[openstack-dev] [Nova] [Libvirt] Virtio-Serial support for Nova libvirt driver

Daniel P. Berrange berrange at redhat.com
Mon Sep 30 08:42:04 UTC 2013


On Mon, Sep 30, 2013 at 08:32:51AM +0000, P Balaji-B37839 wrote:
> Hi Daniel,
> 
> Thanks for comments and examples.
> 
> As you already know, any application running on the Host platform
> can communicate with the Guest through a Virtio-Serial device. What we are
> looking at is that the security provided by AppArmor is crucial, so that the
> Host will not allow any software running in the Guest to access anything outside of
> the directories/files dynamically added in the libvirt-qemue configuration
> file of AppArmor.
> 
> As this file is created dynamically from the Libvirt XML file, we are thinking
> that if we can expose the Virtio-serial device of the Guest through the Dashboard
> [Horizon], then it will be good from a host security perspective, and as
> well it is up to the User to enable the virtio-serial interface based on his
> requirements, like an Application software requirement in the Guest.

This doesn't really answer my question. There are 2 commonly available
agents (SPICE agent + QEMU guest agent) in the KVM world and we have
support for those in Nova at least. There may be UI missing in Horizon
to enable though. Any further agents would require some kind of software
integration on the host with either qemu, libvirt or Nova itself. So any
blueprint should specify what that new agent is, and how it will be
integrated in the Nova compute host.

Regards,
Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|


