Accepting request 668190 from home:jfehlig:branches:Virtualization

- apparmor: add support for named profiles and convert libvirtd
  profile to a named profile
  70c2933d-apparmor-named-profiles.patch,
  a3ab6d42-apparmor-conv-libvirtd-named-profile.patch
  boo#1118952
- libxl: save current memory value after successful balloon
  11c8aca9-libxl-set-mem-after-balloon.patch
  bsc#1120813

OBS-URL: https://build.opensuse.org/request/show/668190
OBS-URL: https://build.opensuse.org/package/show/Virtualization/libvirt?expand=0&rev=726
James Fehlig 2019-01-23 22:10:16 +00:00 committed by Git OBS Bridge
parent 08f4d19aa7
commit 604f62151f
8 changed files with 134 additions and 6 deletions


@ -23,7 +23,7 @@ Index: libvirt-5.0.0/src/libxl/libxl_driver.c
===================================================================
--- libvirt-5.0.0.orig/src/libxl/libxl_driver.c
+++ libvirt-5.0.0/src/libxl/libxl_driver.c
@@ -5251,6 +5251,97 @@ libxlDomainMemoryStats(virDomainPtr dom,
@@ -5252,6 +5252,97 @@ libxlDomainMemoryStats(virDomainPtr dom,
#undef LIBXL_SET_MEMSTAT
@ -121,7 +121,7 @@ Index: libvirt-5.0.0/src/libxl/libxl_driver.c
static int
libxlDomainGetJobInfo(virDomainPtr dom,
virDomainJobInfoPtr info)
@@ -6635,6 +6726,7 @@ static virHypervisorDriver libxlHypervis
@@ -6636,6 +6727,7 @@ static virHypervisorDriver libxlHypervis
#endif
.nodeGetFreeMemory = libxlNodeGetFreeMemory, /* 0.9.0 */
.nodeGetCellsFreeMemory = libxlNodeGetCellsFreeMemory, /* 1.1.1 */


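--- /dev/null
+++ b/11c8aca9-libxl-set-mem-after-balloon.patch
@@ -0,0 +1,34 @@
+commit 11c8aca938bff7f6b7fb9def732262f3ad9e91f9
+Author: Jim Fehlig <jfehlig@suse.com>
+Date: Thu Jan 10 15:18:36 2019 -0700
+libxl: Set current memory value after successful balloon
+The libxl driver does not set the new memory value in the active domain def
+after a successful balloon. This results in the old memory value in
+<currentMemory>. E.g.
+virsh dumpxml test | grep currentMemory
+<currentMemory unit='KiB'>20971520</currentMemory>
+virsh setmem test 16777216 --live
+virsh dumpxml test | grep currentMemory
+<currentMemory unit='KiB'>20971520</currentMemory>
+Set the new memory value in active domain def after a successful call to
+libxl_set_memory_target().
+Signed-off-by: Jim Fehlig <jfehlig@suse.com>
+Reviewed-by: Ján Tomko <jtomko@redhat.com>
+Index: libvirt-5.0.0/src/libxl/libxl_driver.c
+===================================================================
+--- libvirt-5.0.0.orig/src/libxl/libxl_driver.c
++++ libvirt-5.0.0/src/libxl/libxl_driver.c
+@@ -1676,6 +1676,7 @@ libxlDomainSetMemoryFlags(virDomainPtr d
+" with libxenlight"), vm->def->id);
+goto endjob;
+}
++ vm->def->mem.cur_balloon = newmem;
+}
+if (flags & VIR_DOMAIN_MEM_CONFIG) {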
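Review bot: The new `vm->def->mem.cur_balloon = newmem;` updates only the in-memory active definition, and nothing in the hunk persists it; if the libxl driver saves live domain state to its status directory elsewhere (libxlDomainSetMemoryFlags starts and ends outside the hunk, so that cannot be confirmed here), a libvirtd restart would reload the pre-balloon value and the stale `<currentMemory>` this commit fixes would return. If that is the case, follow the assignment with a `virDomainObjSave()` of `vm` to the driver's state directory and fail the job on error, as the `goto endjob` path above does. The assignment also records the requested target rather than the amount the guest has actually released, which is presumably the intended meaning of cur_balloon but is worth a why-comment, e.g. `/* libxl accepted the target; mirror it in the live def so <currentMemory> reports it */`.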


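--- /dev/null
+++ b/70c2933d-apparmor-named-profiles.patch
@@ -0,0 +1,38 @@
+commit 70c2933da24dc4b004118afe2f9acaeabc42c0ad
+Author: Jim Fehlig <jfehlig@suse.com>
+Date: Fri Jan 11 17:26:03 2019 -0700
+apparmor: Add support for named profiles
+Upstream apparmor is switching to named profiles. In short,
+/usr/sbin/dnsmasq {
+becomes
+profile dnsmasq /usr/sbin/dnsmasq {
+Consequently, any profiles that reference profiles in a peer= condition
+need to be updated if the referenced profile switches to a named profile.
+Apparmor commit 9ab45d81 switched dnsmasq to a named profile. ATM it is
+the only named profile switch that has affected libvirt. Add rules to the
+libvirtd profile to reference dnsmasq in peer= conditions by profile name.
+Signed-off-by: Jim Fehlig <jfehlig@suse.com>
+Index: libvirt-5.0.0/src/security/apparmor/usr.sbin.libvirtd
+===================================================================
+--- libvirt-5.0.0.orig/src/security/apparmor/usr.sbin.libvirtd
++++ libvirt-5.0.0/src/security/apparmor/usr.sbin.libvirtd
+@@ -52,9 +52,11 @@
+ptrace (read,trace) peer=unconfined,
+ptrace (read,trace) peer=/usr/sbin/libvirtd,
++ ptrace (read,trace) peer=dnsmasq,
+ptrace (read,trace) peer=/usr/sbin/dnsmasq,
+ptrace (read,trace) peer=libvirt-*,
++ signal (send) peer=dnsmasq,
+signal (send) peer=/usr/sbin/dnsmasq,
+signal (read, send) peer=libvirt-*,
+signal (send) set=("kill", "term") peer=unconfined,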
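Review bot: The two added `peer=dnsmasq` rules sit next to the path-based `/usr/sbin/dnsmasq` rules they duplicate with nothing in the profile explaining why both forms exist, so a later cleanup could plausibly drop one and silently break either old or new apparmor policy; a comment above the first new rule would pin the intent, e.g. `# dnsmasq became a named profile in apparmor (commit 9ab45d81); keep the path form until older policies are no longer supported`. Both forms carry over `ptrace (read,trace)`, and `trace` is a much broader grant than `read` if libvirtd only inspects the dnsmasq processes it spawns; the hunk cannot show what the driver needs, but narrowing both rules to `read` is worth checking before the named form becomes the long-lived one. The enclosing libvirtd profile starts and ends outside the hunk.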


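--- /dev/null
+++ b/a3ab6d42-apparmor-conv-libvirtd-named-profile.patch
@@ -0,0 +1,38 @@
+commit a3ab6d42d825499af44b8f19f9299e150d9687bc
+Author: Jim Fehlig <jfehlig@suse.com>
+Date: Fri Jan 11 17:59:59 2019 -0700
+apparmor: convert libvirtd profile to a named profile
+Signed-off-by: Jim Fehlig <jfehlig@suse.com>
+Index: libvirt-5.0.0/src/security/apparmor/usr.sbin.libvirtd
+===================================================================
+--- libvirt-5.0.0.orig/src/security/apparmor/usr.sbin.libvirtd
++++ libvirt-5.0.0/src/security/apparmor/usr.sbin.libvirtd
+@@ -2,7 +2,7 @@
+#include <tunables/global>
+@{LIBVIRT}="libvirt"
+-/usr/sbin/libvirtd flags=(attach_disconnected) {
++profile libvirtd /usr/sbin/libvirtd flags=(attach_disconnected) {
+#include <abstractions/base>
+#include <abstractions/dbus>
+@@ -51,7 +51,7 @@
+unix (send, receive) type=stream addr=none peer=(label=unconfined addr=none),
+ptrace (read,trace) peer=unconfined,
+- ptrace (read,trace) peer=/usr/sbin/libvirtd,
++ ptrace (read,trace) peer=@{profile_name},
+ptrace (read,trace) peer=dnsmasq,
+ptrace (read,trace) peer=/usr/sbin/dnsmasq,
+ptrace (read,trace) peer=libvirt-*,
+@@ -123,6 +123,7 @@
+# For communication/control from libvirtd
+unix (send, receive) type=stream addr=none peer=(label=/usr/sbin/libvirtd),
+signal (receive) set=("term") peer=/usr/sbin/libvirtd,
++ signal (receive) set=("term") peer=libvirtd,
+/dev/net/tun rw,
+/etc/qemu/** r,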
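Review bot: In the second hunk the child profile's `unix (send, receive) type=stream addr=none peer=(label=/usr/sbin/libvirtd),` still names the parent by path while only the signal rule beneath it gains a `peer=libvirtd` counterpart; once the parent is declared `profile libvirtd /usr/sbin/libvirtd`, its label is `libvirtd` (the companion patch's own description says peer= references must follow such renames), so the stream-socket rule stops matching and the helper's control channel from libvirtd would be denied. Add `unix (send, receive) type=stream addr=none peer=(label=libvirtd),` beside the existing rule; the child profile holding these lines starts and ends outside the hunk. Any other profile or abstraction in the tree that references `peer=/usr/sbin/libvirtd` is untouched by this patch and would need the same treatment, and once every consumer carries the named form the path-based rules are dead and should be removed rather than left as a second, stale identity. A one-line comment at the `peer=@{profile_name}` change, e.g. `# self-reference; expands to the profile name "libvirtd"`, would make the rename's intent visible in the profile itself.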


@ -1,3 +1,15 @@
-------------------------------------------------------------------
Wed Jan 23 20:53:29 UTC 2019 - James Fehlig <jfehlig@suse.com>
- apparmor: add support for named profiles and convert libvirtd
profile to a named profile
70c2933d-apparmor-named-profiles.patch,
a3ab6d42-apparmor-conv-libvirtd-named-profile.patch
boo#1118952
- libxl: save current memory value after successful balloon
11c8aca9-libxl-set-mem-after-balloon.patch
bsc#1120813
-------------------------------------------------------------------
Wed Jan 23 10:23:23 UTC 2019 - Jan Engelhardt <jengelh@inai.de>


@ -332,6 +332,9 @@ Source6: libvirtd-relocation-server.xml
Source99: baselibs.conf
Source100: %{name}-rpmlintrc
# Upstream patches
Patch0: 11c8aca9-libxl-set-mem-after-balloon.patch
Patch1: 70c2933d-apparmor-named-profiles.patch
Patch2: a3ab6d42-apparmor-conv-libvirtd-named-profile.patch
# Patches pending upstream review
Patch100: libxl-dom-reset.patch
Patch101: network-don-t-use-dhcp-authoritative-on-static-netwo.patch
@ -865,6 +868,9 @@ libvirt plugin for NSS for translating domain names into IP addresses.
%prep
%setup -q
%patch0 -p1
%patch1 -p1
%patch2 -p1
%patch100 -p1
%patch101 -p1
%patch150 -p1


@ -74,7 +74,7 @@ Index: libvirt-5.0.0/src/libxl/libxl_driver.c
libxlDomainDestroyFlags(virDomainPtr dom,
unsigned int flags)
{
@@ -6510,6 +6565,7 @@ static virHypervisorDriver libxlHypervis
@@ -6511,6 +6566,7 @@ static virHypervisorDriver libxlHypervis
.domainShutdown = libxlDomainShutdown, /* 0.9.0 */
.domainShutdownFlags = libxlDomainShutdownFlags, /* 0.9.10 */
.domainReboot = libxlDomainReboot, /* 0.9.0 */


@ -56,7 +56,7 @@ Index: libvirt-5.0.0/src/libxl/libxl_driver.c
===================================================================
--- libvirt-5.0.0.orig/src/libxl/libxl_driver.c
+++ libvirt-5.0.0/src/libxl/libxl_driver.c
@@ -6117,6 +6117,9 @@ libxlDomainMigratePerform3Params(virDoma
@@ -6118,6 +6118,9 @@ libxlDomainMigratePerform3Params(virDoma
const char *dname = NULL;
const char *uri = NULL;
int ret = -1;
@ -66,7 +66,7 @@ Index: libvirt-5.0.0/src/libxl/libxl_driver.c
#ifdef LIBXL_HAVE_NO_SUSPEND_RESUME
virReportUnsupportedError();
@@ -6133,6 +6136,18 @@ libxlDomainMigratePerform3Params(virDoma
@@ -6134,6 +6137,18 @@ libxlDomainMigratePerform3Params(virDoma
virTypedParamsGetString(params, nparams,
VIR_MIGRATE_PARAM_DEST_NAME,
&dname) < 0 ||
@ -85,7 +85,7 @@ Index: libvirt-5.0.0/src/libxl/libxl_driver.c
virTypedParamsGetString(params, nparams,
VIR_MIGRATE_PARAM_URI,
&uri) < 0)
@@ -6147,11 +6162,11 @@ libxlDomainMigratePerform3Params(virDoma
@@ -6148,11 +6163,11 @@ libxlDomainMigratePerform3Params(virDoma
if ((flags & (VIR_MIGRATE_TUNNELLED | VIR_MIGRATE_PEER2PEER))) {
if (libxlDomainMigrationSrcPerformP2P(driver, vm, dom->conn, dom_xml,