3:33 p.m.
From: Richa Marwaha <rmarwah(a)linux.vnet.ibm.com>
QEMU has a new feature which allows QEMU to execute under an unprivileged user ID and
still be able to
add a tap device to a Linux network bridge. Below is the link to the QEMU patches for the
bridge helper
feature:
http://lists.gnu.org/archive/html/qemu-devel/2012-01/msg03562.html
The existing libvirt tap network device support for adding a tap device to a bridge
(-netdev tap) works
only when connected to a libvirtd instance running as the privileged system account
'root'.
When connected to a libvirtd instance running as an unprivileged user (ie. using the
session URI) creation of
the tap device fails as follows:
error: Failed to start domain F14_64 error: Unable to create tap device vnet%d: Operation
not permitted
With this support, creating a tap device in the above scenario will be possible.
Additionally, hot attaching
a tap device to a bridge while running when connected to a libvirtd instance running as an
unprivileged user
will be possible.
Richa Marwaha (3):
Add -netdev bridge capabilities
Add -netdev bridge support
apparmor: QEMU bridge helper policy updates
AUTHORS | 1 +
examples/apparmor/libvirt-qemu | 21 ++++++++++++++-
src/qemu/qemu_capabilities.c | 13 ++++++---
src/qemu/qemu_capabilities.h | 1 +
src/qemu/qemu_command.c | 57 +++++++++++++++++++++++++++++----------
src/qemu/qemu_command.h | 2 +
src/qemu/qemu_hotplug.c | 31 ++++++++++++++-------
tests/qemuhelptest.c | 3 +-
8 files changed, 98 insertions(+), 31 deletions(-)
3:33 p.m.
New subject: [libvirt] [Patch v3 1/3] Add -netdev bridge capabilities
From: Richa Marwaha <rmarwah(a)linux.vnet.ibm.com>
This patch adds the capability in libvirt to check if
-netdev bridge option is supported or not.
Signed-off-by: Richa Marwaha <rmarwah(a)linux.vnet.ibm.com>
Signed-off-by: Corey Bryant<coreyb(a)linux.vnet.ibm.com>
---
v2
-This is a new patch that helps libvirt to check if -netdev bridge
option is supported in the qemu version that is being used to run
the guest. In v1 we didnot have the capability to check if qemu
version we are using supported -netdev bridge or not.
v3
-Fixed the QEMU_CAPS_NETDEV_BRIDGE capabilities, now it supports
QEMU_CAPS_NETDEV which was missing earlier.
-Updated the tests/qemuhelptest.c
AUTHORS | 1 +
src/qemu/qemu_capabilities.c | 13 +++++++++----
src/qemu/qemu_capabilities.h | 1 +
tests/qemuhelptest.c | 3 ++-
4 files changed, 13 insertions(+), 5 deletions(-)
diff --git a/AUTHORS b/AUTHORS
index e3eadbf..1a7a4ac 100644
--- a/AUTHORS
+++ b/AUTHORS
@@ -252,6 +252,7 @@ Patches have also been contributed by:
Sebastian Wiedenroth <wiedi(a)frubar.net>
Ata E Husain Bohra <ata.husain(a)hotmail.com>
Ján Tomko <jtomko(a)redhat.com>
+ Richa Marwaha <rmarwah(a)linux.vnet.ibm.com>
[....send patches to get your name here....]
diff --git a/src/qemu/qemu_capabilities.c b/src/qemu/qemu_capabilities.c
index 85c49a2..82a2870 100644
--- a/src/qemu/qemu_capabilities.c
+++ b/src/qemu/qemu_capabilities.c
@@ -169,6 +169,8 @@ VIR_ENUM_IMPL(qemuCaps, QEMU_CAPS_LAST,
"virtio-s390",
"balloon-event",
+ "bridge", /* 100 */
+
);
struct qemu_feature_flags {
@@ -1020,7 +1022,7 @@ qemuCapsComputeCmdFlags(const char *help,
bool check_yajl ATTRIBUTE_UNUSED)
{
const char *p;
- const char *fsdev;
+ const char *fsdev, *netdev;
if (strstr(help, "-no-kqemu"))
qemuCapsSet(flags, QEMU_CAPS_KQEMU);
@@ -1133,13 +1135,16 @@ qemuCapsComputeCmdFlags(const char *help,
if (strstr(help, "-smbios type"))
qemuCapsSet(flags, QEMU_CAPS_SMBIOS_TYPE);
- if (strstr(help, "-netdev")) {
+ if ((netdev = strstr(help, "-netdev"))) {
/* Disable -netdev on 0.12 since although it exists,
* the corresponding netdev_add/remove monitor commands
* do not, and we need them to be able to do hotplug.
