Currently the LXC driver logs audit messages when a container
is started or stopped. These audit messages, however, contain
the PID of the libvirt_lxc supervisor process. To enable
sysadmins to correlate with audit messages generated by
processes /inside/ the container, we need to include the
container init process PID.
We can't do this in the main 'start' audit message, since
the init PID is not available at that point. Instead we output
a completely new audit record, that lists both PIDs.
type=VIRT_CONTROL msg=audit(
1353433750.071:363): pid=20180 uid=0 auid=501 ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='virt=lxc op=init vm="busy" uuid=
dda7b947-0846-1759-2873-
0f375df7d7eb vm-pid=20371 init-pid=20372 exe="/home/berrange/src/virt/libvirt/daemon/.libs/lt-libvirtd" hostname=? addr=? terminal=pts/6 res=success'
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
virDomainAuditLifecycle(vm, "start", reason, success);
}
+void
+virDomainAuditInit(virDomainObjPtr vm,
+ pid_t initpid)
+{
+ char uuidstr[VIR_UUID_STRING_BUFLEN];
+ char *vmname;
+ const char *virt;
+
+ virUUIDFormat(vm->def->uuid, uuidstr);
+
+ if (!(vmname = virAuditEncode("vm", vm->def->name))) {
+ VIR_WARN("OOM while encoding audit message");
+ return;
+ }
+
+ if (!(virt = virDomainVirtTypeToString(vm->def->virtType))) {
+ VIR_WARN("Unexpected virt type %d while encoding audit message", vm->def->virtType);
+ virt = "?";
+ }
+
+ VIR_AUDIT(VIR_AUDIT_RECORD_MACHINE_CONTROL, true,
+ "virt=%s op=init %s uuid=%s vm-pid=%lld init-pid=%lld",
+ virt, vmname, uuidstr, (long long)vm->pid, (long long)initpid);
+
+ VIR_FREE(vmname);
+}
void
virDomainAuditStop(virDomainObjPtr vm, const char *reason)
const char *reason,
bool success)
ATTRIBUTE_NONNULL(1) ATTRIBUTE_NONNULL(2);
+void virDomainAuditInit(virDomainObjPtr vm,
+ pid_t pid)
+ ATTRIBUTE_NONNULL(1);
void virDomainAuditStop(virDomainObjPtr vm,
const char *reason)
ATTRIBUTE_NONNULL(1) ATTRIBUTE_NONNULL(2);
virDomainAuditDisk;
virDomainAuditFS;
virDomainAuditHostdev;
+virDomainAuditInit;
virDomainAuditMemory;
virDomainAuditNet;
virDomainAuditNetDevice;
/* Server socket */
virNetServerPtr server;
+ bool firstClient;
virNetServerClientPtr client;
virNetServerProgramPtr prog;
bool inShutdown;
#include "lxc_controller_dispatch.h"
static void virLXCControllerFree(virLXCControllerPtr ctrl);
+static int virLXCControllerEventSendInit(virLXCControllerPtr ctrl,
+ pid_t initpid);
static void virLXCControllerQuitTimer(int timer ATTRIBUTE_UNUSED, void *opaque)
{
goto no_memory;
ctrl->timerShutdown = -1;
+ ctrl->firstClient = true;
if (!(ctrl->name = strdup(name)))
goto no_memory;
virNetServerClientSetCloseHook(client, virLXCControllerClientCloseHook);
VIR_DEBUG("Got new client %p", client);
ctrl->client = client;
+
+ if (ctrl->initpid && ctrl->firstClient)
+ virLXCControllerEventSendInit(ctrl, ctrl->initpid);
+ ctrl->firstClient = false;
+
return dummy;
}
{
virNetMessagePtr msg;
- if (!ctrl->client)
+ if (!ctrl->client) {
