Daniel P. Berrange wrote:
> Being able to specify a qemu-ifdown script is reasonable, since we already
> support a qemu-ifup script, but I don't want to just add that without
> a clearer understanding of exactly what type of network config you are
> trying to achieve. So rather than describing a desired implementation, can
> you describe the deployment scenario / level of network connectivity you're
> trying to provide.

I want similar behavior to <interface type='ethernet'/> with no tap
device precreated, in a scenario where CAP_NET_ADMIN (not just write
access to /dev/net/tun) is necessary to create new tap devices and kvm
isn't running as root.

Is that an adequate description, or do I need to expand? I'm using my
ifup script to select a bridge to connect to (and actually create that
connection), and the ifdown script to clean up unused tap devices; these
scripts use sudo where necessary. The problem, though, is that these
scripts can't create the tap device themselves, so they can't use sudo
for that.

So -- just a bridge (or, rather, a selection of one of a few bridges),
but with the tap devices dynamically created in a situation where
privilege escalation is necessary for that device creation.