On 08/06/2012 10:56 AM, Michal Privoznik wrote:
On 03.08.2012 22:33, rmarwah(a)linux.vnet.ibm.com wrote:
> From: Richa Marwaha <rmarwah(a)linux.vnet.ibm.com>
>
> QEMU has a new feature which allows QEMU to execute under an unprivileged user ID and
> still be able to add a tap device to a Linux network bridge.
> [...]
So I've gone ahead, reviewed, ACKed and pushed the whole series.
I suggest it is worth adding some kind of documentation (either a wiki
page, or mention it somewhere in docs/ docs/drvqemu.html.in perhaps?) -
how to set up bridge-helper.
Yes, it's a bit odd to figure out the right place to document it, since
there is no setup done within libvirt - libvirt just silently takes
advantage of it if it's there.
By the way, I had earlier expressed concern about the eventuality that
we support bridged networking for non-privileged users directly within
libvirt (via a separate libvirt-networkd and policykit), and the case
where someone had a working config using the qemu helper - I was worried
that this person's setup might stop working as a result of the upgrade
which changed to the newer method of setting up the network (e.g. if
something needed to be configured to allow that user access via
policykit, and hadn't been done yet). Since then I've realized that we
can handle that problem by continuing to fall back to the qemu helper
when this (for now mythical) new method fails. That removes my only
concern about this series.
Another issue though - a patch for AppArmor has been included, but I'm
unclear on whether this needs something done for selinux (either in
libvirt itself, or in selinux-policy). Does somebody have the updated
qemu installed on a system with selinux enabled, and could you give it a
try?