10:35 p.m.
On 2011年12月30日 12:06, Osier Yang wrote:
On 2011年12月22日 15:04, Taku Izumi wrote:
>
> This patch introduces XML schema for domains to retain arbitrary
> capabilities.
> For example, by adding the following XML to domain configuration,
> its domain can retain cap_sys_rawio capability.
>
> <process>
> <cap name='sys_rawio'/>
> </process>
>
>
> Signed-off-by: Taku Izumi<izumi.taku(a)jp.fujitsu.com>
> Signed-off-by: Shota Hirae<m11g1401(a)hibikino.ne.jp>
> ---
> docs/formatdomain.html.in | 48 ++++++++++++++++++++++++++++++++++++++
> docs/schemas/domaincommon.rng | 52
> ++++++++++++++++++++++++++++++++++++++++++
> src/conf/domain_conf.c | 33 ++++++++++++++++++++++++++
> src/conf/domain_conf.h | 2 +
> 4 files changed, 135 insertions(+)
>
> Index: libvirt/docs/schemas/domaincommon.rng
> ===================================================================
> --- libvirt.orig/docs/schemas/domaincommon.rng
> +++ libvirt/docs/schemas/domaincommon.rng
> @@ -35,6 +35,9 @@
> <ref name="clock"/>
> <ref name="resources"/>
> <ref name="features"/>
> +<optional>
> +<ref name="process"/>
> +</optional>
> <ref name="termination"/>
> <optional>
> <ref name="devices"/>
> @@ -2344,6 +2347,55 @@
> </optional>
> </define>
> <!--
> + Specification of process element
> + -->
> +<define name="process">
> +<element name="process">
> +<zeroOrMore>
> +<element name="cap">
> +<attribute name="name">
> +<choice>
> +<value>chown</value>
> +<value>dac_override</value>
> +<value>dac_read_search</value>
> +<value>fowner</value>
> +<value>fsetid</value>
> +<value>kill</value>
> +<value>setgid</value>
> +<value>setuid</value>
> +<value>setpcap</value>
> +<value>linux_immutable</value>
> +<value>net_bind_service</value>
> +<value>net_broadcast</value>
> +<value>net_admin</value>
> +<value>net_raw</value>
> +<value>ipc_lock</value>
> +<value>ipc_owner</value>
> +<value>sys_module</value>
> +<value>sys_rawio</value>
> +<value>sys_chroot</value>
> +<value>sys_ptrace</value>
> +<value>sys_pacct</value>
> +<value>sys_admin</value>
> +<value>sys_boot</value>
> +<value>sys_nice</value>
> +<value>sys_resource</value>
> +<value>sys_time</value>
> +<value>sys_tty_config</value>
> +<value>mknod</value>
> +<value>lease</value>
> +<value>audit_write</value>
> +<value>audit_control</value>
> +<value>setfcap</value>
> +<value>mac_override</value>
> +<value>mac_admin</value>
> +</choice>
> +</attribute>
> +</element>
> +</zeroOrMore>
> +</element>
> +</define>
> +<!--
> CPU specification
> -->
> <define name="cpu">
> Index: libvirt/src/conf/domain_conf.c
> ===================================================================
> --- libvirt.orig/src/conf/domain_conf.c
> +++ libvirt/src/conf/domain_conf.c
> @@ -7253,6 +7253,23 @@ static virDomainDefPtr virDomainDefParse
> VIR_FREE(nodes);
> }
>
> + n = virXPathNodeSet("./process/cap", ctxt,&nodes);
> + if (n< 0)
> + goto error;
> + if (n) {
> + for (i = 0; i< n; i++) {
> + int val =
> virCapsProcessCapsTypeFromString(virXMLPropString(nodes[i], "name"));
> + if (val< 0) {
> + virDomainReportError(VIR_ERR_INTERNAL_ERROR,
s/VIR_ERR_INTERNAL_ERROR/VIR_ERR_CONFIG_UNSUPPORTED/
> + _("unexpected process cap %s"),
> + virXMLPropString(nodes[i], "name"));
virXMLPropString is used twice, it can be avoided by something like:
const char *name = virXMLPropString(nodes[i], name);
And use name where you want.
