From: Michal Privoznik
To: libvir-list@redhat.com
Subject: [PATCH 1/4] qemu_namespace: Tolerate missing ACLs when creating a path in namespace
Date: Mon, 12 Sep 2022 15:46:38 +0200
List-Id: Development discussions about the libvirt library & tools

When creating a path in a domain's mount namespace we try to set ACLs on it, so that it's a verbatim copy of the path in the parent's namespace. The ACLs are queried upfront (by qemuNamespaceMknodItemInit()) but this is fault tolerant so the pointer to ACLs might be NULL (meaning no ACLs were queried, for instance because the underlying filesystem does not support them). But then we take this NULL and pass it to virFileSetACLs() which immediately returns an error because NULL is an invalid value.

Mimic what we do with the SELinux label - just set it if we queried it successfully before.

Signed-off-by: Michal Privoznik
Reviewed-by: Martin Kletzander
---
 src/qemu/qemu_namespace.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/src/qemu/qemu_namespace.c b/src/qemu/qemu_namespace.c
index 98cd794666..71e3366ca5 100644
--- a/src/qemu/qemu_namespace.c
+++ b/src/qemu/qemu_namespace.c
@@ -1040,8 +1040,7 @@ qemuNamespaceMknodOne(qemuNamespaceMknodItem *data) goto cleanup; } =20 - /* Symlinks don't have ACLs. */ - if (!isLink && + if (data->acl && virFileSetACLs(data->file, data->acl) < 0 && errno !=3D ENOTSUP) { virReportSystemError(errno,
-- 
2.35.1

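Review bot: Dropping `!isLink &&` together with the `/* Symlinks don't have ACLs. */` comment widens the condition from "not a symlink and ACLs were queried" to just "ACLs were queried"; the two are only equivalent if qemuNamespaceMknodItemInit() guarantees that `data->acl` stays NULL for symlink items, and the commit message does not say so. Either keep the guard (`if (!isLink && data->acl && virFileSetACLs(data->file, data->acl) < 0 && errno != ENOTSUP)`) or state in the commit message why `data->acl` cannot be set for a link. If `isLink` has no other use in this function after the change, the compiler will also flag it as unused.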
From: Michal Privoznik
To: libvir-list@redhat.com
Subject: [PATCH 2/4] qemu_namespace: Fix a corner case in qemuDomainGetPreservedMounts()
Date: Mon, 12 Sep 2022 15:46:39 +0200
List-Id: Development discussions about the libvirt library & tools

When setting up a namespace for QEMU we look at mount points under /dev (like /dev/pts, /dev/mqueue/, etc.) because we want to preserve those (which is done by moving them to a temp location, unshare(), and then moving them back). We have a convenience helper - qemuDomainGetPreservedMounts() - that processes the mount table and (optionally) moves the other filesystems too. This helper is also used when attempting to create a path in NS, because the path, while starting with the "/dev/" prefix, may actually lead to one of those filesystems that we preserved.

And here comes the corner case: while we require the parent mount table to be in shared mode (equivalent of `mount --make-rshared /'), these mount events propagate iff the target path exists inside the slave mount table (= QEMU's private namespace). And since we create only a subset of /dev nodes, well, that assumption is not always the case.

For instance, assume that a domain is already running, no hugepages were configured for it nor any hugetlbfs is mounted. Now, when a hugetlbfs is mounted into '/dev/hugepages', this is propagated into the QEMU's namespace, but since the target dir does not exist in the private /dev, the FS is not mounted in the namespace.

Fortunately, this difference between namespaces is visible when comparing /proc/mounts and /proc/$PID/mounts (where PID is the QEMU's PID). Therefore, if possible we should look at the latter.

Signed-off-by: Michal Privoznik
Reviewed-by: Martin Kletzander
---
 src/qemu/qemu_namespace.c | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/src/qemu/qemu_namespace.c b/src/qemu/qemu_namespace.c
index 71e3366ca5..807ec37c91 100644
--- a/src/qemu/qemu_namespace.c
+++ b/src/qemu/qemu_namespace.c
@@ -109,6 +109,8 @@ qemuDomainGetPreservedMountPath(virQEMUDriverConfig *cf= g, * b) generate backup path for all the entries in a) * * Any of the return pointers can be NULL. Both arrays are NULL-terminated. + * Get the mount table either from @vm's PID (if running), or from the + * namespace we're in (if @vm's not running). * * Returns 0 on success, -1 otherwise (with error reported) */
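Review bot: The two added comment lines land between "Both arrays are NULL-terminated." and the "Returns 0 on success" line, where they read as part of the return-value description rather than of what the function does; move them up next to the a)/b) description of the function's inputs, and write "if @vm is not running" rather than "@vm's not running". It would also help to say there why the per-PID table is preferred (it can differ from the host's /proc/mounts when a target directory is missing inside the namespace), since that is the whole reason for the change.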
@@ -123,12 +125,18 @@ qemuDomainGetPreservedMounts(virQEMUDriverConfig *cfg, size_t nmounts =3D 0; g_auto(GStrv) paths =3D NULL; g_auto(GStrv) savePaths =3D NULL; + g_autofree char *mountsPath =3D NULL; size_t i; =20 if (ndevPath) *ndevPath =3D 0; =20 - if (virFileGetMountSubtree(QEMU_PROC_MOUNTS, "/dev", &mounts, &nmounts= ) < 0) + if (vm->pid > 0) + mountsPath =3D g_strdup_printf("/proc/%lld/mounts", (long long) vm= ->pid); + else + mountsPath =3D g_strdup(QEMU_PROC_MOUNTS); + + if (virFileGetMountSubtree(mountsPath, "/dev", &mounts, &nmounts) < 0) return -1; =20 if (nmounts =3D=3D 0)
-- 
2.35.1

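Review bot: The `vm->pid > 0` branch reads /proc/<pid>/mounts with no fallback: if the QEMU process exits between the PID check and the read, virFileGetMountSubtree() fails on a path that no longer exists and the function now returns -1 where the old code would have read QEMU_PROC_MOUNTS and succeeded. Consider falling back to QEMU_PROC_MOUNTS when the per-PID path is missing, or, if every caller holds the domain object locked so the PID cannot change underneath, say so in a comment. A recycled PID would likewise yield an unrelated process's mount table without any error; a short comment on why that cannot happen here would save the next reader the question.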
From: Michal Privoznik
To: libvir-list@redhat.com
Subject: [PATCH 3/4] qemu_namespace: Introduce qemuDomainNamespaceSetupPath()
Date: Mon, 12 Sep 2022 15:46:40 +0200
List-Id: Development discussions about the libvirt library & tools

Sometimes it may come in handy to just bind mount a directory/file into a domain's namespace. Implement a thin wrapper over qemuNamespaceMknodPaths() which has all the logic we need.

Signed-off-by: Michal Privoznik
Reviewed-by: Martin Kletzander
---
 src/qemu/qemu_namespace.c | 19 +++++++++++++++++++
 src/qemu/qemu_namespace.h |  4 ++++
 2 files changed, 23 insertions(+)

diff --git a/src/qemu/qemu_namespace.c b/src/qemu/qemu_namespace.c
index 807ec37c91..09e235e120 100644
--- a/src/qemu/qemu_namespace.c
+++ b/src/qemu/qemu_namespace.c
@@ -1424,6 +1424,25 @@ qemuNamespaceUnlinkPaths(virDomainObj *vm, } =20 =20 +int +qemuDomainNamespaceSetupPath(virDomainObj *vm, + const char *path, + bool *created) +{ + g_autoptr(virGSListString) paths =3D NULL; + + if (!qemuDomainNamespaceEnabled(vm, QEMU_DOMAIN_NS_MOUNT)) + return 0; + + paths =3D g_slist_prepend(paths, g_strdup(path)); + + if (qemuNamespaceMknodPaths(vm, paths, created) < 0) + return -1; + + return 0; +} + + int qemuDomainNamespaceSetupDisk(virDomainObj *vm, virStorageSource *src, diff --git a/src/qemu/qemu_namespace.h b/src/qemu/qemu_namespace.h index fbea865c70..85d990f460 100644 --- a/src/qemu/qemu_namespace.h +++ b/src/qemu/qemu_namespace.h 
@@ -48,6 +48,10 @@ void qemuDomainDestroyNamespace(virQEMUDriver *driver, =20 bool qemuDomainNamespaceAvailable(qemuDomainNamespace ns); =20 +int qemuDomainNamespaceSetupPath(virDomainObj *vm, + const char *path, + bool *created); + int qemuDomainNamespaceSetupDisk(virDomainObj *vm, virStorageSource *src, bool *created);
-- 
2.35.1

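Review bot: The new qemuDomainNamespaceSetupPath() in the qemu_namespace.c hunk has no doc comment, and its contract is not obvious from the body: the early `return 0` when the mount namespace is disabled makes "nothing was done" indistinguishable from success, and `*created` is left untouched on that path, so a caller that does not pre-initialise it reads an indeterminate value. Document what the function does (bind mounts @path into @vm's namespace via qemuNamespaceMknodPaths()), when @created is set, and whether NULL is accepted for @created (patch 4/4 passes NULL, so this must hold for qemuNamespaceMknodPaths() too), and consider setting `*created = false` before the early return when the pointer is non-NULL.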
From: Michal Privoznik
To: libvir-list@redhat.com
Subject: [PATCH 4/4] qemu_process.c: Propagate hugetlbfs mounts on reconnect
Date: Mon, 12 Sep 2022 15:46:41 +0200
Message-Id: <0badb1083471e46d9975b91fd8b24ceb40ff6b4c.1662990291.git.mprivozn@redhat.com>
List-Id: Development discussions about the libvirt library & tools

When reconnecting to a running QEMU process, we construct the per-domain path in all hugetlbfs mounts. This is a relic from the past (v3.4.0-100-g5b24d25062) where we switched to a per-domain path and we want to create those paths when libvirtd restarts on upgrade. And with namespaces enabled there is one corner case where the path is not created. In fact an error is reported and the reconnect fails.

Ideally, all mount events are propagated into the QEMU's namespace. And they probably are, except when the target path does not exist inside the namespace. Now, it's pretty common for users to mount hugetlbfs under /dev (e.g. /dev/hugepages), but if a domain is started without hugepages (or more specifically - the private hugetlbfs path wasn't created on domain startup), then the reconnect code tries to create it. But it fails to do so, well, it fails to set seclabels on the path because the path does not exist in the private namespace. And it doesn't exist because we specifically create only a subset of all possible /dev nodes. Therefore, the mount event, whilst propagated, is not successful and hence the filesystem is not mounted. We have to do it ourselves.

If hugetlbfs is mounted anywhere else there's no problem and this is effectively dead code.

Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2123196
Signed-off-by: Michal Privoznik
Reviewed-by: Martin Kletzander
---
 docs/kbase/qemu-passthrough-security.rst | 6 ------
 src/qemu/qemu_process.c                  | 3 +++
 2 files changed, 3 insertions(+), 6 deletions(-)

diff --git a/docs/kbase/qemu-passthrough-security.rst b/docs/kbase/qemu-passthrough-security.rst
index 106c3cc5b9..ef10d8af9b 100644
--- a/docs/kbase/qemu-passthrough-security.rst
+++ b/docs/kbase/qemu-passthrough-security.rst
@@ -172,9 +172,3 @@ command before any guest is started: :: =20 # mount --make-rshared / - -Another requirement for dynamic mount point propagation is to not place -``hugetlbfs`` mount points under ``/dev`` because these won't be propagate= d as -corresponding directories do not exist in the private namespace. Or just u= se -``memfd`` memory backend instead which does not require ``hugetlbfs`` mount -points.
diff --git a/src/qemu/qemu_process.c b/src/qemu/qemu_process.c
index cbfdd3bda5..b05ad059c3 100644
--- a/src/qemu/qemu_process.c
+++ b/src/qemu/qemu_process.c
@@ -3976,6 +3976,9 @@ qemuProcessBuildDestroyMemoryPathsImpl(virQEMUDriver = *driver, return -1; } =20 + if (qemuDomainNamespaceSetupPath(vm, path, NULL) < 0) + return -1; + if (qemuSecurityDomainSetPathLabel(driver, vm, path, true) < 0) return -1; } else {
-- 
2.35.1
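Review bot: The added qemuDomainNamespaceSetupPath() call in the qemu_process.c hunk has no comment at the call site, yet the commit message says it only matters when hugetlbfs is mounted under /dev and is dead code otherwise; a one-line comment explaining that the directory must exist inside the domain's namespace before qemuSecurityDomainSetPathLabel() can label it would stop the call from being removed as redundant later. Also worth a look: if qemuSecurityDomainSetPathLabel() fails immediately afterwards, nothing in this hunk undoes the path just created inside the namespace; if leaving it behind is intended (it is cleaned up with the namespace), a comment saying so would help, otherwise the error path needs to remove it.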