Bug 2095967

Summary: [RFE] Use bridge mode by default for directly attached interfaces (or let users specify the mode during interface attach)
Product: Red Hat Enterprise Linux 9
Reporter: g.danti
Component: cockpit-machines
Assignee: Nobody <nobody>
Status: CLOSED ERRATA
QA Contact: YunmingYang <yunyang>
Severity: low
Priority: unspecified
Version: 9.0
CC: g.danti, kkoukiou, mmarusak, mpitt, qzhang, wshi, xchen, yalzhang, ymao, yunyang
Target Milestone: rc
Keywords: FutureFeature, Triaged
Target Release: 9.3
Flags: pm-rhel: mirror+
Hardware: x86_64
OS: Linux
Fixed In Version: cockpit-machines-288-1.el9
Doc Type: If docs needed, set a value
Last Closed: 2023-11-07 08:24:46 UTC
Type: Bug

Description g.danti 2022-06-11 12:52:40 UTC
Description of problem:
When adding a directly attached interface (interface type == direct attachment), the newly created interface is configured in vepa mode (libvirt default). Considering how rare vepa-capable switches are, this means that guests with directly attached interfaces cannot talk to each other. This choice basically makes directly attached interfaces created via cockpit-machines useless.

For this reason, virt-manager automatically creates bridge mode direct attached interfaces when selecting macvtap networking. Bridge mode enables guests to talk to each other, while ensuring the added security guarantees regarding guest to host networking (which is prevented by design).

While "pure" bridge networking (i.e. interface type == bridge to lan) is available, it has two significant drawbacks compared to bridge-mode directly attached interfaces: a) it is slower and b) it does not prevent guest to host communication by design.

Please consider changing the default for "interface type == direct attachment" to create bridge-mode macvtap interfaces. Or, at the very least, please add an option to select the interface mode (defaulting to bridge would be recommended).

Version-Release number of selected component (if applicable):
cockpit-machines-263-1.el9.noarch.rpm

How reproducible:
Always

Steps to Reproduce:
1. add a directly attached interface via cockpit to two guests
2. let a guest ping the other one
3. all packets are lost

Actual results:
No communication between guests is possible

Expected results:
Guest-to-guest communication should work out-of-the-box.

Additional info:
None.

Comment 2 Simon Kobyda 2023-04-04 18:25:04 UTC
This was already merged at: https://github.com/cockpit-project/cockpit-machines/pull/868

Comment 5 YunmingYang 2023-04-27 08:30:21 UTC
Test Versions:
cockpit-290-1.el9.x86_64
cockpit-machines-288-1.el9.noarch
libvirt-dbus-1.4.1-5.el9.x86_64

Test Steps:
1. Create two closed VMs
2. Remove the default network interfaces, and attach "Direct attachment" network interface for the VMs
3. Check the VM XMLs
4. In one of the VMs, ping the other VM

Test Results:
1. After step 3, the interface source mode should be "bridge" for the VMs
2. After step 4, ping should be successful

According to the results, move status to VERIFIED.
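
The XML check from step 3 above can be scripted. This is an added example, not part of the bug report or of cockpit-machines: it lists the `type='direct'` interfaces in libvirt domain XML and reports those whose effective mode is not `bridge`, treating a missing `mode` attribute as `vepa`. The guest names, MAC addresses and device names are constructed; real input would come from `virsh dumpxml`.

```python
import xml.etree.ElementTree as ET

LIBVIRT_DEFAULT_MODE = "vepa"  # applied by libvirt when <source> carries no mode

# Constructed sample domain XML, trimmed to the elements that matter here.
SAMPLE_DOMAINS = {
    "guest-a": """<domain type='kvm'><name>guest-a</name><devices>
        <interface type='direct'>
          <mac address='52:54:00:00:00:0a'/>
          <source dev='enp1s0' mode='bridge'/>
        </interface></devices></domain>""",
    "guest-b": """<domain type='kvm'><name>guest-b</name><devices>
        <interface type='direct'>
          <mac address='52:54:00:00:00:0b'/>
          <source dev='enp1s0'/>
        </interface>
        <interface type='bridge'>
          <mac address='52:54:00:00:00:1b'/>
          <source bridge='br0'/>
        </interface></devices></domain>""",
    "guest-c": """<domain type='kvm'><name>guest-c</name><devices>
        <interface type='direct'>
          <mac address='52:54:00:00:00:0c'/>
          <source dev='enp1s0' mode='vepa'/>
        </interface></devices></domain>""",
}

def direct_interfaces(domain_xml):
    """Return (mac, host_dev, effective_mode) for each type='direct' interface."""
    root = ET.fromstring(domain_xml)
    found = []
    for iface in root.findall("./devices/interface[@type='direct']"):
        source, mac = iface.find("source"), iface.find("mac")
        dev = source.get("dev") if source is not None else None
        mode = LIBVIRT_DEFAULT_MODE
        if source is not None:
            mode = source.get("mode", LIBVIRT_DEFAULT_MODE)
        found.append((mac.get("address") if mac is not None else None, dev, mode))
    return found

def audit(domains):
    """Map guest name -> direct interfaces whose effective mode is not 'bridge'."""
    report = {}
    for name, xml_text in domains.items():
        flagged = [i for i in direct_interfaces(xml_text) if i[2] != "bridge"]
        if flagged:
            report[name] = flagged
    return report

if __name__ == "__main__":
    for guest, ifaces in audit(SAMPLE_DOMAINS).items():
        print(guest, ifaces)
```
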

Comment 8 errata-xmlrpc 2023-11-07 08:24:46 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (cockpit-machines bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:6336