Bug 2095967 - [RFE]Use bridge mode by default for directly attached interfaces (or let users specify the mode during interface attach)
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 9
Classification: Red Hat
Component: cockpit-machines
Version: 9.0
Hardware: x86_64
OS: Linux
unspecified
low
Target Milestone: rc
: 9.3
Assignee: Nobody
QA Contact: YunmingYang
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2022-06-11 12:52 UTC by g.danti
Modified: 2023-11-07 09:05 UTC (History)

Fixed In Version: cockpit-machines-288-1.el9
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2023-11-07 08:24:46 UTC
Type: Bug
Target Upstream Version:
Embargoed:
pm-rhel: mirror+




Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker RHELPLAN-125038 0 None None None 2022-06-11 12:52:59 UTC
Red Hat Product Errata RHBA-2023:6336 0 None None None 2023-11-07 08:24:59 UTC

Description g.danti 2022-06-11 12:52:40 UTC
Description of problem:
When adding a directly attached interface (interface type == direct attachment), the newly created interface is configured in vepa mode (libvirt default). Considering how rare vepa-capable switches are, this means that guests with directly attached interfaces cannot talk to each other. This choice basically makes directly attached interfaces created via cockpit-machines useless.

For this reason, virt-manager automatically creates bridge-mode directly attached interfaces when selecting macvtap networking. Bridge mode enables guests to talk to each other, while ensuring the added security guarantees regarding guest-to-host networking (which is prevented by design).

While "pure" bridge networking (i.e. interface type == bridge to lan) is available, it has two significant drawbacks compared to bridge-mode directly attached interfaces: a) it is slower and b) it does not prevent guest-to-host communication by design.

Please consider changing the default for "interface type == direct attachment" to create bridge-mode macvtap interfaces. Or, at the very least, please add an option to select the interface mode (defaulting to bridge would be recommended).

Version-Release number of selected component (if applicable):
cockpit-machines-263-1.el9.noarch.rpm

How reproducible:
Always

Steps to Reproduce:
1. Add a directly attached interface via cockpit to two guests
2. Let a guest ping the other one
3. All packets are lost

Actual results:
No communication between guests is possible

Expected results:
Guest-to-guest communication should work out-of-the-box.

Additional info:
None.

Comment 2 Simon Kobyda 2023-04-04 18:25:04 UTC
This was already merged at: https://github.com/cockpit-project/cockpit-machines/pull/868

Comment 5 YunmingYang 2023-04-27 08:30:21 UTC
Test Versions:
cockpit-290-1.el9.x86_64
cockpit-machines-288-1.el9.noarch
libvirt-dbus-1.4.1-5.el9.x86_64

Test Steps:
1. Create two closed VMs
2. Remove the default network interfaces, and attach a "Direct attachment" network interface to the VMs
3. Check the VM XMLs
4. In one of the VMs, ping the other VM

Test Results:
1. After step 3, the interface source mode should be "bridge" for the VMs
2. After step 4, ping should be successful

According to the results, move status to VERIFIED.
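
The "Check the VM XMLs" step above can be automated; the following is an added example, not part of the bug report or of cockpit-machines. It reads libvirt domain XML, treats a missing `mode` attribute as the vepa default described in the report, and lists directly attached interfaces that are not in bridge mode. The guest names, MAC addresses, host device `eno1` and the helper names are constructed for illustration, and `can_talk` assumes the upstream switch is not vepa-capable.

```python
import xml.etree.ElementTree as ET

LIBVIRT_DEFAULT_MODE = "vepa"  # applied by libvirt when <source> has no mode attribute

def _domain(name, mac, source_attrs):
    # Builds a constructed, minimal domain XML; real input comes from `virsh dumpxml`.
    return (f"<domain type='kvm'><name>{name}</name><devices>"
            f"<interface type='direct'><mac address='{mac}'/>"
            f"<source {source_attrs}/><model type='virtio'/></interface>"
            f"</devices></domain>")

# Constructed samples: guest names, MACs and the host device "eno1" are made up.
SAMPLE_DOMAINS = {
    "guest-a": _domain("guest-a", "52:54:00:aa:00:01", "dev='eno1' mode='bridge'"),
    "guest-b": _domain("guest-b", "52:54:00:aa:00:02", "dev='eno1'"),  # implicit vepa
    "guest-c": _domain("guest-c", "52:54:00:aa:00:03", "dev='eno1' mode='bridge'"),
}

def direct_interfaces(domain_xml):
    """Return [(mac, host_dev, effective_mode)] for each type='direct' interface."""
    found = []
    root = ET.fromstring(domain_xml)
    for iface in root.findall("./devices/interface[@type='direct']"):
        source = iface.find("source")
        mac = iface.find("mac")
        if source is None:
            continue  # malformed entry: nothing to evaluate
        found.append((mac.get("address") if mac is not None else None,
                      source.get("dev"),
                      source.get("mode") or LIBVIRT_DEFAULT_MODE))
    return found

def audit(domains):
    """Return sorted (guest, mac, host_dev, mode) for macvtap interfaces not in bridge mode."""
    return sorted((guest, mac, dev, mode)
                  for guest, xml in domains.items()
                  for mac, dev, mode in direct_interfaces(xml)
                  if mode != "bridge")

def can_talk(domains, a, b):
    """True if both guests have a bridge-mode macvtap on the same host device."""
    def bridged(guest):
        return {dev for _, dev, mode in direct_interfaces(domains[guest]) if mode == "bridge"}
    return bool(bridged(a) & bridged(b))

if __name__ == "__main__":
    for finding in audit(SAMPLE_DOMAINS):
        print("not bridge mode:", finding)
```
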

Comment 8 errata-xmlrpc 2023-11-07 08:24:46 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (cockpit-machines bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:6336

