Re: KVM networking.
Sthu Deus (firstname.lastname@example.org on 2011-11-07 02:18 +0700):
> I try to run KVM network w/o under normal user w/ the following
> /usr/bin/kvm -localtime -m 256 -no-reboot
> -cdrom ./debian-220.127.116.11-amd64-netinst/debian-18.104.22.168-amd64-netinst.iso
> -boot d -hda ./da -net nic -net tap,ifname=tap0,script=no
> kvm: -net tap,ifname=tap0,script=no: could not configure /dev/net/tun
> (tap0): Operation not permitted
Apparently, you need root access to create tap interfaces regardless
of the permissions on the tap device. I have it on good authority
(http://bugs.debian.org/630701#10) that the preferred way is to
precreate the tapX interfaces in /etc/network/interfaces.
But if you are like me and you manage multiple virtual machines and you
stubbornly insist on using dynamic tap interfaces, you can work around
this by setting the CAP_NET_ADMIN capability on kvm:

    # setcap cap_net_admin+ep /usr/bin/kvm

However, there are two problems with this:
- every time dpkg upgrades qemu, the capability gets reset
- this is INSECURE, because you're now granting all your users full
access to your network interfaces. Only do this if you trust your
The KVM/tap networking documentation seems scattered across the 'net,
most of it is incomplete and sometimes contradictory. If someone has
a pointer to The Definitive Guide(tm), I'd be interested to read it.
> user ALL = /sbin/ifconfig *, /sbin/ifup br0, /sbin/ifdown
> br0, /sbin/ip *, /sbin/brctl *, /sbin/tunctl *
If you precreate the tap interface, you won't need these...
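
A defender-side check for the setcap workaround discussed in the message above, added here as an example and not part of the original post: it reads `getcap -r` output and lists the binaries that hand CAP_NET_ADMIN to whoever executes them. The function names and sample lines are constructed, and the two getcap output styles shown in the comments are assumed.

```shell
#!/bin/sh
# Added example, not from the original message.
# Real use: getcap -r /usr/bin 2>/dev/null | net_admin_files

# Constructed sample covering both getcap output styles:
#   older libcap: "path = caps"     newer libcap: "path caps"
sample_getcap_output() {
    cat <<'EOF'
/usr/bin/kvm = cap_net_admin+ep
/usr/bin/ping cap_net_raw=ep
/opt/vm tools/qemu-kvm cap_net_admin,cap_net_raw=ep
/usr/sbin/helper = cap_net_admin+i
EOF
}

# net_admin_files: read getcap-style lines on stdin and print every path
# whose file capabilities put cap_net_admin in the permitted set, i.e. any
# user allowed to execute the file gains it. Inheritable-only entries are
# skipped. Only simple clauses ("names+flags" or "names=flags") are parsed.
net_admin_files() {
    awk '
    {
        # Capability text begins at the first " cap_..." token, optionally
        # preceded by "= "; everything before it is the path (may hold spaces).
        if (!match($0, /[ \t]+(=[ \t]+)?cap_[a-z0-9_,]+[+=][eip]+/)) next
        path = substr($0, 1, RSTART - 1)
        caps = substr($0, RSTART)
        sub(/^[ \t]+(=[ \t]+)?/, "", caps)
        n = split(caps, clause, /[ \t]+/)
        for (i = 1; i <= n; i++) {
            if (!match(clause[i], /[+=][eip]+$/)) continue
            names = "," substr(clause[i], 1, RSTART - 1) ","
            flags = substr(clause[i], RSTART + 1)
            if (index(names, ",cap_net_admin,") && index(flags, "p")) {
                print path
                break
            }
        }
    }'
}

# Demo on the constructed sample.
sample_getcap_output | net_admin_files
```

Running it before and after a package upgrade also shows whether the capability was reset on the kvm binary.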