdev
> tap,id=netdev1,ifname=tap0,script=,downscript= -device 
> virtio-net-pci,id=nic1,addr=0x0a,mac=02:d6:c0:2c:ab:a1,netdev=netdev1
> 
> It works, but is there an easier (probably also more performant) solution to 
> this? One without having to create another
> bridge in each qemu netns and somehow use the veth peer with qemu directly?

No, you can't give a veth directly to a qemu, but you might be able to use a
macvtap device on top of a veth and give that macvtap device to qemu
instead.

This way you don't necessary have to crate a bridge and if you use libvirt 
inside
the netns, it will create the macvtap devices for you.

As for manual steps,  they might look like this:
# ip link add qemu1-h type veth peer name qemu1-g
# ip link set qemu1-g netns qemu1
# ip netns exec qemu1 ip link add link qemu1-g type macvtap mode vepa
# ip netns exec qemu1 ip link set macvtap0 up

To pass macvtap to qemu, look at /dev/tapX device and redirect it to qemu.

For example:

# ip netns exec qemu1 /opt/qemu/current/bin/qemu-system-x86_64 -enable-kvm \
-m 1024 -netdev tap,id=netdev1,vhost=on,fd=6 6<>/dev/tap6 \
-device virtio-net-pci,id=nic1,addr=0x0a,mac=02:d6:c0:2c:ab:a1,netdev=netdev1

-vlad

> 
> Background information: I'm running many qemu guests with each guest having 
> its own tap device on the host for
> networking. For firewalling of the guests I use iptables on the host with 
> connection tracking enabled (I cannot do the
> firewalling inside the guests). However a single (very busy) guest can 
> overflow the conntrack table on the host. As this
> table is shared among all guests (and the host) this can render the whole 
> host/ guests unreachable because the host
> starts dropping packets/ connections. I hope (anybody knows?) conntrack is 
> using separate data structures for each netns
> and so putting each guest in its own netns would prevent overflowing 
> conntrack on the host/ other guests.
> 
> Other suggestions to this problem are welcome.
> 
> Cheers
> Corin
>

[Prev in Thread]

Current Thread

[Next in Thread]

Re: [Qemu-discuss] use veth device with qemu, Vlad Yasevich <=

Prev by Date: [Qemu-discuss] "-net udp,..." not working on QEMU 2.0.0 ?
Next by Date: Re: [Qemu-discuss] "-net udp,..." not working on QEMU 2.0.0 ?
Previous by thread: [Qemu-discuss] "-net udp,..." not working on QEMU 2.0.0 ?
Next by thread: Re: [Qemu-discuss] "-net udp,..." not working on QEMU 2.0.0 ?
Index(es):
- Date
- Thread