[libvirt] [PATCH v2 2/5] conf: add XML schema for domain XML
Osier Yang
jyang at redhat.com
Fri Dec 30 04:54:49 UTC 2011
On 2011年12月22日 15:04, Taku Izumi wrote:
>
> This patch introduces XML schema for domains to retain arbitrary capabilities.
> For example, by adding the following XML to domain configuration,
> its domain can retain cap_sys_rawio capability.
>
> <process>
> <cap name='sys_rawio'/>
> </process>
>
>
> Signed-off-by: Taku Izumi<izumi.taku at jp.fujitsu.com>
> Signed-off-by: Shota Hirae<m11g1401 at hibikino.ne.jp>
> ---
> docs/formatdomain.html.in | 48 ++++++++++++++++++++++++++++++++++++++
> docs/schemas/domaincommon.rng | 52 ++++++++++++++++++++++++++++++++++++++++++
> src/conf/domain_conf.c | 33 ++++++++++++++++++++++++++
> src/conf/domain_conf.h | 2 +
> 4 files changed, 135 insertions(+)
>
> Index: libvirt/docs/schemas/domaincommon.rng
> ===================================================================
> --- libvirt.orig/docs/schemas/domaincommon.rng
> +++ libvirt/docs/schemas/domaincommon.rng
> @@ -35,6 +35,9 @@
> <ref name="clock"/>
> <ref name="resources"/>
> <ref name="features"/>
> +<optional>
> +<ref name="process"/>
> +</optional>
> <ref name="termination"/>
> <optional>
> <ref name="devices"/>
> @@ -2344,6 +2347,55 @@
> </optional>
> </define>
> <!--
> + Specification of process element
> + -->
> +<define name="process">
> +<element name="process">
> +<zeroOrMore>
> +<element name="cap">
> +<attribute name="name">
> +<choice>
> +<value>chown</value>
> +<value>dac_override</value>
> +<value>dac_read_search</value>
> +<value>fowner</value>
> +<value>fsetid</value>
> +<value>kill</value>
> +<value>setgid</value>
> +<value>setuid</value>
> +<value>setpcap</value>
> +<value>linux_immutable</value>
> +<value>net_bind_service</value>
> +<value>net_broadcast</value>
> +<value>net_admin</value>
> +<value>net_raw</value>
> +<value>ipc_lock</value>
> +<value>ipc_owner</value>
> +<value>sys_module</value>
> +<value>sys_rawio</value>
> +<value>sys_chroot</value>
> +<value>sys_ptrace</value>
> +<value>sys_pacct</value>
> +<value>sys_admin</value>
> +<value>sys_boot</value>
> +<value>sys_nice</value>
> +<value>sys_resource</value>
> +<value>sys_time</value>
> +<value>sys_tty_config</value>
> +<value>mknod</value>
> +<value>lease</value>
> +<value>audit_write</value>
> +<value>audit_control</value>
> +<value>setfcap</value>
> +<value>mac_override</value>
> +<value>mac_admin</value>
> +</choice>
> +</attribute>
> +</element>
> +</zeroOrMore>
> +</element>
> +</define>
> +<!--
> CPU specification
> -->
> <define name="cpu">
> Index: libvirt/src/conf/domain_conf.c
> ===================================================================
> --- libvirt.orig/src/conf/domain_conf.c
> +++ libvirt/src/conf/domain_conf.c
> @@ -7253,6 +7253,23 @@ static virDomainDefPtr virDomainDefParse
> VIR_FREE(nodes);
> }
>
> + n = virXPathNodeSet("./process/cap", ctxt,&nodes);
> + if (n< 0)
> + goto error;
> + if (n) {
> + for (i = 0; i< n; i++) {
> + int val = virCapsProcessCapsTypeFromString(virXMLPropString(nodes[i], "name"));
> + if (val< 0) {
> + virDomainReportError(VIR_ERR_INTERNAL_ERROR,
> + _("unexpected process cap %s"),
> + virXMLPropString(nodes[i], "name"));
> + goto error;
> + }
> + def->capabilities |= (1ULL<< val);
I don't see any checking on the caps with the capabilities exposed
in the host & driver capabilities XML (virsh capabilities) in the
whole patchset, and IMHO here is the right place to do the checking.
(perhaps some helper function).
As we don't want to pass the the caps actually unsupported by OS
simply to the guest process. And get the error there.
If we don't that, that means the exposed host process caps is just
useless.
Regards,
Osier
More information about the libvir-list
mailing list