[fedora-virt] F12 feature: Host information

Richard W.M. Jones rjones at redhat.com
Wed Jun 17 09:12:48 UTC 2009


On Tue, Jun 16, 2009 at 02:21:02PM -0400, Bill McGonigle wrote:
> On 06/16/2009 01:03 PM, Richard W.M. Jones wrote:
>
>> It isn't that there is no network, it's that the guest and the host
>> networks are strictly separated from each other, often physically.
>
> Could you clarify that - you mean like PCI network card assignment?
> Because the guest can't be safe from its host, from a security stance,
> unless SELinux does more than I realize.
>
> It would be straightforward to create an isolated monitoring bridge with
> a private address space if one wanted to do SNMP between guests and
> hosts.  (OK, to be fair, I haven't ever tried this with virtual
> interfaces).

There are all sorts of issues with this: Should it be firewalled (on
either the host or guest side)?  Will other daemons on the host
accidentally bind to ports on this interface, and how do we stop that?

How does it appear in the guest?  As an extra network interface?

What "private address space" should we give it?  The guest could and
likely is using RFC1918 addresses for its own purposes.

This is the motivation for wanting 'vmchannel' - a simple,
network-independent guest to host communication channel.  However, we
don't have vmchannel now, and are no nearer to having it, so we use
serial ports instead.

I'd also dispute the statement that "it would be straightforward to
create an isolated monitoring bridge with a private address space if
one wanted to do SNMP between guests and hosts."  There's nothing at
all straightforward about setting up interfaces, bridges or SNMP.
Compare that to setting up an extra serial port, which involves precisely
adding a <serial/> clause to the libvirt configuration.

Rich.

-- 
Richard Jones, Emerging Technologies, Red Hat  http://et.redhat.com/~rjones
Read my programming blog: http://rwmj.wordpress.com
Fedora now supports 75 OCaml packages (the OPEN alternative to F#)
http://cocan.org/getting_started_with_ocaml_on_red_hat_and_fedora
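An added example, not part of the original message, of the <serial/> clause Rich refers to: a libvirt domain XML fragment giving the guest a second serial port whose host end is a Unix socket, so no network interface, bridge or address space is involved. The socket path and port number are assumptions.

```xml
<!-- Added example, not from the original message. Socket path and port
     number are assumptions, not values from the thread. -->
<devices>
  <!-- Port 0 is usually the guest console; port 1 carries the data channel. -->
  <serial type='unix'>
    <!-- mode='bind': qemu creates and listens on this socket on the host side,
         so the channel never touches the guest's or host's network stack. -->
    <source mode='bind' path='/var/lib/libvirt/qemu/guest1-hostinfo.sock'/>
    <target port='1'/>
  </serial>
</devices>
```

In a Linux guest this port shows up as /dev/ttyS1; on the host, a collector process connects to the socket (for instance with socat) to exchange data with the guest.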