Sthu Deus (sthu.d...@gmail.com on 2011-11-07 02:18 +0700):
>
> I try to run KVM network w/o under normal user w/ the following
> result:
>
> /usr/bin/kvm -localtime -m 256 -no-reboot
> -cdrom ./debian-6.0.2.1-amd64-netinst/debian-6.0.2.1-amd64-netinst.iso
> -boot d -hda ./da -net nic -net tap,ifname=tap0,script=no
>
> kvm: -net tap,ifname=tap0,script=no: could not configure /dev/net/tun
> (tap0): Operation not permitted

Apparently, you need root access to create tap interfaces regardless of
the permissions on the tap device.

I have it on good authority (http://bugs.debian.org/630701#10) that the
preferred way is to precreate the tapX interfaces in
/etc/network/interfaces.

But if you are like me and you manage multiple virtual machines and you
stubbornly insist on using dynamic tap interfaces, you can work around
this by setting the CAP_NET_ADMIN capability on kvm:

    # setcap cap_net_admin+ep /usr/bin/kvm

However, there are two problems with this:

- every time dpkg upgrades qemu, the capability gets reset
- this is INSECURE, because you're now granting all your users full
  access to your network interfaces. Only do this if you trust your
  users.

The KVM/tap networking documentation seems scattered across the 'net,
most of it is incomplete and sometimes contradictory. If someone has a
pointer to The Definitive Guide(tm), I'd be interested to read it.

>
> user ALL = /sbin/ifconfig *, /sbin/ifup br0, /sbin/ifdown
> br0, /sbin/ip *, /sbin/brctl *, /sbin/tunctl *

If you precreate the tap interface, you won't need these...

Regards,
Arno

Archive: http://lists.debian.org/20111107213156.5284c...@neminis.intra.loos.site
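
One way to precreate the tap interface in /etc/network/interfaces, as the
reply recommends (an added example, not part of the original message).
It assumes a hypothetical unprivileged account "vmuser" that runs kvm,
that br0 is defined earlier in the same file, and that the installed
iproute provides "ip tuntap":

```text
# /etc/network/interfaces (fragment, constructed example)
# tap0 is created by root at boot and owned by "vmuser" (assumed account).
# The owner may attach to the existing device, so /usr/bin/kvm needs
# neither cap_net_admin nor sudo rules for ifconfig, ip, brctl or tunctl.
auto tap0
iface tap0 inet manual
    # create a persistent tap device owned by the unprivileged user
    pre-up ip tuntap add dev tap0 mode tap user vmuser
    # bring the link up and attach it to the existing bridge
    up ip link set dev tap0 up
    up brctl addif br0 tap0
    # detach from the bridge and remove the device on ifdown
    down brctl delif br0 tap0
    post-down ip tuntap del dev tap0 mode tap
```

With this in place, vmuser can run the kvm command quoted above with
-net tap,ifname=tap0,script=no unchanged; other local users cannot attach
to tap0 and gain no control over other interfaces.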