External/libvirt
1
0
Fork 0
mirror of https://gitlab.com/libvirt/libvirt.git synced 2025-04-01 20:05:19 +00:00
Code

qemu: skip granting access during fd migration

Browse Source 
SELinux labeling and cgroup ACLs aren't required if we hand a
pre-opened fd to qemu.  All the more reason to love fd: migration.

* src/qemu/qemu_migration.c (qemuMigrationToFile): Skip steps
that are irrelevant in fd migration.
This commit is contained in:
Eric Blake 2011-03-09 17:49:54 -07:00
parent 6034ddd559
commit 34fa0de05e
1 changed files with 37 additions and 26 deletions

63
src/qemu/qemu_migration.c

@ -1299,36 +1299,49 @@ qemuMigrationToFile(struct qemud_driver *driver, virDomainObjPtr vm,
int rc; int rc;
bool restoreLabel = false; bool restoreLabel = false;
if (!is_reg && if (qemuCaps && qemuCapsGet(qemuCaps, QEMU_CAPS_MIGRATE_QEMU_FD) &&
qemuCgroupControllerActive(driver, VIR_CGROUP_CONTROLLER_DEVICES)) { !compressor) {
if (virCgroupForDomain(driver->cgroup, vm->def->name, /* All right! We can use fd migration, which means that qemu
&cgroup, 0) != 0) { * doesn't have to open() the file, so we don't have to futz
qemuReportError(VIR_ERR_INTERNAL_ERROR, * around with granting access or revoking it later. */
_("Unable to find cgroup for %s"), is_reg = true;
vm->def->name); bypassSecurityDriver = true;
goto cleanup; } else {
/* Phooey - we have to fall back on exec migration, where qemu
* has to popen() the file by name. We might also stumble on
* a race present in some qemu versions where it does a wait()
* that botches pclose. */
if (!is_reg &&
qemuCgroupControllerActive(driver,
VIR_CGROUP_CONTROLLER_DEVICES)) {
if (virCgroupForDomain(driver->cgroup, vm->def->name,
&cgroup, 0) != 0) {
qemuReportError(VIR_ERR_INTERNAL_ERROR,
_("Unable to find cgroup for %s"),
vm->def->name);
goto cleanup;
}
rc = virCgroupAllowDevicePath(cgroup, path,
VIR_CGROUP_DEVICE_RW);
qemuAuditCgroupPath(vm, cgroup, "allow", path, "rw", rc);
if (rc < 0) {
virReportSystemError(-rc,
_("Unable to allow device %s for %s"),
path, vm->def->name);
goto cleanup;
}
} }
rc = virCgroupAllowDevicePath(cgroup, path, if ((!bypassSecurityDriver) &&
VIR_CGROUP_DEVICE_RW); virSecurityManagerSetSavedStateLabel(driver->securityManager,
qemuAuditCgroupPath(vm, cgroup, "allow", path, "rw", rc); vm, path) < 0)
if (rc < 0) {
virReportSystemError(-rc,
_("Unable to allow device %s for %s"),
path, vm->def->name);
goto cleanup; goto cleanup;
} restoreLabel = true;
} }
if ((!bypassSecurityDriver) && qemuDomainObjEnterMonitorWithDriver(driver, vm);
virSecurityManagerSetSavedStateLabel(driver->securityManager,
vm, path) < 0)
goto cleanup;
restoreLabel = true;
if (!compressor) { if (!compressor) {
const char *args[] = { "cat", NULL }; const char *args[] = { "cat", NULL };
qemuDomainObjEnterMonitorWithDriver(driver, vm);
if (qemuCaps && qemuCapsGet(qemuCaps, QEMU_CAPS_MIGRATE_QEMU_FD) && if (qemuCaps && qemuCapsGet(qemuCaps, QEMU_CAPS_MIGRATE_QEMU_FD) &&
priv->monConfig->type == VIR_DOMAIN_CHR_TYPE_UNIX) { priv->monConfig->type == VIR_DOMAIN_CHR_TYPE_UNIX) {
rc = qemuMonitorMigrateToFd(priv->mon, rc = qemuMonitorMigrateToFd(priv->mon,
@ -1339,7 +1352,6 @@ qemuMigrationToFile(struct qemud_driver *driver, virDomainObjPtr vm,
QEMU_MONITOR_MIGRATE_BACKGROUND, QEMU_MONITOR_MIGRATE_BACKGROUND,
args, path, offset); args, path, offset);
} }
qemuDomainObjExitMonitorWithDriver(driver, vm);
} else { } else {
const char *prog = compressor; const char *prog = compressor;
const char *args[] = { const char *args[] = {
@ -1347,12 +1359,11 @@ qemuMigrationToFile(struct qemud_driver *driver, virDomainObjPtr vm,
"-c", "-c",
NULL NULL
}; };
qemuDomainObjEnterMonitorWithDriver(driver, vm);
rc = qemuMonitorMigrateToFile(priv->mon, rc = qemuMonitorMigrateToFile(priv->mon,
QEMU_MONITOR_MIGRATE_BACKGROUND, QEMU_MONITOR_MIGRATE_BACKGROUND,
args, path, offset); args, path, offset);
qemuDomainObjExitMonitorWithDriver(driver, vm);
} }
qemuDomainObjExitMonitorWithDriver(driver, vm);
if (rc < 0) if (rc < 0)
goto cleanup; goto cleanup;