On Thu, Nov 24, 2016 at 03:48:10PM +0100, Michal Privoznik wrote:
> Given how intrusive previous patches are, it might happen that
> there's a bug or imperfection. Let's give users a way out: if they
> set 'containerize' to false in qemu.conf the feature is
> suppressed.
>
> Signed-off-by: Michal Privoznik <mprivozn@xxxxxxxxxx>
> ---
>  src/qemu/libvirtd_qemu.aug         | 1 +
>  src/qemu/qemu.conf                 | 8 ++++++++
>  src/qemu/qemu_conf.c               | 5 +++++
>  src/qemu/qemu_conf.h               | 2 ++
>  src/qemu/qemu_domain.c             | 3 ++-
>  src/qemu/test_libvirtd_qemu.aug.in | 1 +
>  6 files changed, 19 insertions(+), 1 deletion(-)
>
> diff --git a/src/qemu/libvirtd_qemu.aug b/src/qemu/libvirtd_qemu.aug
> index f3cc9e6..5bd7f2f 100644
> --- a/src/qemu/libvirtd_qemu.aug
> +++ b/src/qemu/libvirtd_qemu.aug
> @@ -70,6 +70,7 @@ module Libvirtd_qemu =
>                  | str_array_entry "cgroup_controllers"
>                  | str_array_entry "cgroup_device_acl"
>                  | int_entry "seccomp_sandbox"
> +                | bool_entry "containerize"
>
>    let save_entry = str_entry "save_image_format"
>                  | str_entry "dump_image_format"
> diff --git a/src/qemu/qemu.conf b/src/qemu/qemu.conf
> index 2b2bd60..26308a3 100644
> --- a/src/qemu/qemu.conf
> +++ b/src/qemu/qemu.conf
> @@ -665,3 +665,11 @@
>  # Defaults to 4
>  #
>  #gluster_debug_level = 9
> +
> +# To enhance security, QEMU driver is capable of mounting private
> +# devtmpfs for each domain started. This means qemu process is
> +# unable to see all the devices on the system, just those
> +# configured for the domain in question. Libvirt manages device
> +# entries throughout the domain lifetime. This is turned on by
> +# default.
> +#containerize = 1

Similarly to my earlier question, I wonder if we're better off
explicitly referring to the namespace we're actually using to make
future enhancements simpler. E.g. allow either

  namespaces = [ "mount" ]

or

  namespaces = [ ]

so we can extend this to non-mount namespaces later if desired.

Regards,
Daniel
--
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://entangle-photo.org       -o-       http://search.cpan.org/~danberr/ :|

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
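Review bot: the new qemu.conf comment in the second hunk describes the mechanism and the default but never tells the administrator how to turn the feature off or why they would want to, even though the commit message presents the option purely as an escape hatch for bugs in the namespace code; it also leaves open whether flipping the value affects domains that are already running, which matters given the comment's own statement that libvirt manages the device entries throughout the domain lifetime. Suggest adding two lines before `#containerize = 1`, along the lines of `# Set to 0 to disable the private devtmpfs if it causes problems.` and `# Changing this value only affects domains started afterwards.` (adjusted to whatever the implementation in qemu_domain.c actually does).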