I want to filter and capture traffic coming from a virtual machine. The VM must run in user space. I know that capturing requires root (although I would like to minimise the amount of root activity needed later on).
As I understand it, the simplest way to capture and filter is to have a dedicated virtual network interface, such as vnet0, that belongs only to the VM. Then I can run tshark, tcpdump, iptables and so on against it.
How do I set up (create) the network interfaces (as root), and how do I connect a KVM/QEMU virtual machine to them (as non-root)?
I am looking for ip commands (iproute2 style) and QEMU configuration options.
I have started investigating an interface set up like this:
(root 1) ip link add br0 type bridge
(root 2) ip addr add dev br0 10.10.0.1/24
(root 3) ip link set dev br0 up
(root 4) ip link add vm1-host type veth peer name vm1-net
(root 5) ip link set dev vm1-host master br0
(root 6) ip link set dev vm1-host up
(root 7) ip tuntap add vm1-tap mode tap
(root 8) ip addr add 10.10.0.2/24 dev vm1-net
(root 9) ip addr add 10.0.2.2/24 dev vm1-tap
(root 10) ip link set dev vm1-tap up
(root 10b) echo 1 > /proc/sys/net/ipv4/ip_forward
Then I tried to connect to the bridge with QEMU, but could not do so as a non-root user.
I edited /etc/qemu/bridge.conf to allow users to connect to the bridge via /usr/libexec/qemu-bridge-helper:
(root 11) grep -v # /etc/qemu/bridge.conf
allow veth0
allow vm1-tap
allow vm1-host
allow vm1-net
(root 12) ll /usr/libexec/qemu-bridge-helper
-rwsr-x--- 1 root kvm 312888 Aug 25 16:16 /usr/libexec/qemu-bridge-helper
The user is indeed a member of the kvm group (id shows it). However, when I run the VM from virt-manager as $USERNAME with the bridged interface, I get the following error message:
Error starting domain: /usr/libexec/qemu-bridge-helper --use-vnet --br=vm1-tap --fd=34: failed to communicate with bridge helper: stderr=failed to add interface `tap0' to bridge `vm1-tap': Operation not supported
: Transport endpoint is not connected
Traceback (most recent call last):
File "/usr/share/virt-manager/virtManager/asyncjob.py", line 72, in cb_wrapper
callback(asyncjob, *args, **kwargs)
File "/usr/share/virt-manager/virtManager/asyncjob.py", line 108, in tmpcb
callback(*args, **kwargs)
File "/usr/share/virt-manager/virtManager/object/libvirtobject.py", line 57, in newfn
ret = fn(self, *args, **kwargs)
File "/usr/share/virt-manager/virtManager/object/domain.py", line 1425, in startup
self._backend.create()
File "/usr/lib64/python3.10/site-packages/libvirt.py", line 1362, in create
raise libvirtError('virDomainCreate() failed')
libvirt.libvirtError: /usr/libexec/qemu-bridge-helper --use-vnet --br=vm1-tap --fd=34: failed to communicate with bridge helper: stderr=failed to add interface `tap0' to bridge `vm1-tap': Operation not supported
: Transport endpoint is not connected
Are some capabilities perhaps required as well? How do I give the user only those, just enough to start the VM?
Perhaps this would help?
(root 13) ip tuntap add vm1-tap mode tap user $USERNAME
ioctl(TUNSETIFF): Device or resource busy
I tried commands found online, but do I need tun/tap at all? And I could not find the right way to do this.
References (helpful, but they did not solve my problem):
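As an added example (not part of the question above), the following script shows one way to do the root part once and nothing afterwards: the tap device is created with an unprivileged owner and attached to the bridge, so QEMU running as that user can open it directly without qemu-bridge-helper or extra capabilities, and the host captures on the bridge. The interface names, the 10.10.0.1/24 address and the user name are assumptions; set DRY_RUN=1 to print the commands instead of executing them.

```shell
#!/bin/sh
# Added example, not from the original post. Creates a bridge and a tap
# owned by an unprivileged user so QEMU can attach without root.
# Names (br0, vm1-tap), address and user are assumptions; adjust them.

# run CMD...: execute, or print when DRY_RUN=1 (for inspection/testing).
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# setup_vm_net BRIDGE TAP USER CIDR
# Needs root once; afterwards the tap is usable by USER alone.
setup_vm_net() {
    br=$1; tap=$2; user=$3; cidr=$4
    run ip link add "$br" type bridge
    run ip addr add "$cidr" dev "$br"
    run ip link set dev "$br" up
    # The owner can open this tap via /dev/net/tun without privileges,
    # which is what lets QEMU run as a normal user.
    run ip tuntap add dev "$tap" mode tap user "$user"
    run ip link set dev "$tap" master "$br"
    run ip link set dev "$tap" up
}

# qemu_netdev_args TAP: QEMU options for the unprivileged owner of TAP.
# script=no/downscript=no stop QEMU from running the root ifup helpers.
qemu_netdev_args() {
    printf -- '-netdev tap,id=n0,ifname=%s,script=no,downscript=no' "$1"
    printf ' -device virtio-net-pci,netdev=n0'
}

# capture_cmd BRIDGE: host-side capture of everything the VM sends.
capture_cmd() {
    printf 'tcpdump -ni %s' "$1"
}

# Example usage (run as root for the setup, as the user for QEMU):
#   sudo DRY_RUN=0 sh -c '. ./this.sh; setup_vm_net br0 vm1-tap alice 10.10.0.1/24'
#   qemu-system-x86_64 ... $(qemu_netdev_args vm1-tap)
```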