On Thu, Mar 07, 2013 at 02:51:05PM -0500, Daniel J Walsh wrote:
> One last strangeness, about half the time I run this, virsh hangs and never
> returns.
> Seems like
>
> if (conn->driver->domainGetSecurityLabel(domain,
> seclabel) == 0) {
>
>
> Gets hung up. I have attached the strace in out1.gz

This is because you are trying to invoke libvirt RPC calls in the
fork()d child process. Now you have both the child & parent trying
to use the same libvirt socket FD, which means it is random which
will see the incoming I/O.

>
> +static int
> +virDomainSetDefaultSecurityLabel(virDomainPtr domain)
> +{
> + int rc = 0;
> + virSecurityLabelPtr seclabel;
> + if (VIR_ALLOC(seclabel) < 0)
> + return -1;
> +
> + if (virDomainGetSecurityLabel(domain, seclabel))
> + return -1;

This causes libvirt to do RPC calls

> @@ -135,7 +168,12 @@ virDomainLxcEnterNamespace(virDomainPtr domain,
> {
> int i;
>
> - virCheckFlags(0, -1);
> + virCheckFlags(SECURITY_LABEL, -1);
> +
> + if (flags & SECURITY_LABEL) {
> + if (virDomainSetDefaultSecurityLabel(domain) < 0)
> + goto error;
> + }

And this is running in the child process.

As with the enter namespace code, we need to split the functionality.
virsh needs to call virDomainGetSecurityLabel before fork, and then
invoke an API to apply the security label after fork.

I've CC'd you on a patch which takes that approach.

Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
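
Review bot: in virDomainSetDefaultSecurityLabel, the `return -1` taken when virDomainGetSecurityLabel() fails leaks the seclabel buffer obtained from VIR_ALLOC just above it. Release it on that path, for example with VIR_FREE(seclabel) before returning or through a single cleanup label, and test the result with `< 0` as the VIR_ALLOC check does so the error convention is explicit.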
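
Review bot: in the virDomainLxcEnterNamespace hunk, the flag handed to virCheckFlags() is a bare `SECURITY_LABEL`, with no prefix and no documentation visible in the patch. A flag accepted by this entry point should carry a prefixed enum name and be described in the function's comment, including that setting it makes the call look up the domain's label through virDomainSetDefaultSecurityLabel().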
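
The split described in the reply above (query over the connection before fork(), use only the copied result after fork()), as an added example in plain POSIX C that is not libvirt code or part of the original mail. The socketpair, `fake_daemon`, `fetch_then_fork` and the `LABEL` value are constructed stand-ins for the libvirt RPC socket, the daemon and a real security label.

```c
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/wait.h>
#define LABEL "example_u:example_r:example_t:s0" /* constructed sample value */

/* Hypothetical stand-in for the daemon end of the RPC socket: one request, one reply. */
static void fake_daemon(int fd)
{
    char req;
    _exit(read(fd, &req, 1) == 1 && write(fd, LABEL, sizeof(LABEL)) > 0 ? 0 : 1);
}

/* Returns 0 and fills `seen` with what the forked child received, -1 on error. */
int fetch_then_fork(char *seen, size_t len)
{
    int rpc[2], report[2], status = 0;
    char label[64] = "";
    pid_t daemon_pid, child;
    if (len == 0 || socketpair(AF_UNIX, SOCK_STREAM, 0, rpc) < 0 || pipe(report) < 0)
        return -1;
    if ((daemon_pid = fork()) == 0) {
        close(rpc[0]);
        fake_daemon(rpc[1]);
    }
    close(rpc[1]);
    /* Before fork: the parent is the only reader of rpc[0], so the reply is its own. */
    if (daemon_pid < 0 || write(rpc[0], "L", 1) != 1 ||
        read(rpc[0], label, sizeof(label) - 1) <= 0)
        return -1;
    if ((child = fork()) == 0) {
        /* After fork: drop the inherited RPC fd; a real child would apply the label. */
        close(rpc[0]);
        _exit(write(report[1], label, strlen(label) + 1) < 0);
    }
    close(report[1]);
    close(rpc[0]);
    memset(seen, 0, len);
    ssize_t n = child < 0 ? -1 : read(report[0], seen, len - 1);
    close(report[0]);
    if (child > 0)
        waitpid(child, &status, 0);
    waitpid(daemon_pid, NULL, 0);
    return (n > 0 && WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 0 : -1;
}

int main(void)
{
    char seen[64];
    return fetch_then_fork(seen, sizeof(seen)) == 0 && strcmp(seen, LABEL) == 0 ? 0 : 1;
}
```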