[libvirt] Notes from the KVM Forum relevant to libvirt

Daniel P. Berrange berrange at redhat.com
Tue Aug 23 15:31:11 UTC 2011


On Tue, Aug 23, 2011 at 04:24:46PM +0100, Stefan Hajnoczi wrote:
> On Tue, Aug 23, 2011 at 12:15 PM, Daniel P. Berrange
> <berrange at redhat.com> wrote:
> > I was at the KVM Forum / LinuxCon last week and there were many
> > interesting things discussed which are relevant to ongoing libvirt
> > development. Here was the list that caught my attention. If I have
> > missed any, fill in the gaps....
> >
> >  - Sandbox/container KVM.  The Solaris port of KVM puts QEMU inside
> >   a zone so that an exploit of QEMU can't escape into the full OS.
> >   Containers are Linux's parallel of Zones, and while not nearly as
> >   secure yet, it would still be worth using more containers support
> >   to confine QEMU.
> 
> Can you elaborate on why Linux containers are "not nearly as secure"
> [as Solaris Zones]?

Mostly because the Linux namespace functionality is far from complete,
notably lacking proper UID/GID/capability separation, and UID/GID
virtualization wrt filesystems. The longer answer is here:

   https://wiki.ubuntu.com/UserNamespace

So at this time you can't build a secure container on Linux, relying
just on DAC alone. You have to add in a MAC layer ontop of the container
to get full security benefits, which obviously defeats the point of
using the container as a backup for failure in the MAC layer.

> >  - Native KVM tool. The problem statement was that the QEMU code is too
> >   big/complex & and command line args are too complex, so lets rewrite
> >   from scratch to make the code small & CLI simple. They achieve this,
> >   but of course primarily because they lack so many features compared
> >   to QEMU. They had libvirt support as a bullet point on their preso,
> >   but I'm not expecting it to replace the current QEMU KVM support in
> >   the foreseeable future, given its current level of features and the
> >   size of its dev team compared to QEMU/KVM. They did have some fun
> >   demos of booting using the host OS filesystem though. We can
> >   actually do the same with regular KVM/libvirt but there's no nice
> >   demo tool to show it off. I'm hoping to create one....
> 
> Yep it's virtfs which QEMU has supported for a while.  The trick is
> setting things up so that the Linux guest boots from virtfs.

It isn't actually that hard from a technical POV, it is just that most
(all?) distros' typical initrd files lack support for specifying 9p over
virtio as a root filesystem.

Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|
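As an added illustration of the missing piece Daniel describes above (not code from the libvirt project or from anyone in this thread), here is a minimal initramfs /init that does what the distro initrds of the time did not: it parses the kernel command line for a 9p root and mounts it over virtio before switching root. It assumes the guest kernel has the 9p, 9pnet_virtio and virtio_pci drivers available, that busybox-style mount/switch_root exist in the initramfs, and that the libvirt domain carries a `<filesystem type='mount'>` device whose `<target dir='rootfs'/>` tag matches the `root=` argument. The command line used in the comments is constructed for the example.

```shell
#!/bin/sh
# Hypothetical initramfs /init for a 9p-over-virtio root filesystem.
# Assumed guest kernel command line (passed via libvirt <cmdline>):
#   console=ttyS0 root=rootfs rootfstype=9p rootflags=trans=virtio,version=9p2000.L
# "rootfs" must equal the <target dir='...'/> tag of the libvirt
# <filesystem type='mount'> device exporting the host directory.

# Print the value of key=value from a kernel command line string.
# $1 = key, $2 = full command line text. Returns 1 if the key is absent.
cmdline_get() {
    for word in $2; do
        case "$word" in
            "$1="*) printf '%s\n' "${word#*=}"; return 0 ;;
        esac
    done
    return 1
}

# Decide how to mount the root from the command line.
# Prints "<mount-tag> <fstype> <mount-options>", defaulting to 9p over
# virtio when rootfstype/rootflags are missing, and forcing trans=virtio
# if the user gave rootflags without a transport.
plan_root_mount() {
    cmdline="$1"
    tag=$(cmdline_get root "$cmdline") || return 1
    fstype=$(cmdline_get rootfstype "$cmdline") || fstype=9p
    flags=$(cmdline_get rootflags "$cmdline") || flags="trans=virtio"
    case "$flags" in
        *trans=*) ;;
        *) flags="trans=virtio,$flags" ;;
    esac
    printf '%s %s %s\n' "$tag" "$fstype" "$flags"
}

# Mount the planned root under $1 and hand over to the real init.
boot_from_9p() {
    newroot="$1"
    plan=$(plan_root_mount "$(cat /proc/cmdline)") || {
        echo "init: no root= on kernel command line" >&2
        return 1
    }
    set -- $plan
    mkdir -p "$newroot"
    # Load the transport first so the 9p mount can find the virtio channel.
    modprobe virtio_pci 2>/dev/null
    modprobe 9pnet_virtio 2>/dev/null
    modprobe 9p 2>/dev/null
    mount -t "$2" -o "$3" "$1" "$newroot" || return 1
    exec switch_root "$newroot" /sbin/init
}

# Only act as init when actually running as PID 1 inside an initramfs;
# sourcing the file elsewhere just defines the functions above.
if [ "$$" = 1 ] && [ "$0" = /init ]; then
    mount -t proc proc /proc
    mount -t sysfs sysfs /sys
    mount -t devtmpfs devtmpfs /dev 2>/dev/null
    boot_from_9p /newroot || exec sh
fi
```

Pack this as /init in a cpio initramfs together with busybox and the three modules, point libvirt's `<kernel>`, `<initrd>` and `<cmdline>` at it, and the guest boots directly from the exported host directory; the `version=9p2000.L` option is what gives the guest POSIX semantics (ownership, symlinks) over virtfs rather than the older 9p2000.u dialect.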
