Re: [Xen-devel] [PATCH] docs/qemu-deprivilege: Revise and update with status and future plans
On Thu, Mar 22, 2018 at 06:24:37PM +0000, George Dunlap wrote:
> +### Disks > + > +The chroot (and seccomp?) happens late enough such that QEMU can > +initialize itself and open its disks. If you want to add a disk at run > +time via or insert a CD, you can't pass a path because QEMU is > +chrooted. Instead use the add-fd QMP command and use > +/dev/fdset/<fdset-id> as the path. > + > +A further layer of restriction could be to set RLIMIT_NOFILES to '0', > +and hand all disks over QMP.

The "add-fd" can work also on the command line. But I guess using only QMP will be better from libxl point of view, only one code path to add disks.

Also, with dm_restrict=1, another todo: qdisk backend doesn't work. We probably need to start a second QEMU process for pv backends.

--
Anthony PERARD
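Review bot: In the Disks paragraph, "add a disk at run time via or insert a CD" is missing the word after "via", so the text does not say which interface the path restriction applies to; name it explicitly. In the last paragraph, "RLIMIT_NOFILES" should read "RLIMIT_NOFILE", which is the resource name setrlimit() accepts. The "(and seccomp?)" aside also leaves it open, in user-facing documentation, whether seccomp is applied at the same point as the chroot; either state the ordering or move the question to the list of open items.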