On Wed, Sep 19, 2007 at 04:03:40AM +0100, Daniel P. Berrange wrote:
We currently have logic in the remote driver so that it handles the local
QEMU driver URIs, so they get re-directed to the daemon. It also handles
networking APIs for Xen driver. For normal APIs, Xen has the auto-spawned
setuid proxy daemon. This was very useful at the time we wrote it, but it
only supports a handful of operations, and only in read-only mode. One other
factor is that SUSE, for example, do not ship it because it is setuid. I
don't know whether this is just a general policy, or just because they've
not had time to audit it, but that's not very good for their users.
With the development of the remote driver & the flexible UNIX socket perms
& group ownership, or with policykit support it is possible to replace the
proxy with calls straight to the remote daemon. So this patch is the first
step by allowing the remote driver to handle any hypervisor connection URI.
If it doesn't have a hostname or transport specified, then it automatically
tries to connect to the local libvirt daemon over UNIX sockets.
Okay, I think I understand. I assume this is dependent logically on
having the PolicyKit patch applied first to be able to filter the accesses,
right?
Dan.
--
|=- Red Hat, Engineering, Emerging Technologies, Boston. +1 978 392 2496 -=|
|=- Perl modules: http://search.cpan.org/~danberr/ -=|
|=- Projects: http://freshmeat.net/~danielpb/ -=|
|=- GnuPG: 7D3B9505 F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 -=|
diff -r bc9c1ba80870 src/remote_internal.c
--- a/src/remote_internal.c Tue Sep 18 14:13:29 2007 -0400
+++ b/src/remote_internal.c Tue Sep 18 14:23:22 2007 -0400
@@ -232,9 +232,8 @@ remoteForkDaemon(virConnectPtr conn)
/* Must not overlap with virDrvOpenFlags */
enum virDrvOpenRemoteFlags {
VIR_DRV_OPEN_REMOTE_RO = (1 << 0),
- VIR_DRV_OPEN_REMOTE_UNIX = (1 << 1),
- VIR_DRV_OPEN_REMOTE_USER = (1 << 2),
- VIR_DRV_OPEN_REMOTE_AUTOSTART = (1 << 3),
+ VIR_DRV_OPEN_REMOTE_USER = (1 << 1),
+ VIR_DRV_OPEN_REMOTE_AUTOSTART = (1 << 2),
};
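Review bot: Removing VIR_DRV_OPEN_REMOTE_UNIX renumbers the two remaining flags in enum virDrvOpenRemoteFlags: VIR_DRV_OPEN_REMOTE_USER moves from (1 << 2) to (1 << 1) and VIR_DRV_OPEN_REMOTE_AUTOSTART from (1 << 3) to (1 << 2). If these values are ever stored or passed between separately built components, a build with the old numbering would read a different flag from the same bit. Keeping the existing bit positions and leaving (1 << 1) unused, with a comment marking it as retired, avoids that. The comment above the enum says the values must not overlap with virDrvOpenFlags, so the new values also need checking against that enum, which is not visible in this hunk.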
I'm just a bit worried about changing those if they end up on the wire
in some ways. If that's the case then just keep the enum as-is.
Looks fine to me, +1,
Daniel
--
Red Hat Virtualization group http://redhat.com/virtualization/
Daniel Veillard | virtualization library http://libvirt.org/
veillard(a)redhat.com | libxml GNOME XML XSLT toolkit http://xmlsoft.org/
http://veillard.com/ | Rpmfind RPM search engine http://rpmfind.net/