LinuxQuestions.org

insectiod 01-08-2014 01:39 PM

How to securely run qemu with tap device for networking
 
I run qemu without libvirt. I want to use a tap device on the host for networking. I suspect that running qemu as root is insecure, so I would like to run it as an ordinary user (correct me if I'm wrong). It seems like the easiest way to do this is to set up the bridge and tap0 manually, and then just tell qemu to use the tap interface. This is what I've got so far:
Code:

>>>ifconfig
br0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.1.112  netmask 255.255.255.0  broadcast 192.168.1.255
        inet6 fe80::21c:25ff:fe7e:60fa  prefixlen 64  scopeid 0x20<link>
        ether 00:1c:25:7e:60:fa  txqueuelen 0  (Ethernet)
        RX packets 10161  bytes 679450 (663.5 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 6437  bytes 1046638 (1022.1 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

eth0: flags=4419<UP,BROADCAST,RUNNING,PROMISC,MULTICAST>  mtu 1500
        inet6 fe80::21c:25ff:fe7e:60fa  prefixlen 64  scopeid 0x20<link>
        ether 00:1c:25:7e:60:fa  txqueuelen 1000  (Ethernet)
        RX packets 69655  bytes 6728140 (6.4 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 67272  bytes 26923616 (25.6 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
        device interrupt 20  memory 0xfe200000-fe220000

tap0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        ether 1a:59:cd:a4:ea:ae  txqueuelen 500  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

Code:

>>>sudo brctl show
bridge name    bridge id              STP enabled    interfaces
br0            8000.001c257e60fa      no              eth0
                                                        tap0

Code:

>>>qemu-system-i386 -netdev tap,ifname=tap0,id=mynet0,script=no -device i82559c,netdev=mynet0 -m 1024 slack.qcow2
qemu-system-i386: -netdev tap,ifname=tap0,id=mynet0,script=no: could not configure /dev/net/tun (tap0): Operation not permitted
qemu-system-i386: -netdev tap,ifname=tap0,id=mynet0,script=no: Device 'tap' could not be initialized

However, running the above as superuser works fine. What am I doing wrong?

Versions: qemu 1.7.0 on slackware 32bit 14.1

mostlyharmless 01-08-2014 02:16 PM

Not that it answers your question, but you could use
-runas <username> on your command line.

Or you could chmod /dev/net/tun but I suspect that's not any more secure than running qemu as root.

jefro 01-08-2014 07:04 PM

You should never be on as root is a common thought.

Qemu is fine running as a user but you may have to give that user some extra small permission. This is where I think the standard user is failing for you. I don't use qemu on linux enough to tell so others could maybe fix your code or permissions.

ericson007 01-08-2014 10:05 PM

I never used qemu by itself; on KVM with libvirt, I specify network details in the individual XML of the virtual machine and then I normally specify br0. It seems to work fine without setting up a tap device. Could it possibly work like that in your case?

insectiod 01-09-2014 10:55 AM

I've solved it by using the -u option for user when creating the tap device:
Code:

sudo tunctl -t tap0 -u me

jefro 01-11-2014 02:22 PM

Thanks for the update and solution. Good job.
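
Added example, not part of the thread: the fix from insectiod's last post wrapped in a script that also checks who owns the tap before QEMU is started as an ordinary user. It reads the tun driver's `owner` attribute in sysfs; the function names, the `SYSFS_ROOT` override and the file name `tap.sh` are assumptions made for this example.

```shell
#!/bin/sh
# Added example. SYSFS_ROOT can be overridden to test against a constructed tree.
SYSFS_ROOT="${SYSFS_ROOT:-/sys}"

# tap_owner_status TAP USER_OR_UID
# Prints ok | unowned | mismatch:<uid> | missing | nouser; returns 0 only for ok.
tap_owner_status() {
    f="$SYSFS_ROOT/class/net/$1/owner"   # tun driver attribute: owning uid, or -1
    [ -r "$f" ] || { echo missing; return 2; }
    case "$2" in
        ''|*[!0-9]*) want=$(id -u "$2" 2>/dev/null) || { echo nouser; return 2; } ;;
        *)           want=$2 ;;
    esac
    have=$(cat "$f")
    case "$have" in
        "$want") echo ok ;;
        -1)      echo unowned; return 1 ;;      # no owner set on the device
        *)       echo "mismatch:$have"; return 1 ;;
    esac
}

# setup_tap TAP BRIDGE USER: the only step that needs root (run via sudo).
setup_tap() {
    tunctl -t "$1" -u "$3" &&    # the fix from the thread: tap owned by USER
    brctl addif "$2" "$1" &&
    ifconfig "$1" up
}

# launch_guest TAP USER IMAGE: run as USER; refuses unless USER owns the tap.
launch_guest() {
    st=$(tap_owner_status "$1" "$2") || {
        echo "refusing to start: $1 owner check: $st" >&2
        return 1
    }
    qemu-system-i386 -netdev "tap,ifname=$1,id=mynet0,script=no" \
        -device i82559c,netdev=mynet0 -m 1024 "$3"
}

# Usage (tap.sh is a hypothetical file name for this script):
#   sudo sh -c '. ./tap.sh; setup_tap tap0 br0 me'
#   . ./tap.sh; launch_guest tap0 me slack.qcow2
```

Only `setup_tap` runs with root privileges; the guest itself starts under the unprivileged account that owns the tap.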


All times are GMT -5.