On 11/08/2009 10:43 AM, Arnd Bergmann wrote:
btw, shouldn't we, in the general case, create a bridge per user and use
IP NAT? If we have a global bridge, users can spoof each other's MAC
addresses and interfere with their virtual machines. They can also
interfere with the real network.
That's not a concern with most one-user-per-machine configurations, but
the default configuration should be safe.
It also depends a lot on what you want to do with the virtual machine.
If you want to run a game or a legacy application in a different operating
system on your desktop, a NATed bridge is ideal, but it does not work
on a server if the guest wants to listen on a socket with its own IP address.
Yes. It also depends on what the system administrator wants you to be
able to do. On desktop machines you are usually the system
administrator so there is no problem. But we should beware of making it
easy to subvert security.
There is also the problem of accidental MAC overlap - qemu uses the same
MAC address for all virtual machines unless overridden, so if two users
create a virtual machine without specifying MAC addresses they will
trample each other. A single user could also have trouble launching two
guests; that's not a security problem, but will lead to a lot of
annoyance and false bug reports ("networking dies as soon as I launch a
second guest").
--
error compiling committee.c: too many arguments to function
