passt (https://passt.top) provides a method for connecting a guest to
the larger network without requiring any elevated privileges. This set
of patches allows libvirt/QEMU users to easily configure a QEMU domain to
use passt for the backend of any emulated network interface.

More details are in the individual patches, but the short explanation is that
you will use:

  <interface type='user'>
    <backend type='passt'>
    ...

to select the passt backend. (We decided to do it this way since the
concept is so similar to slirp, which was the original "type='user'".)

The following caveats currently apply:

1) passt support requires "-netdev stream" in QEMU, which is only
available starting with qemu-7.2.0. So if you want to test these
patches out, you need the latest upstream release of QEMU.
2) SELinux must be set to "permissive". This is of course
temporary. As I understand it, the remedy to this is a new SELinux
profile for the passt binary, which is outside the control of
libvirt and so not something that can be addressed in this patchset
(or any other patch to libvirt).
3) Although there is a new option for QEMU's -netdev that will tell
QEMU to attempt to reconnect to a new incarnation of the same
socket if passt unexpectedly exits, and a new QEMU event that will
be put into QEMU to inform libvirt that the passt process has
exited (so that it can start a new, identical passt process), I
think this hasn't been pushed upstream yet (??), and I haven't
implemented any support for it here. So, if the passt process
unexpectedly exits, the guest will be without networking. However,
Stefano (passt author) is emphatic that passt will never
unexpectedly exit :-)

passt has *many* other options that libvirt could support, but the
small subset here are the things that seem most useful (and/or were
specifically requested by prospective users of passt). It is always
easier to add more stuff in the future than to remove "mistakes", so I
tried to not go overboard.

Laine Stump (9):
conf: rename virDomainNetBackend* to virDomainNetDriver*
conf: move anonymous backend struct from virDomainNetDef into its own
struct
conf: put interface <backend> parsing/formatting separate functions
conf: add passt XML additions to schema
conf: parse/format passt-related XML additions
qemu: new capability QEMU_CAPS_NETDEV_STREAM
qemu: add passtStateDir to qemu driver config
qemu: hook up passt config to qemu domains
specfile: require passt for the build if fedora >= 36 or rhel >= 9
docs/formatdomain.rst | 95 +++++-
libvirt.spec.in | 7 +
meson.build | 1 +
po/POTFILES | 1 +
src/conf/domain_conf.c | 303 ++++++++++++++++--
src/conf/domain_conf.h | 64 +++-
src/conf/domain_validate.c | 32 +-
src/conf/schemas/domaincommon.rng | 65 ++++
src/conf/virconftypes.h | 6 +
src/libvirt_private.syms | 1 +
src/qemu/meson.build | 2 +
src/qemu/qemu_capabilities.c | 4 +
src/qemu/qemu_capabilities.h | 3 +
src/qemu/qemu_command.c | 11 +-
src/qemu/qemu_command.h | 3 +-
src/qemu/qemu_conf.c | 2 +
src/qemu/qemu_conf.h | 1 +
src/qemu/qemu_domain.c | 5 +-
src/qemu/qemu_domain.h | 3 +-
src/qemu/qemu_driver.c | 12 +
src/qemu/qemu_extdevice.c | 25 +-
src/qemu/qemu_hotplug.c | 26 +-
src/qemu/qemu_interface.c | 8 +-
src/qemu/qemu_passt.c | 284 ++++++++++++++++
src/qemu/qemu_passt.h | 38 +++
src/qemu/qemu_process.c | 1 +
src/qemu/qemu_validate.c | 9 +-
src/security/virt-aa-helper.c | 2 +-
.../caps_7.2.0.x86_64.xml | 1 +
tests/qemuxml2argvdata/net-user-passt.args | 34 ++
.../net-user-passt.x86_64-latest.args | 37 +++
tests/qemuxml2argvdata/net-user-passt.xml | 57 ++++
tests/qemuxml2argvtest.c | 2 +
tests/qemuxml2xmloutdata/net-user-passt.xml | 1 +
tests/qemuxml2xmltest.c | 1 +
35 files changed, 1087 insertions(+), 60 deletions(-)
create mode 100644 src/qemu/qemu_passt.c
create mode 100644 src/qemu/qemu_passt.h
create mode 100644 tests/qemuxml2argvdata/net-user-passt.args
create mode 100644 tests/qemuxml2argvdata/net-user-passt.x86_64-latest.args
create mode 100644 tests/qemuxml2argvdata/net-user-passt.xml
create mode 120000 tests/qemuxml2xmloutdata/net-user-passt.xml
--
2.38.1
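
The following is an added example, not code from this patch series or from libvirt: a small Python check that finds the interfaces in a domain XML that select the passt backend as described above, and reports whether a given QEMU version banner meets the 7.2.0 minimum from caveat 1. The sample XML, the banner strings, and the function names are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

MIN_QEMU = (7, 2, 0)  # first release with "-netdev stream", per caveat 1

# Constructed sample; uses only the elements named in the cover letter.
SAMPLE_DOMAIN = """
<domain type='kvm'>
  <devices>
    <interface type='user'>
      <backend type='passt'/>
    </interface>
    <interface type='user'/>
    <interface type='network'/>
  </devices>
</domain>
"""

def classify_interfaces(domain_xml):
    """Return one label per <interface>: 'passt', 'slirp', or its type."""
    labels = []
    for iface in ET.fromstring(domain_xml).findall("./devices/interface"):
        backend = iface.find("backend")
        if iface.get("type") != "user":
            labels.append(iface.get("type"))
        elif backend is not None and backend.get("type") == "passt":
            labels.append("passt")
        else:
            # The letter calls slirp the original type='user' backend.
            labels.append("slirp")
    return labels

def parse_qemu_version(banner):
    """Extract (major, minor, micro) from a QEMU --version banner."""
    m = re.search(r"version (\d+)\.(\d+)\.(\d+)", banner)
    if m is None:
        raise ValueError("unrecognised QEMU version banner")
    return tuple(int(x) for x in m.groups())

def passt_blockers(domain_xml, qemu_banner):
    """List reasons the domain's passt interfaces cannot start on this QEMU."""
    if "passt" not in classify_interfaces(domain_xml):
        return []
    version = parse_qemu_version(qemu_banner)
    if version < MIN_QEMU:
        return ["QEMU %d.%d.%d lacks -netdev stream (needs >= 7.2.0)" % version]
    return []
```
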