Re: [libvirt] [PATCH RFC] LXC: don't RO mount /proc, /sys when user namespce enabled
On 24.12.2014 at 03:23, Chen, Hanxiao wrote:
> -----Original Message-----
> From: Richard Weinberger [mailto:richard.weinber...@gmail.com]
> Sent: Wednesday, December 24, 2014 5:36 AM
> To: Eric Blake
> Cc: Chen, Hanxiao/陈 晗霄; libvir-list@redhat.com
> Subject: Re: [libvirt] [PATCH RFC] LXC: don't RO mount /proc, /sys when user namespce enabled
>
>> On Mon, Dec 22, 2014 at 4:12 PM, Eric Blake <ebl...@redhat.com> wrote:
>>> On 12/21/2014 08:57 PM, Chen Hanxiao wrote:
>>>
>>> s/namespce/namespace/ in the subject line
>>>
>>>> If we enabled user ns and provided a uid/gid map,
>>>> we do not need to mount /proc, /sys as readonly.
>>>> Leave it to the kernel for protection.
>>>>
>>>> Signed-off-by: Chen Hanxiao <chenhanx...@cn.fujitsu.com>
>>>> ---
>>>>  src/lxc/lxc_container.c | 6 ++
>>>>  1 file changed, 6 insertions(+)
>>>
>>> I'll leave the actual patch review to someone more familiar with LXC
>>> namespace setups
>>
>> This change will still mount some useless stuff like:
>>
>>     { "/.oldroot/proc/sys/net/ipv4", "/proc/sys/net/ipv4", NULL, MS_BIND, false, false, true },
>>     { "/.oldroot/proc/sys/net/ipv6", "/proc/sys/net/ipv6", NULL, MS_BIND, false, false, true },
>>
>> You can set skipUserNS for these.
>
> Thanks, I didn't notice that.
>
>> But I *really* would like to see /proc and /sys mounted RW as default.
>> Please see my comment to:
>> [libvirt] [PATCHv3] lxc: give RW access to /proc/sys/net/ipv[46] to containers
>
> I see your new comments in that thread.
> If libvirt enables userns (provided a uid/gid map in XML), it's safe to drop the RO
> mount completely; if not, I'm not sure whether it will bring back compatibility issues.
> So let's wait for more comments from maintainers.

I agree.

Thanks,
//richard

--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list
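The trade-off debated above, a read-only bind mount of /proc and /sys versus relying on the user-namespace uid map, as an added example that is not part of the thread or of libvirt: it reads the text of a container's /proc/self/mountinfo and /proc/self/uid_map and reports which of the two mechanisms, if any, stands between the container and a writable /proc/sys. The sample inputs are constructed and the function and constant names are my own.

```c
/* Added example, not libvirt code: classify how /proc or /sys is protected inside a container from
 * the text of its /proc/self/mountinfo and /proc/self/uid_map (the two mechanisms the thread weighs). */
#include <stdio.h>
#include <string.h>

enum protection { PROT_RO_MOUNT, PROT_USERNS_ONLY, PROT_NONE };

/* mountinfo: "id parent maj:min root mountpoint per-mount-opts ... - fstype src superopts"; paths
 * octal-escape spaces. Returns 1 if the last entry for `mnt` has the per-mount "ro" flag, else 0. */
int mount_is_ro(const char *mountinfo, const char *mnt)
{
    int ro = 0;
    const char *p = mountinfo;
    while (p && *p) {
        char line[512], point[256], opts[256];
        size_t full = strcspn(p, "\n"), len = full < sizeof line ? full : sizeof line - 1;
        memcpy(line, p, len); line[len] = '\0';
        p = p[full] ? p + full + 1 : NULL;           /* step past the newline, or stop */
        if (sscanf(line, "%*s %*s %*s %*s %255s %255s", point, opts) != 2 ||
            strcmp(point, mnt) != 0)
            continue;
        ro = 0;                                      /* a later mount over the same path wins */
        for (char *tok = strtok(opts, ","); tok; tok = strtok(NULL, ","))
            if (strcmp(tok, "ro") == 0) ro = 1;      /* MS_BIND|MS_RDONLY shows up here */
    }
    return ro;
}

/* uid_map lines are "inside outside count". Only the initial user namespace shows the single
 * identity line "0 0 4294967295"; anything else means the container's uids are remapped. */
int uidmap_is_identity(const char *uid_map)
{
    unsigned long in, out, cnt;
    const char *nl = strchr(uid_map, '\n');
    if (nl && nl[1]) return 0;                       /* a second line: definitely remapped */
    if (sscanf(uid_map, "%lu %lu %lu", &in, &out, &cnt) != 3) return 1; /* unreadable: no remap */
    return in == 0 && out == 0 && cnt == 4294967295UL;
}

/* What keeps `mnt` from being writable: libvirt's RO bind mount, only the uid map, or nothing. */
int fs_protection(const char *mountinfo, const char *uid_map, const char *mnt)
{
    if (mount_is_ro(mountinfo, mnt)) return PROT_RO_MOUNT;
    return uidmap_is_identity(uid_map) ? PROT_NONE : PROT_USERNS_ONLY;
}

/* Constructed samples: /proc/sys bind-mounted ro (today's libvirt default) versus left rw. */
const char *MI_RO = "30 20 0:18 / /proc rw,nosuid,nodev,noexec - proc proc rw\n31 30 0:18 /sys /proc/sys ro,nosuid,nodev,noexec - proc proc rw\n";
const char *MI_RW = "30 20 0:18 / /proc rw,nosuid,nodev,noexec - proc proc rw\n";
const char *MAP_IDENTITY = "         0          0 4294967295\n";
const char *MAP_REMAPPED = "         0     100000      65536\n";
```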
Re: [libvirt] [PATCH] Parallels: Add VNC hostname setup
On Friday 19 December 2014 16:41:03 Alexander Burluka wrote:
> Add missing VNC setup via Parallels SDK. Parallels Cloud Server starts one
> VNC server per domain, so we could process only one VNC server definition.
> Network-based listening currently is unimplemented.

Seems good to me, ACK.

> Signed-off-by: Alexander Burluka <aburl...@parallels.com>
> ---
>  src/parallels/parallels_sdk.c | 25 -
>  1 files changed, 24 insertions(+), 1 deletions(-)
>
diff --git a/src/parallels/parallels_sdk.c b/src/parallels/parallels_sdk.c index 83a28b7..8394646 100644 --- a/src/parallels/parallels_sdk.c +++ b/src/parallels/parallels_sdk.c @@ -1929,7 +1929,7 @@ static int prlsdkCheckGraphicsUnsupportedParams(virDomainDefPtr def) if (def-ngraphics == 0) return 0; -if (def-ngraphics 1) { +if (def-ngraphics 1) { virReportError(VIR_ERR_CONFIG_UNSUPPORTED, %s, _(Parallels Cloud Server supports only one VNC per domain.)); @@ -1988,6 +1988,20 @@ static int prlsdkCheckGraphicsUnsupportedParams(virDomainDefPtr def) return -1; } +if (gr-nListens 1) { +virReportError(VIR_ERR_INVALID_ARG, %s, + _(Parallels driver doesn't support more than + one listening VNC server per domain)); +return -1; +} + +if (gr-nListens == 1 +virDomainGraphicsListenGetType(gr, 0) != VIR_DOMAIN_GRAPHICS_LISTEN_TYPE_ADDRESS) { + virReportError(VIR_ERR_INVALID_ARG, %s, + _(Parallels driver supports only address-based VNC listening)); +return -1; +} + return 0; } @@ -2286,6 +2300,7 @@ static int prlsdkApplyGraphicsParams(PRL_HANDLE sdkdom, virDomainDefPtr def) virDomainGraphicsDefPtr gr; PRL_RESULT pret; int ret = -1; +const char *listenAddr = NULL; if (prlsdkCheckGraphicsUnsupportedParams(def)) return -1; 
@@ -2306,6 +2321,14 @@ static int prlsdkApplyGraphicsParams(PRL_HANDLE sdkdom, virDomainDefPtr def) prlsdkCheckRetGoto(pret, cleanup); } +if (gr-nListens == 1) { +listenAddr = virDomainGraphicsListenGetAddress(gr, 0); +if (!listenAddr) +goto cleanup; +pret = PrlVmCfg_SetVNCHostName(sdkdom, listenAddr); +prlsdkCheckRetGoto(pret, cleanup); +} + ret = 0; cleanup: return ret; -- Dmitry Guryanov -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list
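Review bot: the `@@ -1929,7 +1929,7 @@` hunk removes and re-adds an `if (def->ngraphics ...)` line that reads identically in the removed and added form, so it is a whitespace-only or formatting change unrelated to VNC hostname setup; drop it here or send it as a separate cleanup so the functional part of the patch stays reviewable on its own.

Review bot: in the `@@ -1988,6 +1988,20 @@` hunk, the two new checks (`gr->nListens` greater than one, and a listen whose `virDomainGraphicsListenGetType(gr, 0)` is not `VIR_DOMAIN_GRAPHICS_LISTEN_TYPE_ADDRESS`) report `VIR_ERR_INVALID_ARG`, while the `ngraphics` check a few lines above in the same function reports `VIR_ERR_CONFIG_UNSUPPORTED` for the same kind of condition, a domain definition this driver cannot honour. Use `VIR_ERR_CONFIG_UNSUPPORTED` for all three so the error classification is consistent for callers.

Review bot: in the `@@ -2306,6 +2321,14 @@` hunk, `if (!listenAddr) goto cleanup;` returns with `ret` still at -1 but without a `virReportError()` call, so a listen element of type address that carries no address makes `prlsdkApplyGraphicsParams` fail silently and the caller gets an error return with no message. Either report an error at that point or, if a missing address should simply mean "do not set a VNC hostname", skip the `PrlVmCfg_SetVNCHostName()` call and fall through to `ret = 0`.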
[libvirt] [PATCH] conf: Don't use the current state in def-data.network.actual when migrate
https://bugzilla.redhat.com/show_bug.cgi?id=1177194

When migrating a VM, we generate an XML via qemuDomainDefFormatLive and pass this XML
to the target libvirtd. Libvirt will use the current network state in
def->data.network.actual to generate the XML; this will make migration fail when we
set a network-type guest interface to use a macvtap network as its source in a VM and
then migrate the VM to another host (which has different macvtap network settings:
different interface name, bridge name, ...).

Add a flag check in virDomainNetDefFormat: if the VIR_DOMAIN_XML_MIGRATABLE flag is set
when calling virDomainNetDefFormat, we won't get the current VM interface state.

Signed-off-by: Luyao Huang <lhu...@redhat.com>
---
 src/conf/domain_conf.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/src/conf/domain_conf.c b/src/conf/domain_conf.c index aafc05e..fffd6cd 100644 --- a/src/conf/domain_conf.c +++ b/src/conf/domain_conf.c @@ -17436,7 +17436,9 @@ virDomainNetDefFormat(virBufferPtr buf, unsigned int actualType = virDomainNetGetActualType(def); bool publicActual = (def-type == VIR_DOMAIN_NET_TYPE_NETWORK def-data.network.actual - !(flags (VIR_DOMAIN_XML_INACTIVE | VIR_DOMAIN_XML_INTERNAL_ACTUAL_NET))); + !(flags (VIR_DOMAIN_XML_INACTIVE | + VIR_DOMAIN_XML_INTERNAL_ACTUAL_NET | + VIR_DOMAIN_XML_MIGRATABLE))); const char *typeStr; virDomainHostdevDefPtr hostdef = NULL; char macstr[VIR_MAC_STRING_BUFLEN]; -- 1.8.3.1
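Review bot: in the `@@ -17436,7 +17436,9 @@` hunk, `actualType` is still taken from `virDomainNetGetActualType(def)` two lines above the changed condition, so with `VIR_DOMAIN_XML_MIGRATABLE` set `publicActual` becomes false while `actualType` may still describe the live (macvtap) device; please confirm that everything later in `virDomainNetDefFormat` that branches on `actualType` is also guarded by `publicActual`, otherwise the migratable XML can still carry host-specific details that this patch means to suppress. The diffstat shows only `src/conf/domain_conf.c` changing; a test that formats a type='network' interface backed by a macvtap network with the migratable flag would pin down the intended output.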