src/lxc/lxc_conf.c | 3 ++- src/lxc/lxc_conf.h | 3 ++- src/lxc/lxc_controller.c | 2 +- src/lxc/lxc_driver.c | 5 ++++- tests/testutilslxc.c | 2 +- 5 files changed, 10 insertions(+), 5 deletions(-)
Attempting to create a lxc domain with <seclabel type='none'/> fails
virsh --connect lxc:/// create distro_nosec.xml
error: Failed to create domain from distro_nosec.xml
error: unsupported configuration: Security driver model '(null)' is not available
The lxc driver does not set a default security driver model in the XML
parser config, causing seclabels of type='none' to have a null model.
The lxc driver's security manager is initialized in lxcStateInitialize()
by calling lxcSecurityInit(). Use the model of this manager as the
default in the XML parser config.
Signed-off-by: Jim Fehlig <jfehlig@suse.com>
---
Kind'a, sort'a a V2 of
https://www.redhat.com/archives/libvir-list/2020-December/msg00186.html
It's quite a different approach to solving the problem than that patch.
src/lxc/lxc_conf.c | 3 ++-
src/lxc/lxc_conf.h | 3 ++-
src/lxc/lxc_controller.c | 2 +-
src/lxc/lxc_driver.c | 5 ++++-
tests/testutilslxc.c | 2 +-
5 files changed, 10 insertions(+), 5 deletions(-)
diff --git a/src/lxc/lxc_conf.c b/src/lxc/lxc_conf.c
index 13da6c4586..e6ad91205e 100644
--- a/src/lxc/lxc_conf.c
+++ b/src/lxc/lxc_conf.c
@@ -209,9 +209,10 @@ virCapsPtr virLXCDriverGetCapabilities(virLXCDriverPtr driver,
virDomainXMLOptionPtr
-lxcDomainXMLConfInit(virLXCDriverPtr driver)
+lxcDomainXMLConfInit(virLXCDriverPtr driver, const char *defsecmodel)
{
virLXCDriverDomainDefParserConfig.priv = driver;
+ virLXCDriverDomainDefParserConfig.defSecModel = defsecmodel;
return virDomainXMLOptionNew(&virLXCDriverDomainDefParserConfig,
&virLXCDriverPrivateDataCallbacks,
&virLXCDriverDomainXMLNamespace,
diff --git a/src/lxc/lxc_conf.h b/src/lxc/lxc_conf.h
index f2f0e0a570..664bafc7b9 100644
--- a/src/lxc/lxc_conf.h
+++ b/src/lxc/lxc_conf.h
@@ -112,7 +112,8 @@ int virLXCLoadDriverConfig(virLXCDriverConfigPtr cfg,
virCapsPtr virLXCDriverCapsInit(virLXCDriverPtr driver);
virCapsPtr virLXCDriverGetCapabilities(virLXCDriverPtr driver,
bool refresh);
-virDomainXMLOptionPtr lxcDomainXMLConfInit(virLXCDriverPtr driver);
+virDomainXMLOptionPtr lxcDomainXMLConfInit(virLXCDriverPtr driver,
+ const char *defsecmodel);
static inline void lxcDriverLock(virLXCDriverPtr driver)
{
diff --git a/src/lxc/lxc_controller.c b/src/lxc/lxc_controller.c
index 97de0408b6..67e5e63d00 100644
--- a/src/lxc/lxc_controller.c
+++ b/src/lxc/lxc_controller.c
@@ -169,7 +169,7 @@ virLXCControllerDriverNew(void)
}
driver->caps = virLXCDriverCapsInit(NULL);
- driver->xmlopt = lxcDomainXMLConfInit(driver);
+ driver->xmlopt = lxcDomainXMLConfInit(driver, NULL);
return driver;
}
diff --git a/src/lxc/lxc_driver.c b/src/lxc/lxc_driver.c
index d0503ef2ea..9d94c703ea 100644
--- a/src/lxc/lxc_driver.c
+++ b/src/lxc/lxc_driver.c
@@ -1470,6 +1470,7 @@ static int lxcStateInitialize(bool privileged,
{
virLXCDriverConfigPtr cfg = NULL;
bool autostart = true;
+ const char *defsecmodel;
if (root != NULL) {
virReportError(VIR_ERR_INVALID_ARG, "%s",
@@ -1525,7 +1526,9 @@ static int lxcStateInitialize(bool privileged,
if (!(lxc_driver->hostdevMgr = virHostdevManagerGetDefault()))
goto cleanup;
- if (!(lxc_driver->xmlopt = lxcDomainXMLConfInit(lxc_driver)))
+ defsecmodel = virSecurityManagerGetModel(lxc_driver->securityManager);
+
+ if (!(lxc_driver->xmlopt = lxcDomainXMLConfInit(lxc_driver, defsecmodel)))
goto cleanup;
if (!(lxc_driver->closeCallbacks = virCloseCallbacksNew()))
diff --git a/tests/testutilslxc.c b/tests/testutilslxc.c
index b5e2f542e7..e15ea2bd32 100644
--- a/tests/testutilslxc.c
+++ b/tests/testutilslxc.c
@@ -71,7 +71,7 @@ testLXCDriverInit(void)
}
driver->caps = testLXCCapsInit();
- driver->xmlopt = lxcDomainXMLConfInit(driver);
+ driver->xmlopt = lxcDomainXMLConfInit(driver, NULL);
return driver;
}
--
2.29.2
On 12/4/20 12:25 AM, Jim Fehlig wrote:
> Attempting to create a lxc domain with <seclabel type='none'/> fails
>
> virsh --connect lxc:/// create distro_nosec.xml
> error: Failed to create domain from distro_nosec.xml
> error: unsupported configuration: Security driver model '(null)' is not available
>
> The lxc driver does not set a default security driver model in the XML
> parser config, causing seclabels of type='none' to have a null model.
