Connecting a Cloud Hypervisor guest to the internet using NAT

Cloud Hypervisor is a Virtual Machine Monitor (VMM) for modern cloud workloads. Recently, I found myself in the need of a simple way to connect a Cloud Hypervisor guest to the internet. Unfortunately, no such method has been documented in the in-tree documentation. So, I set out experimenting with iptables and NAT (network address translation). After playing around with the iptables rules required to set this up I finally arrived at a simple setup that worked.

For this to work, Cloud Hypervisor needs to be started with the --net argument like so:

cloud-hypervisor \
        --kernel ./vmlinux.bin \
        --cmdline "console=ttyS0 root=/dev/vda1 rw" \
        --disk path=/home/cloud/focal-server-cloudimg-amd64.raw path=/home/cloud/ubuntu-cloudinit.img \
        --cpus boot=8 \
        --memory size=0 \
        --memory-zone id=mem0,size=4G,host_numa_node=0 \
        --net "tap=,mac=12:34:56:78:90:ab,ip=192.168.249.1,mask=255.255.255.0" \
        --serial tty \
        --console off

When tap=  is left empty, Cloud Hypervisor will create a tap device with the default naming vmtapN where N is 0,1,2,3 and so on. mac= can be any valid MAC address. The ip= value will later be the default gateway IP for the guest.

Let's say the host is connected to the internet via the eth0 interface. We need to define iptables rules to enable traffic to be routed between vmtap0 and eth0. Here are the rules:

sudo iptables -A INPUT -i vmtap0 -j ACCEPT
sudo iptables -A INPUT -i vmtap0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

sudo iptables -A FORWARD -i eth0 -o vmtap0 -j ACCEPT
sudo iptables -A FORWARD -i vmtap0 -o eth0 -j ACCEPT

sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

Next, configure a static IP for the guest via cloud-init. Here are the contents of my cloud-init network-config file:

version: 2
ethernets:
  id0:
    match:
       macaddress: 12:34:56:78:90:ab
    addresses: [192.168.249.55/24]
    gateway4: 192.168.249.1

The above file configures 192.168.245.55 as the guest IP.

The last thing to do is to configure a DNS server in the guest (/etc/resolv.conf). Configure any public DNS server you like.

And that's it! The guest should now be able to connect to the internet.

Location: India

Comments

Post a Comment

Popular posts from this blog

Problem discussion: ShufflingCardsDiv2 - Topcoder SRM 641 900pt

Topcoder SRM 641 happened a few days ago and featured an unusually easy problem set for division 2. Before continuing reading the post, please read the problem statement (login required). Now that you have read the problem statement, let me state the most important fact in the problem statement The cards are shuffled exactly twice. This is very important because it makes the problem much easier. Since there are only two shuffles, there are a limited number of steps to be followed. Let’s analyze the shuffling procedure closely. In the beginning we have \(2N\) cards numbered from \(1\) to \(2N\). These cards are divided into two piles: one containing the first half cards \(1 \cdots N\) and the other containing the remaining cards. Let’s denote the cards which have number less than or equal to \(N\) as \(A\) and the others as \(B\). Now, the two piles will look like this \(\text{A A A A A …}\) \(\text{B B B B B …}\) After performing the interleaving, we will get a deck that look
Read more

Introduction to tries through Facebook Hacker Cup 2015 Round 1 - Autocomplete

Image
In the last week's post I discussed the solution to the problem "Homework" from Facebook Hacker Cup 2015 Round 1. This post is about the problem "Autocomplete" from the same round. You can  read the problem statement  available on the Facebook website. If you don't have a Facebook account, you can download problem statements from Codeforces Gym . I will re-state the problem in fewer lines. You have a new phone which has an auto-complete feature. But, it will complete your word only if there is there is no ambiguity on how the word should be completed. Formally, it will complete a word iff there is exactly one way to complete the word. It so happens that the phone's dictionary is empty by default. So, for the auto-complete feature to work, before typing a word you need to add that word to the dictionary. You need to send a message containing \(N\) words. What is the minimum number of characters must you type to send all \(N\) words? (Note that the
Read more

Problem discussion: Facebook Hacker Cup 2015 Round 1 - Homework

It's been a long time since I last wrote on this blog and a lot has happened since then. The most important of all is that my personal website is up at  anirudhrb.com  and consequently this blog can now be accessed at  blog.anirudhrb.com . Also, you can now reach through email at  mail@anirudhrb.com . Let's get down to business now. The online part of Facebook Hacker Cup 2015 concluded recently and the top 25 contestants have been selected to compete in the onsite finals. The problem I am writing about in this post appeared in the Round 1 (there were 3 rounds). The title of the problem is "Homework" and here is the abridged statement: Given three integers \(A\), \(B\) and \(K\), find the number of integers in range \(\big[A, B\big] \) that have a "primacity" of \(K\). Primacity of a number \(N\) is defined as the number of distinct prime factors of \(N\). You have to process \(T\) such queries. The constraints are as follows: \(2 \le A \le B \le 10^
Read more