Date: Mon, 23 May 2011 14:42:08 +0100
From: "Daniel P. Berrange"
Message-ID: <20110523134208.GU24143@redhat.com>
References: <4DD6B777.9020800@us.ibm.com> <20110523094558.GA24143@redhat.com> <4DDA5804.9030403@us.ibm.com> <4DDA5F50.8050203@us.ibm.com>
Subject: Re: [Qemu-devel] [PATCH] Add support for fd: protocol
To: Stefan Hajnoczi
Cc: qemu-devel@nongnu.org, Anthony Liguori, Tyler C Hicks, Corey C Bryant

On Mon, May 23, 2011 at 02:26:05PM +0100, Stefan Hajnoczi wrote:
> On Mon, May 23, 2011 at 2:21 PM, Anthony Liguori wrote:
> > On 05/23/2011 08:09 AM, Stefan Hajnoczi wrote:
> >>
> >> On Mon, May 23, 2011 at 1:50 PM, Anthony Liguori wrote:
> >>>
> >>> On 05/23/2011 04:45 AM, Daniel P. Berrange wrote:
> >>>>
> >>>> On Fri, May 20, 2011 at 02:48:23PM -0400, Corey Bryant wrote:
> >>>>>
> >>>>> sVirt provides SELinux MAC isolation for Qemu guest processes and their
> >>>>> corresponding resources (image files). sVirt provides this support
> >>>>> by labeling guests and resources with security labels that are stored
> >>>>> in file system extended attributes. Some file systems, such as NFS, do
> >>>>> not support the extended attribute security namespace, which is needed
> >>>>> for image file isolation when using the sVirt SELinux security driver
> >>>>> in libvirt.
> >>>>>
> >>>>> The proposed solution entails a combination of Qemu, libvirt, and
> >>>>> SELinux patches that work together to isolate multiple guests' images
> >>>>> when they're stored in the same NFS mount. This results in an
> >>>>> environment where sVirt isolation and NFS image file isolation can both
> >>>>> be provided.
> >>>>>
> >>>>> Currently, Qemu opens an image file in addition to performing the
> >>>>> necessary read and write operations. The proposed solution will move
> >>>>> the open out of Qemu and into libvirt. Once libvirt opens an image
> >>>>> file for the guest, it will pass the file descriptor to Qemu via a
> >>>>> new fd: protocol.
> >>>>>
> >>>>> If the image file resides in an NFS mount, the following SELinux policy
> >>>>> changes will provide image isolation:
> >>>>>
> >>>>>   - A new SELinux boolean is created (e.g. virt_read_write_nfs) to
> >>>>>     allow Qemu (svirt_t) to only have SELinux read and write
> >>>>>     permissions on nfs_t files
> >>>>>
> >>>>>   - Qemu (svirt_t) also gets SELinux use permissions on libvirt
> >>>>>     (virtd_t) file descriptors
> >>>>>
> >>>>> Following is a sample invocation of Qemu using the fd: protocol:
> >>>>>
> >>>>>     qemu -drive file=fd:4,format=qcow2
> >>>>>
> >>>>> This patch contains the Qemu code to support this solution. I would
> >>>>> like to solicit input from the libvirt community prior to starting
> >>>>> the libvirt patch.
> >>>>>
> >>>>> This patch was tested with the following formats: raw, cow, qcow,
> >>>>> qcow2, vmdk, using the fd: protocol as well as existing file name
> >>>>> support. Non-valid file descriptors were also tested.
> >>>>
> >>>> How can backing files work? The '-drive' syntax doesn't provide
> >>>> any way to set properties against the backing files (which may be
> >>>> nested to arbitrary depth).
> >>>
> >>> This is orthogonal to having an fd: protocol.
> >>>
> >>>> Also, there are a few places in QEMU where it re-opens the existing
> >>>> block driver on the fly. What is the plan for supporting this, without
> >>>> having QEMU block on waiting for libvirt to pass it a new FD?
> >>>
> >>> That's only host CDROM AFAICT.
> >>
> >> The host page cache on|off option also uses it because fcntl(2) cannot
> >> change O_DIRECT. Actually for Linux it may be doable with
> >> open('/proc/fd/', flags ^ O_DIRECT) and on other hosts SELinux
> >> does not exist.
> >
> > QEMU doesn't actually know which caching mode the fd is in if it's being
> > passed to it so this command doesn't make much sense.
>
> fcntl(2) will report the flags.
>
> Also, we need to make sure that the O_SYNC flag and write caching are
> in agreement, although I guess it is libvirt's responsibility to set
> that up correctly.

This is where fcntl() support for setting/clearing O_DIRECT etc would
be useful. It avoids the need for libvirt or other mgmt apps to second
guess what flags QEMU expects for a particular cache mode.

Regards,
Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|
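The check this exchange circles around, written as an added example (not code from the patch, QEMU or libvirt): take a descriptor handed over as fd:N, read its status flags with fcntl(F_GETFL), compare them with the O_DIRECT/O_SYNC combination a cache mode implies, and get a description with different flags through the Linux /proc/self/fd re-open the thread mentions. The cache-mode table, the function names and the scratch-file helper are assumptions for illustration, and it needs Linux.

```c
#define _GNU_SOURCE            /* O_DIRECT needs this on glibc */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Caching-relevant subset of the fd's status flags as fcntl(2) reports them, or -1. */
int fd_cache_flags(int fd)
{
    int flags = fcntl(fd, F_GETFL);
    return flags < 0 ? -1 : (flags & (O_DIRECT | O_SYNC));
}

/* Assumed cache= name -> open(2) flag mapping (hypothetical, not QEMU's own table):
 * none = O_DIRECT, writethrough = O_SYNC, directsync = both, writeback = neither. */
int expected_cache_flags(const char *mode)
{
    if (strcmp(mode, "none") == 0)         return O_DIRECT;
    if (strcmp(mode, "writethrough") == 0) return O_SYNC;
    if (strcmp(mode, "directsync") == 0)   return O_DIRECT | O_SYNC;
    if (strcmp(mode, "writeback") == 0)    return 0;
    return -1;                             /* unknown mode */
}

/* 1 if the inherited fd already carries exactly the flags the cache mode needs, else 0. */
int fd_matches_cache_mode(int fd, const char *mode)
{
    int have = fd_cache_flags(fd), want = expected_cache_flags(mode);
    return have >= 0 && want >= 0 && have == want;
}

/* Linux-only: a new open file description on the same inode with different flags,
 * via the /proc/self/fd re-open the thread mentions. The original fd is untouched. */
int reopen_with_flags(int fd, int flags)
{
    char path[64];
    snprintf(path, sizeof path, "/proc/self/fd/%d", fd);
    return open(path, flags);
}

/* Constructed input: an empty, already-unlinked scratch image opened with the given flags. */
int open_scratch_image(int flags)
{
    char tmpl[] = "/tmp/fdproto-XXXXXX";
    int fd = mkstemp(tmpl);
    if (fd >= 0) { close(fd); fd = open(tmpl, flags); unlink(tmpl); }
    return fd;
}
```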