[libvirt] [PATCH] RFC: audit: add shmem resource type
Provide information about shared memory resources in audit log. Notes: - the same shm used several times will add up. This is a very uncommon case, but we may want to account only the different shm names instead. - the shm may exist before the VMs was started, so the shm may not actually be created by the VM (it can be there before, or created by the server for instance). https://bugzilla.redhat.com/show_bug.cgi?id=1218603 Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com> --- docs/auditlog.html.in | 17 +++++++++++++++++ src/conf/domain_audit.c | 10 ++++++++++ src/conf/domain_audit.h | 6 ++++++ src/conf/domain_conf.c | 21 +++++++++++++++++++++ src/conf/domain_conf.h | 1 + src/libvirt_private.syms | 2 ++ 6 files changed, 57 insertions(+) diff --git a/docs/auditlog.html.in b/docs/auditlog.html.in index 8a007ca..a6e5f6d 100644 --- a/docs/auditlog.html.in +++ b/docs/auditlog.html.in @@ -172,6 +172,23 @@ <dd>Updated memory size in bytes</dd> </dl> + <h4><a name="typeresourceshmem">Shared Memory</a></h4> + + <p> + The <code>msg</code> field will include the following sub-fields + </p> + + <dl> + <dt>reason</dt> + <dd>The reason which caused the resource to be assigned to happen</dd> + <dt>resrc</dt> + <dd>The type of resource assigned. Set to <code>shmem</code></dd> + <dt>old-shmem</dt> + <dd>Original memory size in bytes, or 0</dd> + <dt>new-shmem</dt> + <dd>Updated memory size in bytes</dd> + </dl> + <h4><a name="typeresourcedisk">Disk</a></h4> <p> The <code>msg</code> field will include the following sub-fields diff --git a/src/conf/domain_audit.c b/src/conf/domain_audit.c index caebdba..bc81aec 100644 --- a/src/conf/domain_audit.c +++ b/src/conf/domain_audit.c @@ -783,6 +783,14 @@ virDomainAuditMemory(virDomainObjPtr vm, } void +virDomainAuditShmem(virDomainObjPtr vm, + unsigned long long oldmem, unsigned long long newmem, + const char *reason, bool success) +{ + return virDomainAuditResource(vm, "shmem", oldmem, newmem, reason, success); +} + +void virDomainAuditVcpu(virDomainObjPtr vm, unsigned int oldvcpu, unsigned int newvcpu, const char *reason, bool success) @@ -885,6 +893,8 @@ virDomainAuditStart(virDomainObjPtr vm, const char *reason, bool success) virDomainAuditMemory(vm, 0, virDomainDefGetMemoryActual(vm->def), "start", true); + virDomainAuditShmem(vm, 0, virDomainDefGetShmem(vm->def), + "start", true); virDomainAuditVcpu(vm, 0, vm->def->vcpus, "start", true); if (vm->def->iothreads) virDomainAuditIOThread(vm, 0, vm->def->iothreads, "start", true); diff --git a/src/conf/domain_audit.h b/src/conf/domain_audit.h index 97dadca..3db6ace 100644 --- a/src/conf/domain_audit.h +++ b/src/conf/domain_audit.h @@ -96,6 +96,12 @@ void virDomainAuditMemory(virDomainObjPtr vm, const char *reason, bool success) ATTRIBUTE_NONNULL(1) ATTRIBUTE_NONNULL(4); +void virDomainAuditShmem(virDomainObjPtr vm, + unsigned long long oldmem, + unsigned long long newmem, + const char *reason, + bool success) + ATTRIBUTE_NONNULL(1) ATTRIBUTE_NONNULL(4); void virDomainAuditVcpu(virDomainObjPtr vm, unsigned int oldvcpu, unsigned int newvcpu, diff --git a/src/conf/domain_conf.c b/src/conf/domain_conf.c index 5a9a88d..378aa1a 100644 --- a/src/conf/domain_conf.c +++ b/src/conf/domain_conf.c @@ -7575,6 +7575,27 @@ virDomainDefGetMemoryActual(virDomainDefPtr def) } +/** + * virDomainDefGetShmem: + * @def: domain definition + * + * Returns the current shared memory size usable by the domain described by + * @def. + */ +unsigned long long +virDomainDefGetShmem(virDomainDefPtr def) +{ + unsigned long long ret = 0; + size_t i; + + for (i = 0; i < def->nshmems; i++) { + ret += def->shmems[i]->size; + } + + return ret; +} + + static int