On Tue, Aug 27, 2019 at 09:46:36PM -0400, Laine Stump wrote:
> If managed='no', then the tap device must already exist, and setting
> of MAC address and online status (IFF_UP) is skipped.
>
> NB: we still set IFF_VNET_HDR and IFF_MULTI_QUEUE as appropriate,
> because those bits must be properly set in the TUNSETIFF we use to set
> the tap device name of the handle we've opened - if IFF_VNET_HDR has
> not been set and we set it the request will be honored even when
> running libvirtd unprivileged; if IFF_MULTI_QUEUE is requested to be
> different than how it was created, that will result in an error from
> the kernel. This means that you don't need to pay attention to
> IFF_VNET_HDR when creating the tap devices, but you *do* need to set
> IFF_MULTI_QUEUE if you're going to use multiple queues for your tap
> device.
>
> NB2: /dev/vhost-net normally has permissions 600, so it can't be
> opened by an unprivileged process. This would normally cause a warning
> message when using a virtio net device from an unprivileged
> libvirtd. I've found that setting the permissions for /dev/vhost-net
> permits unprivileged libvirtd to use vhost-net for virtio devices, but
> have no idea what sort of security implications that has. I haven't
> changed libvirt's code to avoid *attempting* to open /dev/vhost-net -
> if you are concerned about the security of opening up permissions of
> /dev/vhost-net (probably a good idea at least until we ask someone who
> knows about the code) then add <driver name='qemu'/> to the interface
> definition and you'll avoid the warning message.
>
> Note that virNetDevTapCreate() is the correct function to call in the
> case of an existing device, because the same ioctl() that creates a
> new tap device will also open an existing tap device.
>
> Resolves: https://bugzilla.redhat.com/1723367 (partially)
> Signed-off-by: Laine Stump <laine@xxxxxxxxxx>
> ---
>  src/qemu/qemu_interface.c                     | 77 +++++++++++--------
>  src/qemu/qemu_process.c                       |  2 +-
>  src/util/virnetdev.h                          |  2 +-
>  .../net-eth-unmanaged-tap.args                | 32 ++++++++
>  tests/qemuxml2argvmock.c                      | 16 +++-
>  tests/qemuxml2argvtest.c                      |  1 +
>  6 files changed, 96 insertions(+), 34 deletions(-)
>  create mode 100644 tests/qemuxml2argvdata/net-eth-unmanaged-tap.args

Reviewed-by: Daniel P. Berrangé <berrange@xxxxxxxxxx>

Regards,
Daniel
--
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
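
The attach step the commit message describes (TUNSETIFF against a tap device that already exists), as an added example that is not part of the original mail and is not libvirt's code. The helper names, the default name "tap0" and the if_nametoindex() existence check are assumptions of this example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/ioctl.h>
#include <net/if.h>
#include <linux/if_tun.h>

/* Flags for TUNSETIFF. Per the mail: IFF_VNET_HDR may be requested at
 * attach time, IFF_MULTI_QUEUE must match how the device was created. */
short tap_attach_flags(int vnet_hdr, int multi_queue)
{
    short flags = IFF_TAP | IFF_NO_PI;
    if (vnet_hdr) flags |= IFF_VNET_HDR;
    if (multi_queue) flags |= IFF_MULTI_QUEUE;
    return flags;
}

/* Attach to a pre-created tap device. Returns an fd, or -errno.
 * Hypothetical helper, not libvirt's virNetDevTapCreate(). */
int tap_open_existing(const char *ifname, short flags)
{
    struct ifreq ifr;
    int fd, err;

    if (!ifname || !*ifname) return -EINVAL;
    if (strlen(ifname) >= IFNAMSIZ) return -ENAMETOOLONG;
    /* TUNSETIFF also creates devices, so insist the name already exists
     * (assumption of this example; a best-effort check, not atomic). */
    if (if_nametoindex(ifname) == 0) return -ENODEV;

    fd = open("/dev/net/tun", O_RDWR | O_CLOEXEC);
    if (fd < 0) return -errno;
    memset(&ifr, 0, sizeof(ifr));
    memcpy(ifr.ifr_name, ifname, strlen(ifname) + 1);
    ifr.ifr_flags = flags;
    if (ioctl(fd, TUNSETIFF, &ifr) < 0) { /* e.g. queue-mode mismatch */
        err = errno; close(fd); return -err;
    }
    return fd;
}

int main(int argc, char **argv)
{   /* "tap0" is a constructed default device name */
    int fd = tap_open_existing(argc > 1 ? argv[1] : "tap0", tap_attach_flags(1, 0));
    if (fd < 0) { fprintf(stderr, "attach failed: %s\n", strerror(-fd)); return 1; }
    printf("attached, fd=%d\n", fd);
    close(fd);
    return 0;
}
```
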