Skip to content

Commit

Permalink
Merge pull request #3573 from canonical/qemu-bridging-v2
Browse files Browse the repository at this point in the history 
[linux/qemu] Qemu bridging v2
  • Loading branch information
@ricab
ricab authored Aug 28, 2024
2 parents e740c06 + 64f0649 commit c9f3ace
Show file tree
Hide file tree
Showing 14 changed files with 499 additions and 35 deletions.
2 changes: 1 addition & 1 deletion CMakeLists.txt
View file
Original file line number Diff line number Diff line change
Expand Up @@ -240,7 +240,7 @@ else()
add_definitions(-DMULTIPASS_COMPILER_GCC)
endif()

add_compile_options(-Wextra -Wempty-body -Wformat-security -Winit-self -Warray-bounds -Wnon-virtual-dtor)
add_compile_options(-Wextra -Wempty-body -Wformat-security -Winit-self -Warray-bounds $<$<COMPILE_LANGUAGE:CXX>:-Wnon-virtual-dtor>)

if(NOT ${CMAKE_HOST_SYSTEM_PROCESSOR} MATCHES "^arm")
add_compile_options(-Wcast-align)
Expand Down
9 changes: 9 additions & 0 deletions src/platform/backends/qemu/linux/CMakeLists.txt
View file
Original file line number Diff line number Diff line change
Expand Up @@ -12,12 +12,16 @@
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.

set(BRIDGE_HELPER_EXEC_NAME "bridge_helper")

add_library(qemu_platform_detail
dnsmasq_process_spec.cpp
dnsmasq_server.cpp
firewall_config.cpp
qemu_platform_detail_linux.cpp)

target_compile_definitions(qemu_platform_detail PRIVATE BRIDGE_HELPER_EXEC_NAME_CPP="${BRIDGE_HELPER_EXEC_NAME}")

target_include_directories(qemu_platform_detail PRIVATE ../)

target_link_libraries(qemu_platform_detail
Expand All @@ -27,3 +31,8 @@ target_link_libraries(qemu_platform_detail
utils
Qt6::Core)

add_executable(${BRIDGE_HELPER_EXEC_NAME} bridge_helper.c)

install(TARGETS ${BRIDGE_HELPER_EXEC_NAME}
DESTINATION bin
COMPONENT bridge_helper)
331 changes: 331 additions & 0 deletions src/platform/backends/qemu/linux/bridge_helper.c
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,331 @@
/*
* QEMU Bridge Helper
*
* Copyright IBM, Corp. 2011
* Copyright (C) Canonical, Ltd.
*
* Authors:
* Anthony Liguori <[email protected]>
* Richa Marwaha <[email protected]>
* Corey Bryant <[email protected]>
* Luis Peñaranda <[email protected]>
*
* This work is licensed under the terms of the GNU GPL, version 2. See
* the COPYING file in the top-level directory.
*/

/* This version of the bridge helper was adapted for use with Multipass.
The changes are:
- the authorization via ACL was removed;
- dependencies on other QEMU functions were replaced by common includes;
- functionality was wrapped inside a function.
*/

#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

#include <sys/ioctl.h>
#include <sys/prctl.h>
#include <sys/socket.h>
#include <sys/un.h>

#include <fcntl.h>
#include <linux/if_tun.h>
#include <net/if.h>

#include <linux/sockios.h>

#ifndef SIOCBRADDIF
#include <linux/if_bridge.h>
#endif

#ifdef CONFIG_LIBCAP_NG
#include <cap-ng.h>
#endif

static void usage(void)
{
fprintf(stderr, "Usage: bridge_helper [--use-vnet] --br=bridge --fd=unixfd\n");
}

static bool has_vnet_hdr(int fd)
{
unsigned int features = 0;

if (ioctl(fd, TUNGETFEATURES, &features) == -1)
{
return false;
}

if (!(features & IFF_VNET_HDR))
{
return false;
}

return true;
}

static void prep_ifreq(struct ifreq* ifr, const char* ifname)
{
memset(ifr, 0, sizeof(*ifr));
snprintf(ifr->ifr_name, IFNAMSIZ, "%s", ifname);
}

