consume existing tap device when libvirt / qemu run as different users

Hello, I'm having some doubts about consuming an existing - already configured - tap device from libvirt (with `managed='no' ` attribute set). In KubeVirt, we want to have the consumer side of the tap device run without the NET_ADMIN capability, which requires the UID / GID of the tap creator / opener to match, as per the kernel code in [0]. As such, we create the tap device (with the qemu user / group on behalf of qemu), which will ultimately be the tap consumer. This leads me to question: why is libvirt opening / calling `ioctl(..., TUNSETIFF, ...) ` on the tap device when it already exists - [1] & [2] ? Why can't the tap device (already configured) be left alone, and let qemu consume it ? The above is problematic for KubeVirt, since our setup currently has libvirt running as root (while qemu runs as a different user), which is preventing us from removing NET_ADMIN (libvirt & qemu run as different users). Thanks in advance for your time, Miguel [0] - https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/d... [1] - https://github.com/libvirt/libvirt/blob/99a1cfc43889c6d425a64013a12b234dd... [2] - https://github.com/libvirt/libvirt/blob/v6.0.0/src/util/virnetdevtap.c#L274