Re: [Qemu-devel] Re: [libvirt] Supporting hypervisor specific APIs in li

qemu-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Qemu-devel] Re: [libvirt] Supporting hypervisor specific APIs in li

From:	Anthony Liguori
Subject:	Re: [Qemu-devel] Re: [libvirt] Supporting hypervisor specific APIs in libvirt
Date:	Wed, 24 Mar 2010 07:30:47 -0500
User-agent:	Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.5) Gecko/20091209 Fedora/3.0-4.fc12 Lightning/1.0pre Thunderbird/3.0

On 03/24/2010 07:27 AM, Avi Kivity wrote:

On 03/24/2010 02:19 PM, Anthony Liguori wrote:

qemud
  - daemonaizes itself
  - listens on /var/lib/qemud/guests for incoming guest connections
  - listens on /var/lib/qemud/clients for incoming client connections
  - filters access according to uid (SCM_CREDENTIALS)
  - can pass a new monitor to client (SCM_RIGHTS)
  - supports 'list' command to query running guests
  - async messages on guest startup/exit



Then guests run with the wrong security context.

Why? They run with the security context of whoever launched them(could be libvirtd).

Because it doesn't have the same security context as qemud and sinceclients have to connect to qemud, qemud has to implement access control.

It's far better to have the qemu instance advertise itself such that andclient connects directly to it. Then all of the various authorizationmodels will be applied correctly to it.


Regards,

Anthony Liguori

[Prev in Thread]

Current Thread

[Next in Thread]

Re: [Qemu-devel] Re: [libvirt] Supporting hypervisor specific APIs in libvirt, (continued)

Prev by Date: Re: [Qemu-devel] Re: [libvirt] Supporting hypervisor specific APIs in libvirt
Next by Date: Re: [Qemu-devel] Re: [libvirt] Supporting hypervisor specific APIs in libvirt
Previous by thread: Re: [Qemu-devel] Re: [libvirt] Supporting hypervisor specific APIs in libvirt
Next by thread: Re: [Qemu-devel] Re: [libvirt] Supporting hypervisor specific APIs in libvirt
Index(es):
- Date
- Thread