On Wed, Oct 10, 2012 at 15:11:18 +0100, Daniel P. Berrange wrote:
On Wed, Oct 10, 2012 at 01:35:33PM +0200, Jiri Denemark wrote:
> + <h2><a name="domainconfig">Domain
configuration</a></h2>
> +
> + <p>
> + In case sanlock loses access to disk locks for some reason, it will
> + kill all domains that lost their locks. This default behavior may
> + be changed using
> + <a href="formatdomain.html#elementsEvents">on_lockfailure
> + element</a> in domain XML. When this element is present, sanlock
> + will call <code>sanlock_helper</code> (provided by libvirt) with
> + the specified action. This helper binary will connect to libvirtd
> + and thus it may need to authenticate if libvirtd was configured to
> + require that on the read-write UNIX socket. To provide the
> + appropriate credentials to sanlock_helper, a
> + <a href="auth.html#Auth_client_config">client authentication
> + file</a> needs to contain something like the following:
> + </p>
> + <pre>
> +[auth-libvirt-localhost]
> +credentials=sanlock
> +
> +[credentials-sanlock]
> +authname=login
> +password=password
> + </pre>
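Review bot: The <pre> example shows authname=login and password=password without saying they are placeholders or that the file holds the password in plain text. Suggest adding a sentence to the paragraph stating that both values must be replaced with the real credentials and that the file should be readable only by the account sanlock_helper runs as. Separately, "may be changed using on_lockfailure element" is missing an article; it should read "using the on_lockfailure element".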
Hmm, I think it might be a little more complicated. IIRC, the sanlock
daemon runs under a dedicated user ID, so it will hit the policykit
auth rules by default. So should we be dropping in a .pkla file with
the libvirt sanlock RPM to allow this script to run?

Ah, that's possible. I'll prepare an additional patch for that if it appears
to be necessary.

We might need to mention where the config file should be located
too.

That's done by linking to auth.html#Auth_client_config, which mentions all the
possibilities where to store that file.

ACK in any case since this is docs stuff only.

Thanks, I pushed this series.

Jirka