eth0

The perfect setup, nearly

You installed your Linux server and naturally selected KVM (Kernel Virtual Machine) as hypervisor. Using virt-manager, you also created one or more guest VMs (Virtual Machines).

You want fast networking. So you use the paravirtualized virtio drivers for the guests.

You also want no difference between virtual and non-virtual machines. All should be able to talk over the same LAN, use the same subnet, contact the same DHCP server and talk with each other. So you use the Macvtap driver. Macvtap makes use of Macvlan, also written as MAC VLAN. MAC VLAN allows you to have multiple Ethernet MAC (Media Access Control) addresses on one NIC (Network Interface Card). Network traffic will go directly to and from the physical line to the guest VM. If you enable bridge mode, then all kind-of-virtual NICs attached to the same host (or physical NIC, I’m not sure) can see each other.

It’s just so much easier than having to create and manage traditional brctr bridges. And probably it performs better, too.

The problem: the host cannot talk with the guests

The guests can talk to each other. But the host is excluded from the social event. Look at the picture below. Guest 1 and guest 2 are connected using a red line; they are also connected with the eth0 physical NIC of the host. Packets delivered to eth0 will be sent to the network immediately. The hypervisor cannot intercept them.

macvtap_macvlan

Solution: create a macvlan interface on the host

If you create a macvlan interface on the host, and use that one instead of eth0, than the host can communicate with the guests. Some people don’t like this solution because of bad integration with the NetworkManager, but I like it because I don’t have to modify the guests. And I’m using only one host machine, so I can handle that with ease.

I have tested this solution myself on two different computers, both running Scientific Linux 6.4 (a RHEL derivative). So beware, YMMV.

What I did: I wrote a simple shell script that takes care of the creation of and routing to a macvlan interface on the host. So on the host, you have to run this script on startup, e.g. by adding the full path to the script in /etc/rc.local. Here is the script: 

#!/bin/bash

# let host and guests talk to each other over macvlan
# configures a macvlan interface on the hypervisor
# run this on the hypervisor (e.g. in /etc/rc.local)
# made for IPv4; need modification for IPv6
# meant for a simple network setup with only eth0,
# and a static (manual) ip config
# Evert Mouw, 2013

HWLINK=eth0
MACVLN=macvlan0
TESTHOST=www.google.com

# ------------
# wait for network availability
# ------------

while ! ping -q -c 1 $TESTHOST > /dev/null
do
    echo "$0: Cannot ping $TESTHOST, waiting another 5 secs..."
    sleep 5
done

# ------------
# get network config
# ------------

IP=$(ip address show dev $HWLINK | grep "inet " | awk '{print $2}')
NETWORK=$(ip -o route | grep $HWLINK | grep -v default | awk '{print $1}')
GATEWAY=$(ip -o route | grep default | awk '{print $3}')

# ------------
# setting up $MACVLN interface
# ------------

ip link add link $HWLINK $MACVLN type macvlan mode bridge
ip address add $IP dev $MACVLN
ip link set dev $MACVLN up

# ------------
# routing table
# ------------

# empty routes
ip route flush dev $HWLINK
ip route flush dev $MACVLN

# add routes
ip route add $NETWORK dev $MACVLN metric 0

# ad default gateway
ip route add default via $GATEWAY

Beware: If the underlying eth{n} link is down, then also the macvlan will go to the “down” state. That means that the hardware ethernet link must be up, otherwise macvlan/macvtap based VMs will not be able to communicate with each other, or with the host. Also, NetworkManager can play nasty on your customized routing table when the link comes up again.

The resulting routing table will look like this: 

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.0.0.0        0.0.0.0         255.0.0.0       U     0      0        0 macvlan0
0.0.0.0         10.0.0.2        0.0.0.0         UG    0      0        0 macvlan0

Guest configuration

The guest must be configured to use macvtap in bridge mode. Typically, in the configuration XML (/etc/libvirt/qemu) you will find: 

<interface type='direct'>
  <source dev='eth0' mode='bridge'/>

Remember that the guest will then use the DHCP server of the physical LAN. No need any more for the dnsmasq part on the hypervisor. If all your guests use this trick, then you can do: 

rm /etc/libvirt/qemu/networks/autostart/*

That removes the bridge interfaces you see when you run ifconfig. If you cannot wait until the next reboot, also do for each network: 

virsh net-destroy _network-name_