On Tue, Aug 23, 2011 at 12:15 PM, Daniel P. Berrange <berrange@xxxxxxxxxx> wrote: > I was at the KVM Forum / LinuxCon last week and there were many > interesting things discussed which are relevant to ongoing libvirt > development. Here was the list that caught my attention. If I have > missed any, fill in the gaps.... > > - Sandbox/container KVM. The Solaris port of KVM puts QEMU inside > a zone so that an exploit of QEMU can't escape into the full OS. > Containers are Linux's parallel of Zones, and while not nearly as > secure yet, it would still be worth using more containers support > to confine QEMU. Can you elaborate on why Linux containers are "not nearly as secure" [as Solaris Zones]? Containers is just another attempt at isolating the QEMU process. SELinux works differently but can also do many of the same things. I like containers more because they are simpler than labelling everything. > - Native KVM tool. The problem statement was that the QEMU code is too > big/complex & and command line args are too complex, so lets rewrite > from scratch to make the code small & CLI simple. They achieve this, > but of course primarily because they lack so many features compared > to QEMU. They had libvirt support as a bullet point on their preso, > but I'm not expecting it to replace the current QEMU KVM support in > the forseeable future, given its current level of features and the > size of its dev team compared to QEMU/KVM. They did have some fun > demos of booting using the host OS filesystem though. We can > actually do the same with regular KVM/libvirt but there's no nice > demo tool to show it off. I'm hoping to create one.... Yep it's virtfs which QEMU has supported for a while. The trick is setting things up so that the Linux guest boots from virtfs. Stefan -- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list