[libvirt] [PATCH] nwfilter: Handle opening for session

Daniel P. Berrangé berrange at redhat.com
Fri Aug 24 10:26:47 UTC 2018 

On Thu, Aug 23, 2018 at 08:54:53AM -0400, John Ferlan wrote:
> https://bugzilla.redhat.com/show_bug.cgi?id=1608275
> 
> Commit id 2870419eb (in part) added virGetConnectNWFilter to
> allow opening drivers (interface, network, nwfilter, nodedev,
> secret, and storage) based on context and commit id f14c37ce4c
> started using the API; however, the nwfilterConnectOpen did
> not handle session mode resulting in the following message
> being logged when virDomainConfVMNWFilterTeardown was called
> during the domain shutdown processing:
> 
> error : nwfilterConnectOpen:383 : internal error: unexpected
> nwfilter URI path '/session', try nwfilter:///system
> 
> So similar to the other drivers add code in to check for
> /session when not privileged.
> 
> Signed-off-by: John Ferlan <jferlan at redhat.com>
> ---
>  src/nwfilter/nwfilter_driver.c | 19 ++++++++++++++-----
>  1 file changed, 14 insertions(+), 5 deletions(-)
> 
> diff --git a/src/nwfilter/nwfilter_driver.c b/src/nwfilter/nwfilter_driver.c
> index ac3a964388..6c25293fd9 100644
> --- a/src/nwfilter/nwfilter_driver.c
> +++ b/src/nwfilter/nwfilter_driver.c
> @@ -377,11 +377,20 @@ nwfilterConnectOpen(virConnectPtr conn,
>          return VIR_DRV_OPEN_ERROR;
>      }
>  
> -    if (STRNEQ(conn->uri->path, "/system")) {
> -        virReportError(VIR_ERR_INTERNAL_ERROR,
> -                       _("unexpected nwfilter URI path '%s', try nwfilter:///system"),
> -                       conn->uri->path);
> -        return VIR_DRV_OPEN_ERROR;
> +    if (driver->privileged) {
> +        if (STRNEQ(conn->uri->path, "/system")) {
> +            virReportError(VIR_ERR_INTERNAL_ERROR,
> +                           _("unexpected nwfilter URI path '%s', try nwfilter:///system"),
> +                           conn->uri->path);
> +            return VIR_DRV_OPEN_ERROR;
> +        }
> +    } else {
> +        if (STRNEQ(conn->uri->path, "/session")) {
> +            virReportError(VIR_ERR_INTERNAL_ERROR,
> +                           _("unexpected nwfilter URI path '%s', try nwfilter:///session"),
> +                           conn->uri->path);
> +            return VIR_DRV_OPEN_ERROR;
> +        }
>      }

This isn't right - we should never open the driver in session mode - the
nwfilterStateInitialize() method explicitly skips initialization in an
unprivileged daemon because sesson mode is not supported.

So I think we need to change the virt drivers to not blindly run this
cleanup code in session mode.

Regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|

More information about the libvir-list mailing list