[meta-virtualization] [PATCH] libvirt: Don't fail when mounting securityfs with containers
Purcareata Bogdan-B43198
B43198 at freescale.com
Mon Sep 30 06:51:43 PDT 2013
> -----Original Message-----
> From: asselsm at gmail.com [mailto:asselsm at gmail.com] On Behalf Of Mark Asselstine
> Sent: Monday, September 30, 2013 4:24 PM
> To: Purcareata Bogdan-B43198
> Cc: meta-virtualization at yoctoproject.org
> Subject: Re: [meta-virtualization] [PATCH] libvirt: Don't fail when mounting securityfs with
> containers
>
> On Mon, Sep 30, 2013 at 6:40 AM, Bogdan Purcareata
> <bogdan.purcareata at freescale.com> wrote:
> > When starting containers under libvirt, the code will automatically
> > try to mount securityfs in the new mount namespace. Since securityfs
> > support is not available on all embedded platforms, add runtime check
> > of its presence in the current running kernel. Based on this, mount
> > securityfs in libvirt containers.
> >
> > Signed-off-by: Bogdan Purcareata <bogdan.purcareata at freescale.com>
> > ---
> > .../Don-t-fail-when-mounting-securityfs.patch | 101 +++++++++++++++++++++
> > recipes-extended/libvirt/libvirt_1.1.2.bb | 3 +-
> > 2 files changed, 103 insertions(+), 1 deletion(-)
> > create mode 100644 recipes-extended/libvirt/libvirt/Don-t-fail-when-mounting-securityfs.patch
>
> Bogdan,
>
> I was actually preparing a similar commit but using a slightly
> different strategy. There are three upstream libvirt commits related
> to this that I had applied (I just hadn't tested it yet so hadn't sent
> this out for review).
>
> 1583dfda7c4e5ad71efe0615c06e5676528d8203
> [LXC: Don't mount securityfs when user namespace enabled]
>
> f27f5f7eddf531159d791a2b5ac438ca011b5f26
> [Move array of mounts out of lxcContainerMountBasicFS]
>
> 1c7037cff42dde35913dde533b31ee1da8c2d6e0
> [LXC: don't try to mount selinux filesystem when user namespace enabled]
>
> These will apply cleanly in this order. I figured if we did this for
> securityfs we might as well also do the same for selinux. The middle
> commit just provides context to allow the 3rd patch to apply cleanly.
> How do you suppose we move ahead?
>
> Mark
Hello Mark,
I also made a version of this patch for upstream libvirt master, and sent it on the developer list [1]. It applies cleanly after the 3 patches you mentioned above.
One option is to include these 3 patches in the libvirt recipe, and then submit our work as well. If you haven't finished work on the selinux patch, I can send you the version of my patch, so you can apply it to your working branch.
Can you describe the strategy you want to use?
[1] https://www.redhat.com/archives/libvir-list/2013-September/msg01449.html
>
>
>
> >
> > diff --git a/recipes-extended/libvirt/libvirt/Don-t-fail-when-mounting-securityfs.patch b/recipes-
> extended/libvirt/libvirt/Don-t-fail-when-mounting-securityfs.patch
> > new file mode 100644
> > index 0000000..865dcb5
> > --- /dev/null
> > +++ b/recipes-extended/libvirt/libvirt/Don-t-fail-when-mounting-securityfs.patch
> > @@ -0,0 +1,101 @@
> > +From 258c44b56fca2b4095fc1cf76e2a3baf0ce3f33f Mon Sep 17 00:00:00 2001
> > +From: Bogdan Purcareata <bogdan.purcareata at freescale.com>
> > +Date: Wed, 25 Sep 2013 13:19:47 +0300
> > +Subject: [PATCH] Don't fail when mounting securityfs when it's not supported
> > +
> > +Signed-off-by: Bogdan Purcareata <bogdan.purcareata at freescale.com>
> > +---
> > + src/lxc/lxc_container.c | 59 +++++++++++++++++++++++++++++++++++++++++++++++++
> > + 1 file changed, 59 insertions(+)
> > +
> > +diff --git a/src/lxc/lxc_container.c b/src/lxc/lxc_container.c
> > +index 8abaea0..a44c9ef 100644
> > +--- a/src/lxc/lxc_container.c
> > ++++ b/src/lxc/lxc_container.c
> > +@@ -509,6 +509,59 @@ static int lxcContainerChildMountSort(const void *a, const void *b)
> > + # define MS_SLAVE (1<<19)
> > + #endif
> > +
> > ++/*
> > ++ * This function attempts to detect kernel support
> > ++ * for a specific filesystem type. This is done by
> > ++ * inspecting /proc/filesystems.
> > ++ */
> > ++static int lxcCheckFSSupport(const char *fs_type)
> > ++{
> > ++ FILE *fp = NULL;
> > ++ int ret = -1;
> > ++ const char *fslist = "/proc/filesystems";
> > ++ char *line = NULL;
> > ++ const char *type;
> > ++
> > ++ if(!fs_type)
> > ++ return 1;
> > ++
> > ++ VIR_DEBUG("Checking kernel support for %s", fs_type);
> > ++
> > ++ VIR_DEBUG("Open %s", fslist);
> > ++ if (!(fp = fopen(fslist, "r"))) {
> > ++ if (errno == ENOENT)
> > ++
> > ++ virReportSystemError(errno,
> > ++ _("Unable to read %s"),
> > ++ fslist);
> > ++ goto cleanup;
> > ++ }
> > ++
> > ++ while (!feof(fp)) {
> > ++ size_t n;
> > ++ VIR_FREE(line);
> > ++ if (getline(&line, &n, fp) <= 0) {
> > ++ if (feof(fp))
> > ++ break;
> > ++
> > ++ goto cleanup;
> > ++ }
> > ++
> > ++ type = strstr(line, fs_type);
> > ++ if (type) {
> > ++ ret = 1;
> > ++ goto cleanup;
> > ++ }
> > ++ }
> > ++
> > ++ ret = 0;
> > ++
> > ++cleanup:
> > ++ VIR_FREE(line);
> > ++ VIR_FORCE_FCLOSE(fp);
> > ++ return ret;
> > ++}
> > ++
> > + static int lxcContainerGetSubtree(const char *prefix,
> > + char ***mountsret,
> > + size_t *nmountsret)
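Review bot: the error path in lxcCheckFSSupport reports an error and then lets the mount go ahead anyway. When fopen() on /proc/filesystems fails the function returns -1, after calling virReportSystemError() only for ENOENT; the caller (next hunk) tests `!lxcCheckFSSupport(mnts[i].type)`, and since -1 is non-zero the entry is not skipped, so a libvirt error is left set while the mount is still attempted. Either return 0 (unsupported) when /proc/filesystems is absent, or make the helper a plain bool and have the caller deal with failure explicitly; the blank line between `if (errno == ENOENT)` and the `virReportSystemError(...)` call also hides which statement the condition guards, and the unconditional `goto cleanup` below it makes the ENOENT test look accidental. Separately, `strstr(line, fs_type)` matches substrings, so asking for "tmpfs" would be satisfied by a "devtmpfs" line; compare the whitespace-separated last field with STREQ instead. Minor: `size_t n` should be initialised to 0 before getline() since `line` is NULL on every pass, and libvirt style is `if (!fs_type)` with a space.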
> > +@@ -784,17 +837,23 @@ static int lxcContainerMountBasicFS(void)
> > +
> > + for (i = 0; i < ARRAY_CARDINALITY(mnts); i++) {
> > + const char *srcpath = NULL;
> > ++ const char *dstpath = NULL;
> > +
> > + VIR_DEBUG("Processing %s -> %s",
> > + mnts[i].src, mnts[i].dst);
> > +
> > + srcpath = mnts[i].src;
> > ++ dstpath = mnts[i].dst;
> > +
> > + /* Skip if mount doesn't exist in source */
> > + if ((srcpath[0] == '/') &&
> > + (access(srcpath, R_OK) < 0))
> > + continue;
> > +
> > ++ if ((access(dstpath, R_OK) < 0) || /* mount is not present on host */
> > ++ (!lxcCheckFSSupport(mnts[i].type))) /* no fs support in kernel */
> > ++ continue;
> > ++
> > + #if WITH_SELINUX
> > + if (STREQ(mnts[i].src, SELINUX_MOUNT) &&
> > + !is_selinux_enabled())
> > +--
> > +1.7.11.7
> > +
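Review bot: the `access(dstpath, R_OK) < 0` test is a second behaviour change that the commit message does not mention: any entry whose mount target `mnts[i].dst` is missing is now skipped silently, independent of kernel support, and the comment `/* mount is not present on host */` describes a host-side check while the path tested is the target path of the container mount. If the goal is only to avoid failing on securityfs, drop the dstpath test (or justify it on its own, and use F_OK rather than R_OK if existence is what matters). The `!lxcCheckFSSupport(...)` condition also treats the helper's -1 error return as "supported"; spell out the three cases in the caller rather than relying on `!` over a tri-state value.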
> > diff --git a/recipes-extended/libvirt/libvirt_1.1.2.bb b/recipes-extended/libvirt/libvirt_1.1.2.bb
> > index cfb406d..240f3d2 100644
> > --- a/recipes-extended/libvirt/libvirt_1.1.2.bb
> > +++ b/recipes-extended/libvirt/libvirt_1.1.2.bb
> > @@ -25,7 +25,8 @@ RCONFLICTS_${PN}_libvirtd = "connman"
> > SRC_URI = "http://libvirt.org/sources/libvirt-${PV}.tar.gz \
> > file://tools-add-libvirt-net-rpc-to-virt-host-validate-when.patch \
> > file://libvirtd.sh \
> > - file://libvirtd.conf"
> > + file://libvirtd.conf \
> > + file://Don-t-fail-when-mounting-securityfs.patch"
> >
> > SRC_URI[md5sum] = "1835bbfa492099bce12e2934870e5611"
> > SRC_URI[sha256sum] = "16648af54d3e162f5cc5445d970ec29a0bd55b1dbcb568a05533c4c2f25965e3"
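Review bot: the patch file this hunk adds to SRC_URI carries no `Upstream-Status:` line in its header (only From/Date/Subject/Signed-off-by are present in the first hunk), which OpenEmbedded layers require for every recipe patch. Since the same change has been sent to libvir-list, `Upstream-Status: Submitted [https://www.redhat.com/archives/libvir-list/2013-September/msg01449.html]` would be the appropriate tag; the SRC_URI continuation lines themselves look fine.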
> > --
> > 1.7.11.7
> >
> >
> > _______________________________________________
> > meta-virtualization mailing list
> > meta-virtualization at yoctoproject.org
> > https://lists.yoctoproject.org/listinfo/meta-virtualization