[libvirt] [PATCH 3/8] docs: Add docs and rng schema for new XML cdbfilter
Eric Blake
eblake at redhat.com
Fri Dec 14 20:33:33 UTC 2012
On 12/13/2012 12:05 PM, Osier Yang wrote:
> Since "rawio" and "cdbfilter" are only valid for "lun", this
> groups them together; And since both of them intend to allow
> the unprivledged user to use the SG_IO commands, they must be
s/unprivledged/unprivileged/
> exclusive.
> ---
> docs/formatdomain.html.in | 13 +++++++++-
> docs/schemas/domaincommon.rng | 52 ++++++++++++++++++++++++++++------------
> 2 files changed, 48 insertions(+), 17 deletions(-)
>
> diff --git a/docs/formatdomain.html.in b/docs/formatdomain.html.in
> index 8e234fd..8c7c682 100644
> --- a/docs/formatdomain.html.in
> +++ b/docs/formatdomain.html.in
> @@ -1395,7 +1395,18 @@
> rawio='yes', rawio capability will be enabled for all disks in
> the domain (because, in the case of QEMU, this capability can
> only be set on a per-process basis). This attribute is only
> - valid when device is "lun".
> + valid when device is "lun". NB, <code>rawio</code> intends to
> + confine the capability per-device, however, current QEMU
> + implementation gives the domain process broader capability
> + than that (per-process basis, affects all the domain disks).
> + To confine the capability as much as possible for QEMU driver
> + as this stage, <code>cdbfilter</code> is recommended.
> + The optional <code>cdbfilter</code> attribute
> + (<span class="since">since 1.0.1</span>) indicates whether the
> + kernel will filter unprivileged SG_IO for the disk, valid settings
> + are "yes" or "no" (defaults to "yes"). Note that it's exclusive
> + with attribute <code>rawio</code>; Same with <code>rawio</code>,
> + <code>cdbfilter</code> is only valid for device 'lun'.
Hmm, this doesn't seem like the smartest of designs. If I'm
understanding you right, we have:
rawio cdbfilter result
missing missing kernel prevents SG_IO
missing no kernel prevents SG_IO
missing yes SG_IO allowed for disk
no missing kernel prevents SG_IO
no no kernel prevents SG_IO
no yes SG_IO allowed for disk
yes missing SG_IO allowed for process
yes no SG_IO allowed for process
yes yes error
Why not simplify things, and have a single attribute rawio, with
multiple values?
rawio result
missing kernel prevents SG_IO
no kernel prevents SG_IO
yes SG_IO allowed for process
cdb SG_IO allowed for disk
where we document that 'yes' works on more kernel versions than 'cdb',
but that 'cdb' (new to 1.0.1) is more secure.
> The optional <code>snapshot</code> attribute indicates the default
> behavior of the disk during disk snapshots: "internal"
> requires a file format such as qcow2 that can store both the
> diff --git a/docs/schemas/domaincommon.rng b/docs/schemas/domaincommon.rng
> index 14344e2..c8cdfd7 100644
> --- a/docs/schemas/domaincommon.rng
> +++ b/docs/schemas/domaincommon.rng
> @@ -971,24 +971,44 @@
> -->
> <define name="disk">
> <element name="disk">
> - <optional>
> - <attribute name="device">
> - <choice>
> - <value>floppy</value>
> - <value>disk</value>
> - <value>cdrom</value>
> - <value>lun</value>
> - </choice>
> - </attribute>
> - </optional>
> - <optional>
> - <attribute name="rawio">
> + <choice>
> + <group>
> + <optional>
> + <attribute name="device">
> + <choice>
> + <value>floppy</value>
> + <value>disk</value>
> + <value>cdrom</value>
> + </choice>
> + </attribute>
> + </optional>
> + </group>
I like that you split this up, to enforce that rawio only appears with
device='lun'. However...
> + <group>
> + <optional>
> + <attribute name="device">
> + <value>lun</value>
> + </attribute>
> + </optional>
This device='lun' should not be <optional>, since the default when
device= is omitted is 'disk' (that is, unless you want the absence of
device= and the presence of rawio='...' to imply a lun, but I think we
should require an explicit use of lun before allowing rawio=).
> <choice>
> - <value>yes</value>
> - <value>no</value>
> + <optional>
> + <attribute name="rawio">
> + <choice>
> + <value>yes</value>
> + <value>no</value>
> + </choice>
> + </attribute>
> + </optional>
> + <optional>
> + <attribute name="cdbfilter">
> + <choice>
> + <value>yes</value>
> + <value>no</value>
> + </choice>
And this part would need a major rework if you go with my idea of a
tri-state attribute value for rawio instead of introducing yet another
attribute.
> + </attribute>
> + </optional>
> </choice>
> - </attribute>
> - </optional>
> + </group>
> + </choice>
> <optional>
> <ref name="snapshot"/>
> </optional>
>
--
Eric Blake eblake redhat com +1-919-301-3266
Libvirt virtualization library http://libvirt.org
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 619 bytes
Desc: OpenPGP digital signature
URL: <http://listman.redhat.com/archives/libvir-list/attachments/20121214/3b40ce7b/attachment-0001.sig>
More information about the libvir-list
mailing list