virDomainControllerModelTypeFromString(const virDomainControllerDef *def, const char *model) diff --git a/src/conf/domain_conf.h b/src/conf/domain_conf.h index 50750c1..041d619 100644 --- a/src/conf/domain_conf.h +++ b/src/conf/domain_conf.h @@ -2287,6 +2287,7 @@ struct _virDomainDef { unsigned long long virDomainDefGetMemoryInitial(virDomainDefPtr def); void virDomainDefSetMemoryInitial(virDomainDefPtr def, unsigned long long size); unsigned long long virDomainDefGetMemoryActual(virDomainDefPtr def); +unsigned long long virDomainDefGetShmem(virDomainDefPtr def); typedef enum { VIR_DOMAIN_KEY_WRAP_CIPHER_NAME_AES, diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms index 720afdf..0bb4513 100644 --- a/src/libvirt_private.syms +++ b/src/libvirt_private.syms @@ -134,6 +134,7 @@ virDomainAuditNetDevice; virDomainAuditRedirdev; virDomainAuditRNG; virDomainAuditSecurityLabel; +virDomainAuditShmem; virDomainAuditStart; virDomainAuditStop; virDomainAuditVcpu; @@ -214,6 +215,7 @@ virDomainDefGetDefaultEmulator; virDomainDefGetMemoryActual; virDomainDefGetMemoryInitial; virDomainDefGetSecurityLabelDef; +virDomainDefGetShmem; virDomainDefHasDeviceAddress; virDomainDefMaybeAddController; virDomainDefMaybeAddInput; -- 2.4.3
On Fri, Jul 10, 2015 at 06:11:35PM +0200, Marc-André Lureau wrote:
Provide information about shared memory resources in audit log.
Notes:
- the same shm used several times will add up. This is a very uncommon case, but we may want to account only the different shm names instead.
- the shm may exist before the VMs was started, so the shm may not actually be created by the VM (it can be there before, or created by the server for instance).
https://bugzilla.redhat.com/show_bug.cgi?id=1218603
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com> --- docs/auditlog.html.in | 17 +++++++++++++++++ src/conf/domain_audit.c | 10 ++++++++++ src/conf/domain_audit.h | 6 ++++++ src/conf/domain_conf.c | 21 +++++++++++++++++++++ src/conf/domain_conf.h | 1 + src/libvirt_private.syms | 2 ++ 6 files changed, 57 insertions(+)
As said in previous attempt by Luyao to do this, the auditing should be handled differently, there's also lot more info to audit. Thanks for the patch, but this must be done in another way.
diff --git a/docs/auditlog.html.in b/docs/auditlog.html.in index 8a007ca..a6e5f6d 100644 --- a/docs/auditlog.html.in +++ b/docs/auditlog.html.in @@ -172,6 +172,23 @@ <dd>Updated memory size in bytes</dd> </dl>
+ <h4><a name="typeresourceshmem">Shared Memory</a></h4> + + <p> + The <code>msg</code> field will include the following sub-fields + </p> + + <dl> + <dt>reason</dt> + <dd>The reason which caused the resource to be assigned to happen</dd> + <dt>resrc</dt> + <dd>The type of resource assigned. Set to <code>shmem</code></dd> + <dt>old-shmem</dt> + <dd>Original memory size in bytes, or 0</dd> + <dt>new-shmem</dt> + <dd>Updated memory size in bytes</dd> + </dl> + <h4><a name="typeresourcedisk">Disk</a></h4> <p> The <code>msg</code> field will include the following sub-fields diff --git a/src/conf/domain_audit.c b/src/conf/domain_audit.c index caebdba..bc81aec 100644 --- a/src/conf/domain_audit.c +++ b/src/conf/domain_audit.c @@ -783,6 +783,14 @@ virDomainAuditMemory(virDomainObjPtr vm, }
void +virDomainAuditShmem(virDomainObjPtr vm, + unsigned long long oldmem, unsigned long long newmem, + const char *reason, bool success) +{ + return virDomainAuditResource(vm, "shmem", oldmem, newmem, reason, success); +} + +void virDomainAuditVcpu(virDomainObjPtr vm, unsigned int oldvcpu, unsigned int newvcpu, const char *reason, bool success) @@ -885,6 +893,8 @@ virDomainAuditStart(virDomainObjPtr vm, const char *reason, bool success)
