
Re: [libvirt] [PATCH v3 0/5] RFC: grant KVM guests retain arbitrary capabilities



On 01/27/2012 08:18 AM, Taku Izumi wrote:
>> In any case adding rawio (which is a per-process capability) to a <disk>
>> element would be wrong.
>
> It is true that process capability affects not per disk but a domain.
> It's a bit strange, but it is OK in my personal opinion.

No, this must be made very clear in the XML! Remember that rawio lets you send dangerous commands such as WRITE BUFFER and any vendor-specific thing. I absolutely don't think it's okay to enable them on disks just because _another_ disk gets a rawio="yes" attribute.

If you want to add it to the <disk> element, you should first add support for an arbitrary whitelist in the kernel (e.g. by extending the devices cgroups). The whitelisting code is in the kernel, just not the cgroups interface.

Paolo
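
The concern in this reply, as an added audit example that is not part of the original mail or libvirt's code: because the capability belongs to the emulator process, a rawio="yes" on one disk reaches every other disk in the same domain. The domain XML, the /proc status excerpt and the function names below are constructed for illustration; CAP_SYS_RAWIO is capability bit 17 on Linux.

```python
import xml.etree.ElementTree as ET

CAP_SYS_RAWIO = 17  # bit index from <linux/capability.h>

# Constructed sample domain XML: only the first disk asks for rawio.
SAMPLE_DOMAIN = """
<domain type='kvm'>
  <name>guest1</name>
  <devices>
    <disk type='block' device='lun' rawio='yes'>
      <source dev='/dev/sdb'/>
      <target dev='sda' bus='scsi'/>
    </disk>
    <disk type='block' device='lun'>
      <source dev='/dev/sdc'/>
      <target dev='sdb' bus='scsi'/>
    </disk>
  </devices>
</domain>
"""

# Constructed excerpt of /proc/<pid>/status for the emulator process.
SAMPLE_STATUS = "Name:\tqemu-kvm\nCapEff:\t0000000000020000\n"


def has_rawio(status_text):
    """True if the CapEff mask in a /proc/<pid>/status dump has CAP_SYS_RAWIO."""
    for line in status_text.splitlines():
        if line.startswith("CapEff:"):
            mask = int(line.split()[1], 16)
            return bool((mask >> CAP_SYS_RAWIO) & 1)
    return False


def _source_dev(disk):
    src = disk.find("source")
    return src.get("dev") if src is not None else None


def rawio_spillover(domain_xml):
    """Return (requested, exposed): disks marked rawio='yes', and the
    remaining disks that share the same process and so the same capability."""
    disks = ET.fromstring(domain_xml).findall("./devices/disk")
    requested = [_source_dev(d) for d in disks if d.get("rawio") == "yes"]
    others = [_source_dev(d) for d in disks if d.get("rawio") != "yes"]
    return requested, (others if requested else [])
```

A non-empty second list means the domain has disks that never asked for rawio but sit behind a process that holds it.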

