On Tue, Mar 27, 2012 at 10:17:02AM +0100, Daniel P. Berrange wrote:
> On Mon, Mar 26, 2012 at 09:31:44PM +0200, Stef Walter wrote:
> > In the GNOME UI we'd like to make use of Avahi discovery and name
> > resolution "out of the box". A typical use case is for discovery of
> > printers that are advertised using MDNS. This should work even on
> > potentially 'hostile' networks such as a wireless access point in a
> > print shop or airport. It should work without user configuration.
> >
> > https://fedoraproject.org/wiki/Desktop/Whiteboards/AvahiDefault
> >
> > In order to turn on Avahi by default, and make it work by default,
> > we'd like to make it possible to use Avahi without advertising any
> > information to the network by default. Advertising information to
> > the network (even the host name) without the user's configuration or
> > consent is a privacy issue.
> >
> > libvirtd advertises itself via MDNS on the network by default. I
> > understand that MDNS discovery of libvirtd is really handy in many
> > cases.
> >
> > However since one has to configure network access in libvirtd anyway
> > -- none of the access methods work "out of the box" to my
> > understanding -- I'd like to suggest turning off libvirtd's MDNS
> > publishing by default. As part of setting up libvirtd for network
> > access, the user would turn on mdns_adv.
>
> Actually, it is possible to remotely connect to any libvirtd instance
> using an SSH tunnel, which works out of the box. Only the direct,
> non-tunnelled TLS/SASL based connections require manual setup.
>
> But since, IIUC, the default Fedora firewall setup blocks mDNS,
> it still wouldn't work out of the box.
>
> > I hope that makes sense. Let me know if I've gotten something wrong.
> >
> > Would you accept a patch to do this? Or would you suggest that we
> > try and do this downstream in the Fedora/RHEL packages instead?
>
> Our policy for Fedora / RHEL is to not change upstream behaviour, so this
> kind of policy decision should be resolved here.
>
> While apps like virt-manager do have the ability to use mDNS to locate
> remote libvirtd servers, my gut feeling is that it is probably rarely
> used. So given the need to trade off out of the box usability against
> privacy concerns, I think we could probably say turning off mDNS by
> default is acceptable.
>
> What do others think ?

I agree with you that turning off mDNS by default is probably ok.

Dave

> Daniel
> --
> |: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
> |: http://libvirt.org              -o-             http://virt-manager.org :|
> |: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
> |: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
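The thread turns on one libvirtd.conf key, mdns_adv, and on the fact that advertising was on by default at the time. The script below is an added example, not code from the thread or from the libvirt project: it audits a libvirtd.conf for the effective mdns_adv value and rewrites it to disable advertising. It assumes the usual "key = value" syntax of libvirtd.conf with '#' comments, and treats a commented-out or absent key as the advertising-on default the thread describes; the sample configs are constructed here, not taken from any real host.

```shell
#!/bin/sh
# Added example (not from the thread or the libvirt project).
# Audits and hardens the mdns_adv setting in a libvirtd.conf.
# Assumptions: libvirtd.conf uses "key = value" lines, '#' starts a
# comment, and a commented-out or missing mdns_adv means the daemon
# advertises (the default behaviour the thread describes).

# Print the effective mdns_adv value (0 or 1) for the config in $1.
# Only an uncommented assignment counts; the last one wins.
mdns_adv_effective() {
    val=$(sed -n 's/^[[:space:]]*mdns_adv[[:space:]]*=[[:space:]]*\([01]\).*/\1/p' "$1" | tail -n 1)
    if [ -z "$val" ]; then
        echo 1      # assumed default: advertise via mDNS
    else
        echo "$val"
    fi
}

# Force mdns_adv = 0 in the config in $1: replace an existing uncommented
# assignment, otherwise append one. libvirtd must be restarted afterwards.
disable_mdns_adv() {
    if grep -q '^[[:space:]]*mdns_adv[[:space:]]*=' "$1"; then
        sed 's/^[[:space:]]*mdns_adv[[:space:]]*=.*/mdns_adv = 0/' "$1" > "$1.tmp" \
            && mv "$1.tmp" "$1"
    else
        printf 'mdns_adv = 0\n' >> "$1"
    fi
}

# Constructed sample: key left at its commented-out default (advertising on).
sample_default_conf() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed sample libvirtd.conf, not a real file
listen_tls = 0
#mdns_adv = 1
EOF
    echo "$f"
}

# Constructed sample: advertising explicitly disabled.
sample_hardened_conf() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed sample libvirtd.conf, not a real file
listen_tls = 0
mdns_adv = 0
EOF
    echo "$f"
}

# Stand-alone use: ./audit_mdns.sh /etc/libvirt/libvirtd.conf
if [ "$#" -ge 1 ]; then
    echo "effective mdns_adv in $1: $(mdns_adv_effective "$1")"
fi
```

After changing the file and restarting libvirtd, the check from another host on the same link is whether the daemon's service record still shows up in an Avahi browse of the service type libvirtd registers, _libvirt._tcp; no record means nothing is being advertised, regardless of what the config file says.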