Re: [PATCH v2 2/5] conf: add XML schema for domain XML

[Osier Yang <jyang@xxxxxxxxxx>]

On 2011年12月30日 12:06, Osier Yang wrote:
> On 2011年12月22日 15:04, Taku Izumi wrote:
> > This patch introduces XML schema for domains to retain arbitrary
> > capabilities.
> > For example, by adding the following XML to domain configuration,
> > its domain can retain cap_sys_rawio capability.
> >
> > <process>
> > <cap name='sys_rawio'/>
> > </process>
> >
> >
> > Signed-off-by: Taku Izumi<izumi.taku@xxxxxxxxxxxxxx>
> > Signed-off-by: Shota Hirae<m11g1401@xxxxxxxxxxxxxx>
> > ---
> > docs/formatdomain.html.in | 48 ++++++++++++++++++++++++++++++++++++++
> > docs/schemas/domaincommon.rng | 52
> > ++++++++++++++++++++++++++++++++++++++++++
> > src/conf/domain_conf.c | 33 ++++++++++++++++++++++++++
> > src/conf/domain_conf.h | 2 +
> > 4 files changed, 135 insertions(+)
> >
> > Index: libvirt/docs/schemas/domaincommon.rng
> > ===================================================================
> > --- libvirt.orig/docs/schemas/domaincommon.rng
> > +++ libvirt/docs/schemas/domaincommon.rng
> > @@ -35,6 +35,9 @@
> > <ref name="clock"/>
> > <ref name="resources"/>
> > <ref name="features"/>
> > +<optional>
> > +<ref name="process"/>
> > +</optional>
> > <ref name="termination"/>
> > <optional>
> > <ref name="devices"/>
> > @@ -2344,6 +2347,55 @@
> > </optional>
> > </define>
> > <!--
> > + Specification of process element
> > + -->
> > +<define name="process">
> > +<element name="process">
> > +<zeroOrMore>
> > +<element name="cap">
> > +<attribute name="name">
> > +<choice>
> > +<value>chown</value>
> > +<value>dac_override</value>
> > +<value>dac_read_search</value>
> > +<value>fowner</value>
> > +<value>fsetid</value>
> > +<value>kill</value>
> > +<value>setgid</value>
> > +<value>setuid</value>
> > +<value>setpcap</value>
> > +<value>linux_immutable</value>
> > +<value>net_bind_service</value>
> > +<value>net_broadcast</value>
> > +<value>net_admin</value>
> > +<value>net_raw</value>
> > +<value>ipc_lock</value>
> > +<value>ipc_owner</value>
> > +<value>sys_module</value>
> > +<value>sys_rawio</value>
> > +<value>sys_chroot</value>
> > +<value>sys_ptrace</value>
> > +<value>sys_pacct</value>
> > +<value>sys_admin</value>
> > +<value>sys_boot</value>
> > +<value>sys_nice</value>
> > +<value>sys_resource</value>
> > +<value>sys_time</value>
> > +<value>sys_tty_config</value>
> > +<value>mknod</value>
> > +<value>lease</value>
> > +<value>audit_write</value>
> > +<value>audit_control</value>
> > +<value>setfcap</value>
> > +<value>mac_override</value>
> > +<value>mac_admin</value>
> > +</choice>
> > +</attribute>
> > +</element>
> > +</zeroOrMore>
> > +</element>
> > +</define>
> > +<!--
> > CPU specification
> > -->
> > <define name="cpu">
> > Index: libvirt/src/conf/domain_conf.c
> > ===================================================================
> > --- libvirt.orig/src/conf/domain_conf.c
> > +++ libvirt/src/conf/domain_conf.c
> > @@ -7253,6 +7253,23 @@ static virDomainDefPtr virDomainDefParse
> > VIR_FREE(nodes);
> > }
> >
> > + n = virXPathNodeSet("./process/cap", ctxt,&nodes);
> > + if (n< 0)
> > + goto error;
> > + if (n) {
> > + for (i = 0; i< n; i++) {
> > + int val =
> > virCapsProcessCapsTypeFromString(virXMLPropString(nodes[i], "name"));
> > + if (val< 0) {
> > + virDomainReportError(VIR_ERR_INTERNAL_ERROR,
>
> s/VIR_ERR_INTERNAL_ERROR/VIR_ERR_CONFIG_UNSUPPORTED/
>
> > + _("unexpected process cap %s"),
> > + virXMLPropString(nodes[i], "name"));
>
> virXMLPropString is used twice, it can be avoided by something like:
>
> const char *name = virXMLPropString(nodes[i], name);
>
> And use name where you want.
>
>
> > + goto error;
> > + }
> > + def->capabilities |= (1ULL<< val);
> > + }
> > + VIR_FREE(nodes);
> > + }
> > +
> > if (virDomainLifecycleParseXML(ctxt, "string(./on_reboot[1])",
> > &def->onReboot, VIR_DOMAIN_LIFECYCLE_RESTART,
> > virDomainLifecycleTypeFromString)< 0)
> > @@ -11520,6 +11537,22 @@ virDomainDefFormatInternal(virDomainDefP
> > virBufferAddLit(buf, "</features>\n");
> > }
> >
> > + if (def->capabilities) {
> > + virBufferAddLit(buf, "<process>\n");
> > + for (n = 0; n< VIR_PROCESS_CAPABILITY_LAST; n++) {
> > + if (def->capabilities& (1ULL<< n)) {
> > + const char *name = virCapsProcessCapsTypeToString(n);
> > + if (!name) {
> > + virDomainReportError(VIR_ERR_INTERNAL_ERROR,
> > + _("unexpected process cap %d"), n);
> > + goto cleanup;
> > + }
> > + virBufferAsprintf(buf, "<cap name='%s'/>\n", name);
> > + }
> > + }
> > + virBufferAddLit(buf, "</process>\n");
> > + }
> > +
> > virBufferAdjustIndent(buf, 2);
> > if (virCPUDefFormatBufFull(buf, def->cpu)< 0)
> > goto cleanup;
> > Index: libvirt/src/conf/domain_conf.h
> > ===================================================================
> > --- libvirt.orig/src/conf/domain_conf.h
> > +++ libvirt/src/conf/domain_conf.h
> > @@ -1441,6 +1441,8 @@ struct _virDomainDef {
> > char *emulator;
> > int features;
> >
> > + unsigned long long capabilities;
>
> Should we choose another name such like "process_caps"? Considering
> we might need to introduce other capabilities for domain in future.
>
> > +
> > virDomainClockDef clock;
> >
> > int ngraphics;
> > Index: libvirt/docs/formatdomain.html.in
> > ===================================================================
> > --- libvirt.orig/docs/formatdomain.html.in
> > +++ libvirt/docs/formatdomain.html.in
> > @@ -787,6 +787,54 @@
> > </dd>
> > </dl>
> >
> > +<h3><a name="elementsProcess">Process Capability</a></h3>
> > +
> > +<p>
> > + Process of Domain are allowed to retain capabilities specified
>
> Is following better? :-)
>
> Domain process is allowed to...
>
> > + by cap element. What capabilities host supports can be found at
> > + capability XML.
>
> Better to add the virsh command. e.g.
>
> capability XML (virsh capabilities)

