Guest unikernel on KVM can't reach host, but host can reach the guest
I'm trying to make a rumpkernel (https://github.com/rumpkernel) run on KVM, connect to a socket on the host and send some data.
I am able to make the host access the guest using the nginx example here:
https://github.com/rumpkernel/wiki/wiki/Tutorial%3A-Serve-a-static-website-as-a-Unikernel
Pretty much what I do is:
ip tuntap add tap0 mode tap
ip addr add 10.0.0.10/24 dev tap0
ip link set dev tap0 up
Then launch rumprun with the parameters:
rumprun kvm -i -M 128
-I if,vioif,'-net tap,script=no,ifname=tap0'
-W if,inet,static,10.0.0.11/24
-b images/data.iso,/data
-- <my python script>
Where the python script opens a socket (0.0.0.0:2010) and listens. Then on the host I can do:
nc 10.0.0.11 2010
And I can see it connecting.
The problem is that I can't do the other way around. Now I have the kvm guest opening a socket and trying to connect:
with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
ip = "10.0.0.10"
try:
s.connect( (ip, 9999) )
#send some data
And running the same script that does listen as before, binding on 10.0.0.10:9999.
The guest just gets stuck on trying to connect and eventually times out.
I tried almost everything I could find online, ended up with a bridge with IP 10.0.0.10 and adding tap0 to it. Then I snooped br0 and got the following (removed some lines):
15:38:46.173914 ARP, Request who-has 10.0.0.11 tell 10.0.0.11, length 28
...
15:38:46.500262 ARP, Request who-has 10.0.0.10 tell 10.0.0.11, length 28
15:38:46.500288 ARP, Reply 10.0.0.10 is-at 0e:ec:XX:XX:XX:XX (oui Unknown), length 28
15:38:46.500440 IP 10.0.0.11.52886 > 10.0.0.10.9999: Flags [S], seq 20858086, win 32768, options [mss 1460,nop,wscale 3,sackOK,nop,nop,nop,nop,TS val 1 ecr 0], length 0
Which makes me think there is a route, but somehow the packet doesn't reach. I've tried disabling filtering within sys.d
net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-iptables = 0
net.bridge.bridge-nf-call-arptables = 0
And still nothing.
Any ideas on how to make this works? I don't want to bridge my eth0 because it's a remote server and the guest doesn't need outside connections at this moment.
networking virtual-machine linux-kvm
add a comment |
I'm trying to make a rumpkernel (https://github.com/rumpkernel) run on KVM, connect to a socket on the host and send some data.
I am able to make the host access the guest using the nginx example here:
https://github.com/rumpkernel/wiki/wiki/Tutorial%3A-Serve-a-static-website-as-a-Unikernel
Pretty much what I do is:
ip tuntap add tap0 mode tap
ip addr add 10.0.0.10/24 dev tap0
ip link set dev tap0 up
Then launch rumprun with the parameters:
rumprun kvm -i -M 128
-I if,vioif,'-net tap,script=no,ifname=tap0'
-W if,inet,static,10.0.0.11/24
-b images/data.iso,/data
-- <my python script>
Where the python script opens a socket (0.0.0.0:2010) and listens. Then on the host I can do:
nc 10.0.0.11 2010
And I can see it connecting.
The problem is that I can't do the other way around. Now I have the kvm guest opening a socket and trying to connect:
with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
ip = "10.0.0.10"
try:
s.connect( (ip, 9999) )
#send some data
And running the same script that does listen as before, binding on 10.0.0.10:9999.
The guest just gets stuck on trying to connect and eventually times out.
I tried almost everything I could find online, ended up with a bridge with IP 10.0.0.10 and adding tap0 to it. Then I snooped br0 and got the following (removed some lines):
15:38:46.173914 ARP, Request who-has 10.0.0.11 tell 10.0.0.11, length 28
...
15:38:46.500262 ARP, Request who-has 10.0.0.10 tell 10.0.0.11, length 28
15:38:46.500288 ARP, Reply 10.0.0.10 is-at 0e:ec:XX:XX:XX:XX (oui Unknown), length 28
15:38:46.500440 IP 10.0.0.11.52886 > 10.0.0.10.9999: Flags [S], seq 20858086, win 32768, options [mss 1460,nop,wscale 3,sackOK,nop,nop,nop,nop,TS val 1 ecr 0], length 0
Which makes me think there is a route, but somehow the packet doesn't reach. I've tried disabling filtering within sys.d
net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-iptables = 0
net.bridge.bridge-nf-call-arptables = 0
And still nothing.
Any ideas on how to make this works? I don't want to bridge my eth0 because it's a remote server and the guest doesn't need outside connections at this moment.
networking virtual-machine linux-kvm
add a comment |
I'm trying to make a rumpkernel (https://github.com/rumpkernel) run on KVM, connect to a socket on the host and send some data.
