
Re: KVM networking.



Sthu Deus (sthu.deus@gmail.com on 2011-11-07 02:18 +0700):
> 
> I try to run KVM network w/o under normal user w/ the following
> result:
> 
> /usr/bin/kvm -localtime -m 256 -no-reboot
> -cdrom ./debian-6.0.2.1-amd64-netinst/debian-6.0.2.1-amd64-netinst.iso
> -boot d -hda ./da -net nic -net tap,ifname=tap0,script=no
> 
> kvm: -net tap,ifname=tap0,script=no: could not configure /dev/net/tun
> (tap0): Operation not permitted

Apparently, you need root access to create tap interfaces regardless
of the permissions on the tap device. I have it on good authority
(http://bugs.debian.org/630701#10) that the preferred way is to
precreate the tapX interfaces in /etc/network/interfaces.


But if you are like me and you manage multiple virtual machines and you
stubbornly insist on using dynamic tap interfaces, you can work around
this by setting the CAP_NET_ADMIN capability on kvm:
# setcap cap_net_admin+ep /usr/bin/kvm

However, there are two problems with this:
- every time dpkg upgrades qemu, the capability gets reset
- this is INSECURE, because you're now granting all your users full
  access to your network interfaces. Only do this if you trust your
  users.


The KVM/tap networking documentation seems scattered across the 'net,
most of it is incomplete and sometimes contradictory. If someone has
a pointer to The Definitive Guide(tm), I'd be interested to read it.

> 
> user   ALL = /sbin/ifconfig *, /sbin/ifup br0, /sbin/ifdown
> br0, /sbin/ip *, /sbin/brctl *, /sbin/tunctl *

If you precreate the tap interface, you won't need these...


Regards,
Arno
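Added example, not part of Arno's message: a small POSIX sh audit that parses getcap-style output and reports binaries whose file capabilities include cap_net_admin, the state the setcap workaround above leaves /usr/bin/kvm in (and the state that disappears silently after a dpkg upgrade). The sample getcap lines are constructed; on a real host you would feed it `getcap -r /usr/bin`.

```shell
#!/bin/sh
# Audit helper: find binaries carrying cap_net_admin in their file
# capabilities. Such a binary lets every local user who can run it
# reconfigure network interfaces, which is the risk Arno points out.
#
# Input is one getcap output line per binary. Both the classic format
#   /usr/bin/kvm = cap_net_admin+ep
# and the newer libcap format
#   /usr/bin/kvm cap_net_admin=ep
# are accepted, since only the capability name is matched.

# Constructed sample, standing in for: getcap -r /usr/bin 2>/dev/null
SAMPLE_GETCAP='/usr/bin/kvm = cap_net_admin+ep
/usr/bin/ping = cap_net_raw+ep
/usr/bin/qemu-system-x86_64 cap_net_admin,cap_net_raw=ep'

# Read getcap lines on stdin, print the path of each binary whose
# capability set names cap_net_admin (one path per line).
find_net_admin_caps() {
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        path=${line%% *}          # first field: the binary's path
        caps=${line#"$path"}      # rest of the line: its capability set
        case "$caps" in
            *cap_net_admin*) printf '%s\n' "$path" ;;
        esac
    done
}

# Audit a getcap listing passed as $1. Returns 0 when no binary has
# cap_net_admin, 1 (and lists the offenders) when at least one does.
audit_net_admin_caps() {
    hits=$(printf '%s\n' "$1" | find_net_admin_caps)
    if [ -n "$hits" ]; then
        printf 'cap_net_admin is set on:\n%s\n' "$hits"
        return 1
    fi
    printf 'no binary carries cap_net_admin\n'
    return 0
}

# Stand-alone run against the constructed sample (expected: exit 1).
if [ "${0##*/}" != "sh" ] && [ -z "$AUDIT_NO_MAIN" ]; then
    audit_net_admin_caps "$SAMPLE_GETCAP"
fi
```

If the audit reports /usr/bin/kvm after an upgrade, the capability survived; if it reports nothing, the precreated-tap approach is the only thing keeping VMs working.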