Features/HelperNetworking: Difference between revisions
mNo edit summary |
m (moved Features-Done/HelperNetworking to Features/HelperNetworking over redirect) |
||
(9 intermediate revisions by 3 users not shown) | |||
Line 23: | Line 23: | ||
sudo chmod u+s /usr/local/libexec/qemu-bridge-helper | sudo chmod u+s /usr/local/libexec/qemu-bridge-helper | ||
If invoking QEMU as a non-privileged user, make sure the user has necessary permissions (ie. access to image file). | |||
ACLs must be implemented for the default network helper. The ACL mechanism that is enforced by qemu-bridge-helper is a fairly simple whitelist/blacklist mechanisms with a wildcard of 'all'. All users are blacklisted by default, and deny takes precedence over allow. | ACLs must be implemented for the default network helper. The ACL mechanism that is enforced by qemu-bridge-helper is a fairly simple whitelist/blacklist mechanisms with a wildcard of 'all'. All users are blacklisted by default, and deny takes precedence over allow. | ||
Line 40: | Line 42: | ||
== Status == | == Status == | ||
* Patches are in | * Patches are upstream in QEMU 1.1. | ||
* Latest version of patches: http:// | * Latest version of patches: http://lists.gnu.org/archive/html/qemu-devel/2012-01/msg03562.html | ||
[[Category:Completed feature pages]] |
Latest revision as of 14:55, 11 October 2016
Summary
Introduce infrastructure to allow QEMU network backends to be implemented outside of QEMU in a generic way.
Owner
- Name: Anthony Liguori
- Email: anthony@codemonkey.ws
- Name: Corey Bryant
- Email: coreyb@linux.vnet.ibm.com
- Name: Richa Marwaha
- Email: rmarwah@linux.vnet.ibm.com
Detailed Summary
Infrastructure is introduced to enable a network helper to be executed by QEMU. This also allows third parties to implement user-visible network backends without having to introduce them into QEMU itself.
A default network helper is introduced that implements the same functionality as the common qemu-ifup script. It creates a tap file descriptor, attaches it to a bridge, and passes it back to QEMU. This helper runs with higher privileges and allows QEMU to be invoked as a non-privileged user. (The helper runs as setuid root and privileges are immediately dropped to cap_net_admin.)
The default network helper uses it's own ACL mechanism for access control. Administrators can restrict the bridges that an unprivileged user can put a guest on. A future network helper could be developed to support PolicyKit for access control.
Setup
The setuid attribute needs to be turned on for the default network helper:
sudo chmod u+s /usr/local/libexec/qemu-bridge-helper
If invoking QEMU as a non-privileged user, make sure the user has necessary permissions (ie. access to image file).
ACLs must be implemented for the default network helper. The ACL mechanism that is enforced by qemu-bridge-helper is a fairly simple whitelist/blacklist mechanisms with a wildcard of 'all'. All users are blacklisted by default, and deny takes precedence over allow.
The minimum required to run the default helper with the default bridge br0 is:
/etc/qemu/bridge.conf root:qemu 0640
allow br0
Execution
The following examples run Qemu with the default network helper and default bridge br0:
qemu linux.img -netdev bridge,id=hn0 -device virtio-net-pci,netdev=hn0,id=nic1
qemu linux.img -netdev tap,helper=/usr/local/libexec/qemu-bridge-helper,id=hn0 -device virtio-net-pci,netdev=hn0,id=nic1
Status
- Patches are upstream in QEMU 1.1.
- Latest version of patches: http://lists.gnu.org/archive/html/qemu-devel/2012-01/msg03562.html