passt (https://passt.top) provides a method for connecting a guest to the larger network without requiring any elevated privileges. This set of patches allows libvirt/QEMU users to easily configure a QEMU domain to use passt for the backend of any emulated network interface. More details are in the individual patches, but the short explanation is that you will use:

    <interface type='user'>
      <backend type='passt'>
      ...

to select the passt backend. (We decided to do it this way since the concept is so similar to slirp, which was the original "type='user'")

The following caveats currently apply:

1) passt support requires "-netdev stream" in QEMU, which is only available starting with qemu-7.2.0. So if you want to test these patches out, you need the latest upstream release of QEMU.

2) SELinux must be set to "permissive". This is of course temporary. As I understand it, the remedy to this is a new SELinux profile for the passt binary, which is outside the control of libvirt and so not something that can be addressed in this patchset (or any other patch to libvirt).

3) Although there is a new option for QEMU's -netdev that will tell QEMU to attempt to reconnect to a new incarnation of the same socket if passt unexpectedly exits, and a new QEMU event that will be put into QEMU to inform libvirt that the passt process has exited (so that it can start a new, identical passt process), I think this hasn't been pushed upstream yet (??), and I haven't implemented any support for it here. So, if the passt process unexpectedly exits, the guest will be without networking. However, Stefano (passt author) is emphatic that passt will never unexpectedly exit :-)

passt has *many* other options that libvirt could support, but the small subset here are the things that seem most useful (and/or were specifically requested by prospective users of passt). It is always easier to add more stuff in the future than to remove "mistakes", so I tried to not go overboard.

Laine Stump (9):
  conf: rename virDomainNetBackend* to virDomainNetDriver*
  conf: move anonymous backend struct from virDomainNetDef into its own struct
  conf: put interface <backend> parsing/formatting separate functions
  conf: add passt XML additions to schema
  conf: parse/format passt-related XML additions
  qemu: new capability QEMU_CAPS_NETDEV_STREAM
  qemu: add passtStateDir to qemu driver config
  qemu: hook up passt config to qemu domains
  specfile: require passt for the build if fedora >= 36 or rhel >= 9

 docs/formatdomain.rst | 95 +++++-
 libvirt.spec.in | 7 +
 meson.build | 1 +
 po/POTFILES | 1 +
 src/conf/domain_conf.c | 303 ++++++++++++++++--
 src/conf/domain_conf.h | 64 +++-
 src/conf/domain_validate.c | 32 +-
 src/conf/schemas/domaincommon.rng | 65 ++++
 src/conf/virconftypes.h | 6 +
 src/libvirt_private.syms | 1 +
 src/qemu/meson.build | 2 +
 src/qemu/qemu_capabilities.c | 4 +
 src/qemu/qemu_capabilities.h | 3 +
 src/qemu/qemu_command.c | 11 +-
 src/qemu/qemu_command.h | 3 +-
 src/qemu/qemu_conf.c | 2 +
 src/qemu/qemu_conf.h | 1 +
 src/qemu/qemu_domain.c | 5 +-
 src/qemu/qemu_domain.h | 3 +-
 src/qemu/qemu_driver.c | 12 +
 src/qemu/qemu_extdevice.c | 25 +-
 src/qemu/qemu_hotplug.c | 26 +-
 src/qemu/qemu_interface.c | 8 +-
 src/qemu/qemu_passt.c | 284 ++++++++++++++++
 src/qemu/qemu_passt.h | 38 +++
 src/qemu/qemu_process.c | 1 +
 src/qemu/qemu_validate.c | 9 +-
 src/security/virt-aa-helper.c | 2 +-
 .../caps_7.2.0.x86_64.xml | 1 +
 tests/qemuxml2argvdata/net-user-passt.args | 34 ++
 .../net-user-passt.x86_64-latest.args | 37 +++
 tests/qemuxml2argvdata/net-user-passt.xml | 57 ++++
 tests/qemuxml2argvtest.c | 2 +
 tests/qemuxml2xmloutdata/net-user-passt.xml | 1 +
 tests/qemuxml2xmltest.c | 1 +
 35 files changed, 1087 insertions(+), 60 deletions(-)
 create mode 100644 src/qemu/qemu_passt.c
 create mode 100644 src/qemu/qemu_passt.h
 create mode 100644 tests/qemuxml2argvdata/net-user-passt.args
 create mode 100644 tests/qemuxml2argvdata/net-user-passt.x86_64-latest.args
 create mode 100644 tests/qemuxml2argvdata/net-user-passt.xml
 create mode 120000 tests/qemuxml2xmloutdata/net-user-passt.xml

--
2.38.1