[libvirt] ask for help to explain the network about tap

Eric Blake eblake at redhat.com
Fri Jun 15 04:36:22 UTC 2012


On 06/14/2012 08:49 PM, Yong Sheng Gong wrote:
>  
> Hi,
> I don't know who helps qemu-kvm to create and open the tap file and when if I define an interface of a kvm vm like:
>     <interface type='bridge'>
>       <mac address='52:54:00:e4:2e:c1'/>
>       <source bridge='br200'/>
>       <model type='virtio'/>
>       <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/>
>     </interface>
> 
> The qemu-kvm process's command line will be:
<snip>
> 
> Note the -netdev tap,fd=24

That's libvirtd that opened the tap file, and passed it by inheritance
to the new qemu process.  Unfortunately, this means that you can't
recreate the same qemu process without also opening the tap device
yourself the same way that libvirtd would do it.  But this approach of
fd passing is essential to security, since libvirtd intentionally
removes capabilities that prevent qemu from opening the tap itself, so
libvirtd must pass in the fd pre-opened.

Did you have specific questions about which functions in libvirt source
code open the tap device?

Also, note that libvirtd will issue an audit log event for every tapfd
that it opens and gives to qemu.  The fd number is unpredictable, but
the fact that an fd was opened as backed by a tap device is pretty easy
to follow in the audit logs.

-- 
Eric Blake   eblake at redhat.com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org
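The fd-passing pattern Eric describes, as an added example (not libvirt or qemu code): a parent opens the backing resource and then starts a child that never opens any path itself, only uses the descriptor number it was told about, the way qemu consumes "-netdev tap,fd=24". Because opening /dev/net/tun needs CAP_NET_ADMIN, a temporary regular file is a stand-in for the tap device, and the audit record string is a constructed stand-in, not libvirt's real audit format; both are assumptions of this example.

```python
"""Parent opens a descriptor, child inherits it across exec and uses it.
Added example; the tap device is replaced by a temp file (assumption)."""
import os
import subprocess
import sys
import tempfile

# Child program, run via "python -c".  It mirrors qemu receiving
# "-netdev tap,fd=N": it parses the fd number out of the option string and
# never opens a path of its own.
CHILD_SOURCE = r'''
import os, sys
spec = sys.argv[1]                                   # e.g. "tap,fd=24"
opts = dict(kv.split("=", 1) for kv in spec.split(",") if "=" in kv)
fd = int(opts["fd"])
os.write(fd, b"frame-from-child\n")                  # use the inherited fd
os.lseek(fd, 0, os.SEEK_SET)
sys.stdout.write(os.read(fd, 64).decode())
'''


def audit_log(fd, backing):
    """Constructed stand-in for the per-fd audit record libvirtd emits:
    the fd number varies, the fact that an fd was opened on this backing
    resource is what a reviewer of the logs follows."""
    return f"virt=kvm resrc=net reason=open fd={fd} backing={backing}"


def open_backing_fd(path):
    """Parent-side open.  Clearing FD_CLOEXEC (inheritable=True) is what
    lets the descriptor survive the exec of the child."""
    fd = os.open(path, os.O_RDWR | os.O_CREAT, 0o600)
    os.set_inheritable(fd, True)
    return fd


def launch_child_with_fd(fd):
    """Start the child with exactly one extra descriptor.  pass_fds keeps
    that fd open (and inheritable) in the child and closes every other
    non-standard fd, so the child gets the pre-opened resource and nothing
    else, which is the point of handing it an fd rather than a path."""
    spec = f"tap,fd={fd}"
    proc = subprocess.run(
        [sys.executable, "-c", CHILD_SOURCE, spec],
        pass_fds=(fd,),
        capture_output=True, text=True, check=True)
    return proc.stdout.strip()


def demo():
    """Run the whole exchange; returns (audit record, what the child read)."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "fake-tap")      # stand-in for /dev/net/tun
        fd = open_backing_fd(path)
        try:
            record = audit_log(fd, path)
            got = launch_child_with_fd(fd)
        finally:
            os.close(fd)
        return record, got


if __name__ == "__main__":
    record, got = demo()
    print(record)
    print("child saw:", got)
```

On a real host the same relationship can be checked from outside the process: the entries under /proc/&lt;qemu pid&gt;/fd are symlinks to whatever each descriptor is open on, so `readlink /proc/<pid>/fd/24` resolves to /dev/net/tun for a tap fd passed in this way, which is the quick way to confirm that the fd named on the qemu command line is the one libvirtd's audit record refers to.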
