[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Qemu-devel] [PATCH] ifname=xxx for -netdev bridge
From: |
Stefan Hajnoczi |
Subject: |
Re: [Qemu-devel] [PATCH] ifname=xxx for -netdev bridge |
Date: |
Mon, 25 Mar 2013 10:03:00 +0100 |
User-agent: |
Mutt/1.5.21 (2010-09-15) |
On Thu, Mar 21, 2013 at 07:05:09PM +0100, Alexandre Kandalintsev wrote:
> Hi!
>
>
> Here is the patch that allows us to specify the name of tap interface
> when -netdev bridge is used. It's like -netdev tap,ifname=xxx, but for
> bridges.
>
>
> ** Motivation **
>
> We've got zillions of VMs and would like to see meaningful names of tap
> interfaces. This is really useful for for, e.g., system administrators
> in case they want to run tcpdump on it.
>
>
> ** How it works **
>
> Just specify a ifname= parameter as it is done if --netdev tap is used.
> However, as it requires root privs, the interface renaming is
> actually done by qemu-bridge-helper. --netdev tap,ifname=xxx will fail
> if qemu is launched not from root.
>
>
> ** TODO **
>
> 1. Update docs
> 2. I'm afraid that net_init_tap should not run helper with
> --br=DEFAULT_BRIDGE_INTERFACE . At least bridge name should be tunnable.
> But this is a future work.
> 3. May be we should call qemu-bridge-helper for tap interface renamings
> because it always has root privs?
qemu-bridge-helper is a setuid root binary. It allows access to things
an unprivileged user normally cannot do. We need to be very careful
that new features cannot be abused.
There needs to be a policy in qemu-bridge-helper to control network
interface naming.
Imagine an existing qemu-bridge-helper deployment. Now if your patch is
merged and the new qemu-bridge-helper is installed, unprivileged users
can create arbitrarily named network interfaces.
It was previously not possible to create arbitrarily named network
interfaces. This might pose a security problem given firewall
configuration, monitoring software, etc which isn't configured to deal
with these new interface names.
By default, custom names should not be allowed. Perhaps the
qemu-bridge-helper configuration file needs an option to specify a glob
pattern, e.g. vm*.
This way the host system administrator can restrict network interface
names while still allowing humand-friendly names.
Stefan