[CentOS-virt] libvirt, xen PV, qemu-system-i386, root user
George Dunlap
dunlapg at umich.edu
Mon Sep 14 13:52:15 UTC 2015

On Mon, Sep 14, 2015 at 11:47 AM, Karel Hendrych <k+centosvirt at karlos.cz> wrote:
> Good test, non-buffered dom0 dd write speed is similar with tap2.
>
> I'll likely stay with the QEMU backend. Are there any best practises
> regarding security, at least if QEMU can operate under non-root account?

Not at the moment. Fortunately the attack surface from guest -> qemu in this case is fairly small (just the PV block interface).

qemu deprivileging is on our short list of things to look at though. We've already had patches for deprivileging qemu when acting as a stub domain; those will probably make it for 4.7. I'll add qdisk to the list.

If you really want to get your hands dirty you could try to set up a storage driver domain; but that's really not as simple to set up as it should be.

Hope that helps.

-George