[libvirt] [PATCH v2 08/21] qemu: Spawn qemu under mount namespace

Michal Privoznik mprivozn at redhat.com
Mon Dec 12 15:34:00 UTC 2016 

On 12.12.2016 12:47, Daniel P. Berrange wrote:
> On Mon, Dec 12, 2016 at 10:55:55AM +0000, Daniel P. Berrange wrote:
>> On Wed, Dec 07, 2016 at 09:36:15AM +0100, Michal Privoznik wrote:
>>> Prime time. When it comes to spawning qemu process and
>>> relabelling all the devices it's going to touch, there's inherent
>>> race with other applications in the system (e.g. udev). Instead
>>> of trying convincing udev to not touch libvirt managed devices,
>>> we can create a separate mount namespace for the qemu, and mount
>>> our own /dev there. Of course this puts more work onto us as we
>>> have to maintain /dev files on each domain start and device
>>> hot(un-)plug. On the other hand, this enhances security also.
>>>
>>> >From technical POV, on domain startup process the parent
>>> (libvirtd) creates:
>>>
>>>   /var/lib/libvirt/qemu/$domain.dev
>>>   /var/lib/libvirt/qemu/$domain.devpts
>>>
>>> The child (which is going to be qemu eventually) calls unshare()
>>> to create new mount namespace. From now on anything that child
>>> does is invisible to the parent. Child then mounts tmpfs on
>>> $domain.dev (so that it still sees original /dev from the host)
>>> and creates some devices (as explained in one of the previous
>>> patches). The devices have to be created exactly as they are in
>>> the host (including perms, seclabels, ACLs, ...). After that it
>>> moves $domain.dev mount to /dev.
>>>
>>> What's the $domain.devpts mount there for then you ask? QEMU can
>>> create PTYs for some chardevs. And historically we exposed the
>>> host ends in our domain XML allowing users to connect to them.
>>> Therefore we must preserve devpts mount to be shared with the
>>> host's one.
>>>
>>> To make this patch as small as possible, creating of devices
>>> configured for domain in question is implemented in next patches.
>>>
>>> Signed-off-by: Michal Privoznik <mprivozn at redhat.com>
>>> ---
>>>  src/qemu/qemu_domain.c  | 377 +++++++++++++++++++++++++++++++++++++++++++++++-
>>>  src/qemu/qemu_domain.h  |  20 +++
>>>  src/qemu/qemu_process.c |  13 ++
>>>  3 files changed, 408 insertions(+), 2 deletions(-)
>>>
>>> diff --git a/src/qemu/qemu_domain.c b/src/qemu/qemu_domain.c
>>> index 4aae14d9d..50b401f79 100644
>>> --- a/src/qemu/qemu_domain.c
>>> +++ b/src/qemu/qemu_domain.c
>>> @@ -55,6 +55,9 @@
>>>  
>>>  #include <sys/time.h>
>>>  #include <fcntl.h>
>>> +#if defined(HAVE_SYS_MOUNT_H)
>>> +# include <sys/mount.h>
>>> +#endif
>>>  
>>>  #include <libxml/xpathInternals.h>
>>>  
>>> @@ -86,6 +89,10 @@ VIR_ENUM_IMPL(qemuDomainAsyncJob, QEMU_ASYNC_JOB_LAST,
>>>                "start",
>>>  );
>>>  
>>> +VIR_ENUM_IMPL(qemuDomainNamespace, QEMU_DOMAIN_NS_LAST,
>>> +              "mount",
>>> +);
>>> +
>>>  
>>>  struct _qemuDomainLogContext {
>>>      int refs;
>>> @@ -146,6 +153,31 @@ qemuDomainAsyncJobPhaseFromString(qemuDomainAsyncJob job,
>>>  }
>>>  
>>>  
>>> +bool
>>> +qemuDomainNamespaceEnabled(virDomainObjPtr vm,
>>> +                           qemuDomainNamespace ns)
>>> +{
>>> +    qemuDomainObjPrivatePtr priv = vm->privateData;
>>> +
>>> +    return priv->namespaces &&
>>> +        virBitmapIsBitSet(priv->namespaces, ns);
>>> +}
>>> +
>>> +
>>> +static bool
>>> +qemuDomainEnableNamespace(virDomainObjPtr vm,
>>> +                          qemuDomainNamespace ns)
>>> +{
>>> +    qemuDomainObjPrivatePtr priv = vm->privateData;
>>> +
>>> +    if (!priv->namespaces &&
>>> +        !(priv->namespaces = virBitmapNew(QEMU_DOMAIN_NS_LAST)))
>>> +        return -1;
>>> +
>>> +    return virBitmapSetBit(priv->namespaces, ns);
>>
>>
>> Returning -1 from a method returning 'bool' is not what you want :-)
>> Also causes a compile warning in the caller about comparing
>> bool with '< 0'. Looking at the callers, I think you probably
>> wanted

Btw: my compiler does not warn me. Even with -Wextra :-(

>>
>> @@ -169,7 +169,7 @@ qemuDomainNamespaceEnabled(virDomainObjPtr vm,
>>  }
>>  
>>  
>> -static bool
>> +static int
>>  qemuDomainEnableNamespace(virDomainObjPtr vm,
>>                            qemuDomainNamespace ns)
>>  {
>> @@ -179,7 +179,9 @@ qemuDomainEnableNamespace(virDomainObjPtr vm,
>>          !(priv->namespaces = virBitmapNew(QEMU_DOMAIN_NS_LAST)))
>>          return -1;
>>  
>> -    return virBitmapSetBit(priv->namespaces, ns);
>> +    virBitmapSetBit(priv->namespaces, ns);
>> +
>> +    return 0;
>>  }
>>  
>>
>> ACK with such a change made.
> 
> Except that checking return value of virBitmapSetBit is also required.

Okay, I'm sticking with:

-    return virBitmapSetBit(priv->namespaces, ns);
+    if (virBitmapSetBit(priv->namespaces, ns) < 0) {
+        virReportError(VIR_ERR_INTERNAL_ERROR,
+                       _("Unable to enable namespace: %s"),
+                       qemuDomainNamespaceTypeToString(ns));
+        return -1;
+    }
+
+    return 0;

Which makes sense from another POV: if virBitmapNew() fails, it also
reports error, however virBitmapSetBit() does not. So upon failure
qemuDomainEnableNamespace() might and might not reported error.

Michal

More information about the libvir-list mailing list