On 01/27/2010 12:03 PM, Michael S. Tsirkin wrote:
On Wed, Jan 27, 2010 at 12:02:34PM -0600, Anthony Liguori wrote:
On 01/27/2010 11:54 AM, Sridhar Samudrala wrote:
I too think that we should not block raw backend in qemu just because of
security reasons. It should be perfectly fine to use raw backend in
scenarios where qemu can be run as a privileged process.
libvirt need not support raw backend until we figure out a secure way to
start qemu when passing raw fd. using network namespaces seems like a
good option.
Introducing something that is known to be problematic from a security
perspective without any clear idea of what the use-case for it is is a
bad idea IMHO.
vepa on existing kernels is one use-case.
Considering VEPA enabled hardware doesn't exist today and the standards
aren't even finished being defined, I don't think it's a really strong
use case ;-)
Regards,
Anthony Liguori
Regards,
Anthony Liguori
Thanks
Sridhar
--
To unsubscribe from this list: send the line "unsubscribe kvm" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html