Message-ID: <4EB94CAB.5000705@linux.vnet.ibm.com>
Date: Tue, 08 Nov 2011 10:37:15 -0500
From: Corey Bryant
References: <1320167638-8895-1-git-send-email-coreyb@linux.vnet.ibm.com>
Subject: Re: [Qemu-devel] [PATCH v4 0/4] -net bridge: rootless bridge support for qemu
To: Zhi Yong Wu
Cc: rmarwah@linux.vnet.ibm.com, aliguori@us.ibm.com, qemu-devel@nongnu.org

On 11/08/2011 01:46 AM, Zhi Yong Wu wrote:
> Why do you not develop one helper to set up bridge env for qemu guests
> when the host has no bridge interface?
>

I'm not sure that I understand your question.
I think the actual bridge setup should be left as an admin task, but the
allocation/attaching of a tap device should be handled by the helper.

Regards,
Corey

> On Wed, Nov 2, 2011 at 1:13 AM, Corey Bryant wrote:
>> With qemu it is possible to run a guest from an unprivileged user but if
>> we wanted to communicate with the outside world we had to switch
>> to root.
>>
>> We address this problem by introducing a new network backend and a new
>> network option for -net tap. This is less flexible when compared to
>> existing -net tap options because it relies on a helper with elevated
>> privileges to do the heavy lifting of allocating and attaching a tap
>> device to a bridge. We use a special purpose helper because we don't
>> want to elevate the privileges of more generic tools like brctl.
>>
>> Qemu can be run with the default network helper as follows (in these cases
>> attaching the tap device to the default br0 bridge):
>>
>> qemu -hda linux.img -net bridge -net nic
>> or:
>> qemu -hda linux.img -net tap,helper=/usr/local/libexec/qemu-bridge-helper -net nic
>>
>> The default helper uses its own ACL mechanism for access control, but
>> future network helpers could be developed, for example, to support PolicyKit
>> for access control.
>>
>> More details are included in individual patches. The helper is broken into
>> a series of patches to improve reviewability.
>>
>> v2:
>>  - Updated signed-off-by's
>>  - Updated author's email
>>  - Set default bridge to br0
>>  - Added -net bridge
>>  - Updated ACL example
>>  - Moved from libcap to libcap-ng
>>  - Fail helper when libcap-ng not configured
>>
>> v3:
>>  - Use simple queue to store ACLs
>>  - Added goto cleanup to helper's main
>>  - Allow helper execution if libcap-ng not configured
>>  - Completed static analysis and memory analysis on helper
>>
>> v4:
>>  - Update has_vnet_hdr() to return bool
>>  - Update helper's main() to prevent errno clobbering
>>  - Let Kernel cleanup helper's file descriptors
>>
>> Corey Bryant (4):
>>   Add basic version of bridge helper
>>   Add access control support to qemu bridge helper
>>   Add cap reduction support to enable use as SUID
>>   Add support for net bridge
>>
>>  Makefile             |   12 ++-
>>  configure            |   37 +++++
>>  net.c                |   29 ++++-
>>  net.h                |    3 +
>>  net/tap.c            |  190 ++++++++++++++++++++++-
>>  net/tap.h            |    3 +
>>  qemu-bridge-helper.c |  407 ++++++++++++++++++++++++++++++++++++++++++++++++++
>>  qemu-options.hx      |   73 ++++++++--
>>  8 files changed, 731 insertions(+), 23 deletions(-)
>>  create mode 100644 qemu-bridge-helper.c
>>
>> --
>> 1.7.3.4