Re: [libvirt] [Qemu-devel] Re: Libvirt debug API

On 04/26/2010 05:19 PM, Anthony Liguori wrote: > On 04/26/2010 09:01 AM, Avi Kivity wrote: >> On 04/26/2010 04:43 PM, Anthony Liguori wrote: >>> The reason I lean toward the direct launch model is that it gives >>> the user a lot of flexibility in terms of using things like >>> namespaces, DAC, cgroups, capabilities, etc. A lot of potential >>> features are lost when you do indirect launch because you have to >>> teach the daemon how to support each of these features. >> >> But what's the alternative? Teach the user how to do all these things? > > You can expose layers of API. The lowest layer makes no changes to > the security context. A higher (optional) layer could do dynamic > labelling. Or a library that the user-written launcher calls. Or a plugin that qemud calls.