[CentOS-virt] IP aliases from a QEMU/KVM guest

Fri Aug 13 14:06:00 UTC 2010
Alexander Dalloz <ad+lists at uni-x.org>

> Hello,
> I'm trying to set up IP aliases within a QEMU/KVM guest on CentOS 5.5
> x86_64, going through a bridged virtualized interface.
> The virtualized interface in the guest is configured as follow:
> # ifcfg-eth1
> DEVICE=eth1
> HWADDR=11:11:11:11:11:11
> ONBOOT=yes
> ARP=yes
> # route-eth1
> default via IP.OF.HOST.GATEWAY dev eth1
> This is the configuration recommended by the provider (OVH) after a
> virtual MAC address has been allocated for IP.OF.GUEST.ETH1:
> http://help.ovh.com/BridgeClient
> It works fine for virtual interfaces added via libvirt/QEMU.

On first reading I thought eth1 would have been your second interface
within the guest, besides eth0. Meanwhile I think you just skipped eth0.

That is because you can have just 1 default route. The OVH document does
not describe a setup for a 2nd interface.

Well, even for the 1st interface some settings are strange / unnecessary.

Especially when dealing with more than 1 interface, do NOT set the GATEWAY
in ifcfg-ethX. By principle always set GATEWAY (in your case
GATEWAY=x.y.z.254) in /etc/sysconfig/network. Thus you do not need the
route-ethX configuration file, defining a network and a default route. All
that is done automatically.

If you would have more than 1 interface (the OVH doc does not indicate to
be written for such a case, neither notes explicitly to give problems in
that case), then following the OVH doc gives you trouble.

> But when I try to configure an IP alias on another IP address aliasing
> a virtualized interface, as per the instructions from
> http://help.ovh.co.uk/IpAlias (and after assigning it a virtual mac
> just like for eth1) :
> # ifcfg-eth1:1
> DEVICE=eth1:1
> HWADDR=22:22:22:22:22:22

An aliases interface does not have an own MAC, it is physically the same
MAC as the primary interface.

> ONBOOT=yes
> ARP=yes
> I get the following error when restarting the network:
> SIOCADDRT: Network is unreachable

You created a route-eth1:1 file?

> and IP.OF.GUEST.ETH1:1 is:
> - pingable from the same guest
> - not pingable from other guests by the same provider
> - not pingable from outside

The network infrastructure of the hoster must permit the IP address used
to come from MAC of your system.

> Setting
> BOOTPROTO=static
> or commenting out
> or setting:
> (the IP block was a /30, but I don't think that has something to do here)
> did not change the behavior.

The netmask of is given by intention because of the
network layout of your hoster.

> I'll be interested to hear from experiences with setting IP alias from
> within a guest.
> Maybe my problem is due to the configuration of the provider network
> and it is actually impossible to use IP aliases on virtualized
> interfaces.

Yes, as said, the security design of the hoster must permit the use of
defined IPs bound with a dedicated MAC. Ask you hoster.

You can add additional IPs to virtualized interfaces - either by
definining aliased devices or by adding IPs with the help of "ip addr add"
- but that does not mean they are usable automatically. It is a matter of
security in a hosting / virtualized hosting environment.

> Any opinion/idea welcome!
> Mathieu