# Network

## Host TAP configuration

The most convenient way to provide a network device to a guest is to set up a persistent TAP
interface on the host. This section explains how to do this for basic IPv4 connectivity.

```sh
sudo ip tuntap add mode tap user $USER vnet_hdr crosvm_tap
sudo ip addr add 192.168.10.1/24 dev crosvm_tap
sudo ip link set crosvm_tap up
```

These commands create a TAP interface named `crosvm_tap` that is accessible to the current user,
configure the host to use the IP address `192.168.10.1`, and bring the interface up.

The next step is to make sure that traffic from/to this interface is properly routed:

```sh
sudo sysctl net.ipv4.ip_forward=1
# Network interface used to connect to the internet.
HOST_DEV=$(ip route get 8.8.8.8 | awk -- '{printf $5}')
sudo iptables -t nat -A POSTROUTING -o "${HOST_DEV}" -j MASQUERADE
sudo iptables -A FORWARD -i "${HOST_DEV}" -o crosvm_tap -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A FORWARD -i crosvm_tap -o "${HOST_DEV}" -j ACCEPT
```

## Start crosvm with network

The interface is now configured and can be used by crosvm:

```sh
crosvm run \
    ...
    --net tap-name=crosvm_tap \
    ...
```

## Configure network in guest

Provided the guest kernel has support for `VIRTIO_NET`, the network device should be visible and
configurable from the guest.

```sh
# Replace with the actual network interface name of the guest
# (use "ip addr" to list the interfaces)
GUEST_DEV=enp0s5
sudo ip addr add 192.168.10.2/24 dev "${GUEST_DEV}"
sudo ip link set "${GUEST_DEV}" up
sudo ip route add default via 192.168.10.1
# "8.8.8.8" is chosen arbitrarily as a default, please replace with your local (or preferred global)
# DNS provider, which should be visible in `/etc/resolv.conf` on the host.
echo "nameserver 8.8.8.8" | sudo tee /etc/resolv.conf
```

These commands assign IP address `192.168.10.2` to the guest, activate the interface, and route all
network traffic to the host. The last line also ensures DNS will work.

Please refer to your distribution's documentation for instructions on how to make these settings
persistent for the host and guest if desired.

## Device hotplug (experimental)

On a [hotplug-enabled VM](index.md#device-hotplug-experimental), a TAP device can be hotplugged
using the `virtio-net` command:

```sh
crosvm virtio-net add crosvm_tap ${VM_SOCKET}
```

Upon success, `crosvm virtio-net` will report the PCI bus number the device is plugged into:

```sh
[[time redacted] INFO crosvm] Tap device crosvm_tap plugged to PCI bus 3
```

The hotplugged device can then be configured inside the guest OS similar to a statically configured
device. (Replace `${GUEST_DEV}` with the hotplugged device, e.g.: `enp3s0`.)

Due to [sandboxing](../architecture/overview.md#sandboxing-policy), crosvm does not have `CAP_NET_ADMIN`
even if crosvm is started using sudo.
Therefore, hotplug only accepts a persistent TAP device owned
by the user running crosvm, unless
[sandboxing is disabled.](../running_crosvm/advanced_usage.md#multiprocess-mode)

The device can be removed from the guest using the PCI bus number:

```sh
crosvm virtio-net remove 3 ${VM_SOCKET}
```
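
As an added example (not part of the crosvm documentation), the script below checks on the host that a TAP device matches what this page sets up and what hotplug requires: TAP mode with `vnet_hdr`, persistent, and owned by the user who will run crosvm. It reads the TUN driver's sysfs attributes `tun_flags` and `owner`; the function names, script name and the sample flag value in the comments are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit a TAP device before passing it to crosvm.
# Flag values are the IFF_* constants from <linux/if_tun.h>.
IFF_TAP=0x0002
IFF_PERSIST=0x0800
IFF_VNET_HDR=0x4000

# tap_problems FLAGS OWNER_UID RUN_UID  (hypothetical helper name)
# Prints one line per problem found; returns 0 only if there are none.
# Constructed sample: FLAGS=0x5802 is tap|persist|no_pi|vnet_hdr.
tap_problems() (
    flags=$1 owner=$2 run_uid=$3 rc=0
    if [ $(( $flags & $IFF_TAP )) -eq 0 ]; then
        echo "not a TAP (layer 2) device"; rc=1
    fi
    if [ $(( $flags & $IFF_PERSIST )) -eq 0 ]; then
        echo "not persistent"; rc=1
    fi
    if [ $(( $flags & $IFF_VNET_HDR )) -eq 0 ]; then
        echo "created without vnet_hdr"; rc=1
    fi
    # The driver reports -1 when no owner was set at creation time.
    if [ "$owner" != "$run_uid" ]; then
        echo "owner uid is $owner, expected $run_uid"; rc=1
    fi
    return "$rc"
)

# check_tap_dev DEV [UID]: read the live attributes from sysfs and audit them.
# UID defaults to the current user, i.e. the user who will run crosvm.
check_tap_dev() (
    dev=$1 run_uid=${2:-$(id -u)} sys=/sys/class/net/$1
    if [ ! -r "$sys/tun_flags" ]; then
        echo "$dev: no such TUN/TAP interface"; return 1
    fi
    tap_problems "$(cat "$sys/tun_flags")" "$(cat "$sys/owner")" "$run_uid"
)

# Usage: sh check_tap.sh crosvm_tap [uid]
if [ "$#" -gt 0 ]; then
    check_tap_dev "$@"
fi
```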