[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Qemu-devel] [PATCH 0/4] net-bridge: rootless bridge support for qem

From: Alexander Graf
Subject: Re: [Qemu-devel] [PATCH 0/4] net-bridge: rootless bridge support for qemu
Date: Wed, 4 Nov 2009 13:02:36 +0100

On 04.11.2009, at 01:28, Anthony Liguori wrote:

This series solves a problem that I've been struggling with for a few years now. One of the best things about qemu is that it's possible to run guests as an unprivileged user to improve security. However, if you want to have your guests communicate with the outside world, you're pretty much forced to run qemu as

At least with KVM support, this is probably the most common use case which means
that most of our users are running qemu as root.  That's terrible.

Yeah. Worse than the "run as root" part is the "it's hard" part though. I hate how I feel when I try to explain someone how to use non- slirp networking :-(.

The response to that is then usually "oh whatever, it's too complicated anyways".

We address this problem by introducing a new network backend: -net bridge. This backend is less flexible than -net tap because it relies on a helper with elevated privileges to do the heavy lifting of allocating and attaching a tap device to a bridge. We use a special purpose helper because we don't want
to elevate the privileges of more generic tools like brctl.

From a user perspective, to use bridged networking with a guest, you simply use:

 qemu -hda linux.img -net bridge -net nic

And assuming a bridge is defined named qemubr0 and the administrator has setup permissions accordingly, it will Just Work. My hope is that distributions will do this work as part of the qemu packaging process such that for most users,
the out-of-the-box experience will also Just Work.

Yeah, that won't work as easily.

When your customer has 2 NICs this will already break. But let's imagine we only have a single NIC.

So that NIC is a wifi card. When I set up the qemubr0 bridge for that one now, how does network manager configure my wifi access? It can't use the bridge device, as that doesn't have wifi extensions. It also can't use the wifi device, because setting up networking on that will break.

IMHO the only customer friendly choice I see is the ugly way. The way VMware and Vbox do it. To make it a bit less ugly, maybe we could create some way to "glue" a tap device and an eth together, the same way the bridge code does, just without the extra device.


reply via email to

[Prev in Thread] Current Thread [Next in Thread]