- Fix PCI device attach for xen HVM domains
fix-pci-attach-xen-driver.patch FATE#313570 - Apparmor security driver: Ensure tapfd's are labeled when generating the guest profile. Modified install-apparmor-profiles.patch, added upstream patch ce4557c3-apparmor-tapfd-label.patch bnc#807940 - Grant permission to use datagram packets in libvirtd apparmor profile. Remove AF_PACKET.patch, modify install-apparmor-profiles.patch bnc#801145 - Add 'managed' PCI passthrough support to legacy xen driver support-managed-pci-xen-driver.patch FATE#313570 OBS-URL: https://build.opensuse.org/package/show/Virtualization/libvirt?expand=0&rev=253
parent
326f0f1ce2
commit
6bfebf3884
@ -1,26 +0,0 @@
|
||||
Index: libvirt-1.0.3/src/util/virnetdev.c
|
||||
===================================================================
|
||||
--- libvirt-1.0.3.orig/src/util/virnetdev.c
|
||||
+++ libvirt-1.0.3/src/util/virnetdev.c
|
||||
@@ -81,7 +81,7 @@ static int virNetDevSetupControlFull(con
|
||||
static int virNetDevSetupControl(const char *ifname,
|
||||
struct ifreq *ifr)
|
||||
{
|
||||
- return virNetDevSetupControlFull(ifname, ifr, AF_PACKET, SOCK_DGRAM);
|
||||
+ return virNetDevSetupControlFull(ifname, ifr, AF_INET, SOCK_STREAM);
|
||||
}
|
||||
#endif
|
||||
|
||||
Index: libvirt-1.0.3/src/util/virnetdevbridge.c
|
||||
===================================================================
|
||||
--- libvirt-1.0.3.orig/src/util/virnetdevbridge.c
|
||||
+++ libvirt-1.0.3/src/util/virnetdevbridge.c
|
||||
@@ -85,7 +85,7 @@ static int virNetDevSetupControlFull(con
|
||||
static int virNetDevSetupControl(const char *ifname,
|
||||
struct ifreq *ifr)
|
||||
{
|
||||
- return virNetDevSetupControlFull(ifname, ifr, AF_PACKET, SOCK_DGRAM);
|
||||
+ return virNetDevSetupControlFull(ifname, ifr, AF_INET, SOCK_STREAM);
|
||||
}
|
||||
#endif
|
||||
|
68
ce4557c3-apparmor-tapfd-label.patch
Normal file
68
ce4557c3-apparmor-tapfd-label.patch
Normal file
@ -0,0 +1,68 @@
|
||||
commit ce4557c3ab3702639db73615dd144ddf036321ed
|
||||
Author: Guannan Ren <gren@redhat.com>
|
||||
Date: Fri Mar 8 00:16:59 2013 +0800
|
||||
|
||||
apparmor: use AppArmorSetFDLabel for both imageFD and tapFD
|
||||
|
||||
Rename AppArmorSetImageFDLabel to AppArmorSetFDLabel which could
|
||||
be used as a common function for *ALL* fd relabelling in Linux.
|
||||
|
||||
In apparmor profile for specific vm with uuid cdbebdfa-1d6d-65c3-be0f-fd74b978a773
|
||||
Path: /etc/apparmor.d/libvirt/libvirt-cdbebdfa-1d6d-65c3-be0f-fd74b978a773.files
|
||||
The last line is for the tapfd relabelling.
|
||||
|
||||
# DO NOT EDIT THIS FILE DIRECTLY. IT IS MANAGED BY LIBVIRT.
|
||||
"/var/log/libvirt/**/rhel6qcow2.log" w,
|
||||
"/var/lib/libvirt/**/rhel6qcow2.monitor" rw,
|
||||
"/var/run/libvirt/**/rhel6qcow2.pid" rwk,
|
||||
"/run/libvirt/**/rhel6qcow2.pid" rwk,
|
||||
"/var/run/libvirt/**/*.tunnelmigrate.dest.rhel6qcow2" rw,
|
||||
"/run/libvirt/**/*.tunnelmigrate.dest.rhel6qcow2" rw,
|
||||
"/var/lib/libvirt/images/rhel6u3qcow2.img" rw,
|
||||
"/dev/tap45" rw,
|
||||
|
||||
Index: libvirt-1.0.3/src/security/security_apparmor.c
|
||||
===================================================================
|
||||
--- libvirt-1.0.3.orig/src/security/security_apparmor.c
|
||||
+++ libvirt-1.0.3/src/security/security_apparmor.c
|
||||
@@ -884,9 +884,9 @@ AppArmorRestoreSavedStateLabel(virSecuri
|
||||
}
|
||||
|
||||
static int
|
||||
-AppArmorSetImageFDLabel(virSecurityManagerPtr mgr,
|
||||
- virDomainDefPtr def,
|
||||
- int fd)
|
||||
+AppArmorSetFDLabel(virSecurityManagerPtr mgr,
|
||||
+ virDomainDefPtr def,
|
||||
+ int fd)
|
||||
{
|
||||
int rc = -1;
|
||||
char *proc = NULL;
|
||||
@@ -915,16 +915,6 @@ AppArmorSetImageFDLabel(virSecurityManag
|
||||
return reload_profile(mgr, def, fd_path, true);
|
||||
}
|
||||
|
||||
-/* TODO need code here */
|
||||
-static int
|
||||
-AppArmorSetTapFDLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
|
||||
- virDomainDefPtr def ATTRIBUTE_UNUSED,
|
||||
- int fd ATTRIBUTE_UNUSED)
|
||||
-{
|
||||
- return 0;
|
||||
-}
|
||||
-
|
||||
-
|
||||
static char *
|
||||
AppArmorGetMountOptions(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
|
||||
virDomainDefPtr vm ATTRIBUTE_UNUSED)
|
||||
@@ -975,8 +965,8 @@ virSecurityDriver virAppArmorSecurityDri
|
||||
.domainSetSavedStateLabel = AppArmorSetSavedStateLabel,
|
||||
.domainRestoreSavedStateLabel = AppArmorRestoreSavedStateLabel,
|
||||
|
||||
- .domainSetSecurityImageFDLabel = AppArmorSetImageFDLabel,
|
||||
- .domainSetSecurityTapFDLabel = AppArmorSetTapFDLabel,
|
||||
+ .domainSetSecurityImageFDLabel = AppArmorSetFDLabel,
|
||||
+ .domainSetSecurityTapFDLabel = AppArmorSetFDLabel,
|
||||
|
||||
.domainGetSecurityMountOptions = AppArmorGetMountOptions,
|
||||
};
|
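Review bot: AppArmorSetFDLabel is now the callback for both `.domainSetSecurityImageFDLabel` and `.domainSetSecurityTapFDLabel`, but nothing in these hunks documents which kinds of descriptor it may be given. The visible tail of the function passes a resolved `fd_path` to `reload_profile(mgr, def, fd_path, true)`, and the commit message shows the outcome as a `"/dev/tap45" rw,` rule; how `fd_path` is derived is outside the hunk, so it is worth confirming that a descriptor which resolves to a shared device node rather than a per-guest path cannot widen the guest profile. I would add a header comment above the function saying that it resolves the descriptor to a filesystem path and adds a rule for that path to the guest's profile, and that callers must only pass descriptors whose path is specific to this guest. Most of the function body lies outside these hunks.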
42
fix-pci-attach-xen-driver.patch
Normal file
42
fix-pci-attach-xen-driver.patch
Normal file
@ -0,0 +1,42 @@
|
||||
Fix PCI device attach in xend driver
|
||||
|
||||
When attaching PCI device using the xend driver, the 'device_create'
|
||||
RPC is called, which is not sufficient to fully prepare/configure
|
||||
the device for attachment to a domain. In the xen tools, xm pci-attach
|
||||
uses the 'device_configure' RPC.
|
||||
|
||||
This patch changes the xend driver to always call 'device_configure' for
|
||||
PCI devices to be consistent with the usage in the xen tools.
|
||||
|
||||
Index: libvirt-1.0.3/src/xen/xend_internal.c
|
||||
===================================================================
|
||||
--- libvirt-1.0.3.orig/src/xen/xend_internal.c
|
||||
+++ libvirt-1.0.3/src/xen/xend_internal.c
|
||||
@@ -2473,6 +2473,7 @@ xenDaemonAttachDeviceFlags(virDomainPtr
|
||||
virBuffer buf = VIR_BUFFER_INITIALIZER;
|
||||
char class[8], ref[80];
|
||||
char *target = NULL;
|
||||
+ int new_dev;
|
||||
|
||||
virCheckFlags(VIR_DOMAIN_AFFECT_LIVE | VIR_DOMAIN_AFFECT_CONFIG, -1);
|
||||
|
||||
@@ -2585,8 +2586,18 @@ xenDaemonAttachDeviceFlags(virDomainPtr
|
||||
}
|
||||
|
||||
sexpr = virBufferContentAndReset(&buf);
|
||||
+ new_dev = virDomainXMLDevID(domain, def, dev, class, ref, sizeof(ref));
|
||||
|
||||
- if (virDomainXMLDevID(domain, def, dev, class, ref, sizeof(ref))) {
|
||||
+ /* always call 'device_configure' for pci device */
|
||||
+ if (dev->type == VIR_DOMAIN_DEVICE_HOSTDEV &&
|
||||
+ dev->data.hostdev->mode == VIR_DOMAIN_HOSTDEV_MODE_SUBSYS &&
|
||||
+ dev->data.hostdev->source.subsys.type == VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_PCI) {
|
||||
+ ret = xend_op(domain->conn, domain->name, "op", "device_configure",
|
||||
+ "config", sexpr, "dev", ref, NULL);
|
||||
+ goto cleanup;
|
||||
+ }
|
||||
+
|
||||
+ if (new_dev) {
|
||||
/* device doesn't exist, define it */
|
||||
ret = xend_op(domain->conn, domain->name, "op", "device_create",
|
||||
"config", sexpr, NULL);
|
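Review bot: In the new PCI branch of xenDaemonAttachDeviceFlags, `ref` is sent as the "dev" argument of 'device_configure' even when virDomainXMLDevID returned non-zero, and `ref` is declared without an initializer in `char class[8], ref[80];`. Whether virDomainXMLDevID fills `ref` on its failure path is not visible here; if it does not, the RPC would be built from uninitialised stack bytes. Initialising the buffers, `char class[8] = "", ref[80] = "";`, or passing "dev" only when `new_dev` is 0, would close that gap. A short comment on `new_dev`, such as `/* non-zero: device not yet known to xend */`, would also help, because the name reads like a boolean but holds a return code. The function body starts and ends outside these hunks.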
@ -202,7 +202,7 @@ Index: libvirt-1.0.3/examples/apparmor/usr.sbin.libvirtd.in
|
||||
===================================================================
|
||||
--- /dev/null
|
||||
+++ libvirt-1.0.3/examples/apparmor/usr.sbin.libvirtd.in
|
||||
@@ -0,0 +1,57 @@
|
||||
@@ -0,0 +1,58 @@
|
||||
+# Last Modified: Fri Aug 19 11:20:36 2011
|
||||
+#include <tunables/global>
|
||||
+@{LIBVIRT}="libvirt"
|
||||
@ -233,6 +233,7 @@ Index: libvirt-1.0.3/examples/apparmor/usr.sbin.libvirtd.in
|
||||
+ network inet dgram,
|
||||
+ network inet6 stream,
|
||||
+ network inet6 dgram,
|
||||
+ network packet dgram,
|
||||
+
|
||||
+ # Very lenient profile for libvirtd since we want to first focus on confining
|
||||
+ # the guests. Guests will have a very restricted profile.
|
||||
@ -398,7 +399,7 @@ Index: libvirt-1.0.3/examples/apparmor/libvirt-qemu.in
|
||||
===================================================================
|
||||
--- /dev/null
|
||||
+++ libvirt-1.0.3/examples/apparmor/libvirt-qemu.in
|
||||
@@ -0,0 +1,131 @@
|
||||
@@ -0,0 +1,132 @@
|
||||
+# Last Modified: Fri Mar 9 14:43:22 2012
|
||||
+
|
||||
+ #include <abstractions/base>
|
||||
@ -409,6 +410,7 @@ Index: libvirt-1.0.3/examples/apparmor/libvirt-qemu.in
|
||||
+ capability dac_override,
|
||||
+ capability dac_read_search,
|
||||
+ capability chown,
|
||||
+ capability setgid,
|
||||
+
|
||||
+ network inet stream,
|
||||
+ network inet6 stream,
|
||||
|
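Review bot: The rule that this change appears to add to usr.sbin.libvirtd.in, `network packet dgram,`, carries no comment saying why libvirtd needs packet sockets. Judging from the AF_PACKET.patch removed in the same commit, the consumer looks to be virNetDevSetupControl, which opens an AF_PACKET/SOCK_DGRAM control socket; a line such as `# AF_PACKET datagram socket: used by virNetDevSetupControl for interface control` above the rule would record that. The profile already describes itself as very lenient, so this is a documentation point and not a request to tighten it.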
@ -1,3 +1,34 @@
|
||||
-------------------------------------------------------------------
|
||||
Fri Mar 8 12:00:39 MST 2013 - jfehlig@suse.com
|
||||
|
||||
- Fix PCI device attach for xen HVM domains
|
||||
fix-pci-attach-xen-driver.patch
|
||||
FATE#313570
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Fri Mar 8 09:06:27 MST 2013 - jfehlig@suse.com
|
||||
|
||||
- Apparmor security driver: Ensure tapfd's are labled when
|
||||
generating the guest profile.
|
||||
Modified install-apparmor-profiles.patch, added upstream patch
|
||||
ce4557c3-apparmor-tapfd-label.patch
|
||||
bnc#807940
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Thu Mar 7 09:10:33 MST 2013 - jfehlig@suse.com
|
||||
|
||||
- Grant permission to use datagram packets in libvirtd apparmor
|
||||
profile.
|
||||
Remove AF_PACKET.patch, modify install-apparmor-profiles.patch
|
||||
bnc#801145
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Wed Mar 6 09:14:25 MST 2013 - jfehlig@suse.com
|
||||
|
||||
- Add 'managed' PCI passthrough support to legacy xen driver
|
||||
support-managed-pci-xen-driver.patch
|
||||
FATE#313570
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Tue Mar 5 08:50:33 MST 2013 - jfehlig@suse.com
|
||||
|
||||
|
10
libvirt.spec
10
libvirt.spec
@ -139,7 +139,7 @@
|
||||
%if 0%{?suse_version} >= 1210
|
||||
%define with_netcontrol 0%{!?_without_netcontrol:%{server_drivers}}
|
||||
%endif
|
||||
|
||||
%define with_netcontrol 1
|
||||
# libcapng is used to manage capabilities in 11.3 or newer.
|
||||
# It is also used by lxc and needs to be enabled if lxc is enabled.
|
||||
%if 0%{?suse_version} >= 1130 || %{with_lxc}
|
||||
@ -417,11 +417,11 @@ Source1: libvirtd.init
|
||||
Source2: libvirtd-relocation-server.fw
|
||||
Source99: baselibs.conf
|
||||
# Upstream patches
|
||||
Patch0: ce4557c3-apparmor-tapfd-label.patch
|
||||
# Need to go upstream
|
||||
Patch100: xen-name-for-devid.patch
|
||||
Patch101: clone.patch
|
||||
Patch102: xen-pv-cdrom.patch
|
||||
Patch103: AF_PACKET.patch
|
||||
# Our patches
|
||||
Patch200: libvirtd-defaults.patch
|
||||
Patch201: libvirtd-init-script.patch
|
||||
@ -429,6 +429,8 @@ Patch202: libvirt-guests-init-script.patch
|
||||
Patch203: virtlockd-init-script.patch
|
||||
Patch204: relax-qemu-usergroup-check.patch
|
||||
Patch205: suse-qemu-conf.patch
|
||||
Patch206: fix-pci-attach-xen-driver.patch
|
||||
Patch207: support-managed-pci-xen-driver.patch
|
||||
%if %{with_apparmor}
|
||||
Patch250: install-apparmor-profiles.patch
|
||||
%endif
|
||||
@ -556,16 +558,18 @@ Authors:
|
||||
|
||||
%prep
|
||||
%setup -q
|
||||
%patch0 -p1
|
||||
%patch100 -p1
|
||||
%patch101
|
||||
%patch102 -p1
|
||||
%patch103 -p1
|
||||
%patch200 -p1
|
||||
%patch201 -p1
|
||||
%patch202 -p1
|
||||
%patch203 -p1
|
||||
%patch204 -p1
|
||||
%patch205 -p1
|
||||
%patch206 -p1
|
||||
%patch207 -p1
|
||||
%if %{with_apparmor}
|
||||
%patch250 -p1
|
||||
%endif
|
||||
|
136
support-managed-pci-xen-driver.patch
Normal file
136
support-managed-pci-xen-driver.patch
Normal file
@ -0,0 +1,136 @@
|
||||
>From 5aeda96eafd230af55343e7ef835e081ded484aa Mon Sep 17 00:00:00 2001
|
||||
From: Chunyan Liu <cyliu@suse.com>
|
||||
Date: Fri, 25 Jan 2013 17:37:14 +0800
|
||||
Subject: [PATCH] support managed pci devices in xen driver
|
||||
|
||||
---
|
||||
src/xenxs/xen_sxpr.c | 22 ++++++++--------------
|
||||
src/xenxs/xen_xm.c | 28 +++++++++++++++++++++++++++-
|
||||
2 files changed, 35 insertions(+), 15 deletions(-)
|
||||
|
||||
Index: libvirt-1.0.3/src/xenxs/xen_sxpr.c
|
||||
===================================================================
|
||||
--- libvirt-1.0.3.orig/src/xenxs/xen_sxpr.c
|
||||
+++ libvirt-1.0.3/src/xenxs/xen_sxpr.c
|
||||
@@ -1035,6 +1035,7 @@ xenParseSxprPCI(virDomainDefPtr def,
|
||||
int busID;
|
||||
int slotID;
|
||||
int funcID;
|
||||
+ int managed;
|
||||
|
||||
node = cur->u.s.car;
|
||||
if (!sexpr_lookup(node, "dev"))
|
||||
@@ -1082,11 +1083,13 @@ xenParseSxprPCI(virDomainDefPtr def,
|
||||
goto error;
|
||||
}
|
||||
|
||||
+ managed = sexpr_int(node, "dev/opts/managed");
|
||||
+
|
||||
if (!(dev = virDomainHostdevDefAlloc()))
|
||||
goto error;
|
||||
|
||||
dev->mode = VIR_DOMAIN_HOSTDEV_MODE_SUBSYS;
|
||||
- dev->managed = 0;
|
||||
+ dev->managed = managed;
|
||||
dev->source.subsys.type = VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_PCI;
|
||||
dev->source.subsys.u.pci.domain = domainID;
|
||||
dev->source.subsys.u.pci.bus = busID;
|
||||
@@ -2044,11 +2047,14 @@ static void
|
||||
xenFormatSxprPCI(virDomainHostdevDefPtr def,
|
||||
virBufferPtr buf)
|
||||
{
|
||||
- virBufferAsprintf(buf, "(dev (domain 0x%04x)(bus 0x%02x)(slot 0x%02x)(func 0x%x))",
|
||||
+ virBufferAsprintf(buf, "(dev (domain 0x%04x)(bus 0x%02x)(slot 0x%02x)(func 0x%x)",
|
||||
def->source.subsys.u.pci.domain,
|
||||
def->source.subsys.u.pci.bus,
|
||||
def->source.subsys.u.pci.slot,
|
||||
def->source.subsys.u.pci.function);
|
||||
+ if (def->managed)
|
||||
+ virBufferAddLit(buf, "(opts (managed 1))");
|
||||
+ virBufferAddLit(buf, ")");
|
||||
}
|
||||
|
||||
|
||||
@@ -2067,12 +2073,6 @@ xenFormatSxprOnePCI(virDomainHostdevDefP
|
||||
virBufferPtr buf,
|
||||
int detach)
|
||||
{
|
||||
- if (def->managed) {
|
||||
- virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
|
||||
- _("managed PCI devices not supported with XenD"));
|
||||
- return -1;
|
||||
- }
|
||||
-
|
||||
virBufferAddLit(buf, "(pci ");
|
||||
xenFormatSxprPCI(def, buf);
|
||||
if (detach)
|
||||
@@ -2127,12 +2127,6 @@ xenFormatSxprAllPCI(virDomainDefPtr def,
|
||||
for (i = 0 ; i < def->nhostdevs ; i++) {
|
||||
if (def->hostdevs[i]->mode == VIR_DOMAIN_HOSTDEV_MODE_SUBSYS &&
|
||||
def->hostdevs[i]->source.subsys.type == VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_PCI) {
|
||||
- if (def->hostdevs[i]->managed) {
|
||||
- virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
|
||||
- _("managed PCI devices not supported with XenD"));
|
||||
- return -1;
|
||||
- }
|
||||
-
|
||||
xenFormatSxprPCI(def->hostdevs[i], buf);
|
||||
}
|
||||
}
|
||||
Index: libvirt-1.0.3/src/xenxs/xen_xm.c
|
||||
===================================================================
|
||||
--- libvirt-1.0.3.orig/src/xenxs/xen_xm.c
|
||||
+++ libvirt-1.0.3/src/xenxs/xen_xm.c
|
||||
@@ -815,6 +815,8 @@ xenParseXM(virConfPtr conf, int xendConf
|
||||
int busID;
|
||||
int slotID;
|
||||
int funcID;
|
||||
+ char *opt;
|
||||
+ int managed=0;
|
||||
|
||||
domain[0] = bus[0] = slot[0] = func[0] = '\0';
|
||||
|
||||
@@ -824,6 +826,11 @@ xenParseXM(virConfPtr conf, int xendConf
|
||||
/* pci=['0000:00:1b.0','0000:00:13.0'] */
|
||||
if (!(key = list->str))
|
||||
goto skippci;
|
||||
+
|
||||
+ opt = strchr(key, ',');
|
||||
+ if (opt)
|
||||
+ opt++;
|
||||
+
|
||||
if (!(nextkey = strchr(key, ':')))
|
||||
goto skippci;
|
||||
|
||||
@@ -872,10 +879,30 @@ xenParseXM(virConfPtr conf, int xendConf
|
||||
if (virStrToLong_i(func, NULL, 16, &funcID) < 0)
|
||||
goto skippci;
|
||||
|
||||
+ if (opt) {
|
||||
+ char opt_managed[2];
|
||||
+ char *data;
|
||||
+
|
||||
+ opt_managed[0] = '\0';
|
||||
+ data = strchr(opt, '=');
|
||||
+ data++;
|
||||
+
|
||||
+ if (STRPREFIX(opt, "managed=")) {
|
||||
+ if (virStrncpy(opt_managed, data, 1, sizeof(opt_managed)) == NULL) {
|
||||
+ virReportError(VIR_ERR_INTERNAL_ERROR,
|
||||
+ _("managed option %s too big for destination"),
|
||||
+ data);
|
||||
+ goto skippci;
|
||||
+ }
|
||||
+ }
|
||||
+ if (virStrToLong_i(opt_managed, NULL, 10, &managed) < 0)
|
||||
+ goto skippci;
|
||||
+ }
|
||||
+
|
||||
if (!(hostdev = virDomainHostdevDefAlloc()))
|
||||
goto cleanup;
|
||||
|
||||
- hostdev->managed = 0;
|
||||
+ hostdev->managed = managed;
|
||||
hostdev->source.subsys.type = VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_PCI;
|
||||
hostdev->source.subsys.u.pci.domain = domainID;
|
||||
hostdev->source.subsys.u.pci.bus = busID;
|
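Review bot: In the option parsing added to xenParseXM, `data = strchr(opt, '=')` is incremented without a NULL check, so a pci entry whose text after the comma contains no '=' performs arithmetic on a null pointer. The same block leaves `opt_managed` empty for any option other than `managed=`, which makes virStrToLong_i fail and sends the whole device down the `skippci` path. Taking `data` from the matched prefix instead of from strchr removes both problems; the sketch below keeps the one-character copy and treats other options as ignored, which is an assumption about the intended behaviour. Whether the earlier `func` parsing tolerates the trailing `,managed=…` text is outside the hunk and worth checking.

```c
        if (opt && STRPREFIX(opt, "managed=")) {
            char opt_managed[2] = "";
            const char *data = opt + strlen("managed=");

            if (virStrncpy(opt_managed, data, 1, sizeof(opt_managed)) == NULL) {
                /* … unchanged: virReportError and goto skippci … */
            }
            if (virStrToLong_i(opt_managed, NULL, 10, &managed) < 0)
                goto skippci;
        }
```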