Accepting request 558920 from Virtualization
- Close clients before drivers are cleaned up to avoid crash at libvirtd stop (bsc#1073730) daemon-close-crasher.patch - Set a hostname on lxc containers based on guest's name. lxc-hostname.patch - Enhance apparmor rules for virt-aa-helper (bsc#1070916) 0f33025a-virt-aa-helper-handle-more-disk-images.patch OBS-URL: https://build.opensuse.org/request/show/558920 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/libvirt?expand=0&rev=245
This commit is contained in:
commit
30ee37b88f
98
0f33025a-virt-aa-helper-handle-more-disk-images.patch
Normal file
98
0f33025a-virt-aa-helper-handle-more-disk-images.patch
Normal file
@ -0,0 +1,98 @@
|
|||||||
|
From 0f33025a43788f7f3483dfac6ab0b9f79c0d7957 Mon Sep 17 00:00:00 2001
|
||||||
|
From: =?UTF-8?q?C=C3=A9dric=20Bosdonnat?= <cbosdonnat@suse.com>
|
||||||
|
Date: Mon, 11 Dec 2017 11:09:31 +0100
|
||||||
|
Subject: [PATCH] virt-aa-helper: handle more disk images
|
||||||
|
|
||||||
|
virt-aa-helper needs read access to the disk image to resolve symlinks
|
||||||
|
and add the proper rules to the profile. Its profile whitelists a few
|
||||||
|
common paths, but users can place their images anywhere.
|
||||||
|
|
||||||
|
This commit helps users allowing access to their images by adding their
|
||||||
|
own rules in apparmor.d/local/usr.lib.libvirt.virt-aa-helper.
|
||||||
|
|
||||||
|
This commit also adds rules to allow reading files named:
|
||||||
|
- *.raw as this is a rather common disk image extension
|
||||||
|
- /run/libvirt/**[vd]d[a-z] as these are used by virt-sandbox
|
||||||
|
---
|
||||||
|
examples/Makefile.am | 24 ++++++++++++++++++++++--
|
||||||
|
examples/apparmor/usr.lib.libvirt.virt-aa-helper | 5 +++++
|
||||||
|
2 files changed, 27 insertions(+), 2 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/examples/Makefile.am b/examples/Makefile.am
|
||||||
|
index ef2f79db3..7069d74e7 100644
|
||||||
|
--- a/examples/Makefile.am
|
||||||
|
+++ b/examples/Makefile.am
|
||||||
|
@@ -67,6 +67,9 @@ admin_client_info_SOURCES = admin/client_info.c
|
||||||
|
admin_client_close_SOURCES = admin/client_close.c
|
||||||
|
admin_logging_SOURCES = admin/logging.c
|
||||||
|
|
||||||
|
+INSTALL_DATA_LOCAL =
|
||||||
|
+UNINSTALL_LOCAL =
|
||||||
|
+
|
||||||
|
if WITH_APPARMOR_PROFILES
|
||||||
|
apparmordir = $(sysconfdir)/apparmor.d/
|
||||||
|
apparmor_DATA = \
|
||||||
|
@@ -85,20 +88,37 @@ templates_DATA = \
|
||||||
|
apparmor/TEMPLATE.qemu \
|
||||||
|
apparmor/TEMPLATE.lxc \
|
||||||
|
$(NULL)
|
||||||
|
+
|
||||||
|
+APPARMOR_LOCAL_DIR = "$(DESTDIR)$(apparmordir)/local"
|
||||||
|
+install-apparmor-local:
|
||||||
|
+ $(MKDIR_P) "$(APPARMOR_LOCAL_DIR)"
|
||||||
|
+ echo "# Site-specific additions and overrides for \
|
||||||
|
+ 'usr.lib.libvirt.virt-aa-helper'" \
|
||||||
|
+ >$(APPARMOR_LOCAL_DIR)/usr.lib.libvirt.virt-aa-helper
|
||||||
|
+
|
||||||
|
+INSTALL_DATA_LOCAL += install-apparmor-local
|
||||||
|
+UNINSTALL_LOCAL += uninstall-apparmor-local
|
||||||
|
endif WITH_APPARMOR_PROFILES
|
||||||
|
|
||||||
|
if WITH_NWFILTER
|
||||||
|
