Bug 1760851 - incorrect MAC address for host virtual bridge network interface (virbr0)
Summary: incorrect MAC address for host virtual bridge network interface (virbr0)
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: libvirt
Version: 31
Hardware: Unspecified
OS: Linux
unspecified
low
Target Milestone: ---
Assignee: Laine Stump
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2019-10-11 13:29 UTC by Cristian Ciupitu
Modified: 2019-11-16 00:23 UTC (History)
13 users (show)

Fixed In Version: libvirt-5.6.0-5.fc31
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-11-16 00:23:26 UTC
Type: Bug
Embargoed:

Attachments (Terms of Use)

Description Cristian Ciupitu 2019-10-11 13:29:54 UTC 
Description of problem:
I have a Windows virtual machine connected to the host by a virtual network (named "default") with NAT forwarding. For this libvirt creates a network interface (virbr0) on the host and runs a DHCP server (dnsmasq) listening on it. Unfortunately the MAC address of the interface is not what I want, so the Windows guest asks me to what kind of network it's connected - home, work or public.

Version-Release number of selected component (if applicable):
libvirt-5.6.0-4.fc31.src.rpm

How reproducible:
Every time

Steps to Reproduce:
1. Create a virtual network with NAT forwarding similar to this:  
  <network>
    <name>default</name>
    <uuid>df9804c1-827d-4b2b-b836-10a00ee5343e</uuid>
    <forward mode="nat">
      <nat>
        <port start="1024" end="65535"/>
      </nat>
    </forward>
    <bridge name="virbr0" stp="on" delay="0"/>
    <mac address="52:54:00:e7:29:fa"/>
    <ip address="192.168.122.1" netmask="255.255.255.0">
      <dhcp>
        <range start="192.168.122.2" end="192.168.122.254"/>
      </dhcp>
    </ip>
  </network>


2. Start the network

Actual results:
9: virbr0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default qlen 1000
    link/ether fa:b8:9b:41:4d:ad brd ff:ff:ff:ff:ff:ff
    inet 192.168.122.1/24 brd 192.168.122.255 scope global virbr0
       valid_lft forever preferred_lft forever
10: virbr0-nic: <BROADCAST,MULTICAST> mtu 1500 qdisc fq_codel master virbr0 state DOWN group default qlen 1000
    link/ether 52:54:00:e7:29:fa brd ff:ff:ff:ff:ff:ff

Expected results:
The network interface virbr0 should have the MAC address specified in the XML (XPath /network/mac/@address), i.e. 52:54:00:e7:29:fa.

Additional info:
kernel-5.3.5-300.fc31.x86_64

I had no problems until last week when I upgraded from Fedora 30 to Fedora 31 (with dnf-plugin-system-upgrade).
Comment 1 Cristian Ciupitu 2019-10-11 14:07:11 UTC 
I have enabled the @virtmaint-sig/virt-preview COPR (libvirt-5.8.0-1.fc31.src.rpm), yet the issue persists.
Comment 2 Beniamino Galvani 2019-10-12 11:51:53 UTC 
I think this is caused by systemd turning on MACAddressPolicy=persistent for virtual devices like bond/bridges/etc, see:

https://github.com/systemd/systemd/blob/master/NEWS#L499
https://github.com/systemd/systemd/issues/3374
Comment 3 Cristian Ciupitu 2019-10-12 14:02:12 UTC 
# systemctl status systemd-networkd.service 
● systemd-networkd.service - Network Service
   Loaded: loaded (/usr/lib/systemd/system/systemd-networkd.service; disabled; vendor preset: disabled)
   Active: inactive (dead)
Comment 4 Beniamino Galvani 2019-10-12 15:10:55 UTC 
(In reply to Cristian Ciupitu from comment #3)
> # systemctl status systemd-networkd.service 
> ● systemd-networkd.service - Network Service
>    Loaded: loaded (/usr/lib/systemd/system/systemd-networkd.service;
> disabled; vendor preset: disabled)
>    Active: inactive (dead)

It doesn't matter, the MAC change is performed by udev. To verify if the issue is related to MACAddressPolicy, you can add a file /etc/systemd/network/98-bridge-inherit-mac.link containing:

[Match]
Type=bridge
[Link]
MACAddressPolicy=none

This should restore the old behavior.
Comment 5 Laine Stump 2019-10-14 19:57:33 UTC 
That's interesting information, but if it's going to take a modification to restore previous behavior, then libvirt will just need to explicitly set the MAC address rather than relying on it being set to the lowest numbered MAC of attached devices.

