[libvirt] Notes from the KVM Forum relevant to libvirt
Stefan Hajnoczi
stefanha at gmail.com
Tue Aug 23 15:24:46 UTC 2011
On Tue, Aug 23, 2011 at 12:15 PM, Daniel P. Berrange
<berrange at redhat.com> wrote:
> I was at the KVM Forum / LinuxCon last week and there were many
> interesting things discussed which are relevant to ongoing libvirt
> development. Here was the list that caught my attention. If I have
> missed any, fill in the gaps....
>
> - Sandbox/container KVM. The Solaris port of KVM puts QEMU inside
> a zone so that an exploit of QEMU can't escape into the full OS.
> Containers are Linux's parallel of Zones, and while not nearly as
> secure yet, it would still be worth using more containers support
> to confine QEMU.
Can you elaborate on why Linux containers are "not nearly as secure"
[as Solaris Zones]?
Containers are just another attempt at isolating the QEMU process.
SELinux works differently but can also do many of the same things. I
like containers more because they are simpler than labelling
everything.
> - Native KVM tool. The problem statement was that the QEMU code is too
> big/complex & and command line args are too complex, so let's rewrite
> from scratch to make the code small & CLI simple. They achieve this,
> but of course primarily because they lack so many features compared
> to QEMU. They had libvirt support as a bullet point on their preso,
> but I'm not expecting it to replace the current QEMU KVM support in
> the foreseeable future, given its current level of features and the
> size of its dev team compared to QEMU/KVM. They did have some fun
> demos of booting using the host OS filesystem though. We can
> actually do the same with regular KVM/libvirt but there's no nice
> demo tool to show it off. I'm hoping to create one....
Yep, it's virtfs which QEMU has supported for a while. The trick is
setting things up so that the Linux guest boots from virtfs.
Stefan
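The setup Stefan alludes to, booting a Linux guest with its root filesystem exported from the host over virtfs (9p over virtio), can be expressed in libvirt domain XML roughly as follows. This is an added illustration, not part of the original mail or of libvirt's documentation; the host path, kernel and initrd locations and the domain name are placeholders, and the guest kernel is assumed to have 9p, 9pnet_virtio and virtio-pci support built in so that it can mount the 9p root before any initrd-provided modules are available.

```xml
<!-- Added example (not from the original thread). Placeholder paths throughout. -->
<domain type='kvm'>
  <name>virtfs-root-demo</name>
  <memory unit='MiB'>1024</memory>
  <vcpu>1</vcpu>
  <os>
    <type arch='x86_64'>hvm</type>
    <!-- Direct kernel boot: the guest needs no disk image at all. -->
    <kernel>/path/to/guest/vmlinuz</kernel>
    <initrd>/path/to/guest/initrd.img</initrd>
    <!-- root=/dev/root matches the mount tag below; the 9p transport is virtio. -->
    <cmdline>root=/dev/root rootfstype=9p rootflags=trans=virtio,version=9p2000.L rw console=ttyS0</cmdline>
  </os>
  <devices>
    <!-- The exported host directory becomes the guest's root filesystem.
         accessmode='passthrough' preserves host ownership/permissions as seen
         by the guest, which requires QEMU to run privileged; 'mapped' stores
         guest ownership in extended attributes and lets QEMU run unprivileged,
         at the cost of host-side metadata that does not mirror the guest view. -->
    <filesystem type='mount' accessmode='passthrough'>
      <source dir='/path/to/exported/rootfs'/>
      <target dir='/dev/root'/>
    </filesystem>
    <serial type='pty'>
      <target port='0'/>
    </serial>
  </devices>
</domain>
```

The `<target dir>` is not a guest path but the 9p mount tag; the guest kernel matches it against `root=` on the command line. Which access mode to pick depends on how the exported tree was prepared and on whether the QEMU process is expected to run unprivileged under the libvirt driver's usual confinement.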