NWFILTER_DIR = "$(DESTDIR)$(sysconfdir)/libvirt/nwfilter"
|
||||||
|
|
||||||
|
-install-data-local:
|
||||||
|
+install-nwfilter-local:
|
||||||
|
$(MKDIR_P) "$(NWFILTER_DIR)"
|
||||||
|
for f in $(FILTERS); do \
|
||||||
|
$(INSTALL_DATA) $$f "$(NWFILTER_DIR)"; \
|
||||||
|
done
|
||||||
|
|
||||||
|
-uninstall-local::
|
||||||
|
+uninstall-nwfilter-local::
|
||||||
|
for f in $(FILTERS); do \
|
||||||
|
rm -f "$(NWFILTER_DIR)/`basename $$f`"; \
|
||||||
|
done
|
||||||
|
-test -z "$(shell ls $(NWFILTER_DIR))" || rmdir $(NWFILTER_DIR)
|
||||||
|
+
|
||||||
|
+INSTALL_DATA_LOCAL += install-nwfilter-local
|
||||||
|
+UNINSTALL_LOCAL += uninstall-nwfilter-local
|
||||||
|
endif WITH_NWFILTER
|
||||||
|
+
|
||||||
|
+install-data-local: $(INSTALL_DATA_LOCAL)
|
||||||
|
+
|
||||||
|
+uninstall-local: $(UNINSTALL_LOCAL)
|
||||||
|
diff --git a/examples/apparmor/usr.lib.libvirt.virt-aa-helper b/examples/apparmor/usr.lib.libvirt.virt-aa-helper
|
||||||
|
index bd6181d00..9c822b644 100644
|
||||||
|
--- a/examples/apparmor/usr.lib.libvirt.virt-aa-helper
|
||||||
|
+++ b/examples/apparmor/usr.lib.libvirt.virt-aa-helper
|
||||||
|
@@ -50,11 +50,16 @@ profile virt-aa-helper /usr/{lib,lib64}/libvirt/virt-aa-helper {
|
||||||
|
/var/lib/libvirt/images/ r,
|
||||||
|
/var/lib/libvirt/images/** r,
|
||||||
|
/{media,mnt,opt,srv}/** r,
|
||||||
|
+ # For virt-sandbox
|
||||||
|
+ /run/libvirt/**/[sv]d[a-z] r
|
||||||
|
|
||||||
|
/**.img r,
|
||||||
|
+ /**.raw r,
|
||||||
|
/**.qcow{,2} r,
|
||||||
|
/**.qed r,
|
||||||
|
/**.vmdk r,
|
||||||
|
/**.[iI][sS][oO] r,
|
||||||
|
/**/disk{,.*} r,
|
||||||
|
+
|
||||||
|
+ #include <local/usr.lib.libvirt.virt-aa-helper>
|
||||||
|
}
|
||||||
|
--
|
||||||
|
2.15.1
|
||||||
|
|
22
daemon-close-crasher.patch
Normal file
22
daemon-close-crasher.patch
Normal file
@ -0,0 +1,22 @@
|
|||||||
|
Index: libvirt-3.10.0/src/rpc/virnetserver.c
|
||||||
|
===================================================================
|
||||||
|
--- libvirt-3.10.0.orig/src/rpc/virnetserver.c
|
||||||
|
+++ libvirt-3.10.0/src/rpc/virnetserver.c
|
||||||
|
@@ -775,7 +775,6 @@ void virNetServerDispose(void *obj)
|
||||||
|
VIR_FREE(srv->programs);
|
||||||
|
|
||||||
|
for (i = 0; i < srv->nclients; i++) {
|
||||||
|
- virNetServerClientClose(srv->clients[i]);
|
||||||
|
virObjectUnref(srv->clients[i]);
|
||||||
|
}
|
||||||
|
VIR_FREE(srv->clients);
|
||||||
|
@@ -796,6 +795,9 @@ void virNetServerClose(virNetServerPtr s
|
||||||
|
for (i = 0; i < srv->nservices; i++)
|
||||||
|
virNetServerServiceClose(srv->services[i]);
|
||||||
|
|
||||||
|
+ for (i = 0; i < srv->nclients; i++)
|
||||||
|
+ virNetServerClientClose(srv->clients[i]);
|
||||||
|
+
|
||||||
|
virObjectUnlock(srv);
|
||||||
|
}
|
||||||
|
|
@ -1,3 +1,14 @@
|
|||||||
|
-------------------------------------------------------------------
|
||||||
|
Wed Dec 20 16:58:50 UTC 2017 - cbosdonnat@suse.com
|
||||||
|
|
||||||
|
- Close clients before drivers are cleaned up to avoid crash at
|
||||||
|
libvirtd stop (bsc#1073730)
|
||||||
|
daemon-close-crasher.patch
|
||||||
|
- Set a hostname on lxc containers based on guest's name.
