On 02/24/2015 02:50 AM, Wen Congyang wrote: >> Script files are in general very hard to secure. Libvirt marks any >> domain that uses a script file for controlling networking as tainted, >> because it cannot guarantee that the script did not do arbitrary >> actions. Can you come up with any better solution that does not require >> a script file, such as having management software responsible for >> passing in an already-opened fd? > > Do you mean that opening the script in libvirt? >
No, I mean a solution that needs no script file at all. Have libvirt pre-open the TAP device you will need, then pass in the fd that will be used for the colo NIC. -- Eric Blake eblake redhat com +1-919-301-3266 Libvirt virtualization library http://libvirt.org
signature.asc
Description: OpenPGP digital signature
