
Create virtual ethernet devices on Debian 9 stretch ?

Riffing on the recent thread, here's the one I thought that was, and
wanted it to be. Alas, twas not so, and thus the inordinately
difficult and challenging task of creating a new thread is weighty
upon my shoulders.  So this is it :)

Have done quite a bit of research over the last couple months,
there's a -lot- of tech, plenty of it "fairly new" too.

Some years back, I ran openvpn to connect a few computers "securely"
(for wild "I hope this works as I cross my fingers" values of
"securely").  I have some vague recollection of creating tap and tun

"Right now" my aim is to run virt-manager or qemu, with kvm
underneath, with a host-only virtual network to which I shall connect
two virtual machines, and the host machine, and run some nfs or samba
thing to share folders between all 3.

My requisite is to have a sense of full control over my virtual
networking - this means setup and tear down primarily via
/etc/network/interfaces unless some other mechanism were more highly
- this means not relying on say the virt-manager gui

However, I'd also like to learn how to use the virt-manager gui to
create a single "host-only virtual network" instance for a virtual
machine (or two :)

The reason I want to learn how to do this virtual host-only network
with virt-manager gui, is so I can teach others, most of whom are
really only comfortable with a gui.

The reason I must learn how to do this virtual host-only network via
/e/n/i is for skills transfer - so that when I must manage a remote
host or VM in the future, I can readily do what I need to do via an
SSH cmd line (i.e. text only) interface.

Here are the examples/ snippets I've gleaned in the last few months:

## temporary ssh vpn:
iface tun0 inet static
   pre-up sleep 3
   #up arp -sD eth0 pub # perhaps just do NAT, eg, on
   up iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
   up echo "1" > /proc/sys/net/ipv4/ip_forward
   down iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
   down echo "0" > /proc/sys/net/ipv4/ip_forward
# alternative routing:
   #up ip route add dev tun0 # this happens
   up ip route add dev tun0
   up ip route add dev tun0
   down ip route del
   down ip route del

# Simple case; man bridge-utils-interfaces(5)
# Bridge interface to make VMs bridge to specific networks
auto br0
iface br0 inet dhcp
   bridge-ports eth0
   bridge-ports ve0
   bridge-ports all # WARNING, bridges all ethernet interfaces!

# Not so simple; virtual switch with host as gateway
# See http://debian-handbook.info/browse/stable/sect.virtualization.html
# Virtual interface
auto tap0
iface tap0 inet manual
  vde2-switch -t tap0

# Bridge for containers
auto br0
iface br0 inet static
  bridge-ports tap0

# See http://wiki.debian.org/QEMU#Host_and_guests_on_same_network
auto br0
iface br0 inet dhcp
   pre-up ip tuntap add dev tap0 mode tap user <username>
   pre-up ip link set tap0 up
   bridge_ports all tap0
   bridge_stp off
   bridge_maxwait 0
   bridge_fd      0
   post-down ip link set tap0 down
   post-down ip tuntap del dev tap0 mode tap

# qemu/kvm host only or private/ internal network:
#  - it's a form of "bridge" network - apt-get install bridge-utils
#  - ho0 is the (random) name chosen for this bridge device,
#    e.g. "hostonly0" might be a better memory jog
#  - is the (random) host address for this network
auto ho0
iface ho0 inet static
   pre-up      brctl addbr ho0
   post-down   brctl delbr ho0

See also attached snippets file, with links and my initial notes
regarding differences of different virt networking systems.

AIUI I don't need any exotic networking to try to extract the last
few cycles of CPU performance, just functional, flexible, cmd-line/
text config style virtual networking to link a few virtual machines,
with an eye to remote admin of a host and/ or a few VMs.

Given so many options, and so many variations, I feel completely lost
at this point in time :(

Any suggestions as to which pathway/ program etc would be a
reasonably balanced pathway to follow, would be greatly appreciated.

   http://baturin.org/docs/iproute2/ -- ip cheat sheet
   e.g.: "Link is another name for network interface" (in ip command, e.g. ip link add ...)

   http://doger.io/ - comparison of virtual eth options !!!

   google openvswitch vde comparison

   http://blog.bofh.it/debian/id_379 - ip program does all iface config/add/del on Linux

   man vde_switch ...
   man ip-link
   vde openvswitch

   http://suhu.dlinkddns.com/Presentation/20150203/  --- this compares tun, tap, MacVLAN and MacVTap, and some perf comparo of ovs (openvswitch), vde2, raw host (ethernet phys device)

   libvirt-doc file:///usr/share/doc/libvirt-doc/index.html

   table of brctl and bridge command comparisons:

   http://www.microhowto.info/troubleshooting/troubleshooting_ethernet_bridging_on_linux.html - problem solving !
   https://www.iovisor.org/technology/xdp (eXpress Data Path) https://lwn.net/Articles/708087/ snabb https://lwn.net/Articles/713918/

network bridges:
   - are virtual ethernet devices
   - which connect other ethernet devices into a single LAN
   - each connected device connects using a "port" on the bridge
   - a bridge is a virtual hub or switch
   - the devices a bridge connects may be physical or virtual
   - topological loop is handled with optional STP, Spanning Tree Protocol
   - FDB, Forwarding DataBase, is the map of what packets go where, updated over time
   - A bridge is a way to connect two Ethernet segments together in a protocol independent way.
   - Packets are forwarded based on Ethernet address, rather than IP address (like a router).
   - Since forwarding is done at Layer 2, all protocols can go transparently through a bridge.
   - A Linux bridge is more powerful than a pure hardware bridge because it can also filter and shape traffic.
   - The combination of bridging and firewalling is done with the companion project ebtables.

brctl command - older, 2001
   - package: bridge-utils
   - create and delete ethernet bridges
   - config some STP params
   - some FDB control
   - replaces the old/ancient linux brcfg command

bridge command - newer, 2012
   - package: iproute2
   - operates on port level
   - full config of (Linux bridge) port parameters
   - "VLAN" management (some sort of LAN "tagging" apparently)
   - full FDB management

ip command - newer, 2012
   - ip: the modern ifconfig replacement
   - can also add and del bridges, e.g. ip link add ...

ebtables command - 2011
   - package: ebtables
   - man ebtables: set up and maintain the tables of rules (inside the Linux kernel) that
     inspect Ethernet frames.  It is analogous to the iptables application, but less
     complicated, due to the fact that the Ethernet protocol is much simpler than the IP

package: iproute2 - newer, 2012
   - commands: ip ss rtmon tc rtacct bridge arpd lnstat nstat routel routef rtstat ctstat

package: net-tools - older, 2001
   - commands: ifconfig / route
   - legacy commands
   - limited functionality


dual displays:
remote-viewer spice://myhost:3001
# not working properly on Debian 8/ Jessie
MUST RUN spice-vdagent ! (and obviously, install)

From: http://www.pocketnix.org/posts/Linux%20Networking%3A%20MAC%20VLANs%20and%20Virtual%20Ethernets
Virtual Ethernet Device

Virtual Ethernet device pairs are a pair of fake Ethernet devices that act as a pipe: traffic sent via one interface comes out the other. As these are Ethernet devices and not point to point devices you can handle broadcast traffic on these interfaces and use protocols other than IP.

They are most useful in conjunction with containers and are the main way to get traffic into and out of a container with a separate network namespace, where the host can then route the traffic or attach the interface to a bridge.


    Creating virtual networks between containers
    Providing a routed link for a container
    Providing an endpoint that can be bound to a bridge device for a container
    Emulating high latency internet links (see links section below)
    Emulate Networks in conjunction with bridges


To create a virtual ethernet pipe with one end called veth0 and the other called veth1, use the following command:

$ /sbin/ip li add veth0 type veth peer name veth1

You can also set values for either end of the link in the same command using the normal syntax for the left hand side link and by adding the values after the peer statement for the right hand side of the link.

The above command uses this to explicitly set the name of the right hand side of the link, which if not specified will be set to the same as the left hand side and fail with the following error:

Error: argument "peer" is wrong: "name" too long


    The pair of interfaces are identical and act as a dumb pipe, there is no master or slave end
    Deleting either end will cause both interfaces to be deleted
    The pair of interfaces implement carrier detection and can tell when one side of the link is in the 'DOWN' state. If the other link is in the 'DOWN' state it will indicate 'NO-CARRIER' until the other end is brought up
    If you wish to have the same interface name in both a guest container and the host, I would recommend using the following command: /sbin/ip li add veth0-master type veth peer name veth0 And then renaming the left hand side interface (veth0-master) to veth0 after executing the following command to place the network interface in the guest container: /sbin/ip li set veth0 netns <guest pid>


    Previous article that uses veth devices and network namespaces to emulate a high latency link

qemu/kvm networking: See https://help.ubuntu.com/community/KVM/Networking
man virsh # e.g.:
sudo virsh net-define znet0.xml
sudo virsh net-start znet0

see also https://unix.stackexchange.com/questions/52855/what-is-the-difference-between-virbr-and-vnet
   virbr0 is virtual bridge, vnet0 is virtual tap interfaces attached to e.g. qemu/kvm

run virt-manager as a user (not root) - add user to groups kvm and libvirt - but apparently
networking options might be significantly reduced... so run with sudo instead
See here: - https://ask.fedoraproject.org/en/question/45805/how-to-use-virt-manager-as-a-non-root-user/

virt-manager config files are under /etc/libvirt (when run as root)
virt-manager config files are under ~/.gconf/apps/virt-manager/ (when run as a user)

Debian KVM wiki: - https://wiki.debian.org/KVM - download virtio drivers from:
RedHat Windows virtio drivers for running on KVM (QEMU): - https://fedoraproject.org/wiki/Windows_Virtio_Drivers#Direct_download

Windows 10:
 - https://social.technet.microsoft.com/Forums/en-US/695c8997-52cf-4c30-a3f7-f26a40dc703a/failed-install-of-build-10041-in-the-kvm-virtual-machine-system-thread-exception-not-handled?forum=WinPreview2014Setup
   I get error when model of cpu my virtual machine is Sandy Bridge.
   Try this solution.
   Edit your virtual machine's xml-file. In <cpu> section set
   <model fallback='allow'>Nehalem</model>.

   I've found that with Nehalem chips you have to tell kvm to report them as core2duo or you
   get this error. Ran into this problem with e5430, e5540, and e5640, all worked fine after
   changing to core2duo.

   Also had one machine that I had to add the following to the features list for Windows to
   not crash constantly:
      <relaxed state='on'/>

* Windows guest:

# vim: wrap
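
The /etc/network/interfaces snippets in the post range from a bare host-only bridge to stanzas that enslave every NIC or turn the host into a NAT router. As an added example (not part of the original post or its attachment), this audit flags the settings that break host-only isolation; the NIC name prefixes, the `bridge_ports none` sample stanza and the 192.0.2.1 address are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit an interfaces(5) file for settings that break
# host-only isolation. One "iface: finding" line per problem; status 1 if any.
audit_interfaces() {
    awk '
    function report(ifc, msg) { print ifc ": " msg; bad = 1 }
    # Drop comments (including trailing ones) and blank lines.
    { sub(/#.*/, ""); if ($0 ~ /^[ \t]*$/) next }
    $1 == "iface" { cur = $2; next }
    # bridge-ports / bridge_ports: "all" or a NIC name attaches real hardware.
    $1 ~ /^bridge[-_]ports$/ {
        for (i = 2; i <= NF; i++) {
            if ($i == "all")
                report(cur, "bridge-ports all enslaves every ethernet interface")
            else if ($i ~ /^(eth|en|wl)/)   # heuristic NIC prefixes (assumption)
                report(cur, "physical port " $i " attached to bridge")
        }
        next
    }
    /ip_forward/ && /(echo +"?1|=1)/ { report(cur, "enables IPv4 forwarding") }
    /MASQUERADE/ && / -A /           { report(cur, "adds NAT masquerade rule") }
    END { exit bad + 0 }
    ' "$1"
}

# Constructed sample input; 192.0.2.1 is a documentation placeholder address.
sample=$(mktemp)
cat > "$sample" <<'EOF'
auto br0
iface br0 inet dhcp
   bridge-ports all # WARNING, bridges all ethernet interfaces!
   up echo "1" > /proc/sys/net/ipv4/ip_forward
   up iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
   down iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

auto ho0
iface ho0 inet static
   address 192.0.2.1
   netmask 255.255.255.0
   bridge_ports none
   bridge_stp off
EOF

audit_interfaces "$sample" || echo "findings above: not a host-only setup"
```

Run it against the real file with `audit_interfaces /etc/network/interfaces`; a bridge meant to be host-only should produce no findings.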