[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [libvirt] Notes from the KVM Forum relevant to libvirt

On Tue, Aug 23, 2011 at 12:15 PM, Daniel P. Berrange
<berrange redhat com> wrote:
> I was at the KVM Forum / LinuxCon last week and there were many
> interesting things discussed which are relevant to ongoing libvirt
> development. Here was the list that caught my attention. If I have
> missed any, fill in the gaps....
>  - Sandbox/container KVM.  The Solaris port of KVM puts QEMU inside
>   a zone so that an exploit of QEMU can't escape into the full OS.
>   Containers are Linux's parallel of Zones, and while not nearly as
>   secure yet, it would still be worth using more containers support
>   to confine QEMU.

Can you elaborate on why Linux containers are "not nearly as secure"
[as Solaris Zones]?

Containers is just another attempt at isolating the QEMU process.
SELinux works differently but can also do many of the same things.  I
like containers more because they are simpler than labelling

>  - Native KVM tool. The problem statement was that the QEMU code is too
>   big/complex & and command line args are too complex, so lets rewrite
>   from scratch to make the code small & CLI simple. They achieve this,
>   but of course primarily because they lack so many features compared
>   to QEMU. They had libvirt support as a bullet point on their preso,
>   but I'm not expecting it to replace the current QEMU KVM support in
>   the forseeable future, given its current level of features and the
>   size of its dev team compared to QEMU/KVM. They did have some fun
>   demos of booting using the host OS filesystem though. We can
>   actually do the same with regular KVM/libvirt but there's no nice
>   demo tool to show it off. I'm hoping to create one....

Yep it's virtfs which QEMU has supported for a while.  The trick is
setting things up so that the Linux guest boots from virtfs.


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]