[libvirt] [Qemu-devel] Re: Libvirt debug API

Anthony Liguori anthony at codemonkey.ws
Mon Apr 26 14:28:02 UTC 2010


On 04/26/2010 09:25 AM, Avi Kivity wrote:
> On 04/26/2010 05:19 PM, Anthony Liguori wrote:
>> On 04/26/2010 09:01 AM, Avi Kivity wrote:
>>> On 04/26/2010 04:43 PM, Anthony Liguori wrote:
>>>> The reason I lean toward the direct launch model is that it gives 
>>>> the user a lot of flexibility in terms of using things like 
>>>> namespaces, DAC, cgroups, capabilities, etc.  A lot of potential 
>>>> features are lost when you do indirect launch because you have to 
>>>> teach the daemon how to support each of these features.
>>>
>>> But what's the alternative?  Teach the user how to do all these things?
>>
>> You can expose layers of API.  The lowest layer makes no changes to 
>> the security context.  A higher (optional) layer could do dynamic 
>> labelling.
>
> Or a library that the user-written launcher calls.  Or a plugin that 
> qemud calls.

A plugin would lose the security context.  It could attempt to recreate 
it, but that seems like a lot of unnecessary complexity.

Regards,

Anthony Liguori



