[libvirt] [PATCH v1 21/21] qemu: Let users opt-out from containerization

Michal Privoznik mprivozn at redhat.com
Thu Nov 24 14:48:10 UTC 2016


Given how intrusive previous patches are, it might happen that
there's a bug or imperfection. Let's give users a way out: if they
set 'containerize' to false in qemu.conf the feature is
suppressed.

Signed-off-by: Michal Privoznik <mprivozn at redhat.com>
---
 src/qemu/libvirtd_qemu.aug         | 1 +
 src/qemu/qemu.conf                 | 8 ++++++++
 src/qemu/qemu_conf.c               | 5 +++++
 src/qemu/qemu_conf.h               | 2 ++
 src/qemu/qemu_domain.c             | 3 ++-
 src/qemu/test_libvirtd_qemu.aug.in | 1 +
 6 files changed, 19 insertions(+), 1 deletion(-)

diff --git a/src/qemu/libvirtd_qemu.aug b/src/qemu/libvirtd_qemu.aug
index f3cc9e6..5bd7f2f 100644
--- a/src/qemu/libvirtd_qemu.aug
+++ b/src/qemu/libvirtd_qemu.aug
@@ -70,6 +70,7 @@ module Libvirtd_qemu =
                  | str_array_entry "cgroup_controllers"
                  | str_array_entry "cgroup_device_acl"
                  | int_entry "seccomp_sandbox"
+                 | bool_entry "containerize"
 
    let save_entry =  str_entry "save_image_format"
                  | str_entry "dump_image_format"
diff --git a/src/qemu/qemu.conf b/src/qemu/qemu.conf
index 2b2bd60..26308a3 100644
--- a/src/qemu/qemu.conf
+++ b/src/qemu/qemu.conf
@@ -665,3 +665,11 @@
 # Defaults to 4
 #
 #gluster_debug_level = 9
+
+# To enhance security, QEMU driver is capable of mounting private
+# devtmpfs for each domain started. This means qemu process is
+# unable to see all the devices on the system, just those
+# configured for the domain in question. Libvirt manages device
+# entries throughout the domain lifetime. This is turned on by
+# default.
+#containerize = 1
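Review bot: The new comment states the feature is on by default but not that it is silently skipped when libvirtd is not privileged, which is what the qemu_domain.c hunk in this patch does; an administrator reading only qemu.conf would expect a private /dev for every domain and, on an unprivileged driver, not get one. Suggest adding a line such as `# This is only effective when libvirtd runs privileged (as root).` just before the `#containerize = 1` example. "mounting private devtmpfs" could also read "mounting a private /dev (devtmpfs)" so the effect is recognisable to operators who do not know the filesystem name.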
diff --git a/src/qemu/qemu_conf.c b/src/qemu/qemu_conf.c
index 9be5b60..5578edd 100644
--- a/src/qemu/qemu_conf.c
+++ b/src/qemu/qemu_conf.c
@@ -314,6 +314,8 @@ virQEMUDriverConfigPtr virQEMUDriverConfigNew(bool privileged)
     cfg->glusterDebugLevel = 4;
     cfg->stdioLogD = true;
 
+    cfg->containerize = true;
+
 #ifdef DEFAULT_LOADER_NVRAM
     if (virFirmwareParseList(DEFAULT_LOADER_NVRAM,
                              &cfg->firmwares,
@@ -798,6 +800,9 @@ int virQEMUDriverConfigLoadFile(virQEMUDriverConfigPtr cfg,
     if (virConfGetValueUInt(conf, "gluster_debug_level", &cfg->glusterDebugLevel) < 0)
         goto cleanup;
 
+    if (virConfGetValueBool(conf, "containerize", &cfg->containerize) < 0)
+        goto cleanup;
+
     ret = 0;
 
  cleanup:
diff --git a/src/qemu/qemu_conf.h b/src/qemu/qemu_conf.h
index d191e10..a21bba4 100644
--- a/src/qemu/qemu_conf.h
+++ b/src/qemu/qemu_conf.h
@@ -90,6 +90,8 @@ struct _virQEMUDriverConfig {
     gid_t group;
     bool dynamicOwnership;
 
+    bool containerize;
+
     int cgroupControllers;
     char **cgroupDeviceACL;
 
diff --git a/src/qemu/qemu_domain.c b/src/qemu/qemu_domain.c
index 0b46336..0719bf9 100644
--- a/src/qemu/qemu_domain.c
+++ b/src/qemu/qemu_domain.c
@@ -7238,7 +7238,8 @@ qemuDomainCreateNamespace(virQEMUDriverPtr driver,
     return 0;
 #endif
 
-    if (!virQEMUDriverIsPrivileged(driver)) {
+    if (!cfg->containerize ||
+        !virQEMUDriverIsPrivileged(driver)) {
         ret = 0;
         goto cleanup;
     }
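Review bot: When `cfg->containerize` is false the function now returns success without leaving any trace, so an operator cannot tell from the logs whether a given domain was started with a private /dev or with full device visibility; a `VIR_DEBUG("Containerization disabled in qemu.conf, not creating namespace");` before `ret = 0;` would make the opt-out auditable. `cfg` is not defined inside the hunk, so I assume it is obtained via virQEMUDriverGetConfig() earlier in qemuDomainCreateNamespace, whose body starts and ends outside the hunk. Worth confirming as well: because the setting is consulted only at namespace-creation time, any other path from the earlier patches in this series (device hotplug, cleanup) should key off the domain's recorded namespace state rather than `cfg->containerize`, otherwise a config reload while a domain is running would make the two disagree.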
diff --git a/src/qemu/test_libvirtd_qemu.aug.in b/src/qemu/test_libvirtd_qemu.aug.in
index f586e95..7b8ebd2 100644
--- a/src/qemu/test_libvirtd_qemu.aug.in
+++ b/src/qemu/test_libvirtd_qemu.aug.in
@@ -91,3 +91,4 @@ module Test_libvirtd_qemu =
 }
 { "stdio_handler" = "logd" }
 { "gluster_debug_level" = "9" }
+{ "containerize" = "1" }
-- 
2.8.4