> + goto error;
> + }
> + def->capabilities |= (1ULL<< val);
> + }
> + VIR_FREE(nodes);
> + }
> +
> if (virDomainLifecycleParseXML(ctxt, "string(./on_reboot[1])",
> &def->onReboot, VIR_DOMAIN_LIFECYCLE_RESTART,
> virDomainLifecycleTypeFromString)< 0)
> @@ -11520,6 +11537,22 @@ virDomainDefFormatInternal(virDomainDefP
> virBufferAddLit(buf, "</features>\n");
> }
>
> + if (def->capabilities) {
> + virBufferAddLit(buf, "<process>\n");
> + for (n = 0; n< VIR_PROCESS_CAPABILITY_LAST; n++) {
> + if (def->capabilities& (1ULL<< n)) {
> + const char *name = virCapsProcessCapsTypeToString(n);
> + if (!name) {
> + virDomainReportError(VIR_ERR_INTERNAL_ERROR,
> + _("unexpected process cap %d"), n);
> + goto cleanup;
> + }
> + virBufferAsprintf(buf, "<cap name='%s'/>\n", name);
> + }
> + }
> + virBufferAddLit(buf, "</process>\n");
> + }
> +
> virBufferAdjustIndent(buf, 2);
> if (virCPUDefFormatBufFull(buf, def->cpu)< 0)
> goto cleanup;
> Index: libvirt/src/conf/domain_conf.h
> ===================================================================
> --- libvirt.orig/src/conf/domain_conf.h
> +++ libvirt/src/conf/domain_conf.h
> @@ -1441,6 +1441,8 @@ struct _virDomainDef {
> char *emulator;
> int features;
>
> + unsigned long long capabilities;
Should we choose another name such like "process_caps"? Considering
we might need to introduce other capabilities for domain in future.
> +
> virDomainClockDef clock;
>
> int ngraphics;
> Index: libvirt/docs/formatdomain.html.in
> ===================================================================
> --- libvirt.orig/docs/formatdomain.html.in
> +++ libvirt/docs/formatdomain.html.in
> @@ -787,6 +787,54 @@
> </dd>
> </dl>
>
> +<h3><a name="elementsProcess">Process
Capability</a></h3>
> +
> +<p>
> + Process of Domain are allowed to retain capabilities specified
Is following better? :-)
Domain process is allowed to...
> + by cap element. What capabilities host supports can be found at
> + capability XML.
Better to add the virsh command. e.g.
capability XML (virsh capabilities)
Also we need to declare the caps are OS dependant.
> +</p>
> +
> +<pre>
> + ...
> +<process>
> +<cap name="chown"/>
> +<cap name="dac_override"/>
> +<cap name="dac_read_search"/>
> +<cap name="fowner"/>
> +<cap name="fsetid"/>
> +<cap name="kill"/>
> +<cap name="setgid"/>
> +<cap name="setuid"/>
> +<cap name="setpcap"/>
> +<cap name="linux_immutable"/>
> +<cap name="net_bind_service"/>
> +<cap name="net_broadcast"/>
> +<cap name="net_admin"/>
> +<cap name="net_raw"/>
> +<cap name="ipc_lock"/>
> +<cap name="ipc_owner"/>
> +<cap name="sys_module"/>
> +<cap name="sys_rawio"/>
> +<cap name="sys_chroot"/>
> +<cap name="sys_ptrace"/>
> +<cap name="sys_pacct"/>
> +<cap name="sys_admin"/>
> +<cap name="sys_boot"/>
> +<cap name="sys_nice"/>
> +<cap name="sys_resource"/>
> +<cap name="sys_time"/>
> +<cap name="sys_tty_config"/>
> +<cap name="mknod"/>
> +<cap name="lease"/>
> +<cap name="audit_write"/>
> +<cap name="audit_control"/>
> +<cap name="setfcap"/>
> +<cap name="mac_override"/>
> +<cap name="mac_admin"/>
> +</process>
> + ...</pre>
> +
> <h3><a name="elementsTime">Time keeping</a></h3>
>
> <p>
>
> --
> libvir-list mailing list
> libvir-list(a)redhat.com
> https://www.redhat.com/mailman/listinfo/libvir-list
--
libvir-list mailing list
libvir-list(a)redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list