On Thu, Jul 30, 2009 at 03:00:53PM +0100, Daniel P. Berrange wrote: > > There is a minor bug when running QEMU non-root, and having > capng enabled. libvirt is unable to write the PID file in > /var/run/libvirt/qemu, since its now owned by 'qemu', but > libvirtd has dropped all capabilties at this point. The fix > is to delay dropping capabilities until after the PID file > has been created. We should also be sure to kill the child > if writing the PID file fails [...] > diff --git a/src/qemu_driver.c b/src/qemu_driver.c > index 9fb8506..26897d3 100644 > --- a/src/qemu_driver.c > +++ b/src/qemu_driver.c > @@ -468,7 +468,7 @@ qemudStartup(int privileged) { > goto out_of_memory; > > if (virAsprintf(&qemu_driver->stateDir, > - "%s/run/libvirt/qemu/", LOCAL_STATE_DIR) == -1) > + "%s/run/libvirt/qemu", LOCAL_STATE_DIR) == -1) > goto out_of_memory; > } else { > uid_t uid = geteuid(); unrelated but fine > diff --git a/src/util.c b/src/util.c > index ee64b28..39aae24 100644 > --- a/src/util.c > +++ b/src/util.c > @@ -513,12 +513,6 @@ __virExec(virConnectPtr conn, > if ((hook)(data) != 0) > _exit(1); > > - /* The hook above may need todo something privileged, so > - * we delay clearing capabilities until now */ > - if ((flags & VIR_EXEC_CLEAR_CAPS) && > - virClearCapabilities() < 0) > - _exit(1); > - > /* Daemonize as late as possible, so the parent process can detect > * the above errors with wait* */ > if (flags & VIR_EXEC_DAEMON) { > @@ -543,6 +537,9 @@ __virExec(virConnectPtr conn, > > if (pid > 0) { > if (pidfile && virFileWritePidPath(pidfile,pid)) { > + kill(pid, SIGTERM); > + usleep(500*1000); > + kill(pid, SIGTERM); > virReportSystemError(conn, errno, > "%s", _("could not write pidfile")); > _exit(1); minor nitpick I would error first and then do the kill > @@ -551,6 +548,12 @@ __virExec(virConnectPtr conn, > } > } > > + /* The steps above may need todo something privileged, so > + * we delay clearing capabilities until the last minute */ > + if ((flags & VIR_EXEC_CLEAR_CAPS) && > + virClearCapabilities() < 0) > + _exit(1); > + > if (envp) > execve(argv[0], (char **) argv, (char**)envp); > else > ACK, Daniel -- Daniel Veillard | libxml Gnome XML XSLT toolkit http://xmlsoft.org/ daniel@xxxxxxxxxxxx | Rpmfind RPM search engine http://rpmfind.net/ http://veillard.com/ | virtualization library http://libvirt.org/ -- Libvir-list mailing list Libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list