From: Anthony Liguori <anthony@codemonkey.ws>
To: Avi Kivity <avi@redhat.com>
Cc: "libvir-list@redhat.com" <libvir-list@redhat.com>,
Paul Brook <paul@codesourcery.com>,
qemu-devel@nongnu.org
Subject: Re: [Qemu-devel] Re: [libvirt] Supporting hypervisor specific APIs in libvirt
Date: Wed, 24 Mar 2010 07:30:47 -0500 [thread overview]
Message-ID: <4BAA05F7.7000507@codemonkey.ws> (raw)
In-Reply-To: <4BAA0544.1060308@redhat.com>
On 03/24/2010 07:27 AM, Avi Kivity wrote:
> On 03/24/2010 02:19 PM, Anthony Liguori wrote:
>>> qemud
>>> - daemonaizes itself
>>> - listens on /var/lib/qemud/guests for incoming guest connections
>>> - listens on /var/lib/qemud/clients for incoming client connections
>>> - filters access according to uid (SCM_CREDENTIALS)
>>> - can pass a new monitor to client (SCM_RIGHTS)
>>> - supports 'list' command to query running guests
>>> - async messages on guest startup/exit
>>
>>
>> Then guests run with the wrong security context.
>
> Why? They run with the security context of whoever launched them
> (could be libvirtd).
Because it doesn't have the same security context as qemud and since
clients have to connect to qemud, qemud has to implement access control.
It's far better to have the qemu instance advertise itself such that and
client connects directly to it. Then all of the various authorization
models will be applied correctly to it.
Regards,
Anthony Liguori
next prev parent reply other threads:[~2010-03-24 12:34 UTC|newest]
Thread overview: 109+ messages / expand[flat|nested] mbox.gz Atom feed top
2010-03-22 19:25 [Qemu-devel] Supporting hypervisor specific APIs in libvirt Anthony Liguori
2010-03-22 20:10 ` [Qemu-devel] Re: [libvirt] " Daniel P. Berrange
2010-03-22 21:33 ` Gerd Hoffmann
2010-03-22 21:53 ` Anthony Liguori
2010-03-23 8:54 ` Jes Sorensen
2010-03-23 10:25 ` Gerd Hoffmann
2010-03-23 10:31 ` Jes Sorensen
2010-03-23 10:58 ` Gerd Hoffmann
2010-03-22 23:36 ` Cole Robinson
2010-03-22 21:49 ` Anthony Liguori
2010-03-23 7:35 ` Alexander Graf
2010-03-23 23:25 ` Jamie Lokier
2010-03-24 0:55 ` Anthony Liguori
2010-03-24 10:05 ` Markus Armbruster
2010-03-24 12:25 ` Paul Brook
2010-03-24 12:48 ` Anthony Liguori
2010-03-25 2:43 ` Jamie Lokier
2010-03-23 11:33 ` Daniel P. Berrange
2010-03-24 10:23 ` Daniel P. Berrange
2010-03-22 20:25 ` [Qemu-devel] " Daniel P. Berrange
2010-03-23 10:06 ` [Qemu-devel] " Juan Quintela
2010-03-23 10:41 ` Gerd Hoffmann
2010-03-23 10:50 ` Juan Quintela
2010-03-23 11:08 ` Daniel P. Berrange
2010-03-23 12:19 ` Juan Quintela
2010-03-23 23:13 ` Jamie Lokier
2010-03-24 7:59 ` Gerd Hoffmann
2010-03-24 13:52 ` Cole Robinson
2010-03-24 14:00 ` Gerd Hoffmann
2010-03-23 23:19 ` Jamie Lokier
2010-03-24 2:22 ` Andi Kleen
2010-03-24 8:49 ` Juan Quintela
[not found] ` <20100323145105.GV16253@redhat.com>
2010-03-23 15:05 ` [Qemu-devel] Re: [libvirt] " Anthony Liguori
2010-03-23 15:57 ` Paul Brook
