Re: [libvirt] [PATCH 2/6] tpm: Add support for external swtpm TPM emulator
On 04/06/2018 10:54 AM, Daniel P. Berrangé wrote:
On Fri, Apr 06, 2018 at 10:49:23AM -0400, Stefan Berger wrote:
>>>> I would feel better if we just directly killed the process - with
>>>> this approach if something goes wrong with swtpm it may never
>>>> respond to this request and stay running.
>>> swtpm can write a pidfile. I am only adding this later in this series.
>>> Problem is with --daemon libvirt doesn't know the pid of the swtpm
anymore.
>> The other option is to not use --daemon, and let libvirt write the pid
>> file, but that introduces the race with socket path creation again
>> which is not good.
> Sounds like we should leave this as it is? Unless swtpm was broken, there
> shouldn't be a reason why the we wouldn't be able to shut down swtpm by
> sending a command to it. The socket and its directory must not have
> disappeared of course.
Agreed.
I reworked this patch series quite a bit. Primarily in regards to the
directories for where the data, socket, logfile, and pidfiles are
stored. At the moment I need the following two additional SELinux rules
for svirt on Fedora 23 (old).
allow svirt_t virtd_t:fifo_file write;
allow svirt_t virtd_t:process sigchld;
Not sure where I can find the sources for the policy, but maybe there's
a more recent version that already has it?
Should this first patch be split? Take out the XML parser and generator ?
Regards,
Stefan
Regards,
Daniel