I am able to make the host access the guest using the nginx example here:
https://github.com/rumpkernel/wiki/wiki/Tutorial%3A-Serve-a-static-website-as-a-Unikernel
Pretty much what I do is:
ip tuntap add tap0 mode tap
ip addr add 10.0.0.10/24 dev tap0
ip link set dev tap0 up
Then launch rumprun with the parameters:
rumprun kvm -i -M 128
-I if,vioif,'-net tap,script=no,ifname=tap0'
-W if,inet,static,10.0.0.11/24
-b images/data.iso,/data
-- <my python script>
Where the python script opens a socket (0.0.0.0:2010) and listens. Then on the host I can do:
nc 10.0.0.11 2010
And I can see it connecting.
The problem is that I can't do the other way around. Now I have the kvm guest opening a socket and trying to connect:
with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
ip = "10.0.0.10"
try:
s.connect( (ip, 9999) )
#send some data
And running the same script that does listen as before, binding on 10.0.0.10:9999.
The guest just gets stuck on trying to connect and eventually times out.
I tried almost everything I could find online, ended up with a bridge with IP 10.0.0.10 and adding tap0 to it. Then I snooped br0 and got the following (removed some lines):
15:38:46.173914 ARP, Request who-has 10.0.0.11 tell 10.0.0.11, length 28
...
15:38:46.500262 ARP, Request who-has 10.0.0.10 tell 10.0.0.11, length 28
15:38:46.500288 ARP, Reply 10.0.0.10 is-at 0e:ec:XX:XX:XX:XX (oui Unknown), length 28
15:38:46.500440 IP 10.0.0.11.52886 > 10.0.0.10.9999: Flags [S], seq 20858086, win 32768, options [mss 1460,nop,wscale 3,sackOK,nop,nop,nop,nop,TS val 1 ecr 0], length 0
Which makes me think there is a route, but somehow the packet doesn't reach. I've tried disabling filtering within sys.d
net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-iptables = 0
net.bridge.bridge-nf-call-arptables = 0
And still nothing.
Any ideas on how to make this works? I don't want to bridge my eth0 because it's a remote server and the guest doesn't need outside connections at this moment.
networking virtual-machine linux-kvm
I'm trying to make a rumpkernel (https://github.com/rumpkernel) run on KVM, connect to a socket on the host and send some data.
I am able to make the host access the guest using the nginx example here:
https://github.com/rumpkernel/wiki/wiki/Tutorial%3A-Serve-a-static-website-as-a-Unikernel
Pretty much what I do is:
ip tuntap add tap0 mode tap
ip addr add 10.0.0.10/24 dev tap0
ip link set dev tap0 up
Then launch rumprun with the parameters:
rumprun kvm -i -M 128
-I if,vioif,'-net tap,script=no,ifname=tap0'
-W if,inet,static,10.0.0.11/24
-b images/data.iso,/data
-- <my python script>
Where the python script opens a socket (0.0.0.0:2010) and listens. Then on the host I can do:
nc 10.0.0.11 2010
And I can see it connecting.
The problem is that I can't do the other way around. Now I have the kvm guest opening a socket and trying to connect:
with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
ip = "10.0.0.10"
try:
s.connect( (ip, 9999) )
#send some data
And running the same script that does listen as before, binding on 10.0.0.10:9999.
The guest just gets stuck on trying to connect and eventually times out.
I tried almost everything I could find online, ended up with a bridge with IP 10.0.0.10 and adding tap0 to it. Then I snooped br0 and got the following (removed some lines):
15:38:46.173914 ARP, Request who-has 10.0.0.11 tell 10.0.0.11, length 28
...
15:38:46.500262 ARP, Request who-has 10.0.0.10 tell 10.0.0.11, length 28
15:38:46.500288 ARP, Reply 10.0.0.10 is-at 0e:ec:XX:XX:XX:XX (oui Unknown), length 28
15:38:46.500440 IP 10.0.0.11.52886 > 10.0.0.10.9999: Flags [S], seq 20858086, win 32768, options [mss 1460,nop,wscale 3,sackOK,nop,nop,nop,nop,TS val 1 ecr 0], length 0
Which makes me think there is a route, but somehow the packet doesn't reach. I've tried disabling filtering within sys.d
net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-iptables = 0
net.bridge.bridge-nf-call-arptables = 0
And still nothing.
