libvir-list-bounces@redhat.com wrote on 08/06/2012 11:18:31 AM:
From:
Laine Stump <laine@laine.org>
To:
libvir-list@redhat.com
Date:
08/06/2012 11:27 AM
Subject:
Re: [libvirt] [Patch v3 0/3] Add QEMU network helper support
Sent by:
libvir-list-bounces@redhat.com
On 08/06/2012 10:56 AM, Michal Privoznik wrote:
From: Richa Marwaha <rmarwah@linux.vnet.ibm.com>
QEMU has a new feature which allows QEMU to execute under an unprivileged user ID and still be able to add a tap device to a Linux network bridge. [...] So I've went ahead, reviewed, ACKed and pushed whole series. I suggest is worth adding some kind of documentation (either a wiki
On 03.08.2012 22:33, rmarwah@linux.vnet.ibm.com wrote: page, or mention it somewhere in docs/ docs/drvqemu.html.in perhaps?) - how to set up bridge-helper.
Yes, it's a bit odd to figure out the right place to document it, since there is no setup done within libvirt - libvirt just silently takes advantage of it if it's there.
By the way, I had earlier expressed concern about the eventuality that we support bridged networking for non-privileged users directly within libvirt (via a separate libvirt-networkd and policykit), and the case where someone had a working config using the qemu helper - I was worried that this person's setup might stop working as a result of the upgrade which changed to the newer method of setting up the network (e.g. if something needed to be configured to allow that user access via policykit, and hadn't been done yet). Since then I've realized that we can handle that problem by continuing to fall back to the qemu helper when this (for now mythical) new method fails. That removes my only concern about this series.
Another issue though - a patch for AppArmor has been included, but I'm unclear of whether this needs something done for selinux (either in libvirt itself, or in selinux-policy). Does somebody have the updated qemu installed on a system with selinux enabled, and could you give it a try?
selinux already has the policies to allow qemu helper , here is the link to the patch adding the policies http://git.fedorahosted.org/cgit/selinux-policy.git/diff/?id=56e0a4b775f29ec... It will be upstream in Fedora. Regards Richa
-- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list