[libvirt] [PATCH v3 2/2] qemu: Automaticly create tap device for VIR_DOMAIN_NET_TYPE_ETHERNET

Eric Blake eblake at redhat.com
Fri Dec 5 16:57:36 UTC 2014


On 12/05/2014 04:18 AM, Daniel P. Berrange wrote:
> On Fri, Dec 05, 2014 at 12:12:46PM +0100, Michal Privoznik wrote:
>> From: Vasiliy Tolstov <v.tolstov at selfip.ru>
>>
>> If a user doesn't specify script in network type ethernet, assume
>> that he/she needs a simple tap device created by libvirt. This
>> commit does not need to run external script to create tap device
>> or add root to qemu process. Moreover, some functions need to be
>> mocked now for qemuxml2argvtest, e.g. virNetDevTapCreate() or
>> virNetDevSetOnline().
> 
> Hmm, even if the user does provide a script, perhaps libvirt could
> create the TAP device *and* run the script itself. This would finally
> allow us to run QEMU unprivileged with type=ethernet in all cases.
> e.g. take QEMU entirely out of the picture for NIC setup

Don't we still have to mark things as tainted, and be careful that
executing an arbitrary script is not going to hose the host if a
less-privileged user (such as via fine-grained ACLs) passes a suspicious
script?

-- 
Eric Blake   eblake redhat com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org