* But see below about RHEL build. */
- if (version >= 13000)
- qemuCapsSet(flags, QEMU_CAPS_NETDEV);
+ if (version >= 13000) {
+ if (strstr(netdev, "bridge"))
+ qemuCapsSet(flags, QEMU_CAPS_NETDEV_BRIDGE);
+ qemuCapsSet(flags, QEMU_CAPS_NETDEV);
+ }
}
if (strstr(help, "-sdl"))
diff --git a/src/qemu/qemu_capabilities.h b/src/qemu/qemu_capabilities.h
index e8251dc..c1b67a6 100644
--- a/src/qemu/qemu_capabilities.h
+++ b/src/qemu/qemu_capabilities.h
@@ -135,6 +135,7 @@ enum qemuCapsFlags {
QEMU_CAPS_NEC_USB_XHCI = 97, /* -device nec-usb-xhci */
QEMU_CAPS_VIRTIO_S390 = 98, /* -device virtio-*-s390 */
QEMU_CAPS_BALLOON_EVENT = 99, /* Async event for balloon changes */
+ QEMU_CAPS_NETDEV_BRIDGE = 100, /* bridge helper support */
QEMU_CAPS_LAST, /* this must always be the last item */
};
diff --git a/tests/qemuhelptest.c b/tests/qemuhelptest.c
index 012ba26..75c818c 100644
--- a/tests/qemuhelptest.c
+++ b/tests/qemuhelptest.c
@@ -754,7 +754,8 @@ mymain(void)
QEMU_CAPS_IDE_CD,
QEMU_CAPS_NO_USER_CONFIG,
QEMU_CAPS_HDA_MICRO,
- QEMU_CAPS_NEC_USB_XHCI);
+ QEMU_CAPS_NEC_USB_XHCI,
+ QEMU_CAPS_NETDEV_BRIDGE);
return ret == 0 ? EXIT_SUCCESS : EXIT_FAILURE;
}
--
1.7.1
9:52 a.m.
New subject: [libvirt] [Patch v3 1/3] Add -netdev bridge capabilities
On 03.08.2012 22:33, rmarwah(a)linux.vnet.ibm.com wrote:
From: Richa Marwaha <rmarwah(a)linux.vnet.ibm.com>
This patch adds the capability in libvirt to check if
-netdev bridge option is supported or not.
Signed-off-by: Richa Marwaha <rmarwah(a)linux.vnet.ibm.com>
Signed-off-by: Corey Bryant<coreyb(a)linux.vnet.ibm.com>
---
v2
-This is a new patch that helps libvirt to check if -netdev bridge
option is supported in the qemu version that is being used to run
the guest. In v1 we didnot have the capability to check if qemu
version we are using supported -netdev bridge or not.
v3
-Fixed the QEMU_CAPS_NETDEV_BRIDGE capabilities, now it supports
QEMU_CAPS_NETDEV which was missing earlier.
-Updated the tests/qemuhelptest.c
AUTHORS | 1 +
src/qemu/qemu_capabilities.c | 13 +++++++++----
src/qemu/qemu_capabilities.h | 1 +
tests/qemuhelptest.c | 3 ++-
4 files changed, 13 insertions(+), 5 deletions(-)
ACK
Michal
3:33 p.m.
New subject: [libvirt] [Patch v3 2/3] Add -netdev bridge support
From: Richa Marwaha <rmarwah(a)linux.vnet.ibm.com>
This patch adds the support to run the QEMU network helper
under unprivileged user. It also adds the support for
attach-interface option in virsh to run under unprivileged
user.
