[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

[libvirt] [RFC PATCH 3/2] audit: audit qemu memory and vcpu adjusments



* src/qemu/qemu_audit.h (qemuDomainMemoryAudit)
(qemuDomainVcpuAudit): New prototypes.
* src/qemu/qemu_audit.c (qemuDomainResourceAudit)
(qemuDomainMemoryAudit, qemuDomainVcpuAudit): New functions.
(qemuDomainStartAudit): Call as appropriate.
* src/qemu/qemu_driver.c (qemudDomainSetMemory)
(qemudDomainHotplugVcpus): Likewise.
---

Another round of useful audit points, for tracking hotplug
changes to vcpus and memory allocations.  Again, I'm not sure
if this is the correct amount of information, hence including
this as a continuation of my RFC patches.

I'm not sure if qemudDomainSetMemory is doing the right thing -
it doesn't update vm->def->mem.cur_balloon on success; on the
other hand, dumpXML always recalculates the cur_balloon from a
monitor query, and I don't know if any other API exposes a stale
cur_balloon value from the vm definition.

 src/qemu/qemu_audit.c  |   56 ++++++++++++++++++++++++++++++++++++++++++++++++
 src/qemu/qemu_audit.h  |   10 ++++++++
 src/qemu/qemu_driver.c |    7 +++++-
 3 files changed, 72 insertions(+), 1 deletions(-)

diff --git a/src/qemu/qemu_audit.c b/src/qemu/qemu_audit.c
index c76d49e..6ea31c9 100644
--- a/src/qemu/qemu_audit.c
+++ b/src/qemu/qemu_audit.c
@@ -148,6 +148,59 @@ cleanup:
 }


+/**
+ * qemuDomainResourceAudit:
+ * @vm: domain making an integer resource change
+ * @resource: name of the resource: "mem" or "vcpu"
+ * @oldval: the old value of the resource
+ * @newval: the new value of the resource
+ * @reason: either "start" or "update"
+ * @success: true if the resource change succeeded
+ *
+ * Log an audit message about an attempted resource change.
+ */
+static void
+qemuDomainResourceAudit(virDomainObjPtr vm,
+                        const char *resource,
+                        unsigned long long oldval,
+                        unsigned long long newval,
+                        const char *reason,
+                        bool success)
+{
+    char uuidstr[VIR_UUID_STRING_BUFLEN];
+    char *vmname;
+
+    virUUIDFormat(vm->def->uuid, uuidstr);
+    if (!(vmname = virAuditEncode("vm", vm->def->name))) {
+        VIR_WARN0("OOM while encoding audit message");
+        return;
+    }
+
+    VIR_AUDIT(VIR_AUDIT_RECORD_RESOURCE, success,
+              "resrc=%s reason=%s %s uuid=%s old-%s=%lld new-%s=%lld",
+              resource, reason, vmname, uuidstr,
+              resource, oldval, resource, newval);
+
+    VIR_FREE(vmname);
+}
+
+void
+qemuDomainMemoryAudit(virDomainObjPtr vm,
+                      unsigned long long oldmem, unsigned long long newmem,
+                      const char *reason, bool success)
+{
+    return qemuDomainResourceAudit(vm, "mem", oldmem, newmem, reason, success);
+}
+
+void
+qemuDomainVcpuAudit(virDomainObjPtr vm,
+                    unsigned int oldvcpu, unsigned int newvcpu,
+                    const char *reason, bool success)
+{
+    return qemuDomainResourceAudit(vm, "vcpu", oldvcpu, newvcpu, reason,
+                                   success);
+}
+
 static void qemuDomainLifecycleAudit(virDomainObjPtr vm,
                                      const char *op,
                                      const char *reason,
@@ -185,6 +238,9 @@ void qemuDomainStartAudit(virDomainObjPtr vm, const char *reason, bool success)
         qemuDomainNetAudit(vm, NULL, net, "start", true);
     }

+    qemuDomainMemoryAudit(vm, 0, vm->def->mem.cur_balloon, "start", true);
+    qemuDomainVcpuAudit(vm, 0, vm->def->vcpus, "start", true);
+
     qemuDomainLifecycleAudit(vm, "start", reason, success);
 }

diff --git a/src/qemu/qemu_audit.h b/src/qemu/qemu_audit.h
index 40f4591..cdbb957 100644
--- a/src/qemu/qemu_audit.h
+++ b/src/qemu/qemu_audit.h
@@ -45,6 +45,16 @@ void qemuDomainCgroupAudit(virDomainObjPtr vm,
                            const char *item,
                            const char *name,
                            bool success);
+void qemuDomainMemoryAudit(virDomainObjPtr vm,
+                           unsigned long long oldmem,
+                           unsigned long long newmem,
+                           const char *reason,
+                           bool success);
+void qemuDomainVcpuAudit(virDomainObjPtr vm,
+                         unsigned int oldvcpu,
+                         unsigned int newvcpu,
+                         const char *reason,
+                         bool success);
 void qemuDomainSecurityLabelAudit(virDomainObjPtr vm, bool success);

 #endif /* __QEMU_AUDIT_H__ */
diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c
index a98ceb4..ddd7728 100644
--- a/src/qemu/qemu_driver.c
+++ b/src/qemu/qemu_driver.c
@@ -1605,6 +1605,8 @@ static int qemudDomainSetMemory(virDomainPtr dom, unsigned long newmem) {
     qemuDomainObjEnterMonitor(vm);
     r = qemuMonitorSetBalloon(priv->mon, newmem);
     qemuDomainObjExitMonitor(vm);
+    qemuDomainMemoryAudit(vm, vm->def->mem.cur_balloon, newmem, "update",
+                          r <= 0);
     if (r < 0)
         goto endjob;

@@ -1615,6 +1617,7 @@ static int qemudDomainSetMemory(virDomainPtr dom, unsigned long newmem) {
         goto endjob;
     }

+    /* XXX update vm->def->mem.cur_balloon? */
     ret = 0;
 endjob:
     if (qemuDomainObjEndJob(vm) == 0)
@@ -2518,8 +2521,9 @@ static void processWatchdogEvent(void *data, void *opaque)
 static int qemudDomainHotplugVcpus(virDomainObjPtr vm, unsigned int nvcpus)
 {
     qemuDomainObjPrivatePtr priv = vm->privateData;
-    int i, rc;
+    int i, rc = 1;
     int ret = -1;
+    int oldvcpus = vm->def->vcpus;

     qemuDomainObjEnterMonitor(vm);

@@ -2554,6 +2558,7 @@ static int qemudDomainHotplugVcpus(virDomainObjPtr vm, unsigned int nvcpus)

 cleanup:
     qemuDomainObjExitMonitor(vm);
+    qemuDomainVcpuAudit(vm, oldvcpus, nvcpus, "update", rc <= 0);
     return ret;

 unsupported:
-- 
1.7.4


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]