How do you setup KVM networking on a desktop or laptop
-
I am about to setup KVM on my desktop, and we also had someone ask recently about KVM on a laptop, so I thought I would make a thread about a part of the process. Networking.
In my case I am going to run a Windows instance and maybe some local test stuff, but I generally use my Hyper-V lab for testing.
Once KVM is installed creating the VM for my Windows instance came to the network question. I did not want things NAT or shared, I wanted this to work like it would in a full business KVM deployment.
So after a little reading, I believe I need to create a new bridge on my Korora 25 desktop.
Is this true?
Is this the best choice?
What should I do for networking if this is not the best choice? -
You could choose one of the 3
- Linux bridge
- Open vSwitch
- macvtap interface (simplest to set up but with less features, could be usefull on a desktop.)
I usually use the Linux Bridge since it provides the features I require and they are relatively simple to set up.
-
@Romo said in How do you setup KVM networking on a desktop or laptop:
I usually use the Linux Bridge since it provides the features I require and they are relatively simple to set up.
macvtap should provide better performance cause it is the evolution of Linux bridge, and I use Fedora Virt-Manager to setup this and connect to KVM
-
Would VyOS be a contender for networking, as both a VM and an internal switch/bridge?
-
@Romo That is what I was thinking also.
By default this is the list of options.
So I assume, I need to make a bridge first as I did not see any other settings.
-
@JaredBusch I don't have my Linux machine handy but I beleive in Virt-Manager, not in the VM settings but in Virt-Manager Settings there is a place where you can setup the bridge interfaces.
-
@msff-amman-Itofficer said in How do you setup KVM networking on a desktop or laptop:
@Romo said in How do you setup KVM networking on a desktop or laptop:
I usually use the Linux Bridge since it provides the features I require and they are relatively simple to set up.
macvtap should provide better performance cause it is the evolution of Linux bridge, and I use Fedora Virt-Manager to setup this and connect to KVM
macvtap gives a warning about host to guest communication.
and I have not yet read about the options here, as I have no idea what VEPA means.
-
@JaredBusch said in How do you setup KVM networking on a desktop or laptop:
@Romo That is what I was thinking also.
By default this is the list of options.
So I assume, I need to make a bridge first as I did not see any other settings.
Yes, you have create your bridge first so that it appears in virt-manager.
-
@Romo said in How do you setup KVM networking on a desktop or laptop:
@JaredBusch said in How do you setup KVM networking on a desktop or laptop:
@Romo That is what I was thinking also.
By default this is the list of options.
So I assume, I need to make a bridge first as I did not see any other settings.
Yes, you have create your bridge first so that it appears in virt-manager.
I realize that. and that is why the thread was created. to find out what other people do.
I went with the macvtap for now, but I want discussion on this.
Everyone please continue to give options.
-
-
MacVTap driver considerations
https://www.ibm.com/support/knowledgecenter/linuxonibm/liaag/wkvm/wkvm_c_net_conmac.htm
From purely a performance perspective, based on the workloads tested and the Linux and KVM levels measured, the MacVTap driver consistently demonstrated higher throughputs and better CPU efficiency.
The MacVTap driver provides exceptional transactional throughput and operations/sec results (up to 10-50%) better than either of the two software bridges. Additionally, throughput of MacVTap scales up with load more quickly compared to using a software bridge. This means that MacVTap is more CPU efficient, consuming less CPU resources to complete the same amount of work. Stated another way, MacVTap can do more work using the same amount of CPU resources.
Although MacVTap is the best performing, it suffers from a couple of issues that may limit the use cases where it would be a suitable choice.
The first limitation is that MacVTap can not readily enable network communication between the KVM host and any of the KVM guests using MacVTap.
-
This issue can be overcome in two different ways. The first way to avoid this limitation is to use a special hardware switch that supports hairpin mode to connect the IBM z Systems to the outside world. However, hairpin mode is not a common feature in most hardware switches and those switches that do have this feature tend to be significantly more expensive.
