Accepting request 264662 from home:cbosdonnat:branches:Virtualization
- Get /proc/sys/net/ipv[46] read-write for wicked to work in containers. bsc#904432. ba9b7252-sys-net-rw.patch - Fixed allowing devices for containers. cgroup-all-devices.patch OBS-URL: https://build.opensuse.org/request/show/264662 OBS-URL: https://build.opensuse.org/package/show/Virtualization/libvirt?expand=0&rev=426
This commit is contained in:
parent
69a5f4bf9f
commit
06949b0f82
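--- /dev/null
+++ b/ba9b7252-sys-net-rw.patch
@@ -0,0 +1,130 @@
+From ba9b7252ea8d87dfa217fb11dc5dadc039176807 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?C=C3=A9dric=20Bosdonnat?= <cbosdonnat@suse.com>
+Date: Wed, 10 Dec 2014 10:22:28 +0100
+Subject: [PATCH] lxc: give RW access to /proc/sys/net/ipv[46] to containers
+
+Some programs want to change some values for the network interfaces
+configuration in /proc/sys/net/ipv[46] folders. Giving RW access on them
+allows wicked to work on openSUSE 13.2+.
+
+Reusing the lxcNeedNetworkNamespace function to tell
+lxcContainerMountBasicFS if the netns is disabled. When no netns is
+set up, then we don't mount the /proc/sys/net/ipv[46] folder RW as
+these would provide full access to the host NICs config.
+---
+src/lxc/lxc_container.c | 64 +++++++++++++++++++++++++++++++------------------
+1 file changed, 41 insertions(+), 23 deletions(-)
+
+diff --git a/src/lxc/lxc_container.c b/src/lxc/lxc_container.c
+index 3b08b86..1b9e2f2 100644
+--- a/src/lxc/lxc_container.c
++++ b/src/lxc/lxc_container.c
+@@ -800,15 +800,18 @@ typedef struct {
+int mflags;
+bool skipUserNS;
+bool skipUnmounted;
++ bool skipNoNetns;
+} virLXCBasicMountInfo;
+
+static const virLXCBasicMountInfo lxcBasicMounts[] = {
+- { "proc", "/proc", "proc", MS_NOSUID|MS_NOEXEC|MS_NODEV, false, false },
+- { "/proc/sys", "/proc/sys", NULL, MS_BIND|MS_RDONLY, false, false },
+- { "sysfs", "/sys", "sysfs", MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_RDONLY, false, false },
+- { "securityfs", "/sys/kernel/security", "securityfs", MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_RDONLY, true, true },
++ { "proc", "/proc", "proc", MS_NOSUID|MS_NOEXEC|MS_NODEV, false, false, false },
++ { "/proc/sys", "/proc/sys", NULL, MS_BIND|MS_RDONLY, false, false, false },
++ { "/.oldroot/proc/sys/net/ipv4", "/proc/sys/net/ipv4", NULL, MS_BIND, false, false, true },
++ { "/.oldroot/proc/sys/net/ipv6", "/proc/sys/net/ipv6", NULL, MS_BIND, false, false, true },
++ { "sysfs", "/sys", "sysfs", MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_RDONLY, false, false, false },
++ { "securityfs", "/sys/kernel/security", "securityfs", MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_RDONLY, true, true, false },
+#if WITH_SELINUX
+- { SELINUX_MOUNT, SELINUX_MOUNT, "selinuxfs", MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_RDONLY, true, true },
++ { SELINUX_MOUNT, SELINUX_MOUNT, "selinuxfs", MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_RDONLY, true, true, false },
+#endif
+};
+
+@@ -940,10 +943,24 @@ static int lxcContainerMountBasicFS(bool userns_enabled,
+continue;
+}
+
++ /* Skip mounts with missing source without shouting: it may be a
++ * missing folder in /proc due to the absence of a kernel feature */
++ if (STRPREFIX(mnt_src, "/") && !virFileExists(mnt_src)) {
++ VIR_DEBUG("Skipping due to missing source: %s", mnt_src);
++ VIR_FREE(mnt_src);
++ continue;
++ }
++
++ if (mnt->skipNoNetns && netns_disabled) {
++ VIR_DEBUG("Skipping due to absence of network namespace");
++ VIR_FREE(mnt_src);
++ continue;
++ }
++
+if (virFileMakePath(mnt->dst) < 0) {
+virReportSystemError(errno,
+_("Failed to mkdir %s"),
+- mnt_src);
++ mnt->dst);
+goto cleanup;
+}
+
+@@ -1697,6 +1714,23 @@ static int lxcContainerUnmountForSharedRoot(const char *stateDir,
+}
+
+
++static bool
++lxcNeedNetworkNamespace(virDomainDefPtr def)
++{
++ size_t i;
++ if (def->nets != NULL)
++ return true;
++ if (def->features[VIR_DOMAIN_FEATURE_PRIVNET] == VIR_TRISTATE_SWITCH_ON)
++ return true;
++ for (i = 0; i < def->nhostdevs; i++) {
++ if (def->hostdevs[i]->mode == VIR_DOMAIN_HOSTDEV_MODE_CAPABILITIES &&
++ def->hostdevs[i]->source.caps.type == VIR_DOMAIN_HOSTDEV_CAPS_TYPE_NET)
++ return true;
++ }
++ return false;
++}
++
++
+/* Got a FS mapped to /, we're going the pivot_root
+* approach to do a better-chroot-than-chroot
+* this is based on this thread http://lkml.org/lkml/2008/3/5/29
+@@ -1741,7 +1775,7 @@ static int lxcContainerSetupPivotRoot(virDomainDefPtr vmDef,
+
+/* Mounts the core /proc, /sys, etc filesystems */
+if (lxcContainerMountBasicFS(vmDef->idmap.nuidmap,
+- !vmDef->nnets) < 0)
++ !lxcNeedNetworkNamespace(vmDef)) < 0)
+goto cleanup;
+
+/* Ensure entire root filesystem (except /.oldroot) is readonly */
+@@ -2240,22 +2274,6 @@ virArch lxcContainerGetAlt32bitArch(virArch arch)
+}
+
+
+-static bool
+-lxcNeedNetworkNamespace(virDomainDefPtr def)
+-{
+- size_t i;
+- if (def->nets != NULL)
+- return true;
+- if (def->features[VIR_DOMAIN_FEATURE_PRIVNET] == VIR_TRISTATE_SWITCH_ON)
+- return true;
+- for (i = 0; i < def->nhostdevs; i++) {
+- if (def->hostdevs[i]->mode == VIR_DOMAIN_HOSTDEV_MODE_CAPABILITIES &&
+- def->hostdevs[i]->source.caps.type == VIR_DOMAIN_HOSTDEV_CAPS_TYPE_NET)
+- return true;
+- }
+- return false;
+-}
+-
+/**
+* lxcContainerStart:
+* @def: pointer to virtual machine structure
+--
+2.1.2
+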
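Review bot: The two new `/.oldroot/proc/sys/net/ipv[46]` entries in lxcBasicMounts are bind-mounted with plain `MS_BIND` (no `MS_RDONLY`) on top of the read-only `/proc/sys`, and the only guard is `mnt->skipNoNetns && netns_disabled`; a network namespace does not make every file under those directories container-private, since the kernel keeps some ipv4/ipv6 sysctls global, so a container that holds CAP_NET_ADMIN and runs without a user namespace could presumably still write host-wide values through this mount — worth confirming against the kernels the package targets before shipping. The intent and its limit deserve a comment next to the two table entries, e.g. `/* RW on purpose so the guest can tune its own netns; skipped when no netns exists (skipNoNetns). Sysctls the kernel does not namespace stay host-global. */`. Separately, the moved lxcNeedNetworkNamespace() replaces the former `!vmDef->nnets` test with `def->nets != NULL`; if `nets` can be a non-NULL array while `nnets == 0`, the RW mounts would be enabled with no netns, so `if (def->nnets > 0)` is the safer test. The rendered copy has lost the patch's leading whitespace, so indentation and context markers inside the inner hunks cannot be checked here.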
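--- /dev/null
+++ b/cgroup-all-devices.patch
@@ -0,0 +1,36 @@
+From c3cebcbf0303af428f75c53de99d75885b8a8ce3 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?C=C3=A9dric=20Bosdonnat?= <cbosdonnat@suse.com>
+Date: Wed, 10 Dec 2014 14:32:10 +0100
+Subject: [PATCH] Avoid getting '-1:-1' in devices cgroup list
+
+When calling virCgroupAllowAllDevices we get these invalid entries
+in the device cgroup config.
+b -1:-1 rw
+c -1:-1 rw
+Check for positive values before outputting the major and minor to
+avoid that.
+---
+src/util/vircgroup.c | 4 ++--
+1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/util/vircgroup.c b/src/util/vircgroup.c
+index 166f4dc..3995477 100644
+--- a/src/util/vircgroup.c
++++ b/src/util/vircgroup.c
+@@ -2767,11 +2767,11 @@ virCgroupAllowDevice(virCgroupPtr group, char type, int major, int minor,
+char *minorstr = NULL;
+
+if ((major < 0 && VIR_STRDUP(majorstr, "*") < 0) ||
+- virAsprintf(&majorstr, "%i", major) < 0)
++ (major >= 0 && virAsprintf(&majorstr, "%i", major) < 0))
+goto cleanup;
+
+if ((minor < 0 && VIR_STRDUP(minorstr, "*") < 0) ||
+- virAsprintf(&minorstr, "%i", minor) < 0)
++ (minor >= 0 && virAsprintf(&minorstr, "%i", minor) < 0))
+goto cleanup;
+
+if (virAsprintf(&devstr, "%c %s:%s %s", type, majorstr, minorstr,
+--
+2.1.2
+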
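Review bot: The new `major >= 0 &&` and `minor >= 0 &&` guards in virCgroupAllowDevice() leave the negative-to-wildcard mapping undocumented, so a reader has to work out from the two conditions why a raw `-1` must never reach virAsprintf(); a one-line comment above the first `if` would carry that, e.g. `/* A negative major/minor means "any" and is written as the devices-cgroup wildcard '*'; the literal -1 must never be emitted. */`. The function body continues outside the hunk, so whether majorstr and minorstr are released on every path cannot be checked here.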
@ -1,3 +1,11 @@
-------------------------------------------------------------------
Wed Dec 10 13:22:14 UTC 2014 - cbosdonnat@suse.com
- Get /proc/sys/net/ipv[46] read-write for wicked to work in
containers. bsc#904432. ba9b7252-sys-net-rw.patch
- Fixed allowing devices for containers.
cgroup-all-devices.patch
-------------------------------------------------------------------
-------------------------------------------------------------------
Wed Dec 3 05:01:13 MST 2014 - jfehlig@suse.com
Wed Dec 3 05:01:13 MST 2014 - jfehlig@suse.com
@ -441,7 +441,9 @@ Patch3: 433b427-iplink-name.patch
Patch4: 72fecf1-lxc-resolve-symlinks.patch
Patch4: 72fecf1-lxc-resolve-symlinks.patch
Patch5: e50457d-lxc-unmount-check.patch
Patch5: e50457d-lxc-unmount-check.patch
Patch6: 52691f99-qemu-mig-crash.patch
Patch6: 52691f99-qemu-mig-crash.patch
Patch7: ba9b7252-sys-net-rw.patch
# Patches pending upstream review
# Patches pending upstream review
Patch100: cgroup-all-devices.patch
# Need to go upstream
# Need to go upstream
Patch150: xen-name-for-devid.patch
Patch150: xen-name-for-devid.patch
Patch151: xen-pv-cdrom.patch
Patch151: xen-pv-cdrom.patch
@ -980,6 +982,8 @@ Provides a dissector for the libvirt RPC protocol to help debugging it.
%patch4 -p1
%patch4 -p1
%patch5 -p1
%patch5 -p1
%patch6 -p1
%patch6 -p1
%patch7 -p1
%patch100 -p1
%patch150 -p1
%patch150 -p1
%patch151 -p1
%patch151 -p1
%patch152 -p1
%patch152 -p1