On Thu, Aug 30, 2012 at 12:11:18 -0700, Daniel P. Berrange wrote: > On Thu, Aug 30, 2012 at 03:31:05PM -0300, Marcelo Cerri wrote: > > On 08/30/2012 03:20 PM, Daniel P. Berrange wrote: > > >An old libvirtd (ie < 0.10.0) already knows how to parse & accept > > >a <seclabel> for model=selinux. It will reject a <seclabel> > > >which has model=dac, if that is the first <seclabe> element present. > > >(it will of course ignore the 2nd/3rd/etc <seclabel> element, since > > >it only expected one to exist). So if model=dac is added as the > > >second <seclabel> back compat is ok. If the selinux/apparmour > > >security drivers are disabled though, the <seclabel> with model=dac > > >will be the first & only element. This will confuse old libvirtd. > > > > > > > Ok. But in which scenario would this happen? It doesn't seem to make > > sense to save a guest with an earlier libvirt version and restore it > > in an older libvirt. > > I wish that was the case, but unfortunately people do want todo > exactly that :-( More particularly for live-migration betweeen > different releases of RHEL, but save+restore too. Right, people like to upgrade their clusters incrementally and still be able to live-migrate domains between any two nodes of the cluster (of course, except for the ones being upgraded) rather than having to split nodes in two groups and have only uni-directional migration between nodes that do not belong to the same group. Obviously, this needs to work only for domains that do not explicitly use any feature that was introduced by the new libvirt. Jirka -- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list