static int send_fd(int c, int fd)
{
char msgbuf[CMSG_SPACE(sizeof(fd))];
struct msghdr msg = {
.msg_control = msgbuf,
.msg_controllen = sizeof(msgbuf),
};
struct cmsghdr* cmsg;
struct iovec iov;
char req[1] = {0x00};

cmsg = CMSG_FIRSTHDR(&msg);
cmsg->cmsg_level = SOL_SOCKET;
cmsg->cmsg_type = SCM_RIGHTS;
cmsg->cmsg_len = CMSG_LEN(sizeof(fd));
msg.msg_controllen = cmsg->cmsg_len;

iov.iov_base = req;
iov.iov_len = sizeof(req);

msg.msg_iov = &iov;
msg.msg_iovlen = 1;
memcpy(CMSG_DATA(cmsg), &fd, sizeof(fd));

return sendmsg(c, &msg, 0);
}

#ifdef CONFIG_LIBCAP_NG
static int drop_privileges(void)
{
/* clear all capabilities */
capng_clear(CAPNG_SELECT_BOTH);

if (capng_update(CAPNG_ADD, CAPNG_EFFECTIVE | CAPNG_PERMITTED, CAP_NET_ADMIN) < 0)
{
return -1;
}

/* change to calling user's real uid and gid, retaining supplemental
* groups and CAP_NET_ADMIN */
if (capng_change_id(getuid(), getgid(), CAPNG_CLEAR_BOUNDING))
{
return -1;
}

return 0;
}
#endif

int bridge_helper(const char* bridge, const int unixfd, const int use_vnet)
{
struct ifreq ifr;
#ifndef SIOCBRADDIF
unsigned long ifargs[4];
#endif
int ifindex;
int fd = -1, ctlfd = -1;
int mtu;
char iface[IFNAMSIZ];
int ret = EXIT_SUCCESS;

#ifdef CONFIG_LIBCAP_NG
/* if we're run from an suid binary, immediately drop privileges preserving
* cap_net_admin */
if (geteuid() == 0 && getuid() != geteuid())
{
if (drop_privileges() == -1)
{
fprintf(stderr, "failed to drop privileges\n");
return 1;
}
}
#endif

if (bridge == NULL || unixfd == -1)
{
usage();
return EXIT_FAILURE;
}
if (strlen(bridge) >= IFNAMSIZ)
{
fprintf(stderr, "name `%s' too long: %zu\n", bridge, strlen(bridge));
return EXIT_FAILURE;
}

/* open a socket to use to control the network interfaces */
ctlfd = socket(AF_INET, SOCK_STREAM, 0);
if (ctlfd == -1)
{
fprintf(stderr, "failed to open control socket: %s\n", strerror(errno));
ret = EXIT_FAILURE;
goto cleanup;
}

/* open the tap device */
fd = open("/dev/net/tun", O_RDWR);
if (fd == -1)
{
fprintf(stderr, "failed to open /dev/net/tun: %s\n", strerror(errno));
ret = EXIT_FAILURE;
goto cleanup;
}

/* request a tap device, disable PI, and add vnet header support if
* requested and it's available. */
prep_ifreq(&ifr, "tap%d");
ifr.ifr_flags = IFF_TAP | IFF_NO_PI;
if (use_vnet && has_vnet_hdr(fd))
{
ifr.ifr_flags |= IFF_VNET_HDR;
}

if (ioctl(fd, TUNSETIFF, &ifr) == -1)
{
fprintf(stderr, "failed to create tun device: %s\n", strerror(errno));
ret = EXIT_FAILURE;
goto cleanup;
}

/* save tap device name */
snprintf(iface, sizeof(iface), "%s", ifr.ifr_name);

/* get the mtu of the bridge */
prep_ifreq(&ifr, bridge);
if (ioctl(ctlfd, SIOCGIFMTU, &ifr) == -1)
{
fprintf(stderr, "failed to get mtu of bridge `%s': %s\n", bridge, strerror(errno));
ret = EXIT_FAILURE;
goto cleanup;
}

/* save mtu */
mtu = ifr.ifr_mtu;

/* set the mtu of the interface based on the bridge */
prep_ifreq(&ifr, iface);
ifr.ifr_mtu = mtu;
if (ioctl(ctlfd, SIOCSIFMTU, &ifr) == -1)
{
fprintf(stderr, "failed to set mtu of device `%s' to %d: %s\n", iface, mtu, strerror(errno));
ret = EXIT_FAILURE;
goto cleanup;
}

