Why do you not develop one helper to set up bridge env for qemu guests when the host has no bridge interface?

On Wed, Nov 2, 2011 at 1:13 AM, Corey Bryant <cor...@linux.vnet.ibm.com> wrote:
> With qemu it is possible to run a guest from an unprivileged user but if
> we wanted to communicate with the outside world we had to switch
> to root.
>
> We address this problem by introducing a new network backend and a new
> network option for -net tap. This is less flexible when compared to
> existing -net tap options because it relies on a helper with elevated
> privileges to do the heavy lifting of allocating and attaching a tap
> device to a bridge. We use a special purpose helper because we don't
> want to elevate the privileges of more generic tools like brctl.
>
> Qemu can be run with the default network helper as follows (in these cases
> attaching the tap device to the default br0 bridge):
>
>     qemu -hda linux.img -net bridge -net nic
> or:
>     qemu -hda linux.img -net tap,helper=/usr/local/libexec/qemu-bridge-helper -net nic
>
> The default helper uses its own ACL mechanism for access control, but
> future network helpers could be developed, for example, to support PolicyKit
> for access control.
>
> More details are included in individual patches. The helper is broken into
> a series of patches to improve reviewability.
>
> v2:
>  - Updated signed-off-by's
>  - Updated author's email
>  - Set default bridge to br0
>  - Added -net bridge
>  - Updated ACL example
>  - Moved from libcap to libcap-ng
>  - Fail helper when libcap-ng not configured
>
> v3:
>  - Use simple queue to store ACLs
>  - Added goto cleanup to helper's main
>  - Allow helper execution if libcap-ng not configured
>  - Completed static analysis and memory analysis on helper
>
> v4:
>  - Update has_vnet_hdr() to return bool
>  - Update helper's main() to prevent errno clobbering
>  - Let Kernel cleanup helper's file descriptors
>
> Corey Bryant (4):
>   Add basic version of bridge helper
>   Add access control support to qemu bridge helper
>   Add cap reduction support to enable use as SUID
>   Add support for net bridge
>
>  Makefile             |   12 ++-
>  configure            |   37 +++++
>  net.c                |   29 ++++-
>  net.h                |    3 +
>  net/tap.c            |  190 ++++++++++++++++++++++-
>  net/tap.h            |    3 +
>  qemu-bridge-helper.c |  407 ++++++++++++++++++++++++++++++++++++++++++++++++++
>  qemu-options.hx      |   73 ++++++++--
>  8 files changed, 731 insertions(+), 23 deletions(-)
>  create mode 100644 qemu-bridge-helper.c
>
> --
> 1.7.3.4
>
>

--
Regards,

Zhi Yong Wu