
Re: [libvirt] [PATCH V9 3/3] Add support for file descriptor sets

On Mon, Mar 11, 2013 at 03:36:56PM -0600, Eric Blake wrote:
> On 03/07/2013 11:14 AM, Stefan Berger wrote:
> > Add support for file descriptor sets by converting some of the 
> > command line parameters to use /dev/fdset/%d if -add-fd is found
> > to be supported by QEMU. For those devices libvirt now open()s
> > the device to obtain the file descriptor and 'transfers' the 
> > fd using virCommand.
> > 
> > For the following fragments of domain XML
> > 
> > 
> >     <disk type='file' device='disk'>
> >       <driver name='qemu' type='raw'/>
> >       <source file='/var/lib/libvirt/images/fc14-x86_64.img'/>
> >       <target dev='hda' bus='ide'/>
> >       <address type='drive' controller='0' bus='0' target='0' unit='0'/>
> >     </disk>
> Discussion on the qemu list has made it obvious that we want this for
> NFS-mounted images, but maybe not for local images or on other file
> systems that actually support SELinux labeling (after all, the point of
> fd passing is not to move DAC checking out of the kernel and into
> user-space libvirtd, but to make up for lack of SELinux labeling on
> NFS).  Still, we are waiting for a qemu solution on how to do fd passing
> for backing files (the so-called -blockdev design), which means that for
> now, the best we could do with the selinux bool virt_use_nfs disabled is
> support only flat images (no backing file, no creation of snapshots).

If the fd passing code doesn't work for backing files, then IMHO
we should not apply this at all. We need a fully working solution
or none at all. A half-implemented solution will just cause pain
for everyone involved.

I also agree that we should *NOT* use FD passing, unless we absolutely
need it, i.e. we should only be using it with NFS, when virt_use_nfs is not

Every place where we use FD passing makes it harder for people to
take the ARGV from /var/log/libvirt/qemu/$GUEST.log and run it
directly. This is quite important from a support POV.

|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|
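
Added example, not part of this thread or of the libvirt patch: a Python sketch of the fd-set launch described in the quoted commit message, and of why the logged ARGV cannot simply be re-run by hand. The child is a stand-in for QEMU, and `fdset_args`, `launch`, `demo` and the `opaque=` text are assumptions made for the illustration.

```python
import fcntl, os, re, subprocess, sys, tempfile

def fdset_args(fd, set_id, path):
    # -add-fd registers an inherited descriptor in fd set <set_id>; the drive
    # then names /dev/fdset/<set_id> instead of the image path.
    # The opaque= text is free-form; this value is constructed for the example.
    return ["-add-fd", f"fd={fd},set={set_id},opaque=example:{path}",
            "-drive", f"file=/dev/fdset/{set_id},format=raw"]

# Stand-in for QEMU (assumption: not real QEMU): takes the fd number from the
# -add-fd argument and reads the image through it, never opening the path.
CHILD = r"""
import os, re, sys
fd = int(re.search(r"fd=(\d+)", sys.argv[2]).group(1))
sys.stdout.write(os.pread(fd, 11, 0).decode())
"""

def launch(args, inherit_fd=None):
    # subprocess closes every descriptor above 2 unless listed in pass_fds.
    keep = (inherit_fd,) if inherit_fd is not None else ()
    p = subprocess.run([sys.executable, "-c", CHILD, *args],
                       pass_fds=keep, capture_output=True, text=True)
    return p.returncode, p.stdout

def demo():
    with tempfile.NamedTemporaryFile() as img:
        img.write(b"constructed raw image\n")   # constructed sample image
        img.flush()
        # Manager side: open() the image and keep a high-numbered duplicate.
        fd = fcntl.fcntl(img.fileno(), fcntl.F_DUPFD, 100)
        try:
            args = fdset_args(fd, 1, img.name)
            managed = launch(args, inherit_fd=fd)   # fd transferred to child
            replayed = launch(args)                 # same ARGV, run by hand
        finally:
            os.close(fd)
    return args, managed, replayed

if __name__ == "__main__":
    args, managed, replayed = demo()
    print(" ".join(args))
    print("managed:", managed, "replayed exit code:", replayed[0])
```

The replayed run fails because the fd number in the ARGV only has meaning inside a process that inherited that descriptor from the manager.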
