Daniel P. Berrange wrote:
Being able to specify an qemu-ifdown script is reasonable, since we already support an qemu-ifup script, but I don't want to just add that without a clearer understanding of exactly what type of network config you are trying to achieve. So rather than describing a desired implementation can you describe the deployment scenario / level of network connectivity you're trying to provide.
I want similar behavior to <interface type='ethernet'/> with no tap device precreated, in a scenario where CAP_NET_ADMIN (not just write access to /dev/net/tun) is necessary to create new tap devices and kvm isn't running as root. Is that an adequate description, or do I need to expand? I'm using my ifup script to select a bridge to connect to (and actually create that connection), and the ifdown script to clean up unused tap devices; these scripts use sudo where necessary. The problem, though, is that these scripts can't create the tap device themselves, so they can't use sudo for that. So -- just a bridge (or, rather, a selection of one of a few bridges), but with the tap devices dynamically created in a situation where privilege escalation is necessary for that device creation.