
New Developments and Advanced Features in the Libvirt Management API


Formal Metadata

New Developments and Advanced Features in the Libvirt Management API
Title of Series
CC Attribution 2.0 Belgium:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Release Date

Content Metadata

Subject Area
Topics to be covered in the talk include

* Capabilities for mutual exclusion / locking of guest disk images
* Fine grained access control against individual operations, users and objects in the API
* The sVirt mandatory access control framework
* Auditing and structured logging via the systemd journal
* Integration with systemd and cgroups for resource management

In the 8+ years since it has been founded, the libvirt project has grown to become the leading open source API for the management of virtualization hosts, with a strong focus on supporting the open source virtualization & container technologies, KVM, QEMU, Xen and LXC. Many people working in the open source virtualization management space already have an understanding of the core features and architecture of libvirt. This talk will thus focus on a selection of recently developed features and of some of the other important, but less well known, features of libvirt. The talk will be targeted at virtualization application developers using libvirt, with a bias towards those using KVM or LXC. At the end of the talk the audience will better understand how to take advantage of libvirt for their development need

I've been working on the libvirt project for about 7 or 8 years now; the time just flies. I'm going to talk about the libvirt project, and about a number of features that we've developed over the last year, and also some that are probably less well known but interesting and useful to application developers building virtualization applications. I assume a low level of knowledge of libvirt and virtualization, but for those of you who have never heard of libvirt: at its core it is a stable C library API, with a number of language bindings for languages like Perl, Python and Java, most of the ones you do care about and some you don't care about.

We try to be a pretty simple-to-use API, and one of the key points is that we are a stable API. That means that in all the time libvirt has been going, we've never broken the API in an incompatible manner, so if you write an application today, the goal is that you can run that application against libvirt in 10 years' time without problems.

It's a cross-platform API and it's a cross-hypervisor API. We support most hypervisors you can name: KVM, QEMU, Xen (both the open source and commercial versions), to some extent Hyper-V, VMware ESX and the other VMware variants that use the same API, the Power hypervisor, LXC containers, Parallels. There are probably others I'm forgetting, but you get the message: we're cross-hypervisor portable, and LGPL-licensed.

On the libvirt architecture, there are basically two modes in which libvirt works. One is what we call the stateless architecture. This is where you're just using the libvirt library, and it is talking to some other external system that maintains the virtualization state. This architecture is used most notably for the VMware ESX driver and the Microsoft Hyper-V driver, because in both cases you've got an external management server that is maintaining all the information about the virtualization hosts, so libvirt does not maintain state itself.

The other type of architecture is what we call the stateful architecture, and this is what we use when there is no other component in the stack that is maintaining state. We use this for QEMU and KVM. In this case the libvirt library is talking to the libvirtd daemon, and the daemon maintains state about the virtualization hosts. You can see in this example that the application talks to the libvirt library, and the library uses a generic RPC mechanism to talk to the libvirtd daemon, which talks to the QEMU processes; in the case of QEMU that is over the QEMU monitor interface. So that's a very high-level view of the architecture in general, and I want to get
on to talking a bit about some of the interesting features that you may or may not be aware of.

When you're running virtual machines, the vast majority of the time you have some storage attached to the virtual machines, and unless you're running a cluster file system inside the virtual machine, you don't want to have two VMs using the same disk at the same time, because if you have an ext3 file system inside your guests and two of them write to it at the same time, your data is going to get corrupted. So that's one scenario. Another scenario involves a single guest where you're doing, say, live migration from one place to another: you need to make sure that one virtual machine doesn't end up running on both hosts at the same time, as again bad stuff is going to happen to your data.

So libvirt has some notion of access modes associated with each disk. A disk can be set up so it's read-only, in which case it's safe to share amongst as many guests as you like. A disk can be set up as shared writable, in which case again it can be attached to multiple virtual machines, but if you're using this shared writable mode you must be using a cluster file system or some other software which is aware of the fact that you can have multiple writers at the same time. The default mode for disks is read-write exclusive, and in this case only one VM can access any one disk image at a time. Those are the access modes.

