On 09/12/2014 07:05 AM, Peter Krempa wrote:
> On 09/12/14 13:48, Francesco Romani wrote:
> This patch implements the VIR_DOMAIN_STATS_BALLOON
> group of statistics.
>
> Signed-off-by: Francesco Romani <fromani(a)redhat.com>
> ---
> include/libvirt/libvirt.h.in | 1 +
> src/libvirt.c | 6 ++++
> src/qemu/qemu_driver.c | 73 ++++++++++++++++++++++++++++++++++++++++++++
> 3 files changed, 80 insertions(+)
>
> Just one small nit:
> +
> + if (vm->def->memballoon &&
> + vm->def->memballoon->model == VIR_DOMAIN_MEMBALLOON_MODEL_NONE) {
> + *memory = vm->def->mem.max_balloon;
> + } else if (virQEMUCapsGet(priv->qemuCaps, QEMU_CAPS_BALLOON_EVENT)) {
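Review bot: in the first condition, a NULL `vm->def->memballoon` skips the `VIR_DOMAIN_MEMBALLOON_MODEL_NONE` branch and falls through to the `QEMU_CAPS_BALLOON_EVENT` check, so a domain with no memballoon definition is handled by the later branches. If that is intended, say so in a comment; if not, handle the NULL case explicitly alongside model NONE. A one-line comment on the `QEMU_CAPS_BALLOON_EVENT` branch stating where its value comes from would also make the branch order easier to audit.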
> If qemu supports the BALLOON_EVENT, you get the right data even if you
> can't acquire the job ...

Oh, that's right. The reason we strongly prefer the event instead of
the old command is that the old command blocked until the guest
responded, but an uncooperative guest can use that to cause denial of
service. Most qemu QMP commands reply immediately without waiting for
guest interaction; and the balloon event allowed the same behavior
there. So I think we do NOT want to allow balloon stats to work UNLESS
qemu is new enough to provide them without guest interaction.

If we DO allow guest interaction, then we need to modify
remote_protocol.x to add ACL checks, so that the ACL controls can deny
an unprivileged user from attempting a query that will potentially
starve a privileged user. So I'd rather go with the stance that we
cannot query stats that would require guest interaction, or at a
minimum, gate things by having an explicit flag the caller must pass to
acknowledge the risk (and having a flag lets us have a conditional ACL
check, where the common case of not using the flag doesn't need to be
slowed down by a check).
--
Eric Blake eblake redhat com +1-919-301-3266
Libvirt virtualization library
http://libvirt.org
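
The gating proposed in the reply above, as an added sketch that is not libvirt code and not from the thread: the event-backed value is returned with no ACL check, and a query that waits on the guest runs only when the caller passes an explicit flag and the ACL allows it. Every name here (`STATS_ALLOW_GUEST_QUERY`, `balloon_stat`, `query_guest`, `scenario`) is hypothetical, and modelling the event path as a cached value is an assumption.

```c
#include <stdbool.h>
#include <stdio.h>

/* Every name here is hypothetical; none of this is libvirt API. */
#define STATS_ALLOW_GUEST_QUERY (1u << 0) /* caller accepts a blocking query */
enum { STATS_OK = 0, STATS_UNAVAILABLE = -1, STATS_DENIED = -2 };
struct domain {
    bool has_balloon_event;        /* hypervisor reports changes as events */
    unsigned long long cached_kib; /* assumed: last value an event delivered */
    int guest_queries;             /* blocking queries issued so far */
};
static int last_guest_queries;     /* set by scenario() for inspection */

/* Stand-in for a monitor command that waits for the guest to answer. */
static int query_guest(struct domain *d, unsigned long long *kib)
{
    d->guest_queries++;
    *kib = 524288;                 /* constructed sample value */
    return 0;
}

static int balloon_stat(struct domain *d, bool acl_allows_blocking,
                        unsigned int flags, unsigned long long *kib)
{
    if (d->has_balloon_event) {    /* no guest round trip, no ACL check */
        *kib = d->cached_kib;
        return STATS_OK;
    }
    if (!(flags & STATS_ALLOW_GUEST_QUERY))
        return STATS_UNAVAILABLE;  /* default: never wait on the guest */
    if (!acl_allows_blocking)
        return STATS_DENIED;       /* ACL consulted only on the flagged path */
    return query_guest(d, kib) == 0 ? STATS_OK : STATS_UNAVAILABLE;
}

/* Runs one constructed scenario and records how many blocking calls it made. */
static int scenario(bool has_event, bool acl, unsigned int flags)
{
    struct domain d = { has_event, 1048576, 0 }; /* constructed sample */
    unsigned long long kib = 0;
    int rc = balloon_stat(&d, acl, flags, &kib);
    last_guest_queries = d.guest_queries;
    return rc;
}

int main(void)
{
    printf("unflagged=%d flagged=%d\n", scenario(false, true, 0),
           scenario(false, true, STATS_ALLOW_GUEST_QUERY));
    return 0;
}
```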