[libvirt] [Qemu-devel] Re: Supporting hypervisor specific APIs in libvirt
Anthony Liguori
anthony at codemonkey.ws
Wed Mar 24 12:23:01 UTC 2010
On 03/24/2010 05:42 AM, Avi Kivity wrote:
>
>> The filtering access part of this daemon is also not mapping well onto
>> libvirt's access model, because we don't soley filter based on UID in
>> libvirtd. We have it configurable based on UID, policykit, SASL,
>> TLS/x509
>> already, and intend adding role based access control to further filter
>> things, integrating with the existing apparmour/selinux security models.
>> A qemud that filters based on UID only, gives users a side-channel to
>> get
>> around libvirt's access control.
>
> That's true. Any time you write a multiplexer these issues crop up.
> Much better to stay in single process land where everything is already
> taken care of.
What does a multiplexer give you that making individual qemu instances
discoverable doesn't give you? The later doesn't suffer from these
problems.
Regards,
Anthony Liguori
> So, at best qemud is a toy for people who are annoyed by libvirt.
>
More information about the libvir-list
mailing list