[libvirt] Turning off libvirtd mdns by default

In the GNOME UI we'd like to make use of Avahi discovery and name resolution "out of the box". A typical use case is for discovery of printers that are advertised using MDNS. This should work even on potentially 'hostile' networks such as a wireless access point in a print shop or airport. It should work without user configuration.

https://fedoraproject.org/wiki/Desktop/Whiteboards/AvahiDefault

In order to turn on Avahi by default, and make it work by default, we'd like to make it possible to use Avahi without advertising any information to the network by default. Advertising information to the network (even the host name) without the user's configuration or consent is a privacy issue.

libvirtd advertises itself via MDNS on the network by default. I understand that MDNS discovery of libvirtd is really handy in many cases.

However since one has to configure network access in libvirtd anyway -- none of the access methods work "out of the box" to my understanding -- I'd like to suggest turning off libvirtd's MDNS publishing by default. As part of setting up libvirtd for network access, the user would turn on mdns_adv.

I hope that makes sense. Let me know if I've gotten something wrong.

Would you accept a patch to do this? Or would you suggest that we try and do this downstream in the Fedora/RHEL packages instead?

Cheers,
Stef

On Mon, Mar 26, 2012 at 2:31 PM, Stef Walter <stefw@gnome.org> wrote:
> In the GNOME UI we'd like to make use of Avahi discovery and name resolution "out of the box". A typical use case is for discovery of printers that are advertised using MDNS. This should work even on potentially 'hostile' networks such as a wireless access point in a print shop or airport. It should work without user configuration.
> https://fedoraproject.org/wiki/Desktop/Whiteboards/AvahiDefault
> In order to turn on Avahi by default, and make it work by default, we'd like to make it possible to use Avahi without advertising any information to the network by default. Advertising information to the network (even the host name) without the user's configuration or consent is a privacy issue.
> libvirtd advertises itself via MDNS on the network by default. I understand that MDNS discovery of libvirtd is really handy in many cases.
> However since one has to configure network access in libvirtd anyway -- none of the access methods work "out of the box" to my understanding -- I'd like to suggest turning off libvirtd's MDNS publishing by default. As part of setting up libvirtd for network access, the user would turn on mdns_adv.
> I hope that makes sense. Let me know if I've gotten something wrong.
> Would you accept a patch to do this? Or would you suggest that we try and do this downstream in the Fedora/RHEL packages instead?
> Cheers,
> Stef

A bit off topic for this list but I hope you're adding the ability to configure a network as a friendly/trusted network vs a hostile network. Similar to what Windows has when you connect it to a new network. If you let it know that you're on a friendly network there should be some way to enable all these services to auto-advertise themselves. Otherwise they will become an annoying mess of having to enable every service in every way to advertise itself.

--
Doug Goldstein

On 2012-03-27 01:03, Doug Goldstein wrote:
> A bit off topic for this list but I hope you're adding the ability to configure a network as a friendly/trusted network vs a hostile network. Similar to what Windows has when you connect it to a new network. If you let it know that you're on a friendly network there should be some way to enable all these services to auto-advertise themselves. Otherwise they will become an annoying mess of having to enable every service in every way to advertise itself.

There's work being done on that. I agree it's certainly something that needs to be done. But as far as Avahi discovery, we need it working by default on both hostile and friendly networks.

Cheers,
Stef

On Mon, Mar 26, 2012 at 09:31:44PM +0200, Stef Walter wrote:
> In the GNOME UI we'd like to make use of Avahi discovery and name resolution "out of the box". A typical use case is for discovery of printers that are advertised using MDNS. This should work even on potentially 'hostile' networks such as a wireless access point in a print shop or airport. It should work without user configuration.
> https://fedoraproject.org/wiki/Desktop/Whiteboards/AvahiDefault
> In order to turn on Avahi by default, and make it work by default, we'd like to make it possible to use Avahi without advertising any information to the network by default. Advertising information to the network (even the host name) without the user's configuration or consent is a privacy issue.
> libvirtd advertises itself via MDNS on the network by default. I understand that MDNS discovery of libvirtd is really handy in many cases.
> However since one has to configure network access in libvirtd anyway -- none of the access methods work "out of the box" to my understanding -- I'd like to suggest turning off libvirtd's MDNS publishing by default. As part of setting up libvirtd for network access, the user would turn on mdns_adv.

Actually, it is possible to remotely connect to any libvirtd instance using an SSH tunnel, which works out of the box. Only the direct, non-tunnelled TLS/SASL based connections require manual setup.

But since, IIUC, the default Fedora firewall setup blocks mDNS, it still wouldn't work out of the box.

> I hope that makes sense. Let me know if I've gotten something wrong.
> Would you accept a patch to do this? Or would you suggest that we try and do this downstream in the Fedora/RHEL packages instead?

Our policy for Fedora / RHEL is to not change upstream behaviour, so this kind of policy decision should be resolved here.

While apps like virt-manager do have the ability to use mDNS to locate remote libvirtd servers, my gut feeling is that it is probably rarely used. So given the need to trade off out of the box usability against privacy concerns, I think we could probably say turning off mDNS by default is acceptable.

What do others think ?

Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|

On 2012-03-27 11:17, Daniel P. Berrange wrote:
> Actually, it is possible to remotely connect to any libvirtd instance using an SSH tunnel, which works out of the box. Only the direct, non-tunnelled TLS/SASL based connections require manual setup.

Doesn't this require setting installing an ssh server on your machine? openssh-server doesn't seem to be installed/enabled by default on many (most?) distros, including Fedora.

In addition doesn't this only work when you ssh as root to the box that the libvirtd instance is running on? I couldn't get this working with my user account and a qemu-ssh uri. I'm probably missing something ...

> > I hope that makes sense. Let me know if I've gotten something wrong.
> > Would you accept a patch to do this? Or would you suggest that we try and do this downstream in the Fedora/RHEL packages instead?
> Our policy for Fedora / RHEL is to not change upstream behaviour, so this kind of policy decision should be resolved here.

Okay, good to know.

Cheers,
Stef

On Tue, Mar 27, 2012 at 11:29:15AM +0200, Stef Walter wrote:
> On 2012-03-27 11:17, Daniel P. Berrange wrote:
> > Actually, it is possible to remotely connect to any libvirtd instance using an SSH tunnel, which works out of the box. Only the direct, non-tunnelled TLS/SASL based connections require manual setup.
> Doesn't this require setting installing an ssh server on your machine? openssh-server doesn't seem to be installed/enabled by default on many (most?) distros, including Fedora.

Yes you need an SSH server.

> In addition doesn't this only work when you ssh as root to the box that the libvirtd instance is running on? I couldn't get this working with my user account and a qemu-ssh uri. I'm probably missing something ...

You can ssh in as non-root, but it requires some manual config steps with policykit to allow libvirtd access first. You can't use the qemu:///session instance remotely either.

> > > I hope that makes sense. Let me know if I've gotten something wrong.
> > > Would you accept a patch to do this? Or would you suggest that we try and do this downstream in the Fedora/RHEL packages instead?
> > Our policy for Fedora / RHEL is to not change upstream behaviour, so this kind of policy decision should be resolved here.
> Okay, good to know.
> Cheers,
> Stef

--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|

On 2012-03-27 11:17, Daniel P. Berrange wrote:
> While apps like virt-manager do have the ability to use mDNS to locate remote libvirtd servers, my gut feeling is that it is probably rarely used. So given the need to trade off out of the box usability against privacy concerns, I think we could probably say turning off mDNS by default is acceptable.
> What do others think ?

BTW, I filed a bug that implements this change:

https://bugzilla.redhat.com/show_bug.cgi?id=807273

Cheers,
Stef

On 2012-03-27 14:08, Stef Walter wrote:
> On 2012-03-27 11:17, Daniel P. Berrange wrote:
> > While apps like virt-manager do have the ability to use mDNS to locate remote libvirtd servers, my gut feeling is that it is probably rarely used. So given the need to trade off out of the box usability against privacy concerns, I think we could probably say turning off mDNS by default is acceptable.
> > What do others think ?
> BTW, I filed a bug that implements this change:

And here's the actual patch.

Cheers,
Stef

On 03/27/2012 08:20 AM, Stef Walter wrote:
> From ef831d7c35871f26964742ca1de49ef464dd7bbb Mon Sep 17 00:00:00 2001
> From: Stef Walter <stefw@gnome.org>
> Date: Tue, 27 Mar 2012 13:59:07 +0200
> Subject: [PATCH] Change the default of mdns_adv to false
>
>  * Don't advertise information on the network without consent of the user, either through manual configuration, or a user interface that drives this option.
>  * Since libvirtd must be configured for network access anyway this setting was not useful "out of the box", so changing this default setting does not remove "out of the box" functionality.

I tweaked this wording slightly, since ssh access doesn't need tweaking; but agree with the patch in general.

> ---
>  daemon/libvirtd.c | 2 +-
>  daemon/libvirtd.conf | 4 ++--
>  daemon/test_libvirtd.aug | 8 ++++----
>  docs/remote.html.in | 2 +-
>  tests/confdata/libvirtd.conf | 4 ++--
>  tests/confdata/libvirtd.out | 4 ++--
>  6 files changed, 12 insertions(+), 12 deletions(-)
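
Review bot: the second bullet of the commit message argues that nothing is lost "out of the box", but it does not say what happens on upgrade: a host whose libvirtd.conf never set mdns_adv was advertising under the old default and stops once the default is false. Since the diffstat already touches daemon/libvirtd.conf and docs/remote.html.in, I would state there that the default changed and that anyone relying on discovery now has to set mdns_adv explicitly.
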
ACK. I've added your name to AUTHORS, and pushed the patch. Let me know if you prefer an alternate spelling.

--
Eric Blake eblake@redhat.com +1-919-301-3266
Libvirt virtualization library http://libvirt.org

On 2012-03-27 17:59, Eric Blake wrote:
> On 03/27/2012 08:20 AM, Stef Walter wrote:
> > From ef831d7c35871f26964742ca1de49ef464dd7bbb Mon Sep 17 00:00:00 2001
> > From: Stef Walter <stefw@gnome.org>
> > Date: Tue, 27 Mar 2012 13:59:07 +0200
> > Subject: [PATCH] Change the default of mdns_adv to false
> >
> >  * Don't advertise information on the network without consent of the user, either through manual configuration, or a user interface that drives this option.
> >  * Since libvirtd must be configured for network access anyway this setting was not useful "out of the box", so changing this default setting does not remove "out of the box" functionality.
> I tweaked this wording slightly, since ssh access doesn't need tweaking; but agree with the patch in general.
> > ---
> >  daemon/libvirtd.c | 2 +-
> >  daemon/libvirtd.conf | 4 ++--
> >  daemon/test_libvirtd.aug | 8 ++++----
> >  docs/remote.html.in | 2 +-
> >  tests/confdata/libvirtd.conf | 4 ++--
> >  tests/confdata/libvirtd.out | 4 ++--
> >  6 files changed, 12 insertions(+), 12 deletions(-)
> ACK. I've added your name to AUTHORS, and pushed the patch. Let me know if you prefer an alternate spelling.

Thanks! Much appreciated.

Cheers,
Stef
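
Added example, not part of the thread or of the libvirt patch: an audit helper showing why the default flip matters for hosts whose libvirtd.conf never sets mdns_adv. The function name, the constructed sample files and the 0/1 integer value syntax are assumptions made for illustration.

```python
import re

# Compiled-in default of mdns_adv: on before the patch in this thread, off after it.
DEFAULT_BEFORE_PATCH = True
DEFAULT_AFTER_PATCH = False

# Assumption: the key is written as an integer, e.g. "mdns_adv = 1".
_ASSIGN = re.compile(r"^\s*mdns_adv\s*=\s*(-?\d+)\s*$")


def effective_mdns_adv(conf_text, compiled_default):
    """Return (advertising, source) for the text of a libvirtd.conf.

    Commented-out lines are ignored, so a file that never sets the key
    inherits whatever default the installed libvirtd was built with.
    """
    values = []
    for line in conf_text.splitlines():
        match = _ASSIGN.match(line.split("#", 1)[0])  # drop trailing comments
        if match:
            values.append(int(match.group(1)))
    if not values:
        return compiled_default, "compiled default"
    # Audit-side choice: if any active assignment enables it, report it as on.
    return any(v != 0 for v in values), "libvirtd.conf"


# Constructed sample files (not copied from any libvirt release).
STOCK_CONF = """\
# Flag toggling mDNS advertisement
#mdns_adv = 1
"""
OPT_OUT_CONF = "mdns_adv = 0\n"
OPT_IN_CONF = "mdns_adv = 1   # enabled while setting up network access\n"

if __name__ == "__main__":
    samples = [("stock", STOCK_CONF), ("opt-out", OPT_OUT_CONF), ("opt-in", OPT_IN_CONF)]
    defaults = [("pre-patch", DEFAULT_BEFORE_PATCH), ("post-patch", DEFAULT_AFTER_PATCH)]
    for name, text in samples:
        for label, default in defaults:
            on, source = effective_mdns_adv(text, default)
            print(f"{name:8} {label:10} advertising={on} ({source})")
```

Only the untouched "stock" file changes behaviour between the two defaults; an explicit `mdns_adv` line gives the same answer on either build.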

On Tue, Mar 27, 2012 at 10:17:02AM +0100, Daniel P. Berrange wrote:
> On Mon, Mar 26, 2012 at 09:31:44PM +0200, Stef Walter wrote:
> > In the GNOME UI we'd like to make use of Avahi discovery and name resolution "out of the box". A typical use case is for discovery of printers that are advertised using MDNS. This should work even on potentially 'hostile' networks such as a wireless access point in a print shop or airport. It should work without user configuration.
> > https://fedoraproject.org/wiki/Desktop/Whiteboards/AvahiDefault
> > In order to turn on Avahi by default, and make it work by default, we'd like to make it possible to use Avahi without advertising any information to the network by default. Advertising information to the network (even the host name) without the user's configuration or consent is a privacy issue.
> > libvirtd advertises itself via MDNS on the network by default. I understand that MDNS discovery of libvirtd is really handy in many cases.
> > However since one has to configure network access in libvirtd anyway -- none of the access methods work "out of the box" to my understanding -- I'd like to suggest turning off libvirtd's MDNS publishing by default. As part of setting up libvirtd for network access, the user would turn on mdns_adv.
> Actually, it is possible to remotely connect to any libvirtd instance using an SSH tunnel, which works out of the box. Only the direct, non-tunnelled TLS/SASL based connections require manual setup.
> But since, IIUC, the default Fedora firewall setup blocks mDNS, it still wouldn't work out of the box.
> > I hope that makes sense. Let me know if I've gotten something wrong.
> > Would you accept a patch to do this? Or would you suggest that we try and do this downstream in the Fedora/RHEL packages instead?
> Our policy for Fedora / RHEL is to not change upstream behaviour, so this kind of policy decision should be resolved here.
> While apps like virt-manager do have the ability to use mDNS to locate remote libvirtd servers, my gut feeling is that it is probably rarely used. So given the need to trade off out of the box usability against privacy concerns, I think we could probably say turning off mDNS by default is acceptable.
> What do others think ?

I agree with you that turning off mDNS by default is probably ok.

Dave
> Daniel
-- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list
participants (5): Daniel P. Berrange, Dave Allan, Doug Goldstein, Eric Blake, Stef Walter