Also we need to declare the caps are OS dependant.
> > +</p>
> > +
> > +<pre>
> > + ...
> > +&lt;process&gt;
> > +&lt;cap name="chown"/&gt;
> > +&lt;cap name="dac_override"/&gt;
> > +&lt;cap name="dac_read_search"/&gt;
> > +&lt;cap name="fowner"/&gt;
> > +&lt;cap name="fsetid"/&gt;
> > +&lt;cap name="kill"/&gt;
> > +&lt;cap name="setgid"/&gt;
> > +&lt;cap name="setuid"/&gt;
> > +&lt;cap name="setpcap"/&gt;
> > +&lt;cap name="linux_immutable"/&gt;
> > +&lt;cap name="net_bind_service"/&gt;
> > +&lt;cap name="net_broadcast"/&gt;
> > +&lt;cap name="net_admin"/&gt;
> > +&lt;cap name="net_raw"/&gt;
> > +&lt;cap name="ipc_lock"/&gt;
> > +&lt;cap name="ipc_owner"/&gt;
> > +&lt;cap name="sys_module"/&gt;
> > +&lt;cap name="sys_rawio"/&gt;
> > +&lt;cap name="sys_chroot"/&gt;
> > +&lt;cap name="sys_ptrace"/&gt;
> > +&lt;cap name="sys_pacct"/&gt;
> > +&lt;cap name="sys_admin"/&gt;
> > +&lt;cap name="sys_boot"/&gt;
> > +&lt;cap name="sys_nice"/&gt;
> > +&lt;cap name="sys_resource"/&gt;
> > +&lt;cap name="sys_time"/&gt;
> > +&lt;cap name="sys_tty_config"/&gt;
> > +&lt;cap name="mknod"/&gt;
> > +&lt;cap name="lease"/&gt;
> > +&lt;cap name="audit_write"/&gt;
> > +&lt;cap name="audit_control"/&gt;
> > +&lt;cap name="setfcap"/&gt;
> > +&lt;cap name="mac_override"/&gt;
> > +&lt;cap name="mac_admin"/&gt;
> > +&lt;/process&gt;
> > + ...</pre>
> > +
> > <h3><a name="elementsTime">Time keeping</a></h3>
> >
> > <p>
> >
> > --
> > libvir-list mailing list
> > libvir-list@xxxxxxxxxx
> > https://www.redhat.com/mailman/listinfo/libvir-list
>
> --
> libvir-list mailing list
> libvir-list@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/libvir-list

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list