From: "Daniel P. Berrangé" <berrange@redhat.com>
To: Martin Wilck <mwilck@suse.com>
Cc: Cathy Hu <cathy.hu@suse.com>,
qemu-devel@nongnu.org, Cathy Hu <cahu@suse.de>,
Fabiano Rosas <fabiano.rosas@suse.com>
Subject: Re: [PATCH RFC] qga: Add selinux-helper for guest-exec subcommand (bsc#1237450)
Date: Tue, 14 Apr 2026 18:46:16 +0100
Message-ID: <ad59aPHDUueFq2z7@redhat.com>
In-Reply-To: <db21d9d4fd3a1489d5a25d7b7f0c49e3787ee9af.camel@suse.com>

On Tue, Apr 14, 2026 at 07:13:14PM +0200, Martin Wilck wrote:
> On Tue, 2026-04-14 at 18:00 +0100, Daniel P. Berrangé wrote:
> > On Tue, Apr 14, 2026 at 06:51:12PM +0200, Martin Wilck wrote:
> >
> >
> > > > If users want to support an ability to have arbitrary command
> > > > execution, then that should be done with SSH over VSock, where
> > > > the guest owner can choose whether to require authentication
> > > > first or not, and use SSH authorized_keys if desired to limit
> > > > what commands can be run for a given recorded key.
> > > >
> > > > These days systemd installs magic to allow SSH'ing directly
> > > > to a guest using VSOCK addresses, and libvirt further
> > > > enhances that to allow SSH'ing to a named VM.
> > >
> > > Thanks, I wasn't aware of this feature so far. I suppose you're
> > > referring to https://libvirt.org/ssh-proxy.html. I'll need to
> > > experiment with it. IIUC this works for local libvirt connections
> > > only?
> >
> > Yes, vsock is exposed to the local host.
>
> And it can't / won't be implemented for remote hosts?

That doesn't make sense conceptually. Think of VSOCK as the equivalent
of a UNIX domain socket, but between host & guest. If you want off
node access, then IP sockets are what you want, either directly from
the guest, or tunnelled to VSOCK via the host.

With regards,
Daniel
--
|: https://berrange.com ~~ https://hachyderm.io/@berrange :|
|: https://libvirt.org ~~ https://entangle-photo.org :|
|: https://pixelfed.art/berrange ~~ https://fstop138.berrange.com :|
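
The authorized_keys restriction mentioned in the quoted text above, as an added example that is not part of the original message or of the QEMU, systemd or libvirt code: a forced-command wrapper in the guest that runs only exact-match requests from a fixed table. The script name `guest-cmd-gate`, its install path, the request names and the key line in the comment are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: forced-command gate for one key in ~/.ssh/authorized_keys.
# Constructed key line (path, comment and key material are placeholders):
#   restrict,command="/usr/local/sbin/guest-cmd-gate" ssh-ed25519 <PUBLIC-KEY> host-automation
# "restrict" disables forwarding and PTY allocation; "command=" makes sshd run
# this script no matter what the client asked for. The client's request is
# passed in SSH_ORIGINAL_COMMAND and is treated here as untrusted data.

# Map a request name to the exact command line we are willing to run.
# Prints the command line and returns 0, or returns 1 to refuse.
# Matching is on the whole string, so "uptime; id" or "/bin/sh" never match.
resolve_command() {
    case "$1" in
        uptime)       echo "/usr/bin/uptime" ;;
        disk-usage)   echo "/usr/bin/df -P" ;;
        journal-tail) echo "/usr/bin/journalctl -n 50 --no-pager" ;;
        *)            return 1 ;;
    esac
}

# Entry point when sshd invokes the script as the forced command.
gate() {
    request=${SSH_ORIGINAL_COMMAND:-}
    if ! resolved=$(resolve_command "$request"); then
        # Record refusals so they can be reviewed in the guest's logs.
        logger -t guest-cmd-gate "refused request: $request" 2>/dev/null || true
        echo "command not permitted" >&2
        return 126
    fi
    # Word splitting is intentional: $resolved comes only from the table
    # above, never from the client.
    # shellcheck disable=SC2086
    exec $resolved
}

# Run the gate only when installed under its own name (assumed name), so the
# functions above can be sourced and exercised without executing anything.
if [ "${0##*/}" = "guest-cmd-gate" ]; then
    gate
fi
```

An interactive login with this key is refused as well, because `SSH_ORIGINAL_COMMAND` is then empty and matches no table entry.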