Quoting Eric Blake <eblake@xxxxxxxxxx>:
On 05/10/2012 09:15 AM, rmarwah@xxxxxxxxxxxxxxxxxx wrote:
From: Richa Marwaha <rmarwah@xxxxxxxxxxxxxxxxxx>
QEMU has a new feature which allows QEMU to execute under an
unprivileged user ID and still be able to add a tap device to a
Linux network bridge. Below is the link to the QEMU patches for
the bridge helper feature:
http://lists.gnu.org/archive/html/qemu-devel/2012-01/msg03562.html
The existing libvirt tap network device support for adding a tap
device to a bridge (-netdev tap) works only when connected to a
libvirtd instance running as the privileged system account 'root'.
When connected to a libvirtd instance running as an unprivileged
user (i.e. using the session URI) creation of the tap device fails
as follows:
error: Failed to start domain F14_64
error: Unable to create tap device vnet%d: Operation not permitted
With this support, creating a tap device in the above scenario will
be possible. Additionally, hot attaching a tap device to a bridge
while running when connected to a libvirtd instance running as an
unprivileged user will be possible.
Signed-off-by: Richa Marwaha <rmarwah@xxxxxxxxxxxxxxxxxx>
Signed-off-by: Corey Bryant <coreyb@xxxxxxxxxxxxxxxxxx>
---
src/qemu/qemu_command.c | 38 +++++++++++++++++++++++++-------------
src/qemu/qemu_command.h | 1 +
src/qemu/qemu_hotplug.c | 19 +++++++++++--------
3 files changed, 37 insertions(+), 21 deletions(-)
Being a new feature, I think this is too late for inclusion in 0.9.12,
but looks like a very nice feature to have post-release!
I didn't spot anything obviously wrong with the code.
Who is responsible for setting up the qemu bridge helper?
The qemu bridge helper just needs some settings for it to run. One of
them is to switch ON the setuid bit for the bridge helper exec, and the
second one is the ACL file setup. Below is the link that provides the
setup and execution information for the qemu bridge helper:
http://wiki.qemu.org/Features/HelperNetworking
Is the error
message when the bridge helper is not available (qemu too old, or helper
is not configured to run, ...) sensible, or does libvirt need an
additional qemu_capabilities.h patch to probe for the bridge helper so
that libvirt can give a sane error message?
I think we would need to provide a patch to detect that -netdev bridge
is supported in qemu_capabilities.c, but the errors that QEMU
issues for a misconfiguration of the qemu bridge helper provide enough
detail to figure out the reason.
Also will provide the AppArmor patch with the next version of the
helper patch.
https://www.redhat.com/archives/libvir-list/2012-March/msg00575.html
Eric, I have a question, as I am new to the community: would the distro
provide the bridge config (setuid and ACL file), or libvirt?
Regards
Richa Marwaha
--
Eric Blake eblake@xxxxxxxxxx +1-919-301-3266
Libvirt virtualization library http://libvirt.org
--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
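Added example (not part of this thread, and not QEMU or libvirt code): a small audit of the two settings the reply names, the helper's setuid bit and its ACL file. It assumes the ACL file uses "allow|deny <bridge>|all" rules where a matching deny overrides an allow and the default is deny; the sample ACL, bridge names and function names are constructed for illustration, and "include" lines are not handled.

```python
import stat

# Constructed sample ACL text (not from the thread). Assumed rule syntax:
# "allow <bridge>|all" or "deny <bridge>|all", with '#' comment lines.
SAMPLE_ACL = """\
# unprivileged guests may only attach to virbr0
allow virbr0
allow br0
deny br0
"""

def parse_acl(text):
    """Return a list of (action, bridge) tuples from ACL file text."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 2 or parts[0] not in ("allow", "deny"):
            # Fail closed on anything this sketch does not understand.
            raise ValueError(f"line {lineno}: unsupported rule {raw!r}")
        rules.append((parts[0], parts[1]))
    return rules

def bridge_allowed(rules, bridge):
    """Default deny; a matching deny overrides any matching allow."""
    allowed = denied = False
    for action, name in rules:
        if name in ("all", bridge):
            if action == "allow":
                allowed = True
            else:
                denied = True
    return allowed and not denied

def helper_findings(mode, uid):
    """Audit the helper binary's st_mode and st_uid (as from os.stat)."""
    findings = []
    if not mode & stat.S_ISUID:
        findings.append("setuid bit is not set")
    if uid != 0:
        findings.append("not owned by root")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("group- or world-writable setuid binary")
    return findings
```

Feed helper_findings() the st_mode and st_uid from os.stat() on the installed helper, and parse_acl() the contents of the ACL file, whose locations depend on how the distro packaged QEMU.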