The default networking configuration for QEMU sets up a pure userspace network stack, using the SLIRP protocol for outbound TCP traffic to the host. This does not, however, allow for UDP traffic or any incoming TCP connections. While QEMU does provide an alternative bridged networking mode which uses a TAP device, this has the disadvantage that a separate TAP device is needed for each VM, along with allowing users to run a setup script via sudo.
Fortunately there is a 3rd way to connect VMs to the host network which avoids the problems described for plain TAP devices. This approach uses the VDE software package (an acronym for Virtual Distributed Ethernet) to provide a virtual network switch to which all VMs to connect. This network switch is then also connected to a single TAP device. Since there is only one pre-configured TAP device, no sudo privileges are required for launching new VMs. A little IPTables trickery allows for network traffic between the TAP device and the primary host network interface, and dnsmasq can be used to provide DHCP and DNS services on the virtual network.
The latest version of QEMU-Manager now has support for setting up such a bridged network, and thus has 3 new package dependancies:
So, having run 'yum update' to pull these updated packages down from the OLPC software repository, the next step is to configure virtual network switch. Eventually the 'system-config-qemu' tool will support this, however, currently there is a bug causing it to hang when saving the config, so don't use that just yet.
The master configuration file is /etc/sysconfig/qemu-network. In this file there are 3 sets of options to configure. The first set determine the IP, network, netmask and broadcast addresses for the TAP device. Obviously, if the 10.20.0.0 address range is already used by your local LAN, then this should be changed to an alternate address space, otherwise just leave it as is. The default settings are:
VLAN_IPADDR=10.20.0.1 VLAN_NETMASK=255.255.255.0 VLAN_NETWORK=10.20.0.0 VLAN_BROADCAST=10.20.0.255
The second set of options specify the IP address range for the DHCP server to hand out to clients. This is typically some subset of the address space on the network configured above. If you don't want DHCP at all, then it can be disabled too. The default settings provide for a DHCP address space of 100 IPs:
DHCPD_ENABLE=yes DHCPD_START_ADDR=10.20.0.100 DHCPD_END_ADDR=10.20.0.200
The final set of options determine whether the network should be bridged to the host network interface. If one wants a completely isolated network then turn off the forwarding option. If one is using NetworkManager, then the device can be left on 'auto'. In this scenario, whenever NetworkManager switches between devices (eth0 / ath0 / etc), then the NetworkManager dispatcher will run a script to update the IPTables rules accordingly. NB, don't forget to 'chkconfig NetworkManagerDispatcher on' and also start it with 'service NetworkManagerDispatcher start'. If not using network manager, then an explicit device name can be listed instead of 'auto'.
FORWARD_ENABLE=yes FORWARD_DEVICE=auto
After setting all these options to their desired values, the virtual network switch / dns / dhcp services can be started by running the command 'service qemu-network start' (running 'chkconfig qemu-network on' will make this permanent across reboots). If you are using 'auto' for setting up forwarding, then you'll need to restart network manager for it to take effect (or manually fake a NetworkManager dispatcher event for your active interface by running the action script directly like '/etc/NetworkManager/dispatcher.d/qemu-network ath0 up'
Now, you should verify everything is working by running the following commands as root
# iptables -L FORWARD -n -v
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- qemu * 10.20.0.0/24 0.0.0.0/0
# iptables -t nat -L POSTROUTING -n -v
Chain POSTROUTING (policy ACCEPT 21 packets, 1693 bytes)
pkts bytes target prot opt in out source destination
0 0 MASQUERADE all -- * ath0 10.20.0.0/24 0.0.0.0/0
# ifconfig qemu
qemu Link encap:Ethernet HWaddr 1E:46:15:4E:3B:AE
inet addr:10.20.0.1 Bcast:10.20.0.255 Mask:255.255.255.0
inet6 addr: fe80::1c46:15ff:fe4e:3bae/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:1 errors:0 dropped:0 overruns:0 frame:0
TX packets:19 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:500
RX bytes:53 (53.0 b) TX bytes:1804 (1.7 KiB)
# ls -l /var/run/vde_switch/ctl
srwxrwxr-x 1 root qemu 0 Mar 1 13:32 /var/run/vde_switch/ctl
Notice the group ownership on that socket in that last command. Any user which needs to access the network bridge will thus have to be a member of the QEMU group.
Now to configure a virtual machine to use the network bridge, launch "Applications -> Programming -> Virtual machine emulator", navigate to the ethernet device, and switch the network mode to the 'Bridged to host' option.
Last updated on Wednesday, Mar 1, 2006