From: Anthony Liguori
Subject: Re: [Qemu-devel] Re: [libvirt] Supporting hypervisor specific APIs in libvirt
Date: Wed, 24 Mar 2010 07:23:01 -0500
User-agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.5) Gecko/20091209 Fedora/3.0-4.fc12 Lightning/1.0pre Thunderbird/3.0
On 03/24/2010 05:42 AM, Avi Kivity wrote:
The filtering access part of this daemon is also not mapping well onto libvirt's access model, because we don't solely filter based on UID in libvirtd. We have it configurable based on UID, policykit, SASL, TLS/x509 already, and intend adding role based access control to further filter things, integrating with the existing apparmor/selinux security models. A qemud that filters based on UID only, gives users a side-channel to get around libvirt's access control.
That's true. Any time you write a multiplexer these issues crop up. Much better to stay in single process land where everything is already taken care of.
What does a multiplexer give you that making individual qemu instances discoverable doesn't give you? The latter doesn't suffer from these problems.
Regards, Anthony Liguori
So, at best qemud is a toy for people who are annoyed by libvirt.