On 2011年12月22日 15:04, Taku Izumi wrote:
This patch introduces XML schema for domains to retain arbitrary
capabilities.
For example, by adding the following XML to domain configuration,
its domain can retain cap_sys_rawio capability.
<process>
<cap name='sys_rawio'/>
</process>
Signed-off-by: Taku Izumi<izumi.taku@xxxxxxxxxxxxxx>
Signed-off-by: Shota Hirae<m11g1401@xxxxxxxxxxxxxx>
---
docs/formatdomain.html.in | 48 ++++++++++++++++++++++++++++++++++++++
docs/schemas/domaincommon.rng | 52
++++++++++++++++++++++++++++++++++++++++++
src/conf/domain_conf.c | 33 ++++++++++++++++++++++++++
src/conf/domain_conf.h | 2 +
4 files changed, 135 insertions(+)
Index: libvirt/docs/schemas/domaincommon.rng
===================================================================
--- libvirt.orig/docs/schemas/domaincommon.rng
+++ libvirt/docs/schemas/domaincommon.rng
@@ -35,6 +35,9 @@
<ref name="clock"/>
<ref name="resources"/>
<ref name="features"/>
+<optional>
+<ref name="process"/>
+</optional>
<ref name="termination"/>
<optional>
<ref name="devices"/>
@@ -2344,6 +2347,55 @@
</optional>
</define>
<!--
+ Specification of process element
+ -->
+<define name="process">
+<element name="process">
+<zeroOrMore>
+<element name="cap">
+<attribute name="name">
+<choice>
+<value>chown</value>
+<value>dac_override</value>
+<value>dac_read_search</value>
+<value>fowner</value>
+<value>fsetid</value>
+<value>kill</value>
+<value>setgid</value>
+<value>setuid</value>
+<value>setpcap</value>
+<value>linux_immutable</value>
+<value>net_bind_service</value>
+<value>net_broadcast</value>
+<value>net_admin</value>
+<value>net_raw</value>
+<value>ipc_lock</value>
+<value>ipc_owner</value>
+<value>sys_module</value>
+<value>sys_rawio</value>
+<value>sys_chroot</value>
+<value>sys_ptrace</value>
+<value>sys_pacct</value>
+<value>sys_admin</value>
+<value>sys_boot</value>
+<value>sys_nice</value>
+<value>sys_resource</value>
+<value>sys_time</value>
+<value>sys_tty_config</value>
+<value>mknod</value>
+<value>lease</value>
+<value>audit_write</value>
+<value>audit_control</value>
+<value>setfcap</value>
+<value>mac_override</value>
+<value>mac_admin</value>
+</choice>
+</attribute>
+</element>
+</zeroOrMore>
+</element>
+</define>
+<!--
CPU specification
-->
<define name="cpu">
Index: libvirt/src/conf/domain_conf.c
===================================================================
--- libvirt.orig/src/conf/domain_conf.c
+++ libvirt/src/conf/domain_conf.c
@@ -7253,6 +7253,23 @@ static virDomainDefPtr virDomainDefParse
VIR_FREE(nodes);
}
+ n = virXPathNodeSet("./process/cap", ctxt,&nodes);
+ if (n< 0)
+ goto error;
+ if (n) {
+ for (i = 0; i< n; i++) {
+ int val =
virCapsProcessCapsTypeFromString(virXMLPropString(nodes[i], "name"));
+ if (val< 0) {
+ virDomainReportError(VIR_ERR_INTERNAL_ERROR,
s/VIR_ERR_INTERNAL_ERROR/VIR_ERR_CONFIG_UNSUPPORTED/
+ _("unexpected process cap %s"),
+ virXMLPropString(nodes[i], "name"));
virXMLPropString is used twice, it can be avoided by something like:
const char *name = virXMLPropString(nodes[i], name);
And use name where you want.
+ goto error;
+ }
+ def->capabilities |= (1ULL<< val);
+ }
+ VIR_FREE(nodes);
+ }
+
if (virDomainLifecycleParseXML(ctxt, "string(./on_reboot[1])",
&def->onReboot, VIR_DOMAIN_LIFECYCLE_RESTART,
virDomainLifecycleTypeFromString)< 0)
@@ -11520,6 +11537,22 @@ virDomainDefFormatInternal(virDomainDefP
virBufferAddLit(buf, "</features>\n");
}
+ if (def->capabilities) {
+ virBufferAddLit(buf, "<process>\n");
+ for (n = 0; n< VIR_PROCESS_CAPABILITY_LAST; n++) {
+ if (def->capabilities& (1ULL<< n)) {
+ const char *name = virCapsProcessCapsTypeToString(n);
+ if (!name) {
+ virDomainReportError(VIR_ERR_INTERNAL_ERROR,
+ _("unexpected process cap %d"), n);
+ goto cleanup;
+ }
+ virBufferAsprintf(buf, "<cap name='%s'/>\n", name);
+ }
+ }
+ virBufferAddLit(buf, "</process>\n");
+ }
+
virBufferAdjustIndent(buf, 2);
if (virCPUDefFormatBufFull(buf, def->cpu)< 0)
goto cleanup;
Index: libvirt/src/conf/domain_conf.h
===================================================================
--- libvirt.orig/src/conf/domain_conf.h
+++ libvirt/src/conf/domain_conf.h
@@ -1441,6 +1441,8 @@ struct _virDomainDef {
char *emulator;
int features;
+ unsigned long long capabilities;
Should we choose another name such like "process_caps"? Considering
we might need to introduce other capabilities for domain in future.
+
virDomainClockDef clock;
int ngraphics;
Index: libvirt/docs/formatdomain.html.in
===================================================================
--- libvirt.orig/docs/formatdomain.html.in
+++ libvirt/docs/formatdomain.html.in
@@ -787,6 +787,54 @@
</dd>
</dl>
+<h3><a name="elementsProcess">Process Capability</a></h3>
+
+<p>
+ Process of Domain are allowed to retain capabilities specified
Is following better? :-)
Domain process is allowed to...
+ by cap element. What capabilities host supports can be found at
+ capability XML.
Better to add the virsh command. e.g.
capability XML (virsh capabilities)