[libvirt] path for user provided all-guest-read-only content

Christian Ehrhardt christian.ehrhardt at canonical.com
Wed Apr 11 15:01:04 UTC 2018


Feel free to read [1] for context; here is the quote that made me poll for
opinions:
  "it would be nice in the future to have some standardized path for user
provided guest-read-only stuff"

The TL;DR of their case is:
- extra info they want to pass, but is not part of libvirt's guest
description (qemu-cmdline in their case)
- apparmor blocks their access to an unknown path

There are no reliable paths today to put data for a guest. Guests are named
with their ID in the paths - so even knowing the guest name - they are not
predictable (for example /var/lib/libvirt/qemu/domain-1-guestname/ might be
different next time).

Due to that I can see their use-case for "let all read from there", but
OTOH "let all" always feels wrong at first from a security POV.

Therefore I wanted to poll for opinions on this before suggesting any
change.

[1]: https://github.com/coreos/bugs/issues/2083#issuecomment-380404427


-- 
Christian Ehrhardt
Software Engineer, Ubuntu Server
Canonical Ltd