
Re: [Qemu-discuss] Tap Devices

From: Frans de Boer
Subject: Re: [Qemu-discuss] Tap Devices
Date: Wed, 28 Nov 2012 20:26:49 +0100
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/17.0 Thunderbird/17.0

On 11/28/2012 05:48 PM, Mike Lovell wrote:
> On 11/28/2012 06:43 AM, Frans de Boer wrote:
> > I would like to use OpenvSwitch + Qemu together with opensuse 12.2. I
> > have OpenvSwitch and Qemu working correctly...as user root!
> >
> > The problem is neither of them above, rather it's the creation of tap
> > devices from Userspace. I see all kinds of possible solutions, some
> > very dated some newer, but nothing yet I believe will work from
> > Userspace only.
> >
> > I have used VDE before, but had to disable the Firewall to have
> > Internet access from the guests. OpenvSwitch is slightly faster than
> > VDE so I would like to give that a try.
> >
> > Any suggestions regarding the creation of tap devices from Userspace
> > are welcome.
>
> i don't know what version of qemu is distributed with opensuse 12.2 so i
> don't know if this will help. in the 1.1 release, there was support
> added to use a helper program to configure the tap devices. the program
> included with the qemu source, qemu-bridge-helper, creates the tap and
> attaches it to a linux bridge. the interesting part is that if the
> helper program has the setuid bit and is owned by root, then it is
> executed as root and has the ability to configure the networking. qemu
> itself does not need to be run as root. the following links have more
>
> i don't know if the included utility will work with openvswitch. it
> might if you have the brcompat module loaded.
>
> i hope that helps.

Thanks, I did try that before and setting the sguid bit did work until the point that the device must be written in the /dev directory, having made the /dev/net/tun node world RW. Another option is to create a new system group, and assign tunctl, ifconfig and ovs-vsctl to that group. Assigning the new group to the /dev directory does not seem to be a good (security) idea but might solve the issue for now.

Any other suggestions?
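
An added example, not part of the original thread: a small shell check that classifies the two permission setups discussed above, the setuid-root helper and the mode of /dev/net/tun. The function names and verdict strings are invented for this example, it assumes GNU `stat`, and the helper's install path is not given in the thread, so it is passed as an argument.

```shell
#!/bin/sh
# Added example, not from the thread. Classifies the permissions discussed
# above: a setuid-root helper and the mode of /dev/net/tun.
# Modes are octal strings as printed by GNU `stat -c %a` (e.g. 4755, 666).

# classify_helper MODE UID: is the helper set up as the reply describes
# (setuid bit set AND owned by root), without being writable by others?
classify_helper() {
    m=$((0$1))                      # leading 0 makes the value octal
    if [ $((m & 04000)) -eq 0 ]; then
        echo "no-setuid"            # runs with the caller's privileges only
    elif [ "$2" -ne 0 ]; then
        echo "setuid-not-root"      # runs as the owning user, which is not root
    elif [ $((m & 022)) -ne 0 ]; then
        echo "setuid-root-writable" # group/other may modify a root-privileged binary
    else
        echo "ok"
    fi
}

# classify_tun MODE: who may open the tun/tap control node read-write?
classify_tun() {
    m=$((0$1))
    if [ $((m & 006)) -eq $((006)) ]; then
        echo "world-rw"
    elif [ $((m & 060)) -eq $((060)) ]; then
        echo "group-rw"
    else
        echo "owner-only"
    fi
}

# audit HELPER_PATH TUN_NODE: stat both files and print one verdict each.
audit() {
    h=$(stat -c '%a %u' "$1") || return 1
    t=$(stat -c '%a' "$2") || return 1
    echo "helper $1: $(classify_helper "${h% *}" "${h#* }")"
    echo "tun    $2: $(classify_tun "$t")"
}

# Usage: sh audit.sh <path to qemu-bridge-helper> /dev/net/tun
if [ "$#" -eq 2 ]; then audit "$1" "$2"; fi
```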

