On Mon, Sep 30, 2013 at 08:32:51AM +0000, P Balaji-B37839 wrote:
> Hi Daniel,
> 
> Thanks for comments and examples.
> 
> As you already know, any application running on the Host platform 
> can communicate with the Guest through a Virtio-Serial device. What we are 
> looking at is that the security provided by AppArmor is crucial, so that the 
> Host will not allow any software running in the Guest to access anything outside 
> of the directories/files dynamically added in the libvirt-qemu 
> configuration file of AppArmor.
> 
> As this file is created dynamically from the Libvirt XML file, we are 
> thinking that if we can expose the Virtio-serial device of the Guest through 
> the Dashboard [Horizon], then it will be good from a host security 
> perspective, and as well it is up to the User to enable the virtio-serial 
> interface based on his requirements, like the application software requirement in 
> the Guest.

This doesn't really answer my question. There are 2 commonly available agents 
(SPICE agent + QEMU guest agent) in the KVM world and we have support for those 
in Nova at least. There may be UI missing in Horizon to enable though. Any 
further agents would require some kind of software integration on the host with 
either qemu, libvirt or Nova itself. So any blueprint should specify what that 
new agent is, and how it will be integrated in the Nova compute host.
[P Balaji-B37839]  Correct. Nova has support for the commonly available agents 
as listed above. We are thinking about a generic interface which can be used by 
any application software in the Guest. More precisely, there won't 
be any agent in the VM; instead any Application Software can use this generic 
Virtio-Serial Interface to communicate with the Host. Using the libvirt 
framework might be the best option, so that the security aspects of exposing this 
interface can be taken care of.

Please comment.

Regards,
Balaji.P

Regards,
Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|

_______________________________________________
OpenStack-dev mailing list
OpenStack-dev@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev