On Mon, May 28, 2012 at 10:39:08AM -0400, Federico Simoncelli wrote:
> ----- Original Message -----
> > From: "Lei Li" <li...@linux.vnet.ibm.com>
> > To: email@example.com
> > Cc: "Adam Litke" <a...@us.ibm.com>, "Dan Kenigsberg" <dan...@redhat.com>,
> > "Federico Simoncelli" <fsimo...@redhat.com>,
> > "Ryan Harper" <ry...@linux.vnet.ibm.com>
> > Sent: Monday, May 28, 2012 11:18:03 AM
> > Subject: Move some of code from spec file into vdsm-tool function issue
> > Hi guys,
> > Adam pointed out a problem about my patch moving some of the
> > post and preun section in vdsm spec file into vdsm-tool, and
> > I have the same concern.
> > After some discussion, I'd like to ask for your suggestion
> > on the patch linked below.
> > http://gerrit.ovirt.org/#patch,sidebyside,4528,3,vdsm.spec.in
> > Please let me know your idea, thanks!
> VDSM is/was adding a password to libvirt to prevent anyone or anything
> (e.g. virt-manager, etc...) from managing the VMs that are controlled by
> In general I don't like this idea for a couple of reasons: it's too
> intrusive (making modifications that are not expected) and it's using a
> standard and known password, which is something debatable for many reasons
> (even if it's doing its job of preventing careless mistakes well).
> I already tried to use polkit upstream (so that the vdsm user can manage
> libvirt) and it worked pretty well, but it's not preventing other users
> or other applications from connecting to libvirt and controlling the VMs.
> Does anyone know if we still need this precaution? Is there any new feature
> of libvirt that we can easily use to seal the access to our VMs?
Not yet, but the intention is that the role based access control code I
am working on will allow VDSM to drop in a policy file which says allow
read-only access to any user, read-write access to VDSM only. Which is
what you were trying to achieve with this password setting.
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
vdsm-devel mailing list