Back in 2011 when we first encountered the problem reported by Cristian, the ability to explicitly set a MAC address for a bridge device was very new, and not many of the distros supported by libvirt yet supported that feature. Since attaching a dummy tap device with the desired MAC address worked properly for all distros, we chose to implement it that way.

In 2019, upstream libvirt no longer supports even RHEL6, which was newly released at the time the bug was fixed, and which *did* have the ability to explicitly set the bridge MAC address. So I think now it is safe to set the MAC address in this way (although I think we will have to keep the virbrN-nic "dummy tap" device around for IPv6 DAD anyway).

I've tried a couple different patches (one that provides the mac address in the netlink message that creates it, another that separately sets the MAC after creation). Both work, and I'm going to figure out the cleanest way to deal with it and send a patch upstream.

Once it's in, we should see if we can get it added into F31 before GA, so that users with Windows guests aren't surprised by the "New Network Connection" dialog after upgrading.
Comment 6 Laine Stump 2019-10-18 02:01:12 UTC 
I just posted a two patch series to fix this to libvir-list:

https://www.redhat.com/archives/libvir-list/2019-October/msg01146.html
Comment 7 Laine Stump 2019-11-08 03:12:13 UTC 
Pushed upstream, will be in libvirt-5.10.0:

commit b596d6c106cd87d6d452c5dd4ad923a034544fbf
Author: Laine Stump <laine>
Date:   Wed Oct 16 14:06:54 2019 -0400

    util: allow sending mac addr to virNetNewLink without ifindex
    
commit 13ec827052fcd79a4350f499aab5f4aa20ea83fa
Author: Laine Stump <laine>
Date:   Thu Oct 17 21:12:30 2019 -0400

    util: set bridge device MAC address explicitly during virNetDevBridgeCreate
Comment 8 Laine Stump 2019-11-08 03:15:35 UTC 
Cole, what's the accepted method of getting patches into a Fedora build these days? The upstream maintenance branches seem to have fallen out of favor.

(This should get into F31 as soon as reasonably possible, since it's going to create problems for anyone with Windows guests when they upgrade).
Comment 9 Cole Robinson 2019-11-11 12:46:56 UTC 
(In reply to Laine Stump from comment #8)
> Cole, what's the accepted method of getting patches into a Fedora build
> these days? The upstream maintenance branches seem to have fallen out of
> favor.
> 
> (This should get into F31 as soon as reasonably possible, since it's going
> to create problems for anyone with Windows guests when they upgrade).

Process is set the bug to POST and reference the upstream commit, and I'll scoop it up eventually.
If it's timely then additionally a ping in the bug or IRC/mail is good too
I'll do a build for this today
Comment 10 Cristian Ciupitu 2019-11-11 16:07:07 UTC 
What about the copr.fedorainfracloud.org/group_virtmaint-sig/virt-preview repository? Can the patch get there sooner?
Comment 11 Fedora Update System 2019-11-11 20:50:12 UTC 
FEDORA-2019-8a6d24ceec has been submitted as an update to Fedora 31. https://bodhi.fedoraproject.org/updates/FEDORA-2019-8a6d24ceec
Comment 12 Fedora Update System 2019-11-13 04:56:55 UTC 
libvirt-5.6.0-5.fc31 has been pushed to the Fedora 31 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-8a6d24ceec
Comment 13 Fedora Update System 2019-11-16 00:23:26 UTC 
libvirt-5.6.0-5.fc31 has been pushed to the Fedora 31 stable repository. If problems still persist, please make note of it in this bug report.
Note You need to log in before you can comment on or make changes to this bug.