Signed-off-by: Richa Marwaha <rmarwah(a)linux.vnet.ibm.com>
Signed-off-by: Corey Bryant<coreyb(a)linux.vnet.ibm.com>
---
src/qemu/qemu_command.c | 57 ++++++++++++++++++++++++++++++++++------------
src/qemu/qemu_command.h | 2 +
src/qemu/qemu_hotplug.c | 31 +++++++++++++++++--------
3 files changed, 65 insertions(+), 25 deletions(-)
diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c
index 6ad65a6..83b3d30 100644
--- a/src/qemu/qemu_command.c
+++ b/src/qemu/qemu_command.c
@@ -2964,6 +2964,8 @@ error:
char *
qemuBuildHostNetStr(virDomainNetDefPtr net,
+ struct qemud_driver *driver,
+ virBitmapPtr qemuCaps,
char type_sep,
int vlan,
const char *tapfd,
@@ -2972,6 +2974,7 @@ qemuBuildHostNetStr(virDomainNetDefPtr net,
bool is_tap = false;
virBuffer buf = VIR_BUFFER_INITIALIZER;
enum virDomainNetType netType = virDomainNetGetActualType(net);
+ const char *brname = NULL;
if (net->script && netType != VIR_DOMAIN_NET_TYPE_ETHERNET) {
virReportError(VIR_ERR_CONFIG_UNSUPPORTED,
@@ -2981,8 +2984,21 @@ qemuBuildHostNetStr(virDomainNetDefPtr net,
}
switch (netType) {
- case VIR_DOMAIN_NET_TYPE_NETWORK:
+ /*
+ * If type='bridge', and we're running as privileged user
+ * or -netdev bridge is not supported then it will fall
+ * through, -net tap,fd
+ */
case VIR_DOMAIN_NET_TYPE_BRIDGE:
+ if (!driver->privileged &&
+ qemuCapsGet(qemuCaps, QEMU_CAPS_NETDEV_BRIDGE)) {
+ brname = virDomainNetGetActualBridgeName(net);
+ virBufferAsprintf(&buf, "bridge%cbr=%s", type_sep, brname);
+ type_sep = ',';
+ is_tap = true;
+ break;
+ }
+ case VIR_DOMAIN_NET_TYPE_NETWORK:
case VIR_DOMAIN_NET_TYPE_DIRECT:
virBufferAsprintf(&buf, "tap%cfd=%s", type_sep, tapfd);
type_sep = ',';
@@ -5125,7 +5141,7 @@ qemuBuildCommandLine(virConnectPtr conn,
for (i = 0 ; i < def->nnets ; i++) {
virDomainNetDefPtr net = def->nets[i];
char *nic, *host;
- char tapfd_name[50];
+ char tapfd_name[50] = "";
char vhostfd_name[50] = "";
int vlan;
int bootindex = bootNet;
@@ -5162,17 +5178,26 @@ qemuBuildCommandLine(virConnectPtr conn,
if (actualType == VIR_DOMAIN_NET_TYPE_NETWORK ||
actualType == VIR_DOMAIN_NET_TYPE_BRIDGE) {
- int tapfd = qemuNetworkIfaceConnect(def, conn, driver, net,
- qemuCaps);
- if (tapfd < 0)
- goto error;
+ /*
+ * If type='bridge' then we attempt to allocate the tap fd here
only if
+ * running under a privilged user or -netdev bridge option is not
+ * supported.
