Avi Kivity wrote:
On 11/08/2009 12:11 AM, Anthony Liguori wrote:
You don't need root privileges to use a tap device.
You can access a preconfigured tap device but you cannot allocate a
tap device and connect it to a bridge without CAP_NET_ADMIN.
btw, shouldn't we, in the general case,
Anthony Liguori wrote:
Let's not kid ourselves, no matter what we do we're giving a user
elevated privileges. Even with NAT, if the host can access the NAT'ed
network, then you can run a privileged service (like NFS) in that
network.
I don't see how outgoing NAT (SNAT), where the guest
Jamie Lokier wrote:
Anthony Liguori wrote:
Let's not kid ourselves, no matter what we do we're giving a user
elevated privileges. Even with NAT, if the host can access the NAT'ed
network, then you can run a privileged service (like NFS) in that
network.
I don't see how outgoing NAT
Anthony Liguori wrote:
You are correct except that I qualified this as NAT with host access
which so far is the common model. If the host can access the NAT'd
network behind the NAT, then port privileges are important.
You're right.
This is why QEMU guests should be run inside an LXC
On 11/08/2009 12:11 AM, Anthony Liguori wrote:
You don't need root privileges to use a tap device.
You can access a preconfigured tap device but you cannot allocate a
tap device and connect it to a bridge without CAP_NET_ADMIN.
btw, shouldn't we, in the general case, create a bridge per
On Sunday 08 November 2009 08:27:41 Avi Kivity wrote:
On 11/08/2009 12:11 AM, Anthony Liguori wrote:
You don't need root privileges to use a tap device.
You can access a preconfigured tap device but you cannot allocate a
tap device and connect it to a bridge without CAP_NET_ADMIN.
On 11/08/2009 10:43 AM, Arnd Bergmann wrote:
btw, shouldn't we, in the general case, create a bridge per user and use
IP NAT? If we have a global bridge, users can spoof each other's MAC
addresses and interfere with their virtual machines. They can also
interfere with the real network.
That's
On Tue, 2009-11-03 at 18:28 -0600, Anthony Liguori wrote:
The most common use of -net tap is to connect a tap device to a bridge. This
requires the use of a script and running qemu as root in order to allocate a
tap device to pass to the script.
Does it?
Tap devices can be created (and
David Woodhouse wrote:
On Tue, 2009-11-03 at 18:28 -0600, Anthony Liguori wrote:
The most common use of -net tap is to connect a tap device to a bridge. This
requires the use of a script and running qemu as root in order to allocate a
tap device to pass to the script.
Does it?
Tap
Anthony Liguori wrote:
Avi Kivity wrote:
+int net_init_bridge(QemuOpts *opts, Monitor *mon, const char *name,
VLANState *vlan);
+
Don't we need to tear the interface down after shutdown?
net_init_bridge calls net_tap_fd_init which registers tap_cleanup. That
closes the fd and
Hello Anthony,
Now that I have read the whole series I say again great patch.
-Original Message-
From: qemu-devel-bounces+chris.krumme=windriver@nongnu.org
[mailto:qemu-devel-bounces+chris.krumme=windriver@nongnu.org] On Behalf Of Anthony Liguori
Sent: Tuesday, November
Krumme, Chris wrote:
Do you need to mention the default name qemubr0 here?
Good suggestion.
Regards,
Anthony Liguori