Now the dirty little secret that you may or may not be aware of is that libvirt never really enforced this very well: you could set up your disk as read-write exclusive and libvirt was never going to stop you running two guests using the same disk. So in the past one or two years we introduced a new infrastructure in libvirt for disk lease or lock management, and this is a way of actually enforcing these access modes.

The first implementation we did of this was using a technology called sanlock, which was developed by the oVirt project. sanlock uses something called the Disk Paxos algorithm for maintaining active leases on virtual disks. The actual sanlock locking mechanism doesn't lock your disk images directly; you have a quantity of storage set aside as your storage for holding leases, and it is up to the management application how it associates leases with disk images. You can read more about that from the sanlock project. Although you can use it with storage on NFS, the sanlock maintainers really don't like you doing that; they really want you to use SAN storage for maintaining leases.

When it's integrated into libvirt there are two ways it can work: what we call the manual approach and the automatic approach. In the manual approach the management application, say oVirt, is responsible for saying this lease is associated with this disk image, and libvirt just uses that information. When the guest starts up, libvirt will acquire all of the leases that are associated with that guest, and only if it manages to acquire all the leases will the guest startup actually succeed.

In the automatic approach you don't have to do any special configuration. In automatic mode libvirt will automatically create one lease for each virtual disk associated with your guest. There are pluses and minuses to using automatic mode versus manual mode. If you're an application like oVirt or OpenStack then manual mode is probably what you'd be using, because it gives you much greater control of exactly how your leases are stored and maintained. If you're doing a lightweight virtualization management application and you don't want to have to worry about this too much, then the automatic mode will do what you need most of the time.

One last thing about sanlock leases: it is an active lease mechanism, so leases are being continually refreshed. If there are any I/O problems refreshing a lease, that is detected immediately and the virtual machine is immediately fenced: the QEMU process is killed. That gives good response time to storage failures or locking problems, whatever they may be.

Now, one of the limitations of the sanlock approach, as I mentioned, is that the sanlock developers only like using it with SAN storage. So if your storage is all placed on some shared file system like Gluster or whatever you might be using, sanlock is not really the solution you want. So we developed a second locking implementation, which we call virtlockd, and this is not intended to be the default locking mechanism in libvirt when you deploy it in the absence of any other configuration. This just takes locks using the POSIX fcntl locking mechanism. The only requirement is that this POSIX feature is supported by the file system. The majority of file systems support this, though you get the odd cases where it's either not supported or the file system developers advise against using it. I think Oracle OCFS2 was the last cluster file system I heard of which didn't really like using fcntl locks; I can't remember the exact reason why. But in the majority of cases this is going to be workable on shared file systems.

At this point in time it only works with the automatic method, where libvirt automatically determines what locks are needed. The way we do that is based on the file path of the virtual disk's backing store: we will take a SHA-256 hash of the file path, and that's the default mechanism. You can also tell it, if you're using LVM storage, to do locks based on the LVM UUID, and if you're using Fibre Channel or some other SAN storage mechanism, you can tell it to do locks based on the SCSI unique ID of the LUN. That's slightly better than doing it based on the file path, because if your storage appears at different file paths on different hosts, the latter two mechanisms are stable across hosts, so it's slightly safer.

Looking at the architecture, how does that change when you turn on locking? The answer is not really very much: there's a new driver inside libvirtd which talks to virtlockd using a simple RPC mechanism. Whenever you start a guest, the first thing it does is talk to virtlockd and ask it to acquire locks on all of these disk images, and only if that succeeds will the QEMU process then actually be started. These locks are also released and reacquired whenever you pause the virtual machine, which is the key to making migration work. That's enough
about disk locking. The next thing I want to talk about is access control.

Historically libvirt had a very simple access control mechanism: if you're talking to libvirt over Unix domain sockets, you can either talk to it over the read-only socket or the read-write socket. That basically does exactly what it sounds like: if you talk to the read-only socket you can get information about your virtual machines and your host but can't make any changes, and if you talk to the read-write socket you can do whatever you like with no restrictions whatsoever. This is fine for many applications: OpenStack, oVirt and those applications basically want to be able to do anything at any time, so that's no problem. Other applications, say a monitoring application, only ever want read-only access to query libvirt.