> The lxc driver's security manager is initialized in lxcStateInitialize()
> by calling lxcSecurityInit(). Use the model of this manager as the
> default in the XML parser config.
>
> Signed-off-by: Jim Fehlig <jfehlig@suse.com>
> ---
>
> Kind'a, sort'a a V2 of
>
> https://www.redhat.com/archives/libvir-list/2020-December/msg00186.html
>
> It's quite a different approach to solving the problem than that patch.
>
> src/lxc/lxc_conf.c | 3 ++-
> src/lxc/lxc_conf.h | 3 ++-
> src/lxc/lxc_controller.c | 2 +-
> src/lxc/lxc_driver.c | 5 ++++-
> tests/testutilslxc.c | 2 +-
> 5 files changed, 10 insertions(+), 5 deletions(-)
>
> }
> diff --git a/src/lxc/lxc_driver.c b/src/lxc/lxc_driver.c
> index d0503ef2ea..9d94c703ea 100644
> --- a/src/lxc/lxc_driver.c
> +++ b/src/lxc/lxc_driver.c
> @@ -1470,6 +1470,7 @@ static int lxcStateInitialize(bool privileged,
> {
> virLXCDriverConfigPtr cfg = NULL;
> bool autostart = true;
> + const char *defsecmodel;
>
> if (root != NULL) {
> virReportError(VIR_ERR_INVALID_ARG, "%s",
> @@ -1525,7 +1526,9 @@ static int lxcStateInitialize(bool privileged,
> if (!(lxc_driver->hostdevMgr = virHostdevManagerGetDefault()))
> goto cleanup;
>
> - if (!(lxc_driver->xmlopt = lxcDomainXMLConfInit(lxc_driver)))
> + defsecmodel = virSecurityManagerGetModel(lxc_driver->securityManager);
> +
Some trailing spaces.
> + if (!(lxc_driver->xmlopt = lxcDomainXMLConfInit(lxc_driver, defsecmodel)))
> goto cleanup;
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
Michal
On Thu, Dec 03, 2020 at 04:25:42PM -0700, Jim Fehlig wrote:
> Attempting to create a lxc domain with <seclabel type='none'/> fails
>
> virsh --connect lxc:/// create distro_nosec.xml
> error: Failed to create domain from distro_nosec.xml
> error: unsupported configuration: Security driver model '(null)' is not available
Is this a regression, or has it always been broken like this ?
>
> The lxc driver does not set a default security driver model in the XML
> parser config, causing seclabels of type='none' to have a null model.
> The lxc driver's security manager is initialized in lxcStateInitialize()
> by calling lxcSecurityInit(). Use the model of this manager as the
> default in the XML parser config.
>
> Signed-off-by: Jim Fehlig <jfehlig@suse.com>
> ---
>
> Kind'a, sort'a a V2 of
>
> https://www.redhat.com/archives/libvir-list/2020-December/msg00186.html
>
> It's quite a different approach to solving the problem than that patch.