/* Linux uses the lowest enslaved MAC address as the MAC address of
* the bridge. Set MAC address to a high value so that it doesn't
* affect the MAC address of the bridge.
*/
if (ioctl(ctlfd, SIOCGIFHWADDR, &ifr) < 0)
{
fprintf(stderr, "failed to get MAC address of device `%s': %s\n", iface, strerror(errno));
ret = EXIT_FAILURE;
goto cleanup;
}
ifr.ifr_hwaddr.sa_data[0] = (char)0xFE;
if (ioctl(ctlfd, SIOCSIFHWADDR, &ifr) < 0)
{
fprintf(stderr, "failed to set MAC address of device `%s': %s\n", iface, strerror(errno));
ret = EXIT_FAILURE;
goto cleanup;
}

/* add the interface to the bridge */
prep_ifreq(&ifr, bridge);
ifindex = if_nametoindex(iface);
#ifndef SIOCBRADDIF
ifargs[0] = BRCTL_ADD_IF;
ifargs[1] = ifindex;
ifargs[2] = 0;
ifargs[3] = 0;
ifr.ifr_data = (void*)ifargs;
ret = ioctl(ctlfd, SIOCDEVPRIVATE, &ifr);
#else
ifr.ifr_ifindex = ifindex;
ret = ioctl(ctlfd, SIOCBRADDIF, &ifr);
#endif
if (ret == -1)
{
fprintf(stderr, "failed to add interface `%s' to bridge `%s': %s\n", iface, bridge, strerror(errno));
ret = EXIT_FAILURE;
goto cleanup;
}

/* bring the interface up */
prep_ifreq(&ifr, iface);
if (ioctl(ctlfd, SIOCGIFFLAGS, &ifr) == -1)
{
fprintf(stderr, "failed to get interface flags for `%s': %s\n", iface, strerror(errno));
ret = EXIT_FAILURE;
goto cleanup;
}

ifr.ifr_flags |= IFF_UP;
if (ioctl(ctlfd, SIOCSIFFLAGS, &ifr) == -1)
{
fprintf(stderr, "failed to bring up interface `%s': %s\n", iface, strerror(errno));
ret = EXIT_FAILURE;
goto cleanup;
}

/* write fd to the domain socket */
if (send_fd(unixfd, fd) == -1)
{
fprintf(stderr, "failed to write fd to unix socket: %s\n", strerror(errno));
ret = EXIT_FAILURE;
goto cleanup;
}

/* ... */

/* profit! */

cleanup:
if (fd >= 0)
{
close(fd);
}
if (ctlfd >= 0)
{
close(ctlfd);
}

return ret;
}

int main(int argc, char** argv)
{
int use_vnet = 0;
const char* bridge = NULL;
int unixfd = -1;
int index;

for (index = 1; index < argc; index++)
{
if (strcmp(argv[index], "--use-vnet") == 0)
{
use_vnet = 1;
}
else if (strncmp(argv[index], "--br=", 5) == 0)
{
bridge = &argv[index][5];
}
else if (strncmp(argv[index], "--fd=", 5) == 0)
{
unixfd = atoi(&argv[index][5]);
}
else
{
usage();
return EXIT_FAILURE;
}
}

return bridge_helper(bridge, unixfd, use_vnet);
}
6 changes: 4 additions & 2 deletions src/platform/backends/qemu/linux/qemu_platform_detail.h
View file
Original file line number Diff line number Diff line change
Expand Up @@ -41,8 +41,10 @@ class QemuPlatformDetail : public QemuPlatform
void remove_resources_for(const std::string& name) override;
void platform_health_check() override;
QStringList vm_platform_args(const VirtualMachineDescription& vm_desc) override;
void add_network_interface(VirtualMachineDescription& desc, const NetworkInterface& extra_interface) override;
void prepare_networking(std::vector<NetworkInterface>& extra_interfaces) const override;
bool is_network_supported(const std::string& network_type) const override;
bool needs_network_prep() const override;
std::string create_bridge_with(const NetworkInterfaceInfo& interface) const override;
void set_authorization(std::vector<NetworkInterfaceInfo>& networks) override;

private:
const QString bridge_name;
Expand Down
Loading

0 comments on commit c9f3ace

Please sign in to comment.