Problem
Arista vEOS 4.20.15M running in vrnetlab (QEMU 7.2, hellt/vrnetlab master) cannot accept inbound SSH connections through QEMU's user-mode (slirp) networking. This blocks the lab builder from collecting show commands from vEOS nodes.
Technical Details
The vEOS VM boots successfully, SSH is confirmed running inside the VM (ssh admin@10.0.0.15 works from the VM's own console), and the QEMU hostfwd rules are configured (hostfwd=tcp:0.0.0.0:22-10.0.0.15:22). However, TCP connections to port 22 from outside the container time out during SSH banner exchange.
This was tested with:
- vEOS-lab-combined-4.20.15M.vmdk (combined Aboot+EOS image)
- vEOS-lab-4.20.15M.vmdk (non-combined image, fails vrnetlab ZTP disable due to partition layout)
- QEMU 7.2 (Debian 1:7.2+dfsg-7+deb12u18, from vrnetlab Docker image)
- Ubuntu 24.04 host on m8i.2xlarge EC2 with nested virtualization
- containerlab with
CLAB_MGMT_PASSTHROUGH=true (also fails due to vEOS launch.py hardcoding 10.0.0.15)
The Juniper vrnetlab images (vJunos-router, vJunos-switch) work fine with identical QEMU port forwarding on the same host, so the issue is specific to vEOS.
Investigation Notes
- SSH responds to
SSH-2.0-OpenSSH_6.6.1 inside the VM (verified via serial console)
- ZTP is active and continuously retrying DHCP, which may interfere with the management stack
- The combined VMDK requires ZTP disable via guestfish (
/dev/sda2 mount), but the vEOS launch.py uses vrnetlab's guestfish for this
- The non-combined VMDK has a different partition layout (
/dev/sda1 is vfat, /dev/sda2 is unknown) which breaks the ZTP disable step
- QEMU's slirp
hostfwd rules are set but ss -tlnp in the container namespace doesn't show port 22 (expected -- slirp handles this internally)
- No iptables rules block traffic (checked inside the VM)
- Port 443 (eAPI) also times out -- all port forwarding is broken, not just SSH
Scaffolding
The veos-support branch contains:
ARISTA_VEOS vendor profile in config.py- Sample
veos-ebgp topology
ec2-setup.sh updates for VMDK image building- vEOS image sha512sum files
Possible Fixes to Investigate
- Try a newer vEOS version (4.23/4.24) that may work better with QEMU 7.2 slirp
- Patch the vrnetlab vEOS launch.py to support
CLAB_MGMT_PASSTHROUGH properly (set containerlab-assigned IP instead of hardcoded 10.0.0.15)
- Try disabling ZTP via the startup-config (
zerotouch disable in config) instead of guestfish VMDK modification
- Try an older QEMU version that may have better slirp compatibility
Configuration Patterns
vEOS 4.20 is needed to test pre-4.21 EOS configuration syntax, which changed significantly around that version boundary. Batfish needs to support both old and new syntax.
Problem
Arista vEOS 4.20.15M running in vrnetlab (QEMU 7.2, hellt/vrnetlab master) cannot accept inbound SSH connections through QEMU's user-mode (slirp) networking. This blocks the lab builder from collecting show commands from vEOS nodes.
Technical Details
The vEOS VM boots successfully, SSH is confirmed running inside the VM (
ssh admin@10.0.0.15works from the VM's own console), and the QEMU hostfwd rules are configured (hostfwd=tcp:0.0.0.0:22-10.0.0.15:22). However, TCP connections to port 22 from outside the container time out during SSH banner exchange.This was tested with:
CLAB_MGMT_PASSTHROUGH=true(also fails due to vEOS launch.py hardcoding 10.0.0.15)The Juniper vrnetlab images (vJunos-router, vJunos-switch) work fine with identical QEMU port forwarding on the same host, so the issue is specific to vEOS.
Investigation Notes
SSH-2.0-OpenSSH_6.6.1inside the VM (verified via serial console)/dev/sda2mount), but the vEOS launch.py uses vrnetlab's guestfish for this/dev/sda1is vfat,/dev/sda2is unknown) which breaks the ZTP disable stephostfwdrules are set butss -tlnpin the container namespace doesn't show port 22 (expected -- slirp handles this internally)Scaffolding
The
veos-supportbranch contains:ARISTA_VEOSvendor profile inconfig.pyveos-ebgptopologyec2-setup.shupdates for VMDK image buildingPossible Fixes to Investigate
CLAB_MGMT_PASSTHROUGHproperly (set containerlab-assigned IP instead of hardcoded 10.0.0.15)zerotouch disablein config) instead of guestfish VMDK modificationConfiguration Patterns
vEOS 4.20 is needed to test pre-4.21 EOS configuration syntax, which changed significantly around that version boundary. Batfish needs to support both old and new syntax.