Message-ID: <4DDA5804.9030403@us.ibm.com>
Date: Mon, 23 May 2011 07:50:12 -0500
From: Anthony Liguori
References: <4DD6B777.9020800@us.ibm.com> <20110523094558.GA24143@redhat.com>
In-Reply-To: <20110523094558.GA24143@redhat.com>
Subject: Re: [Qemu-devel] [PATCH] Add support for fd: protocol
To: "Daniel P. Berrange"
Cc: Tyler C Hicks, Corey C Bryant, qemu-devel@nongnu.org

On 05/23/2011 04:45 AM, Daniel P. Berrange wrote:
> On Fri, May 20, 2011 at 02:48:23PM -0400, Corey Bryant wrote:
>> sVirt provides SELinux MAC isolation for Qemu guest processes and their
>> corresponding resources (image files).
>> sVirt provides this support by labeling guests and resources with
>> security labels that are stored in file system extended attributes.
>> Some file systems, such as NFS, do not support the extended attribute
>> security namespace, which is needed for image file isolation when using
>> the sVirt SELinux security driver in libvirt.
>>
>> The proposed solution entails a combination of Qemu, libvirt, and
>> SELinux patches that work together to isolate multiple guests' images
>> when they're stored in the same NFS mount. This results in an
>> environment where sVirt isolation and NFS image file isolation can both
>> be provided.
>>
>> Currently, Qemu opens an image file in addition to performing the
>> necessary read and write operations. The proposed solution will move
>> the open out of Qemu and into libvirt. Once libvirt opens an image
>> file for the guest, it will pass the file descriptor to Qemu via a
>> new fd: protocol.
>>
>> If the image file resides in an NFS mount, the following SELinux policy
>> changes will provide image isolation:
>>
>> - A new SELinux boolean is created (e.g. virt_read_write_nfs) to
>>   allow Qemu (svirt_t) to only have SELinux read and write
>>   permissions on nfs_t files
>>
>> - Qemu (svirt_t) also gets SELinux use permissions on libvirt
>>   (virtd_t) file descriptors
>>
>> Following is a sample invocation of Qemu using the fd: protocol:
>>
>>   qemu -drive file=fd:4,format=qcow2
>>
>> This patch contains the Qemu code to support this solution. I would
>> like to solicit input from the libvirt community prior to starting
>> the libvirt patch.
>>
>> This patch was tested with the following formats: raw, cow, qcow,
>> qcow2, vmdk, using the fd: protocol as well as existing file name
>> support. Non-valid file descriptors were also tested.
>
> How can backing files work? The '-drive' syntax doesn't provide
> any way to set properties against the backing files (which may be
> nested to arbitrary depth).

This is orthogonal to having an fd: protocol.

> Also, there are a few places in QEMU, where it re-opens the existing
> block driver on the fly. What is the plan for supporting this, without
> having QEMU block on waiting for libvirt to pass it a new FD?

That's only host CDROM AFAICT.

Regards,

Anthony Liguori

>
> Regards,
> Daniel
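With the fd: protocol QEMU receives a descriptor it did not open itself, so the receiving side should vet the inherited fd rather than trust the number (Corey mentions testing non-valid descriptors). The C below is an added example, not code from the patch or from QEMU or libvirt; parse_fd_spec() and scratch_image_accepted() are hypothetical names, and the scratch image it creates under /tmp is a constructed stand-in for the file libvirt would open and hand over.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Parse an "fd:N" drive spec and vet the inherited descriptor before using it.
 * Hypothetical helper, not QEMU's code. Returns the fd, or -1 with errno set. */
int parse_fd_spec(const char *spec, int want_write)
{
    struct stat st;
    int fd, flags; long n; char *end;
    if (spec == NULL || strncmp(spec, "fd:", 3) != 0) { errno = EINVAL; return -1; }
    n = strtol(spec + 3, &end, 10);
    if (end == spec + 3 || *end != '\0' || n < 0 || n > INT_MAX) { errno = EINVAL; return -1; }
    fd = (int)n;
    /* F_GETFL fails with EBADF when nothing is open on that number. */
    if ((flags = fcntl(fd, F_GETFL)) == -1)
        return -1;
    /* A descriptor opened read-only cannot back a drive we intend to write. */
    if (want_write && (flags & O_ACCMODE) == O_RDONLY) { errno = EACCES; return -1; }
    /* Only regular files and block devices make sense as disk images. */
    if (fstat(fd, &st) == -1)
        return -1;
    if (!S_ISREG(st.st_mode) && !S_ISBLK(st.st_mode)) { errno = EINVAL; return -1; }
    return fd;
}

/* Constructed stand-in for the opener (libvirt's role): create an empty scratch
 * image, open it read-only or read-write, and report whether parse_fd_spec()
 * accepts its "fd:N" spec for the intended access mode. */
int scratch_image_accepted(int writable, int want_write)
{
    char path[] = "/tmp/fdspec-XXXXXX", spec[32];
    int tmp = mkstemp(path), fd, ok;
    if (tmp == -1) return 0;
    fd = open(path, writable ? O_RDWR : O_RDONLY); /* access mode is fixed at open() */
    close(tmp);
    unlink(path);
    if (fd == -1) return 0;
    snprintf(spec, sizeof spec, "fd:%d", fd);
    ok = parse_fd_spec(spec, want_write) == fd;
    close(fd);
    return ok;
}
```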