[Libvir] libvirt & vde_switch

Mark McLoughlin markmc at redhat.com
Tue Feb 5 08:21:13 UTC 2008


On Tue, 2008-02-05 at 00:25 +0000, Daniel P. Berrange wrote:

> The main problem I know of is not VDE itself, but the means of connecting
> a VDE network to the outside world - namely the SLIRP code. Last time it
> was examined it was found to be non-64-bit clean & have significant question
> around security. We wondered about whether it would be possible to have a
> privileged helper for creating tap devices which could be used to connect
> the VDE network to the outside world. Its possible, but the devil's in the
> details & how you constrain access to not conflict with host networking.

	Nice summary ... that's exactly it.

	The sound part of VDE is it's ability to behave as a userspace ethernet
bridge. The nasty part is its TCP/IP stack - which is equivalent to
"qemu -net user".

	The ideal situation would be to allow unprivileged processes use the
kernel network stack rather than implementing a whole new stack. We
knocked around some ideas on that front but didn't come to any concrete
conclusions.

Cheers,
Mark.




More information about the libvir-list mailing list