blob: e442f2653531f95ea32228b1f9a9c0e403f2b585 (
plain) (
blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
|
semantic: 0.708
device: 0.667
graphic: 0.607
network: 0.594
hypervisor: 0.588
mistranslation: 0.550
register: 0.476
ppc: 0.471
permissions: 0.454
socket: 0.453
user-level: 0.451
vnc: 0.416
architecture: 0.410
kernel: 0.408
PID: 0.394
virtual: 0.390
boot: 0.364
risc-v: 0.343
files: 0.316
debug: 0.316
VMM: 0.315
TCG: 0.314
i386: 0.291
arm: 0.263
performance: 0.213
x86: 0.202
assembly: 0.195
peripherals: 0.142
KVM: 0.123
RBD Namespaces are not supported
Ceph Nautilus (v14.2.0) introduced the Namespaces concept for RADOS Block Devices. This provides a logical separation within a RADOS Pool for RBD images which enables granular access control. See https://docs.ceph.com/docs/nautilus/releases/nautilus/ for additional details.
librados and librbd support this, however qemu does not. The rbd man page defines how rbd images within a namespace can be referenced. https://docs.ceph.com/docs/nautilus/man/8/rbd/#image-snap-group-and-journal-specs
Adding support for RBD namespaces would be beneficial for security and reducing the impact of a hypervisor being compromised and putting an entire Ceph pool or cluster at risk.
I just posted a patch today on the qemu-devel mailing list, you can find it there : https://lists.gnu.org/archive/html/qemu-devel/2019-12/msg04344.html
Thanks for adding the support. I was actually already play-testing your patch. I'll respond to the mailing list soon.
Patch had been included here:
https://gitlab.com/qemu-project/qemu/-/commit/19ae9ae01471552
|