[libvirt] [Patch v3 0/3] Add QEMU network helper support

From: Richa Marwaha <rmarwah@linux.vnet.ibm.com>

QEMU has a new feature which allows QEMU to execute under an unprivileged user ID and still be able to add a tap device to a Linux network bridge. Below is the link to the QEMU patches for the bridge helper feature:

http://lists.gnu.org/archive/html/qemu-devel/2012-01/msg03562.html

The existing libvirt tap network device support for adding a tap device to a bridge (-netdev tap) works only when connected to a libvirtd instance running as the privileged system account 'root'. When connected to a libvirtd instance running as an unprivileged user (i.e. using the session URI) creation of the tap device fails as follows:

error: Failed to start domain F14_64
error: Unable to create tap device vnet%d: Operation not permitted

With this support, creating a tap device in the above scenario will be possible. Additionally, hot attaching a tap device to a bridge while running when connected to a libvirtd instance running as an unprivileged user will be possible.

Richa Marwaha (3):
  Add -netdev bridge capabilities
  Add -netdev bridge support
  apparmor: QEMU bridge helper policy updates

 AUTHORS                        |  1 +
 examples/apparmor/libvirt-qemu | 21 ++++++++++++++-
 src/qemu/qemu_capabilities.c   | 13 ++++++---
 src/qemu/qemu_capabilities.h   |  1 +
 src/qemu/qemu_command.c        | 57 +++++++++++++++++++++++++++++----------
 src/qemu/qemu_command.h        |  2 +
 src/qemu/qemu_hotplug.c        | 31 ++++++++++++++-------
 tests/qemuhelptest.c           |  3 +-
 8 files changed, 98 insertions(+), 31 deletions(-)

From: Richa Marwaha <rmarwah@linux.vnet.ibm.com> This patch adds the capability in libvirt to check if -netdev bridge option is supported or not. Signed-off-by: Richa Marwaha <rmarwah@linux.vnet.ibm.com> Signed-off-by: Corey Bryant<coreyb@linux.vnet.ibm.com> --- v2 -This is a new patch that helps libvirt to check if -netdev bridge option is supported in the qemu version that is being used to run the guest. In v1 we didnot have the capability to check if qemu version we are using supported -netdev bridge or not. v3 -Fixed the QEMU_CAPS_NETDEV_BRIDGE capabilities, now it supports QEMU_CAPS_NETDEV which was missing earlier. -Updated the tests/qemuhelptest.c AUTHORS | 1 + src/qemu/qemu_capabilities.c | 13 +++++++++---- src/qemu/qemu_capabilities.h | 1 + tests/qemuhelptest.c | 3 ++- 4 files changed, 13 insertions(+), 5 deletions(-) diff --git a/AUTHORS b/AUTHORS index e3eadbf..1a7a4ac 100644 --- a/AUTHORS +++ b/AUTHORS @@ -252,6 +252,7 @@ Patches have also been contributed by: Sebastian Wiedenroth <wiedi@frubar.net> Ata E Husain Bohra <ata.husain@hotmail.com> Ján Tomko <jtomko@redhat.com> + Richa Marwaha <rmarwah@linux.vnet.ibm.com> [....send patches to get your name here....] diff --git a/src/qemu/qemu_capabilities.c b/src/qemu/qemu_capabilities.c index 85c49a2..82a2870 100644 --- a/src/qemu/qemu_capabilities.c +++ b/src/qemu/qemu_capabilities.c @@ -169,6 +169,8 @@ VIR_ENUM_IMPL(qemuCaps, QEMU_CAPS_LAST, "virtio-s390", "balloon-event", + "bridge", /* 100 */ + ); struct qemu_feature_flags { @@ -1020,7 +1022,7 @@ qemuCapsComputeCmdFlags(const char *help, bool check_yajl ATTRIBUTE_UNUSED) { const char *p; - const char *fsdev; + const char *fsdev, *netdev; if (strstr(help, "-no-kqemu")) qemuCapsSet(flags, QEMU_CAPS_KQEMU); 
@@ -1133,13 +1135,16 @@ qemuCapsComputeCmdFlags(const char *help, if (strstr(help, "-smbios type")) qemuCapsSet(flags, QEMU_CAPS_SMBIOS_TYPE); - if (strstr(help, "-netdev")) { + if ((netdev = strstr(help, "-netdev"))) { /* Disable -netdev on 0.12 since although it exists, * the corresponding netdev_add/remove monitor commands * do not, and we need them to be able to do hotplug. * But see below about RHEL build. */ - if (version >= 13000) - qemuCapsSet(flags, QEMU_CAPS_NETDEV); + if (version >= 13000) { + if (strstr(netdev, "bridge")) + qemuCapsSet(flags, QEMU_CAPS_NETDEV_BRIDGE); + qemuCapsSet(flags, QEMU_CAPS_NETDEV); + } } if (strstr(help, "-sdl")) diff --git a/src/qemu/qemu_capabilities.h b/src/qemu/qemu_capabilities.h index e8251dc..c1b67a6 100644 --- a/src/qemu/qemu_capabilities.h +++ b/src/qemu/qemu_capabilities.h @@ -135,6 +135,7 @@ enum qemuCapsFlags { QEMU_CAPS_NEC_USB_XHCI = 97, /* -device nec-usb-xhci */ QEMU_CAPS_VIRTIO_S390 = 98, /* -device virtio-*-s390 */ QEMU_CAPS_BALLOON_EVENT = 99, /* Async event for balloon changes */ + QEMU_CAPS_NETDEV_BRIDGE = 100, /* bridge helper support */ QEMU_CAPS_LAST, /* this must always be the last item */ }; diff --git a/tests/qemuhelptest.c b/tests/qemuhelptest.c index 012ba26..75c818c 100644 --- a/tests/qemuhelptest.c +++ b/tests/qemuhelptest.c @@ -754,7 +754,8 @@ mymain(void) QEMU_CAPS_IDE_CD, QEMU_CAPS_NO_USER_CONFIG, QEMU_CAPS_HDA_MICRO, - QEMU_CAPS_NEC_USB_XHCI); + QEMU_CAPS_NEC_USB_XHCI, + QEMU_CAPS_NETDEV_BRIDGE); return ret == 0 ? EXIT_SUCCESS : EXIT_FAILURE; } -- 1.7.1
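Review bot: in the qemuCapsComputeCmdFlags hunk, `strstr(netdev, "bridge")` scans from the `-netdev` match to the end of the whole help text rather than just the `-netdev` line, so the word "bridge" appearing in the help for any later option would set QEMU_CAPS_NETDEV_BRIDGE on a QEMU whose -netdev has no bridge backend; an unprivileged session would then be handed `-netdev bridge,...` and fail to start instead of taking the existing tap path. Bound the search to the line, for example by locating the next '\n' after `netdev` with strchr() and comparing only within that span. Nesting the new check under the existing `version >= 13000` test is right, since the bridge backend is only reachable through -netdev, which this code already refuses to use on 0.12.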
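Review bot: in the tests/qemuhelptest.c hunk only one fixture gains QEMU_CAPS_NETDEV_BRIDGE, and the hunk does not say which QEMU release's help output that fixture holds; please name it in the commit message, and confirm that the fixtures for older QEMU, whose -netdev line predates the bridge backend, still pass without the new flag, since that is exactly the false positive the help-text matching must avoid.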

On 03.08.2012 22:33, rmarwah@linux.vnet.ibm.com wrote:
From: Richa Marwaha <rmarwah@linux.vnet.ibm.com>
This patch adds the capability in libvirt to check if -netdev bridge option is supported or not.
Signed-off-by: Richa Marwaha <rmarwah@linux.vnet.ibm.com>
Signed-off-by: Corey Bryant <coreyb@linux.vnet.ibm.com>
---
v2
-This is a new patch that helps libvirt to check if -netdev bridge option is supported in the qemu version that is being used to run the guest. In v1 we did not have the capability to check if qemu version we are using supported -netdev bridge or not.
v3
-Fixed the QEMU_CAPS_NETDEV_BRIDGE capabilities, now it supports QEMU_CAPS_NETDEV which was missing earlier.
-Updated the tests/qemuhelptest.c
 AUTHORS                      |  1 +
 src/qemu/qemu_capabilities.c | 13 +++++++++----
 src/qemu/qemu_capabilities.h |  1 +
 tests/qemuhelptest.c         |  3 ++-
 4 files changed, 13 insertions(+), 5 deletions(-)
ACK Michal
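As an added illustration (not part of the patch or of libvirt's code) of the capability probe the first patch describes: the decision to use `-netdev bridge` hinges on whether the word "bridge" is found on QEMU's `-netdev` help line, and a search that runs past the end of that line can be fooled by the word appearing elsewhere in the help text. The program below, in C like the patch, contrasts an unbounded `strstr()` search with one bounded to the `-netdev` line and reproduces the `version >= 13000` gate from the hunk. The help snippets and the names `netdev_bridge_naive`, `netdev_bridge_scoped` and `caps_netdev_bridge` are constructed for this example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed samples of `qemu -help` text (not real captures).
 * The first lists "bridge" on the -netdev line itself; the second has a
 * -netdev line without a bridge backend but mentions "bridge" later on;
 * the third has no -netdev option at all (pre-0.12 style help).
 */
static const char *const HELP_BRIDGE_ON_NETDEV_LINE =
    "-net tap[,vlan=n][,name=str][,fd=h]\n"
    "-netdev [user|tap|bridge|socket],id=str[,option][,option][,...]\n"
    "-soundhw c1,... enable audio support\n";

static const char *const HELP_BRIDGE_ON_LATER_LINE =
    "-netdev [user|tap|socket],id=str[,option][,option][,...]\n"
    "-device pci-bridge,chassis_nr=n (constructed line)\n";

static const char *const HELP_NO_NETDEV =
    "-net tap[,vlan=n][,name=str][,fd=h]\n";

/* Unbounded search, as in the hunk: everything after "-netdev" is examined. */
bool netdev_bridge_naive(const char *help)
{
    const char *netdev = strstr(help, "-netdev");
    return netdev != NULL && strstr(netdev, "bridge") != NULL;
}

/* Bounded search: only the text up to the end of the "-netdev" line counts. */
bool netdev_bridge_scoped(const char *help)
{
    const char *netdev = strstr(help, "-netdev");
    if (netdev == NULL)
        return false;

    const char *eol = strchr(netdev, '\n');
    size_t len = eol ? (size_t)(eol - netdev) : strlen(netdev);
    const char needle[] = "bridge";
    const size_t needle_len = sizeof(needle) - 1;

    for (size_t i = 0; i + needle_len <= len; i++) {
        if (memcmp(netdev + i, needle, needle_len) == 0)
            return true;
    }
    return false;
}

/*
 * The full gate from the patch: the bridge backend is only usable via -netdev,
 * and -netdev is only trusted from QEMU 0.13 (version 13000) onwards.
 */
bool caps_netdev_bridge(const char *help, int version)
{
    return version >= 13000 && netdev_bridge_scoped(help);
}

int main(void)
{
    const char *const samples[] = { HELP_BRIDGE_ON_NETDEV_LINE,
                                    HELP_BRIDGE_ON_LATER_LINE,
                                    HELP_NO_NETDEV };
    const char *const labels[] = { "bridge on -netdev line",
                                   "bridge on a later line",
                                   "no -netdev at all" };

    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        printf("%-24s naive=%d scoped=%d caps(1.1)=%d\n", labels[i],
               netdev_bridge_naive(samples[i]),
               netdev_bridge_scoped(samples[i]),
               caps_netdev_bridge(samples[i], 1001000));
    }
    return 0;
}
```

The second sample is the case that matters: the naive probe reports a bridge backend that does not exist, the scoped probe does not. Because the libvirt code runs as the same user that later launches QEMU, a wrong answer here is not a privilege issue, but it does turn a working tap,fd= configuration into a failed domain start.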

From: Richa Marwaha <rmarwah@linux.vnet.ibm.com> This patch adds the support to run the QEMU network helper under unprivileged user. It also adds the support for attach-interface option in virsh to run under unprivileged user. Signed-off-by: Richa Marwaha <rmarwah@linux.vnet.ibm.com> Signed-off-by: Corey Bryant<coreyb@linux.vnet.ibm.com> --- src/qemu/qemu_command.c | 57 ++++++++++++++++++++++++++++++++++------------ src/qemu/qemu_command.h | 2 + src/qemu/qemu_hotplug.c | 31 +++++++++++++++++-------- 3 files changed, 65 insertions(+), 25 deletions(-) diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c index 6ad65a6..83b3d30 100644 --- a/src/qemu/qemu_command.c +++ b/src/qemu/qemu_command.c @@ -2964,6 +2964,8 @@ error: char * qemuBuildHostNetStr(virDomainNetDefPtr net, + struct qemud_driver *driver, + virBitmapPtr qemuCaps, char type_sep, int vlan, const char *tapfd, @@ -2972,6 +2974,7 @@ qemuBuildHostNetStr(virDomainNetDefPtr net, bool is_tap = false; virBuffer buf = VIR_BUFFER_INITIALIZER; enum virDomainNetType netType = virDomainNetGetActualType(net); + const char *brname = NULL; if (net->script && netType != VIR_DOMAIN_NET_TYPE_ETHERNET) { virReportError(VIR_ERR_CONFIG_UNSUPPORTED, @@ -2981,8 +2984,21 @@ qemuBuildHostNetStr(virDomainNetDefPtr net, } switch (netType) { - case VIR_DOMAIN_NET_TYPE_NETWORK: + /* + * If type='bridge', and we're running as privileged user + * or -netdev bridge is not supported then it will fall + * through, -net tap,fd + */ case VIR_DOMAIN_NET_TYPE_BRIDGE: + if (!driver->privileged && + qemuCapsGet(qemuCaps, QEMU_CAPS_NETDEV_BRIDGE)) { + brname = virDomainNetGetActualBridgeName(net); + virBufferAsprintf(&buf, "bridge%cbr=%s", type_sep, brname); + type_sep = ','; + is_tap = true; + break; + } + case VIR_DOMAIN_NET_TYPE_NETWORK: case VIR_DOMAIN_NET_TYPE_DIRECT: virBufferAsprintf(&buf, "tap%cfd=%s", type_sep, tapfd); type_sep = ','; 
@@ -5125,7 +5141,7 @@ qemuBuildCommandLine(virConnectPtr conn, for (i = 0 ; i < def->nnets ; i++) { virDomainNetDefPtr net = def->nets[i]; char *nic, *host; - char tapfd_name[50]; + char tapfd_name[50] = ""; char vhostfd_name[50] = ""; int vlan; int bootindex = bootNet; @@ -5162,17 +5178,26 @@ qemuBuildCommandLine(virConnectPtr conn, if (actualType == VIR_DOMAIN_NET_TYPE_NETWORK || actualType == VIR_DOMAIN_NET_TYPE_BRIDGE) { - int tapfd = qemuNetworkIfaceConnect(def, conn, driver, net, - qemuCaps); - if (tapfd < 0) - goto error; + /* + * If type='bridge' then we attempt to allocate the tap fd here only if + * running under a privilged user or -netdev bridge option is not + * supported. + */ + if (actualType == VIR_DOMAIN_NET_TYPE_NETWORK || + driver->privileged || + (!qemuCapsGet(qemuCaps, QEMU_CAPS_NETDEV_BRIDGE))) { + int tapfd = qemuNetworkIfaceConnect(def, conn, driver, net, + qemuCaps); + if (tapfd < 0) + goto error; - last_good_net = i; - virCommandTransferFD(cmd, tapfd); + last_good_net = i; + virCommandTransferFD(cmd, tapfd); - if (snprintf(tapfd_name, sizeof(tapfd_name), "%d", - tapfd) >= sizeof(tapfd_name)) - goto no_memory; + if (snprintf(tapfd_name, sizeof(tapfd_name), "%d", + tapfd) >= sizeof(tapfd_name)) + goto no_memory; + } } else if (actualType == VIR_DOMAIN_NET_TYPE_DIRECT) { int tapfd = qemuPhysIfaceConnect(def, driver, net, qemuCaps, vmop); @@ -5215,8 +5240,9 @@ qemuBuildCommandLine(virConnectPtr conn, if (qemuCapsGet(qemuCaps, QEMU_CAPS_NETDEV) && qemuCapsGet(qemuCaps, QEMU_CAPS_DEVICE)) { virCommandAddArg(cmd, "-netdev"); - if (!(host = qemuBuildHostNetStr(net, ',', vlan, - tapfd_name, vhostfd_name))) + if (!(host = qemuBuildHostNetStr(net, driver, qemuCaps, + ',', vlan, tapfd_name, + vhostfd_name))) goto error; virCommandAddArg(cmd, host); VIR_FREE(host); 
@@ -5238,8 +5264,9 @@ qemuBuildCommandLine(virConnectPtr conn, if (!(qemuCapsGet(qemuCaps, QEMU_CAPS_NETDEV) && qemuCapsGet(qemuCaps, QEMU_CAPS_DEVICE))) { virCommandAddArg(cmd, "-net"); - if (!(host = qemuBuildHostNetStr(net, ',', vlan, - tapfd_name, vhostfd_name))) + if (!(host = qemuBuildHostNetStr(net, driver, qemuCaps, + ',', vlan, tapfd_name, + vhostfd_name))) goto error; virCommandAddArg(cmd, host); VIR_FREE(host); diff --git a/src/qemu/qemu_command.h b/src/qemu/qemu_command.h index 3ccf4d7..946a7ac 100644 --- a/src/qemu/qemu_command.h +++ b/src/qemu/qemu_command.h @@ -62,6 +62,8 @@ qemuBuildChrDeviceStr (virDomainChrDefPtr serial, /* With vlan == -1, use netdev syntax, else old hostnet */ char * qemuBuildHostNetStr(virDomainNetDefPtr net, + struct qemud_driver *driver, + virBitmapPtr qemuCaps, char type_sep, int vlan, const char *tapfd, diff --git a/src/qemu/qemu_hotplug.c b/src/qemu/qemu_hotplug.c index 71ec484..e128e58 100644 --- a/src/qemu/qemu_hotplug.c +++ b/src/qemu/qemu_hotplug.c 
@@ -695,12 +695,21 @@ int qemuDomainAttachNetDevice(virConnectPtr conn, if (actualType == VIR_DOMAIN_NET_TYPE_BRIDGE || actualType == VIR_DOMAIN_NET_TYPE_NETWORK) { - if ((tapfd = qemuNetworkIfaceConnect(vm->def, conn, driver, net, - priv->qemuCaps)) < 0) - goto cleanup; - iface_connected = true; - if (qemuOpenVhostNet(vm->def, net, priv->qemuCaps, &vhostfd) < 0) - goto cleanup; + /* + * If type=bridge then we attempt to allocate the tap fd here only if + * running under a privilged user or -netdev bridge option is not + * supported. + */ + if (actualType == VIR_DOMAIN_NET_TYPE_NETWORK || + driver->privileged || + (!qemuCapsGet (priv->qemuCaps, QEMU_CAPS_NETDEV_BRIDGE))) { + if ((tapfd = qemuNetworkIfaceConnect(vm->def, conn, driver, net, + priv->qemuCaps)) < 0) + goto cleanup; + iface_connected = true; + if (qemuOpenVhostNet(vm->def, net, priv->qemuCaps, &vhostfd) < 0) + goto cleanup; + } } else if (actualType == VIR_DOMAIN_NET_TYPE_DIRECT) { if ((tapfd = qemuPhysIfaceConnect(vm->def, driver, net, priv->qemuCaps, @@ -748,12 +757,14 @@ int qemuDomainAttachNetDevice(virConnectPtr conn, if (qemuCapsGet(priv->qemuCaps, QEMU_CAPS_NETDEV) && qemuCapsGet(priv->qemuCaps, QEMU_CAPS_DEVICE)) { - if (!(netstr = qemuBuildHostNetStr(net, ',', - -1, tapfd_name, vhostfd_name))) + if (!(netstr = qemuBuildHostNetStr(net, driver, priv->qemuCaps, + ',', -1, tapfd_name, + vhostfd_name))) goto cleanup; } else { - if (!(netstr = qemuBuildHostNetStr(net, ' ', - vlan, tapfd_name, vhostfd_name))) + if (!(netstr = qemuBuildHostNetStr(net, driver, priv->qemuCaps, + ' ', vlan, tapfd_name, + vhostfd_name))) goto cleanup; } -- 1.7.1
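Review bot: in the qemuBuildHostNetStr hunk, `brname` returned by virDomainNetGetActualBridgeName(net) goes straight into `virBufferAsprintf(&buf, "bridge%cbr=%s", ...)` with no NULL check, so a type='bridge' interface whose actual bridge name has not been resolved would format a NULL string; report an error and `goto error` when brname is NULL. The `case VIR_DOMAIN_NET_TYPE_BRIDGE:` block also now falls through into `case VIR_DOMAIN_NET_TYPE_NETWORK:` whenever the helper is not used, but the explanatory comment sits above the BRIDGE label rather than at the point of fall-through; add a `/* fallthrough */` marker after the `if` block so the intent is visible to readers and static analysers. Finally, the commit message should spell out that on this path libvirt neither creates nor attaches the tap device: the bridge name is simply handed to QEMU, and whatever the setuid helper enforces is the only control over which bridge an unprivileged user may join.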
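Review bot: in the qemuBuildCommandLine hunk, skipping qemuNetworkIfaceConnect() on the helper path also skips everything that call performs besides returning the tap fd, and `last_good_net = i` has moved inside the gated block, so whatever the error path does for interfaces up to last_good_net will no longer cover helper-backed ones; that is probably intended since libvirt created nothing for them, but a comment saying so, and a line in the commit message listing what per-interface setup session-URI users lose when QEMU creates the tap itself, would help. Initialising `tapfd_name[50] = ""` is necessary now that the fd may never be opened; good catch. Style nits repeated in this hunk and the hotplug one: the parentheses around `!qemuCapsGet(...)` are redundant, and "privilged" in the new comment should be "privileged".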
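Review bot: in the qemuDomainAttachNetDevice hunk, `qemuOpenVhostNet()` is now inside the gated block, so an unprivileged libvirtd talking to a QEMU with QEMU_CAPS_NETDEV_BRIDGE never opens vhost-net for a hot-plugged bridge interface even when the XML asks for the vhost driver; either move the vhost open outside the gate (it does not depend on the tap fd) or document that vhost is unavailable on the helper path. Also `qemuCapsGet (priv->qemuCaps, ...)` has a space before the parenthesis, unlike every other call in the file.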

On 03.08.2012 22:33, rmarwah@linux.vnet.ibm.com wrote:
From: Richa Marwaha <rmarwah@linux.vnet.ibm.com>
This patch adds the support to run the QEMU network helper under unprivileged user. It also adds the support for attach-interface option in virsh to run under unprivileged user.
Signed-off-by: Richa Marwaha <rmarwah@linux.vnet.ibm.com>
Signed-off-by: Corey Bryant <coreyb@linux.vnet.ibm.com>
---
 src/qemu/qemu_command.c | 57 ++++++++++++++++++++++++++++++++++------------
 src/qemu/qemu_command.h |  2 +
 src/qemu/qemu_hotplug.c | 31 +++++++++++++++++--------
 3 files changed, 65 insertions(+), 25 deletions(-)
ACK Michal

From: Richa Marwaha <rmarwah@linux.vnet.ibm.com> This patch provides AppArmor policy updates for the QEMU bridge helper. The QEMU bridge helper is a SUID executable exec'd by QEMU that drops capabilities to CAP_NET_ADMIN and adds a tap device to a network bridge. Signed-off-by: Richa Marwaha <rmarwah@linux.vnet.ibm.com> Signed-off-by: Corey Bryant<coreyb@linux.vnet.ibm.com> --- examples/apparmor/libvirt-qemu | 21 ++++++++++++++++++++- 1 files changed, 20 insertions(+), 1 deletions(-) diff --git a/examples/apparmor/libvirt-qemu b/examples/apparmor/libvirt-qemu index 10cdd36..766a334 100644 --- a/examples/apparmor/libvirt-qemu +++ b/examples/apparmor/libvirt-qemu @@ -1,4 +1,4 @@ -# Last Modified: Mon Apr 5 15:11:27 2010 +# Last Modified: Fri Mar 9 14:43:22 2012 #include <abstractions/base> #include <abstractions/consoles> @@ -108,3 +108,22 @@ /bin/dash rmix, /bin/dd rmix, /bin/cat rmix, + + /usr/libexec/qemu-bridge-helper Cx, + # child profile for bridge helper process + profile /usr/libexec/qemu-bridge-helper { + #include <abstractions/base> + + capability setuid, + capability setgid, + capability setpcap, + capability net_admin, + + network inet stream, + + /dev/net/tun rw, + /etc/qemu/** r, + owner @{PROC}/*/status r, + + /usr/libexec/qemu-bridge-helper rmix, + } -- 1.7.1
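Review bot: the child profile hardcodes /usr/libexec/qemu-bridge-helper, the Fedora/RHEL install path, yet AppArmor is the default MAC system on Debian and Ubuntu, where the helper is installed under /usr/lib/qemu/; there the `Cx` rule and the profile name will not match and the parent profile will deny the exec outright, so the feature silently breaks for the users most likely to load this example. Add the alternative path (for both the transition rule and the profile header) or use a variable. A short comment on why each capability is needed would also help future audits: `setuid`, `setgid` and `setpcap` only serve the helper's privilege drop to CAP_NET_ADMIN described in the commit message, and `network inet stream` is presumably for the socket on which the bridge ioctls are issued. `/etc/qemu/** r` is broader than the helper's own configuration; narrowing it to the files the helper actually reads keeps the child profile least-privilege.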

On 03.08.2012 22:33, rmarwah@linux.vnet.ibm.com wrote:
From: Richa Marwaha <rmarwah@linux.vnet.ibm.com>
This patch provides AppArmor policy updates for the QEMU bridge helper. The QEMU bridge helper is a SUID executable exec'd by QEMU that drops capabilities to CAP_NET_ADMIN and adds a tap device to a network bridge.
Signed-off-by: Richa Marwaha <rmarwah@linux.vnet.ibm.com>
Signed-off-by: Corey Bryant <coreyb@linux.vnet.ibm.com>
---
 examples/apparmor/libvirt-qemu | 21 ++++++++++++++++++++-
 1 files changed, 20 insertions(+), 1 deletions(-)
ACK Michal

On 03.08.2012 22:33, rmarwah@linux.vnet.ibm.com wrote:
From: Richa Marwaha <rmarwah@linux.vnet.ibm.com>
QEMU has a new feature which allows QEMU to execute under an unprivileged user ID and still be able to add a tap device to a Linux network bridge. Below is the link to the QEMU patches for the bridge helper feature:
http://lists.gnu.org/archive/html/qemu-devel/2012-01/msg03562.html
The existing libvirt tap network device support for adding a tap device to a bridge (-netdev tap) works only when connected to a libvirtd instance running as the privileged system account 'root'. When connected to a libvirtd instance running as an unprivileged user (ie. using the session URI) creation of the tap device fails as follows:
error: Failed to start domain F14_64
error: Unable to create tap device vnet%d: Operation not permitted
With this support, creating a tap device in the above scenario will be possible. Additionally, hot attaching a tap device to a bridge while running when connected to a libvirtd instance running as an unprivileged user will be possible.
Richa Marwaha (3):
  Add -netdev bridge capabilities
  Add -netdev bridge support
  apparmor: QEMU bridge helper policy updates
 AUTHORS                        |  1 +
 examples/apparmor/libvirt-qemu | 21 ++++++++++++++-
 src/qemu/qemu_capabilities.c   | 13 ++++++---
 src/qemu/qemu_capabilities.h   |  1 +
 src/qemu/qemu_command.c        | 57 +++++++++++++++++++++++++++++----------
 src/qemu/qemu_command.h        |  2 +
 src/qemu/qemu_hotplug.c        | 31 ++++++++++++++-------
 tests/qemuhelptest.c           |  3 +-
 8 files changed, 98 insertions(+), 31 deletions(-)
So I've gone ahead, reviewed, ACKed and pushed the whole series. I suggest it is worth adding some kind of documentation (either a wiki page, or mention it somewhere in docs/, docs/drvqemu.html.in perhaps?) on how to set up bridge-helper. But I am okay if that's a follow-up patch. It's not a show stopper after all.
Michal

On 08/06/2012 10:56 AM, Michal Privoznik wrote:
On 03.08.2012 22:33, rmarwah@linux.vnet.ibm.com wrote:
From: Richa Marwaha <rmarwah@linux.vnet.ibm.com>
QEMU has a new feature which allows QEMU to execute under an unprivileged user ID and still be able to add a tap device to a Linux network bridge. [...]
So I've gone ahead, reviewed, ACKed and pushed the whole series. I suggest it is worth adding some kind of documentation (either a wiki page, or mention it somewhere in docs/, docs/drvqemu.html.in perhaps?) on how to set up bridge-helper.
Yes, it's a bit odd to figure out the right place to document it, since there is no setup done within libvirt - libvirt just silently takes advantage of it if it's there.

By the way, I had earlier expressed concern about the eventuality that we support bridged networking for non-privileged users directly within libvirt (via a separate libvirt-networkd and policykit), and the case where someone had a working config using the qemu helper - I was worried that this person's setup might stop working as a result of the upgrade which changed to the newer method of setting up the network (e.g. if something needed to be configured to allow that user access via policykit, and hadn't been done yet). Since then I've realized that we can handle that problem by continuing to fall back to the qemu helper when this (for now mythical) new method fails. That removes my only concern about this series.

Another issue though - a patch for AppArmor has been included, but I'm unclear of whether this needs something done for selinux (either in libvirt itself, or in selinux-policy). Does somebody have the updated qemu installed on a system with selinux enabled, and could you give it a try?

libvir-list-bounces@redhat.com wrote on 08/06/2012 11:18:31 AM:
From: Laine Stump <laine@laine.org>
To: libvir-list@redhat.com
Date: 08/06/2012 11:27 AM
Subject: Re: [libvirt] [Patch v3 0/3] Add QEMU network helper support
Sent by: libvir-list-bounces@redhat.com
On 08/06/2012 10:56 AM, Michal Privoznik wrote:
On 03.08.2012 22:33, rmarwah@linux.vnet.ibm.com wrote:
From: Richa Marwaha <rmarwah@linux.vnet.ibm.com>
QEMU has a new feature which allows QEMU to execute under an unprivileged user ID and still be able to add a tap device to a Linux network bridge. [...]
So I've gone ahead, reviewed, ACKed and pushed the whole series. I suggest it is worth adding some kind of documentation (either a wiki page, or mention it somewhere in docs/, docs/drvqemu.html.in perhaps?) on how to set up bridge-helper.
Yes, it's a bit odd to figure out the right place to document it, since there is no setup done within libvirt - libvirt just silently takes advantage of it if it's there.
By the way, I had earlier expressed concern about the eventuality that we support bridged networking for non-privileged users directly within libvirt (via a separate libvirt-networkd and policykit), and the case where someone had a working config using the qemu helper - I was worried that this person's setup might stop working as a result of the upgrade which changed to the newer method of setting up the network (e.g. if something needed to be configured to allow that user access via policykit, and hadn't been done yet). Since then I've realized that we can handle that problem by continuing to fall back to the qemu helper when this (for now mythical) new method fails. That removes my only concern about this series.
Another issue though - a patch for AppArmor has been included, but I'm unclear of whether this needs something done for selinux (either in libvirt itself, or in selinux-policy). Does somebody have the updated qemu installed on a system with selinux enabled, and could you give it a try?
selinux already has the policies to allow the qemu helper; here is the link to the patch adding the policies: http://git.fedorahosted.org/cgit/selinux-policy.git/diff/?id=56e0a4b775f29ec... It will be upstream in Fedora.
Regards
Richa
-- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list

Quoting Michal Privoznik <mprivozn@redhat.com>:
On 03.08.2012 22:33, rmarwah@linux.vnet.ibm.com wrote:
From: Richa Marwaha <rmarwah@linux.vnet.ibm.com>
QEMU has a new feature which allows QEMU to execute under an unprivileged user ID and still be able to add a tap device to a Linux network bridge. Below is the link to the QEMU patches for the bridge helper feature:
http://lists.gnu.org/archive/html/qemu-devel/2012-01/msg03562.html
The existing libvirt tap network device support for adding a tap device to a bridge (-netdev tap) works only when connected to a libvirtd instance running as the privileged system account 'root'. When connected to a libvirtd instance running as an unprivileged user (ie. using the session URI) creation of the tap device fails as follows:
error: Failed to start domain F14_64
error: Unable to create tap device vnet%d: Operation not permitted
With this support, creating a tap device in the above scenario will be possible. Additionally, hot attaching a tap device to a bridge while running when connected to a libvirtd instance running as an unprivileged user will be possible.
Richa Marwaha (3):
  Add -netdev bridge capabilities
  Add -netdev bridge support
  apparmor: QEMU bridge helper policy updates
 AUTHORS                        |  1 +
 examples/apparmor/libvirt-qemu | 21 ++++++++++++++-
 src/qemu/qemu_capabilities.c   | 13 ++++++---
 src/qemu/qemu_capabilities.h   |  1 +
 src/qemu/qemu_command.c        | 57 +++++++++++++++++++++++++++++----------
 src/qemu/qemu_command.h        |  2 +
 src/qemu/qemu_hotplug.c        | 31 ++++++++++++++-------
 tests/qemuhelptest.c           |  3 +-
 8 files changed, 98 insertions(+), 31 deletions(-)
So I've gone ahead, reviewed, ACKed and pushed the whole series. I suggest it is worth adding some kind of documentation (either a wiki page, or mention it somewhere in docs/, docs/drvqemu.html.in perhaps?) on how to set up bridge-helper. But I am okay if that's a follow-up patch. It's not a show stopper after all.
Michal
Thanks a lot Michal for reviewing and pushing the patches. We have the following wiki which gives the information on how to set up bridge-helper: http://wiki.qemu.org/Features/HelperNetworking
Regards
Richa