From: Jamie Lokier <jamie@shareable.org>
To: Anthony Liguori <aliguori@us.ibm.com>
Cc: Mark McLoughlin <markmc@redhat.com>,
Arnd Bergmann <arndbergmann@googlemail.com>,
Juan Quintela <quintela@redhat.com>,
Dustin Kirkland <kirkland@canonical.com>,
qemu-devel@nongnu.org, Michael Tsirkin <mst@redhat.com>,
Avi Kivity <avi@redhat.com>
Subject: Re: [Qemu-devel] [PATCH 0/4] net-bridge: rootless bridge support for qemu
Date: Thu, 5 Nov 2009 16:37:02 +0000 [thread overview]
Message-ID: <20091105163702.GC21630@shareable.org> (raw)
In-Reply-To: <4AF2FAFC.9050606@us.ibm.com>
Anthony Liguori wrote:
> Avi Kivity wrote:
> >No, of course not, I use qemu from the command line and would benefit
> >from -net bridge. My badly-conveyed objection is that qemu should not
> >take a system management role (and enforce system-wide policies) but
> >leave that to system management tools.
>
> I do not consider this system management functional no more than I see
> providing a global configuration file as system management functional.
> They are both mechanisms. The ACL file is a mechanism just like VNC
> sasl ACLs are a mechanism.
That's why I would like there to be options to either pass to the
helper program, or specify a different helper program. (Sorry if
that's already in the patches - for some reason I received 0/4 but
didn't receive the 4 patch emails).
There's no need for QEMU to be cleverer than that, and that puts the
whole policy in the hands of the user - where it should be.
It'd still install the default helper you've provided and use it by
default, of course.
> The only other configuration I've seen with a tap device is to directly
> configure an ip address with it and not use a bridge at all. That's
> covered by -net tap though and really is not all that useful except for
> benchmarking.
Contrarily, it's incredibly useful! Most of my server VMs uses the
tap device without a bridge. They are on private subnets within the
host, and use iptables NAT to access the outside world, with NAT port
forwarding to offer specific services. That isolates them securely
far more effectively than bridging, and the iptables is simpler too.
-- Jamie
next prev parent reply other threads:[~2009-11-05 16:37 UTC|newest]
Thread overview: 125+ messages / expand[flat|nested] mbox.gz Atom feed top
2009-11-04 0:28 [Qemu-devel] [PATCH 0/4] net-bridge: rootless bridge support for qemu Anthony Liguori
2009-11-04 0:28 ` [Qemu-devel] [PATCH 1/4] Add basic version of bridge helper Anthony Liguori
2009-11-04 0:28 ` [Qemu-devel] [PATCH 2/4] Add access control support to qemu-bridge-helper Anthony Liguori
2009-11-04 13:38 ` [Qemu-devel] [PATCH 2/4] Add access control support toqemu-bridge-helper Krumme, Chris
2009-11-04 14:23 ` Anthony Liguori
2009-11-04 14:37 ` Krumme, Chris
2009-11-05 15:06 ` [Qemu-devel] [PATCH 2/4] Add access control support to qemu-bridge-helper Daniel P. Berrange
2009-11-04 0:28 ` [Qemu-devel] [PATCH 3/4] Add cap reduction support to enable use as SUID binary Anthony Liguori
2009-11-04 0:28 ` [Qemu-devel] [PATCH 4/4] Add support for -net bridge Anthony Liguori
2009-11-04 13:49 ` Krumme, Chris
2009-11-04 14:23 ` Anthony Liguori
2009-11-05 14:41 ` Avi Kivity
2009-11-05 14:45 ` Anthony Liguori
2009-11-05 14:49 ` Avi Kivity
2009-11-06 2:29 ` Jamie Lokier
2009-11-07 17:29 ` David Woodhouse
2009-11-07 22:11 ` Anthony Liguori
2009-11-08 8:27 ` Avi Kivity
2009-11-08 8:43 ` Arnd Bergmann
2009-11-08 8:55 ` Avi Kivity
2009-11-09 14:20 ` Anthony Liguori
2009-11-09 15:39 ` Jamie Lokier
2009-11-09 15:43 ` Anthony Liguori
2009-11-09 19:19 ` Jamie Lokier
2009-11-10 12:23 ` Avi Kivity
2009-11-04 12:02 ` [Qemu-devel] [PATCH 0/4] net-bridge: rootless bridge support for qemu Alexander Graf
