
Re: [libvirt] [PATCH] conf: Fix parsing of seclabels without model



On Thu, Aug 30, 2012 at 12:11:18 -0700, Daniel P. Berrange wrote:
> On Thu, Aug 30, 2012 at 03:31:05PM -0300, Marcelo Cerri wrote:
> > On 08/30/2012 03:20 PM, Daniel P. Berrange wrote:
> > >An old libvirtd (ie < 0.10.0) already knows how to parse & accept
> > >a <seclabel> for model=selinux. It will reject a <seclabel>
> > >which has model=dac, if that is the first <seclabel> element present.
> > >(it will of course ignore the 2nd/3rd/etc <seclabel> element, since
> > >it only expected one to exist).  So if model=dac is added as the
> > >second <seclabel> back compat is ok. If the selinux/apparmor
> > >security drivers are disabled though, the <seclabel> with model=dac
> > >will be the first & only element. This will confuse old libvirtd.
> > >
> > 
> > Ok. But in which scenario would this happen? It doesn't seem to make
> > sense to save a guest with an earlier libvirt version and restore it
> > in an older libvirt.
> 
> I wish that was the case, but unfortunately people do want to do
> exactly that :-(  More particularly for live-migration between
> different releases of RHEL, but save+restore too.

Right, people like to upgrade their clusters incrementally and still be able
to live-migrate domains between any two nodes of the cluster (of course,
except for the ones being upgraded) rather than having to split nodes in two
groups and have only uni-directional migration between nodes that do not
belong to the same group. Obviously, this needs to work only for domains that
do not explicitly use any feature that was introduced by the new libvirt.

Jirka
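
A pre-migration check for the ordering rule described in the quoted message, as an added example that is not part of the original thread and not libvirt's own code. The function names and the sample XML are constructed, and the behaviour of a pre-0.10.0 libvirtd is taken from the quoted message rather than verified against libvirt's source.

```python
import xml.etree.ElementTree as ET

def top_level_seclabel_models(domain_xml):
    """Models of the <seclabel> elements directly under <domain>, in document order."""
    root = ET.fromstring(domain_xml)
    # findall("seclabel") matches direct children only, so per-device
    # labels nested under <devices> are not counted.
    return [el.get("model") for el in root.findall("seclabel")]

def check_old_libvirtd_compat(domain_xml):
    """Classify the XML by the rule stated in the quoted message (assumed accurate)."""
    models = top_level_seclabel_models(domain_xml)
    if not models:
        return "ok: no top-level <seclabel>"
    if models[0] == "dac":
        if len(models) == 1:
            return "incompatible: model=dac is the first and only <seclabel>"
        return "incompatible: model=dac precedes the other <seclabel> elements"
    if models[0] is None:
        return "unknown: first <seclabel> has no model attribute"
    return "ok: first <seclabel> is model=" + models[0]

# Constructed sample documents, reduced to the elements that matter here.
SELINUX_THEN_DAC = """<domain type='kvm'><name>a</name>
  <seclabel type='dynamic' model='selinux'/>
  <seclabel type='dynamic' model='dac'/>
</domain>"""

# Security drivers disabled: only the dac label is present at top level.
DAC_ONLY = """<domain type='kvm'><name>b</name>
  <devices><disk type='file'><source file='/constructed/b.img'>
    <seclabel relabel='no'/></source></disk></devices>
  <seclabel type='dynamic' model='dac'/>
</domain>"""

DAC_THEN_SELINUX = """<domain type='kvm'><name>c</name>
  <seclabel type='dynamic' model='dac'/>
  <seclabel type='dynamic' model='selinux'/>
</domain>"""

if __name__ == "__main__":
    for name in ("SELINUX_THEN_DAC", "DAC_ONLY", "DAC_THEN_SELINUX"):
        print(name, "->", check_old_libvirtd_compat(globals()[name]))
```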

