Re: KVM networking.



Sthu Deus (sthu.deus@gmail.com on 2011-11-08 14:44 +0700):
> 
> >> /usr/bin/kvm -localtime -m 256 -no-reboot
> >> -cdrom ./debian-6.0.2.1-amd64-netinst/debian-6.0.2.1-amd64-netinst.iso
> >> -boot d -hda ./da -net nic -net tap,ifname=tap0,script=no
> >> 
> >> kvm: -net tap,ifname=tap0,script=no: could not
> >> configure /dev/net/tun (tap0): Operation not permitted
> >
[..]
> >But if you are like me and you manage multiple virtual machines and
> >you stubbornly insist on using dynamic tap interfaces, you can work
> >around this by setting the CAP_NET_ADMIN capability on kvm:
> ># setcap cap_net_admin+ep /usr/bin/kvm
> 
> I want to make it secure and update independent; let's look, maybe someone
> on the list will share his/her knowledge w/ us - I do not believe all
> who use the standard VM-ing make such workarounds.
> 
Yes, I agree my solution is suboptimal, but it's the best I could do.
Eagerly awaiting input... :)


> In the KVM manual
> it is clearly written what to do in every case the network one would
> use - just a workstation Internet access, bridges (private/public),
> and tapped w/ latter routing for the interface.
> 
> For me it does not work for the following reasons:
> 
> 1. The bridges take the Internet connections for themselves - thus leaving
> the host apps w/o Internet access, probably routing is needed here - but
> they do not make any specifications for that.
> 
That sounds weird. What does brctl show? A default setup with these two
lines should already work fine:

iface br0 inet dhcp
	bridge_ports eth0

Just remember to leave eth0 unconfigured...

> 2. As a workstation - it does not provide access from host to the
> guest.
> 
You mean networking access? I've never needed it, but it should work
once your host apps have networking access... (just tested: ping
between host and vm works fine for me).

> 3. W/ tap - You have seen already the problem - some permission problem
> unknown to me - do You know why it is so?
> 
I can make a guess:

$ ls -l /dev/net/tun
crw-rw---- 1 root kvm 10, 200 Nov  9 21:36 tun
$ groups
aschuring users kvm [..]
$ /usr/sbin/tunctl -b
TUNSETIFF: Operation not permitted
$ sudo setcap cap_net_admin+ep /usr/sbin/tunctl
$ /usr/sbin/tunctl -b
tap0


> Or maybe You have an idea
> which other command I have to add to the sudoers file for the user, or some
> other way for root to specify the interface parameters that the user has
> to use the interface w/?
>
Yes. You can just add tunctl to your list of sudo commands, and use the
output of ifname=$(sudo tunctl -b -u $(whoami)) on the kvm command
line. Alternatively, set the cap_net_admin capability on tunctl and you
won't need sudo (but still upgrade-unsafe)...

This way, kvm will not need to create the interface and you won't run
into permission problems.


Regards,
Arno
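The thread turns on two separate checks: whether the user can open /dev/net/tun at all (device mode and the kvm group), and whether the binary that then issues TUNSETIFF carries CAP_NET_ADMIN. Arno's setcap workaround makes the second one true but is silently undone by the next package upgrade, which is why it is worth being able to audit both from a script. The following is an added example, not code from the thread or from any Debian package; it works on constructed copies of the `ls -l`, `groups` and `getcap -r` output so it runs offline, and the variables named `*_SAMPLE` are the places where real command output would be substituted.

```shell
#!/bin/sh
# Audit helpers for the tun/tap permission question in the thread.
# All input is constructed sample text so this runs offline; on a live host
# feed in "$(ls -l /dev/net/tun)", "$(groups)" and "$(getcap -r /usr/bin /usr/sbin 2>/dev/null)".

# Constructed sample: the `ls -l /dev/net/tun` line quoted in the thread.
TUN_LS_SAMPLE='crw-rw---- 1 root kvm 10, 200 Nov  9 21:36 tun'

# Constructed sample: `groups` output for the user in the thread.
GROUPS_SAMPLE='aschuring users kvm'

# Constructed sample in old libcap `getcap -r` format ("path = caps").
# The two cap_net_admin entries are the hand-set workarounds from the thread;
# the ping entry is a normal distro-set capability and must not be reported.
CAPS_SAMPLE='/usr/bin/kvm = cap_net_admin+ep
/usr/sbin/tunctl = cap_net_admin+ep
/usr/bin/ping = cap_net_raw+ep'

# tun_group LS_LINE: print the owning group of the device node.
tun_group() {
    printf '%s\n' "$1" | awk '{ print $4 }'
}

# tun_group_writable LS_LINE: succeed if the group triplet (mode chars 5-7)
# contains 'w', i.e. members of the owning group may open the node read-write.
tun_group_writable() {
    mode=$(printf '%s\n' "$1" | awk '{ print $1 }')
    case $(printf '%s' "$mode" | cut -c5-7) in
        *w*) return 0 ;;
        *)   return 1 ;;
    esac
}

# user_in_group GROUP GROUPS_OUTPUT: succeed if GROUP appears in `groups` output.
user_in_group() {
    want=$1
    for g in $2; do
        [ "$g" = "$want" ] && return 0
    done
    return 1
}

# can_open_tun LS_LINE GROUPS_OUTPUT: succeed if the user can open /dev/net/tun.
# Opening is only step one: creating tap0 still needs CAP_NET_ADMIN, so when this
# succeeds and tunctl/kvm still report "Operation not permitted", the missing piece
# is the capability (the TUNSETIFF failure in the thread), not the device node.
can_open_tun() {
    tun_group_writable "$1" && user_in_group "$(tun_group "$1")" "$2"
}

# find_net_admin_caps GETCAP_OUTPUT: print the paths of binaries carrying
# cap_net_admin, one per line. Handles both the old "path = caps" and the newer
# "path caps" getcap formats, since $1 is the path in either case. Keep this
# inventory so a package upgrade that strips the capability is noticed rather
# than discovered when the VM fails to start.
find_net_admin_caps() {
    printf '%s\n' "$1" | awk '/cap_net_admin/ { print $1 }'
}

# Stand-alone run: report on the constructed samples.
if can_open_tun "$TUN_LS_SAMPLE" "$GROUPS_SAMPLE"; then
    echo "user can open /dev/net/tun (group $(tun_group "$TUN_LS_SAMPLE"))"
else
    echo "user cannot open /dev/net/tun; check device mode and group membership"
fi
echo "binaries with cap_net_admin set:"
find_net_admin_caps "$CAPS_SAMPLE"
```

On a real host, the second function's output is the list of files to re-check after every `apt-get upgrade` that touches qemu-kvm or uml-utilities; the sudo-based `tunctl -u` route from the thread avoids that maintenance because it leaves the binaries unmodified.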
