Re: [libvirt] [Patch v3 0/3] Add QEMU network helper support



libvir-list-bounces redhat com wrote on 08/06/2012 11:18:31 AM:

> From: Laine Stump <laine laine org>
> To: libvir-list redhat com
> Date: 08/06/2012 11:27 AM
> Subject: Re: [libvirt] [Patch v3 0/3] Add QEMU network helper support
> Sent by: libvir-list-bounces redhat com
>
> On 08/06/2012 10:56 AM, Michal Privoznik wrote:
> > On 03.08.2012 22:33, rmarwah linux vnet ibm com wrote:
> >> From: Richa Marwaha <rmarwah linux vnet ibm com>
> >>
> >> QEMU has a new feature which allows QEMU to execute under an
> >> unprivileged user ID and still be able to
> >> add a tap device to a Linux network bridge.
> >> [...]
> > So I've gone ahead, reviewed, ACKed and pushed the whole series.
> > I suggest it is worth adding some kind of documentation (either a wiki
> > page, or mention it somewhere in docs/ docs/drvqemu.html.in perhaps?) -
> > how to set up bridge-helper.
>
> Yes, it's a bit odd to figure out the right place to document it, since
> there is no setup done within libvirt - libvirt just silently takes
> advantage of it if it's there.
>
> By the way, I had earlier expressed concern about the eventuality that
> we support bridged networking for non-privileged users directly within
> libvirt (via a separate libvirt-networkd and policykit), and the case
> where someone had a working config using the qemu helper - I was worried
> that this person's setup might stop working as a result of the upgrade
> which changed to the newer method of setting up the network (e.g. if
> something needed to be configured to allow that user access via
> policykit, and hadn't been done yet). Since then I've realized that we
> can handle that problem by continuing to fall back to the qemu helper
> when this (for now mythical) new method fails. That removes my only
> concern about this series.
>
> Another issue though - a patch for AppArmor has been included, but I'm
> unclear of whether this needs something done for selinux (either in
> libvirt itself, or in selinux-policy). Does somebody have the updated
> qemu installed on a system with selinux enabled, and could you give it a
> try?


SELinux already has the policies to allow the qemu helper; here is the link to the patch adding the policies:

http://git.fedorahosted.org/cgit/selinux-policy.git/diff/?id=56e0a4b775f29ec13e6f887490ec9fbc6f9897f4

It will be upstream in Fedora.

Regards
Richa
