Re: reaching the guest from the host through network



On 02/08/2013 05:45 PM, Laine Stump wrote:
>> Bridging requires root access, something that boxes can't provide you right
>> now, since it can only access the unprivileged qemu session.
>
> Well, to be exact, qemu is *always* unprivileged. It's libvirt that must
> be running privileged in order to do full network setup.
>
> Recent libvirt has an addition that causes an unprivileged libvirt given
> an <interface type='bridge'> configuration to tell the (also
> unprivileged) qemu it creates to use the new qemu "suid network helper"
> to create a tap device and connect it to an existing bridge. This is
> about 1/10th of the capabilities possible from a privileged libvirt, but
> it may be sufficient in some cases (in particular, if a bridge has
> already been set up on the host).


>> Since virt-manager can access the privileged qemu session, it also has
>> access to the libvirt bridge, and it will all work fine.
>
> With qemu's suid network helper, boxes could also have access to "the
> bridge created by libvirt". This isn't exactly the same as
> "libvirt-created virtual networks" (it's really just a happy coincidence
> that "virbr0" usually happens to be libvirt's "default" network), and in
> particular, since that bridge is behind NAT rules, you will only get
> incoming connections from the host itself, not from anywhere beyond, and
> you won't be able to use libvirt's "hook" functions to set up port
> forwarding rules for incoming connections from beyond the host (without
> becoming root, that is).

If you could give me some pointers on how to use the suid network helper, that would be great. 1/10 of the capabilities of libvirt networking is way better than 1/1 of the capabilities of userspace networking. If you have some doc resource handy, great; otherwise don't worry, I'll look for it.

virt-tests, running by default as an unprivileged user, has to use userspace networking, and that's such a pity, given that we could do so much more non-root testing if we could access the virbr0 bridge.

Oh, and also because of that bridge situation, our libvirt-related tests have to run as root, which is even more pitiful.
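As an added illustration, not part of the thread, this shell snippet shows what the unprivileged-libvirt path described above needs: the `<interface type='bridge'>` fragment that makes session libvirt hand tap creation to qemu's setuid bridge helper, and two checks on the host side (is the helper setuid root, and does its ACL name the bridge). The helper path `/usr/libexec/qemu-bridge-helper` and the ACL file `/etc/qemu/bridge.conf` are qemu's usual defaults and are assumptions here; the function names are mine.

```shell
#!/bin/sh
# Added example (not from the thread). Paths are qemu's usual defaults,
# assumed here; override with HELPER=... ACL=... if your distro differs.
HELPER=${HELPER:-/usr/libexec/qemu-bridge-helper}
ACL=${ACL:-/etc/qemu/bridge.conf}

# Domain XML fragment for qemu:///session: with this, an unprivileged
# libvirt asks qemu to run the setuid helper instead of creating the tap
# itself. Argument: bridge name (e.g. virbr0).
domain_iface_xml() {
    cat <<EOF
<interface type='bridge'>
  <source bridge='$1'/>
  <model type='virtio'/>
</interface>
EOF
}

# The helper runs setuid root, so the ACL file is the only thing deciding
# which bridges an ordinary user may attach a tap to. Returns 0 if the
# named bridge is allowed, 1 if not, 2 if the ACL is unreadable.
# 'allow all' is reported on stderr: it lets any local user reach any
# bridge on the host, which is much more than the thread asks for.
bridge_allowed() {
    acl=$1; bridge=$2
    [ -r "$acl" ] || return 2
    if grep -Eq "^[[:space:]]*allow[[:space:]]+all([[:space:]]|\$)" "$acl"; then
        echo "warning: $acl allows every bridge" >&2
        return 0
    fi
    grep -Eq "^[[:space:]]*allow[[:space:]]+$bridge([[:space:]]|\$)" "$acl"
}

# Without the setuid bit (owner root), qemu's tap setup fails with a
# permission error and the guest comes up without the bridged interface.
helper_is_setuid_root() {
    [ -u "$1" ] && [ "$(stat -c %U "$1" 2>/dev/null)" = root ]
}

# Stand-alone usage: report on the host's actual helper and ACL.
if [ -e "$HELPER" ]; then
    helper_is_setuid_root "$HELPER" && echo "$HELPER is setuid root" \
        || echo "$HELPER is not setuid root"
    bridge_allowed "$ACL" virbr0 && echo "virbr0 allowed by $ACL" \
        || echo "virbr0 not allowed by $ACL"
fi
```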
