virt-install: Add --security option for specifying <seclabel> XML

Author: crobinso

man/en/virt-install.pod.in

@@ -118,6 +118,12 @@ an optimal cpu pinning using NUMA data, if available.
 Human readable text description of the virtual machine. This will be stored
 in the guests XML configuration for access by other applications.
 
+=item --security type=TYPE[,label=LABEL]
+
+Configure domain security driver settings. Type can be either 'static' or
+'dynamic'. 'static' configuration requires a security LABEL. Specifying
+LABEL without TYPE implies static configuration.
+
 =back
 
 

tests/clitest.py

@@ -368,6 +368,10 @@
         "--hvm --nodisks --pxe --sound",
         # --soundhw option
         "--hvm --nodisks --pxe --soundhw default --soundhw ac97",
+        # --security dynamic
+        "--hvm --nodisks --pxe --security type=dynamic",
+        # --security implicit static
+        "--hvm --nodisks --pxe --security label=foobar.label",
       ],
 
       "invalid": [
@@ -379,6 +383,8 @@
         "--hvm --nodisks --pxe --watchdog default,action=foobar",
         # Busted --soundhw
         "--hvm --nodisks --pxe --soundhw default --soundhw foobar",
+        # Busted --security
+        "--hvm --nodisks --pxe --security type=foobar",
       ],
      }, # category "misc"
 

virt-install

@@ -177,6 +177,40 @@ def get_watchdog(watchdogs, guest):
         except Exception, e:
             fail(_("Error in watchdog device parameters: %s") % str(e))
 
+def get_security(security, guest):
+    seclist = cli.listify(security)
+    secopts = seclist and seclist[0] or None
+    if not secopts:
+        return
+
+    # Parse security opts
+    opts = cli.parse_optstr(secopts)
+    secmodel = virtinst.Seclabel(guest.conn)
+
+    def get_and_clear(dictname):
+        val = None
+        if opts.has_key(dictname):
+            val = opts[dictname]
+            del(opts[dictname])
+        return val
+
+    mode = get_and_clear("type")
+    label = get_and_clear("label")
+
+    if label:
+        secmodel.label = label
+        if not mode:
+            mode = secmodel.SECLABEL_TYPE_STATIC
+    if mode:
+        secmodel.type = mode
+
+    # If extra parameters, then user passed some garbage param
+    if opts:
+        raise ValueError(_("Unknown option(s) %s") % opts.keys())
+
+    secmodel.get_xml_config()
+    guest.seclabel = secmodel
+
 def parse_disk_option(guest, path, size):
     """helper to properly parse --disk options"""
     abspath = None
@@ -554,6 +588,9 @@ def parse_args():
                     action="callback", callback=cli.check_before_store,
                     help=_("Human readable description of the VM to store in "
                            "the generated XML."))
+    geng.add_option("", "--security", type="string", dest="security",
+                    action="callback", callback=cli.check_before_store,
+                    help=_("Set domain security driver configuration."))
     parser.add_option_group(geng)
 
     insg = OptionGroup(parser, _("Installation Method Options"))
@@ -790,6 +827,7 @@ def main():
     cli.get_uuid(options.uuid, guest)
     cli.get_vcpus(options.vcpus, options.check_cpu, guest, conn)
     cli.get_cpuset(options.cpuset, guest.memory, guest, conn)
+    get_security(options.security, guest)
 
     get_watchdog(options.watchdog, guest)
     cli.get_sound(options.sound, options.soundhw, guest)

virtinst/Seclabel.py

@@ -17,6 +17,8 @@
 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
 # MA 02110-1301 USA.
 
+import CapabilitiesParser
+
 class Seclabel(object):
     """
     Class for generating <seclabel> XML
@@ -28,15 +30,24 @@ class Seclabel(object):
 
     def __init__(self, conn):
         self.conn = conn
+        self._caps = CapabilitiesParser.parse(conn.getCapabilities())
 
         self._type = self.SECLABEL_TYPE_DYNAMIC
         self._model = None
         self._label = None
         self._imagelabel = None
 
+        model = self._caps.host.secmodel.model
+        if not model:
+            raise ValueError("Hypervisor does not have any security driver"
+                             "enabled")
+        self.model = model
+
     def get_type(self):
         return self._type
     def set_type(self, val):
+        if val not in self.SECLABEL_TYPES:
+            raise ValueError("Unknown security type '%s'" % val)
         self._type = val
     type = property(get_type, set_type)