[Engine-devel] Clone VM from snapshot feature
Yair Zaslavsky
yzaslavs at redhat.com
Sun Feb 26 13:20:45 UTC 2012
On 02/26/2012 03:04 PM, Itamar Heim wrote:
> On 02/26/2012 02:38 PM, Yair Zaslavsky wrote:
>> On 02/26/2012 02:05 PM, Itamar Heim wrote:
>>> On 02/14/2012 10:06 AM, Yair Zaslavsky wrote:
>>>> Hi all,
>>>> I modified the Wiki pages of this feature:
>>>>
>>>> http://www.ovirt.org/wiki/Features/CloneVmFromSnapshot
>>>>
>>>> http://www.ovirt.org/wiki/Features/DetailedCloneVmFromSnapshot
>>>>
>>>> Comments are more than welcome
>>>
>>> 1. "Shared disks and direct LUN diskes behavior - For shared disks and
>>> direct LUN based disks, the user who performs the snapshot will specify
>>> during snapshot creation whether the disk should be plugged or unplugged
>>> upon performing the clone."
>>>
>>> direct lun - if it is not already in shared mode, cannot be used by more
>>> than one VM, hence should not be cloned, unless already flagged as
>>> shared.
>> Understood. What should be the behavior if shared flag is set to false?
>
> warning to audit log that the disk isn't part of the clone.
>
>>
>>>
>>> 2. it sounds like there should be some general code shared for import vm
>>> and clone vm for handling items which can't be duplicate by default
>>> (say, mac addresses).
>> True, I will revisit this. Aren't we facing actually this issue also in
>> creating a VM from template?
>
> I assume it already has such logic. I'm suggesting to check how
> redundant it is across the various commands (if it is), before creating
> another care.
Just checked, and you're correct. We do have such logic at AddVmCommand
(adding network of new VM part).
>
>>>
>>> 3. MLA - are you cloning the permissions on the VM as well, or only
>>> creating an owner permission on the new entity?
>>>
>>> 4. MLA - what permission does one need to have on source VM/snapsot to
>>> clone it?
>>> if a non-owner can clone a VM/snapshot, and become owner of the new
>>> entity, need to make sure no privilege escalation flows exist.
>>> is the intent to share the code of clone VM with AddVm (which is what
>>> clone is), with a task to clone the disks rather than create them
>>> (otherwise you need to duplicate the code for quota and permission
>>> handling?)
>> If I understand you correctly - Cloning images commands
>> (AddVmFromTemplate, cloning vm from snapshot, etc..) will invoke a
>> CopyImage internal command.
>
> iiuc, internal commands don't perform permission checks?
Correct, they do not.
More information about the Engine-devel
mailing list