On Wed, 2017-11-01 at 16:19 -0400, John Ferlan wrote:
> > + </summary>
> > + <description>
> > + This new API, also exposed through the
> > + <code>set-lifecycle-action</code> <code>virsh</code> command, allows
> > + the user to dynamically control how the guest will react to being
> > + powered off, being restarted or crashing.
>
> This one reads strangely to me... As a suggestion
>
> Provided a new API to allow dynamic guest lifecycle control for guest
> reactions to poweroff, restart, or crash type events related to the
> domain XML <code>on_poweroff</code>, <code>on_reboot</code>, and
> <code>on_crash</code> elements. The <code>virsh
> set-lifecycle-action<code> command was created to control the actions.

You forgot to close the <code> element here ;)

> > + constraints that log have to be bigger than 100 KiB before they can
> > + be rotated solves the issue.
>
> s/issue.$/issue. However, this may increase the number of files until
> they are automatically rotated.

I don't think that's true: the same number of log files will be
created, it's just that now more files will be rotated. So I left
out that part.

> (Personally, not quite sure how that rotation actually occurs).

Not sure myself. I think the logrotate profile is installed along
with libvirt, but you have to enable it explicitly for rotation to
actually occur?

> > + <change>
> > + <summary>
> > + qemu: Ensure TLS clients always verify the server certificate
> > + </summary>
> > + <description>
> > + While it's reasonable to turn off client certificate validation,
> > + as setting it up can be non-trivial, clients should always verify
> > + the server certificate to avoid MITM attacks. libvirt was, however,
> > + using the same knob to control both checks, leading to
> > + CVE-2017-1000256 / LSN-2017-0002.
> > + </description>
> > + </change>

As suggested by Peter, I've moved this to a separate "Security"
section, and pushed the whole thing.

Thanks for the review and all the improvements :)

--
Andrea Bolognani / Red Hat / Virtualization

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
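
Review bot: In the log rotation entry, "constraints that log have to be bigger than 100 KiB" has a subject/verb mismatch; "logs have to be bigger than 100 KiB" reads correctly and matches the plural "they" later in the same sentence.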
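
Review bot: In the qemu TLS entry, "the same knob" does not tell readers which setting controlled both checks, so they cannot tell from the release note whether their configuration relied on it. Suggest naming the setting in the description, and stating the resulting behaviour explicitly (the server certificate is verified regardless of how client certificate validation is configured), since the description currently only describes the old behaviour and leaves the fix to the summary line.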