Date: Wed, 5 Nov 2008 17:23:05 +0000
From: "Daniel P. Berrange"
Subject: Re: [Qemu-devel] Live migration - exec: support to be reintroduced?
Message-ID: <20081105172305.GR25523@redhat.com>
To: Anthony Liguori
Cc: qemu-devel@nongnu.org

On Wed, Nov 05, 2008 at 09:19:02AM -0600, Anthony Liguori wrote:
> Daniel P. Berrange wrote:
> >It is useful from a security point of view - it means QEMU doesn't
> >need to be given permissions to create files, merely append to an
> >opened file handle.
> >
> >On a related note, Avi pointed out to me that SCM_RIGHTS fd passing
> >would be important for NIC hotplug to allow parity with -net arg
> >on the command line. If the QEMU process is running unprivileged,
> >it will not have rights to create TAP devices & giving it a setuid()
> >network script is not desirable. The management app invoking QEMU
> >could open the TAP device, and do any setup before passing the FD
> >to the NIC hotplug command in the monitor.
> >
>
> Yup. If libvirt has a use case for it, then I'm more than happy to
> review patches.
>
> I'm always looking for an excuse to use SCM_RIGHTS :-)
>
> I think the monitor interface could use improvement. I think it would
> look better as:
>
> (qemu) receivefd /path/to/unix/socket
> /* waits until it receives an fd on /path/to/unix/socket */
> fd=10
> (qemu) closefd 10
>
> Then all of the existing uses of fd= can be preserved.
>
> I like the idea of using a temporary socket because you don't have to
> rely on the monitor being on a unix socket. This will be especially
> useful when we can support tunneling the monitor through VNC.

Yes, except that I wouldn't want to pass "/path/to/unix/socket"
via the monitor - that allows any process which can access that path to
potentially open the socket & intercept the credentials. If I wasn't
using a UNIX socket for the monitor already, then I'd want to be able
to pass a FD to a unix socket on the command line so I know who's on
the other end of it. E.g., if I was using a hypothetical VNC server
transport for the monitor, then perhaps allow

   --monitor vnc,scmrightsfd=7

Or, an explicit --scmrights arg for it

Daniel
-- 
|: Red Hat, Engineering, London -o- http://people.redhat.com/berrange/ :|
|: http://libvirt.org -o- http://virt-manager.org -o- http://ovirt.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: GnuPG: 7D3B9505 -o- F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|
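
The descriptor hand-off discussed in this thread, where a privileged manager opens a resource and passes only the open FD to an unprivileged process over an already-connected UNIX socket, as an added C example (not code from this post, QEMU or libvirt). The names `fd_ctl`, `send_fd`, `recv_fd` and `demo_roundtrip` are hypothetical; a pipe stands in for the TAP device and a `socketpair()` for the inherited socket, so no filesystem path is ever exchanged.

```c
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

typedef union { struct cmsghdr align; char buf[CMSG_SPACE(sizeof(int))]; } fd_ctl;

/* Send one open descriptor over an already-connected AF_UNIX socket. */
static int send_fd(int sock, int fd) {
    char byte = 'F';                 /* one byte of real data carries the cmsg */
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    fd_ctl ctl = { .buf = {0} };
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = ctl.buf, .msg_controllen = sizeof ctl.buf };
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    c->cmsg_level = SOL_SOCKET;
    c->cmsg_type = SCM_RIGHTS;
    c->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(c), &fd, sizeof(int));
    return sendmsg(sock, &msg, 0) == 1 ? 0 : -1;
}

/* Receive one descriptor; -1 if the message carried no SCM_RIGHTS payload. */
static int recv_fd(int sock) {
    char byte;
    int fd;
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    fd_ctl ctl;
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = ctl.buf, .msg_controllen = sizeof ctl.buf };
    struct cmsghdr *c = recvmsg(sock, &msg, 0) == 1 ? CMSG_FIRSTHDR(&msg) : NULL;
    if (!c || c->cmsg_level != SOL_SOCKET || c->cmsg_type != SCM_RIGHTS ||
        c->cmsg_len != CMSG_LEN(sizeof(int)))
        return -1;
    memcpy(&fd, CMSG_DATA(c), sizeof(int));
    return fd;
}

/* Constructed demo: a pipe stands in for the TAP device; fds are reclaimed at exit. */
static int demo_roundtrip(void) {
    int sp[2], p[2], fd;
    char got[3];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sp) || pipe(p) || send_fd(sp[0], p[1]))
        return -1;
    close(p[1]);                     /* manager drops its copy once it is passed */
    if ((fd = recv_fd(sp[1])) < 0 || write(fd, "tap", 3) != 3 || read(p[0], got, 3) != 3)
        return -1;
    return memcmp(got, "tap", 3) ? -1 : 0;
}

int main(void) { return demo_roundtrip() ? 1 : 0; }
```

The receiver ends up with its own descriptor number for the same open file, so the write still reaches the pipe after the sender has closed its copy.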