On Fri, Sep 12, 2014 at 06:42:08PM +0200, Pavel Hrdina wrote:
> On 09/12/2014 06:25 PM, Daniel P. Berrange wrote:
> >On Fri, Sep 12, 2014 at 06:10:44PM +0200, Pavel Hrdina wrote:
> >>There was a bug that if libvirtd binary has been updated then the
> >>capability file wasn't reloaded therefore new capabilities introduced
> >>in libvirt cannot be used because the cached version was loaded.
> >>
> >>Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1135431
> >
> >That bug is all about FIPS support.
>
> Yes it's about FIPS support but it's already in libvirt. I've tested it
> and actually by removing cached file to force detect new capabilities and
> after that it worked.
>
> Now I realized that even checking the selfctime during start of libvirtd
> isn't sufficient because you can enable the FIPS support for kernel without
> updating the libvirtd binary.

Ah, so the actual bug is that the capabilities we detect have a dependency
on (libvirtd binary, qemu binary, sysfs/procfs settings).

It is pretty difficult to deal with sysfs/procfs changes & caching here,
since there's no way I know to detect when sysfs/procfs settings change.
I wouldn't want to check the sysfs/procfs settings every time. Perhaps it
would suffice to just do a check on sysfs/procfs when libvirtd starts up,
so we can say that if you change FIPS sysfs settings you must restart
libvirtd?

Regards,
Daniel
--
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|