[libvirt] [PATCH] domain_conf: Include the correct console alias
by Michal Privoznik
For some crazy backward compatibility, a console can be just an alias to
a serial device. This is detected in the XML formatting function, which
takes the values to format from the corresponding serial device,
including the device alias. This results in the wrong alias being written
into the XML definition:
<console type='pty' tty='/dev/pts/5'>
...
<alias name='serial0'/>
</console>
While the correct alias is still held in memory, it doesn't matter.
However, it starts to matter as soon as libvirtd is restarted and the
(incorrect) alias is read from the status file.
---
src/conf/domain_conf.c | 12 +++++++++++-
1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/src/conf/domain_conf.c b/src/conf/domain_conf.c
index 011de71..61de836 100644
--- a/src/conf/domain_conf.c
+++ b/src/conf/domain_conf.c
@@ -16417,6 +16417,7 @@ virDomainDefFormatInternal(virDomainDefPtr def,
memcpy(&console, def->serials[n], sizeof(console));
console.deviceType = VIR_DOMAIN_CHR_DEVICE_TYPE_CONSOLE;
console.targetType = VIR_DOMAIN_CHR_CONSOLE_TARGET_TYPE_SERIAL;
+ memcpy(&console.info, &def->consoles[n]->info, sizeof(console.info));
} else {
memcpy(&console, def->consoles[n], sizeof(console));
}
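Review bot: the added memcpy copies the whole virDomainDeviceInfo of def->consoles[n] over the serial's, not only the alias the commit message identifies as wrong; if the alias is the only field meant to come from the console, `console.info.alias = def->consoles[n]->info.alias;` is narrower and does not silently override the console's other info fields. Since `console` is a stack copy holding pointers borrowed from both serials[n] and consoles[n], a one-line comment that it must never be passed to a free routine would also help the next reader.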
@@ -16427,11 +16428,20 @@ virDomainDefFormatInternal(virDomainDefPtr def,
def->nconsoles == 0 &&
def->nserials > 0) {
virDomainChrDef console;
+ char *alias = NULL;
memcpy(&console, def->serials[n], sizeof(console));
console.deviceType = VIR_DOMAIN_CHR_DEVICE_TYPE_CONSOLE;
console.targetType = VIR_DOMAIN_CHR_CONSOLE_TARGET_TYPE_SERIAL;
- if (virDomainChrDefFormat(buf, &console, flags) < 0)
+ if (console.info.alias) {
+ if (VIR_STRDUP(alias, "console0") < 0)
+ goto error;
+ console.info.alias = alias;
+ }
+ if (virDomainChrDefFormat(buf, &console, flags) < 0) {
+ VIR_FREE(alias);
goto error;
+ }
+ VIR_FREE(alias);
}
for (n = 0; n < def->nchannels; n++)
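Review bot: the literal in `VIR_STRDUP(alias, "console0")` encodes the assumption that this console would have been assigned that alias, but nothing in the hunk ties it to wherever aliases are generated; a comment explaining why the name is correct when nconsoles == 0 (or a call to the same helper that produces it, if one exists) would keep the two from drifting apart. The duplicated VIR_FREE(alias) on the success and error paths can collapse into one: `ret = virDomainChrDefFormat(buf, &console, flags);` then `VIR_FREE(alias);` then `if (ret < 0) goto error;`.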
--
1.8.1.5
[libvirt] [PATCH 0/4] Fix image labeling when saving a guest
by Peter Krempa
This series cleans up a few places related to selinux labels and
fixes issues with selinux when saving a machine with static selinux
label and relabeling turned off.
Peter Krempa (4):
qemu: Improve info message and remove a variable in
qemuDomainManagedSave
conf: refactor virSecurityLabelDefParseXML
security: Introduce method for labeling file descriptors of created
files
qemu: Always label newly created file on migration (save/managedsave)
src/conf/domain_conf.c | 72 ++++++++++++++++++-----------------------
src/libvirt_private.syms | 1 +
src/qemu/qemu_driver.c | 7 ++--
src/qemu/qemu_migration.c | 4 +--
src/security/security_dac.c | 9 ++++++
src/security/security_driver.h | 4 +++
src/security/security_manager.c | 16 +++++++++
src/security/security_manager.h | 3 ++
src/security/security_nop.c | 1 +
src/security/security_selinux.c | 21 ++++++++++++
src/security/security_stack.c | 19 +++++++++++
11 files changed, 111 insertions(+), 46 deletions(-)
--
1.8.2.1
[libvirt] [PATCH v4 00/10] Add user namespace support for libvirt lxc
by Gao feng
This patchset tries to add userns support for libvirt lxc.
Since userns is nearly completed in linux-3.9 and older
kernels don't support userns, I add some new XML elements
to let people decide whether to enable userns. The userns is
enabled only when the user configures it in the XML.
The format of the user namespace related XML is like below:
<idmap>
<uid start='0' target='1000' count='10'/>
<gid start='0' target='1000' count='10'/>
</idmap>
It means the user in the container (whose uid:gid is 0:0) will
be mapped to the user on the host (uid:gid is 1000:1000); count
is used to form a uid/gid range: the users in the container whose
uid is in [start, start + count - 1] will be mapped.
You can have multiple lines to map different id ranges.
Caution: you must make sure the root user of the container has
been mapped.
This patchset also does the below jobs.
1. Because the uninitialized userns has no right to create devices,
we should create devices for the container on the host.
2. Change the owner of the fuse and tty devices.
Changes from v3:
1. Fix some bugs that Daniel pointed out
2. Reorder the patchset, introduce virLXCControllerChown first.
3. Rebase
Changes from v2:
1. Mount tmpfs on /stateDir/domain.dev
2. Create devices under /stateDir/domain.dev/
3. Mount-move /.oldroot/stateDir/domain.dev/ onto the /dev/ of the container
4. Enhance the configuration, disallow the semi configuration
Gao feng (10):
LXC: Introduce New XML element for user namespace
LXC: enable user namespace only when user set the uidmap
LXC: sort the uidmap/gidmap of domain
LXC: introduce virLXCControllerSetupUserns and lxcContainerSetID
LXC: Creating devices for container on host side
LXC: controller: change the owner of tty devices to the root user of
container
LXC: controller: change the owner of /dev to the root user of
container
LXC: controller: change the owner of devices created on host
LXC: controller: change the owner of /dev/pts and ptmx to the root of
container
LXC: fuse: Change files owner to the root user of container
docs/formatdomain.html.in | 23 +++++
docs/schemas/domaincommon.rng | 31 ++++++
src/conf/domain_conf.c | 115 +++++++++++++++++++++
src/conf/domain_conf.h | 22 ++++
src/lxc/lxc_container.c | 173 +++++++++++++++++--------------
src/lxc/lxc_controller.c | 235 ++++++++++++++++++++++++++++++++++++++++--
src/lxc/lxc_fuse.c | 4 +
7 files changed, 516 insertions(+), 87 deletions(-)
--
1.8.1.4
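The idmap semantics described in the userns cover letter above, as an added example (not code from this patchset; the series' virLXCControllerSetupUserns and lxcContainerSetID are not shown on this page): a small C model that validates an idmap the way the cover letter requires, translates container ids to host ids, and renders the map in the kernel's /proc/PID/uid_map line format. The checks beyond "root must be mapped" (non-zero counts, no overlapping container or host ranges) and the sample map are this example's own assumptions.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* One <uid>/<gid> element: container ids [start, start+count-1] map to
 * host ids [target, target+count-1]. Added example, not patchset code. */
typedef struct {
    unsigned int start;
    unsigned int target;
    unsigned int count;
} idmap_entry;

static int idmap_cmp(const void *a, const void *b)
{
    const idmap_entry *x = a, *y = b;
    return (x->start > y->start) - (x->start < y->start);
}

static bool ranges_overlap(unsigned int a, unsigned int alen,
                           unsigned int b, unsigned int blen)
{
    return a < b + blen && b < a + alen;
}

/* Sort by container start (the series sorts the maps too) and validate:
 * non-zero counts, no arithmetic wrap, no overlapping container or host
 * ranges (assumed policy), and container root (id 0) mapped, as the cover
 * letter requires. Returns 0 when the map is usable, -1 otherwise. */
int idmap_validate(idmap_entry *map, size_t n)
{
    size_t i, j;
    bool root_mapped = false;
    if (n == 0)
        return -1;
    qsort(map, n, sizeof(*map), idmap_cmp);
    for (i = 0; i < n; i++) {
        if (map[i].count == 0 ||
            map[i].start > UINT_MAX - map[i].count ||
            map[i].target > UINT_MAX - map[i].count)
            return -1;
        if (map[i].start == 0)
            root_mapped = true;
    }
    for (i = 0; i < n; i++)
        for (j = i + 1; j < n; j++)
            if (ranges_overlap(map[i].start, map[i].count,
                               map[j].start, map[j].count) ||
                ranges_overlap(map[i].target, map[i].count,
                               map[j].target, map[j].count))
                return -1;
    return root_mapped ? 0 : -1;
}

/* Container id -> host id, or -1 for an unmapped id (the kernel would
 * present such an id as the overflow id, 65534 by default). */
long idmap_to_host(const idmap_entry *map, size_t n, unsigned int cid)
{
    size_t i;
    for (i = 0; i < n; i++)
        if (cid >= map[i].start && cid - map[i].start < map[i].count)
            return (long)(map[i].target + (cid - map[i].start));
    return -1;
}

/* Render "inside outside count" lines, the format the kernel accepts in
 * /proc/PID/uid_map and gid_map. Returns bytes written, -1 if buf is small. */
int idmap_format(const idmap_entry *map, size_t n, char *buf, size_t len)
{
    size_t i, off = 0;
    for (i = 0; i < n; i++) {
        int w = snprintf(buf + off, len - off, "%u %u %u\n",
                         map[i].start, map[i].target, map[i].count);
        if (w < 0 || (size_t)w >= len - off)
            return -1;
        off += (size_t)w;
    }
    return (int)off;
}

/* Constructed sample: the cover letter's <uid start='0' target='1000'
 * count='10'/> plus a second range, listed out of order on purpose. */
static const idmap_entry sample_map[] = { { 1000, 2000, 5 }, { 0, 1000, 10 } };

/* uid_map text for the validated (sorted) sample map, or NULL on error. */
const char *sample_uid_map(void)
{
    static char buf[64];
    idmap_entry map[2];
    memcpy(map, sample_map, sizeof(map));
    if (idmap_validate(map, 2) < 0 ||
        idmap_format(map, 2, buf, sizeof(buf)) < 0)
        return NULL;
    return buf;
}
```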
[libvirt] [PATCH] Drop iptablesContext
by Roman Bogorodskiy
iptablesContext holds only 4 pairs of iptables
(table, chain) and there's no need to pass
it around.
This is a first step towards separating bridge_driver.c
into platform-specific parts.
---
src/libvirt_private.syms | 2 -
src/network/bridge_driver.c | 253 +++++++++++++++++--------------------------
src/util/viriptables.c | 257 +++++++++++---------------------------------
src/util/viriptables.h | 65 ++++-------
4 files changed, 183 insertions(+), 394 deletions(-)
diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms
index 795e011..062c7fb 100644
--- a/src/libvirt_private.syms
+++ b/src/libvirt_private.syms
@@ -1417,8 +1417,6 @@ iptablesAddForwardRejectOut;
iptablesAddOutputFixUdpChecksum;
iptablesAddTcpInput;
iptablesAddUdpInput;
-iptablesContextFree;
-iptablesContextNew;
iptablesRemoveForwardAllowCross;
iptablesRemoveForwardAllowIn;
iptablesRemoveForwardAllowOut;
diff --git a/src/network/bridge_driver.c b/src/network/bridge_driver.c
index 2cf49bb..062ec85 100644
--- a/src/network/bridge_driver.c
+++ b/src/network/bridge_driver.c
@@ -75,7 +75,6 @@ struct network_driver {
virNetworkObjList networks;
- iptablesContext *iptables;
char *networkConfigDir;
char *networkAutostartDir;
char *stateDir;
@@ -106,8 +105,7 @@ static int networkShutdownNetwork(struct network_driver *driver,
static int networkStartNetworkVirtual(struct network_driver *driver,
virNetworkObjPtr network);
-static int networkShutdownNetworkVirtual(struct network_driver *driver,
- virNetworkObjPtr network);
+static int networkShutdownNetworkVirtual(virNetworkObjPtr network);
static int networkStartNetworkExternal(struct network_driver *driver,
virNetworkObjPtr network);
@@ -420,10 +418,6 @@ networkStateInitialize(bool privileged,
}
}
- if (!(driverState->iptables = iptablesContextNew())) {
- goto out_of_memory;
- }
-
/* if this fails now, it will be retried later with dnsmasqCapsRefresh() */
driverState->dnsmasqCaps = dnsmasqCapsNewFromBinary(DNSMASQ);
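Review bot: with the `iptablesContextNew()` block gone, confirm that `out_of_memory` still has a user in networkStateInitialize; the hunk's context shows no other jump to it, and an unreferenced label would trip -Wunused-label in a warnings-as-errors build.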
@@ -531,9 +525,6 @@ networkStateCleanup(void) {
VIR_FREE(driverState->dnsmasqStateDir);
VIR_FREE(driverState->radvdStateDir);
- if (driverState->iptables)
- iptablesContextFree(driverState->iptables);
-
virObjectUnref(driverState->dnsmasqCaps);
networkDriverUnlock(driverState);
@@ -1544,8 +1535,7 @@ networkRefreshDaemons(struct network_driver *driver)
}
static int
-networkAddMasqueradingIptablesRules(struct network_driver *driver,
- virNetworkObjPtr network,
+networkAddMasqueradingIptablesRules(virNetworkObjPtr network,
virNetworkIpDefPtr ipdef)
{
int prefix = virNetworkIpDefPrefix(ipdef);
@@ -1559,8 +1549,7 @@ networkAddMasqueradingIptablesRules(struct network_driver *driver,
}
/* allow forwarding packets from the bridge interface */
- if (iptablesAddForwardAllowOut(driver->iptables,
- &ipdef->address,
+ if (iptablesAddForwardAllowOut(&ipdef->address,
prefix,
network->def->bridge,
forwardIf) < 0) {
@@ -1573,8 +1562,7 @@ networkAddMasqueradingIptablesRules(struct network_driver *driver,
/* allow forwarding packets to the bridge interface if they are
* part of an existing connection
*/
- if (iptablesAddForwardAllowRelatedIn(driver->iptables,
- &ipdef->address,
+ if (iptablesAddForwardAllowRelatedIn(&ipdef->address,
prefix,
network->def->bridge,
forwardIf) < 0) {
@@ -1608,8 +1596,7 @@ networkAddMasqueradingIptablesRules(struct network_driver *driver,
*/
/* First the generic masquerade rule for other protocols */
- if (iptablesAddForwardMasquerade(driver->iptables,
- &ipdef->address,
+ if (iptablesAddForwardMasquerade(&ipdef->address,
prefix,
forwardIf,
&network->def->forward.addr,
@@ -1626,8 +1613,7 @@ networkAddMasqueradingIptablesRules(struct network_driver *driver,
}
/* UDP with a source port restriction */
- if (iptablesAddForwardMasquerade(driver->iptables,
- &ipdef->address,
+ if (iptablesAddForwardMasquerade(&ipdef->address,
prefix,
forwardIf,
&network->def->forward.addr,
@@ -1644,8 +1630,7 @@ networkAddMasqueradingIptablesRules(struct network_driver *driver,
}
/* TCP with a source port restriction */
- if (iptablesAddForwardMasquerade(driver->iptables,
- &ipdef->address,
+ if (iptablesAddForwardMasquerade(&ipdef->address,
prefix,
forwardIf,
&network->def->forward.addr,
@@ -1664,30 +1649,26 @@ networkAddMasqueradingIptablesRules(struct network_driver *driver,
return 0;
masqerr5:
- iptablesRemoveForwardMasquerade(driver->iptables,
- &ipdef->address,
+ iptablesRemoveForwardMasquerade(&ipdef->address,
prefix,
forwardIf,
&network->def->forward.addr,
&network->def->forward.port,
"udp");
masqerr4:
- iptablesRemoveForwardMasquerade(driver->iptables,
- &ipdef->address,
+ iptablesRemoveForwardMasquerade(&ipdef->address,
prefix,
forwardIf,
&network->def->forward.addr,
&network->def->forward.port,
NULL);
masqerr3:
- iptablesRemoveForwardAllowRelatedIn(driver->iptables,
- &ipdef->address,
+ iptablesRemoveForwardAllowRelatedIn(&ipdef->address,
prefix,
network->def->bridge,
forwardIf);
masqerr2:
- iptablesRemoveForwardAllowOut(driver->iptables,
- &ipdef->address,
+ iptablesRemoveForwardAllowOut(&ipdef->address,
prefix,
network->def->bridge,
forwardIf);
@@ -1696,43 +1677,37 @@ networkAddMasqueradingIptablesRules(struct network_driver *driver,
}
static void
-networkRemoveMasqueradingIptablesRules(struct network_driver *driver,
- virNetworkObjPtr network,
+networkRemoveMasqueradingIptablesRules(virNetworkObjPtr network,
virNetworkIpDefPtr ipdef)
{
int prefix = virNetworkIpDefPrefix(ipdef);
const char *forwardIf = virNetworkDefForwardIf(network->def, 0);
if (prefix >= 0) {
- iptablesRemoveForwardMasquerade(driver->iptables,
- &ipdef->address,
+ iptablesRemoveForwardMasquerade(&ipdef->address,
prefix,
forwardIf,
&network->def->forward.addr,
&network->def->forward.port,
"tcp");
- iptablesRemoveForwardMasquerade(driver->iptables,
- &ipdef->address,
+ iptablesRemoveForwardMasquerade(&ipdef->address,
prefix,
forwardIf,
&network->def->forward.addr,
&network->def->forward.port,
"udp");
- iptablesRemoveForwardMasquerade(driver->iptables,
- &ipdef->address,
+ iptablesRemoveForwardMasquerade(&ipdef->address,
prefix,
forwardIf,
&network->def->forward.addr,
&network->def->forward.port,
NULL);
- iptablesRemoveForwardAllowRelatedIn(driver->iptables,
- &ipdef->address,
+ iptablesRemoveForwardAllowRelatedIn(&ipdef->address,
prefix,
network->def->bridge,
forwardIf);
- iptablesRemoveForwardAllowOut(driver->iptables,
- &ipdef->address,
+ iptablesRemoveForwardAllowOut(&ipdef->address,
prefix,
network->def->bridge,
forwardIf);
@@ -1740,8 +1715,7 @@ networkRemoveMasqueradingIptablesRules(struct network_driver *driver,
}
static int
-networkAddRoutingIptablesRules(struct network_driver *driver,
- virNetworkObjPtr network,
+networkAddRoutingIptablesRules(virNetworkObjPtr network,
virNetworkIpDefPtr ipdef)
{
int prefix = virNetworkIpDefPrefix(ipdef);
@@ -1755,8 +1729,7 @@ networkAddRoutingIptablesRules(struct network_driver *driver,
}
/* allow routing packets from the bridge interface */
- if (iptablesAddForwardAllowOut(driver->iptables,
- &ipdef->address,
+ if (iptablesAddForwardAllowOut(&ipdef->address,
prefix,
network->def->bridge,
forwardIf) < 0) {
@@ -1767,8 +1740,7 @@ networkAddRoutingIptablesRules(struct network_driver *driver,
}
/* allow routing packets to the bridge interface */
- if (iptablesAddForwardAllowIn(driver->iptables,
- &ipdef->address,
+ if (iptablesAddForwardAllowIn(&ipdef->address,
prefix,
network->def->bridge,
forwardIf) < 0) {
@@ -1781,8 +1753,7 @@ networkAddRoutingIptablesRules(struct network_driver *driver,
return 0;
routeerr2:
- iptablesRemoveForwardAllowOut(driver->iptables,
- &ipdef->address,
+ iptablesRemoveForwardAllowOut(&ipdef->address,
prefix,
network->def->bridge,
forwardIf);
@@ -1791,22 +1762,19 @@ routeerr1:
}
static void
-networkRemoveRoutingIptablesRules(struct network_driver *driver,
- virNetworkObjPtr network,
+networkRemoveRoutingIptablesRules(virNetworkObjPtr network,
virNetworkIpDefPtr ipdef)
{
int prefix = virNetworkIpDefPrefix(ipdef);
const char *forwardIf = virNetworkDefForwardIf(network->def, 0);
if (prefix >= 0) {
- iptablesRemoveForwardAllowIn(driver->iptables,
- &ipdef->address,
+ iptablesRemoveForwardAllowIn(&ipdef->address,
prefix,
network->def->bridge,
forwardIf);
- iptablesRemoveForwardAllowOut(driver->iptables,
- &ipdef->address,
+ iptablesRemoveForwardAllowOut(&ipdef->address,
prefix,
network->def->bridge,
forwardIf);
@@ -1819,8 +1787,7 @@ networkRemoveRoutingIptablesRules(struct network_driver *driver,
* If any IPv6 addresses are defined, then add the rules for regular operation.
*/
static int
-networkAddGeneralIp6tablesRules(struct network_driver *driver,
- virNetworkObjPtr network)
+networkAddGeneralIp6tablesRules(virNetworkObjPtr network)
{
if (!virNetworkDefGetIpByIndex(network->def, AF_INET6, 0) &&
@@ -1830,16 +1797,14 @@ networkAddGeneralIp6tablesRules(struct network_driver *driver,
/* Catch all rules to block forwarding to/from bridges */
- if (iptablesAddForwardRejectOut(driver->iptables, AF_INET6,
- network->def->bridge) < 0) {
+ if (iptablesAddForwardRejectOut(AF_INET6, network->def->bridge) < 0) {
virReportError(VIR_ERR_SYSTEM_ERROR,
_("failed to add ip6tables rule to block outbound traffic from '%s'"),
network->def->bridge);
goto err1;
}
- if (iptablesAddForwardRejectIn(driver->iptables, AF_INET6,
- network->def->bridge) < 0) {
+ if (iptablesAddForwardRejectIn(AF_INET6, network->def->bridge) < 0) {
virReportError(VIR_ERR_SYSTEM_ERROR,
_("failed to add ip6tables rule to block inbound traffic to '%s'"),
network->def->bridge);
@@ -1847,8 +1812,7 @@ networkAddGeneralIp6tablesRules(struct network_driver *driver,
}
/* Allow traffic between guests on the same bridge */
- if (iptablesAddForwardAllowCross(driver->iptables, AF_INET6,
- network->def->bridge) < 0) {
+ if (iptablesAddForwardAllowCross(AF_INET6, network->def->bridge) < 0) {
virReportError(VIR_ERR_SYSTEM_ERROR,
_("failed to add ip6tables rule to allow cross bridge traffic on '%s'"),
network->def->bridge);
@@ -1860,24 +1824,21 @@ networkAddGeneralIp6tablesRules(struct network_driver *driver,
return 0;
/* allow DNS over IPv6 */
- if (iptablesAddTcpInput(driver->iptables, AF_INET6,
- network->def->bridge, 53) < 0) {
+ if (iptablesAddTcpInput(AF_INET6, network->def->bridge, 53) < 0) {
virReportError(VIR_ERR_SYSTEM_ERROR,
_("failed to add ip6tables rule to allow DNS requests from '%s'"),
network->def->bridge);
goto err4;
}
- if (iptablesAddUdpInput(driver->iptables, AF_INET6,
- network->def->bridge, 53) < 0) {
+ if (iptablesAddUdpInput(AF_INET6, network->def->bridge, 53) < 0) {
virReportError(VIR_ERR_SYSTEM_ERROR,
_("failed to add ip6tables rule to allow DNS requests from '%s'"),
network->def->bridge);
goto err5;
}
- if (iptablesAddUdpInput(driver->iptables, AF_INET6,
- network->def->bridge, 547) < 0) {
+ if (iptablesAddUdpInput(AF_INET6, network->def->bridge, 547) < 0) {
virReportError(VIR_ERR_SYSTEM_ERROR,
_("failed to add ip6tables rule to allow DHCP6 requests from '%s'"),
network->def->bridge);
@@ -1888,44 +1849,42 @@ networkAddGeneralIp6tablesRules(struct network_driver *driver,
/* unwind in reverse order from the point of failure */
err6:
- iptablesRemoveUdpInput(driver->iptables, AF_INET6, network->def->bridge, 53);
+ iptablesRemoveUdpInput(AF_INET6, network->def->bridge, 53);
err5:
- iptablesRemoveTcpInput(driver->iptables, AF_INET6, network->def->bridge, 53);
+ iptablesRemoveTcpInput(AF_INET6, network->def->bridge, 53);
err4:
- iptablesRemoveForwardAllowCross(driver->iptables, AF_INET6, network->def->bridge);
+ iptablesRemoveForwardAllowCross(AF_INET6, network->def->bridge);
err3:
- iptablesRemoveForwardRejectIn(driver->iptables, AF_INET6, network->def->bridge);
+ iptablesRemoveForwardRejectIn(AF_INET6, network->def->bridge);
err2:
- iptablesRemoveForwardRejectOut(driver->iptables, AF_INET6, network->def->bridge);
+ iptablesRemoveForwardRejectOut(AF_INET6, network->def->bridge);
err1:
return -1;
}
static void
-networkRemoveGeneralIp6tablesRules(struct network_driver *driver,
- virNetworkObjPtr network)
+networkRemoveGeneralIp6tablesRules(virNetworkObjPtr network)
{
if (!virNetworkDefGetIpByIndex(network->def, AF_INET6, 0) &&
!network->def->ipv6nogw) {
return;
}
if (virNetworkDefGetIpByIndex(network->def, AF_INET6, 0)) {
- iptablesRemoveUdpInput(driver->iptables, AF_INET6, network->def->bridge, 547);
- iptablesRemoveUdpInput(driver->iptables, AF_INET6, network->def->bridge, 53);
- iptablesRemoveTcpInput(driver->iptables, AF_INET6, network->def->bridge, 53);
+ iptablesRemoveUdpInput(AF_INET6, network->def->bridge, 547);
+ iptablesRemoveUdpInput(AF_INET6, network->def->bridge, 53);
+ iptablesRemoveTcpInput(AF_INET6, network->def->bridge, 53);
}
/* the following rules are there if no IPv6 address has been defined
* but network->def->ipv6nogw == true
*/
- iptablesRemoveForwardAllowCross(driver->iptables, AF_INET6, network->def->bridge);
- iptablesRemoveForwardRejectIn(driver->iptables, AF_INET6, network->def->bridge);
- iptablesRemoveForwardRejectOut(driver->iptables, AF_INET6, network->def->bridge);
+ iptablesRemoveForwardAllowCross(AF_INET6, network->def->bridge);
+ iptablesRemoveForwardRejectIn(AF_INET6, network->def->bridge);
+ iptablesRemoveForwardRejectOut(AF_INET6, network->def->bridge);
}
static int
-networkAddGeneralIptablesRules(struct network_driver *driver,
- virNetworkObjPtr network)
+networkAddGeneralIptablesRules(virNetworkObjPtr network)
{
int ii;
virNetworkIpDefPtr ipv4def;
@@ -1941,16 +1900,14 @@ networkAddGeneralIptablesRules(struct network_driver *driver,
/* allow DHCP requests through to dnsmasq */
- if (iptablesAddTcpInput(driver->iptables, AF_INET,
- network->def->bridge, 67) < 0) {
+ if (iptablesAddTcpInput(AF_INET, network->def->bridge, 67) < 0) {
virReportError(VIR_ERR_SYSTEM_ERROR,
_("failed to add iptables rule to allow DHCP requests from '%s'"),
network->def->bridge);
goto err1;
}
- if (iptablesAddUdpInput(driver->iptables, AF_INET,
- network->def->bridge, 67) < 0) {
+ if (iptablesAddUdpInput(AF_INET, network->def->bridge, 67) < 0) {
virReportError(VIR_ERR_SYSTEM_ERROR,
_("failed to add iptables rule to allow DHCP requests from '%s'"),
network->def->bridge);
@@ -1964,24 +1921,21 @@ networkAddGeneralIptablesRules(struct network_driver *driver,
*/
if (ipv4def && (ipv4def->nranges || ipv4def->nhosts) &&
- (iptablesAddOutputFixUdpChecksum(driver->iptables,
- network->def->bridge, 68) < 0)) {
+ (iptablesAddOutputFixUdpChecksum(network->def->bridge, 68) < 0)) {
VIR_WARN("Could not add rule to fixup DHCP response checksums "
"on network '%s'.", network->def->name);
VIR_WARN("May need to update iptables package & kernel to support CHECKSUM rule.");
}
/* allow DNS requests through to dnsmasq */
- if (iptablesAddTcpInput(driver->iptables, AF_INET,
- network->def->bridge, 53) < 0) {
+ if (iptablesAddTcpInput(AF_INET, network->def->bridge, 53) < 0) {
virReportError(VIR_ERR_SYSTEM_ERROR,
_("failed to add iptables rule to allow DNS requests from '%s'"),
network->def->bridge);
goto err3;
}
- if (iptablesAddUdpInput(driver->iptables, AF_INET,
- network->def->bridge, 53) < 0) {
+ if (iptablesAddUdpInput(AF_INET, network->def->bridge, 53) < 0) {
virReportError(VIR_ERR_SYSTEM_ERROR,
_("failed to add iptables rule to allow DNS requests from '%s'"),
network->def->bridge);
@@ -1990,8 +1944,7 @@ networkAddGeneralIptablesRules(struct network_driver *driver,
/* allow TFTP requests through to dnsmasq if necessary */
if (ipv4def && ipv4def->tftproot &&
- iptablesAddUdpInput(driver->iptables, AF_INET,
- network->def->bridge, 69) < 0) {
+ iptablesAddUdpInput(AF_INET, network->def->bridge, 69) < 0) {
virReportError(VIR_ERR_SYSTEM_ERROR,
_("failed to add iptables rule to allow TFTP requests from '%s'"),
network->def->bridge);
@@ -2000,16 +1953,14 @@ networkAddGeneralIptablesRules(struct network_driver *driver,
/* Catch all rules to block forwarding to/from bridges */
- if (iptablesAddForwardRejectOut(driver->iptables, AF_INET,
- network->def->bridge) < 0) {
+ if (iptablesAddForwardRejectOut(AF_INET, network->def->bridge) < 0) {
virReportError(VIR_ERR_SYSTEM_ERROR,
_("failed to add iptables rule to block outbound traffic from '%s'"),
network->def->bridge);
goto err6;
}
- if (iptablesAddForwardRejectIn(driver->iptables, AF_INET,
- network->def->bridge) < 0) {
+ if (iptablesAddForwardRejectIn(AF_INET, network->def->bridge) < 0) {
virReportError(VIR_ERR_SYSTEM_ERROR,
_("failed to add iptables rule to block inbound traffic to '%s'"),
network->def->bridge);
@@ -2017,8 +1968,7 @@ networkAddGeneralIptablesRules(struct network_driver *driver,
}
/* Allow traffic between guests on the same bridge */
- if (iptablesAddForwardAllowCross(driver->iptables, AF_INET,
- network->def->bridge) < 0) {
+ if (iptablesAddForwardAllowCross(AF_INET, network->def->bridge) < 0) {
virReportError(VIR_ERR_SYSTEM_ERROR,
_("failed to add iptables rule to allow cross bridge traffic on '%s'"),
network->def->bridge);
@@ -2026,7 +1976,7 @@ networkAddGeneralIptablesRules(struct network_driver *driver,
}
/* add IPv6 general rules, if needed */
- if (networkAddGeneralIp6tablesRules(driver, network) < 0) {
+ if (networkAddGeneralIp6tablesRules(network) < 0) {
goto err9;
}
@@ -2034,35 +1984,34 @@ networkAddGeneralIptablesRules(struct network_driver *driver,
/* unwind in reverse order from the point of failure */
err9:
- iptablesRemoveForwardAllowCross(driver->iptables, AF_INET, network->def->bridge);
+ iptablesRemoveForwardAllowCross(AF_INET, network->def->bridge);
err8:
- iptablesRemoveForwardRejectIn(driver->iptables, AF_INET, network->def->bridge);
+ iptablesRemoveForwardRejectIn(AF_INET, network->def->bridge);
err7:
- iptablesRemoveForwardRejectOut(driver->iptables, AF_INET, network->def->bridge);
+ iptablesRemoveForwardRejectOut(AF_INET, network->def->bridge);
err6:
if (ipv4def && ipv4def->tftproot) {
- iptablesRemoveUdpInput(driver->iptables, AF_INET, network->def->bridge, 69);
+ iptablesRemoveUdpInput(AF_INET, network->def->bridge, 69);
}
err5:
- iptablesRemoveUdpInput(driver->iptables, AF_INET, network->def->bridge, 53);
+ iptablesRemoveUdpInput(AF_INET, network->def->bridge, 53);
err4:
- iptablesRemoveTcpInput(driver->iptables, AF_INET, network->def->bridge, 53);
+ iptablesRemoveTcpInput(AF_INET, network->def->bridge, 53);
err3:
- iptablesRemoveUdpInput(driver->iptables, AF_INET, network->def->bridge, 67);
+ iptablesRemoveUdpInput(AF_INET, network->def->bridge, 67);
err2:
- iptablesRemoveTcpInput(driver->iptables, AF_INET, network->def->bridge, 67);
+ iptablesRemoveTcpInput(AF_INET, network->def->bridge, 67);
err1:
return -1;
}
static void
-networkRemoveGeneralIptablesRules(struct network_driver *driver,
- virNetworkObjPtr network)
+networkRemoveGeneralIptablesRules(virNetworkObjPtr network)
{
int ii;
virNetworkIpDefPtr ipv4def;
- networkRemoveGeneralIp6tablesRules(driver, network);
+ networkRemoveGeneralIp6tablesRules(network);
for (ii = 0;
(ipv4def = virNetworkDefGetIpByIndex(network->def, AF_INET, ii));
@@ -2071,25 +2020,23 @@ networkRemoveGeneralIptablesRules(struct network_driver *driver,
break;
}
- iptablesRemoveForwardAllowCross(driver->iptables, AF_INET, network->def->bridge);
- iptablesRemoveForwardRejectIn(driver->iptables, AF_INET, network->def->bridge);
- iptablesRemoveForwardRejectOut(driver->iptables, AF_INET, network->def->bridge);
+ iptablesRemoveForwardAllowCross(AF_INET, network->def->bridge);
+ iptablesRemoveForwardRejectIn(AF_INET, network->def->bridge);
+ iptablesRemoveForwardRejectOut(AF_INET, network->def->bridge);
if (ipv4def && ipv4def->tftproot) {
- iptablesRemoveUdpInput(driver->iptables, AF_INET, network->def->bridge, 69);
+ iptablesRemoveUdpInput(AF_INET, network->def->bridge, 69);
}
- iptablesRemoveUdpInput(driver->iptables, AF_INET, network->def->bridge, 53);
- iptablesRemoveTcpInput(driver->iptables, AF_INET, network->def->bridge, 53);
+ iptablesRemoveUdpInput(AF_INET, network->def->bridge, 53);
+ iptablesRemoveTcpInput(AF_INET, network->def->bridge, 53);
if (ipv4def && (ipv4def->nranges || ipv4def->nhosts)) {
- iptablesRemoveOutputFixUdpChecksum(driver->iptables,
- network->def->bridge, 68);
+ iptablesRemoveOutputFixUdpChecksum(network->def->bridge, 68);
}
- iptablesRemoveUdpInput(driver->iptables, AF_INET, network->def->bridge, 67);
- iptablesRemoveTcpInput(driver->iptables, AF_INET, network->def->bridge, 67);
+ iptablesRemoveUdpInput(AF_INET, network->def->bridge, 67);
+ iptablesRemoveTcpInput(AF_INET, network->def->bridge, 67);
}
static int
-networkAddIpSpecificIptablesRules(struct network_driver *driver,
- virNetworkObjPtr network,
+networkAddIpSpecificIptablesRules(virNetworkObjPtr network,
virNetworkIpDefPtr ipdef)
{
/* NB: in the case of IPv6, routing rules are added when the
@@ -2098,48 +2045,46 @@ networkAddIpSpecificIptablesRules(struct network_driver *driver,
if (network->def->forward.type == VIR_NETWORK_FORWARD_NAT) {
if (VIR_SOCKET_ADDR_IS_FAMILY(&ipdef->address, AF_INET))
- return networkAddMasqueradingIptablesRules(driver, network, ipdef);
+ return networkAddMasqueradingIptablesRules(network, ipdef);
else if (VIR_SOCKET_ADDR_IS_FAMILY(&ipdef->address, AF_INET6))
- return networkAddRoutingIptablesRules(driver, network, ipdef);
+ return networkAddRoutingIptablesRules(network, ipdef);
} else if (network->def->forward.type == VIR_NETWORK_FORWARD_ROUTE) {
- return networkAddRoutingIptablesRules(driver, network, ipdef);
+ return networkAddRoutingIptablesRules(network, ipdef);
}
return 0;
}
static void
-networkRemoveIpSpecificIptablesRules(struct network_driver *driver,
- virNetworkObjPtr network,
+networkRemoveIpSpecificIptablesRules(virNetworkObjPtr network,
virNetworkIpDefPtr ipdef)
{
if (network->def->forward.type == VIR_NETWORK_FORWARD_NAT) {
if (VIR_SOCKET_ADDR_IS_FAMILY(&ipdef->address, AF_INET))
- networkRemoveMasqueradingIptablesRules(driver, network, ipdef);
+ networkRemoveMasqueradingIptablesRules(network, ipdef);
else if (VIR_SOCKET_ADDR_IS_FAMILY(&ipdef->address, AF_INET6))
- networkRemoveRoutingIptablesRules(driver, network, ipdef);
+ networkRemoveRoutingIptablesRules(network, ipdef);
} else if (network->def->forward.type == VIR_NETWORK_FORWARD_ROUTE) {
- networkRemoveRoutingIptablesRules(driver, network, ipdef);
+ networkRemoveRoutingIptablesRules(network, ipdef);
}
}
/* Add all rules for all ip addresses (and general rules) on a network */
static int
-networkAddIptablesRules(struct network_driver *driver,
- virNetworkObjPtr network)
+networkAddIptablesRules(virNetworkObjPtr network)
{
int ii;
virNetworkIpDefPtr ipdef;
virErrorPtr orig_error;
/* Add "once per network" rules */
- if (networkAddGeneralIptablesRules(driver, network) < 0)
+ if (networkAddGeneralIptablesRules(network) < 0)
return -1;
for (ii = 0;
(ipdef = virNetworkDefGetIpByIndex(network->def, AF_UNSPEC, ii));
ii++) {
/* Add address-specific iptables rules */
- if (networkAddIpSpecificIptablesRules(driver, network, ipdef) < 0) {
+ if (networkAddIpSpecificIptablesRules(network, ipdef) < 0) {
goto err;
}
}
@@ -2155,9 +2100,9 @@ err:
*/
while ((--ii >= 0) &&
(ipdef = virNetworkDefGetIpByIndex(network->def, AF_UNSPEC, ii))) {
- networkRemoveIpSpecificIptablesRules(driver, network, ipdef);
+ networkRemoveIpSpecificIptablesRules(network, ipdef);
}
- networkRemoveGeneralIptablesRules(driver, network);
+ networkRemoveGeneralIptablesRules(network);
/* return the original error */
virSetError(orig_error);
@@ -2167,8 +2112,7 @@ err:
/* Remove all rules for all ip addresses (and general rules) on a network */
static void
-networkRemoveIptablesRules(struct network_driver *driver,
- virNetworkObjPtr network)
+networkRemoveIptablesRules(virNetworkObjPtr network)
{
int ii;
virNetworkIpDefPtr ipdef;
@@ -2176,9 +2120,9 @@ networkRemoveIptablesRules(struct network_driver *driver,
for (ii = 0;
(ipdef = virNetworkDefGetIpByIndex(network->def, AF_UNSPEC, ii));
ii++) {
- networkRemoveIpSpecificIptablesRules(driver, network, ipdef);
+ networkRemoveIpSpecificIptablesRules(network, ipdef);
}
- networkRemoveGeneralIptablesRules(driver, network);
+ networkRemoveGeneralIptablesRules(network);
}
static void
@@ -2199,8 +2143,8 @@ networkReloadIptablesRules(struct network_driver *driver)
/* Only the three L3 network types that are configured by libvirt
* need to have iptables rules reloaded.
*/
- networkRemoveIptablesRules(driver, network);
- if (networkAddIptablesRules(driver, network) < 0) {
+ networkRemoveIptablesRules(network);
+ if (networkAddIptablesRules(network) < 0) {
/* failed to add but already logged */
}
}
@@ -2526,7 +2470,7 @@ networkStartNetworkVirtual(struct network_driver *driver,
goto err1;
/* Add "once per network" rules */
- if (networkAddIptablesRules(driver, network) < 0)
+ if (networkAddIptablesRules(network) < 0)
goto err1;
for (ii = 0;
@@ -2619,7 +2563,7 @@ networkStartNetworkVirtual(struct network_driver *driver,
err2:
if (!save_err)
save_err = virSaveLastError();
- networkRemoveIptablesRules(driver, network);
+ networkRemoveIptablesRules(network);
err1:
if (!save_err)
@@ -2644,8 +2588,7 @@ networkStartNetworkVirtual(struct network_driver *driver,
return -1;
}
-static int networkShutdownNetworkVirtual(struct network_driver *driver,
- virNetworkObjPtr network)
+static int networkShutdownNetworkVirtual(virNetworkObjPtr network)
{
virNetDevBandwidthClear(network->def->bridge);
@@ -2677,7 +2620,7 @@ static int networkShutdownNetworkVirtual(struct network_driver *driver,
ignore_value(virNetDevSetOnline(network->def->bridge, 0));
- networkRemoveIptablesRules(driver, network);
+ networkRemoveIptablesRules(network);
ignore_value(virNetDevBridgeDelete(network->def->bridge));
@@ -2802,7 +2745,7 @@ static int networkShutdownNetwork(struct network_driver *driver,
case VIR_NETWORK_FORWARD_NONE:
case VIR_NETWORK_FORWARD_NAT:
case VIR_NETWORK_FORWARD_ROUTE:
- ret = networkShutdownNetworkVirtual(driver, network);
+ ret = networkShutdownNetworkVirtual(network);
break;
case VIR_NETWORK_FORWARD_BRIDGE:
@@ -3490,8 +3433,8 @@ networkUpdate(virNetworkPtr net,
network->def->forward.type == VIR_NETWORK_FORWARD_NAT ||
network->def->forward.type == VIR_NETWORK_FORWARD_ROUTE)) {
/* these could affect the iptables rules */
- networkRemoveIptablesRules(driver, network);
- if (networkAddIptablesRules(driver, network) < 0)
+ networkRemoveIptablesRules(network);
+ if (networkAddIptablesRules(network) < 0)
goto cleanup;
}
diff --git a/src/util/viriptables.c b/src/util/viriptables.c
index 16fbe9c..63a8031 100644
--- a/src/util/viriptables.c
+++ b/src/util/viriptables.c
@@ -88,52 +88,8 @@ enum {
REMOVE
};
-typedef struct
-{
- char *table;
- char *chain;
-} iptRules;
-
-struct _iptablesContext
-{
- iptRules *input_filter;
- iptRules *forward_filter;
- iptRules *nat_postrouting;
- iptRules *mangle_postrouting;
-};
-
-static void
-iptRulesFree(iptRules *rules)
-{
- VIR_FREE(rules->table);
- VIR_FREE(rules->chain);
- VIR_FREE(rules);
-}
-
-static iptRules *
-iptRulesNew(const char *table,
- const char *chain)
-{
- iptRules *rules;
-
- if (VIR_ALLOC(rules) < 0)
- return NULL;
-
- if (VIR_STRDUP(rules->table, table) < 0)
- goto error;
-
- if (VIR_STRDUP(rules->chain, chain) < 0)
- goto error;
-
- return rules;
-
- error:
- iptRulesFree(rules);
- return NULL;
-}
-
static virCommandPtr
-iptablesCommandNew(iptRules *rules, int family, int action)
+iptablesCommandNew(const char *table, const char *chain, int family, int action)
{
virCommandPtr cmd = NULL;
#if HAVE_FIREWALLD
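Review bot: with iptRules and the context gone, every call site below spells the table and chain as bare string literals ("filter"/"FORWARD", "nat"/"POSTROUTING", "mangle"/"POSTROUTING"), so a typo in one of them is only caught at runtime when iptables rejects the command. Dropping the per-context allocations is right, but keep named constants for the four table/chain pairs so the compiler catches a misspelled chain name.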
@@ -150,9 +106,9 @@ iptablesCommandNew(iptRules *rules, int family, int action)
? IP6TABLES_PATH : IPTABLES_PATH);
}
- virCommandAddArgList(cmd, "--table", rules->table,
+ virCommandAddArgList(cmd, "--table", table,
action == ADD ? "--insert" : "--delete",
- rules->chain, NULL);
+ chain, NULL);
return cmd;
}
@@ -166,14 +122,14 @@ iptablesCommandRunAndFree(virCommandPtr cmd)
}
static int ATTRIBUTE_SENTINEL
-iptablesAddRemoveRule(iptRules *rules, int family, int action,
+iptablesAddRemoveRule(const char *table, const char *chain, int family, int action,
const char *arg, ...)
{
va_list args;
virCommandPtr cmd = NULL;
const char *s;
- cmd = iptablesCommandNew(rules, family, action);
+ cmd = iptablesCommandNew(table, chain, family, action);
virCommandAddArg(cmd, arg);
va_start(args, arg);
@@ -184,63 +140,8 @@ iptablesAddRemoveRule(iptRules *rules, int family, int action,
return iptablesCommandRunAndFree(cmd);
}
-/**
- * iptablesContextNew:
- *
- * Create a new IPtable context
- *
- * Returns a pointer to the new structure or NULL in case of error
- */
-iptablesContext *
-iptablesContextNew(void)
-{
- iptablesContext *ctx;
-
- if (VIR_ALLOC(ctx) < 0)
- return NULL;
-
- if (!(ctx->input_filter = iptRulesNew("filter", "INPUT")))
- goto error;
-
- if (!(ctx->forward_filter = iptRulesNew("filter", "FORWARD")))
- goto error;
-
- if (!(ctx->nat_postrouting = iptRulesNew("nat", "POSTROUTING")))
- goto error;
-
- if (!(ctx->mangle_postrouting = iptRulesNew("mangle", "POSTROUTING")))
- goto error;
-
- return ctx;
-
- error:
- iptablesContextFree(ctx);
- return NULL;
-}
-
-/**
- * iptablesContextFree:
- * @ctx: pointer to the IP table context
- *
- * Free the resources associated with an IP table context
- */
-void
-iptablesContextFree(iptablesContext *ctx)
-{
- if (ctx->input_filter)
- iptRulesFree(ctx->input_filter);
- if (ctx->forward_filter)
- iptRulesFree(ctx->forward_filter);
- if (ctx->nat_postrouting)
- iptRulesFree(ctx->nat_postrouting);
- if (ctx->mangle_postrouting)
- iptRulesFree(ctx->mangle_postrouting);
- VIR_FREE(ctx);
-}
-
static int
-iptablesInput(iptablesContext *ctx,
- int family,
+iptablesInput(int family,
const char *iface,
int port,
int action,
@@ -251,7 +152,7 @@ iptablesInput(iptablesContext *ctx,
snprintf(portstr, sizeof(portstr), "%d", port);
portstr[sizeof(portstr) - 1] = '\0';
- return iptablesAddRemoveRule(ctx->input_filter,
+ return iptablesAddRemoveRule("filter", "INPUT",
family,
action,
"--in-interface", iface,
@@ -274,12 +175,11 @@ iptablesInput(iptablesContext *ctx,
*/
int
-iptablesAddTcpInput(iptablesContext *ctx,
- int family,
+iptablesAddTcpInput(int family,
const char *iface,
int port)
{
- return iptablesInput(ctx, family, iface, port, ADD, 1);
+ return iptablesInput(family, iface, port, ADD, 1);
}
/**
@@ -294,12 +194,11 @@ iptablesAddTcpInput(iptablesContext *ctx,
* Returns 0 in case of success or an error code in case of error
*/
int
-iptablesRemoveTcpInput(iptablesContext *ctx,
- int family,
+iptablesRemoveTcpInput(int family,
const char *iface,
int port)
{
- return iptablesInput(ctx, family, iface, port, REMOVE, 1);
+ return iptablesInput(family, iface, port, REMOVE, 1);
}
/**
@@ -315,12 +214,11 @@ iptablesRemoveTcpInput(iptablesContext *ctx,
*/
int
-iptablesAddUdpInput(iptablesContext *ctx,
- int family,
+iptablesAddUdpInput(int family,
const char *iface,
int port)
{
- return iptablesInput(ctx, family, iface, port, ADD, 0);
+ return iptablesInput(family, iface, port, ADD, 0);
}
/**
@@ -335,12 +233,11 @@ iptablesAddUdpInput(iptablesContext *ctx,
* Returns 0 in case of success or an error code in case of error
*/
int
-iptablesRemoveUdpInput(iptablesContext *ctx,
- int family,
+iptablesRemoveUdpInput(int family,
const char *iface,
int port)
{
- return iptablesInput(ctx, family, iface, port, REMOVE, 0);
+ return iptablesInput(family, iface, port, REMOVE, 0);
}
@@ -381,8 +278,7 @@ static char *iptablesFormatNetwork(virSocketAddr *netaddr,
* to proceed to WAN
*/
static int
-iptablesForwardAllowOut(iptablesContext *ctx,
- virSocketAddr *netaddr,
+iptablesForwardAllowOut(virSocketAddr *netaddr,
unsigned int prefix,
const char *iface,
const char *physdev,
@@ -395,7 +291,7 @@ iptablesForwardAllowOut(iptablesContext *ctx,
if (!(networkstr = iptablesFormatNetwork(netaddr, prefix)))
return -1;
- cmd = iptablesCommandNew(ctx->forward_filter,
+ cmd = iptablesCommandNew("filter", "FORWARD",
VIR_SOCKET_ADDR_FAMILY(netaddr),
action);
virCommandAddArgList(cmd,
@@ -426,13 +322,12 @@ iptablesForwardAllowOut(iptablesContext *ctx,
* Returns 0 in case of success or an error code otherwise
*/
int
-iptablesAddForwardAllowOut(iptablesContext *ctx,
- virSocketAddr *netaddr,
+iptablesAddForwardAllowOut(virSocketAddr *netaddr,
unsigned int prefix,
const char *iface,
const char *physdev)
{
- return iptablesForwardAllowOut(ctx, netaddr, prefix, iface, physdev, ADD);
+ return iptablesForwardAllowOut(netaddr, prefix, iface, physdev, ADD);
}
/**
@@ -449,13 +344,12 @@ iptablesAddForwardAllowOut(iptablesContext *ctx,
* Returns 0 in case of success or an error code otherwise
*/
int
-iptablesRemoveForwardAllowOut(iptablesContext *ctx,
- virSocketAddr *netaddr,
+iptablesRemoveForwardAllowOut(virSocketAddr *netaddr,
unsigned int prefix,
const char *iface,
const char *physdev)
{
- return iptablesForwardAllowOut(ctx, netaddr, prefix, iface, physdev, REMOVE);
+ return iptablesForwardAllowOut(netaddr, prefix, iface, physdev, REMOVE);
}
@@ -463,8 +357,7 @@ iptablesRemoveForwardAllowOut(iptablesContext *ctx,
* and associated with an existing connection
*/
static int
-iptablesForwardAllowRelatedIn(iptablesContext *ctx,
- virSocketAddr *netaddr,
+iptablesForwardAllowRelatedIn(virSocketAddr *netaddr,
unsigned int prefix,
const char *iface,
const char *physdev,
@@ -477,7 +370,7 @@ iptablesForwardAllowRelatedIn(iptablesContext *ctx,
return -1;
if (physdev && physdev[0]) {
- ret = iptablesAddRemoveRule(ctx->forward_filter,
+ ret = iptablesAddRemoveRule("filter", "FORWARD",
VIR_SOCKET_ADDR_FAMILY(netaddr),
action,
"--destination", networkstr,
@@ -488,7 +381,7 @@ iptablesForwardAllowRelatedIn(iptablesContext *ctx,
"--jump", "ACCEPT",
NULL);
} else {
- ret = iptablesAddRemoveRule(ctx->forward_filter,
+ ret = iptablesAddRemoveRule("filter", "FORWARD",
VIR_SOCKET_ADDR_FAMILY(netaddr),
action,
"--destination", networkstr,
@@ -516,13 +409,12 @@ iptablesForwardAllowRelatedIn(iptablesContext *ctx,
* Returns 0 in case of success or an error code otherwise
*/
int
-iptablesAddForwardAllowRelatedIn(iptablesContext *ctx,
- virSocketAddr *netaddr,
+iptablesAddForwardAllowRelatedIn(virSocketAddr *netaddr,
unsigned int prefix,
const char *iface,
const char *physdev)
{
- return iptablesForwardAllowRelatedIn(ctx, netaddr, prefix, iface, physdev, ADD);
+ return iptablesForwardAllowRelatedIn(netaddr, prefix, iface, physdev, ADD);
}
/**
@@ -539,20 +431,18 @@ iptablesAddForwardAllowRelatedIn(iptablesContext *ctx,
* Returns 0 in case of success or an error code otherwise
*/
int
-iptablesRemoveForwardAllowRelatedIn(iptablesContext *ctx,
- virSocketAddr *netaddr,
+iptablesRemoveForwardAllowRelatedIn(virSocketAddr *netaddr,
unsigned int prefix,
const char *iface,
const char *physdev)
{
- return iptablesForwardAllowRelatedIn(ctx, netaddr, prefix, iface, physdev, REMOVE);
+ return iptablesForwardAllowRelatedIn(netaddr, prefix, iface, physdev, REMOVE);
}
/* Allow all traffic destined to the bridge, with a valid network address
*/
static int
-iptablesForwardAllowIn(iptablesContext *ctx,
- virSocketAddr *netaddr,
+iptablesForwardAllowIn(virSocketAddr *netaddr,
unsigned int prefix,
const char *iface,
const char *physdev,
@@ -565,7 +455,7 @@ iptablesForwardAllowIn(iptablesContext *ctx,
return -1;
if (physdev && physdev[0]) {
- ret = iptablesAddRemoveRule(ctx->forward_filter,
+ ret = iptablesAddRemoveRule("filter", "FORWARD",
VIR_SOCKET_ADDR_FAMILY(netaddr),
action,
"--destination", networkstr,
@@ -574,7 +464,7 @@ iptablesForwardAllowIn(iptablesContext *ctx,
"--jump", "ACCEPT",
NULL);
} else {
- ret = iptablesAddRemoveRule(ctx->forward_filter,
+ ret = iptablesAddRemoveRule("filter", "FORWARD",
VIR_SOCKET_ADDR_FAMILY(netaddr),
action,
"--destination", networkstr,
@@ -600,13 +490,12 @@ iptablesForwardAllowIn(iptablesContext *ctx,
* Returns 0 in case of success or an error code otherwise
*/
int
-iptablesAddForwardAllowIn(iptablesContext *ctx,
- virSocketAddr *netaddr,
+iptablesAddForwardAllowIn(virSocketAddr *netaddr,
unsigned int prefix,
const char *iface,
const char *physdev)
{
- return iptablesForwardAllowIn(ctx, netaddr, prefix, iface, physdev, ADD);
+ return iptablesForwardAllowIn(netaddr, prefix, iface, physdev, ADD);
}
/**
@@ -623,13 +512,12 @@ iptablesAddForwardAllowIn(iptablesContext *ctx,
* Returns 0 in case of success or an error code otherwise
*/
int
-iptablesRemoveForwardAllowIn(iptablesContext *ctx,
- virSocketAddr *netaddr,
+iptablesRemoveForwardAllowIn(virSocketAddr *netaddr,
unsigned int prefix,
const char *iface,
const char *physdev)
{
- return iptablesForwardAllowIn(ctx, netaddr, prefix, iface, physdev, REMOVE);
+ return iptablesForwardAllowIn(netaddr, prefix, iface, physdev, REMOVE);
}
@@ -637,12 +525,11 @@ iptablesRemoveForwardAllowIn(iptablesContext *ctx,
* with a valid network address
*/
static int
-iptablesForwardAllowCross(iptablesContext *ctx,
- int family,
+iptablesForwardAllowCross(int family,
const char *iface,
int action)
{
- return iptablesAddRemoveRule(ctx->forward_filter,
+ return iptablesAddRemoveRule("filter", "FORWARD",
family,
action,
"--in-interface", iface,
@@ -663,11 +550,10 @@ iptablesForwardAllowCross(iptablesContext *ctx,
* Returns 0 in case of success or an error code otherwise
*/
int
-iptablesAddForwardAllowCross(iptablesContext *ctx,
- int family,
+iptablesAddForwardAllowCross(int family,
const char *iface)
{
- return iptablesForwardAllowCross(ctx, family, iface, ADD);
+ return iptablesForwardAllowCross(family, iface, ADD);
}
/**
@@ -682,11 +568,10 @@ iptablesAddForwardAllowCross(iptablesContext *ctx,
* Returns 0 in case of success or an error code otherwise
*/
int
-iptablesRemoveForwardAllowCross(iptablesContext *ctx,
- int family,
+iptablesRemoveForwardAllowCross(int family,
const char *iface)
{
- return iptablesForwardAllowCross(ctx, family, iface, REMOVE);
+ return iptablesForwardAllowCross(family, iface, REMOVE);
}
@@ -694,12 +579,11 @@ iptablesRemoveForwardAllowCross(iptablesContext *ctx,
* ie the bridge is the in interface
*/
static int
-iptablesForwardRejectOut(iptablesContext *ctx,
- int family,
+iptablesForwardRejectOut(int family,
const char *iface,
int action)
{
- return iptablesAddRemoveRule(ctx->forward_filter,
+ return iptablesAddRemoveRule("filter", "FORWARD",
family,
action,
"--in-interface", iface,
@@ -718,11 +602,10 @@ iptablesForwardRejectOut(iptablesContext *ctx,
* Returns 0 in case of success or an error code otherwise
*/
int
-iptablesAddForwardRejectOut(iptablesContext *ctx,
- int family,
+iptablesAddForwardRejectOut(int family,
const char *iface)
{
- return iptablesForwardRejectOut(ctx, family, iface, ADD);
+ return iptablesForwardRejectOut(family, iface, ADD);
}
/**
@@ -736,11 +619,10 @@ iptablesAddForwardRejectOut(iptablesContext *ctx,
* Returns 0 in case of success or an error code otherwise
*/
int
-iptablesRemoveForwardRejectOut(iptablesContext *ctx,
- int family,
+iptablesRemoveForwardRejectOut(int family,
const char *iface)
{
- return iptablesForwardRejectOut(ctx, family, iface, REMOVE);
+ return iptablesForwardRejectOut(family, iface, REMOVE);
}
@@ -750,12 +632,11 @@ iptablesRemoveForwardRejectOut(iptablesContext *ctx,
* ie the bridge is the out interface
*/
static int
-iptablesForwardRejectIn(iptablesContext *ctx,
- int family,
+iptablesForwardRejectIn(int family,
const char *iface,
int action)
{
- return iptablesAddRemoveRule(ctx->forward_filter,
+ return iptablesAddRemoveRule("filter", "FORWARD",
family,
action,
"--out-interface", iface,
@@ -774,11 +655,10 @@ iptablesForwardRejectIn(iptablesContext *ctx,
* Returns 0 in case of success or an error code otherwise
*/
int
-iptablesAddForwardRejectIn(iptablesContext *ctx,
- int family,
+iptablesAddForwardRejectIn(int family,
const char *iface)
{
- return iptablesForwardRejectIn(ctx, family, iface, ADD);
+ return iptablesForwardRejectIn(family, iface, ADD);
}
/**
@@ -792,11 +672,10 @@ iptablesAddForwardRejectIn(iptablesContext *ctx,
* Returns 0 in case of success or an error code otherwise
*/
int
-iptablesRemoveForwardRejectIn(iptablesContext *ctx,
- int family,
+iptablesRemoveForwardRejectIn(int family,
const char *iface)
{
- return iptablesForwardRejectIn(ctx, family, iface, REMOVE);
+ return iptablesForwardRejectIn(family, iface, REMOVE);
}
@@ -804,8 +683,7 @@ iptablesRemoveForwardRejectIn(iptablesContext *ctx,
* with the bridge
*/
static int
-iptablesForwardMasquerade(iptablesContext *ctx,
- virSocketAddr *netaddr,
+iptablesForwardMasquerade(virSocketAddr *netaddr,
unsigned int prefix,
const char *physdev,
virSocketAddrRangePtr addr,
@@ -841,7 +719,7 @@ iptablesForwardMasquerade(iptablesContext *ctx,
}
}
- cmd = iptablesCommandNew(ctx->nat_postrouting, AF_INET, action);
+ cmd = iptablesCommandNew("nat", "POSTROUTING", AF_INET, action);
virCommandAddArgList(cmd, "--source", networkstr, NULL);
if (protocol && protocol[0])
@@ -922,15 +800,14 @@ cleanup:
* Returns 0 in case of success or an error code otherwise
*/
int
-iptablesAddForwardMasquerade(iptablesContext *ctx,
- virSocketAddr *netaddr,
+iptablesAddForwardMasquerade(virSocketAddr *netaddr,
unsigned int prefix,
const char *physdev,
virSocketAddrRangePtr addr,
virPortRangePtr port,
const char *protocol)
{
- return iptablesForwardMasquerade(ctx, netaddr, prefix, physdev, addr, port,
+ return iptablesForwardMasquerade(netaddr, prefix, physdev, addr, port,
protocol, ADD);
}
@@ -948,22 +825,20 @@ iptablesAddForwardMasquerade(iptablesContext *ctx,
* Returns 0 in case of success or an error code otherwise
*/
int
-iptablesRemoveForwardMasquerade(iptablesContext *ctx,
- virSocketAddr *netaddr,
+iptablesRemoveForwardMasquerade(virSocketAddr *netaddr,
unsigned int prefix,
const char *physdev,
virSocketAddrRangePtr addr,
virPortRangePtr port,
const char *protocol)
{
- return iptablesForwardMasquerade(ctx, netaddr, prefix, physdev, addr, port,
+ return iptablesForwardMasquerade(netaddr, prefix, physdev, addr, port,
protocol, REMOVE);
}
static int
-iptablesOutputFixUdpChecksum(iptablesContext *ctx,
- const char *iface,
+iptablesOutputFixUdpChecksum(const char *iface,
int port,
int action)
{
@@ -972,7 +847,7 @@ iptablesOutputFixUdpChecksum(iptablesContext *ctx,
snprintf(portstr, sizeof(portstr), "%d", port);
portstr[sizeof(portstr) - 1] = '\0';
- return iptablesAddRemoveRule(ctx->mangle_postrouting,
+ return iptablesAddRemoveRule("mangle", "POSTROUTING",
AF_INET,
action,
"--out-interface", iface,
@@ -998,11 +873,10 @@ iptablesOutputFixUdpChecksum(iptablesContext *ctx,
*/
int
-iptablesAddOutputFixUdpChecksum(iptablesContext *ctx,
- const char *iface,
+iptablesAddOutputFixUdpChecksum(const char *iface,
int port)
{
- return iptablesOutputFixUdpChecksum(ctx, iface, port, ADD);
+ return iptablesOutputFixUdpChecksum(iface, port, ADD);
}
/**
@@ -1019,9 +893,8 @@ iptablesAddOutputFixUdpChecksum(iptablesContext *ctx,
* return an error, which should be ignored)
*/
int
-iptablesRemoveOutputFixUdpChecksum(iptablesContext *ctx,
- const char *iface,
+iptablesRemoveOutputFixUdpChecksum(const char *iface,
int port)
{
- return iptablesOutputFixUdpChecksum(ctx, iface, port, REMOVE);
+ return iptablesOutputFixUdpChecksum(iface, port, REMOVE);
}
diff --git a/src/util/viriptables.h b/src/util/viriptables.h
index b7ce59b..447f4a8 100644
--- a/src/util/viriptables.h
+++ b/src/util/viriptables.h
@@ -26,102 +26,77 @@
# include "virsocketaddr.h"
-typedef struct _iptablesContext iptablesContext;
-
-iptablesContext *iptablesContextNew (void);
-void iptablesContextFree (iptablesContext *ctx);
-
-int iptablesAddTcpInput (iptablesContext *ctx,
- int family,
+int iptablesAddTcpInput (int family,
const char *iface,
int port);
-int iptablesRemoveTcpInput (iptablesContext *ctx,
- int family,
+int iptablesRemoveTcpInput (int family,
const char *iface,
int port);
-int iptablesAddUdpInput (iptablesContext *ctx,
- int family,
+int iptablesAddUdpInput (int family,
const char *iface,
int port);
-int iptablesRemoveUdpInput (iptablesContext *ctx,
- int family,
+int iptablesRemoveUdpInput (int family,
const char *iface,
int port);
-int iptablesAddForwardAllowOut (iptablesContext *ctx,
- virSocketAddr *netaddr,
+int iptablesAddForwardAllowOut (virSocketAddr *netaddr,
unsigned int prefix,
const char *iface,
const char *physdev);
-int iptablesRemoveForwardAllowOut (iptablesContext *ctx,
- virSocketAddr *netaddr,
+int iptablesRemoveForwardAllowOut (virSocketAddr *netaddr,
unsigned int prefix,
const char *iface,
const char *physdev);
-int iptablesAddForwardAllowRelatedIn(iptablesContext *ctx,
- virSocketAddr *netaddr,
+int iptablesAddForwardAllowRelatedIn(virSocketAddr *netaddr,
unsigned int prefix,
const char *iface,
const char *physdev);
-int iptablesRemoveForwardAllowRelatedIn(iptablesContext *ctx,
- virSocketAddr *netaddr,
+int iptablesRemoveForwardAllowRelatedIn(virSocketAddr *netaddr,
unsigned int prefix,
const char *iface,
const char *physdev);
-int iptablesAddForwardAllowIn (iptablesContext *ctx,
- virSocketAddr *netaddr,
+int iptablesAddForwardAllowIn (virSocketAddr *netaddr,
unsigned int prefix,
const char *iface,
const char *physdev);
-int iptablesRemoveForwardAllowIn (iptablesContext *ctx,
- virSocketAddr *netaddr,
+int iptablesRemoveForwardAllowIn (virSocketAddr *netaddr,
unsigned int prefix,
const char *iface,
const char *physdev);
-int iptablesAddForwardAllowCross (iptablesContext *ctx,
- int family,
+int iptablesAddForwardAllowCross (int family,
const char *iface);
-int iptablesRemoveForwardAllowCross (iptablesContext *ctx,
- int family,
+int iptablesRemoveForwardAllowCross (int family,
const char *iface);
-int iptablesAddForwardRejectOut (iptablesContext *ctx,
- int family,
+int iptablesAddForwardRejectOut (int family,
const char *iface);
-int iptablesRemoveForwardRejectOut (iptablesContext *ctx,
- int family,
+int iptablesRemoveForwardRejectOut (int family,
const char *iface);
-int iptablesAddForwardRejectIn (iptablesContext *ctx,
- int family,
+int iptablesAddForwardRejectIn (int family,
const char *iface);
-int iptablesRemoveForwardRejectIn (iptablesContext *ctx,
- int family,
+int iptablesRemoveForwardRejectIn (int family,
const char *iface);
-int iptablesAddForwardMasquerade (iptablesContext *ctx,
- virSocketAddr *netaddr,
+int iptablesAddForwardMasquerade (virSocketAddr *netaddr,
unsigned int prefix,
const char *physdev,
virSocketAddrRangePtr addr,
virPortRangePtr port,
const char *protocol);
-int iptablesRemoveForwardMasquerade (iptablesContext *ctx,
- virSocketAddr *netaddr,
+int iptablesRemoveForwardMasquerade (virSocketAddr *netaddr,
unsigned int prefix,
const char *physdev,
virSocketAddrRangePtr addr,
virPortRangePtr port,
const char *protocol);
-int iptablesAddOutputFixUdpChecksum (iptablesContext *ctx,
- const char *iface,
+int iptablesAddOutputFixUdpChecksum (const char *iface,
int port);
-int iptablesRemoveOutputFixUdpChecksum (iptablesContext *ctx,
- const char *iface,
+int iptablesRemoveOutputFixUdpChecksum (const char *iface,
int port);
#endif /* __QEMUD_IPTABLES_H__ */
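Review bot: the include guard closing this file still reads `__QEMUD_IPTABLES_H__` (last line of the hunk) although the header is `src/util/viriptables.h`; while the whole declaration block is being rewritten, rename the guard to match the file name so the stale qemud prefix does not survive another cleanup.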
--
1.8.1.4
11 years, 2 months
[libvirt] [PATCH v5] qemu: Implement CPUs check against machine type's cpu-max
by Michal Novotny
Implement a check that the (maximum) number of vCPUs doesn't exceed the
machine type's cpu-max setting.
Differences between v4 and v5 (this one):
- Changed type to unsigned int
- Renamed variable to maxCpus to match previous naming
- When machine types are parsed from the command line, set maxCpus = 0 so that it is not shown
Differences between v3 and v4:
- Rebased to latest libvirt version
- Capability XML output extended by maxCpus field
- Extended caps-qemu-kvm.xml test by maxCpus for one of test emulators
On older versions of QEMU the check is disabled.
Signed-off-by: Michal Novotny <minovotn(a)redhat.com>
---
docs/schemas/capability.rng | 5 ++++
src/conf/capabilities.c | 4 +++
src/conf/capabilities.h | 1 +
src/qemu/qemu_capabilities.c | 40 +++++++++++++++++++++++++++-
src/qemu/qemu_capabilities.h | 3 ++-
src/qemu/qemu_monitor.h | 1 +
src/qemu/qemu_monitor_json.c | 6 +++++
src/qemu/qemu_process.c | 21 +++++++++++++++
tests/capabilityschemadata/caps-qemu-kvm.xml | 16 +++++------
9 files changed, 87 insertions(+), 10 deletions(-)
diff --git a/docs/schemas/capability.rng b/docs/schemas/capability.rng
index 106ca73..65c7c72 100644
--- a/docs/schemas/capability.rng
+++ b/docs/schemas/capability.rng
@@ -290,6 +290,11 @@
<text/>
</attribute>
</optional>
+ <optional>
+ <attribute name='maxCpus'>
+ <ref name='unsignedInt'/>
+ </attribute>
+ </optional>
<text/>
</element>
</define>
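Review bot: the schema gains `maxCpus` but the diffstat shows no change to the user-facing description of the capabilities XML, so nothing tells users what the attribute means or that it is simply absent when QEMU did not report `cpu-max` (the 0 case). Add a sentence to the capabilities format documentation alongside this schema change.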
diff --git a/src/conf/capabilities.c b/src/conf/capabilities.c
index da92c78..5aeb2ab 100644
--- a/src/conf/capabilities.c
+++ b/src/conf/capabilities.c
@@ -853,6 +853,8 @@ virCapabilitiesFormatXML(virCapsPtr caps)
virBufferAddLit(&xml, " <machine");
if (machine->canonical)
virBufferAsprintf(&xml, " canonical='%s'", machine->canonical);
+ if (machine->maxCpus > 0)
+ virBufferAsprintf(&xml, " maxCpus='%d'", machine->maxCpus);
virBufferAsprintf(&xml, ">%s</machine>\n", machine->name);
}
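Review bot: `maxCpus` is declared `unsigned int` (capabilities.h hunk below) but is formatted with `%d` here and again in the second loop below; use `%u`. Since the only difference between the two loops is the machine list they walk, this is also a good moment to factor the `<machine>` element formatting into a small helper so the two copies cannot drift apart.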
@@ -871,6 +873,8 @@ virCapabilitiesFormatXML(virCapsPtr caps)
virBufferAddLit(&xml, " <machine");
if (machine->canonical)
virBufferAsprintf(&xml, " canonical='%s'", machine->canonical);
+ if (machine->maxCpus > 0)
+ virBufferAsprintf(&xml, " maxCpus='%d'", machine->maxCpus);
virBufferAsprintf(&xml, ">%s</machine>\n", machine->name);
}
virBufferAddLit(&xml, " </domain>\n");
diff --git a/src/conf/capabilities.h b/src/conf/capabilities.h
index abcf6de..6c7efde 100644
--- a/src/conf/capabilities.h
+++ b/src/conf/capabilities.h
@@ -46,6 +46,7 @@ typedef virCapsGuestMachine *virCapsGuestMachinePtr;
struct _virCapsGuestMachine {
char *name;
char *canonical;
+ unsigned int maxCpus;
};
typedef struct _virCapsGuestDomainInfo virCapsGuestDomainInfo;
diff --git a/src/qemu/qemu_capabilities.c b/src/qemu/qemu_capabilities.c
index c4e076a..969b001 100644
--- a/src/qemu/qemu_capabilities.c
+++ b/src/qemu/qemu_capabilities.c
@@ -256,6 +256,7 @@ struct _virQEMUCaps {
size_t nmachineTypes;
char **machineTypes;
char **machineAliases;
+ unsigned int *machineMaxCpus;
};
struct _virQEMUCapsCache {
@@ -335,6 +336,7 @@ virQEMUCapsSetDefaultMachine(virQEMUCapsPtr qemuCaps,
{
char *name = qemuCaps->machineTypes[defIdx];
char *alias = qemuCaps->machineAliases[defIdx];
+ unsigned int maxCpus = qemuCaps->machineMaxCpus[defIdx];
memmove(qemuCaps->machineTypes + 1,
qemuCaps->machineTypes,
@@ -342,8 +344,12 @@ virQEMUCapsSetDefaultMachine(virQEMUCapsPtr qemuCaps,
memmove(qemuCaps->machineAliases + 1,
qemuCaps->machineAliases,
sizeof(qemuCaps->machineAliases[0]) * defIdx);
+ memmove(qemuCaps->machineMaxCpus + 1,
+ qemuCaps->machineMaxCpus,
+ sizeof(qemuCaps->machineMaxCpus[0]) * defIdx);
qemuCaps->machineTypes[0] = name;
qemuCaps->machineAliases[0] = alias;
+ qemuCaps->machineMaxCpus[0] = maxCpus;
}
/* Format is:
@@ -390,7 +396,8 @@ virQEMUCapsParseMachineTypesStr(const char *output,
}
if (VIR_REALLOC_N(qemuCaps->machineTypes, qemuCaps->nmachineTypes + 1) < 0 ||
- VIR_REALLOC_N(qemuCaps->machineAliases, qemuCaps->nmachineTypes + 1) < 0) {
+ VIR_REALLOC_N(qemuCaps->machineAliases, qemuCaps->nmachineTypes + 1) < 0 ||
+ VIR_REALLOC_N(qemuCaps->machineMaxCpus, qemuCaps->nmachineTypes + 1) < 0) {
VIR_FREE(name);
VIR_FREE(canonical);
virReportOOMError();
@@ -404,6 +411,8 @@ virQEMUCapsParseMachineTypesStr(const char *output,
qemuCaps->machineTypes[qemuCaps->nmachineTypes-1] = name;
qemuCaps->machineAliases[qemuCaps->nmachineTypes-1] = NULL;
}
+ /* When parsing from command line we don't have information about maxCpus */
+ qemuCaps->machineMaxCpus[qemuCaps->nmachineTypes-1] = 0;
} while ((p = next));
@@ -1764,11 +1773,14 @@ virQEMUCapsPtr virQEMUCapsNewCopy(virQEMUCapsPtr qemuCaps)
goto no_memory;
if (VIR_ALLOC_N(ret->machineAliases, qemuCaps->nmachineTypes) < 0)
goto no_memory;
+ if (VIR_ALLOC_N(ret->machineMaxCpus, qemuCaps->nmachineTypes) < 0)
+ goto no_memory;
ret->nmachineTypes = qemuCaps->nmachineTypes;
for (i = 0; i < qemuCaps->nmachineTypes; i++) {
if (VIR_STRDUP(ret->machineTypes[i], qemuCaps->machineTypes[i]) < 0 ||
VIR_STRDUP(ret->machineAliases[i], qemuCaps->machineAliases[i]) < 0)
goto error;
+ ret->machineMaxCpus[i] = qemuCaps->machineMaxCpus[i];
}
return ret;
@@ -1792,6 +1804,7 @@ void virQEMUCapsDispose(void *obj)
}
VIR_FREE(qemuCaps->machineTypes);
VIR_FREE(qemuCaps->machineAliases);
+ VIR_FREE(qemuCaps->machineMaxCpus);
for (i = 0; i < qemuCaps->ncpuDefinitions; i++) {
VIR_FREE(qemuCaps->cpuDefinitions[i]);
@@ -1932,6 +1945,7 @@ int virQEMUCapsGetMachineTypesCaps(virQEMUCapsPtr qemuCaps,
if (VIR_STRDUP(mach->name, qemuCaps->machineTypes[i]) < 0)
goto error;
}
+ mach->maxCpus = qemuCaps->machineMaxCpus[i];
(*machines)[i] = mach;
}
@@ -1966,6 +1980,25 @@ const char *virQEMUCapsGetCanonicalMachine(virQEMUCapsPtr qemuCaps,
}
+int virQEMUCapsGetMachineMaxCpus(virQEMUCapsPtr qemuCaps,
+ const char *name)
+{
+ size_t i;
+
+ if (!name)
+ return 0;
+
+ for (i = 0; i < qemuCaps->nmachineTypes; i++) {
+ if (!qemuCaps->machineMaxCpus[i])
+ continue;
+ if (STREQ(qemuCaps->machineTypes[i], name))
+ return qemuCaps->machineMaxCpus[i];
+ }
+
+ return 0;
+}
+
+
static int
virQEMUCapsProbeQMPCommands(virQEMUCapsPtr qemuCaps,
qemuMonitorPtr mon)
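Review bot: the lookup `STREQ(qemuCaps->machineTypes[i], name)` only matches canonical machine names; if `def->os.machine` arrives as an alias such as `pc` (the test capabilities below show alias entries carry `maxCpus` too), this returns 0 and qemuValidateCpuMax() silently skips the check. Either resolve the name through virQEMUCapsGetCanonicalMachine() first or also compare against `machineAliases[i]`. The `if (!qemuCaps->machineMaxCpus[i]) continue;` before the name compare is redundant, since a match with a 0 limit returns 0 anyway.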
@@ -2083,6 +2116,10 @@ virQEMUCapsProbeQMPMachineTypes(virQEMUCapsPtr qemuCaps,
virReportOOMError();
goto cleanup;
}
+ if (VIR_ALLOC_N(qemuCaps->machineMaxCpus, nmachines) < 0) {
+ virReportOOMError();
+ goto cleanup;
+ }
for (i = 0; i < nmachines; i++) {
if (VIR_STRDUP(qemuCaps->machineAliases[i], machines[i]->alias) < 0 ||
@@ -2090,6 +2127,7 @@ virQEMUCapsProbeQMPMachineTypes(virQEMUCapsPtr qemuCaps,
goto cleanup;
if (machines[i]->isDefault)
defIdx = i;
+ qemuCaps->machineMaxCpus[i] = machines[i]->maxCpus;
}
qemuCaps->nmachineTypes = nmachines;
diff --git a/src/qemu/qemu_capabilities.h b/src/qemu/qemu_capabilities.h
index 64a4b1d..7088747 100644
--- a/src/qemu/qemu_capabilities.h
+++ b/src/qemu/qemu_capabilities.h
@@ -234,7 +234,8 @@ size_t virQEMUCapsGetMachineTypes(virQEMUCapsPtr qemuCaps,
char ***names);
const char *virQEMUCapsGetCanonicalMachine(virQEMUCapsPtr qemuCaps,
const char *name);
-
+int virQEMUCapsGetMachineMaxCpus(virQEMUCapsPtr qemuCaps,
+ const char *name);
int virQEMUCapsGetMachineTypesCaps(virQEMUCapsPtr qemuCaps,
size_t *nmachines,
virCapsGuestMachinePtr **machines);
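Review bot: `virQEMUCapsGetMachineMaxCpus()` is declared as returning `int` while the stored value and the caller's `maxCpus` variable are `unsigned int` (the v5 type change); declare it `unsigned int` so the types agree. The hunk also removes the blank line that separated the `virQEMUCapsGetCanonicalMachine()` declaration from the next group; keep the separator and place the new declaration next to the canonical-machine one, which it belongs with.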
diff --git a/src/qemu/qemu_monitor.h b/src/qemu/qemu_monitor.h
index 3d9afa3..86ef635 100644
--- a/src/qemu/qemu_monitor.h
+++ b/src/qemu/qemu_monitor.h
@@ -654,6 +654,7 @@ struct _qemuMonitorMachineInfo {
char *name;
bool isDefault;
char *alias;
+ unsigned int maxCpus;
};
int qemuMonitorGetMachines(qemuMonitorPtr mon,
diff --git a/src/qemu/qemu_monitor_json.c b/src/qemu/qemu_monitor_json.c
index 88a0dc9..c0d7960 100644
--- a/src/qemu/qemu_monitor_json.c
+++ b/src/qemu/qemu_monitor_json.c
@@ -4042,6 +4042,12 @@ int qemuMonitorJSONGetMachines(qemuMonitorPtr mon,
if (VIR_STRDUP(info->alias, tmp) < 0)
goto cleanup;
}
+ if (virJSONValueObjectHasKey(child, "cpu-max") &&
+ virJSONValueObjectGetNumberUint(child, "cpu-max", &info->maxCpus) < 0) {
+ virReportError(VIR_ERR_INTERNAL_ERROR, "%s",
+ _("query-machines reply has malformed 'cpu-max' data"));
+ goto cleanup;
+ }
}
ret = n;
diff --git a/src/qemu/qemu_process.c b/src/qemu/qemu_process.c
index 5a0f18b..ac5ffcf 100644
--- a/src/qemu/qemu_process.c
+++ b/src/qemu/qemu_process.c
@@ -3330,6 +3330,24 @@ error:
}
+static bool
+qemuValidateCpuMax(virDomainDefPtr def, virQEMUCapsPtr qemuCaps)
+{
+ unsigned int maxCpus;
+
+ maxCpus = virQEMUCapsGetMachineMaxCpus(qemuCaps, def->os.machine);
+ if (!maxCpus)
+ return true;
+
+ if (def->maxvcpus > maxCpus) {
+ virReportError(VIR_ERR_CONFIG_UNSUPPORTED,
+ "%s", _("Maximum CPUs greater than specified machine type limit"));
+ return false;
+ }
+
+ return true;
+}
+
int qemuProcessStart(virConnectPtr conn,
virQEMUDriverPtr driver,
virDomainObjPtr vm,
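Review bot: the error message `_("Maximum CPUs greater than specified machine type limit")` tells the user neither the requested value, nor the limit, nor which machine type imposed it; include `def->maxvcpus`, `def->os.machine` and `maxCpus` in the message so the fix is obvious from the error alone. Also, returning `bool` from a validation helper is unusual in this code base, where the neighbouring calls in qemuProcessStart() are tested with `< 0`; returning `int` (0 / -1) keeps the call site consistent with them.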
@@ -3519,6 +3537,9 @@ int qemuProcessStart(virConnectPtr conn,
vm->def->emulator)))
goto cleanup;
+ if (!qemuValidateCpuMax(vm->def, priv->qemuCaps))
+ goto cleanup;
+
if (qemuAssignDeviceAliases(vm->def, priv->qemuCaps) < 0)
goto cleanup;
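Review bot: the check runs only from qemuProcessStart(), so a definition with more vCPUs than the machine type allows is accepted by define and only rejected when the guest is started; the diffstat touches no define-time path. Consider validating at define time as well (and on vCPU hot-plug) so the user learns about the limit when writing the XML rather than at boot.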
diff --git a/tests/capabilityschemadata/caps-qemu-kvm.xml b/tests/capabilityschemadata/caps-qemu-kvm.xml
index 36c4b49..1fbc22b 100644
--- a/tests/capabilityschemadata/caps-qemu-kvm.xml
+++ b/tests/capabilityschemadata/caps-qemu-kvm.xml
@@ -33,18 +33,18 @@
<arch name='i686'>
<wordsize>32</wordsize>
<emulator>/usr/bin/qemu</emulator>
- <machine>pc-0.11</machine>
- <machine canonical='pc-0.11'>pc</machine>
- <machine>pc-0.10</machine>
- <machine>isapc</machine>
+ <machine maxCpus='255'>pc-0.11</machine>
+ <machine canonical='pc-0.11' maxCpus='255'>pc</machine>
+ <machine maxCpus='255'>pc-0.10</machine>
+ <machine maxCpus='1'>isapc</machine>
<domain type='qemu'>
</domain>
<domain type='kvm'>
<emulator>/usr/bin/qemu-kvm</emulator>
- <machine>pc-0.11</machine>
- <machine canonical='pc-0.11'>pc</machine>
- <machine>pc-0.10</machine>
- <machine>isapc</machine>
+ <machine maxCpus='255'>pc-0.11</machine>
+ <machine canonical='pc-0.11' maxCpus='255'>pc</machine>
+ <machine maxCpus='255'>pc-0.10</machine>
+ <machine maxCpus='1'>isapc</machine>
</domain>
</arch>
<features>
--
1.7.11.7
11 years, 2 months
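A worked version of the check described in the patch above, as an added example in Python (not libvirt's C code): it parses a constructed QMP `query-machines` reply, gives aliases the same limit as their canonical machine, and skips the check when no `cpu-max` is known, which is what the patch does for older QEMU. The machine names, limits and function names are assumptions for illustration.

```python
"""Check a guest's maximum vCPU count against the QEMU machine type's
cpu-max, the rule the patch above adds to qemuProcessStart().

Added example, not libvirt code. The QMP reply and the function names are
assumptions for illustration; everything runs offline."""
import json

# Constructed stand-in for a QMP `query-machines` reply. The "legacy"
# entry omits 'cpu-max' to model an older QEMU that does not report it.
QUERY_MACHINES_REPLY = json.dumps({
    "return": [
        {"name": "pc-0.11", "alias": "pc", "is-default": True, "cpu-max": 255},
        {"name": "pc-0.10", "cpu-max": 255},
        {"name": "isapc", "cpu-max": 1},
        {"name": "legacy"},
    ]
})


def parse_machines(reply_json):
    """Return {machine name: cpu-max}. An alias gets the same limit as its
    canonical machine; a missing 'cpu-max' is stored as 0 (unknown)."""
    reply = json.loads(reply_json)
    limits = {}
    for machine in reply["return"]:
        cpu_max = machine.get("cpu-max", 0)
        if isinstance(cpu_max, bool) or not isinstance(cpu_max, int) or cpu_max < 0:
            raise ValueError("query-machines reply has malformed 'cpu-max' data")
        limits[machine["name"]] = cpu_max
        if machine.get("alias"):
            limits[machine["alias"]] = cpu_max
    return limits


def machine_max_cpus(limits, machine):
    """0 means no limit is known: unknown machine type or old QEMU."""
    return limits.get(machine, 0)


def validate_cpu_max(limits, machine, maxvcpus):
    """Return (ok, message). Skips the check when no limit is known, which
    is what the patch does when machineMaxCpus is 0."""
    limit = machine_max_cpus(limits, machine)
    if limit == 0:
        return True, "no cpu-max known for machine %r, check skipped" % machine
    if maxvcpus > limit:
        return False, ("maximum vCPUs %d greater than machine type %r limit %d"
                       % (maxvcpus, machine, limit))
    return True, "ok"


if __name__ == "__main__":
    limits = parse_machines(QUERY_MACHINES_REPLY)
    for machine, vcpus in (("pc", 8), ("isapc", 2), ("legacy", 4096)):
        print(machine, vcpus, validate_cpu_max(limits, machine, vcpus))
```

The alias handling is the part worth keeping in mind when reading the patch: a lookup keyed only on canonical names returns 0 for `pc`, and 0 means "skip the check".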
[libvirt] [RFC PATCH 1/2] LXC: Drop capabilities only if we're not within a user namespace
by Richard Weinberger
Dropping capabilities within a user namespace makes no sense
because any uid 0 process will regain all caps upon execve().
Signed-off-by: Richard Weinberger <richard(a)nod.at>
---
src/lxc/lxc_container.c | 21 ++++++++++-----------
1 file changed, 10 insertions(+), 11 deletions(-)
diff --git a/src/lxc/lxc_container.c b/src/lxc/lxc_container.c
index 958e20d..4f00420 100644
--- a/src/lxc/lxc_container.c
+++ b/src/lxc/lxc_container.c
@@ -1896,6 +1896,15 @@ static int lxcContainerDropCapabilities(bool keepReboot ATTRIBUTE_UNUSED)
return 0;
}
+static int userns_supported(void)
+{
+ return lxcContainerAvailable(LXC_CONTAINER_FEATURE_USER) == 0;
+}
+
+static int userns_required(virDomainDefPtr def)
+{
+ return def->idmap.uidmap && def->idmap.gidmap;
+}
/**
* lxcContainerChild:
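Review bot: only userns_required() is needed ahead of lxcContainerChild(); moving userns_supported() as well is harmless but enlarges the diff for no gain. A forward declaration, or moving just userns_required(), keeps the change minimal.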
@@ -1992,7 +2001,7 @@ static int lxcContainerChild(void *data)
}
/* drop a set of root capabilities */
- if (lxcContainerDropCapabilities(!!hasReboot) < 0)
+ if (!userns_required(vmDef) && lxcContainerDropCapabilities(!!hasReboot) < 0)
goto cleanup;
if (lxcContainerSendContinue(argv->handshakefd) < 0) {
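Review bot: `!userns_required(vmDef) && lxcContainerDropCapabilities(!!hasReboot) < 0` gates on the domain config (an idmap is present), not on the namespace the container actually ended up in, and the `/* drop a set of root capabilities */` comment above it no longer explains the condition. Split the test (`if (!userns_required(vmDef)) { if (lxcContainerDropCapabilities(...) < 0) goto cleanup; }`) and extend the comment with the reason from the commit message. One question before taking this: the execve() argument only holds if the dropped set does not include the bounding set; if lxcContainerDropCapabilities() also clears the bounding set (not visible in this hunk), uid 0 would not regain those capabilities on execve() and the drop could stay even with user namespaces.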
@@ -2025,16 +2034,6 @@ cleanup:
return ret;
}
-static int userns_supported(void)
-{
- return lxcContainerAvailable(LXC_CONTAINER_FEATURE_USER) == 0;
-}
-
-static int userns_required(virDomainDefPtr def)
-{
- return def->idmap.uidmap && def->idmap.gidmap;
-}
-
virArch lxcContainerGetAlt32bitArch(virArch arch)
{
/* Any Linux 64bit arch which has a 32bit
--
1.8.1.4
11 years, 2 months
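A runtime counterpart to the config-based gate in the patch above, as an added example in Python (not libvirt code): it parses the `/proc/self/uid_map` a process sees, decides whether it is in the initial user namespace, translates in-namespace ids to host ids, and applies the commit message's rule of dropping capabilities only outside a user namespace. The two map strings are constructed and the function names are assumptions.

```python
"""Decide from /proc/self/uid_map whether a process is inside a user
namespace, and apply the rule from the patch above: drop capabilities
only when it is not.

Added example, not libvirt code. The map contents are constructed and
the function names are assumptions for illustration."""

# What the initial user namespace shows: the whole 32-bit range mapped 1:1.
INITIAL_UID_MAP = "         0          0 4294967295\n"
# What a container started with <idmap> typically shows: in-namespace uids
# 0..65535 mapped onto host uids 100000..165535.
CONTAINER_UID_MAP = "         0     100000      65536\n"

FULL_RANGE = 4294967295  # count the kernel reports for the initial namespace


def parse_id_map(text):
    """Parse uid_map/gid_map lines into (inside_start, outside_start, count).
    The kernel writes exactly three decimal fields per line."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if len(fields) != 3:
            raise ValueError("malformed id map line: %r" % line)
        inside, outside, count = (int(f) for f in fields)
        if count <= 0:
            raise ValueError("malformed id map line: %r" % line)
        entries.append((inside, outside, count))
    return entries


def in_initial_userns(uid_map_text):
    """True only for the identity map covering the full range; any other
    map means the process is in a child user namespace."""
    return parse_id_map(uid_map_text) == [(0, 0, FULL_RANGE)]


def map_to_host(entries, inside_id):
    """Translate an in-namespace id to the host id, or None if the id is
    not mapped (the kernel then shows the overflow id, 65534 by default)."""
    for inside, outside, count in entries:
        if inside <= inside_id < inside + count:
            return outside + (inside_id - inside)
    return None


def should_drop_capabilities(uid_map_text):
    """The patch's rule: drop capabilities only outside a user namespace,
    because, as the commit message argues, uid 0 inside one regains them
    on execve()."""
    return in_initial_userns(uid_map_text)


if __name__ == "__main__":
    for label, uid_map in (("host", INITIAL_UID_MAP), ("container", CONTAINER_UID_MAP)):
        print(label, "drop caps:", should_drop_capabilities(uid_map))
```

Reading the live map rather than the domain config answers the question the gate in the patch only approximates: a container whose XML carries an idmap but which failed to enter a user namespace would still show the identity map here.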
[libvirt] [PATCH] Document security reporting & handling process
by Daniel P. Berrange
From: "Daniel P. Berrange" <berrange(a)redhat.com>
Historically security issues in libvirt have been primarily
triaged & fixed by the Red Hat libvirt members & Red Hat
security team, who then usually notify other vendors via
appropriate channels. There have been a number of times
when vendors have not been properly notified ahead of
announcement. It has also disadvantaged community members
who have to backport fixes to releases for which there are
no current libvirt stable branches.
To address this, we want to make the libvirt security process
entirely community focused / driven. To this end I have set up
a new email address "libvirt-security(a)redhat.com" for end
users to report bugs which have (possible) security implications.
This email addr is backed by an invitation-only, private-archive
mailing list. The intent is for the list membership
to comprise a subset of the libvirt core team, along with any
vendor security team engineers who wish to participate in a
responsible disclosure process for libvirt. Members of the
list will be responsible for analysing the problem to determine
if a security issue exists and then issue fixes for all current
official stable branches & git master.
I am proposing the following libvirt core team people as
members of the security team / list (all cc'd):
Daniel Berrange (Red Hat)
Eric Blake (Red Hat)
Jiri Denemar (Red Hat)
Daniel Veillard (Red Hat)
Jim Fehlig (SUSE)
Doug Goldstein (Gentoo)
Guido Günther (Debian)
We don't have anyone from Ubuntu on the libvirt core team.
Serge Hallyn is the most frequent submitter of patches from
Ubuntu in recent history, so I'd like to invite him to join.
Alternatively, Serge, feel free to suggest someone else to
represent Ubuntu's interests.
If any other vendors/distros have security people who are
responsible for dealing with libvirt security issues, and
want to join to get early disclosure of issues, they can
suggest people. Existing security team members will vet /
approve such requests to ensure they are genuine.
Anyone on the team / list will be **required** to honour any
embargo period agreed between members for non-public issues
that are reported. The aim will be to have a maximum 2 week
embargo period in the common case, extendable to 1 month if
there is sufficient justification made. If anyone feels they
are unable to follow such an embargo process for whatever
reason, please decline membership of the security list/team.
The patch which follows puts up some docs on the website
about all of this....
Document how to report security bugs and the process that
will be used for addressing them.
Signed-off-by: Daniel P. Berrange <berrange(a)redhat.com>
---
docs/bugs.html.in | 12 +++++
docs/contact.html.in | 12 +++++
docs/securityprocess.html.in | 113 +++++++++++++++++++++++++++++++++++++++++++
docs/sitemap.html.in | 4 ++
4 files changed, 141 insertions(+)
create mode 100644 docs/securityprocess.html.in
diff --git a/docs/bugs.html.in b/docs/bugs.html.in
index 3d79b32..71e43e4 100644
--- a/docs/bugs.html.in
+++ b/docs/bugs.html.in
@@ -7,6 +7,18 @@
<ul id="toc"></ul>
+ <h2><a name="security">Security Issues</a></h2>
+
+ <p>
+ If you think that an issue with libvirt may have security
+ implications, <strong>please do not</strong> publically
+ report it in the bug tracker, mailing lists, or irc. Libvirt
+ has <a href="securityprocess.html">a dedicated process for handling (potential) security issues</a>
+ that should be used instead. So if your issue has security
+ implications, ignore the rest of this page and follow the
+ <a href="securityprocess.html">security process</a> instead.
+ </p>
+
<h2><a name="bugzilla">Bug Tracking</a></h2>
<p>
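Review bot: `publically` in the new paragraph is a misspelling of `publicly`, and `irc` is conventionally written `IRC`; the identical paragraph is added to contact.html.in as well, so both copies need the same fix. The paragraph also links to securityprocess.html twice in three sentences; one link (the `security process` one) is enough.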
diff --git a/docs/contact.html.in b/docs/contact.html.in
index e34de67..51cc775 100644
--- a/docs/contact.html.in
+++ b/docs/contact.html.in
@@ -6,6 +6,18 @@
<ul id="toc"></ul>
+ <h2><a name="security">Security Issues</a></h2>
+
+ <p>
+ If you think that an issue with libvirt may have security
+ implications, <strong>please do not</strong> publically
+ report it in the bug tracker, mailing lists, or irc. Libvirt
+ has <a href="securityprocess.html">a dedicated process for handling (potential) security issues</a>
+ that should be used instead. So if your issue has security
+ implications, ignore the rest of this page and follow the
+ <a href="securityprocess.html">security process</a> instead.
+ </p>
+
<h2><a name="email">Mailing lists</a></h2>
<p>
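Review bot: this paragraph is a verbatim copy of the one added to bugs.html.in, including the `publically` typo, and the two copies will drift apart over time. Consider reducing each page to a one-sentence pointer (do not report potential security issues publicly; see the <a href="securityprocess.html">security process</a>) and keeping the explanation only on securityprocess.html, where it already lives.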
diff --git a/docs/securityprocess.html.in b/docs/securityprocess.html.in
new file mode 100644
index 0000000..c29ae80
--- /dev/null
+++ b/docs/securityprocess.html.in
@@ -0,0 +1,113 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+ <body>
+
+ <h1>Security Process</h1>
+
+ <ul id="toc"></ul>
+
+ <p>
+ The libvirt project believes in responsible disclosure of
+ security problems, to allow vendors time to prepare and
+ distribute patches for problems ahead of their publication.
+ This page describes how the process works and how to report
+ potential security issues.
+ </p>
+
+ <h2><a name="reporting">Reporting security issues</a></h2>
+
+ <p>
+ In the event that a bug in libvirt is found which is
+ believed to have (potential) security implications there
+ is a dedicated contact to which a bug report / notification
+ should be directed. Send an email with as many details of
+ the problem as possible (ideally with steps to reproduce)
+ to the following email address:
+ </p>
+
+ <pre>
+<a href="mailto:libvirt-security@redhat.com">libvirt-security(a)redhat.com</a></pre>
+
+ <p>
+ NB. while this email address is backed by a mailing list, it
+ is invitation only and moderated for non-members. As such you
+ will receive an auto-reply indicating the report is held for
+ moderation. Postings by non-members will be approved by a
+ moderator and the reporter copied on any replies.
+ </p>
+
+ <h2><a name="seclist">Security team</a></h2>
+
+ <p>
+ The libvirt security team is made up of a subset of the libvirt
+ core development team which covers the various distro maintainers
+ of libvirt, along with nominated security engineers representing
+ the various vendors who distribute libvirt. The team is responsible
+ for analysing incoming reports from users to identify whether a
+ security problem exists and its severity. It then works to produce
+ a fix for all official stable branches of libvirt and co-ordinate
+ embargo dates between vendors to allow simultaneous release of the
+ fix by all affected parties.
+ </p>
+
+ <p>
+ If you are a security representative of a vendor distributing
+ libvirt and would like to join the security team, send an email
+ to the afore-mentioned security address. Typically an existing
+ member of the security team will have to vouch for your credentials
+ before membership is approved. All members of the security team
+ are <strong>required to respect the embargo policy</strong>
+ described below.
+ </p>
+
+ <h2><a name="embargo">Publication embargo policy</a></h2>
+
+ <p>
+ The libvirt security team operates a policy of
+ <a href="http://en.wikipedia.org/wiki/Responsible_disclosure">responsible disclosure</a>.
+ As such any security issue reported, that is not already publically disclosed
+ elswhere, will have an embargo date assigned. Members of the security team agree
+ not to publically disclose any details of the security issue until the embargo
+ date expires.
+ </p>
+
+ <p>
+ The general aim of the team is to have embargo dates which
+ are two weeks or less in duration. If a problem is identified
+ with a proposed patch for a security issue, requiring further
+ investigation and bug fixing, the embargo clock may be restarted.
+ In exceptional circumstances longer initial embargos may be
+ negotiated by mutual agreement between members of the security
+ team and other relevant parties to the problem. Any such extended
+ embargoes will aim to be at most one month in duration.
+ </p>
+
+
+ <h2><a name="cve">CVE allocation</a></h2>
+
+ <p>
+ The libvirt security team will associate each security issue with
+ a CVE number. The CVE numbers will usually be allocated by one of
+ the vendor security engineers on the security team.
+ </p>
+
+ <h2><a name="branches">Branch fixing policy</a></h2>
+
+ <p>
+ The libvirt community maintains one or more stable release branches
+ at any given point in time. The security team will aim to publish
+ fixes for GIT master (which will become the next major release) and
+ each currently maintained stable release branch. The distro maintainers
+ will be responsible for backporting the officially published fixes to
+ other release branches where applicable.
+ </p>
+
+ <h2><a name="notification">Notification of issues</a></h2>
+
+ <p>
+ When an embargo expires, security issues will be announced on both
+ the libvirt development and announcement <a href="http://libvirt.org/contact.html#email">mailing lists</a>.
+ </p>
+ </body>
+</html>
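Review bot: the "Reporting security issues" section asks reporters to send as many details as possible, ideally with reproduction steps, by email, but gives them no way to protect that report in transit: no team PGP key is published and nothing says whether unencrypted mail is acceptable. Suggest either publishing a key for the list (or for individual team members) or stating explicitly that plain email is expected, so reporters are not left guessing. Spelling in the same file: `elswhere` should be `elsewhere`, `publically` should be `publicly` (twice in the embargo section), and `embargos` in "longer initial embargos" is inconsistent with `embargoes` two lines later; `GIT master` is usually written `git master`. There is also a doubled blank line before the "CVE allocation" heading.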
diff --git a/docs/sitemap.html.in b/docs/sitemap.html.in
index cb7cc5b..fd10caf 100644
--- a/docs/sitemap.html.in
+++ b/docs/sitemap.html.in
@@ -349,6 +349,10 @@
<span>How and where to report bugs and request features</span>
<ul>
<li>
+ <a href="securityprocess.html">Security Process</a>
+ <span>Security bug reporting and resolution process</span>
+ </li>
+ <li>
<a href="todo.html">Todo list</a>
<span>Main feature request list</span>
</li>
--
1.8.1.4
11 years, 2 months
[libvirt] [PATCH] node device driver: update driver name during dumpxml
by Laine Stump
This fixes:
https://bugzilla.redhat.com/show_bug.cgi?id=979290
https://bugzilla.redhat.com/show_bug.cgi?id=979330
The node device driver was written with the assumption that udev would
use a "change" event to notify libvirt of any change to device status
(including the name of the driver it was bound to). It turns out this
is not the case (see Comment 4 of BZ 979290). That means that a
dumpxml for a device would always show whatever driver happened to be
bound at the time libvirt was started (when the node device cache was
built).
There was already code in the driver (for the benefit of the HAL
backend) that updated the driver name from sysfs each time a device's
info was retrieved from the cache. This patch just enables that manual
update for the udev backend as well.
---
src/node_device/node_device_driver.c | 13 +++++++++----
1 file changed, 9 insertions(+), 4 deletions(-)
diff --git a/src/node_device/node_device_driver.c b/src/node_device/node_device_driver.c
index 67e90a1..8e6911a 100644
--- a/src/node_device/node_device_driver.c
+++ b/src/node_device/node_device_driver.c
@@ -60,10 +60,15 @@ static int update_caps(virNodeDeviceObjPtr dev)
}
-#if defined (__linux__) && defined (WITH_HAL)
-/* Under libudev changes to the driver name should be picked up as
- * "change" events, so we don't call update driver name unless we're
- * using the HAL backend. */
+#if defined (__linux__) && ( defined (WITH_HAL) || defined(WITH_UDEV))
+/* NB: It was previously believed that changes in driver name were
+ * relayed to libvirt as "change" events by udev, and the udev event
+ * notification is setup to recognize such events and effectively
+ * recreate the device entry in the cache. However, neither the kernel
+ * nor udev sends such an event, so it is necessary to manually update
+ * the driver name for a device each time its entry is used, both for
+ * udev *and* HAL backends.
+ */
static int update_driver_name(virNodeDeviceObjPtr dev)
{
char *driver_link = NULL;
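Review bot: the hunk widens the `#if` guard around the definition of `update_driver_name()` to cover `WITH_UDEV`, but the call site that the commit message says now refreshes the driver name on every cache lookup is not in this diff; please confirm its guard was changed in the same way, otherwise udev builds get an unused-static-function warning and the driver name still goes stale. Minor style point on the new `#if` line: `defined (WITH_HAL) || defined(WITH_UDEV)` mixes two spacings (and has a stray space after the opening parenthesis); pick one form, e.g. `defined(__linux__) && (defined(WITH_HAL) || defined(WITH_UDEV))`.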
--
1.7.11.7
11 years, 2 months
[libvirt] [PATCH] spec: require xen-devel for libxl driver
by Eric Blake
When using 'rpmbuild --define "_without_xen"', but on a new enough
Fedora where %{with_libxl} still gets set to 1 by default, the
build dependencies were incomplete, which could result in 'make rpm'
failing because ./configure failed to build the libxl driver.
* libvirt.spec.in (BuildRequires): Fix xen-devel condition.
Signed-off-by: Eric Blake <eblake(a)redhat.com>
---
Pushing under the build-breaker rule.
I found this on a machine with 'xen-devel' uninstalled, while
running ./autobuild.sh; it took me a while to find the root
cause, since autobuild.sh uses 'rpmbuild --nodeps' and therefore
failed to tell me which packages I did not have installed.
libvirt.spec.in | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libvirt.spec.in b/libvirt.spec.in
index f40b614..aee61fa 100644
--- a/libvirt.spec.in
+++ b/libvirt.spec.in
@@ -412,7 +412,7 @@ BuildRequires: python-devel
%if %{with_systemd}
BuildRequires: systemd-units
%endif
-%if %{with_xen}
+%if %{with_xen} || %{with_libxl}
BuildRequires: xen-devel
%endif
BuildRequires: libxml2-devel
--
1.8.1.4
11 years, 2 months
[libvirt] [PATCH 0/4] Resolve some recent Valgrind errors
by John Ferlan
Ran Valgrind today and found, investigated, and resolved the errors seen.
John Ferlan (4):
Resolve valgrind error in virNetDevVlanParse()
Resolve valgrind error in virStorageBackendCreateQemuImgCmd()
Resolve valgrind error in remoteConfigGetStringList()
Resolve valgrind errors for nodedev cap parsing
daemon/libvirtd-config.c | 6 ++++++
src/conf/netdev_vlan_conf.c | 24 +++++++++++++-----------
src/conf/node_device_conf.c | 3 +++
src/storage/storage_backend.c | 4 +++-
4 files changed, 25 insertions(+), 12 deletions(-)
--
1.8.1.4
11 years, 2 months