8:47 a.m.
Here are a 2 fixes that make virt-sandbox-service work for me.
One allows it to work if selinux isn't handled by libvirtd, the other
safely handles some file copying that can be different across distros.
Cédric Bosdonnat (2):
virt-sandbox-service: check for security label only if they can be
handled
virt-sandbox-service: fix some paths for SUSE
bin/virt-sandbox-service | 42 ++++++++++++++++++++++++++++++++++++------
1 file changed, 36 insertions(+), 6 deletions(-)
--
1.8.4.5
8:47 a.m.
New subject: [libvirt] [libvirt-sandbox PATCH 1/2] virt-sandbox-service: check for security label only if they can be handled
virt-sandbox-service assumes libvirt has selinux security model...
which is not necessarily the case. If no security model is defined,
then don't check for dynamic labels.
---
bin/virt-sandbox-service | 24 +++++++++++++++++++++++-
1 file changed, 23 insertions(+), 1 deletion(-)
diff --git a/bin/virt-sandbox-service b/bin/virt-sandbox-service
index 9ed37e0..789c732 100755
--- a/bin/virt-sandbox-service
+++ b/bin/virt-sandbox-service
@@ -314,10 +314,32 @@ class Container:
context = self.context()
context.undefine()
+ def get_security_model(self):
+ # XXX selinux is the default for the while, needs to be configurable someday
+ model = "selinux"
+ supported = False
+
+ # Make sure we have a connection
+ self.connect()
+
+ # Loop over the security models from the host capabilities
+ configCaps = self.conn.get_capabilities()
+ hostCaps = configCaps.get_host()
+ secmodels = hostCaps.get_secmodels()
+ for secmodel in secmodels:
+ if secmodel.get_model() == model:
+ supported = True
+ break
+
+ if not supported:
+ model = None
+ return model
+
def create(self):
self.connect()
- if self.config.get_security_dynamic() and not self.use_image:
+ if self.get_security_model() is not None and \
+ self.config.get_security_dynamic() and not self.use_image:
raise ValueError([_("Dynamic security label only supported for image
based containers")])
if self.uri != "lxc:///":
self.config.set_shell(True)
--
1.8.4.5
8:47 a.m.
New subject: [libvirt] [libvirt-sandbox PATCH 2/2] virt-sandbox-service: fix some paths for SUSE
Don't fail is /etc/rc.d/init.d/functions doesn't exist: this is
deprecated in LSB and /lib/lsb/init-functions should be used instead.
Similarily, SUSE distros have /etc/skel/.profile instead of
/etc/skel/.bash_profile. Added one more file to check and be more
lennient with missing ones
---
bin/virt-sandbox-service | 18 +++++++++++++-----
1 file changed, 13 insertions(+), 5 deletions(-)
diff --git a/bin/virt-sandbox-service b/bin/virt-sandbox-service
index 789c732..5a3f6ab 100755
--- a/bin/virt-sandbox-service
+++ b/bin/virt-sandbox-service
@@ -414,7 +414,7 @@ def is_template_unit(unit):
class SystemdContainer(Container):
IGNORE_DIRS = [ "/var/run/", "/etc/logrotate.d/",
"/etc/pam.d" ]
DEFAULT_DIRS = [ "/etc", "/var" ]
- PROFILE_FILES = [ ".bashrc", ".bash_profile" ]
+ PROFILE_FILES = [ ".bashrc", ".bash_profile",
".profile" ]
MACHINE_ID = "/etc/machine-id"
HOSTNAME = "/etc/hostname"
SYSVINIT_PATH = "/etc/rc.d"
@@ -422,7 +422,7 @@ class SystemdContainer(Container):
MULTI_USER_WANTS_PATH = "/usr/lib/systemd/system/multi-user.target.wants"
SYSINIT_WANTS_PATH = "/usr/lib/systemd/system/sysinit.target.wants"
SOCKET_WANTS_PATH = "/usr/lib/systemd/system/sockets.target.wants"
- MAKE_SYSTEM_DIRS = [ "/var/lib/dhclient", "/var/lib/dbus",
"/var/log", "/var/spool", "/var/cache",
"/var/tmp", "/var/lib/nfs/rpc_pipefs", SYSVINIT_PATH ]
+ MAKE_SYSTEM_DIRS = [ "/var/lib/dhclient", "/var/lib/dbus",
"/var/log", "/var/spool", "/var/cache",
"/var/tmp", "/var/lib/nfs/rpc_pipefs", SYSVINIT_PATH,
"/lib/lsb" ]
BIND_SYSTEM_DIRS = [ "/var", "/home", "/root",
"/etc/systemd/system", "/etc/rc.d",
"/usr/lib/systemd/system/basic.target.wants",
"/usr/lib/systemd/system/local-fs.target.wants", ANACONDA_WANTS_PATH,
MULTI_USER_WANTS_PATH, SYSINIT_WANTS_PATH, SOCKET_WANTS_PATH ]
BIND_SYSTEM_FILES = [ MACHINE_ID, "/etc/fstab", HOSTNAME ]
LOCAL_LINK_FILES = { SYSINIT_WANTS_PATH : [
"systemd-tmpfiles-setup.service" ] , SOCKET_WANTS_PATH : [
"dbus.socket", "systemd-journald.socket",
"systemd-shutdownd.socket", "systemd-initctl.socket" ] }
@@ -722,8 +722,15 @@ PrivateNetwork=false
destpath = self.dest + self.SYSVINIT_PATH
for i in range(7):
os.mkdir(destpath+("/rc%s.d" % i))
- os.mkdir(destpath+"/init.d")
- shutil.copy(self.SYSVINIT_PATH + "/init.d/functions" , destpath +
"/init.d")
+
+ # Copy both /etc/rc.d/init.d/functions and /lib/lsb/init-functions, even
+ # though the latter is the one recommended
+ if os.path.exists(self.SYSVINIT_PATH + "/init.d/functions"):
+ os.mkdir(destpath+"/init.d")
+ shutil.copy(self.SYSVINIT_PATH + "/init.d/functions" , destpath +
"/init.d")
+
+ if os.path.exists("/lib/lsb/init-functions"):
+ shutil.copy("/lib/lsb/init-functions" , self.dest +
"/lib/lsb/")
self.gen_machine_id()
self.gen_hostname()
@@ -759,7 +766,8 @@ PrivateNetwork=false
for p in self.PROFILE_FILES:
profile = "/etc/skel/" + p
- shutil.copy(profile, self.dest + "/root/")
+ if os.path.exists(profile):
+ shutil.copy(profile, self.dest + "/root/")
self.fix_protection()
--
1.8.4.5
7:20 a.m.
On 07.07.2014 15:47, Cédric Bosdonnat wrote:
Here are a 2 fixes that make virt-sandbox-service work for me.
One allows it to work if selinux isn't handled by libvirtd, the other
safely handles some file copying that can be different across distros.
Cédric Bosdonnat (2):
virt-sandbox-service: check for security label only if they can be
handled
virt-sandbox-service: fix some paths for SUSE
bin/virt-sandbox-service | 42 ++++++++++++++++++++++++++++++++++++------
1 file changed, 36 insertions(+), 6 deletions(-)
ACK to both patches.
Michal
3765
days inactive
3782
days old
3 comments
2 participants
participants (2)
-
Cédric Bosdonnat -
Michal Privoznik