Re: [libvirt] Notes from the KVM Forum relevant to libvirt
On Tue, Aug 23, 2011 at 12:15 PM, Daniel P. Berrange
<berrange(a)redhat.com> wrote:
I was at the KVM Forum / LinuxCon last week and there were many
interesting things discussed which are relevant to ongoing libvirt
development. Here was the list that caught my attention. If I have
missed any, fill in the gaps....
- Sandbox/container KVM. The Solaris port of KVM puts QEMU inside
a zone so that an exploit of QEMU can't escape into the full OS.
Containers are Linux's parallel of Zones, and while not nearly as
secure yet, it would still be worth using more containers support
to confine QEMU.
Can you elaborate on why Linux containers are "not nearly as secure"
[as Solaris Zones]?
Containers is just another attempt at isolating the QEMU process.
SELinux works differently but can also do many of the same things. I
like containers more because they are simpler than labelling
everything.
- Native KVM tool. The problem statement was that the QEMU code is
too
big/complex & and command line args are too complex, so lets rewrite
from scratch to make the code small & CLI simple. They achieve this,
but of course primarily because they lack so many features compared
to QEMU. They had libvirt support as a bullet point on their preso,
but I'm not expecting it to replace the current QEMU KVM support in
the forseeable future, given its current level of features and the
size of its dev team compared to QEMU/KVM. They did have some fun
demos of booting using the host OS filesystem though. We can
actually do the same with regular KVM/libvirt but there's no nice
demo tool to show it off. I'm hoping to create one....
Yep it's virtfs which QEMU has supported for a while. The trick is
setting things up so that the Linux guest boots from virtfs.
Stefan