```bash
## Prep work
curl -O http://download.cirros-cloud.net/0.5.1/cirros-0.5.1-x86_64-disk.img
cat << EOF > Dockerfile
FROM centos:7
RUN yum -y install epel-release && \
    yum makecache fast && \
    yum install -y qemu-kvm bridge-utils iproute libvirt libvirt-client genisoimage virt-install telnet tcpdump && \
    yum clean all
COPY cirros-0.5.1-x86_64-disk.img .
COPY entrypoint.sh /
ENTRYPOINT /entrypoint.sh
EOF
cat << EOF > entrypoint.sh
#!/bin/bash
trap : TERM INT; sleep infinity & wait
EOF
# COPY keeps the file mode, so the entrypoint has to be executable before the build
chmod +x entrypoint.sh
## Image build
docker build -t macvtap .
docker rm -f test
# --privileged with the host /dev mounted gives the container /dev/kvm, /dev/vhost-net
# and the /dev/tapN node of the macvtap interface created below
docker run -d -v /dev:/dev --name test --privileged macvtap
docker exec -it test bash
## Inside the container
ip link show dev eth0
ip link add link eth0 name macvtap0 type macvtap mode bridge
ip link set dev macvtap0 up
# bash opens fd 88 on /dev/tap<ifindex> and fd 99 on /dev/vhost-net; qemu inherits both.
# The serial console is served over telnet on port 23 of every container interface.
/usr/libexec/qemu-kvm -daemonize \
  -name test \
  -no-user-config -nodefaults \
  -machine pc \
  -enable-kvm \
  -cpu host \
  -display none \
  -serial telnet:0.0.0.0:23,server,nowait \
  -boot order=d,menu=on \
  -drive file=/cirros-0.5.1-x86_64-disk.img,format=qcow2,if=ide \
  -netdev tap,fd=88,id=hostnet0,vhost=on,vhostfd=99 88<>/dev/tap$(cat /sys/class/net/macvtap0/ifindex) 99<>/dev/vhost-net \
  -device virtio-net-pci,netdev=hostnet0,id=net0,mac=$(cat /sys/class/net/macvtap0/address)
```
yep, everything after line #25 is inside container's shell
oh, hang on, i think i forgot to paste a few commands
now that's better
it seems this indeed works.
Today I again tried to avoid shell expansion and create sockets with Python but to no avail. Although the sockets appear open in Linux (they are seen under `/proc/<pid>/fd`), the traffic didn't pass through.
In the end I decided to use the variant with shell expansion strings such as `$num<>/dev/...`. And it indeed worked.
A few caveats that I will mention here for completeness:
- the `subprocess.Popen` should not only have `shell=True` to open sockets with shell expansion strings, but also make use of `/bin/bash`, since the default shell used by Popen is `sh` and in `sh` the `<>` doesn't exist.
- the space-separated arguments (like smbios string) need to be properly escaped or quoted in that approach
With these two requirements honoured, I made it work hellt/vrnetlab#22
Thanks @networkop for encouraging me to look at it again with your successful example!
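
The two caveats from the comment above, as an added example (not code from the gist or from vrnetlab): every argument is quoted with `shlex.quote`, `N<>path` redirections are appended, and the string is run with `executable` set to bash. The helper names, the sample smbios string, `/dev/tap5` and the stand-in child process are constructed for illustration.

```python
import shlex
import shutil
import subprocess
import sys
import tempfile

BASH = shutil.which("bash") or "/bin/bash"
# Constructed sample: an argument with a space and a shell metacharacter.
SMBIOS = "type=1,product=lab vm;id"


def build_cmd(argv, fd_redirects):
    """Quote every argument, then append one N<>path redirection per fd."""
    words = [shlex.quote(arg) for arg in argv]
    for fd, path in sorted(fd_redirects.items()):
        words.append(f"{int(fd)}<>{shlex.quote(path)}")
    return " ".join(words)


def run_with_fds(argv, fd_redirects):
    """Run argv with the given fds opened read/write by bash."""
    # shell=True alone would use /bin/sh; executable= selects bash, which
    # accepts fd numbers above 9 in a redirection.
    return subprocess.run(build_cmd(argv, fd_redirects), shell=True,
                          executable=BASH, capture_output=True, text=True)


def demo(path):
    """Stand-in for qemu-kvm: fails unless fd 88 is open, echoes its argument."""
    child = [sys.executable, "-c",
             "import os, sys; os.fstat(88); print(sys.argv[1])", SMBIOS]
    result = run_with_fds(child, {88: path})
    return result.returncode, result.stdout.rstrip("\n")


if __name__ == "__main__":
    with tempfile.NamedTemporaryFile() as tmp:  # stands in for /dev/tapN
        print(demo(tmp.name))
    # /dev/tap5 is a constructed device name, not a value from the gist.
    print(build_cmd(["/usr/libexec/qemu-kvm", "-smbios", SMBIOS],
                    {88: "/dev/tap5", 99: "/dev/vhost-net"}))
```

Because the smbios-style value is quoted, the `;id` inside it reaches the child as part of one argument instead of being run by the shell.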
imagine my frustration when macvtap started to work, but the prime reason for it - LACP - didn't get through =((((
hm... have you tried a different macvtap mode?
The default "bridge" mode may use the standard Linux bridge under the hood.
@hellt have you seen this? "Using tc redirect to connect a virtual machine to a container network · GitHub" https://gist.github.com/mcastelino/7d85f4164ffdaf48242f9281bb1d0f9b
no, haven't tried it, just stumbled across it by accident, thought you'd find it interesting
that account's got a lot of interesting gists, like this one https://gist.github.com/mcastelino/fb841c7e7d26b08240e0a19d3b95c0a7 showing the use of trace-cmd
I noticed 'ip' in the filter rule,
where?
it seems like it was built for packet mirroring, link, which most likely means it'll redirect all packets
where?
mislooked. I was reading the original post where he saw this technique for the first time, and it was using `ip` protocol match.
but indeed in his pasting he uses `all` which should be all frames. Will test it.
Thanks, that might be a groundbreaking approach if it works
I suppose you create `macvtap0` with `ip` inside the docker before calling qemu-kvm?