/srv/irclogs.ubuntu.com/2016/04/28/#ubuntu-s390x.txt

[11:15] <mihajlov> xnox, as a follow-up to the discussion you had with macjl, guest migration between different KVM versions needs more consideration than the security driver used
[11:17] <mihajlov> e.g. the target hypervisor must understand and support the machine type as defined on the source hypervisor
[11:19] <mihajlov> a guest defined on KVM for IBM z will by default have a machine type of s390-ccw-kvmibm-1.1.1
[11:20] <mihajlov> which won't be accepted by an upstream QEMU
[11:22] <mihajlov> one could define the guest with machine type of s390-ccw-virtio-2.4 on the KVM for IBM z hypervisor which would allow the migration to an upstream hypervisor (like Ubuntu)
[11:23] <xnox> mihajlov, right.
[11:24] <xnox> mihajlov, forgot that part. When I saw this different machine type, I was slightly surprised and confused why a new one got defined.
[11:24] <xnox> mihajlov, I can certainly take that machine type as a patch to Debian & Ubuntu qemu, if we do in fact support / are compatible two way between 2.5 and e.g. s390-ccw-kvmibm-1.1.1
[11:25] <mihajlov> regarding the selinux <-> apparmor conversion I have doubts whether an automatic conversion can be vouched to be safe
[11:25] <xnox> true
[11:26] <mihajlov> as a potential way out, it is possible to send a modified domain XML over to the target machine using the --xml option on the migrate command
[11:26] <xnox> mihajlov, I wonder if we can, and/or should enable selinux in qemu on ubuntu. we have selinux enabled in a bunch of things
[11:26] <mihajlov> where you could omit the security driver
[11:26] <xnox> (and e.g. smack too)
[11:26] <xnox> mihajlov, would z/kvm accept --to-ubuntu flag? =)
[11:27] * xnox is biased and wants everything on ubuntu ;-)
[11:28] <mihajlov> xnox, wrt selinux on Ubuntu I am not a security expert but I thought you'll have to choose one method for your system?
[11:29] <xnox> apparmor is default and integrated throughout.
[11:29] <xnox> however other systems are available too, for those that want to use them.
[11:29] <xnox> e.g. we had selinux enabled in upstart as pid 1, because there are selinux use cases that people reasonably use.
[11:29] <mihajlov> xnox, regarding the flag: to have one would be less of a problem (of course it would be one upstream) than the semantic associated with it
[11:30] <xnox> --insecure or some such =)
[11:30] <mihajlov> there's no way to "downgrade" a running virtual machine without impacting the guest
[11:30] <xnox> I dunno if libvirtd can do multiple security models simultaneously.
[11:30] <xnox> ouch.
[11:35] <mihajlov> would be a matter of testing I think
