On 02/07/2012 01:10 PM, Jiri Denemark wrote: > In case the caller specifies that confined guests are required but the > security driver turns out to be 'none', we should return an error since > this driver clearly cannot meet that requirement. As a result of this > error, libvirtd fails to start when the host admin explicitly sets > confined guests are required but there is no security driver available. > > Since security driver 'none' cannot create confined guests, we override > default confined setting so that hypervisor drivers do not thing they s/thing/think/ > should create confined guests. > --- > src/security/security_manager.c | 20 ++++++++++++++++++++ > tests/seclabeltest.c | 2 +- > 2 files changed, 21 insertions(+), 1 deletions(-) ACK that this fixes the issue, but I'm wondering whether we should move the logic that rejects requireConfig out of security_manager.c and into security_nop.c:virSecurityDriverOpenNop(). That is, the special casing is a property of the 'none' security manager. Is it worth a v2 patch that moves the error messages in that manner? > +++ b/tests/seclabeltest.c > @@ -13,7 +13,7 @@ main (int argc ATTRIBUTE_UNUSED, char **argv ATTRIBUTE_UNUSED) > virSecurityManagerPtr mgr; > const char *doi, *model; > > - mgr = virSecurityManagerNew(NULL, false, true, true); > + mgr = virSecurityManagerNew(NULL, false, true, false); And here's a classic example that proves Laine's point that any interface with more than one bool parameter is hard to read (you have to check the implementation), compared to consolidating those into a flags argument. But no need to change the signature for this particular patch. -- Eric Blake eblake@xxxxxxxxxx +1-919-301-3266 Libvirt virtualization library http://libvirt.org
Attachment:
signature.asc
Description: OpenPGP digital signature
-- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list