[Libvir] Re: Proposal: More script hooks for <interface type='ethernet'>

Charles Duffy charles at dyfis.net
Sun Feb 24 23:00:17 UTC 2008


Daniel P. Berrange wrote:
> Being able to specify a qemu-ifdown script is reasonable, since we already
> support an qemu-ifup script, but I don't want to just add that without 
> a clearer understanding of exactly what type of network config you are
> trying to achieve. So rather than describing a desired implementation can
> you describe the deployment scenario / level of network connectivity you're
> trying to provide.

I want similar behavior to <interface type='ethernet'/> with no tap 
device precreated, in a scenario where CAP_NET_ADMIN (not just write 
access to /dev/net/tun) is necessary to create new tap devices and kvm 
isn't running as root.

Is that an adequate description, or do I need to expand? I'm using my 
ifup script to select a bridge to connect to (and actually create that 
connection), and the ifdown script to clean up unused tap devices; these 
scripts use sudo where necessary. The problem, though, is that these 
scripts can't create the tap device themselves, so they can't use sudo 
for that.


So -- just a bridge (or, rather, a selection of one of a few bridges), 
but with the tap devices dynamically created in a situation where 
privilege escalation is necessary for that device creation.



