While testing the SIGHUP handling and reloading of the nwfilter
driver, I found that when the filters are rebuilt and multiple threads
handle the individual interfaces, concurrently running multiple
external bash scripts causes strange failures even though the executed
ebtables commands are working on different tables for different
interfaces. I cannot say for sure where the concurrency problems are
caused, but introducing this lock definitely helps.
Signed-off-by: Stefan Berger <stefanb(a)us.ibm.com>
---
src/nwfilter/nwfilter_ebiptables_driver.c | 14 ++++++++++++--
1 file changed, 12 insertions(+), 2 deletions(-)
Index: libvirt-acl/src/nwfilter/nwfilter_ebiptables_driver.c
===================================================================
--- libvirt-acl.orig/src/nwfilter/nwfilter_ebiptables_driver.c
+++ libvirt-acl/src/nwfilter/nwfilter_ebiptables_driver.c
@@ -104,6 +104,7 @@ static int ebiptablesDriverInit(void);
static void ebiptablesDriverShutdown(void);
static int ebtablesCleanAll(const char *ifname);
+static virMutex execCLIMutex;
struct ushort_map {
unsigned short attr;
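Review bot: The new file-scope `execCLIMutex` is declared without a comment saying what it protects, and the reason for it lives only in the commit message. A short comment at the declaration would keep later changes from adding a second unlocked `virRun()` path, for example `/* Serializes every external ebtables/iptables script run via ebiptablesExecCLI(); concurrent runs were observed to fail */`.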
@@ -2309,8 +2310,13 @@ ebiptablesExecCLI(virBufferPtr buf,
return 1;
argv[0] = filename;
+
+ virMutexLock(&execCLIMutex);
+
rc = virRun(argv, status);
+ virMutexUnlock(&execCLIMutex);
+
*status >>= 8;
VIR_DEBUG("rc = %d, status = %d",rc, *status);
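Review bot: The lock taken around `virRun()` only serializes scripts started by this process, so another program that runs ebtables or iptables at the same moment is not covered. If the failures come from concurrent updates to shared kernel tables (an inference; the commit message leaves the cause open), they can still occur and leave an interface without its complete rule set. The mutex is also held for the entire lifetime of the external script, so every interface rebuild now waits on the slowest one. Both limits are worth stating in a comment above the lock, e.g. `/* in-process serialization only; held until the script exits */`. The body of ebiptablesExecCLI starts and ends outside this hunk.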
@@ -3163,8 +3169,9 @@ tear_down_tmpebchains:
ebiptablesExecCLI(&buf, &cli_status);
virNWFilterReportError(VIR_ERR_BUILD_FIREWALL,
- "%s",
- _("Some rules could not be created."));
+ _("Some rules could not be created for "
+ "interface %s."),
+ ifname);
return 1;
}
@@ -3364,6 +3371,9 @@ ebiptablesDriverInit(void)
virBuffer buf = VIR_BUFFER_INITIALIZER;
int cli_status;
+ if (virMutexInit(&execCLIMutex))
+ return EINVAL;
+
bash_cmd_path = virFindFileInPath("bash");
gawk_cmd_path = virFindFileInPath("gawk");
grep_cmd_path = virFindFileInPath("grep");
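Review bot: `virMutexInit(&execCLIMutex)` is added at the top of ebiptablesDriverInit with no matching `virMutexDestroy(&execCLIMutex);` visible in this patch. ebiptablesDriverShutdown is not touched, and any later failure return in this function would leave the mutex initialized. If the init function can run again on a driver reload (not visible here, and the commit message is about SIGHUP reloads), the mutex would be re-initialized, possibly while another thread holds it. Consider destroying it in ebiptablesDriverShutdown and on the init error paths, or initializing it exactly once. The function body continues past the end of this hunk.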