Re: [PATCH v2 6/7] domain_lock: Implement metadata locking

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Mon, Aug 20, 2018 at 07:13:46PM +0200, Michal Prívozník wrote:
> On 08/20/2018 05:07 PM, Daniel P. Berrangé wrote:
> > On Tue, Aug 14, 2018 at 01:19:42PM +0200, Michal Privoznik wrote:
> >> In order for our drivers to lock resources for metadata change we
> >> need set of new APIs. Fortunately, we don't have to care about
> >> every possible device a domain can have. We care only about those
> >> which can live on a network filesystem and hence can be accessed
> >> by multiple daemons at the same time. These devices are covered
> >> in virDomainLockMetadataLock() and only a small fraction of
> >> those can be hotplugged (covered in the rest of the introduced
> >> APIs).
> > 
> > I'm not sure I understand the rationale behind saying we only care
> > about resources on network filesystems.
> > 
> > If I have 2 locally running guests, and both have a serial port
> > backed by a physical serial port, eg
> > 
> >   <serial type="dev">
> >     <source path="/dev/ttyS0"/>
> >     <target port="1"/>
> >   </serial>
> > 
> > we *do* care about locking /dev/ttyS0, as libvirtd isn't doing
> > mutual exclusion checks anywhere else for the /dev/ttyS0 device
> > node.
> 
> Ah you mean that the system wide daemon and session daemon could clash
> when relabeling /dev/ttyS0? Well, we don't do relabeling for session
> daemons and running two system daemons is not supported (you're gonna
> hit more serious problems when trying that anyway).

We certainly *do* have relabelling for session daemons, for SELinux:

$ ls -alZ ~/VirtualMachines/demo.img 
-rw-r--r--. 1 berrange berrange unconfined_u:object_r:virt_home_t:s0 1073741824 Aug 21 09:25 /home/berrange/VirtualMachines/demo.img

$ virsh uri
qemu:///session

$ virsh start QEMUGuest1
Domain QEMUGuest1 started

$ ls -alZ ~/VirtualMachines/demo.img 
-rw-r--r--. 1 berrange berrange unconfined_u:object_r:svirt_image_t:s0:c310,c831 1073741824 Aug 21 09:25 /home/berrange/VirtualMachines/demo.img


but I was more thinking about the future where we have the libvirt shim
concept that allows starting & managing of QEMU processes independantly,
and libvirtd is merely there for aggregated data reporting. In that case
you'd have many instances of the security driver operating in parallel.

Regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list




[Index of Archives]     [Virt Tools]     [Libvirt Users]     [Lib OS Info]     [Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Big List of Linux Books]     [Yosemite News]     [KDE Users]     [Fedora Tools]

  Powered by Linux