[PATCH 2/2] network: don't attempt to initialize if non-privileged

Daniel P. Berrangé posted 2 patches 3 months, 1 week ago
Posted by Daniel P. Berrangé 3 months, 1 week ago
Running any of the firewall tools is unsupported when non-root. Rather
than attempt to initialize the driver, which will then be unusable,
just skip initialization entirely and decline startup.

This allows libvirtd to carry on operating with the network driver
disabled, while ensuring virtnetworkd will shut down.

Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
---
 src/network/bridge_driver.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/src/network/bridge_driver.c b/src/network/bridge_driver.c
index 371bc2bae6..ce69c56464 100644
--- a/src/network/bridge_driver.c
+++ b/src/network/bridge_driver.c
@@ -596,6 +596,12 @@ networkStateInitialize(bool privileged,
         return -1;
     }
 
+    /* Can't manipulate the firewall when non-root */
+    if (!privileged) {
+        ret = VIR_DRV_STATE_INIT_SKIPPED;
+        goto error;
+    }
+
     network_driver = g_new0(virNetworkDriverState, 1);
 
     network_driver->lockFD = -1;
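
Review bot: the `goto error` in the new `if (!privileged)` branch runs before `network_driver = g_new0(virNetworkDriverState, 1);`, so whatever cleanup sits under `error` executes with the driver state not yet allocated, and the label name suggests a failure path for what is a deliberate skip. The check just above in the context exits with a plain `return -1;`, so a direct `return VIR_DRV_STATE_INIT_SKIPPED;` here would match it and avoid depending on the cleanup code. If the jump is kept, please confirm the `error` path tolerates an unallocated `network_driver` and leaves `ret` untouched.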
-- 
2.45.1
Re: [PATCH 2/2] network: don't attempt to initialize if non-privileged
Posted by Laine Stump 3 months ago
On 6/11/24 12:47 PM, Daniel P. Berrangé wrote:
> Running any of the firewall tools is unsupported when non-root. Rather
> than attempt to initialize the driver, which will then be unusable,
> just skip initialization entirely and decline startup.
> 
> This allows libvirtd to carry on operating with the network driver
> disabled, while ensuring virtnetworkd will shut down.
> 
> Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
> ---
>   src/network/bridge_driver.c | 6 ++++++
>   1 file changed, 6 insertions(+)
> 
> diff --git a/src/network/bridge_driver.c b/src/network/bridge_driver.c
> index 371bc2bae6..ce69c56464 100644
> --- a/src/network/bridge_driver.c
> +++ b/src/network/bridge_driver.c
> @@ -596,6 +596,12 @@ networkStateInitialize(bool privileged,
>           return -1;
>       }
>   
> +    /* Can't manipulate the firewall when non-root */
> +    if (!privileged) {
> +        ret = VIR_DRV_STATE_INIT_SKIPPED;
> +        goto error;
> +    }
> +
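
Review bot: the skip in the `if (!privileged)` branch is silent. The only explanation is the source comment, so an operator whose unprivileged daemon has no network driver gets no trace of why. Consider a debug-level log line in the branch saying initialization was skipped because the daemon is not privileged, and extending the comment to note the effect described in the commit message: libvirtd carries on with the driver disabled, while virtnetworkd shuts down.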

Reviewed-by: Laine Stump <laine@redhat.com>

About once every 3 or 4 years I've wondered why we load the network 
driver for unprivileged libvirt, since it's unusable. I haven't had the 
attention span to ask anyone and write this patch though :-)