On Tue, 30 Apr 2019 at 16:43, Michal Privoznik <mprivozn(a)redhat.com> wrote:
> Long story short, why bother with /system if you can't use it and not
> use /session instead?
Because according to the FAQ, /session isn't suitable for my use:
- You will definitely want to use qemu:///system if your VMs are acting
as servers. VM autostart on host boot only works for 'system' [Yes, my VMs
are acting as servers]
- the root libvirtd instance has necessary permissions to use proper
networking via bridges or virtual networks. [Yes, I use OVS, with quite a
complex bridge+VLAN system configured at boot]
- qemu:///session has a serious drawback: [...] the only out of the box
network option is qemu's usermode networking, which has nonobvious
limitations, so its usage is discouraged.
(Source: https://wiki.libvirt.org/page/FAQ#What_is_the_difference_between_qemu:.2F... )
So I have to use /system, according to the FAQ. But it'd be nice to nail
the daemon down to reduce the attack surface.
- Peter