Re: [libvirt] [PATCH 0/3] network: resolve CVE 2012-3411

[Gene Czarcinski]

On 11/21/2012 09:55 PM, Laine Stump wrote:

This patch series resolves the libvirt part of CVE 2012-3411:

https://bugzilla.redhat.com/show_bug.cgi?id=833033

Further details are in PATCH 3/3.

Things are going well and I have the DHCPv6 patches re-worked to be on 
top of these patches.  I am using the new capabilities to get the 
dnsmasq version.  I had to add driver being a parameter passed to 
networkStartRadvd() so that I could check for the dnsmasq version. I 
also changed a couple of your tests to have dnsmasq version 2.64 rather 
than 2.63 so that I could check for the DHCPv6 behavior.


Now, on the conf-file which should not be too bad.

It is so much fun when two or more people are changing the same source 
code at the same time ;}}


Gene

--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list

[libvirt] Is DBus a hard dependency

[Guido Günther]

Hi,
currently running libvirtd without DBus fails due to:

error : nwfilterDriverStartup:208 : DBus matches could not be installed. 
Disabling nwfilter driver
error : virDBusGetSystemBus:77 : internal error Unable to get DBus system bus 
connection: Failed to connect to socket /var/run/dbus/system_bus_socket: No 
such file or directory
error : virStateInitialize:810 : Initialization of NWFilter state driver failed
error : daemonRunStateInit:784 : Driver state initialization failed

because we fail driver initialization hard in nwfilter_driver.c:

if (nwfilterDriverInstallDBusMatches(sysbus)  0) {
VIR_ERROR(_(DBus matches could not be installed. Disabling nwfilter 
  driver));
/*
 * unfortunately this is fatal since virNWFilterTechDriversInit
 * may have caused the ebiptables driver to use the firewall tool
 * but now that the watches don't work, we just disable the nwfilter
 * driver
 */
goto error;
}

I wonder if this on prupose or if we can just make this a soft error and
go on without DBus? At least in the !HAVE_FIREWALLD case it should be
o.k. to continue. Shouldn't it? See attached patch.
Cheers,
 -- Guido
From 22571860568bfe8026e60dcede8f332ec6fd002f Mon Sep 17 00:00:00 2001
Message-Id: 22571860568bfe8026e60dcede8f332ec6fd002f.1353774807.git@sigxcpu.org
From: =?UTF-8?q?Guido=20G=C3=BCnther?= a...@sigxcpu.org
Date: Sat, 24 Nov 2012 17:32:59 +0100
Subject: [PATCH] nwfilter: Allow DBus initialization to fail
To: libvir-list@redhat.com

in case we don't use firewalld. This allows us to run without
DBus on servers.
---
 src/nwfilter/nwfilter_driver.c |2 ++
 1 file changed, 2 insertions(+)

diff --git a/src/nwfilter/nwfilter_driver.c b/src/nwfilter/nwfilter_driver.c
index 12f47ef..e4f6ec9 100644
--- a/src/nwfilter/nwfilter_driver.c
+++ b/src/nwfilter/nwfilter_driver.c
@@ -204,6 +204,7 @@ nwfilterDriverStartup(int privileged)
  * initializing
  */
 if (nwfilterDriverInstallDBusMatches(sysbus)  0) {
+#if HAVE_FIREWALLD
 VIR_ERROR(_(DBus matches could not be installed. Disabling nwfilter 
   driver));
 /*
@@ -213,6 +214,7 @@ nwfilterDriverStartup(int privileged)
  * driver
  */
 goto error;
+#endif
 }
 
 if (privileged) {
-- 
1.7.10.4

--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list

Re: [libvirt] Proposal: no dnsmasq (no dhcp and no dns) and no radvd option

[Laine Stump]

On 11/23/2012 02:18 PM, Gene Czarcinski wrote:
 On 11/20/2012 05:29 PM, Laine Stump wrote:
 On 11/20/2012 02:36 PM, Gene Czarcinski wrote:
 Laine mentioned something yesterday that got me to thinking: being
 able to specify that dnsmasq is not to be started for an interface.
 
