rpms/libvirt
5
0
Fork 1
Code Issues Pull Requests Releases Activity
d670e246d0
libvirt/0005-network-avoid-trying-to-create-global-firewall-rules.patch
Daniel P. Berrangé d670e246d0 Fix rbd upgrade compat & deprecations and networking 
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
2019-03-20 17:42:59 +00:00

51 lines
2.0 KiB
Diff
Raw Blame History

From 3e02ee9b5da7fc7197aaa6d57563349a7670b8a1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
Date: Wed, 13 Mar 2019 16:21:15 +0000
Subject: [PATCH 5/5] network: avoid trying to create global firewall rules if
unprivileged
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The unprivileged libvirtd does not have permission to create firewall
rules, or bridge devices, or do anything to the host network in
general. Historically we still activate the network driver though and
let the network start API call fail.
The startup code path which reloads firewall rules on active networks
would thus effectively be a no-op when unprivileged as it is impossible
for there to be any active networks
With the change to use a global set of firewall chains, however, we now
have code that is run unconditionally.
Ideally we would not register the network driver at all when
unprivileged, but the entanglement with the virt drivers currently makes
that impractical. As a temporary hack, we just make the firewall reload
into a no-op.
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
(cherry picked from commit 5d010c3df6152cf5fb00f1f67d22151241f4a8a2)
---
src/network/bridge_driver.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/src/network/bridge_driver.c b/src/network/bridge_driver.c
index 1da60f0a21..0e1d5efd8e 100644
--- a/src/network/bridge_driver.c
+++ b/src/network/bridge_driver.c
@@ -2108,6 +2108,10 @@ static void
networkReloadFirewallRules(virNetworkDriverStatePtr driver, bool startup)
{
VIR_INFO("Reloading iptables rules");
+ /* Ideally we'd not even register the driver when unprivilegd
+ * but until we untangle the virt driver that's not viable */
+ if (!driver->privileged)
+ return;
networkPreReloadFirewallRules(startup);
virNetworkObjListForEach(driver->networks,
networkReloadFirewallRulesHelper,
--
2.20.1
Reference in New Issue View Git Blame Copy Permalink