2:55 p.m.
Sent: Monday, July 01, 2024 at 2:32 PM
From: "Michal Prívozník" <mprivozn(a)redhat.com>
To: "daggs" <daggs(a)gmx.com>
Cc: users(a)lists.libvirt.org
Subject: Re: per user vm isolation with shared network
On 7/1/24 12:28, daggs wrote:
> Greetings,
>
>> Sent: Monday, July 01, 2024 at 10:35 AM
>> From: "Michal Prívozník" <mprivozn(a)redhat.com>
>> To: "daggs" <daggs(a)gmx.com>, users(a)lists.libvirt.org
>> Subject: Re: per user vm isolation with shared network
>>
>> On 6/30/24 01:01, daggs via Users wrote:
>>> Greetings,
>>>
>>> I have two vm which I want to isolate per user, if I'm not mistaken, I
can to that with per session uri.
>>> but I want to setup a virtual bridge so they will get connected with each
other.
>>> looks like that if I define the network as system, it isn't visible in
the session.
>>> is there a way to do that? if I define the same network in both sessions,
will it work?
>>>
>>> Thanks,
>>>
>>> Dagg
>>>
>>
>> Yeah, this is known issue:
>>
>> https://gitlab.com/libvirt/libvirt/-/issues/438
>>
>> what you can do is create a bridge and then use qemu-bridge-helper to
>> plug TAPs from qemu:///session VMs into the bridge. Theoretically, you
>> could even misuse virbr0.
>>
>> Michal
>
> thanks, I've started looking into it however I'm unable to see the network
from the dedicated user, see:
> $ id; virsh -c qemu:///session net-list --all; virsh -c qemu:///system net-list
--all
> uid=0(root) gid=0(root)
groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy),20(dialout),26(tape),27(video)
> Name State Autostart Persistent
> --------------------------------------------
> default active yes yes
>
> Name State Autostart Persistent
> --------------------------------------------
> default active yes yes
>
> $ su -c "id; virsh -c qemu:///session net-list --all; virsh -c qemu:///system
net-list --all" foo
> uid=1002(foo) gid=1002(foo) groups=1002(foo),34(kvm),36(qemu),102(libvirt)
> Name State Autostart Persistent
> ----------------------------------------
>
> error: failed to connect to the hypervisor
> error: internal error: Unable to get system bus connection: Could not connect: No
such file or directory
This is expected and in fact it's what the issue I've linked earlier is
all about.
> $ cat /etc/qemu/bridge.conf
> # This should have the following permissions: root:qemu 0640
>
> # Allow users in the "qemu" group to add devices to "br0".
> allow br0
put "allow virbr0" here.
And then have your qemu:///session domain use:
<interface type='bridge'>
<source bridge='virbr0'/>
</interface>
OR, if you don't want to use virbr0 from qemu:///system you can
s/virbr0/br0/ in the XML snippet and create br0 yourself. virbr0 has NAT
which is something you may not want.
Michal
thanks, seems like I'm past this part, the vm start fails because of insufficient
permissions to detach/reattach the pci nodes, I assumed that there is no fast solution so
I fixed it with a script that uses doas to preform the detach/reattach.
now I get this error: error: Unable to create tap device vnet0: Operation not permitted
seems like I need special permissions to create the tap device.
to I need to create the tap device and attach it to the bridge as part of the prepare
stage?