+ */
+ if (actualType == VIR_DOMAIN_NET_TYPE_NETWORK ||
+ driver->privileged ||
+ (!qemuCapsGet(qemuCaps, QEMU_CAPS_NETDEV_BRIDGE))) {
+ int tapfd = qemuNetworkIfaceConnect(def, conn, driver, net,
+ qemuCaps);
+ if (tapfd < 0)
+ goto error;
- last_good_net = i;
- virCommandTransferFD(cmd, tapfd);
+ last_good_net = i;
+ virCommandTransferFD(cmd, tapfd);
- if (snprintf(tapfd_name, sizeof(tapfd_name), "%d",
- tapfd) >= sizeof(tapfd_name))
- goto no_memory;
+ if (snprintf(tapfd_name, sizeof(tapfd_name), "%d",
+ tapfd) >= sizeof(tapfd_name))
+ goto no_memory;
+ }
} else if (actualType == VIR_DOMAIN_NET_TYPE_DIRECT) {
int tapfd = qemuPhysIfaceConnect(def, driver, net,
qemuCaps, vmop);
@@ -5215,8 +5240,9 @@ qemuBuildCommandLine(virConnectPtr conn,
if (qemuCapsGet(qemuCaps, QEMU_CAPS_NETDEV) &&
qemuCapsGet(qemuCaps, QEMU_CAPS_DEVICE)) {
virCommandAddArg(cmd, "-netdev");
- if (!(host = qemuBuildHostNetStr(net, ',', vlan,
- tapfd_name, vhostfd_name)))
+ if (!(host = qemuBuildHostNetStr(net, driver, qemuCaps,
+ ',', vlan, tapfd_name,
+ vhostfd_name)))
goto error;
virCommandAddArg(cmd, host);
VIR_FREE(host);
@@ -5238,8 +5264,9 @@ qemuBuildCommandLine(virConnectPtr conn,
if (!(qemuCapsGet(qemuCaps, QEMU_CAPS_NETDEV) &&
qemuCapsGet(qemuCaps, QEMU_CAPS_DEVICE))) {
virCommandAddArg(cmd, "-net");
- if (!(host = qemuBuildHostNetStr(net, ',', vlan,
- tapfd_name, vhostfd_name)))
+ if (!(host = qemuBuildHostNetStr(net, driver, qemuCaps,
+ ',', vlan, tapfd_name,
+ vhostfd_name)))
goto error;
virCommandAddArg(cmd, host);
VIR_FREE(host);
diff --git a/src/qemu/qemu_command.h b/src/qemu/qemu_command.h
index 3ccf4d7..946a7ac 100644
--- a/src/qemu/qemu_command.h
+++ b/src/qemu/qemu_command.h
@@ -62,6 +62,8 @@ qemuBuildChrDeviceStr (virDomainChrDefPtr serial,
/* With vlan == -1, use netdev syntax, else old hostnet */
char * qemuBuildHostNetStr(virDomainNetDefPtr net,
+ struct qemud_driver *driver,
+ virBitmapPtr qemuCaps,
char type_sep,
int vlan,
const char *tapfd,
diff --git a/src/qemu/qemu_hotplug.c b/src/qemu/qemu_hotplug.c
index 71ec484..e128e58 100644
--- a/src/qemu/qemu_hotplug.c
+++ b/src/qemu/qemu_hotplug.c
@@ -695,12 +695,21 @@ int qemuDomainAttachNetDevice(virConnectPtr conn,
if (actualType == VIR_DOMAIN_NET_TYPE_BRIDGE ||
actualType == VIR_DOMAIN_NET_TYPE_NETWORK) {
- if ((tapfd = qemuNetworkIfaceConnect(vm->def, conn, driver, net,
- priv->qemuCaps)) < 0)
- goto cleanup;
- iface_connected = true;
- if (qemuOpenVhostNet(vm->def, net, priv->qemuCaps, &vhostfd) < 0)
- goto cleanup;
+ /*
+ * If type=bridge then we attempt to allocate the tap fd here only if
+ * running under a privilged user or -netdev bridge option is not
+ * supported.
+ */
+ if (actualType == VIR_DOMAIN_NET_TYPE_NETWORK ||
+ driver->privileged ||
+ (!qemuCapsGet (priv->qemuCaps, QEMU_CAPS_NETDEV_BRIDGE))) {
+ if ((tapfd = qemuNetworkIfaceConnect(vm->def, conn, driver, net,
+ priv->qemuCaps)) < 0)
+ goto cleanup;
+ iface_connected = true;
+ if (qemuOpenVhostNet(vm->def, net, priv->qemuCaps, &vhostfd) <
0)
+ goto cleanup;
+ }
} else if (actualType == VIR_DOMAIN_NET_TYPE_DIRECT) {
if ((tapfd = qemuPhysIfaceConnect(vm->def, driver, net,
priv->qemuCaps,
@@ -748,12 +757,14 @@ int qemuDomainAttachNetDevice(virConnectPtr conn,
if (qemuCapsGet(priv->qemuCaps, QEMU_CAPS_NETDEV) &&
qemuCapsGet(priv->qemuCaps, QEMU_CAPS_DEVICE)) {
- if (!(netstr = qemuBuildHostNetStr(net, ',',
- -1, tapfd_name, vhostfd_name)))
+ if (!(netstr = qemuBuildHostNetStr(net, driver, priv->qemuCaps,
+ ',', -1, tapfd_name,
+ vhostfd_name)))
goto cleanup;
} else {
- if (!(netstr = qemuBuildHostNetStr(net, ' ',
- vlan, tapfd_name, vhostfd_name)))
+ if (!(netstr = qemuBuildHostNetStr(net, driver, priv->qemuCaps,
+ ' ', vlan, tapfd_name,
+ vhostfd_name)))
goto cleanup;
}
--
1.7.1
9:52 a.m.
