On Wed, Oct 10, 2012 at 01:35:33PM +0200, Jiri Denemark wrote:
While the changes to sanlock driver should be stable, the actual
implementation of sanlock_helper is supposed to be replaced in the
future. However, before we can implement a better sanlock_helper, we
need an administrative interface to libvirtd so that the helper can just
pass a "leases lost" event to the particular libvirt driver and
everything else will be taken care of internally. This approach will
also allow libvirt to pass such event to applications and use
appropriate reasons when changing domain states.
The temporary implementation handles all actions directly by calling
appropriate libvirt APIs (which among other things means that it needs
to know the credentials required to connect to libvirtd).
---
Notes:
Version 2:
- take URI rather than driver name as the first argument
- make use of built-in infrastructure for loading credentials
- add docs for sanlock_helper configuration
- mark for sanlock_helper translation
diff --git a/docs/locking.html.in b/docs/locking.html.in
index 0d039da..6d7b517 100644
--- a/docs/locking.html.in
+++ b/docs/locking.html.in
@@ -208,5 +208,29 @@
</pool>
</pre>
+ <h2><a name="domainconfig">Domain
configuration</a></h2>
+
+ <p>
+ In case sanlock loses access to disk locks for some reason, it will
+ kill all domains that lost their locks. This default behavior may
+ be changed using
+ <a href="formatdomain.html#elementsEvents">on_lockfailure
+ element</a> in domain XML. When this element is present, sanlock
+ will call <code>sanlock_helper</code> (provided by libvirt) with
+ the specified action. This helper binary will connect to libvirtd
+ and thus it may need to authenticate if libvirtd was configured to
+ require that on the read-write UNIX socket. To provide the
+ appropriate credentials to sanlock_helper, a
+ <a href="auth.html#Auth_client_config">client authentication
+ file</a> needs to contain something like the following:
+ </p>
+ <pre>
+[auth-libvirt-localhost]
+credentials=sanlock
+
+[credentials-sanlock]
+authname=login
+password=password
+ </pre>
Hmm, I think it might be a little more complicated. IIRC, the sanlock
daemon runs under a dedicated user ID, so it will hit the policykit
auth rules by default. So should we be dropping in a .pkla file with
the libvirt sanlock RPM to allow this script to run.
We might need to mention where the config file should be located
too.
ACK in any case since this is docs stuff only
Daniel
--
|:
http://berrange.com -o-
http://www.flickr.com/photos/dberrange/ :|
|:
http://libvirt.org -o-
http://virt-manager.org :|
|:
http://autobuild.org -o-
http://search.cpan.org/~danberr/ :|
|:
http://entangle-photo.org -o-
http://live.gnome.org/gtk-vnc :|