2009-11-04 14:42 ` Anthony Liguori
2009-11-04 15:02 ` Alexander Graf
2009-11-04 16:02 ` Anthony Liguori
2009-11-04 17:04 ` [Qemu-devel] " Michael S. Tsirkin
2009-11-04 19:48 ` Anthony Liguori
2009-11-04 20:04 ` Michael S. Tsirkin
2009-11-04 20:44 ` Anthony Liguori
2009-11-05 8:17 ` Michael S. Tsirkin
2009-11-05 13:05 ` Anthony Liguori
2009-11-04 22:40 ` Dustin Kirkland
2009-11-05 0:52 ` Anthony Liguori
2009-11-05 2:12 ` Dustin Kirkland
2009-11-05 4:12 ` [Qemu-devel] " Jamie Lokier
2009-11-05 8:21 ` Michael S. Tsirkin
2009-11-06 2:03 ` Jamie Lokier
2009-11-06 11:58 ` Arnd Bergmann
2009-11-06 20:26 ` Jamie Lokier
2009-11-08 11:55 ` Michael S. Tsirkin
2009-11-05 13:11 ` Anthony Liguori
2009-11-05 14:33 ` Avi Kivity
2009-11-05 14:36 ` Avi Kivity
2009-11-05 14:46 ` Daniel P. Berrange
2009-11-05 14:53 ` Anthony Liguori
2009-11-05 16:41 ` Jamie Lokier
2009-11-05 16:51 ` Daniel P. Berrange
2009-11-06 1:53 ` Jamie Lokier
2009-11-05 14:50 ` Anthony Liguori
2009-11-05 15:05 ` Avi Kivity
2009-11-05 15:50 ` Anthony Liguori
2009-11-05 16:02 ` Avi Kivity
2009-11-05 16:19 ` Anthony Liguori
2009-11-05 16:28 ` Avi Kivity
2009-11-05 16:37 ` Jamie Lokier [this message]
2009-11-05 16:45 ` Anthony Liguori
2009-11-05 17:20 ` Arnd Bergmann
2009-11-05 17:42 ` Anthony Liguori
2009-11-05 18:02 ` Arnd Bergmann
2009-11-05 19:54 ` Anthony Liguori
2009-11-05 18:14 ` Avi Kivity
2009-11-05 18:11 ` Avi Kivity
2009-11-05 19:58 ` Anthony Liguori
2009-11-06 1:48 ` Jamie Lokier
2009-11-06 7:22 ` Avi Kivity
2009-11-06 10:54 ` Jamie Lokier
2009-11-06 12:42 ` Anthony Liguori
2009-11-07 3:44 ` Jamie Lokier
2009-11-06 14:19 ` Anthony Liguori
2009-11-07 9:14 ` Avi Kivity
2009-11-07 9:43 ` Avi Kivity
2009-11-07 14:07 ` Anthony Liguori
2009-11-07 21:50 ` Arnd Bergmann
2009-11-07 22:12 ` Anthony Liguori
2009-11-08 8:11 ` Avi Kivity
2009-11-07 14:04 ` Anthony Liguori
2009-11-06 0:29 ` Anthony Liguori
2009-11-06 7:26 ` Avi Kivity
2009-11-06 16:09 ` Anthony Liguori
2009-11-07 9:27 ` Avi Kivity
2009-11-07 10:44 ` Jamie Lokier
2009-11-07 11:23 ` Avi Kivity
2009-11-09 19:35 ` Jamie Lokier
2009-11-10 12:25 ` Avi Kivity
2009-11-10 13:33 ` Jamie Lokier
2009-11-07 13:59 ` Anthony Liguori
2009-11-05 16:29 ` Jamie Lokier
2009-11-05 14:57 ` Anthony Liguori
2009-11-05 15:11 ` Avi Kivity
2009-11-05 15:33 ` Avi Kivity
2009-11-05 15:58 ` Anthony Liguori
2009-11-05 16:07 ` Avi Kivity
2009-11-06 2:19 ` Jamie Lokier
2009-11-05 16:06 ` Anthony Liguori
2009-11-05 16:15 ` Avi Kivity
2009-11-05 16:25 ` Anthony Liguori
2009-11-05 16:33 ` Avi Kivity
2009-11-05 16:50 ` Anthony Liguori
2009-11-05 17:16 ` Scott Tsai
2009-11-05 18:19 ` Avi Kivity
2009-11-06 2:16 ` Jamie Lokier
2009-11-05 18:19 ` Avi Kivity
2009-11-06 2:17 ` Jamie Lokier
2009-11-05 15:11 ` Daniel P. Berrange
2009-11-05 15:14 ` Avi Kivity
2009-11-05 15:20 ` Daniel P. Berrange
2009-11-05 15:59 ` Anthony Liguori
2009-11-05 16:20 ` Avi Kivity
2009-11-05 16:28 ` Anthony Liguori
2009-11-05 16:35 ` Avi Kivity
2009-11-05 16:53 ` Daniel P. Berrange
2009-11-05 17:03 ` Anthony Liguori
2009-11-05 17:16 ` Daniel P. Berrange
2009-11-06 2:08 ` Jamie Lokier
2009-11-05 17:26 ` Arnd Bergmann
2009-11-05 19:54 ` Gerhard Stenzel
2009-11-06 2:11 ` Jamie Lokier
2009-11-05 15:00 ` [Qemu-devel] " Mark McLoughlin
2009-11-05 15:14 ` Daniel P. Berrange
2009-11-05 15:28 ` Dustin Kirkland
2009-11-05 15:06 ` Arnd Bergmann
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20091105163702.GC21630@shareable.org \
--to=jamie@shareable.org \
--cc=aliguori@us.ibm.com \
--cc=arndbergmann@googlemail.com \
--cc=avi@redhat.com \
--cc=kirkland@canonical.com \
--cc=markmc@redhat.com \
--cc=mst@redhat.com \
--cc=qemu-devel@nongnu.org \
--cc=quintela@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).