But every now and then people crop up on the mailing list saying they want to do fine-grained access control, so they want to say user Frank can access this virtual machine and he can do X, Y and Z operations on it. So we developed an access control mechanism in libvirt which allows you to express rules like that. This access control mechanism operates across all of the drivers that live inside libvirtd: that's KVM, QEMU, LXC and User-Mode Linux, if anyone really uses that still. The access control mechanism doesn't affect the stateless drivers like VMware or Hyper-V, because that would be really pretty pointless: if we did access control in libvirt, clients could get around the access control just by talking directly to the ESX server. So we don't even attempt to do access control for those drivers; we only control things where libvirtd has the exclusive right of access to the functionality.

The access control mechanism was done in a pluggable manner because we anticipate that over time people will want to integrate with different access control mechanisms, but we explicitly don't want to allow closed-source, out-of-tree plug-ins. All of the access control plug-ins will be open source and maintained as a normal part of the libvirt development process. So although we have a pluggable framework, it isn't a free-for-all for anyone to do whatever they like. If you have other requirements for access control mechanisms, come to us with a proposal and we can work them into libvirt.

The first, and currently only, access control mechanism we have is based on PolicyKit. Every libvirt API has one or more permissions associated with it, so when you read the API documentation it'll tell you exactly what permissions are required for which API. Then we map those permissions onto PolicyKit actions, so if you want the start permission on the domain object, that maps to the PolicyKit action called org.libvirt.api.domain.start. There's a whole bunch of these permissions, which you can again find in the online API documentation for libvirt, so you can figure out what the mapping is.

The second part of the information you need to know is how to identify the object you're managing. For a virtual machine, for example, there are three unique identifiers: there's an integer ID, there's a human-friendly name, and there's a globally unique identifier, the UUID. So there's a variety of different ways to identify the objects that you're wanting to control.

Finally, you need to identify the user you want to restrict access for. Partly due to limitations of PolicyKit, we can only identify local Unix users, so this mechanism is only useful if the thing you want to control is running on the same host as libvirtd and talking to it over the Unix domain socket. You really need to know the local Unix user ID.

Once you have all that information, the permission, the object and the user, you can go about defining some rules. PolicyKit uses JavaScript, so your actual access control rules are written in JavaScript. There are a number of objects provided to you: the action object, which tells you which API it is, and the subject object, which tells you the user who is invoking it. The action object also has a number of properties which identify the object. In this short example I'm looking at the API permission, the user, myself, and looking only at the LXC hypervisor; if all those things match then we allow access, and if they don't match then we deny access.

This is a trivial example and is not really the way you'd do it in the real world, because if you had to define every individual permission for every individual object you'd get a JavaScript file tens or hundreds of thousands of lines long. In the real world you'd probably define a set of roles, define sets of users which have the same role and sets of objects which you manage the same way, and then write your rules in terms of roles and groups of objects. That greatly compresses the number of rules you have to write. We don't provide anything particularly helpful for this at this time. This is fairly new functionality, and we're really looking for people to try it out and give us feedback on what works, what doesn't work, and what extra things would be helpful for libvirt to provide in this area.

The reason why we chose to use PolicyKit as the first engine for access control is because we had the idea that you could write JavaScript to integrate with LDAP: you would define all of your rules in an LDAP database and query them from JavaScript, hooking PolicyKit up to an LDAP rules database or whatever other database of access control rules you might have. Once again, we're looking for feedback on whether this actually works out in practice, or whether we need to write dedicated authentication back ends as an alternative. We need feedback in this area. So that's the
access control. Now a little bit about sVirt.

sVirt is the generic term for our virtualization security framework. This started out with an implementation for SELinux, and the idea here was that you're running lots of virtual machines; each virtual machine is a QEMU process, and while QEMU is attempting to be secure, and if they've got the code exactly perfect it might be secure, QEMU actually has defects; this may come as a surprise to some people, or maybe not. So the idea with SELinux is that we have an extra line of defense. In the event that there's some flaw in QEMU that allows the guest to break out into the host, SELinux is used to confine that breakout within the QEMU process, so the guest can compromise QEMU but it can't compromise the entire host.