+ VIR_WARN("Dropping event %d becuase libvirtd is not connected", procnr);
return;
+ }
VIR_DEBUG("Send event %d client=%p", procnr, ctrl->client);
if (!(msg = virNetMessageNew(false)))
}
+static int
+virLXCControllerEventSendInit(virLXCControllerPtr ctrl,
+ pid_t initpid)
+{
+ virLXCProtocolInitEventMsg msg;
+
+ VIR_DEBUG("Init pid %llu", (unsigned long long)initpid);
+ memset(&msg, 0, sizeof(msg));
+ msg.initpid = initpid;
+
+ virLXCControllerEventSend(ctrl,
+ VIR_LXC_PROTOCOL_PROC_INIT_EVENT,
+ (xdrproc_t)xdr_virLXCProtocolInitEventMsg,
+ (void*)&msg);
+ return 0;
+}
+
+
static int
virLXCControllerRun(virLXCControllerPtr ctrl)
{
virLXCMonitorHandleEventExit(virNetClientProgramPtr prog,
virNetClientPtr client,
void *evdata, void *opaque);
+static void
+virLXCMonitorHandleEventInit(virNetClientProgramPtr prog,
+ virNetClientPtr client,
+ void *evdata, void *opaque);
static virNetClientProgramEvent virLXCProtocolEvents[] = {
{ VIR_LXC_PROTOCOL_PROC_EXIT_EVENT,
virLXCMonitorHandleEventExit,
sizeof(virLXCProtocolExitEventMsg),
(xdrproc_t)xdr_virLXCProtocolExitEventMsg },
+ { VIR_LXC_PROTOCOL_PROC_INIT_EVENT,
+ virLXCMonitorHandleEventInit,
+ sizeof(virLXCProtocolInitEventMsg),
+ (xdrproc_t)xdr_virLXCProtocolInitEventMsg },
};
}
+static void
+virLXCMonitorHandleEventInit(virNetClientProgramPtr prog ATTRIBUTE_UNUSED,
+ virNetClientPtr client ATTRIBUTE_UNUSED,
+ void *evdata, void *opaque)
+{
+ virLXCMonitorPtr mon = opaque;
+ virLXCProtocolInitEventMsg *msg = evdata;
+
+ VIR_DEBUG("Event init %llu",
+ (unsigned long long)msg->initpid);
+ if (mon->cb.initNotify)
+ mon->cb.initNotify(mon, (pid_t)msg->initpid, mon->vm);
+}
+
+
static void virLXCMonitorEOFNotify(virNetClientPtr client ATTRIBUTE_UNUSED,
int reason ATTRIBUTE_UNUSED,
void *opaque)
virLXCProtocolExitStatus status,
virDomainObjPtr vm);
+typedef void (*virLXCMonitorCallbackInitNotify)(virLXCMonitorPtr mon,
+ pid_t pid,
+ virDomainObjPtr vm);
+
struct _virLXCMonitorCallbacks {
virLXCMonitorCallbackDestroy destroy;
virLXCMonitorCallbackEOFNotify eofNotify;
virLXCMonitorCallbackExitNotify exitNotify;
+ virLXCMonitorCallbackInitNotify initNotify;
};
virLXCMonitorPtr virLXCMonitorNew(virDomainObjPtr vm,
priv->stopReason, status);
}
+static void virLXCProcessMonitorInitNotify(virLXCMonitorPtr mon ATTRIBUTE_UNUSED,
+ pid_t initpid,
+ virDomainObjPtr vm)
+{
+ virDomainAuditInit(vm, initpid);
+}
+
static virLXCMonitorCallbacks monitorCallbacks = {
.eofNotify = virLXCProcessMonitorEOFNotify,
.exitNotify = virLXCProcessMonitorExitNotify,
+ .initNotify = virLXCProcessMonitorInitNotify,
};
enum virLXCProtocolExitStatus status;
};
+struct virLXCProtocolInitEventMsg {
+ unsigned hyper initpid;
+};
+
const VIR_LXC_PROTOCOL_PROGRAM = 0x12341234;
const VIR_LXC_PROTOCOL_PROGRAM_VERSION = 1;
enum virLXCProtocolProcedure {
- VIR_LXC_PROTOCOL_PROC_EXIT_EVENT = 1 /* skipgen skipgen */
+ VIR_LXC_PROTOCOL_PROC_EXIT_EVENT = 1, /* skipgen skipgen */
+ VIR_LXC_PROTOCOL_PROC_INIT_EVENT = 2 /* skipgen skipgen */
};
projects / people / dariof / libvirt.git / commitdiff