[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] [PATCH v2 1/6] docs/qemu-deprivilege: Revise and update with status and future plans

To: George Dunlap <dunlapg@xxxxxxxxx>
From: Anthony PERARD <anthony.perard@xxxxxxxxxx>
Date: Fri, 28 Sep 2018 13:59:08 +0100
Cc: Stefano Stabellini <sstabellini@xxxxxxxxxx>, Wei Liu <wei.liu2@xxxxxxxxxx>, Konrad Rzeszutek Wilk <konrad.wilk@xxxxxxxxxx>, Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, Tim Deegan <tim@xxxxxxx>, Ross Lagerwall <ross.lagerwall@xxxxxxxxxx>, Julien Grall <julien.grall@xxxxxxx>, Jan Beulich <jbeulich@xxxxxxxx>, xen-devel <xen-devel@xxxxxxxxxxxxxxxxxxxx>, Ian Jackson <ian.jackson@xxxxxxxxxx>
Delivery-date: Fri, 28 Sep 2018 12:59:35 +0000
List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On Fri, Sep 28, 2018 at 12:37:22PM +0100, George Dunlap wrote:
> On Tue, Sep 25, 2018 at 12:20 PM Anthony PERARD
> <anthony.perard@xxxxxxxxxx> wrote:
> >
> > On Fri, Sep 21, 2018 at 06:04:23PM +0100, George Dunlap wrote:
> > > +## Migration
> > > +
> > > +When calling xen-save-devices-state, since QEMU is running in a chroot
> > > +it is not useful to pass a filename (it doesn't even have write access
> > > +inside the chroot). Instead, give it an open fd using the add-fd
> > > +mechanism.
> >
> > That describe an issue only on save. The restore part of a migration
> > also have an issue:
> >
> > On restore, QEMU signal to libxl that it is ready only after priviledge
> > restriction have been put in place (and after or when it receive the
> > migration data). But xenstore isn't available anymore, so restore fails
> > from libxl point-of-view.
> >
> >
> > Or maybe you describe here an issue that would arise when an hypothetic
> > chroot is apply. But the migration issue describe here still apply
> > without chroot and with only -runas, the path libxl give to QEMU is
> > accessible by root only.
> 
> Do our other restrictions -- chroot, deprivilege, &c -- all work on
> restore at the moment?

chroot isn't an issue for restore. But running QEMU as non-root user is
currently an issue for restore.

I think the only issue with restore that doesn't also exist when
creating a guest is restricted access to xenstore.

-- 
Anthony PERARD

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxxx
https://lists.xenproject.org/mailman/listinfo/xen-devel

References:
- [Xen-devel] [PATCH v2 1/6] docs/qemu-deprivilege: Revise and update with status and future plans
  - From: George Dunlap
- Re: [Xen-devel] [PATCH v2 1/6] docs/qemu-deprivilege: Revise and update with status and future plans
  - From: Anthony PERARD
- Re: [Xen-devel] [PATCH v2 1/6] docs/qemu-deprivilege: Revise and update with status and future plans
  - From: George Dunlap

Prev by Date: [Xen-devel] [xen-4.10-testing baseline-only test] 75307: trouble: blocked/broken
Next by Date: [Xen-devel] Xen performance related work needed
Previous by thread: Re: [Xen-devel] [PATCH v2 1/6] docs/qemu-deprivilege: Revise and update with status and future plans
Next by thread: [Xen-devel] [libvirt test] 127869: regressions - FAIL
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.