[libvirt] [PATCH v5 02/16] qemu: Introduce qemuDomainDeviceDefValidateControllerAttributes

Ján Tomko jtomko at redhat.com
Mon Jan 29 09:28:32 UTC 2018

On Sun, Jan 28, 2018 at 09:48:19AM +0100, Michal Privoznik wrote:
>On 01/06/2018 12:47 AM, John Ferlan wrote:
>> Move the checks that various attributes are not set on any controller
>> other than SCSI controller using virtio-scsi model into the common
>> controller validate checks.
>> Need to also add a qemuDomainResetSCSIControllerModel call in order
>> to ensure we get the "right" SCSI model if it's not set by default
>> since it wouldn't be set during post parse processing.
>> Signed-off-by: John Ferlan <jferlan at redhat.com>
>> ---
>>  src/qemu/qemu_command.c | 24 ------------------------
>>  src/qemu/qemu_domain.c  | 41 +++++++++++++++++++++++++++++++++++++++++
>>  2 files changed, 41 insertions(+), 24 deletions(-)
>
>The only problem I have with this approach is that while previously
>we've checked for QEMU caps at domain start time, now we check for them
>at define time. So I guess in general it's not a safe thing to do.
>For instance, I'd be against moving all checks done at cmd line time to
>DefPostParse as they introduce a TOCTOU problem.

This is not DefPostParse, this is DefValidate.

PostParse is called on all XML parsing (and as of <7c5cf4983> allowed
to fail and then re-run on domain startup).

Validate is run when defining some new domains (the _VALIDATE flag has
to be added to the APIs) and then unconditionally on domain startup.

So the only problem here would be that we might not allow defining
a domain until you install QEMU with the requested features.

>However, some checks
>(mostly semantic ones) can be done in post parse callbacks. For example,
>trying to plug a disk onto an ISA bus will fail regardless of qemu caps.
>However, whether qemu supports VIRTIO_SCSI or not should not matter at
>define time as this might change after the domain is defined.
>However, SCSI controllers have been around for quite some time, so
>unless somebody is upgrading from ancient qemu, we are safe.

Generally we try not to break parsing existing configs (even with
unusable domains), which is why Validate functions are separate
from PostParse.
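
The split discussed in this message, as an added example that is not part of the original mail and is not libvirt code: a parse step that never consults QEMU capabilities, and a validate step that runs at define time only when requested and always again at start time. Every name below (`controller_def`, `post_parse`, `validate`, `define_domain`, `start_domain`, the two macros) is hypothetical, and the model covers a single controller only.

```c
#include <stdbool.h>
#include <stdio.h>

/* Simplified model; every name here is hypothetical, not libvirt's. */
#define CAP_VIRTIO_SCSI 0x1u  /* capability bit of the installed QEMU */
#define FLAG_VALIDATE   0x1u  /* caller requested validation at define */

struct controller_def {
    bool scsi;         /* controller type is SCSI */
    bool virtio_scsi;  /* controller model is virtio-scsi */
    bool extra_attrs;  /* attributes valid only for virtio-scsi are set */
};

/* Parse step: runs on every load and never consults QEMU caps, so
 * configs already on disk keep parsing. */
static int post_parse(const struct controller_def *c) { (void)c; return 0; }

/* Validate step: the attribute rule plus the capability check. */
static int validate(const struct controller_def *c, unsigned caps) {
    if (c->extra_attrs && !(c->scsi && c->virtio_scsi))
        return -1;  /* attributes set on the wrong kind of controller */
    if (c->scsi && c->virtio_scsi && !(caps & CAP_VIRTIO_SCSI))
        return -1;  /* installed QEMU lacks the requested feature */
    return 0;
}

/* Define: validation runs only when the caller passes the flag. */
static int define_domain(const struct controller_def *c, unsigned caps, unsigned flags) {
    if (post_parse(c) < 0)
        return -1;
    return (flags & FLAG_VALIDATE) ? validate(c, caps) : 0;
}

/* Start: validation is unconditional and uses the caps of that moment,
 * so a verdict reached at define time is never reused. */
static int start_domain(const struct controller_def *c, unsigned caps_now) {
    if (post_parse(c) < 0)
        return -1;
    return validate(c, caps_now);
}

int main(void) {
    struct controller_def c = { true, true, true };  /* constructed sample */
    printf("define, feature present: %d\n", define_domain(&c, CAP_VIRTIO_SCSI, FLAG_VALIDATE));
    printf("define, feature absent:  %d\n", define_domain(&c, 0, FLAG_VALIDATE));
    printf("start after feature lost: %d\n", start_domain(&c, 0));
    return 0;
}
```

Because `start_domain` re-checks against the capabilities in effect at that moment, a change of QEMU between define and start cannot let a stale define-time result through; the only cost is that a validated define is refused while the feature is missing.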