Any ideas on how to make this works? I don't want to bridge my eth0 because it's a remote server and the guest doesn't need outside connections at this moment.
networking virtual-machine linux-kvm
networking virtual-machine linux-kvm
asked Dec 5 at 22:08
hfingler
101
101
add a comment |
add a comment |
1 Answer
1
active
oldest
votes
Welp, been trying to solve this for a day and ofc after I post a question here I find the answer.
Hint was in this: Configure FirewallD to allow bridged virtual machine network access
I checked iptables and logs, and found this on /var/log/ufw.log
Dec 5 15:38:46 xxxx kernel: [516010.193395] [UFW BLOCK] IN=br0 OUT= MAC=... SRC=10.0.0.11 DST=10.0.0.10 LEN=64 TOS=0x00 PREC=0x00 TTL=64 ID=
0 DF PROTO=TCP SPT=52886 DPT=9999 WINDOW=32768 RES=0x00 SYN URGP=0
Turns out there is a firewall running, and it was blocking the connection.
I added a new rule as specified here: https://help.ubuntu.com/community/UFW
and it's working now. Apparently.
add a comment |
Your Answer
StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "3"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});
function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});
}
});
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1381155%2fguest-unikernel-on-kvm-cant-reach-host-but-host-can-reach-the-guest%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
1 Answer
1
active
oldest
votes
1 Answer
1
active
oldest
votes
active
oldest
votes
active
oldest
votes
Welp, been trying to solve this for a day and ofc after I post a question here I find the answer.
Hint was in this: Configure FirewallD to allow bridged virtual machine network access
I checked iptables and logs, and found this on /var/log/ufw.log
Dec 5 15:38:46 xxxx kernel: [516010.193395] [UFW BLOCK] IN=br0 OUT= MAC=... SRC=10.0.0.11 DST=10.0.0.10 LEN=64 TOS=0x00 PREC=0x00 TTL=64 ID=
0 DF PROTO=TCP SPT=52886 DPT=9999 WINDOW=32768 RES=0x00 SYN URGP=0
Turns out there is a firewall running, and it was blocking the connection.
I added a new rule as specified here: https://help.ubuntu.com/community/UFW
and it's working now. Apparently.
add a comment |
Welp, been trying to solve this for a day and ofc after I post a question here I find the answer.
Hint was in this: Configure FirewallD to allow bridged virtual machine network access
I checked iptables and logs, and found this on /var/log/ufw.log
Dec 5 15:38:46 xxxx kernel: [516010.193395] [UFW BLOCK] IN=br0 OUT= MAC=... SRC=10.0.0.11 DST=10.0.0.10 LEN=64 TOS=0x00 PREC=0x00 TTL=64 ID=
0 DF PROTO=TCP SPT=52886 DPT=9999 WINDOW=32768 RES=0x00 SYN URGP=0
Turns out there is a firewall running, and it was blocking the connection.
I added a new rule as specified here: https://help.ubuntu.com/community/UFW
and it's working now. Apparently.
add a comment |
Welp, been trying to solve this for a day and ofc after I post a question here I find the answer.
Hint was in this: Configure FirewallD to allow bridged virtual machine network access
I checked iptables and logs, and found this on /var/log/ufw.log
Dec 5 15:38:46 xxxx kernel: [516010.193395] [UFW BLOCK] IN=br0 OUT= MAC=... SRC=10.0.0.11 DST=10.0.0.10 LEN=64 TOS=0x00 PREC=0x00 TTL=64 ID=
0 DF PROTO=TCP SPT=52886 DPT=9999 WINDOW=32768 RES=0x00 SYN URGP=0
Turns out there is a firewall running, and it was blocking the connection.
I added a new rule as specified here: https://help.ubuntu.com/community/UFW
and it's working now. Apparently.
Welp, been trying to solve this for a day and ofc after I post a question here I find the answer.
Hint was in this: Configure FirewallD to allow bridged virtual machine network access
I checked iptables and logs, and found this on /var/log/ufw.log
Dec 5 15:38:46 xxxx kernel: [516010.193395] [UFW BLOCK] IN=br0 OUT= MAC=... SRC=10.0.0.11 DST=10.0.0.10 LEN=64 TOS=0x00 PREC=0x00 TTL=64 ID=
0 DF PROTO=TCP SPT=52886 DPT=9999 WINDOW=32768 RES=0x00 SYN URGP=0
Turns out there is a firewall running, and it was blocking the connection.
I added a new rule as specified here: https://help.ubuntu.com/community/UFW
and it's working now. Apparently.
answered Dec 5 at 22:49
hfingler
101
101
add a comment |
add a comment |
Thanks for contributing an answer to Super User!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Some of your past answers have not been well-received, and you're in danger of being blocked from answering.
Please pay close attention to the following guidance:
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1381155%2fguest-unikernel-on-kvm-cant-reach-host-but-host-can-reach-the-guest%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown