Re: [libvirt] [PATCH v2 3/3] network: Taint networks that are using hook script

On Fri, Feb 07, 2014 at 02:17:10PM +0200, Laine Stump wrote:
> On 02/05/2014 12:11 PM, Michal Privoznik wrote:
> > Basically, the idea is copied from domain code, where tainting
> > has existed for a while. Currently, only one taint reason exists -
> > VIR_NETWORK_TAINT_HOOK to mark those networks which caused invoking
> > of hook script.
> What's missing here is that the network status XML doesn't include a
> <taint> element.
> Also, I think if a network is tainted, any domain that connects to that
> network should be tainted as well.
> Of course what would make this more useful would be if we could
> determine when a hook script actually *did* something for a particular
> network/interface (since presumably people are usually going to write
> their network hook scripts to only take action for particular networks
> and/or domains, not for *all* networks). I don't know that there's a way
> to do that without either 1) having a different hook script for each
> network, or 2) trusting the hook script to return some sort of status
> indicating whether or not it did anything. Obviously (2) is not a good
> idea, but we may want to think about (1) in the future (for qemu and lxc
> hook scripts as well) - instead of just looking for
> /etc/libvirt/hook/network, we could first look for
> /etc/libvirt/hook/network.${netname} and exec that instead if found (or
> in addition). But I think that can be deferred until later.

I don't think we should try to second guess what the hook script
is doing. You are basically trying to solve the halting problem
there which is not a winning proposition.

> ACK if you add the <taint> element to the network status XML, and taint
> the domain any time it uses a tainted network.

I think tainting the domain is probably overkill here.

