Guest unikernel on KVM can't reach host, but host can reach the guest

I'm trying to make a rumpkernel (https://github.com/rumpkernel) run on KVM, connect to a socket on the host and send some data.

I am able to make the host access the guest using the nginx example here:
https://github.com/rumpkernel/wiki/wiki/Tutorial%3A-Serve-a-static-website-as-a-Unikernel

Pretty much what I do is:

    ip tuntap add tap0 mode tap
    ip addr add 10.0.0.10/24 dev tap0
    ip link set dev tap0 up

Then launch rumprun with the parameters:

    rumprun kvm -i -M 128 \
        -I if,vioif,'-net tap,script=no,ifname=tap0' \
        -W if,inet,static,10.0.0.11/24 \
        -b images/data.iso,/data \
        -- <my python script>

Where the Python script opens a socket (0.0.0.0:2010) and listens. Then on the host I can do:

    nc 10.0.0.11 2010

And I can see it connecting.
The problem is that I can't do the other way around. Now I have the KVM guest opening a socket and trying to connect:

    import socket

    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        ip = "10.0.0.10"  # host address on tap0
        try:
            s.connect((ip, 9999))
            # send some data
        except OSError as e:
            print("connect failed:", e)

And running the same script that does listen as before, binding on 10.0.0.10:9999.
The guest just gets stuck on trying to connect and eventually times out.

I tried almost everything I could find online, ended up with a bridge with IP 10.0.0.10 and adding tap0 to it. Then I snooped br0 and got the following (removed some lines):

    15:38:46.173914 ARP, Request who-has 10.0.0.11 tell 10.0.0.11, length 28
    ...
    15:38:46.500262 ARP, Request who-has 10.0.0.10 tell 10.0.0.11, length 28
    15:38:46.500288 ARP, Reply 10.0.0.10 is-at 0e:ec:XX:XX:XX:XX (oui Unknown), length 28
    15:38:46.500440 IP 10.0.0.11.52886 > 10.0.0.10.9999: Flags [S], seq 20858086, win 32768, options [mss 1460,nop,wscale 3,sackOK,nop,nop,nop,nop,TS val 1 ecr 0], length 0

Which makes me think there is a route, but somehow the packet doesn't reach. I've tried disabling filtering within sys.d

    net.bridge.bridge-nf-call-ip6tables = 0
    net.bridge.bridge-nf-call-iptables = 0
    net.bridge.bridge-nf-call-arptables = 0

And still nothing.

Any ideas on how to make this work? I don't want to bridge my eth0 because it's a remote server and the guest doesn't need outside connections at this moment.

      networking virtual-machine linux-kvm






asked Dec 5 at 22:08 by hfingler

1 Answer

Welp, been trying to solve this for a day and ofc after I post a question here I find the answer.

Hint was in this: Configure FirewallD to allow bridged virtual machine network access

I checked iptables and logs, and found this on /var/log/ufw.log

    Dec  5 15:38:46 xxxx kernel: [516010.193395] [UFW BLOCK] IN=br0 OUT= MAC=... SRC=10.0.0.11 DST=10.0.0.10 LEN=64 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=52886 DPT=9999 WINDOW=32768 RES=0x00 SYN URGP=0

Turns out there is a firewall running, and it was blocking the connection.
I added a new rule as specified here: https://help.ubuntu.com/community/UFW
and it's working now. Apparently.

answered Dec 5 at 22:49 by hfingler
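
The check described in the answer, as an added example that is not part of the original post: it parses `[UFW BLOCK]` entries, keeps the TCP/UDP packets dropped on a guest-facing interface, and prints a rule scoped to exactly that flow instead of a broad allow. The log lines are constructed from the entry quoted above; the interface prefixes in `GUEST_IFACES` and the suggested rule are assumptions, since the answer does not say which rule was added.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample: two copies of the entry quoted in the answer (placeholder
# MAC), one unrelated block on eth0, and one line that is not a BLOCK entry.
SAMPLE_LOG = """\
Dec  5 15:38:46 xxxx kernel: [516010.193395] [UFW BLOCK] IN=br0 OUT= MAC=aa:bb SRC=10.0.0.11 DST=10.0.0.10 LEN=64 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=52886 DPT=9999 WINDOW=32768 RES=0x00 SYN URGP=0
Dec  5 15:38:49 xxxx kernel: [516013.201120] [UFW BLOCK] IN=br0 OUT= MAC=aa:bb SRC=10.0.0.11 DST=10.0.0.10 LEN=64 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=52886 DPT=9999 WINDOW=32768 RES=0x00 SYN URGP=0
Dec  5 15:39:02 xxxx kernel: [516026.000101] [UFW BLOCK] IN=eth0 OUT= MAC=cc:dd SRC=203.0.113.7 DST=198.51.100.2 LEN=40 TOS=0x00 PREC=0x00 TTL=240 ID=54321 PROTO=TCP SPT=40000 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Dec  5 15:39:05 xxxx kernel: [516029.000000] [UFW AUDIT] IN=br0 OUT= SRC=10.0.0.11 DST=10.0.0.10 PROTO=ICMP TYPE=8
"""

FIELD = re.compile(r"(\w+)=(\S*)")
GUEST_IFACES = ("br", "tap", "virbr")  # assumption: name prefixes of guest-facing interfaces


def parse_block(line):
    """Return the KEY=value fields of a [UFW BLOCK] line, or None for any other line."""
    _, tag, rest = line.partition("[UFW BLOCK]")
    if not tag:
        return None
    return dict(FIELD.findall(rest))


def blocked_guest_flows(log_text):
    """Count blocked TCP/UDP packets addressed to the host on a guest-facing interface."""
    flows = Counter()
    for line in log_text.splitlines():
        f = parse_block(line)
        # Skip non-BLOCK lines, forwarded traffic (OUT set) and protocols without ports.
        if not f or f.get("OUT") or f.get("PROTO") not in ("TCP", "UDP"):
            continue
        if not f.get("IN", "").startswith(GUEST_IFACES) or not f.get("DPT", "").isdigit():
            continue
        flows[(f["IN"], f["SRC"], f["DST"], f["PROTO"].lower(), int(f["DPT"]))] += 1
    return flows


def suggest_rule(flow):
    """Build a ufw rule that permits exactly this flow and nothing wider."""
    iface, src, dst, proto, dport = flow
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)  # raises ValueError on junk
    if not re.fullmatch(r"[A-Za-z0-9_.-]+", iface):
        raise ValueError(f"unexpected interface name: {iface!r}")
    return f"ufw allow in on {iface} proto {proto} from {src} to {dst} port {dport}"


if __name__ == "__main__":
    for flow, hits in blocked_guest_flows(SAMPLE_LOG).most_common():
        print(f"{hits} blocked packet(s): {flow}")
        print("  candidate rule:", suggest_rule(flow))
```

Running the candidate rule with `ufw --dry-run` first shows the resulting rules without changing the firewall.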





























