From nobody Mon May 13 21:52:39 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of redhat.com designates 170.10.129.124 as permitted sender) client-ip=170.10.129.124; envelope-from=libvir-list-bounces@redhat.com; helo=us-smtp-delivery-124.mimecast.com; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of redhat.com designates 170.10.129.124 as permitted sender) smtp.mailfrom=libvir-list-bounces@redhat.com; dmarc=pass(p=none dis=none) header.from=redhat.com ARC-Seal: i=1; a=rsa-sha256; t=1647270500; cv=none; d=zohomail.com; s=zohoarc; b=SsBkeRYe7l5hxOSJlGTYuF+2rdIBdrwXRgOV9ihELQDrP71urCclT7lg7EW0U4qvj+zrfzKRb7Du14HU0X3F2xrL/d82dumGExDs8av5fxfmJ+2WyE8DodkHchCG7EEmr0gqSvX8xP/dLrXqEqKjSlPWXAJEeChbO04nVMNGaes= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1647270500; h=Content-Type:Content-Transfer-Encoding:Date:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:To; bh=WLC/SsjqwiHoAktBP+xGpYCuHKyCIq9P4MkQp7L457w=; b=h9xTzH6UUzxUF1Ca3Dq0SAEpXYSy7q/AS59RH9AbQzgyY+iNMAa1CtV6+At/IRkTawH8SpoFBpXRARdUUAr+g5GGqbwWlNTHTXLcZ6e0ioIi5NNegNZvEeMppr80dyy0kppfKrBwo7EnmNQ12XrmZeCr1n5OD/n6IUgRkXmT8V8= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of redhat.com designates 170.10.129.124 as permitted sender) smtp.mailfrom=libvir-list-bounces@redhat.com; dmarc=pass header.from= (p=none dis=none) Return-Path: Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.129.124]) by mx.zohomail.com with SMTPS id 1647270500203122.338898013522; Mon, 14 Mar 2022 08:08:20 -0700 (PDT) Received: from mimecast-mx02.redhat.com (mimecast-mx02.redhat.com [66.187.233.88]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id us-mta-99-Ce4xjSeXNEmD9tImKutjEg-1; Mon, 14 Mar 2022 11:08:19 -0400 Received: from smtp.corp.redhat.com (int-mx07.intmail.prod.int.rdu2.redhat.com [10.11.54.7]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx02.redhat.com (Postfix) with ESMTPS id BCDB783395C; Mon, 14 Mar 2022 15:08:16 +0000 (UTC) Received: from mm-prod-listman-01.mail-001.prod.us-east-1.aws.redhat.com (mm-prod-listman-01.mail-001.prod.us-east-1.aws.redhat.com [10.30.29.100]) by smtp.corp.redhat.com (Postfix) with ESMTP id A96EB141DECD; Mon, 14 Mar 2022 15:08:16 +0000 (UTC) Received: from mm-prod-listman-01.mail-001.prod.us-east-1.aws.redhat.com (localhost [IPv6:::1]) by mm-prod-listman-01.mail-001.prod.us-east-1.aws.redhat.com (Postfix) with ESMTP id 6012C193713C; Mon, 14 Mar 2022 15:07:47 +0000 (UTC) Received: from smtp.corp.redhat.com (int-mx07.intmail.prod.int.rdu2.redhat.com [10.11.54.7]) by mm-prod-listman-01.mail-001.prod.us-east-1.aws.redhat.com (Postfix) with ESMTP id B1CC1194E018 for ; Mon, 14 Mar 2022 15:07:44 +0000 (UTC) Received: by smtp.corp.redhat.com (Postfix) id 906D81410DD5; Mon, 14 Mar 2022 15:07:44 +0000 (UTC) Received: from maggie.redhat.com (unknown [10.43.2.152]) by smtp.corp.redhat.com (Postfix) with ESMTP id 38AD6140EBFE for ; Mon, 14 Mar 2022 15:07:44 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1647270500; h=from:from:sender:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:mime-version:mime-version: content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references:list-id:list-help: list-unsubscribe:list-subscribe:list-post; bh=WLC/SsjqwiHoAktBP+xGpYCuHKyCIq9P4MkQp7L457w=; b=IkkaZZryMzS9C8l0w4Jc7tRgJYjBC6KwKk0vFvn2U8PkNbjT8+BTk0nF6fp9viDHSAxJVD GmHNOuNEuXQjq5UtVX2exwFu5OA+7YCH0HLYVWPX7Z2id+dHR/fHEQr4MqpEBfD7lu40iC OlJ7ePp5706qv7TgDG2kvt58YGsG76I= X-MC-Unique: Ce4xjSeXNEmD9tImKutjEg-1 X-Original-To: libvir-list@listman.corp.redhat.com From: Michal Privoznik To: libvir-list@redhat.com Subject: [PATCH 1/2] qemu_namespace: Don't unlink paths from cgroupDeviceACL Date: Mon, 14 Mar 2022 16:07:41 +0100 Message-Id: In-Reply-To: References: MIME-Version: 1.0 X-Scanned-By: MIMEDefang 2.85 on 10.11.54.7 X-BeenThere: libvir-list@redhat.