[libvirt] [libvirt-sandbox PATCH 0/2] virt-sandbox-service fixes

Here are 2 fixes that make virt-sandbox-service work for me. One allows it to work if selinux isn't handled by libvirtd, the other safely handles some file copying that can be different across distros. Cédric Bosdonnat (2): virt-sandbox-service: check for security label only if they can be handled virt-sandbox-service: fix some paths for SUSE bin/virt-sandbox-service | 42 ++++++++++++++++++++++++++++++++++++------ 1 file changed, 36 insertions(+), 6 deletions(-) -- 1.8.4.5

virt-sandbox-service assumes libvirt has selinux security model... which is not necessarily the case. If no security model is defined, then don't check for dynamic labels. --- bin/virt-sandbox-service | 24 +++++++++++++++++++++++- 1 file changed, 23 insertions(+), 1 deletion(-) diff --git a/bin/virt-sandbox-service b/bin/virt-sandbox-service index 9ed37e0..789c732 100755 --- a/bin/virt-sandbox-service +++ b/bin/virt-sandbox-service @@ -314,10 +314,32 @@ class Container: context = self.context() context.undefine() + def get_security_model(self): + # XXX selinux is the default for the while, needs to be configurable someday + model = "selinux" + supported = False + + # Make sure we have a connection + self.connect() + + # Loop over the security models from the host capabilities + configCaps = self.conn.get_capabilities() + hostCaps = configCaps.get_host() + secmodels = hostCaps.get_secmodels() + for secmodel in secmodels: + if secmodel.get_model() == model: + supported = True + break + + if not supported: + model = None + return model + def create(self): self.connect() - if self.config.get_security_dynamic() and not self.use_image: + if self.get_security_model() is not None and \ + self.config.get_security_dynamic() and not self.use_image: raise ValueError([_("Dynamic security label only supported for image based containers")]) if self.uri != "lxc:///": self.config.set_shell(True) -- 1.8.4.5
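Review bot: The new condition in `create()` silently drops the dynamic-label requirement when the host reports no selinux security model: with `get_security_model()` returning None the `raise` is skipped and the container is built without the confinement the config asked for, and nothing tells the user that happened. At minimum the `get_security_dynamic()`-but-no-model case deserves a warning on stderr (or, if the config object exposes a setter for the dynamic flag, explicitly clearing it) so an unlabelled sandbox is never a surprise. In `get_security_model`, the `supported` flag and the `for`/`break` can collapse to `return model if any(s.get_model() == model for s in secmodels) else None`, and a docstring such as `"""Return the name of the security model the host supports, or None if it has none."""` states the contract the XXX comment only hints at. `create()` already calls `self.connect()` before `get_security_model()` calls it again; whether `connect()` tolerates being called twice is not visible in this hunk, and `create()` continues past the hunk.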

Don't fail is /etc/rc.d/init.d/functions doesn't exist: this is deprecated in LSB and /lib/lsb/init-functions should be used instead. Similarily, SUSE distros have /etc/skel/.profile instead of /etc/skel/.bash_profile. Added one more file to check and be more lennient with missing ones --- bin/virt-sandbox-service | 18 +++++++++++++----- 1 file changed, 13 insertions(+), 5 deletions(-) diff --git a/bin/virt-sandbox-service b/bin/virt-sandbox-service index 789c732..5a3f6ab 100755 --- a/bin/virt-sandbox-service +++ b/bin/virt-sandbox-service @@ -414,7 +414,7 @@ def is_template_unit(unit): class SystemdContainer(Container): IGNORE_DIRS = [ "/var/run/", "/etc/logrotate.d/", "/etc/pam.d" ] DEFAULT_DIRS = [ "/etc", "/var" ] - PROFILE_FILES = [ ".bashrc", ".bash_profile" ] + PROFILE_FILES = [ ".bashrc", ".bash_profile", ".profile" ] MACHINE_ID = "/etc/machine-id" HOSTNAME = "/etc/hostname" SYSVINIT_PATH = "/etc/rc.d" 
@@ -422,7 +422,7 @@ class SystemdContainer(Container): MULTI_USER_WANTS_PATH = "/usr/lib/systemd/system/multi-user.target.wants" SYSINIT_WANTS_PATH = "/usr/lib/systemd/system/sysinit.target.wants" SOCKET_WANTS_PATH = "/usr/lib/systemd/system/sockets.target.wants" - MAKE_SYSTEM_DIRS = [ "/var/lib/dhclient", "/var/lib/dbus", "/var/log", "/var/spool", "/var/cache", "/var/tmp", "/var/lib/nfs/rpc_pipefs", SYSVINIT_PATH ] + MAKE_SYSTEM_DIRS = [ "/var/lib/dhclient", "/var/lib/dbus", "/var/log", "/var/spool", "/var/cache", "/var/tmp", "/var/lib/nfs/rpc_pipefs", SYSVINIT_PATH, "/lib/lsb" ] BIND_SYSTEM_DIRS = [ "/var", "/home", "/root", "/etc/systemd/system", "/etc/rc.d", "/usr/lib/systemd/system/basic.target.wants", "/usr/lib/systemd/system/local-fs.target.wants", ANACONDA_WANTS_PATH, MULTI_USER_WANTS_PATH, SYSINIT_WANTS_PATH, SOCKET_WANTS_PATH ] BIND_SYSTEM_FILES = [ MACHINE_ID, "/etc/fstab", HOSTNAME ] LOCAL_LINK_FILES = { SYSINIT_WANTS_PATH : [ "systemd-tmpfiles-setup.service" ] , SOCKET_WANTS_PATH : [ "dbus.socket", "systemd-journald.socket", "systemd-shutdownd.socket", "systemd-initctl.socket" ] } @@ -722,8 +722,15 @@ PrivateNetwork=false destpath = self.dest + self.SYSVINIT_PATH for i in range(7): os.mkdir(destpath+("/rc%s.d" % i)) - os.mkdir(destpath+"/init.d") - shutil.copy(self.SYSVINIT_PATH + "/init.d/functions" , destpath + "/init.d") + + # Copy both /etc/rc.d/init.d/functions and /lib/lsb/init-functions, even + # though the latter is the one recommended + if os.path.exists(self.SYSVINIT_PATH + "/init.d/functions"): + os.mkdir(destpath+"/init.d") + shutil.copy(self.SYSVINIT_PATH + "/init.d/functions" , destpath + "/init.d") + + if os.path.exists("/lib/lsb/init-functions"): + shutil.copy("/lib/lsb/init-functions" , self.dest + "/lib/lsb/") self.gen_machine_id() self.gen_hostname() 
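Review bot: In the @@ -722 hunk, `os.mkdir(destpath+"/init.d")` now runs only when `/etc/rc.d/init.d/functions` exists on the host, while the `rc0.d`…`rc6.d` directories just above it are still created unconditionally, so a host without that file yields a SysV tree with no `init.d` directory and any later code that assumes `destpath + "/init.d"` exists (not visible here) would fail. Keeping `os.mkdir(destpath+"/init.d")` before the `if` and guarding only the `shutil.copy(...)` line keeps the layout uniform across distros. The second copy into `self.dest + "/lib/lsb/"` relies on that directory already existing — presumably via the `"/lib/lsb"` entry added to MAKE_SYSTEM_DIRS in the @@ -422 hunk, but the order in which those directories are created relative to this code is outside the hunk, so an explicit `os.path.isdir` check or creating it here would make the dependency visible. The enclosing method starts before the hunk.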
@@ -759,7 +766,8 @@ PrivateNetwork=false for p in self.PROFILE_FILES: profile = "/etc/skel/" + p - shutil.copy(profile, self.dest + "/root/") + if os.path.exists(profile): + shutil.copy(profile, self.dest + "/root/") self.fix_protection() -- 1.8.4.5

On 07.07.2014 15:47, Cédric Bosdonnat wrote:
Here are a 2 fixes that make virt-sandbox-service work for me. One allows it to work if selinux isn't handled by libvirtd, the other safely handles some file copying that can be different across distros.
Cédric Bosdonnat (2): virt-sandbox-service: check for security label only if they can be handled virt-sandbox-service: fix some paths for SUSE
bin/virt-sandbox-service | 42 ++++++++++++++++++++++++++++++++++++------ 1 file changed, 36 insertions(+), 6 deletions(-)
ACK to both patches. Michal