[libvirt] [PATCH] qemu: don't fill in nicindexes for session mode libvirtd

Commit 4bbe1029f fixed a problem in commit f7afeddc by moving the call to virNetDevGetIndex() to a location common to all interface types (so that the niceindex array would be filled in for macvtap as well as tap interfaces), but the location was *too* common, as the original call to virNetDevGetIndex() had been in a section qualified by "if (cfg->privileged)". The result was that the "fixed" libvirtd would try to call virNetDevGetIndex() even for session mode libvirtd, and end up failing with the log message: Unable to open control socket: Operation not permitted To remedy that, this patch qualifies the call to virNetDevGetIndex() in its new location with cfg->privileged. This resolves https://bugzilla.redhat.com/show_bug.cgi?id=1198244 --- If someone (Rich?) needs this pushed before I am awake, please feel free to push it. (also push to the 1.2.13-maint branch if you do) src/qemu/qemu_command.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c index 1510797..3d1483e 100644 --- a/src/qemu/qemu_command.c +++ b/src/qemu/qemu_command.c @@ -7861,6 +7861,7 @@ qemuBuildInterfaceCommandLine(virCommandPtr cmd, char **tapfdName = NULL; char **vhostfdName = NULL; int actualType = virDomainNetGetActualType(net); + virQEMUDriverConfigPtr cfg = virQEMUDriverGetConfig(driver); virNetDevBandwidthPtr actualBandwidth; size_t i; @@ -7936,7 +7937,7 @@ qemuBuildInterfaceCommandLine(virCommandPtr cmd, /* network and bridge use a tap device, and direct uses a * macvtap device */ - if (nicindexes && nnicindexes && net->ifname) { + if (cfg->privileged && nicindexes && nnicindexes && net->ifname) { if (virNetDevGetIndex(net->ifname, &nicindex) < 0 || VIR_APPEND_ELEMENT(*nicindexes, *nnicindexes, nicindex) < 0) goto cleanup; -- 2.1.0
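Review bot: The new `cfg = virQEMUDriverGetConfig(driver)` declaration in the first hunk takes a reference on the driver config, and the diffstat (2 insertions, 1 deletion) leaves no room for a matching release. Suggest adding `virObjectUnref(cfg);` under the existing `cleanup:` label that the second hunk jumps to, so that each call to qemuBuildInterfaceCommandLine() does not leak a reference.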
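Review bot: The comment above the changed condition in the second hunk still only says that network and bridge use a tap device and direct uses macvtap; it does not say why `cfg->privileged` is now part of the test. Suggest one more comment line there stating that session mode libvirtd cannot open the control socket used by virNetDevGetIndex(), so the guard is not dropped again the next time this block is moved, which is how the commit message says the regression arose in 4bbe1029f.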

On Tue, Mar 10, 2015 at 02:32:04AM -0400, Laine Stump wrote:
> Commit 4bbe1029f fixed a problem in commit f7afeddc by moving the call to virNetDevGetIndex() to a location common to all interface types (so that the niceindex array would be filled in for macvtap as well as tap interfaces), but the location was *too* common, as the original call to virNetDevGetIndex() had been in a section qualified by "if (cfg->privileged)". The result was that the "fixed" libvirtd would try to call virNetDevGetIndex() even for session mode libvirtd, and end up failing with the log message:
>
>   Unable to open control socket: Operation not permitted
>
> To remedy that, this patch qualifies the call to virNetDevGetIndex() in its new location with cfg->privileged.
>
> This resolves https://bugzilla.redhat.com/show_bug.cgi?id=1198244
> ---
> If someone (Rich?) needs this pushed before I am awake, please feel free to push it. (also push to the 1.2.13-maint branch if you do)
src/qemu/qemu_command.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c index 1510797..3d1483e 100644 --- a/src/qemu/qemu_command.c +++ b/src/qemu/qemu_command.c @@ -7861,6 +7861,7 @@ qemuBuildInterfaceCommandLine(virCommandPtr cmd, char **tapfdName = NULL; char **vhostfdName = NULL; int actualType = virDomainNetGetActualType(net); + virQEMUDriverConfigPtr cfg = virQEMUDriverGetConfig(driver); virNetDevBandwidthPtr actualBandwidth; size_t i;
@@ -7936,7 +7937,7 @@ qemuBuildInterfaceCommandLine(virCommandPtr cmd, /* network and bridge use a tap device, and direct uses a * macvtap device */ - if (nicindexes && nnicindexes && net->ifname) { + if (cfg->privileged && nicindexes && nnicindexes && net->ifname) { if (virNetDevGetIndex(net->ifname, &nicindex) < 0 || VIR_APPEND_ELEMENT(*nicindexes, *nnicindexes, nicindex) < 0) goto cleanup;
Looks sensible, ACK.

As Laine says, please make sure this gets into 1.2.13-maint because it currently affects all 1.2.13 / Rawhide users.

Also, why isn't there a regression test that would have picked this up? A trivial reproducer is:

  $ guestfish -a /dev/null --network run

but any test case that launches a guest with a network interface as non-root would have caught this.

Rich.

-- 
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
Fedora Windows cross-compiler. Compile Windows programs, test, and build Windows installers. Over 100 libraries supported.
http://fedoraproject.org/wiki/MinGW

On 03/10/2015 04:39 AM, Richard W.M. Jones wrote:
> On Tue, Mar 10, 2015 at 02:32:04AM -0400, Laine Stump wrote:
>> Commit 4bbe1029f fixed a problem in commit f7afeddc by moving the call to virNetDevGetIndex() to a location common to all interface types (so that the niceindex array would be filled in for macvtap as well as tap interfaces), but the location was *too* common, as the original call to virNetDevGetIndex() had been in a section qualified by "if (cfg->privileged)". The result was that the "fixed" libvirtd would try to call virNetDevGetIndex() even for session mode libvirtd, and end up failing with the log message:
>>
>>   Unable to open control socket: Operation not permitted
>>
>> To remedy that, this patch qualifies the call to virNetDevGetIndex() in its new location with cfg->privileged.
>>
>> This resolves https://bugzilla.redhat.com/show_bug.cgi?id=1198244
>> ---
>> If someone (Rich?) needs this pushed before I am awake, please feel free to push it. (also push to the 1.2.13-maint branch if you do)
src/qemu/qemu_command.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c index 1510797..3d1483e 100644 --- a/src/qemu/qemu_command.c +++ b/src/qemu/qemu_command.c @@ -7861,6 +7861,7 @@ qemuBuildInterfaceCommandLine(virCommandPtr cmd, char **tapfdName = NULL; char **vhostfdName = NULL; int actualType = virDomainNetGetActualType(net); + virQEMUDriverConfigPtr cfg = virQEMUDriverGetConfig(driver); virNetDevBandwidthPtr actualBandwidth; size_t i;
@@ -7936,7 +7937,7 @@ qemuBuildInterfaceCommandLine(virCommandPtr cmd, /* network and bridge use a tap device, and direct uses a * macvtap device */ - if (nicindexes && nnicindexes && net->ifname) { + if (cfg->privileged && nicindexes && nnicindexes && net->ifname) { if (virNetDevGetIndex(net->ifname, &nicindex) < 0 || VIR_APPEND_ELEMENT(*nicindexes, *nnicindexes, nicindex) < 0) goto cleanup; Looks sensible, ACK.
> As Laine says, please make sure this gets into 1.2.13-maint because it currently affects all 1.2.13 / Rawhide users.

I just pushed it to master and to v1.2.13-maint.

> Also, why isn't there a regression test that would have picked this up? A trivial reproducer is:
>
>   $ guestfish -a /dev/null --network run
>
> but any test case that launches a guest with a network interface as non-root would have caught this.

This fails only if a tap device is used, which requires a properly configured qemu-bridge-helper and a bridge device with a particular name (and that no other session mode libvirtd be currently running for the user running the test), and we can't require that for the unit tests in "make check", so it would need to be done in the tck tests.

On Tue, Mar 10, 2015 at 02:32:04AM -0400, Laine Stump wrote:
> Commit 4bbe1029f fixed a problem in commit f7afeddc by moving the call to virNetDevGetIndex() to a location common to all interface types (so that the niceindex array would be filled in for macvtap as well as tap

s/niceindex/nicindex/ if you haven't pushed already.

> interfaces), but the location was *too* common, as the original call to virNetDevGetIndex() had been in a section qualified by "if (cfg->privileged)". The result was that the "fixed" libvirtd would try to call virNetDevGetIndex() even for session mode libvirtd, and end up failing with the log message:
>
>   Unable to open control socket: Operation not permitted
>
> To remedy that, this patch qualifies the call to virNetDevGetIndex() in its new location with cfg->privileged.
>
> This resolves https://bugzilla.redhat.com/show_bug.cgi?id=1198244
> ---
> If someone (Rich?) needs this pushed before I am awake, please feel free to push it. (also push to the 1.2.13-maint branch if you do)
src/qemu/qemu_command.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c index 1510797..3d1483e 100644 --- a/src/qemu/qemu_command.c +++ b/src/qemu/qemu_command.c @@ -7861,6 +7861,7 @@ qemuBuildInterfaceCommandLine(virCommandPtr cmd, char **tapfdName = NULL; char **vhostfdName = NULL; int actualType = virDomainNetGetActualType(net); + virQEMUDriverConfigPtr cfg = virQEMUDriverGetConfig(driver); virNetDevBandwidthPtr actualBandwidth; size_t i;
@@ -7936,7 +7937,7 @@ qemuBuildInterfaceCommandLine(virCommandPtr cmd, /* network and bridge use a tap device, and direct uses a * macvtap device */ - if (nicindexes && nnicindexes && net->ifname) { + if (cfg->privileged && nicindexes && nnicindexes && net->ifname) { if (virNetDevGetIndex(net->ifname, &nicindex) < 0 || VIR_APPEND_ELEMENT(*nicindexes, *nnicindexes, nicindex) < 0) goto cleanup; -- 2.1.0

On Tue, Mar 10, 2015 at 02:32:04AM -0400, Laine Stump wrote:
> Commit 4bbe1029f fixed a problem in commit f7afeddc by moving the call to virNetDevGetIndex() to a location common to all interface types (so that the niceindex array would be filled in for macvtap as well as tap interfaces), but the location was *too* common, as the original call to virNetDevGetIndex() had been in a section qualified by "if (cfg->privileged)". The result was that the "fixed" libvirtd would try to call virNetDevGetIndex() even for session mode libvirtd, and end up failing with the log message:
>
>   Unable to open control socket: Operation not permitted
>
> To remedy that, this patch qualifies the call to virNetDevGetIndex() in its new location with cfg->privileged.
>
> This resolves https://bugzilla.redhat.com/show_bug.cgi?id=1198244
> ---
> If someone (Rich?) needs this pushed before I am awake, please feel free to push it. (also push to the 1.2.13-maint branch if you do)
src/qemu/qemu_command.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c index 1510797..3d1483e 100644 --- a/src/qemu/qemu_command.c +++ b/src/qemu/qemu_command.c @@ -7861,6 +7861,7 @@ qemuBuildInterfaceCommandLine(virCommandPtr cmd, char **tapfdName = NULL; char **vhostfdName = NULL; int actualType = virDomainNetGetActualType(net); + virQEMUDriverConfigPtr cfg = virQEMUDriverGetConfig(driver); virNetDevBandwidthPtr actualBandwidth; size_t i;
@@ -7936,7 +7937,7 @@ qemuBuildInterfaceCommandLine(virCommandPtr cmd, /* network and bridge use a tap device, and direct uses a * macvtap device */ - if (nicindexes && nnicindexes && net->ifname) { + if (cfg->privileged && nicindexes && nnicindexes && net->ifname) { if (virNetDevGetIndex(net->ifname, &nicindex) < 0 || VIR_APPEND_ELEMENT(*nicindexes, *nnicindexes, nicindex) < 0) goto cleanup;
Just tested with this patch locally, using Rich's reproducer. Fixes the issue.

Before applying this patch, tested with version libvirt-daemon-kvm-1.2.13-1.fc23.x86_64:

    $ whoami
    kashyapc
    $ guestfish -a /dev/null --network run
    libguestfs: error: could not create appliance through libvirt.
    . . .
    Original error from libvirt: Unable to open control socket: Operation not permitted [code=38 domain=0]

After applying this patch (applied on current git):

    $ git describe
    v1.2.13-100-gb7d027b
    $ guestfish -a /dev/null --network run
    $ echo $?
    0

So, FWIW:

    Tested-By: Kashyap Chamarthy <kchamart@redhat.com>

-- 
/kashyap
participants (4)
- Kashyap Chamarthy
- Laine Stump
- Martin Kletzander
- Richard W.M. Jones