From 37e0137a03ad5e43ee86c0dcab03dae6d593f910ca65e96b87a4190a1187f3e7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?C=C3=A9dric=20Bosdonnat?= Date: Fri, 10 Jul 2015 12:21:25 +0000 Subject: [PATCH] Accepting request 315860 from home:cbosdonnat:branches:Virtualization Tue Jul 10 13:29:51 UTC 2015 - cbosdonnat@suse.com - Fixed virt-aa-helper bugs preventing virt-sandbox to work. 24f3c2f-virt-aa-helper-fix-caps.patch 61dab0f-virt-aa-helper-renaming.patch a55a5e7-virt-aa-helper-log.patch e44bcae-virt-aa-helper-trailing-slash.patch bsc#936841 - Fixed crasher due to uninitialized values qemu-nbd-cleanup-fix.patch bsc#936841 OBS-URL: https://build.opensuse.org/request/show/315860 OBS-URL: https://build.opensuse.org/package/show/Virtualization/libvirt?expand=0&rev=470
---
24f3c2f-virt-aa-helper-fix-caps.patch | 104 ++++++++++++++++++++ 61dab0f-virt-aa-helper-renaming.patch | 64 ++++++++++++ a55a5e7-virt-aa-helper-log.patch | 53 ++++++++++ e44bcae-virt-aa-helper-trailing-slash.patch | 28 ++++++ libvirt.changes | 12 +++ libvirt.spec | 12 ++- qemu-nbd-cleanup-fix.patch | 55 +++++++++++ 7 files changed, 327 insertions(+), 1 deletion(-) create mode 100644 24f3c2f-virt-aa-helper-fix-caps.patch create mode 100644 61dab0f-virt-aa-helper-renaming.patch create mode 100644 a55a5e7-virt-aa-helper-log.patch create mode 100644 e44bcae-virt-aa-helper-trailing-slash.patch create mode 100644 qemu-nbd-cleanup-fix.patch
diff --git a/24f3c2f-virt-aa-helper-fix-caps.patch b/24f3c2f-virt-aa-helper-fix-caps.patch
new file mode 100644
index 0000000..c293602
--- /dev/null
+++ b/24f3c2f-virt-aa-helper-fix-caps.patch
@@ -0,0 +1,104 @@
+From 24f3c2f7e0e196df5539616d03e039344768cd26 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?C=C3=A9dric=20Bosdonnat?= +Date: Thu, 25 Jun 2015 16:08:42 +0200 +Subject: [PATCH 4/5] virt-aa-helper: add DomainGuest to mockup caps + +With commit 3f9868a virt-aa-helper stopped working due to missing +DomainGuest in the caps. + +The test with -c without arch also needs to be +removed since the new capabilities code uses the host arch when none is +provided. +--- + src/security/virt-aa-helper.c | 25 ++++++++++++++++++++++++- + tests/virt-aa-helper-test | 3 --- + 2 files changed, 24 insertions(+), 4 deletions(-) +
+diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c
+index 604fb93..4ce1e7a 100644
+--- a/src/security/virt-aa-helper.c
++++ b/src/security/virt-aa-helper.c
+@@ -73,6 +73,7 @@ typedef struct { + virDomainDefPtr def; /* VM definition */ + virCapsPtr caps; /* VM capabilities */ + virDomainXMLOptionPtr xmlopt; /* XML parser data */ ++ char *virtType; /* type of hypervisor (eg qemu, xen, lxc) */ + char *os; /* type of os (eg hvm, xen, exe) */ + virArch arch; /* machine architecture */ + char *newfile; /* newly added file */
+@@ -89,6 +90,7 @@ vahDeinit(vahControl * ctl) + virObjectUnref(ctl->caps); + virObjectUnref(ctl->xmlopt); + VIR_FREE(ctl->files); ++ VIR_FREE(ctl->virtType); + VIR_FREE(ctl->os); + VIR_FREE(ctl->newfile); +
+@@ -641,6 +643,7 @@ verify_xpath_context(xmlXPathContextPtr ctxt) + + /* + * Parse the xml we received to fill in the following: ++ * ctl->virtType + * ctl->os + * ctl->arch + *
+@@ -668,6 +671,11 @@ caps_mockup(vahControl * ctl, const char *xmlStr) + if (verify_xpath_context(ctxt) != 0) + goto cleanup; + ++ ctl->virtType = virXPathString("string(./@type)", ctxt); ++ if (!ctl->virtType) { ++ vah_error(ctl, 0, _("domain type is not defined")); ++ goto cleanup; ++ } + ctl->os = virXPathString("string(./os/type[1])", ctxt); + if (!ctl->os) { + vah_error(ctl, 0, _("os.type is not defined"));
+@@ -694,7 +702,7 
@@ caps_mockup(vahControl * ctl, const char *xmlStr) + static int + get_definition(vahControl * ctl, const char *xmlStr) + { +- int rc = -1, ostype; ++ int rc = -1, ostype, virtType; + virCapsGuestPtr guest; /* this is freed when caps is freed */ + + /*
+@@ -730,6 +738,21 @@ get_definition(vahControl * ctl, const char *xmlStr) + goto exit; + } + ++ if ((virtType = virDomainVirtTypeFromString(ctl->virtType)) < 0) { ++ vah_error(ctl, 0, _("unknown virtualization type")); ++ goto exit; ++ } ++ ++ if (virCapabilitiesAddGuestDomain(guest, ++ virtType, ++ NULL, ++ NULL, ++ 0, ++ NULL) == NULL) { ++ vah_error(ctl, 0, _("could not allocate memory")); ++ goto exit; ++ } ++ + ctl->def = virDomainDefParseString(xmlStr, + ctl->caps, ctl->xmlopt, + VIR_DOMAIN_DEF_PARSE_INACTIVE);
+diff --git a/tests/virt-aa-helper-test b/tests/virt-aa-helper-test
+index 96471ff..caf2f97 100755
+--- a/tests/virt-aa-helper-test
++++ b/tests/virt-aa-helper-test
+@@ -194,9 +194,6 @@ testme "1" "-c with malformed xml" "-c -u $valid_uuid" "$test_xml" + sed -e "s,###UUID###,$uuid,g" -e "s,###DISK###,$disk1,g" -e "s,hvm,,g" "$template_xml" > "$test_xml" + testme "1" "-c with no os.type" "-c -u $valid_uuid" "$test_xml" + +-sed -e "s,###UUID###,$uuid,g" -e "s,###DISK###,$disk1,g" -e "s,hvm,hvm,g" "$template_xml" > "$test_xml" +-testme "1" "-c with no architecture" "-c -u $valid_uuid" "$test_xml" +- + sed -e "s,###UUID###,$uuid,g" -e "s,###DISK###,$disk1,g" -e "s,hvm,hvm_invalid,g" "$template_xml" > "$test_xml" + testme "1" "-c with invalid hvm" "-c -u $valid_uuid" "$test_xml" +
+--
+2.1.4
+
diff --git a/61dab0f-virt-aa-helper-renaming.patch b/61dab0f-virt-aa-helper-renaming.patch
new file mode 100644
index 0000000..5015952
--- /dev/null
+++ b/61dab0f-virt-aa-helper-renaming.patch
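Review bot: The two new error paths — a missing domain `type` attribute in caps_mockup and an unknown value rejected by `virDomainVirtTypeFromString` in get_definition — get no coverage in tests/virt-aa-helper-test, while the same hunk deletes the "-c with no architecture" case. A test beside the existing "-c with no os.type" one, for example `testme "1" "-c with invalid domain type" "-c -u $valid_uuid" "$test_xml"` after a sed that replaces the template's domain type with an unknown value, would pin the new behaviour (this assumes the template exposes a literal `type=` attribute to substitute, which the hunk does not show). The message `_("could not allocate memory")` on the `virCapabilitiesAddGuestDomain` failure also assumes allocation is the only way that call can fail; a neutral `_("could not add guest domain to capabilities")` would not mislead otherwise. caps_mockup and get_definition both continue outside the hunk.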
@@ -0,0 +1,64 @@
+From 61dab0f74ef79d034542bb77921e69fbbab3cf41 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?C=C3=A9dric=20Bosdonnat?= +Date: Thu, 25 Jun 2015 13:01:40 +0200 +Subject: [PATCH 3/5] virt-aa-helper: rename ctl->hvm to ctl->os + +ctl->hvm contains os.type string value, change the name to reflect it. +--- + src/security/virt-aa-helper.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) +
+diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c
+index f8a9cf2..604fb93 100644
+--- a/src/security/virt-aa-helper.c
++++ b/src/security/virt-aa-helper.c
+@@ -73,7 +73,7 @@ typedef struct { + virDomainDefPtr def; /* VM definition */ + virCapsPtr caps; /* VM capabilities */ + virDomainXMLOptionPtr xmlopt; /* XML parser data */ +- char *hvm; /* type of hypervisor (eg hvm, xen) */ ++ char *os; /* type of os (eg hvm, xen, exe) */ + virArch arch; /* machine architecture */ + char *newfile; /* newly added file */ + bool append; /* append to .files instead of rewrite */
+@@ -89,7 +89,7 @@ vahDeinit(vahControl * ctl) + virObjectUnref(ctl->caps); + virObjectUnref(ctl->xmlopt); + VIR_FREE(ctl->files); +- VIR_FREE(ctl->hvm); ++ VIR_FREE(ctl->os); + VIR_FREE(ctl->newfile); + + return 0;
+@@ -641,7 +641,7 @@ verify_xpath_context(xmlXPathContextPtr ctxt) + + /* + * Parse the xml we received to fill in the following: +- * ctl->hvm ++ * ctl->os + * ctl->arch + * + * These are suitable for setting up a virCapsPtr
+@@ -668,8 +668,8 @@ caps_mockup(vahControl * ctl, const char *xmlStr) + if (verify_xpath_context(ctxt) != 0) + goto cleanup; + +- ctl->hvm = virXPathString("string(./os/type[1])", ctxt); +- if (!ctl->hvm) { ++ ctl->os = virXPathString("string(./os/type[1])", ctxt); ++ if (!ctl->os) { + vah_error(ctl, 0, _("os.type is not defined")); + goto cleanup; + }
+@@ -714,7 +714,7 @@ get_definition(vahControl * ctl, const char *xmlStr) + goto exit; + } + +- if ((ostype = virDomainOSTypeFromString(ctl->hvm)) < 0) { ++ if ((ostype = 
virDomainOSTypeFromString(ctl->os)) < 0) { + vah_error(ctl, 0, _("unknown OS type")); + goto exit; + }
+--
+2.1.4
+
diff --git a/a55a5e7-virt-aa-helper-log.patch b/a55a5e7-virt-aa-helper-log.patch
new file mode 100644
index 0000000..eb6cd46
--- /dev/null
+++ b/a55a5e7-virt-aa-helper-log.patch
@@ -0,0 +1,53 @@
+From a55a5e7cfed57223820478da89422756121fb37c Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?C=C3=A9dric=20Bosdonnat?= +Date: Thu, 25 Jun 2015 10:36:52 +0200 +Subject: [PATCH 2/5] Get more libvirt errors from virt-aa-helper + +Initializing libvirt log in virt-aa-helper and getting it to output +libvirt log to stderr. This will help debugging problems happening in +libvirt functions called from within virt-aa-helper +--- + src/security/security_apparmor.c | 4 ++++ + src/security/virt-aa-helper.c | 4 ++++ + 2 files changed, 8 insertions(+) +
+diff --git a/src/security/security_apparmor.c b/src/security/security_apparmor.c
+index 4134a17..16b8f87 100644
+--- a/src/security/security_apparmor.c
++++ b/src/security/security_apparmor.c
+@@ -196,6 +196,10 @@ load_profile(virSecurityManagerPtr mgr, + } + } + ++ virCommandAddEnvFormat(cmd, ++ "LIBVIRT_LOG_OUTPUTS=%d:stderr", ++ virLogGetDefaultPriority()); ++ + virCommandSetInputBuffer(cmd, xml); + rc = virCommandRun(cmd, NULL); +
+diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c
+index 18454c8..f8a9cf2 100644
+--- a/src/security/virt-aa-helper.c
++++ b/src/security/virt-aa-helper.c
+@@ -41,6 +41,7 @@ + #include "virbuffer.h" + #include "viralloc.h" + #include "vircommand.h" ++#include "virlog.h" + + #include "security_driver.h" + #include "security_apparmor.h"
+@@ -1272,6 +1273,9 @@ main(int argc, char **argv) + exit(EXIT_FAILURE); + } + ++ /* Initialize the log system */ ++ virLogSetFromEnv(); ++ + /* clear the environment */ + environ = NULL; + if (setenv("PATH", "/sbin:/usr/sbin", 1) != 0)
+--
+2.1.4
+
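Review bot: `virLogSetFromEnv()` runs before the `environ = NULL` line whose comment says the environment is cleared, so the helper now honours every `LIBVIRT_LOG_*` variable it inherits — including a `LIBVIRT_LOG_OUTPUTS` value naming a file — ahead of the hardening step that discards the rest. That ordering is required for the `LIBVIRT_LOG_OUTPUTS=%d:stderr` value added in security_apparmor.c to take effect, but it also means any other caller of virt-aa-helper can steer where it logs; it is worth confirming that the virCommand built in load_profile passes only the variables explicitly added to it, and recording the dependency next to the call: `/* Read LIBVIRT_LOG_* now: the environment is cleared just below */`. main in virt-aa-helper.c and load_profile in security_apparmor.c both continue outside the hunk.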
diff --git a/e44bcae-virt-aa-helper-trailing-slash.patch b/e44bcae-virt-aa-helper-trailing-slash.patch
new file mode 100644
index 0000000..a555551
--- /dev/null
+++ b/e44bcae-virt-aa-helper-trailing-slash.patch
@@ -0,0 +1,28 @@
+From e44bcae9f014946d66fad1164080a4e251197f19 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?C=C3=A9dric=20Bosdonnat?= +Date: Wed, 24 Jun 2015 09:56:04 +0200 +Subject: [PATCH 1/5] virt-aa-helper: fix rules for paths with trailing slash + +Rules generated for a path like '/' were having '//' which isn't +correct for apparmor. Make virt-aa-helper smarter to avoid these. +--- + src/security/virt-aa-helper.c | 3 +++ + 1 file changed, 3 insertions(+) +
+diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c
+index 4440552..18454c8 100644
+--- a/src/security/virt-aa-helper.c
++++ b/src/security/virt-aa-helper.c
+@@ -795,6 +795,9 @@ vah_add_path(virBufferPtr buf, const char *path, const char *perms, bool recursi + goto cleanup; + } + ++ if (tmp[strlen(tmp) - 1] == '/') ++ tmp[strlen(tmp) - 1] = '\0'; ++ + virBufferAsprintf(buf, " \"%s%s\" %s,\n", tmp, recursive ? "/**" : "", perms); + if (readonly) { + virBufferAddLit(buf, " # don't audit writes to readonly files\n");
+--
+2.1.4
+
diff --git a/libvirt.changes b/libvirt.changes
index 773298b..1b13b09 100644
--- a/libvirt.changes
+++ b/libvirt.changes
@@ -1,3 +1,15 @@
+------------------------------------------------------------------- +Tue Jul 10 13:29:51 UTC 2015 - cbosdonnat@suse.com + +- Fixed virt-aa-helper bugs preventing virt-sandbox to work. + 24f3c2f-virt-aa-helper-fix-caps.patch + 61dab0f-virt-aa-helper-renaming.patch + a55a5e7-virt-aa-helper-log.patch + e44bcae-virt-aa-helper-trailing-slash.patch + bsc#936841 +- Fixed crasher due to uninitialized values + qemu-nbd-cleanup-fix.patch bsc#936841 + ------------------------------------------------------------------- Thu Jul 2 11:23:15 MDT 2015 - jfehlig@suse.com
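Review bot: `tmp[strlen(tmp) - 1]` reads and writes one byte before the buffer when `tmp` is the empty string, because the `size_t` subtraction wraps; whether an empty `tmp` can reach this point depends on code above the hunk, so a length guard costs nothing: `size_t len = strlen(tmp);` / `if (len > 0 && tmp[len - 1] == '/')` / `tmp[len - 1] = '\0';`. Worth checking too what the strip yields for `/` itself: `tmp` becomes empty, which gives the intended `"/**"` when `recursive` is set but an empty quoted path `""` from the `virBufferAsprintf` line when it is not, which is presumably not a rule AppArmor should receive. vah_add_path starts and ends outside the hunk.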
diff --git a/libvirt.spec b/libvirt.spec
index b456fb7..36dc31d 100644
--- a/libvirt.spec
+++ b/libvirt.spec
@@ -1,7 +1,7 @@ # # spec file for package libvirt # -# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2015 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed
@@ -446,6 +446,10 @@ Source3: libvirtd.init Source4: libvirtd-relocation-server.fw Source99: baselibs.conf # Upstream patches +Patch0: e44bcae-virt-aa-helper-trailing-slash.patch +Patch1: a55a5e7-virt-aa-helper-log.patch +Patch2: 61dab0f-virt-aa-helper-renaming.patch +Patch3: 24f3c2f-virt-aa-helper-fix-caps.patch # Patches pending upstream review # Need to go upstream Patch150: xen-pv-cdrom.patch
@@ -466,6 +470,7 @@ Patch207: disable-virCgroupGetPercpuStats-test.patch Patch208: apparmor-no-mount.patch Patch209: qemu-apparmor-screenshot.patch Patch210: libvirt-suse-netcontrol.patch +Patch211: qemu-nbd-cleanup-fix.patch # SocketUser and SocketGroup settings were added to systemd.socket in # version 214. Patch the setting away in earlier systemd %if 0%{systemd_version} < 214
@@ -976,6 +981,10 @@ Provides a dissector for the libvirt RPC protocol to help debugging it. %prep %setup -q +%patch0 -p1 +%patch1 -p1 +%patch2 -p1 +%patch3 -p1 %patch150 -p1 %patch151 -p1 %patch152 -p1
@@ -992,6 +1001,7 @@ Provides a dissector for the libvirt RPC protocol to help debugging it. %patch208 -p1 %patch209 -p1 %patch210 -p1 +%patch211 -p1 %if 0%{systemd_version} < 214 %patch300 -p1 %endif
diff --git a/qemu-nbd-cleanup-fix.patch b/qemu-nbd-cleanup-fix.patch
new file mode 100644
index 0000000..bf675a2
--- /dev/null
+++ b/qemu-nbd-cleanup-fix.patch
@@ -0,0 +1,55 @@
+From 1f17be07e9fbbae6fdba6842546ca86d51f84447 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?C=C3=A9dric=20Bosdonnat?= +Date: Thu, 9 Jul 2015 16:23:08 +0200 +Subject: [PATCH 5/5] Fix qemu-nbd cleanup crashes + +The virLXCControllerAppendNBDPids function didn't properly initialize +pids and npids. In case of failure it was crashing when freeing those. + +The nbd device pid file doesn't appear immediately after starting +qemu-nbd: adding a small loop to wait for it. +--- + src/lxc/lxc_controller.c | 19 +++++++++++++++++-- + 1 file changed, 17 insertions(+), 2 deletions(-) +
+diff --git a/src/lxc/lxc_controller.c b/src/lxc/lxc_controller.c
+index 828b8a8..78d3eee 100644
+--- a/src/lxc/lxc_controller.c
++++ b/src/lxc/lxc_controller.c
+@@ -533,16 +533,31 @@ static int virLXCControllerAppendNBDPids(virLXCControllerPtr ctrl, + const char *dev) + { + char *pidpath = NULL; +- pid_t *pids; +- size_t npids; ++ pid_t *pids = NULL; ++ size_t npids = 0; + size_t i; + int ret = -1; ++ size_t loops = 0; + pid_t pid; + + if (!STRPREFIX(dev, "/dev/") || + virAsprintf(&pidpath, "/sys/devices/virtual/block/%s/pid", dev + 5) < 0) + goto cleanup; + ++ /* Wait for the pid file to appear */ ++ while (!virFileExists(pidpath)) { ++ /* wait for 100ms before checking again, but don't do it for ever */ ++ if (errno == ENOENT && loops < 10) { ++ usleep(100 * 1000); ++ loops++; ++ } else { ++ virReportSystemError(errno, ++ _("Cannot check NBD device %s pid"), ++ dev + 5); ++ goto cleanup; ++ } ++ } ++ + if (virPidFileReadPath(pidpath, &pid) < 0) + goto cleanup; +
+--
+2.1.4
+
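Review bot: The retry decision in the new wait loop keys on `errno == ENOENT`, but `errno` is only trustworthy if `virFileExists` sets it on every false return; if it wraps access() that holds, yet nothing in the hunk shows it, and a stale value left by an earlier call would make the loop retry or give up for the wrong reason. Clearing it with `errno = 0;` immediately before the `while` and again after `loops++;` removes that dependency. When the ten retries are exhausted the `else` branch reports the same ENOENT through `_("Cannot check NBD device %s pid")`, which describes a failed check rather than a timeout; a distinct message such as `_("Timed out waiting for NBD device %s pid file")` would keep the two cases apart in the log. The `pids`/`npids` zero-initialisation addresses the crash the commit message describes; virLXCControllerAppendNBDPids continues past the hunk.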