From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from mailman by lists.gnu.org with tmda-scanned (Exim 4.43)
	id 1LFaim-0001tf-Qt
	for qemu-devel@nongnu.org; Wed, 24 Dec 2008 15:52:48 -0500
Received: from exim by lists.gnu.org with spam-scanned (Exim 4.43)
	id 1LFaih-0001tT-E6
	for qemu-devel@nongnu.org; Wed, 24 Dec 2008 15:52:47 -0500
Received: from [199.232.76.173] (port=50656 helo=monty-python.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.43) id 1LFaih-0001tQ-8D
	for qemu-devel@nongnu.org; Wed, 24 Dec 2008 15:52:43 -0500
Received: from mail.sterilesecurity.com ([173.45.227.235]:55921)
	by monty-python.gnu.org with esmtp (Exim 4.60)
	(envelope-from <liraz@turnkeylinux.org>) id 1LFaig-0003sS-R7
	for qemu-devel@nongnu.org; Wed, 24 Dec 2008 15:52:43 -0500
Message-ID: <4952A106.3050305@turnkeylinux.org>
Date: Wed, 24 Dec 2008 22:52:22 +0200
From: Liraz Siri <liraz@turnkeylinux.org>
MIME-Version: 1.0
Subject: Re: [Qemu-devel] Merging improvements from VirtualBox OSE into qemu?
References: <49522F8D.4000203@turnkeylinux.org>	<200812241336.01702.paul@codesourcery.com>	<4952484F.6010406@turnkeylinux.org>
	<49525808.9080002@codemonkey.ws>
In-Reply-To: <49525808.9080002@codemonkey.ws>
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Reply-To: qemu-devel@nongnu.org
List-Id: qemu-devel.nongnu.org
List-Unsubscribe: <http://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <http://lists.gnu.org/pipermail/qemu-devel>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <http://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=subscribe>
To: qemu-devel@nongnu.org
Cc: turnkey-discuss@lists.turnkeylinux.org, Paul Brook <paul@codesourcery.com>

Anthony Liguori wrote:

> FWIW, we could simplify bridged networking in QEMU but it would require
> root privileges or a setuid helper.

A setuid helper would probably do the trick. You need root privileges to:

1) create the tap device (with appropriate ownership)
2) bridge it to your NIC

Once you take care of that qemu will happily connect to the user-end of
the configured tap device without requiring any special privileges::

    qemu -net nic -net tap,ifname=tap0

> All someone has to do is write an /etc/qemu-ifup and /etc/qemu-ifdown
> that create a bridged interface.  I'd be happy to take patches to pass
> additional parameters to the script.  For instance, you could do:
> 
> -net tap,mode=bridging,if=eth0

The KVM package on Ubuntu is configured to run this tap configuration
script by default::

    #!/bin/sh

    switch=$(ip route ls | awk '/^default / { for(i=0;i<NF;i++) { if
($(i) == "dev") print $(i+1) }}')
    /sbin/ifconfig $1 0.0.0.0 up
    /usr/sbin/brctl addif ${switch} $1
    exit 0

Trouble is, that doesn't work without root privileges, and I understand
running qemu with root privileges isn't a really good idea given it's
complexity.

> And it could Just Work.  /etc/qemu-ifup and /etc/qemu-ifdown would have
> to be setuid helpers of course and they should enforce some sort of
> group access control.

If I understand correctly even if qemu-ifup/qemu-ifdown were setuid
helpers qemu would still need root privileges to create tap devices. You
have to set that up before you launch qemu.

> AFAIK, VDE doesn't actually get a tap file descriptor.  Instead it sends
> all traffic to a daemon for processing.  This implies that performance
> will never be as good as tap.

Thats true. The file descriptor VDE passes to qemu is to a unix socket
connected to an instance of the vde_switch daemon.

In most usage scenarios vde_switch handling packets in userspace is
probably not going to be the bottleneck. In a simple test (e.g., ping -f
-s 31000) I manage to shovel 90Mbit/s full duplex through a single VDE
switch. Granted if I connect the guest directly to the tap interface my
test maxes out at 160Mbit/s full duplex so there is definitely a
performance penalty involved.

Cheers,
Liraz