[libvirt] [PATCH] network: avoid trying to create global firewall rules if unprivileged

[Daniel P. Berrangé]

ping

On Wed, Mar 13, 2019 at 04:24:02PM +0000, Daniel P. Berrangé wrote:
> The unprivileged libvirtd does not have permission to create firewall
> rules, or bridge devices, or do anything to the host network in
> general. Historically we still activate the network driver though and
> let the network start API call fail.
> 
> The startup code path which reloads firewall rules on active networks
> would thus effectively be a no-op when unprivileged as it is impossible
> for there to be any active networks
> 
> With the change to use a global set of firewall chains, however, we now
> have code that is run unconditionally.
> 
> Ideally we would not register the network driver at all when
> unprivileged, but the entanglement with the virt drivers currently makes
> that impractical. As a temporary hack, we just make the firewall reload
> into a no-op.
> 
> Signed-off-by: Daniel P. Berrangé <berrange at redhat.com>
> ---
>  src/network/bridge_driver.c | 4 ++++
>  1 file changed, 4 insertions(+)
> 
> diff --git a/src/network/bridge_driver.c b/src/network/bridge_driver.c
> index c3e1381124..7d95675623 100644
> --- a/src/network/bridge_driver.c
> +++ b/src/network/bridge_driver.c
> @@ -2095,6 +2095,10 @@ static void
>  networkReloadFirewallRules(virNetworkDriverStatePtr driver, bool startup)
>  {
>      VIR_INFO("Reloading iptables rules");
> +    /* Ideally we'd not even register the driver when unprivilegd
> +     * but until we untangle the virt driver that's not viable */
> +    if (!driver->privileged)
> +        return;
>      if (networkPreReloadFirewallRules(startup) < 0)
>          return;
>      virNetworkObjListForEach(driver->networks,
> -- 
> 2.20.1
> 

Regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|