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Development discussions about the libvirt library & tools List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: libvir-list-bounces@redhat.com Sender: "libvir-list" X-Scanned-By: MIMEDefang 2.85 on 10.11.54.7 Authentication-Results: relay.mimecast.com; auth=pass smtp.auth=CUSA124A263 smtp.mailfrom=libvir-list-bounces@redhat.com X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Content-Transfer-Encoding: quoted-printable X-ZohoMail-DKIM: pass (identity @redhat.com) X-ZM-MESSAGEID: 1647270502311100003 Content-Type: text/plain; charset="utf-8" When building namespace for a domain there are couple of devices that are created independent of domain config (see qemuDomainPopulateDevices()). The idea behind is that these devices are crucial for QEMU or one of its libraries, or user is passing through a device and wants us to create it in the namespace too. That's the reason that these devices are allowed in the devices CGroup controller as well. However, during unplug it may happen that a device is configured to use one of such devices and since we remove /dev nodes on hotplug we would remove such device too. For example, /dev/urandom belongs onto the list of implicit devices and users can hotplug and hotunplug an RNG device with /dev/urandom as backend. The fix is fortunately simple - just consult the list of implicit devices before removing the device from the namespace. Signed-off-by: Michal Privoznik --- src/qemu/qemu_namespace.c | 21 +++++++++++++++++++-- 1 file changed, 19 insertions(+), 2 deletions(-) diff --git a/src/qemu/qemu_namespace.c b/src/qemu/qemu_namespace.c index 3b41d72630..1132fd04e5 100644 --- a/src/qemu/qemu_namespace.c +++ b/src/qemu/qemu_namespace.c @@ -1364,6 +1364,8 @@ qemuNamespaceUnlinkPaths(virDomainObj *vm, if (STRPREFIX(path, QEMU_DEVPREFIX)) { GStrv mount; bool inSubmount =3D false; + const char *const *devices =3D (const char *const *)cfg->cgrou= pDeviceACL; + bool inDevices =3D false; =20 for (mount =3D devMountsPath; *mount; mount++) { if (STREQ(*mount, "/dev")) @@ -1375,8 +1377,23 @@ qemuNamespaceUnlinkPaths(virDomainObj *vm, } } =20 - if (!inSubmount) - unlinkPaths =3D g_slist_prepend(unlinkPaths, g_strdup(path= )); + if (inSubmount) + continue; + + if (!devices) + devices =3D defaultDeviceACL; + + for (; devices; devices++) { + if (STREQ(path, *devices)) { + inDevices =3D true; + break; + } + } + + if (inDevices) + continue; + + unlinkPaths =3D g_slist_prepend(unlinkPaths, g_strdup(path)); } } =20 --=20 2.34.1 From nobody Mon May 13 21:52:39 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of redhat.com designates 170.10.133.124 as permitted sender) client-ip=170.10.133.124; envelope-from=libvir-list-bounces@redhat.com; helo=us-smtp-delivery-124.mimecast.com; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of redhat.com designates 170.10.133.124 as permitted sender) smtp.mailfrom=libvir-list-bounces@redhat.com; dmarc=pass(p=none dis=none) header.from=redhat.com ARC-Seal: i=1; a=rsa-sha256; t=1647270499; cv=none; d=zohomail.com; s=zohoarc; b=HePaMACu+NPg7unpTqMML5NAaKduZPWNvd9x042rP96T+KakBn8cM5R/KCfpEF9innmBRC7wYvLi1lnj8nh7Mp6tTppIVKEklnJct7/OLpeELY/jPaSWr0H2KmVkMAz9bIBDp2rCmOz/7xOCjoFJ1fvsWqjI55T/VBKotDQjTSs= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1647270499; h=Content-Type:Content-Transfer-Encoding:Date:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:To; bh=4zyJIhcsfbFGY0+4SaONWHk07+dXHVlH2HtGoRh0nPE=; b=Rtj/W8MJOl4SwOL2IV9/VTdZTafpik51CQMTGona1gb03qrvonodV1TzlKyau57COUp9DOvoVQsG0+FtvtcPE6uPiV5wMGknQCSyd1axHRYOuie3n8l1AdR5sZ+xMXiSZQ/hPlB+Nte6w3Q5ggeYv0F6+jLhNSSpZpX+3DUN/1A= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of redhat.com designates 170.10.133.124 as permitted sender) smtp.mailfrom=libvir-list-bounces@redhat.com; dmarc=pass header.from= (p=none dis=none) Return-Path: Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124]) by mx.zohomail.com with SMTPS id 1647270499923584.1881588692991; Mon, 14 Mar 2022 08:08:19 -0700 (PDT) Received: from mimecast-mx02.redhat.com (mimecast-mx02.redhat.com [66.187.233.88]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id us-mta-130-fi1LVgE1NCuen_909qLmCQ-1; Mon, 14 Mar 2022 11:08:17 -0400 Received: from smtp.corp.redhat.com (int-mx01.intmail.prod.int.rdu2.redhat.com [10.11.54.1]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx02.redhat.com (Postfix) with ESMTPS id 13FAC899EC5; Mon, 14 Mar 2022 15:08:15 +0000 (UTC) Received: from mm-prod-listman-01.mail-001.prod.us-east-1.aws.redhat.com (mm-prod-listman-01.mail-001.prod.us-east-1.aws.redhat.com [10.30.29.100]) by smtp.corp.redhat.com (Postfix) with ESMTP id F3F9F40F9D56; Mon, 14 Mar 2022 15:08:14 +0000 (UTC) Received: from mm-prod-listman-01.mail-001.prod.us-east-1.aws.redhat.com (localhost [IPv6:::1]) by mm-prod-listman-01.mail-001.prod.us-east-1.aws.redhat.com (Postfix) with ESMTP id 7FF941937130; Mon, 14 Mar 2022 15:07:46 +0000 (UTC) Received: from smtp.corp.redhat.com (int-mx07.intmail.prod.int.rdu2.redhat.com [10.11.54.7]) by mm-prod-listman-01.mail-001.prod.us-east-1.aws.redhat.com (Postfix) with ESMTP id 567B41937117 for ; Mon, 14 Mar 2022 15:07:45 +0000 (UTC) Received: by smtp.corp.redhat.com (Postfix) id 2E0BE1410DD5; Mon, 14 Mar 2022 15:07:45 +0000 (UTC) Received: from maggie.redhat.com (unknown [10.43.2.152]) by smtp.corp.redhat.com (Postfix) with ESMTP id CA6D5140EBFE for ; Mon, 14 Mar 2022 15:07:44 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1647270498; h=from:from:sender:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:mime-version:mime-version: content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references:list-id:list-help: list-unsubscribe:list-subscribe:list-post; bh=4zyJIhcsfbFGY0+4SaONWHk07+dXHVlH2HtGoRh0nPE=; b=C5bMtIJ9PnTfeKZ7oMLeLXOa2JEZm6SeN4cMjaetlLuMpvr7e+XBrl9VggbeNu6LX9tZ+Y yAMR+wcl69bm581eWtpoddxHlv6EEI5x6J0J8EzPZFupT63W93pZuVQk3s8gbqkUj8y1Sm mY93XAMJsOrKqnT9XbKGrYJAcijYkLU= X-MC-Unique: fi1LVgE1NCuen_909qLmCQ-1 X-Original-To: libvir-list@listman.corp.redhat.com From: Michal Privoznik To: libvir-list@redhat.com Subject: [PATCH 2/2] qemu_namespace: Be less aggressive in removing /dev nodes from namespace Date: Mon, 14 Mar 2022 16:07:42 +0100 Message-Id: In-Reply-To: References: MIME-Version: 1.0 X-Scanned-By: MIMEDefang 2.85 on 10.11.54.7 X-BeenThere: libvir-list@redhat.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Development discussions about the libvirt library & tools List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: libvir-list-bounces@redhat.com Sender: "libvir-list" X-Scanned-By: MIMEDefang 2.84 on 10.11.54.1 Authentication-Results: relay.mimecast.com; auth=pass smtp.auth=CUSA124A263 smtp.mailfrom=libvir-list-bounces@redhat.com X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Content-Transfer-Encoding: quoted-printable X-ZohoMail-DKIM: pass (identity @redhat.com) X-ZM-MESSAGEID: 1647270500299100001 Content-Type: text/plain; charset="utf-8" When creating /dev nodes in a QEMU domain's namespace the first thing we simply do is unlink() the path and create it again. This aims to solve the case when a file changed type/major/minor in the host and thus we need to reflect this in the guest's namespace. Fair enough, except we can be a bit more clever about it: firstly check whether the path doesn't already exist or isn't already of the correct type/major/minor and do the unlink+creation only if needed. Currently, this is implemented only for symlinks and block/character devices. For regular files/directories (which are less common) this might be implemented one day, but not today. Signed-off-by: Michal Privoznik --- Use --ignore-space-change for the best experience. src/qemu/qemu_namespace.c | 71 ++++++++++++++++++++++++--------------- 1 file changed, 44 insertions(+), 27 deletions(-) diff --git a/src/qemu/qemu_namespace.c b/src/qemu/qemu_namespace.c index 1132fd04e5..0714a2d0de 100644 --- a/src/qemu/qemu_namespace.c +++ b/src/qemu/qemu_namespace.c @@ -948,38 +948,55 @@ qemuNamespaceMknodOne(qemuNamespaceMknodItem *data) } =20 if (isLink) { - VIR_DEBUG("Creating symlink %s -> %s", data->file, data->target); + g_autoptr(GError) gerr =3D NULL; + g_autofree char *target =3D NULL; =20 - /* First, unlink the symlink target. Symlinks change and - * therefore we have no guarantees that pre-existing - * symlink is still valid. */ - if (unlink(data->file) < 0 && - errno !=3D ENOENT) { - virReportSystemError(errno, - _("Unable to remove symlink %s"), - data->file); - goto cleanup; - } - - if (symlink(data->target, data->file) < 0) { - virReportSystemError(errno, - _("Unable to create symlink %s (pointing = to %s)"), - data->file, data->target); - goto cleanup; + if ((target =3D g_file_read_link(data->file, &gerr)) && + STREQ(target, data->target)) { + VIR_DEBUG("Skipping symlink %s -> %s which exists and points t= o correct target", + data->file, data->target); } else { - delDevice =3D true; + VIR_DEBUG("Creating symlink %s -> %s", data->file, data->targe= t); + + /* First, unlink the symlink target. Symlinks change and + * therefore we have no guarantees that pre-existing + * symlink is still valid. */ + if (unlink(data->file) < 0 && + errno !=3D ENOENT) { + virReportSystemError(errno, + _("Unable to remove symlink %s"), + data->file); + goto cleanup; + } + + if (symlink(data->target, data->file) < 0) { + virReportSystemError(errno, + _("Unable to create symlink %s (point= ing to %s)"), + data->file, data->target); + goto cleanup; + } else { + delDevice =3D true; + } } } else if (isDev) { - VIR_DEBUG("Creating dev %s (%d,%d)", - data->file, major(data->sb.st_rdev), minor(data->sb.st_r= dev)); - unlink(data->file); - if (mknod(data->file, data->sb.st_mode, data->sb.st_rdev) < 0) { - virReportSystemError(errno, - _("Unable to create device %s"), - data->file); - goto cleanup; + GStatBuf sb; + + if (g_lstat(data->file, &sb) >=3D 0 && + sb.st_rdev =3D=3D data->sb.st_rdev) { + VIR_DEBUG("Skipping dev %s (%d,%d) which exists and has correc= t MAJ:MIN", + data->file, major(data->sb.st_rdev), minor(data->sb= .st_rdev)); } else { - delDevice =3D true; + VIR_DEBUG("Creating dev %s (%d,%d)", + data->file, major(data->sb.st_rdev), minor(data->sb.= st_rdev)); + unlink(data->file); + if (mknod(data->file, data->sb.st_mode, data->sb.st_rdev) < 0)= { + virReportSystemError(errno, + _("Unable to create device %s"), + data->file); + goto cleanup; + } else { + delDevice =3D true; + } } } else if (isReg || isDir) { /* We are not cleaning up disks on virDomainDetachDevice --=20 2.34.1