|
||||||
|
lxc-hostname.patch
|
||||||
|
- Enhance apparmor rules for virt-aa-helper (bsc#1070916)
|
||||||
|
0f33025a-virt-aa-helper-handle-more-disk-images.patch
|
||||||
|
|
||||||
-------------------------------------------------------------------
|
-------------------------------------------------------------------
|
||||||
Mon Dec 18 17:08:28 UTC 2017 - jfehlig@suse.com
|
Mon Dec 18 17:08:28 UTC 2017 - jfehlig@suse.com
|
||||||
|
|
||||||
|
@ -311,6 +311,7 @@ Source100: %{name}-rpmlintrc
|
|||||||
Patch0: 2d07f1f0-fix-storage-crash.patch
|
Patch0: 2d07f1f0-fix-storage-crash.patch
|
||||||
Patch1: 69ed99c7-dom0-persistent.patch
|
Patch1: 69ed99c7-dom0-persistent.patch
|
||||||
Patch2: 8599aedd-libvirt-guests-dom0-filter.patch
|
Patch2: 8599aedd-libvirt-guests-dom0-filter.patch
|
||||||
|
Patch3: 0f33025a-virt-aa-helper-handle-more-disk-images.patch
|
||||||
# Patches pending upstream review
|
# Patches pending upstream review
|
||||||
Patch100: libxl-dom-reset.patch
|
Patch100: libxl-dom-reset.patch
|
||||||
Patch101: network-don-t-use-dhcp-authoritative-on-static-netwo.patch
|
Patch101: network-don-t-use-dhcp-authoritative-on-static-netwo.patch
|
||||||
@ -321,6 +322,8 @@ Patch152: libvirt-power8-models.patch
|
|||||||
Patch153: ppc64le-canonical-name.patch
|
Patch153: ppc64le-canonical-name.patch
|
||||||
Patch154: libxl-set-migration-constraints.patch
|
Patch154: libxl-set-migration-constraints.patch
|
||||||
Patch155: libxl-set-cach-mode.patch
|
Patch155: libxl-set-cach-mode.patch
|
||||||
|
Patch156: lxc-hostname.patch
|
||||||
|
Patch157: daemon-close-crasher.patch
|
||||||
# Our patches
|
# Our patches
|
||||||
Patch200: suse-libvirtd-disable-tls.patch
|
Patch200: suse-libvirtd-disable-tls.patch
|
||||||
Patch201: suse-libvirtd-sysconfig-settings.patch
|
Patch201: suse-libvirtd-sysconfig-settings.patch
|
||||||
@ -889,6 +892,7 @@ libvirt plugin for NSS for translating domain names into IP addresses.
|
|||||||
%patch0 -p1
|
%patch0 -p1
|
||||||
%patch1 -p1
|
%patch1 -p1
|
||||||
%patch2 -p1
|
%patch2 -p1
|
||||||
|
%patch3 -p1
|
||||||
%patch100 -p1
|
%patch100 -p1
|
||||||
%patch101 -p1
|
%patch101 -p1
|
||||||
%patch150 -p1
|
%patch150 -p1
|
||||||
@ -897,6 +901,8 @@ libvirt plugin for NSS for translating domain names into IP addresses.
|
|||||||
%patch153 -p1
|
%patch153 -p1
|
||||||
%patch154 -p1
|
%patch154 -p1
|
||||||
%patch155 -p1
|
%patch155 -p1
|
||||||
|
%patch156 -p1
|
||||||
|
%patch157 -p1
|
||||||
%patch200 -p1
|
%patch200 -p1
|
||||||
%patch201 -p1
|
%patch201 -p1
|
||||||
%patch202 -p1
|
%patch202 -p1
|
||||||
@ -1389,12 +1395,14 @@ fi
|
|||||||
%dir %{_sysconfdir}/apparmor.d
|
%dir %{_sysconfdir}/apparmor.d
|
||||||
%dir %{_sysconfdir}/apparmor.d/abstractions
|
%dir %{_sysconfdir}/apparmor.d/abstractions
|
||||||
%dir %{_sysconfdir}/apparmor.d/libvirt
|
%dir %{_sysconfdir}/apparmor.d/libvirt
|
||||||
|
%dir %{_sysconfdir}/apparmor.d/local
|
||||||
%config(noreplace) %{_sysconfdir}/apparmor.d/usr.sbin.libvirtd
|
%config(noreplace) %{_sysconfdir}/apparmor.d/usr.sbin.libvirtd
|
||||||
%config(noreplace) %{_sysconfdir}/apparmor.d/usr.lib.libvirt.virt-aa-helper
|
%config(noreplace) %{_sysconfdir}/apparmor.d/usr.lib.libvirt.virt-aa-helper
|
||||||
%config(noreplace) %{_sysconfdir}/apparmor.d/abstractions/libvirt-qemu
|
%config(noreplace) %{_sysconfdir}/apparmor.d/abstractions/libvirt-qemu
|
||||||
%config(noreplace) %{_sysconfdir}/apparmor.d/abstractions/libvirt-lxc
|
%config(noreplace) %{_sysconfdir}/apparmor.d/abstractions/libvirt-lxc
|
||||||
%config(noreplace) %{_sysconfdir}/apparmor.d/libvirt/TEMPLATE.lxc
|
%config(noreplace) %{_sysconfdir}/apparmor.d/libvirt/TEMPLATE.lxc
|
||||||
%config(noreplace) %{_sysconfdir}/apparmor.d/libvirt/TEMPLATE.qemu
|
%config(noreplace) %{_sysconfdir}/apparmor.d/libvirt/TEMPLATE.qemu
|
||||||
|
%config(noreplace) %{_sysconfdir}/apparmor.d/local/usr.lib.libvirt.virt-aa-helper
|
||||||
%{_libdir}/%{name}/virt-aa-helper
|
%{_libdir}/%{name}/virt-aa-helper
|
||||||
%endif
|
%endif
|
||||||
%config %{_fwdefdir}/libvirtd-relocation-server
|
%config %{_fwdefdir}/libvirtd-relocation-server
|
||||||
|
176
lxc-hostname.patch
Normal file
176
lxc-hostname.patch
Normal file
@ -0,0 +1,176 @@
|
|||||||
|
diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms
|
||||||
|
index de4ec4d44..43971db67 100644
|
||||||
|
--- a/src/libvirt_private.syms
|
||||||
|
+++ b/src/libvirt_private.syms
|
||||||
|
@@ -2751,6 +2751,7 @@ virStrcpy;
|
||||||
|
virStrdup;
|
||||||
|
virStringBufferIsPrintable;
|
||||||
|
virStringEncodeBase64;
|
||||||
|
+virStringFilterChars;
|
||||||
|
virStringHasChars;
|
||||||
|
virStringHasControlChars;
|
||||||
|
virStringIsEmpty;
|
||||||
|
diff --git a/src/lxc/lxc_container.c b/src/lxc/lxc_container.c
|
||||||
|
index b7216d6ee..246145fcd 100644
|
||||||
|
--- a/src/lxc/lxc_container.c
|
||||||
|
+++ b/src/lxc/lxc_container.c
|
||||||
|
@@ -2159,6 +2159,37 @@ static int lxcContainerSetUserGroup(virCommandPtr cmd,
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
+static const char hostname_validchars[] =
|
||||||
|
+ "abcdefghijklmnopqrstuvwxyz"
|
||||||
|
+ "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
|
||||||
|
+ "0123456789-";
|
||||||
|
+
|
||||||
|
+static int lxcContainerSetHostname(virDomainDefPtr def)
|
||||||
|
+{
|
||||||
|
+ int ret = -1;
|
||||||
|
+ char *name = NULL;
|
||||||
|
+ char *hostname = NULL;
|
||||||
|
+
|
||||||
|
+ /* Filter the VM name to get a valid hostname */
|
||||||
|
+ if (VIR_STRDUP(name, def->name) < 0)
|
||||||
|
+ goto cleanup;
|
||||||
|
+
|
||||||
|
+ /* RFC 1123 allows 0-9 digits as a first character in hostname */
|
||||||
|
+ virStringFilterChars(name, hostname_validchars);
|
||||||
|
+ hostname = name;
|
||||||
|
+ if (strlen(name) > 0 && name[0] == '-')
|
||||||
|
+ hostname = name + 1;
|
||||||
|
+
|
||||||
|
+ if (sethostname(hostname, strlen(hostname)) < 0) {
|
||||||
|
+ virReportSystemError(errno, "%s", _("Failed to set hostname"));
|
||||||
|
+ goto cleanup;
|
||||||
|
+ }
|
||||||
|
+ ret = 0;
|
||||||
|
+
|
||||||
|
+ cleanup:
|
||||||
|
+ VIR_FREE(name);
|
||||||
|
+ return ret;
|
||||||
|
+}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* lxcContainerChild:
|
||||||
|
@@ -2269,6 +2300,10 @@ static int lxcContainerChild(void *data)
|
||||||
|
goto cleanup;
|
||||||
|
}
|
||||||
|
|
||||||
|
+ if (lxcContainerSetHostname(vmDef) < 0)
|
||||||
|
+ goto cleanup;
|
||||||
|
+
|
||||||
|
+
|
||||||
|
/* drop a set of root capabilities */
|
||||||
|
if (lxcContainerDropCapabilities(vmDef, !!hasReboot) < 0)
|
||||||
|
goto cleanup;
|
||||||
|
diff --git a/src/util/virstring.c b/src/util/virstring.c
|
||||||
|
index b2ebce27f..b808aff2c 100644
|
||||||
|
--- a/src/util/virstring.c
|
||||||
|
+++ b/src/util/virstring.c
|
||||||
|
@@ -1293,6 +1293,30 @@ virStringStripControlChars(char *str)
|
||||||
|
str[j] = '\0';
|
||||||
|
}
|
||||||
|
|
||||||
|
+/**
|
||||||
|
+ * virStringFilterChars:
|
||||||
|
+ * @str: the string to strip
|
||||||
|
+ * @valid: the valid characters for the string
|
||||||
|
+ *
|
||||||
|
+ * Modify the string in-place to remove the characters that aren't
|
||||||
|
+ * in the list of valid ones.
