On 06/25/2014 10:54 AM, Peter Krempa wrote:
> virSecurityManagerSetDiskLabel and virSecurityManagerRestoreDiskLabel > don't have complementary semantics. Document the semantics to avoid > possible problems. > --- > src/security/security_manager.c | 22 ++++++++++++++++++++++ > 1 file changed, 22 insertions(+) > > diff --git a/src/security/security_manager.c b/src/security/security_manager.c > index bb12e8e..06e5123 100644 > --- a/src/security/security_manager.c > +++ b/src/security/security_manager.c > @@ -331,6 +331,17 @@ virSecurityManagerGetRequireConfined(virSecurityManagerPtr mgr) > } > > > +/** > + * virSecurityManagerRestoreDiskLabel: > + * @mgr: security manager object > + * @vm: domain definition object > + * @disk: disk definition to operate on > + * > + * Removes security label from the source image of the disk. Note that this > + * function doesn't restore labels on backing chain elements of @disk.

which probably ought to be considered a bug, and something that we might change in the future - but accurate documentation of what it does now.

Restoring labels on backing chains is tricky - we need to start keeping a reference count of all places that are using a backing file (as it can be in use by more than one chain, even by more than one domain), and really the label restore ought to be part of releasing the last use of a storage volume after all domains are done sharing the same backing file. The disk lease manager may be helpful, as backing files are shared (readonly) leases.

ACK.

--
Eric Blake eblake redhat com +1-919-301-3266
Libvirt virtualization library http://libvirt.org
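Review bot: In the new comment for virSecurityManagerRestoreDiskLabel, the sentence "Note that this function doesn't restore labels on backing chain elements of @disk" names the limitation but not what it means for a caller. The commit message says the purpose is to document that this function and virSecurityManagerSetDiskLabel are not complementary, so the comment would be more useful if it referred to virSecurityManagerSetDiskLabel by name and said that callers must not assume the image's backing files are back in their previous state after this call. The first sentence also says "Removes security label" while the function name and the second sentence say "restore"; using one verb throughout would avoid the question of whether the label is dropped or reset to an earlier value.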
-- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list