On Wed, Oct 10, 2012 at 15:11:18 +0100, Daniel P. Berrange wrote: > On Wed, Oct 10, 2012 at 01:35:33PM +0200, Jiri Denemark wrote: > > + <h2><a name="domainconfig">Domain configuration</a></h2> > > + > > + <p> > > + In case sanlock loses access to disk locks for some reason, it will > > + kill all domains that lost their locks. This default behavior may > > + be changed using > > + <a href="formatdomain.html#elementsEvents">on_lockfailure > > + element</a> in domain XML. When this element is present, sanlock > > + will call <code>sanlock_helper</code> (provided by libvirt) with > > + the specified action. This helper binary will connect to libvirtd > > + and thus it may need to authenticate if libvirtd was configured to > > + require that on the read-write UNIX socket. To provide the > > + appropriate credentials to sanlock_helper, a > > + <a href="auth.html#Auth_client_config">client authentication > > + file</a> needs to contain something like the following: > > + </p> > > + <pre> > > +[auth-libvirt-localhost] > > +credentials=sanlock > > + > > +[credentials-sanlock] > > +authname=login > > +password=password > > + </pre> > > Hmm, I think it might be a little more complicated. IIRC, the sanlock > daemon runs under a dedicated user ID, so it will hit the policykit > auth rules by default. So should we be dropping in a .pkla file with > the libvirt sanlock RPM to allow this script to run. Ah, that's possible. I'll prepare an additional patch for that if it appears to be necessary. > We might need to mention where the config file should be located > too. That's done by linking to auth.html#Auth_client_config, which mentions all the possibilities where to store that file. > ACK in any case since this is docs stuff only Thanks, I pushed this series. Jirka -- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list