Accepting request 315860 from home:cbosdonnat:branches:Virtualization

Tue Jul  10 13:29:51 UTC 2015 - cbosdonnat@suse.com
- Fixed virt-aa-helper bugs preventing virt-sandbox from working.
  24f3c2f-virt-aa-helper-fix-caps.patch
  61dab0f-virt-aa-helper-renaming.patch
  a55a5e7-virt-aa-helper-log.patch
  e44bcae-virt-aa-helper-trailing-slash.patch
  bsc#936841
- Fixed crasher due to uninitialized values
  qemu-nbd-cleanup-fix.patch bsc#936841

OBS-URL: https://build.opensuse.org/request/show/315860
OBS-URL: https://build.opensuse.org/package/show/Virtualization/libvirt?expand=0&rev=470
Cédric Bosdonnat 2015-07-10 12:21:25 +00:00 committed by Git OBS Bridge
parent 57e1254dfd
commit 37e0137a03
7 changed files with 327 additions and 1 deletions


@ -0,0 +1,104 @@
From 24f3c2f7e0e196df5539616d03e039344768cd26 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?C=C3=A9dric=20Bosdonnat?= <cbosdonnat@suse.com>
Date: Thu, 25 Jun 2015 16:08:42 +0200
Subject: [PATCH 4/5] virt-aa-helper: add DomainGuest to mockup caps
With commit 3f9868a virt-aa-helper stopped working due to missing
DomainGuest in the caps.
The test with -c without arch also needs to be
removed since the new capabilities code uses the host arch when none is
provided.
---
src/security/virt-aa-helper.c | 25 ++++++++++++++++++++++++-
tests/virt-aa-helper-test | 3 ---
2 files changed, 24 insertions(+), 4 deletions(-)
diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c
index 604fb93..4ce1e7a 100644
--- a/src/security/virt-aa-helper.c
+++ b/src/security/virt-aa-helper.c
@@ -73,6 +73,7 @@ typedef struct {
virDomainDefPtr def; /* VM definition */
virCapsPtr caps; /* VM capabilities */
virDomainXMLOptionPtr xmlopt; /* XML parser data */
+ char *virtType; /* type of hypervisor (eg qemu, xen, lxc) */
char *os; /* type of os (eg hvm, xen, exe) */
virArch arch; /* machine architecture */
char *newfile; /* newly added file */
@@ -89,6 +90,7 @@ vahDeinit(vahControl * ctl)
virObjectUnref(ctl->caps);
virObjectUnref(ctl->xmlopt);
VIR_FREE(ctl->files);
+ VIR_FREE(ctl->virtType);
VIR_FREE(ctl->os);
VIR_FREE(ctl->newfile);
@@ -641,6 +643,7 @@ verify_xpath_context(xmlXPathContextPtr ctxt)
/*
* Parse the xml we received to fill in the following:
+ * ctl->virtType
* ctl->os
* ctl->arch
*
@@ -668,6 +671,11 @@ caps_mockup(vahControl * ctl, const char *xmlStr)
if (verify_xpath_context(ctxt) != 0)
goto cleanup;
+ ctl->virtType = virXPathString("string(./@type)", ctxt);
+ if (!ctl->virtType) {
+ vah_error(ctl, 0, _("domain type is not defined"));
+ goto cleanup;
+ }
ctl->os = virXPathString("string(./os/type[1])", ctxt);
if (!ctl->os) {
vah_error(ctl, 0, _("os.type is not defined"));
@@ -694,7 +702,7 @@ caps_mockup(vahControl * ctl, const char *xmlStr)
static int
get_definition(vahControl * ctl, const char *xmlStr)
{
- int rc = -1, ostype;
+ int rc = -1, ostype, virtType;
virCapsGuestPtr guest; /* this is freed when caps is freed */
/*
@@ -730,6 +738,21 @@ get_definition(vahControl * ctl, const char *xmlStr)
goto exit;
}
+ if ((virtType = virDomainVirtTypeFromString(ctl->virtType)) < 0) {
+ vah_error(ctl, 0, _("unknown virtualization type"));
+ goto exit;
+ }
+
+ if (virCapabilitiesAddGuestDomain(guest,
+ virtType,
+ NULL,
+ NULL,
+ 0,
+ NULL) == NULL) {
+ vah_error(ctl, 0, _("could not allocate memory"));
+ goto exit;
+ }
+
ctl->def = virDomainDefParseString(xmlStr,
ctl->caps, ctl->xmlopt,
VIR_DOMAIN_DEF_PARSE_INACTIVE);
diff --git a/tests/virt-aa-helper-test b/tests/virt-aa-helper-test
index 96471ff..caf2f97 100755
--- a/tests/virt-aa-helper-test
+++ b/tests/virt-aa-helper-test
@@ -194,9 +194,6 @@ testme "1" "-c with malformed xml" "-c -u $valid_uuid" "$test_xml"
sed -e "s,###UUID###,$uuid,g" -e "s,###DISK###,$disk1,g" -e "s,<type arch='x86_64' machine='pc'>hvm</type>,,g" "$template_xml" > "$test_xml"
testme "1" "-c with no os.type" "-c -u $valid_uuid" "$test_xml"
-sed -e "s,###UUID###,$uuid,g" -e "s,###DISK###,$disk1,g" -e "s,<type arch='x86_64' machine='pc'>hvm</type>,<type>hvm</type>,g" "$template_xml" > "$test_xml"
-testme "1" "-c with no architecture" "-c -u $valid_uuid" "$test_xml"
-
sed -e "s,###UUID###,$uuid,g" -e "s,###DISK###,$disk1,g" -e "s,hvm</type>,hvm_invalid</type>,g" "$template_xml" > "$test_xml"
testme "1" "-c with invalid hvm" "-c -u $valid_uuid" "$test_xml"
--
2.1.4
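Review bot: The two new failure paths, `domain type is not defined` in caps_mockup() and `unknown virtualization type` in get_definition(), get no negative test; the tests/virt-aa-helper-test hunk only removes the `-c with no architecture` case. Since this helper validates the domain XML before an AppArmor profile is generated, I would add cases next to the existing `-c with invalid hvm` one: a sed that strips or corrupts the domain type attribute in the template, followed by `testme "1" "-c with invalid domain type" "-c -u $valid_uuid" "$test_xml"`. The template's domain element is not visible here, so the sed expression has to be written against it. Both C functions continue outside the hunks shown.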


@ -0,0 +1,64 @@
From 61dab0f74ef79d034542bb77921e69fbbab3cf41 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?C=C3=A9dric=20Bosdonnat?= <cbosdonnat@suse.com>
Date: Thu, 25 Jun 2015 13:01:40 +0200
Subject: [PATCH 3/5] virt-aa-helper: rename ctl->hvm to ctl->os
ctl->hvm contains os.type string value, change the name to reflect it.
---
src/security/virt-aa-helper.c | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c
index f8a9cf2..604fb93 100644
--- a/src/security/virt-aa-helper.c
+++ b/src/security/virt-aa-helper.c
@@ -73,7 +73,7 @@ typedef struct {
virDomainDefPtr def; /* VM definition */
virCapsPtr caps; /* VM capabilities */
virDomainXMLOptionPtr xmlopt; /* XML parser data */
- char *hvm; /* type of hypervisor (eg hvm, xen) */
+ char *os; /* type of os (eg hvm, xen, exe) */
virArch arch; /* machine architecture */
char *newfile; /* newly added file */
bool append; /* append to .files instead of rewrite */
@@ -89,7 +89,7 @@ vahDeinit(vahControl * ctl)
virObjectUnref(ctl->caps);
virObjectUnref(ctl->xmlopt);
VIR_FREE(ctl->files);
- VIR_FREE(ctl->hvm);
+ VIR_FREE(ctl->os);
VIR_FREE(ctl->newfile);
return 0;
@@ -641,7 +641,7 @@ verify_xpath_context(xmlXPathContextPtr ctxt)
/*
* Parse the xml we received to fill in the following:
- * ctl->hvm
+ * ctl->os
* ctl->arch
*
* These are suitable for setting up a virCapsPtr
@@ -668,8 +668,8 @@ caps_mockup(vahControl * ctl, const char *xmlStr)
if (verify_xpath_context(ctxt) != 0)
goto cleanup;
- ctl->hvm = virXPathString("string(./os/type[1])", ctxt);
- if (!ctl->hvm) {
+ ctl->os = virXPathString("string(./os/type[1])", ctxt);
+ if (!ctl->os) {
vah_error(ctl, 0, _("os.type is not defined"));
goto cleanup;
}
@@ -714,7 +714,7 @@ get_definition(vahControl * ctl, const char *xmlStr)
goto exit;
}
- if ((ostype = virDomainOSTypeFromString(ctl->hvm)) < 0) {
+ if ((ostype = virDomainOSTypeFromString(ctl->os)) < 0) {
vah_error(ctl, 0, _("unknown OS type"));
goto exit;
}
--
2.1.4


@ -0,0 +1,53 @@
From a55a5e7cfed57223820478da89422756121fb37c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?C=C3=A9dric=20Bosdonnat?= <cbosdonnat@suse.com>
Date: Thu, 25 Jun 2015 10:36:52 +0200
Subject: [PATCH 2/5] Get more libvirt errors from virt-aa-helper
Initializing libvirt log in virt-aa-helper and getting it to output
libvirt log to stderr. This will help debugging problems happening in
libvirt functions called from within virt-aa-helper
---
src/security/security_apparmor.c | 4 ++++
src/security/virt-aa-helper.c | 4 ++++
2 files changed, 8 insertions(+)
diff --git a/src/security/security_apparmor.c b/src/security/security_apparmor.c
index 4134a17..16b8f87 100644
--- a/src/security/security_apparmor.c
+++ b/src/security/security_apparmor.c
@@ -196,6 +196,10 @@ load_profile(virSecurityManagerPtr mgr,
}
}
+ virCommandAddEnvFormat(cmd,
+ "LIBVIRT_LOG_OUTPUTS=%d:stderr",
+ virLogGetDefaultPriority());
+
virCommandSetInputBuffer(cmd, xml);
rc = virCommandRun(cmd, NULL);
diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c
index 18454c8..f8a9cf2 100644
--- a/src/security/virt-aa-helper.c
+++ b/src/security/virt-aa-helper.c
@@ -41,6 +41,7 @@
#include "virbuffer.h"
#include "viralloc.h"
#include "vircommand.h"
+#include "virlog.h"
#include "security_driver.h"
#include "security_apparmor.h"
@@ -1272,6 +1273,9 @@ main(int argc, char **argv)
exit(EXIT_FAILURE);
}
+ /* Initialize the log system */
+ virLogSetFromEnv();
+
/* clear the environment */
environ = NULL;
if (setenv("PATH", "/sbin:/usr/sbin", 1) != 0)
--
2.1.4
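Review bot: The new `virLogSetFromEnv()` call in main() only has an effect because it sits above `environ = NULL`, and the comment `/* Initialize the log system */` does not say so; a later reorder could silently drop the logging or pull other environment-reading code above the reset. I would make the comment `/* Initialize the log system from LIBVIRT_LOG_*; must precede the environment reset below */`. It also means the helper's log settings are now taken from the caller's environment before it is sanitised, so the helper relies on load_profile() in security_apparmor.c, which sets `LIBVIRT_LOG_OUTPUTS=%d:stderr`, being the party that controls that environment. That trust assumption deserves a sentence in the same comment. main() starts and ends outside the hunk.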


@ -0,0 +1,28 @@
From e44bcae9f014946d66fad1164080a4e251197f19 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?C=C3=A9dric=20Bosdonnat?= <cbosdonnat@suse.com>
Date: Wed, 24 Jun 2015 09:56:04 +0200
Subject: [PATCH 1/5] virt-aa-helper: fix rules for paths with trailing slash
Rules generated for a path like '/' were having '//' which isn't
correct for apparmor. Make virt-aa-helper smarter to avoid these.
---
src/security/virt-aa-helper.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c
index 4440552..18454c8 100644
--- a/src/security/virt-aa-helper.c
+++ b/src/security/virt-aa-helper.c
@@ -795,6 +795,9 @@ vah_add_path(virBufferPtr buf, const char *path, const char *perms, bool recursi
goto cleanup;
}
+ if (tmp[strlen(tmp) - 1] == '/')
+ tmp[strlen(tmp) - 1] = '\0';
+
virBufferAsprintf(buf, " \"%s%s\" %s,\n", tmp, recursive ? "/**" : "", perms);
if (readonly) {
virBufferAddLit(buf, " # don't audit writes to readonly files\n");
--
2.1.4
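Review bot: The trailing-slash strip in vah_add_path() is unconditional, so for a non-recursive rule on `/` tmp becomes empty and the `virBufferAsprintf` line below emits `""` as the rule path. `tmp[strlen(tmp) - 1]` would also index before the buffer if tmp can ever be empty; how tmp is produced is outside the hunk, so that needs checking. I would compute the length once and strip only where the `/**` suffix needs it: `size_t len = strlen(tmp);` then `if (recursive && len > 0 && tmp[len - 1] == '/') tmp[len - 1] = '\0';`. Note also that only a single trailing slash is removed. The function starts and ends outside the hunk.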


@ -1,3 +1,15 @@
-------------------------------------------------------------------
Tue Jul 10 13:29:51 UTC 2015 - cbosdonnat@suse.com
- Fixed virt-aa-helper bugs preventing virt-sandbox to work.
24f3c2f-virt-aa-helper-fix-caps.patch
61dab0f-virt-aa-helper-renaming.patch
a55a5e7-virt-aa-helper-log.patch
e44bcae-virt-aa-helper-trailing-slash.patch
bsc#936841
- Fixed crasher due to uninitialized values
qemu-nbd-cleanup-fix.patch bsc#936841
-------------------------------------------------------------------
Thu Jul 2 11:23:15 MDT 2015 - jfehlig@suse.com


@ -1,7 +1,7 @@
#
# spec file for package libvirt
#
# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany.
# Copyright (c) 2015 SUSE LINUX Products GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@ -446,6 +446,10 @@ Source3: libvirtd.init
Source4: libvirtd-relocation-server.fw
Source99: baselibs.conf
# Upstream patches
Patch0: e44bcae-virt-aa-helper-trailing-slash.patch
Patch1: a55a5e7-virt-aa-helper-log.patch
Patch2: 61dab0f-virt-aa-helper-renaming.patch
Patch3: 24f3c2f-virt-aa-helper-fix-caps.patch
# Patches pending upstream review
# Need to go upstream
Patch150: xen-pv-cdrom.patch
@ -466,6 +470,7 @@ Patch207: disable-virCgroupGetPercpuStats-test.patch
Patch208: apparmor-no-mount.patch
Patch209: qemu-apparmor-screenshot.patch
Patch210: libvirt-suse-netcontrol.patch
Patch211: qemu-nbd-cleanup-fix.patch
# SocketUser and SocketGroup settings were added to systemd.socket in
# version 214. Patch the setting away in earlier systemd
%if 0%{systemd_version} < 214
@ -976,6 +981,10 @@ Provides a dissector for the libvirt RPC protocol to help debugging it.
%prep
%setup -q
%patch0 -p1
%patch1 -p1
%patch2 -p1
%patch3 -p1
%patch150 -p1
%patch151 -p1
%patch152 -p1
@ -992,6 +1001,7 @@ Provides a dissector for the libvirt RPC protocol to help debugging it.
%patch208 -p1
%patch209 -p1
%patch210 -p1
%patch211 -p1
%if 0%{systemd_version} < 214
%patch300 -p1
%endif


@ -0,0 +1,55 @@
From 1f17be07e9fbbae6fdba6842546ca86d51f84447 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?C=C3=A9dric=20Bosdonnat?= <cbosdonnat@suse.com>
Date: Thu, 9 Jul 2015 16:23:08 +0200
Subject: [PATCH 5/5] Fix qemu-nbd cleanup crashes
The virLXCControllerAppendNBDPids function didn't properly initialize
pids and npids. In case of failure it was crashing when freeing those.
The nbd device pid file doesn't appear immediately after starting
qemu-nbd: adding a small loop to wait for it.
---
src/lxc/lxc_controller.c | 19 +++++++++++++++++--
1 file changed, 17 insertions(+), 2 deletions(-)
diff --git a/src/lxc/lxc_controller.c b/src/lxc/lxc_controller.c
index 828b8a8..78d3eee 100644
--- a/src/lxc/lxc_controller.c
+++ b/src/lxc/lxc_controller.c
@@ -533,16 +533,31 @@ static int virLXCControllerAppendNBDPids(virLXCControllerPtr ctrl,
const char *dev)
{
char *pidpath = NULL;
- pid_t *pids;
- size_t npids;
+ pid_t *pids = NULL;
+ size_t npids = 0;
size_t i;
int ret = -1;
+ size_t loops = 0;
pid_t pid;
if (!STRPREFIX(dev, "/dev/") ||
virAsprintf(&pidpath, "/sys/devices/virtual/block/%s/pid", dev + 5) < 0)
goto cleanup;
+ /* Wait for the pid file to appear */
+ while (!virFileExists(pidpath)) {
+ /* wait for 100ms before checking again, but don't do it for ever */
+ if (errno == ENOENT && loops < 10) {
+ usleep(100 * 1000);
+ loops++;
+ } else {
+ virReportSystemError(errno,
+ _("Cannot check NBD device %s pid"),
+ dev + 5);
+ goto cleanup;
+ }
+ }
+
if (virPidFileReadPath(pidpath, &pid) < 0)
goto cleanup;
--
2.1.4
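Review bot: The wait loop reads `errno` after `virFileExists(pidpath)` returns false, which is only meaningful if that helper leaves errno from its underlying check untouched; its implementation is not visible here, so a short comment stating the assumption would help. The retry budget is spelled as bare `10` and `100 * 1000`; naming them (for example `#define NBD_PID_WAIT_RETRIES 10`) makes the one-second ceiling obvious. When the budget runs out, the report is the plain ENOENT form of `Cannot check NBD device %s pid`, which does not tell the reader it was a timeout. virLXCControllerAppendNBDPids() continues past the hunk.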