blob: e379e7684dec36151c36a4c5599dc44f0b705ca1 (
plain) (
blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
|
RBD Namespaces are not supported
Ceph Nautilus (v14.2.0) introduced the Namespaces concept for RADOS Block Devices. This provides a logical separation within a RADOS Pool for RBD images which enables granular access control. See https://docs.ceph.com/docs/nautilus/releases/nautilus/ for additional details.
librados and librbd support this, however qemu does not. The rbd man page defines how rbd images within a namespace can be referenced. https://docs.ceph.com/docs/nautilus/man/8/rbd/#image-snap-group-and-journal-specs
Adding support for RBD namespaces would be beneficial for security and reducing the impact of a hypervisor being compromised and putting an entire Ceph pool or cluster at risk.
I just posted a patch today on the qemu-devel mailing list, you can find it there : https://lists.gnu.org/archive/html/qemu-devel/2019-12/msg04344.html
Thanks for adding the support. I was actually already play-testing your patch. I'll respond to the mailing list soon.
Patch had been included here:
https://gitlab.com/qemu-project/qemu/-/commit/19ae9ae01471552
|