On 01/28/2010 08:13 AM, Anthony Liguori wrote:
On 01/28/2010 07:56 AM, Michael S. Tsirkin wrote:
Now, the most important use case I see for the raw socket interface
in qemu is to get vhost-net and the qemu user implementation to
support the same feature set. If you ask for a network setup involving
a raw socket and vhost-net and the kernel can support raw sockets
but for some reason fails to set up vhost-net, you should have a
fallback that has the exact same semantics at a possibly significant
performance loss.
Arnd
Makes sense. A simple reason you can't do vhost-net would be
that you are using tcg.
Some good arguments have been raised in this thread. I really don't
like making our security depend on something external to qemu that is
not widely used or understood.
Thinking about it, I don't think network namespaces actually provides us
the security that we need. It's quite easy to break out of it if not
being used in the context of a full container.
But this discussion belongs in netdev, I'll raise the issue there.
Regards,
Anthony Liguori
--
To unsubscribe from this list: send the line "unsubscribe kvm" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
