[libvirt] This patch adds the label to lxc-enter-namespace

Daniel P. Berrange berrange at redhat.com
Tue Mar 12 17:30:55 UTC 2013


On Thu, Mar 07, 2013 at 02:51:05PM -0500, Daniel J Walsh wrote:
> One last strangeness, about half the time I run this, virsh hangs and never
> returns.
> Seems like
> 
>  if (conn->driver->domainGetSecurityLabel(domain,
>                                                  seclabel) == 0) {
> 
> 
> Gets hung up.  I have attached the strace in out1.gz

This is because you are trying to invoke libvirt RPC calls in the
fork()d child process. Now you have both the child & parent trying
to use the same libvirt socket FD, which means it is random which
will see the incoming I/O.


>  
> +static int
> +virDomainSetDefaultSecurityLabel(virDomainPtr domain)
> +{
> +    int rc = 0;
> +    virSecurityLabelPtr seclabel;
> +    if (VIR_ALLOC(seclabel) < 0)
> +        return -1;
> +
> +    if (virDomainGetSecurityLabel(domain, seclabel))
> +        return -1;

This causes libvirt to do RPC calls

> @@ -135,7 +168,12 @@ virDomainLxcEnterNamespace(virDomainPtr domain,
>  {
>      int i;
>  
> -    virCheckFlags(0, -1);
> +    virCheckFlags(SECURITY_LABEL, -1);
> +
> +    if (flags & SECURITY_LABEL) {
> +        if (virDomainSetDefaultSecurityLabel(domain) < 0)
> +            goto error;
> +    }
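Review bot: `SECURITY_LABEL` in `virCheckFlags(SECURITY_LABEL, -1);` and `if (flags & SECURITY_LABEL)` is a bare, unprefixed name for a public API flag; libvirt public enum values are `VIR_`-prefixed and belong in the public header with a doc comment, and this hunk adds neither. The bigger problem is the placement: virDomainLxcEnterNamespace runs in the fork()d child, so calling virDomainSetDefaultSecurityLabel here issues an RPC from the child over the socket the parent still owns, which is the hang described above. Have the caller fetch the label with virDomainGetSecurityLabel before fork and pass the result in, so this function only applies an already-retrieved label without touching the connection.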


And this is running in the child process.


As with the enter namespace code, we need to split the functionality.
virsh needs to call virDomainGetSecurityLabel before fork, and then
invoke an API to apply the security label after fork.

I've CC'd you on a patch which takes that approach.

Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|