[libvirt] [PATCH v2 6/6] locking: Implement lock failure action in sanlock driver
Jiri Denemark
jdenemar at redhat.com
Thu Oct 11 13:05:15 UTC 2012
On Wed, Oct 10, 2012 at 15:11:18 +0100, Daniel P. Berrange wrote:
> On Wed, Oct 10, 2012 at 01:35:33PM +0200, Jiri Denemark wrote:
> > + <h2><a name="domainconfig">Domain configuration</a></h2>
> > +
> > + <p>
> > + In case sanlock loses access to disk locks for some reason, it will
> > + kill all domains that lost their locks. This default behavior may
> > + be changed using
> > + <a href="formatdomain.html#elementsEvents">on_lockfailure
> > + element</a> in domain XML. When this element is present, sanlock
> > + will call <code>sanlock_helper</code> (provided by libvirt) with
> > + the specified action. This helper binary will connect to libvirtd
> > + and thus it may need to authenticate if libvirtd was configured to
> > + require that on the read-write UNIX socket. To provide the
> > + appropriate credentials to sanlock_helper, a
> > + <a href="auth.html#Auth_client_config">client authentication
> > + file</a> needs to contain something like the following:
> > + </p>
> > + <pre>
> > +[auth-libvirt-localhost]
> > +credentials=sanlock
> > +
> > +[credentials-sanlock]
> > +authname=login
> > +password=password
> > + </pre>
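Review bot: The <pre> example stores a plaintext "password=" entry in the client authentication file, yet the paragraph above it never says who needs read access to that file. Consider adding a sentence after the auth.html#Auth_client_config link stating that the file must be readable by the user sanlock_helper runs as and should not be readable by other unprivileged users. It would also help to mark "login" and "password" as placeholders so they are not copied literally, and the link text would read better as "the on_lockfailure element".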
>
> Hmm, I think it might be a little more complicated. IIRC, the sanlock
> daemon runs under a dedicated user ID, so it will hit the policykit
> auth rules by default. So should we be dropping in a .pkla file with
> the libvirt sanlock RPM to allow this script to run?
Ah, that's possible. I'll prepare an additional patch for that if it appears
to be necessary.
> We might need to mention where the config file should be located
> too.
That's done by linking to auth.html#Auth_client_config, which mentions all the
possibilities where to store that file.
> ACK in any case since this is docs stuff only
Thanks, I pushed this series.
Jirka