>
> src/lxc/lxc_conf.c | 3 ++-
> src/lxc/lxc_conf.h | 3 ++-
> src/lxc/lxc_controller.c | 2 +-
> src/lxc/lxc_driver.c | 5 ++++-
> tests/testutilslxc.c | 2 +-
> 5 files changed, 10 insertions(+), 5 deletions(-)
>
> diff --git a/src/lxc/lxc_conf.c b/src/lxc/lxc_conf.c
> index 13da6c4586..e6ad91205e 100644
> --- a/src/lxc/lxc_conf.c
> +++ b/src/lxc/lxc_conf.c
> @@ -209,9 +209,10 @@ virCapsPtr virLXCDriverGetCapabilities(virLXCDriverPtr driver,
>
>
> virDomainXMLOptionPtr
> -lxcDomainXMLConfInit(virLXCDriverPtr driver)
> +lxcDomainXMLConfInit(virLXCDriverPtr driver, const char *defsecmodel)
> {
> virLXCDriverDomainDefParserConfig.priv = driver;
> + virLXCDriverDomainDefParserConfig.defSecModel = defsecmodel;
> return virDomainXMLOptionNew(&virLXCDriverDomainDefParserConfig,
> &virLXCDriverPrivateDataCallbacks,
> &virLXCDriverDomainXMLNamespace,
> diff --git a/src/lxc/lxc_conf.h b/src/lxc/lxc_conf.h
> index f2f0e0a570..664bafc7b9 100644
> --- a/src/lxc/lxc_conf.h
> +++ b/src/lxc/lxc_conf.h
> @@ -112,7 +112,8 @@ int virLXCLoadDriverConfig(virLXCDriverConfigPtr cfg,
> virCapsPtr virLXCDriverCapsInit(virLXCDriverPtr driver);
> virCapsPtr virLXCDriverGetCapabilities(virLXCDriverPtr driver,
> bool refresh);
> -virDomainXMLOptionPtr lxcDomainXMLConfInit(virLXCDriverPtr driver);
> +virDomainXMLOptionPtr lxcDomainXMLConfInit(virLXCDriverPtr driver,
> + const char *defsecmodel);
>
> static inline void lxcDriverLock(virLXCDriverPtr driver)
> {
> diff --git a/src/lxc/lxc_controller.c b/src/lxc/lxc_controller.c
> index 97de0408b6..67e5e63d00 100644
> --- a/src/lxc/lxc_controller.c
> +++ b/src/lxc/lxc_controller.c
> @@ -169,7 +169,7 @@ virLXCControllerDriverNew(void)
> }
>
> driver->caps = virLXCDriverCapsInit(NULL);
> - driver->xmlopt = lxcDomainXMLConfInit(driver);
> + driver->xmlopt = lxcDomainXMLConfInit(driver, NULL);
>
> return driver;
> }
> diff --git a/src/lxc/lxc_driver.c b/src/lxc/lxc_driver.c
> index d0503ef2ea..9d94c703ea 100644
> --- a/src/lxc/lxc_driver.c
> +++ b/src/lxc/lxc_driver.c
> @@ -1470,6 +1470,7 @@ static int lxcStateInitialize(bool privileged,
> {
> virLXCDriverConfigPtr cfg = NULL;
> bool autostart = true;
> + const char *defsecmodel;
>
> if (root != NULL) {
> virReportError(VIR_ERR_INVALID_ARG, "%s",
> @@ -1525,7 +1526,9 @@ static int lxcStateInitialize(bool privileged,
> if (!(lxc_driver->hostdevMgr = virHostdevManagerGetDefault()))
> goto cleanup;
>
> - if (!(lxc_driver->xmlopt = lxcDomainXMLConfInit(lxc_driver)))
> + defsecmodel = virSecurityManagerGetModel(lxc_driver->securityManager);
> +
> + if (!(lxc_driver->xmlopt = lxcDomainXMLConfInit(lxc_driver, defsecmodel)))
> goto cleanup;
>
> if (!(lxc_driver->closeCallbacks = virCloseCallbacksNew()))
> diff --git a/tests/testutilslxc.c b/tests/testutilslxc.c
> index b5e2f542e7..e15ea2bd32 100644
> --- a/tests/testutilslxc.c
> +++ b/tests/testutilslxc.c
> @@ -71,7 +71,7 @@ testLXCDriverInit(void)
> }
>
> driver->caps = testLXCCapsInit();
> - driver->xmlopt = lxcDomainXMLConfInit(driver);
> + driver->xmlopt = lxcDomainXMLConfInit(driver, NULL);
>
> return driver;
> }
> --
> 2.29.2
>
>
Regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
On 12/4/20 2:35 AM, Daniel P. Berrangé wrote: > On Thu, Dec 03, 2020 at 04:25:42PM -0700, Jim Fehlig wrote: >> Attempting to create a lxc domain with <seclabel type='none'/> fails >> >> virsh --connect lxc:/// create distro_nosec.xml >> error: Failed to create domain from distro_nosec.xml >> error: unsupported configuration: Security driver model '(null)' is not available > > Is this a regression, or has it always been broken like this ? It's a regression. Works with libvirt 5.1.0 but not 6.0.0. Do you want me to dig further and try to finger a commit? Regards, Jim
