Hello,
I'm having some doubts about consuming an existing - already
configured - tap device from libvirt (with the `managed='no'` attribute
set).
In KubeVirt, we want to have the consumer side of the tap device run
without the NET_ADMIN capability, which requires the UID / GID of the
tap creator / opener to match, as per the kernel code in [0]. As such,
we create the tap device (with the qemu user / group on behalf of
qemu), which will ultimately be the tap consumer.
This leads me to question: why is libvirt opening / calling
`ioctl(..., TUNSETIFF, ...)` on the tap device when it already exists
([1] & [2])? Why can't the tap device (already configured) be left
alone, and let qemu consume it?
The above is problematic for KubeVirt, since our setup currently has
libvirt running as root (while qemu runs as a different user), which
is preventing us from removing NET_ADMIN (libvirt & qemu run as
different users).
Thanks in advance for your time,
Miguel
[0] - https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/d...
[1] - https://github.com/libvirt/libvirt/blob/99a1cfc43889c6d425a64013a12b234dd...
[2] - https://github.com/libvirt/libvirt/blob/v6.0.0/src/util/virnetdevtap.c#L274