|
||||||
|
+ */
|
||||||
|
+void
|
||||||
|
+virStringFilterChars(char *str, const char *valid)
|
||||||
|
+{
|
||||||
|
+ size_t len, i, j;
|
||||||
|
+
|
||||||
|
+ if (!str)
|
||||||
|
+ return;
|
||||||
|
+
|
||||||
|
+ len = strlen(str);
|
||||||
|
+ for (i = 0, j = 0; i < len; i++) {
|
||||||
|
+ if (strchr(valid, str[i]))
|
||||||
|
+ str[j++] = str[i];
|
||||||
|
+ }
|
||||||
|
+ str[j] = '\0';
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
/**
|
||||||
|
* virStringToUpper:
|
||||||
|
* @str: string to capitalize
|
||||||
|
diff --git a/src/util/virstring.h b/src/util/virstring.h
|
||||||
|
index b19abaf9f..8af054bce 100644
|
||||||
|
--- a/src/util/virstring.h
|
||||||
|
+++ b/src/util/virstring.h
|
||||||
|
@@ -293,6 +293,7 @@ bool virStringHasChars(const char *str,
|
||||||
|
const char *chars);
|
||||||
|
bool virStringHasControlChars(const char *str);
|
||||||
|
void virStringStripControlChars(char *str);
|
||||||
|
+void virStringFilterChars(char *str, const char *valid);
|
||||||
|
|
||||||
|
bool virStringIsPrintable(const char *str);
|
||||||
|
bool virStringBufferIsPrintable(const uint8_t *buf, size_t buflen);
|
||||||
|
diff --git a/tests/virstringtest.c b/tests/virstringtest.c
|
||||||
|
index 320f7a398..e8518ede1 100644
|
||||||
|
--- a/tests/virstringtest.c
|
||||||
|
+++ b/tests/virstringtest.c
|
||||||
|
@@ -767,6 +767,36 @@ static int testStripControlChars(const void *args)
|
||||||
|
return ret;
|
||||||
|
}
|
||||||
|
|
||||||
|
+struct testFilterData {
|
||||||
|
+ const char *string;
|
||||||
|
+ const char *valid;
|
||||||
|
+ const char *result;
|
||||||
|
+};
|
||||||
|
+
|
||||||
|
+static int testFilterChars(const void *args)
|
||||||
|
+{
|
||||||
|
+ const struct testFilterData *data = args;
|
||||||
|
+ int ret = -1;
|
||||||
|
+ char *res = NULL;
|
||||||
|
+
|
||||||
|
+ if (VIR_STRDUP(res, data->string) < 0)
|
||||||
|
+ goto cleanup;
|
||||||
|
+
|
||||||
|
+ virStringFilterChars(res, data->valid);
|
||||||
|
+
|
||||||
|
+ if (STRNEQ_NULLABLE(res, data->result)) {
|
||||||
|
+ fprintf(stderr, "Returned '%s', expected '%s'\n",
|
||||||
|
+ NULLSTR(res), NULLSTR(data->result));
|
||||||
|
+ goto cleanup;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ ret = 0;
|
||||||
|
+
|
||||||
|
+ cleanup:
|
||||||
|
+ VIR_FREE(res);
|
||||||
|
+ return ret;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
static int
|
||||||
|
mymain(void)
|
||||||
|
{
|
||||||
|
@@ -1085,6 +1115,22 @@ mymain(void)
|
||||||
|
TEST_STRIP_CONTROL_CHARS("\x01H\x02" "E\x03L\x04L\x05O", "HELLO");
|
||||||
|
TEST_STRIP_CONTROL_CHARS("\x01\x02\x03\x04HELL\x05O", "HELLO");
|
||||||
|
TEST_STRIP_CONTROL_CHARS("\nhello \x01\x07hello\t", "\nhello hello\t");
|
||||||
|
+
|
||||||
|
+#define TEST_FILTER_CHARS(str, filter, res) \
|
||||||
|
+ do { \
|
||||||
|
+ struct testFilterData filterData = { \
|
||||||
|
+ .string = str, \
|
||||||
|
+ .valid = filter, \
|
||||||
|
+ .result = res, \
|
||||||
|
+ }; \
|
||||||
|
+ if (virTestRun("Filter chars from " #str, \
|
||||||
|
+ testFilterChars, &filterData) < 0) \
|
||||||
|
+ ret = -1; \
|
||||||
|
+ } while (0)
|
||||||
|
+
|
||||||
|
+ TEST_FILTER_CHARS(NULL, NULL, NULL);
|
||||||
|
+ TEST_FILTER_CHARS("hello 123 hello", "helo", "hellohello");
|
||||||
|
+
|
||||||
|
return ret == 0 ? EXIT_SUCCESS : EXIT_FAILURE;
|
||||||
|
}
|
||||||
|
|
Loading…
Reference in New Issue
Block a user