On Mon, Oct 14, 2013 at 01:58:29PM -0600, Eric Blake wrote:
On 10/14/2013 11:06 AM, Daniel P. Berrange wrote:
From: "Daniel P. Berrange" <berrange@redhat.com>
Start a page describing some of the things that applications using libvirt need to bear in mind to ensure security of their systems.
Signed-off-by: Daniel P. Berrange <berrange@redhat.com> --- docs/secureusage.html.in | 169 +++++++++++++++++++++++++++++++++++++++++++++++ docs/sitemap.html.in | 4 ++ 2 files changed, 173 insertions(+) create mode 100644 docs/secureusage.html.in
+ + <p> + This page details information that application developers and + administrators of libvirt should be aware of when working with + libvirt, that may have a bearing on security of the system. + </p>
Maybe worth a mention that granting someone access to the system libvirtd with the permission for writing domain XML is effectively granting them full access to the entire machine (since they can create a domain that points to an arbitrary file and use the guest to alter that file's contents). Also: while sVirt protects one guest from another, it does not protect guests from a bad admin on the host. But this could be added in a followup patch, if you wanted to get the framework in and still get a content review of new text.
Ahhh, yes, I knew there was one thing section I wanted to a write. I'll send a followup with more data.
+ <ul> + <li>Use a specific address for establishing the migration + connection which is accessible only to the virtualization + hosts themselves, not libvirt clients or virtual guests. + Most hypervisors allow the mgmt application to provide
s/mgmt/management/
+ the IP address of the target host as a way to + determine which network migration takes place on</li> + <li>Use an encrypted migration protocol. Some hypervisors + have support for encrypting the migration memory/storage + data. In other cases it can be tunnelled over the libvirtd + RPC protocol connections.</li> + <li>Use a specific address for listening for incoming migration + connections which is accessible only to the virtualization + hosts themselves, not libvirt clients or virtual guests. + Most hypervisors allow the mgmt application to configure + the IP address on which the target host listens.</li>
Are 1 and 3 identical?
One is about the connect() address for source QEMU and the other is about bind() address for dest QEMU. Daniel -- |: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :| |: http://libvirt.org -o- http://virt-manager.org :| |: http://autobuild.org -o- http://search.cpan.org/~danberr/ :| |: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|