[openstack-dev] [Nova] [Libvirt] Virtio-Serial support for Nova libvirt driver

Daniel P. Berrange berrange at redhat.com
Mon Sep 30 09:18:39 UTC 2013


On Mon, Sep 30, 2013 at 08:59:47AM +0000, P Balaji-B37839 wrote:
> On Mon, Sep 30, 2013 at 08:32:51AM +0000, P Balaji-B37839 wrote:
> > Hi Daniel,
> > 
> > Thanks for comments and examples.
> > 
> > As you already know that for any application running on Host platform 
> > can communicate with Guest through Virtio-Serial device. What we are 
> > looking at is the security provided by Apparmor is crucial so that the 
> > Host will not allow any software running in Guest can access outside 
> > of the directories/files dynamically added in the libvirt-qemue 
> > configuration file of apparmor.
> > 
> > As this file is created dynamically from Libvirt XML file, we are 
> > thinking that if we can expose Virtio-serial device of Guest through 
> > Dashboard [Horizon], then it will be good from host security 
> > perspective and as well it is up to the User to enable virtio-serial 
> > interface based on his requirements like Application software requirement in Guest.
> 
> This doesn't really answer my question. There are 2 commonly available
> agents (SPICE agent + QEMU guest agent) in the KVM world and we have
> support for those in Nova at least. There may be UI missing in Horizon
> to enable though. Any further agents would require some kind of software
> integration on the host with either qemu, libvirt or Nova itself. So any
> blueprint should specify what that new agent is, and how it will be 
> integrated in the Nova compute host.
> [P Balaji-B37839]  Correct. Nova has support for the commonly available
> agents as listed above. We are thinking about generic interface which can
> be used by any application software in Guest. More precisely, it will be
> like there won't be any agent in VM, Instead any Application Software
> can use this generic Virtio-Serial Interface to make use of communicating
> with Host. Using libvirt framework might be best option, so that security
> aspects of exposing this interface can be taken care.

Please fix your email client so that it properly indents text you are
quoting with '> '. It makes it very hard to follow replies as you do
it now.

Communicating with *what* on the host ?

Regards,
Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|


