On 13.02.2014 13:53, Michal Privoznik wrote:
On 13.02.2014 12:40, Laine Stump wrote:
> On 02/04/2014 05:49 PM, Michal Privoznik wrote:
>> This new flag is to be used for tainting domains whose
>> XML definition was altered at runtime by a hook script.
>>
>> Signed-off-by: Michal Privoznik <mprivozn(a)redhat.com>
>> ---
>> src/conf/domain_conf.c | 3 ++-
>> src/conf/domain_conf.h | 1 +
>> 2 files changed, 3 insertions(+), 1 deletion(-)
>>
>> diff --git a/src/conf/domain_conf.c b/src/conf/domain_conf.c
>> index 28e24f9..98ac8c8 100644
>> --- a/src/conf/domain_conf.c
>> +++ b/src/conf/domain_conf.c
>> @@ -107,7 +107,8 @@ VIR_ENUM_IMPL(virDomainTaint, VIR_DOMAIN_TAINT_LAST,
>> "shell-scripts",
>> "disk-probing",
>> "external-launch",
>> - "host-cpu");
>> + "host-cpu",
>> + "hook-script");
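
Review bot: the new string "hook-script" at the end of the VIR_ENUM_IMPL(virDomainTaint, ...) list says less than the commit message does. The message describes a taint for domains whose XML definition was altered at runtime by a hook script, while the name reads as "a hook script exists or was run". Consider a name that states the actual condition, and add a comment next to the enum saying when the taint is set. The diffstat also lists a one-line addition to src/conf/domain_conf.h that is not quoted here; that enum value has to sit directly before VIR_DOMAIN_TAINT_LAST, in the same position as this string, or the enum-to-string mapping goes out of step.
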
>
> So I came back to this series after considering network tainting again.
> In the case of networks, your patch just always tainted the network
> whenever a hook script was present. But in the case of domains, you're
> only tainting it if the hook script modified the XML *and* libvirt
> accepted/used that modified XML.
>
> This makes me think two things:
>
> 1) we should probably be consistent, so if we only taint the domain if
> the hook modifies the XML and we use that XML, then maybe we shouldn't
> taint networks just because a hook script was called (or maybe domains
> should always get a "hook-script" taint if a script is run at all, and a
> different taint if the hook modifies the XML - see (2))
>
> 2) The real reason we're tainting the domain here is because a hook
> modified the xml, NOT just because a hook was run, so the reason should
> probably be something like "hook-modified-xml". In the future, we may
> want to also taint all domains that had a script run at all, and in that
> case we would still have "hook-script" available to use.

Yes, I'm aware of this difference. The reason I chose to implement it is
because in the domain case hook scripts can't cause hypervisor malfunction,
they merely adjust the environment that the hypervisor runs in. However, in
the network case this environment may cause losing connectivity. That's why
I think hook scripts are more dangerous in the network case than in the
domain case. But maybe I'm wrong and we should be tainting the domain
whenever a hook script is run, regardless of its actual effect on the
domain.

I'll not push this one, until we have a resolution.

I saw DV's plan for freeze and pushed this. We can extend tainting to
other cases anytime. But pushing new features is limited to development
phase. So I've just pushed this even though I said I won't. There hasn't
been much discussion anyway.
Michal