<interface type='user'> versus <interface type='vhostuser'>:
- Seems like only
vhostusersupports unix domain socket files but requires shared memory. userdoesn’t need shared memory but doesn’t support unix domain socket files.
That’s a mess. Need to find some way to configure libvirt / qemu command line so it fulfills both requirements, unix domain socket files + no shared memory.
Path:
If avoiding AppArmor (and sVirt [1]) issues is a consideration, it’s best to keep standard paths, i.e. keep using: $HOME/.local/share/libvirt/images
/opt or /srv is probably the wrong choice.
If it should be something else… The system wide standard path chosen by libvirt is inside /var/lib. The standard path is /var/lib/libvirt/images. So that would indicate to use some newly invented path inside /var/lib or /var/lib/libvirt.
The problem with any folder outside of $HOME is that rebooting into sysmaint session is required. Creating folders inside /srv or /opt requires sudo/root (sudo mkdir) and then makign the folder accessible to yourlinuxusername (sudo chmod).
Any setup instructions that require sudo/root and booting into sysmaint mode are more complicated than telling users to edit the libvirt XML files and go with standard paths. I think.
/home/user/.local/share/libvirt/images and a libvirt feature request to support $HOME seems to be the most simple, standard compliant and reliable solution.
Has been added to the PR in commit 2.
Tested, confirmed issue?
Potentially ask:
- ChatGPT
- Claude Code
- Upstream libvirt mailing list.
I think our first priority here needs to be being fail-safe and leak-proof.
Inspection of inter guest traffic can be treated as a lower priority. That should be possible with both IP and Unix domain socket files. One can always add a proxy in between.
If there’s a host IP address, it seems like host VPN software (or corridor) can break it.
Unix domain socket files will be unaffected. So that’s the gold standard. Also, Unix domain socket files are subject to standard Linux permissions, so there may be an opportunity to harden access to them.
Unix domain socket files for VM-to-VM internal traffic likely fix VPN killswitch issues reliably once and for all. With Unix domain socket files, there is no host IP address or host network interface to interfere with. From the perspective of any firewall rules on the host, it’s just yet another file on the file system, so it does not notice it.
[1] Depending on whether sVirt is functional today or at some point in the future.