Re: [Qemu-devel] Re: [libvirt] Libvirt debug API

[Anthony Liguori]

On 04/26/2010 09:25 AM, Avi Kivity wrote:
> On 04/26/2010 05:19 PM, Anthony Liguori wrote:
> > On 04/26/2010 09:01 AM, Avi Kivity wrote:
> > > On 04/26/2010 04:43 PM, Anthony Liguori wrote:
> > > > The reason I lean toward the direct launch model is that it gives 
> > > > the user a lot of flexibility in terms of using things like 
> > > > namespaces, DAC, cgroups, capabilities, etc.  A lot of potential 
> > > > features are lost when you do indirect launch because you have to 
> > > > teach the daemon how to support each of these features.
> > >
> > > But what's the alternative?  Teach the user how to do all these things?
> >
> > You can expose layers of API.  The lowest layer makes no changes to 
> > the security context.  A higher (optional) layer could do dynamic 
> > labelling.
>
> Or a library that the user-written launcher calls.  Or a plugin that 
> qemud calls.

A plugin would lose the security context.  It could attempt to recreate 
it that seems like a lot of unnecessary complexity.

Regards,

Anthony Liguori