[libvirt] [PATCH] network: avoid trying to create global firewall rules if unprivileged

Daniel P. Berrangé posted 1 patch 5 years, 1 month ago
Test syntax-check passed
Patches applied successfully
git fetch https://github.com/patchew-project/libvirt tags/patchew/20190313162402.12002-1-berrange@redhat.com
Posted by Daniel P. Berrangé 5 years, 1 month ago
The unprivileged libvirtd does not have permission to create firewall
rules, or bridge devices, or do anything to the host network in
general. Historically we still activate the network driver though and
let the network start API call fail.

The startup code path which reloads firewall rules on active networks
would thus effectively be a no-op when unprivileged as it is impossible
for there to be any active networks.

With the change to use a global set of firewall chains, however, we now
have code that is run unconditionally.

Ideally we would not register the network driver at all when
unprivileged, but the entanglement with the virt drivers currently makes
that impractical. As a temporary hack, we just make the firewall reload
into a no-op.

Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
---
 src/network/bridge_driver.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/src/network/bridge_driver.c b/src/network/bridge_driver.c
index c3e1381124..7d95675623 100644
--- a/src/network/bridge_driver.c
+++ b/src/network/bridge_driver.c
@@ -2095,6 +2095,10 @@ static void
 networkReloadFirewallRules(virNetworkDriverStatePtr driver, bool startup)
 {
     VIR_INFO("Reloading iptables rules");
+    /* Ideally we'd not even register the driver when unprivilegd
+     * but until we untangle the virt driver that's not viable */
+    if (!driver->privileged)
+        return;
     if (networkPreReloadFirewallRules(startup) < 0)
         return;
     virNetworkObjListForEach(driver->networks,
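Review bot: the new early return at `if (!driver->privileged)` is placed after `VIR_INFO("Reloading iptables rules");`, so an unprivileged daemon still logs that it is reloading firewall rules and then silently does nothing, which makes the log misleading when debugging session-mode networking. Suggest moving the check above the VIR_INFO, or emitting a VIR_DEBUG on the skip path so the log reflects what actually happened. Also, "unprivilegd" in the added comment is a typo for "unprivileged", and since the commit message describes this as a temporary hack, a TODO marker in the comment naming the intended follow-up (not registering the network driver at all when unprivileged) would make it easier to find later.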
-- 
2.20.1

--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list
Re: [libvirt] [PATCH] network: avoid trying to create global firewall rules if unprivileged
Posted by Daniel P. Berrangé 5 years, 1 month ago
ping

On Wed, Mar 13, 2019 at 04:24:02PM +0000, Daniel P. Berrangé wrote:
> The unprivileged libvirtd does not have permission to create firewall
> rules, or bridge devices, or do anything to the host network in
> general. Historically we still activate the network driver though and
> let the network start API call fail.
> 
> The startup code path which reloads firewall rules on active networks
> would thus effectively be a no-op when unprivileged as it is impossible
> for there to be any active networks.
> 
> With the change to use a global set of firewall chains, however, we now
> have code that is run unconditionally.
> 
> Ideally we would not register the network driver at all when
> unprivileged, but the entanglement with the virt drivers currently makes
> that impractical. As a temporary hack, we just make the firewall reload
> into a no-op.
> 
> Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
> ---
>  src/network/bridge_driver.c | 4 ++++
>  1 file changed, 4 insertions(+)
> 
> diff --git a/src/network/bridge_driver.c b/src/network/bridge_driver.c
> index c3e1381124..7d95675623 100644
> --- a/src/network/bridge_driver.c
> +++ b/src/network/bridge_driver.c
> @@ -2095,6 +2095,10 @@ static void
>  networkReloadFirewallRules(virNetworkDriverStatePtr driver, bool startup)
>  {
>      VIR_INFO("Reloading iptables rules");
> +    /* Ideally we'd not even register the driver when unprivilegd
> +     * but until we untangle the virt driver that's not viable */
> +    if (!driver->privileged)
> +        return;
>      if (networkPreReloadFirewallRules(startup) < 0)
>          return;
>      virNetworkObjListForEach(driver->networks,
> -- 
> 2.20.1
> 

Regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|

Re: [libvirt] [PATCH] network: avoid trying to create global firewall rules if unprivileged
Posted by Michal Privoznik 5 years, 1 month ago
On 3/13/19 5:24 PM, Daniel P. Berrangé wrote:
> The unprivileged libvirtd does not have permission to create firewall
> rules, or bridge devices, or do anything to the host network in
> general. Historically we still activate the network driver though and
> let the network start API call fail.
> 
> The startup code path which reloads firewall rules on active networks
> would thus effectively be a no-op when unprivileged as it is impossible
> for there to be any active networks.
> 
> With the change to use a global set of firewall chains, however, we now
> have code that is run unconditionally.
> 
> Ideally we would not register the network driver at all when
> unprivileged, but the entanglement with the virt drivers currently makes
> that impractical. As a temporary hack, we just make the firewall reload
> into a no-op.
> 
> Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
> ---
>   src/network/bridge_driver.c | 4 ++++
>   1 file changed, 4 insertions(+)
> 
> diff --git a/src/network/bridge_driver.c b/src/network/bridge_driver.c
> index c3e1381124..7d95675623 100644
> --- a/src/network/bridge_driver.c
> +++ b/src/network/bridge_driver.c
> @@ -2095,6 +2095,10 @@ static void
>   networkReloadFirewallRules(virNetworkDriverStatePtr driver, bool startup)
>   {
>       VIR_INFO("Reloading iptables rules");
> +    /* Ideally we'd not even register the driver when unprivilegd
> +     * but until we untangle the virt driver that's not viable */
> +    if (!driver->privileged)
> +        return;
>       if (networkPreReloadFirewallRules(startup) < 0)
>           return;
>       virNetworkObjListForEach(driver->networks,
> 

ACK

Michal