New subject: [libvirt] [Patch v3 2/3] Add -netdev bridge support
On 03.08.2012 22:33, rmarwah(a)linux.vnet.ibm.com wrote:
From: Richa Marwaha <rmarwah(a)linux.vnet.ibm.com>
This patch adds the support to run the QEMU network helper
under unprivileged user. It also adds the support for
attach-interface option in virsh to run under unprivileged
user.
Signed-off-by: Richa Marwaha <rmarwah(a)linux.vnet.ibm.com>
Signed-off-by: Corey Bryant<coreyb(a)linux.vnet.ibm.com>
---
src/qemu/qemu_command.c | 57 ++++++++++++++++++++++++++++++++++------------
src/qemu/qemu_command.h | 2 +
src/qemu/qemu_hotplug.c | 31 +++++++++++++++++--------
3 files changed, 65 insertions(+), 25 deletions(-)
ACK
Michal
3:33 p.m.
New subject: [libvirt] [Patch v3 3/3] apparmor: QEMU bridge helper policy updates
From: Richa Marwaha <rmarwah(a)linux.vnet.ibm.com>
This patch provides AppArmor policy updates for the QEMU bridge helper.
The QEMU bridge helper is a SUID executable exec'd by QEMU that drops
capabilities to CAP_NET_ADMIN and adds a tap device to a network bridge.
Signed-off-by: Richa Marwaha <rmarwah(a)linux.vnet.ibm.com>
Signed-off-by: Corey Bryant<coreyb(a)linux.vnet.ibm.com>
---
examples/apparmor/libvirt-qemu | 21 ++++++++++++++++++++-
1 files changed, 20 insertions(+), 1 deletions(-)
diff --git a/examples/apparmor/libvirt-qemu b/examples/apparmor/libvirt-qemu
index 10cdd36..766a334 100644
--- a/examples/apparmor/libvirt-qemu
+++ b/examples/apparmor/libvirt-qemu
@@ -1,4 +1,4 @@
-# Last Modified: Mon Apr 5 15:11:27 2010
+# Last Modified: Fri Mar 9 14:43:22 2012
#include <abstractions/base>
#include <abstractions/consoles>
@@ -108,3 +108,22 @@
/bin/dash rmix,
/bin/dd rmix,
/bin/cat rmix,
+
+ /usr/libexec/qemu-bridge-helper Cx,
+ # child profile for bridge helper process
+ profile /usr/libexec/qemu-bridge-helper {
+ #include <abstractions/base>
+
+ capability setuid,
+ capability setgid,
+ capability setpcap,
+ capability net_admin,
+
+ network inet stream,
+
+ /dev/net/tun rw,
+ /etc/qemu/** r,
+ owner @{PROC}/*/status r,
+
+ /usr/libexec/qemu-bridge-helper rmix,
+ }
--
1.7.1
9:52 a.m.
New subject: [libvirt] [Patch v3 3/3] apparmor: QEMU bridge helper policy updates
On 03.08.2012 22:33, rmarwah(a)linux.vnet.ibm.com wrote:
From: Richa Marwaha <rmarwah(a)linux.vnet.ibm.com>
This patch provides AppArmor policy updates for the QEMU bridge helper.
The QEMU bridge helper is a SUID executable exec'd by QEMU that drops
capabilities to CAP_NET_ADMIN and adds a tap device to a network bridge.
Signed-off-by: Richa Marwaha <rmarwah(a)linux.vnet.ibm.com>
Signed-off-by: Corey Bryant<coreyb(a)linux.vnet.ibm.com>
---
examples/apparmor/libvirt-qemu | 21 ++++++++++++++++++++-
1 files changed, 20 insertions(+), 1 deletions(-)
ACK
Michal
9:56 a.m.
