[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [libvirt] [PATCH 3/5] qemu_conf: add new configuration key bridge_helper



On 04/18/2013 11:35 AM, Laine Stump wrote:

>> +# Path to the setuid helper for creating tap devices.  This executable
>> +# is used to create <source type='bridge'> interfaces when libvirtd is
>> +# running unprivileged.  libvirt invokes the helper directly, instead
>> +# of using "-netdev bridge", for security reasons.
>> +#bridge_helper = "/usr/libexec/qemu-bridge-helper"
>> +
>> +
> 
> Are we sure we want to allow this to be configured? That could lead to
> some "interesting" troubleshooting incidents :-)

About the only time it would be configured is if qemu is installed in an
alternate location.

> 
> On the other hand, I guess the path to qemu itself is right there in the
> domain config file, so how much worse could this be...

Yeah, sometimes we've got to just trust the user to not be insane.

> 
> ACK. (But I'd like at least one other ACK from someone else due to the
> fact that this is polluting the config namespace with something we would
> like to eventually eliminate.)

Even if we add a way for libvirt to get the tap device without depending
on qemu's helper program, we'll have to leave the config item present
(so we don't reject an older .conf file as invalid), but we can then
ignore the entry at that point.  I can live with this change going in,
so I agree with your ACK, and have pushed it.

-- 
Eric Blake   eblake redhat com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org

Attachment: signature.asc
Description: OpenPGP digital signature


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]