Dev Ups

Published 2022-02-06 in networking

Assign an Internet address to a Vagrant VM

I evaluate the pros and cons of giving each VM its own IP address. After that I look at a "better" alternative, port-forwarding.

Allocating an IP

In order to be able to SSH in to a dedicated (private) IP address this line belongs near the top of the Vagrantfile:

config.vm.network :private_network, ip: "192.168.68.8"

We are free to choose the fourth octet here, but I avoid using .1 as that is used by the host, as we are about to see.

Cost of an IP

Allocating an IP is a very simple solution for VM users. Any difficulties are transferred to the aspiring sysadmin. Here's the dent it caused to my networking config (ipconfig /all) in Windows:

Ethernet adapter VirtualBox Host-Only Network #2:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : VirtualBox Host-Only Ethernet Adapter #2
   Physical Address. . . . . . . . . : 0A-30-47-21-00-5A
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::91c6:7f24:df8d:4afe%49(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.68.1(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . :
   DHCPv6 IAID . . . . . . . . . . . : 822738983
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-29-14-2F-3B-64-6C-80-CC-22-2B
   DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%1
                                       fec0:0:0:ffff::2%1
                                       fec0:0:0:ffff::3%1
   NetBIOS over Tcpip. . . . . . . . : Enabled

This is VirtualBox's second adapter. The first adapter is always present on Windows (only) once VirtualBox is installed. It has an IP address on the guest too, by default. It prefers 192.168.56.1. I can't do anything other than ping it from the guest:

IPv4 Address. . . . . . . . . . . : 192.168.56.1(Preferred)

I wanted to be sure about this, so I repeated it on a fresh installation of Windows (10, Pro). The only warning given was that VirtualBox 6.1.32 would "reset your network connection and temporarily disconnect you from the network." That was followed by a prompt to install more stuff:

Installing Oracle Network Adapters

Install the Oracle Network Adapters. These are removed if and when VirtualBox gets uninstalled.

I've since repeated this on a fresh Windows 11 installation. I'm running VirtualBox 7.0.x by this time. It doesn't prompt to install Oracle Network Adapters.

Cost on Linux

On Linux, the Host Network Adapter table is empty in VirtualBox. ip a shows only the loopback device and my WiFi.

When I launch my first VM to have its own private IP address, an address is created on the guest corresponding to this on the host:

3: vboxnet0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 0a:00:27:00:00:00 brd ff:ff:ff:ff:ff:ff
    inet 192.168.68.1/24 brd 192.168.68.255 scope global vboxnet0
       valid_lft forever preferred_lft forever
    inet6 fe80::800:27ff:fe00:0/64 scope link 
       valid_lft forever preferred_lft forever

vboxnet0 also now shows up in VirtualBox's Host Network Manager. vagrant destroy does not undo these additions. The difference if my VM has its own IP and not just a port is that vboxnet0 gets the lines beginning inet and inet6. Ordinarily it would need just the layer-2/MAC address (link/ether, above).

Benefit of an IP

The VM on the new interface only requires apt-get install apache2 and I can cURL a webpage from 192.168.68.8. The guest, however, cannot ping the Windows host on 192.168.68.1.

The other benefit is only apparent when we consider the alternative; an IP is the more natural virtualisation of a network adapter.

Cleaning up

Upon deleting this VM with vagrant destroy, "Ethernet adapter VirtualBox Host-Only Network #2:" stubbornly remained in place.

For Windows, I like using Device Manager to delete them en masse.

Using device manager to uninstall virtualbox network

Even better is using VirtualBox itself to clean up. Ctrl+H or

First find the network manager tool

"Remove host network" feels more appropriate than "uninstalling", as Windows might call it:

Remove host network

The problem remains that these are very manual solutions, prone to neglect, and it appears that Windows can't avoid using the first virtual adapter for default networking of the VMs.

For Linux, VirtualBox's interface should again be preferred. It's easy to spot the virtual entries in, e.g., ip a results. They are succinctly named, like 4: vboxnet0. Since most network engineers will be Linux-based, or Linux users tend to do more network engineering, it should be less anxiety-inducing to just leave them be.

Port forwarding alternative

Vagrant network configuration uses an ssh id to select the SSH port that is used by both vagrant ssh and ssh vagrant@10.0.2.2 -p 10022:

config.vm.network :forwarded_port, guest: 22, host: 10022, id: 'ssh'

ssh vagrant@10.0.2.2 only works on Windows. On Linux, ssh vagrant@127.0.0.1 is used from the host. Communication between guests uses 10.0.2.2 regardless of OS. who, on the guest, still reveals that address.
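Vagrant's documentation for forwarded ports states that a port declared without host_ip is bound to every IP on the host, so the forwarded SSH port is reachable from the host's LAN and not only from the host itself. The following check is an added example, not code from the original post: it flags forwarded_port lines that omit host_ip. The sample Vagrantfile is constructed from the two network lines above plus hypothetical port 80 and 443 entries.

```ruby
# Added example: audit forwarded_port entries in Vagrantfile text.
# A forwarded port without host_ip is bound to every host IP (Vagrant docs),
# which exposes the guest service beyond the host machine.

LOOPBACK = /\A(127\.\d+\.\d+\.\d+|::1|localhost)\z/

# Constructed sample: the post's two network lines, a loopback-bound
# forward (hypothetical ports) and a commented-out entry.
SAMPLE_VAGRANTFILE = <<~'RUBY'
  Vagrant.configure("2") do |config|
    config.vm.network :private_network, ip: "192.168.68.8"
    config.vm.network :forwarded_port, guest: 22, host: 10022, id: 'ssh'
    config.vm.network :forwarded_port, guest: 80, host: 8080, host_ip: "127.0.0.1"
    # config.vm.network :forwarded_port, guest: 443, host: 8443
  end
RUBY

# Extract one option value (quoted string or integer) from a network line.
def option(line, key)
  m = line.match(/\b#{key}:\s*(?:"([^"]*)"|'([^']*)'|(\d+))/)
  m && (m[1] || m[2] || m[3])
end

# Classify how a forwarded port binds on the host.
def exposure_for(host_ip)
  return :all_interfaces if host_ip.nil? || host_ip.empty?
  host_ip.match?(LOOPBACK) ? :loopback_only : :single_address
end

# Returns one hash per active forwarded_port line.
def audit_forwarded_ports(vagrantfile_text)
  vagrantfile_text.each_line.with_index(1).filter_map do |line, lineno|
    code = line.sub(/#.*/, "") # drop comments (simple: no '#' inside strings)
    next unless code.match?(/\.vm\.network\s*\(?\s*:forwarded_port\b/)
    host_ip = option(code, "host_ip")
    { line: lineno, guest: option(code, "guest").to_i,
      host: option(code, "host").to_i, host_ip: host_ip,
      exposure: exposure_for(host_ip) }
  end
end

if __FILE__ == $PROGRAM_NAME
  audit_forwarded_ports(SAMPLE_VAGRANTFILE).each do |f|
    puts format("line %d: host port %d -> guest port %d binds %s",
                f[:line], f[:host], f[:guest], f[:exposure])
  end
end
```

Adding host_ip: "127.0.0.1" to a flagged line restricts it to the host's loopback interface.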

Conclusion

My preference would be against assigning an IP to each VM as a means of inter-VM communication. I can accomplish inter-VM communication with port forwarding.

Port forwarding required some investigation. The IP address that links the guests when using port forwarding is outside both of the subnets seen above: the one given by the static IP allocation and the one belonging to VirtualBox's default virtual Ethernet adaptor on Windows, 192.168.56.1/24.

Guests without an explicit IP address get implicitly linked, via the host, on 10.0.2.2, as seen beside "Last login", upon login. You can double check this using the who command.

This solution began with the networking layer. Port numbers are part of TCP and slightly more abstract. Being standards, there is no great jeopardy in building solutions around them. The details of authentication and authorization are still constantly evolving.


6 months later:

After exploring authentication and TLS in more detail, I changed my conclusion with: Overcoming the fear of doling out IPs to Vagrant VMs

When I initially wrote this post, I did not appreciate that port redirects, from say port 80 to port 443, are broken by forwarding a single port. I don't have a solution to this other than to avoid port forwarding.