Re: [Libvir] libvirt & vde_switch
On Tue, 2008-02-05 at 00:25 +0000, Daniel P. Berrange wrote:
The main problem I know of is not VDE itself, but the means of
connecting
a VDE network to the outside world - namely the SLIRP code. Last time it
was examined it was found to be non-64-bit clean & have significant question
around security. We wondered about whether it would be possible to have a
privileged helper for creating tap devices which could be used to connect
the VDE network to the outside world. Its possible, but the devil's in the
details & how you constrain access to not conflict with host networking.
Nice summary ... that's exactly it.
The sound part of VDE is it's ability to behave as a userspace ethernet
bridge. The nasty part is its TCP/IP stack - which is equivalent to
"qemu -net user".
The ideal situation would be to allow unprivileged processes use the
kernel network stack rather than implementing a whole new stack. We
knocked around some ideas on that front but didn't come to any concrete
conclusions.
Cheers,
Mark.