Anthony,

On 6/13/07, Anthony Liguori <[EMAIL PROTECTED]> wrote:
> One thing to consider is that if a userspace process can create KVM
> guests, they are capable of pinning large quantities of physical
> memory. This could be used as a DoS attack so consider VM creation a
> privileged operation.

No, that's not what is intended. I was asking about the possibility to run KVM at user's privileges after some necessary actions have been completed, and tried to compile a list of such actions. That is,

- adjust RTC (I just added this to the system startup script)
- create a tap
- add tap to the bridge (if bridging is used)/adjust iptables if no bridging (another example in qemu wiki)
- open /dev/kvm (as it has been found, group membership is sufficient if group can write to /dev/kvm)

After that, process privileges might be dropped to those of the user who logged (ssh'd) in. Images of disk volumes and CDs may then be assigned proper permissions, so users may be more flexible on what to run, and regular Unix filesystem mechanisms will control access.

BTW if qemu_system_x86-64 runs at user privileges, can the memory consumed be subject to whatever per-user limits that may be set systemwide?

--
Dimitry Golubovsky

Anywhere on the Web
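The "open the device, then drop to the logged-in user" sequence from the message above, as an added example that is not code from this thread or from KVM/QEMU. It assumes a launcher started with root privileges whose real uid/gid are those of the logged-in user; `open_privileged` and `drop_privileges` are hypothetical names, and the tap and bridge steps are left out.

```c
#define _DEFAULT_SOURCE          /* for setgroups() on glibc */
#include <fcntl.h>
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Open a device node while still privileged. Access is checked at open()
 * time, so the descriptor stays usable after the privilege drop. */
int open_privileged(const char *path)
{
    return open(path, O_RDWR);
}

/* Permanently become uid/gid. Returns 0 on success, -1 on any failure.
 * Order matters: groups and gid must change before the uid does, because
 * an unprivileged process can no longer change them. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -1;               /* clear inherited supplementary groups */
    if (setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid)
        return -1;
    /* A leftover saved uid of 0 would let either call succeed. */
    if (uid != 0 && (setuid(0) == 0 || seteuid(0) == 0))
        return -1;
    return 0;
}

int main(void)
{
    /* Assumption: real uid/gid identify the user to drop to. */
    int fd = open_privileged("/dev/kvm");
    if (fd < 0)
        perror("open /dev/kvm");
    if (drop_privileges(getuid(), getgid()) != 0) {
        fprintf(stderr, "privilege drop failed, refusing to continue\n");
        return 1;
    }
    printf("uid=%d gid=%d kvm fd=%d\n", (int)getuid(), (int)getgid(), fd);
    return 0;
}
```

Treat a failed drop as fatal: continuing after an unchecked `setuid()` failure leaves the process running with the privileges it was meant to give up.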