|
Daniel P. Berrangé |
d670e2 |
From 3e02ee9b5da7fc7197aaa6d57563349a7670b8a1 Mon Sep 17 00:00:00 2001
|
|
Daniel P. Berrangé |
d670e2 |
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
|
|
Daniel P. Berrangé |
d670e2 |
Date: Wed, 13 Mar 2019 16:21:15 +0000
|
|
Daniel P. Berrangé |
d670e2 |
Subject: [PATCH 5/5] network: avoid trying to create global firewall rules if
|
|
Daniel P. Berrangé |
d670e2 |
unprivileged
|
|
Daniel P. Berrangé |
d670e2 |
MIME-Version: 1.0
|
|
Daniel P. Berrangé |
d670e2 |
Content-Type: text/plain; charset=UTF-8
|
|
Daniel P. Berrangé |
d670e2 |
Content-Transfer-Encoding: 8bit
|
|
Daniel P. Berrangé |
d670e2 |
|
|
Daniel P. Berrangé |
d670e2 |
The unprivileged libvirtd does not have permission to create firewall
|
|
Daniel P. Berrangé |
d670e2 |
rules, or bridge devices, or do anything to the host network in
|
|
Daniel P. Berrangé |
d670e2 |
general. Historically we still activate the network driver though and
|
|
Daniel P. Berrangé |
d670e2 |
let the network start API call fail.
|
|
Daniel P. Berrangé |
d670e2 |
|
|
Daniel P. Berrangé |
d670e2 |
The startup code path which reloads firewall rules on active networks
|
|
Daniel P. Berrangé |
d670e2 |
would thus effectively be a no-op when unprivileged as it is impossible
|
|
Daniel P. Berrangé |
d670e2 |
for there to be any active networks
|
|
Daniel P. Berrangé |
d670e2 |
|
|
Daniel P. Berrangé |
d670e2 |
With the change to use a global set of firewall chains, however, we now
|
|
Daniel P. Berrangé |
d670e2 |
have code that is run unconditionally.
|
|
Daniel P. Berrangé |
d670e2 |
|
|
Daniel P. Berrangé |
d670e2 |
Ideally we would not register the network driver at all when
|
|
Daniel P. Berrangé |
d670e2 |
unprivileged, but the entanglement with the virt drivers currently makes
|
|
Daniel P. Berrangé |
d670e2 |
that impractical. As a temporary hack, we just make the firewall reload
|
|
Daniel P. Berrangé |
d670e2 |
into a no-op.
|
|
Daniel P. Berrangé |
d670e2 |
|
|
Daniel P. Berrangé |
d670e2 |
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
|
|
Daniel P. Berrangé |
d670e2 |
(cherry picked from commit 5d010c3df6152cf5fb00f1f67d22151241f4a8a2)
|
|
Daniel P. Berrangé |
d670e2 |
---
|
|
Daniel P. Berrangé |
d670e2 |
src/network/bridge_driver.c | 4 ++++
|
|
Daniel P. Berrangé |
d670e2 |
1 file changed, 4 insertions(+)
|
|
Daniel P. Berrangé |
d670e2 |
|
|
Daniel P. Berrangé |
d670e2 |
diff --git a/src/network/bridge_driver.c b/src/network/bridge_driver.c
|
|
Daniel P. Berrangé |
d670e2 |
index 1da60f0a21..0e1d5efd8e 100644
|
|
Daniel P. Berrangé |
d670e2 |
--- a/src/network/bridge_driver.c
|
|
Daniel P. Berrangé |
d670e2 |
+++ b/src/network/bridge_driver.c
|
|
Daniel P. Berrangé |
d670e2 |
@@ -2108,6 +2108,10 @@ static void
|
|
Daniel P. Berrangé |
d670e2 |
networkReloadFirewallRules(virNetworkDriverStatePtr driver, bool startup)
|
|
Daniel P. Berrangé |
d670e2 |
{
|
|
Daniel P. Berrangé |
d670e2 |
VIR_INFO("Reloading iptables rules");
|
|
Daniel P. Berrangé |
d670e2 |
+ /* Ideally we'd not even register the driver when unprivilegd
|
|
Daniel P. Berrangé |
d670e2 |
+ * but until we untangle the virt driver that's not viable */
|
|
Daniel P. Berrangé |
d670e2 |
+ if (!driver->privileged)
|
|
Daniel P. Berrangé |
d670e2 |
+ return;
|
|
Daniel P. Berrangé |
d670e2 |
networkPreReloadFirewallRules(startup);
|
|
Daniel P. Berrangé |
d670e2 |
virNetworkObjListForEach(driver->networks,
|
|
Daniel P. Berrangé |
d670e2 |
networkReloadFirewallRulesHelper,
|
|
Daniel P. Berrangé |
d670e2 |
--
|
|
Daniel P. Berrangé |
d670e2 |
2.20.1
|
|
Daniel P. Berrangé |
d670e2 |
|