2:43 a.m.
Hi there
I’m not quite proficient with libvirt yet, and have been using it so far primarily to
manage lxc containers
I was hoping to find a means to configure the set of capabilities that guests should drop,
but came across a few web pages suggesting these were set in stone in the code
is this correct, or is there a means to tweak this set from the host via the xml config or
a virsh command ?
any hint / pointer to documentation in this respect would be most appreciated
— Thierry
7:27 a.m.
On Wed, Jan 29, 2014 at 09:43:25AM +0100, Thierry Parmentelat wrote:
Hi there
I’m not quite proficient with libvirt yet, and have been using it
so far primarily to manage lxc containers
I was hoping to find a means to configure the set of capabilities
that guests should drop, but came across a few web pages suggesting
these were set in stone in the code
is this correct, or is there a means to tweak this set from the host
via the xml config or a virsh command ?
any hint / pointer to documentation in this respect would be most
appreciated
That's correct, there's no means to configure this from the libvirt
XML config. The containers will be started with the maximal set of
capabilities we can reasonably allow. The app inside the container
can drop bits they don't require
Regards,
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
8:33 a.m.
Thanks for the feedback
I take it from your answer that there is no current plan in the direction of adding this
as a feature, right ?
In this case, how would you welcome pull requests if we managed to add this on our side ?
Many thanks — Thierry
On 29 Jan 2014, at 14:27, Daniel P. Berrange <berrange(a)redhat.com> wrote:
On Wed, Jan 29, 2014 at 09:43:25AM +0100, Thierry Parmentelat wrote:
> Hi there
>
> I’m not quite proficient with libvirt yet, and have been using it
> so far primarily to manage lxc containers
> I was hoping to find a means to configure the set of capabilities
> that guests should drop, but came across a few web pages suggesting
> these were set in stone in the code
> is this correct, or is there a means to tweak this set from the host
> via the xml config or a virsh command ?
>
> any hint / pointer to documentation in this respect would be most
> appreciated
That's correct, there's no means to configure this from the libvirt
XML config. The containers will be started with the maximal set of
capabilities we can reasonably allow. The app inside the container
can drop bits they don't require
Regards,
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
8:38 a.m.
On Wed, Jan 29, 2014 at 03:33:23PM +0100, Thierry Parmentelat wrote:
Thanks for the feedback
I take it from your answer that there is no current plan in the
direction of adding this as a feature, right ?
I'm not aware of anyone currently working on this feature.
In this case, how would you welcome pull requests if we managed
to add this on our side ?
Well it seems the sf.net LXC tools support a 'lxc.caps.drop'
flag to list caps that should be removed. Since we'd like to
have equivalent or greater features in libvirt, it seems that
it would be in scope to add such a config option to libvirt
XML. So if you'd like to work on it feel free to make a
proposal for XML config & patch.
Regards,
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
3950
days inactive
3950
days old
3 comments
2 participants
participants (2)
-
Daniel P. Berrange -
Thierry Parmentelat