External/libvirt
1
0
Fork 0
mirror of https://gitlab.com/libvirt/libvirt.git synced 2025-03-07 17:28:15 +00:00
Code

Include pid namespace inode in LXC audit messages

Browse Source 
To allow the efficient correlation of container audit messages
with host hosts, include the pid namespace inode in audit
messages.
This commit is contained in:
Daniel P. Berrange 2013-03-06 14:56:49 +00:00
parent eaf7d4ddff
commit ab1ef3bc6c
3 changed files with 49 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
src/conf/domain_audit.c
View File

@ -649,7 +649,8 @@ virDomainAuditStart(virDomainObjPtr vm, const char *reason, bool success)
void void
virDomainAuditInit(virDomainObjPtr vm, virDomainAuditInit(virDomainObjPtr vm,
pid_t initpid) pid_t initpid,
ino_t pidns)
{ {
char uuidstr[VIR_UUID_STRING_BUFLEN]; char uuidstr[VIR_UUID_STRING_BUFLEN];
char *vmname; char *vmname;
@ -668,8 +669,9 @@ virDomainAuditInit(virDomainObjPtr vm,
} }
VIR_AUDIT(VIR_AUDIT_RECORD_MACHINE_CONTROL, true, VIR_AUDIT(VIR_AUDIT_RECORD_MACHINE_CONTROL, true,
"virt=%s op=init %s uuid=%s vm-pid=%lld init-pid=%lld", "virt=%s op=init %s uuid=%s vm-pid=%lld init-pid=%lld pid-ns=%lld",
virt, vmname, uuidstr, (long long)vm->pid, (long long)initpid); virt, vmname, uuidstr, (long long)vm->pid, (long long)initpid,
(long long)pidns);
VIR_FREE(vmname); VIR_FREE(vmname);
} }

3
src/conf/domain_audit.h
View File

@ -32,7 +32,8 @@ void virDomainAuditStart(virDomainObjPtr vm,
bool success) bool success)
ATTRIBUTE_NONNULL(1) ATTRIBUTE_NONNULL(2); ATTRIBUTE_NONNULL(1) ATTRIBUTE_NONNULL(2);
void virDomainAuditInit(virDomainObjPtr vm, void virDomainAuditInit(virDomainObjPtr vm,
pid_t pid) pid_t pid,
ino_t pidns)
ATTRIBUTE_NONNULL(1); ATTRIBUTE_NONNULL(1);
void virDomainAuditStop(virDomainObjPtr vm, void virDomainAuditStop(virDomainObjPtr vm,
const char *reason) const char *reason)

43
src/lxc/lxc_process.c
View File

@ -630,6 +630,36 @@ static void virLXCProcessMonitorExitNotify(virLXCMonitorPtr mon ATTRIBUTE_UNUSED
priv->stopReason, status); priv->stopReason, status);
} }
static int
virLXCProcessGetNsInode(pid_t pid,
const char *nsname,
ino_t *inode)
{
char *path = NULL;
struct stat sb;
int ret = -1;
if (virAsprintf(&path, "/proc/%llu/ns/%s",
(unsigned long long)pid, nsname) < 0) {
virReportOOMError();
goto cleanup;
}
if (stat(path, &sb) < 0) {
virReportSystemError(errno,
_("Unable to stat %s"), path);
goto cleanup;
}
*inode = sb.st_ino;
ret = 0;
cleanup:
VIR_FREE(path);
return ret;
}
/* XXX a little evil */ /* XXX a little evil */
extern virLXCDriverPtr lxc_driver; extern virLXCDriverPtr lxc_driver;
static void virLXCProcessMonitorInitNotify(virLXCMonitorPtr mon ATTRIBUTE_UNUSED, static void virLXCProcessMonitorInitNotify(virLXCMonitorPtr mon ATTRIBUTE_UNUSED,
@ -637,8 +667,19 @@ static void virLXCProcessMonitorInitNotify(virLXCMonitorPtr mon ATTRIBUTE_UNUSED
virDomainObjPtr vm) virDomainObjPtr vm)
{ {
virLXCDomainObjPrivatePtr priv = vm->privateData; virLXCDomainObjPrivatePtr priv = vm->privateData;
ino_t inode;
priv->initpid = initpid; priv->initpid = initpid;
virDomainAuditInit(vm, initpid);
if (virLXCProcessGetNsInode(initpid, "pid", &inode) < 0) {
virErrorPtr err = virGetLastError();
VIR_WARN("Cannot obtain pid NS inode for %llu: %s",
(unsigned long long)initpid,
err && err->message ? err->message : "<unknown>");
virResetLastError();
inode = 0;
}
virDomainAuditInit(vm, initpid, inode);
if (virDomainSaveStatus(lxc_driver->caps, lxc_driver->stateDir, vm) < 0) if (virDomainSaveStatus(lxc_driver->caps, lxc_driver->stateDir, vm) < 0)
VIR_WARN("Cannot update XML with PID for LXC %s", vm->def->name); VIR_WARN("Cannot update XML with PID for LXC %s", vm->def->name);