On jeu., 2010-12-16 at 21:08 +0300, Michael Tokarev wrote: 
> 16.12.2010 20:40, Yves-Alexis Perez wrote:
> > Package: qemu-kvm
> > Version: 0.12.5+dfsg-5
> > Severity: important
> > 
> > Hey,
> > 
> > I'm experiencing a weird problem with kvm. It seems that network scripts
> > aren't run at all, and an internal script is always used, which won't
> > work as user:
> > 
> > yape...@oban: kvm -net nic -net tap
> > could not configure /dev/net/tun: Operation not permitted
> 
> There's no such thing as "internal script".  By default qemu - given
> -net tap as above - _creates_ a network device, and runs the script
> specified only _after_ the device is created.  Here, you don't have
> permission to _create_ a network device to start with.

The various howtos found on the net seem to indicate the script is
responsible for creating the device. See
http://en.wikibooks.org/wiki/QEMU/Networking for example.
> 
> > running it as root or through sudo works fine.
> > 
> > By default, manpage says it should use /etc/kvm/kvm-ifup script, which
> > doesn't do anything tun related, which means it's done inside kvm
> > itself.
> 
> The script runs against already created tap device - created either
> by qemu itself, or pre-created (and given with ifname=NNN to qemu).

Ok so passing ifname=NNN should prevent the device to be created by kvm.

> There's no point or ability to _create_ a tap device _inside_ the
> script - because it has the same permissions anyway, and because
> now there's no way to pass the tap device back to qemu.

I thought the name was given has an argument to the script, so qemu
already knows it. And that means it's possible to gain root in the
script using sudo.
> 
> > Using script=no fixes the problem but means one has to setup everything
> > himself.
> 
> Fixes which problem?  Qemu still need the tap device - either created
> internally or pre-created.

I meant that when passing script=no, qemu didn't try to create the tap
device itself, but that's wrong, it's when I used ifname=foo.
> 
> Qemu does nothing with the tap device it created (or took from ifname=XXX)
> except of "connecting" it to guest.  Everything else is done outside -
> either in the script or by external means.  And the steps necessary
> to use this device on the host side does not depend on who created
> the tap device.
> 
> If you want to run in as non-root you may pre-create a tap device
> before running qemu, and give certain user or group access to it.
> You may pre-configure it too, by adding to an appropriate bridge
> or setting up routing.
> 
> Closing this bug right away, which was due to either invalid usage
> or some misunderstanding of how things work.

Yeah, sorry. I still think there's a valid bug against the
documentation, which is a bit scarse on the tap stuff.

Sorry for bothering.

Regards,
-- 
Yves-Alexis

Attachment: signature.asc
Description: This is a digitally signed message part

Reply via email to