qemu:///embed and isolation from global components

Daniel P. Berrangé berrange at redhat.com
Wed Mar 11 09:53:44 UTC 2020 

On Tue, Mar 10, 2020 at 07:25:46PM +0100, Andrea Bolognani wrote:
> On Tue, 2020-03-10 at 16:00 +0000, Daniel P. Berrangé wrote:
> > The split daemon model is intended to allow us to address this
> > long standing design flaw, by allowing the QEMU session driver
> > to optionally talk to a secondary driver running with different
> > privileges, instead of the instance running with the same privs.
> > 
> > So currently we have
> > 
> >   <interface type='network'>
> >     <source network='default'/>
> >   </interface>
> > 
> > This refers to a secondary driver running at the same privilege
> > level.
> > 
> > I expected we'd extend it to allow
> > 
> >   <interface type='network'>
> >     <source scope='system' network='default'/>
> >   </interface>
> > 
> > This explicitly requests the secondary driver running with elevated
> > privileges.
> 
> This makes perfect sense to me, and in fact I believe you're
> basically suggesting what I was arguing for earlier :)
> 
> In your scenario, when you don't specify a scope you get the same
> one as the primary driver is using (this matches the current
> behavior): so if you are using qemu:///session, every <interface>
> will use network:///session unless you explicitly specify
> scope='system', at which point network:///system will be used; in
> the same fashion, if you're connected to qemu:///embed, the default
> for <interface>s should be network:///embed, with the possibility
> to use either network:///session (with scope='session') or, most
> likely, network:///system (with scope='system').

No, I'm not talking about using the same URI for the secondary
drivers, I'm talking about using the same *privilege* level.
ie, qemu:///system and a qemu:///embed running as root should
both use the privileged network/storage driver. The qemu:///session
and qemu:///embed running as non-root should both default to
the  unprivileged network/storage drivers.

> > With such functionality present, it logically then also extends to
> > cover connections to daemons running in different namespaces.
> 
> I'm still unclear on how this scenario, which would apparently have
> multiple eg. privileged virtnetworkd, running at the same time but in
> different network namespaces, would work.

There would need to be some selection method, most likely a way
to explicitly specify the socket path, but this is a longish way
into the future.

Regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|

More information about the libvir-list mailing list