From: Dustin Kirkland
Reply-To: kirkland@canonical.com
Date: Wed, 04 Nov 2009 16:40:42 -0600
Subject: [Qemu-devel] Re: [PATCH 0/4] net-bridge: rootless bridge support for qemu
To: Anthony Liguori
Cc: Mark McLoughlin, Arnd Bergmann, qemu-devel@nongnu.org, Juan Quintela, Michael Tsirkin
Message-ID: <1257374442.4417.3.camel@x200>
In-Reply-To: <1257294485-27015-1-git-send-email-aliguori@us.ibm.com>

On Tue, 2009-11-03 at 18:28 -0600, Anthony Liguori wrote:
> This series solves a problem that I've been struggling with for a few years now.
> One of the best things about qemu is that it's possible to run guests as an
> unprivileged user to improve security. However, if you want to have your guests
> communicate with the outside world, you're pretty much forced to run qemu as
> root.
>
> At least with KVM support, this is probably the most common use case which means
> that most of our users are running qemu as root. That's terrible.

Ack.

> We address this problem by introducing a new network backend: -net bridge. This
> backend is less flexible than -net tap because it relies on a helper with
> elevated privileges to do the heavy lifting of allocating and attaching a tap
> device to a bridge. We use a special purpose helper because we don't want
> to elevate the privileges of more generic tools like brctl.
>
> From a user perspective, to use bridged networking with a guest, you simply use:
>
>   qemu -hda linux.img -net bridge -net nic

I know that this patch is less than a day old and untested, but would it
be reasonable to make this the "default" network configuration at some
point in the future? This certainly seems to be what I want 99% of the
time when I launch qemu or kvm by hand from the command line.

> And assuming a bridge is defined named qemubr0 and the administrator has setup
> permissions accordingly, it will Just Work. My hope is that distributions will
> do this work as part of the qemu packaging process such that for most users,
> the out-of-the-box experience will also Just Work.

Also, ack. I'll handle the Ubuntu packaging to enable this support in
Lucid by the time qemu-0.12-rc1 is available. As Alexander mentions,
there's a bit more complexity we'll need to account for (wifi, network
manager, multiple nic's).

:-Dustin