[libvirt] [PATCH v4 00/23] Introduce metadata locking
Michal Privoznik
mprivozn at redhat.com
Mon Sep 10 09:36:01 UTC 2018
Technically, this is v4 of:
https://www.redhat.com/archives/libvir-list/2018-August/msg01627.html
However, this is implementing different approach than any of the
previous versions.
One of the problems with previous version was that it was too
complicated. The main reason for that was that we could not close the
connection whilst there was a file locked. So we had to invent a
mechanism that would prevent that (on the client side).
These patches implement different approach. They rely on secdriver's
transactions which bring all the paths we want to label into one place
so that they can be relabelled within different namespace.
I'm extending this idea so that transactions run all the time
(regardless of domain namespacing) and only at the very last moment is
decided which namespace would the relabeling run in.
Metadata locking is then as easy as putting lock/unlock calls around one
function.
You can find the patches at my github too:
https://github.com/zippy2/libvirt/tree/disk_metadata_lock_v4_alt
Michal Prívozník (23):
qemu_security: Fully implement qemuSecurityDomainSetPathLabel
qemu_security: Fully implement
qemuSecurity{Set,Restore}SavedStateLabel
qemu_security: Require full wrappers for APIs that might touch a file
virSecurityManagerTransactionCommit: Accept pid == -1
qemu_security: Run transactions more frequently
virlockspace: Allow caller to specify start and length offset in
virLockSpaceAcquireResource
lock_driver_lockd: Introduce
VIR_LOCK_SPACE_PROTOCOL_ACQUIRE_RESOURCE_METADATA flag
lock_driver: Introduce new VIR_LOCK_MANAGER_OBJECT_TYPE_DAEMON
_virLockManagerLockDaemonPrivate: Move @hasRWDisks into dom union
lock_driver: Introduce VIR_LOCK_MANAGER_RESOURCE_TYPE_METADATA
lock_driver: Introduce VIR_LOCK_MANAGER_ACQUIRE_ROLLBACK
lock_daemon_dispatch: Check for ownerPid rather than ownerId
lock_manager: Allow disabling configFile for virLockManagerPluginNew
qemu_conf: Introduce metadata_lock_manager
security_manager: Load lock plugin on init
security_manager: Introduce metadata locking APIs
security_dac: Move transaction handling up one level
security_dac: Fix info messages when chown()-ing
security_dac: Lock metadata when running transaction
virSecuritySELinuxRestoreFileLabel: Rename 'err' label
virSecuritySELinuxRestoreFileLabel: Adjust code pattern
security_selinux: Move transaction handling up one level
security_dac: Lock metadata when running transaction
cfg.mk | 4 +-
src/locking/lock_daemon_dispatch.c | 25 ++-
src/locking/lock_driver.h | 12 ++
src/locking/lock_driver_lockd.c | 417 +++++++++++++++++++++++++------------
src/locking/lock_driver_lockd.h | 1 +
src/locking/lock_driver_sanlock.c | 44 ++--
src/locking/lock_manager.c | 10 +-
src/lxc/lxc_controller.c | 3 +-
src/lxc/lxc_driver.c | 2 +-
src/qemu/libvirtd_qemu.aug | 1 +
src/qemu/qemu.conf | 8 +
src/qemu/qemu_conf.c | 13 ++
src/qemu/qemu_conf.h | 1 +
src/qemu/qemu_domain.c | 3 +-
src/qemu/qemu_driver.c | 10 +-
src/qemu/qemu_process.c | 15 +-
src/qemu/qemu_security.c | 272 +++++++++++++++++-------
src/qemu/qemu_security.h | 18 +-
src/qemu/test_libvirtd_qemu.aug.in | 1 +
src/security/security_dac.c | 134 ++++++++----
src/security/security_manager.c | 171 ++++++++++++++-
src/security/security_manager.h | 9 +
src/security/security_selinux.c | 118 ++++++++---
src/util/virlockspace.c | 15 +-
src/util/virlockspace.h | 4 +
tests/seclabeltest.c | 2 +-
tests/securityselinuxlabeltest.c | 2 +-
tests/securityselinuxtest.c | 2 +-
tests/testutilsqemu.c | 2 +-
tests/virlockspacetest.c | 29 ++-
30 files changed, 1006 insertions(+), 342 deletions(-)
--
2.16.4
More information about the libvir-list
mailing list