Hello community, here is the log from the commit of package libvirt for openSUSE:Factory checked in at 2014-12-10 23:45:11 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/libvirt (Old) and /work/SRC/openSUSE:Factory/.libvirt.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "libvirt" Changes: -------- --- /work/SRC/openSUSE:Factory/libvirt/libvirt.changes 2014-12-03 22:49:16.000000000 +0100 +++ /work/SRC/openSUSE:Factory/.libvirt.new/libvirt.changes 2014-12-10 23:45:05.000000000 +0100 @@ -1,0 +2,8 @@ +Wed Dec 10 13:22:14 UTC 2014 - cbosdonnat@suse.com + +- Get /proc/sys/net/ipv[46] read-write for wicked to work in + containers. bsc#904432. ba9b7252-sys-net-rw.patch +- Fixed allowing devices for containers. + cgroup-all-devices.patch + +------------------------------------------------------------------- New: ---- ba9b7252-sys-net-rw.patch cgroup-all-devices.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ libvirt.spec ++++++ --- /var/tmp/diff_new_pack.drqEpr/_old 2014-12-10 23:45:08.000000000 +0100 +++ /var/tmp/diff_new_pack.drqEpr/_new 2014-12-10 23:45:08.000000000 +0100 @@ -441,7 +441,9 @@ Patch4: 72fecf1-lxc-resolve-symlinks.patch Patch5: e50457d-lxc-unmount-check.patch Patch6: 52691f99-qemu-mig-crash.patch +Patch7: ba9b7252-sys-net-rw.patch # Patches pending upstream review +Patch100: cgroup-all-devices.patch # Need to go upstream Patch150: xen-name-for-devid.patch Patch151: xen-pv-cdrom.patch @@ -980,6 +982,8 @@ %patch4 -p1 %patch5 -p1 %patch6 -p1 +%patch7 -p1 +%patch100 -p1 %patch150 -p1 %patch151 -p1 %patch152 -p1 ++++++ ba9b7252-sys-net-rw.patch ++++++
From ba9b7252ea8d87dfa217fb11dc5dadc039176807 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?C=C3=A9dric=20Bosdonnat?=
Date: Wed, 10 Dec 2014 10:22:28 +0100 Subject: [PATCH] lxc: give RW access to /proc/sys/net/ipv[46] to containers
Some programs want to change some values for the network interfaces configuration in /proc/sys/net/ipv[46] folders. Giving RW access on them allows wicked to work on openSUSE 13.2+. Reusing the lxcNeedNetworkNamespace function to tell lxcContainerMountBasicFS if the netns is disabled. When no netns is set up, then we don't mount the /proc/sys/net/ipv[46] folder RW as these would provide full access to the host NICs config. --- src/lxc/lxc_container.c | 64 +++++++++++++++++++++++++++++++------------------ 1 file changed, 41 insertions(+), 23 deletions(-) diff --git a/src/lxc/lxc_container.c b/src/lxc/lxc_container.c index 3b08b86..1b9e2f2 100644 --- a/src/lxc/lxc_container.c +++ b/src/lxc/lxc_container.c 
@@ -800,15 +800,18 @@ typedef struct { int mflags; bool skipUserNS; bool skipUnmounted; + bool skipNoNetns; } virLXCBasicMountInfo; static const virLXCBasicMountInfo lxcBasicMounts[] = { - { "proc", "/proc", "proc", MS_NOSUID|MS_NOEXEC|MS_NODEV, false, false }, - { "/proc/sys", "/proc/sys", NULL, MS_BIND|MS_RDONLY, false, false }, - { "sysfs", "/sys", "sysfs", MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_RDONLY, false, false }, - { "securityfs", "/sys/kernel/security", "securityfs", MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_RDONLY, true, true }, + { "proc", "/proc", "proc", MS_NOSUID|MS_NOEXEC|MS_NODEV, false, false, false }, + { "/proc/sys", "/proc/sys", NULL, MS_BIND|MS_RDONLY, false, false, false }, + { "/.oldroot/proc/sys/net/ipv4", "/proc/sys/net/ipv4", NULL, MS_BIND, false, false, true }, + { "/.oldroot/proc/sys/net/ipv6", "/proc/sys/net/ipv6", NULL, MS_BIND, false, false, true }, + { "sysfs", "/sys", "sysfs", MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_RDONLY, false, false, false }, + { "securityfs", "/sys/kernel/security", "securityfs", MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_RDONLY, true, true, false }, #if WITH_SELINUX - { SELINUX_MOUNT, SELINUX_MOUNT, "selinuxfs", MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_RDONLY, true, true }, + { SELINUX_MOUNT, SELINUX_MOUNT, "selinuxfs", MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_RDONLY, true, true, false }, #endif }; @@ -940,10 +943,24 @@ static int lxcContainerMountBasicFS(bool userns_enabled, continue; } + /* Skip mounts with missing source without shouting: it may be a + * missing folder in /proc due to the absence of a kernel feature */ + if (STRPREFIX(mnt_src, "/") && !virFileExists(mnt_src)) { + VIR_DEBUG("Skipping due to missing source: %s", mnt_src); + VIR_FREE(mnt_src); + continue; + } + + if (mnt->skipNoNetns && netns_disabled) { + VIR_DEBUG("Skipping due to absence of network namespace"); + VIR_FREE(mnt_src); + continue; + } + if (virFileMakePath(mnt->dst) < 0) { virReportSystemError(errno, _("Failed to mkdir %s"), - mnt_src); + mnt->dst); goto cleanup; } 
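Review bot: The two new `/.oldroot/proc/sys/net/ipv[46]` rows are plain `MS_BIND` mounts with no `MS_RDONLY`, so the only thing that keeps a container sharing the host network namespace from writing the host's IPv4/IPv6 sysctls is the `skipNoNetns` flag being honoured by lxcContainerMountBasicFS, and nothing in the table records that dependency. A comment above the pair such as `/* RW so tools like wicked can tune the container's own netns; skipNoNetns keeps these out when no netns is created, since they would then expose the host's config */` would put the invariant next to the data it protects. The three trailing positional bools (`skipUserNS`, `skipUnmounted`, `skipNoNetns`) are also easy to transpose the next time a column is added; designated initializers (`.skipNoNetns = true`) would make each row self-describing.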
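Review bot: The new missing-source check in the second hunk applies to every row whose source is an absolute path, which includes the `/proc/sys` -> `/proc/sys` `MS_BIND|MS_RDONLY` entry whose sole purpose is to make the sysctl tree read-only; if `virFileExists()` ever reports that source missing the container silently ends up with a writable `/proc/sys`, where the previous code would have failed at mount time. In practice `/proc/sys` exists once proc is mounted, but a check that can quietly drop a read-only protection should be opt-in per row rather than implied by the path shape: gate it on a dedicated table column (say `bool skipMissingSrc`, true only for the two ipv[46] rows), or at minimum log the skip with `VIR_WARN` rather than `VIR_DEBUG` so the downgrade is visible. The `netns_disabled` parameter this hunk relies on, and the start and end of lxcContainerMountBasicFS, are outside the hunk.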
@@ -1697,6 +1714,23 @@ static int lxcContainerUnmountForSharedRoot(const char *stateDir, } +static bool +lxcNeedNetworkNamespace(virDomainDefPtr def) +{ + size_t i; + if (def->nets != NULL) + return true; + if (def->features[VIR_DOMAIN_FEATURE_PRIVNET] == VIR_TRISTATE_SWITCH_ON) + return true; + for (i = 0; i < def->nhostdevs; i++) { + if (def->hostdevs[i]->mode == VIR_DOMAIN_HOSTDEV_MODE_CAPABILITIES && + def->hostdevs[i]->source.caps.type == VIR_DOMAIN_HOSTDEV_CAPS_TYPE_NET) + return true; + } + return false; +} + + /* Got a FS mapped to /, we're going the pivot_root * approach to do a better-chroot-than-chroot * this is based on this thread http://lkml.org/lkml/2008/3/5/29 @@ -1741,7 +1775,7 @@ static int lxcContainerSetupPivotRoot(virDomainDefPtr vmDef, /* Mounts the core /proc, /sys, etc filesystems */ if (lxcContainerMountBasicFS(vmDef->idmap.nuidmap, - !vmDef->nnets) < 0) + !lxcNeedNetworkNamespace(vmDef)) < 0) goto cleanup; /* Ensure entire root filesystem (except /.oldroot) is readonly */ @@ -2240,22 +2274,6 @@ virArch lxcContainerGetAlt32bitArch(virArch arch) } -static bool -lxcNeedNetworkNamespace(virDomainDefPtr def) -{ - size_t i; - if (def->nets != NULL) - return true; - if (def->features[VIR_DOMAIN_FEATURE_PRIVNET] == VIR_TRISTATE_SWITCH_ON) - return true; - for (i = 0; i < def->nhostdevs; i++) { - if (def->hostdevs[i]->mode == VIR_DOMAIN_HOSTDEV_MODE_CAPABILITIES && - def->hostdevs[i]->source.caps.type == VIR_DOMAIN_HOSTDEV_CAPS_TYPE_NET) - return true; - } - return false; -} - /** * lxcContainerStart: * @def: pointer to virtual machine structure -- 2.1.2 ++++++ cgroup-all-devices.patch ++++++
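Review bot: lxcNeedNetworkNamespace is moved up without a comment, yet after this change it is the single predicate behind two security-relevant decisions: whether the container gets its own network namespace (its previous position sat directly above the lxcContainerStart doc block, which is presumably where the clone flags are chosen) and, via the `!lxcNeedNetworkNamespace(vmDef)` argument in lxcContainerSetupPivotRoot, whether `/proc/sys/net/ipv[46]` are mounted read-write. A header comment on the definition, stating that both the netns creation and the RW sysctl mounts depend on this answer and that the two callers must never diverge, would make the next edit to either site safer. Note that the old call site tested the count `!vmDef->nnets` while the predicate tests the pointer `def->nets != NULL`; using the predicate at the mount site is the right way to keep the two decisions in step, but the comment should say that this is deliberate. The body of lxcContainerSetupPivotRoot continues outside the hunk.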
From c3cebcbf0303af428f75c53de99d75885b8a8ce3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?C=C3=A9dric=20Bosdonnat?=
Date: Wed, 10 Dec 2014 14:32:10 +0100 Subject: [PATCH] Avoid getting '-1:-1' in devices cgroup list
When calling virCgroupAllowAllDevices we get these invalid entries in the device cgroup config. b -1:-1 rw c -1:-1 rw Check for positive values before outputting the major and minor to avoid that. --- src/util/vircgroup.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/util/vircgroup.c b/src/util/vircgroup.c index 166f4dc..3995477 100644 --- a/src/util/vircgroup.c +++ b/src/util/vircgroup.c @@ -2767,11 +2767,11 @@ virCgroupAllowDevice(virCgroupPtr group, char type, int major, int minor, char *minorstr = NULL; if ((major < 0 && VIR_STRDUP(majorstr, "*") < 0) || - virAsprintf(&majorstr, "%i", major) < 0) + (major >= 0 && virAsprintf(&majorstr, "%i", major) < 0)) goto cleanup; if ((minor < 0 && VIR_STRDUP(minorstr, "*") < 0) || - virAsprintf(&minorstr, "%i", minor) < 0) + (minor >= 0 && virAsprintf(&minorstr, "%i", minor) < 0)) goto cleanup; if (virAsprintf(&devstr, "%c %s:%s %s", type, majorstr, minorstr, -- 2.1.2 -- To unsubscribe, e-mail: opensuse-commit+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-commit+help@opensuse.org
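Review bot: The fixed conditions are correct but read as two mutually exclusive clauses chained with `||`, and nothing in the hunk says that a negative `major`/`minor` is the wildcard; a one-line comment before the first `if`, `/* negative major/minor means "any" and is written as "*" */`, would document the contract the fix depends on. The commit message speaks of "positive" values, whereas the code rightly uses `>= 0`, since major/minor 0 are valid device numbers; the comment should use "non-negative" so the two agree. The remainder of virCgroupAllowDevice, including the `cleanup` label that frees `majorstr`/`minorstr`, is outside the hunk.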