On 6/11/24 12:47 PM, Daniel P. Berrangé wrote:
> Running any of the firewall tools is unsupported when non-root. Rather
> than attempt to initialize the driver, which will then be unusable,
> just skip initialization entirely and decline startup.
>
> This allows libvirtd to carry on operating with the network driver
> disabled, while ensuring virtnetworkd will shut down.
>
> Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
> ---
> src/network/bridge_driver.c | 6 ++++++
> 1 file changed, 6 insertions(+)
>
> diff --git a/src/network/bridge_driver.c b/src/network/bridge_driver.c
> index 371bc2bae6..ce69c56464 100644
> --- a/src/network/bridge_driver.c
> +++ b/src/network/bridge_driver.c
> @@ -596,6 +596,12 @@ networkStateInitialize(bool privileged,
> return -1;
> }
>
> + /* Can't manipulate the firewall when non-root */
> + if (!privileged) {
> + ret = VIR_DRV_STATE_INIT_SKIPPED;
> + goto error;
> + }
> +
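
Review bot: the `if (!privileged)` branch reaches its result through `goto error`, so a deliberate, non-failing skip shares the failure path, and it only runs after an earlier step that can still `return -1`. It is worth confirming that the code at `error` leaves `ret` as `VIR_DRV_STATE_INIT_SKIPPED` and reports no error, and considering whether the check can move ahead of that earlier step so an unprivileged start cannot fail before it is skipped. A `VIR_DEBUG` line in the branch saying the network driver is skipped for non-root would also make the reason visible in logs, since the comment alone does not reach an operator.
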
Reviewed-by: Laine Stump <laine@redhat.com>
About once every 3 or 4 years I've wondered why we load the network
driver for unprivileged libvirt, since it's unusable. I haven't had the
attention span to ask anyone and write this patch though :-)