[libvirt] PATCH: Fix permissions problem starting QEMU
Daniel P. Berrange
berrange at redhat.com
Thu Jul 30 14:00:53 UTC 2009
There is a minor bug when running QEMU non-root, and having
capng enabled. libvirt is unable to write the PID file in
/var/run/libvirt/qemu, since its now owned by 'qemu', but
libvirtd has dropped all capabilties at this point. The fix
is to delay dropping capabilities until after the PID file
has been created. We should also be sure to kill the child
if writing the PID file fails
Daniel
commit ce246587178bc6539a3ea6181cdf06ea45878fd3
Author: Daniel P. Berrange <berrange at redhat.com>
Date: Thu Jul 30 14:58:16 2009 +0100
Fix problem writing QEMU pidfile
* src/util.c: Don't drop capabilities until after the PID file has
been written. Kill off child if writing the PID file fails
* src/qemu_driver.c: Remove bogus trailing '/' in state dir
diff --git a/src/qemu_driver.c b/src/qemu_driver.c
index 9fb8506..26897d3 100644
--- a/src/qemu_driver.c
+++ b/src/qemu_driver.c
@@ -468,7 +468,7 @@ qemudStartup(int privileged) {
goto out_of_memory;
if (virAsprintf(&qemu_driver->stateDir,
- "%s/run/libvirt/qemu/", LOCAL_STATE_DIR) == -1)
+ "%s/run/libvirt/qemu", LOCAL_STATE_DIR) == -1)
goto out_of_memory;
} else {
uid_t uid = geteuid();
diff --git a/src/util.c b/src/util.c
index ee64b28..39aae24 100644
--- a/src/util.c
+++ b/src/util.c
@@ -513,12 +513,6 @@ __virExec(virConnectPtr conn,
if ((hook)(data) != 0)
_exit(1);
- /* The hook above may need todo something privileged, so
- * we delay clearing capabilities until now */
- if ((flags & VIR_EXEC_CLEAR_CAPS) &&
- virClearCapabilities() < 0)
- _exit(1);
-
/* Daemonize as late as possible, so the parent process can detect
* the above errors with wait* */
if (flags & VIR_EXEC_DAEMON) {
@@ -543,6 +537,9 @@ __virExec(virConnectPtr conn,
if (pid > 0) {
if (pidfile && virFileWritePidPath(pidfile,pid)) {
+ kill(pid, SIGTERM);
+ usleep(500*1000);
+ kill(pid, SIGTERM);
virReportSystemError(conn, errno,
"%s", _("could not write pidfile"));
_exit(1);
@@ -551,6 +548,12 @@ __virExec(virConnectPtr conn,
}
}
+ /* The steps above may need todo something privileged, so
+ * we delay clearing capabilities until the last minute */
+ if ((flags & VIR_EXEC_CLEAR_CAPS) &&
+ virClearCapabilities() < 0)
+ _exit(1);
+
if (envp)
execve(argv[0], (char **) argv, (char**)envp);
else
--
|: Red Hat, Engineering, London -o- http://people.redhat.com/berrange/ :|
|: http://libvirt.org -o- http://virt-manager.org -o- http://ovirt.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: GnuPG: 7D3B9505 -o- F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|
More information about the libvir-list
mailing list