On Sun, Apr 25, 2010 at 08:53:17PM -0500, Anthony Liguori wrote:
On 04/25/2010 06:51 AM, Avi Kivity wrote:
Qemu is special due to the nonexistence of qemud.
Why is sVirt implemented in libvirt? it's not the logical place for
it; rather the logical place doesn't exist.
sVirt is not just implemented in libvirt. libvirt implements a
mechanism to set the context of a given domain and dynamically label
it's resources to isolate it.
The reason it has to assign a context to a given domain is that all
domains are launched from the same security context (the libvirtd
context) as the original user's context (the consumer of the libvirt
API) has been lost via the domain socket interface.
If you used the /session URL, then the domain would have the security
context of whomever created the guest which means that dynamic labelling
of the resources wouldn't be necessary (you would just do static labelling).
That is not correct. You do *not* ever want the guests to have the same
security context as the thing that created them, because that would allow
the guest to access& compromise resources belonging to the management app.
This is certainly a more secure model and it's a feature of qemu that I
really wish didn't get lost in libvirt. Again, /session can do this too
but right now, /session really isn't usable in libvirt for qemu.
If you really want the qemu instance to inherit the context of the mgmt
app, then you can just declare in the guest XML that it should use a
static label, and pass in the apps' own label. This is *not* a more secure
model though.