Hi Daniel,

Not sure that I conveyed the use case of this in Nova clearly. Please find
below a few more data points on this.

i) A host-to-guest communication feature is good to have through
Nova-libvirt. Using the generic virtio-serial interface for this will be a better
option because the dynamic AppArmor abstractions file created for libvirt-qemu
will take care of the security aspects of the host.

ii) The KVM hypervisor using libvirt needs a VMCI [VMware]-like library which can
support a secure way of host-guest communication. Though this kind of library
support is not available in libvirt now, using the existing virtio-serial
interface will be good to start with.

iii) We want to make the KVM hypervisor with libvirt flexible enough so that
different networking vendors can make use of it based on their network
application software architecture.

iv) Though we can make use of the guest agent, it will add another daemon in the
guest, which is not optimal.

Regards,
Balaji.P
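As an added illustration, not part of this thread or of Nova's own code, this is the libvirt domain XML that exposes a virtio-serial channel of the kind point i) refers to; the domain name, channel name and socket path are constructed.

```xml
<!-- Constructed example: a virtio-serial channel in a libvirt domain XML.
     Host side: a UNIX socket that libvirt creates and QEMU listens on.
     Guest side: /dev/virtio-ports/org.example.app.0 (named by <target name>). -->
<devices>
  <!-- the virtio-serial bus the channel hangs off -->
  <controller type='virtio-serial' index='0'/>

  <channel type='unix'>
    <!-- mode='bind': QEMU owns the socket; the host-side daemon connects to it -->
    <source mode='bind'
            path='/var/lib/libvirt/qemu/channel/target/domain-example-vm/org.example.app.0'/>
    <!-- the name is what the guest sees under /dev/virtio-ports/ -->
    <target type='virtio' name='org.example.app.0'/>
  </channel>
</devices>
```

With libvirt's AppArmor security driver enabled, virt-aa-helper derives the per-domain profile (/etc/apparmor.d/libvirt/libvirt-<uuid>.files) from this XML, so the QEMU process is granted access to this one socket path rather than to the host filesystem at large; that generated profile is what point i) relies on.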




> -----Original Message-----
> From: Daniel P. Berrange [mailto:berra...@redhat.com]
> Sent: Monday, September 30, 2013 5:21 PM
> To: P Balaji-B37839
> Cc: OpenStack Development Mailing List
> Subject: Re: [openstack-dev] [Nova] [Libvirt] Virtio-Serial support for
> Nova libvirt driver
> 
> On Mon, Sep 30, 2013 at 11:31:58AM +0000, P Balaji-B37839 wrote:
> > > > > Hi Daniel,
> > > > >
> > > > > Thanks for comments and examples.
> > > > >
> > > > > As you already know, any application running on the host
> > > > > platform can communicate with the guest through a virtio-serial device.
> > > > > What we are looking at is the security provided by AppArmor, which is
> > > > > crucial so that the host will not allow any software running in the
> > > > > guest to access anything outside of the directories/files dynamically
> > > > > added in the libvirt-qemu configuration file of AppArmor.
> > > > >
> > > > > As this file is created dynamically from the libvirt XML file, we
> > > > > are thinking that if we can expose the virtio-serial device of the guest
> > > > > through the Dashboard [Horizon], then it will be good from the host
> > > > > security perspective, and as well it is up to the user to enable the
> > > > > virtio-serial interface based on his requirements, like the
> > > > > application software requirement in the guest.
> > > >
> > > > This doesn't really answer my question. There are 2 commonly
> > > > available agents (SPICE agent + QEMU guest agent) in the KVM world
> > > > and we have support for those in Nova at least. There may be UI
> > > > missing in Horizon to enable though. Any further agents would
> > > > require some kind of software integration on the host with either
> > > > qemu, libvirt or Nova itself. So any blueprint should specify what
> > > > that new agent is, and how it will be integrated in the Nova
> > > > compute host.
> > > > [P Balaji-B37839]  Correct. Nova has support for the commonly
> > > > available agents as listed above. We are thinking about a generic
> > > > interface which can be used by any application software in the guest.
> > > > More precisely, there won't be any agent in the VM;
> > > > instead any application software can use this generic
> > > > virtio-serial interface to communicate with the host.
> > > > Using the libvirt framework might be the best option, so that the security
> > > > aspects of exposing this interface can be taken care of.
> > >
> > > Please fix your email client so that it properly indents text you
> > > are quoting with '> '. It makes it very hard to follow replies as
> > > you do it now.
> > >
> > > Communicating with *what* on the host ?
> > [P Balaji-B37839] Here *what* refers to any daemon/agent which is
> > proprietary, based on the application architecture inside the guest, using
> > the virtio-serial interface created for the VM.
> 
> I'm not convinced that we should be in the business of adding features to
> Nova for integration with arbitrary, closed source host components which
> we have no information about.
> 
> Daniel
> --
> |: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
> |: http://libvirt.org              -o-             http://virt-manager.org :|
> |: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
> |: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|

_______________________________________________
OpenStack-dev mailing list
OpenStack-dev@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev