Isolated VirtualBoxes network on a Linux laptop

I like emulation/virtualization a lot. I used to use Win4Lin and VMware for testing new systems/applications. I have now switched to VirtualBox, mainly because of the automation scripting tools (VBoxManage and friends).


I work/play on a Linux laptop and need to run several virtual machines interconnected in an isolated network. The VirtualBox network configuration can give headaches, it gave me some : ) During the setup I had to write things down on paper, walk around chewing my pencil, scratch my head .. so I will share these notes here hoping they will be useful to someone.

Overview

For a 10,000-foot view of the setup explained here, a simple picture is better than many words:

Virtual Network Overview


Host->VBoxes: permanent
Host->External: independent of the virtual network
VBoxes->VBoxes: permanent
opt switchable per vbox
VBoxes-->External: virtualbox nat
end

I’m using Gentoo Linux as host and Debian in the virtual machines, so the details here apply to these distributions, but everything is really close to what you would do on other systems.

The virtual network is independent of external interfaces

On my laptop, I use NetworkManager to handle eth0 and wlan0 automatic/user configuration dynamically. To keep this handy tool working I decided that the eth0/wlan0 configuration must not be touched by this setup. In other words, the virtual network setup must not be dependent on the eth0/wlan0 state. This way I can use the virtual network whether the laptop is wired, wireless or simply not connected at all.

Plus, I use aggressive firewalling on my external interfaces and during this setup I had no iptables rule to change.

The virtual network is isolated with easy ways to open flows

Virtual machines inside the virtual network are reachable from the host and can reach each other. It is quite easy to add or remove external network (i.e. internet) access for chosen virtual machines.

Configuration in virtual machines is OS agnostic

To put a virtual machine on the virtual network only network configuration is needed.


Creating the virtual network

As we will use the Host Interface mode from VirtualBox, we will set up a network bridge on the host system to interconnect the virtual machines and to connect to them. To isolate the virtual network from the real external network we need a neutral network interface to bridge to. We will use the Linux dummy network device for this purpose.

Here is a diagram showing the vnet0 bridge between dummy0 and the virtual machine interfaces, whose names start with vbox:

Bridge Overview


note over dummy0,vbox0, ..., vboxN: bridged
dummy0->vnet0: forward to
vbox0->vnet0: forward to
...->vnet0: forward to
vboxN->vnet0: forward to

In the following examples, the virtual network is 10.42.42.0/24.

Kernel configuration
You can skip this if you run your host on a distribution like debian, ubuntu, [open]suse, redhat|fedora|centos etc…

The following kernel options/modules are mandatory :

  • CONFIG_BRIDGE: to create network bridges
  • CONFIG_TUN: to create TUN/TAP virtual network interfaces for the virtual machines
  • CONFIG_DUMMY: to create a dummy network interface to bridge to

For the dummy kernel module to be loaded at boot time, modify /etc/conf.d/modules to read:


modules_2_6="dummy vboxdrv"

Create the dummy network interface

Add the following lines to /etc/conf.d/net :


config_dummy0="null"

Create a symbolic link in /etc/init.d to provide an init script for dummy0, add it to the default runlevel and start it:


ln -s /etc/init.d/net.lo /etc/init.d/net.dummy0
rc-update add net.dummy0 default
/etc/init.d/net.dummy0 start

Create the network bridge

Add the following lines to /etc/conf.d/net :


config_vnet0="10.42.42.254/24"
bridge_vnet0="dummy0"
brctl_vnet0="setfd 0
sethello 0
stp off"

Create a symbolic link in /etc/init.d to provide an init script for vnet0 and start it:


ln -s /etc/init.d/net.lo /etc/init.d/net.vnet0
/etc/init.d/net.vnet0 start

Check the interfaces status

To see if everything went as expected, look at the output of the ifconfig command. You should read something similar to the following :

dummy0    Lien encap:Ethernet  HWaddr 8a:7f:a4:42:dc:d7
          adr inet6: fe80::887f:c4ff:fe42:bcd7/64 Scope:Lien
          UP BROADCAST RUNNING NOARP PROMISC  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:126 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 lg file transmission:0
          RX bytes:0 (0.0 B)  TX bytes:31554 (30.8 KiB)

vnet0     Lien encap:Ethernet  HWaddr 8a:7f:a4:42:dc:d7
          inet adr:10.42.42.254  Bcast:10.42.42.255  Masque:255.255.255.0
          adr inet6: fe80::887f:c4ff:fe42:bcd7/64 Scope:Lien
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:22 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 lg file transmission:0
          RX bytes:0 (0.0 B)  TX bytes:5793 (5.6 KiB)


Adding a virtual machine

The first virtual machine will use the vbox0 TUN/TAP interface.

Create the virtual machine TUN/TAP interface

Add the following lines to /etc/conf.d/net, replacing ${USER} with the name of the user who runs VirtualBox:


config_vbox0="null"
tuntap_vbox0="tap"
tunctl_vbox0="-u ${USER}"

Create a symbolic link in /etc/init.d to provide an init script for vbox0 and start it:


ln -s /etc/init.d/net.lo /etc/init.d/net.vbox0
/etc/init.d/net.vbox0 start

Add the virtual machine interface to the bridge

Add vbox0 to the bridge_vnet0 line in /etc/conf.d/net to read:


bridge_vnet0="dummy0 vbox0"

To register the new interface in the bridge, it needs to be restarted:


/etc/init.d/net.vnet0 restart

Each time we add a virtual machine interface we need to restart the bridge. Fortunately, this can be done while virtual machines are running.

Check the interfaces status

To see if everything went as expected, look at the output of the ifconfig command. You should read something similar to the following :

dummy0    Lien encap:Ethernet  HWaddr 8a:7f:d4:42:cc:d7
          adr inet6: fe80::887f:c4ff:fe42:bcd7/64 Scope:Lien
          UP BROADCAST RUNNING NOARP PROMISC  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1841 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 lg file transmission:0
          RX bytes:0 (0.0 B)  TX bytes:475772 (464.6 KiB)

vbox0     Lien encap:Ethernet  HWaddr 00:fa:5f:f0:69:d8
          adr inet6: fe80::2ff:5fff:fef0:65d8/64 Scope:Lien
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:143 overruns:0 carrier:0
          collisions:0 lg file transmission:500
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

vnet0     Lien encap:Ethernet  HWaddr 00:fa:5f:f0:69:d8
          inet adr:10.42.42.254  Bcast:10.42.42.255  Masque:255.255.255.0
          adr inet6: fe80::2ff:5fff:fef0:65d8/64 Scope:Lien
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:21 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 lg file transmission:0
          RX bytes:0 (0.0 B)  TX bytes:5633 (5.5 KiB)
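
The isolation of this setup rests on vnet0 bridging nothing but dummy0 and the vbox* TAP interfaces. The following check is an added example, not part of the original post: it reads the bridge ports from sysfs and fails if a physical interface such as eth0 or wlan0 has been enslaved. The function name, the optional root-directory arguments and the ip_forward check are additions made here.

```sh
#!/bin/sh
# Added example: audit that the bridge only has the ports this setup expects.
# Usage: check_bridge_isolation vnet0
# The optional 2nd/3rd arguments override /sys and /proc (used for testing).
# Returns 0 = no finding, 1 = finding, 2 = not a bridge.
check_bridge_isolation() {
    bridge=$1
    sysfs=${2:-/sys}
    procfs=${3:-/proc}
    brif="$sysfs/class/net/$bridge/brif"
    rc=0

    if [ ! -d "$brif" ]; then
        echo "ERROR: $bridge is not a bridge (missing $brif)"
        return 2
    fi

    # Every entry under brif/ is one interface enslaved to the bridge.
    for port in "$brif"/*; do
        [ -e "$port" ] || continue       # bridge without ports
        name=${port##*/}
        case $name in
            dummy0|vbox[0-9]*) ;;        # neutral device and VM TAP interfaces
            *) echo "FAIL: unexpected port $name on $bridge"; rc=1 ;;
        esac
    done

    # Extra check, not from the post: with forwarding on, the host can route
    # packets between vnet0 and eth0/wlan0 unless the firewall drops them.
    fwd=$(cat "$procfs/sys/net/ipv4/ip_forward" 2>/dev/null || echo 0)
    if [ "$fwd" != "0" ]; then
        echo "FAIL: net.ipv4.ip_forward=$fwd on the host"
        rc=1
    fi

    if [ "$rc" -eq 0 ]; then
        echo "OK: $bridge has only dummy0 and vbox* ports, forwarding is off"
    fi
    return "$rc"
}
```

Run it again after every bridge restart, since that is the moment the port list changes.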

Configure network in the virtual machine
We assume here you have already created a virtual machine with a single network adapter in Host Interface mode, configured to use the vbox0 host interface.

Provided the hostif network interface is eth0 in the virtual machine, add the following lines to /etc/network/interfaces:

auto eth0
iface eth0 inet static
       address 10.42.42.1
       netmask 255.255.255.0
       network 10.42.42.0
       broadcast 10.42.42.255

Apply these changes with this command:


/etc/init.d/networking restart

Testing the virtual network

Now from your host you can reach the virtual machine and consume all its services on a dedicated internal IP address: 10.42.42.1.

To check if everything went properly, try to ssh to it. If it is not working, read your configuration again.

ssh username@10.42.42.1

Opening flows

To open a flow from a single virtual machine to the external network (i.e. internet) I use the VirtualBox NAT facility by adding a NAT network interface to the virtual machine and using DHCP inside the VM on the new interface. I postponed the opening of a flow from a virtual machine to the host for another blog post.

Here is the VBoxManage command :

VBoxManage modifyvm "${VM_NAME}" -nic42 nat

For the VirtualBox NAT to work you’ll have to use a DHCP client inside the virtual machine. For testing purposes you can simply issue the following command, provided eth42 is the NATed interface inside the virtual machine:

dhclient eth42

A simple ping to the external network (google.fr, playboy.com etc..) will tell you if it is working or not.

To make this survive reboots, add the following lines to /etc/network/interfaces :

auto eth42
iface eth42 inet dhcp
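
Once flows can be opened per VM, it helps to see which machines currently have a way out. The following is an added example, not part of the original post: it classifies each adapter of a VM from the machine-readable output of VBoxManage showvminfo. It assumes the key names that recent VirtualBox releases print (nicN, bridgeadapterN), where the post's Host Interface mode shows up as bridged; the sample data and function names are constructed for illustration.

```sh
#!/bin/sh
# Added example: classify a VM's network adapters from VBoxManage output.

# sample_vminfo: constructed excerpt of
#   VBoxManage showvminfo "<vm>" --machinereadable
# for a VM with one adapter on the vbox0 TAP and one NAT adapter.
sample_vminfo() {
    cat <<'EOF'
name="constructed-vm"
nic1="bridged"
bridgeadapter1="vbox0"
nictype1="82540EM"
nic2="nat"
nic3="none"
EOF
}

# classify_nics: read machine-readable VM info on stdin and print
# "nicN MODE VERDICT" per attached adapter:
#   internal = bridged to a vbox* TAP (stays on the virtual network)
#   egress   = NAT adapter (the VM can reach the external network)
#   review   = anything else, e.g. bridged straight to eth0 or wlan0
classify_nics() {
    awk -F= '
        /^nic[0-9]+=/           { v = $2; gsub(/"/, "", v); mode[substr($1, 4)] = v }
        /^bridgeadapter[0-9]+=/ { v = $2; gsub(/"/, "", v); dev[substr($1, 14)] = v }
        END {
            for (n in mode) {
                m = mode[n]
                if (m == "none") continue
                if (m == "nat" || m == "natnetwork") verdict = "egress"
                else if (m == "bridged" && dev[n] ~ /^vbox[0-9]+$/) verdict = "internal"
                else verdict = "review"
                printf "nic%s %s %s\n", n, m, verdict
            }
        }' | sort
}

# audit_vm NAME: run the classification against a real VM on this host.
audit_vm() {
    VBoxManage showvminfo "$1" --machinereadable | classify_nics
}

sample_vminfo | classify_nics
```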


Going plural

You can now repeat the steps below to create more virtual machines :

  • Create another TUN/TAP interface: vbox1
  • Bridge it so you have dummy0, vbox0 and vbox1 bridged by vnet0
  • Configure network in the virtual machine

To be continued…

I’m not fully satisfied by this setup. The next step is to write scripts around all this, maybe moving away from distribution-dependent configuration. Later I’d like to find a way to make services from the host reachable by the virtual machines. If you have tech suggestions, I’ll be happy to read from you.

One could imagine providing DHCP/DNS service in the virtual network to minimize virtual machine configuration and get rid of the VirtualBox NAT, but I feel it would be cumbersome work for a work laptop running at most 5 VMs. I don’t know zeroconf well, could it fit better?

I hope that this post can be useful. VirtualBox networking made me feel a little lost at first. Maybe because I’m not a network addict anymore :)


2 thoughts on “Isolated VirtualBoxes network on a Linux laptop”

  1. Thanks for posting your thought process on this. I have spent a lot of time trying to get an interface-independent internal network between my host laptop and its VMs. With VBox 2.1 I’ve been able to create a bridge containing only a dummy interface and have VBox attach each VM to the bridge. Reading this helped me a lot.
