Re: [libvirt] [Qemu-devel] Re: Supporting hypervisor specific APIs in libvirt

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 03/24/2010 02:30 PM, Anthony Liguori wrote:
On 03/24/2010 07:27 AM, Avi Kivity wrote:
On 03/24/2010 02:19 PM, Anthony Liguori wrote:
qemud
  - daemonaizes itself
  - listens on /var/lib/qemud/guests for incoming guest connections
  - listens on /var/lib/qemud/clients for incoming client connections
  - filters access according to uid (SCM_CREDENTIALS)
  - can pass a new monitor to client (SCM_RIGHTS)
  - supports 'list' command to query running guests
  - async messages on guest startup/exit


Then guests run with the wrong security context.

Why? They run with the security context of whoever launched them (could be libvirtd).

Because it doesn't have the same security context as qemud and since clients have to connect to qemud, qemud has to implement access control.

Yeah.

It's far better to have the qemu instance advertise itself such that and client connects directly to it. Then all of the various authorization models will be applied correctly to it.

Agreed.  qemud->exit().

--
error compiling committee.c: too many arguments to function

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list

[Index of Archives]     [Virt Tools]     [Libvirt Users]     [Lib OS Info]     [Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Big List of Linux Books]     [Yosemite News]     [KDE Users]     [Fedora Tools]