Centos – KVM Isolated network between host and guest fails after few hours

centoskvm-virtualizationnetworking

I have a KVM CentOS host with several CentOS guests. All of the guests are using a bridge for network communication. The guests have been up and operational for several months and work properly. The guests can not communicate directly with the host due to the bridge based network configuration. As I understand this is normal. Source: Libvirt – macvtap

I now have a scenario where I want a guest to be able to communicate with the host for management purposes. Using the same article above from libvirt.org, I configured an "isolated" virtual network on the host:

<network connections='1'>
  <name>isolated</name>
  <uuid>xxxxx-xxxx-xxxxx-xxxxx-xxxxx</uuid>
  <bridge name='virbr1' stp='on' delay='0' />
  <mac address='xx:xx:xx:xx:xx:xx'/>
  <ip address='10.4.4.1' netmask='255.255.255.0'>
    <dhcp>
      <range start='10.4.4.2' end='10.4.4.6' />
    </dhcp>
    </ip>
</network>

Then I added a new network interface on the guest:

<interface type='network'>
  <mac address='xx:xx:xx:xx:xx:xx'/>
  <source network='isolated'/>
  <target dev='vnet13'/>
  <model type='virtio'/>
  <alias name='net1'/>
  <address type='pci' domain='0x0000' bus='0x00' slot='0x07' function='0x0'/>
</interface>

When I rebooted the guest, the guest received a new address from the host "isolated" network and everything seemed to be working great. Then a few hours later, the "isolated" network appeared to stop communicating. Restarting networking on the guest would not fix the problem. It appeared the dhcp clinet on the guest could not get an address, and I saw log records in /var/log/messages indicating such:

guest-host NetworkManager[684]: <warn> (eth1): DHCPv4 request timed out.

I reconfigured the isolated network on the host and the guest to be static. The host and guest still would not communicate.

I ended up shutting down the guest, deleting the guest "isolated" network interface, and adding a new interface on the guest for the "isolated" network. When I powered the guest back on, the network was working again. However, an hour later the network was not communicating again and it's failing to obtain a dhcp address. It would seem the issue is with the "isolated" network between the host and guest, and not a DHCP specific problem.

The bridge based network on all the hosts continues to work fine throughout this period.

Best Answer

Looks like I created this problem my self by restarting the firewall on my host, for other reasons. Libvirtd adds network filter rules to the firewall when libvirtd starts up. Restarting your firewall will remove these rules. You need to restart libvirtd if you restart your firewall.

Related Solutions

Linux – Jumbo frames between KVM guest and host

While this was an MTU problem, it turns out that it had nothing to do with the MTU settings on any of the component devices. As I showed in the original question, the host bridge, host tun interface, and guest interface all had the same MTU setting (9000 bytes).

The actual problem was a libvirt/kvm configuration issue. By default, libvirt does not use virtio devices. Absent an explicit configuration you end up with a RealTek RTL-8139 NIC. This virtual NIC does not support jumbo frames.

To use virtio devices, you need to specify an explicit model. When using virt-install:

virt-install ... -w bridge=br1,model=virtio

Or after the fact by adding a <model> tag to the appropriate <interface> element in the domain XML:

<interface type="bridge">
  <model type="virtio"/>
  <source bridge="br1"/>
  <target dev="vnet2"/>
</interface>

With this change in place, everything works as intended.

Kvm Guest Network Unreachable

Part of the problem was solved after a reboot. It maybe that following the advice here: http://wiki.libvirt.org/page/Networking helped fix the network interface.

I added these lines to /etc/sysctl.conf

net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-iptables = 0
net.bridge.bridge-nf-call-arptables = 0

I also changed my interface definition in /etc/network/interfaces to look like this:

auto  br0
iface br0 inet static
  address   176.9.xxx.xxx
  broadcast 176.9.xxx.xxx
  netmask   255.255.255.224
  gateway   176.9.xxx.xxx
  bridge_ports eth0
  bridge_fd 0 
  bridge_maxage 0
  bridge_stp off

After these 2 changes (that may or not have helped) and a reboot curl would no longer run into a timeout and "network unrechable" error, instead it produced a result from my local apache. It became clear that my own port-forwarding in iptables was to blame. I had not specified an incoming interface for the port-forwarding of ports 80 and 443. I added br0 and then everything worked fine.

Here are my iptables rules for the port forwarding. I am using this in combination with ufw as firewall, so I have these lines at the end of /etc/ufw/before.rules

This one is added to the filter table:

-I FORWARD -m state -d 192.168.100.0/24 --state NEW,RELATED,ESTABLISHED -j ACCEPT

And this is my nat table. The error was omitting the --in-interface parameter:

*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p tcp --dport 12345 -j DNAT --to 192.168.100.210:22
-A PREROUTING -p tcp --in-interface br0 --dport 80 -j DNAT --to 192.168.100.210:80
-A PREROUTING -p tcp --in-interface br0 --dport 443 -j DNAT --to 192.168.100.210:443
-A POSTROUTING -s 192.168.100.0/24 -j MASQUERADE
COMMIT

(Note: For some reason entering these same rules manually while ufw is disabled doesn't produce a working port-forwarding configuration.)

Best Answer

Related Solutions

Linux – Jumbo frames between KVM guest and host

Kvm Guest Network Unreachable

Related Topic