[openstack-dev] [Nova] [Libvirt] Virtio-Serial support for Nova libvirt driver

P Balaji-B37839 B37839 at freescale.com
Mon Sep 30 11:31:58 UTC 2013


> > > Hi Daniel,
> > >
> > > Thanks for comments and examples.
> > >
> > > As you already know, any application running on the Host
> > > platform can communicate with the Guest through a Virtio-Serial device.
> > > What we are looking at is that the security provided by AppArmor is
> > > crucial, so that the Host will not allow any software running in the
> > > Guest to access anything outside the directories/files dynamically added
> > > to the libvirt-qemu AppArmor configuration file.
> > >
> > > As this file is created dynamically from the Libvirt XML file, we are
> > > thinking that if we can expose the Virtio-serial device of the Guest
> > > through the Dashboard [Horizon], then it will be good from a host security
> > > perspective, and as well it is up to the User to enable the virtio-serial
> > > interface based on his requirements, such as the Application software
> > > requirement in the Guest.
> >
> > This doesn't really answer my question. There are 2 commonly available
> > agents (SPICE agent + QEMU guest agent) in the KVM world and we have
> > support for those in Nova at least. There may be UI missing in Horizon
> > to enable though. Any further agents would require some kind of
> > software integration on the host with either qemu, libvirt or Nova
> > itself. So any blueprint should specify what that new agent is, and
> > how it will be integrated in the Nova compute host.
> > [P Balaji-B37839]  Correct. Nova has support for the commonly
> > available agents as listed above. We are thinking about a generic
> > interface which can be used by any application software in the Guest. More
> > precisely, there won't be any agent in the VM; instead any
> > Application Software can use this generic Virtio-Serial Interface to
> > communicate with the Host. Using the libvirt framework might be the
> > best option, so that the security aspects of exposing this interface can be
> > taken care of.
> 
> Please fix your email client so that it properly indents text you are
> quoting with '> '. It makes it very hard to follow replies as you do it
> now.
> 
> Communicating with *what* on the host ?
[P Balaji-B37839] Here *what* refers to any daemon/agent, which is proprietary and based on the Application architecture inside the Guest, using the Virtio-Serial Interface created for the VM.
> 
> Regards,
> Daniel
> --
> |: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
> |: http://libvirt.org              -o-             http://virt-manager.org :|
> |: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
> |: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|
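For readers who have not seen the device being discussed, the following is the kind of libvirt domain XML that defines a virtio-serial channel backed by a host-side Unix socket. This is an added illustration, not text from the thread and not Nova's own code; the socket path and the channel name `example.app.0` are assumed values. When libvirt's AppArmor security driver is in use, the per-domain profile is generated from this XML, so the QEMU process is granted access to the socket path named here and nothing else for this channel; the host daemon that listens on that socket sits outside the guest's confinement and is the component that has to treat everything the guest writes as untrusted input.

```xml
<!-- Added example, not from the thread: a virtio-serial channel in libvirt domain XML.
     The path and channel name below are assumed values. -->
<devices>
  <!-- the virtio-serial controller that the channel hangs off -->
  <controller type='virtio-serial' index='0'/>
  <channel type='unix'>
    <!-- host side: libvirt creates and owns this socket; the host daemon connects to it.
         With the AppArmor driver, only this path is added to the domain's profile. -->
    <source mode='bind' path='/var/lib/libvirt/qemu/channel/target/domain-example/example.app.0'/>
    <!-- guest side: exposed as /dev/virtio-ports/example.app.0 in a Linux guest -->
    <target type='virtio' name='example.app.0'/>
    <address type='virtio-serial' controller='0' bus='0' port='1'/>
  </channel>
</devices>
```

The point for the thread's security argument is that the confinement boundary is the socket path, not the channel: whatever the host-side agent does with the bytes it reads is its own responsibility, so a generic "no agent in the VM" channel moves the trust decision entirely onto that host daemon.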
