[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20100322140711.GC14201@elte.hu>
Date: Mon, 22 Mar 2010 15:07:11 +0100
From: Ingo Molnar <mingo@...e.hu>
To: "Richard W.M. Jones" <rjones@...hat.com>
Cc: "Daniel P. Berrange" <berrange@...hat.com>,
Pekka Enberg <penberg@...helsinki.fi>,
Avi Kivity <avi@...hat.com>,
Antoine Martin <antoine@...afix.co.uk>,
Olivier Galibert <galibert@...ox.com>,
Anthony Liguori <anthony@...emonkey.ws>,
"Zhang, Yanmin" <yanmin_zhang@...ux.intel.com>,
Peter Zijlstra <a.p.zijlstra@...llo.nl>,
Sheng Yang <sheng@...ux.intel.com>,
linux-kernel@...r.kernel.org, kvm@...r.kernel.org,
Marcelo Tosatti <mtosatti@...hat.com>,
oerg Roedel <joro@...tes.org>,
Jes Sorensen <Jes.Sorensen@...hat.com>,
Gleb Natapov <gleb@...hat.com>,
Zachary Amsden <zamsden@...hat.com>, ziteng.huang@...el.com,
Arnaldo Carvalho de Melo <acme@...hat.com>,
Fr?d?ric Weisbecker <fweisbec@...il.com>, libguestfs@...hat.com
Subject: Re: [RFC] Unify KVM kernel-space and user-space code into a single
project
* Richard W.M. Jones <rjones@...hat.com> wrote:
> On Mon, Mar 22, 2010 at 02:56:47PM +0100, Ingo Molnar wrote:
> > Just curious: any plans to extend this to include live read/write access as
> > well?
> >
> > I.e. to have the 'agent' (guestfsd) running universally, so that
> > tools such as perf and by users could rely on the VFS integration as
> > well, not just disaster recovery tools?
>
> Totally. That's not to say there is a definite plan, but we're very open to
> doing this. We already wrote the daemon in such a way that it doesn't
> require the appliance part, but could run inside any existing guest (we've
> even ported bits of it to Windoze ...).
>
> The only remaining issue is how access control would be handled. You
> obviously wouldn't want anything in the host that can get access to the
> vmchannel socket to start sending destructive write commands into guests.
By default i'd suggest to put it into a maximally restricted mount point. I.e.
restrict access to only the security context running libguestfs or so.
( Which in practice will be the user starting the guest, so there will be
proper protection from other users while still allowing easy access to the
user that has access already. )
Ingo
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists