[libvirt] [PATCH 0/3] Misc improvements & fixes to LXC startup
This fixes a startup problem with LXC and security drivers, and adds / improves debugging.
From: "Daniel P. Berrange" <berrange@redhat.com> The driver->securityDriverName field may be NULL, if automatic probing is used to determine security driver. This meant that unless selinux was explicitly requested in lxc.conf, it was not being sent to the libvirt_lxc process. The driver->securityManager field is guaranteed non-NULL, since there will always be the 'none' security driver present if nothing else exists. So use that to set the driver name for libvirt_lxc Signed-off-by: Daniel P. Berrange <berrange@redhat.com> --- src/lxc/lxc_driver.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/lxc/lxc_driver.c b/src/lxc/lxc_driver.c index ffdd4ac..03783ff 100644 --- a/src/lxc/lxc_driver.c +++ b/src/lxc/lxc_driver.c @@ -1616,8 +1616,8 @@ lxcBuildControllerCmd(lxc_driver_t *driver, virCommandPreserveFD(cmd, ttyFDs[i]); } - if (driver->securityDriverName) - virCommandAddArgPair(cmd, "--security", driver->securityDriverName); + virCommandAddArgPair(cmd, "--security", + virSecurityManagerGetModel(driver->securityManager)); virCommandAddArg(cmd, "--handshake"); virCommandAddArgFormat(cmd, "%d", handshakefd); -- 1.7.10
On 05/01/2012 06:10 AM, Daniel P. Berrange wrote:
From: "Daniel P. Berrange"<berrange@redhat.com>
The driver->securityDriverName field may be NULL, if automatic probing is used to determine security driver. This meant that unless selinux was explicitly requested in lxc.conf, it was not being sent to the libvirt_lxc process.
The driver->securityManager field is guaranteed non-NULL, since there will always be the 'none' security driver present if nothing else exists. So use that to set the driver name for libvirt_lxc
Signed-off-by: Daniel P. Berrange<berrange@redhat.com> --- src/lxc/lxc_driver.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/lxc/lxc_driver.c b/src/lxc/lxc_driver.c index ffdd4ac..03783ff 100644 --- a/src/lxc/lxc_driver.c +++ b/src/lxc/lxc_driver.c @@ -1616,8 +1616,8 @@ lxcBuildControllerCmd(lxc_driver_t *driver, virCommandPreserveFD(cmd, ttyFDs[i]); }
- if (driver->securityDriverName) - virCommandAddArgPair(cmd, "--security", driver->securityDriverName); + virCommandAddArgPair(cmd, "--security", + virSecurityManagerGetModel(driver->securityManager));
virCommandAddArg(cmd, "--handshake"); virCommandAddArgFormat(cmd, "%d", handshakefd);
ACK
From: "Daniel P. Berrange" <berrange@redhat.com> The virLogSetFromEnv call was done too late in startup to catch many log messages (eg from security driver initialization). To assist debugging also explicitly log the security details at startup --- src/lxc/lxc_controller.c | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/src/lxc/lxc_controller.c b/src/lxc/lxc_controller.c index 1e3ec30..26b3115 100644 --- a/src/lxc/lxc_controller.c +++ b/src/lxc/lxc_controller.c @@ -1668,6 +1668,9 @@ int main(int argc, char *argv[]) exit(EXIT_FAILURE); } + /* Initialize logging */ + virLogSetFromEnv(); + while (1) { int c; @@ -1784,6 +1787,12 @@ int main(int argc, char *argv[]) 0)) == NULL) goto cleanup; + VIR_DEBUG("Security model %s type %s label %s imagelabel %s", + NULLSTR(def->seclabel.model), + virDomainSeclabelTypeToString(def->seclabel.type), + NULLSTR(def->seclabel.label), + NULLSTR(def->seclabel.imagelabel)); + if (def->nnets != nveths) { fprintf(stderr, "%s: expecting %d veths, but got %d\n", argv[0], def->nnets, nveths); @@ -1828,9 +1837,6 @@ int main(int argc, char *argv[]) } } - /* Initialize logging */ - virLogSetFromEnv(); - /* Accept initial client which is the libvirtd daemon */ if ((client = accept(monitor, NULL, 0)) < 0) { virReportSystemError(errno, "%s", -- 1.7.10
On 05/01/2012 06:10 AM, Daniel P. Berrange wrote:
From: "Daniel P. Berrange"<berrange@redhat.com>
The virLogSetFromEnv call was done too late in startup to catch many log messages (eg from security driver initialization). To assist debugging also explicitly log the security details at startup --- src/lxc/lxc_controller.c | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-)
diff --git a/src/lxc/lxc_controller.c b/src/lxc/lxc_controller.c index 1e3ec30..26b3115 100644 --- a/src/lxc/lxc_controller.c +++ b/src/lxc/lxc_controller.c @@ -1668,6 +1668,9 @@ int main(int argc, char *argv[]) exit(EXIT_FAILURE); }
+ /* Initialize logging */ + virLogSetFromEnv(); + while (1) { int c;
@@ -1784,6 +1787,12 @@ int main(int argc, char *argv[]) 0)) == NULL) goto cleanup;
+ VIR_DEBUG("Security model %s type %s label %s imagelabel %s", + NULLSTR(def->seclabel.model), + virDomainSeclabelTypeToString(def->seclabel.type), + NULLSTR(def->seclabel.label), + NULLSTR(def->seclabel.imagelabel)); + if (def->nnets != nveths) { fprintf(stderr, "%s: expecting %d veths, but got %d\n", argv[0], def->nnets, nveths); @@ -1828,9 +1837,6 @@ int main(int argc, char *argv[]) } }
- /* Initialize logging */ - virLogSetFromEnv(); - /* Accept initial client which is the libvirtd daemon */ if ((client = accept(monitor, NULL, 0))< 0) { virReportSystemError(errno, "%s",
ACK
From: "Daniel P. Berrange" <berrange@redhat.com> Once lxcContainerSetStdio is invoked, logging will not work as expected in libvirt_lxc. So make sure this is the last thing to be called, in particular after setting the security process label --- src/lxc/lxc_container.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/src/lxc/lxc_container.c b/src/lxc/lxc_container.c index 9bb6218..0636eab 100644 --- a/src/lxc/lxc_container.c +++ b/src/lxc/lxc_container.c @@ -1366,14 +1366,14 @@ static int lxcContainerChild( void *data ) goto cleanup; } - if (lxcContainerSetStdio(argv->monitor, ttyfd, argv->handshakefd) < 0) { - goto cleanup; - } - VIR_DEBUG("Setting up security labeling"); if (virSecurityManagerSetProcessLabel(argv->securityDriver, vmDef) < 0) goto cleanup; + if (lxcContainerSetStdio(argv->monitor, ttyfd, argv->handshakefd) < 0) { + goto cleanup; + } + ret = 0; cleanup: VIR_FREE(ttyPath); -- 1.7.10
On 05/01/2012 06:10 AM, Daniel P. Berrange wrote:
From: "Daniel P. Berrange"<berrange@redhat.com>
Once lxcContainerSetStdio is invoked, logging will not work as expected in libvirt_lxc. So make sure this is the last thing to be called, in particular after setting the security process label --- src/lxc/lxc_container.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/src/lxc/lxc_container.c b/src/lxc/lxc_container.c index 9bb6218..0636eab 100644 --- a/src/lxc/lxc_container.c +++ b/src/lxc/lxc_container.c @@ -1366,14 +1366,14 @@ static int lxcContainerChild( void *data ) goto cleanup; }
- if (lxcContainerSetStdio(argv->monitor, ttyfd, argv->handshakefd)< 0) { - goto cleanup; - } - VIR_DEBUG("Setting up security labeling"); if (virSecurityManagerSetProcessLabel(argv->securityDriver, vmDef)< 0) goto cleanup;
+ if (lxcContainerSetStdio(argv->monitor, ttyfd, argv->handshakefd)< 0) { + goto cleanup; + } + ret = 0; cleanup: VIR_FREE(ttyPath);
ACK
On 05/01/2012 04:10 AM, Daniel P. Berrange wrote:
This fixes a startup problem with LXC and security drivers, and adds / improves debugging.
ACK series. -- Eric Blake eblake@redhat.com +1-919-301-3266 Libvirt virtualization library http://libvirt.org
participants (3)
-
Daniel P. Berrange -
Eric Blake -
Stefan Berger