From: Michael Tremer
To: development@lists.ipfire.org
Subject: Re: Libvirt on IPFire
Date: Sat, 19 Mar 2016 13:16:30 +0000
Message-ID: <1458393390.17935.35.camel@ipfire.org>
In-Reply-To: <1458376970.2003.2@smtp.gmail.com>

Hi,

thanks for getting in touch.

On Sat, 2016-03-19 at 09:42 +0100, Jonatan Schlag wrote:
> Hi list,
> in October 2014 I began to build libvirt for IPFire. This failed the first
> time and second but now I tried it the third time with a lot more knowledge
> and it works well.

This is indeed something I would personally like to see in IPFire. Although I
have many reasons why this is a bad idea...

> So I have a running libvirt daemon on my IPFire (Arch is x86_64 works very
> well by the way) and want to ask if the project is interested that the libvirt
> package becomes an official addon.

It must be an add-on so that users do not have to install it if they don't
wish to do so and to reduce attack surface.

> It could save a lot of work because everybody has the chance to install what
> he wants in a virtual machine. Also, I think it is safer to put my own cloud
> into a virtual machine than to put it directly on my IPFire. Also, it could
> save energy because a home user has to run only one real computer.

It is probably not more secure to run a KVM machine. Breaking out of that is
easy enough. However, I would also like to see some things installed on a
different system instead of on IPFire itself. Just because I think that there
are better distributions out there to host owncloud and similar things. It will
also allow migrating this functionality from a physical machine to IPFire or
from IPFire to a physical machine later.

> Otherwise, libvirt is one more security risk and it is possible to break out
> of a virtual machine and attack the host.
> So these are some security aspects, but in the moment, I think there are more
> benefits than disadvantages.
> But I would like to hear your opinions on this topic.
>
> So what are the dependencies for libvirt and what have to be done on existing
> packages.
>
> Hard dependencies
>
> util-macros
> libpciaccess
> libyajl
>
> nice to have ( increase the usability)
>
> opus
> python-six
> python-pyparsing
> spice-protocol
> spice
>
> These packages provide a protocol similar to vnc (http://www.spice-space.org/)

These look okay. Basically anything that is free software and actively
maintained upstream should be okay. Please consider reducing size as best as
you can. It does not have to fit into a megabyte all together, but avoid adding
things that are not useful.

> optional ( create errors on start up but nothing more)
>
> pm-utils
> dmidecode

Add these too.

> what have to be done on existing addons
>
> nmap: update to the latest version
> (to have a ncat version which supports the -U options, this is required to
> communicate over a normal ssh session)

Please send updates as individual patches up front.

> ebtables: create some links
> (libvirt search in the wrong directory for the binaries)

Where?

> dnsmasq
> enable
> HAVE_DHCP
> HAVE_SCRIPT
> HAVE_TFTP
> but I have to check this again on i686 HAVE_SCRIPT is enough, in the moment I
> have not the time to test where the problem is, but I will do this in the
> next weeks.

This will probably be a bigger issue. We are using dnsmasq just as a DNS proxy
and do not use the DHCP component. If that should be used we either have to
disable this in our other configuration or ship a second copy. I would like to
avoid the latter.

> So that is it.
> Now I am waiting for your opinion and what you think about this :-).

Do you have code for this already? Do you have a git repository or do you need
one? We could host things if needed.

> Regards Jonatan
>
> Ps. I would maintain these packages if they become official packages.

That is a huge requirement. We just don't have the manpower to do this
ourselves. Although we are keen to support you whenever needed.

> PSS. I use a new e-mail address because my old one is currently blocked by
> this server.

Which one is that? Could you maybe email me details about that in private?

Best,
-Michael