Kvm and virtual machine manager

Hello everyone

I am using KVM with a GUI tool called Virtual Machine Manager,

but for the network option, the only option that works is NAT. Other options like bridge, which I want,
do not work, meaning that I do not get any network connection if I choose anything except NAT.

So is there a better GUI tool, or do I have to configure something to make the bridge work?

thanks for your time and have a nice day :slight_smile:

Unverified guess: If you want to create bridge with libvirt, then host can’t use the NIC that the bridge enslaves.

That is why I define the bridge on the host, not in virtualization.

On your machine you have a NIC, “Ethernet connection” on that NIC, and IP address on the connection.

On my machine I have a NIC, “Ethernet connection” on that NIC with no address, a “Bridge connection”, and IP address of the host on that bridge. Then I can attach VM to the same bridge (with virtual machine manager).

I’ve set my network config with command-line tools (like nmcli). Not with GUI.
See man nmcli-examples for bridge setup.

1 Like

This is simple if you want to use a bridge network in KVM. The first step is to create a bridge network interface in the host OS. The second step is to attach your bridge network interface to the NIC: choose Network device: Bridge device, then Device name: your_bridge_network_if_hostOS. See my SS below.

2 Likes

Hello @jlehtone

yes i do :slight_smile:

will dive more into nmcli

thanks again and have a nice day :slight_smile:

thanks @afiadi and have a nice day :slight_smile:

1 Like

Okay, got it. You’re welcome :pray:

1 Like

FWIW, I still use the older network-scripts approach. This lets me create a bridge and do VLANs at the same time pretty easily.

So my main LAN bridge (VLAN10).

    $ cd /etc/sysconfig/network-scripts/
    $ cat ifcfg-br-lan
    TYPE=Bridge
    DEVICE=br-lan
    ONBOOT=yes
    BOOTPROTO=static
    DEFROUTE=yes
    IPV6INIT=yes
    IPV6_AUTOCONF=yes
    IPV6_DEFROUTE=yes
    IPV6_FAILURE_FATAL=no
    NAME=br-lan
    IPADDR=10.0.0.134
    NETMASK=255.255.255.0
    BROADCAST=10.0.0.255
    NETWORK=10.0.0.0
    GATEWAY=10.0.0.1

    $ cat ifcfg-enp1s0.10
    DEVICE=enp1s0.10
    TYPE=Ethernet
    ONBOOT=yes
    VLAN=yes
    NM_CONTROLLED="no"
    BRIDGE="br-lan"

I can do similar for guest/iot/temp VLANs. So it becomes pretty easy to add VMs to whatever network I want:

    $ brctl show
    bridge name     bridge id               STP enabled     interfaces
    br-guest        8000.0025222613c0       no              enp1s0.11
    br-iot          8000.0025222613c0       no              enp1s0.12
    br-lan          8000.0025222613c0       no              enp1s0.10
                                                            v-brains
                                                            v-hass
                                                            v-mercury7
                                                            v-monitor
                                                            v-plexserver
                                                            v-webssh8
    br-temp         8000.0025222613c0       no              enp1s0.13

I like naming the interfaces for my virtual machines so it’s easy to see what is what (in ifconfig/brctl/etc output)

e.g. in the XML file

    <interface type='bridge'>
      <mac address='52:54:00:01:44:62'/>
      <source bridge='br-lan'/>
      <target dev='v-mercury7'/>
      <model type='virtio'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/>
    </interface>
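
A way to audit the layout shown in the `brctl show` output above, as an added example that is not part of the original post: it parses `brctl show` output, including the continuation lines that list extra ports, and compares each port's bridge with an expected mapping. The policy file format, the `vnet3` interface and the sample data are assumptions constructed for the demonstration.

```shell
# Constructed sample in `brctl show` layout; vnet3 and v-hass on br-lan are made up.
sample_brctl() {
cat <<'EOF'
bridge name     bridge id               STP enabled     interfaces
br-guest        8000.0025222613c0       no              enp1s0.11
br-iot          8000.0025222613c0       no              enp1s0.12
br-lan          8000.0025222613c0       no              enp1s0.10
                                                        v-hass
                                                        v-mercury7
                                                        vnet3
br-temp         8000.0025222613c0       no              enp1s0.13
EOF
}
# Hypothetical policy format: "<port> <expected-bridge>" per line, "#" starts a comment.
sample_policy() {
cat <<'EOF'
# uplinks, then VM taps
enp1s0.10 br-lan
enp1s0.11 br-guest
enp1s0.12 br-iot
enp1s0.13 br-temp
v-mercury7 br-lan
v-hass br-iot
v-monitor br-lan
EOF
}
# stdin: `brctl show` output; stdout: one "<bridge> <port>" pair per line.
bridge_members() {
    awk '
        $1 == "bridge" && $2 == "name" { next }              # header row
        /^[ \t]/ { if (br != "" && NF) print br, $1; next }  # continuation line: another port
        NF >= 3  { br = $1; if (NF >= 4) print br, $4 }      # bridge row, first port if any
    '
}

# $1: policy file; stdin: `brctl show` output; stdout: sorted findings, empty if all match.
audit_bridges() {
    bridge_members | awk -v policy="$1" '
        BEGIN { while ((getline line < policy) > 0) if (split(line, f, " ") >= 2 && f[1] !~ /^#/) want[f[1]] = f[2] }
        { seen[$2] = 1
          if (!($2 in want))       print "UNLISTED", $2, "on", $1
          else if (want[$2] != $1) print "MISPLACED", $2, "on", $1, "expected", want[$2] }
        END { for (p in want) if (!(p in seen)) print "MISSING", p, "expected", want[p] }
    ' | sort
}

# Demo on the constructed data; on a real host: brctl show | audit_bridges /path/to/policy
policy_file=$(mktemp); sample_policy > "$policy_file"
sample_brctl | audit_bridges "$policy_file"; rm -f "$policy_file"
```

A port on the wrong bridge puts that VM on a different VLAN, so the MISPLACED and UNLISTED lines are the ones to review first.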

It is about the same amount of work, whether writing files, calling nmcli, or with some config management system … once you know what you are doing.
Red Hat does its best to remove the network-scripts approach, so learning it is least useful of the three.

This bit:

is obviously correct, but also redundant. Redundant can easily turn into error-prone. One will get the same result with:

    IPADDR=10.0.0.134
    PREFIX=24

The network-scripts or NetworkManager will compute the NETMASK, NETWORK, and BROADCAST from IPADDR and PREFIX.

The NIC–Bond–VLAN–Bridge–VM. Yes, that has uses.

One could even have a bridge that filters VLAN’s on its ports – without separate VLAN devices. One bridge to rule them all!
Alas, it was easier (for brain) to use the “old ways”.

In my case the VLANs are network wide ( Extending the wireless on my router · Ramblings of a Unix Geek ) including switches and routers. Looking at the diagram at the bottom of that blog post, my VM server sits off the basement switch on a tagged port. Since the host has to be VLAN aware (so it can be accessed!) it made sense just to extend that for the VMs.

I was referring to “VLAN filtering”: VLAN filter support on bridge | Red Hat Developer
(That Red Hat blog does not tell how to create persistent configuration for it; ip is just ad hoc for show.)

A VLAN is just a LAN with peculiar wires. That is, one can have multiple LANs on same wire; VLAN tags keep them separate. An “implementation detail”.

You (and I) want to attach a VM to a LAN (aka subnet) that also exists outside of the host. Bridging makes that possible. A bridge is a software version of a network switch. When we attach the host NIC to the bridge, we effectively plug the Ethernet cable into a “port” of the bridge.

If that cable carries tagged VLANs, then either the tagged packets reach the bridge, are filtered/detagged by port of that bridge, or we filter/detag with distinct “VLAN device”.

The “NAT” mode of libvirt/KVM is technically a bridge too. However, it is “disconnected”. A virtual network switch. It creates virtual NICs for the host and for each VM that is attached to the LAN that the bridge represents. With the “NAT” the host is a member of (at least) two LANs, one outside and one inside, and routes between these two subnets. Additionally, the host masquerades that routed traffic, hiding the existence of the virtual subnet from the outside subnet. The NAT is optional; one can have a routed setup without NAT, but that seems a rare setup.

There is a yet another software configuration for which I have no idea how to create config for: network namespaces. Linux kernel supports namespaces. Processes run in some namespace. Processes can be created / moved to different namespace. Each network namespace has independent network configuration. Mind-boggling.

thanks for both of you @sweh @jlehtone

I found a command line that gives something that looks like a DOS GUI;
the command is called nmtui

and have a nice day :slight_smile:

1 Like

The nmtui is curses-based. Earlier RHEL releases had plenty of curses-based configuration tools (in addition to CLI – command line interface tools).

Ncurses is a library/framework that creates those “dos gui” elements for a program. There is an implementation of ncurses for MS Windows too, so curses-based programs can be portably built for multiple platforms (although for a tool like nmtui that would be moot).

GUI has its merits. However, with CLI I can show (like below) what to do, while for GUI instructions one needs pictures – “click here, there, and oh my”.
These two commands define bridge directly on NIC (no VLANs) with values similar to what @sweh did show in ifcfg-files:

    nmcli con add type bridge con-name bridge-br-lan ifname br-lan bridge.stp no ipv4.method manual ipv4.addresses 10.0.0.134/24 ipv4.gateway 10.0.0.1
    nmcli con add type ethernet con-name br-port-lan ifname enp1s0 master bridge-br-lan

(These two commands assume that there are no conflicting connections defined. So, that ruins my “CLI is easy to explain”.)
Well, one more. Rather than creating that “br-port-lan” one could create VLAN:

    nmcli con add type vlan con-name vlan-10 dev enp1s0 id 10 connection.slave-type bridge connection.master bridge-br-lan

Yeah, I know about bridge VLAN filtering, but my link was meant to show that I wanted consistency across my environment.

OpenWRT uses the sub-interface addressing model for VLANs and creates a bridge for each, so being consistent (on the WAPs, on the router, on the VM host) means I can do “tcpdump -i br-guest” and just see guest traffic flowing through that node, no matter what node it is. Consistency really helps with laziness^Wmanagement :slight_smile:

In addition, virsh/kvm needs additional configuration, probably by hook scripts, to do vlan filtering on a single bridge, whereas just adding it to br-guest is “out of box” functionality. That also makes it easier to manage, and also reduces friction on upgrades.

Also I’m an old school unix geek (I started with SunOS 3 and SVr2). I’ve been using RedHat since RH4 (not RHEL4; RH4), if not earlier, and am a little stuck in my ways (hence the config files!) :rofl:

Namespaces are ways of segregating processes on the same machine (e.g. network, filesystem, process and more). They’re the core construct used by container systems (e.g. docker) to allow for a separation between containers while still sharing the same kernel. They’re typically used with cgroups to provide resource constraint limits. I think systemd uses namespaces for privatetmp.

2 Likes

I’m so young and reckless that I fell into charms of Ansible. It is files too and at least for me more consistent than direct edits. Some say that the lazy are more inventive and efficient …

I know that I was pointed to a PC that had Linux with “use this” in 1995, but what it had? An incident couple years later inspired a “user” to learn the tool. RH, yes, perhaps 5 or 6. Installed from floppies. Later, had to look after SGI IRIX, but that vanished.

Is RockyLinux your KVM host or another Distro? I personally installed RockyLinux to Bare-Metal, but I have installed it as a KVM VM on a Debian Host. So I’m not sure what version of KVM is available to Rocky.

On Debian, Bridge mode used to work on older Debian systems, but with Buster, Bookworm & Testing, if you set up a new VM, Bridge mode didn’t work anymore. Some setups with newer KVM versions changed & so it was no longer supported.

But if I set up “Macvtap” as the Network Device within the Virt-Manager, & I enter the correct device name for the NIC in the appropriate field, it works just like Bridge used to work.

I have Debian 10 and 11 so buster and bullseye in bridge mode. Works fine.

Rocky 8.5 is the host and the guest is RHEL 9 beta.

The first thing I tried was Macvtap, but it did not work for me; not sure if there is some restriction based on the driver or what.

I have only a laptop and tried that with the wifi; I did not try it with the LAN,

but will see if it would work with the LAN.

thanks for your help and have a nice day :slight_smile:

thanks @iwalker and have a nice day :slight_smile: