Pass virSecurityManagerPtr object further down into LXC setup code
Currently the lxcContainerSetupMounts method uses the virSecurityManagerPtr instance to obtain the mount options string and then only passes the string down into methods it calls. As functionality in LXC grows though, those methods need to have direct access to the virSecurityManagerPtr instance. So push the code down a level. Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
This commit is contained in:
parent
3f6470f753
commit
f999e2fdce
@ -1511,17 +1511,21 @@ static int lxcContainerSetupPivotRoot(virDomainDefPtr vmDef,
|
|||||||
virDomainFSDefPtr root,
|
virDomainFSDefPtr root,
|
||||||
char **ttyPaths,
|
char **ttyPaths,
|
||||||
size_t nttyPaths,
|
size_t nttyPaths,
|
||||||
char *sec_mount_options)
|
virSecurityManagerPtr securityDriver)
|
||||||
{
|
{
|
||||||
struct lxcContainerCGroup *mounts = NULL;
|
struct lxcContainerCGroup *mounts = NULL;
|
||||||
size_t nmounts = 0;
|
size_t nmounts = 0;
|
||||||
int ret = -1;
|
int ret = -1;
|
||||||
char *cgroupRoot;
|
char *cgroupRoot = NULL;
|
||||||
|
char *sec_mount_options;
|
||||||
|
|
||||||
|
if (!(sec_mount_options = virSecurityManagerGetMountOptions(securityDriver, vmDef)))
|
||||||
|
return -1;
|
||||||
|
|
||||||
/* Before pivoting we need to identify any
|
/* Before pivoting we need to identify any
|
||||||
* cgroups controllers that are mounted */
|
* cgroups controllers that are mounted */
|
||||||
if (lxcContainerIdentifyCGroups(&mounts, &nmounts, &cgroupRoot) < 0)
|
if (lxcContainerIdentifyCGroups(&mounts, &nmounts, &cgroupRoot) < 0)
|
||||||
return -1;
|
goto cleanup;
|
||||||
|
|
||||||
/* Gives us a private root, leaving all parent OS mounts on /.oldroot */
|
/* Gives us a private root, leaving all parent OS mounts on /.oldroot */
|
||||||
if (lxcContainerPivotRoot(root) < 0)
|
if (lxcContainerPivotRoot(root) < 0)
|
||||||
@ -1577,6 +1581,7 @@ static int lxcContainerSetupPivotRoot(virDomainDefPtr vmDef,
|
|||||||
cleanup:
|
cleanup:
|
||||||
lxcContainerCGroupFree(mounts, nmounts);
|
lxcContainerCGroupFree(mounts, nmounts);
|
||||||
VIR_FREE(cgroupRoot);
|
VIR_FREE(cgroupRoot);
|
||||||
|
VIR_FREE(sec_mount_options);
|
||||||
return ret;
|
return ret;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -1585,14 +1590,19 @@ cleanup:
|
|||||||
but with extra stuff mapped in */
|
but with extra stuff mapped in */
|
||||||
static int lxcContainerSetupExtraMounts(virDomainDefPtr vmDef,
|
static int lxcContainerSetupExtraMounts(virDomainDefPtr vmDef,
|
||||||
virDomainFSDefPtr root,
|
virDomainFSDefPtr root,
|
||||||
char *sec_mount_options)
|
virSecurityManagerPtr securityDriver)
|
||||||
{
|
{
|
||||||
int ret = -1;
|
int ret = -1;
|
||||||
struct lxcContainerCGroup *mounts = NULL;
|
struct lxcContainerCGroup *mounts = NULL;
|
||||||
size_t nmounts = 0;
|
size_t nmounts = 0;
|
||||||
char *cgroupRoot;
|
char *cgroupRoot = NULL;
|
||||||
|
char *sec_mount_options;
|
||||||
|
|
||||||
VIR_DEBUG("def=%p", vmDef);
|
VIR_DEBUG("def=%p", vmDef);
|
||||||
|
|
||||||
|
if (!(sec_mount_options = virSecurityManagerGetMountOptions(securityDriver, vmDef)))
|
||||||
|
return -1;
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* This makes sure that any new filesystems in the
|
* This makes sure that any new filesystems in the
|
||||||
* host OS propagate to the container, but any
|
* host OS propagate to the container, but any
|
||||||
@ -1601,25 +1611,25 @@ static int lxcContainerSetupExtraMounts(virDomainDefPtr vmDef,
|
|||||||
if (mount("", "/", NULL, MS_SLAVE|MS_REC, NULL) < 0) {
|
if (mount("", "/", NULL, MS_SLAVE|MS_REC, NULL) < 0) {
|
||||||
virReportSystemError(errno, "%s",
|
virReportSystemError(errno, "%s",
|
||||||
_("Failed to make / slave"));
|
_("Failed to make / slave"));
|
||||||
return -1;
|
goto cleanup;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (root && root->readonly) {
|
if (root && root->readonly) {
|
||||||
if (mount("", "/", NULL, MS_BIND|MS_REC|MS_RDONLY|MS_REMOUNT, NULL) < 0) {
|
if (mount("", "/", NULL, MS_BIND|MS_REC|MS_RDONLY|MS_REMOUNT, NULL) < 0) {
|
||||||
virReportSystemError(errno, "%s",
|
virReportSystemError(errno, "%s",
|
||||||
_("Failed to make root readonly"));
|
_("Failed to make root readonly"));
|
||||||
return -1;
|
goto cleanup;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
VIR_DEBUG("Mounting config FS");
|
VIR_DEBUG("Mounting config FS");
|
||||||
if (lxcContainerMountAllFS(vmDef, "", false, sec_mount_options) < 0)
|
if (lxcContainerMountAllFS(vmDef, "", false, sec_mount_options) < 0)
|
||||||
return -1;
|
goto cleanup;
|
||||||
|
|
||||||
/* Before replacing /sys we need to identify any
|
/* Before replacing /sys we need to identify any
|
||||||
* cgroups controllers that are mounted */
|
* cgroups controllers that are mounted */
|
||||||
if (lxcContainerIdentifyCGroups(&mounts, &nmounts, &cgroupRoot) < 0)
|
if (lxcContainerIdentifyCGroups(&mounts, &nmounts, &cgroupRoot) < 0)
|
||||||
return -1;
|
goto cleanup;
|
||||||
|
|
||||||
#if HAVE_SELINUX
|
#if HAVE_SELINUX
|
||||||
/* Some versions of Linux kernel don't let you overmount
|
/* Some versions of Linux kernel don't let you overmount
|
||||||
@ -1653,6 +1663,7 @@ static int lxcContainerSetupExtraMounts(virDomainDefPtr vmDef,
|
|||||||
cleanup:
|
cleanup:
|
||||||
lxcContainerCGroupFree(mounts, nmounts);
|
lxcContainerCGroupFree(mounts, nmounts);
|
||||||
VIR_FREE(cgroupRoot);
|
VIR_FREE(cgroupRoot);
|
||||||
|
VIR_FREE(sec_mount_options);
|
||||||
return ret;
|
return ret;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -1684,21 +1695,15 @@ static int lxcContainerSetupMounts(virDomainDefPtr vmDef,
|
|||||||
size_t nttyPaths,
|
size_t nttyPaths,
|
||||||
virSecurityManagerPtr securityDriver)
|
virSecurityManagerPtr securityDriver)
|
||||||
{
|
{
|
||||||
int rc = -1;
|
|
||||||
char *sec_mount_options = NULL;
|
|
||||||
if (lxcContainerResolveSymlinks(vmDef) < 0)
|
if (lxcContainerResolveSymlinks(vmDef) < 0)
|
||||||
return -1;
|
return -1;
|
||||||
|
|
||||||
if (!(sec_mount_options = virSecurityManagerGetMountOptions(securityDriver, vmDef)))
|
|
||||||
return -1;
|
|
||||||
|
|
||||||
if (root && root->src)
|
if (root && root->src)
|
||||||
rc = lxcContainerSetupPivotRoot(vmDef, root, ttyPaths, nttyPaths, sec_mount_options);
|
return lxcContainerSetupPivotRoot(vmDef, root, ttyPaths, nttyPaths,
|
||||||
|
securityDriver);
|
||||||
else
|
else
|
||||||
rc = lxcContainerSetupExtraMounts(vmDef, root, sec_mount_options);
|
return lxcContainerSetupExtraMounts(vmDef, root,
|
||||||
|
securityDriver);
|
||||||
VIR_FREE(sec_mount_options);
|
|
||||||
return rc;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
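Review bot: The new `if (!(sec_mount_options = virSecurityManagerGetMountOptions(securityDriver, vmDef))) return -1;` in both lxcContainerSetupPivotRoot and lxcContainerSetupExtraMounts treats a NULL return as fatal, so container startup now depends on every security driver (including whichever one backs unconfined guests) returning a non-NULL, possibly empty, string and on it having reported an error before returning NULL; neither guarantee is visible in these hunks, so a comment above the call such as `/* NULL means the driver failed (error already reported); an empty string is a valid "no options" result */`, confirmed against the drivers, would make the contract explicit. As a point of style, that early `return -1` sits beside the `goto cleanup` paths the same hunks introduce; with `ret` already -1 and `mounts`/`cgroupRoot` NULL-initialised, `goto cleanup` is equally safe and keeps the single-exit shape the rest of each function now follows. The fetch-and-VIR_FREE sequence for sec_mount_options is now duplicated verbatim in both functions, which matches the commit's stated goal of giving each direct access to the manager but is worth watching as the LXC setup code grows. Both function bodies extend beyond the hunks shown here.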
|