Displaying 12 results from an estimated 12 matches for "net_admin".
2020 Nov 04
1
consume existing tap device when libvirt / qemu run as different users
Hello,
I'm having some doubts about consuming an existing - already
configured - tap device from libvirt (with `managed='no' ` attribute
set).
In KubeVirt, we want to have the consumer side of the tap device run
without the NET_ADMIN capability, which requires the UID / GID of the
tap creator / opener to match, as per the kernel code in [0]. As such,
we create the tap device (with the qemu user / group on behalf of
qemu), which will ultimately be the tap consumer.
This leads me to question: why is libvirt opening / calling
`io...
2020 Aug 30
1
Re: plug pre-created tap devices to libvirt guests
...'ve
> > > understood better how tap devices work, and that new insight makes me
> > > wonder about a couple of things.
> > >
> > > Our ultimate goal in kubevirt is to consume a pre-created tap device
> > > by a kubernetes pod that doesn't have the NET_ADMIN capability.
> > >
> > > After looking at the current libvirt code, I don't think that is
> > > currently supported, since we'll *always* enter the
> > > `virNetDevTapCreate` function in [1] (I'm interested in the *tap*
> > > scenario).
> ...
2020 Jun 30
1
Re: plug pre-created tap devices to libvirt guests
...since I've started this thread, but lately I've
> understood better how tap devices work, and that new insight makes me
> wonder about a couple of things.
>
> Our ultimate goal in kubevirt is to consume a pre-created tap device
> by a kubernetes pod that doesn't have the NET_ADMIN capability.
>
> After looking at the current libvirt code, I don't think that is
> currently supported, since we'll *always* enter the
> `virNetDevTapCreate` function in [1] (I'm interested in the *tap*
> scenario).
>
> The tap device is effectively created in tha...
2020 Apr 06
4
Re: plug pre-created tap devices to libvirt guests
On 4/6/20 9:54 AM, Daniel P. Berrangé wrote:
> On Mon, Apr 06, 2020 at 03:47:01PM +0200, Miguel Duarte de Mora Barroso wrote:
>> Hi all,
>>
>> I'm aware that it is possible to plug pre-created macvtap devices to
>> libvirt guests - tracked in RFE [0].
>>
>> My interpretation of the wording in [1] and [2] is that it is also
>> possible to plug
2020 Jun 30
0
Re: plug pre-created tap devices to libvirt guests
...
It's been a while since I've started this thread, but lately I've
understood better how tap devices work, and that new insight makes me
wonder about a couple of things.
Our ultimate goal in kubevirt is to consume a pre-created tap device
by a kubernetes pod that doesn't have the NET_ADMIN capability.
After looking at the current libvirt code, I don't think that is
currently supported, since we'll *always* enter the
`virNetDevTapCreate` function in [1] (I'm interested in the *tap*
scenario).
The tap device is effectively created in that function - [2] - by
opening the c...
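The creator / consumer split that the KubeVirt threads above are asking libvirt for, written out as an added example (this is not libvirt's or KubeVirt's code). One privileged process creates a persistent tap with TUNSETIFF + TUNSETPERSIST and hands it to a uid/gid with TUNSETOWNER / TUNSETGROUP; a second, unprivileged process running as that uid re-attaches with plain TUNSETIFF. `attach_permitted` is a Python model of the kernel's `tun_not_capable()` check in `drivers/net/tun.c` (owner/group unset means INVALID_UID/GID there), so the rule the posts refer to can be exercised without root. Assumptions: Python 3 on Linux, the ioctl numbers as encoded on x86/arm (they differ on a few other architectures), a 40-byte `struct ifreq`, and that `/dev/net/tun` is openable by the consumer uid; all function names are mine.

```python
"""Create a persistent tap as root, attach to it later without CAP_NET_ADMIN."""
import fcntl
import os
import struct

# ioctl request numbers from <linux/if_tun.h>, _IOW('T', n, int) as encoded on x86/arm
TUNSETIFF = 0x400454CA
TUNSETPERSIST = 0x400454CB
TUNSETOWNER = 0x400454CC
TUNSETGROUP = 0x400454CE
IFF_TAP = 0x0002      # ethernet frames, not IP packets
IFF_NO_PI = 0x1000    # no 4-byte packet-info header on read/write
IFNAMSIZ = 16
IFREQ_SIZE = 40       # sizeof(struct ifreq) on Linux


def pack_ifreq(name: str, flags: int) -> bytes:
    """Build a struct ifreq: char ifr_name[16] followed by the union, of which we set ifr_flags (short)."""
    raw = name.encode()
    if not raw or len(raw) >= IFNAMSIZ:
        raise ValueError("interface name must be 1..15 bytes")
    return struct.pack("16sH", raw, flags).ljust(IFREQ_SIZE, b"\0")


def attach_permitted(owner, group, euid, egroups, has_net_admin) -> bool:
    """Model of tun_not_capable() (inverted): may a process attach to an EXISTING tap?

    owner/group are None when TUNSETOWNER/TUNSETGROUP were never called. The kernel denies when
    (owner is set and euid differs) OR (group is set and egid/supplementary groups lack it),
    unless the caller holds CAP_NET_ADMIN in the device's network namespace.
    """
    owner_mismatch = owner is not None and euid != owner
    group_mismatch = group is not None and group not in egroups
    return not ((owner_mismatch or group_mismatch) and not has_net_admin)


def create_persistent_tap(name: str, uid: int, gid: int) -> None:
    """Privileged side (needs CAP_NET_ADMIN): create the tap, assign it to uid/gid, keep it after close."""
    fd = os.open("/dev/net/tun", os.O_RDWR)
    try:
        fcntl.ioctl(fd, TUNSETIFF, pack_ifreq(name, IFF_TAP | IFF_NO_PI))
        fcntl.ioctl(fd, TUNSETOWNER, uid)
        fcntl.ioctl(fd, TUNSETGROUP, gid)
        fcntl.ioctl(fd, TUNSETPERSIST, 1)
    finally:
        os.close(fd)  # the device survives because it is persistent now


def attach_existing_tap(name: str) -> int:
    """Unprivileged consumer: re-attach to the persistent tap and return an fd carrying ethernet frames.

    Without CAP_NET_ADMIN this succeeds only if our euid is the owner set above (and, if a group
    was set, we are in it); otherwise TUNSETIFF fails with EPERM.
    """
    fd = os.open("/dev/net/tun", os.O_RDWR)
    try:
        fcntl.ioctl(fd, TUNSETIFF, pack_ifreq(name, IFF_TAP | IFF_NO_PI))
    except OSError:
        os.close(fd)
        raise
    return fd


if __name__ == "__main__":
    import sys
    # usage:  create <name> <uid> <gid>   (run with CAP_NET_ADMIN)
    #         attach <name>               (run as <uid>, no CAP_NET_ADMIN)
    if sys.argv[1] == "create":
        create_persistent_tap(sys.argv[2], int(sys.argv[3]), int(sys.argv[4]))
    else:
        tap_fd = attach_existing_tap(sys.argv[2])
        print("attached to", sys.argv[2], "as fd", tap_fd)
```

Two practical consequences follow from the modelled check: the consumer's euid (not its original uid) is what is compared, so a consumer that switches user after opening `/dev/net/tun` is still bound by the euid at TUNSETIFF time; and if neither owner nor group is ever set on a persistent tap, the check imposes no uid restriction at all, so the only remaining barrier is the mode of `/dev/net/tun` itself.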
2013 Oct 01
2
sshd accepted fingerprint logging
Currently, LogLevel must be set to VERBOSE to see the fingerprint of an
accepted key, and the default LogLevel is INFO. Since this is useful
security information, I would like to propose that the 'Accepted
publickey' message be modified to include the fingerprint of the
accepted key. Is this a reasonable solution?
Here is an example log snippet with LogLevel VERBOSE:
Oct 1 15:23:24
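The snippet above is cut off before the fingerprint appears, so here is an added example (not from the original post or from OpenSSH) of the piece of tooling that makes a logged fingerprint useful: computing OpenSSH-style fingerprints for every entry in an `authorized_keys` file and mapping an "Accepted publickey" line back to the key comment that was used. Assumptions: the fingerprint is the hash of the raw, base64-decoded key blob (SHA256 shown as unpadded base64, MD5 as colon-separated hex), and the modern sshd log wording `Accepted publickey for <user> from <ip> port <n> ssh2: <TYPE> <fingerprint>`; the sample key and log line are constructed, and the function names are mine.

```python
"""Map sshd 'Accepted publickey' fingerprints back to authorized_keys entries."""
import base64
import hashlib
import re
import struct


def _ssh_string(b: bytes) -> bytes:
    """SSH wire-format string: uint32 length prefix followed by the bytes."""
    return struct.pack(">I", len(b)) + b


# Constructed sample: a structurally valid ssh-ed25519 blob with an arbitrary 32-byte key (not a real key)
SAMPLE_BLOB = _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(32)))
SAMPLE_AUTHORIZED_KEYS = (
    "# deploy host\n"
    "ssh-ed25519 " + base64.b64encode(SAMPLE_BLOB).decode() + " deploy@example\n"
)


def fingerprint_sha256(blob: bytes) -> str:
    """'SHA256:' + base64(sha256(blob)) without '=' padding, as ssh-keygen -l prints it."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def fingerprint_md5(blob: bytes) -> str:
    """'MD5:' + colon-separated hex, the legacy form older sshd versions logged."""
    return "MD5:" + ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())


def parse_authorized_keys(text: str) -> dict:
    """Return {fingerprint: comment} for every key line (both hash forms are indexed).

    Leading options (e.g. from="...") are skipped by locating the key-type token; options that
    themselves contain spaces are not handled here.
    """
    index = {}
    for line in text.splitlines():
        parts = line.strip().split()
        if not parts or parts[0].startswith("#"):
            continue
        for i, tok in enumerate(parts):
            if tok.startswith(("ssh-", "ecdsa-", "sk-")) and i + 1 < len(parts):
                blob = base64.b64decode(parts[i + 1])
                comment = " ".join(parts[i + 2:])
                index[fingerprint_sha256(blob)] = comment
                index[fingerprint_md5(blob)] = comment
                break
    return index


ACCEPTED_RE = re.compile(
    r"Accepted publickey for (?P<user>\S+) from (?P<ip>\S+) port \d+ ssh2: "
    r"(?P<keytype>\S+) (?P<fp>(?:SHA256|MD5):\S+)"
)


def match_accepted_key(logline: str, index: dict):
    """(user, source ip, fingerprint, authorized_keys comment or None) for an accepted-key line, else None."""
    m = ACCEPTED_RE.search(logline)
    if not m:
        return None
    return (m["user"], m["ip"], m["fp"], index.get(m["fp"]))


# Constructed log line in the assumed format, using the sample key's fingerprint
SAMPLE_LOG = (
    "Oct  1 15:23:24 bastion sshd[4242]: Accepted publickey for alice from 192.0.2.10 "
    f"port 51234 ssh2: ED25519 {fingerprint_sha256(SAMPLE_BLOB)}"
)

if __name__ == "__main__":
    print(match_accepted_key(SAMPLE_LOG, parse_authorized_keys(SAMPLE_AUTHORIZED_KEYS)))
```

A `None` in the last tuple slot is the interesting case for an investigator: a key that sshd accepted but that is not in the `authorized_keys` copy you are checking against, which is exactly the situation the fingerprint in the log is meant to surface.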
2015 Jan 19
2
CentOS-6.6 Fail2Ban and Postfix Selinux AVCs
I am seeing these in the log of one of our off-site NX hosts running
CentOS-6.6.
type=AVC msg=audit(1421683972.786:4372): avc: denied { create } for
pid=22788 comm="iptables" scontext=system_u:system_r:fail2ban_t:s0
tcontext=system_u:system_r:fail2ban_t:s0 tclass=rawip_socket
Was caused by:
Missing type enforcement (TE) allow rule.
You can use
2015 Jan 19
0
CentOS-6.6 Fail2Ban and Postfix Selinux AVCs
...hat host.
We eventually ended up with a custom policy that looks like this:
#============= fail2ban_t ==============
allow fail2ban_t ldconfig_exec_t:file { read execute open getattr
execute_no_trans };
allow fail2ban_t insmod_exec_t:file { read execute open };
allow fail2ban_t self:capability { net_admin net_raw };
allow fail2ban_t self:rawip_socket { getopt create setopt };
allow fail2ban_t sysctl_kernel_t:dir search;
allow fail2ban_t sysctl_modprobe_t:file read;
allow system_mail_t inotifyfs_t:dir read;
I am not sure whether this issue is the result of something that we
have done or left undon...
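The two fail2ban posts above show the input (an AVC denial for `rawip_socket` create) and the output (a hand-written policy with `allow fail2ban_t self:capability { net_admin net_raw };`) without the step in between. As an added example, not from the original thread or from the SELinux tooling, here is that step: parse `avc: denied` audit lines and fold them into candidate `allow` rules, grouped by source type, target type and object class, with `self` substituted when source and target types are equal, much as `audit2allow` would propose. The first sample line is the one from the post re-joined onto a single line; the rest are constructed in the same format to exercise grouping and a non-`self` target. Function names are mine.

```python
"""Fold SELinux AVC denials into candidate allow rules."""
import re
from collections import defaultdict

# Constructed sample audit records (first one taken from the post above, re-joined)
SAMPLE_AVCS = [
    'type=AVC msg=audit(1421683972.786:4372): avc:  denied  { create } for  pid=22788 comm="iptables" '
    'scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:system_r:fail2ban_t:s0 tclass=rawip_socket',
    'type=AVC msg=audit(1421683972.790:4373): avc:  denied  { setopt } for  pid=22788 comm="iptables" '
    'scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:system_r:fail2ban_t:s0 tclass=rawip_socket',
    'type=AVC msg=audit(1421683972.791:4374): avc:  denied  { net_admin } for  pid=22788 comm="iptables" '
    'capability=12 scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:system_r:fail2ban_t:s0 '
    'tclass=capability',
    'type=AVC msg=audit(1421683990.001:4380): avc:  denied  { read } for  pid=22801 comm="postfix" '
    'path="/var/spool" scontext=system_u:system_r:system_mail_t:s0 tcontext=system_u:object_r:inotifyfs_t:s0 '
    'tclass=dir',
]

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def selinux_type(context: str) -> str:
    """user:role:type[:level] -> type (the level may itself contain colons, so index, don't rsplit)."""
    return context.split(":")[2]


def parse_avc(line: str):
    """Return the denied permissions plus source/target types and class, or None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m["fields"])}
    return {
        "perms": m["perms"].split(),
        "source": selinux_type(fields["scontext"]),
        "target": selinux_type(fields["tcontext"]),
        "tclass": fields["tclass"],
        "comm": fields.get("comm"),
    }


def avc_to_allow_rules(lines) -> list:
    """Group denials by (source, target-or-self, class) and emit one allow rule per group."""
    grouped = defaultdict(set)
    for line in lines:
        d = parse_avc(line)
        if d is None:
            continue
        target = "self" if d["source"] == d["target"] else d["target"]
        grouped[(d["source"], target, d["tclass"])].update(d["perms"])
    return [
        f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
        for (src, tgt, cls), perms in sorted(grouped.items())
    ]


if __name__ == "__main__":
    for rule in avc_to_allow_rules(SAMPLE_AVCS):
        print(rule)
```

The generated rules are a starting point, not a policy: a `capability { net_admin }` grant to `fail2ban_t` is as broad as the `--cap-add NET_ADMIN` that appears elsewhere on this page, so each rule should be read against what the process was actually doing (here, `comm="iptables"` in the denial) before it goes into a module.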
2024 Jul 07
1
[Bug 1757] New: Alpine 3.19: iptables: Bad rule (does a matching rule exist in that chain?).
...rity: P5
Component: iptables
Assignee: netfilter-buglog at lists.netfilter.org
Reporter: quentin.mcgaw at gmail.com
On Alpine Linux 3.19, after adding and removing rules, it doesn't find a rule
that was added previously. To reproduce:
docker run -it --rm --cap-add=NET_ADMIN alpine:3.19
apk add iptables
iptables --policy FORWARD ACCEPT
iptables --append INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
iptables --append INPUT -i lo -j ACCEPT
iptables --append OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
iptables --append OUTPUT -o eth0 -s 1.2.3.4 -d 5.6.7.8 -...
2016 Dec 29
0
Allow direct connection between some (but not all) nodes on the network (Guus Sliepen)
...stnamectl set-hostname master1
export ACLToken=$(uuidgen)
mkdir -p /consul
mkdir -p /caddy
chmod 755 -R /consul
chmod 755 -R /caddy
docker run -d --env ACLToken=${ACLToken:?} --env ConsulHost=${ConsulHost:?} \
--env master=true --net=host --device=/dev/net/tun --cap-add NET_ADMIN \
--volume /consul:/consul --volume /caddy:/root/.caddy \
--volume /etc/hosts:/etc/hosts --name tzk nebtex/tzk
else
docker run -d --env ACLToken=${ACLToken:?} --env ConsulHost=${ConsulHost:?} \
--net=host --device=/dev/net/tun --volume /etc/hosts:/etc/hosts \
--cap-add NET_ADMIN \...
2009 Nov 02
0
[PATCHv4 3/6] qemu/net: add raw backend
...on the interface
are delivered to the VM and packets sent by the VM are sent to the
interface.
This is functionally similar to the existing pcap network
backend, with the same advantages and problems.
Differences from pcap:
- can get an open socket from the monitor,
which allows running without NET_ADMIN privileges
- support iovec sends with writev, saving one data copy
- one less dependency on an external library
- we have access to the underlying file descriptor
which makes it possible to connect to vhost net
- don't support polling all interfaces, always bind to a specific one
Signed-off...