On Mon, Sep 14, 2015 at 11:47 AM, Karel Hendrych <k+centosv...@karlos.cz> wrote: > Good test, non-buffered dom0 dd write speed is similar with tap2. > > I'll likely stay with the QEMU backend. Are there any best practises > regarding security, at least if QEMU can operate under non-root account?
Not at the moment. Fortunately the attack surface from guest -> qemu in this case is fairly small (just the PV block interface). qemu deprivileging is on our short list of things to look at though. We've already had patches for deprivileging qemu when acting as a stub domain; those will probably make it for 4.7. I'll add qdisk to the list. If you really want to get your hands dirty you could try to set up a storage driver domain; but that's really not as simple to set up as it should be. Hope that helps. -George _______________________________________________ CentOS-virt mailing list CentOS-virt@centos.org https://lists.centos.org/mailman/listinfo/centos-virt