On Mon, Sep 30, 2013 at 08:59:47AM +0000, P Balaji-B37839 wrote:
> On Mon, Sep 30, 2013 at 08:32:51AM +0000, P Balaji-B37839 wrote:
> > Hi Daniel,
> >
> > Thanks for comments and examples.
> >
> > As you already know, any application running on the Host platform
> > can communicate with the Guest through a Virtio-Serial device. What we are
> > looking at is that the security provided by AppArmor is crucial, so that the
> > Host will not allow any software running in the Guest to access anything outside
> > of the directories/files dynamically added in the libvirt-qemu
> > configuration file of AppArmor.
> >
> > As this file is created dynamically from the libvirt XML file, we are
> > thinking that if we can expose the Virtio-serial device of the Guest through
> > the Dashboard [Horizon], then it will be good from a host security
> > perspective, and as well it is up to the User to enable the virtio-serial
> > interface based on his requirements, like the Application software requirement
> > in the Guest.
>
> This doesn't really answer my question. There are 2 commonly available
> agents (SPICE agent + QEMU guest agent) in the KVM world and we have
> support for those in Nova at least. There may be UI missing in Horizon
> to enable though. Any further agents would require some kind of software
> integration on the host with either qemu, libvirt or Nova itself. So any
> blueprint should specify what that new agent is, and how it will be
> integrated in the Nova compute host.
>
> [P Balaji-B37839] Correct. Nova has support for the commonly available
> agents as listed above. We are thinking about a generic interface which can
> be used by any application software in the Guest. More precisely, it will be
> like there won't be any agent in the VM; instead any Application Software
> can use this generic Virtio-Serial Interface to communicate
> with the Host. Using the libvirt framework might be the best option, so that the security
> aspects of exposing this interface can be taken care of.
Please fix your email client so that it properly indents text you are
quoting with '> '. It makes it very hard to follow replies as you do it now.

Communicating with *what* on the host?

Regards,
Daniel
-- 
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|

_______________________________________________
OpenStack-dev mailing list
OpenStack-dev@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
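The thread above relies on two mechanisms without showing them: a virtio-serial port is declared in the libvirt domain XML as a `<channel>` backed by a UNIX socket on the host, and libvirt's AppArmor integration (virt-aa-helper) derives the per-domain profile from that same XML, so QEMU is only allowed to touch host paths the XML names. The following is an added illustration, not code from the thread, from libvirt or from Nova: it models that derivation with a constructed domain XML (the guest name, socket paths and channel names are assumptions), collects the host paths a profile would have to allow, and maps each virtio channel to the `/dev/virtio-ports/<name>` node the guest-side application would open. The rule rendering is a simplified stand-in for what virt-aa-helper actually emits.

```python
"""Toy model of libvirt's XML-derived AppArmor confinement for a QEMU guest.

Added example, not libvirt/virt-aa-helper code. It shows the idea the
thread depends on: only host paths named in the domain XML end up in the
dynamically generated profile, including the UNIX socket behind a
virtio-serial <channel>.
"""
import xml.etree.ElementTree as ET

# Constructed domain XML (assumed names and paths; not from the thread).
# Each <channel type='unix'> is a virtio-serial port: the host side is a
# UNIX socket that QEMU binds, the guest side is /dev/virtio-ports/<name>.
DOMAIN_XML = """
<domain type='kvm'>
  <name>demo-guest</name>
  <devices>
    <disk type='file' device='disk'>
      <source file='/var/lib/libvirt/images/demo-guest.qcow2'/>
      <target dev='vda' bus='virtio'/>
    </disk>
    <channel type='unix'>
      <source mode='bind' path='/var/lib/libvirt/qemu/channel/target/demo-guest.org.example.app.0'/>
      <target type='virtio' name='org.example.app.0'/>
    </channel>
    <channel type='unix'>
      <source mode='bind' path='/var/lib/libvirt/qemu/channel/target/demo-guest.org.qemu.guest_agent.0'/>
      <target type='virtio' name='org.qemu.guest_agent.0'/>
    </channel>
  </devices>
</domain>
"""


def host_paths(domain_xml):
    """Collect the host filesystem paths the domain XML names, keyed by role.

    Only disk image files and UNIX-socket channel paths are considered here;
    the real helper covers more device types.
    """
    root = ET.fromstring(domain_xml)
    paths = {}
    for disk in root.findall("./devices/disk"):
        src = disk.find("source")
        if src is not None and src.get("file"):
            paths[src.get("file")] = "disk"
    for chan in root.findall("./devices/channel[@type='unix']"):
        src = chan.find("source")
        if src is not None and src.get("path"):
            paths[src.get("path")] = "channel"
    return paths


def apparmor_rules(domain_xml):
    """Render one simplified AppArmor file rule per collected path."""
    return ['  "%s" rw,' % p for p in sorted(host_paths(domain_xml))]


def is_allowed(domain_xml, path):
    """Would QEMU, confined by the generated profile, be able to open `path`?"""
    return path in host_paths(domain_xml)


def guest_device_nodes(domain_xml):
    """Map each virtio-serial target name to the node the guest sees.

    The /dev/virtio-ports/<name> symlink is created by the guest's udev
    rules for virtio-serial ports; an in-guest application opens that node
    to talk to whatever the host attached to the socket.
    """
    root = ET.fromstring(domain_xml)
    return {
        t.get("name"): "/dev/virtio-ports/%s" % t.get("name")
        for t in root.findall("./devices/channel/target[@type='virtio']")
    }


if __name__ == "__main__":
    print("\n".join(apparmor_rules(DOMAIN_XML)))
    print(guest_device_nodes(DOMAIN_XML))
    print("/etc/shadow allowed:", is_allowed(DOMAIN_XML, "/etc/shadow"))
```

The point for the thread: adding a channel through the dashboard means adding a `<channel>` to the XML Nova hands to libvirt, which in turn makes exactly that socket path appear in the profile; a path absent from the XML (e.g. `/etc/shadow` above) stays denied. What sits on the host end of that socket is still a separate question, which is what Daniel is asking.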