Features/HelperNetworking
Summary
Introduce infrastructure to allow QEMU network backends to be implemented outside of QEMU in a generic way.
Owner
- Name: Anthony Liguori
- Email: anthony@codemonkey.ws
- Name: Corey Bryant
- Email: coreyb@linux.vnet.ibm.com
- Name: Richa Marwaha
- Email: rmarwah@linux.vnet.ibm.com
Detailed Summary
Infrastructure is introduced to enable a network helper to be executed by QEMU. This also allows third parties to implement user-visible network backends without having to introduce them into QEMU itself.
A default network helper is introduced that implements the same functionality as the common qemu-ifup script. It creates a tap file descriptor, attaches it to a bridge, and passes it back to QEMU. This helper runs with higher privileges and allows QEMU to be invoked as a non-privileged user. (The helper runs as setuid root and privileges are immediately dropped to cap_net_admin.)
The default network helper uses its own ACL mechanism for access control. Administrators can restrict the bridges that an unprivileged user can put a guest on. A future network helper could be developed to support PolicyKit for access control.
Setup
The setuid attribute needs to be turned on for the default network helper:
sudo chmod u+s /usr/local/libexec/qemu-bridge-helper
ACLs must be configured for the default network helper. The ACL mechanism enforced by qemu-bridge-helper is a fairly simple whitelist/blacklist mechanism with a wildcard of 'all'. All users are blacklisted by default, and deny takes precedence over allow.
The minimum required to run the default helper with the default bridge br0 is an ACL file /etc/qemu/bridge.conf, owned by root:qemu with mode 0640, containing the single line:
allow br0
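The following is an added example, not QEMU's own code: a small Python model of the ACL semantics described above (allow/deny rules, the 'all' wildcard, deny taking precedence, deny by default), useful for checking what a given bridge.conf would permit before installing it. The treatment of blank lines and '#' comments is this model's assumption, not a statement about the helper's parser.

```python
# Added example, not QEMU's own code: a model of the bridge.conf ACL
# semantics described above. Each rule is 'allow <bridge>' or
# 'deny <bridge>', where <bridge> may be the wildcard 'all'. A bridge is
# usable only if some allow rule matches AND no deny rule matches, so
# deny wins over allow and an empty file denies everyone.

def parse_acl(text):
    """Return (action, bridge) tuples from bridge.conf contents.

    Blank lines and '#' comments are skipped (an assumption of this model).
    Unknown directives raise, since silently ignoring a rule could widen access.
    """
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 2 or parts[0] not in ("allow", "deny"):
            raise ValueError(f"bridge.conf line {lineno}: cannot parse {raw!r}")
        rules.append((parts[0], parts[1]))
    return rules


def bridge_allowed(rules, bridge):
    """True only if an allow rule matches `bridge` and no deny rule does."""
    allowed = denied = False
    for action, target in rules:
        if target not in ("all", bridge):
            continue
        if action == "allow":
            allowed = True
        else:
            denied = True
    return allowed and not denied


# Constructed sample configuration, not a real /etc/qemu/bridge.conf.
SAMPLE_CONF = """
allow all        # every bridge on the host...
deny br-mgmt     # ...except the management bridge
allow br-mgmt    # has no effect: deny takes precedence
"""

if __name__ == "__main__":
    rules = parse_acl(SAMPLE_CONF)
    for name in ("br0", "br-mgmt"):
        print(name, "allowed" if bridge_allowed(rules, name) else "denied")
```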
Execution
The following examples run QEMU with the default network helper and default bridge br0:
qemu linux.img -netdev bridge,id=hn0 -device virtio-net-pci,netdev=hn0,id=nic1
qemu linux.img -netdev tap,helper=/usr/local/libexec/qemu-bridge-helper,id=hn0 -device virtio-net-pci,netdev=hn0,id=nic1
Status
- Patches are in review on the mailing list.
- Latest version of patches: http://www.mail-archive.com/qemu-devel@nongnu.org/msg90423.html