The QEMU processes are also all running as the same user ID by default, so if you compromise one QEMU you can easily compromise all the other ones. SELinux also protects against that, so one guest can't get at the other guests' disks.

This has been around for quite a while, but in the past year or two we've made this a bit more flexible and given more choice over the SELinux domain that is used. It now works with both KVM and QEMU emulation modes. You can even define custom types for the labeling, so if the standard SELinux policy doesn't work for you, you can write a custom SELinux policy and tell libvirt to use that one instead. We've also made it possible to override the labeling on individual disk images, so if you have some disk images you want labeled one way and other disk images labeled a different way, you can now do that.

The other thing about having the framework is that we have now introduced a proper discretionary access control mechanism. A few minutes ago I said every QEMU process runs as the same user ID; well, now it's possible to give them all their own unique user ID, and so rely on traditional Unix permissions to separate your QEMU processes securely. Currently you have to assign those user IDs to guests statically, and libvirt will take care of dynamically setting the ownership of the disk images to match whatever user ID the guest runs as.

Slightly related, and also not
entirely related, is audit logging. If you want to keep track of who's doing what on your virtualization hosts, and you want to know what operations have happened, the audit log provides a way to find this out. Whenever libvirt starts or stops a virtual machine it will generate an audit record for that operation, saying when it started, what SELinux domain it is running under, the UUID of the guest, and a few other pieces of information. It will also tell you how many virtual CPUs the guest has, how much memory was assigned, and all of the disk images that were assigned to that guest, so you can look back in your audit log to say which guest was accessing this disk image at what time. You can find out what networks it was connected to when it started, what hotplug operations were done, and what cgroups access control settings were made for block storage. So there's a whole lot of audit information recorded about a virtual machine any time any change is made to it, so if you have an exploit you can look at the audit logs and find out what a guest was allowed to do, and that may help you diagnose the problem.

There is also general diagnostic and debug logging. Historically we used syslog, but now that systemd is available in many distributions we've integrated with the systemd journal, so all log information is sent to the journal by default if it's available, in a structured format. That makes it a lot easier to extract information from the logs programmatically and match on anything, right down to individual source file lines.

The last thing I've got time for is cgroups integration. Libvirt has integrated with cgroups for quite a long time, but the way we did that integration was not really very useful, it turns out. The way we laid out cgroups in a very deep hierarchy caused a lot of pathological kernel performance problems, to the extent that it was completely unusable if we had large guests or lots of guests running. The kernel guys have thankfully fixed most of the kernel problems, and at the same time we simplified the way libvirt uses cgroups to avoid tickling those problems in the first place.

The top example there is the old way, where we had three levels of cgroups. In the new way, if you're not using a systemd host we've got one naming convention; if you are using a systemd host then we rely on systemd to create the cgroups for us, so we use the systemd naming convention. The key takeaway is that at the very top level you've got a group, and at the next level you've got a bunch of machines, so you can now easily set up arbitrary groups of virtual machines and apply resource controls to whole groups of VMs at a time.

You do this in the XML configuration for the guest, where you can name a resource partition. On a non-systemd host that maps onto a cgroup directory using a very straightforward naming convention. On a systemd host we're using the systemd naming conventions, so the VM groups have ".slice" appended to the name (slice is the systemd name for a generic resource group), and the virtual machines have ".scope" appended on the end of the name. This example has two levels of grouping, so you can have multiple levels of grouping of virtual machines.

