From: Corey Bryant <coreyb@linux.vnet.ibm.com>
To: qemu-devel@nongnu.org
Cc: aliguori@us.ibm.com, rmarwah@linux.vnet.ibm.com
Subject: [Qemu-devel] [PATCH v2 0/4] -net bridge: rootless bridge support for qemu
Date: Fri, 21 Oct 2011 11:07:19 -0400 [thread overview]
Message-ID: <1319209643-3866-1-git-send-email-coreyb@linux.vnet.ibm.com> (raw)
With qemu it is possible to run a guest from an unprivileged user but if
we wanted to communicate with the outside world we had to switch
to root.
We address this problem by introducing a new network backend and a new
network option for -net tap. This is less flexible when compared to
existing -net tap options because it relies on a helper with elevated
privileges to do the heavy lifting of allocating and attaching a tap
device to a bridge. We use a special purpose helper because we don't
want to elevate the privileges of more generic tools like brctl.
Qemu can be run with the default network helper as follows (in these cases
attaching the tap device to the default br0 bridge):
qemu -hda linux.img -net bridge -net nic
or:
qemu -hda linux.img -net tap,helper=/usr/local/libexec/qemu-bridge-helper -net nic
The default helper uses it's own ACL mechanism for access control, but
future network helpers could be developed, for example, to support PolicyKit
for access control.
More details are included in individual patches. The helper is broken into
a series of patches to improve reviewabilty.
v2:
- Updated signed-off-by's
- Updated author's email
- Set default bridge to br0
- Added -net bridge
- Updated ACL example
- Moved from libcap to libcap-ng
- Fail helper when libcap-ng not configured
Corey Bryant (4):
Add basic version of bridge helper
Add access control support to qemu bridge helper
Add cap reduction support to enable use as SUID
Add support for net bridge
Makefile | 12 ++-
configure | 37 +++++
net.c | 29 ++++-
net.h | 3 +
net/tap.c | 190 ++++++++++++++++++++++++-
net/tap.h | 2 +
qemu-bridge-helper.c | 380 ++++++++++++++++++++++++++++++++++++++++++++++++++
qemu-options.hx | 73 ++++++++--
8 files changed, 703 insertions(+), 23 deletions(-)
create mode 100644 qemu-bridge-helper.c
--
1.7.3.4
next reply other threads:[~2011-10-21 15:09 UTC|newest]
Thread overview: 20+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-10-21 15:07 Corey Bryant [this message]
2011-10-21 15:07 ` [Qemu-devel] [PATCH v2 1/4] Add basic version of bridge helper Corey Bryant
2011-10-23 12:56 ` Blue Swirl
2011-10-24 13:12 ` Corey Bryant
2011-10-21 15:07 ` [Qemu-devel] [PATCH v2 2/4] Add access control support to qemu " Corey Bryant
2011-10-23 13:10 ` Blue Swirl
2011-10-24 13:44 ` Corey Bryant
2011-10-24 16:58 ` Blue Swirl
2011-10-21 15:07 ` [Qemu-devel] [PATCH v2 3/4] Add cap reduction support to enable use as SUID Corey Bryant
2011-10-23 13:22 ` Blue Swirl
2011-10-24 14:13 ` Corey Bryant
2011-10-24 17:10 ` Blue Swirl
2011-10-24 18:38 ` Corey Bryant
2011-10-24 18:58 ` Blue Swirl
2011-10-24 19:13 ` Corey Bryant
2011-10-24 19:21 ` Anthony Liguori
2011-10-24 20:20 ` Corey Bryant
2011-10-24 22:15 ` Anthony Liguori
2011-10-24 19:19 ` Anthony Liguori
2011-10-21 15:07 ` [Qemu-devel] [PATCH v2 4/4] Add support for net bridge Corey Bryant
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1319209643-3866-1-git-send-email-coreyb@linux.vnet.ibm.com \
--to=coreyb@linux.vnet.ibm.com \
--cc=aliguori@us.ibm.com \
--cc=qemu-devel@nongnu.org \
--cc=rmarwah@linux.vnet.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).