From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from mailman by lists.gnu.org with tmda-scanned (Exim 4.43)
	id 1O6Pc6-0000ay-7b
	for qemu-devel@nongnu.org; Mon, 26 Apr 2010 10:48:46 -0400
Received: from [140.186.70.92] (port=40869 helo=eggs.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.43) id 1O6Pc4-0000Zw-V2
	for qemu-devel@nongnu.org; Mon, 26 Apr 2010 10:48:45 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.69)
	(envelope-from <anthony@codemonkey.ws>) id 1O6Pc3-0004zG-0Y
	for qemu-devel@nongnu.org; Mon, 26 Apr 2010 10:48:44 -0400
Received: from mail-pw0-f45.google.com ([209.85.160.45]:35715)
	by eggs.gnu.org with esmtp (Exim 4.69)
	(envelope-from <anthony@codemonkey.ws>) id 1O6Pc2-0004z1-RG
	for qemu-devel@nongnu.org; Mon, 26 Apr 2010 10:48:42 -0400
Received: by pwi6 with SMTP id 6so7667769pwi.4
	for <qemu-devel@nongnu.org>; Mon, 26 Apr 2010 07:48:41 -0700 (PDT)
Message-ID: <4BD5A7C5.7010706@codemonkey.ws>
Date: Mon, 26 Apr 2010 09:48:37 -0500
From: Anthony Liguori <anthony@codemonkey.ws>
MIME-Version: 1.0
Subject: Re: [Qemu-devel] Re: [libvirt] Libvirt debug API
References: <4BD1971B.7060907@redhat.com>
	<4BD1A543.1050004@codemonkey.ws>	<4BD1ADA2.2050605@redhat.com>
	<4BD1E723.6070005@codemonkey.ws>	<4BD2BDE0.7020907@redhat.com>
	<4BD3B965.3060205@codemonkey.ws>	<4BD42CDB.2030901@redhat.com>
	<4BD4F20D.8030901@codemonkey.ws>	<20100426095949.GA1342@redhat.com>
	<4BD5915F.3060405@codemonkey.ws>	<20100426133120.GD1342@redhat.com>
	<4BD59874.2000207@codemonkey.ws> <4BD59C9E.2000506@redhat.com>
	<4BD5A109.9060004@codemonkey.ws> <4BD5A263.3070908@redhat.com>
	<4BD5A2F2.7070805@codemonkey.ws> <4BD5A57E.3060602@redhat.com>
In-Reply-To: <4BD5A57E.3060602@redhat.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
List-Id: qemu-devel.nongnu.org
List-Unsubscribe: <http://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <http://lists.gnu.org/pipermail/qemu-devel>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <http://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=subscribe>
To: Avi Kivity <avi@redhat.com>
Cc: "libvir-list@redhat.com" <libvir-list@redhat.com>, qemu-devel <qemu-devel@nongnu.org>, Luiz Capitulino <lcapitulino@redhat.com>, Chris Lalancette <clalance@redhat.com>, Jiri Denemark <jdenemar@redhat.com>

On 04/26/2010 09:38 AM, Avi Kivity wrote:
> On 04/26/2010 05:28 PM, Anthony Liguori wrote:
>>> Or a library that the user-written launcher calls.  Or a plugin that 
>>> qemud calls.
>>
>>
>> A plugin would lose the security context.  It could attempt to 
>> recreate it that seems like a lot of unnecessary complexity.
>>
>
> A plugin would create the security context instead of the launcher.
>
> Currently security contexts are created by the login process.

It's not always that centralized.  An initial context is created by the 
login process, but then later something may come along and create a 
network namespace as part of containerization.

>   We could easily reuse that.  Any other security context code would 
> be custom written; so it can be written as a qemud plugin instead of a 
> bit of code that goes before a qemu launch.

I think we're mostly in agreement with respect to the need to have more 
control over the security context the qemu runs in.  Whether it's 
launched via a daemon or directly I think is an implementation detail 
that we can debate when we get closer to an actual implementation.

Regards,

Anthony Liguori