[libvirt] [PATCH 6/9] qemu: support unmanaged target tap dev for <interface type='ethernet'>

Daniel P. Berrangé berrange at redhat.com
Fri Sep 6 09:12:50 UTC 2019


On Tue, Aug 27, 2019 at 09:46:36PM -0400, Laine Stump wrote:
> If managed='no', then the tap device must already exist, and setting
> of MAC address and online status (IFF_UP) is skipped.
> 
> NB: we still set IFF_VNET_HDR and IFF_MULTI_QUEUE as appropriate,
> because those bits must be properly set in the TUNSETIFF we use to set
> the tap device name of the handle we've opened - if IFF_VNET_HDR has
> not been set and we set it the request will be honored even when
> running libvirtd unprivileged; if IFF_MULTI_QUEUE is requested to be
> different than how it was created, that will result in an error from
> the kernel. This means that you don't need to pay attention to
> IFF_VNET_HDR when creating the tap devices, but you *do* need to set
> IFF_MULTI_QUEUE if you're going to use multiple queues for your tap
> device.
> 
> NB2: /dev/vhost-net normally has permissions 600, so it can't be
> opened by an unprivileged process. This would normally cause a warning
> message when using a virtio net device from an unprivileged
> libvirtd. I've found that setting the permissions for /dev/vhost-net
> permits unprivileged libvirtd to use vhost-net for virtio devices, but
> have no idea what sort of security implications that has. I haven't
> changed libvirt's code to avoid *attempting* to open /dev/vhost-net -
> if you are concerned about the security of opening up permissions of
> /dev/vhost-net (probably a good idea at least until we ask someone who
> knows about the code) then add <driver name='qemu'/> to the interface
> definition and you'll avoid the warning message.
> 
> Note that virNetDevTapCreate() is the correct function to call in the
> case of an existing device, because the same ioctl() that creates a
> new tap device will also open an existing tap device.
> 
> Resolves: https://bugzilla.redhat.com/1723367 (partially)
> Signed-off-by: Laine Stump <laine at redhat.com>
> ---
>  src/qemu/qemu_interface.c                     | 77 +++++++++++--------
>  src/qemu/qemu_process.c                       |  2 +-
>  src/util/virnetdev.h                          |  2 +-
>  .../net-eth-unmanaged-tap.args                | 32 ++++++++
>  tests/qemuxml2argvmock.c                      | 16 +++-
>  tests/qemuxml2argvtest.c                      |  1 +
>  6 files changed, 96 insertions(+), 34 deletions(-)
>  create mode 100644 tests/qemuxml2argvdata/net-eth-unmanaged-tap.args

Reviewed-by: Daniel P. Berrangé <berrange at redhat.com>


Regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|



