1. 17 7月, 2013 2 次提交
    • M
      lxc_container: Don't call virGetGroupList during exec · 192a86ca
      Michal Privoznik 提交于
      Commit 75c12564 states that virGetGroupList must not be called
      between fork and exec, then commit ee777e99 promptly violated
      that for lxc.
      
      Patch originally posted by Eric Blake <eblake@redhat.com>.
      192a86ca
    • M
      lxcCapsInit: Allocate primary security driver unconditionally · 37d96498
      Michal Privoznik 提交于
      Currently, if the primary security driver is 'none', we skip
      initializing caps->host.secModels. This means, later, when LXC domain
      XML is parsed and <seclabel type='none'/> is found (see
      virSecurityLabelDefsParseXML), the model name is not copied to the
      seclabel. This leads to subsequent crash in virSecurityManagerGenLabel
      where we call STREQ() over the model (note, that we are expecting model
      to be !NULL).
      37d96498
  2. 16 7月, 2013 7 次提交
  3. 12 7月, 2013 3 次提交
    • D
      Add a couple of debug statements to LXC driver · f45dbdb2
      Daniel P. Berrange 提交于
      When failing to start a container due to inaccessible root
      filesystem path, we did not log any meaningful error. Add a
      few debug statements to assist diagnosis
      Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>
      f45dbdb2
    • E
      util: make virSetUIDGID async-signal-safe · ee777e99
      Eric Blake 提交于
      https://bugzilla.redhat.com/show_bug.cgi?id=964358
      
      POSIX states that multi-threaded apps should not use functions
      that are not async-signal-safe between fork and exec, yet we
      were using getpwuid_r and initgroups.  Although rare, it is
      possible to hit deadlock in the child, when it tries to grab
      a mutex that was already held by another thread in the parent.
      I actually hit this deadlock when testing multiple domains
      being started in parallel with a command hook, with the following
      backtrace in the child:
      
       Thread 1 (Thread 0x7fd56bbf2700 (LWP 3212)):
       #0  __lll_lock_wait ()
           at ../nptl/sysdeps/unix/sysv/linux/x86_64/lowlevellock.S:136
       #1  0x00007fd5761e7388 in _L_lock_854 () from /lib64/libpthread.so.0
       #2  0x00007fd5761e7257 in __pthread_mutex_lock (mutex=0x7fd56be00360)
           at pthread_mutex_lock.c:61
       #3  0x00007fd56bbf9fc5 in _nss_files_getpwuid_r (uid=0, result=0x7fd56bbf0c70,
           buffer=0x7fd55c2a65f0 "", buflen=1024, errnop=0x7fd56bbf25b8)
           at nss_files/files-pwd.c:40
       #4  0x00007fd575aeff1d in __getpwuid_r (uid=0, resbuf=0x7fd56bbf0c70,
           buffer=0x7fd55c2a65f0 "", buflen=1024, result=0x7fd56bbf0cb0)
           at ../nss/getXXbyYY_r.c:253
       #5  0x00007fd578aebafc in virSetUIDGID (uid=0, gid=0) at util/virutil.c:1031
       #6  0x00007fd578aebf43 in virSetUIDGIDWithCaps (uid=0, gid=0, capBits=0,
           clearExistingCaps=true) at util/virutil.c:1388
       #7  0x00007fd578a9a20b in virExec (cmd=0x7fd55c231f10) at util/vircommand.c:654
       #8  0x00007fd578a9dfa2 in virCommandRunAsync (cmd=0x7fd55c231f10, pid=0x0)
           at util/vircommand.c:2247
       #9  0x00007fd578a9d74e in virCommandRun (cmd=0x7fd55c231f10, exitstatus=0x0)
           at util/vircommand.c:2100
       #10 0x00007fd56326fde5 in qemuProcessStart (conn=0x7fd53c000df0,
           driver=0x7fd55c0dc4f0, vm=0x7fd54800b100, migrateFrom=0x0, stdin_fd=-1,
           stdin_path=0x0, snapshot=0x0, vmop=VIR_NETDEV_VPORT_PROFILE_OP_CREATE,
           flags=1) at qemu/qemu_process.c:3694
       ...
      
      The solution is to split the work of getpwuid_r/initgroups into the
      unsafe portions (getgrouplist, called pre-fork) and safe portions
      (setgroups, called post-fork).
      
