On 02/03/2014 01:40 PM, Daniel P. Berrange wrote: > On Mon, Feb 03, 2014 at 12:36:32PM +0100, Michal Privoznik wrote: >> On 31.01.2014 17:43, Michal Privoznik wrote: >>> There might be some use cases, where user wants to prepare the host or >>> its environment prior to starting a network and do some cleanup after >>> the network has been shut down. Consider all the functionality that >>> libvirt doesn't currently have as an example what a hook script can >>> possibly do. >>> >>> Signed-off-by: Michal Privoznik <mprivozn@xxxxxxxxxx> >>> --- >>> docs/hooks.html.in | 43 +++++++++++++++++++++++++++++-------------- >>> src/network/bridge_driver.c | 29 +++++++++++++++++++++++++++++ >>> src/util/virhook.c | 10 +++++++++- >>> src/util/virhook.h | 8 ++++++++ >>> 4 files changed, 75 insertions(+), 15 deletions(-) >>> >>> diff --git a/src/network/bridge_driver.c b/src/network/bridge_driver.c >>> index 53c2274..2bca5bc 100644 >>> --- a/src/network/bridge_driver.c >>> +++ b/src/network/bridge_driver.c >>> @@ -71,6 +71,7 @@ >>> #include "virstring.h" >>> #include "viraccessapicheck.h" >>> #include "network_event.h" >>> +#include "virhook.h" >>> >>> #define VIR_FROM_THIS VIR_FROM_NETWORK 
>>> >>> @@ -2011,6 +2012,23 @@ networkStartNetwork(virNetworkDriverStatePtr driver, >>> if (virNetworkObjSetDefTransient(network, true) < 0) >>> goto cleanup; >>> >>> + /* Run an early hook to set-up missing devices */ >>> + if (virHookPresent(VIR_HOOK_DRIVER_NETWORK)) { >>> + char *xml = virNetworkDefFormat(network->def, 0); >>> + int hookret; >>> + >>> + hookret = virHookCall(VIR_HOOK_DRIVER_NETWORK, network->def->name, >>> + VIR_HOOK_NETWORK_OP_START, VIR_HOOK_SUBOP_BEGIN, >>> + NULL, xml, NULL); >>> + VIR_FREE(xml); >>> + >>> + /* >>> + * If the script raised an error abort the launch >>> + */ >>> + if (hookret < 0) >>> + goto cleanup; >>> + } >>> + >>> switch (network->def->forward.type) { >> I've just realized, that if the hook is going to be used to >> insert/delete some iptables rules or some tc work, maybe it's >> desired to have yet another hook that is executed *after* >> networkStartNetworkVirtual or networkStartNetworkExternal. Moreover, >> do we want to taint such networks that use hook scripts (bearing in >> mind that we don't do nothing like that for domains)? Any thoughts? Yes, this is very important - there is a big difference between adding an iptables rule before libvirt starts a network and after it starts the network, and either may be a valid choice depending on the situation. Additionally, while we're adding hooks, should there also be hooks pre/post adding a connection to a network and pre/post removing a connection from a network? (and in that case, what exactly should stdin receive? Perhaps the network XML + the domain XML, or maybe the network XML + an abbreviated domain XML that contains the domain name/uuid, and the particular <interface> that is being added/removed?) > We use 'tainting' as a way to identify anything which could alter the > operation/behaviour of the VM in a way that isn't obvious from the XML > config. 
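Review bot: in the networkStartNetwork() hunk the return value of virNetworkDefFormat() is never checked, so if formatting fails `xml` is NULL and virHookCall() still runs the script, just with nothing on stdin, instead of the start being aborted; add `if (!xml) goto cleanup;` before the virHookCall() line. The comment "Run an early hook to set-up missing devices" also under-documents the guarantee the placement gives: the hook fires after virNetworkObjSetDefTransient() but before the `switch (network->def->forward.type)` that brings the network up, so hook authors should be told plainly that the network does not exist yet when the begin hook runs (and "set-up" as a verb should be "set up").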
> As such I'd say that use of hooks should cause tainting, and
> likewise we should have a tainting concept for networks too.

I also agree with the concept of tainting a network. In addition to tainting the network, probably any domain that connects to a tainted network should itself be tainted.

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list