2010-03-23 16:06 ` Anthony Liguori
2010-03-23 18:00 ` Avi Kivity
2010-03-23 18:23 ` [libvirt] [Qemu-devel] " Daniel P. Berrange
2010-03-24 1:05 ` Anthony Liguori
2010-03-24 4:48 ` Avi Kivity
2010-03-23 19:28 ` [Qemu-devel] Re: [libvirt] " Anthony Liguori
2010-03-23 23:09 ` Jamie Lokier
2010-03-24 5:17 ` Avi Kivity
2010-03-24 10:36 ` Daniel P. Berrange
2010-03-24 10:42 ` Avi Kivity
2010-03-24 12:23 ` Anthony Liguori
2010-03-24 12:29 ` Avi Kivity
2010-03-24 12:32 ` Anthony Liguori
2010-03-24 12:33 ` Avi Kivity
2010-03-25 0:28 ` Jamie Lokier
2010-03-24 16:42 ` Luiz Capitulino
2010-03-24 19:49 ` Avi Kivity
2010-03-24 20:12 ` Luiz Capitulino
2010-03-24 20:32 ` Anthony Liguori
2010-03-24 20:54 ` Alexander Graf
2010-03-24 21:33 ` Luiz Capitulino
2010-03-25 7:49 ` Alexander Graf
2010-03-24 21:25 ` Luiz Capitulino
2010-03-24 21:40 ` Anthony Liguori
2010-03-25 8:26 ` Vincent Hanquez
2010-03-25 8:49 ` Avi Kivity
2010-03-25 12:33 ` Anthony Liguori
2010-03-25 12:37 ` Avi Kivity
2010-03-25 13:44 ` Anthony Liguori
2010-03-25 13:48 ` Avi Kivity
2010-03-25 13:57 ` Anthony Liguori
2010-03-25 14:09 ` Luiz Capitulino
2010-03-25 15:59 ` Anthony Liguori
2010-03-26 2:11 ` Jamie Lokier
2010-03-25 14:21 ` Avi Kivity
2010-03-25 14:22 ` Vincent Hanquez
2010-03-25 16:50 ` Markus Armbruster
2010-03-25 17:40 ` Anthony Liguori
2010-03-26 7:37 ` Markus Armbruster
2010-03-26 9:26 ` [libvirt] [Qemu-devel] " Paolo Bonzini
2010-03-26 9:51 ` [Qemu-devel] Re: [libvirt] " Avi Kivity
2010-03-26 12:53 ` Anthony Liguori
2010-03-26 13:53 ` Anthony Liguori
2010-03-25 13:37 ` Gildas Le Nadan
2010-03-25 13:59 ` Daniel P. Berrange
2010-03-25 14:56 ` Vincent Hanquez
2010-03-25 15:07 ` Daniel P. Berrange
2010-03-25 15:14 ` Vincent Hanquez
2010-03-25 15:16 ` Daniel P. Berrange
2010-03-25 16:01 ` Anthony Liguori
2010-03-25 16:30 ` Alexander Graf
2010-03-26 2:18 ` Jamie Lokier
2010-03-25 13:23 ` Luiz Capitulino
2010-03-25 13:55 ` Anthony Liguori
2010-03-26 12:52 ` Luiz Capitulino
2010-03-25 6:37 ` Avi Kivity
2010-03-25 8:18 ` Alexander Graf
2010-03-26 16:01 ` Avi Kivity
2010-03-24 12:19 ` Anthony Liguori
2010-03-24 12:27 ` Avi Kivity
2010-03-24 12:30 ` Anthony Liguori [this message]
2010-03-24 12:32 ` Avi Kivity
2010-03-23 18:07 ` Daniel P. Berrange
2010-03-23 19:24 ` Anthony Liguori
2010-03-24 5:49 ` Avi Kivity
2010-03-24 12:30 ` Paul Brook
2010-03-24 12:34 ` Avi Kivity
2010-03-24 13:03 ` Paul Brook
2010-03-24 15:55 ` Markus Armbruster
2010-03-24 16:12 ` Paul Brook
2010-03-23 23:22 ` Jamie Lokier
2010-03-23 17:57 ` [Qemu-devel] " Avi Kivity
2010-03-23 19:31 ` Anthony Liguori
2010-03-24 4:53 ` Avi Kivity
2010-03-26 2:31 ` Jamie Lokier
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4BAA05F7.7000507@codemonkey.ws \
--to=anthony@codemonkey.ws \
--cc=avi@redhat.com \
--cc=libvir-list@redhat.com \
--cc=paul@codesourcery.com \
--cc=qemu-devel@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).