On Fri, Dec 04, 2020 at 05:12:14PM -0700, Jim Fehlig wrote: > On 12/4/20 2:35 AM, Daniel P. Berrangé wrote: > > On Thu, Dec 03, 2020 at 04:25:42PM -0700, Jim Fehlig wrote: > > > Attempting to create a lxc domain with <seclabel type='none'/> fails > > > > > > virsh --connect lxc:/// create distro_nosec.xml > > > error: Failed to create domain from distro_nosec.xml > > > error: unsupported configuration: Security driver model '(null)' is not available > > > > Is this a regression, or has it always been broken like this ? > > It's a regression. Works with libvirt 5.1.0 but not 6.0.0. Do you want me to > dig further and try to finger a commit? Yea, if you could find the commit causing it that'd be great, as I'm not entirely convinced by the change here. Regards, Daniel -- |: https://berrange.com -o- https://www.flickr.com/photos/dberrange :| |: https://libvirt.org -o- https://fstop138.berrange.com :| |: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
On 12/7/20 10:28 AM, Daniel P. Berrangé wrote: > On Fri, Dec 04, 2020 at 05:12:14PM -0700, Jim Fehlig wrote: >> On 12/4/20 2:35 AM, Daniel P. Berrangé wrote: >>> On Thu, Dec 03, 2020 at 04:25:42PM -0700, Jim Fehlig wrote: >>>> Attempting to create a lxc domain with <seclabel type='none'/> fails >>>> >>>> virsh --connect lxc:/// create distro_nosec.xml >>>> error: Failed to create domain from distro_nosec.xml >>>> error: unsupported configuration: Security driver model '(null)' is not available >>> >>> Is this a regression, or has it always been broken like this ? >> >> It's a regression. Works with libvirt 5.1.0 but not 6.0.0. Do you want me to >> dig further and try to finger a commit? > > Yea, if you could find the commit causing it that'd be great, as I'm not > entirely convinced by the change here. I thought I dig the commit here, didn't I? https://www.redhat.com/archives/libvir-list/2020-December/msg00245.html Michal
On Mon, Dec 07, 2020 at 11:40:49AM +0100, Michal Privoznik wrote: > On 12/7/20 10:28 AM, Daniel P. Berrangé wrote: > > On Fri, Dec 04, 2020 at 05:12:14PM -0700, Jim Fehlig wrote: > > > On 12/4/20 2:35 AM, Daniel P. Berrangé wrote: > > > > On Thu, Dec 03, 2020 at 04:25:42PM -0700, Jim Fehlig wrote: > > > > > Attempting to create a lxc domain with <seclabel type='none'/> fails > > > > > > > > > > virsh --connect lxc:/// create distro_nosec.xml > > > > > error: Failed to create domain from distro_nosec.xml > > > > > error: unsupported configuration: Security driver model '(null)' is not available > > > > > > > > Is this a regression, or has it always been broken like this ? > > > > > > It's a regression. Works with libvirt 5.1.0 but not 6.0.0. Do you want me to > > > dig further and try to finger a commit? > > > > Yea, if you could find the commit causing it that'd be great, as I'm not > > entirely convinced by the change here. > > I thought I dig the commit here, didn't I? > > https://www.redhat.com/archives/libvir-list/2020-December/msg00245.html Ah, i missed that reply. This makes more sense now. Can you just reference that in the commit message before pushing this. Regards, Daniel -- |: https://berrange.com -o- https://www.flickr.com/photos/dberrange :| |: https://libvirt.org -o- https://fstop138.berrange.com :| |: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
On 12/7/20 3:47 AM, Daniel P. Berrangé wrote: > On Mon, Dec 07, 2020 at 11:40:49AM +0100, Michal Privoznik wrote: >> On 12/7/20 10:28 AM, Daniel P. Berrangé wrote: >>> On Fri, Dec 04, 2020 at 05:12:14PM -0700, Jim Fehlig wrote: >>>> On 12/4/20 2:35 AM, Daniel P. Berrangé wrote: >>>>> On Thu, Dec 03, 2020 at 04:25:42PM -0700, Jim Fehlig wrote: >>>>>> Attempting to create a lxc domain with <seclabel type='none'/> fails >>>>>> >>>>>> virsh --connect lxc:/// create distro_nosec.xml >>>>>> error: Failed to create domain from distro_nosec.xml >>>>>> error: unsupported configuration: Security driver model '(null)' is not available >>>>> >>>>> Is this a regression, or has it always been broken like this ? >>>> >>>> It's a regression. Works with libvirt 5.1.0 but not 6.0.0. Do you want me to >>>> dig further and try to finger a commit? >>> >>> Yea, if you could find the commit causing it that'd be great, as I'm not >>> entirely convinced by the change here. >> >> I thought I dig the commit here, didn't I? >> >> https://www.redhat.com/archives/libvir-list/2020-December/msg00245.html > > Ah, i missed that reply. This makes more sense now. Can you just reference > that in the commit message before pushing this. I added a note referencing the commit and pushed the patch. Regards, Jim
© 2016 - 2026 Red Hat, Inc.