[ovs-dev] [PATCH 2/2] xenserver: Support network names with spaces

Justin Pettit jpettit at nicira.com
Tue Mar 2 17:09:38 UTC 2010


On Mar 2, 2010, at 5:50 AM, Ian Campbell wrote:

> XenServer 5.6 has role-based access control so not all root access (via
> the XenAPI at least) is equal. To be honest I'm not sure what the
> available roles are but I worry that someone might be able to escalate
> their supposed privilege. (I'm pretty sure ssh/console login is a
> specific separate role).

That thought had crossed my mind, but since I haven't played with that part of the 5.6 betas, I wasn't sure at what granularity roles are defined.

>> I haven't had a chance to look at Ben's fix yet, but he wasn't certain
>> that it wasn't going to have its own problems with having to taint
>> user input.  Until we have something that we're certain actually fixes
>> the problem and has the security implications thought through, it
>> seemed reasonable to at least allow the default case to work in a
>> feature branch.  All that said, if this still gives you the
>> heebie-jeebies*, I'm happy to hold off if you don't think it's the
>> bee's knees.
> 
> Perhaps we could leave it out for now? (Sorry, I couldn't find a
> suitable rhyme). Its absence isn't a blocker for the current drop and
> there's certainly scope for putting it back when we figure out the
> issues.

Okey-dokey.

> What about adding an option to ovs-vsctl which takes a xenstore root and
> pulls the extra keys out itself? Since ovs-vsctl is in a "proper"
> language(*) it ought to be trivial to get the quoting correct. Something
> like "set interface vif${DOMID}.${DEVID} xs-keys=${PRIVATE}".
> 
> It's a bit skanky to build the XS specific knowledge into ovs-vsctl
> though. At the risk of completely over-engineering things, what about
> allowing ovs-vsctl to call out to one or more hooks to provide this sort
> of additional data for various commands?

I'll see how things are looking today.  If we have time, we'll try to come up with a more permanent solution than my original patch that makes us all happy.

> (*) I was expecting python but it seems to have become a compiled binary
> at some point...

It's been changed in the "next" branch.  It was originally written in Python to be used to aid scripts in parsing certain parts of the ovs-vswitchd.conf file.  With the new config db, we mere humans (I'm not including Ben here) need help grokking config, too.  It was rewritten in C to interact with the IDL and can manipulate and display every aspect of the vswitch's config.

--Justin
