From cef348682f51d0ef6a6f65105213ccd1c36f31ea Mon Sep 17 00:00:00 2001
From: Guido Trotter <ultrotter@google.com>
Date: Tue, 30 Mar 2010 16:37:02 +0100
Subject: [PATCH] Move the runas user at execution time

Everything still works the same way, but the user is calculated each
time we start kvm, rather than stored in the config file. This makes it
easier to implement the "pool" security model.

Signed-off-by: Guido Trotter <ultrotter@google.com>
Reviewed-by: Iustin Pop <iustin@google.com>
---
 lib/hypervisor/hv_kvm.py | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/lib/hypervisor/hv_kvm.py b/lib/hypervisor/hv_kvm.py
index b9f20f3dd..a8a5c3868 100644
--- a/lib/hypervisor/hv_kvm.py
+++ b/lib/hypervisor/hv_kvm.py
@@ -366,10 +366,6 @@ class KVMHypervisor(hv_base.BaseHypervisor):
     boot_cdrom = hvp[constants.HV_BOOT_ORDER] == constants.HT_BO_CDROM
     boot_network = hvp[constants.HV_BOOT_ORDER] == constants.HT_BO_NETWORK
 
-    security_model = hvp[constants.HV_SECURITY_MODEL]
-    if security_model == constants.HT_SM_USER:
-      kvm_cmd.extend(['-runas', hvp[constants.HV_SECURITY_DOMAIN]])
-
     if boot_network:
       kvm_cmd.extend(['-boot', 'n'])
 
@@ -542,6 +538,10 @@ class KVMHypervisor(hv_base.BaseHypervisor):
 
     kvm_cmd, kvm_nics, hvparams = kvm_runtime
 
+    security_model = hvp[constants.HV_SECURITY_MODEL]
+    if security_model == constants.HT_SM_USER:
+      kvm_cmd.extend(["-runas", hvp[constants.HV_SECURITY_DOMAIN]])
+
     if not kvm_nics:
       kvm_cmd.extend(['-net', 'none'])
     else:
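Review bot: The added `-runas` block reads `hvp`, while the line just above it unpacks the saved runtime into `hvparams`; `hvp` is not bound anywhere in this hunk, and the function starts outside it. If `hvp` is the instance's current parameters, as the commit message suggests, the privilege-drop decision now comes from a different source than the rest of the saved command line. A comment should make that explicit, e.g. `# security model comes from the current hvparams, not the saved runtime`. An empty `hvp[constants.HV_SECURITY_DOMAIN]` would hand kvm an empty `-runas` argument, and whether that is validated elsewhere cannot be seen from here, so a guard such as `if security_model == constants.HT_SM_USER and hvp[constants.HV_SECURITY_DOMAIN]:` or an explicit error would make the failure mode clear. Since `kvm_cmd.extend` mutates the list taken from `kvm_runtime`, it is also worth confirming that no caller saves that runtime after this point, or the user would end up stored in the config again.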
-- 
GitLab