[libvirt] [Patch v2 3/3] apparmor: QEMU bridge helper policy updates

Laine Stump laine at laine.org
Tue Jul 31 16:57:28 UTC 2012


On 07/31/2012 12:06 PM, Daniel P. Berrange wrote:
> On Tue, Jul 31, 2012 at 11:26:05AM -0400, Corey Bryant wrote:
>>
>> At this point I wonder if we might be able to get away with no XML
>> modifications since we know that we only want to attempt to run the
>> helper when libvirt is running unprivileged.
> I certainly don't expect there to be any changes to the XML for the
> purposes of supporting this QEMU bridge helper proxy. It should be
> automatically used when type=bridge or type=network on the
> <interface>, as a private implementation detail of libvirt not
> exposed to applications in the XML. When libvirt changes to
> separate its network setup code out of libvirtd, then we will be able
> to transparently stop using the proxy helper.

I would greatly prefer that as well, as long as nobody is bothered by
the potential upgrade problem I outlined in my previous mail - if there
is config required outside libvirt to enable particular users to use the
qemu helper, and if there is also extra config required to enable the
capability for users when libvirt no longer requires the qemu helper,
there could be cases where a working config would cease to work (until
extra measures were taken) after an upgrade.

If that situation is acceptable, then I also agree that no XML
modifications is much better.



