qemu-devel.nongnu.org archive mirror
 help / color / mirror / Atom feed
From: "Daniel P. Berrangé" <berrange@redhat.com>
To: Paolo Bonzini <pbonzini@redhat.com>
Cc: "Laurent Vivier" <lvivier@redhat.com>,
	"Thomas Huth" <thuth@redhat.com>,
	"Juan Quintela" <quintela@redhat.com>,
	qemu-devel@nongnu.org,
	"Dr. David Alan Gilbert" <dgilbert@redhat.com>,
	"Marc-André Lureau" <marcandre.lureau@redhat.com>
Subject: Re: [Qemu-devel] [PATCH 0/3] Add dbus-vmstate
Date: Wed, 10 Jul 2019 10:03:50 +0100	[thread overview]
Message-ID: <20190710090350.GC30831@redhat.com> (raw)
In-Reply-To: <8914dc43-0b99-ff83-7ff9-8f7b8f256909@redhat.com>

On Wed, Jul 10, 2019 at 10:53:10AM +0200, Paolo Bonzini wrote:
> On 08/07/19 18:04, Daniel P. Berrangé wrote:
> > The downside of using the bus daemon is that we have to spawn a new
> > instance of dbus-daemon for every QEMU VM that's running on the host,
> > which is yet more memory overhead for each VM & another process to
> > manage, and yet another thing to go wrong.
> > 
> > QEMU already has a direct UNIX socket connection to the helper
> > processes in question. I'd much rather we just had another direct
> > UNIX socket  connection to that helper, using D-Bus peer-to-peer.
> > The benefit of debugging doesn't feel compelling enough to justify
> > running an extra daemon for each VM.
> 
> Would it be possible to make QEMU the broker?  That is, how hard would it
> be to embed a minimal DBus broker (which only takes care of connecting servers
> and clients---stuff like launching servers would be completely out of scope)?

What would be the benefit of embedding it in QEMU ? I see significant
security downside to that which would mean its not something I'd want
to support.

If we accept the need for a bus then this implies there's a need for
service <-> service messages, where neither service is QEMU. This in
turn requires enforcement of security policies for the separation of
services. It is highly desirable, if not mandatory, to have such
security enforcement outside the QEMU address space, given that QEMU
is an untrustworthy component.


> Would it for example make sense to split the bus handling part of dbus-broker
> into a library that QEMU could reuse?  (And if we plan to do this, should QEMU
> use sd-bus instead of gdbus?)
> 
> In QOM that would be something like
> 
>   -object dbus-connection,id=client1,chardev=...,addr=foo       # p2p
>   -object dbus-vmstate,connection=client1                       # the interface
> 
>   -object dbus-connection,id=client1,addr=foo                   # via external daemon
>   -object dbus-vmstate,client=client1                           # the interface
> 
>   -object dbus-session,id=session1,chardev=...
>   -object dbus-connection,id=client1,session=session1,addr=foo  # via internal daemon
>   -object dbus-vmstate,client=client1                           # the interface

From my POV I only see two viable options. Either p2p with no bus & QEMU
being one endpoint so there's no requirement for security policies, or
bus based mesh with an external process to enforce security policy.

Regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|


  reply	other threads:[~2019-07-10  9:05 UTC|newest]

Thread overview: 23+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2019-07-08  7:24 [Qemu-devel] [PATCH 0/3] Add dbus-vmstate Marc-André Lureau
2019-07-08  7:24 ` [Qemu-devel] [PATCH 1/3] qemu-file: move qemu_{get, put}_counted_string() declarations Marc-André Lureau
2019-07-08  8:03   ` Juan Quintela
2019-07-08  7:24 ` [Qemu-devel] [PATCH 2/3] tests: add qtest_set_exit_status() Marc-André Lureau
2019-07-08  8:04   ` Juan Quintela
2019-07-17 11:50   ` Thomas Huth
2019-07-08  7:24 ` [Qemu-devel] [PATCH 3/3] Add dbus-vmstate object Marc-André Lureau
2019-07-08  8:41   ` Juan Quintela
2019-07-08 16:11     ` Eric Blake
2019-07-10  6:14   ` Paolo Bonzini
2019-07-10  8:05     ` Daniel P. Berrangé
2019-07-08  8:01 ` [Qemu-devel] [PATCH 0/3] Add dbus-vmstate no-reply
2019-07-08  9:35 ` no-reply
2019-07-08 15:44 ` Dr. David Alan Gilbert
2019-07-08 16:08   ` Daniel P. Berrangé
2019-07-08 16:04 ` Daniel P. Berrangé
2019-07-09  8:26   ` Marc-André Lureau
2019-07-09  9:01     ` Daniel P. Berrangé
2019-07-09 10:47       ` Marc-André Lureau
2019-07-10  9:10         ` Daniel P. Berrangé
2019-07-10  8:53   ` Paolo Bonzini
2019-07-10  9:03     ` Daniel P. Berrangé [this message]
2019-07-10  9:54       ` Paolo Bonzini

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20190710090350.GC30831@redhat.com \
    --to=berrange@redhat.com \
    --cc=dgilbert@redhat.com \
    --cc=lvivier@redhat.com \
    --cc=marcandre.lureau@redhat.com \
    --cc=pbonzini@redhat.com \
    --cc=qemu-devel@nongnu.org \
    --cc=quintela@redhat.com \
    --cc=thuth@redhat.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).