On 03.08.2012 22:33, rmarwah(a)linux.vnet.ibm.com wrote:
From: Richa Marwaha <rmarwah(a)linux.vnet.ibm.com>
QEMU has a new feature which allows QEMU to execute under an unprivileged user ID and
still be able to
add a tap device to a Linux network bridge. Below is the link to the QEMU patches for the
bridge helper
feature:
http://lists.gnu.org/archive/html/qemu-devel/2012-01/msg03562.html
The existing libvirt tap network device support for adding a tap device to a bridge
(-netdev tap) works
only when connected to a libvirtd instance running as the privileged system account
'root'.
When connected to a libvirtd instance running as an unprivileged user (ie. using the
session URI) creation of
the tap device fails as follows:
error: Failed to start domain F14_64 error: Unable to create tap device vnet%d: Operation
not permitted
With this support, creating a tap device in the above scenario will be possible.
Additionally, hot attaching
a tap device to a bridge while running when connected to a libvirtd instance running as
an unprivileged user
will be possible.
Richa Marwaha (3):
Add -netdev bridge capabilities
Add -netdev bridge support
apparmor: QEMU bridge helper policy updates
AUTHORS | 1 +
examples/apparmor/libvirt-qemu | 21 ++++++++++++++-
src/qemu/qemu_capabilities.c | 13 ++++++---
src/qemu/qemu_capabilities.h | 1 +
src/qemu/qemu_command.c | 57 +++++++++++++++++++++++++++++----------
src/qemu/qemu_command.h | 2 +
src/qemu/qemu_hotplug.c | 31 ++++++++++++++-------
tests/qemuhelptest.c | 3 +-
8 files changed, 98 insertions(+), 31 deletions(-)
So I've went ahead, reviewed, ACKed and pushed whole series.
I suggest is worth adding some kind of documentation (either a wiki
page, or mention it somewhere in docs/ docs/drvqemu.html.in perhaps?) -
how to set up bridge-helper. But I am okay if that's a follow up patch.
It's not a show stopper after all.
Michal
10:18 a.m.
On 08/06/2012 10:56 AM, Michal Privoznik wrote:
On 03.08.2012 22:33, rmarwah(a)linux.vnet.ibm.com wrote:
> From: Richa Marwaha <rmarwah(a)linux.vnet.ibm.com>
>
> QEMU has a new feature which allows QEMU to execute under an unprivileged user ID and
still be able to
> add a tap device to a Linux network bridge.
> [...]
So I've went ahead, reviewed, ACKed and pushed whole series.
I suggest is worth adding some kind of documentation (either a wiki
page, or mention it somewhere in docs/ docs/drvqemu.html.in perhaps?) -
how to set up bridge-helper.
Yes, it's a bit odd to figure out the right place to document it, since
there is no setup done within libvirt - libvirt just silently takes
advantage of it if it's there.
By the way, I had earlier expressed concern about the eventuality that
we support bridged networking for non-privileged users directly within
libvirt (via a separate libvirt-networkd and policykit), and the case
where someone had a working config using the qemu helper - I was worried
that this person's setup might stop working as a result of the upgrade
which changed to the newer method of setting up the network (e.g. if
something needed to be configured to allow that user access via
policykit, and hadn't been done yet). Since then I've realized that we
can handle that problem by continuing to fall back to the qemu helper
when this (for now mythical) new method fails. That removes my only
concern about this series.
Another issue though - a patch for AppArmor has been included, but I'm
unclear of whether this needs something done for selinux (either in
libvirt itself, or in selinux-policy). Does somebody have the updated
qemu installed on a system with selinux enabled, and could you give it a
try?
12:46 p.m.
libvir-list-bounces(a)redhat.com wrote on 08/06/2012 11:18:31 AM:
From:
Laine Stump <laine(a)laine.org>
To:
libvir-list(a)redhat.com
Date:
08/06/2012 11:27 AM
Subject:
Re: [libvirt] [Patch v3 0/3] Add QEMU network helper support
Sent by:
libvir-list-bounces(a)redhat.com
On 08/06/2012 10:56 AM, Michal Privoznik wrote:
> On 03.08.2012 22:33, rmarwah(a)linux.vnet.ibm.com wrote:
>> From: Richa Marwaha <rmarwah(a)linux.vnet.ibm.com>
>>
>> QEMU has a new feature which allows QEMU to execute under an
unprivileged user ID and still be able to
>> add a tap device to a Linux network bridge.
