Features/HelperNetworking
Summary
Introduce infrastructure to allowed QEMU network backends to be implemented outside of QEMU in a generic way.
Owner
- Name: Anthony Liguori
- Email: anthony@codemonkey.ws
- Name: Corey Bryant
- Email: coreyb@linux.vnet.ibm.com
- Name: Richa Marwaha
- Email: rmarwah@linux.vnet.ibm.com
Detailed Summary
A network helper (and supporting infrastructure) is introduced that can be invoked to create appropriate tap file descriptors, attach them to a bridge, and pass them back to QEMU. This helper runs with higher privileges and allows QEMU to be invoked as a non-privileged user. This also allows third parties to implement user-visible network backends without having to introduce them into QEMU itself. The helper that is provided could just as easily be run by libvirt, and the open fd passed to QEMU with -net tap,fd=.
Network Helper
The default helper, qemu_network_helper, can be invoked by using -net bridge or -net tap (examples are shown below). The default helper implements the most common qemu-ifup script, and does so with cap_net_admin capability.
QEMU launches the helper, passing a bridge name and the name of an inherited file descriptor that is one end of a socketpair() of domain sockets. This domain socket is used to transmit a file descriptor of the opened tap device from the helper back to QEMU. The helper then exits and lets QEMU use the tap device.
The helper needs to be suid: sudo chmod u+s /usr/local/libexec/qemu-bridge-helper
Administrators can restrict the bridges that an unprivileged user can put a guest on (ie. what should be isolated networks).
The default network helper uses it's own ACL mechanism for access control as default, but future network helpers could be developed to support PolicyKit for access control. The ACL mechanism that is enforced by qemu-bridge-helper, is a fairly simple whitelist/blacklist mechanisms with a wildcard of 'all'. All users are blacklisted by default, and deny takes precedence over allow.
An interesting feature of this ACL mechanism is that you can include external ACL files. The main reason to support this is so that you can set different file system permissions on those external ACL files. This allows an administrator to implement rather sophisticated ACL policies based on user/group policies via the file system.
As an example:
/etc/qemu/bridge.conf root:qemu 0640
allow br0 include /etc/qemu/alice.conf include /etc/qemu/bob.conf include /etc/qemu/charlie.conf
/etc/qemu/alice.conf root:alice 0640
allow br1
/etc/qemu/bob.conf root:bob 0640
allow br2
/etc/qemu/charlie.conf root:charlie 0640
deny all
This ACL pattern allows any user in the qemu group to get a tap device connected to br0 (which is bridged to the physical network).
Users in the alice group can additionally get a tap device connected to br1. This allows br1 to act as a private bridge for the alice group.
Users in the bob group can additionally get a tap device connected to br2. This allows br2 to act as a private bridge for the bob group.
Users in the charlie group cannot get a tap device connected to any bridge.
Under no circumstance can the bob group get access to br1 or can the alice group get access to br2. And under no cicumstance can the charlie group get access to any bridge.
Examples
The following examples run Qemu with the default network helper, attaching a tap device to the default br0 bridge:
qemu linux.img -net bridge -net nic,model=virtio
qemu linux.img -net tap,helper=/usr/local/libexec/qemu-bridge-helper -net nic,model=virtio
qemu linux.img -netdev bridge,id=hn0 -device virtio-net-pci,netdev=hn0,id=nic1
qemu linux.img -netdev tap,helper=/usr/local/libexec/qemu-bridge-helper,id=hn0 -device virtio-net-pci,netdev=hn0,id=nic1