Re: ask for help to explain the network about tap

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Can any one help?

thanks



-----Yong Sheng Gong/China/IBM wrote: -----
To: Eric Blake <eblake@xxxxxxxxxx>
From: Yong Sheng Gong/China/IBM
Date: 06/17/2012 11:11AM
Cc: libvir-list@xxxxxxxxxx
Subject: Re:  ask for help to explain the network about tap

Hi Eric,
Thanks for the reply. I have a new question.
I found I cannot ping the VM with predefined tap device in domain xml from other host(means the machine other than the hyper visor is running on):
   <interface type='ethernet'>
      <mac address='f6:19:e0:6c:84:c3'/>
      <script path=''/>
      <target dev='tap10'/>
      <alias name='net0'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/>
    </interface>



But I can ping the VM with libvirtd defined tap device in domain xml from other host:
    <interface type='bridge'>
      <mac address='52:54:00:e4:2e:c1'/>
      <source bridge='br200'/>
      <target dev='vnet0'/>
      <model type='virtio'/>
      <alias name='net0'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/>
    </interface>

[root@robinlinux ~]# brctl show
bridge name    bridge id        STP enabled    interfaces
br100        8000.0021cc6d4440    no        eth0
br200        8000.0021cc6d4443    no        eth0.1000
                                                                  gw200
                                                                  tap10
                                                                   vnet0

And I can ping both of VMs from local host.

What does libvirtd do to allow the bridge to forward the packet to the tap device attached by target VM?
As far as I know all the packets destined to the bridge's ports from outside will be consumed by bridge itself, not xmit to particular port.


Thanks
Yong Sheng Gong

-----Eric Blake <eblake@xxxxxxxxxx> wrote: -----
To: Yong Sheng Gong/China/IBM@IBMCN
From: Eric Blake <eblake@xxxxxxxxxx>
Date: 06/15/2012 12:36PM
Cc: libvir-list@xxxxxxxxxx
Subject: Re:  ask for help to explain the network about tap

On 06/14/2012 08:49 PM, Yong Sheng Gong wrote:
>  
> Hi,
> I don't know who helps qemu-kvm to create and open the tap file and when if I define an interface of a kvm vm like:
>     <interface type='bridge'>
>       <mac address='52:54:00:e4:2e:c1'/>
>       <source bridge='br200'/>
>       <model type='virtio'/>
>       <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/>
>     </interface>
> 
> The qemu-kvm process's command line will be:
<snip>
> 
> Note the -netdev tap,fd=24

That's libvirtd that opened the tap file, and passed it by inheritance
to the new qemu process.  Unfortunately, this means that you can't
recreate the same qemu process without also opening the tap device
yourself the same way that libvirtd would do it.  But this approach of
fd passing is essential to security, since libvirtd intentionally
removes capabilities that prevent qemu from opening the tap itself, so
libvirtd must pass in the fd pre-opened.

Did you have specific questions about which functions in libvirt source
code open the tap device?

Also, note that libvirtd will issue an audit log event for every tapfd
that it opens and gives to qemu.  The fd number is unpredictable, but
the fact that an fd was opened as backed by a tap device is pretty easy
to follow in the audit logs.

-- 
Eric Blake   eblake@xxxxxxxxxx    +1-919-301-3266
Libvirt virtualization library http://libvirt.org



[attachment "signature.asc" removed by Yong Sheng Gong/China/IBM]

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list



[Index of Archives]     [Virt Tools]     [Libvirt Users]     [Lib OS Info]     [Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Big List of Linux Books]     [Yosemite News]     [KDE Users]     [Fedora Tools]