[libvirt] [PATCH] network: avoid trying to create global firewall rules if unprivileged
Michal Privoznik
mprivozn at redhat.com
Tue Mar 19 09:55:37 UTC 2019
On 3/13/19 5:24 PM, Daniel P. Berrangé wrote:
> The unprivileged libvirtd does not have permission to create firewall
> rules, or bridge devices, or do anything to the host network in
> general. Historically we still activate the network driver though and
> let the network start API call fail.
>
> The startup code path which reloads firewall rules on active networks
> would thus effectively be a no-op when unprivileged as it is impossible
> for there to be any active networks.
>
> With the change to use a global set of firewall chains, however, we now
> have code that is run unconditionally.
>
> Ideally we would not register the network driver at all when
> unprivileged, but the entanglement with the virt drivers currently makes
> that impractical. As a temporary hack, we just make the firewall reload
> into a no-op.
>
> Signed-off-by: Daniel P. Berrangé <berrange at redhat.com>
> ---
> src/network/bridge_driver.c | 4 ++++
> 1 file changed, 4 insertions(+)
>
> diff --git a/src/network/bridge_driver.c b/src/network/bridge_driver.c
> index c3e1381124..7d95675623 100644
> --- a/src/network/bridge_driver.c
> +++ b/src/network/bridge_driver.c
> @@ -2095,6 +2095,10 @@ static void
> networkReloadFirewallRules(virNetworkDriverStatePtr driver, bool startup)
> {
> VIR_INFO("Reloading iptables rules");
> + /* Ideally we'd not even register the driver when unprivilegd
> + * but until we untangle the virt driver that's not viable */
> + if (!driver->privileged)
> + return;
> if (networkPreReloadFirewallRules(startup) < 0)
> return;
> virNetworkObjListForEach(driver->networks,
>
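Review bot: the early return in networkReloadFirewallRules() is placed after the VIR_INFO("Reloading iptables rules") call, so an unprivileged libvirtd still logs that it is reloading iptables rules and then silently does nothing, which will mislead anyone reading the log while debugging why no firewall rules appear. Suggest moving the `if (!driver->privileged) return;` check (with its comment) above the VIR_INFO, or emitting a VIR_DEBUG such as "Not privileged, skipping firewall reload" before returning, so the skip is visible in the log. Also, the comment in the added lines has a typo: "unprivilegd" should read "unprivileged".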
ACK
Michal