Once you've set up your cgroups there's a whole bunch of performance tunables that become available to you. You can set up relative CPU weighting, which is the CPU shares tunable, or you can set up absolute time slices, by setting the quota and the period, both in microseconds. Related to
tuning CPUs and you can set up the named CPU models if you have some CPU model you would get you to get some generic default the KVM things applicable and you another be making best use of the all a your Intel or AMD features so that you really wanna set up named CPU models which is closely match your physical CPUs as possible you use these every last ounce of velocity of calls did memory and this
is another another very important thing if you want to maximize the utilization of your hardware as dictated by the NUMA machine if you're not doing um NUMA placement then your straight away and the
benefits of the machine in the you can control this manually by telling that that's
what the memory nodes you want said at the end of
or you can tell me what do it automatically then the automatic case the model talks about something called numad and this is just a very simple model at the moment when the this NUMA notice that a lot of
resources for what is the average and it is also 1 have control over what you want
to use huge pages and
again this this give you a bit of a performance benefits although with sort of string kernels you now have automatic huge page supports there's not as much benefit doing huge page manually anymore the and you can also turn on and off there the memory sharing so if you have lots of virtual machines all running same software stack chances are legal lot of memory pages which have the same data in them and so there's something called that a feature comparison which might
find as many pages which are identical and merge them so you only have 1 copy of this memory
page shared amongst but multiple virtual machines and the gets the higher density of virtual machines this value can squeeze more virtual machines into your and who the and what they can also define various limits on how memory is used by such machines and whether our shared physical rarely have uh I was the grass that guaranteed to have a a few other
things in the all and only the output disk you tho because at a whole bunch of policies against virtual disks insects
and how many I/O operations per second there about how much the and mean bytes per second they're allowed and he also said there's only 1 of the 11 level as a whole serious if such machines using physical property prices you can even set of policy against individual physical block devices will to and all of a disk so that the end users so that the end use on land lives on a block storage and so it
is but it has this is not the last
slide the old men where again dataset of various policies on and bandwidth utilization which just delegates to the next extract shape and that's basically it's less of wage floor of some of the features of libvirt that arrived in the
last year that's a useful for application developers to know about the rest of your heart so now we gotta find 10 minutes for questions 5 5 minutes for questions if anyone has any the the OK again the
the 1 question that I got actually 3 questions the produce about talking about applications of about 1 simple application which is which which are like a little stress that man it's the best I can generate good with the shell and I can also you will use words miniature firmly lazy and about this whole thing is you told about the would probably related to virsh you can blend implemented in the new feature in virsh as well like like you said the bubble locking thing and think of like that at all part application like verify that's what the goal of our State as directly to the functionality to the Administrator we don't we inside we don't fully policy and that's what we want we really people control of the so we don't want to make use of this blocking they have to explicitly specify that in in the configuration they provide a bunch machines but there won't be something like an example of the option where can say do walking the election remained in the domains this cation Solomon locking because of the whole you have administrator you can turn on locking on the highest and all that machine bind the habitat loss properly you have but will like to do the the the little machine like this said about that mn locking thing that you have to do you have in Europe and explicitly specify the law in XML iteration but it's possible that and OK and then the second I try to keep vote them you saw this book about PolicyKit and and and you have you thought about using them in a larger bill against in mobile and that yes we have but it's it doesn't really it is we do what we needed to do as far as I'm afraid I can't tell if and only if you said he think otherwise the freedom rides out of my response and I think efficiently tractable OK always and then use both the bulk of the units in the back and you want to use that x about the UDC the bag and yet the esthetic through with the bald local users but when I would use the yellow pages them the I can do that always had the opening of 
the use of having any application connected with the Unix domain sockets as a navigation anything over that the the sockets OK but if you make the main focus we can bring our query what the user ID on the other end of it and that the third I'm quite sure about the the CPU model about the features like that they emanates for example that uh and all those things that the multithreaded CPU so when I got the 1 CPU with that say 8 cores about got 16 we st can I use the the feature at 60 wins or just that nearly as paying a fee and actually doing what the impending firing of the you I can only go see the same feature set but it you can use them at the same time the mean of the virtualization take care of take care about alienating the lot but the this is is from this is that then can they use let's say this is the 4th 1 is something for all 60 machines ended yet with that I think I had a 5 questions that come find me haven't always opposite there have got questions
thank students you know what the