ping

On Wed, Mar 13, 2019 at 04:24:02PM +0000, Daniel P. Berrangé wrote:
> The unprivileged libvirtd does not have permission to create firewall
> rules, or bridge devices, or do anything to the host network in
> general. Historically we still activate the network driver though and
> let the network start API call fail.
> 
> The startup code path which reloads firewall rules on active networks
> would thus effectively be a no-op when unprivileged as it is impossible
> for there to be any active networks
> 
> With the change to use a global set of firewall chains, however, we now
> have code that is run unconditionally.
> 
> Ideally we would not register the network driver at all when
> unprivileged, but the entanglement with the virt drivers currently makes
> that impractical. As a temporary hack, we just make the firewall reload
> into a no-op.
> 
> Signed-off-by: Daniel P. Berrangé <berrange@xxxxxxxxxx>
> ---
>  src/network/bridge_driver.c | 4 ++++
>  1 file changed, 4 insertions(+)
> 
> diff --git a/src/network/bridge_driver.c b/src/network/bridge_driver.c
> index c3e1381124..7d95675623 100644
> --- a/src/network/bridge_driver.c
> +++ b/src/network/bridge_driver.c
> @@ -2095,6 +2095,10 @@ static void
>  networkReloadFirewallRules(virNetworkDriverStatePtr driver, bool startup)
>  {
>      VIR_INFO("Reloading iptables rules");
> +    /* Ideally we'd not even register the driver when unprivilegd
> +     * but until we untangle the virt driver that's not viable */
> +    if (!driver->privileged)
> +        return;
>      if (networkPreReloadFirewallRules(startup) < 0)
>          return;
>      virNetworkObjListForEach(driver->networks,
> -- 
> 2.20.1
> 

Regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
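Review bot: the new early return in networkReloadFirewallRules() sits after `VIR_INFO("Reloading iptables rules");`, so an unprivileged daemon still logs that it is reloading firewall rules when it then does nothing, which will mislead anyone debugging from the log; move `if (!driver->privileged) return;` above the VIR_INFO, or replace the message on that path with a debug-level "skipping firewall reload, daemon is unprivileged", so the log reflects what actually happened. The check is correctly placed before networkPreReloadFirewallRules(startup), which is the call that would attempt to create the global chains, so the unprivileged path no longer touches iptables at all and the `startup` loop over driver->networks is skipped, consistent with the commit message's point that no network can be active in that mode. Also fix the typo "unprivilegd" in the added comment.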