Date: Tue, 11 Mar 2025 23:44:57 +0100
From: Stefano Brivio
To: David Gibson
CC: passt-dev@passt.top
Subject: Re: [PATCH] passt-repair: Add directory watch
Message-ID: <20250311234457.4986a498@elisabeth>
References: <20250307224120.2789900-1-sbrivio@redhat.com>
Organization: Red Hat
List-Id: Development discussion and patches for passt

On Tue, 11 Mar 2025 12:35:46 +1100
David Gibson wrote:

> On Fri, Mar 07, 2025 at 11:41:20PM +0100, Stefano Brivio wrote:
> > It might not be feasible for users to start passt-repair after passt
> > is started, on a migration target, but before the migration process
> > starts.
> >
> > For instance, with libvirt, the guest domain (and, hence, passt) is
> > started on the target as part of the migration process. At least for
> > the moment being, there's no hook a libvirt user (including KubeVirt)
> > can use to start passt-repair before the migration starts.
> >
> > Add a directory watch using inotify: if PATH is a directory, instead
> > of connecting to it, we'll watch for a .repair socket file to appear
> > in it, and then attempt to connect to that socket.
>
> So, with this change, running
>     passt-repair /tmp
>
> would be a Bad Idea.

...why? On any distribution where it's available, you can make it
connect to whatever you want, and it will do nothing else than
returning an error when passt tries to switch a socket to repair mode.

It will just work in the KubeVirt use case we planned for, for the
moment.

Then sure, you can give it capabilities or run it as root, disable
LSMs, and make it connect to whatever process. But you need root
anyway, so there isn't much to be gained.

> But that is the default path used by passt. To
> use this safely, you really want to have a directory set aside for the
> use of just one passt instance, or at least passt-owning uid.

Right, that's what happens if libvirt starts it.

> I feel like we should enforce, or at least document and encourage that
> somewhere. Not really sure where, though, so, with some misgivings

I think we'll find a more reasonable solution by the time this becomes
actually usable by mere mortals using distribution packages.

I would anyway drop all this once we figure out how to make it
convenient for libvirt. For stand-alone usage, this is not really
needed.

-- 
Stefano
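
The directory condition raised in this thread, as an added example that is not part of the messages above or of passt-repair's code: an inotify watch for a `.repair` entry that first refuses any directory not owned by the expected uid or writable by group or others, which rules out `/tmp`. All function names are hypothetical, and taking the passt-owning uid as a parameter is an assumption.

```c
#define _GNU_SOURCE
#include <limits.h>
#include <stdlib.h>
#include <string.h>
#include <sys/inotify.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper: 1 if path is a real directory (not a symlink) owned by
 * 'owner' and not writable by group or others, so /tmp (mode 1777) fails. */
int dir_is_private(const char *path, uid_t owner)
{
	struct stat st;
	if (lstat(path, &st) || !S_ISDIR(st.st_mode))
		return 0;
	return st.st_uid == owner && !(st.st_mode & (S_IWGRP | S_IWOTH));
}

/* Hypothetical helper: 1 if a directory entry name ends in ".repair". */
int is_repair_name(const char *name)
{
	size_t n = strlen(name), s = strlen(".repair");
	return n >= s && !strcmp(name + n - s, ".repair");
}

/* Block until a *.repair entry is created in dir. Returns 0 with the entry
 * name in out, or -1 if dir fails the check above or on error. */
int wait_for_repair_socket(const char *dir, uid_t owner, char *out, size_t len)
{
	char buf[sizeof(struct inotify_event) + NAME_MAX + 1]
		__attribute__((aligned(__alignof__(struct inotify_event))));
	int fd, ret = -1;
	ssize_t n;
	if (!dir_is_private(dir, owner) || (fd = inotify_init1(IN_CLOEXEC)) < 0)
		return -1;
	if (inotify_add_watch(fd, dir, IN_CREATE | IN_ONLYDIR | IN_DONT_FOLLOW) >= 0)
		while (ret && (n = read(fd, buf, sizeof(buf))) > 0)
			for (char *p = buf; ret && p < buf + n; ) {
				const struct inotify_event *ev = (const void *)p;
				if (ev->len && is_repair_name(ev->name) &&
				    strlen(ev->name) < len) {
					strcpy(out, ev->name);	/* fits: checked above */
					ret = 0;
				}
				p += sizeof(*ev) + ev->len;
			}
	close(fd);
	return ret;
}
```

The ownership check is done by path, so the parent of the watched directory has to be trusted as well.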