[libvirt] [RFC PATCH] Add Qemu Network Helper

rmarwah at linux.vnet.ibm.com rmarwah at linux.vnet.ibm.com
Fri May 11 17:05:15 UTC 2012


Quoting Eric Blake <eblake at redhat.com>:

> On 05/10/2012 09:15 AM, rmarwah at linux.vnet.ibm.com wrote:
>> From: Richa Marwaha <rmarwah at linux.vnet.ibm.com>
>>
>> QEMU has a new feature which allows QEMU to execute under an unprivileged
>> user ID and still be able to add a tap device to a Linux network bridge.
>> Below is the link to the QEMU patches for the bridge helper feature:
>>
>> http://lists.gnu.org/archive/html/qemu-devel/2012-01/msg03562.html
>>
>> The existing libvirt tap network device support for adding a tap device to
>> a bridge (-netdev tap) works only when connected to a libvirtd instance
>> running as the privileged system account 'root'.  When connected to a
>> libvirtd instance running as an unprivileged user (i.e. using the session
>> URI), creation of the tap device fails as follows:
>>
>> error: Failed to start domain F14_64
>> error: Unable to create tap device vnet%d: Operation not permitted
>>
>> With this support, creating a tap device in the above scenario will be
>> possible.  Additionally, hot attaching a tap device to a bridge while
>> running when connected to a libvirtd instance running as an unprivileged
>> user will be possible.
>>
>> Signed-off-by: Richa Marwaha <rmarwah at linux.vnet.ibm.com>
>> Signed-off-by: Corey Bryant <coreyb at linux.vnet.ibm.com>
>> ---
>>  src/qemu/qemu_command.c |   38 +++++++++++++++++++++++++-------------
>>  src/qemu/qemu_command.h |    1 +
>>  src/qemu/qemu_hotplug.c |   19 +++++++++++--------
>>  3 files changed, 37 insertions(+), 21 deletions(-)
>
> Being a new feature, I think this is too late for inclusion in 0.9.12,
> but looks like a very nice feature to have post-release!
>
> I didn't spot anything obviously wrong with the code.
>
> Who is responsible for setting up the qemu bridge helper?

The qemu bridge helper just needs some settings in order to run. One is
to switch ON the setuid bit for the bridge helper executable and the
second is the ACL file setup. Below is the link that provides the setup
and execution information for the qemu bridge helper:

http://wiki.qemu.org/Features/HelperNetworking

> Is the error
> message when the bridge helper is not available (qemu too old, or helper
> is not configured to run, ...) sensible, or does libvirt need an
> additional qemu_capabilities.h patch to probe for the bridge helper so
> that libvirt can give a sane error message?

I think we would need to provide a patch to detect whether -netdev bridge
is supported in qemu_capabilities.c, but the errors that QEMU issues for
misconfiguration of the qemu bridge helper provide enough detail to
figure out the reason.

Also will provide the AppArmor patch with the next version of the  
helper patch.
https://www.redhat.com/archives/libvir-list/2012-March/msg00575.html

Eric, I have a question, as I am new to the community: would the distro
provide the bridge config (setuid and ACL file) or libvirt?

Regards
Richa Marwaha
>
> --
> Eric Blake   eblake at redhat.com    +1-919-301-3266
> Libvirt virtualization library http://libvirt.org
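
An added example, not part of the original thread and not QEMU or libvirt code: a Python check of the two settings named in the reply above (the setuid bit on the bridge helper and the ACL file). The file locations mentioned in the comments, the allow/deny/include rule format and the deny-overrides-allow evaluation are assumptions of this example based on QEMU's bridge helper; the ACL text is constructed.

```python
import stat

# Assumed default locations (not stated in the thread); pass os.stat() results
# for e.g. /usr/libexec/qemu-bridge-helper and /etc/qemu/bridge.conf.
SAMPLE_ACL = """\
# constructed sample ACL
allow br0
allow virbr0
deny virbr0   # a deny overrides an allow
"""

def parse_acl(text):
    """Return [(action, target)]; reject anything that is not a known rule."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 2 or parts[0] not in ("allow", "deny", "include"):
            raise ValueError(f"line {lineno}: unrecognised rule {raw!r}")
        rules.append((parts[0], parts[1]))
    return rules

def bridge_allowed(rules, bridge):
    """Default deny: needs a matching allow and no matching deny."""
    allowed = any(a == "allow" and t in (bridge, "all") for a, t in rules)
    denied = any(a == "deny" and t in (bridge, "all") for a, t in rules)
    return allowed and not denied

def audit(helper_mode, helper_uid, acl_mode, acl_uid, rules):
    """Return findings for the helper binary and ACL file stat values."""
    writable = stat.S_IWGRP | stat.S_IWOTH
    findings = []
    if helper_uid != 0 or not helper_mode & stat.S_ISUID:
        findings.append("helper is not setuid root: tap creation will fail")
    if helper_mode & writable:
        findings.append("setuid helper is group/world writable")
    if acl_uid != 0 or acl_mode & writable:
        findings.append("ACL file is modifiable by non-root users")
    if ("allow", "all") in rules:
        findings.append("ACL allows every bridge")
    for action, target in rules:
        if action == "include":
            findings.append(f"included file {target} needs the same checks")
    return findings
```

On a real host, call `audit()` with the `st_mode` and `st_uid` values from `os.stat()` on the helper binary and the ACL file.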





