On 6/11/24 12:47 PM, Daniel P. Berrangé wrote:
Running any of the firewall tools is unsupported when non-root. Rather
than attempt to initialize the driver, which will then be unusable,
just skip initialization entirely and decline startup.
This allows libvirtd to carry on operating with the network driver
disabled, while ensuring virtnetworkd will shut down.
Signed-off-by: Daniel P. Berrangé <berrange(a)redhat.com>
---
src/network/bridge_driver.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/src/network/bridge_driver.c b/src/network/bridge_driver.c
index 371bc2bae6..ce69c56464 100644
--- a/src/network/bridge_driver.c
+++ b/src/network/bridge_driver.c
@@ -596,6 +596,12 @@ networkStateInitialize(bool privileged,
return -1;
}
+ /* Can't manipulate the firewall when non-root */
+ if (!privileged) {
+ ret = VIR_DRV_STATE_INIT_SKIPPED;
+ goto error;
+ }
+
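Review bot: The `!privileged` branch reports a deliberate skip but leaves through `goto error`, so `VIR_DRV_STATE_INIT_SKIPPED` passes through whatever the error path does. Please confirm that the `error` label only releases state and neither logs a failure nor overwrites `ret`, or give this case its own cleanup label so a non-failure outcome does not read as an error. The check also sits after an earlier failure path (the `return -1;` in the context lines), so if nothing before it is needed for the decision, testing `privileged` earlier in networkStateInitialize would avoid setting state up only to tear it down for non-root callers. The comment could also say that startup is declined, not only that the firewall cannot be manipulated.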
Reviewed-by: Laine Stump <laine(a)redhat.com>
About once every 3 or 4 years I've wondered why we load the network
driver for unprivileged libvirt, since it's unusable. I haven't had the
attention span to ask anyone and write this patch though :-)