 Let me expand that by saying that libvirt would not start dnsmasq for
 either dns or dhcp and also would not start radvd.  However, the IPv4
 and IPv6 gateway addresses would be defined on the virtual network
 interface and the usual iptables and ip6tables rules would be in
 force.
 
 This would allow a user to configure dnsmasq to meet any user desires
 or use something completely different instead of dnsmasq.
 
 Questions:  Useful?  Worth the time and effort?
 That was already determined before I mentioned it to you - it's been
 requested several times, and I've told some people it was going to
 happen, although didn't say when:-).

 OK, color this almost done (doc and schemas need updating).

 Three new parameters are added:
   network disableDnsmasq='yes'  logDnsQueries='yes' logDhcp='yes' 

Don't refer to dnsmasq specifically in the XML unless it's something
that is unique to dnsmasq (and then we should seriously consider  if
we're thinking about it the right way before adding it). The intent is
that the XML should describe the desired configuration in a manner high
level enough that a new driver using different backend components would
be able to use the same XML attributes and arrive at similar
functionality. For example, there is active work right now to support
libvirt's server side on FreeBSD, and they may decide that they want to
implement their networks using different implementations of DNS and dhcp
servers (they will already need to do something different in place of
Linux host brdges and iptables, so it will have to be a completely new
driver anyway).

Obviously there are cases where something specific to the backend needs
to be in the XML; for example the virtio-net drivers can specify driver
name='qemu' ... and in that case can have an option ioeventfd and
event_idx options which would probably be meaningless to any netdev
driver for another hypervisor, but we aim to keep that to a minimum, and
use it only when the characteristic described really is unique to
particular backend).

(At any rate, it seems reasonable to me that someone may want us to
provide a dhcp server but no dns server. Yes, this also implies that we
should have a way in the config to feed in the address of an alternative
DNS server (--dhcp-option=option:dns-server,x.x.x.x and
--dhcp-option=option6:dnsserver,::) to send to dhcp clients
when they've disabled dnsmasq's own dns server (in case you hadn't found
it in the manpage yet - you can run dnsmasq with no dns server by adding
--port=0 to the commandline). As soon as I hit send on this, I'm going
to type up a short mail asking for comments on how to add support for
any standard dhcp option.

As for the other two - any reason why you used logDnsQueries instead
of logDns? Also, do you think we might want the ability to specify a
level in the future? (I guess if we did, that could coexist with yes|no).

And while we're on the topic of logging: one thing that's bothered me a
lot, and we've had other people complain about it as well, is that every
single DHCP lease renewal results in a message to /var/log/messages, and
there doesn't seem to be any way to suppress it. Is that correct?


 If nothing is specified, then the default is no, no, no so that things
 work as they do now.  Currently, if the boolean value is 'no' or
 false, then that parameter is not written out.  I could easily change
 that depending on what others want to do.

 Laine, I changed this to be disableDnsmasq because that is the real
 result.  If this is specified, then starting radvd will also be
 suppressed.  It is as if no IPv4 or IPv6 addresses were specified.
 However, the iptables and ip6tables rules will remain the same since
 it is assumed that gateway addresses will be specified.

Actually that's yet another switch that we need to add - the ability to
suppress all iptables rules for a particular network (unless it is in
NAT mode, in which case it makes no sense, because it's the difference
in rules that changes it from mode='route' to mode='nat'). Perhaps it
could be something like filter='none|open|restricted', although I don't
know if that's descriptive enough - even without getting into specific
protocols (which I don't think should be done - at that point they
should really be using a guest-specific filterref) you might still want
to know if there should be any rules at all, allow everything, allow
outgoing sessions but not incoming, allow inter-guest traffic but not
incoming from the outside, allow nothing (all of these could be
overridden by a particular guest's filterref)

 I have scratched an itch of mine by providing a way to specify that
 dns-queries and dhcp activity should be logged and that this is
 

[libvirt] RFC: adding configuration for standard dhcp options to network

[Laine Stump]

There have been multiple requests over the last couple years to make the
DHCP server of libvirt's virutal networks more configurable (for
example, see the following BZ:
https://bugzilla.redhat.com/show_bug.cgi?id=824573 ).

