On Fri, Apr 17, 2015 at 09:31:58AM -0400, Lee Schermerhorn wrote:
On Fri, 2015-04-17 at 11:30 +0100, Daniel P. Berrange wrote:On Thu, Apr 16, 2015 at 04:46:10PM +0200, Martin Kletzander wrote: > *** BLURB *** > > ... > > Just kidding :) > > Sooo... After very very VERY long time, here's a draft of an admin > interface that is supposed to open up new possibilities to be done on > a live daemon. The aim here is to create some first inches of that > API in order to open up the possibility of new API function creation > to more people. > > I already spent so much time explaining so much of that that I don't > know what else to point at in here. Maybe the fact that last three > patches are just an example on how this might work. Of course there > won't be any functions like listClientIDs with the need of getting > each client info by another API. There's going to be > e.g. virAdmClientInfo and virAdmGetClients() will return the list of > them, etc. Long story short, let's not repeat past mistakes ;) > > With all that said, feel free to hate, love, comment or just try out > compiling this series and let me know how many things I've missed and > screwed up (hopefully zero). Broadly speaking I think this all looks like pretty good approach to me. We should probably think about exactly which API we want to target for inclusion in the first release. Perhaps the ability to change the logging filters & outputs would be the most useful one, as its something people often want to have in the production deployments where restarting libvirtd is not an option.
Logging settings is definitely in the top of the list. My idea is that then we'll design some APIs for the introspection of the virNerServer (i.e. what is virNetSubServer in this series) like services, clients, rpm programs, whatever comes to mind. It would be nice if libvirt-1.3 (2.0 :) ) would have at least logging settings and info about connected clients. I'd say that's enough for the first tryout release. One question came up when we discussed Admin API with Michal. Can we say something in the sense of "this is not stable yet and the API can change"? It would help us speed up some prototyping, but I don't think this is possible simply because we guarantee full backward compatibility.
How about reloading the server TLS certificates? virNetTLSContextNew() contains the comment: /* Generate Diffie Hellman parameters - for use with DHE * kx algorithms. These should be discarded and regenerated * once a day, once a week or once a month. Depending on the * security requirements. */ If I understand correctly, currently one must restart libvirtd to pickup new certificates? I wondered whether Martin's patch 4/15 -- multiple NetSubServers -- would allow introduction of a new cert on a new SubServer w/o restarting libvirtd? E.g., to allow long running migration, blockcopy or other jobs to complete on existing connections before destroying them.
I haven't checked the internals of this, but it sounds like a good idea. However, the introspection mentioned beforehand must be completed first, otherwise we cannot get to the TLS service. Therefore I'd see this arriving a bit later than in the first trial series. However, others should be encouraged to implement APIs for this ;)
If that would be possible, I think would would also be useful for early inclusion for people considering ephemeral certificates. Regards, LeeRegards, Daniel
Description: PGP signature