| | [[Category:Virtualization]] <!-- do not copy into FWN issue --> |
| | |
| {{Anchor|Virtualization}} | | {{Anchor|Virtualization}} |
| | |
|
| |
|
| == Virtualization == | | == Virtualization == |
| In this section, we cover discussion on the @et-mgmnt-tools-list, @fedora-xen-list, @libvirt-list and @ovirt-devel-list of Fedora virtualization technologies. | | In this section, we cover discussion of Fedora virtualization technologies on the |
| | @fedora-virt list. |
|
| |
|
| Contributing Writer: [[DaleBewley | Dale Bewley]] | | Contributing Writer: [[User:Dale | Dale Bewley]] |
|
| |
|
| | | === Fedora Virtualization List === |
| | |
| | |
| | |
| === Libvirt List === | |
| This section contains the discussion happening on the | | This section contains the discussion happening on the |
| [http://www.redhat.com/mailman/listinfo/libvir-list libvir-list]. | | [http://www.redhat.com/mailman/listinfo/fedora-virt fedora-virt list]. |
| | |
| ==== sVirt 0.30 Released ====
| |
| [[JamesMorris|James Morris]] announced[1] "the release of v0.30 of <code>sVirt</code>[2], a project to add security labeling support to Linux-based virtualization."
| |
| | |
| [1] http://www.redhat.com/archives/libvir-list/2009-January/msg00158.html
| |
| | |
| [2] http://selinuxproject.org/page/SVirt
| |
| | |
| ==== sVirt Qemu Hurdles ====
| |
| [[DanielWalsh|Daniel J Walsh]] began to work on the sVirt lock down of the <code>qemu</code> process, and
| |
| saw[1] a problem: "the {{package|qemu}} binaries are being used to both set up the guest image
| |
| environment and then to run the guest image."
| |
| | |
| "The problem with this is the act of installing an image or setting up
| |
| the environment an image runs within requires much more privileges than
| |
| actually running the image."
| |
| | |
| "SELinux runs best when one process forks/execs another process; this
| |
| allows us to run the two processes under different labels. Each process
| |
| with the privileges required to run."
| |
| | |
| [1] http://www.redhat.com/archives/libvir-list/2009-January/msg00198.html
| |
| | |
| ==== Fine Grained Access Controls ====
| |
| [[KonradEriksson|Konrad Eriksson]] desired[1] "an addition[2] to {{package|libvirt}} that enables access control on individual actions and data that can be accessed through the library API. This could take the form of an AC-module that, based on the identity of the caller, checks each call and grants/denies access to carry out the action (could also take parameters into account) and optionally filter the return data. The AC-module could then interface different backend AC solutions (SELinux, RBAC, ...) or alternatively implement an internal scheme."
| |
| | |
| [[DanielBerrange|Daniel P. Berrange]] pointed[3] out how this relates
| |
| to <code>sVirt</code>. "At this stage <code>sVirt</code> is primarily about protecting guests from each other, and protecting the host from guests. Konrad's suggestions are about protecting guests/hosts from administrators, by providing more fine grained control over what libvirt APIs an admin can invoke & on what objects. Both bits of work are required & are complementary to each other."
| |
| | |
| [1] http://www.redhat.com/archives/libvir-list/2009-January/msg00282.html
| |
| | |
| [2] http://wiki.libvirt.org/page/TodoFineGrainedSecurity
| |
|
| |
|
| [3] http://www.redhat.com/archives/libvir-list/2009-January/msg00362.html | | ==== Virt Status Report ==== |
| | [[JustinForbes|Justin Forbes]] |
| | posted<ref>http://www.redhat.com/archives/fedora-virt/2009-December/msg00056.html</ref> a Fedora virtualization status report. |
| | Justin pointed out F13 bugs<ref>http://fedoraproject.org/wiki/Virtualization_bugs</ref> now include Important and Pony classifications in addition to Blocker and Target. |
|
| |
|
| ==== Configuring Host Interfaces RFC ====
| | <references /> |
| [[DavidLutterkort|David Lutterkort]] composed[1] an RFC beginning
| |
| "For certain applications, we want {{package|libvirt}} to be able to configure host
| |
| network interfaces in a variety of ways; currently, we are most
| |
| interested in teaching <code>libvirt</code> how to set up ordinary ethernet
| |
| interfaces, bridges, bonding and VLANs.
| |
| Below is a high-level proposal of how that could be done. Please comment
| |
| copiously ;)"
| |
|
| |
|
| Adding this type of support struck some as a complex open-ended prospect.
| | ==== RHEL and Fedora Virtualization Feature Parity ==== |
| [[JohnLevon|John Levon]] argued[2] "We should be considering why <code>libvirt</code> is /well-placed/ to configure the
| | Robert Day wondered how the virtualization features<ref>http://www.redhat.com/virtualization/rhev/</ref> of Red Hat Enterprise Linux 5.4 |
| host. I think it should be pretty clear that it's actually not: the
| | compared to Fedora 12. |
| problems around distro differences alone are a good indication. The
| |
| proposed API is anaemic enough to not be of much use. This is way beyond carving out the physical system into virtual chunks
| |
| and it's a big step towards lib*virt* becoming libmanagement."
| |
|
| |
|
| [[DanielBerrange|Daniel P. Berrange]] countered[3] | | [[DanielBerrange|Daniel Berrange]] |
| "The existence of many different [implementations] is exactly the reason for <code>libvirt</code>
| | explained<ref>http://www.redhat.com/archives/fedora-virt/2009-December/msg00040.html</ref> |
| to have this capability. <code>Libvirt</code> is providing a consistent mgmt API
| | "The KVM based virtualization in RHEL-5.4 is not nearly so far behind |
| for management of guests and host networking interfaces is as much a
| | Fedora as you might think. The {{package|libvirt}} mgmt stack in RHEL-5.4 was |
| part of this as the storage management. <code>Libvirt</code> is providing this
| | rebased to be near parity with [[Releases/11|Fedora 11]], and KVM in RHEL-5.4 is |
| capability across virtualization technology." Also saying[4] "Network interface APIs are the core missing piece of <code>libvirt</code> API functionality IMHO."
| | also pretty close to that using what's best described as a hybrid of |
| | kvm-83 and kvm-84." |
|
| |
|
| [1] http://www.redhat.com/archives/libvir-list/2009-January/msg00350.html
| | <references /> |
|
| |
|
| [2] http://www.redhat.com/archives/libvir-list/2009-January/msg00398.html
| |
|
| |
|
| [3] http://www.redhat.com/archives/libvir-list/2009-January/msg00403.html
|
| |
|
| [4] http://www.redhat.com/archives/libvir-list/2009-January/msg00414.html