On 11/09/2009 04:20 PM, Anthony Liguori wrote:
Avi Kivity wrote:
On 11/08/2009 12:11 AM, Anthony Liguori wrote:
You don't need root privileges to use a tap device.
You can access a preconfigured tap device but you cannot allocate a
tap device and connect it to a bridge without CAP_NET_ADM
Anthony Liguori wrote:
> You are correct except that I qualified this as NAT with host access
> which so far is the common model. If the host can access the NAT'd
> network behind the NAT, then port privileges are important.
You're right.
This is why QEMU guests should be run inside an LXC con
Jamie Lokier wrote:
Anthony Liguori wrote:
Let's not kid ourselves, no matter what we do we're giving a user
elevated privileges. Even with NAT, if the host can access the NAT'ed
network, then you can run a privileged service (like NFS) in that
network.
I don't see how outgoing NAT
Anthony Liguori wrote:
> Let's not kid ourselves, no matter what we do we're giving a user
> elevated privileges. Even with NAT, if the host can access the NAT'ed
> network, then you can run a privileged service (like NFS) in that
> network.
I don't see how outgoing NAT (SNAT), where the guest
Avi Kivity wrote:
On 11/08/2009 12:11 AM, Anthony Liguori wrote:
You don't need root privileges to use a tap device.
You can access a preconfigured tap device but you cannot allocate a
tap device and connect it to a bridge without CAP_NET_ADMIN.
btw, shouldn't we, in the general case, cr
On 11/08/2009 10:43 AM, Arnd Bergmann wrote:
btw, shouldn't we, in the general case, create a bridge per user and use
IP NAT? If we have a global bridge, users can spoof each other's MAC
addresses and interfere with their virtual machines. They can also
interfere with the real network.
That's
On Sunday 08 November 2009 08:27:41 Avi Kivity wrote:
> On 11/08/2009 12:11 AM, Anthony Liguori wrote:
> >
> >> You don't need root privileges to use a tap device.
> >
> > You can access a preconfigured tap device but you cannot allocate a
> > tap device and connect it to a bridge without CAP_NET
On 11/08/2009 12:11 AM, Anthony Liguori wrote:
You don't need root privileges to use a tap device.
You can access a preconfigured tap device but you cannot allocate a
tap device and connect it to a bridge without CAP_NET_ADMIN.
btw, shouldn't we, in the general case, create a bridge per u
David Woodhouse wrote:
On Tue, 2009-11-03 at 18:28 -0600, Anthony Liguori wrote:
The most common use of -net tap is to connect a tap device to a bridge. This
requires the use of a script and running qemu as root in order to allocate a
tap device to pass to the script.
Does it?
Tap d
On Tue, 2009-11-03 at 18:28 -0600, Anthony Liguori wrote:
> The most common use of -net tap is to connect a tap device to a bridge. This
> requires the use of a script and running qemu as root in order to allocate a
> tap device to pass to the script.
Does it?
Tap devices can be created (and co
Anthony Liguori wrote:
> Avi Kivity wrote:
> >>+int net_init_bridge(QemuOpts *opts, Monitor *mon, const char *name,
> >>VLANState *vlan);
> >>+
> >>
> >
> >Don't we need to tear the interface down after shutdown?
>
> net_init_bridge calls net_tap_fd_init which registers tap_cleanup. That
> c
Krumme, Chris wrote:
Do you need to mention the default name qemubr0 here?
Good suggestion.
Regards,
Anthony Liguori
> Sent: Tuesday, November 03, 2009 6:28 PM
> To: qemu-devel@nongnu.org
> Cc: Mark McLoughlin; Anthony Liguori; Arnd Bergmann; Dustin
> Kirkland; Michael Tsirkin; Juan Quintela
> Subject: [Qemu-devel] [PATCH 4/4] Add support for -net bridge
>
> The most common use of -net tap is to
The most common use of -net tap is to connect a tap device to a bridge. This
requires the use of a script and running qemu as root in order to allocate a
tap device to pass to the script.
This model is great for portability and flexibility but it's incredibly
difficult to eliminate the need to ru
14 matches
Mail list logo
