On Sat, Oct 08, 2016 at 02:42:17AM +0200, Cedric Blancher wrote:

> So basically you're creating a new (Red Hat) Linux-only wormhole which
> bypasses all network security between VM host and guest and needs
> extra work&thought&tool support (wireshark, valgrind, ...) to handle,
> trace, debug, monitor and secure?

vsock is not Linux-only and not Red Hat-only. There are two paravirtualized hardware interfaces (VMware VMCI and KVM's virtio-vsock). Drivers for other operating systems exist and can be written for OSes that are not yet supported. The virtio-vsock spec is public.

Regarding bypassing network security, this is a non-routable guest<->host protocol. It is very locked down by design.

You can simply not use the device if you prefer to go inside the guest and configure a traditional NFS TCP/IP setup instead. As mentioned in the cover letter, that is not feasible for cloud providers and other scenarios where reaching inside the guest isn't allowed.