
Re: KVM networking.

Thank you for your time and answer, Arno:

>> /usr/bin/kvm -localtime -m 256 -no-reboot
>> -cdrom ./debian-6.0.2.1-amd64-netinst/debian-6.0.2.1-amd64-netinst.iso
>> -boot d -hda ./da -net nic -net tap,ifname=tap0,script=no
>> 
>> kvm: -net tap,ifname=tap0,script=no: could not configure /dev/net/tun
>> (tap0): Operation not permitted
>
>Apparently, you need root access to create tap interfaces regardless
>of the permissions on the tap device. I have it on good authority
>(http://bugs.debian.org/630701#10) that the preferred way is to
>precreate the tapX interfaces in /etc/network/interfaces.

That's why I included all the possibly related commands (from the
up/down scripts of KVM) in the sudoers file for the user.

$ ls -l /dev/net/tun
crw-rw-rw- 1 root root 10, 200 Nov  6 21:23 /dev/net/tun

- this should also be OK...

>But if you are like me and you manage multiple virtual machines and you
>stubbornly insist on using dynamic tap interfaces, you can work around
>this by setting the CAP_NET_ADMIN capability on kvm:
># setcap cap_net_admin+ep /usr/bin/kvm
>
>However, there are two problems with this:
>- every time dpkg upgrades qemu, the capability gets reset
>- this is INSECURE, because you're now granting all your users full
>  access to your network interfaces. Only do this if you trust your
>  users.

I want to make it secure and update-independent; let's see, maybe someone
on the list will share his/her knowledge with us - I do not believe that
everyone who uses standard VM-ing makes such workarounds. In the KVM
manual it is clearly written what to do for every network case one would
use - just workstation Internet access, bridges (private/public), and tap
with later routing for the interface.

For me it does not work, for the following reasons:

1. The bridge takes the Internet connection for itself, thus leaving the
host applications without Internet access; probably routing is needed
here, but they do not give any specifications for that.

2. As a workstation, it does not provide access from the host to the guest.

3. With tap - you have already seen the problem, some permission problem
unknown to me. Do you know why it is so? Or maybe you have an idea what
other command I have to add to the sudoers file for the user, or some
other way for root to specify the interface parameters so that the user
can use the interface?

>> user   ALL = /sbin/ifconfig *, /sbin/ifup br0, /sbin/ifdown
>> br0, /sbin/ip *, /sbin/brctl *, /sbin/tunctl *
>
>If you precreate the tap interface, you won't need these...

It is left over from other trials with bridges. I will leave it as it is
now until I accomplish my goal - then I'll narrow the range of what is
allowed or remove it altogether, depending on the solution I work out.
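As an added example (not from this thread or from the KVM/qemu project), here is a small POSIX shell audit for the setcap workaround Arno describes above. It parses `getcap` output for binaries that carry CAP_NET_ADMIN as an effective capability and combines that with the file's mode, so a world-executable binary with the capability is reported as exposed to every local user, while one whose execute bit is limited to a trusted group is reported as restricted. Run after a dpkg upgrade, the same check also shows whether the capability has been reset, which is the other problem mentioned above. The sample `getcap` lines, the mode strings and the function names are constructed assumptions; the sample deliberately mixes the older `path = caps` and the newer `path caps` output forms of `getcap` so the parser handles both.

```shell
#!/bin/sh
# Added example, not part of the thread: audit file capabilities that grant
# CAP_NET_ADMIN and report whether every local user can exercise them.

# Constructed sample of `getcap -r /usr/bin /usr/local/bin` output.
# The first three lines use the older libcap format ("path = caps"), the
# last one the newer format ("path caps"); the parser accepts both.
SAMPLE_GETCAP='/usr/bin/kvm = cap_net_admin+ep
/usr/bin/ping = cap_net_raw+ep
/usr/bin/example-tool = cap_net_admin+p
/usr/local/bin/qemu-system-x86_64 cap_net_admin,cap_net_raw=ep'

# Print the paths from getcap output whose capability set includes
# cap_net_admin with the Effective flag ("e") set, i.e. binaries that can
# reconfigure network interfaces for whoever runs them. A clause such as
# "cap_net_admin+p" (permitted only, not effective) is not reported.
net_admin_binaries() {
    printf '%s\n' "$1" | awk '
        {
            path = $1
            for (i = 2; i <= NF; i++) {
                if ($i == "=") continue         # older "path = caps" form
                n = split($i, part, /[+=]/)     # part[1]=caps, part[2]=flags
                if (n >= 2 && index(part[1], "cap_net_admin") > 0 && index(part[2], "e") > 0) {
                    print path
                    break
                }
            }
        }'
}

# Succeed when the "others" execute bit of an ls -l mode string is set
# (x, or t for sticky plus execute), meaning any local user can run the file.
others_can_exec() {
    case "$(printf '%s' "$1" | cut -c10)" in
        x|t) return 0 ;;
        *)   return 1 ;;
    esac
}

# Classify one getcap line against the file's ls -l mode string:
#   EXPOSED    - effective cap_net_admin and world-executable: every local
#                user gets network-admin rights (Arno's "INSECURE" case)
#   RESTRICTED - effective cap_net_admin but execute limited to owner/group
#                (e.g. after chgrp to a trusted group and chmod 750)
#   NONE       - no effective cap_net_admin on this file
classify() {
    if [ -n "$(net_admin_binaries "$1")" ]; then
        if others_can_exec "$2"; then echo EXPOSED; else echo RESTRICTED; fi
    else
        echo NONE
    fi
}

# Demo over the constructed sample. On a real host, replace the sample with
# `getcap -r /usr/bin /usr/local/bin 2>/dev/null` and read each file's mode
# from `ls -l "$path"` instead of the constructed value used here.
printf '%s\n' "$SAMPLE_GETCAP" | while IFS= read -r line; do
    path=${line%% *}
    mode='-rwxr-xr-x'               # constructed: assume world-executable
    printf '%-12s %s\n' "$(classify "$line" "$mode")" "$path"
done
```

The report flags `/usr/bin/kvm` and the qemu binary in the sample as EXPOSED and ignores `ping` (cap_net_raw, a different capability) and the permitted-only entry. The RESTRICTED outcome is the mitigation path Arno's caveat points at: keep the capability only if execution of the file is limited to the users you trust, and re-run the audit after package upgrades.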