On 22/02/2013 14:02, Dietmar Maurer wrote:
> 
>>>>> Why is this needed?
>>> Security? I don't want that another process can write nonsense into my
>>> backup.
>>
>> They can already write nonsense to your iSCSI target, can't they?
> 
> I am more concerned about software bugs. You need to find a free port, and
> then pass that port to kvm. If the original server dies, it is likely that
> another process starts using the same port ...

Hardly specific to this case, but indeed you're right.

>> But you can always sandbox using SELinux, if you care about that, or use a
>> Unix socket + SCM_CREDENTIALS.
> 
> Unix sockets work with qemu nbd code?

Sure.  nbd+unix:///exportname?socket=path is the new URI syntax, I
honestly forgot the old one.  SCM_CREDENTIALS checks (qemu-nbd --pid or
something like that) are not supported, but patches would be very welcome.

Paolo

