Accepting request 684124 from Virtualization

OBS-URL: https://build.opensuse.org/request/show/684124
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/libvirt?expand=0&rev=275
Dominique Leuenberger 2019-03-12 08:48:44 +00:00 committed by Git OBS Bridge
commit 5cc78c273e
46 changed files with 442 additions and 759 deletions


@ -18,10 +18,10 @@ them.
create mode 100644 src/conf/domain_stats.c
create mode 100644 src/conf/domain_stats.h
Index: libvirt-5.0.0/src/conf/domain_stats.c
Index: libvirt-5.1.0/src/conf/domain_stats.c
===================================================================
--- /dev/null
+++ libvirt-5.0.0/src/conf/domain_stats.c
+++ libvirt-5.1.0/src/conf/domain_stats.c
@@ -0,0 +1,139 @@
+/*
+ * domain_stats.c: domain stats extraction helpers
@ -162,10 +162,10 @@ Index: libvirt-5.0.0/src/conf/domain_stats.c
+}
+
+#undef STATS_ADD_NET_PARAM
Index: libvirt-5.0.0/src/conf/domain_stats.h
Index: libvirt-5.1.0/src/conf/domain_stats.h
===================================================================
--- /dev/null
+++ libvirt-5.0.0/src/conf/domain_stats.h
+++ libvirt-5.1.0/src/conf/domain_stats.h
@@ -0,0 +1,64 @@
+/*
+ * domain_stats.h: domain stats extraction helpers
@ -231,11 +231,11 @@ Index: libvirt-5.0.0/src/conf/domain_stats.h
+ int *maxparams);
+
+#endif /* __DOMAIN_STATS_H */
Index: libvirt-5.0.0/src/libvirt_private.syms
Index: libvirt-5.1.0/src/libvirt_private.syms
===================================================================
--- libvirt-5.0.0.orig/src/libvirt_private.syms
+++ libvirt-5.0.0/src/libvirt_private.syms
@@ -661,6 +661,9 @@ virDomainConfNWFilterInstantiate;
--- libvirt-5.1.0.orig/src/libvirt_private.syms
+++ libvirt-5.1.0/src/libvirt_private.syms
@@ -662,6 +662,9 @@ virDomainConfNWFilterInstantiate;
virDomainConfNWFilterTeardown;
virDomainConfVMNWFilterTeardown;
@ -245,7 +245,7 @@ Index: libvirt-5.0.0/src/libvirt_private.syms
# conf/interface_conf.h
virInterfaceDefFormat;
@@ -1550,6 +1553,7 @@ virCgroupGetMemoryUsage;
@@ -1547,6 +1550,7 @@ virCgroupGetMemoryUsage;
virCgroupGetMemSwapHardLimit;
virCgroupGetMemSwapUsage;
virCgroupGetPercpuStats;
@ -253,10 +253,10 @@ Index: libvirt-5.0.0/src/libvirt_private.syms
virCgroupHasController;
virCgroupHasEmptyTasks;
virCgroupKillPainfully;
Index: libvirt-5.0.0/src/qemu/qemu_driver.c
Index: libvirt-5.1.0/src/qemu/qemu_driver.c
===================================================================
--- libvirt-5.0.0.orig/src/qemu/qemu_driver.c
+++ libvirt-5.0.0/src/qemu/qemu_driver.c
--- libvirt-5.1.0.orig/src/qemu/qemu_driver.c
+++ libvirt-5.1.0/src/qemu/qemu_driver.c
@@ -67,6 +67,7 @@
#include "virarptable.h"
#include "viruuid.h"
@ -265,7 +265,7 @@ Index: libvirt-5.0.0/src/qemu/qemu_driver.c
#include "domain_audit.h"
#include "node_device_conf.h"
#include "virpci.h"
@@ -19969,21 +19970,7 @@ qemuDomainGetStatsState(virQEMUDriverPtr
@@ -20042,21 +20043,7 @@ qemuDomainGetStatsState(virQEMUDriverPtr
int *maxparams,
unsigned int privflags ATTRIBUTE_UNUSED)
{
@ -288,7 +288,7 @@ Index: libvirt-5.0.0/src/qemu/qemu_driver.c
}
@@ -20173,37 +20160,7 @@ qemuDomainGetStatsCpuCgroup(virDomainObj
@@ -20246,37 +20233,7 @@ qemuDomainGetStatsCpuCgroup(virDomainObj
int *maxparams)
{
qemuDomainObjPrivatePtr priv = dom->privateData;
@ -327,7 +327,7 @@ Index: libvirt-5.0.0/src/qemu/qemu_driver.c
}
@@ -20401,44 +20358,6 @@ qemuDomainGetStatsVcpu(virQEMUDriverPtr
@@ -20470,44 +20427,6 @@ qemuDomainGetStatsVcpu(virQEMUDriverPtr
return ret;
}
@ -372,7 +372,7 @@ Index: libvirt-5.0.0/src/qemu/qemu_driver.c
static int
qemuDomainGetStatsInterface(virQEMUDriverPtr driver ATTRIBUTE_UNUSED,
virDomainObjPtr dom,
@@ -20446,68 +20365,9 @@ qemuDomainGetStatsInterface(virQEMUDrive
@@ -20515,68 +20434,9 @@ qemuDomainGetStatsInterface(virQEMUDrive
int *maxparams,
unsigned int privflags ATTRIBUTE_UNUSED)
{
@ -442,7 +442,7 @@ Index: libvirt-5.0.0/src/qemu/qemu_driver.c
#define QEMU_ADD_BLOCK_PARAM_UI(record, maxparams, num, name, value) \
do { \
char param_name[VIR_TYPED_PARAM_FIELD_LENGTH]; \
@@ -20740,10 +20600,10 @@ qemuDomainGetStatsBlockExportHeader(virD
@@ -20809,10 +20669,10 @@ qemuDomainGetStatsBlockExportHeader(virD
{
int ret = -1;
@ -455,7 +455,7 @@ Index: libvirt-5.0.0/src/qemu/qemu_driver.c
if (src->id)
QEMU_ADD_BLOCK_PARAM_UI(records, nrecords, recordnr, "backingIndex",
src->id);
@@ -20897,7 +20757,7 @@ qemuDomainGetStatsBlock(virQEMUDriverPtr
@@ -20966,7 +20826,7 @@ qemuDomainGetStatsBlock(virQEMUDriverPtr
* after the iteration than it is to iterate twice; but we still
* want count listed first. */
count_index = record->nparams;
@ -464,7 +464,7 @@ Index: libvirt-5.0.0/src/qemu/qemu_driver.c
for (i = 0; i < dom->def->ndisks; i++) {
if (qemuDomainGetStatsBlockExportDisk(dom->def->disks[i], stats, nodestats,
@@ -20922,8 +20782,6 @@ qemuDomainGetStatsBlock(virQEMUDriverPtr
@@ -20991,8 +20851,6 @@ qemuDomainGetStatsBlock(virQEMUDriverPtr
#undef QEMU_ADD_BLOCK_PARAM_ULL
@ -473,7 +473,7 @@ Index: libvirt-5.0.0/src/qemu/qemu_driver.c
#define QEMU_ADD_IOTHREAD_PARAM_UI(record, maxparams, id, name, value) \
do { \
char param_name[VIR_TYPED_PARAM_FIELD_LENGTH]; \
@@ -20975,7 +20833,7 @@ qemuDomainGetStatsIOThread(virQEMUDriver
@@ -21044,7 +20902,7 @@ qemuDomainGetStatsIOThread(virQEMUDriver
if (niothreads == 0)
return 0;
@ -482,7 +482,7 @@ Index: libvirt-5.0.0/src/qemu/qemu_driver.c
for (i = 0; i < niothreads; i++) {
if (iothreads[i]->poll_valid) {
@@ -21008,8 +20866,6 @@ qemuDomainGetStatsIOThread(virQEMUDriver
@@ -21077,8 +20935,6 @@ qemuDomainGetStatsIOThread(virQEMUDriver
#undef QEMU_ADD_IOTHREAD_PARAM_ULL
@ -491,11 +491,11 @@ Index: libvirt-5.0.0/src/qemu/qemu_driver.c
static int
qemuDomainGetStatsPerfOneEvent(virPerfPtr perf,
virPerfEventType type,
Index: libvirt-5.0.0/src/util/vircgroup.c
Index: libvirt-5.1.0/src/util/vircgroup.c
===================================================================
--- libvirt-5.0.0.orig/src/util/vircgroup.c
+++ libvirt-5.0.0/src/util/vircgroup.c
@@ -2796,6 +2796,44 @@ virCgroupControllerAvailable(int control
--- libvirt-5.1.0.orig/src/util/vircgroup.c
+++ libvirt-5.1.0/src/util/vircgroup.c
@@ -2800,6 +2800,44 @@ virCgroupControllerAvailable(int control
return ret;
}
@ -540,7 +540,7 @@ Index: libvirt-5.0.0/src/util/vircgroup.c
#else /* !__linux__ */
bool
@@ -2805,6 +2843,15 @@ virCgroupAvailable(void)
@@ -2809,6 +2847,15 @@ virCgroupAvailable(void)
}
@ -556,10 +556,10 @@ Index: libvirt-5.0.0/src/util/vircgroup.c
int
virCgroupNewPartition(const char *path ATTRIBUTE_UNUSED,
bool create ATTRIBUTE_UNUSED,
Index: libvirt-5.0.0/src/util/vircgroup.h
Index: libvirt-5.1.0/src/util/vircgroup.h
===================================================================
--- libvirt-5.0.0.orig/src/util/vircgroup.h
+++ libvirt-5.0.0/src/util/vircgroup.h
--- libvirt-5.1.0.orig/src/util/vircgroup.h
+++ libvirt-5.1.0/src/util/vircgroup.h
@@ -284,4 +284,9 @@ int virCgroupSetOwner(virCgroupPtr cgrou
int virCgroupHasEmptyTasks(virCgroupPtr cgroup, int controller);
@ -570,10 +570,10 @@ Index: libvirt-5.0.0/src/util/vircgroup.h
+ int *maxparams);
+
#endif /* LIBVIRT_VIRCGROUP_H */
Index: libvirt-5.0.0/src/conf/Makefile.inc.am
Index: libvirt-5.1.0/src/conf/Makefile.inc.am
===================================================================
--- libvirt-5.0.0.orig/src/conf/Makefile.inc.am
+++ libvirt-5.0.0/src/conf/Makefile.inc.am
--- libvirt-5.1.0.orig/src/conf/Makefile.inc.am
+++ libvirt-5.1.0/src/conf/Makefile.inc.am
@@ -20,6 +20,8 @@ DOMAIN_CONF_SOURCES = \
conf/domain_audit.h \
conf/domain_nwfilter.c \


@ -0,0 +1,46 @@
From b1a50c10c95747dacd31a23b5c73ec4f938af329 Mon Sep 17 00:00:00 2001
From: Jim Fehlig <jfehlig@suse.com>
Date: Fri, 1 Mar 2019 14:34:17 -0700
Subject: [PATCH 1/2] apparmor: Check libvirtd profile status by name
Commit a3ab6d42 changed the libvirtd profile to a named profile,
breaking the apparmor driver's ability to detect if the profile is
active. When the apparmor driver loads it checks the status of the
libvirtd profile using the full binary path, which fails since the
profile is now referenced by name. If the apparmor driver is
explicitly requested in /etc/libvirt/qemu.conf, then libvirtd fails
to load too.
Instead of only checking the profile status by full binary path,
also check by profile name. The full path check is retained in case
users have a customized libvirtd profile with full path.
Signed-off-by: Jim Fehlig <jfehlig@suse.com>
---
src/security/security_apparmor.c | 12 +++++++++---
1 file changed, 9 insertions(+), 3 deletions(-)
Index: libvirt-5.1.0/src/security/security_apparmor.c
===================================================================
--- libvirt-5.1.0.orig/src/security/security_apparmor.c
+++ libvirt-5.1.0/src/security/security_apparmor.c
@@ -257,10 +257,16 @@ use_apparmor(void)
if (access(APPARMOR_PROFILES_PATH, R_OK) != 0)
goto cleanup;
+ /* First check profile status using full binary path. If that fails
+ * check using profile name.
+ */
rc = profile_status(libvirt_daemon, 1);
- /* Error or unconfined should all result in -1*/
- if (rc < 0)
- rc = -1;
+ if (rc < 0) {
+ rc = profile_status("libvirtd", 1);
+ /* Error or unconfined should all result in -1*/
+ if (rc < 0)
+ rc = -1;
+ }
cleanup:
VIR_FREE(libvirt_daemon);
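Review bot: The fallback lookup in use_apparmor() passes the bare literal `"libvirtd"` to profile_status(), so the name the driver checks can drift from the `profile libvirtd /usr/sbin/libvirtd` declaration in the profile file with nothing tying the two together. Because a negative result here decides whether the AppArmor driver treats the daemon as confined, I would hoist the name into a constant next to APPARMOR_PROFILES_PATH, with a comment that it must match the profile declaration, e.g. `#define LIBVIRTD_PROFILE_NAME "libvirtd"` (name is only a suggestion) and `rc = profile_status(LIBVIRTD_PROFILE_NAME, 1);`. profile_status() is not visible in this hunk; if it matches by substring rather than on a whole profile-list entry, a short name is easier to match unintentionally than the full binary path was, which is worth confirming. The body of use_apparmor() starts and ends outside the hunk.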


@ -19,10 +19,10 @@ reworking this patch and submitting it to upstream libvirt.
src/libxl/libxl_driver.c | 91 ++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 91 insertions(+)
Index: libvirt-5.0.0/src/libxl/libxl_driver.c
Index: libvirt-5.1.0/src/libxl/libxl_driver.c
===================================================================
--- libvirt-5.0.0.orig/src/libxl/libxl_driver.c
+++ libvirt-5.0.0/src/libxl/libxl_driver.c
--- libvirt-5.1.0.orig/src/libxl/libxl_driver.c
+++ libvirt-5.1.0/src/libxl/libxl_driver.c
@@ -5252,6 +5252,97 @@ libxlDomainMemoryStats(virDomainPtr dom,
#undef LIBXL_SET_MEMSTAT


@ -0,0 +1,40 @@
From 85001fd799deb33338aed627b3c3a6870cb70d2d Mon Sep 17 00:00:00 2001
From: Viktor Mihajlovski <mihajlov@linux.ibm.com>
Date: Fri, 1 Mar 2019 11:29:51 +0100
Subject: [PATCH] qemu: Fix query-cpus-fast target architecture detection
Since qemu 2.13 reports the target architecture in a property called
'target' additionally to the property 'arch', that has been used in
qemu 2.12 in the response data of 'query-cpus-fast'.
Libvirts monitor code prefers the 'target' property over 'arch'.
At least for s390(x), target is reported as 's390x' while arch is 's390'.
In a later step a comparison is performed against 's390' which fails for
qemu 2.13 and later.
In consequence the architecture specific data for s390 won't be extracted
from the returned data, leading to incorrect values being reported by
virsh domstats --vcpu.
Changing to check explicitly for 's390' and 's390x'.
Signed-off-by: Viktor Mihajlovski <mihajlov@linux.ibm.com>
Reviewed-by: Bjoern Walk <bwalk@linux.ibm.com>
Reviewed-by: Boris Fiuczynski <fiuczy@linux.ibm.com>
---
src/qemu/qemu_monitor_json.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
Index: libvirt-5.1.0/src/qemu/qemu_monitor_json.c
===================================================================
--- libvirt-5.1.0.orig/src/qemu/qemu_monitor_json.c
+++ libvirt-5.1.0/src/qemu/qemu_monitor_json.c
@@ -1772,7 +1772,7 @@ qemuMonitorJSONExtractCPUInfo(virJSONVal
goto cleanup;
/* process optional architecture-specific data */
- if (STREQ_NULLABLE(arch, "s390"))
+ if (STREQ_NULLABLE(arch, "s390") || STREQ_NULLABLE(arch, "s390x"))
qemuMonitorJSONExtractCPUS390Info(entry, cpus + i);
}
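Review bot: The widened condition in qemuMonitorJSONExtractCPUInfo() carries no comment saying why two spellings are accepted; the reason lives only in the commit message. I would extend the existing comment to something like `/* process optional architecture-specific data; the 'arch' property reports "s390" while the newer 'target' property reports "s390x" */` so the second comparison is not later dropped as redundant. The function body starts and ends outside the hunk.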


@ -9,10 +9,10 @@ them using the existing API.
src/lxc/lxc_driver.c | 138 +++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 138 insertions(+)
Index: libvirt-5.0.0/src/lxc/lxc_driver.c
Index: libvirt-5.1.0/src/lxc/lxc_driver.c
===================================================================
--- libvirt-5.0.0.orig/src/lxc/lxc_driver.c
+++ libvirt-5.0.0/src/lxc/lxc_driver.c
--- libvirt-5.1.0.orig/src/lxc/lxc_driver.c
+++ libvirt-5.1.0/src/lxc/lxc_driver.c
@@ -75,6 +75,7 @@
#include "viraccessapichecklxc.h"
#include "virhostdev.h"
@ -21,7 +21,7 @@ Index: libvirt-5.0.0/src/lxc/lxc_driver.c
#define VIR_FROM_THIS VIR_FROM_LXC
@@ -5408,6 +5409,142 @@ lxcDomainHasManagedSaveImage(virDomainPt
@@ -5396,6 +5397,142 @@ lxcDomainHasManagedSaveImage(virDomainPt
return ret;
}
@ -164,7 +164,7 @@ Index: libvirt-5.0.0/src/lxc/lxc_driver.c
/* Function Tables */
static virHypervisorDriver lxcHypervisorDriver = {
@@ -5503,6 +5640,7 @@ static virHypervisorDriver lxcHypervisor
@@ -5491,6 +5628,7 @@ static virHypervisorDriver lxcHypervisor
.nodeGetFreePages = lxcNodeGetFreePages, /* 1.2.6 */
.nodeAllocPages = lxcNodeAllocPages, /* 1.2.9 */
.domainHasManagedSaveImage = lxcDomainHasManagedSaveImage, /* 1.2.13 */


@ -1,34 +0,0 @@
commit 11c8aca938bff7f6b7fb9def732262f3ad9e91f9
Author: Jim Fehlig <jfehlig@suse.com>
Date: Thu Jan 10 15:18:36 2019 -0700
libxl: Set current memory value after successful balloon
The libxl driver does not set the new memory value in the active domain def
after a successful balloon. This results in the old memory value in
<currentMemory>. E.g.
virsh dumpxml test | grep currentMemory
<currentMemory unit='KiB'>20971520</currentMemory>
virsh setmem test 16777216 --live
virsh dumpxml test | grep currentMemory
<currentMemory unit='KiB'>20971520</currentMemory>
Set the new memory value in active domain def after a successful call to
libxl_set_memory_target().
Signed-off-by: Jim Fehlig <jfehlig@suse.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
Index: libvirt-5.0.0/src/libxl/libxl_driver.c
===================================================================
--- libvirt-5.0.0.orig/src/libxl/libxl_driver.c
+++ libvirt-5.0.0/src/libxl/libxl_driver.c
@@ -1676,6 +1676,7 @@ libxlDomainSetMemoryFlags(virDomainPtr d
" with libxenlight"), vm->def->id);
goto endjob;
}
+ vm->def->mem.cur_balloon = newmem;
}
if (flags & VIR_DOMAIN_MEM_CONFIG) {


@ -1,103 +0,0 @@
commit 17f6a257f1ea484489277f4da38be914b246a30b
Author: Erik Skultety <eskultet@redhat.com>
Date: Thu Jan 31 15:16:50 2019 +0100
security: dac: Relabel /dev/sev in the namespace
The default permissions (0600 root:root) are of no use to the qemu
process so we need to change the owner to qemu iff running with
namespaces.
Signed-off-by: Erik Skultety <eskultet@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Index: libvirt-5.0.0/src/security/security_dac.c
===================================================================
--- libvirt-5.0.0.orig/src/security/security_dac.c
+++ libvirt-5.0.0/src/security/security_dac.c
@@ -48,6 +48,7 @@
VIR_LOG_INIT("security.security_dac");
#define SECURITY_DAC_NAME "dac"
+#define DEV_SEV "/dev/sev"
typedef struct _virSecurityDACData virSecurityDACData;
typedef virSecurityDACData *virSecurityDACDataPtr;
@@ -1690,6 +1691,16 @@ virSecurityDACRestoreMemoryLabel(virSecu
static int
+virSecurityDACRestoreSEVLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
+ virDomainDefPtr def ATTRIBUTE_UNUSED)
+{
+ /* we only label /dev/sev when running with namespaces, so we don't need to
+ * restore anything */
+ return 0;
+}
+
+
+static int
virSecurityDACRestoreAllLabel(virSecurityManagerPtr mgr,
virDomainDefPtr def,
bool migrated,
@@ -1759,6 +1770,11 @@ virSecurityDACRestoreAllLabel(virSecurit
rc = -1;
}
+ if (def->sev) {
+ if (virSecurityDACRestoreSEVLabel(mgr, def) < 0)
+ rc = -1;
+ }
+
if (def->os.loader && def->os.loader->nvram &&
virSecurityDACRestoreFileLabel(mgr, def->os.loader->nvram) < 0)
rc = -1;
@@ -1833,6 +1849,36 @@ virSecurityDACSetMemoryLabel(virSecurity
static int
+virSecurityDACSetSEVLabel(virSecurityManagerPtr mgr,
+ virDomainDefPtr def)
+{
+ virSecurityDACDataPtr priv = virSecurityManagerGetPrivateData(mgr);
+ virSecurityLabelDefPtr seclabel;
+ uid_t user;
+ gid_t group;
+
+ /* Skip chowning /dev/sev if namespaces are disabled as we'd significantly
+ * increase the chance of a DOS attack on SEV
+ */
+ if (!priv->mountNamespace)
+ return 0;
+
+ seclabel = virDomainDefGetSecurityLabelDef(def, SECURITY_DAC_NAME);
+ if (seclabel && !seclabel->relabel)
+ return 0;
+
+ if (virSecurityDACGetIds(seclabel, priv, &user, &group, NULL, NULL) < 0)
+ return -1;
+
+ if (virSecurityDACSetOwnership(mgr, NULL, DEV_SEV,
+ user, group, false) < 0)
+ return -1;
+
+ return 0;
+}
+
+
+static int
virSecurityDACSetAllLabel(virSecurityManagerPtr mgr,
virDomainDefPtr def,
const char *stdin_path ATTRIBUTE_UNUSED,
@@ -1902,6 +1948,11 @@ virSecurityDACSetAllLabel(virSecurityMan
return -1;
}
+ if (def->sev) {
+ if (virSecurityDACSetSEVLabel(mgr, def) < 0)
+ return -1;
+ }
+
if (virSecurityDACGetImageIds(secdef, priv, &user, &group))
return -1;


@ -0,0 +1,33 @@
commit 4ec3cf9a0fc3d76058ea363a6c35df19e67e6261
Author: Jim Fehlig <jfehlig@suse.com>
Date: Fri Mar 1 15:05:36 2019 -0700
apparmor: Add ptrace and signal rules for named profile
Commit a3ab6d42 changed the libvirtd profile to a named profile
but neglected to accommodate the change in the qemu profile
ptrace and signal rules. As a result, libvirtd is unable to
signal confined qemu processes and hence unable to shutdown
or destroy VMs.
Add ptrace and signal rules that reference the libvirtd profile
by name in addition to full binary path.
Signed-off-by: Jim Fehlig <jfehlig@suse.com>
Acked-by: Jamie Strandboge <jamie@canonical.com>
Index: libvirt-5.1.0/src/security/apparmor/libvirt-qemu
===================================================================
--- libvirt-5.1.0.orig/src/security/apparmor/libvirt-qemu
+++ libvirt-5.1.0/src/security/apparmor/libvirt-qemu
@@ -16,8 +16,10 @@
network inet stream,
network inet6 stream,
+ ptrace (readby, tracedby) peer=libvirtd,
ptrace (readby, tracedby) peer=/usr/sbin/libvirtd,
+ signal (receive) peer=libvirtd,
signal (receive) peer=/usr/sbin/libvirtd,
/dev/net/tun rw,
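Review bot: The added rules `ptrace (readby, tracedby) peer=libvirtd,` and `signal (receive) peer=libvirtd,` sit beside their path-based twins with no comment explaining why both forms are kept, so a later cleanup could remove one and break shutdown/destroy again. I would add a line above each pair such as `# libvirtd may run under a named profile (libvirtd) or a path-based one (/usr/sbin/libvirtd); keep both peers`. Like the existing path-based rule, the new `signal (receive)` rule has no `set=` restriction and therefore accepts every signal from that peer; if the set of signals libvirtd actually sends to qemu is known, narrowing it would tighten the profile, though that goes beyond what this change set out to fix.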


@ -1,25 +0,0 @@
commit 620d9dd598fde388f56ac37bcd3b31168c2f9fc6
Author: Peter Krempa <pkrempa@redhat.com>
Date: Mon Feb 4 16:24:15 2019 +0100
qemu: caps: Don't try to ask for CAP_DAC_OVERRIDE if non-root
It will not work. This breaks qemu capabilities probing as a user.
Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Erik Skultety <eskultet@redhat.com>
Index: libvirt-5.0.0/src/qemu/qemu_capabilities.c
===================================================================
--- libvirt-5.0.0.orig/src/qemu/qemu_capabilities.c
+++ libvirt-5.0.0/src/qemu/qemu_capabilities.c
@@ -4529,7 +4529,8 @@ virQEMUCapsInitQMPCommandRun(virQEMUCaps
#if WITH_CAPNG
/* QEMU might run into permission issues, e.g. /dev/sev (0600), override
* them just for the purpose of probing */
- virCommandAllowCap(cmd->cmd, CAP_DAC_OVERRIDE);
+ if (geteuid() == 0)
+ virCommandAllowCap(cmd->cmd, CAP_DAC_OVERRIDE);
#endif
virCommandSetGID(cmd->cmd, cmd->runGid);


@ -1,60 +0,0 @@
commit 6fd4c8f8785a063112c8161a3a3f5ad3cb6647ea
Author: Erik Skultety <eskultet@redhat.com>
Date: Tue Jan 22 13:46:16 2019 +0100
qemu: domain: Add /dev/sev into the domain mount namespace selectively
Instead of exposing /dev/sev to every domain, do it selectively.
Signed-off-by: Erik Skultety <eskultet@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Index: libvirt-5.0.0/src/qemu/qemu_domain.c
===================================================================
--- libvirt-5.0.0.orig/src/qemu/qemu_domain.c
+++ libvirt-5.0.0/src/qemu/qemu_domain.c
@@ -116,6 +116,7 @@ VIR_ENUM_IMPL(qemuDomainNamespace, QEMU_
#define DEVPREFIX "/dev/"
#define DEV_VFIO "/dev/vfio/vfio"
#define DEVICE_MAPPER_CONTROL_PATH "/dev/mapper/control"
+#define DEV_SEV "/dev/sev"
struct _qemuDomainLogContext {
@@ -12018,6 +12019,26 @@ qemuDomainSetupLoader(virQEMUDriverConfi
}
+static int
+qemuDomainSetupLaunchSecurity(virQEMUDriverConfigPtr cfg ATTRIBUTE_UNUSED,
+ virDomainObjPtr vm,
+ const struct qemuDomainCreateDeviceData *data)
+{
+ virDomainSEVDefPtr sev = vm->def->sev;
+
+ if (!sev || sev->sectype != VIR_DOMAIN_LAUNCH_SECURITY_SEV)
+ return 0;
+
+ VIR_DEBUG("Setting up launch security");
+
+ if (qemuDomainCreateDevice(DEV_SEV, data, false) < 0)
+ return -1;
+
+ VIR_DEBUG("Set up launch security");
+ return 0;
+}
+
+
int
qemuDomainBuildNamespace(virQEMUDriverConfigPtr cfg,
virSecurityManagerPtr mgr,
@@ -12089,6 +12110,9 @@ qemuDomainBuildNamespace(virQEMUDriverCo
if (qemuDomainSetupLoader(cfg, vm, &data) < 0)
goto cleanup;
+ if (qemuDomainSetupLaunchSecurity(cfg, vm, &data) < 0)
+ goto cleanup;
+
/* Save some mount points because we want to share them with the host */
for (i = 0; i < ndevMountsPath; i++) {
struct stat sb;


@ -1,38 +0,0 @@
commit 70c2933da24dc4b004118afe2f9acaeabc42c0ad
Author: Jim Fehlig <jfehlig@suse.com>
Date: Fri Jan 11 17:26:03 2019 -0700
apparmor: Add support for named profiles
Upstream apparmor is switching to named profiles. In short,
/usr/sbin/dnsmasq {
becomes
profile dnsmasq /usr/sbin/dnsmasq {
Consequently, any profiles that reference profiles in a peer= condition
need to be updated if the referenced profile switches to a named profile.
Apparmor commit 9ab45d81 switched dnsmasq to a named profile. ATM it is
the only named profile switch that has affected libvirt. Add rules to the
libvirtd profile to reference dnsmasq in peer= conditions by profile name.
Signed-off-by: Jim Fehlig <jfehlig@suse.com>
Index: libvirt-5.0.0/src/security/apparmor/usr.sbin.libvirtd
===================================================================
--- libvirt-5.0.0.orig/src/security/apparmor/usr.sbin.libvirtd
+++ libvirt-5.0.0/src/security/apparmor/usr.sbin.libvirtd
@@ -52,9 +52,11 @@
ptrace (read,trace) peer=unconfined,
ptrace (read,trace) peer=/usr/sbin/libvirtd,
+ ptrace (read,trace) peer=dnsmasq,
ptrace (read,trace) peer=/usr/sbin/dnsmasq,
ptrace (read,trace) peer=libvirt-*,
+ signal (send) peer=dnsmasq,
signal (send) peer=/usr/sbin/dnsmasq,
signal (read, send) peer=libvirt-*,
signal (send) set=("kill", "term") peer=unconfined,


@ -1,112 +0,0 @@
commit a2d3dea9d41dba313d9566120a8ec9d358567bd0
Author: Erik Skultety <eskultet@redhat.com>
Date: Thu Jan 24 10:33:01 2019 +0100
qemu: caps: Use CAP_DAC_OVERRIDE for probing to avoid permission issues
This is mainly about /dev/sev and its default permissions 0600. Of
course, rule of 'tinfoil' would be that we can't trust anything, but the
probing code in QEMU is considered safe from security's perspective + we
can't create an udev rule for this at the moment, because ioctls and
file system permissions aren't cross-checked in kernel and therefore a
user with read permissions could issue a 'privileged' operation on SEV
which is currently only limited to root.
https://bugzilla.redhat.com/show_bug.cgi?id=1665400
Signed-off-by: Erik Skultety <eskultet@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Index: libvirt-5.0.0/src/qemu/qemu_capabilities.c
===================================================================
--- libvirt-5.0.0.orig/src/qemu/qemu_capabilities.c
+++ libvirt-5.0.0/src/qemu/qemu_capabilities.c
@@ -53,6 +53,10 @@
#include <stdarg.h>
#include <sys/utsname.h>
+#if WITH_CAPNG
+# include <cap-ng.h>
+#endif
+
#define VIR_FROM_THIS VIR_FROM_QEMU
VIR_LOG_INIT("qemu.qemu_capabilities");
@@ -4521,6 +4525,13 @@ virQEMUCapsInitQMPCommandRun(virQEMUCaps
NULL);
virCommandAddEnvPassCommon(cmd->cmd);
virCommandClearCaps(cmd->cmd);
+
+#if WITH_CAPNG
+ /* QEMU might run into permission issues, e.g. /dev/sev (0600), override
+ * them just for the purpose of probing */
+ virCommandAllowCap(cmd->cmd, CAP_DAC_OVERRIDE);
+#endif
+
virCommandSetGID(cmd->cmd, cmd->runGid);
virCommandSetUID(cmd->cmd, cmd->runUid);
Index: libvirt-5.0.0/src/util/virutil.c
===================================================================
--- libvirt-5.0.0.orig/src/util/virutil.c
+++ libvirt-5.0.0/src/util/virutil.c
@@ -1502,8 +1502,10 @@ virSetUIDGIDWithCaps(uid_t uid, gid_t gi
{
size_t i;
int capng_ret, ret = -1;
- bool need_setgid = false, need_setuid = false;
+ bool need_setgid = false;
+ bool need_setuid = false;
bool need_setpcap = false;
+ const char *capstr = NULL;
/* First drop all caps (unless the requested uid is "unchanged" or
* root and clearExistingCaps wasn't requested), then add back
@@ -1512,14 +1514,18 @@ virSetUIDGIDWithCaps(uid_t uid, gid_t gi
*/
if (clearExistingCaps || (uid != (uid_t)-1 && uid != 0))
- capng_clear(CAPNG_SELECT_BOTH);
+ capng_clear(CAPNG_SELECT_BOTH);
for (i = 0; i <= CAP_LAST_CAP; i++) {
+ capstr = capng_capability_to_name(i);
+
if (capBits & (1ULL << i)) {
capng_update(CAPNG_ADD,
CAPNG_EFFECTIVE|CAPNG_INHERITABLE|
CAPNG_PERMITTED|CAPNG_BOUNDING_SET,
i);
+
+ VIR_DEBUG("Added '%s' to child capabilities' set", capstr);
}
}
@@ -1579,6 +1585,27 @@ virSetUIDGIDWithCaps(uid_t uid, gid_t gi
goto cleanup;
}
+# ifdef PR_CAP_AMBIENT
+ /* we couldn't do this in the loop earlier above, because the capabilities
+ * were not applied yet, since in order to add a capability into the AMBIENT
+ * set, it has to be present in both the PERMITTED and INHERITABLE sets
+ * (capabilities(7))
+ */
+ for (i = 0; i <= CAP_LAST_CAP; i++) {
+ capstr = capng_capability_to_name(i);
+
+ if (capBits & (1ULL << i)) {
+ if (prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, i, 0, 0) < 0) {
+ virReportSystemError(errno,
+ _("prctl failed to enable '%s' in the "
+ "AMBIENT set"),
+ capstr);
+ goto cleanup;
+ }
+ }
+ }
+# endif
+
/* Set bounding set while we have CAP_SETPCAP. Unfortunately we cannot
* do this if we failed to get the capability above, so ignore the
* return value.


@ -1,38 +0,0 @@
commit a3ab6d42d825499af44b8f19f9299e150d9687bc
Author: Jim Fehlig <jfehlig@suse.com>
Date: Fri Jan 11 17:59:59 2019 -0700
apparmor: convert libvirtd profile to a named profile
Signed-off-by: Jim Fehlig <jfehlig@suse.com>
Index: libvirt-5.0.0/src/security/apparmor/usr.sbin.libvirtd
===================================================================
--- libvirt-5.0.0.orig/src/security/apparmor/usr.sbin.libvirtd
+++ libvirt-5.0.0/src/security/apparmor/usr.sbin.libvirtd
@@ -2,7 +2,7 @@
#include <tunables/global>
@{LIBVIRT}="libvirt"
-/usr/sbin/libvirtd flags=(attach_disconnected) {
+profile libvirtd /usr/sbin/libvirtd flags=(attach_disconnected) {
#include <abstractions/base>
#include <abstractions/dbus>
@@ -51,7 +51,7 @@
unix (send, receive) type=stream addr=none peer=(label=unconfined addr=none),
ptrace (read,trace) peer=unconfined,
- ptrace (read,trace) peer=/usr/sbin/libvirtd,
+ ptrace (read,trace) peer=@{profile_name},
ptrace (read,trace) peer=dnsmasq,
ptrace (read,trace) peer=/usr/sbin/dnsmasq,
ptrace (read,trace) peer=libvirt-*,
@@ -123,6 +123,7 @@
# For communication/control from libvirtd
unix (send, receive) type=stream addr=none peer=(label=/usr/sbin/libvirtd),
signal (receive) set=("term") peer=/usr/sbin/libvirtd,
+ signal (receive) set=("term") peer=libvirtd,
/dev/net/tun rw,
/etc/qemu/** r,


@ -1,50 +0,0 @@
commit a404ac34768e975bd420d1eeac3811563da67e3f
Author: Erik Skultety <eskultet@redhat.com>
Date: Mon Jan 21 14:50:11 2019 +0100
qemu: cgroup: Expose /dev/sev/ only to domains that require SEV
SEV has a limit on number of concurrent guests. From security POV we
should only expose resources (any resources for that matter) to domains
that truly need them.
Signed-off-by: Erik Skultety <eskultet@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Index: libvirt-5.0.0/src/qemu/qemu_cgroup.c
===================================================================
--- libvirt-5.0.0.orig/src/qemu/qemu_cgroup.c
+++ libvirt-5.0.0/src/qemu/qemu_cgroup.c
@@ -692,6 +692,22 @@ qemuTeardownChardevCgroup(virDomainObjPt
static int
+qemuSetupSEVCgroup(virDomainObjPtr vm)
+{
+ qemuDomainObjPrivatePtr priv = vm->privateData;
+ int ret;
+
+ if (!virCgroupHasController(priv->cgroup, VIR_CGROUP_CONTROLLER_DEVICES))
+ return 0;
+
+ ret = virCgroupAllowDevicePath(priv->cgroup, "/dev/sev",
+ VIR_CGROUP_DEVICE_RW, false);
+ virDomainAuditCgroupPath(vm, priv->cgroup, "allow", "/dev/sev",
+ "rw", ret);
+ return ret;
+}
+
+static int
qemuSetupDevicesCgroup(virDomainObjPtr vm)
{
qemuDomainObjPrivatePtr priv = vm->privateData;
@@ -798,6 +814,9 @@ qemuSetupDevicesCgroup(virDomainObjPtr v
goto cleanup;
}
+ if (vm->def->sev && qemuSetupSEVCgroup(vm) < 0)
+ goto cleanup;
+
ret = 0;
cleanup:
virObjectUnref(cfg);


@ -1,7 +1,7 @@
Index: libvirt-5.0.0/src/security/apparmor/libvirt-lxc
Index: libvirt-5.1.0/src/security/apparmor/libvirt-lxc
===================================================================
--- libvirt-5.0.0.orig/src/security/apparmor/libvirt-lxc
+++ libvirt-5.0.0/src/security/apparmor/libvirt-lxc
--- libvirt-5.1.0.orig/src/security/apparmor/libvirt-lxc
+++ libvirt-5.1.0/src/security/apparmor/libvirt-lxc
@@ -2,39 +2,15 @@
#include <abstractions/base>


@ -1,64 +0,0 @@
commit b6440119185a4e307654a8d26d6d551a2675bf82
Author: Erik Skultety <eskultet@redhat.com>
Date: Mon Jan 21 14:48:02 2019 +0100
qemu: conf: Remove /dev/sev from the default cgroup device acl list
We should not give domains access to something they don't necessarily
need by default. Remove it from the qemu driver docs too.
Signed-off-by: Erik Skultety <eskultet@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Index: libvirt-5.0.0/docs/drvqemu.html.in
===================================================================
--- libvirt-5.0.0.orig/docs/drvqemu.html.in
+++ libvirt-5.0.0/docs/drvqemu.html.in
@@ -396,8 +396,7 @@ chmod o+x /path/to/directory
/dev/null, /dev/full, /dev/zero,
/dev/random, /dev/urandom,
/dev/ptmx, /dev/kvm, /dev/kqemu,
-/dev/rtc, /dev/hpet, /dev/net/tun,
-/dev/sev
+/dev/rtc, /dev/hpet, /dev/net/tun
</pre>
<p>
Index: libvirt-5.0.0/src/qemu/qemu.conf
===================================================================
--- libvirt-5.0.0.orig/src/qemu/qemu.conf
+++ libvirt-5.0.0/src/qemu/qemu.conf
@@ -484,7 +484,7 @@
# "/dev/null", "/dev/full", "/dev/zero",
# "/dev/random", "/dev/urandom",
# "/dev/ptmx", "/dev/kvm", "/dev/kqemu",
-# "/dev/rtc","/dev/hpet", "/dev/sev"
+# "/dev/rtc","/dev/hpet"
#]
#
# RDMA migration requires the following extra files to be added to the list:
Index: libvirt-5.0.0/src/qemu/qemu_cgroup.c
===================================================================
--- libvirt-5.0.0.orig/src/qemu/qemu_cgroup.c
+++ libvirt-5.0.0/src/qemu/qemu_cgroup.c
@@ -46,7 +46,7 @@ const char *const defaultDeviceACL[] = {
"/dev/null", "/dev/full", "/dev/zero",
"/dev/random", "/dev/urandom",
"/dev/ptmx", "/dev/kvm", "/dev/kqemu",
- "/dev/rtc", "/dev/hpet", "/dev/sev",
+ "/dev/rtc", "/dev/hpet",
NULL,
};
#define DEVICE_PTY_MAJOR 136
Index: libvirt-5.0.0/src/qemu/test_libvirtd_qemu.aug.in
===================================================================
--- libvirt-5.0.0.orig/src/qemu/test_libvirtd_qemu.aug.in
+++ libvirt-5.0.0/src/qemu/test_libvirtd_qemu.aug.in
@@ -62,7 +62,6 @@ module Test_libvirtd_qemu =
{ "8" = "/dev/kqemu" }
{ "9" = "/dev/rtc" }
{ "10" = "/dev/hpet" }
- { "11" = "/dev/sev" }
}
{ "save_image_format" = "raw" }
{ "dump_image_format" = "raw" }


@ -11,11 +11,11 @@ Signed-off-by: Chunyan Liu <cyliu@suse.com>
src/qemu/qemu_driver.c | 7 +++++++
1 file changed, 7 insertions(+)
Index: libvirt-5.0.0/src/qemu/qemu_driver.c
Index: libvirt-5.1.0/src/qemu/qemu_driver.c
===================================================================
--- libvirt-5.0.0.orig/src/qemu/qemu_driver.c
+++ libvirt-5.0.0/src/qemu/qemu_driver.c
@@ -17798,6 +17798,14 @@ qemuDomainBlockCopyCommon(virDomainObjPt
--- libvirt-5.1.0.orig/src/qemu/qemu_driver.c
+++ libvirt-5.1.0/src/qemu/qemu_driver.c
@@ -17836,6 +17836,14 @@ qemuDomainBlockCopyCommon(virDomainObjPt
goto endjob;
}


@ -0,0 +1,38 @@
commit f38ef0fac0582ac0cbb749af9d3f8ba515a6084a
Author: Pavel Hrdina <phrdina@redhat.com>
Date: Thu Mar 7 17:52:55 2019 +0100
util: skip RDMA detection for non-PCI network devices
Only PCI devices have '/sys/class/net/<ifname>/device/resource' so we
need to skip this check for all other network devices.
Without this patch and RDMA enabled libvirt will not detect any network
device that doesn't have the path above which includes 'lo', 'virbr',
'tun', etc.
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1639258
Reviewed-by: Andrea Bolognani <abologna@redhat.com>
Signed-off-by: Pavel Hrdina <phrdina@redhat.com>
Index: libvirt-5.1.0/src/util/virnetdev.c
===================================================================
--- libvirt-5.1.0.orig/src/util/virnetdev.c
+++ libvirt-5.1.0/src/util/virnetdev.c
@@ -2914,8 +2914,14 @@ virNetDevRDMAFeature(const char *ifname,
if (virAsprintf(&eth_devpath, SYSFS_NET_DIR "%s/device/resource", ifname) < 0)
goto cleanup;
- if (!virFileExists(eth_devpath))
+
+ /* If /sys/class/net/<ifname>/device/resource doesn't exist it is not a PCI
+ * device and therefore it will not have RDMA. */
+ if (!virFileExists(eth_devpath)) {
+ ret = 0;
goto cleanup;
+ }
+
if (virFileReadAll(eth_devpath, RESOURCE_FILE_LEN, &eth_res_buf) < 0)
goto cleanup;
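Review bot: In the virNetDevRDMAFeature hunk, the `virFileExists(eth_devpath)` guard and the `virFileReadAll()` after it look at the same sysfs path at two different moments. An interface that is removed in between therefore still leaves through `goto cleanup` on the read failure, not through the new `ret = 0` branch. The function starts and ends outside this hunk, so the initial value of `ret` is not visible; presumably it is an error value, in which case one vanished device would again fail detection. Consider treating a file that is gone by the time of the read the same as the not-a-PCI-device case, and say so in the comment, e.g. `/* A missing resource file, here or at the read below, means no RDMA. */`.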


@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:afa81dbbc90b5209575930a820a222ff371e5ece5c1d8ec8f46b53c52b73b2e7
size 14832576


@ -1,10 +0,0 @@
-----BEGIN PGP SIGNATURE-----
iQEcBAABAgAGBQJcPjX/AAoJEBVYiyZZa+pdu0MH/3FuXogeJV1NbW+DPKxVnmxS
2GDQou2auTZ8SRjCUfR+jLMyYRwrdf2m8+9n1HEeiT8iILwzj/9MjeJFD7+8Czye
LxDJaDhaDc/pXeVVx94DVb6KrxS660PYHNbZH3fUMWzOD1oPVvpVwmNCiOO8BXHH
laY7fDvH3C2Um3s4vDpMuRKXtvCW+dJuwLPn2OJgfUCmD9fLfvN889PS5NP3Rr5i
b/YNYzyfn7Zg0vIe5t/a6uoPp7qeICWG40X+TMiIOz9EjFvQfwQqBNtxoHjZH2Kb
fY/KCX6lAWftFxxw+hqnSArwcDs5t6Uuqk96gGs0K6xXqnJVFHGKR9N1ps1KIaA=
=MwoM
-----END PGP SIGNATURE-----

3
libvirt-5.1.0.tar.xz Normal file

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:26f97a53d3172f07f8b63884d845ed71307c4675dc4e1b281c59d253e1e323ab
size 14893608

10
libvirt-5.1.0.tar.xz.asc Normal file

@ -0,0 +1,10 @@
-----BEGIN PGP SIGNATURE-----
iQEcBAABAgAGBQJcfPYaAAoJEBVYiyZZa+pdr5QH/iyjpJYjAebt3UM8JO6b83gu
ybcvvYyQEWQGK7afPYXdhOhgCA99Wn7oJc/+IcUufFVhzOrcJyLRgb+M7FRgtOrt
BiUswGkYFOUIwBUDnT6Ynxtdl6ESAJJGhzXPFpUShyhxrHPh0Jr77sRJfgz93U/9
t1IZ133EVm+Eynqejb5BDponPc28/1CsI37UL7ogCCFKNN0QTGBjkkXfGlD3FAtk
zVYdl88e4MTW73d7EmK3I/zum0Wojp8HTD+RH69TjHt3ozoSFYvQHwlKxafNC6Mo
1hR7QbpSAO2cA27waINUbtRHnEabiNgv9MlrJ54kDiFoUlJWeH7frzR6uNIRHjc=
=13hI
-----END PGP SIGNATURE-----


@ -2,10 +2,10 @@ Add POWER8 v2.0 and v2.1 to cpu map XML
From: <ro@suse.de>
Index: libvirt-5.0.0/src/cpu_map/ppc64_POWER8.xml
Index: libvirt-5.1.0/src/cpu_map/ppc64_POWER8.xml
===================================================================
--- libvirt-5.0.0.orig/src/cpu_map/ppc64_POWER8.xml
+++ libvirt-5.0.0/src/cpu_map/ppc64_POWER8.xml
--- libvirt-5.1.0.orig/src/cpu_map/ppc64_POWER8.xml
+++ libvirt-5.1.0/src/cpu_map/ppc64_POWER8.xml
@@ -4,5 +4,7 @@
<pvr value='0x004b0000' mask='0xffff0000'/>
<pvr value='0x004c0000' mask='0xffff0000'/>


@ -1,8 +1,8 @@
Index: libvirt-5.0.0/configure.ac
Index: libvirt-5.1.0/configure.ac
===================================================================
--- libvirt-5.0.0.orig/configure.ac
+++ libvirt-5.0.0/configure.ac
@@ -255,6 +255,7 @@ LIBVIRT_ARG_LIBSSH
--- libvirt-5.1.0.orig/configure.ac
+++ libvirt-5.1.0/configure.ac
@@ -256,6 +256,7 @@ LIBVIRT_ARG_LIBSSH
LIBVIRT_ARG_LIBXML
LIBVIRT_ARG_MACVTAP
LIBVIRT_ARG_NETCF
@ -10,7 +10,7 @@ Index: libvirt-5.0.0/configure.ac
LIBVIRT_ARG_NLS
LIBVIRT_ARG_NSS
LIBVIRT_ARG_NUMACTL
@@ -298,6 +299,7 @@ LIBVIRT_CHECK_LIBSSH
@@ -300,6 +301,7 @@ LIBVIRT_CHECK_LIBSSH
LIBVIRT_CHECK_LIBXML
LIBVIRT_CHECK_MACVTAP
LIBVIRT_CHECK_NETCF
@ -18,7 +18,7 @@ Index: libvirt-5.0.0/configure.ac
LIBVIRT_CHECK_NLS
LIBVIRT_CHECK_NUMACTL
LIBVIRT_CHECK_NWFILTER
@@ -1012,6 +1014,7 @@ LIBVIRT_RESULT_LIBXL
@@ -1015,6 +1017,7 @@ LIBVIRT_RESULT_LIBXL
LIBVIRT_RESULT_LIBXML
LIBVIRT_RESULT_MACVTAP
LIBVIRT_RESULT_NETCF
@ -26,10 +26,10 @@ Index: libvirt-5.0.0/configure.ac
LIBVIRT_RESULT_NLS
LIBVIRT_RESULT_NSS
LIBVIRT_RESULT_NUMACTL
Index: libvirt-5.0.0/tools/virsh.c
Index: libvirt-5.1.0/tools/virsh.c
===================================================================
--- libvirt-5.0.0.orig/tools/virsh.c
+++ libvirt-5.0.0/tools/virsh.c
--- libvirt-5.1.0.orig/tools/virsh.c
+++ libvirt-5.1.0/tools/virsh.c
@@ -563,6 +563,8 @@ virshShowVersion(vshControl *ctl ATTRIBU
vshPrint(ctl, " Interface");
# if defined(WITH_NETCF)
@ -39,10 +39,10 @@ Index: libvirt-5.0.0/tools/virsh.c
# elif defined(WITH_UDEV)
vshPrint(ctl, " udev");
# endif
Index: libvirt-5.0.0/src/interface/interface_backend_netcf.c
Index: libvirt-5.1.0/src/interface/interface_backend_netcf.c
===================================================================
--- libvirt-5.0.0.orig/src/interface/interface_backend_netcf.c
+++ libvirt-5.0.0/src/interface/interface_backend_netcf.c
--- libvirt-5.1.0.orig/src/interface/interface_backend_netcf.c
+++ libvirt-5.1.0/src/interface/interface_backend_netcf.c
@@ -21,7 +21,12 @@
#include <config.h>
@ -126,10 +126,10 @@ Index: libvirt-5.0.0/src/interface/interface_backend_netcf.c
if (virRegisterConnectDriver(&interfaceConnectDriver, false) < 0)
return -1;
if (virSetSharedInterfaceDriver(&interfaceDriver) < 0)
Index: libvirt-5.0.0/src/interface/interface_driver.c
Index: libvirt-5.1.0/src/interface/interface_driver.c
===================================================================
--- libvirt-5.0.0.orig/src/interface/interface_driver.c
+++ libvirt-5.0.0/src/interface/interface_driver.c
--- libvirt-5.1.0.orig/src/interface/interface_driver.c
+++ libvirt-5.1.0/src/interface/interface_driver.c
@@ -30,8 +30,15 @@ interfaceRegister(void)
if (netcfIfaceRegister() == 0)
return 0;
@ -147,10 +147,10 @@ Index: libvirt-5.0.0/src/interface/interface_driver.c
if (udevIfaceRegister() == 0)
return 0;
#endif /* WITH_UDEV */
Index: libvirt-5.0.0/m4/virt-netcontrol.m4
Index: libvirt-5.1.0/m4/virt-netcontrol.m4
===================================================================
--- /dev/null
+++ libvirt-5.0.0/m4/virt-netcontrol.m4
+++ libvirt-5.1.0/m4/virt-netcontrol.m4
@@ -0,0 +1,39 @@
+dnl The libnetcontrol library
+dnl
@ -191,10 +191,10 @@ Index: libvirt-5.0.0/m4/virt-netcontrol.m4
+AC_DEFUN([LIBVIRT_RESULT_NETCONTROL],[
+ LIBVIRT_RESULT_LIB([NETCONTROL])
+])
Index: libvirt-5.0.0/src/interface/Makefile.inc.am
Index: libvirt-5.1.0/src/interface/Makefile.inc.am
===================================================================
--- libvirt-5.0.0.orig/src/interface/Makefile.inc.am
+++ libvirt-5.0.0/src/interface/Makefile.inc.am
--- libvirt-5.1.0.orig/src/interface/Makefile.inc.am
+++ libvirt-5.1.0/src/interface/Makefile.inc.am
@@ -4,6 +4,7 @@ INTERFACE_DRIVER_SOURCES = \
$(NULL)


@ -1,3 +1,44 @@
-------------------------------------------------------------------
Mon Mar 11 22:50:43 UTC 2019 - James Fehlig <jfehlig@suse.com>
- util: skip RDMA detection for non-PCI network devices
f38ef0fa-no-RDMA-check.patch
bsc#1112182
-------------------------------------------------------------------
Wed Mar 6 20:34:53 UTC 2019 - James Fehlig <jfehlig@suse.com>
- qemu: s390: show correct CPU status after guest crash
0001-qemu-Fix-query-cpus-fast-target-architecture-detecti.patch
bsc#1127841
-------------------------------------------------------------------
Wed Mar 6 17:11:49 UTC 2019 - James Fehlig <jfehlig@suse.com>
- apparmor: fix more fallout from changing libvirtd profile to a
named profile
4ec3cf9a-apparmor-rules.patch,
0001-apparmor-Check-libvirtd-profile-status-by-name.patch
boo#1125841
-------------------------------------------------------------------
Mon Mar 4 18:52:57 UTC 2019 - James Fehlig <jfehlig@suse.com>
- Update to libvirt 5.1.0
- Many incremental improvements and bug fixes, see
http://libvirt.org/news.html
- Dropped patches:
11c8aca9-libxl-set-mem-after-balloon.patch,
70c2933d-apparmor-named-profiles.patch,
a3ab6d42-apparmor-conv-libvirtd-named-profile.patch,
b6440119-qemu-conf-sev.patch,
a404ac34-qemu-cgroup-sev.patch,
6fd4c8f8-qemu-domain-sev.patch,
17f6a257-security-dac-sev.patch,
a2d3dea9-qemu-caps-dac-override-sev.patch,
620d9dd5-qemu-no-dac-override-nonroot.patch
- jsc#SLE-3887, jsc#SLE-4480, jsc#SLE-4577
-------------------------------------------------------------------
Wed Feb 27 19:01:22 UTC 2019 - jfehlig@suse.com


@ -12,7 +12,7 @@
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.
# Please submit bugfixes or comments via http://bugs.opensuse.org/
# Please submit bugfixes or comments via https://bugs.opensuse.org/
#
@ -51,6 +51,7 @@
%define with_numactl 0%{!?_without_numactl:0}
%define with_numad 0%{!?_without_numad:0}
%define with_firewalld 0%{!?_without_firewalld:0}
%define with_firewalld_zone 0%{!?_without_firewalld_zone:0}
%define with_libssh 0%{!?_without_libssh:0}
%define with_bash_completion 0%{!?_without_bash_completion:0}
@ -177,12 +178,12 @@
%endif
%if %{with_wireshark}
%define wireshark_plugindir %(pkg-config --variable plugindir wireshark)
%define wireshark_plugindir %(pkg-config --variable plugindir wireshark)/epan
%endif
Name: libvirt
Url: http://libvirt.org/
Version: 5.0.0
Version: 5.1.0
Release: 0
Summary: Library providing a virtualization API
License: LGPL-2.1-or-later
@ -313,7 +314,7 @@ BuildRequires: systemtap-sdt-devel
BuildRequires: numad
%endif
%if %{with_wireshark}
BuildRequires: wireshark-devel >= 2.1.0
BuildRequires: wireshark-devel >= 2.4.0
%endif
%if %{with_libssh}
BuildRequires: libssh-devel >= 0.7.0
@ -332,18 +333,13 @@ Source6: libvirtd-relocation-server.xml
Source99: baselibs.conf
Source100: %{name}-rpmlintrc
# Upstream patches
Patch0: 11c8aca9-libxl-set-mem-after-balloon.patch
Patch1: 70c2933d-apparmor-named-profiles.patch
Patch2: a3ab6d42-apparmor-conv-libvirtd-named-profile.patch
Patch3: b6440119-qemu-conf-sev.patch
Patch4: a404ac34-qemu-cgroup-sev.patch
Patch5: 6fd4c8f8-qemu-domain-sev.patch
Patch6: 17f6a257-security-dac-sev.patch
Patch7: a2d3dea9-qemu-caps-dac-override-sev.patch
Patch8: 620d9dd5-qemu-no-dac-override-nonroot.patch
Patch0: 4ec3cf9a-apparmor-rules.patch
Patch1: f38ef0fa-no-RDMA-check.patch
# Patches pending upstream review
Patch100: libxl-dom-reset.patch
Patch101: network-don-t-use-dhcp-authoritative-on-static-netwo.patch
Patch102: 0001-apparmor-Check-libvirtd-profile-status-by-name.patch
Patch103: 0001-qemu-Fix-query-cpus-fast-target-architecture-detecti.patch
# Need to go upstream
Patch150: xen-pv-cdrom.patch
Patch151: blockcopy-check-dst-identical-device.patch
@ -859,7 +855,7 @@ Includes the Sanlock lock manager plugin for the QEMU driver
Summary: Wireshark plugin for libvirt RPC protocol
Group: Productivity/Networking/Diagnostic
Requires: %{name}-libs = %{version}-%{release}
Requires: wireshark
Requires: wireshark >= 2.4.0
%description -n wireshark-plugin-libvirt
Wireshark dissector plugin for better analysis of libvirt RPC traffic.
@ -876,15 +872,10 @@ libvirt plugin for NSS for translating domain names into IP addresses.
%setup -q
%patch0 -p1
%patch1 -p1
%patch2 -p1
%patch3 -p1
%patch4 -p1
%patch5 -p1
%patch6 -p1
%patch7 -p1
%patch8 -p1
%patch100 -p1
%patch101 -p1
%patch102 -p1
%patch103 -p1
%patch150 -p1
%patch151 -p1
%patch152 -p1
@ -1006,6 +997,11 @@ libvirt plugin for NSS for translating domain names into IP addresses.
%else
%define arg_firewalld --without-firewalld
%endif
%if %{with_firewalld_zone}
%define arg_firewalld_zone --with-firewalld-zone
%else
%define arg_firewalld_zone --without-firewalld-zone
%endif
%if %{with_wireshark}
%define arg_wireshark --with-wireshark-dissector
%else
@ -1082,6 +1078,7 @@ export PYTHON=%{_bindir}/python3
--with-dtrace \
--with-driver-modules \
%{?arg_firewalld} \
%{?arg_firewalld_zone} \
%{?arg_wireshark} \
--with-nss-plugin \
--libexecdir=%{_libdir}/%{name} \
@ -1287,6 +1284,14 @@ if test "$YAST_IS_RUNNING" != "instsys" -a "$DISABLE_RESTART_ON_UPDATE" != yes ;
done
fi
%if %{with_firewalld_zone}
%post daemon-driver-network
%firewalld_reload
%postun daemon-driver-network
%firewalld_reload
%endif
%post daemon-config-network
# Install the default network if one doesn't exist
if test $1 -eq 1 && test ! -f %{_sysconfdir}/%{name}/qemu/networks/default.xml ; then
@ -1433,6 +1438,9 @@ fi
%attr(0755, root, root) %{_libdir}/%{name}/libvirt_leaseshelper
%dir %{_libdir}/%{name}/connection-driver
%{_libdir}/%{name}/connection-driver/libvirt_driver_network.so
%if %{with_firewalld_zone}
%{_prefix}/lib/firewalld/zones/libvirt.xml
%endif
%files daemon-driver-nodedev
%dir %{_libdir}/%{name}/connection-driver
@ -1697,6 +1705,7 @@ fi
%if %{with_wireshark}
%files -n wireshark-plugin-libvirt
%dir %{wireshark_plugindir}/
%{wireshark_plugindir}/libvirt.so
%endif
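Review bot: The new `%post daemon-driver-network` and `%postun daemon-driver-network` scriptlets consist only of `%firewalld_reload`, and none of the visible hunks adds a build dependency that defines that macro. If it is undefined at build time, rpm leaves the literal text in the scriptlet and the scriptlet fails when the package is installed or removed. Unless the spec already has it outside these hunks, add `BuildRequires: firewall-macros` under the same `%if %{with_firewalld_zone}` guard. A short comment above the scriptlets would also help, e.g. `# reload firewalld so the libvirt zone shipped in this package is picked up`.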


@ -8,10 +8,10 @@ Date: Mon Jun 23 15:51:20 2014 -0600
option, but domainReset can be implemented in the libxl driver by
forcibly destroying the domain and starting it again.
Index: libvirt-5.0.0/src/libxl/libxl_driver.c
Index: libvirt-5.1.0/src/libxl/libxl_driver.c
===================================================================
--- libvirt-5.0.0.orig/src/libxl/libxl_driver.c
+++ libvirt-5.0.0/src/libxl/libxl_driver.c
--- libvirt-5.1.0.orig/src/libxl/libxl_driver.c
+++ libvirt-5.1.0/src/libxl/libxl_driver.c
@@ -1350,6 +1350,61 @@ libxlDomainReboot(virDomainPtr dom, unsi
}


@ -3,10 +3,10 @@ https://bugzilla.novell.com/show_bug.cgi?id=879425
src/libxl/libxl_conf.c | 25 +++++++++++++++++++++++++
1 file changed, 25 insertions(+)
Index: libvirt-5.0.0/src/libxl/libxl_conf.c
Index: libvirt-5.1.0/src/libxl/libxl_conf.c
===================================================================
--- libvirt-5.0.0.orig/src/libxl/libxl_conf.c
+++ libvirt-5.0.0/src/libxl/libxl_conf.c
--- libvirt-5.1.0.orig/src/libxl/libxl_conf.c
+++ libvirt-5.1.0/src/libxl/libxl_conf.c
@@ -884,6 +884,30 @@ libxlDiskSetDiscard(libxl_device_disk *x
#endif
}


@ -16,11 +16,11 @@ Signed-off-by: Jim Fehlig <jfehlig@suse.com>
tools/virsh.pod | 8 ++++++++
6 files changed, 125 insertions(+), 6 deletions(-)
Index: libvirt-5.0.0/include/libvirt/libvirt-domain.h
Index: libvirt-5.1.0/include/libvirt/libvirt-domain.h
===================================================================
--- libvirt-5.0.0.orig/include/libvirt/libvirt-domain.h
+++ libvirt-5.0.0/include/libvirt/libvirt-domain.h
@@ -1016,6 +1016,31 @@ typedef enum {
--- libvirt-5.1.0.orig/include/libvirt/libvirt-domain.h
+++ libvirt-5.1.0/include/libvirt/libvirt-domain.h
@@ -1025,6 +1025,31 @@ typedef enum {
*/
# define VIR_MIGRATE_PARAM_AUTO_CONVERGE_INCREMENT "auto_converge.increment"
@ -52,10 +52,10 @@ Index: libvirt-5.0.0/include/libvirt/libvirt-domain.h
/* Domain migration. */
virDomainPtr virDomainMigrate (virDomainPtr domain, virConnectPtr dconn,
unsigned long flags, const char *dname,
Index: libvirt-5.0.0/src/libxl/libxl_driver.c
Index: libvirt-5.1.0/src/libxl/libxl_driver.c
===================================================================
--- libvirt-5.0.0.orig/src/libxl/libxl_driver.c
+++ libvirt-5.0.0/src/libxl/libxl_driver.c
--- libvirt-5.1.0.orig/src/libxl/libxl_driver.c
+++ libvirt-5.1.0/src/libxl/libxl_driver.c
@@ -6118,6 +6118,9 @@ libxlDomainMigratePerform3Params(virDoma
const char *dname = NULL;
const char *uri = NULL;
@ -99,10 +99,10 @@ Index: libvirt-5.0.0/src/libxl/libxl_driver.c
goto cleanup;
}
Index: libvirt-5.0.0/src/libxl/libxl_migration.c
Index: libvirt-5.1.0/src/libxl/libxl_migration.c
===================================================================
--- libvirt-5.0.0.orig/src/libxl/libxl_migration.c
+++ libvirt-5.0.0/src/libxl/libxl_migration.c
--- libvirt-5.1.0.orig/src/libxl/libxl_migration.c
+++ libvirt-5.1.0/src/libxl/libxl_migration.c
@@ -342,18 +342,39 @@ libxlMigrateDstReceive(virNetSocketPtr s
static int
libxlDoMigrateSrcSend(libxlDriverPrivatePtr driver,
@ -264,10 +264,10 @@ Index: libvirt-5.0.0/src/libxl/libxl_migration.c
virObjectLock(vm);
if (ret < 0) {
Index: libvirt-5.0.0/src/libxl/libxl_migration.h
Index: libvirt-5.1.0/src/libxl/libxl_migration.h
===================================================================
--- libvirt-5.0.0.orig/src/libxl/libxl_migration.h
+++ libvirt-5.0.0/src/libxl/libxl_migration.h
--- libvirt-5.1.0.orig/src/libxl/libxl_migration.h
+++ libvirt-5.1.0/src/libxl/libxl_migration.h
@@ -36,6 +36,10 @@
VIR_MIGRATE_PARAM_URI, VIR_TYPED_PARAM_STRING, \
VIR_MIGRATE_PARAM_DEST_NAME, VIR_TYPED_PARAM_STRING, \
@ -312,13 +312,13 @@ Index: libvirt-5.0.0/src/libxl/libxl_migration.h
virDomainPtr
libxlDomainMigrationDstFinish(virConnectPtr dconn,
Index: libvirt-5.0.0/tools/virsh-domain.c
Index: libvirt-5.1.0/tools/virsh-domain.c
===================================================================
--- libvirt-5.0.0.orig/tools/virsh-domain.c
+++ libvirt-5.0.0/tools/virsh-domain.c
@@ -10558,6 +10558,22 @@ static const vshCmdOptDef opts_migrate[]
.type = VSH_OT_BOOL,
.help = N_("use TLS for migration")
--- libvirt-5.1.0.orig/tools/virsh-domain.c
+++ libvirt-5.1.0/tools/virsh-domain.c
@@ -10562,6 +10562,22 @@ static const vshCmdOptDef opts_migrate[]
.type = VSH_OT_INT,
.help = N_("post-copy migration bandwidth limit in MiB/s")
},
+ {.name = "max_iters",
+ .type = VSH_OT_INT,
@ -339,7 +339,7 @@ Index: libvirt-5.0.0/tools/virsh-domain.c
{.name = NULL}
};
@@ -10581,6 +10597,7 @@ doMigrate(void *opaque)
@@ -10585,6 +10601,7 @@ doMigrate(void *opaque)
unsigned long long ullOpt = 0;
int rv;
virConnectPtr dconn = data->dconn;
@ -347,7 +347,7 @@ Index: libvirt-5.0.0/tools/virsh-domain.c
sigemptyset(&sigmask);
sigaddset(&sigmask, SIGINT);
@@ -10700,6 +10717,27 @@ doMigrate(void *opaque)
@@ -10704,6 +10721,27 @@ doMigrate(void *opaque)
goto save_error;
}
@ -375,11 +375,11 @@ Index: libvirt-5.0.0/tools/virsh-domain.c
if (vshCommandOptStringReq(ctl, cmd, "xml", &opt) < 0)
goto out;
if (opt) {
Index: libvirt-5.0.0/tools/virsh.pod
Index: libvirt-5.1.0/tools/virsh.pod
===================================================================
--- libvirt-5.0.0.orig/tools/virsh.pod
+++ libvirt-5.0.0/tools/virsh.pod
@@ -1994,6 +1994,14 @@ Providing I<--tls> causes the migration
--- libvirt-5.1.0.orig/tools/virsh.pod
+++ libvirt-5.1.0/tools/virsh.pod
@@ -1998,6 +1998,14 @@ Providing I<--tls> causes the migration
the migration of the domain. Usage requires proper TLS setup for both source
and target.


@ -7,10 +7,10 @@ and npiv.
For more details, see bsc#954872 and FATE#319810
Index: libvirt-5.0.0/src/libxl/libxl_conf.c
Index: libvirt-5.1.0/src/libxl/libxl_conf.c
===================================================================
--- libvirt-5.0.0.orig/src/libxl/libxl_conf.c
+++ libvirt-5.0.0/src/libxl/libxl_conf.c
--- libvirt-5.1.0.orig/src/libxl/libxl_conf.c
+++ libvirt-5.1.0/src/libxl/libxl_conf.c
@@ -884,6 +884,25 @@ libxlDiskSetDiscard(libxl_device_disk *x
#endif
}


@ -13,10 +13,10 @@ device with the same name that is being created.
src/lxc/lxc_process.c | 1 +
3 files changed, 4 insertions(+)
Index: libvirt-5.0.0/src/lxc/lxc_controller.c
Index: libvirt-5.1.0/src/lxc/lxc_controller.c
===================================================================
--- libvirt-5.0.0.orig/src/lxc/lxc_controller.c
+++ libvirt-5.0.0/src/lxc/lxc_controller.c
--- libvirt-5.1.0.orig/src/lxc/lxc_controller.c
+++ libvirt-5.1.0/src/lxc/lxc_controller.c
@@ -69,6 +69,7 @@
#include "rpc/virnetdaemon.h"
#include "virstring.h"
@ -25,7 +25,7 @@ Index: libvirt-5.0.0/src/lxc/lxc_controller.c
#define VIR_FROM_THIS VIR_FROM_LXC
@@ -2016,6 +2017,7 @@ static int virLXCControllerDeleteInterfa
@@ -2017,6 +2018,7 @@ static int virLXCControllerDeleteInterfa
if (virNetDevVethDelete(ctrl->veths[i]) < 0)
ret = -1;
}
@ -33,10 +33,10 @@ Index: libvirt-5.0.0/src/lxc/lxc_controller.c
return ret;
}
Index: libvirt-5.0.0/src/lxc/lxc_driver.c
Index: libvirt-5.1.0/src/lxc/lxc_driver.c
===================================================================
--- libvirt-5.0.0.orig/src/lxc/lxc_driver.c
+++ libvirt-5.0.0/src/lxc/lxc_driver.c
--- libvirt-5.1.0.orig/src/lxc/lxc_driver.c
+++ libvirt-5.1.0/src/lxc/lxc_driver.c
@@ -70,6 +70,7 @@
#include "virtime.h"
#include "virtypedparam.h"
@ -45,7 +45,7 @@ Index: libvirt-5.0.0/src/lxc/lxc_driver.c
#include "virstring.h"
#include "viraccessapicheck.h"
#include "viraccessapichecklxc.h"
@@ -3942,6 +3943,7 @@ lxcDomainAttachDeviceNetLive(virConnectP
@@ -3930,6 +3931,7 @@ lxcDomainAttachDeviceNetLive(virConnectP
case VIR_DOMAIN_NET_TYPE_NETWORK:
case VIR_DOMAIN_NET_TYPE_ETHERNET:
ignore_value(virNetDevVethDelete(veth));
@ -53,7 +53,7 @@ Index: libvirt-5.0.0/src/lxc/lxc_driver.c
break;
case VIR_DOMAIN_NET_TYPE_DIRECT:
@@ -4385,6 +4387,7 @@ lxcDomainDetachDeviceNetLive(virDomainOb
@@ -4373,6 +4375,7 @@ lxcDomainDetachDeviceNetLive(virDomainOb
virDomainAuditNet(vm, detach, NULL, "detach", false);
goto cleanup;
}
@ -61,10 +61,10 @@ Index: libvirt-5.0.0/src/lxc/lxc_driver.c
break;
/* It'd be nice to support this, but with macvlan
Index: libvirt-5.0.0/src/lxc/lxc_process.c
Index: libvirt-5.1.0/src/lxc/lxc_process.c
===================================================================
--- libvirt-5.0.0.orig/src/lxc/lxc_process.c
+++ libvirt-5.0.0/src/lxc/lxc_process.c
--- libvirt-5.1.0.orig/src/lxc/lxc_process.c
+++ libvirt-5.1.0/src/lxc/lxc_process.c
@@ -51,6 +51,7 @@
#include "viratomic.h"
#include "virprocess.h"
@ -73,7 +73,7 @@ Index: libvirt-5.0.0/src/lxc/lxc_process.c
#include "netdev_bandwidth_conf.h"
#define VIR_FROM_THIS VIR_FROM_LXC
@@ -215,6 +216,7 @@ static void virLXCProcessCleanup(virLXCD
@@ -226,6 +227,7 @@ static void virLXCProcessCleanup(virLXCD
}
virDomainNetReleaseActualDevice(vm->def, iface);
}


@ -17,11 +17,11 @@ Signed-off-by: Martin Wilck <mwilck@suse.com>
tests/networkxml2confdata/dhcp6host-routed-network.conf | 1 -
2 files changed, 8 insertions(+), 2 deletions(-)
Index: libvirt-5.0.0/src/network/bridge_driver.c
Index: libvirt-5.1.0/src/network/bridge_driver.c
===================================================================
--- libvirt-5.0.0.orig/src/network/bridge_driver.c
+++ libvirt-5.0.0/src/network/bridge_driver.c
@@ -1456,7 +1456,14 @@ networkDnsmasqConfContents(virNetworkObj
--- libvirt-5.1.0.orig/src/network/bridge_driver.c
+++ libvirt-5.1.0/src/network/bridge_driver.c
@@ -1378,7 +1378,14 @@ networkDnsmasqConfContents(virNetworkObj
if (VIR_SOCKET_ADDR_IS_FAMILY(&ipdef->address, AF_INET)) {
if (ipdef->nranges || ipdef->nhosts) {
virBufferAddLit(&configbuf, "dhcp-no-override\n");
@ -37,10 +37,10 @@ Index: libvirt-5.0.0/src/network/bridge_driver.c
}
if (ipdef->tftproot) {
Index: libvirt-5.0.0/tests/networkxml2confdata/dhcp6host-routed-network.conf
Index: libvirt-5.1.0/tests/networkxml2confdata/dhcp6host-routed-network.conf
===================================================================
--- libvirt-5.0.0.orig/tests/networkxml2confdata/dhcp6host-routed-network.conf
+++ libvirt-5.0.0/tests/networkxml2confdata/dhcp6host-routed-network.conf
--- libvirt-5.1.0.orig/tests/networkxml2confdata/dhcp6host-routed-network.conf
+++ libvirt-5.1.0/tests/networkxml2confdata/dhcp6host-routed-network.conf
@@ -10,7 +10,6 @@ bind-dynamic
interface=virbr1
dhcp-range=192.168.122.1,static


@ -2,10 +2,10 @@ Canonicalize hostarch name ppc64le to ppc64
See bnc#894956
Index: libvirt-5.0.0/src/util/virarch.c
Index: libvirt-5.1.0/src/util/virarch.c
===================================================================
--- libvirt-5.0.0.orig/src/util/virarch.c
+++ libvirt-5.0.0/src/util/virarch.c
--- libvirt-5.1.0.orig/src/util/virarch.c
+++ libvirt-5.1.0/src/util/virarch.c
@@ -172,6 +172,8 @@ virArch virArchFromHost(void)
arch = VIR_ARCH_I686;
} else if (STREQ(ut.machine, "amd64")) {


@ -1,8 +1,8 @@
Index: libvirt-5.0.0/src/security/apparmor/libvirt-qemu
Index: libvirt-5.1.0/src/security/apparmor/libvirt-qemu
===================================================================
--- libvirt-5.0.0.orig/src/security/apparmor/libvirt-qemu
+++ libvirt-5.0.0/src/security/apparmor/libvirt-qemu
@@ -221,3 +221,6 @@
--- libvirt-5.1.0.orig/src/security/apparmor/libvirt-qemu
+++ libvirt-5.1.0/src/security/apparmor/libvirt-qemu
@@ -222,3 +222,6 @@
# required for sasl GSSAPI plugin
/etc/gss/mech.d/ r,
/etc/gss/mech.d/* r,


@ -8,10 +8,10 @@ Subject: [PATCH] support managed pci devices in xen driver
src/xenxs/xen_xm.c | 28 +++++++++++++++++++++++++++-
2 files changed, 35 insertions(+), 15 deletions(-)
Index: libvirt-5.0.0/src/xenconfig/xen_common.c
Index: libvirt-5.1.0/src/xenconfig/xen_common.c
===================================================================
--- libvirt-5.0.0.orig/src/xenconfig/xen_common.c
+++ libvirt-5.0.0/src/xenconfig/xen_common.c
--- libvirt-5.1.0.orig/src/xenconfig/xen_common.c
+++ libvirt-5.1.0/src/xenconfig/xen_common.c
@@ -386,12 +386,19 @@ xenParsePCI(char *entry)
int busID;
int slotID;
@ -64,10 +64,10 @@ Index: libvirt-5.0.0/src/xenconfig/xen_common.c
hostdev->source.subsys.type = VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_PCI;
hostdev->source.subsys.u.pci.addr.domain = domainID;
hostdev->source.subsys.u.pci.addr.bus = busID;
Index: libvirt-5.0.0/src/xenconfig/xen_sxpr.c
Index: libvirt-5.1.0/src/xenconfig/xen_sxpr.c
===================================================================
--- libvirt-5.0.0.orig/src/xenconfig/xen_sxpr.c
+++ libvirt-5.0.0/src/xenconfig/xen_sxpr.c
--- libvirt-5.1.0.orig/src/xenconfig/xen_sxpr.c
+++ libvirt-5.1.0/src/xenconfig/xen_sxpr.c
@@ -1053,6 +1053,7 @@ xenParseSxprPCI(virDomainDefPtr def,
int busID;
int slotID;
@ -91,7 +91,7 @@ Index: libvirt-5.0.0/src/xenconfig/xen_sxpr.c
dev->source.subsys.type = VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_PCI;
dev->source.subsys.u.pci.addr.domain = domainID;
dev->source.subsys.u.pci.addr.bus = busID;
@@ -1968,11 +1971,15 @@ static void
@@ -1962,11 +1965,15 @@ static void
xenFormatSxprPCI(virDomainHostdevDefPtr def,
virBufferPtr buf)
{
@ -108,7 +108,7 @@ Index: libvirt-5.0.0/src/xenconfig/xen_sxpr.c
}
@@ -1991,12 +1998,6 @@ xenFormatSxprOnePCI(virDomainHostdevDefP
@@ -1985,12 +1992,6 @@ xenFormatSxprOnePCI(virDomainHostdevDefP
virBufferPtr buf,
int detach)
{
@ -121,7 +121,7 @@ Index: libvirt-5.0.0/src/xenconfig/xen_sxpr.c
virBufferAddLit(buf, "(pci ");
xenFormatSxprPCI(def, buf);
if (detach)
@@ -2051,12 +2052,6 @@ xenFormatSxprAllPCI(virDomainDefPtr def,
@@ -2045,12 +2046,6 @@ xenFormatSxprAllPCI(virDomainDefPtr def,
for (i = 0; i < def->nhostdevs; i++) {
if (def->hostdevs[i]->mode == VIR_DOMAIN_HOSTDEV_MODE_SUBSYS &&
def->hostdevs[i]->source.subsys.type == VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_PCI) {


@ -8,11 +8,11 @@ It was also noticed that the per-domain profiles need a libnl rule
to squelch a denial when starting confined domains.
Found while investigating bsc#1058847
Index: libvirt-5.0.0/src/security/apparmor/libvirt-qemu
Index: libvirt-5.1.0/src/security/apparmor/libvirt-qemu
===================================================================
--- libvirt-5.0.0.orig/src/security/apparmor/libvirt-qemu
+++ libvirt-5.0.0/src/security/apparmor/libvirt-qemu
@@ -62,6 +62,7 @@
--- libvirt-5.1.0.orig/src/security/apparmor/libvirt-qemu
+++ libvirt-5.1.0/src/security/apparmor/libvirt-qemu
@@ -63,6 +63,7 @@
#/dev/fb* rw,
/etc/pulse/client.conf r,
@ -20,10 +20,10 @@ Index: libvirt-5.0.0/src/security/apparmor/libvirt-qemu
@{HOME}/.pulse-cookie rwk,
owner /root/.pulse-cookie rwk,
owner /root/.pulse/ rw,
Index: libvirt-5.0.0/src/security/apparmor/usr.lib.libvirt.virt-aa-helper
Index: libvirt-5.1.0/src/security/apparmor/usr.lib.libvirt.virt-aa-helper
===================================================================
--- libvirt-5.0.0.orig/src/security/apparmor/usr.lib.libvirt.virt-aa-helper
+++ libvirt-5.0.0/src/security/apparmor/usr.lib.libvirt.virt-aa-helper
--- libvirt-5.1.0.orig/src/security/apparmor/usr.lib.libvirt.virt-aa-helper
+++ libvirt-5.1.0/src/security/apparmor/usr.lib.libvirt.virt-aa-helper
@@ -17,7 +17,7 @@ profile virt-aa-helper /usr/{lib,lib64}/
owner @{PROC}/[0-9]*/status r,
@{PROC}/filesystems r,
@ -31,5 +31,5 @@ Index: libvirt-5.0.0/src/security/apparmor/usr.lib.libvirt.virt-aa-helper
- /etc/libnl-3/classid r,
+ /etc/libnl*/classid r,
# for hostdev
/sys/devices/ r,
# for gl enabled graphics
/dev/dri/{,*} r,


@ -1,9 +1,9 @@
Adjust libvirt-guests service to conform to SUSE standards
Index: libvirt-5.0.0/tools/libvirt-guests.init.in
Index: libvirt-5.1.0/tools/libvirt-guests.init.in
===================================================================
--- libvirt-5.0.0.orig/tools/libvirt-guests.init.in
+++ libvirt-5.0.0/tools/libvirt-guests.init.in
--- libvirt-5.1.0.orig/tools/libvirt-guests.init.in
+++ libvirt-5.1.0/tools/libvirt-guests.init.in
@@ -4,27 +4,27 @@
# http://refspecs.linuxfoundation.org/LSB_5.0.0/LSB-Core-generic/LSB-Core-generic/initscrcomconv.html
#
@ -46,10 +46,10 @@ Index: libvirt-5.0.0/tools/libvirt-guests.init.in
+
exec @libexecdir@/libvirt-guests.sh "$@"
Index: libvirt-5.0.0/tools/libvirt-guests.sh.in
Index: libvirt-5.1.0/tools/libvirt-guests.sh.in
===================================================================
--- libvirt-5.0.0.orig/tools/libvirt-guests.sh.in
+++ libvirt-5.0.0/tools/libvirt-guests.sh.in
--- libvirt-5.1.0.orig/tools/libvirt-guests.sh.in
+++ libvirt-5.1.0/tools/libvirt-guests.sh.in
@@ -16,14 +16,13 @@
# License along with this library. If not, see
# <http://www.gnu.org/licenses/>.
@ -209,10 +209,10 @@ Index: libvirt-5.0.0/tools/libvirt-guests.sh.in
esac
-exit $RETVAL
+rc_exit
Index: libvirt-5.0.0/tools/libvirt-guests.sysconf
Index: libvirt-5.1.0/tools/libvirt-guests.sysconf
===================================================================
--- libvirt-5.0.0.orig/tools/libvirt-guests.sysconf
+++ libvirt-5.0.0/tools/libvirt-guests.sysconf
--- libvirt-5.1.0.orig/tools/libvirt-guests.sysconf
+++ libvirt-5.1.0/tools/libvirt-guests.sysconf
@@ -1,19 +1,29 @@
+## Path: System/Virtualization/libvirt-guests
+


@ -3,10 +3,10 @@ Disable TLS by default
On SUSE distros, the default is for libvirtd to listen only on the
Unix Domain Socket. The libvirt client still provides remote access
via a SSH tunnel.
Index: libvirt-5.0.0/src/remote/libvirtd.conf
Index: libvirt-5.1.0/src/remote/libvirtd.conf
===================================================================
--- libvirt-5.0.0.orig/src/remote/libvirtd.conf
+++ libvirt-5.0.0/src/remote/libvirtd.conf
--- libvirt-5.1.0.orig/src/remote/libvirtd.conf
+++ libvirt-5.1.0/src/remote/libvirtd.conf
@@ -18,8 +18,8 @@
# It is necessary to setup a CA and issue server certificates before
# using this capability.
@ -18,10 +18,10 @@ Index: libvirt-5.0.0/src/remote/libvirtd.conf
# Listen for unencrypted TCP connections on the public TCP/IP port.
# NB, must pass the --listen flag to the libvirtd process for this to
Index: libvirt-5.0.0/src/remote/remote_daemon_config.c
Index: libvirt-5.1.0/src/remote/remote_daemon_config.c
===================================================================
--- libvirt-5.0.0.orig/src/remote/remote_daemon_config.c
+++ libvirt-5.0.0/src/remote/remote_daemon_config.c
--- libvirt-5.1.0.orig/src/remote/remote_daemon_config.c
+++ libvirt-5.1.0/src/remote/remote_daemon_config.c
@@ -108,7 +108,7 @@ daemonConfigNew(bool privileged ATTRIBUT
if (VIR_ALLOC(data) < 0)
return NULL;
@ -31,10 +31,10 @@ Index: libvirt-5.0.0/src/remote/remote_daemon_config.c
data->listen_tcp = 0;
if (VIR_STRDUP(data->tls_port, LIBVIRTD_TLS_PORT) < 0 ||
Index: libvirt-5.0.0/src/remote/test_libvirtd.aug.in
Index: libvirt-5.1.0/src/remote/test_libvirtd.aug.in
===================================================================
--- libvirt-5.0.0.orig/src/remote/test_libvirtd.aug.in
+++ libvirt-5.0.0/src/remote/test_libvirtd.aug.in
--- libvirt-5.1.0.orig/src/remote/test_libvirtd.aug.in
+++ libvirt-5.1.0/src/remote/test_libvirtd.aug.in
@@ -2,7 +2,7 @@ module Test_libvirtd =
::CONFIG::


@ -7,10 +7,10 @@ On SUSE distros, we promote libvirt and all the libvirt-based
tools. If a user installs libvirt on their SUSE Xen host, then
libvirt should be king and override xendomains. See bsc#1015348
Index: libvirt-5.0.0/src/remote/libvirtd.service.in
Index: libvirt-5.1.0/src/remote/libvirtd.service.in
===================================================================
--- libvirt-5.0.0.orig/src/remote/libvirtd.service.in
+++ libvirt-5.0.0/src/remote/libvirtd.service.in
--- libvirt-5.1.0.orig/src/remote/libvirtd.service.in
+++ libvirt-5.1.0/src/remote/libvirtd.service.in
@@ -17,6 +17,8 @@ After=local-fs.target
After=remote-fs.target
After=systemd-logind.service


@ -1,9 +1,9 @@
Adjust libvirtd sysconfig file to conform to SUSE standards
Index: libvirt-5.0.0/src/remote/libvirtd.sysconf
Index: libvirt-5.1.0/src/remote/libvirtd.sysconf
===================================================================
--- libvirt-5.0.0.orig/src/remote/libvirtd.sysconf
+++ libvirt-5.0.0/src/remote/libvirtd.sysconf
--- libvirt-5.1.0.orig/src/remote/libvirtd.sysconf
+++ libvirt-5.1.0/src/remote/libvirtd.sysconf
@@ -1,16 +1,25 @@
+## Path: System/Virtualization/libvirt
+


@ -1,10 +1,10 @@
Adjust paths of OVMF firmwares on SUSE distros
Index: libvirt-5.0.0/src/qemu/qemu.conf
Index: libvirt-5.1.0/src/qemu/qemu.conf
===================================================================
--- libvirt-5.0.0.orig/src/qemu/qemu.conf
+++ libvirt-5.0.0/src/qemu/qemu.conf
@@ -767,10 +767,9 @@ security_default_confined = 0
--- libvirt-5.1.0.orig/src/qemu/qemu.conf
+++ libvirt-5.1.0/src/qemu/qemu.conf
@@ -773,10 +773,9 @@ security_default_confined = 0
# for x86_64 and i686, but it's AAVMF for aarch64. The libvirt default
# follows this scheme.
#nvram = [
@ -18,10 +18,10 @@ Index: libvirt-5.0.0/src/qemu/qemu.conf
#]
# The backend to use for handling stdout/stderr output from
Index: libvirt-5.0.0/src/qemu/qemu_conf.c
Index: libvirt-5.1.0/src/qemu/qemu_conf.c
===================================================================
--- libvirt-5.0.0.orig/src/qemu/qemu_conf.c
+++ libvirt-5.0.0/src/qemu/qemu_conf.c
--- libvirt-5.1.0.orig/src/qemu/qemu_conf.c
+++ libvirt-5.1.0/src/qemu/qemu_conf.c
@@ -116,10 +116,9 @@ void qemuDomainCmdlineDefFree(qemuDomain
#ifndef DEFAULT_LOADER_NVRAM
@ -36,11 +36,11 @@ Index: libvirt-5.0.0/src/qemu/qemu_conf.c
#endif
Index: libvirt-5.0.0/src/security/virt-aa-helper.c
Index: libvirt-5.1.0/src/security/virt-aa-helper.c
===================================================================
--- libvirt-5.0.0.orig/src/security/virt-aa-helper.c
+++ libvirt-5.0.0/src/security/virt-aa-helper.c
@@ -507,7 +507,8 @@ valid_path(const char *path, const bool
--- libvirt-5.1.0.orig/src/security/virt-aa-helper.c
+++ libvirt-5.1.0/src/security/virt-aa-helper.c
@@ -506,7 +506,8 @@ valid_path(const char *path, const bool
"/usr/share/ovmf/", /* for OVMF images */
"/usr/share/AAVMF/", /* for AAVMF images */
"/usr/share/qemu-efi/", /* for AAVMF images */


@ -7,11 +7,11 @@ suse-qemu-conf-secdriver.patch, suse-qemu-conf-lockmgr.patch,
etc.), but for now they are all lumped together in this
single patch.
Index: libvirt-5.0.0/src/qemu/qemu.conf
Index: libvirt-5.1.0/src/qemu/qemu.conf
===================================================================
--- libvirt-5.0.0.orig/src/qemu/qemu.conf
+++ libvirt-5.0.0/src/qemu/qemu.conf
@@ -414,11 +414,20 @@
--- libvirt-5.1.0.orig/src/qemu/qemu.conf
+++ libvirt-5.1.0/src/qemu/qemu.conf
@@ -420,11 +420,20 @@
# isolation, but it cannot appear in a list of drivers.
#
#security_driver = "selinux"
@ -34,7 +34,7 @@ Index: libvirt-5.0.0/src/qemu/qemu.conf
# If set to non-zero, then attempts to create unconfined
# guests will be blocked. Defaults to 0.
@@ -649,11 +658,22 @@
@@ -655,11 +664,22 @@
#relaxed_acs_check = 1


@ -1,9 +1,9 @@
Adjust virtlockd sysconfig file to conform to SUSE standards
Index: libvirt-5.0.0/src/locking/virtlockd.sysconf
Index: libvirt-5.1.0/src/locking/virtlockd.sysconf
===================================================================
--- libvirt-5.0.0.orig/src/locking/virtlockd.sysconf
+++ libvirt-5.0.0/src/locking/virtlockd.sysconf
--- libvirt-5.1.0.orig/src/locking/virtlockd.sysconf
+++ libvirt-5.1.0/src/locking/virtlockd.sysconf
@@ -1,3 +1,7 @@
+## Path: System/Virtualization/virtlockd
+


@ -1,9 +1,9 @@
Adjust virtlogd sysconfig file to conform to SUSE standards
Index: libvirt-5.0.0/src/logging/virtlogd.sysconf
Index: libvirt-5.1.0/src/logging/virtlogd.sysconf
===================================================================
--- libvirt-5.0.0.orig/src/logging/virtlogd.sysconf
+++ libvirt-5.0.0/src/logging/virtlogd.sysconf
--- libvirt-5.1.0.orig/src/logging/virtlogd.sysconf
+++ libvirt-5.1.0/src/logging/virtlogd.sysconf
@@ -1,3 +1,7 @@
+## Path: System/Virtualization/virtlogd
+


@ -1,7 +1,7 @@
Index: libvirt-5.0.0/src/xenconfig/xen_sxpr.c
Index: libvirt-5.1.0/src/xenconfig/xen_sxpr.c
===================================================================
--- libvirt-5.0.0.orig/src/xenconfig/xen_sxpr.c
+++ libvirt-5.0.0/src/xenconfig/xen_sxpr.c
--- libvirt-5.1.0.orig/src/xenconfig/xen_sxpr.c
+++ libvirt-5.1.0/src/xenconfig/xen_sxpr.c
@@ -383,7 +383,7 @@ xenParseSxprVifRate(const char *rate, un
static int
xenParseSxprDisks(virDomainDefPtr def,


@ -6,10 +6,10 @@ and 'file'. This was implicitly done prior to commit 9673418c.
https://bugzilla.suse.com/show_bug.cgi?id=938228
Index: libvirt-5.0.0/src/xenconfig/xen_sxpr.c
Index: libvirt-5.1.0/src/xenconfig/xen_sxpr.c
===================================================================
--- libvirt-5.0.0.orig/src/xenconfig/xen_sxpr.c
+++ libvirt-5.0.0/src/xenconfig/xen_sxpr.c
--- libvirt-5.1.0.orig/src/xenconfig/xen_sxpr.c
+++ libvirt-5.1.0/src/xenconfig/xen_sxpr.c
@@ -497,10 +497,11 @@ xenParseSxprDisks(virDomainDefPtr def,
omnipotent, we can revisit this, perhaps stat()'ing
the src file in question */