You can see a full list of the options supported by dnsmasq with this
command:

   dnsmasq --help dhcp

The biggest question here is in exactly how to represent the options in
the network XML. I can see a few different options, among them:

1) make each option its own element within dhcp, e.g.:

 dnsServer family='ipv4' address='x.x.x.x'/
 dnsServer family='ipv6' address=':::1'/
 ntpServer address='y.y.y.y'/
 smtpServer address='z.z.z.z'/

2) A variation of (1) where each option could appear only once, but with
two attributes, one for ipv6 address and one for ipv4:

 dnsServer address4='x.x.x.x'address6=':::1'/
 ntpServer address4='y.y.y.y'/

3) have a repeatable option element (again, a subelement of dhcp
that can contain any number of the options as attributes:

 option family='ipv4' dnsServer='x.x.x.x' ntpServer='y.y.y.y'
smtpServer='z.z.z.z'/
 option family='ipv6' dnsServer='::1'/

  (in this case, we may or may not support repeating option to add
more options for the same family).

4) yet another variation, where each option is a subelement of option
family='':

 option family='ipv4'
   dnsServerx.x.x.x/dnsServer
   ntpServery.y.y.y/ntpServer
   smtpServerz.z.z.z/smtpServer
 /option
 option family='ipv6'
   dnsServer:::1/dnsServer
 /option

I'm not sure which of these would be more straightforward for a user.
One thought I've had is that dnsmasq at least allows specifying
different groups of guest addresses (with a tag) and applying
different options to addresses with different tags. I don't know if
we'll ever use that capability, but if we do it *seems* like any of
these methods could be adapted to specifying multiple groups.

Does anyone have a preference? (I have a narrow preference for (1),
simply because it was the first to come to my mind, but could easily be
swayed to one of the others, or something else, given a logical reason).

--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list

[libvirt] [PATCH] storage: fix logical volume cloning

[Ján Tomko]

Commit 258e06c removed setting of the volume type to
VIR_STORAGE_VOL_BLOCK, which leads to failures in
storageVolumeCreateXMLFrom.

The type (and target.format) of the volume was set to zero. In
virStorageBackendGetBuildVolFromFunction, this gets interpreted as
VIR_STORAGE_FILE_NONE and the qemu-img tool is called with unknown
none format.

Bug: https://bugzilla.redhat.com/show_bug.cgi?id=879780
---
 src/storage/storage_backend_logical.c |2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

diff --git a/src/storage/storage_backend_logical.c 
b/src/storage/storage_backend_logical.c
index de43c3a..fd5cbd1 100644
--- a/src/storage/storage_backend_logical.c
+++ b/src/storage/storage_backend_logical.c
@@ -708,6 +708,8 @@ virStorageBackendLogicalCreateVol(virConnectPtr conn,
 return -1;
 }
 
+vol-type = VIR_STORAGE_VOL_BLOCK;
+
 if (vol-target.path != NULL) {
 /* A target path passed to CreateVol has no meaning */
 VIR_FREE(vol-target.path);
-- 
1.7.8.6

--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list

Re: [libvirt] [PATCH 3/3] network: use dnsmasq --bind-dynamic when available

[Laine Stump]

On 11/23/2012 07:44 AM, Gene Czarcinski wrote:
 On 11/21/2012 09:55 PM, Laine Stump wrote:
 This bug resolves CVE-2012-3411, which is described in the following
 bugzilla report:

https://bugzilla.redhat.com/show_bug.cgi?id=833033

 The following report is specifically for libvirt on Fedora:

https://bugzilla.redhat.com/show_bug.cgi?id=874702

 In short, a dnsmasq instance run with the intention of listening for
 DHCP/DNS requests only on a libvirt virtual network (which is
 constructed using a Linux host bridge) would also answer queries sent
 from outside the virtualization host.

