Accepting request 243625 from home:jfehlig:branches:Virtualization

- Update to libvirt 1.2.7
  - Introduce virConnectGetDomainCapabilities
  - Many incremental improvements and bug fixes, see
    http://libvirt.org/news.html
  - Drop upstream patches: dba3432b-virt-lxc-convert-fix.patch,
    9b1e4cd5-skip-useless-apparmor-files.patch,
    dba3432b-virt-lxc-convert-fix.patch,
    add-nocow-to-vol-xml.patch,
    lxc-keep-caps-feature.patch,
    lxc-keep-caps-feature-conversion.patch,
    lxc-keep-caps-feature-doc.patch,
    lxc-net-target-name.patch,
    lxc-net-target-name-conversion.patch,
    lxc-net-target-name-doc.patch

OBS-URL: https://build.opensuse.org/request/show/243625
OBS-URL: https://build.opensuse.org/package/show/Virtualization/libvirt?expand=0&rev=393
James Fehlig 2014-08-04 17:17:49 +00:00 committed by Git OBS Bridge
parent 164c37781e
commit 02bfe2161f
27 changed files with 118 additions and 2346 deletions


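--- a/9265f8ab-apparmor-lxc-rework.patch
+++ /dev/null
-From 9265f8ab67dc14fe89a26efd5c22b156d3168fd6 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?C=C3=A9dric=20Bosdonnat?= <cbosdonnat@suse.com>
-Date: Tue, 15 Jul 2014 11:02:50 +0200
-Subject: [PATCH] Rework lxc apparmor profile
-Rework the apparmor lxc profile abstraction to mimic ubuntu's container-default.
-This profile allows quite a lot, but strives to restrict access to
-dangerous resources.
-Removing the explicit authorizations to bash, systemd and cron files,
-forces them to keep the lxc profile for all applications inside the
-container. PUx permissions where leading to running systemd (and others
-tasks) unconfined.
-Put the generic files, network and capabilities restrictions directly
-in the TEMPLATE.lxc: this way, users can restrict them on a per
-container basis.
----
-examples/apparmor/Makefile.am | 6 +-
-examples/apparmor/TEMPLATE.lxc | 15 ++++
-examples/apparmor/{TEMPLATE => TEMPLATE.qemu} | 2 +-
-examples/apparmor/libvirt-lxc | 119 +++++++++++++++++++++++---
-src/security/security_apparmor.c | 21 +++--
-src/security/virt-aa-helper.c | 29 +------
-6 files changed, 149 insertions(+), 43 deletions(-)
-create mode 100644 examples/apparmor/TEMPLATE.lxc
-rename examples/apparmor/{TEMPLATE => TEMPLATE.qemu} (75%)
-Index: libvirt-1.2.6/examples/apparmor/Makefile.am
-===================================================================
---- libvirt-1.2.6.orig/examples/apparmor/Makefile.am
-+++ libvirt-1.2.6/examples/apparmor/Makefile.am
-@@ -15,7 +15,8 @@
-## <http://www.gnu.org/licenses/>.
-EXTRA_DIST= \
-- TEMPLATE \
-+ TEMPLATE.qemu \
-+ TEMPLATE.lxc \
-libvirt-qemu \
-libvirt-lxc \
-usr.lib.libvirt.virt-aa-helper \
-@@ -36,6 +37,7 @@ abstractions_DATA = \
-templatesdir = $(apparmordir)/libvirt
-templates_DATA = \
-- TEMPLATE \
-+ TEMPLATE.qemu \
-+ TEMPLATE.lxc \
-$(NULL)
-endif WITH_APPARMOR_PROFILES
-Index: libvirt-1.2.6/examples/apparmor/TEMPLATE.lxc
-===================================================================
---- /dev/null
-+++ libvirt-1.2.6/examples/apparmor/TEMPLATE.lxc
-@@ -0,0 +1,15 @@
-+#
-+# This profile is for the domain whose UUID matches this file.
-+#
-+
-+#include <tunables/global>
-+
-+profile LIBVIRT_TEMPLATE {
-+ #include <abstractions/libvirt-lxc>
-+
-+ # Globally allows everything to run under this profile
-+ # These can be narrowed depending on the container's use.
-+ file,
-+ capability,
-+ network,
-+}
-Index: libvirt-1.2.6/examples/apparmor/TEMPLATE
-===================================================================
---- libvirt-1.2.6.orig/examples/apparmor/TEMPLATE
-+++ /dev/null
-@@ -1,9 +0,0 @@
--#
--# This profile is for the domain whose UUID matches this file.
--#
--
--#include <tunables/global>
--
--profile LIBVIRT_TEMPLATE {
-- #include <abstractions/libvirt-driver>
--}
-Index: libvirt-1.2.6/examples/apparmor/TEMPLATE.qemu
-===================================================================
---- /dev/null
-+++ libvirt-1.2.6/examples/apparmor/TEMPLATE.qemu
-@@ -0,0 +1,9 @@
-+#
-+# This profile is for the domain whose UUID matches this file.
-+#
-+
-+#include <tunables/global>
-+
-+profile LIBVIRT_TEMPLATE {
-+ #include <abstractions/libvirt-qemu>
-+}
-Index: libvirt-1.2.6/examples/apparmor/libvirt-lxc
-===================================================================
---- libvirt-1.2.6.orig/examples/apparmor/libvirt-lxc
-+++ libvirt-1.2.6/examples/apparmor/libvirt-lxc
-@@ -2,16 +2,115 @@
-#include <abstractions/base>
-- # Needed for lxc-enter-namespace
-- capability sys_admin,
-- capability sys_chroot,
--
-- # Added for lxc-enter-namespace --cmd /bin/bash
-- /bin/bash PUx,
--
-- /usr/sbin/cron PUx,
-- /usr/lib/systemd/systemd PUx,
--
-- /usr/lib/libsystemd-*.so.* mr,
-- /usr/lib/libudev-*.so.* mr,
-- /etc/ld.so.cache mr,
-+ umount,
-+
-+ # ignore DENIED message on / remount
-+ deny mount options=(ro, remount) -> /,
-+
-+ # allow tmpfs mounts everywhere
-+ mount fstype=tmpfs,
-+
-+ # allow mqueue mounts everywhere
-+ mount fstype=mqueue,
-+
-+ # allow fuse mounts everywhere
-+ mount fstype=fuse.*,
-+
-+ # deny writes in /proc/sys/fs but allow binfmt_misc to be mounted
-+ mount fstype=binfmt_misc -> /proc/sys/fs/binfmt_misc/,
-+ deny @{PROC}/sys/fs/** wklx,
-+
-+ # allow efivars to be mounted, writing to it will be blocked though
-+ mount fstype=efivarfs -> /sys/firmware/efi/efivars/,
-+
-+ # block some other dangerous paths
-+ deny @{PROC}/sysrq-trigger rwklx,
-+ deny @{PROC}/mem rwklx,
-+ deny @{PROC}/kmem rwklx,
-+
-+ # deny writes in /sys except for /sys/fs/cgroup, also allow
-+ # fusectl, securityfs and debugfs to be mounted there (read-only)
-+ mount fstype=fusectl -> /sys/fs/fuse/connections/,
-+ mount fstype=securityfs -> /sys/kernel/security/,
-+ mount fstype=debugfs -> /sys/kernel/debug/,
-+ mount fstype=proc -> /proc/,
-+ mount fstype=sysfs -> /sys/,
-+ deny /sys/firmware/efi/efivars/** rwklx,
-+ deny /sys/kernel/security/** rwklx,
-+
-+ # generated by: lxc-generate-aa-rules.py container-rules.base
-+ deny /proc/sys/[^kn]*{,/**} wklx,
-+ deny /proc/sys/k[^e]*{,/**} wklx,
-+ deny /proc/sys/ke[^r]*{,/**} wklx,
-+ deny /proc/sys/ker[^n]*{,/**} wklx,
-+ deny /proc/sys/kern[^e]*{,/**} wklx,
-+ deny /proc/sys/kerne[^l]*{,/**} wklx,
-+ deny /proc/sys/kernel/[^smhd]*{,/**} wklx,
-+ deny /proc/sys/kernel/d[^o]*{,/**} wklx,
-+ deny /proc/sys/kernel/do[^m]*{,/**} wklx,
-+ deny /proc/sys/kernel/dom[^a]*{,/**} wklx,
-+ deny /proc/sys/kernel/doma[^i]*{,/**} wklx,
-+ deny /proc/sys/kernel/domai[^n]*{,/**} wklx,
-+ deny /proc/sys/kernel/domain[^n]*{,/**} wklx,
-+ deny /proc/sys/kernel/domainn[^a]*{,/**} wklx,
-+ deny /proc/sys/kernel/domainna[^m]*{,/**} wklx,
-+ deny /proc/sys/kernel/domainnam[^e]*{,/**} wklx,
-+ deny /proc/sys/kernel/domainname?*{,/**} wklx,
-+ deny /proc/sys/kernel/h[^o]*{,/**} wklx,
-+ deny /proc/sys/kernel/ho[^s]*{,/**} wklx,
-+ deny /proc/sys/kernel/hos[^t]*{,/**} wklx,
-+ deny /proc/sys/kernel/host[^n]*{,/**} wklx,
-+ deny /proc/sys/kernel/hostn[^a]*{,/**} wklx,
-+ deny /proc/sys/kernel/hostna[^m]*{,/**} wklx,
-+ deny /proc/sys/kernel/hostnam[^e]*{,/**} wklx,
-+ deny /proc/sys/kernel/hostname?*{,/**} wklx,
-+ deny /proc/sys/kernel/m[^s]*{,/**} wklx,
-+ deny /proc/sys/kernel/ms[^g]*{,/**} wklx,
-+ deny /proc/sys/kernel/msg*/** wklx,
-+ deny /proc/sys/kernel/s[^he]*{,/**} wklx,
-+ deny /proc/sys/kernel/se[^m]*{,/**} wklx,
-+ deny /proc/sys/kernel/sem*/** wklx,
-+ deny /proc/sys/kernel/sh[^m]*{,/**} wklx,
-+ deny /proc/sys/kernel/shm*/** wklx,
-+ deny /proc/sys/kernel?*{,/**} wklx,
-+ deny /proc/sys/n[^e]*{,/**} wklx,
-+ deny /proc/sys/ne[^t]*{,/**} wklx,
-+ deny /proc/sys/net?*{,/**} wklx,
-+ deny /sys/[^fdc]*{,/**} wklx,
-+ deny /sys/c[^l]*{,/**} wklx,
-+ deny /sys/cl[^a]*{,/**} wklx,
-+ deny /sys/cla[^s]*{,/**} wklx,
-+ deny /sys/clas[^s]*{,/**} wklx,
-+ deny /sys/class/[^n]*{,/**} wklx,
-+ deny /sys/class/n[^e]*{,/**} wklx,
-+ deny /sys/class/ne[^t]*{,/**} wklx,
-+ deny /sys/class/net?*{,/**} wklx,
-+ deny /sys/class?*{,/**} wklx,
-+ deny /sys/d[^e]*{,/**} wklx,
-+ deny /sys/de[^v]*{,/**} wklx,
-+ deny /sys/dev[^i]*{,/**} wklx,
-+ deny /sys/devi[^c]*{,/**} wklx,
-+ deny /sys/devic[^e]*{,/**} wklx,
-+ deny /sys/device[^s]*{,/**} wklx,
-+ deny /sys/devices/[^v]*{,/**} wklx,
-+ deny /sys/devices/v[^i]*{,/**} wklx,
-+ deny /sys/devices/vi[^r]*{,/**} wklx,
-+ deny /sys/devices/vir[^t]*{,/**} wklx,
-+ deny /sys/devices/virt[^u]*{,/**} wklx,
-+ deny /sys/devices/virtu[^a]*{,/**} wklx,
-+ deny /sys/devices/virtua[^l]*{,/**} wklx,
-+ deny /sys/devices/virtual/[^n]*{,/**} wklx,
-+ deny /sys/devices/virtual/n[^e]*{,/**} wklx,
-+ deny /sys/devices/virtual/ne[^t]*{,/**} wklx,
-+ deny /sys/devices/virtual/net?*{,/**} wklx,
-+ deny /sys/devices/virtual?*{,/**} wklx,
-+ deny /sys/devices?*{,/**} wklx,
-+ deny /sys/f[^s]*{,/**} wklx,
-+ deny /sys/fs/[^c]*{,/**} wklx,
-+ deny /sys/fs/c[^g]*{,/**} wklx,
-+ deny /sys/fs/cg[^r]*{,/**} wklx,
-+ deny /sys/fs/cgr[^o]*{,/**} wklx,
-+ deny /sys/fs/cgro[^u]*{,/**} wklx,
-+ deny /sys/fs/cgrou[^p]*{,/**} wklx,
-+ deny /sys/fs/cgroup?*{,/**} wklx,
-+ deny /sys/fs?*{,/**} wklx,
-Index: libvirt-1.2.6/src/security/security_apparmor.c
-===================================================================
---- libvirt-1.2.6.orig/src/security/security_apparmor.c
-+++ libvirt-1.2.6/src/security/security_apparmor.c
-@@ -351,26 +351,37 @@ AppArmorSetSecuritySCSILabel(virSCSIDevi
-static int
-AppArmorSecurityManagerProbe(const char *virtDriver ATTRIBUTE_UNUSED)
-{
-- char *template = NULL;
-+ char *template_qemu = NULL;
-+ char *template_lxc = NULL;
-int rc = SECURITY_DRIVER_DISABLE;
-if (use_apparmor() < 0)
-return rc;
-/* see if template file exists */
-- if (virAsprintf(&template, "%s/TEMPLATE",
-+ if (virAsprintf(&template_qemu, "%s/TEMPLATE.qemu",
-APPARMOR_DIR "/libvirt") == -1)
-return rc;
-- if (!virFileExists(template)) {
-+ if (virAsprintf(&template_lxc, "%s/TEMPLATE.lxc",
-+ APPARMOR_DIR "/libvirt") == -1)
-+ goto cleanup;
-+
-+ if (!virFileExists(template_qemu)) {
-+ virReportError(VIR_ERR_INTERNAL_ERROR,
-+ _("template \'%s\' does not exist"), template_qemu);
-+ goto cleanup;
-+ }
-+ if (!virFileExists(template_lxc)) {
-virReportError(VIR_ERR_INTERNAL_ERROR,
-- _("template \'%s\' does not exist"), template);
-+ _("template \'%s\' does not exist"), template_lxc);
-goto cleanup;
-}
-rc = SECURITY_DRIVER_ENABLE;
-cleanup:
-- VIR_FREE(template);
-+ VIR_FREE(template_qemu);
-+ VIR_FREE(template_lxc);
-return rc;
-}
-Index: libvirt-1.2.6/src/security/virt-aa-helper.c
-===================================================================
---- libvirt-1.2.6.orig/src/security/virt-aa-helper.c
-+++ libvirt-1.2.6/src/security/virt-aa-helper.c
-@@ -336,24 +336,20 @@ create_profile(const char *profile, cons
-char *pcontent = NULL;
-char *replace_name = NULL;
-char *replace_files = NULL;
-- char *replace_driver = NULL;
-const char *template_name = "\nprofile LIBVIRT_TEMPLATE";
-const char *template_end = "\n}";
-- const char *template_driver = "libvirt-driver";
-int tlen, plen;
-int fd;
-int rc = -1;
-- const char *driver_name = "qemu";
--
-- if (virtType == VIR_DOMAIN_VIRT_LXC)
-- driver_name = "lxc";
-if (virFileExists(profile)) {
-vah_error(NULL, 0, _("profile exists"));
-goto end;
-}
-- if (virAsprintfQuiet(&template, "%s/TEMPLATE", APPARMOR_DIR "/libvirt") < 0) {
-+
-+ if (virAsprintfQuiet(&template, "%s/TEMPLATE.%s", APPARMOR_DIR "/libvirt",
-+ virDomainVirtTypeToString(virtType)) < 0) {
-vah_error(NULL, 0, _("template name exceeds maximum length"));
-goto end;
-}
-@@ -378,11 +374,6 @@ create_profile(const char *profile, cons
-goto clean_tcontent;
-}
-- if (strstr(tcontent, template_driver) == NULL) {
-- vah_error(NULL, 0, _("no replacement string in template"));
-- goto clean_tcontent;
-- }
--
-/* '\nprofile <profile_name>\0' */
-if (virAsprintfQuiet(&replace_name, "\nprofile %s", profile_name) == -1) {
-vah_error(NULL, 0, _("could not allocate memory for profile name"));
-@@ -397,15 +388,7 @@ create_profile(const char *profile, cons
-goto clean_tcontent;
-}
-- /* 'libvirt-<driver_name>\0' */
-- if (virAsprintfQuiet(&replace_driver, "libvirt-%s", driver_name) == -1) {
-- vah_error(NULL, 0, _("could not allocate memory for profile driver"));
-- VIR_FREE(replace_driver);
-- goto clean_tcontent;
-- }
--
-- plen = tlen + strlen(replace_name) - strlen(template_name) +
-- strlen(replace_driver) - strlen(template_driver) + 1;
-+ plen = tlen + strlen(replace_name) - strlen(template_name) + 1;
-if (virtType != VIR_DOMAIN_VIRT_LXC)
-plen += strlen(replace_files) - strlen(template_end);
-@@ -422,9 +405,6 @@ create_profile(const char *profile, cons
-pcontent[0] = '\0';
-strcpy(pcontent, tcontent);
-- if (replace_string(pcontent, plen, template_driver, replace_driver) < 0)
-- goto clean_all;
--
-if (replace_string(pcontent, plen, template_name, replace_name) < 0)
-goto clean_all;
-@@ -455,7 +435,6 @@ create_profile(const char *profile, cons
-clean_replace:
-VIR_FREE(replace_name);
-VIR_FREE(replace_files);
-- VIR_FREE(replace_driver);
-clean_tcontent:
-VIR_FREE(tcontent);
-end: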


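--- a/9b1e4cd5-skip-useless-apparmor-files.patch
+++ /dev/null
-commit 9b1e4cd5034225c7f750b38968b576c966c51d75
-Author: Cédric Bosdonnat <cbosdonnat@suse.com>
-Date: Wed Jul 9 16:15:02 2014 +0200
-Don't output libvirt-UUID.files for LXC apparmor profiles
----
-src/security/virt-aa-helper.c | 5 ++++-
-1 file changed, 4 insertions(+), 1 deletion(-)
-diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c
-index b5f66f3..c8f17f9 100644
---- a/src/security/virt-aa-helper.c
-+++ b/src/security/virt-aa-helper.c
-@@ -1342,10 +1342,13 @@ main(int argc, char **argv)
-vah_info(include_file);
-vah_info(included_files);
-rc = 0;
-+ } else if (ctl->def->virtType == VIR_DOMAIN_VIRT_LXC) {
-+ rc = 0;
-} else if ((rc = update_include_file(include_file,
-included_files,
-- ctl->append)) != 0)
-+ ctl->append)) != 0) {
-goto cleanup;
-+ }
-/* create the profile from TEMPLATE */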


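--- a/add-nocow-to-vol-xml.patch
+++ /dev/null
-commit ccc0b45917fa76a77ff83f1ddfd30836c8c3805e
-Author: Chunyan Liu <cyliu@suse.com>
-Date: Wed May 7 12:45:40 2014 +0800
-add nocow to vol xml
-Updated patch. Rebase to git master.
-Signed-off-by: Chunyan Liu <cyliu@suse.com>
-Index: libvirt-1.2.6/docs/schemas/storagevol.rng
-===================================================================
---- libvirt-1.2.6.orig/docs/schemas/storagevol.rng
-+++ libvirt-1.2.6/docs/schemas/storagevol.rng
-@@ -138,6 +138,11 @@
-<ref name='compat'/>
-</optional>
-<optional>
-+ <element name='nocow'>
-+ <empty/>
-+ </element>
-+ </optional>
-+ <optional>
-<ref name='fileFormatFeatures'/>
-</optional>
-</interleave>
-Index: libvirt-1.2.6/src/conf/storage_conf.c
-===================================================================
---- libvirt-1.2.6.orig/src/conf/storage_conf.c
-+++ libvirt-1.2.6/src/conf/storage_conf.c
-@@ -1397,6 +1397,9 @@ virStorageVolDefParseXML(virStoragePoolD
-virStringFreeList(version);
-}
-+ if (virXPathNode("./target/nocow", ctxt))
-+ ret->target.nocow = true;
-+
-if (options->featureFromString && virXPathNode("./target/features", ctxt)) {
-if ((n = virXPathNodeSet("./target/features/*", ctxt, &nodes)) < 0)
-goto error;
-Index: libvirt-1.2.6/src/storage/storage_backend.c
-===================================================================
---- libvirt-1.2.6.orig/src/storage/storage_backend.c
-+++ libvirt-1.2.6/src/storage/storage_backend.c
-@@ -37,6 +37,9 @@
-#ifdef __linux__
-# include <sys/ioctl.h>
-# include <linux/fs.h>
-+# ifndef FS_NOCOW_FL
-+# define FS_NOCOW_FL 0x00800000 /* Do not cow file */
-+# endif
-#endif
-#if WITH_SELINUX
-@@ -452,6 +455,21 @@ virStorageBackendCreateRaw(virConnectPtr
-goto cleanup;
-}
-+ if (vol->target.nocow) {
-+#ifdef __linux__
-+ int attr;
-+
-+ /* Set NOCOW flag. This is an optimisation for btrfs.
-+ * The FS_IOC_SETFLAGS ioctl return value will be ignored since any
-+ * failure of this operation should not block the left work.
-+ */
-+ if (ioctl(fd, FS_IOC_GETFLAGS, &attr) == 0) {
-+ attr |= FS_NOCOW_FL;
-+ ioctl(fd, FS_IOC_SETFLAGS, &attr);
-+ }
-+#endif
-+ }
-+
-if ((ret = createRawFile(fd, vol, inputvol)) < 0)
-/* createRawFile already reported the exact error. */
-ret = -1;
-@@ -717,6 +735,7 @@ virStorageBackendCreateQemuImgOpts(char
-bool preallocate,
-int format,
-const char *compat,
-+ bool nocow,
-virBitmapPtr features)
-{
-virBuffer buf = VIR_BUFFER_INITIALIZER;
-@@ -729,6 +748,8 @@ virStorageBackendCreateQemuImgOpts(char
-virBufferAddLit(&buf, "encryption=on,");
-if (preallocate)
-virBufferAddLit(&buf, "preallocation=metadata,");
-+ if (nocow)
-+ virBufferAddLit(&buf, "nocow=on,");
-if (compat)
-virBufferAsprintf(&buf, "compat=%s,", compat);
-@@ -950,6 +971,7 @@ virStorageBackendCreateQemuImgCmd(virCon
-do_encryption, preallocate,
-vol->target.format,
-compat,
-+ vol->target.nocow,
-vol->target.features) < 0) {
-virCommandFree(cmd);
-return NULL;
-Index: libvirt-1.2.6/src/util/virstoragefile.h
-===================================================================
---- libvirt-1.2.6.orig/src/util/virstoragefile.h
-+++ libvirt-1.2.6/src/util/virstoragefile.h
-@@ -232,6 +232,7 @@ struct _virStorageSource {
-* pool-specific enum for storage volumes */
-virBitmapPtr features;
-char *compat;
-+ bool nocow;
-virStoragePermsPtr perms;
-virStorageTimestampsPtr timestamps;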


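--- a/dba3432b-virt-lxc-convert-fix.patch
+++ /dev/null
-From 236a18572216a35f742824f4056108245fac3082 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?C=C3=A9dric=20Bosdonnat?= <cbosdonnat@suse.com>
-Date: Fri, 4 Jul 2014 15:57:17 +0200
-Subject: [PATCH] virt-lxc-convert: make free return values in bytes
----
-examples/lxcconvert/virt-lxc-convert | 2 +-
-1 file changed, 1 insertion(+), 1 deletion(-)
-Index: libvirt-1.2.5/examples/lxcconvert/virt-lxc-convert
-===================================================================
---- libvirt-1.2.5.orig/examples/lxcconvert/virt-lxc-convert
-+++ libvirt-1.2.5/examples/lxcconvert/virt-lxc-convert
-@@ -64,7 +64,7 @@ if test -r "$fstab"; then
-sed 's/^\([^#]\)/lxc.mount.entry = \1/' "$fstab" >>"${conf_new}"
-fi
--memory=$(free | sed -n '/Mem:/s/ \+/ /gp' | cut -f 2 -d ' ')
-+memory=$(free -b | sed -n '/Mem:/s/ \+/ /gp' | cut -f 2 -d ' ')
-default_tmpfs="size=$((memory/2))"
-# Do we have tmpfs without size param?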


@ -1,7 +1,7 @@
Index: libvirt-1.2.6/tests/vircgrouptest.c
Index: libvirt-1.2.7/tests/vircgrouptest.c
===================================================================
--- libvirt-1.2.6.orig/tests/vircgrouptest.c
+++ libvirt-1.2.6/tests/vircgrouptest.c
--- libvirt-1.2.7.orig/tests/vircgrouptest.c
+++ libvirt-1.2.7/tests/vircgrouptest.c
@@ -33,7 +33,6 @@
# include "virlog.h"
# include "virfile.h"


@ -8,11 +8,11 @@ uses the 'device_configure' RPC.
This patch changes the xend driver to always call 'device_configure' for
PCI devices to be consistent with the usage in the xen tools.
Index: libvirt-1.2.6/src/xen/xend_internal.c
Index: libvirt-1.2.7/src/xen/xend_internal.c
===================================================================
--- libvirt-1.2.6.orig/src/xen/xend_internal.c
+++ libvirt-1.2.6/src/xen/xend_internal.c
@@ -2222,6 +2222,7 @@ xenDaemonAttachDeviceFlags(virConnectPtr
--- libvirt-1.2.7.orig/src/xen/xend_internal.c
+++ libvirt-1.2.7/src/xen/xend_internal.c
@@ -2221,6 +2221,7 @@ xenDaemonAttachDeviceFlags(virConnectPtr
virBuffer buf = VIR_BUFFER_INITIALIZER;
char class[8], ref[80];
char *target = NULL;
@ -20,7 +20,7 @@ Index: libvirt-1.2.6/src/xen/xend_internal.c
virCheckFlags(VIR_DOMAIN_AFFECT_LIVE | VIR_DOMAIN_AFFECT_CONFIG, -1);
@@ -2320,8 +2321,18 @@ xenDaemonAttachDeviceFlags(virConnectPtr
@@ -2319,8 +2320,18 @@ xenDaemonAttachDeviceFlags(virConnectPtr
}
sexpr = virBufferContentAndReset(&buf);


@ -1,7 +1,7 @@
Index: libvirt-1.2.6/examples/apparmor/Makefile.am
Index: libvirt-1.2.7/examples/apparmor/Makefile.am
===================================================================
--- libvirt-1.2.6.orig/examples/apparmor/Makefile.am
+++ libvirt-1.2.6/examples/apparmor/Makefile.am
--- libvirt-1.2.7.orig/examples/apparmor/Makefile.am
+++ libvirt-1.2.7/examples/apparmor/Makefile.am
@@ -19,10 +19,22 @@ EXTRA_DIST= \
TEMPLATE.lxc \
libvirt-qemu \
@ -27,10 +27,10 @@ Index: libvirt-1.2.6/examples/apparmor/Makefile.am
apparmordir = $(sysconfdir)/apparmor.d/
apparmor_DATA = \
usr.lib.libvirt.virt-aa-helper \
Index: libvirt-1.2.6/examples/apparmor/usr.lib.libvirt.virt-aa-helper.in
Index: libvirt-1.2.7/examples/apparmor/usr.lib.libvirt.virt-aa-helper.in
===================================================================
--- /dev/null
+++ libvirt-1.2.6/examples/apparmor/usr.lib.libvirt.virt-aa-helper.in
+++ libvirt-1.2.7/examples/apparmor/usr.lib.libvirt.virt-aa-helper.in
@@ -0,0 +1,48 @@
+# Last Modified: Mon Apr 5 15:10:27 2010
+#include <tunables/global>
@ -80,10 +80,10 @@ Index: libvirt-1.2.6/examples/apparmor/usr.lib.libvirt.virt-aa-helper.in
+ /**.[iI][sS][oO] r,
+ /**/disk{,.*} r,
+}
Index: libvirt-1.2.6/examples/apparmor/usr.sbin.libvirtd.in
Index: libvirt-1.2.7/examples/apparmor/usr.sbin.libvirtd.in
===================================================================
--- /dev/null
+++ libvirt-1.2.6/examples/apparmor/usr.sbin.libvirtd.in
+++ libvirt-1.2.7/examples/apparmor/usr.sbin.libvirtd.in
@@ -0,0 +1,67 @@
+# Last Modified: Mon Apr 5 15:03:58 2010
+#include <tunables/global>
@ -152,9 +152,9 @@ Index: libvirt-1.2.6/examples/apparmor/usr.sbin.libvirtd.in
+ change_profile -> @{LIBVIRT}-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*,
+
+}
Index: libvirt-1.2.6/examples/apparmor/usr.lib.libvirt.virt-aa-helper
Index: libvirt-1.2.7/examples/apparmor/usr.lib.libvirt.virt-aa-helper
===================================================================
--- libvirt-1.2.6.orig/examples/apparmor/usr.lib.libvirt.virt-aa-helper
--- libvirt-1.2.7.orig/examples/apparmor/usr.lib.libvirt.virt-aa-helper
+++ /dev/null
@@ -1,48 +0,0 @@
-# Last Modified: Mon Apr 5 15:10:27 2010
@ -205,9 +205,9 @@ Index: libvirt-1.2.6/examples/apparmor/usr.lib.libvirt.virt-aa-helper
- /**.[iI][sS][oO] r,
- /**/disk{,.*} r,
-}
Index: libvirt-1.2.6/examples/apparmor/usr.sbin.libvirtd
Index: libvirt-1.2.7/examples/apparmor/usr.sbin.libvirtd
===================================================================
--- libvirt-1.2.6.orig/examples/apparmor/usr.sbin.libvirtd
--- libvirt-1.2.7.orig/examples/apparmor/usr.sbin.libvirtd
+++ /dev/null
@@ -1,63 +0,0 @@
-# Last Modified: Mon Apr 5 15:03:58 2010


@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:99c005cf2a22a3919c5efa9b815181e776cb214b7005c24620a8a4a76efae544
size 21124173

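--- /dev/null
+++ b/libvirt-1.2.7.tar.bz2
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:89e36179a2e235ad4eed1b07829875c15c73b68a3132f19ba9ca64355fdaceef
+size 21382962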


@ -1,9 +1,9 @@
Adjust libvirt-guests init files to conform to SUSE standards
Index: libvirt-1.2.6/tools/libvirt-guests.init.in
Index: libvirt-1.2.7/tools/libvirt-guests.init.in
===================================================================
--- libvirt-1.2.6.orig/tools/libvirt-guests.init.in
+++ libvirt-1.2.6/tools/libvirt-guests.init.in
--- libvirt-1.2.7.orig/tools/libvirt-guests.init.in
+++ libvirt-1.2.7/tools/libvirt-guests.init.in
@@ -3,15 +3,15 @@
# the following is the LSB init header
#
@ -28,10 +28,10 @@ Index: libvirt-1.2.6/tools/libvirt-guests.init.in
### END INIT INFO
# the following is chkconfig init header
Index: libvirt-1.2.6/tools/libvirt-guests.sh.in
Index: libvirt-1.2.7/tools/libvirt-guests.sh.in
===================================================================
--- libvirt-1.2.6.orig/tools/libvirt-guests.sh.in
+++ libvirt-1.2.6/tools/libvirt-guests.sh.in
--- libvirt-1.2.7.orig/tools/libvirt-guests.sh.in
+++ libvirt-1.2.7/tools/libvirt-guests.sh.in
@@ -16,14 +16,13 @@
# License along with this library. If not, see
# <http://www.gnu.org/licenses/>.
@ -189,10 +189,10 @@ Index: libvirt-1.2.6/tools/libvirt-guests.sh.in
esac
-exit $RETVAL
+rc_exit
Index: libvirt-1.2.6/tools/libvirt-guests.sysconf
Index: libvirt-1.2.7/tools/libvirt-guests.sysconf
===================================================================
--- libvirt-1.2.6.orig/tools/libvirt-guests.sysconf
+++ libvirt-1.2.6/tools/libvirt-guests.sysconf
--- libvirt-1.2.7.orig/tools/libvirt-guests.sysconf
+++ libvirt-1.2.7/tools/libvirt-guests.sysconf
@@ -1,19 +1,29 @@
+## Path: System/Virtualization/libvirt-guests
+


@ -1,7 +1,7 @@
Index: libvirt-1.2.6/configure.ac
Index: libvirt-1.2.7/configure.ac
===================================================================
--- libvirt-1.2.6.orig/configure.ac
+++ libvirt-1.2.6/configure.ac
--- libvirt-1.2.7.orig/configure.ac
+++ libvirt-1.2.7/configure.ac
@@ -237,6 +237,7 @@ LIBVIRT_CHECK_FUSE
LIBVIRT_CHECK_GLUSTER
LIBVIRT_CHECK_HAL
@ -26,7 +26,7 @@ Index: libvirt-1.2.6/configure.ac
esac
if test "$with_interface" = "yes" ; then
@@ -2822,6 +2824,7 @@ LIBVIRT_RESULT_FUSE
@@ -2834,6 +2836,7 @@ LIBVIRT_RESULT_FUSE
LIBVIRT_RESULT_GLUSTER
LIBVIRT_RESULT_HAL
LIBVIRT_RESULT_NETCF
@ -34,11 +34,11 @@ Index: libvirt-1.2.6/configure.ac
LIBVIRT_RESULT_NUMACTL
LIBVIRT_RESULT_OPENWSMAN
LIBVIRT_RESULT_PCIACCESS
Index: libvirt-1.2.6/src/Makefile.am
Index: libvirt-1.2.7/src/Makefile.am
===================================================================
--- libvirt-1.2.6.orig/src/Makefile.am
+++ libvirt-1.2.6/src/Makefile.am
@@ -818,6 +818,10 @@ if WITH_NETCF
--- libvirt-1.2.7.orig/src/Makefile.am
+++ libvirt-1.2.7/src/Makefile.am
@@ -820,6 +820,10 @@ if WITH_NETCF
INTERFACE_DRIVER_SOURCES += \
interface/interface_backend_netcf.c
endif WITH_NETCF
@ -49,7 +49,7 @@ Index: libvirt-1.2.6/src/Makefile.am
if WITH_UDEV
INTERFACE_DRIVER_SOURCES += \
interface/interface_backend_udev.c
@@ -1414,10 +1418,15 @@ if WITH_NETCF
@@ -1416,10 +1420,15 @@ if WITH_NETCF
libvirt_driver_interface_la_CFLAGS += $(NETCF_CFLAGS)
libvirt_driver_interface_la_LIBADD += $(NETCF_LIBS)
else ! WITH_NETCF
@ -65,10 +65,10 @@ Index: libvirt-1.2.6/src/Makefile.am
endif ! WITH_NETCF
if WITH_DRIVER_MODULES
libvirt_driver_interface_la_LIBADD += ../gnulib/lib/libgnu.la
Index: libvirt-1.2.6/tools/virsh.c
Index: libvirt-1.2.7/tools/virsh.c
===================================================================
--- libvirt-1.2.6.orig/tools/virsh.c
+++ libvirt-1.2.6/tools/virsh.c
--- libvirt-1.2.7.orig/tools/virsh.c
+++ libvirt-1.2.7/tools/virsh.c
@@ -3320,6 +3320,8 @@ vshShowVersion(vshControl *ctl ATTRIBUTE
vshPrint(ctl, " Interface");
# if defined(WITH_NETCF)
@ -78,10 +78,10 @@ Index: libvirt-1.2.6/tools/virsh.c
# elif defined(WITH_UDEV)
vshPrint(ctl, " udev");
# endif
Index: libvirt-1.2.6/src/interface/interface_backend_netcf.c
Index: libvirt-1.2.7/src/interface/interface_backend_netcf.c
===================================================================
--- libvirt-1.2.6.orig/src/interface/interface_backend_netcf.c
+++ libvirt-1.2.6/src/interface/interface_backend_netcf.c
--- libvirt-1.2.7.orig/src/interface/interface_backend_netcf.c
+++ libvirt-1.2.7/src/interface/interface_backend_netcf.c
@@ -23,7 +23,12 @@
#include <config.h>
@ -165,10 +165,10 @@ Index: libvirt-1.2.6/src/interface/interface_backend_netcf.c
return 0;
}
Index: libvirt-1.2.6/src/interface/interface_driver.c
Index: libvirt-1.2.7/src/interface/interface_driver.c
===================================================================
--- libvirt-1.2.6.orig/src/interface/interface_driver.c
+++ libvirt-1.2.6/src/interface/interface_driver.c
--- libvirt-1.2.7.orig/src/interface/interface_driver.c
+++ libvirt-1.2.7/src/interface/interface_driver.c
@@ -30,8 +30,15 @@ interfaceRegister(void)
if (netcfIfaceRegister() == 0)
return 0;
@ -186,10 +186,10 @@ Index: libvirt-1.2.6/src/interface/interface_driver.c
if (udevIfaceRegister() == 0)
return 0;
#endif /* WITH_UDEV */
Index: libvirt-1.2.6/m4/virt-netcontrol.m4
Index: libvirt-1.2.7/m4/virt-netcontrol.m4
===================================================================
--- /dev/null
+++ libvirt-1.2.6/m4/virt-netcontrol.m4
+++ libvirt-1.2.7/m4/virt-netcontrol.m4
@@ -0,0 +1,35 @@
+dnl The libnetcontrol library
+dnl

View File

@ -1,3 +1,21 @@
-------------------------------------------------------------------
Mon Aug 4 09:32:57 MDT 2014 - jfehlig@suse.com
- Update to libvirt 1.2.7
- Introduce virConnectGetDomainCapabilities
- Many incremental improvements and bug fixes, see
http://libvirt.org/news.html
- Drop upstream patches: dba3432b-virt-lxc-convert-fix.patch,
9b1e4cd5-skip-useless-apparmor-files.patch,
dba3432b-virt-lxc-convert-fix.patch,
add-nocow-to-vol-xml.patch,
lxc-keep-caps-feature.patch,
lxc-keep-caps-feature-conversion.patch,
lxc-keep-caps-feature-doc.patch,
lxc-net-target-name.patch,
lxc-net-target-name-conversion.patch,
lxc-net-target-name-doc.patch
-------------------------------------------------------------------
Wed Jul 16 12:07:33 UTC 2014 - cbosdonnat@suse.com


@ -235,7 +235,7 @@
Name: libvirt
Url: http://libvirt.org/
Version: 1.2.6
Version: 1.2.7
Release: 0
Summary: Library providing a simple virtualization API
License: LGPL-2.1+
@ -428,20 +428,9 @@ Source1: libvirtd.init
Source2: libvirtd-relocation-server.fw
Source99: baselibs.conf
# Upstream patches
Patch0: dba3432b-virt-lxc-convert-fix.patch
Patch1: 9b1e4cd5-skip-useless-apparmor-files.patch
Patch2: 9265f8ab-apparmor-lxc-rework.patch
# Need to go upstream
Patch100: xen-name-for-devid.patch
Patch101: xen-pv-cdrom.patch
Patch102: add-nocow-to-vol-xml.patch
# pending review upstream patches
Patch150: lxc-keep-caps-feature.patch
Patch151: lxc-keep-caps-feature-conversion.patch
Patch152: lxc-keep-caps-feature-doc.patch
Patch153: lxc-net-target-name.patch
Patch154: lxc-net-target-name-conversion.patch
Patch155: lxc-net-target-name-doc.patch
# Our patches
Patch200: libvirtd-defaults.patch
Patch201: libvirtd-init-script.patch
@ -953,18 +942,8 @@ namespaces.
%prep
%setup -q
%patch0 -p1
%patch1 -p1
%patch2 -p1
%patch100 -p1
%patch101 -p1
%patch102 -p1
%patch150 -p1
%patch151 -p1
%patch152 -p1
%patch153 -p1
%patch154 -p1
%patch155 -p1
%patch200 -p1
%patch201 -p1
%patch202 -p1
@ -1191,7 +1170,7 @@ gzip -9 ChangeLog
%install
%makeinstall SYSTEMD_UNIT_DIR=%{_unitdir} DOCS_DIR=%{_docdir}/%{name}-python EXAMPLE_DIR=%{_docdir}/%{name}-python/examples HTML_DIR=%{_docdir}/%{name}
for i in object-events dominfo domsuspend hellolibvirt openauth xml/nwfilter systemtap
for i in object-events dominfo domsuspend hellolibvirt openauth xml/nwfilter systemtap domtop
do
(cd examples/$i ; make clean ; rm -rf .deps .libs Makefile Makefile.in)
done
@ -1769,6 +1748,7 @@ fi
%{_datadir}/libvirt/schemas/basictypes.rng
%{_datadir}/libvirt/schemas/capability.rng
%{_datadir}/libvirt/schemas/domain.rng
%{_datadir}/libvirt/schemas/domaincaps.rng
%{_datadir}/libvirt/schemas/domaincommon.rng
%{_datadir}/libvirt/schemas/domainsnapshot.rng
%{_datadir}/libvirt/schemas/interface.rng
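Review bot: The removal of `Patch2: 9265f8ab-apparmor-lxc-rework.patch` and its `%patch2 -p1` line is not recorded in the commit message or in the new libvirt.changes entry, which instead list dba3432b-virt-lxc-convert-fix.patch twice. The duplicate looks like a copy-paste slip; replacing the second occurrence with `9265f8ab-apparmor-lxc-rework.patch` would make the changelog match the patches this section actually drops. The other removed entries (Patch0, Patch1, Patch102 and Patch150 through Patch155) do agree with the list.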


@ -1,7 +1,7 @@
Index: libvirt-1.2.6/daemon/libvirtd.conf
Index: libvirt-1.2.7/daemon/libvirtd.conf
===================================================================
--- libvirt-1.2.6.orig/daemon/libvirtd.conf
+++ libvirt-1.2.6/daemon/libvirtd.conf
--- libvirt-1.2.7.orig/daemon/libvirtd.conf
+++ libvirt-1.2.7/daemon/libvirtd.conf
@@ -18,8 +18,8 @@
# It is necessary to setup a CA and issue server certificates before
# using this capability.
@ -13,10 +13,10 @@ Index: libvirt-1.2.6/daemon/libvirtd.conf
# Listen for unencrypted TCP connections on the public TCP/IP port.
# NB, must pass the --listen flag to the libvirtd process for this to
Index: libvirt-1.2.6/daemon/libvirtd-config.c
Index: libvirt-1.2.7/daemon/libvirtd-config.c
===================================================================
--- libvirt-1.2.6.orig/daemon/libvirtd-config.c
+++ libvirt-1.2.6/daemon/libvirtd-config.c
--- libvirt-1.2.7.orig/daemon/libvirtd-config.c
+++ libvirt-1.2.7/daemon/libvirtd-config.c
@@ -229,7 +229,7 @@ daemonConfigNew(bool privileged ATTRIBUT
if (VIR_ALLOC(data) < 0)
return NULL;
@ -26,10 +26,10 @@ Index: libvirt-1.2.6/daemon/libvirtd-config.c
data->listen_tcp = 0;
if (VIR_STRDUP(data->tls_port, LIBVIRTD_TLS_PORT) < 0 ||
Index: libvirt-1.2.6/daemon/test_libvirtd.aug.in
Index: libvirt-1.2.7/daemon/test_libvirtd.aug.in
===================================================================
--- libvirt-1.2.6.orig/daemon/test_libvirtd.aug.in
+++ libvirt-1.2.6/daemon/test_libvirtd.aug.in
--- libvirt-1.2.7.orig/daemon/test_libvirtd.aug.in
+++ libvirt-1.2.7/daemon/test_libvirtd.aug.in
@@ -2,7 +2,7 @@ module Test_libvirtd =
::CONFIG::


@ -1,9 +1,9 @@
Adjust libvirtd sysconfig file to conform to SUSE standards
Index: libvirt-1.2.6/daemon/libvirtd.sysconf
Index: libvirt-1.2.7/daemon/libvirtd.sysconf
===================================================================
--- libvirt-1.2.6.orig/daemon/libvirtd.sysconf
+++ libvirt-1.2.6/daemon/libvirtd.sysconf
--- libvirt-1.2.7.orig/daemon/libvirtd.sysconf
+++ libvirt-1.2.7/daemon/libvirtd.sysconf
@@ -1,16 +1,25 @@
+## Path: System/Virtualization/libvirt
+


@ -1,220 +0,0 @@
From f199dbab24896c31c90a3291c4779daccef949ed Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?C=C3=A9dric=20Bosdonnat?= <cbosdonnat@suse.com>
Date: Wed, 11 Jun 2014 16:43:45 +0200
Subject: [PATCH 2/3] lxc domain from xml: convert lxc.cap.drop
---
src/lxc/lxc_native.c | 25 ++++++++++++++++++++++
tests/lxcconf2xmldata/lxcconf2xml-blkiotune.xml | 2 ++
tests/lxcconf2xmldata/lxcconf2xml-cpusettune.xml | 2 ++
tests/lxcconf2xmldata/lxcconf2xml-cputune.xml | 2 ++
tests/lxcconf2xmldata/lxcconf2xml-idmap.xml | 2 ++
.../lxcconf2xmldata/lxcconf2xml-macvlannetwork.xml | 4 ++++
tests/lxcconf2xmldata/lxcconf2xml-memtune.xml | 2 ++
tests/lxcconf2xmldata/lxcconf2xml-nonenetwork.xml | 4 ++++
tests/lxcconf2xmldata/lxcconf2xml-nonetwork.xml | 2 ++
tests/lxcconf2xmldata/lxcconf2xml-physnetwork.xml | 4 ++++
tests/lxcconf2xmldata/lxcconf2xml-simple.xml | 8 +++++++
tests/lxcconf2xmldata/lxcconf2xml-vlannetwork.xml | 4 ++++
12 files changed, 61 insertions(+)
Index: libvirt-1.2.6/src/lxc/lxc_native.c
===================================================================
--- libvirt-1.2.6.orig/src/lxc/lxc_native.c
+++ libvirt-1.2.6/src/lxc/lxc_native.c
@@ -838,6 +838,28 @@ lxcSetBlkioTune(virDomainDefPtr def, vir
return 0;
}
+static void
+lxcSetCapDrop(virDomainDefPtr def, virConfPtr properties)
+{
+ virConfValuePtr value;
+ char **toDrop = NULL;
+ const char *capString;
+ size_t i;
+
+ if ((value = virConfGetValue(properties, "lxc.cap.drop")) && value->str)
+ toDrop = virStringSplit(value->str, " ", 0);
+
+ for (i = 0; i < VIR_DOMAIN_CAPS_FEATURE_LAST; i++) {
+ capString = virDomainCapsFeatureTypeToString(i);
+ if (toDrop != NULL && virStringArrayHasString(toDrop, capString))
+ def->caps_features[i] = VIR_DOMAIN_FEATURE_STATE_OFF;
+ }
+
+ def->features[VIR_DOMAIN_FEATURE_CAPABILITIES] = VIR_DOMAIN_CAPABILITIES_POLICY_ALLOW;
+
+ virStringFreeList(toDrop);
+}
+
virDomainDefPtr
lxcParseConfigString(const char *config)
{
@@ -935,6 +957,9 @@ lxcParseConfigString(const char *config)
if (lxcSetBlkioTune(vmdef, properties) < 0)
goto error;
+ /* lxc.cap.drop */
+ lxcSetCapDrop(vmdef, properties);
+
goto cleanup;
error:
Index: libvirt-1.2.6/tests/lxcconf2xmldata/lxcconf2xml-blkiotune.xml
===================================================================
--- libvirt-1.2.6.orig/tests/lxcconf2xmldata/lxcconf2xml-blkiotune.xml
+++ libvirt-1.2.6/tests/lxcconf2xmldata/lxcconf2xml-blkiotune.xml
@@ -25,6 +25,8 @@
</os>
<features>
<privnet/>
+ <capabilities policy='allow'>
+ </capabilities>
</features>
<clock offset='utc'/>
<on_poweroff>destroy</on_poweroff>
Index: libvirt-1.2.6/tests/lxcconf2xmldata/lxcconf2xml-cpusettune.xml
===================================================================
--- libvirt-1.2.6.orig/tests/lxcconf2xmldata/lxcconf2xml-cpusettune.xml
+++ libvirt-1.2.6/tests/lxcconf2xmldata/lxcconf2xml-cpusettune.xml
@@ -13,6 +13,8 @@
</os>
<features>
<privnet/>
+ <capabilities policy='allow'>
+ </capabilities>
</features>
<clock offset='utc'/>
<on_poweroff>destroy</on_poweroff>
Index: libvirt-1.2.6/tests/lxcconf2xmldata/lxcconf2xml-cputune.xml
===================================================================
--- libvirt-1.2.6.orig/tests/lxcconf2xmldata/lxcconf2xml-cputune.xml
+++ libvirt-1.2.6/tests/lxcconf2xmldata/lxcconf2xml-cputune.xml
@@ -15,6 +15,8 @@
</os>
<features>
<privnet/>
+ <capabilities policy='allow'>
+ </capabilities>
</features>
<clock offset='utc'/>
<on_poweroff>destroy</on_poweroff>
Index: libvirt-1.2.6/tests/lxcconf2xmldata/lxcconf2xml-idmap.xml
===================================================================
--- libvirt-1.2.6.orig/tests/lxcconf2xmldata/lxcconf2xml-idmap.xml
+++ libvirt-1.2.6/tests/lxcconf2xmldata/lxcconf2xml-idmap.xml
@@ -14,6 +14,8 @@
</idmap>
<features>
<privnet/>
+ <capabilities policy='allow'>
+ </capabilities>
</features>
<clock offset='utc'/>
<on_poweroff>destroy</on_poweroff>
Index: libvirt-1.2.6/tests/lxcconf2xmldata/lxcconf2xml-macvlannetwork.xml
===================================================================
--- libvirt-1.2.6.orig/tests/lxcconf2xmldata/lxcconf2xml-macvlannetwork.xml
+++ libvirt-1.2.6/tests/lxcconf2xmldata/lxcconf2xml-macvlannetwork.xml
@@ -8,6 +8,10 @@
<type>exe</type>
<init>/sbin/init</init>
</os>
+ <features>
+ <capabilities policy='allow'>
+ </capabilities>
+ </features>
<clock offset='utc'/>
<on_poweroff>destroy</on_poweroff>
<on_reboot>restart</on_reboot>
Index: libvirt-1.2.6/tests/lxcconf2xmldata/lxcconf2xml-memtune.xml
===================================================================
--- libvirt-1.2.6.orig/tests/lxcconf2xmldata/lxcconf2xml-memtune.xml
+++ libvirt-1.2.6/tests/lxcconf2xmldata/lxcconf2xml-memtune.xml
@@ -15,6 +15,8 @@
</os>
<features>
<privnet/>
+ <capabilities policy='allow'>
+ </capabilities>
</features>
<clock offset='utc'/>
<on_poweroff>destroy</on_poweroff>
Index: libvirt-1.2.6/tests/lxcconf2xmldata/lxcconf2xml-nonenetwork.xml
===================================================================
--- libvirt-1.2.6.orig/tests/lxcconf2xmldata/lxcconf2xml-nonenetwork.xml
+++ libvirt-1.2.6/tests/lxcconf2xmldata/lxcconf2xml-nonenetwork.xml
@@ -8,6 +8,10 @@
<type>exe</type>
<init>/sbin/init</init>
</os>
+ <features>
+ <capabilities policy='allow'>
+ </capabilities>
+ </features>
<clock offset='utc'/>
<on_poweroff>destroy</on_poweroff>
<on_reboot>restart</on_reboot>
Index: libvirt-1.2.6/tests/lxcconf2xmldata/lxcconf2xml-nonetwork.xml
===================================================================
--- libvirt-1.2.6.orig/tests/lxcconf2xmldata/lxcconf2xml-nonetwork.xml
+++ libvirt-1.2.6/tests/lxcconf2xmldata/lxcconf2xml-nonetwork.xml
@@ -10,6 +10,8 @@
</os>
<features>
<privnet/>
+ <capabilities policy='allow'>
+ </capabilities>
</features>
<clock offset='utc'/>
<on_poweroff>destroy</on_poweroff>
Index: libvirt-1.2.6/tests/lxcconf2xmldata/lxcconf2xml-physnetwork.xml
===================================================================
--- libvirt-1.2.6.orig/tests/lxcconf2xmldata/lxcconf2xml-physnetwork.xml
+++ libvirt-1.2.6/tests/lxcconf2xmldata/lxcconf2xml-physnetwork.xml
@@ -8,6 +8,10 @@
<type>exe</type>
<init>/sbin/init</init>
</os>
+ <features>
+ <capabilities policy='allow'>
+ </capabilities>
+ </features>
<clock offset='utc'/>
<on_poweroff>destroy</on_poweroff>
<on_reboot>restart</on_reboot>
Index: libvirt-1.2.6/tests/lxcconf2xmldata/lxcconf2xml-simple.xml
===================================================================
--- libvirt-1.2.6.orig/tests/lxcconf2xmldata/lxcconf2xml-simple.xml
+++ libvirt-1.2.6/tests/lxcconf2xmldata/lxcconf2xml-simple.xml
@@ -8,6 +8,14 @@
<type arch='i686'>exe</type>
<init>/sbin/init</init>
</os>
+ <features>
+ <capabilities policy='allow'>
+ <mac_admin state='off'/>
+ <mac_override state='off'/>
+ <mknod state='off'/>
+ <sys_module state='off'/>
+ </capabilities>
+ </features>
<clock offset='utc'/>
<on_poweroff>destroy</on_poweroff>
<on_reboot>restart</on_reboot>
Index: libvirt-1.2.6/tests/lxcconf2xmldata/lxcconf2xml-vlannetwork.xml
===================================================================
--- libvirt-1.2.6.orig/tests/lxcconf2xmldata/lxcconf2xml-vlannetwork.xml
+++ libvirt-1.2.6/tests/lxcconf2xmldata/lxcconf2xml-vlannetwork.xml
@@ -8,6 +8,10 @@
<type>exe</type>
<init>/sbin/init</init>
</os>
+ <features>
+ <capabilities policy='allow'>
+ </capabilities>
+ </features>
<clock offset='utc'/>
<on_poweroff>destroy</on_poweroff>
<on_reboot>restart</on_reboot>


@ -1,68 +0,0 @@
From b6f1f5a3be5b2643b255882effdca2e903d9d738 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?C=C3=A9dric=20Bosdonnat?= <cbosdonnat@suse.com>
Date: Wed, 11 Jun 2014 17:01:11 +0200
Subject: [PATCH 3/3] lxc: update doc to mention features/capabilities/* domain
configuration
---
docs/drvlxc.html.in | 47 +++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 47 insertions(+)
Index: libvirt-1.2.6/docs/drvlxc.html.in
===================================================================
--- libvirt-1.2.6.orig/docs/drvlxc.html.in
+++ libvirt-1.2.6/docs/drvlxc.html.in
@@ -540,6 +540,53 @@ debootstrap, whatever) under /opt/vm-1-r
&lt;/domain&gt;
</pre>
+<h2><a name="capabilities">Altering the available capabilities</a></h2>
+
+<p>
+By default the libvirt LXC driver drops some capabilities among which CAP_MKNOD.
+However <span class="since">since 1.2.6</span> libvirt can be told to keep or
+drop some capabilities using a domain configuration like the following:
+</p>
+<pre>
+...
+&lt;features&gt;
+ &lt;capabilities policy='default'&gt;
+ &lt;mknod state='on'/&gt;
+ &lt;sys_chroot state='off'/&gt;
+ &lt;/capabilities&gt;
+&lt;/features&gt;
+...
+</pre>
+<p>
+The capabilities children elements are named after the capabilities as defined in
+<code>man 7 capabilities</code>. An <code>off</code> state tells libvirt to drop the
+capability, while an <code>on</code> state will force to keep the capability even though
+this one is dropped by default.
+</p>
+<p>
+The <code>policy</code> attribute can be one of <code>default</code>, <code>allow</code>
+or <code>deny</code>. It defines the default rules for capabilities: either keep the
+default behavior that is dropping a few selected capabilities, or keep all capabilities
+or drop all capabilities. The interest of <code>allow</code> and <code>deny</code> is that
+they guarantee that all capabilities will be kept (or removed) even if new ones are added
+later.
+</p>
+<p>
+The following example, drops all capabilities but CAP_MKNOD:
+</p>
+<pre>
+...
+&lt;features&gt;
+ &lt;capabilities policy='deny'&gt;
+ &lt;mknod state='on'/&gt;
+ &lt;/capabilities&gt;
+&lt;/features&gt;
+...
+</pre>
+<p>
+Note that allowing capabilities that are normally dropped by default can seriously
+affect the security of the container and the host.
+</p>
<h2><a name="usage">Container usage / management</a></h2>


@ -1,980 +0,0 @@
From 370ed9b2535b11acaa776fbb4fc6dcb8671c2c88 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?C=C3=A9dric=20Bosdonnat?= <cbosdonnat@suse.com>
Date: Wed, 11 Jun 2014 15:03:58 +0200
Subject: [PATCH 1/3] lxc: allow to keep or drop capabilities
Added <capabilities> in the <features> section of LXC domains
configuration. This section can contain elements named after the
capabilities like:
<mknod state="on"/>, keep CAP_MKNOD capability
<sys_chroot state="off"/> drop CAP_SYS_CHROOT capability
Users can restrict or give more capabilities than the default using
this mechanism.
---
docs/schemas/domaincommon.rng | 207 ++++++++++++++++++++++++
src/conf/domain_conf.c | 126 ++++++++++++++-
src/conf/domain_conf.h | 56 +++++++
src/libvirt_private.syms | 3 +
src/lxc/lxc_cgroup.c | 8 +
src/lxc/lxc_container.c | 123 ++++++++++++--
src/util/vircgroup.c | 74 ++++++++-
src/util/vircgroup.h | 2 +
tests/domainschemadata/domain-caps-features.xml | 28 ++++
9 files changed, 602 insertions(+), 25 deletions(-)
create mode 100644 tests/domainschemadata/domain-caps-features.xml
Index: libvirt-1.2.6/docs/schemas/domaincommon.rng
===================================================================
--- libvirt-1.2.6.orig/docs/schemas/domaincommon.rng
+++ libvirt-1.2.6/docs/schemas/domaincommon.rng
@@ -3744,6 +3744,9 @@
<empty/>
</element>
</optional>
+ <optional>
+ <ref name="capabilities"/>
+ </optional>
</interleave>
</element>
</optional>
@@ -4311,6 +4314,200 @@
</element>
</define>
+ <!-- Optional capabilities features -->
+ <define name="capabilities">
+ <element name="capabilities">
+ <ref name="capabilitiespolicy"/>
+ <interleave>
+ <optional>
+ <element name="audit_control">
+ <ref name="featurestate"/>
+ </element>
+ </optional>
+ <optional>
+ <element name="audit_write">
+ <ref name="featurestate"/>
+ </element>
+ </optional>
+ <optional>
+ <element name="block_suspend">
+ <ref name="featurestate"/>
+ </element>
+ </optional>
+ <optional>
+ <element name="chown">
+ <ref name="featurestate"/>
+ </element>
+ </optional>
+ <optional>
+ <element name="dac_override">
+ <ref name="featurestate"/>
+ </element>
+ </optional>
+ <optional>
+ <element name="dac_read_search">
+ <ref name="featurestate"/>
+ </element>
+ </optional>
+ <optional>
+ <element name="fowner">
+ <ref name="featurestate"/>
+ </element>
+ </optional>
+ <optional>
+ <element name="fsetid">
+ <ref name="featurestate"/>
+ </element>
+ </optional>
+ <optional>
+ <element name="ipc_lock">
+ <ref name="featurestate"/>
+ </element>
+ </optional>
+ <optional>
+ <element name="ipc_owner">
+ <ref name="featurestate"/>
+ </element>
+ </optional>
+ <optional>
+ <element name="kill">
+ <ref name="featurestate"/>
+ </element>
+ </optional>
+ <optional>
+ <element name="lease">
+ <ref name="featurestate"/>
+ </element>
+ </optional>
+ <optional>
+ <element name="linux_immutable">
+ <ref name="featurestate"/>
+ </element>
+ </optional>
+ <optional>
+ <element name="mac_admin">
+ <ref name="featurestate"/>
+ </element>
+ </optional>
+ <optional>
+ <element name="mac_override">
+ <ref name="featurestate"/>
+ </element>
+ </optional>
+ <optional>
+ <element name="mknod">
+ <ref name="featurestate"/>
+ </element>
+ </optional>
+ <optional>
+ <element name="net_admin">
+ <ref name="featurestate"/>
+ </element>
+ </optional>
+ <optional>
+ <element name="net_bind_service">
+ <ref name="featurestate"/>
+ </element>
+ </optional>
+ <optional>
+ <element name="net_broadcast">
+ <ref name="featurestate"/>
+ </element>
+ </optional>
+ <optional>
+ <element name="net_raw">
+ <ref name="featurestate"/>
+ </element>
+ </optional>
+ <optional>
+ <element name="setgid">
+ <ref name="featurestate"/>
+ </element>
+ </optional>
+ <optional>
+ <element name="setfcap">
+ <ref name="featurestate"/>
+ </element>
+ </optional>
+ <optional>
+ <element name="setpcap">
+ <ref name="featurestate"/>
+ </element>
+ </optional>
+ <optional>
+ <element name="setuid">
+ <ref name="featurestate"/>
+ </element>
+ </optional>
+ <optional>
+ <element name="sys_admin">
+ <ref name="featurestate"/>
+ </element>
+ </optional>
+ <optional>
+ <element name="sys_boot">
+ <ref name="featurestate"/>
+ </element>
+ </optional>
+ <optional>
+ <element name="sys_chroot">
+ <ref name="featurestate"/>
+ </element>
+ </optional>
+ <optional>
+ <element name="sys_module">
+ <ref name="featurestate"/>
+ </element>
+ </optional>
+ <optional>
+ <element name="sys_nice">
+ <ref name="featurestate"/>
+ </element>
+ </optional>
+ <optional>
+ <element name="sys_pacct">
+ <ref name="featurestate"/>
+ </element>
+ </optional>
+ <optional>
+ <element name="sys_ptrace">
+ <ref name="featurestate"/>
+ </element>
+ </optional>
+ <optional>
+ <element name="sys_rawio">
+ <ref name="featurestate"/>
+ </element>
+ </optional>
+ <optional>
+ <element name="sys_resource">
+ <ref name="featurestate"/>
+ </element>
+ </optional>
+ <optional>
+ <element name="sys_time">
+ <ref name="featurestate"/>
+ </element>
+ </optional>
+ <optional>
+ <element name="sys_tty_config">
+ <ref name="featurestate"/>
+ </element>
+ </optional>
+ <optional>
+ <element name="syslog">
+ <ref name="featurestate"/>
+ </element>
+ </optional>
+ <optional>
+ <element name="wake_alarm">
+ <ref name="featurestate"/>
+ </element>
+ </optional>
+ </interleave>
+ </element>
+ </define>
+
<define name="featurestate">
<attribute name="state">
<choice>
@@ -4319,6 +4516,16 @@
</choice>
</attribute>
</define>
+
+ <define name="capabilitiespolicy">
+ <attribute name="policy">
+ <choice>
+ <value>default</value>
+ <value>allow</value>
+ <value>deny</value>
+ </choice>
+ </attribute>
+ </define>
<!--
Optional hypervisor extensions in their own namespace:
Index: libvirt-1.2.6/src/conf/domain_conf.c
===================================================================
--- libvirt-1.2.6.orig/src/conf/domain_conf.c
+++ libvirt-1.2.6/src/conf/domain_conf.c
@@ -147,18 +147,63 @@ VIR_ENUM_IMPL(virDomainFeature, VIR_DOMA
"viridian",
"privnet",
"hyperv",
- "pvspinlock")
+ "pvspinlock",
+ "capabilities")
VIR_ENUM_IMPL(virDomainFeatureState, VIR_DOMAIN_FEATURE_STATE_LAST,
"default",
"on",
"off")
+VIR_ENUM_IMPL(virDomainCapabilitiesPolicy, VIR_DOMAIN_CAPABILITIES_POLICY_LAST,
+ "default",
+ "allow",
+ "deny")
+
VIR_ENUM_IMPL(virDomainHyperv, VIR_DOMAIN_HYPERV_LAST,
"relaxed",
"vapic",
"spinlocks")
+VIR_ENUM_IMPL(virDomainCapsFeature, VIR_DOMAIN_CAPS_FEATURE_LAST,
+ "audit_control",
+ "audit_write",
+ "block_suspend",
+ "chown",
+ "dac_override",
+ "dac_read_search",
+ "fowner",
+ "fsetid",
+ "ipc_lock",
+ "ipc_owner",
+ "kill",
+ "lease",
+ "linux_immutable",
+ "mac_admin",
+ "mac_override",
+ "mknod",
+ "net_admin",
+ "net_bind_service",
+ "net_broadcast",
+ "net_raw",
+ "setgid",
+ "setfcap",
+ "setpcap",
+ "setuid",
+ "sys_admin",
+ "sys_boot",
+ "sys_chroot",
+ "sys_module",
+ "sys_nice",
+ "sys_pacct",
+ "sys_ptrace",
+ "sys_rawio",
+ "sys_resource",
+ "sys_time",
+ "sys_tty_config",
+ "syslog",
+ "wake_alarm")
+
VIR_ENUM_IMPL(virDomainLifecycle, VIR_DOMAIN_LIFECYCLE_LAST,
"destroy",
"restart",
@@ -11879,6 +11924,22 @@ virDomainDefParseXML(xmlDocPtr xml,
def->features[val] = VIR_DOMAIN_FEATURE_STATE_ON;
break;
+ case VIR_DOMAIN_FEATURE_CAPABILITIES:
+ node = ctxt->node;
+ ctxt->node = nodes[i];
+ if ((tmp = virXPathString("string(./@policy)", ctxt))) {
+ if ((def->features[val] = virDomainCapabilitiesPolicyTypeFromString(tmp)) == -1) {
+ virReportError(VIR_ERR_CONFIG_UNSUPPORTED,
+ _("unknown state attribute '%s' of feature '%s'"),
+ tmp, virDomainFeatureTypeToString(val));
+ goto error;
+ }
+ VIR_FREE(tmp);
+ } else {
+ def->features[val] = VIR_DOMAIN_FEATURE_STATE_DEFAULT;
+ }
+ ctxt->node = node;
+ break;
case VIR_DOMAIN_FEATURE_PVSPINLOCK:
node = ctxt->node;
ctxt->node = nodes[i];
@@ -11987,6 +12048,37 @@ virDomainDefParseXML(xmlDocPtr xml,
ctxt->node = node;
}
+ if ((n = virXPathNodeSet("./features/capabilities/*", ctxt, &nodes)) < 0)
+ goto error;
+
+ for (i = 0; i < n; i++) {
+ int val = virDomainCapsFeatureTypeFromString((const char *)nodes[i]->name);
+ if (val < 0) {
+ virReportError(VIR_ERR_CONFIG_UNSUPPORTED,
+ _("unexpected capability feature '%s'"), nodes[i]->name);
+ goto error;
+ }
+
+ if (val >= 0 && val < VIR_DOMAIN_CAPS_FEATURE_LAST) {
+ node = ctxt->node;
+ ctxt->node = nodes[i];
+
+ if ((tmp = virXPathString("string(./@state)", ctxt))) {
+ if ((def->caps_features[val] = virDomainFeatureStateTypeFromString(tmp)) == -1) {
+ virReportError(VIR_ERR_CONFIG_UNSUPPORTED,
+ _("unknown state attribute '%s' of feature capability '%s'"),
+ tmp, virDomainFeatureTypeToString(val));
+ goto error;
+ }
+ VIR_FREE(tmp);
+ } else {
+ def->caps_features[val] = VIR_DOMAIN_FEATURE_STATE_ON;
+ }
+ ctxt->node = node;
+ }
+ }
+ VIR_FREE(nodes);
+
if (virDomainEventActionParseXML(ctxt, "on_reboot",
"string(./on_reboot[1])",
&def->onReboot,
@@ -17184,6 +17276,19 @@ verify(((VIR_DOMAIN_XML_INTERNAL_STATUS
VIR_DOMAIN_XML_INTERNAL_CLOCK_ADJUST)
& DUMPXML_FLAGS) == 0);
+static bool
+virDomainDefHasCapabilitiesFeatures(virDomainDefPtr def)
+{
+ size_t i;
+
+ for (i = 0; i < VIR_DOMAIN_CAPS_FEATURE_LAST; i++) {
+ if (def->caps_features[i] != VIR_DOMAIN_FEATURE_STATE_DEFAULT)
+ return true;
+ }
+
+ return false;
+}
+
/* This internal version can accept VIR_DOMAIN_XML_INTERNAL_*,
* whereas the public version cannot. Also, it appends to an existing
* buffer (possibly with auto-indent), rather than flattening to string.
@@ -17703,6 +17808,25 @@ virDomainDefFormatInternal(virDomainDefP
virBufferAddLit(buf, "</hyperv>\n");
break;
+ case VIR_DOMAIN_FEATURE_CAPABILITIES:
+ if (def->features[i] == VIR_DOMAIN_CAPABILITIES_POLICY_DEFAULT &&
+ !virDomainDefHasCapabilitiesFeatures(def))
+ break;
+
+ virBufferAsprintf(buf, "<capabilities policy='%s'>\n",
+ virDomainCapabilitiesPolicyTypeToString(def->features[i]));
+ virBufferAdjustIndent(buf, 2);
+ for (j = 0; j < VIR_DOMAIN_CAPS_FEATURE_LAST; j++) {
+ if (def->caps_features[j] != VIR_DOMAIN_FEATURE_STATE_DEFAULT)
+ virBufferAsprintf(buf, "<%s state='%s'/>\n",
+ virDomainCapsFeatureTypeToString(j),
+ virDomainFeatureStateTypeToString(
+ def->caps_features[j]));
+ }
+ virBufferAdjustIndent(buf, -2);
+ virBufferAddLit(buf, "</capabilities>\n");
+ break;
+
case VIR_DOMAIN_FEATURE_LAST:
break;
}
Index: libvirt-1.2.6/src/conf/domain_conf.h
===================================================================
--- libvirt-1.2.6.orig/src/conf/domain_conf.h
+++ libvirt-1.2.6/src/conf/domain_conf.h
@@ -1528,6 +1528,7 @@ typedef enum {
VIR_DOMAIN_FEATURE_PRIVNET,
VIR_DOMAIN_FEATURE_HYPERV,
VIR_DOMAIN_FEATURE_PVSPINLOCK,
+ VIR_DOMAIN_FEATURE_CAPABILITIES,
VIR_DOMAIN_FEATURE_LAST
} virDomainFeature;
@@ -1549,6 +1550,56 @@ typedef enum {
} virDomainHyperv;
typedef enum {
+ VIR_DOMAIN_CAPABILITIES_POLICY_DEFAULT = 0,
+ VIR_DOMAIN_CAPABILITIES_POLICY_ALLOW,
+ VIR_DOMAIN_CAPABILITIES_POLICY_DENY,
+
+ VIR_DOMAIN_CAPABILITIES_POLICY_LAST
+ } virDomainCapabilitiesPolicy;
+
+ /* The capabilities are ordered alphabetically to help check for new ones */
+ typedef enum {
+ VIR_DOMAIN_CAPS_FEATURE_AUDIT_CONTROL = 0,
+ VIR_DOMAIN_CAPS_FEATURE_AUDIT_WRITE,
+ VIR_DOMAIN_CAPS_FEATURE_BLOCK_SUSPEND,
+ VIR_DOMAIN_CAPS_FEATURE_CHOWN,
+ VIR_DOMAIN_CAPS_FEATURE_DAC_OVERRIDE,
+ VIR_DOMAIN_CAPS_FEATURE_DAC_READ_SEARCH,
+ VIR_DOMAIN_CAPS_FEATURE_FOWNER,
+ VIR_DOMAIN_CAPS_FEATURE_FSETID,
+ VIR_DOMAIN_CAPS_FEATURE_IPC_LOCK,
+ VIR_DOMAIN_CAPS_FEATURE_IPC_OWNER,
+ VIR_DOMAIN_CAPS_FEATURE_KILL,
+ VIR_DOMAIN_CAPS_FEATURE_LEASE,
+ VIR_DOMAIN_CAPS_FEATURE_LINUX_IMMUTABLE,
+ VIR_DOMAIN_CAPS_FEATURE_MAC_ADMIN,
+ VIR_DOMAIN_CAPS_FEATURE_MAC_OVERRIDE,
+ VIR_DOMAIN_CAPS_FEATURE_MKNOD,
+ VIR_DOMAIN_CAPS_FEATURE_NET_ADMIN,
+ VIR_DOMAIN_CAPS_FEATURE_NET_BIND_SERVICE,
+ VIR_DOMAIN_CAPS_FEATURE_NET_BROADCAST,
+ VIR_DOMAIN_CAPS_FEATURE_NET_RAW,
+ VIR_DOMAIN_CAPS_FEATURE_SETGID,
+ VIR_DOMAIN_CAPS_FEATURE_SETFCAP,
+ VIR_DOMAIN_CAPS_FEATURE_SETPCAP,
+ VIR_DOMAIN_CAPS_FEATURE_SETUID,
+ VIR_DOMAIN_CAPS_FEATURE_SYS_ADMIN,
+ VIR_DOMAIN_CAPS_FEATURE_SYS_BOOT,
+ VIR_DOMAIN_CAPS_FEATURE_SYS_CHROOT,
+ VIR_DOMAIN_CAPS_FEATURE_SYS_MODULE,
+ VIR_DOMAIN_CAPS_FEATURE_SYS_NICE,
+ VIR_DOMAIN_CAPS_FEATURE_SYS_PACCT,
+ VIR_DOMAIN_CAPS_FEATURE_SYS_PTRACE,
+ VIR_DOMAIN_CAPS_FEATURE_SYS_RAWIO,
+ VIR_DOMAIN_CAPS_FEATURE_SYS_RESOURCE,
+ VIR_DOMAIN_CAPS_FEATURE_SYS_TIME,
+ VIR_DOMAIN_CAPS_FEATURE_SYS_TTY_CONFIG,
+ VIR_DOMAIN_CAPS_FEATURE_SYSLOG,
+ VIR_DOMAIN_CAPS_FEATURE_WAKE_ALARM,
+ VIR_DOMAIN_CAPS_FEATURE_LAST
+ } virDomainCapsFeature;
+
+typedef enum {
VIR_DOMAIN_LIFECYCLE_DESTROY,
VIR_DOMAIN_LIFECYCLE_RESTART,
VIR_DOMAIN_LIFECYCLE_RESTART_RENAME,
@@ -1917,6 +1968,9 @@ struct _virDomainDef {
int hyperv_features[VIR_DOMAIN_HYPERV_LAST];
unsigned int hyperv_spinlocks;
+ /* This options are of type virDomainFeatureState: ON = keep, OFF = drop */
+ int caps_features[VIR_DOMAIN_CAPS_FEATURE_LAST];
+
virDomainClockDef clock;
size_t ngraphics;
@@ -2534,6 +2588,8 @@ VIR_ENUM_DECL(virDomainBoot)
VIR_ENUM_DECL(virDomainBootMenu)
VIR_ENUM_DECL(virDomainFeature)
VIR_ENUM_DECL(virDomainFeatureState)
+VIR_ENUM_DECL(virDomainCapabilitiesPolicy)
+VIR_ENUM_DECL(virDomainCapsFeature)
VIR_ENUM_DECL(virDomainLifecycle)
VIR_ENUM_DECL(virDomainLifecycleCrash)
VIR_ENUM_DECL(virDomainPMState)
Index: libvirt-1.2.6/src/libvirt_private.syms
===================================================================
--- libvirt-1.2.6.orig/src/libvirt_private.syms
+++ libvirt-1.2.6/src/libvirt_private.syms
@@ -139,6 +139,8 @@ virDomainBlockedReasonTypeFromString;
virDomainBlockedReasonTypeToString;
virDomainBootMenuTypeFromString;
virDomainBootMenuTypeToString;
+virDomainCapabilitiesPolicyTypeToString;
+virDomainCapsFeatureTypeToString;
virDomainChrConsoleTargetTypeFromString;
virDomainChrConsoleTargetTypeToString;
virDomainChrDefForeach;
@@ -1027,6 +1029,7 @@ virBufferVasprintf;
# util/vircgroup.h
virCgroupAddTask;
virCgroupAddTaskController;
+virCgroupAllowAllDevices;
virCgroupAllowDevice;
virCgroupAllowDeviceMajor;
virCgroupAllowDevicePath;
Index: libvirt-1.2.6/src/lxc/lxc_cgroup.c
===================================================================
--- libvirt-1.2.6.orig/src/lxc/lxc_cgroup.c
+++ libvirt-1.2.6/src/lxc/lxc_cgroup.c
@@ -363,6 +363,14 @@ static int virLXCCgroupSetupDeviceACL(vi
if (virCgroupDenyAllDevices(cgroup) < 0)
goto cleanup;
+ /* white list mknod if CAP_MKNOD has to be kept */
+ int capMknod = def->caps_features[VIR_DOMAIN_CAPS_FEATURE_MKNOD];
+ if (capMknod == VIR_DOMAIN_FEATURE_STATE_ON) {
+ if (virCgroupAllowAllDevices(cgroup,
+ VIR_CGROUP_DEVICE_MKNOD) < 0)
+ goto cleanup;
+ }
+
for (i = 0; devices[i].type != 0; i++) {
virLXCCgroupDevicePolicyPtr dev = &devices[i];
if (virCgroupAllowDevice(cgroup,
Index: libvirt-1.2.6/src/lxc/lxc_container.c
===================================================================
--- libvirt-1.2.6.orig/src/lxc/lxc_container.c
+++ libvirt-1.2.6/src/lxc/lxc_container.c
@@ -1732,25 +1732,232 @@ static int lxcContainerResolveSymlinks(v
* host system, since they are not currently "containerized"
*/
#if WITH_CAPNG
-static int lxcContainerDropCapabilities(bool keepReboot)
+
+# ifndef CAP_AUDIT_CONTROL
+# define CAP_AUDIT_CONTROL -1
+# endif
+# ifndef CAP_AUDIT_WRITE
+# define CAP_AUDIT_WRITE -1
+# endif
+# ifndef CAP_BLOCK_SUSPEND
+# define CAP_BLOCK_SUSPEND -1
+# endif
+# ifndef CAP_CHOWN
+# define CAP_CHOWN -1
+# endif
+# ifndef CAP_DAC_OVERRIDE
+# define CAP_DAC_OVERRIDE -1
+# endif
+# ifndef CAP_DAC_READ_SEARCH
+# define CAP_DAC_READ_SEARCH -1
+# endif
+# ifndef CAP_FOWNER
+# define CAP_FOWNER -1
+# endif
+# ifndef CAP_FSETID
+# define CAP_FSETID -1
+# endif
+# ifndef CAP_IPC_LOCK
+# define CAP_IPC_LOCK -1
+# endif
+# ifndef CAP_IPC_OWNER
+# define CAP_IPC_OWNER -1
+# endif
+# ifndef CAP_KILL
+# define CAP_KILL -1
+# endif
+# ifndef CAP_LEASE
+# define CAP_LEASE -1
+# endif
+# ifndef CAP_LINUX_IMMUTABLE
+# define CAP_LINUX_IMMUTABLE -1
+# endif
+# ifndef CAP_MAC_ADMIN
+# define CAP_MAC_ADMIN -1
+# endif
+# ifndef CAP_MAC_OVERRIDE
+# define CAP_MAC_OVERRIDE -1
+# endif
+# ifndef CAP_MKNOD
+# define CAP_MKNOD -1
+# endif
+# ifndef CAP_NET_ADMIN
+# define CAP_NET_ADMIN -1
+# endif
+# ifndef CAP_NET_BIND_SERVICE
+# define CAP_NET_BIND_SERVICE -1
+# endif
+# ifndef CAP_NET_BROADCAST
+# define CAP_NET_BROADCAST -1
+# endif
+# ifndef CAP_NET_RAW
+# define CAP_NET_RAW -1
+# endif
+# ifndef CAP_SETGID
+# define CAP_SETGID -1
+# endif
+# ifndef CAP_SETFCAP
+# define CAP_SETFCAP -1
+# endif
+# ifndef CAP_SETPCAP
+# define CAP_SETPCAP -1
+# endif
+# ifndef CAP_SETUID
+# define CAP_SETUID -1
+# endif
+# ifndef CAP_SYS_ADMIN
+# define CAP_SYS_ADMIN -1
+# endif
+# ifndef CAP_SYS_BOOT
+# define CAP_SYS_BOOT -1
+# endif
+# ifndef CAP_SYS_CHROOT
+# define CAP_SYS_CHROOT -1
+# endif
+# ifndef CAP_SYS_MODULE
+# define CAP_SYS_MODULE -1
+# endif
+# ifndef CAP_SYS_NICE
+# define CAP_SYS_NICE -1
+# endif
+# ifndef CAP_SYS_PACCT
+# define CAP_SYS_PACCT -1
+# endif
+# ifndef CAP_SYS_PTRACE
+# define CAP_SYS_PTRACE -1
+# endif
+# ifndef CAP_SYS_RAWIO
+# define CAP_SYS_RAWIO -1
+# endif
+# ifndef CAP_SYS_RESOURCE
+# define CAP_SYS_RESOURCE -1
+# endif
+# ifndef CAP_SYS_TIME
+# define CAP_SYS_TIME -1
+# endif
+# ifndef CAP_SYS_TTY_CONFIG
+# define CAP_SYS_TTY_CONFIG -1
+# endif
+# ifndef CAP_SYSLOG
+# define CAP_SYSLOG -1
+# endif
+# ifndef CAP_WAKE_ALARM
+# define CAP_WAKE_ALARM -1
+# endif
+
+static int lxcContainerDropCapabilities(virDomainDefPtr def,
+ bool keepReboot)
{
int ret;
+ size_t i;
+ int policy = def->features[VIR_DOMAIN_FEATURE_CAPABILITIES];
+
+ /* Maps virDomainCapsFeature to CAPS_* */
+ static unsigned int capsMapping[] = {CAP_AUDIT_CONTROL,
+ CAP_AUDIT_WRITE,
+ CAP_BLOCK_SUSPEND,
+ CAP_CHOWN,
+ CAP_DAC_OVERRIDE,
+ CAP_DAC_READ_SEARCH,
+ CAP_FOWNER,
+ CAP_FSETID,
+ CAP_IPC_LOCK,
+ CAP_IPC_OWNER,
+ CAP_KILL,
+ CAP_LEASE,
+ CAP_LINUX_IMMUTABLE,
+ CAP_MAC_ADMIN,
+ CAP_MAC_OVERRIDE,
+ CAP_MKNOD,
+ CAP_NET_ADMIN,
+ CAP_NET_BIND_SERVICE,
+ CAP_NET_BROADCAST,
+ CAP_NET_RAW,
+ CAP_SETGID,
+ CAP_SETFCAP,
+ CAP_SETPCAP,
+ CAP_SETUID,
+ CAP_SYS_ADMIN,
+ CAP_SYS_BOOT,
+ CAP_SYS_CHROOT,
+ CAP_SYS_MODULE,
+ CAP_SYS_NICE,
+ CAP_SYS_PACCT,
+ CAP_SYS_PTRACE,
+ CAP_SYS_RAWIO,
+ CAP_SYS_RESOURCE,
+ CAP_SYS_TIME,
+ CAP_SYS_TTY_CONFIG,
+ CAP_SYSLOG,
+ CAP_WAKE_ALARM};
capng_get_caps_process();
- if ((ret = capng_updatev(CAPNG_DROP,
- CAPNG_EFFECTIVE | CAPNG_PERMITTED |
- CAPNG_INHERITABLE | CAPNG_BOUNDING_SET,
- CAP_SYS_MODULE, /* No kernel module loading */
- CAP_SYS_TIME, /* No changing the clock */
- CAP_MKNOD, /* No creating device nodes */
- CAP_AUDIT_CONTROL, /* No messing with auditing status */
- CAP_MAC_ADMIN, /* No messing with LSM config */
- keepReboot ? -1 : CAP_SYS_BOOT, /* No use of reboot */
- -1)) < 0) {
- virReportError(VIR_ERR_INTERNAL_ERROR,
- _("Failed to remove capabilities: %d"), ret);
- return -1;
+ /* Make sure we drop everything if required by the user */
+ if (policy == VIR_DOMAIN_CAPABILITIES_POLICY_DENY)
+ capng_clear(CAPNG_SELECT_BOTH);
+
+ /* Apply all single capabilities changes */
+ for (i = 0; i < VIR_DOMAIN_CAPS_FEATURE_LAST; i++) {
+ bool toDrop = false;
+ int state = def->caps_features[i];
+
+ /* Skip capabilities that aren't handled by our kernel */
+ if (!cap_valid(capsMapping))
+ continue;
+
+ switch ((virDomainCapabilitiesPolicy) policy) {
+
+ case VIR_DOMAIN_CAPABILITIES_POLICY_DENY:
+ if (state == VIR_DOMAIN_FEATURE_STATE_ON &&
+ (ret = capng_update(CAPNG_ADD,
+ CAPNG_EFFECTIVE | CAPNG_PERMITTED |
+ CAPNG_INHERITABLE | CAPNG_BOUNDING_SET,
+ capsMapping[i])) < 0) {
+ virReportError(VIR_ERR_INTERNAL_ERROR,
+ _("Failed to add capability %s: %d"),
+ virDomainCapsFeatureTypeToString(i), ret);
+ return -1;
+ }
+ break;
+
+ case VIR_DOMAIN_CAPABILITIES_POLICY_DEFAULT:
+ switch ((virDomainCapsFeature) i) {
+ case VIR_DOMAIN_CAPS_FEATURE_SYS_BOOT: /* No use of reboot */
+ toDrop = !keepReboot && (state != VIR_DOMAIN_FEATURE_STATE_ON);
+ break;
+ case VIR_DOMAIN_CAPS_FEATURE_SYS_MODULE: /* No kernel module loading */
+ case VIR_DOMAIN_CAPS_FEATURE_SYS_TIME: /* No changing the clock */
+ case VIR_DOMAIN_CAPS_FEATURE_MKNOD: /* No creating device nodes */
+ case VIR_DOMAIN_CAPS_FEATURE_AUDIT_CONTROL: /* No messing with auditing status */
+ case VIR_DOMAIN_CAPS_FEATURE_MAC_ADMIN: /* No messing with LSM config */
+ toDrop = (state != VIR_DOMAIN_FEATURE_STATE_ON);
+ break;
+ default: /* User specified capabilities to drop */
+ toDrop = (state == VIR_DOMAIN_FEATURE_STATE_OFF);
+ }
+ /* Fallthrough */
+
+ case VIR_DOMAIN_CAPABILITIES_POLICY_ALLOW:
+ if (policy == VIR_DOMAIN_CAPABILITIES_POLICY_ALLOW)
+ toDrop = state == VIR_DOMAIN_FEATURE_STATE_OFF;
+
+ if (toDrop && (ret = capng_update(CAPNG_DROP,
+ CAPNG_EFFECTIVE | CAPNG_PERMITTED |
+ CAPNG_INHERITABLE | CAPNG_BOUNDING_SET,
+ capsMapping[i])) < 0) {
+ virReportError(VIR_ERR_INTERNAL_ERROR,
+ _("Failed to remove capability %s: %d"),
+ virDomainCapsFeatureTypeToString(i), ret);
+ return -1;
+ }
+ break;
+
+ default:
+ virReportError(VIR_ERR_CONFIG_UNSUPPORTED,
+ _("Unsupported capabilities policy: %s"),
+ virDomainCapabilitiesPolicyTypeToString(policy));
+ }
}
if ((ret = capng_apply(CAPNG_SELECT_BOTH)) < 0) {
@@ -1768,7 +1975,8 @@ static int lxcContainerDropCapabilities(
return 0;
}
#else
-static int lxcContainerDropCapabilities(bool keepReboot ATTRIBUTE_UNUSED)
+static int lxcContainerDropCapabilities(virDomainDefPtr def ATTRIBUTE_UNUSED,
+ bool keepReboot ATTRIBUTE_UNUSED)
{
VIR_WARN("libcap-ng support not compiled in, unable to clear capabilities");
return 0;
@@ -1874,7 +2082,7 @@ static int lxcContainerChild(void *data)
}
/* drop a set of root capabilities */
- if (lxcContainerDropCapabilities(!!hasReboot) < 0)
+ if (lxcContainerDropCapabilities(vmDef, !!hasReboot) < 0)
goto cleanup;
if (lxcContainerSendContinue(argv->handshakefd) < 0) {
Index: libvirt-1.2.6/src/util/vircgroup.c
===================================================================
--- libvirt-1.2.6.orig/src/util/vircgroup.c
+++ libvirt-1.2.6/src/util/vircgroup.c
@@ -2622,6 +2622,62 @@ virCgroupDenyAllDevices(virCgroupPtr gro
"a");
}
+static int
+virCgroupAllowDevices(virCgroupPtr group, char type, const char *device, int perms)
+{
+ int ret = -1;
+ char *devstr = NULL;
+
+ if (virAsprintf(&devstr, "%c %s %s%s%s", type, device,
+ perms & VIR_CGROUP_DEVICE_READ ? "r" : "",
+ perms & VIR_CGROUP_DEVICE_WRITE ? "w" : "",
+ perms & VIR_CGROUP_DEVICE_MKNOD ? "m" : "") < 0)
+ goto cleanup;
+
+ if (virCgroupSetValueStr(group,
+ VIR_CGROUP_CONTROLLER_DEVICES,
+ "devices.allow",
+ devstr) < 0)
+ goto cleanup;
+
+ ret = 0;
+
+ cleanup:
+ VIR_FREE(devstr);
+ return ret;
+}
+
+/**
+ * virCgroupAllowAllDevices:
+ *
+ * Allows the permissiong for all devices by setting lines similar
+ * to these ones (obviously the 'm' permission is an example):
+ *
+ * 'b *:* m'
+ * 'c *:* m'
+ *
+ * @group: The cgroup to allow devices for
+ * @perms: Bitwise or of VIR_CGROUP_DEVICE permission bits to allow
+ *
+ * Returns: 0 on success
+ */
+int
+virCgroupAllowAllDevices(virCgroupPtr group, int perms)
+{
+ int ret = -1;
+
+ if (virCgroupAllowDevices(group, 'b', "*:*", perms) < 0)
+ goto cleanup;
+
+ if (virCgroupAllowDevices(group, 'c', "*:*", perms) < 0)
+ goto cleanup;
+
+ ret = 0;
+
+ cleanup:
+ return ret;
+}
+
/**
* virCgroupAllowDevice:
@@ -2641,16 +2697,10 @@ virCgroupAllowDevice(virCgroupPtr group,
int ret = -1;
char *devstr = NULL;
- if (virAsprintf(&devstr, "%c %i:%i %s%s%s", type, major, minor,
- perms & VIR_CGROUP_DEVICE_READ ? "r" : "",
- perms & VIR_CGROUP_DEVICE_WRITE ? "w" : "",
- perms & VIR_CGROUP_DEVICE_MKNOD ? "m" : "") < 0)
+ if (virAsprintf(&devstr, "%i:%i", major, minor) < 0)
goto cleanup;
- if (virCgroupSetValueStr(group,
- VIR_CGROUP_CONTROLLER_DEVICES,
- "devices.allow",
- devstr) < 0)
+ if (virCgroupAllowDevices(group, type, devstr, perms) < 0)
goto cleanup;
ret = 0;
@@ -4202,6 +4252,14 @@ virCgroupGetCpusetCpus(virCgroupPtr grou
return -1;
}
+int
+virCgroupAllowAllDevices(virCgroupPtr groupi ATTRIBUTE_UNUSED,
+ int perms ATTRIBUTE_UNUSED)
+{
+ virReportSystemError(ENOSYS, "%s",
+ _("Control groups not supported on this platform"));
+ return -1;
+}
int
virCgroupDenyAllDevices(virCgroupPtr group ATTRIBUTE_UNUSED)
Index: libvirt-1.2.6/src/util/vircgroup.h
===================================================================
--- libvirt-1.2.6.orig/src/util/vircgroup.h
+++ libvirt-1.2.6/src/util/vircgroup.h
@@ -175,6 +175,8 @@ enum {
int virCgroupDenyAllDevices(virCgroupPtr group);
+int virCgroupAllowAllDevices(virCgroupPtr group, int perms);
+
int virCgroupAllowDevice(virCgroupPtr group,
char type,
int major,
Index: libvirt-1.2.6/tests/domainschemadata/domain-caps-features.xml
===================================================================
--- /dev/null
+++ libvirt-1.2.6/tests/domainschemadata/domain-caps-features.xml
@@ -0,0 +1,28 @@
+<domain type='lxc'>
+ <name>demo</name>
+ <uuid>8369f1ac-7e46-e869-4ca5-759d51478066</uuid>
+ <os>
+ <type>exe</type>
+ <init>/sh</init>
+ </os>
+ <features>
+ <capabilities policy="deny">
+ <mknod state="on"/>
+ </capabilities>
+ </features>
+ <resource>
+ <partition>/virtualmachines</partition>
+ </resource>
+ <memory unit='KiB'>500000</memory>
+ <devices>
+ <filesystem type='mount'>
+ <source dir='/root/container'/>
+ <target dir='/'/>
+ </filesystem>
+ <filesystem type='mount'>
+ <source dir='/home'/>
+ <target dir='/home'/>
+ </filesystem>
+ <console type='pty'/>
+ </devices>
+</domain>


@ -1,130 +0,0 @@
From 27b425b5f77029bf0d322afb930eabf6ec6899e4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?C=C3=A9dric=20Bosdonnat?= <cbosdonnat@suse.com>
Date: Wed, 2 Jul 2014 15:13:40 +0200
Subject: [PATCH 1/2] lxc conf2xml: convert lxc.network.name for veth networks
---
src/lxc/lxc_native.c | 22 ++++++++++++++++------
.../lxcconf2xmldata/lxcconf2xml-physnetwork.config | 1 +
tests/lxcconf2xmldata/lxcconf2xml-simple.xml | 1 +
3 files changed, 18 insertions(+), 6 deletions(-)
Index: libvirt-1.2.5/src/lxc/lxc_native.c
===================================================================
--- libvirt-1.2.5.orig/src/lxc/lxc_native.c
+++ libvirt-1.2.5/src/lxc/lxc_native.c
@@ -338,7 +338,8 @@ lxcCreateNetDef(const char *type,
const char *linkdev,
const char *mac,
const char *flag,
- const char *macvlanmode)
+ const char *macvlanmode,
+ const char *name)
{
virDomainNetDefPtr net = NULL;
virMacAddr macAddr;
@@ -353,6 +354,8 @@ lxcCreateNetDef(const char *type,
net->linkstate = VIR_DOMAIN_NET_INTERFACE_LINK_STATE_DOWN;
}
+ if (name && VIR_STRDUP(net->ifname_guest, name) < 0)
+ goto error;
if (mac && virMacAddrParse(mac, &macAddr) == 0)
net->mac = macAddr;
@@ -416,7 +419,8 @@ lxcAddNetworkDefinition(virDomainDefPtr
const char *mac,
const char *flag,
const char *macvlanmode,
- const char *vlanid)
+ const char *vlanid,
+ const char *name)
{
virDomainNetDefPtr net = NULL;
virDomainHostdevDefPtr hostdev = NULL;
@@ -452,7 +456,7 @@ lxcAddNetworkDefinition(virDomainDefPtr
goto error;
def->hostdevs[def->nhostdevs - 1] = hostdev;
} else {
- if (!(net = lxcCreateNetDef(type, linkdev, mac, flag, macvlanmode)))
+ if (!(net = lxcCreateNetDef(type, linkdev, mac, flag, macvlanmode, name)))
goto error;
if (VIR_EXPAND_N(def->nets, def->nnets, 1) < 0)
@@ -476,6 +480,7 @@ typedef struct {
char *flag;
char *macvlanmode;
char *vlanid;
+ char *name;
bool privnet;
size_t networks;
} lxcNetworkParseData;
@@ -492,7 +497,8 @@ lxcNetworkWalkCallback(const char *name,
parseData->link, parseData->mac,
parseData->flag,
parseData->macvlanmode,
- parseData->vlanid);
+ parseData->vlanid,
+ parseData->name);
if (status < 0)
return -1;
@@ -508,6 +514,7 @@ lxcNetworkWalkCallback(const char *name,
parseData->flag = NULL;
parseData->macvlanmode = NULL;
parseData->vlanid = NULL;
+ parseData->name = NULL;
/* Keep the new value */
parseData->type = value->str;
@@ -522,6 +529,8 @@ lxcNetworkWalkCallback(const char *name,
parseData->macvlanmode = value->str;
else if (STREQ(name, "lxc.network.vlan.id"))
parseData->vlanid = value->str;
+ else if (STREQ(name, "lxc.network.name"))
+ parseData->name = value->str;
else if (STRPREFIX(name, "lxc.network"))
VIR_WARN("Unhandled network property: %s = %s",
name,
@@ -535,7 +544,7 @@ lxcConvertNetworkSettings(virDomainDefPt
{
int status;
lxcNetworkParseData data = {def, NULL, NULL, NULL, NULL,
- NULL, NULL, true, 0};
+ NULL, NULL, NULL, true, 0};
virConfWalk(properties, lxcNetworkWalkCallback, &data);
@@ -543,7 +552,8 @@ lxcConvertNetworkSettings(virDomainDefPt
status = lxcAddNetworkDefinition(def, data.type, data.link,
data.mac, data.flag,
data.macvlanmode,
- data.vlanid);
+ data.vlanid,
+ data.name);
if (status < 0)
return -1;
else if (status > 0)
Index: libvirt-1.2.5/tests/lxcconf2xmldata/lxcconf2xml-physnetwork.config
===================================================================
--- libvirt-1.2.5.orig/tests/lxcconf2xmldata/lxcconf2xml-physnetwork.config
+++ libvirt-1.2.5/tests/lxcconf2xmldata/lxcconf2xml-physnetwork.config
@@ -1,5 +1,6 @@
lxc.network.type = phys
lxc.network.link = eth0
+lxc.network.name = eth1
lxc.rootfs = /var/lib/lxc/migrate_test/rootfs
lxc.utsname = migrate_test
Index: libvirt-1.2.5/tests/lxcconf2xmldata/lxcconf2xml-simple.xml
===================================================================
--- libvirt-1.2.5.orig/tests/lxcconf2xmldata/lxcconf2xml-simple.xml
+++ libvirt-1.2.5/tests/lxcconf2xmldata/lxcconf2xml-simple.xml
@@ -37,6 +37,7 @@
<interface type='bridge'>
<mac address='02:00:15:8f:05:c1'/>
<source bridge='virbr0'/>
+ <guest dev='eth0'/>
<link state='up'/>
</interface>
<console type='pty'>


@ -1,37 +0,0 @@
From c0b1a318442740b6c63630b61d0718598a9937d2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?C=C3=A9dric=20Bosdonnat?= <cbosdonnat@suse.com>
Date: Wed, 2 Jul 2014 15:24:56 +0200
Subject: [PATCH 2/2] lxc network device names change documentation
---
docs/formatdomain.html.in | 17 +++++++++++++++++
1 file changed, 17 insertions(+)
Index: libvirt-1.2.5/docs/formatdomain.html.in
===================================================================
--- libvirt-1.2.5.orig/docs/formatdomain.html.in
+++ libvirt-1.2.5/docs/formatdomain.html.in
@@ -3757,6 +3757,23 @@ qemu-kvm -net nic,model=? /dev/null
targets using these prefixes will be ignored.
</p>
+ <p>
+ Note that for LXC containers, this defines the name of the interface
+ on the host side. <span class="since">Since 1.2.7</span>, to define
+ the name of the device on the guest side, the <code>guest</code>
+ element should be used, as in the following snippet:
+ </p>
+
+<pre>
+ ...
+ &lt;devices&gt;
+ &lt;interface type='network'&gt;
+ &lt;source network='default'/&gt;
+ <b>&lt;guest dev='myeth'/&gt;</b>
+ &lt;/interface&gt;
+ &lt;/devices&gt;
+ ...</pre>
+
<h5><a name="elementsNICSBoot">Specifying boot order</a></h5>
<pre>


@ -1,269 +0,0 @@
From 2dd011bd1451e5e6e41c0fbe98884d7594a46dc1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?C=C3=A9dric=20Bosdonnat?= <cbosdonnat@suse.com>
Date: Fri, 27 Jun 2014 10:41:22 +0200
Subject: [PATCH] lxc network configuration allows setting target container NIC
name
LXC network devices can now be assigned a custom NIC device name on the
container side. For example, this is configured with:
<interface type='network'>
<source network='default'/>
<guest dev="eth1"/>
</interface>
In this example the network card will appear as eth1 in the guest.
---
docs/schemas/domaincommon.rng | 17 +++++++++++++++++
src/conf/domain_conf.c | 27 +++++++++++++++++++++++++++
src/conf/domain_conf.h | 2 ++
src/lxc/lxc_container.c | 29 +++++++++++++++++++++++++----
src/lxc/lxc_process.c | 25 +++++++++++++++++++++++++
tests/lxcxml2xmldata/lxc-idmap.xml | 1 +
6 files changed, 97 insertions(+), 4 deletions(-)
Index: libvirt-1.2.5/docs/schemas/domaincommon.rng
===================================================================
--- libvirt-1.2.5.orig/docs/schemas/domaincommon.rng
+++ libvirt-1.2.5/docs/schemas/domaincommon.rng
@@ -2165,6 +2165,23 @@
</element>
</optional>
<optional>
+ <element name="guest">
+ <interleave>
+ <optional>
+ <attribute name="dev">
+ <ref name="deviceName"/>
+ </attribute>
+ </optional>
+ <optional>
+ <attribute name="actual">
+ <ref name="deviceName"/>
+ </attribute>
+ </optional>
+ </interleave>
+ <empty/>
+ </element>
+ </optional>
+ <optional>
<element name="mac">
<attribute name="address">
<ref name="uniMacAddr"/>
Index: libvirt-1.2.5/src/conf/domain_conf.c
===================================================================
--- libvirt-1.2.5.orig/src/conf/domain_conf.c
+++ libvirt-1.2.5/src/conf/domain_conf.c
@@ -1415,6 +1415,8 @@ void virDomainNetDefFree(virDomainNetDef
VIR_FREE(def->virtPortProfile);
VIR_FREE(def->script);
VIR_FREE(def->ifname);
+ VIR_FREE(def->ifname_guest);
+ VIR_FREE(def->ifname_guest_actual);
virDomainDeviceInfoClear(&def->info);
@@ -6621,6 +6623,8 @@ virDomainNetDefParseXML(virDomainXMLOpti
char *bridge = NULL;
char *dev = NULL;
char *ifname = NULL;
+ char *ifname_guest = NULL;
+ char *ifname_guest_actual = NULL;
char *script = NULL;
char *address = NULL;
char *port = NULL;
@@ -6726,6 +6730,10 @@ virDomainNetDefParseXML(virDomainXMLOpti
/* An auto-generated target name, blank it out */
VIR_FREE(ifname);
}
+ } else if ((!ifname_guest || !ifname_guest_actual) &&
+ xmlStrEqual(cur->name, BAD_CAST "guest")) {
+ ifname_guest = virXMLPropString(cur, "dev");
+ ifname_guest_actual = virXMLPropString(cur, "actual");
} else if (!linkstate &&
xmlStrEqual(cur->name, BAD_CAST "link")) {
linkstate = virXMLPropString(cur, "state");
@@ -6967,6 +6975,14 @@ virDomainNetDefParseXML(virDomainXMLOpti
def->ifname = ifname;
ifname = NULL;
}
+ if (ifname_guest != NULL) {
+ def->ifname_guest = ifname_guest;
+ ifname_guest = NULL;
+ }
+ if (ifname_guest_actual != NULL) {
+ def->ifname_guest_actual = ifname_guest_actual;
+ ifname_guest_actual = NULL;
+ }
/* NIC model (see -net nic,model=?). We only check that it looks
* reasonable, not that it is a supported NIC type. FWIW kvm
@@ -15918,6 +15934,17 @@ virDomainNetDefFormat(virBufferPtr buf,
/* Skip auto-generated target names for inactive config. */
virBufferEscapeString(buf, "<target dev='%s'/>\n", def->ifname);
}
+ if (def->ifname_guest || def->ifname_guest_actual) {
+ virBufferAddLit(buf, "<guest");
+ /* Skip auto-generated target names for inactive config. */
+ if (def->ifname_guest)
+ virBufferEscapeString(buf, " dev='%s'", def->ifname_guest);
+
+ /* Only set if the host is running, so shouldn't pollute output */
+ if (def->ifname_guest_actual)
+ virBufferEscapeString(buf, " actual='%s'", def->ifname_guest_actual);
+ virBufferAddLit(buf, "/>\n");
+ }
if (def->model) {
virBufferEscapeString(buf, "<model type='%s'/>\n",
def->model);
Index: libvirt-1.2.5/src/conf/domain_conf.h
===================================================================
--- libvirt-1.2.5.orig/src/conf/domain_conf.h
+++ libvirt-1.2.5/src/conf/domain_conf.h
@@ -916,6 +916,8 @@ struct _virDomainNetDef {
} tune;
char *script;
char *ifname;
+ char *ifname_guest;
+ char *ifname_guest_actual;
virDomainDeviceInfo info;
char *filter;
virNWFilterHashTablePtr filterparams;
Index: libvirt-1.2.5/src/lxc/lxc_container.c
===================================================================
--- libvirt-1.2.5.orig/src/lxc/lxc_container.c
+++ libvirt-1.2.5/src/lxc/lxc_container.c
@@ -464,6 +464,21 @@ static int lxcContainerSetID(virDomainDe
}
+static virDomainNetDefPtr
+lxcContainerGetNetDef(virDomainDefPtr vmDef, const char *devName)
+{
+ size_t i;
+ virDomainNetDefPtr netDef;
+
+ for (i = 0; i < vmDef->nnets; i++) {
+ netDef = vmDef->nets[i];
+ if (STREQ(netDef->ifname_guest_actual, devName))
+ return netDef;
+ }
+
+ return NULL;
+}
+
/**
* lxcContainerRenameAndEnableInterfaces:
* @nveths: number of interfaces
@@ -475,16 +490,23 @@ static int lxcContainerSetID(virDomainDe
*
* Returns 0 on success or nonzero in case of error
*/
-static int lxcContainerRenameAndEnableInterfaces(bool privNet,
+static int lxcContainerRenameAndEnableInterfaces(virDomainDefPtr vmDef,
size_t nveths,
char **veths)
{
int rc = 0;
size_t i;
char *newname = NULL;
+ virDomainNetDefPtr netDef;
+ bool privNet = vmDef->features[VIR_DOMAIN_FEATURE_PRIVNET] ==
+ VIR_DOMAIN_FEATURE_STATE_ON;
for (i = 0; i < nveths; i++) {
- if (virAsprintf(&newname, "eth%zu", i) < 0) {
+ if (!(netDef = lxcContainerGetNetDef(vmDef, veths[i])))
+ return -1;
+
+ newname = netDef->ifname_guest;
+ if (!newname) {
rc = -1;
goto error_out;
}
@@ -2074,8 +2096,7 @@ static int lxcContainerChild(void *data)
}
/* rename and enable interfaces */
- if (lxcContainerRenameAndEnableInterfaces(vmDef->features[VIR_DOMAIN_FEATURE_PRIVNET] ==
- VIR_DOMAIN_FEATURE_STATE_ON,
+ if (lxcContainerRenameAndEnableInterfaces(vmDef,
argv->nveths,
argv->veths) < 0) {
goto cleanup;
Index: libvirt-1.2.5/src/lxc/lxc_process.c
===================================================================
--- libvirt-1.2.5.orig/src/lxc/lxc_process.c
+++ libvirt-1.2.5/src/lxc/lxc_process.c
@@ -259,6 +259,8 @@ char *virLXCProcessSetupInterfaceBridged
if (virNetDevSetMAC(containerVeth, &net->mac) < 0)
goto cleanup;
+ if (VIR_STRDUP(net->ifname_guest_actual, containerVeth) < 0)
+ goto cleanup;
if (vport && vport->virtPortType == VIR_NETDEV_VPORT_PROFILE_OPENVSWITCH) {
if (virNetDevOpenvswitchAddPort(brname, parentVeth, &net->mac,
@@ -369,6 +371,7 @@ static int virLXCProcessSetupInterfaces(
{
int ret = -1;
size_t i;
+ size_t niface = 0;
for (i = 0; i < def->nnets; i++) {
char *veth = NULL;
@@ -451,6 +454,13 @@ static int virLXCProcessSetupInterfaces(
}
(*veths)[(*nveths)-1] = veth;
+
+ /* Make sure all net definitions will have a name in the container */
+ if (!def->nets[i]->ifname_guest) {
+ if (virAsprintf(&def->nets[i]->ifname_guest, "eth%zu", niface) < 0)
+ return -1;
+ niface++;
+ }
}
ret = 0;
@@ -470,6 +480,18 @@ static int virLXCProcessSetupInterfaces(
return ret;
}
+static void
+virLXCProcessCleanInterfaces(virDomainDefPtr def)
+{
+ size_t i;
+
+ for (i = 0; i < def->nnets; i++) {
+ VIR_FREE(def->nets[i]->ifname_guest_actual);
+ def->nets[i]->ifname_guest_actual = NULL;
+ VIR_DEBUG("Cleared net names: %s", def->nets[i]->ifname_guest);
+ }
+}
+
extern virLXCDriverPtr lxc_driver;
static void virLXCProcessMonitorEOFNotify(virLXCMonitorPtr mon,
@@ -1306,6 +1328,9 @@ int virLXCProcessStart(virConnectPtr con
vm, false) < 0)
goto error;
+ /* We don't need the temporary NIC names anymore, clear them */
+ virLXCProcessCleanInterfaces(vm->def);
+
/* Write domain status to disk.
*
* XXX: Earlier we wrote the plain "live" domain XML to this
Index: libvirt-1.2.5/tests/lxcxml2xmldata/lxc-idmap.xml
===================================================================
--- libvirt-1.2.5.orig/tests/lxcxml2xmldata/lxc-idmap.xml
+++ libvirt-1.2.5/tests/lxcxml2xmldata/lxc-idmap.xml
@@ -29,6 +29,7 @@
<mac address='00:16:3e:0f:ef:8a'/>
<source bridge='bri0'/>
<target dev='veth0'/>
+ <guest dev='eth2'/>
</interface>
<console type='pty'>
<target type='lxc' port='0'/>


@ -8,10 +8,10 @@ Subject: [PATCH] support managed pci devices in xen driver
src/xenxs/xen_xm.c | 28 +++++++++++++++++++++++++++-
2 files changed, 35 insertions(+), 15 deletions(-)
Index: libvirt-1.2.6/src/xenxs/xen_sxpr.c
Index: libvirt-1.2.7/src/xenxs/xen_sxpr.c
===================================================================
--- libvirt-1.2.6.orig/src/xenxs/xen_sxpr.c
+++ libvirt-1.2.6/src/xenxs/xen_sxpr.c
--- libvirt-1.2.7.orig/src/xenxs/xen_sxpr.c
+++ libvirt-1.2.7/src/xenxs/xen_sxpr.c
@@ -997,6 +997,7 @@ xenParseSxprPCI(virDomainDefPtr def,
int busID;
int slotID;
@ -35,7 +35,7 @@ Index: libvirt-1.2.6/src/xenxs/xen_sxpr.c
dev->source.subsys.type = VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_PCI;
dev->source.subsys.u.pci.addr.domain = domainID;
dev->source.subsys.u.pci.addr.bus = busID;
@@ -1991,11 +1994,15 @@ static void
@@ -1990,11 +1993,15 @@ static void
xenFormatSxprPCI(virDomainHostdevDefPtr def,
virBufferPtr buf)
{
@ -52,7 +52,7 @@ Index: libvirt-1.2.6/src/xenxs/xen_sxpr.c
}
@@ -2014,12 +2021,6 @@ xenFormatSxprOnePCI(virDomainHostdevDefP
@@ -2013,12 +2020,6 @@ xenFormatSxprOnePCI(virDomainHostdevDefP
virBufferPtr buf,
int detach)
{
@ -65,7 +65,7 @@ Index: libvirt-1.2.6/src/xenxs/xen_sxpr.c
virBufferAddLit(buf, "(pci ");
xenFormatSxprPCI(def, buf);
if (detach)
@@ -2074,12 +2075,6 @@ xenFormatSxprAllPCI(virDomainDefPtr def,
@@ -2073,12 +2074,6 @@ xenFormatSxprAllPCI(virDomainDefPtr def,
for (i = 0; i < def->nhostdevs; i++) {
if (def->hostdevs[i]->mode == VIR_DOMAIN_HOSTDEV_MODE_SUBSYS &&
def->hostdevs[i]->source.subsys.type == VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_PCI) {
@ -78,11 +78,11 @@ Index: libvirt-1.2.6/src/xenxs/xen_sxpr.c
xenFormatSxprPCI(def->hostdevs[i], buf);
}
}
Index: libvirt-1.2.6/src/xenxs/xen_xm.c
Index: libvirt-1.2.7/src/xenxs/xen_xm.c
===================================================================
--- libvirt-1.2.6.orig/src/xenxs/xen_xm.c
+++ libvirt-1.2.6/src/xenxs/xen_xm.c
@@ -819,6 +819,8 @@ xenParseXM(virConfPtr conf, int xendConf
--- libvirt-1.2.7.orig/src/xenxs/xen_xm.c
+++ libvirt-1.2.7/src/xenxs/xen_xm.c
@@ -815,6 +815,8 @@ xenParseXM(virConfPtr conf, int xendConf
int busID;
int slotID;
int funcID;
@ -91,7 +91,7 @@ Index: libvirt-1.2.6/src/xenxs/xen_xm.c
domain[0] = bus[0] = slot[0] = func[0] = '\0';
@@ -828,6 +830,11 @@ xenParseXM(virConfPtr conf, int xendConf
@@ -824,6 +826,11 @@ xenParseXM(virConfPtr conf, int xendConf
/* pci=['0000:00:1b.0','0000:00:13.0'] */
if (!(key = list->str))
goto skippci;
@ -103,7 +103,7 @@ Index: libvirt-1.2.6/src/xenxs/xen_xm.c
if (!(nextkey = strchr(key, ':')))
goto skippci;
@@ -876,10 +883,30 @@ xenParseXM(virConfPtr conf, int xendConf
@@ -872,10 +879,30 @@ xenParseXM(virConfPtr conf, int xendConf
if (virStrToLong_i(func, NULL, 16, &funcID) < 0)
goto skippci;


@ -1,7 +1,7 @@
Index: libvirt-1.2.6/src/qemu/qemu.conf
Index: libvirt-1.2.7/src/qemu/qemu.conf
===================================================================
--- libvirt-1.2.6.orig/src/qemu/qemu.conf
+++ libvirt-1.2.6/src/qemu/qemu.conf
--- libvirt-1.2.7.orig/src/qemu/qemu.conf
+++ libvirt-1.2.7/src/qemu/qemu.conf
@@ -200,7 +200,16 @@
# a special value; security_driver can be set to that value in
# isolation, but it cannot appear in a list of drivers.
@ -19,7 +19,7 @@ Index: libvirt-1.2.6/src/qemu/qemu.conf
# If set to non-zero, then the default security labeling
# will make guests confined. If set to zero, then guests
@@ -402,11 +411,22 @@
@@ -409,11 +418,22 @@
#allow_disk_format_probing = 1


@ -1,7 +1,7 @@
Index: libvirt-1.2.6/daemon/libvirtd.service.in
Index: libvirt-1.2.7/daemon/libvirtd.service.in
===================================================================
--- libvirt-1.2.6.orig/daemon/libvirtd.service.in
+++ libvirt-1.2.6/daemon/libvirtd.service.in
--- libvirt-1.2.7.orig/daemon/libvirtd.service.in
+++ libvirt-1.2.7/daemon/libvirtd.service.in
@@ -10,6 +10,8 @@ After=network.target
After=dbus.service
After=iscsid.service


@ -1,9 +1,9 @@
Adjust virtlockd init files to conform to SUSE standards
Index: libvirt-1.2.6/src/locking/virtlockd.sysconf
Index: libvirt-1.2.7/src/locking/virtlockd.sysconf
===================================================================
--- libvirt-1.2.6.orig/src/locking/virtlockd.sysconf
+++ libvirt-1.2.6/src/locking/virtlockd.sysconf
--- libvirt-1.2.7.orig/src/locking/virtlockd.sysconf
+++ libvirt-1.2.7/src/locking/virtlockd.sysconf
@@ -1,3 +1,7 @@
+## Path: System/Virtualization/virtlockd
+
@ -12,10 +12,10 @@ Index: libvirt-1.2.6/src/locking/virtlockd.sysconf
#
# Pass extra arguments to virtlockd
#VIRTLOCKD_ARGS=
Index: libvirt-1.2.6/src/locking/virtlockd.init.in
Index: libvirt-1.2.7/src/locking/virtlockd.init.in
===================================================================
--- libvirt-1.2.6.orig/src/locking/virtlockd.init.in
+++ libvirt-1.2.6/src/locking/virtlockd.init.in
--- libvirt-1.2.7.orig/src/locking/virtlockd.init.in
+++ libvirt-1.2.7/src/locking/virtlockd.init.in
@@ -4,12 +4,14 @@
# http://www.linux-foundation.org/spec//booksets/LSB-Core-generic/LSB-Core-generic.html#INITSCRCOMCONV
#


@ -14,10 +14,10 @@
is inactive. We obviously can't search xenstore when the domain is
inactive.
Index: libvirt-1.2.6/src/xen/xend_internal.c
Index: libvirt-1.2.7/src/xen/xend_internal.c
===================================================================
--- libvirt-1.2.6.orig/src/xen/xend_internal.c
+++ libvirt-1.2.6/src/xen/xend_internal.c
--- libvirt-1.2.7.orig/src/xen/xend_internal.c
+++ libvirt-1.2.7/src/xen/xend_internal.c
@@ -72,7 +72,7 @@ VIR_LOG_INIT("xen.xend_internal");
#define XEND_RCV_BUF_MAX_LEN (256 * 1024)
@ -27,7 +27,7 @@ Index: libvirt-1.2.6/src/xen/xend_internal.c
virDomainDeviceDefPtr dev, char *class,
char *ref, int ref_len);
@@ -3331,37 +3331,35 @@ xenDaemonDomainBlockPeek(virConnectPtr c
@@ -3328,37 +3328,35 @@ xenDaemonDomainBlockPeek(virConnectPtr c
* Returns 0 in case of success, -1 in case of failure.
*/
static int
@ -80,7 +80,7 @@ Index: libvirt-1.2.6/src/xen/xend_internal.c
} else if (dev->type == VIR_DOMAIN_DEVICE_NET) {
char mac[VIR_MAC_STRING_BUFLEN];
virDomainNetDefPtr netdef = dev->data.net;
@@ -3369,16 +3367,22 @@ virDomainXMLDevID(virConnectPtr conn,
@@ -3366,16 +3364,22 @@ virDomainXMLDevID(virConnectPtr conn,
strcpy(class, "vif");
@ -113,7 +113,7 @@ Index: libvirt-1.2.6/src/xen/xend_internal.c
} else if (dev->type == VIR_DOMAIN_DEVICE_HOSTDEV &&
dev->data.hostdev->mode == VIR_DOMAIN_HOSTDEV_MODE_SUBSYS &&
dev->data.hostdev->source.subsys.type == VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_PCI) {
@@ -3394,17 +3398,44 @@ virDomainXMLDevID(virConnectPtr conn,
@@ -3391,17 +3395,44 @@ virDomainXMLDevID(virConnectPtr conn,
strcpy(class, "pci");


@ -1,7 +1,7 @@
Index: libvirt-1.2.6/src/xenxs/xen_sxpr.c
Index: libvirt-1.2.7/src/xenxs/xen_sxpr.c
===================================================================
--- libvirt-1.2.6.orig/src/xenxs/xen_sxpr.c
+++ libvirt-1.2.6/src/xenxs/xen_sxpr.c
--- libvirt-1.2.7.orig/src/xenxs/xen_sxpr.c
+++ libvirt-1.2.7/src/xenxs/xen_sxpr.c
@@ -332,7 +332,7 @@ xenParseSxprChar(const char *value,
static int
xenParseSxprDisks(virDomainDefPtr def,