rmarwah | 29 Jun 2012 20:08

[libvirt] [Patch v2 0/3] Add QEMU network helper support

From: Richa Marwaha <rmarwah <at> linux.vnet.ibm.com>

QEMU has a new feature which allows QEMU to execute under an unprivileged user ID and still be able to
add a tap device to a Linux network bridge. Below is the link to the QEMU patches for the bridge helper
feature:

http://lists.gnu.org/archive/html/qemu-devel/2012-01/msg03562.html

The existing libvirt tap network device support for adding a tap device to a bridge (-netdev tap) works
only when connected to a libvirtd instance running as the privileged system account 'root'.
When connected to a libvirtd instance running as an unprivileged user (i.e. using the session URI) creation of
the tap device fails as follows:

error: Failed to start domain F14_64 error: Unable to create tap device vnet%d: Operation not permitted

With this support, creating a tap device in the above scenario will be possible.  Additionally, hot attaching
a tap device to a bridge while running when connected to a libvirtd instance running as an unprivileged user
will be possible.

Richa Marwaha (3):
  Add -netdev bridge capabilities
  Add -netdev bridge support
  apparmor: QEMU bridge helper policy updates

 examples/apparmor/libvirt-qemu |   21 +++++++++++++-
 src/qemu/qemu_capabilities.c   |   13 ++++++--
 src/qemu/qemu_capabilities.h   |    1 +
 src/qemu/qemu_command.c        |   61 ++++++++++++++++++++++++++++-----------
 src/qemu/qemu_command.h        |    2 +
 src/qemu/qemu_hotplug.c        |   31 ++++++++++++++------

rmarwah | 29 Jun 2012 20:08

[libvirt] [Patch v2 2/3] Add -netdev bridge support

From: Richa Marwaha <rmarwah <at> linux.vnet.ibm.com>

This patch adds the support to run the QEMU network helper
under an unprivileged user. It also adds the support for the
attach-interface option in virsh to run under an unprivileged
user.

Signed-off-by: Richa Marwaha <rmarwah <at> linux.vnet.ibm.com>
Signed-off-by: Corey Bryant<coreyb <at> linux.vnet.ibm.com>
---
v2
- This patch's attach-interface option is tested on
commit cd15303fd123146b0ba53e387d08ef22b707223

 src/qemu/qemu_command.c |   61 +++++++++++++++++++++++++++++++++-------------
 src/qemu/qemu_command.h |    2 +
 src/qemu/qemu_hotplug.c |   31 ++++++++++++++++-------
 3 files changed, 67 insertions(+), 27 deletions(-)

diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c
index 6549f57..4eb8cd5 100644
--- a/src/qemu/qemu_command.c
+++ b/src/qemu/qemu_command.c
 <at>  <at>  -2851,6 +2851,8  <at>  <at>  error:

 char *
 qemuBuildHostNetStr(virDomainNetDefPtr net,
+                    struct qemud_driver *driver,
+                    virBitmapPtr qemuCaps,
                     char type_sep,
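Review bot: Passing the whole `struct qemud_driver *driver` into qemuBuildHostNetStr() just to build a -netdev string couples the command-line builder to mutable driver state; if the bridge path only needs to know whether libvirtd is unprivileged and where the helper binary lives, pass those values (or at least a const pointer) so the builder stays side-effect free and unit-testable, and document what the two new parameters are used for in the matching prototype change in src/qemu/qemu_command.h (the 2-line change in the diffstat).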

Michal Privoznik | 4 Jul 2012 17:37

Re: [libvirt] [Patch v2 2/3] Add -netdev bridge support

On 29.06.2012 20:08, rmarwah <at> linux.vnet.ibm.com wrote:
> From: Richa Marwaha <rmarwah <at> linux.vnet.ibm.com>
> 
> This patch adds the support to run the QEMU network helper
> under an unprivileged user. It also adds the support for the
> attach-interface option in virsh to run under an unprivileged
> user.
> 
> Signed-off-by: Richa Marwaha <rmarwah <at> linux.vnet.ibm.com>
> Signed-off-by: Corey Bryant<coreyb <at> linux.vnet.ibm.com>
> ---
> v2
> - This patch's attach-interface option is tested on
> commit cd15303fd123146b0ba53e387d08ef22b707223
> 
>  src/qemu/qemu_command.c |   61 +++++++++++++++++++++++++++++++++-------------
>  src/qemu/qemu_command.h |    2 +
>  src/qemu/qemu_hotplug.c |   31 ++++++++++++++++-------
>  3 files changed, 67 insertions(+), 27 deletions(-)
> 
> diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c
> index 6549f57..4eb8cd5 100644
> --- a/src/qemu/qemu_command.c
> +++ b/src/qemu/qemu_command.c
>  <at>  <at>  -2851,6 +2851,8  <at>  <at>  error:
>  
>  char *
>  qemuBuildHostNetStr(virDomainNetDefPtr net,
> +                    struct qemud_driver *driver,
> +                    virBitmapPtr qemuCaps,

rmarwah | 29 Jun 2012 20:08

[libvirt] [Patch v2 3/3] apparmor: QEMU bridge helper policy updates

From: Richa Marwaha <rmarwah <at> linux.vnet.ibm.com>

This patch provides AppArmor policy updates for the QEMU bridge helper.
The QEMU bridge helper is a SUID executable exec'd by QEMU that drops
capabilities to CAP_NET_ADMIN and adds a tap device to a network bridge.

Signed-off-by: Richa Marwaha <rmarwah <at> linux.vnet.ibm.com>
Signed-off-by: Corey Bryant<coreyb <at> linux.vnet.ibm.com>
---
 examples/apparmor/libvirt-qemu |   21 ++++++++++++++++++++-
 1 files changed, 20 insertions(+), 1 deletions(-)

diff --git a/examples/apparmor/libvirt-qemu b/examples/apparmor/libvirt-qemu
index 10cdd36..766a334 100644
--- a/examples/apparmor/libvirt-qemu
+++ b/examples/apparmor/libvirt-qemu
 <at>  <at>  -1,4 +1,4  <at>  <at> 
-# Last Modified: Mon Apr  5 15:11:27 2010
+# Last Modified: Fri Mar 9 14:43:22 2012

   #include <abstractions/base>
   #include <abstractions/consoles>
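Review bot: The only change in this hunk is the "# Last Modified" comment; that is editor churn rather than policy, and it will conflict with any other change to the file, so drop the hunk (or remove the timestamp comment from the example profile altogether) and keep the diff limited to the bridge-helper rules.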
 <at>  <at>  -108,3 +108,22  <at>  <at> 
   /bin/dash rmix,
   /bin/dd rmix,
   /bin/cat rmix,
+
+  /usr/libexec/qemu-bridge-helper Cx,
+  # child profile for bridge helper process
+  profile /usr/libexec/qemu-bridge-helper {
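Review bot: The helper path /usr/libexec/qemu-bridge-helper is hard-coded twice (the Cx rule and the child profile header) in an example profile that every distribution ships; an AppArmor alternation such as /usr/{lib,libexec}/qemu-bridge-helper, or a variable, would match wherever the helper is installed without a per-distro patch. Cx (capital C, so the environment is scrubbed across the transition) is the right exec mode for a SUID binary, but the child profile then has to grant what the helper keeps after it drops privileges: at least `capability net_admin` (the one capability the commit message says it retains), very likely setuid/setgid/setpcap for the privilege drop itself, read access to its ACL configuration and access to /dev/net/tun for the tap device. None of that is visible in the portion of the hunk shown, so the full child profile needs to be in the patch for review.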

Jamie Strandboge | 2 Jul 2012 14:16

Re: [libvirt] [Patch v2 3/3] apparmor: QEMU bridge helper policy updates

On Fri, 2012-06-29 at 14:08 -0400, rmarwah <at> linux.vnet.ibm.com wrote:
> From: Richa Marwaha <rmarwah <at> linux.vnet.ibm.com>
> 
> This patch provides AppArmor policy updates for the QEMU bridge helper.
> The QEMU bridge helper is a SUID executable exec'd by QEMU that drops
> capabilities to CAP_NET_ADMIN and adds a tap device to a network bridge.
> 
> Signed-off-by: Richa Marwaha <rmarwah <at> linux.vnet.ibm.com>
> Signed-off-by: Corey Bryant<coreyb <at> linux.vnet.ibm.com>
> ---
>  examples/apparmor/libvirt-qemu |   21 ++++++++++++++++++++-
>  1 files changed, 20 insertions(+), 1 deletions(-)
> 
> diff --git a/examples/apparmor/libvirt-qemu b/examples/apparmor/libvirt-qemu
> index 10cdd36..766a334 100644
> --- a/examples/apparmor/libvirt-qemu
> +++ b/examples/apparmor/libvirt-qemu
>  <at>  <at>  -1,4 +1,4  <at>  <at> 
> -# Last Modified: Mon Apr  5 15:11:27 2010
> +# Last Modified: Fri Mar 9 14:43:22 2012
>  
>    #include <abstractions/base>
>    #include <abstractions/consoles>
>  <at>  <at>  -108,3 +108,22  <at>  <at> 
>    /bin/dash rmix,
>    /bin/dd rmix,
>    /bin/cat rmix,
> +
> +  /usr/libexec/qemu-bridge-helper Cx,
> +  # child profile for bridge helper process

rmarwah | 3 Jul 2012 18:05

Re: [libvirt] [Patch v2 3/3] apparmor: QEMU bridge helper policy updates


Quoting Jamie Strandboge <jamie <at> canonical.com>:

> On Fri, 2012-06-29 at 14:08 -0400, rmarwah <at> linux.vnet.ibm.com wrote:
>> From: Richa Marwaha <rmarwah <at> linux.vnet.ibm.com>
>>
>> This patch provides AppArmor policy updates for the QEMU bridge helper.
>> The QEMU bridge helper is a SUID executable exec'd by QEMU that drops
>> capabilities to CAP_NET_ADMIN and adds a tap device to a network bridge.
>>
>> Signed-off-by: Richa Marwaha <rmarwah <at> linux.vnet.ibm.com>
>> Signed-off-by: Corey Bryant<coreyb <at> linux.vnet.ibm.com>
>> ---
>>  examples/apparmor/libvirt-qemu |   21 ++++++++++++++++++++-
>>  1 files changed, 20 insertions(+), 1 deletions(-)
>>
>> diff --git a/examples/apparmor/libvirt-qemu b/examples/apparmor/libvirt-qemu
>> index 10cdd36..766a334 100644
>> --- a/examples/apparmor/libvirt-qemu
>> +++ b/examples/apparmor/libvirt-qemu
>>  <at>  <at>  -1,4 +1,4  <at>  <at> 
>> -# Last Modified: Mon Apr  5 15:11:27 2010
>> +# Last Modified: Fri Mar 9 14:43:22 2012
>>
>>    #include <abstractions/base>
>>    #include <abstractions/consoles>
>>  <at>  <at>  -108,3 +108,22  <at>  <at> 
>>    /bin/dash rmix,
>>    /bin/dd rmix,
>>    /bin/cat rmix,

Jamie Strandboge | 6 Jul 2012 22:09

Re: [libvirt] [Patch v2 3/3] apparmor: QEMU bridge helper policy updates

On Tue, 2012-07-03 at 12:05 -0400, rmarwah <at> linux.vnet.ibm.com wrote:
> Quoting Jamie Strandboge <jamie <at> canonical.com>:
> 
> > On Fri, 2012-06-29 at 14:08 -0400, rmarwah <at> linux.vnet.ibm.com wrote:
> >> From: Richa Marwaha <rmarwah <at> linux.vnet.ibm.com>
> >>
> >> This patch provides AppArmor policy updates for the QEMU bridge helper.
> >> The QEMU bridge helper is a SUID executable exec'd by QEMU that drops
> >> capabilities to CAP_NET_ADMIN and adds a tap device to a network bridge.
> >>
> >> Signed-off-by: Richa Marwaha <rmarwah <at> linux.vnet.ibm.com>
> >> Signed-off-by: Corey Bryant<coreyb <at> linux.vnet.ibm.com>
> >> ---
> >>  examples/apparmor/libvirt-qemu |   21 ++++++++++++++++++++-
> >>  1 files changed, 20 insertions(+), 1 deletions(-)
> >>
> >> diff --git a/examples/apparmor/libvirt-qemu b/examples/apparmor/libvirt-qemu
> >> index 10cdd36..766a334 100644
> >> --- a/examples/apparmor/libvirt-qemu
> >> +++ b/examples/apparmor/libvirt-qemu
> >>  <at>  <at>  -1,4 +1,4  <at>  <at> 
> >> -# Last Modified: Mon Apr  5 15:11:27 2010
> >> +# Last Modified: Fri Mar 9 14:43:22 2012
> >>
> >>    #include <abstractions/base>
> >>    #include <abstractions/consoles>
> >>  <at>  <at>  -108,3 +108,22  <at>  <at> 
> >>    /bin/dash rmix,
> >>    /bin/dd rmix,
> >>    /bin/cat rmix,

rmarwah | 9 Jul 2012 16:22

Re: [libvirt] [Patch v2 3/3] apparmor: QEMU bridge helper policy updates


Quoting Jamie Strandboge <jamie <at> canonical.com>:

> On Tue, 2012-07-03 at 12:05 -0400, rmarwah <at> linux.vnet.ibm.com wrote:
>> Quoting Jamie Strandboge <jamie <at> canonical.com>:
>>
>> > On Fri, 2012-06-29 at 14:08 -0400, rmarwah <at> linux.vnet.ibm.com wrote:
>> >> From: Richa Marwaha <rmarwah <at> linux.vnet.ibm.com>
>> >>
>> >> This patch provides AppArmor policy updates for the QEMU bridge helper.
>> >> The QEMU bridge helper is a SUID executable exec'd by QEMU that drops
>> >> capabilities to CAP_NET_ADMIN and adds a tap device to a network bridge.
>> >>
>> >> Signed-off-by: Richa Marwaha <rmarwah <at> linux.vnet.ibm.com>
>> >> Signed-off-by: Corey Bryant<coreyb <at> linux.vnet.ibm.com>
>> >> ---
>> >>  examples/apparmor/libvirt-qemu |   21 ++++++++++++++++++++-
>> >>  1 files changed, 20 insertions(+), 1 deletions(-)
>> >>
>> >> diff --git a/examples/apparmor/libvirt-qemu  
>> b/examples/apparmor/libvirt-qemu
>> >> index 10cdd36..766a334 100644
>> >> --- a/examples/apparmor/libvirt-qemu
>> >> +++ b/examples/apparmor/libvirt-qemu
>> >>  <at>  <at>  -1,4 +1,4  <at>  <at> 
>> >> -# Last Modified: Mon Apr  5 15:11:27 2010
>> >> +# Last Modified: Fri Mar 9 14:43:22 2012
>> >>
>> >>    #include <abstractions/base>
>> >>    #include <abstractions/consoles>

Jamie Strandboge | 9 Jul 2012 16:46

Re: [libvirt] [Patch v2 3/3] apparmor: QEMU bridge helper policy updates

On Mon, 2012-07-09 at 10:22 -0400, rmarwah <at> linux.vnet.ibm.com wrote:
> Quoting Jamie Strandboge <jamie <at> canonical.com>:
> 
> > On Tue, 2012-07-03 at 12:05 -0400, rmarwah <at> linux.vnet.ibm.com wrote:
> >> Quoting Jamie Strandboge <jamie <at> canonical.com>:
> >>
> >> > On Fri, 2012-06-29 at 14:08 -0400, rmarwah <at> linux.vnet.ibm.com wrote:
> >> >> From: Richa Marwaha <rmarwah <at> linux.vnet.ibm.com>
> >> >>
> >> >> This patch provides AppArmor policy updates for the QEMU bridge helper.
> >> >> The QEMU bridge helper is a SUID executable exec'd by QEMU that drops
> >> >> capabilities to CAP_NET_ADMIN and adds a tap device to a network bridge.
> >> >>
> >> >> Signed-off-by: Richa Marwaha <rmarwah <at> linux.vnet.ibm.com>
> >> >> Signed-off-by: Corey Bryant<coreyb <at> linux.vnet.ibm.com>
> >> >> ---
> >> >>  examples/apparmor/libvirt-qemu |   21 ++++++++++++++++++++-
> >> >>  1 files changed, 20 insertions(+), 1 deletions(-)
> >> >>
> >> >> diff --git a/examples/apparmor/libvirt-qemu  
> >> b/examples/apparmor/libvirt-qemu
> >> >> index 10cdd36..766a334 100644
> >> >> --- a/examples/apparmor/libvirt-qemu
> >> >> +++ b/examples/apparmor/libvirt-qemu
> >> >>  <at>  <at>  -1,4 +1,4  <at>  <at> 
> >> >> -# Last Modified: Mon Apr  5 15:11:27 2010
> >> >> +# Last Modified: Fri Mar 9 14:43:22 2012
> >> >>
> >> >>    #include <abstractions/base>
> >> >>    #include <abstractions/consoles>

rmarwah | 26 Jul 2012 16:30

Re: [libvirt] [Patch v2 3/3] apparmor: QEMU bridge helper policy updates


Quoting Jamie Strandboge <jamie <at> canonical.com>:

> On Mon, 2012-07-09 at 10:22 -0400, rmarwah <at> linux.vnet.ibm.com wrote:
>> Quoting Jamie Strandboge <jamie <at> canonical.com>:
>>
>> > On Tue, 2012-07-03 at 12:05 -0400, rmarwah <at> linux.vnet.ibm.com wrote:
>> >> Quoting Jamie Strandboge <jamie <at> canonical.com>:
>> >>
>> >> > On Fri, 2012-06-29 at 14:08 -0400, rmarwah <at> linux.vnet.ibm.com wrote:
>> >> >> From: Richa Marwaha <rmarwah <at> linux.vnet.ibm.com>
>> >> >>
>> >> >> This patch provides AppArmor policy updates for the QEMU  
>> bridge helper.
>> >> >> The QEMU bridge helper is a SUID executable exec'd by QEMU that drops
>> >> >> capabilities to CAP_NET_ADMIN and adds a tap device to a  
>> network bridge.
>> >> >>
>> >> >> Signed-off-by: Richa Marwaha <rmarwah <at> linux.vnet.ibm.com>
>> >> >> Signed-off-by: Corey Bryant<coreyb <at> linux.vnet.ibm.com>
>> >> >> ---
>> >> >>  examples/apparmor/libvirt-qemu |   21 ++++++++++++++++++++-
>> >> >>  1 files changed, 20 insertions(+), 1 deletions(-)
>> >> >>
>> >> >> diff --git a/examples/apparmor/libvirt-qemu
>> >> b/examples/apparmor/libvirt-qemu
>> >> >> index 10cdd36..766a334 100644
>> >> >> --- a/examples/apparmor/libvirt-qemu
>> >> >> +++ b/examples/apparmor/libvirt-qemu
>> >> >>  <at>  <at>  -1,4 +1,4  <at>  <at> 

Corey Bryant | 27 Jul 2012 05:54

Re: [libvirt] [Patch v2 3/3] apparmor: QEMU bridge helper policy updates


On 07/26/2012 10:30 AM, rmarwah <at> linux.vnet.ibm.com wrote:
>
> Quoting Jamie Strandboge <jamie <at> canonical.com>:
>
>> On Mon, 2012-07-09 at 10:22 -0400, rmarwah <at> linux.vnet.ibm.com wrote:
>>> Quoting Jamie Strandboge <jamie <at> canonical.com>:
>>>
>>> > On Tue, 2012-07-03 at 12:05 -0400, rmarwah <at> linux.vnet.ibm.com wrote:
>>> >> Quoting Jamie Strandboge <jamie <at> canonical.com>:
>>> >>
>>> >> > On Fri, 2012-06-29 at 14:08 -0400, rmarwah <at> linux.vnet.ibm.com
>>> wrote:
>>> >> >> From: Richa Marwaha <rmarwah <at> linux.vnet.ibm.com>
>>> >> >>
>>> >> >> This patch provides AppArmor policy updates for the QEMU bridge
>>> helper.
>>> >> >> The QEMU bridge helper is a SUID executable exec'd by QEMU that
>>> drops
>>> >> >> capabilities to CAP_NET_ADMIN and adds a tap device to a
>>> network bridge.
>>> >> >>
>>> >> >> Signed-off-by: Richa Marwaha <rmarwah <at> linux.vnet.ibm.com>
>>> >> >> Signed-off-by: Corey Bryant<coreyb <at> linux.vnet.ibm.com>
>>> >> >> ---
>>> >> >>  examples/apparmor/libvirt-qemu |   21 ++++++++++++++++++++-
>>> >> >>  1 files changed, 20 insertions(+), 1 deletions(-)
>>> >> >>
>>> >> >> diff --git a/examples/apparmor/libvirt-qemu
>>> >> b/examples/apparmor/libvirt-qemu

rmarwah | 27 Jul 2012 17:07

Re: [libvirt] [Patch v2 3/3] apparmor: QEMU bridge helper policy updates


Quoting Corey Bryant <coreyb <at> linux.vnet.ibm.com>:

> On 07/26/2012 10:30 AM, rmarwah <at> linux.vnet.ibm.com wrote:
>>
>> Quoting Jamie Strandboge <jamie <at> canonical.com>:
>>
>>> On Mon, 2012-07-09 at 10:22 -0400, rmarwah <at> linux.vnet.ibm.com wrote:
>>>> Quoting Jamie Strandboge <jamie <at> canonical.com>:
>>>>
>>>>> On Tue, 2012-07-03 at 12:05 -0400, rmarwah <at> linux.vnet.ibm.com wrote:
>>>>>> Quoting Jamie Strandboge <jamie <at> canonical.com>:
>>>>>>
>>>>>> > On Fri, 2012-06-29 at 14:08 -0400, rmarwah <at> linux.vnet.ibm.com
>>>> wrote:
>>>>>> >> From: Richa Marwaha <rmarwah <at> linux.vnet.ibm.com>
>>>>>> >>
>>>>>> >> This patch provides AppArmor policy updates for the QEMU bridge
>>>> helper.
>>>>>> >> The QEMU bridge helper is a SUID executable exec'd by QEMU that
>>>> drops
>>>>>> >> capabilities to CAP_NET_ADMIN and adds a tap device to a
>>>> network bridge.
>>>>>> >>
>>>>>> >> Signed-off-by: Richa Marwaha <rmarwah <at> linux.vnet.ibm.com>
>>>>>> >> Signed-off-by: Corey Bryant<coreyb <at> linux.vnet.ibm.com>
>>>>>> >> ---
>>>>>> >>  examples/apparmor/libvirt-qemu |   21 ++++++++++++++++++++-
>>>>>> >>  1 files changed, 20 insertions(+), 1 deletions(-)
>>>>>> >>

Laine Stump | 27 Jul 2012 22:00

Re: [libvirt] [Patch v2 3/3] apparmor: QEMU bridge helper policy updates

On 07/26/2012 11:54 PM, Corey Bryant wrote:
> On 07/26/2012 10:30 AM, rmarwah <at> linux.vnet.ibm.com wrote:
>> Quoting Jamie Strandboge <jamie <at> canonical.com>:
>>> On Mon, 2012-07-09 at 10:22 -0400, rmarwah <at> linux.vnet.ibm.com wrote:
>>>> Quoting Jamie Strandboge <jamie <at> canonical.com>:
>>>>
>>>> > On Tue, 2012-07-03 at 12:05 -0400, rmarwah <at> linux.vnet.ibm.com wrote:
>>>> >> Quoting Jamie Strandboge <jamie <at> canonical.com>:
>>>> >>
>>>> >> > On Fri, 2012-06-29 at 14:08 -0400, rmarwah <at> linux.vnet.ibm.com
>>>> wrote:
>>>> >> >> From: Richa Marwaha <rmarwah <at> linux.vnet.ibm.com>
>>>> >> >>
>>>> >> >> This patch provides AppArmor policy updates for the QEMU bridge
>>>> helper.
>>>> >> >> The QEMU bridge helper is a SUID executable exec'd by QEMU that
>>>> drops
>>>> >> >> capabilities to CAP_NET_ADMIN and adds a tap device to a
>>>> network bridge.
>>>> >> >>
>>>> >> >> Signed-off-by: Richa Marwaha <rmarwah <at> linux.vnet.ibm.com>
>>>> >> >> Signed-off-by: Corey Bryant<coreyb <at> linux.vnet.ibm.com>
>>>> >> >> ---
>>>> >> >>  examples/apparmor/libvirt-qemu |   21 ++++++++++++++++++++-
>>>> >> >>  1 files changed, 20 insertions(+), 1 deletions(-)
>>>> >> >>
>>>> >> >> diff --git a/examples/apparmor/libvirt-qemu
>>>> >> b/examples/apparmor/libvirt-qemu
>>>> >> >> index 10cdd36..766a334 100644
>>>> >> >> --- a/examples/apparmor/libvirt-qemu

Jim Fehlig | 31 Jul 2012 02:33

Re: [libvirt] [Patch v2 3/3] apparmor: QEMU bridge helper policy updates

Laine Stump wrote:
> The way that I think the problem should be solved is this:
>
> 1) All of the network-related functionality in the system instance of
> libvirt that is used by the qemu, lxc, etc. drivers internal to libvirt
> (including the nwfilter subsystem, and everything in bridge_driver.c)
> should be in a separate daemon from libvirtd, and made available via RPC
> with a public API that uses policykit for authorization/authentication,
> with separate selinux policies from libvirtd; maybe call it
> "libvirt-networkd".
>
> 2) When the system instance of libvirtd is creating a domain, it should
> call to libvirt-networkd via this API to do things like create a tap
> device, connect it to a bridge, add nwfilter rules, etc.
>
> 3) likewise, when a session (unprivileged) instance of libvirt is
> creating a domain, it also should call the same APIs, which (after
> proper authentication/authorization via policykit) will connect it to
> the privileged libvirt-networkd (or whatever its called) to perform the
> operation.
>   

I wonder if the quantum project [1], which IIUC provides a lot of the
functionality you describe, could be used as "libvirtd-networkd".

Regards,
Jim

[1] https://github.com/openstack/quantum


Daniel P. Berrange | 31 Jul 2012 11:17

Re: [libvirt] [Patch v2 3/3] apparmor: QEMU bridge helper policy updates

On Mon, Jul 30, 2012 at 06:33:54PM -0600, Jim Fehlig wrote:
> Laine Stump wrote:
> > The way that I think the problem should be solved is this:
> >
> > 1) All of the network-related functionality in the system instance of
> > libvirt that is used by the qemu, lxc, etc. drivers internal to libvirt
> > (including the nwfilter subsystem, and everything in bridge_driver.c)
> > should be in a separate daemon from libvirtd, and made available via RPC
> > with a public API that uses policykit for authorization/authentication,
> > with separate selinux policies from libvirtd; maybe call it
> > "libvirt-networkd".
> >
> > 2) When the system instance of libvirtd is creating a domain, it should
> > call to libvirt-networkd via this API to do things like create a tap
> > device, connect it to a bridge, add nwfilter rules, etc.
> >
> > 3) likewise, when a session (unprivileged) instance of libvirt is
> > creating a domain, it also should call the same APIs, which (after
> > proper authentication/authorization via policykit) will connect it to
> > the privileged libvirt-networkd (or whatever its called) to perform the
> > operation.
> >   
> 
> I wonder if the quantum project [1], which IIUC provides a lot of the
> functionality you describe, could be used as "libvirtd-networkd".

Not as long as it's a big mass of python. On the contrary, Quantum could
use libvirt's APIs.

Daniel

Corey Bryant | 31 Jul 2012 17:26

Re: [libvirt] [Patch v2 3/3] apparmor: QEMU bridge helper policy updates


On 07/27/2012 04:00 PM, Laine Stump wrote:
> On 07/26/2012 11:54 PM, Corey Bryant wrote:
>> On 07/26/2012 10:30 AM, rmarwah <at> linux.vnet.ibm.com wrote:
>>> Quoting Jamie Strandboge <jamie <at> canonical.com>:
>>>> On Mon, 2012-07-09 at 10:22 -0400, rmarwah <at> linux.vnet.ibm.com wrote:
>>>>> Quoting Jamie Strandboge <jamie <at> canonical.com>:
>>>>>
>>>>>> On Tue, 2012-07-03 at 12:05 -0400, rmarwah <at> linux.vnet.ibm.com wrote:
>>>>>>> Quoting Jamie Strandboge <jamie <at> canonical.com>:
>>>>>>>
>>>>>>>> On Fri, 2012-06-29 at 14:08 -0400, rmarwah <at> linux.vnet.ibm.com
>>>>> wrote:
>>>>>>>>> From: Richa Marwaha <rmarwah <at> linux.vnet.ibm.com>
>>>>>>>>>
>>>>>>>>> This patch provides AppArmor policy updates for the QEMU bridge
>>>>> helper.
>>>>>>>>> The QEMU bridge helper is a SUID executable exec'd by QEMU that
>>>>> drops
>>>>>>>>> capabilities to CAP_NET_ADMIN and adds a tap device to a
>>>>> network bridge.
>>>>>>>>>
>>>>>>>>> Signed-off-by: Richa Marwaha <rmarwah <at> linux.vnet.ibm.com>
>>>>>>>>> Signed-off-by: Corey Bryant<coreyb <at> linux.vnet.ibm.com>
>>>>>>>>> ---
>>>>>>>>>   examples/apparmor/libvirt-qemu |   21 ++++++++++++++++++++-
>>>>>>>>>   1 files changed, 20 insertions(+), 1 deletions(-)
>>>>>>>>>
>>>>>>>>> diff --git a/examples/apparmor/libvirt-qemu
>>>>>>> b/examples/apparmor/libvirt-qemu

Daniel P. Berrange | 31 Jul 2012 18:06

Re: [libvirt] [Patch v2 3/3] apparmor: QEMU bridge helper policy updates

On Tue, Jul 31, 2012 at 11:26:05AM -0400, Corey Bryant wrote:
> 
> 
> At this point I wonder if we might be able to get away with no XML
> modifications since we know that we only want to attempt to run the
> helper when libvirt is running unprivileged.

I certainly don't expect there to be any changes to the XML for the
purposes of supporting this QEMU bridge helper proxy. It should be
automatically used when type=bridge or type=network on the
<interface>, as a private implementation detail of libvirt not
exposed to applications in the XML. When libvirt changes to
separate its network setup code out of libvirtd, then we will be able
to transparently stop using the proxy helper.

Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|

Laine Stump | 31 Jul 2012 18:57

Re: [libvirt] [Patch v2 3/3] apparmor: QEMU bridge helper policy updates

On 07/31/2012 12:06 PM, Daniel P. Berrange wrote:
> On Tue, Jul 31, 2012 at 11:26:05AM -0400, Corey Bryant wrote:
>>
>> At this point I wonder if we might be able to get away with no XML
>> modifications since we know that we only want to attempt to run the
>> helper when libvirt is running unprivileged.
> I certainly don't expect there to be any changes to the XML for the
> purposes of supporting this QEMU bridge helper proxy. It should be
> automatically used when type=bridge or type=network on the
> <interface>, as a private implementation detail of libvirt not
> exposed to applications in the XML. When libvirt changes to
> separate its network setup code out of libvirtd, then we will be able
> to transparently stop using the proxy helper.

I would greatly prefer that as well, as long as nobody is bothered by
the potential upgrade problem I outlined in my previous mail - if there
is config required outside libvirt to enable particular users to use the
qemu helper, and if there is also extra config required to enable the
capability for users when libvirt no longer requires the qemu helper,
there could be cases where a working config would cease to work (until
extra measures were taken) after an upgrade.

If that situation is acceptable, then I also agree that no XML
modifications is much better.
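
The per-bridge ACL is the piece of configuration that lives outside libvirt in this design: QEMU's helper consults a bridge.conf file (by default under /etc/qemu) before it will attach an unprivileged guest's tap device to a bridge, which is both the gate behind the session-URI scenario in the cover letter and the kind of out-of-tree setup Laine's upgrade concern above refers to. The following C program is an added example, not code from these patches, from libvirt or from QEMU: it re-implements that ACL evaluation for illustration, assuming the semantics I understand qemu-bridge-helper to use (all rules are evaluated, a matching deny overrides any allow, include splices in another file, an empty or missing ACL denies everything, and an unparsable ACL fails closed). The file names and contents are constructed in memory so the program runs offline; the lookup() function stands in for reading those files from disk.

```c
/* Added example, not code from the libvirt patches or from QEMU: an
 * illustrative re-implementation of a bridge.conf-style ACL gate. Assumed
 * semantics (qemu-bridge-helper's bridge.conf as I understand it): every rule
 * is evaluated, a matching "deny" beats any "allow", "include" splices in
 * another file, and an empty ACL denies everything. All file names and
 * contents below are constructed for the example. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

enum rule_type { ALLOW_ALL, ALLOW, DENY_ALL, DENY };
struct rule { enum rule_type type; char iface[16]; };
struct acl  { struct rule rules[64]; int count; };

/* Constructed stand-ins for the ACL files the helper would read from disk. */
struct vfile { const char *name; const char *text; };
static const struct vfile FILES[] = {
    { "/etc/qemu/bridge.conf",
      "# constructed main ACL\n"
      "allow br0\n"
      "include /etc/qemu/bridge.d/ops.conf\n"
      "deny br-mgmt\n" },
    { "/etc/qemu/bridge.d/ops.conf", "allow br-mgmt\nallow br1\n" },
    { "/etc/qemu/bad.conf", "permit br0\n" },        /* unknown command */
};

static const char *lookup(const char *name)
{
    for (size_t i = 0; i < sizeof(FILES) / sizeof(FILES[0]); i++)
        if (strcmp(FILES[i].name, name) == 0) return FILES[i].text;
    return NULL;
}

/* Parse one ACL file into acl. Returns -1 on a malformed or unknown line so a
 * typo in the policy fails closed instead of being skipped; a missing include
 * file contributes no rules, and include depth is bounded to stop loops. */
static int parse_acl(struct acl *acl, const char *name, int depth)
{
    const char *p = lookup(name);
    if (p == NULL) return 0;
    if (depth > 8) return -1;
    char line[256];
    while (*p) {
        size_t len = strcspn(p, "\n");
        if (len >= sizeof(line)) return -1;
        memcpy(line, p, len);
        line[len] = '\0';
        p += len + (p[len] == '\n');
        char *cmd = line, *arg, *end;
        while (isspace((unsigned char)*cmd)) cmd++;
        if (*cmd == '#' || *cmd == '\0') continue;        /* comment or blank */
        for (arg = cmd; *arg && !isspace((unsigned char)*arg); arg++) ;
        if (*arg == '\0') return -1;                      /* missing argument */
        *arg++ = '\0';
        while (isspace((unsigned char)*arg)) arg++;
        for (end = arg + strlen(arg); end > arg && isspace((unsigned char)end[-1]); )
            *--end = '\0';                                /* trim trailing space */
        if (strcmp(cmd, "include") == 0) {
            if (parse_acl(acl, arg, depth + 1)) return -1;
            continue;
        }
        int is_allow = strcmp(cmd, "allow") == 0, all = strcmp(arg, "all") == 0;
        if (!is_allow && strcmp(cmd, "deny") != 0) return -1; /* unknown command */
        if (acl->count >= 64) return -1;
        struct rule *r = &acl->rules[acl->count++];
        r->type = is_allow ? (all ? ALLOW_ALL : ALLOW) : (all ? DENY_ALL : DENY);
        snprintf(r->iface, sizeof(r->iface), "%s", all ? "" : arg);
    }
    return 0;
}

/* Default deny: needs at least one matching allow and no matching deny. */
int acl_permits(const struct acl *acl, const char *bridge)
{
    int allowed = 0, denied = 0;
    for (int i = 0; i < acl->count; i++) {
        enum rule_type t = acl->rules[i].type;
        int match = strcmp(bridge, acl->rules[i].iface) == 0;
        if (t == ALLOW_ALL || (t == ALLOW && match)) allowed = 1;
        if (t == DENY_ALL || (t == DENY && match)) denied = 1;
    }
    return allowed && !denied;
}

/* 1 = bridge may be used, 0 = denied, -1 = ACL unparsable (fail closed). */
int bridge_permitted(const char *conf, const char *bridge)
{
    struct acl acl = { .count = 0 };
    if (parse_acl(&acl, conf, 0)) return -1;
    return acl_permits(&acl, bridge);
}

int main(void)
{
    const char *b[] = { "br0", "br1", "br-mgmt", "br2" };
    for (int i = 0; i < 4; i++)
        printf("%-8s %d\n", b[i], bridge_permitted("/etc/qemu/bridge.conf", b[i]));
    return 0;
}
```

The constructed policy shows the interaction that catches operators: br-mgmt is allowed by the included drop-in but denied by the main file, and deny wins regardless of rule order, while br2, mentioned nowhere, is denied by default. The same evaluation is what a session-mode libvirt user is relying on when the helper refuses or accepts a bridge, which is why a stray `deny all` in an included file, or an ACL with a typo, shuts the whole path down and needs to be checked before (and after) the kind of upgrade Laine describes.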

rmarwah | 31 Jul 2012 17:11

Re: [libvirt] [Patch v2 3/3] apparmor: QEMU bridge helper policy updates


Quoting Jamie Strandboge <jamie <at> canonical.com>:

> On Mon, 2012-07-09 at 10:22 -0400, rmarwah <at> linux.vnet.ibm.com wrote:
>> Quoting Jamie Strandboge <jamie <at> canonical.com>:
>>
>> > On Tue, 2012-07-03 at 12:05 -0400, rmarwah <at> linux.vnet.ibm.com wrote:
>> >> Quoting Jamie Strandboge <jamie <at> canonical.com>:
>> >>
>> >> > On Fri, 2012-06-29 at 14:08 -0400, rmarwah <at> linux.vnet.ibm.com wrote:
>> >> >> From: Richa Marwaha <rmarwah <at> linux.vnet.ibm.com>
>> >> >>
>> >> >> This patch provides AppArmor policy updates for the QEMU  
>> bridge helper.
>> >> >> The QEMU bridge helper is a SUID executable exec'd by QEMU that drops
>> >> >> capabilities to CAP_NET_ADMIN and adds a tap device to a  
>> network bridge.
>> >> >>
>> >> >> Signed-off-by: Richa Marwaha <rmarwah <at> linux.vnet.ibm.com>
>> >> >> Signed-off-by: Corey Bryant<coreyb <at> linux.vnet.ibm.com>
>> >> >> ---
>> >> >>  examples/apparmor/libvirt-qemu |   21 ++++++++++++++++++++-
>> >> >>  1 files changed, 20 insertions(+), 1 deletions(-)
>> >> >>
>> >> >> diff --git a/examples/apparmor/libvirt-qemu
>> >> b/examples/apparmor/libvirt-qemu
>> >> >> index 10cdd36..766a334 100644
>> >> >> --- a/examples/apparmor/libvirt-qemu
>> >> >> +++ b/examples/apparmor/libvirt-qemu
>> >> >>  <at>  <at>  -1,4 +1,4  <at>  <at> 

rmarwah | 29 Jun 2012 20:08

[libvirt] [Patch v2 1/3] Add -netdev bridge capabilities

From: Richa Marwaha <rmarwah <at> linux.vnet.ibm.com>

This patch adds the capability in libvirt to check if
-netdev bridge option is supported or not.

Signed-off-by: Richa Marwaha <rmarwah <at> linux.vnet.ibm.com>
Signed-off-by: Corey Bryant<coreyb <at> linux.vnet.ibm.com>
---
v2
-This is a new patch that helps libvirt to check if -netdev bridge
option is supported in the qemu version that is being used to run
the guest. In v1 we did not have the capability to check if qemu
version we are using supported -netdev bridge or not.

 src/qemu/qemu_capabilities.c |   13 +++++++++----
 src/qemu/qemu_capabilities.h |    1 +
 2 files changed, 10 insertions(+), 4 deletions(-)

diff --git a/src/qemu/qemu_capabilities.c b/src/qemu/qemu_capabilities.c
index 1e12a39..b2d7be2 100644
--- a/src/qemu/qemu_capabilities.c
+++ b/src/qemu/qemu_capabilities.c
 <at>  <at>  -166,6 +166,7  <at>  <at>  VIR_ENUM_IMPL(qemuCaps, QEMU_CAPS_LAST,
               "hda-micro", /* 95 */
               "dump-guest-memory",
               "nec-usb-xhci",
+              "bridge",

     );
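Review bot: The new string "bridge" is appended at the tail of the VIR_ENUM_IMPL list, which is positional: it has to land at exactly the same index as the new QEMU_CAPS_* enumerator added in src/qemu/qemu_capabilities.h (the 1-line change in the diffstat), or every later capability silently shifts. Please double-check that pairing, and consider a more specific name such as "netdev-bridge", since "bridge" in a capability list reads as a generic bridge feature rather than the -netdev bridge backend this patch detects.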


Michal Privoznik | 4 Jul 2012 17:37

Re: [libvirt] [Patch v2 1/3] Add -netdev bridge capabilities

On 29.06.2012 20:08, rmarwah <at> linux.vnet.ibm.com wrote:
> From: Richa Marwaha <rmarwah <at> linux.vnet.ibm.com>
> 
> This patch adds the capability in libvirt to check if
> -netdev bridge option is supported or not.
> 
> Signed-off-by: Richa Marwaha <rmarwah <at> linux.vnet.ibm.com>
> Signed-off-by: Corey Bryant<coreyb <at> linux.vnet.ibm.com>
> ---
> v2
> -This is a new patch that helps libvirt to check if -netdev bridge
> option is supported in the qemu version that is being used to run
> the guest. In v1 we did not have the capability to check if qemu
> version we are using supported -netdev bridge or not.
> 
>  src/qemu/qemu_capabilities.c |   13 +++++++++----
>  src/qemu/qemu_capabilities.h |    1 +
>  2 files changed, 10 insertions(+), 4 deletions(-)
> 
> diff --git a/src/qemu/qemu_capabilities.c b/src/qemu/qemu_capabilities.c
> index 1e12a39..b2d7be2 100644
> --- a/src/qemu/qemu_capabilities.c
> +++ b/src/qemu/qemu_capabilities.c
>  <at>  <at>  -166,6 +166,7  <at>  <at>  VIR_ENUM_IMPL(qemuCaps, QEMU_CAPS_LAST,
>                "hda-micro", /* 95 */
>                "dump-guest-memory",
>                "nec-usb-xhci",
> +              "bridge",
>  
>      );
