search for: net_admin

Displaying 11 results from an estimated 11 matches for "net_admin".

2020 Nov 04
1
consume existing tap device when libvirt / qemu run as different users
Hello, I'm having some doubts about consuming an existing - already configured - tap device from libvirt (with `managed='no'` attribute set). In KubeVirt, we want to have the consumer side of the tap device run without the NET_ADMIN capability, which requires the UID / GID of the tap creator / opener to match, as per the kernel code in [0]. As such, we create the tap device (with the qemu user / group on behalf of qemu), which will ultimately be the tap consumer. This leads me to question: why is libvirt opening / calling `io...
2020 Aug 30
1
Re: plug pre-created tap devices to libvirt guests
...'ve > > > understood better how tap devices work, and that new insight makes me > > > wonder about a couple of things. > > > > > > Our ultimate goal in kubevirt is to consume a pre-created tap device > > > by a kubernetes pod that doesn't have the NET_ADMIN capability. > > > > > > After looking at the current libvirt code, I don't think that is > > > currently supported, since we'll *always* enter the > > > `virNetDevTapCreate` function in [1] (I'm interested in the *tap* > > > scenario). > &...
2020 Jun 30
1
Re: plug pre-created tap devices to libvirt guests
...since I've started this thread, but lately I've > understood better how tap devices work, and that new insight makes me > wonder about a couple of things. > > Our ultimate goal in kubevirt is to consume a pre-created tap device > by a kubernetes pod that doesn't have the NET_ADMIN capability. > > After looking at the current libvirt code, I don't think that is > currently supported, since we'll *always* enter the > `virNetDevTapCreate` function in [1] (I'm interested in the *tap* > scenario). > > The tap device is effectively created in tha...
2020 Apr 06
4
Re: plug pre-created tap devices to libvirt guests
On 4/6/20 9:54 AM, Daniel P. Berrangé wrote: > On Mon, Apr 06, 2020 at 03:47:01PM +0200, Miguel Duarte de Mora Barroso wrote: >> Hi all, >> >> I'm aware that it is possible to plug pre-created macvtap devices to >> libvirt guests - tracked in RFE [0]. >> >> My interpretation of the wording in [1] and [2] is that it is also >> possible to plug
2020 Jun 30
0
Re: plug pre-created tap devices to libvirt guests
... It's been a while since I've started this thread, but lately I've understood better how tap devices work, and that new insight makes me wonder about a couple of things. Our ultimate goal in kubevirt is to consume a pre-created tap device by a kubernetes pod that doesn't have the NET_ADMIN capability. After looking at the current libvirt code, I don't think that is currently supported, since we'll *always* enter the `virNetDevTapCreate` function in [1] (I'm interested in the *tap* scenario). The tap device is effectively created in that function - [2] - by opening the c...
2013 Oct 01
2
sshd accepted fingerprint logging
Currently, LogLevel must be set to VERBOSE to see the fingerprint of an accepted key, and the default LogLevel is INFO. Since this is useful security information, I would like to propose that the 'Accepted publickey' message be modified to include the fingerprint of the accepted key. Is this a reasonable solution? Here is an example log snippet with LogLevel VERBOSE: Oct 1 15:23:24
2015 Jan 19
2
CentOS-6.6 Fail2Ban and Postfix Selinux AVCs
I am seeing these in the log of one of our off-site NX hosts running CentOS-6.6. type=AVC msg=audit(1421683972.786:4372): avc: denied { create } for pid=22788 comm="iptables" scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:system_r:fail2ban_t:s0 tclass=rawip_socket Was caused by: Missing type enforcement (TE) allow rule. You can use
2015 Jan 19
0
CentOS-6.6 Fail2Ban and Postfix Selinux AVCs
...hat host. We eventually ended up with a custom policy that looks like this: #============= fail2ban_t ============== allow fail2ban_t ldconfig_exec_t:file { read execute open getattr execute_no_trans }; allow fail2ban_t insmod_exec_t:file { read execute open }; allow fail2ban_t self:capability { net_admin net_raw }; allow fail2ban_t self:rawip_socket { getopt create setopt }; allow fail2ban_t sysctl_kernel_t:dir search; allow fail2ban_t sysctl_modprobe_t:file read; allow system_mail_t inotifyfs_t:dir read; I am not sure whether this issue is the result of something that we have done or left undon...
2016 Dec 29
0
Allow direct connection between some (but not all) nodes on the network (Guus Sliepen)
...stnamectl set-hostname master1 export ACLToken=$(uuidgen) mkdir -p /consul mkdir -p /caddy chmod 755 -R /consul chmod 755 -R /caddy docker run -d --env ACLToken=${ACLToken:?} --env ConsulHost=${ConsulHost:?} \ --env master=true --net=host --device=/dev/net/tun --cap-add NET_ADMIN \ --volume /consul:/consul --volume /caddy:/root/.caddy \ --volume /etc/hosts:/etc/hosts --name tzk nebtex/tzk else docker run -d --env ACLToken=${ACLToken:?} --env ConsulHost=${ConsulHost:?} \ --net=host --device=/dev/net/tun --volume /etc/hosts:/etc/hosts --cap-add NET_ADMIN \...
2009 Nov 02
0
[PATCHv4 3/6] qemu/net: add raw backend
...on the interface are delivered to the VM and packets sent by the VM are sent to the interface. This is functionally similar to the existing pcap network backend, with the same advantages and problems. Differences from pcap: - can get an open socket from the monitor, which allows running without NET_ADMIN privileges - support iovec sends with writev, saving one data copy - one less dependency on an external library - we have access to the underlying file descriptor which makes it possible to connect to vhost net - don't support polling all interfaces, always bind to a specific one Signed-off...