[libvirt] [PATCH 6/7] Use cgroups for block device whitelisting in QEMU guests

Daniel Veillard veillard at redhat.com
Mon Jul 20 12:09:28 UTC 2009 

On Mon, Jul 20, 2009 at 11:48:45AM +0100, Daniel P. Berrange wrote:
> On Fri, Jul 17, 2009 at 05:15:15PM +0200, Daniel Veillard wrote:
> > > +static const char *const devs[] = {
> > > +    "/dev/null", "/dev/full", "/dev/zero",
> > > +    "/dev/random", "/dev/urandom",
> > > +    "/dev/ptmx", "/dev/kvm", "/dev/kqemu",
> > > +};
> > 
> >   Hum, that list sounds a bit arbitrary, this could break for random
> > reasons  maybe this should be extended through the configuration, I
> > assume a mismatch may result in domain failing to start or operate
> > properly, right ?
> 
> Yes, QEMU will get -EPERM if it attempts to access a block device
> we've not permitted, and hopefully exit.
> 
> Looking at it again, I've missed a couple of devices I should have
> allowed. I'll check the QEMU source to match up the list properly

  okay :-)

> >    The idea sounds good but I'm a bit afraid of the inflexibility,
> > this has the potential of making qemu/kvm far more fragile without
> > a way to fix this by patching and recompiling.
> 
> Perhaps we should make it a config in /etc/libvirt/qemu.conf too

  yes, agreed.

> >    Again I'm not a cgroup expert but I feel a bit uneasy, can we get
> > at least an option to disable it at runtime in the configuration (sorry
> > if I missed that !) ?
> 
> Well the simplest way to disable it at runtime, is to simply not
> mount the cgroups device ACL controller on the host. If this is
> not mounted, then libvirt will just skip this functionality.
> 
> NB, no cgroups stuff is enabled by default on any current distro I'm
> aware of. Arguably this should be changed, but that's not libvirt's
> problem

  Well, yes and no :-) First if there are uses, it's more likely that
the service will be activated, and on the other hand we should try to
avoid too much problems for our users when used as the guinea pig for
the feature, IMHO the simplest is to make it optional into libvirt, but
actiavted by default if present.

Daniel

-- 
Daniel Veillard      | libxml Gnome XML XSLT toolkit  http://xmlsoft.org/
daniel at veillard.com  | Rpmfind RPM search engine http://rpmfind.net/
http://veillard.com/ | virtualization library  http://libvirt.org/

More information about the libvir-list mailing list