diff --git a/ba9b7252-sys-net-rw.patch b/ba9b7252-sys-net-rw.patch
new file mode 100644
index 0000000..b6c9332
--- /dev/null
+++ b/ba9b7252-sys-net-rw.patch
@@ -0,0 +1,130 @@
+From ba9b7252ea8d87dfa217fb11dc5dadc039176807 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?C=C3=A9dric=20Bosdonnat?=
+Date: Wed, 10 Dec 2014 10:22:28 +0100
+Subject: [PATCH] lxc: give RW access to /proc/sys/net/ipv[46] to containers
+
+Some programs want to change some values for the network interfaces
+configuration in /proc/sys/net/ipv[46] folders. Giving RW access on them
+allows wicked to work on openSUSE 13.2+.
+
+Reusing the lxcNeedNetworkNamespace function to tell
+lxcContainerMountBasicFS if the netns is disabled. When no netns is
+set up, then we don't mount the /proc/sys/net/ipv[46] folder RW as
+these would provide full access to the host NICs config.
+---
+ src/lxc/lxc_container.c | 64 +++++++++++++++++++++++++++++++------------------
+ 1 file changed, 41 insertions(+), 23 deletions(-)
+
+diff --git a/src/lxc/lxc_container.c b/src/lxc/lxc_container.c
+index 3b08b86..1b9e2f2 100644
+--- a/src/lxc/lxc_container.c
++++ b/src/lxc/lxc_container.c
+@@ -800,15 +800,18 @@ typedef struct {
+ int mflags;
+ bool skipUserNS;
+ bool skipUnmounted;
++ bool skipNoNetns;
+ } virLXCBasicMountInfo;
+
+ static const virLXCBasicMountInfo lxcBasicMounts[] = {
+- { "proc", "/proc", "proc", MS_NOSUID|MS_NOEXEC|MS_NODEV, false, false },
+- { "/proc/sys", "/proc/sys", NULL, MS_BIND|MS_RDONLY, false, false },
+- { "sysfs", "/sys", "sysfs", MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_RDONLY, false, false },
+- { "securityfs", "/sys/kernel/security", "securityfs", MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_RDONLY, true, true },
++ { "proc", "/proc", "proc", MS_NOSUID|MS_NOEXEC|MS_NODEV, false, false, false },
++ { "/proc/sys", "/proc/sys", NULL, MS_BIND|MS_RDONLY, false, false, false },
++ { "/.oldroot/proc/sys/net/ipv4", "/proc/sys/net/ipv4", NULL, MS_BIND, false, false, true },
++ { "/.oldroot/proc/sys/net/ipv6", "/proc/sys/net/ipv6", NULL, MS_BIND, false, false, true },
++ { "sysfs", "/sys", "sysfs", MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_RDONLY, false, false, false },
++ { "securityfs", 
"/sys/kernel/security", "securityfs", MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_RDONLY, true, true, false }, + #if WITH_SELINUX +- { SELINUX_MOUNT, SELINUX_MOUNT, "selinuxfs", MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_RDONLY, true, true }, ++ { SELINUX_MOUNT, SELINUX_MOUNT, "selinuxfs", MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_RDONLY, true, true, false }, + #endif + }; + +@@ -940,10 +943,24 @@ static int lxcContainerMountBasicFS(bool userns_enabled, + continue; + } + ++ /* Skip mounts with missing source without shouting: it may be a ++ * missing folder in /proc due to the absence of a kernel feature */ ++ if (STRPREFIX(mnt_src, "/") && !virFileExists(mnt_src)) { ++ VIR_DEBUG("Skipping due to missing source: %s", mnt_src); ++ VIR_FREE(mnt_src); ++ continue; ++ } ++ ++ if (mnt->skipNoNetns && netns_disabled) { ++ VIR_DEBUG("Skipping due to absence of network namespace"); ++ VIR_FREE(mnt_src); ++ continue; ++ } ++ + if (virFileMakePath(mnt->dst) < 0) { + virReportSystemError(errno, + _("Failed to mkdir %s"), +- mnt_src); ++ mnt->dst); + goto cleanup; + } + +@@ -1697,6 +1714,23 @@ static int lxcContainerUnmountForSharedRoot(const char *stateDir, + } + + ++static bool ++lxcNeedNetworkNamespace(virDomainDefPtr def) ++{ ++ size_t i; ++ if (def->nets != NULL) ++ return true; ++ if (def->features[VIR_DOMAIN_FEATURE_PRIVNET] == VIR_TRISTATE_SWITCH_ON) ++ return true; ++ for (i = 0; i < def->nhostdevs; i++) { ++ if (def->hostdevs[i]->mode == VIR_DOMAIN_HOSTDEV_MODE_CAPABILITIES && ++ def->hostdevs[i]->source.caps.type == VIR_DOMAIN_HOSTDEV_CAPS_TYPE_NET) ++ return true; ++ } ++ return false; ++} ++ ++ + /* Got a FS mapped to /, we're going the pivot_root + * approach to do a better-chroot-than-chroot + * this is based on this thread http://lkml.org/lkml/2008/3/5/29 +@@ -1741,7 +1775,7 @@ static int lxcContainerSetupPivotRoot(virDomainDefPtr vmDef, + + /* Mounts the core /proc, /sys, etc filesystems */ + if (lxcContainerMountBasicFS(vmDef->idmap.nuidmap, +- !vmDef->nnets) < 0) ++ 
!lxcNeedNetworkNamespace(vmDef)) < 0)
+ goto cleanup;
+
+ /* Ensure entire root filesystem (except /.oldroot) is readonly */
+@@ -2240,22 +2274,6 @@ virArch lxcContainerGetAlt32bitArch(virArch arch)
+ }
+
+
+-static bool
+-lxcNeedNetworkNamespace(virDomainDefPtr def)
+-{
+- size_t i;
+- if (def->nets != NULL)
+- return true;
+- if (def->features[VIR_DOMAIN_FEATURE_PRIVNET] == VIR_TRISTATE_SWITCH_ON)
+- return true;
+- for (i = 0; i < def->nhostdevs; i++) {
+- if (def->hostdevs[i]->mode == VIR_DOMAIN_HOSTDEV_MODE_CAPABILITIES &&
+- def->hostdevs[i]->source.caps.type == VIR_DOMAIN_HOSTDEV_CAPS_TYPE_NET)
+- return true;
+- }
+- return false;
+-}
+-
+ /**
+ * lxcContainerStart:
+ * @def: pointer to virtual machine structure
+--
+2.1.2
+
diff --git a/cgroup-all-devices.patch b/cgroup-all-devices.patch
new file mode 100644
index 0000000..f8946f4
--- /dev/null
+++ b/cgroup-all-devices.patch
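Review bot: The `skipNoNetns` field added to virLXCBasicMountInfo is the only thing that stops a container sharing the host's network namespace from receiving a writable bind of `/.oldroot/proc/sys/net/ipv[46]`, yet neither the field nor the two new table entries say so; `netns_disabled` is derived in lxcContainerSetupPivotRoot as `!lxcNeedNetworkNamespace(vmDef)`, so the guard is only sound as long as the path that actually creates the namespace (presumably near lxcContainerStart, outside this hunk) keeps using the same predicate. I would record that invariant on the field, `bool skipNoNetns; /* source exposes host sysctl state: mount only when the container gets its own netns, i.e. when lxcNeedNetworkNamespace() is true */`, and note on the ipv4/ipv6 entries that MS_RDONLY is intentionally omitted. The new missing-source skip appears to cover the pre-existing `/proc/sys` entry as well if `mnt_src` is built from `mnt->src`, turning what was a hard failure into a debug message; probably harmless, but it deserves a word in the comment. lxcContainerMountBasicFS and lxcContainerSetupPivotRoot both begin and end outside the hunk.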
@@ -0,0 +1,36 @@
+From c3cebcbf0303af428f75c53de99d75885b8a8ce3 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?C=C3=A9dric=20Bosdonnat?=
+Date: Wed, 10 Dec 2014 14:32:10 +0100
+Subject: [PATCH] Avoid getting '-1:-1' in devices cgroup list
+
+When calling virCgroupAllowAllDevices we get these invalid entries
+in the device cgroup config.
+ b -1:-1 rw
+ c -1:-1 rw
+Check for positive values before outputting the major and minor to
+avoid that.
+---
+ src/util/vircgroup.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/util/vircgroup.c b/src/util/vircgroup.c
+index 166f4dc..3995477 100644
+--- a/src/util/vircgroup.c
++++ b/src/util/vircgroup.c
+@@ -2767,11 +2767,11 @@ virCgroupAllowDevice(virCgroupPtr group, char type, int major, int minor,
+ char *minorstr = NULL;
+
+ if ((major < 0 && VIR_STRDUP(majorstr, "*") < 0) ||
+- virAsprintf(&majorstr, "%i", major) < 0)
++ (major >= 0 && virAsprintf(&majorstr, "%i", major) < 0))
+ goto cleanup;
+
+ if ((minor < 0 && VIR_STRDUP(minorstr, "*") < 0) ||
+- virAsprintf(&minorstr, "%i", minor) < 0)
++ (minor >= 0 && virAsprintf(&minorstr, "%i", minor) < 0))
+ goto cleanup;
+
+ if (virAsprintf(&devstr, "%c %s:%s %s", type, majorstr, minorstr,
+--
+2.1.2
+
diff --git a/libvirt.changes b/libvirt.changes
index e110a16..a0bd104 100644
--- a/libvirt.changes
+++ b/libvirt.changes
@@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Wed Dec 10 13:22:14 UTC 2014 - cbosdonnat@suse.com
+
+- Get /proc/sys/net/ipv[46] read-write for wicked to work in
+ containers. bsc#904432. ba9b7252-sys-net-rw.patch
+- Fixed allowing devices for containers.
+ cgroup-all-devices.patch
+
 -------------------------------------------------------------------
 Wed Dec 3 05:01:13 MST 2014 - jfehlig@suse.com
diff --git a/libvirt.spec b/libvirt.spec
index 9f9a872..88767ce 100644
--- a/libvirt.spec
+++ b/libvirt.spec
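Review bot: The wildcard convention that a negative `major` or `minor` is emitted as `*` is now carried entirely by the two mirrored `(x < 0 && ...) || (x >= 0 && ...)` conditions, and since `*` is the broadest grant the devices controller accepts, it should be stated where callers look: the header comment of virCgroupAllowDevice (outside this hunk) could read `@major: device major number, or a negative value to match any major ('*')`, with the same wording for `@minor`. As a matter of style, a condition whose two arms each perform an allocation reads more naturally as a branch, e.g. `if (major < 0 ? VIR_STRDUP(majorstr, "*") < 0 : virAsprintf(&majorstr, "%i", major) < 0) goto cleanup;`, which also makes it obvious that exactly one string is produced per field. The remainder of virCgroupAllowDevice, including its cleanup label, is outside the hunk.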
@@ -441,7 +441,9 @@ Patch3: 433b427-iplink-name.patch
 Patch4: 72fecf1-lxc-resolve-symlinks.patch
 Patch5: e50457d-lxc-unmount-check.patch
 Patch6: 52691f99-qemu-mig-crash.patch
+Patch7: ba9b7252-sys-net-rw.patch
 # Patches pending upstream review
+Patch100: cgroup-all-devices.patch
 # Need to go upstream
 Patch150: xen-name-for-devid.patch
 Patch151: xen-pv-cdrom.patch
@@ -980,6 +982,8 @@ Provides a dissector for the libvirt RPC protocol to help debugging it.
 %patch4 -p1
 %patch5 -p1
 %patch6 -p1
+%patch7 -p1
+%patch100 -p1
 %patch150 -p1
 %patch151 -p1
 %patch152 -p1