On Mon, Dec 08, 2014 at 09:48:12AM +0000, Daniel P. Berrange wrote:
> My long term desired approach to deal with this problem in OpenStack (and
> other libvirt based mgmt apps) is to have a separate log daemon in libvirt
> eg a virtlogd daemon. Take QEMU out of the business of writing to files
> entirely and instead it would always just be given a pipe FD which is
> connected to the daemon. This avoids the need to give QEMU permission to
> open files at all, which is in line with our general security strategy for
> host resources QEMU accesses.

Hi Daniel,

That sounds like a good plan and would certainly address the openstack case, but I still feel like having something in qemu is a good idea, as that doesn't stop an alternate fix in libvirt and it helps users that aren't using libvirt and qemu together.

Having said that, I'm willing to be directed by the qemu community. If they feel that a libvirt-only fix is best then that's where I'll spend my effort.

Yours Tony.