- Fix PCI device attach for xen HVM domains

fix-pci-attach-xen-driver.patch
  FATE#313570

- Apparmor security driver: Ensure tap fds are labelled when
  generating the guest profile.
  Modified install-apparmor-profiles.patch, added upstream patch
  ce4557c3-apparmor-tapfd-label.patch
  bnc#807940

- Grant permission to use datagram packets in libvirtd apparmor
  profile.
  Remove AF_PACKET.patch, modify install-apparmor-profiles.patch
  bnc#801145

- Add 'managed' PCI passthrough support to legacy xen driver
  support-managed-pci-xen-driver.patch
  FATE#313570

OBS-URL: https://build.opensuse.org/package/show/Virtualization/libvirt?expand=0&rev=253
James Fehlig 2013-03-08 19:47:00 +00:00 committed by Git OBS Bridge
parent 326f0f1ce2
commit 6bfebf3884
7 changed files with 288 additions and 31 deletions


@ -1,26 +0,0 @@
Index: libvirt-1.0.3/src/util/virnetdev.c
===================================================================
--- libvirt-1.0.3.orig/src/util/virnetdev.c
+++ libvirt-1.0.3/src/util/virnetdev.c
@@ -81,7 +81,7 @@ static int virNetDevSetupControlFull(con
static int virNetDevSetupControl(const char *ifname,
struct ifreq *ifr)
{
- return virNetDevSetupControlFull(ifname, ifr, AF_PACKET, SOCK_DGRAM);
+ return virNetDevSetupControlFull(ifname, ifr, AF_INET, SOCK_STREAM);
}
#endif
Index: libvirt-1.0.3/src/util/virnetdevbridge.c
===================================================================
--- libvirt-1.0.3.orig/src/util/virnetdevbridge.c
+++ libvirt-1.0.3/src/util/virnetdevbridge.c
@@ -85,7 +85,7 @@ static int virNetDevSetupControlFull(con
static int virNetDevSetupControl(const char *ifname,
struct ifreq *ifr)
{
- return virNetDevSetupControlFull(ifname, ifr, AF_PACKET, SOCK_DGRAM);
+ return virNetDevSetupControlFull(ifname, ifr, AF_INET, SOCK_STREAM);
}
#endif


@ -0,0 +1,68 @@
commit ce4557c3ab3702639db73615dd144ddf036321ed
Author: Guannan Ren <gren@redhat.com>
Date: Fri Mar 8 00:16:59 2013 +0800
apparmor: use AppArmorSetFDLabel for both imageFD and tapFD
Rename AppArmorSetImageFDLabel to AppArmorSetFDLabel which could
be used as a common function for *ALL* fd relabelling in Linux.
In apparmor profile for specific vm with uuid cdbebdfa-1d6d-65c3-be0f-fd74b978a773
Path: /etc/apparmor.d/libvirt/libvirt-cdbebdfa-1d6d-65c3-be0f-fd74b978a773.files
The last line is for the tapfd relabelling.
# DO NOT EDIT THIS FILE DIRECTLY. IT IS MANAGED BY LIBVIRT.
"/var/log/libvirt/**/rhel6qcow2.log" w,
"/var/lib/libvirt/**/rhel6qcow2.monitor" rw,
"/var/run/libvirt/**/rhel6qcow2.pid" rwk,
"/run/libvirt/**/rhel6qcow2.pid" rwk,
"/var/run/libvirt/**/*.tunnelmigrate.dest.rhel6qcow2" rw,
"/run/libvirt/**/*.tunnelmigrate.dest.rhel6qcow2" rw,
"/var/lib/libvirt/images/rhel6u3qcow2.img" rw,
"/dev/tap45" rw,
Index: libvirt-1.0.3/src/security/security_apparmor.c
===================================================================
--- libvirt-1.0.3.orig/src/security/security_apparmor.c
+++ libvirt-1.0.3/src/security/security_apparmor.c
@@ -884,9 +884,9 @@ AppArmorRestoreSavedStateLabel(virSecuri
}
static int
-AppArmorSetImageFDLabel(virSecurityManagerPtr mgr,
- virDomainDefPtr def,
- int fd)
+AppArmorSetFDLabel(virSecurityManagerPtr mgr,
+ virDomainDefPtr def,
+ int fd)
{
int rc = -1;
char *proc = NULL;
@@ -915,16 +915,6 @@ AppArmorSetImageFDLabel(virSecurityManag
return reload_profile(mgr, def, fd_path, true);
}
-/* TODO need code here */
-static int
-AppArmorSetTapFDLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
- virDomainDefPtr def ATTRIBUTE_UNUSED,
- int fd ATTRIBUTE_UNUSED)
-{
- return 0;
-}
-
-
static char *
AppArmorGetMountOptions(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
virDomainDefPtr vm ATTRIBUTE_UNUSED)
@@ -975,8 +965,8 @@ virSecurityDriver virAppArmorSecurityDri
.domainSetSavedStateLabel = AppArmorSetSavedStateLabel,
.domainRestoreSavedStateLabel = AppArmorRestoreSavedStateLabel,
- .domainSetSecurityImageFDLabel = AppArmorSetImageFDLabel,
- .domainSetSecurityTapFDLabel = AppArmorSetTapFDLabel,
+ .domainSetSecurityImageFDLabel = AppArmorSetFDLabel,
+ .domainSetSecurityTapFDLabel = AppArmorSetFDLabel,
.domainGetSecurityMountOptions = AppArmorGetMountOptions,
};
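Review bot: The shared AppArmorSetFDLabel now appends whatever path the tap fd resolves to, but nothing visible in the hunk checks that the path is a per-guest device; only `char *proc = NULL;` and the final `return reload_profile(mgr, def, fd_path, true);` are shown, and the derivation of fd_path lies outside the hunk. If, as `proc` suggests, fd_path is the /proc/self/fd/N link target, a tap opened through /dev/net/tun (rather than a macvtap /dev/tapN as in the `"/dev/tap45" rw,` example) presumably resolves to /dev/net/tun, and granting that rw in the guest profile widens the confined qemu's reach beyond the single interface libvirt handed it. I would skip the shared multiplexer explicitly once fd_path is known, `if (STREQ(fd_path, "/dev/net/tun")) return 0; /* shared node, never per-guest */` (releasing proc/fd_path the way the existing error path does), and the renamed function deserves a one-line header comment stating that it relabels whatever the descriptor refers to, image or tap, by appending its resolved path to the guest profile.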


@ -0,0 +1,42 @@
Fix PCI device attach in xend driver
When attaching PCI device using the xend driver, the 'device_create'
RPC is called, which is not sufficient to fully prepare/configure
the device for attachment to a domain. In the xen tools, xm pci-attach
uses the 'device_configure' RPC.
This patch changes the xend driver to always call 'device_configure' for
PCI devices to be consistent with the usage in the xen tools.
Index: libvirt-1.0.3/src/xen/xend_internal.c
===================================================================
--- libvirt-1.0.3.orig/src/xen/xend_internal.c
+++ libvirt-1.0.3/src/xen/xend_internal.c
@@ -2473,6 +2473,7 @@ xenDaemonAttachDeviceFlags(virDomainPtr
virBuffer buf = VIR_BUFFER_INITIALIZER;
char class[8], ref[80];
char *target = NULL;
+ int new_dev;
virCheckFlags(VIR_DOMAIN_AFFECT_LIVE | VIR_DOMAIN_AFFECT_CONFIG, -1);
@@ -2585,8 +2586,18 @@ xenDaemonAttachDeviceFlags(virDomainPtr
}
sexpr = virBufferContentAndReset(&buf);
+ new_dev = virDomainXMLDevID(domain, def, dev, class, ref, sizeof(ref));
- if (virDomainXMLDevID(domain, def, dev, class, ref, sizeof(ref))) {
+ /* always call 'device_configure' for pci device */
+ if (dev->type == VIR_DOMAIN_DEVICE_HOSTDEV &&
+ dev->data.hostdev->mode == VIR_DOMAIN_HOSTDEV_MODE_SUBSYS &&
+ dev->data.hostdev->source.subsys.type == VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_PCI) {
+ ret = xend_op(domain->conn, domain->name, "op", "device_configure",
+ "config", sexpr, "dev", ref, NULL);
+ goto cleanup;
+ }
+
+ if (new_dev) {
/* device doesn't exist, define it */
ret = xend_op(domain->conn, domain->name, "op", "device_create",
"config", sexpr, NULL);


@ -202,7 +202,7 @@ Index: libvirt-1.0.3/examples/apparmor/usr.sbin.libvirtd.in
===================================================================
--- /dev/null
+++ libvirt-1.0.3/examples/apparmor/usr.sbin.libvirtd.in
@@ -0,0 +1,57 @@
@@ -0,0 +1,58 @@
+# Last Modified: Fri Aug 19 11:20:36 2011
+#include <tunables/global>
+@{LIBVIRT}="libvirt"
@ -233,6 +233,7 @@ Index: libvirt-1.0.3/examples/apparmor/usr.sbin.libvirtd.in
+ network inet dgram,
+ network inet6 stream,
+ network inet6 dgram,
+ network packet dgram,
+
+ # Very lenient profile for libvirtd since we want to first focus on confining
+ # the guests. Guests will have a very restricted profile.
@ -398,7 +399,7 @@ Index: libvirt-1.0.3/examples/apparmor/libvirt-qemu.in
===================================================================
--- /dev/null
+++ libvirt-1.0.3/examples/apparmor/libvirt-qemu.in
@@ -0,0 +1,131 @@
@@ -0,0 +1,132 @@
+# Last Modified: Fri Mar 9 14:43:22 2012
+
+ #include <abstractions/base>
@ -409,6 +410,7 @@ Index: libvirt-1.0.3/examples/apparmor/libvirt-qemu.in
+ capability dac_override,
+ capability dac_read_search,
+ capability chown,
+ capability setgid,
+
+ network inet stream,
+ network inet6 stream,
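Review bot: `capability setgid` is added to the per-guest libvirt-qemu profile without a comment, and neither the changelog entries that mention install-apparmor-profiles.patch nor the commit message says which guest operation requires it; a new capability in the profile that confines the guest is exactly the widening a later auditor will want justified in place. Add a comment above the rule naming the trigger and the tracking bug, e.g. `# capability setgid: required for <operation>, see bnc#<bug>`, and if it is only needed on one code path say so, since the profile is shared by every guest. The libvirtd-side `network packet dgram` grant, by contrast, is tied to bnc#801145 and replaces the deleted AF_PACKET.patch, which had changed the control socket type in virnetdev.c instead; fixing the profile rather than the code is the right direction.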


@ -1,3 +1,34 @@
-------------------------------------------------------------------
Fri Mar 8 12:00:39 MST 2013 - jfehlig@suse.com
- Fix PCI device attach for xen HVM domains
fix-pci-attach-xen-driver.patch
FATE#313570
-------------------------------------------------------------------
Fri Mar 8 09:06:27 MST 2013 - jfehlig@suse.com
- Apparmor security driver: Ensure tapfd's are labled when
generating the guest profile.
Modified install-apparmor-profiles.patch, added upstream patch
ce4557c3-apparmor-tapfd-label.patch
bnc#807940
-------------------------------------------------------------------
Thu Mar 7 09:10:33 MST 2013 - jfehlig@suse.com
- Grant permission to use datagram packets in libvirtd apparmor
profile.
Remove AF_PACKET.patch, modify install-apparmor-profiles.patch
bnc#801145
-------------------------------------------------------------------
Wed Mar 6 09:14:25 MST 2013 - jfehlig@suse.com
- Add 'managed' PCI passthrough support to legacy xen driver
support-managed-pci-xen-driver.patch
FATE#313570
-------------------------------------------------------------------
Tue Mar 5 08:50:33 MST 2013 - jfehlig@suse.com


@ -139,7 +139,7 @@
%if 0%{?suse_version} >= 1210
%define with_netcontrol 0%{!?_without_netcontrol:%{server_drivers}}
%endif
%define with_netcontrol 1
# libcapng is used to manage capabilities in 11.3 or newer.
# It is also used by lxc and needs to be enabled if lxc is enabled.
%if 0%{?suse_version} >= 1130 || %{with_lxc}
@ -417,11 +417,11 @@ Source1: libvirtd.init
Source2: libvirtd-relocation-server.fw
Source99: baselibs.conf
# Upstream patches
Patch0: ce4557c3-apparmor-tapfd-label.patch
# Need to go upstream
Patch100: xen-name-for-devid.patch
Patch101: clone.patch
Patch102: xen-pv-cdrom.patch
Patch103: AF_PACKET.patch
# Our patches
Patch200: libvirtd-defaults.patch
Patch201: libvirtd-init-script.patch
@ -429,6 +429,8 @@ Patch202: libvirt-guests-init-script.patch
Patch203: virtlockd-init-script.patch
Patch204: relax-qemu-usergroup-check.patch
Patch205: suse-qemu-conf.patch
Patch206: fix-pci-attach-xen-driver.patch
Patch207: support-managed-pci-xen-driver.patch
%if %{with_apparmor}
Patch250: install-apparmor-profiles.patch
%endif
@ -556,16 +558,18 @@ Authors:
%prep
%setup -q
%patch0 -p1
%patch100 -p1
%patch101
%patch102 -p1
%patch103 -p1
%patch200 -p1
%patch201 -p1
%patch202 -p1
%patch203 -p1
%patch204 -p1
%patch205 -p1
%patch206 -p1
%patch207 -p1
%if %{with_apparmor}
%patch250 -p1
%endif
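Review bot: Patch206 and Patch207 are filed under `# Our patches`, yet both modify generic xend/xenxs code rather than SUSE packaging, and the managed-PCI patch is a git-format patch with a Subject line intended for submission, so they appear to belong in the `# Need to go upstream` range (Patch1xx) alongside the other pending xen fixes. Keeping them there separates what must be rebased or dropped on the next upstream update from the SUSE-only init-script and defaults patches in the 2xx range. The removal of `Patch103: AF_PACKET.patch` and its `%patch103 -p1` line is consistent with the profile change, and the new unconditional `%patch0` is fine since the apparmor driver it touches is compiled only when enabled.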


@ -0,0 +1,136 @@
>From 5aeda96eafd230af55343e7ef835e081ded484aa Mon Sep 17 00:00:00 2001
From: Chunyan Liu <cyliu@suse.com>
Date: Fri, 25 Jan 2013 17:37:14 +0800
Subject: [PATCH] support managed pci devices in xen driver
---
src/xenxs/xen_sxpr.c | 22 ++++++++--------------
src/xenxs/xen_xm.c | 28 +++++++++++++++++++++++++++-
2 files changed, 35 insertions(+), 15 deletions(-)
Index: libvirt-1.0.3/src/xenxs/xen_sxpr.c
===================================================================
--- libvirt-1.0.3.orig/src/xenxs/xen_sxpr.c
+++ libvirt-1.0.3/src/xenxs/xen_sxpr.c
@@ -1035,6 +1035,7 @@ xenParseSxprPCI(virDomainDefPtr def,
int busID;
int slotID;
int funcID;
+ int managed;
node = cur->u.s.car;
if (!sexpr_lookup(node, "dev"))
@@ -1082,11 +1083,13 @@ xenParseSxprPCI(virDomainDefPtr def,
goto error;
}
+ managed = sexpr_int(node, "dev/opts/managed");
+
if (!(dev = virDomainHostdevDefAlloc()))
goto error;
dev->mode = VIR_DOMAIN_HOSTDEV_MODE_SUBSYS;
- dev->managed = 0;
+ dev->managed = managed;
dev->source.subsys.type = VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_PCI;
dev->source.subsys.u.pci.domain = domainID;
dev->source.subsys.u.pci.bus = busID;
@@ -2044,11 +2047,14 @@ static void
xenFormatSxprPCI(virDomainHostdevDefPtr def,
virBufferPtr buf)
{
- virBufferAsprintf(buf, "(dev (domain 0x%04x)(bus 0x%02x)(slot 0x%02x)(func 0x%x))",
+ virBufferAsprintf(buf, "(dev (domain 0x%04x)(bus 0x%02x)(slot 0x%02x)(func 0x%x)",
def->source.subsys.u.pci.domain,
def->source.subsys.u.pci.bus,
def->source.subsys.u.pci.slot,
def->source.subsys.u.pci.function);
+ if (def->managed)
+ virBufferAddLit(buf, "(opts (managed 1))");
+ virBufferAddLit(buf, ")");
}
@@ -2067,12 +2073,6 @@ xenFormatSxprOnePCI(virDomainHostdevDefP
virBufferPtr buf,
int detach)
{
- if (def->managed) {
- virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
- _("managed PCI devices not supported with XenD"));
- return -1;
- }
-
virBufferAddLit(buf, "(pci ");
xenFormatSxprPCI(def, buf);
if (detach)
@@ -2127,12 +2127,6 @@ xenFormatSxprAllPCI(virDomainDefPtr def,
for (i = 0 ; i < def->nhostdevs ; i++) {
if (def->hostdevs[i]->mode == VIR_DOMAIN_HOSTDEV_MODE_SUBSYS &&
def->hostdevs[i]->source.subsys.type == VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_PCI) {
- if (def->hostdevs[i]->managed) {
- virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
- _("managed PCI devices not supported with XenD"));
- return -1;
- }
-
xenFormatSxprPCI(def->hostdevs[i], buf);
}
}
Index: libvirt-1.0.3/src/xenxs/xen_xm.c
===================================================================
--- libvirt-1.0.3.orig/src/xenxs/xen_xm.c
+++ libvirt-1.0.3/src/xenxs/xen_xm.c
@@ -815,6 +815,8 @@ xenParseXM(virConfPtr conf, int xendConf
int busID;
int slotID;
int funcID;
+ char *opt;
+ int managed=0;
domain[0] = bus[0] = slot[0] = func[0] = '\0';
@@ -824,6 +826,11 @@ xenParseXM(virConfPtr conf, int xendConf
/* pci=['0000:00:1b.0','0000:00:13.0'] */
if (!(key = list->str))
goto skippci;
+
+ opt = strchr(key, ',');
+ if (opt)
+ opt++;
+
if (!(nextkey = strchr(key, ':')))
goto skippci;
@@ -872,10 +879,30 @@ xenParseXM(virConfPtr conf, int xendConf
if (virStrToLong_i(func, NULL, 16, &funcID) < 0)
goto skippci;
+ if (opt) {
+ char opt_managed[2];
+ char *data;
+
+ opt_managed[0] = '\0';
+ data = strchr(opt, '=');
+ data++;
+
+ if (STRPREFIX(opt, "managed=")) {
+ if (virStrncpy(opt_managed, data, 1, sizeof(opt_managed)) == NULL) {
+ virReportError(VIR_ERR_INTERNAL_ERROR,
+ _("managed option %s too big for destination"),
+ data);
+ goto skippci;
+ }
+ }
+ if (virStrToLong_i(opt_managed, NULL, 10, &managed) < 0)
+ goto skippci;
+ }
+
if (!(hostdev = virDomainHostdevDefAlloc()))
goto cleanup;
- hostdev->managed = 0;
+ hostdev->managed = managed;
hostdev->source.subsys.type = VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_PCI;
hostdev->source.subsys.u.pci.domain = domainID;
hostdev->source.subsys.u.pci.bus = busID;
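Review bot: In the new option parsing in xenParseXM, `data = strchr(opt, '=');` is followed unconditionally by `data++;`, which increments a NULL pointer when the text after the comma contains no `=`, and any leading option other than `managed=` leaves `opt_managed` empty, so `virStrToLong_i("")` fails and the whole PCI device is silently dropped via `skippci` (as far as I recall, xm accepts further comma-separated pci options, so this is not a theoretical input). Because `virStrncpy` copies exactly one character, `managed=1,foo` parses while `foo,managed=1` does not, and the value is not validated beyond that first character. Please also confirm that `int managed=0;` is declared inside the per-entry loop, since the loop head is outside the hunk and a stale value would otherwise carry over to the next device. Suggested rewrite of the `if (opt)` block:
```c
            /* … unchanged: domain/bus/slot/func parsing … */
            if (opt && STRPREFIX(opt, "managed=")) {
                char *end = NULL;
                const char *data = opt + strlen("managed=");

                /* accept managed=N, optionally followed by ',other=val' */
                if (virStrToLong_i(data, &end, 10, &managed) < 0 ||
                    (*end != '\0' && *end != ',')) {
                    virReportError(VIR_ERR_INTERNAL_ERROR,
                                   _("invalid managed option '%s'"), opt);
                    goto skippci;
                }
            }
            /* options libvirt does not understand are ignored, not fatal */
```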