[pve-devel] Running KVM as root is a security issue
Wolfgang Bumiller
w.bumiller at proxmox.com
Mon Jul 27 21:49:19 CEST 2015
> > A document is already describing something similar.
> > http://docs.ganeti.org/ganeti/2.13/html/design-kvmd.html
>
> I always tried to avoid that.
We can still use a shutdown "script", but it needs to be something
that can be compiled in order to get the necessary capabilities.

Hmm, what's actually the current behavior regarding network interfaces
when a kvm process is SIGKILLed?

Also... tap devices can be made non-persistent. I wonder if there's a
nice way to hand over a non-persistent tap device to qemu. It would
then automatically be removed when the process shuts down.