-
The second way to enable KVM host to guest communications is by having multiple network interfaces in the KVM host. Configure the second KVM host interface on the same segment with a different subnet from the first host interface. MacVTap only restricts traffic flow to the same subnet shared between host and guest. While this method works w/o purchasing additional costly hardware, it still requires that a second interface be available and appropriately configured in the KVM host and each KVM guest.
A second limitation of MacVTap is that it must attach to a physical host interface. MacVTap, unlike software bridges, provides no way to enable KVM guests to communicate without first being attached to a host interface which is active and externally facing. In other words, KVM guests using MacVTap will be external facing and exposed to external network traffic. This is not necessarily a bad thing. It just doesn't provide KVM host only isolation and connectivity for KVM guests that other choices allow.
-
-
Macvtap modes:
-
Virtual Ethernet Port Aggregator mode
In this mode, which is the default, data between endpoints on the same lower device are sent via the lower device (Ethernet card) to the physical switch the lower device is connected to. This mode requires that the switch supports ‘Reflective Relay’ mode, also known as ‘Hairpin’ mode. Reflective Relay means the switch can send back a frame on the same port it received it on -
Bridge mode
When the MacVTap device is in Bridge mode, the endpoints can communicate directly without sending the data out via the lower device. When using this mode, there is no need for the physical switch to support Reflective Relay mode. -
Private mode
In Private mode the nodes on the same MacVTap device can never talk to each other, regardless if the physical switch supports Reflective Relay mode or not. Use this mode when you want to isolate the virtual machines connected to the endpoints from each other, but not from the outside network.
-
-
@JaredBusch I run some production machines with macvtap/VEPA: they cannot talk with host or to each other but I'm too lazy and my env is small so it is ok.
I use this as:
- I do not need the VM to talk with the host via LAN
- everytime a VM has to talk to another VM I use internal virtual network to avoid virt2virt network traffic outside the host.
this also allows me to contact the host via the internal LAN (which should be there on 192.168.100.0/24)
[sorry details in Italian]
side note: what actually happens is than in a macvtap interface traffic can't re-enter the NIC: if you had 2 NICs, VMs on NIC1 can talk to other VMs or host via NIC2.
this should be ok for creating a bridge
-
@matteo-nunziati more accurate: VM can re-enter the host, the host can't re-enter in VMs. just double-checked.
-
I kind of have a mix. Most are macvtap over a bond and I just set up a private network between the host and VMs. I set reservations with libvirt for the VMs.
I have a couple with full bridge, but since I'm managing the systems from outside of the host, it really doesn't affect my workflow. The only thing that really changes is I use the private network for grabbing updates from my repo server. But if you are downloading updates and installing from the internet, this will make no difference to you.
-
@Romo said in How do you setup KVM networking on a desktop or laptop:
@JaredBusch said in How do you setup KVM networking on a desktop or laptop:
@Romo That is what I was thinking also.
By default this is the list of options.
So I assume, I need to make a bridge first as I did not see any other settings.
Yes, you have create your bridge first so that it appears in virt-manager.
Virt-manager can create a bridge for you, but you have to disable NetworkManager and use network instead. IIRC Birthday-manager has some issues with NetworkManager.
-
@stacksofplates said in How do you setup KVM networking on a desktop or laptop:
Birthday-manager
Hahahahahah
-
@JaredBusch said in How do you setup KVM networking on a desktop or laptop:
@stacksofplates said in How do you setup KVM networking on a desktop or laptop:
Birthday-manager
Hahahahahah
Idk how I missed that one hahaha.
-
Any further updates here?
What is the "cleanest" method available so vm's can "talk" to the host?
-
@FATeknollogee said in How do you setup KVM networking on a desktop or laptop:
Any further updates here?
What is the "cleanest" method available so vm's can "talk" to the host?
Bridge. But sometimes is messy with the wifi in my experience, so maybe is better to use ZeroTier for a testing environment.