>> [...]
> So I've went ahead, reviewed, ACKed and pushed whole series.
> I suggest is worth adding some kind of documentation (either a wiki
> page, or mention it somewhere in docs/ docs/drvqemu.html.in perhaps?) -
> how to set up bridge-helper.
Yes, it's a bit odd to figure out the right place to document it, since
there is no setup done within libvirt - libvirt just silently takes
advantage of it if it's there.
By the way, I had earlier expressed concern about the eventuality that
we support bridged networking for non-privileged users directly within
libvirt (via a separate libvirt-networkd and policykit), and the case
where someone had a working config using the qemu helper - I was worried
that this person's setup might stop working as a result of the upgrade
which changed to the newer method of setting up the network (e.g. if
something needed to be configured to allow that user access via
policykit, and hadn't been done yet). Since then I've realized that we
can handle that problem by continuing to fall back to the qemu helper
when this (for now mythical) new method fails. That removes my only
concern about this series.
Another issue though - a patch for AppArmor has been included, but I'm
unclear of whether this needs something done for selinux (either in
libvirt itself, or in selinux-policy). Does somebody have the updated
qemu installed on a system with selinux enabled, and could you give it a
try?
selinux already has the policies to allow qemu helper , here is the link to
the patch adding the policies
http://git.fedorahosted.org/cgit/selinux-policy.git/diff/?id=56e0a4b775f2...
It will be upstream in Fedora.
Regards
Richa
--
libvir-list mailing list
libvir-list(a)redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list
10:26 a.m.
Quoting Michal Privoznik <mprivozn(a)redhat.com>:
On 03.08.2012 22:33, rmarwah(a)linux.vnet.ibm.com wrote:
> From: Richa Marwaha <rmarwah(a)linux.vnet.ibm.com>
>
> QEMU has a new feature which allows QEMU to execute under an
> unprivileged user ID and still be able to
> add a tap device to a Linux network bridge. Below is the link to
> the QEMU patches for the bridge helper
> feature:
>
> http://lists.gnu.org/archive/html/qemu-devel/2012-01/msg03562.html
>
> The existing libvirt tap network device support for adding a tap
> device to a bridge (-netdev tap) works
> only when connected to a libvirtd instance running as the
> privileged system account 'root'.
> When connected to a libvirtd instance running as an unprivileged
> user (ie. using the session URI) creation of
> the tap device fails as follows:
>
> error: Failed to start domain F14_64 error: Unable to create tap
> device vnet%d: Operation not permitted
>
> With this support, creating a tap device in the above scenario will
> be possible. Additionally, hot attaching
> a tap device to a bridge while running when connected to a libvirtd
> instance running as an unprivileged user
> will be possible.
>
> Richa Marwaha (3):
> Add -netdev bridge capabilities
> Add -netdev bridge support
> apparmor: QEMU bridge helper policy updates
>
> AUTHORS | 1 +
> examples/apparmor/libvirt-qemu | 21 ++++++++++++++-
> src/qemu/qemu_capabilities.c | 13 ++++++---
> src/qemu/qemu_capabilities.h | 1 +
> src/qemu/qemu_command.c | 57
> +++++++++++++++++++++++++++++----------
> src/qemu/qemu_command.h | 2 +
> src/qemu/qemu_hotplug.c | 31 ++++++++++++++-------
> tests/qemuhelptest.c | 3 +-
> 8 files changed, 98 insertions(+), 31 deletions(-)
>
So I've went ahead, reviewed, ACKed and pushed whole series.
I suggest is worth adding some kind of documentation (either a wiki
page, or mention it somewhere in docs/ docs/drvqemu.html.in perhaps?) -
how to set up bridge-helper. But I am okay if that's a follow up patch.
It's not a show stopper after all.
Thanks a lot Michal for reviewing n pushing the patches. We have the
following wiki
which gives the information on how to set up bridge-helper
http://wiki.qemu.org/Features/HelperNetworking
Regards
Richa
Michal
4491
days inactive
4494
days old
10 comments
4 participants
participants (4)
-
Laine Stump -
Michal Privoznik -
Richa Marwaha -
rmarwah@linux.vnet.ibm.com