On 11/24/2017 04:42 PM, Paolo Bonzini wrote:
> On 24/11/2017 15:52, Daniel P. Berrange wrote:
>>> So what has been suggested so far is:
>>>
>>>   <disk type='block' device='disk'>
>>>     <source dev='/dev/sda'>
>>>     <target dev='sda' bus='scsi'/>
>>>     <reservations enable='yes'/>
>>>   </disk>
> 
> <reservations> without an inner <source> element leaves libvirtd with
> the choice of a daemon per QEMU, or a daemon per host in a well-known
> location.  Unprivileged libvirtd would always use the latter; for
> privileged libvirtd it is implementation-defined.  I like it.
> 
> <reservations> with an inner <source> always gives a daemon per host in
> a custom location.  It can be used by either unprivileged or privileged
> libvirtd.
> 
>>> Now, my question is, in the first case - how should libvirt chose the
>>> path? Should it be different for each disk/domain? How is the daemon
>>> started in the first place - should libvirt start it? And when should
>>> libvirt kill it?
>>
>> The core question is one daemon per QEMU, or one daemon per host. I'd be
>> more inclined to have one daemon per QEMU so we always have isolation
>> and thus do't have to worry about a shared daemon being a potential
>> attack point between distinct QEMU's.
> 
> One daemon per QEMU is nicer IMO because it lets us do MCS.  Of course
> one daemon per QEMU can only apply to system libvirtd; session must use
> one daemon per host.

Agreed. One daemon per QEMU it is then. Just to make sure whether I
understand correctly - libvirtd would start it *before* exec()-ing qemu
(so that qemu can connect) and kill it after qemu dies. But what should
happen if the helper dies while qemu is running? Should qemu pause
itself, fire up an event on the monitor so that libvirtd can spawn the
helper again? The helper is going to be daemonized (for the same reason
that qemu process is) => there's no SIGCHLD for libvirtd to receive.

Also, I don't really expect anything special when it comes to migration,
just want to make sure I'm not mislead.

> 
> One daemon per host is easy, because it's just a couple new command-line
> options as far as libvirtd is concerned, but we need to check that it
> works well with MCS.

It's very likely that it wouldn't. Users can chose arbitrary DAC/SELinux
labels for their qemus. In general we will not find any intersection
that the helper socket can have.

> 
>> If one daemon per host, then for privileged libvirtd, we should make sure
>> the daemon ships with a systemd unit file + socket activation file, then
>> we have a well-known cross-distro standardized socket path.
> 
> Ok, then I will send a patch for upstream QEMU that adds the Fedora
> systemd unit files to contrib/.  They are useful anyway.

Yup. In case of a unprivileged libvirtd there'll be a system-wide helper
daemon that:
a) will not be managed by libvirtd
b) has wide permissions so that any user can connect to it

This basically follows what we have for vhostuser. Except that vhostuser
is not an implementation detail of qemu :-)

Michal

--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list

Reply via email to