 This patch takes advantage of a new dnsmasq option --bind-dynamic,
 which will cause the listening socket to be setup such that it will
 only receive those requests that actually come in via the bridge
 interface. In order for this behavior to actually occur, not only must
 --bind-interfaces be replaced with --bind-dynamic, but also all
 --listen-address options must be replaced with a single
 --interface option. Fully:

 --bind-interfaces --except-interface lo --listen-address x.x.x.x ...

 (with --listen-address possibly repeated) is replaced with:

 --bind-dynamic --interface virbrX
 I have some questions about this change.

 1.  If I correctly understand the problem being addressed (not a
 given), a dnsmasq instance providing a dns service to a virtual
 network interface was responding to queries on other network
 interfaces (virtual or real).

To be more precise, it was responding to DNS queries sent to the proper
IP address, but arriving on the socket via a different interface than
the bridge of the virtual network.

   Obviously (to me) this is not desired and should be considered a
 security problem. This series of patches is intended to address this
 problem while continuing to support older versions of dnsmasq which do
 not support bind-dynamic.

Correct.


 [If I understand correctly then, while this is a problem for IPv4, it
 could be even more critical for IPv6.]

What makes it more critical for IPv6?


 2.  I assume that this change still supports queries originating on
 the virtualization host and directed to the virtual network interface.

Interesting question. I hadn't tried it. Is there a specific scenario
where you use this (I can think of one - perhaps the system dns server
wants to have access to the A and PTR records for guests so that the
host (and possibly external entities) can reference them by name... Ah,
I see you mention that down in item 4).


 3.  I assume that dnsmasq's support of DHCP continues as before.

Since libvirt's dnsmasq didn't previously answer requests on other
interfaces, I'm fairly certain that this change, which further limits
the scope of request sources, won't affect dhcp, but of course only a
good round of testing will prove that out :-)


 [I will be implementing this update and testing it over the next
 couple of days.  For one thing, I need to integrate my DHCPv6, etc.
 patches with this.  For one thing, I need to pick up the dnsmasq
 version implemented by this patch.]

 4.  What about the situation where an Internet publically available
 service is implemented on a virtual (guest) system.  I assume that the
 dnsmasq instance for the virtual network interface will not be
 directly available for external queries.  How about if the
 virtualization host is running yet another instance of dnsmasq (not
 started by libvirt) which forwards queries to the dnsmasq instance
 started by libvirt (the query would be sent to an address on the
 virtual network interface).

That's definitely something I need to try before pushing...

Okay, I just tried it and it works (although the packets show up on lo
rather than the bridge). This is the same behavior as previously.


 5.  I assume dnsmasq will respond to queries on any IPv4 or IPv6
 (gateway) address defined on a virtual network interface.

Correct. As long as it arrives at the listening socket via the bridge
interface for that network.


 6.  I assume that, if no IPv4 or IPv6 (gateway) addresses are defined
 on an interface, dnsmasq will not be started for that interface.

Correct. That's always been the case, and doesn't change now.


 7.  Are there any conditions where bind-interface would still be
 preferable to bind-dynamic?  [Maybe I need to ask Simon Kelley this
 question.]

I notice that you asked him on dnsmasq-discuss, and his answer was (as
far as I understood) no.


 Comment:  You sure did put a lot of effort into making sure that
 libvirt would still work with older versions of dnsmasq which did not
 support bind-dynamic.

The first rule of libvirt club is to not needlessly break existing
installations :-) (seriously though, we can't be sure how long it would
be until other distros get a new enough dnsmasq, and we can't break
libvirt for all those people in the interim). Whenever something is
added to libvirt, we're not only thinking of compatibility with running
a new libvirt on a system with older