Re: linux next: Native Linux KVM tool inclusion request

[Avi Kivity <avi@redhat.com>]

On 08/24/2011 12:19 PM, Pekka Enberg wrote:
> On 8/24/11 11:31 AM, Avi Kivity wrote:
>> On 08/23/2011 08:08 AM, Pekka Enberg wrote:
>>> As for changes, we've implemented rootfs over 9p with "kvm run"
>>> booting to host filesystem "/bin/sh" by default.
>>
>> Isn't this dangerous?  Users expect virtualization to land them in 
>> sandbox, but here an rm -rf / in the guest will happily junk the host 
>> filesystem.
>
> Not really because I never run the tool as root. However, you're right 
> that
> we should not default to /bin/sh if you're root.

Well, just trashing /home/penberg would be bad too, no? (my recent 
experience indicates it's not that catastrophic - anything important 
sits on a server somewhere and the local data is just a cache).

>>
>> Still dangerous (but just to the guest), since it's not a true 
>> snapshot.  If the host filesystem changes underneath the guest, it 
>> will see partial and incoherent updates.  Copy-on-write only works if 
>> the host filesystem doesn't change.
>
> That's a generic problem with overlayfs based solutions, isn't it? 
> We're planning
> to use copy-on-write only on files that aren't supposed to change that 
> often -
> like /usr and /lib.

So the guest won't see bad data that often?

Overlay works fine if the host tree is readonly.  So if you have a 
separate tree for guests, you can share it with any number of them.  
Just don't share the host root.

Note this probably isn't a problem booting to /bin/bash, just booting a 
full-featured guest with package management and other database-like apps 
that expect exclusive control over their data.

> I suppose we should force shared files to be read-only in
> the guest.
>

Yes, that's safer.


-- 
I have a truly marvellous patch that fixes the bug which this
signature is too narrow to contain.