qemu: skip granting access during fd migration

SELinux labeling and cgroup ACLs aren't required if we hand a pre-opened fd to qemu. All the more reason to love fd: migration. * src/qemu/qemu_migration.c (qemuMigrationToFile): Skip steps that are irrelevant in fd migration.

qemu: skip granting access during fd migration
SELinux labeling and cgroup ACLs aren't required if we hand a pre-opened fd to qemu. All the more reason to love fd: migration. * src/qemu/qemu_migration.c (qemuMigrationToFile): Skip steps that are irrelevant in fd migration.
34fa0de0 · Eric Blake · 6034ddd5 · 34fa0de0
隐藏空白更改
内联并排

Showing with 37 addition and 26 deletion

src/qemu/qemu_migration.c src/qemu/qemu_migration.c +37 -26

未找到文件。
--- a/src/qemu/qemu_migration.c
+++ b/src/qemu/qemu_migration.c
@@ -1299,36 +1299,49 @@ qemuMigrationToFile(struct qemud_driver *driver, virDomainObjPtr vm,
    int rc;
    bool restoreLabel = false;
-    if (!is_reg &&
+    if (qemuCaps && qemuCapsGet(qemuCaps, QEMU_CAPS_MIGRATE_QEMU_FD) &&
-        qemuCgroupControllerActive(driver, VIR_CGROUP_CONTROLLER_DEVICES)) {
+        !compressor) {
-        if (virCgroupForDomain(driver->cgroup, vm->def->name,
+        /* All right! We can use fd migration, which means that qemu
-                               &cgroup, 0) != 0) {
+         * doesn't have to open() the file, so we don't have to futz
-            qemuReportError(VIR_ERR_INTERNAL_ERROR,
+         * around with granting access or revoking it later.  */
-                            _("Unable to find cgroup for %s"),
+        is_reg = true;
-                            vm->def->name);
+        bypassSecurityDriver = true;
-            goto cleanup;
+    } else {
+        /* Phooey - we have to fall back on exec migration, where qemu
+         * has to popen() the file by name.  We might also stumble on
+         * a race present in some qemu versions where it does a wait()
+         * that botches pclose.  */
+        if (!is_reg &&
+            qemuCgroupControllerActive(driver,
+                                       VIR_CGROUP_CONTROLLER_DEVICES)) {
+            if (virCgroupForDomain(driver->cgroup, vm->def->name,
+                                   &cgroup, 0) != 0) {
+                qemuReportError(VIR_ERR_INTERNAL_ERROR,
+                                _("Unable to find cgroup for %s"),
+                                vm->def->name);
+                goto cleanup;
+            }
+            rc = virCgroupAllowDevicePath(cgroup, path,
+                                          VIR_CGROUP_DEVICE_RW);
+            qemuAuditCgroupPath(vm, cgroup, "allow", path, "rw", rc);
+            if (rc < 0) {
+                virReportSystemError(-rc,
+                                     _("Unable to allow device %s for %s"),
+                                     path, vm->def->name);
+                goto cleanup;
+            }
        }
-        rc = virCgroupAllowDevicePath(cgroup, path,
+        if ((!bypassSecurityDriver) &&
-                                      VIR_CGROUP_DEVICE_RW);
+            virSecurityManagerSetSavedStateLabel(driver->securityManager,
-        qemuAuditCgroupPath(vm, cgroup, "allow", path, "rw", rc);
+                                                 vm, path) < 0)
-        if (rc < 0) {
-            virReportSystemError(-rc,
-                                 _("Unable to allow device %s for %s"),
-                                 path, vm->def->name);
            goto cleanup;
-        }
+        restoreLabel = true;
    }
-    if ((!bypassSecurityDriver) &&
+    qemuDomainObjEnterMonitorWithDriver(driver, vm);
-        virSecurityManagerSetSavedStateLabel(driver->securityManager,
-                                             vm, path) < 0)
-        goto cleanup;
-    restoreLabel = true;
    if (!compressor) {
        const char *args[] = { "cat", NULL };
-        qemuDomainObjEnterMonitorWithDriver(driver, vm);
        if (qemuCaps && qemuCapsGet(qemuCaps, QEMU_CAPS_MIGRATE_QEMU_FD) &&
            priv->monConfig->type == VIR_DOMAIN_CHR_TYPE_UNIX) {
            rc = qemuMonitorMigrateToFd(priv->mon,
@@ -1339,7 +1352,6 @@ qemuMigrationToFile(struct qemud_driver *driver, virDomainObjPtr vm,
                                          QEMU_MONITOR_MIGRATE_BACKGROUND,
                                          args, path, offset);
        }
-        qemuDomainObjExitMonitorWithDriver(driver, vm);
    } else {
        const char *prog = compressor;
        const char *args[] = {
@@ -1347,12 +1359,11 @@ qemuMigrationToFile(struct qemud_driver *driver, virDomainObjPtr vm,
            "-c",
            NULL
        };
-        qemuDomainObjEnterMonitorWithDriver(driver, vm);
        rc = qemuMonitorMigrateToFile(priv->mon,
                                      QEMU_MONITOR_MIGRATE_BACKGROUND,
                                      args, path, offset);
-        qemuDomainObjExitMonitorWithDriver(driver, vm);
    }
+    qemuDomainObjExitMonitorWithDriver(driver, vm);
    if (rc < 0)
        goto cleanup;