Setting up a network bridge between a QEMU VM and its host on the command line
Setting up a network bridge between a QEMU VM and its host on the command line
A user of ArchLinux can follow relevant parts of the wiki articles “QEMU” and “PCI passthrough via OVMF” for setting up other aspects of a QEMU VM, but these guides don't provide a short method suitable for people who are not network administrators and don't need ramified network topologies. The default network of a QEMU VM, so called “user networking”, frankly, is disconnected from its host. Below is the short method of setting up a VM such that it can communicate with other networks connected to its host like a wired channel to the internet or a home Wi-Fi network.
A user of ArchLinux can follow relevant parts of the wiki articles “QEMU” and “PCI passthrough via OVMF” for setting up other aspects of a QEMU VM, but these guides don't provide a short method suitable for people who are not network administrators and don't need ramified network topologies. The default network of a QEMU VM, so called “user networking”, frankly, is disconnected from its host. Below is the short method of setting up a VM such that it can communicate with other networks connected to its host like a wired channel to the internet or a home Wi-Fi network.
- Enable packet forwarding on the host by setting the net.ipv4.ip_forward kernel parameter to 1 as described in “Internet sharing”.
- Set up a bridge. You can follow “How to use the qemu-bridge-helper on Debian 10” for this part.
- Install libvirt and start its service as described in “libvirt”. This package provides a bridge network device for the host. The following virsh commands must be executed under root on the host so they are executed by the qemu:///system instance of libvirtd.
- A default bridge comes with libvirt. You can see this bridge with virsh net-list --all. Activate the bridge with virsh net-start --network default. A network device virbr0 should appear on the host. You can deactivate the bridge with virsh net-destroy --network default. In order to activate it automatically at boot, execute virsh net-autostart --network default. I don't know how to disable autostart.
- Grant a user running the VM access to the bridge. To this end, create a file /etc/qemu/bridge.conf containing the line allow virbr0. (I suppose this file may have any name.) Grant the user read access to this file. Probably, the most natural way to do this on ArchLinux is to add the user to the kvm group and grant that group read access. The user will implicitly execute the qemu-bridge-helper executable from the qemu package when starting a VM. Check that this executable has setuid. If the user doesn't have permissions, they'll see the message “failed to parse default acl file `/etc/qemu/bridge.conf' qemu-system-x86_64: bridge helper failed” when they start a VM.
- When starting a VM, add the options -netdev bridge,id=hn0,br=virbr0 and -device virtio-net-pci,netdev=hn0,id=nic1 to the QEMU command, for example, to qemu-system-x86_64. The -device option creates a network device in the VM which is connected to a network backend in the host created by the -netdev option. This network backend is visible as a tap network device in the host.
- If the host wants to talk to the VM, it should connect to the IP address of the network device in the VM. If the VM wants to talk to the host, it should connect to the IP address of the bridge in the host.