      * src/util/virutil.h (virSetUIDGID, virSetUIDGIDWithCaps): Adjust
      signature.
      * src/util/virutil.c (virSetUIDGID): Add parameters.
      (virSetUIDGIDWithCaps): Adjust clients.
      * src/util/vircommand.c (virExec): Likewise.
      * src/util/virfile.c (virFileAccessibleAs, virFileOpenForked)
      (virDirCreate): Likewise.
      * src/security/security_dac.c (virSecurityDACSetProcessLabel):
      Likewise.
      * src/lxc/lxc_container.c (lxcContainerSetID): Likewise.
      * configure.ac (AC_CHECK_FUNCS_ONCE): Check for setgroups, not
      initgroups.
      Signed-off-by: NEric Blake <eblake@redhat.com>
      ee777e99
    • J
      testutils: Resolve Coverity issues · 8283ef9e
      John Ferlan 提交于
      Recent changes uncovered a NEGATIVE_RETURNS in the return from sysconf()
      when processing a for loop in virtTestCaptureProgramExecChild() in
      testutils.c
      
      Code review uncovered 3 other code paths with the same condition that
      weren't found by Covirity, so fixed those as well.
      8283ef9e
  4. 11 7月, 2013 2 次提交
  5. 10 7月, 2013 2 次提交
  6. 09 7月, 2013 3 次提交
  7. 03 7月, 2013 3 次提交
  8. 02 7月, 2013 10 次提交
  9. 25 6月, 2013 1 次提交
  10. 24 6月, 2013 1 次提交
  11. 20 6月, 2013 1 次提交
    • J
      lxc: Resolve issue with GetScheduler APIs for non running domain · 38ada092
      John Ferlan 提交于
      As a consequence of the cgroup layout changes from commit 'cfed9ad4', the
      lxcDomainGetSchedulerParameters[Flags]()' and lxcGetSchedulerType() APIs
      failed to return data for a non running domain.  This can be seen through
      a 'virsh schedinfo <domain>' command which returns:
      
      Scheduler      : Unknown
      error: Requested operation is not valid: cgroup CPU controller is not mounted
      
      Prior to that change a non running domain would return:
      
      Scheduler      : posix
      cpu_shares     : 0
      vcpu_period    : 0
      vcpu_quota     : 0
      emulator_period: 0
      emulator_quota : 0
      
      This patch will restore the capability to return configuration only data
      for a non running domain regardless of whether cgroups are available.
      38ada092
  12. 14 6月, 2013 1 次提交
  13. 06 6月, 2013 1 次提交
  14. 05 6月, 2013 3 次提交
    • D
      Ensure non-root can read /proc/meminfo file in LXC containers · 922ebe4e
      Daniel P. Berrange 提交于
      By default files in a FUSE mount can only be accessed by the
      user which created them, even if the file permissions would
      otherwise allow it. To allow other users to access the FUSE
      mount the 'allow_other' mount option must be used. This bug
      prevented non-root users in an LXC container from reading
      the /proc/meminfo file.
      
      https://bugzilla.redhat.com/show_bug.cgi?id=967977Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>
      922ebe4e
    • D
      Remove legacy code for single-instance devpts filesystem · 61e672b2
      Daniel P. Berrange 提交于
      Earlier commit f7e8653f dropped support for using LXC with
      kernels having single-instance devpts filesystem from the
      LXC controller. It forgot to remove the same code from the
      LXC container setup.
      Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>
      61e672b2
    • E
      maint: don't use config.h in .h files · 1add9c78
      Eric Blake 提交于
      Enforce the rule that .h files don't need to (redundantly)
      include <config.h>.
      
      * cfg.mk (sc_prohibit_config_h_in_headers): New rule.
      (_virsh_includes): Delete; instead, inline a smaller number of
      exclusions...
      (exclude_file_name_regexp--sc_require_config_h)
      (exclude_file_name_regexp--sc_require_config_h_first): ...here.
      * daemon/libvirtd.h (includes): Fix offenders.
      * src/driver.h (includes): Likewise.
      * src/gnutls_1_0_compat.h (includes): Likewise.
      * src/libxl/libxl_conf.h (includes): Likewise.
      * src/libxl/libxl_driver.h (includes): Likewise.
      * src/lxc/lxc_conf.h (includes): Likewise.
      * src/lxc/lxc_driver.h (includes): Likewise.
      * src/lxc/lxc_fuse.h (includes): Likewise.
      * src/network/bridge_driver.h (includes): Likewise.
      * src/phyp/phyp_driver.h (includes): Likewise.
      * src/qemu/qemu_conf.h (includes): Likewise.
      * src/util/virnetlink.h (includes): Likewise.
      Signed-off-by: NEric Blake <eblake@redhat.com>
      1add9c78