--- xen-unstable.hg/tools/python/xen/xend/XendDomain.py | 27 ++-- xen-unstable.hg/tools/python/xen/xend/XendDomainInfo.py | 103 ++++++++-------- 2 files changed, 71 insertions(+), 59 deletions(-) Index: root/xen-unstable.hg/tools/python/xen/xend/XendDomain.py =================================================================== --- root.orig/xen-unstable.hg/tools/python/xen/xend/XendDomain.py +++ root/xen-unstable.hg/tools/python/xen/xend/XendDomain.py @@ -93,6 +93,8 @@ class XendDomain: self.managed_domains = {} self.domains_lock = threading.RLock() + self.restore_lock = threading.RLock() + # xen api instance vars # TODO: nothing uses this at the moment self._allow_new_domains = True @@ -1133,16 +1135,21 @@ class XendDomain: """ try: - return XendCheckpoint.restore(self, fd, paused=paused, relocating=relocating) - except XendError, e: - log.exception("Restore failed") - raise - except: - # I don't really want to log this exception here, but the error - # handling in the relocation-socket handling code (relocate.py) is - # poor, so we need to log this for debugging. - log.exception("Restore failed") - raise XendError("Restore failed") + self.restore_lock.acquire() + + try: + return XendCheckpoint.restore(self, fd, paused=paused, relocating=relocating) + except XendError, e: + log.exception("Restore failed") + raise + except: + # I don't really want to log this exception here, but the error + # handling in the relocation-socket handling code (relocate.py) is + # poor, so we need to log this for debugging. + log.exception("Restore failed") + raise XendError("Restore failed") + finally: + self.restore_lock.release() def domain_unpause(self, domid): """Unpause domain execution. Index: root/xen-unstable.hg/tools/python/xen/xend/XendDomainInfo.py =================================================================== --- root.orig/xen-unstable.hg/tools/python/xen/xend/XendDomainInfo.py +++ root/xen-unstable.hg/tools/python/xen/xend/XendDomainInfo.py @@ -2740,64 +2740,69 @@ class XendDomainInfo: if not xspol: xspol = poladmin.get_policy_by_name(policy) - if state in [ DOM_STATE_RUNNING, DOM_STATE_PAUSED ]: - #if domain is running or paused try to relabel in hypervisor - if not xspol: - return (-xsconstants.XSERR_POLICY_NOT_LOADED, "", "", 0) - - if typ != xspol.get_type_name() or \ - policy != xspol.get_name(): - return (-xsconstants.XSERR_BAD_LABEL, "", "", 0) - - if typ == xsconstants.ACM_POLICY_ID: - new_ssidref = xspol.vmlabel_to_ssidref(label) - if new_ssidref == xsconstants.INVALID_SSIDREF: - return (-xsconstants.XSERR_BAD_LABEL, "", "", 0) + try: + xen.xend.XendDomain.instance().restore_lock.acquire() + + if state in [ DOM_STATE_RUNNING, DOM_STATE_PAUSED ]: + #if domain is running or paused try to relabel in hypervisor + if not xspol: + return (-xsconstants.XSERR_POLICY_NOT_LOADED, "", "", 0) - # Check that all used resources are accessible under the - # new label - if not is_policy_update and \ - not security.resources_compatible_with_vmlabel(xspol, - self, label): + if typ != xspol.get_type_name() or \ + policy != xspol.get_name(): return (-xsconstants.XSERR_BAD_LABEL, "", "", 0) - #Check label against expected one. Can only do this - # if the policy hasn't changed underneath in the meantime - if xspol_old == None: - old_label = self.get_security_label() - if old_label != old_seclab: - log.info("old_label != old_seclab: %s != %s" % - (old_label, old_seclab)) + if typ == xsconstants.ACM_POLICY_ID: + new_ssidref = xspol.vmlabel_to_ssidref(label) + if new_ssidref == xsconstants.INVALID_SSIDREF: return (-xsconstants.XSERR_BAD_LABEL, "", "", 0) - # relabel domain in the hypervisor - rc, errors = security.relabel_domains([[domid, new_ssidref]]) - log.info("rc from relabeling in HV: %d" % rc) - else: - return (-xsconstants.XSERR_POLICY_TYPE_UNSUPPORTED, "", "", 0) + # Check that all used resources are accessible under the + # new label + if not is_policy_update and \ + not security.resources_compatible_with_vmlabel(xspol, + self, label): + return (-xsconstants.XSERR_BAD_LABEL, "", "", 0) - if rc == 0: - # HALTED, RUNNING or PAUSED - if domid == 0: - if xspol: - self.info['security_label'] = seclab - ssidref = poladmin.set_domain0_bootlabel(xspol, label) + #Check label against expected one. Can only do this + # if the policy hasn't changed underneath in the meantime + if xspol_old == None: + old_label = self.get_security_label() + if old_label != old_seclab: + log.info("old_label != old_seclab: %s != %s" % + (old_label, old_seclab)) + return (-xsconstants.XSERR_BAD_LABEL, "", "", 0) + + # relabel domain in the hypervisor + rc, errors = security.relabel_domains([[domid, new_ssidref]]) + log.info("rc from relabeling in HV: %d" % rc) else: - return (-xsconstants.XSERR_POLICY_NOT_LOADED, "", "", 0) - else: - if self.info.has_key('security_label'): - old_label = self.info['security_label'] - # Check label against expected one, unless wildcard - if old_label != old_seclab: - return (-xsconstants.XSERR_BAD_LABEL, "", "", 0) + return (-xsconstants.XSERR_POLICY_TYPE_UNSUPPORTED, "", "", 0) - self.info['security_label'] = seclab + if rc == 0: + # HALTED, RUNNING or PAUSED + if domid == 0: + if xspol: + self.info['security_label'] = seclab + ssidref = poladmin.set_domain0_bootlabel(xspol, label) + else: + return (-xsconstants.XSERR_POLICY_NOT_LOADED, "", "", 0) + else: + if self.info.has_key('security_label'): + old_label = self.info['security_label'] + # Check label against expected one, unless wildcard + if old_label != old_seclab: + return (-xsconstants.XSERR_BAD_LABEL, "", "", 0) - try: - xen.xend.XendDomain.instance().managed_config_save(self) - except: - pass - return (rc, errors, old_label, new_ssidref) + self.info['security_label'] = seclab + + try: + xen.xend.XendDomain.instance().managed_config_save(self) + except: + pass + return (rc, errors, old_label, new_ssidref) + finally: + xen.xend.XendDomain.instance().restore_lock.release() def get_on_shutdown(self): after_shutdown = self.info.get('actions_after_shutdown')