From nobody Mon Sep 16 19:15:47 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of lists.libvirt.org designates 8.43.85.245 as permitted sender) client-ip=8.43.85.245; envelope-from=devel-bounces@lists.libvirt.org; helo=lists.libvirt.org; Authentication-Results: mx.zohomail.com; dkim=fail; spf=pass (zohomail.com: domain of lists.libvirt.org designates 8.43.85.245 as permitted sender) smtp.mailfrom=devel-bounces@lists.libvirt.org; dmarc=fail(p=none dis=none) header.from=redhat.com Return-Path: Received: from lists.libvirt.org (lists.libvirt.org [8.43.85.245]) by mx.zohomail.com with SMTPS id 1718124525536529.5589936862307; Tue, 11 Jun 2024 09:48:45 -0700 (PDT) Received: by lists.libvirt.org (Postfix, from userid 996) id 7D438BAC; Tue, 11 Jun 2024 12:48:44 -0400 (EDT) Received: from lists.libvirt.org (localhost [IPv6:::1]) by lists.libvirt.org (Postfix) with ESMTP id 7616ECCB; Tue, 11 Jun 2024 12:48:11 -0400 (EDT) Received: by lists.libvirt.org (Postfix, from userid 996) id 6DE5EB47; Tue, 11 Jun 2024 12:48:06 -0400 (EDT) Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by lists.libvirt.org (Postfix) with ESMTPS id 0903AB39 for ; Tue, 11 Jun 2024 12:48:06 -0400 (EDT) Received: from mx-prod-mc-01.mail-002.prod.us-west-2.aws.redhat.com (ec2-54-186-198-63.us-west-2.compute.amazonaws.com [54.186.198.63]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-20-lKBbO8WtMoieUEk6dgN0zw-1; Tue, 11 Jun 2024 12:48:04 -0400 Received: from mx-prod-int-05.mail-002.prod.us-west-2.aws.redhat.com (mx-prod-int-05.mail-002.prod.us-west-2.aws.redhat.com [10.30.177.17]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by 
mx-prod-mc-01.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS id 3DDC219560A3 for ; Tue, 11 Jun 2024 16:48:02 +0000 (UTC) Received: from toolbox.redhat.com (unknown [10.42.28.73]) by mx-prod-int-05.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTP id 0549C1956048; Tue, 11 Jun 2024 16:48:00 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on lists.libvirt.org X-Spam-Level: *** X-Spam-Status: No, score=3.0 required=5.0 tests=DKIM_INVALID,DKIM_SIGNED, HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,RCVD_IN_DNSWL_NONE, RCVD_IN_MSPIKE_H4,RCVD_IN_MSPIKE_WL,RCVD_IN_SBL_CSS,SPF_HELO_NONE, T_SCC_BODY_TEXT_LINE autolearn=no autolearn_force=no version=3.4.4 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1718124485; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=LuzRf9ZA1ge+hQDgn31uhPFJlAk1GhKWIyERt9IUh9E=; b=ONx2xXzGen42yVQOFrKFiBGngHOGc9CLmtU7epLijrwH0NIW7zHx8p+DQlOH8Ciy8YmBvR 7P8h+Vs4Va9tnD6cnvX5Sn5C7ZVWexHOMs/H+Qh0CtpHg1wqSKlWAD4RF8GjWpv4Nqvdw9 osWQl+Otgev5wCeCncMzacNUAfYc6kw= X-MC-Unique: lKBbO8WtMoieUEk6dgN0zw-1 
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= To: devel@lists.libvirt.org Cc: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= Subject: [PATCH 1/2] network: skip network driver init if no firewall backend is present Date: Tue, 11 Jun 2024 17:47:57 +0100 Message-ID: <20240611164758.1036695-2-berrange@redhat.com> In-Reply-To: <20240611164758.1036695-1-berrange@redhat.com> References: <20240611164758.1036695-1-berrange@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 3.0 on 10.30.177.17 X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Content-Transfer-Encoding: quoted-printable Message-ID-Hash: EZITBJ3ES6N5B5VTONA3WIIJGXX5WLIE X-Message-ID-Hash: EZITBJ3ES6N5B5VTONA3WIIJGXX5WLIE X-MailFrom: berrange@redhat.com X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-config-1; header-match-config-2; header-match-config-3; header-match-devel.lists.libvirt.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; suspicious-header X-Mailman-Version: 3.2.2 Precedence: list List-Id: Development discussions about the libvirt library & tools Archived-At: List-Archive: List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-ZohoMail-DKIM: fail (Header signature does not verify) X-ZM-MESSAGEID: 1718124525803100001 Content-Type: text/plain; charset="utf-8" If neither iptables nor nftables are present, and no explicit config setting was made, skip network driver initialization, rather than making it a hard error. This allows libvirtd to carry on operating with the network driver disabled, while ensuring virtnetworkd will shutdown. Signed-off-by: Daniel P. Berrang=C3=A9 Reviewed-by: Laine Stump --- src/network/bridge_driver.c | 8 +++++++- src/network/bridge_driver_conf.c | 8 ++++---- 2 files changed, 11 insertions(+), 5 deletions(-) diff --git a/src/network/bridge_driver.c b/src/network/bridge_driver.c index 32572c755f..371bc2bae6 100644 
--- a/src/network/bridge_driver.c +++ b/src/network/bridge_driver.c @@ -588,6 +588,7 @@ networkStateInitialize(bool privileged, #ifdef WITH_FIREWALLD GDBusConnection *sysbus =3D NULL; #endif + int ret =3D VIR_DRV_STATE_INIT_ERROR; =20 if (root !=3D NULL) { virReportError(VIR_ERR_INVALID_ARG, "%s", @@ -611,6 +612,11 @@ networkStateInitialize(bool privileged, if (!(network_driver->config =3D cfg =3D virNetworkDriverConfigNew(pri= vileged))) goto error; =20 + if (network_driver->config->firewallBackend =3D=3D -1) { + ret =3D VIR_DRV_STATE_INIT_SKIPPED; + goto error; + } + if ((network_driver->lockFD =3D virPidFileAcquire(cfg->stateDir, "driver", getpid())) < 0) goto error; @@ -689,7 +695,7 @@ networkStateInitialize(bool privileged, =20 error: networkStateCleanup(); - return VIR_DRV_STATE_INIT_ERROR; + return ret; } =20 =20 diff --git a/src/network/bridge_driver_conf.c b/src/network/bridge_driver_c= onf.c index e2f3613a41..f6c89ddddf 100644 --- a/src/network/bridge_driver_conf.c +++ b/src/network/bridge_driver_conf.c @@ -132,7 +132,7 @@ virNetworkLoadDriverConfig(virNetworkDriverConfig *cfg = G_GNUC_UNUSED, if (fwBackendSelected) { VIR_INFO("using firewall_backend: '%s'", virFirewallBackendTypeToString(cfg->firewallBackend)); - return 0; + return 1; =20 } else if (fwBackendStr) { =20 
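Review bot: in the @@ -611 hunk of bridge_driver.c, `network_driver->config->firewallBackend == -1` compares an enum-typed field against a bare magic number, the same sentinel the bridge_driver_conf.c change stores; a dedicated enumerator for "no usable backend" or an explicit `bool` on the config struct would make that state self-describing at both sites instead of relying on a shared convention. The control flow of the three bridge_driver.c hunks is otherwise consistent: `ret` is initialised to VIR_DRV_STATE_INIT_ERROR in the @@ -588 hunk, only the skip path sets it to VIR_DRV_STATE_INIT_SKIPPED, and the @@ -689 hunk returns `ret` from the `error:` label, so every pre-existing `goto error` still reports an error; a one-line comment on the `error:` label saying that `ret` must be set before jumping there would keep future additions honest.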
@@ -143,9 +143,9 @@ virNetworkLoadDriverConfig(virNetworkDriverConfig *cfg = G_GNUC_UNUSED, return -1; =20 } else { - virReportError(VIR_ERR_INTERNAL_ERROR, "%s", - _("could not find a usable firewall backend")); - return -1; + cfg->firewallBackend =3D -1; + VIR_ERROR(_("could not find a usable firewall backend")); + return 0; } } =20 --=20 2.45.1 From nobody Mon Sep 16 19:15:47 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of lists.libvirt.org designates 8.43.85.245 as permitted sender) client-ip=8.43.85.245; envelope-from=devel-bounces@lists.libvirt.org; helo=lists.libvirt.org; Authentication-Results: mx.zohomail.com; dkim=fail; spf=pass (zohomail.com: domain of lists.libvirt.org designates 8.43.85.245 as permitted sender) smtp.mailfrom=devel-bounces@lists.libvirt.org; dmarc=fail(p=none dis=none) header.from=redhat.com Return-Path: Received: from lists.libvirt.org (lists.libvirt.org [8.43.85.245]) by mx.zohomail.com with SMTPS id 1718124540329517.1338969615804; Tue, 11 Jun 2024 09:49:00 -0700 (PDT) Received: by lists.libvirt.org (Postfix, from userid 996) id 4E3CEBDC; Tue, 11 Jun 2024 12:48:59 -0400 (EDT) Received: from lists.libvirt.org (localhost [IPv6:::1]) by lists.libvirt.org (Postfix) with ESMTP id 23312D3F; Tue, 11 Jun 2024 12:48:13 -0400 (EDT) Received: by lists.libvirt.org (Postfix, from userid 996) id ADA07B6F; Tue, 11 Jun 2024 12:48:06 -0400 (EDT) Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.129.124]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by lists.libvirt.org (Postfix) with ESMTPS id 5082CB43 for ; Tue, 11 Jun 2024 12:48:06 -0400 (EDT) Received: from mx-prod-mc-01.mail-002.prod.us-west-2.aws.redhat.com (ec2-54-186-198-63.us-west-2.compute.amazonaws.com [54.186.198.63]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-611-rBkkviMoPomPechEFHHIww-1; 
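Review bot: in the @@ -143 hunk of bridge_driver_conf.c, the missing-backend case becomes non-fatal (it returns 0 and the driver skips initialisation, per the commit message) yet is still logged with VIR_ERROR; since the daemon now deliberately carries on, VIR_WARN reads better and avoids an error-level log line on every start of a host that simply has no iptables or nftables. Storing -1 into `cfg->firewallBackend` also leaves an out-of-range value in an enum field, so anything that later formats it with virFirewallBackendTypeToString (as the @@ -132 hunk does on the selected-backend path) must be preceded by the -1 check. Finally, with this hunk returning 0 and the @@ -132 hunk now returning 1, virNetworkLoadDriverConfig has a three-valued result (-1 error, 0 no usable backend, 1 backend selected) that nothing in the patch documents; a comment above the function stating that contract is needed, and callers should be checked to test `< 0` for failure rather than `!= 0`, otherwise the new 1 would be treated as an error.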
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= To: devel@lists.libvirt.org Cc: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= Subject: [PATCH 2/2] network: don't attempt to initialize if non-privileged Date: Tue, 11 Jun 2024 17:47:58 +0100 Message-ID: <20240611164758.1036695-3-berrange@redhat.com> In-Reply-To: <20240611164758.1036695-1-berrange@redhat.com> References: <20240611164758.1036695-1-berrange@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 3.0 on 10.30.177.17 X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Content-Transfer-Encoding: quoted-printable Message-ID-Hash: T5ZGWOXUW4QRPFURBI2BGZVKM7URT45M X-Message-ID-Hash: T5ZGWOXUW4QRPFURBI2BGZVKM7URT45M X-MailFrom: berrange@redhat.com X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-config-1; header-match-config-2; header-match-config-3; header-match-devel.lists.libvirt.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; suspicious-header X-Mailman-Version: 3.2.2 Precedence: list List-Id: Development discussions about the libvirt library & tools Archived-At: List-Archive: List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-ZohoMail-DKIM: fail (Header signature does not verify) X-ZM-MESSAGEID: 1718124541898100001 Content-Type: text/plain; charset="utf-8" Running any of the firewall tools is unsupported when non-root. Rather than attempt to initialize the driver, which will then be unusable, just skip initialization entirely and decline startup. This allows libvirtd to carry on operating with the network driver disabled, while ensuring virtnetworkd will shutdown. Signed-off-by: Daniel P. Berrang=C3=A9 Reviewed-by: Laine Stump --- src/network/bridge_driver.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/src/network/bridge_driver.c b/src/network/bridge_driver.c index 371bc2bae6..ce69c56464 100644 --- a/src/network/bridge_driver.c 
+++ b/src/network/bridge_driver.c @@ -596,6 +596,12 @@ networkStateInitialize(bool privileged, return -1; } =20 + /* Can't manipulate the firewall when non-root */ + if (!privileged) { + ret =3D VIR_DRV_STATE_INIT_SKIPPED; + goto error; + } + network_driver =3D g_new0(virNetworkDriverState, 1); =20 network_driver->lockFD =3D -1; --=20 2.45.1
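Review bot: the new `if (!privileged)` block jumps to `error`, which calls networkStateCleanup() and (after patch 1) returns `ret`, but it sits before `network_driver = g_new0(virNetworkDriverState, 1)`, so cleanup now runs with `network_driver` still NULL; the `if (root != NULL)` check immediately above returns -1 directly rather than taking that path, which suggests cleanup was not previously expected to run before allocation. Either confirm that networkStateCleanup() tolerates a NULL `network_driver`, or write `return VIR_DRV_STATE_INIT_SKIPPED;` directly here as the preceding check does. Minor: that preceding check returns a literal -1 where VIR_DRV_STATE_INIT_ERROR would be clearer, and since this series touches the adjacent lines it is a cheap fix to fold in. Refusing to start unprivileged, rather than leaving a driver around that cannot touch the firewall, is the right call; the comment could say explicitly that the networks would otherwise appear to exist without any filtering in place.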