[libvirt] [PATCH v3 03/13] security: Always spawn process for transactions

John Ferlan jferlan at redhat.com
Tue Nov 13 20:52:17 UTC 2018


[...]
>>
>> I understand (generically) why we need the lock. I'm OK with it being
>> enabled by default. That's not the question/ask. Building in a way to
>> allow disabling usage of virFork and/or metadata lock knowing the
>> "penalty" or downside to doing so goes beyond bug free or performance,
>> it's just that "choice" we allow someone to make. You know there are
>> those out there that will bemoan "choosing" this as the default. If
>> they want to disable in order to gain whatever at the cost of something
>> else, then so be it. In some ways it's a CYA exercise.
> 
> Just an idea that I got, what if there won't be any config knob but this
> would use namespaces? I mean, if namespaces are on then metadata locking
> is happening and if they are off then no metadata locking is happening.
> 
> Since namespaces do mean extra fork(), doing things this way there won't
> be any extra fork() if namespaces are off.
> 

I'd prefer to not make metadata locking (files) rely on namespaces
(devices).  I get the relationship though.

John



