
On Tue, Feb 07, 2012 at 13:39:17 -0700, Eric Blake wrote:
> On 02/07/2012 01:10 PM, Jiri Denemark wrote:
> > In case the caller specifies that confined guests are required but the security driver turns out to be 'none', we should return an error since this driver clearly cannot meet that requirement. As a result of this error, libvirtd fails to start when the host admin explicitly sets confined guests are required but there is no security driver available.
> >
> > Since security driver 'none' cannot create confined guests, we override default confined setting so that hypervisor drivers do not thing they
>
> s/thing/think/

Oops, I mistakenly pushed this without fixing the typo.

> > should create confined guests.
> > ---
> >  src/security/security_manager.c | 20 ++++++++++++++++++++
> >  tests/seclabeltest.c | 2 +-
> >  2 files changed, 21 insertions(+), 1 deletions(-)
>
> ACK that this fixes the issue, but I'm wondering whether we should move the logic that rejects requireConfig out of security_manager.c and into security_nop.c:virSecurityDriverOpenNop(). That is, the special casing is a property of the 'none' security manager. Is it worth a v2 patch that moves the error messages in that manner?

I went ahead and pushed this version (see my other email for reasons). We can refactor the whole thing later if we feel like it's a good idea.

Jirka