virDomainAuditMemory(vm, 0, virDomainDefGetMemoryActual(vm->def), "start", true); + virDomainAuditShmem(vm, 0, virDomainDefGetShmem(vm->def), + "start", true); virDomainAuditVcpu(vm, 0, vm->def->vcpus, "start", true); if (vm->def->iothreads) virDomainAuditIOThread(vm, 0, vm->def->iothreads, "start", true); diff --git a/src/conf/domain_audit.h b/src/conf/domain_audit.h index 97dadca..3db6ace 100644 --- a/src/conf/domain_audit.h +++ b/src/conf/domain_audit.h @@ -96,6 +96,12 @@ void virDomainAuditMemory(virDomainObjPtr vm, const char *reason, bool success) ATTRIBUTE_NONNULL(1) ATTRIBUTE_NONNULL(4); +void virDomainAuditShmem(virDomainObjPtr vm, + unsigned long long oldmem, + unsigned long long newmem, + const char *reason, + bool success) + ATTRIBUTE_NONNULL(1) ATTRIBUTE_NONNULL(4); void virDomainAuditVcpu(virDomainObjPtr vm, unsigned int oldvcpu, unsigned int newvcpu, diff --git a/src/conf/domain_conf.c b/src/conf/domain_conf.c index 5a9a88d..378aa1a 100644 --- a/src/conf/domain_conf.c +++ b/src/conf/domain_conf.c @@ -7575,6 +7575,27 @@ virDomainDefGetMemoryActual(virDomainDefPtr def) }
+/** + * virDomainDefGetShmem: + * @def: domain definition + * + * Returns the current shared memory size usable by the domain described by + * @def. + */ +unsigned long long +virDomainDefGetShmem(virDomainDefPtr def) +{ + unsigned long long ret = 0; + size_t i; + + for (i = 0; i < def->nshmems; i++) { + ret += def->shmems[i]->size; + } + + return ret; +} + + static int virDomainControllerModelTypeFromString(const virDomainControllerDef *def, const char *model) diff --git a/src/conf/domain_conf.h b/src/conf/domain_conf.h index 50750c1..041d619 100644 --- a/src/conf/domain_conf.h +++ b/src/conf/domain_conf.h @@ -2287,6 +2287,7 @@ struct _virDomainDef { unsigned long long virDomainDefGetMemoryInitial(virDomainDefPtr def); void virDomainDefSetMemoryInitial(virDomainDefPtr def, unsigned long long size); unsigned long long virDomainDefGetMemoryActual(virDomainDefPtr def); +unsigned long long virDomainDefGetShmem(virDomainDefPtr def);
typedef enum { VIR_DOMAIN_KEY_WRAP_CIPHER_NAME_AES, diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms index 720afdf..0bb4513 100644 --- a/src/libvirt_private.syms +++ b/src/libvirt_private.syms @@ -134,6 +134,7 @@ virDomainAuditNetDevice; virDomainAuditRedirdev; virDomainAuditRNG; virDomainAuditSecurityLabel; +virDomainAuditShmem; virDomainAuditStart; virDomainAuditStop; virDomainAuditVcpu; @@ -214,6 +215,7 @@ virDomainDefGetDefaultEmulator; virDomainDefGetMemoryActual; virDomainDefGetMemoryInitial; virDomainDefGetSecurityLabelDef; +virDomainDefGetShmem; virDomainDefHasDeviceAddress; virDomainDefMaybeAddController; virDomainDefMaybeAddInput; -- 2.4.3
-- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list
On Sun, Jul 12, 2015 at 12:36 PM, Martin Kletzander <mkletzan@redhat.com> wrote:
As said in previous attempt by Luyao to do this, the auditing should be handled differently, there's also lot more info to audit. Thanks for the patch, but this must be done in another way.
Could you please give me a pointer? thanks -- Marc-André Lureau
Hi Marc-André: On 07/13/2015 05:49 AM, Marc-André Lureau wrote:
On Sun, Jul 12, 2015 at 12:36 PM, Martin Kletzander <mkletzan@redhat.com> wrote:
As said in previous attempt by Luyao to do this, the auditing should be handled differently, there's also lot more info to audit. Thanks for the patch, but this must be done in another way.
Could you please give me a pointer?
Here : http://www.redhat.com/archives/libvir-list/2015-July/msg00316.html As Martin's reply in this mail, the memory size is not enought, we need audit more information (just like shmobj name, the server socket path). Thanks a lot for your patch.
thanks
Luyao
participants (4)
-
lhuang -
Marc-André Lureau -
Marc-André Lureau -
Martin Kletzander