Accepting request 176049 from Virtualization

New libvirt package for Factory.

- fix leak after listing all volumes - CVE-2013-1962
  ca697e90-CVE-2013-1962.patch
  bnc#820397
- Fix iohelper usage with streams opened for read
  a2214c52-iohelper.patch
- Cope with missing swap cgroup controls
  f493d83f-cgroup-swap-control.patch
  bnc#819976
- Fix cgroup handling when setting VCPU BW
  0471637d-cgroups-vcpu-bw.patch
  rhb#963592
- Escape a leading '.' with '_' in the cgroup names
  0ced83dc-cgroup-escape-dot.patch
- Add missing documentation on new cgroup layout
  486a86eb-cgroups-docs.patch
- Another fix related to systems with no cgroups
  c2cf5f1c-no-cgroups-fix.patch
  bnc#819963

- Fix botched backport of commit bbe97ae9

- Fix starting domains when kernel has no cgroups support
  bbe97ae9-no-cgroups.patch

- Update to libvirt 1.0.5
  - PPC64: Add NVRAM device
  - Add XML config for resource partitions
  - Add support for TPM
  - NPIV storage migration support
  - Many incremental improvements and bug fixes, see

OBS-URL: https://build.opensuse.org/request/show/176049
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/libvirt?expand=0&rev=117
Stephan Kulow 2013-05-27 07:52:23 +00:00 committed by Git OBS Bridge
commit eb797057ed
27 changed files with 858 additions and 237 deletions


@ -0,0 +1,63 @@
commit 0471637d5628106d058f0eb5516ffa7d5285cc6f
Author: Martin Kletzander <mkletzan@redhat.com>
Date: Thu May 16 14:37:54 2013 +0200
qemu: Fix cgroup handling when setting VCPU BW
Commit 632f78c introduced a regression which causes schedinfo being
unable to set some parameters. When migrating to priv->cgroup there
was missing variable left out and due to passed NULL to underlying
function, the setting failed.
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=963592
Index: libvirt-1.0.5/src/qemu/qemu_driver.c
===================================================================
--- libvirt-1.0.5.orig/src/qemu/qemu_driver.c
+++ libvirt-1.0.5/src/qemu/qemu_driver.c
@@ -7721,7 +7721,6 @@ qemuDomainSetSchedulerParametersFlags(vi
{
virQEMUDriverPtr driver = dom->conn->privateData;
int i;
- virCgroupPtr group = NULL;
virDomainObjPtr vm = NULL;
virDomainDefPtr vmdef = NULL;
unsigned long long value_ul;
@@ -7799,7 +7798,7 @@ qemuDomainSetSchedulerParametersFlags(vi
QEMU_SCHED_MIN_PERIOD, QEMU_SCHED_MAX_PERIOD);
if (flags & VIR_DOMAIN_AFFECT_LIVE && value_ul) {
- if ((rc = qemuSetVcpusBWLive(vm, group, value_ul, 0)))
+ if ((rc = qemuSetVcpusBWLive(vm, priv->cgroup, value_ul, 0)))
goto cleanup;
vm->def->cputune.period = value_ul;
@@ -7813,7 +7812,7 @@ qemuDomainSetSchedulerParametersFlags(vi
QEMU_SCHED_MIN_QUOTA, QEMU_SCHED_MAX_QUOTA);
if (flags & VIR_DOMAIN_AFFECT_LIVE && value_l) {
- if ((rc = qemuSetVcpusBWLive(vm, group, 0, value_l)))
+ if ((rc = qemuSetVcpusBWLive(vm, priv->cgroup, 0, value_l)))
goto cleanup;
vm->def->cputune.quota = value_l;
@@ -7827,7 +7826,8 @@ qemuDomainSetSchedulerParametersFlags(vi
QEMU_SCHED_MIN_PERIOD, QEMU_SCHED_MAX_PERIOD);
if (flags & VIR_DOMAIN_AFFECT_LIVE && value_ul) {
- if ((rc = qemuSetEmulatorBandwidthLive(vm, group, value_ul, 0)))
+ if ((rc = qemuSetEmulatorBandwidthLive(vm, priv->cgroup,
+ value_ul, 0)))
goto cleanup;
vm->def->cputune.emulator_period = value_ul;
@@ -7841,7 +7841,8 @@ qemuDomainSetSchedulerParametersFlags(vi
QEMU_SCHED_MIN_QUOTA, QEMU_SCHED_MAX_QUOTA);
if (flags & VIR_DOMAIN_AFFECT_LIVE && value_l) {
- if ((rc = qemuSetEmulatorBandwidthLive(vm, group, 0, value_l)))
+ if ((rc = qemuSetEmulatorBandwidthLive(vm, priv->cgroup,
+ 0, value_l)))
goto cleanup;
vm->def->cputune.emulator_quota = value_l;
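Review bot: `priv->cgroup` is now passed straight to `qemuSetVcpusBWLive()` and `qemuSetEmulatorBandwidthLive()` at all four call sites, and none of the hunks shows a check that it is non-NULL. The cgroup patches elsewhere on this page let `qemuInitCgroup()` succeed on hosts without cgroups, so a running domain can presumably have `priv->cgroup == NULL`, which would bring back the NULL-argument failure this patch fixes. If the function does not already reject that case before the parameter loop, a guard such as `if ((flags & VIR_DOMAIN_AFFECT_LIVE) && !priv->cgroup)` with an explicit error would fail early rather than part-way through applying CPU limits. The declaration of `priv` and the start and end of the function are outside the hunks, so this needs confirming against the full body.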


@ -0,0 +1,24 @@
commit 0ced83dcfbb19af1201202e1af0a7073c338aabd
Author: Daniel P. Berrange <berrange@redhat.com>
Date: Fri May 3 20:56:50 2013 +0100
Escaping leading '.' in cgroup names
Escaping a leading '.' with '_' in the cgroup names
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
Index: libvirt-1.0.5/src/util/vircgroup.c
===================================================================
--- libvirt-1.0.5.orig/src/util/vircgroup.c
+++ libvirt-1.0.5/src/util/vircgroup.c
@@ -1106,7 +1106,8 @@ static int virCgroupPartitionNeedsEscapi
if (STRPREFIX(path, "cgroup."))
return 1;
- if (path[0] == '_')
+ if (path[0] == '_' ||
+ path[0] == '.')
return 1;
if (!(fp = fopen("/proc/cgroups", "r")))
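Review bot: The new `path[0] == '.'` test has no comment saying why a leading dot must be escaped, and partition names reach this code from the guest XML `<partition>` element described in the docs patch on this page. A one-line comment above the condition would record the intent, for example `/* a leading '.' would hide the cgroup directory, and "." or ".." would name an existing directory */`. That rationale is inferred from the change rather than stated in the commit message, so confirm it before adding. The function continues past the end of the hunk.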

317
486a86eb-cgroups-docs.patch Normal file

@ -0,0 +1,317 @@
commit 486a86eb184c008c5957fb68c63f163289f3344b
Author: Daniel P. Berrange <berrange@redhat.com>
Date: Fri May 3 16:58:26 2013 +0100
Add docs about cgroups layout and usage
Describe the new cgroups layout, how to customize placement
of guests and what virsh commands are used to access the
parameters.
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
Index: libvirt-1.0.5/docs/cgroups.html.in
===================================================================
--- /dev/null
+++ libvirt-1.0.5/docs/cgroups.html.in
@@ -0,0 +1,285 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+ <body>
+ <h1>Control Groups Resource Management</h1>
+
+ <ul id="toc"></ul>
+
+ <p>
+ The QEMU and LXC drivers make use of the Linux "Control Groups" facility
+ for applying resource management to their virtual machines and containers.
+ </p>
+
+ <h2><a name="requiredControllers">Required controllers</a></h2>
+
+ <p>
+ The control groups filesystem supports multiple "controllers". By default
+ the init system (such as systemd) should mount all controllers compiled
+ into the kernel at <code>/sys/fs/cgroup/$CONTROLLER-NAME</code>. Libvirt
+ will never attempt to mount any controllers itself, merely detect where
+ they are mounted.
+ </p>
+
+ <p>
+ The QEMU driver is capable of using the <code>cpuset</code>,
+ <code>cpu</code>, <code>memory</code>, <code>blkio</code> and
+ <code>devices</code> controllers. None of them are compulsory.
+ If any controller is not mounted, the resource management APIs
+ which use it will cease to operate. It is possible to explicitly
+ turn off use of a controller, even when mounted, via the
+ <code>/etc/libvirt/qemu.conf</code> configuration file.
+ </p>
+
+ <p>
+ The LXC driver is capable of using the <code>cpuset</code>,
+ <code>cpu</code>, <code>cpuset</code>, <code>freezer</code>,
+ <code>memory</code>, <code>blkio</code> and <code>devices</code>
+ controllers. The <code>cpuset</code>, <code>devices</code>
+ and <code>memory</code> controllers are compulsory. Without
+ them mounted, no containers can be started. If any of the
+ other controllers are not mounted, the resource management APIs
+ which use them will cease to operate.
+ </p>
+
+ <h2><a name="currentLayout">Current cgroups layout</a></h2>
+
+ <p>
+ As of libvirt 1.0.5 or later, the cgroups layout created by libvirt has been
+ simplified, in order to facilitate the setup of resource control policies by
+ administrators / management applications. The layout is based on the concepts of
+ "partitions" and "consumers". Each virtual machine or container is a consumer,
+ and has a corresponding cgroup named <code>$VMNAME.libvirt-{qemu,lxc}</code>.
+ Each consumer is associated with exactly one partition, which also have a
+ corresponding cgroup usually named <code>$PARTNAME.partition</code>. The
+ exceptions to this naming rule are the three top level default partitions,
+ named <code>/system</code> (for system services), <code>/user</code> (for
+ user login sessions) and <code>/machine</code> (for virtual machines and
+ containers). By default every consumer will of course be associated with
+ the <code>/machine</code> partition. This leads to a hierarchy that looks
+ like
+ </p>
+
+ <pre>
+$ROOT
+ |
+ +- system
+ | |
+ | +- libvirtd.service
+ |
+ +- machine
+ |
+ +- vm1.libvirt-qemu
+ | |
+ | +- emulator
+ | +- vcpu0
+ | +- vcpu1
+ |
+ +- vm2.libvirt-qemu
+ | |
+ | +- emulator
+ | +- vcpu0
+ | +- vcpu1
+ |
+ +- vm3.libvirt-qemu
+ | |
+ | +- emulator
+ | +- vcpu0
+ | +- vcpu1
+ |
+ +- container1.libvirt-lxc
+ |
+ +- container2.libvirt-lxc
+ |
+ +- container3.libvirt-lxc
+ </pre>
+
+ <p>
+ The default cgroups layout ensures that, when there is contention for
+ CPU time, it is shared equally between system services, user sessions
+ and virtual machines / containers. This prevents virtual machines from
+ locking the administrator out of the host, or impacting execution of
+ system services. Conversely, when there is no contention from
+ system services / user sessions, it is possible for virtual machines
+ to fully utilize the host CPUs.
+ </p>
+
+ <h2><a name="customPartiton">Using custom partitions</a></h2>
+
+ <p>
+ If there is a need to apply resource constraints to groups of
+ virtual machines or containers, then the single default
+ partition <code>/machine</code> may not be sufficiently
+ flexible. The administrator may wish to sub-divide the
+ default partition, for example into "testing" and "production"
+ partitions, and then assign each guest to a specific
+ sub-partition. This is achieved via a small element addition
+ to the guest domain XML config, just below the main <code>domain</code>
+ element
+ </p>
+
+ <pre>
+ ...
+ &lt;resource&gt;
+ &lt;partition&gt;/machine/production&lt;/partition&gt;
+ &lt;/resource&gt;
+ ...
+ </pre>
+
+ <p>
+ Libvirt will not auto-create the cgroups directory to back
+ this partition. In the future, libvirt / virsh will provide
+ APIs / commands to create custom partitions, but currently
+ this is left as an exercise for the administrator. For
+ example, given the XML config above, the admin would need
+ to create a cgroup named '/machine/production.partition'
+ </p>
+
+ <pre>
+# cd /sys/fs/cgroup
+# for i in blkio cpu,cpuacct cpuset devices freezer memory net_cls perf_event
+ do
+ mkdir $i/machine/production.partition
+ done
+# for i in cpuset.cpus cpuset.mems
+ do
+ cat cpuset/machine/$i > cpuset/machine/production.partition/$i
+ done
+</pre>
+
+ <p>
+ <strong>Note:</strong> the cgroups directory created as a ".partition"
+ suffix, but the XML config does not require this suffix.
+ </p>
+
+ <p>
+ <strong>Note:</strong> the ability to place guests in custom
+ partitions is only available with libvirt &gt;= 1.0.5, using
+ the new cgroup layout. The legacy cgroups layout described
+ later did not support customization per guest.
+ </p>
+
+ <h2><a name="resourceAPIs">Resource management APIs/commands</a></h2>
+
+ <p>
+ Since libvirt aims to provide an API which is portable across
+ hypervisors, the concept of cgroups is not exposed directly
+ in the API or XML configuration. It is considered to be an
+ internal implementation detail. Instead libvirt provides a
+ set of APIs for applying resource controls, which are then
+ mapped to corresponding cgroup tunables
+ </p>
+
+ <h3>Scheduler tuning</h3>
+
+ <p>
+ Parameters from the "cpu" controller are exposed via the
+ <code>schedinfo</code> command in virsh.
+ </p>
+
+ <pre>
+# virsh schedinfo demo
+Scheduler : posix
+cpu_shares : 1024
+vcpu_period : 100000
+vcpu_quota : -1
+emulator_period: 100000
+emulator_quota : -1</pre>
+
+
+ <h3>Block I/O tuning</h3>
+
+ <p>
+ Parameters from the "blkio" controller are exposed via the
+ <code>bkliotune</code> command in virsh.
+ </p>
+
+
+ <pre>
+# virsh blkiotune demo
+weight : 500
+device_weight : </pre>
+
+ <h3>Memory tuning</h3>
+
+ <p>
+ Parameters from the "memory" controller are exposed via the
+ <code>memtune</code> command in virsh.
+ </p>
+
+ <pre>
+# virsh memtune demo
+hard_limit : 580192
+soft_limit : unlimited
+swap_hard_limit: unlimited
+ </pre>
+
+ <h3>Network tuning</h3>
+
+ <p>
+ The <code>net_cls</code> is not currently used. Instead traffic
+ filter policies are set directly against individual virtual
+ network interfaces.
+ </p>
+
+ <h2><a name="legacyLayout">Legacy cgroups layout</a></h2>
+
+ <p>
+ Prior to libvirt 1.0.5, the cgroups layout created by libvirt was different
+ from that described above, and did not allow for administrator customization.
+ Libvirt used a fixed, 3-level hierarchy <code>libvirt/{qemu,lxc}/$VMNAME</code>
+ which was rooted at the point in the hierarchy where libvirtd itself was
+ located. So if libvirtd was placed at <code>/system/libvirtd.service</code>
+ by systemd, the groups for each virtual machine / container would be located
+ at <code>/system/libvirtd.service/libvirt/{qemu,lxc}/$VMNAME</code>. In addition
+ to this, the QEMU drivers further child groups for each vCPU thread and the
+ emulator thread(s). This leads to a hierarchy that looked like
+ </p>
+
+
+ <pre>
+$ROOT
+ |
+ +- system
+ |
+ +- libvirtd.service
+ |
+ +- libvirt
+ |
+ +- qemu
+ | |
+ | +- vm1
+ | | |
+ | | +- emulator
+ | | +- vcpu0
+ | | +- vcpu1
+ | |
+ | +- vm2
+ | | |
+ | | +- emulator
+ | | +- vcpu0
+ | | +- vcpu1
+ | |
+ | +- vm3
+ | |
+ | +- emulator
+ | +- vcpu0
+ | +- vcpu1
+ |
+ +- lxc
+ |
+ +- container1
+ |
+ +- container2
+ |
+ +- container3
+ </pre>
+
+ <p>
+ Although current releases are much improved, historically the use of deep
+ hierarchies has had a significant negative impact on the kernel scalability.
+ The legacy libvirt cgroups layout highlighted these problems, to the detriment
+ of the performance of virtual machines and containers.
+ </p>
+ </body>
+</html>
Index: libvirt-1.0.5/docs/sitemap.html.in
===================================================================
--- libvirt-1.0.5.orig/docs/sitemap.html.in
+++ libvirt-1.0.5/docs/sitemap.html.in
@@ -87,6 +87,10 @@
<span>Ensuring exclusive guest access to disks</span>
</li>
<li>
+ <a href="cgroups.html">CGroups</a>
+ <span>Control groups integration</span>
+ </li>
+ <li>
<a href="hooks.html">Hooks</a>
<span>Hooks for system specific management</span>
</li>

28
a2214c52-iohelper.patch Normal file

@ -0,0 +1,28 @@
commit a2214c5257d3bd7b086ce04aca1648e8ff05ee96
Author: Daniel P. Berrange <berrange@redhat.com>
Date: Fri May 10 14:45:05 2013 +0100
Fix iohelper usage with streams opened for read
In b2878ed860ceceec3cd6481424fed0b543b687cd we added the O_NOCTTY
flag when opening files in the stream code. Unfortunately a later
piece of code was comparing the flags == O_RDONLY, without masking
out the non-access mode flags. This broke the iohelper when used
with streams for read, since it caused us to attach the stream
output pipe to the stream input FD instead of output FD :-(
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
Index: libvirt-1.0.5/src/fdstream.c
===================================================================
--- libvirt-1.0.5.orig/src/fdstream.c
+++ libvirt-1.0.5/src/fdstream.c
@@ -640,7 +640,7 @@ virFDStreamOpenFileInternal(virStreamPtr
virCommandTransferFD(cmd, fd);
virCommandAddArgFormat(cmd, "%d", fd);
- if (oflags == O_RDONLY) {
+ if ((oflags & O_ACCMODE) == O_RDONLY) {
childfd = fds[1];
fd = fds[0];
virCommandSetOutputFD(cmd, &childfd);
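Review bot: The masked test `(oflags & O_ACCMODE) == O_RDONLY` deserves a comment, because the unmasked form it replaces looks correct at a glance and, per the commit message, attached the iohelper pipe to the wrong FD once `O_NOCTTY` was OR-ed into the flags. Something like `/* oflags may carry O_NOCTTY and other non-access bits; compare the access mode only */` above the `if` would keep the mask from being dropped again. The rest of `virFDStreamOpenFileInternal` lies outside the hunk and is worth checking for any other direct comparison of `oflags` against an access-mode constant.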

102
bbe97ae9-no-cgroups.patch Normal file

@ -0,0 +1,102 @@
commit bbe97ae968eba60b71e0066d49f9fc909966d9d6
Author: Jim Fehlig <jfehlig@suse.com>
Date: Fri May 10 12:05:00 2013 -0600
Fix starting domains when kernel has no cgroups support
Found that I was unable to start existing domains after updating
to a kernel with no cgroups support
# zgrep CGROUP /proc/config.gz
# CONFIG_CGROUPS is not set
# virsh start test
error: Failed to start domain test
error: Unable to initialize /machine cgroup: Cannot allocate memory
virCgroupPartitionNeedsEscaping() correctly returns errno (ENOENT) when
attempting to open /proc/cgroups on such a system, but it was being
dropped in virCgroupSetPartitionSuffix().
Change virCgroupSetPartitionSuffix() to propagate errors returned by
its callees. Also check for ENOENT in qemuInitCgroup() when determining
if cgroups support is available.
Index: libvirt-1.0.5/src/qemu/qemu_cgroup.c
===================================================================
--- libvirt-1.0.5.orig/src/qemu/qemu_cgroup.c
+++ libvirt-1.0.5/src/qemu/qemu_cgroup.c
@@ -415,7 +415,8 @@ int qemuInitCgroup(virQEMUDriverPtr driv
if (rc != 0) {
if (rc == -ENXIO ||
rc == -EPERM ||
- rc == -EACCES) { /* No cgroups mounts == success */
+ rc == -EACCES ||
+ rc == -ENOENT) { /* No cgroups mounts == success */
VIR_DEBUG("No cgroups present/configured/accessible, ignoring error");
goto done;
}
Index: libvirt-1.0.5/src/util/vircgroup.c
===================================================================
--- libvirt-1.0.5.orig/src/util/vircgroup.c
+++ libvirt-1.0.5/src/util/vircgroup.c
@@ -1168,14 +1168,14 @@ static int virCgroupPartitionEscape(char
return 0;
}
-static char *virCgroupSetPartitionSuffix(const char *path)
+static int virCgroupSetPartitionSuffix(const char *path, char **res)
{
char **tokens = virStringSplit(path, "/", 0);
size_t i;
- char *ret = NULL;
+ int ret = -1;
if (!tokens)
- return NULL;
+ return ret;
for (i = 0 ; tokens[i] != NULL ; i++) {
/* Whitelist the 3 top level fixed dirs
@@ -1194,20 +1194,27 @@ static char *virCgroupSetPartitionSuffix
!strchr(tokens[i], '.')) {
if (VIR_REALLOC_N(tokens[i],
strlen(tokens[i]) + strlen(".partition") + 1) < 0) {
+ ret = -ENOMEM;
virReportOOMError();
goto cleanup;
}
strcat(tokens[i], ".partition");
}
- if (virCgroupPartitionEscape(&(tokens[i])) < 0) {
- virReportOOMError();
+ ret = virCgroupPartitionEscape(&(tokens[i]));
+ if (ret < 0) {
+ if (ret == -ENOMEM)
+ virReportOOMError();
goto cleanup;
}
}
- if (!(ret = virStringJoin((const char **)tokens, "/")))
+ if (!(*res = virStringJoin((const char **)tokens, "/"))) {
+ ret = -ENOMEM;
goto cleanup;
+ }
+
+ ret = 0;
cleanup:
virStringFreeList(tokens);
@@ -1242,9 +1249,9 @@ int virCgroupNewPartition(const char *pa
/* XXX convert all cgroups APIs to use error report
* APIs instead of returning errno */
- if (!(newpath = virCgroupSetPartitionSuffix(path))) {
+ rc = virCgroupSetPartitionSuffix(path, &newpath);
+ if (rc < 0) {
virResetLastError();
- rc = -ENOMEM;
goto cleanup;
}
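Review bot: `virCgroupSetPartitionSuffix()` now returns `ret` while it still holds its initial `-1` when `virStringSplit()` fails, and on Linux `-1` is `-EPERM`. `virCgroupNewPartition()` passes that value on as `rc`, and the `qemuInitCgroup()` hunk in this same patch treats `-EPERM` as "No cgroups mounts == success". An allocation failure here could therefore let a guest start with no cgroup set up, assuming this `rc` is the value that reaches `qemuInitCgroup()`, which the hunks do not show. Before the change this path produced `-ENOMEM`; `int ret = -ENOMEM;` at the declaration, or `return -ENOMEM;` in the `!tokens` branch, keeps that behaviour. `*res` is also left unset on every error path, so the caller has to initialise `newpath` to NULL before the call.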


@ -0,0 +1,49 @@
commit c2cf5f1c2abc81d607abe34bf5dc4c615a9b8b4d
Author: Daniel P. Berrange <berrange@redhat.com>
Date: Thu May 16 18:47:07 2013 +0100
Fix failure to detect missing cgroup partitions
Change bbe97ae968eba60b71e0066d49f9fc909966d9d6 caused the
QEMU driver to ignore ENOENT errors from cgroups, in order
to cope with missing /proc/cgroups. This is not good though
because many other things can cause ENOENT and should not
be ignored. The callers expect to see ENXIO when cgroups
are not present, so adjust the code to report that errno
when /proc/cgroups is missing
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
Index: libvirt-1.0.5/src/qemu/qemu_cgroup.c
===================================================================
--- libvirt-1.0.5.orig/src/qemu/qemu_cgroup.c
+++ libvirt-1.0.5/src/qemu/qemu_cgroup.c
@@ -415,8 +415,7 @@ int qemuInitCgroup(virQEMUDriverPtr driv
if (rc != 0) {
if (rc == -ENXIO ||
rc == -EPERM ||
- rc == -EACCES ||
- rc == -ENOENT) { /* No cgroups mounts == success */
+ rc == -EACCES) { /* No cgroups mounts == success */
VIR_DEBUG("No cgroups present/configured/accessible, ignoring error");
goto done;
}
Index: libvirt-1.0.5/src/util/vircgroup.c
===================================================================
--- libvirt-1.0.5.orig/src/util/vircgroup.c
+++ libvirt-1.0.5/src/util/vircgroup.c
@@ -1110,8 +1110,13 @@ static int virCgroupPartitionNeedsEscapi
path[0] == '.')
return 1;
- if (!(fp = fopen("/proc/cgroups", "r")))
+ if (!(fp = fopen("/proc/cgroups", "r"))) {
+ /* The API contract is that we return ENXIO
+ * if cgroups are not available on a host */
+ if (errno == ENOENT)
+ errno = ENXIO;
return -errno;
+ }
/*
* Data looks like this:
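Review bot: The new block in `virCgroupPartitionNeedsEscaping()` overwrites the global `errno` only to change the return value; `return errno == ENOENT ? -ENXIO : -errno;` gives the same result without altering what later code sees in `errno`. Separately, the `qemuInitCgroup()` hunk in this patch turns `-ENXIO` into success with only a `VIR_DEBUG` message, so on a host without `/proc/cgroups` guests start with no cgroup resource controls and nothing at the default log level records it. Logging that branch at a higher severity would let an administrator notice that the limits are not being enforced. Both functions extend beyond the hunks shown.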


@ -0,0 +1,26 @@
commit ca697e90d5bd6a6dfb94bfb6d4438bdf9a44b739
Author: Ján Tomko <jtomko@redhat.com>
Date: Fri Apr 12 17:30:56 2013 +0200
daemon: fix leak after listing all volumes
CVE-2013-1962
remoteDispatchStoragePoolListAllVolumes wasn't freeing the pool.
The pool also held a reference to the connection, preventing it from
getting freed and closing the netcf interface driver, which held two
sockets open.
Index: libvirt-1.0.5/daemon/remote.c
===================================================================
--- libvirt-1.0.5.orig/daemon/remote.c
+++ libvirt-1.0.5/daemon/remote.c
@@ -4226,6 +4226,8 @@ cleanup:
virStorageVolFree(vols[i]);
VIR_FREE(vols);
}
+ if (pool)
+ virStoragePoolFree(pool);
return rv;
}
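Review bot: The added `virStoragePoolFree(pool)` sits under `cleanup:`, which is presumably also reached by early `goto cleanup` exits, so it is only safe if `pool` is initialised to NULL where it is declared; that declaration is outside the hunk and should be confirmed. A short comment would record why this free matters beyond memory, e.g. `/* pool holds a reference on the connection; drop it on every exit path */`, since per the commit message the leaked reference kept the connection and two sockets open. Any other dispatcher in this file that looks up an object before listing its children is worth checking for the same missing free.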


@ -1,68 +0,0 @@
commit ce4557c3ab3702639db73615dd144ddf036321ed
Author: Guannan Ren <gren@redhat.com>
Date: Fri Mar 8 00:16:59 2013 +0800
apparmor: use AppArmorSetFDLabel for both imageFD and tapFD
Rename AppArmorSetImageFDLabel to AppArmorSetFDLabel which could
be used as a common function for *ALL* fd relabelling in Linux.
In apparmor profile for specific vm with uuid cdbebdfa-1d6d-65c3-be0f-fd74b978a773
Path: /etc/apparmor.d/libvirt/libvirt-cdbebdfa-1d6d-65c3-be0f-fd74b978a773.files
The last line is for the tapfd relabelling.
# DO NOT EDIT THIS FILE DIRECTLY. IT IS MANAGED BY LIBVIRT.
"/var/log/libvirt/**/rhel6qcow2.log" w,
"/var/lib/libvirt/**/rhel6qcow2.monitor" rw,
"/var/run/libvirt/**/rhel6qcow2.pid" rwk,
"/run/libvirt/**/rhel6qcow2.pid" rwk,
"/var/run/libvirt/**/*.tunnelmigrate.dest.rhel6qcow2" rw,
"/run/libvirt/**/*.tunnelmigrate.dest.rhel6qcow2" rw,
"/var/lib/libvirt/images/rhel6u3qcow2.img" rw,
"/dev/tap45" rw,
Index: libvirt-1.0.3/src/security/security_apparmor.c
===================================================================
--- libvirt-1.0.3.orig/src/security/security_apparmor.c
+++ libvirt-1.0.3/src/security/security_apparmor.c
@@ -884,9 +884,9 @@ AppArmorRestoreSavedStateLabel(virSecuri
}
static int
-AppArmorSetImageFDLabel(virSecurityManagerPtr mgr,
- virDomainDefPtr def,
- int fd)
+AppArmorSetFDLabel(virSecurityManagerPtr mgr,
+ virDomainDefPtr def,
+ int fd)
{
int rc = -1;
char *proc = NULL;
@@ -915,16 +915,6 @@ AppArmorSetImageFDLabel(virSecurityManag
return reload_profile(mgr, def, fd_path, true);
}
-/* TODO need code here */
-static int
-AppArmorSetTapFDLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
- virDomainDefPtr def ATTRIBUTE_UNUSED,
- int fd ATTRIBUTE_UNUSED)
-{
- return 0;
-}
-
-
static char *
AppArmorGetMountOptions(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
virDomainDefPtr vm ATTRIBUTE_UNUSED)
@@ -975,8 +965,8 @@ virSecurityDriver virAppArmorSecurityDri
.domainSetSavedStateLabel = AppArmorSetSavedStateLabel,
.domainRestoreSavedStateLabel = AppArmorRestoreSavedStateLabel,
- .domainSetSecurityImageFDLabel = AppArmorSetImageFDLabel,
- .domainSetSecurityTapFDLabel = AppArmorSetTapFDLabel,
+ .domainSetSecurityImageFDLabel = AppArmorSetFDLabel,
+ .domainSetSecurityTapFDLabel = AppArmorSetFDLabel,
.domainGetSecurityMountOptions = AppArmorGetMountOptions,
};


@ -2,7 +2,7 @@ Index: src/lxc/lxc_container.c
===================================================================
--- src/lxc/lxc_container.c.orig
+++ src/lxc/lxc_container.c
@@ -136,6 +136,7 @@ int lxcContainerHasReboot(void)
@@ -138,6 +138,7 @@ int lxcContainerHasReboot(void)
int cmd, v;
int status;
char *tmp;
@ -10,7 +10,7 @@ Index: src/lxc/lxc_container.c
if (virFileReadAll("/proc/sys/kernel/ctrl-alt-del", 10, &buf) < 0)
return -1;
@@ -152,14 +153,21 @@ int lxcContainerHasReboot(void)
@@ -154,14 +155,21 @@ int lxcContainerHasReboot(void)
VIR_FREE(buf);
cmd = v ? LINUX_REBOOT_CMD_CAD_ON : LINUX_REBOOT_CMD_CAD_OFF;
@ -34,7 +34,7 @@ Index: src/lxc/lxc_container.c
VIR_FREE(stack);
if (cpid < 0) {
virReportSystemError(errno, "%s",
@@ -2358,6 +2366,9 @@ int lxcContainerStart(virDomainDefPtr de
@@ -2116,6 +2124,9 @@ int lxcContainerStart(virDomainDefPtr de
ttyPaths, nttyPaths, handshakefd};
/* allocate a stack for the container */
@ -44,7 +44,7 @@ Index: src/lxc/lxc_container.c
if (VIR_ALLOC_N(stack, stacksize) < 0) {
virReportOOMError();
return -1;
@@ -2377,7 +2388,11 @@ int lxcContainerStart(virDomainDefPtr de
@@ -2134,7 +2145,11 @@ int lxcContainerStart(virDomainDefPtr de
cflags |= CLONE_NEWNET;
}
@ -56,7 +56,7 @@ Index: src/lxc/lxc_container.c
VIR_FREE(stack);
VIR_DEBUG("clone() completed, new container PID is %d", pid);
@@ -2403,6 +2418,7 @@ int lxcContainerAvailable(int features)
@@ -2160,6 +2175,7 @@ int lxcContainerAvailable(int features)
int cpid;
char *childStack;
char *stack;
@ -64,7 +64,7 @@ Index: src/lxc/lxc_container.c
if (features & LXC_CONTAINER_FEATURE_USER)
flags |= CLONE_NEWUSER;
@@ -2410,14 +2426,21 @@ int lxcContainerAvailable(int features)
@@ -2167,14 +2183,21 @@ int lxcContainerAvailable(int features)
if (features & LXC_CONTAINER_FEATURE_NET)
flags |= CLONE_NEWNET;


@ -0,0 +1,34 @@
commit f493d83fbd3257453e63f2f32ee90a216fd531c1
Author: Daniel P. Berrange <berrange@redhat.com>
Date: Thu May 9 13:53:39 2013 +0100
Cope with missing swap cgroup controls
It is possible to build a kernel without swap cgroup controls
present. This causes a fatal error when querying memory
parameters. Treat missing swap controls as meaning "unlimited".
The fatal error remains if the user tries to actually change
the limit.
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
Index: libvirt-1.0.5/src/qemu/qemu_driver.c
===================================================================
--- libvirt-1.0.5.orig/src/qemu/qemu_driver.c
+++ libvirt-1.0.5/src/qemu/qemu_driver.c
@@ -7351,9 +7351,12 @@ qemuDomainGetMemoryParameters(virDomainP
case 2: /* fill swap hard limit here */
rc = virCgroupGetMemSwapHardLimit(priv->cgroup, &val);
if (rc != 0) {
- virReportSystemError(-rc, "%s",
- _("unable to get swap hard limit"));
- goto cleanup;
+ if (rc != -ENOENT) {
+ virReportSystemError(-rc, "%s",
+ _("unable to get swap hard limit"));
+ goto cleanup;
+ }
+ val = VIR_DOMAIN_MEMORY_PARAM_UNLIMITED;
}
if (virTypedParameterAssign(param,
VIR_DOMAIN_MEMORY_SWAP_HARD_LIMIT,
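Review bot: Every `-ENOENT` from `virCgroupGetMemSwapHardLimit()` is now reported as `VIR_DOMAIN_MEMORY_PARAM_UNLIMITED`, yet the c2cf5f1c patch description on this same page points out that many things besides a missing feature can produce ENOENT. If the cgroup itself is missing, the caller would be told "unlimited" instead of getting an error, which hides a guest running outside its intended memory controls. At minimum the assignment should carry a comment such as `/* -ENOENT: kernel built without swap cgroup controls; report unlimited */`, and a `VIR_DEBUG` line would make the substitution traceable. The `switch` and the rest of `qemuDomainGetMemoryParameters` continue outside the hunk.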


@ -8,10 +8,10 @@ uses the 'device_configure' RPC.
This patch changes the xend driver to always call 'device_configure' for
PCI devices to be consistent with the usage in the xen tools.
Index: libvirt-1.0.3/src/xen/xend_internal.c
Index: libvirt-1.0.5/src/xen/xend_internal.c
===================================================================
--- libvirt-1.0.3.orig/src/xen/xend_internal.c
+++ libvirt-1.0.3/src/xen/xend_internal.c
--- libvirt-1.0.5.orig/src/xen/xend_internal.c
+++ libvirt-1.0.5/src/xen/xend_internal.c
@@ -2473,6 +2473,7 @@ xenDaemonAttachDeviceFlags(virDomainPtr
virBuffer buf = VIR_BUFFER_INITIALIZER;
char class[8], ref[80];


@ -1,7 +1,7 @@
Index: libvirt-1.0.3/examples/apparmor/Makefile.am
Index: libvirt-1.0.5/examples/apparmor/Makefile.am
===================================================================
--- libvirt-1.0.3.orig/examples/apparmor/Makefile.am
+++ libvirt-1.0.3/examples/apparmor/Makefile.am
--- libvirt-1.0.5.orig/examples/apparmor/Makefile.am
+++ libvirt-1.0.5/examples/apparmor/Makefile.am
@@ -1,8 +1,45 @@
## Copyright (C) 2005-2011 Red Hat, Inc.
## See COPYING.LIB for the License of this software
@ -53,10 +53,10 @@ Index: libvirt-1.0.3/examples/apparmor/Makefile.am
+ rm -f $(DESTDIR)$(sysconfdir)/apparmor.d/libvirt/TEMPLATE
+
+endif
Index: libvirt-1.0.3/examples/apparmor/usr.lib.libvirt.virt-aa-helper.in
Index: libvirt-1.0.5/examples/apparmor/usr.lib.libvirt.virt-aa-helper.in
===================================================================
--- /dev/null
+++ libvirt-1.0.3/examples/apparmor/usr.lib.libvirt.virt-aa-helper.in
+++ libvirt-1.0.5/examples/apparmor/usr.lib.libvirt.virt-aa-helper.in
@@ -0,0 +1,40 @@
+# Last Modified: Fri Aug 19 11:21:48 2011
+#include <tunables/global>
@ -98,9 +98,9 @@ Index: libvirt-1.0.3/examples/apparmor/usr.lib.libvirt.virt-aa-helper.in
+ /var/lib/kvm/images/ r,
+ /var/lib/kvm/images/** r,
+}
Index: libvirt-1.0.3/examples/apparmor/usr.lib.libvirt.virt-aa-helper
Index: libvirt-1.0.5/examples/apparmor/usr.lib.libvirt.virt-aa-helper
===================================================================
--- libvirt-1.0.3.orig/examples/apparmor/usr.lib.libvirt.virt-aa-helper
--- libvirt-1.0.5.orig/examples/apparmor/usr.lib.libvirt.virt-aa-helper
+++ /dev/null
@@ -1,38 +0,0 @@
-# Last Modified: Mon Apr 5 15:10:27 2010
@ -141,9 +141,9 @@ Index: libvirt-1.0.3/examples/apparmor/usr.lib.libvirt.virt-aa-helper
- /var/lib/libvirt/images/ r,
- /var/lib/libvirt/images/** r,
-}
Index: libvirt-1.0.3/examples/apparmor/usr.sbin.libvirtd
Index: libvirt-1.0.5/examples/apparmor/usr.sbin.libvirtd
===================================================================
--- libvirt-1.0.3.orig/examples/apparmor/usr.sbin.libvirtd
--- libvirt-1.0.5.orig/examples/apparmor/usr.sbin.libvirtd
+++ /dev/null
@@ -1,52 +0,0 @@
-# Last Modified: Mon Apr 5 15:03:58 2010
@ -198,10 +198,10 @@ Index: libvirt-1.0.3/examples/apparmor/usr.sbin.libvirtd
- change_profile -> @{LIBVIRT}-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*,
-
-}
Index: libvirt-1.0.3/examples/apparmor/usr.sbin.libvirtd.in
Index: libvirt-1.0.5/examples/apparmor/usr.sbin.libvirtd.in
===================================================================
--- /dev/null
+++ libvirt-1.0.3/examples/apparmor/usr.sbin.libvirtd.in
+++ libvirt-1.0.5/examples/apparmor/usr.sbin.libvirtd.in
@@ -0,0 +1,58 @@
+# Last Modified: Fri Aug 19 11:20:36 2011
+#include <tunables/global>
@ -261,9 +261,9 @@ Index: libvirt-1.0.3/examples/apparmor/usr.sbin.libvirtd.in
+ change_profile -> @{LIBVIRT}-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*,
+
+}
Index: libvirt-1.0.3/examples/apparmor/libvirt-qemu
Index: libvirt-1.0.5/examples/apparmor/libvirt-qemu
===================================================================
--- libvirt-1.0.3.orig/examples/apparmor/libvirt-qemu
--- libvirt-1.0.5.orig/examples/apparmor/libvirt-qemu
+++ /dev/null
@@ -1,129 +0,0 @@
-# Last Modified: Fri Mar 9 14:43:22 2012
@ -395,10 +395,10 @@ Index: libvirt-1.0.3/examples/apparmor/libvirt-qemu
-
- /usr/libexec/qemu-bridge-helper rmix,
- }
Index: libvirt-1.0.3/examples/apparmor/libvirt-qemu.in
Index: libvirt-1.0.5/examples/apparmor/libvirt-qemu.in
===================================================================
--- /dev/null
+++ libvirt-1.0.3/examples/apparmor/libvirt-qemu.in
+++ libvirt-1.0.5/examples/apparmor/libvirt-qemu.in
@@ -0,0 +1,132 @@
+# Last Modified: Fri Mar 9 14:43:22 2012
+


@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:8d085259072879ba1c9956dcfb4f016a7a6c938e0a06becf2a5817db4abe215a
size 16567568

3
libvirt-1.0.5.tar.bz2 Normal file

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:dd0ba7e6866c35a7df15d88526c1c1fb1de12b8ad577cc92aa3eb1f859e9f3b5
size 17170054


@ -1,9 +1,9 @@
Adjust libvirt-guests init files to conform to SUSE standards
Index: libvirt-1.0.3/tools/libvirt-guests.init.in
Index: libvirt-1.0.5/tools/libvirt-guests.init.in
===================================================================
--- libvirt-1.0.3.orig/tools/libvirt-guests.init.in
+++ libvirt-1.0.3/tools/libvirt-guests.init.in
--- libvirt-1.0.5.orig/tools/libvirt-guests.init.in
+++ libvirt-1.0.5/tools/libvirt-guests.init.in
@@ -3,15 +3,15 @@
# the following is the LSB init header
#
@ -28,10 +28,10 @@ Index: libvirt-1.0.3/tools/libvirt-guests.init.in
### END INIT INFO
# the following is chkconfig init header
Index: libvirt-1.0.3/tools/libvirt-guests.sh.in
Index: libvirt-1.0.5/tools/libvirt-guests.sh.in
===================================================================
--- libvirt-1.0.3.orig/tools/libvirt-guests.sh.in
+++ libvirt-1.0.3/tools/libvirt-guests.sh.in
--- libvirt-1.0.5.orig/tools/libvirt-guests.sh.in
+++ libvirt-1.0.5/tools/libvirt-guests.sh.in
@@ -1,13 +1,12 @@
#!/bin/sh
@ -130,7 +130,7 @@ Index: libvirt-1.0.3/tools/libvirt-guests.sh.in
eval_gettext "Resuming guests on \$uri URI..."; echo
for guest in $list; do
name=$(guest_name "$uri" "$guest")
@@ -377,7 +403,7 @@ shutdown_guests_parallel()
@@ -378,7 +404,7 @@ shutdown_guests_parallel()
timeout=$(($timeout - 1))
if [ $timeout -le 0 ]; then
eval_gettext "Timeout expired while shutting down domains"; echo
@ -139,7 +139,7 @@ Index: libvirt-1.0.3/tools/libvirt-guests.sh.in
return
fi
else
@@ -405,7 +431,7 @@ stop() {
@@ -406,7 +432,7 @@ stop() {
if [ $SHUTDOWN_TIMEOUT -lt 0 ]; then
gettext "SHUTDOWN_TIMEOUT must be equal or greater than 0"
echo
@ -148,7 +148,7 @@ Index: libvirt-1.0.3/tools/libvirt-guests.sh.in
return
fi
fi
@@ -453,14 +479,14 @@ stop() {
@@ -454,14 +480,14 @@ stop() {
if [ $? -ne 0 ]; then
eval_gettext "Failed to list persistent guests on \$uri"
echo
@ -165,7 +165,7 @@ Index: libvirt-1.0.3/tools/libvirt-guests.sh.in
set +f
return
fi
@@ -519,14 +545,13 @@ gueststatus() {
@@ -520,14 +546,13 @@ gueststatus() {
rh_status() {
if [ -f "$LISTFILE" ]; then
gettext "stopped, with saved guests"; echo
@ -174,23 +174,24 @@ Index: libvirt-1.0.3/tools/libvirt-guests.sh.in
else
if [ -f "$VAR_SUBSYS_LIBVIRT_GUESTS" ]; then
gettext "started"; echo
- RETVAL=0
else
gettext "stopped, with no saved guests"; echo
- RETVAL=3
+ rc_failed 3
fi
- RETVAL=0
fi
}
@@ -570,4 +595,4 @@ case "$1" in
@@ -572,4 +597,4 @@ case "$1" in
usage
;;
esac
-exit $RETVAL
+rc_exit
Index: libvirt-1.0.3/tools/libvirt-guests.sysconf
Index: libvirt-1.0.5/tools/libvirt-guests.sysconf
===================================================================
--- libvirt-1.0.3.orig/tools/libvirt-guests.sysconf
+++ libvirt-1.0.3/tools/libvirt-guests.sysconf
--- libvirt-1.0.5.orig/tools/libvirt-guests.sysconf
+++ libvirt-1.0.5/tools/libvirt-guests.sysconf
@@ -1,19 +1,29 @@
+## Path: System/Virtualization/libvirt-guests
+


@ -1,31 +0,0 @@
Index: b/src/util/viriptables.c
===================================================================
--- a/src/util/viriptables.c
+++ b/src/util/viriptables.c
@@ -478,22 +478,22 @@ iptablesForwardAllowRelatedIn(iptablesCo
VIR_SOCKET_ADDR_FAMILY(netaddr),
action,
"--destination", networkstr,
"--in-interface", physdev,
"--out-interface", iface,
- "--match", "state",
- "--state", "ESTABLISHED,RELATED",
+ "--match", "conntrack",
+ "--ctstate", "ESTABLISHED,RELATED",
"--jump", "ACCEPT",
NULL);
} else {
ret = iptablesAddRemoveRule(ctx->forward_filter,
VIR_SOCKET_ADDR_FAMILY(netaddr),
action,
"--destination", networkstr,
"--out-interface", iface,
- "--match", "state",
- "--state", "ESTABLISHED,RELATED",
+ "--match", "conntrack",
+ "--ctstate", "ESTABLISHED,RELATED",
"--jump", "ACCEPT",
NULL);
}
VIR_FREE(networkstr);
return ret;


@ -1,8 +1,8 @@
Index: libvirt-1.0.3/configure.ac
Index: libvirt-1.0.5/configure.ac
===================================================================
--- libvirt-1.0.3.orig/configure.ac
+++ libvirt-1.0.3/configure.ac
@@ -153,6 +153,7 @@ LIBVIRT_CHECK_DBUS
--- libvirt-1.0.5.orig/configure.ac
+++ libvirt-1.0.5/configure.ac
@@ -159,6 +159,7 @@ LIBVIRT_CHECK_DBUS
LIBVIRT_CHECK_FUSE
LIBVIRT_CHECK_HAL
LIBVIRT_CHECK_NETCF
@ -10,7 +10,7 @@ Index: libvirt-1.0.3/configure.ac
LIBVIRT_CHECK_NUMACTL
LIBVIRT_CHECK_OPENWSMAN
LIBVIRT_CHECK_PCIACCESS
@@ -2199,11 +2200,12 @@ if test "$with_libvirtd" = "no" ; then
@@ -2205,11 +2206,12 @@ if test "$with_libvirtd" = "no" ; then
with_interface=no
fi
@ -26,7 +26,7 @@ Index: libvirt-1.0.3/configure.ac
esac
if test "$with_interface" = "yes" ; then
@@ -2473,6 +2475,7 @@ LIBVIRT_RESULT_DBUS
@@ -2488,6 +2490,7 @@ LIBVIRT_RESULT_DBUS
LIBVIRT_RESULT_FUSE
LIBVIRT_RESULT_HAL
LIBVIRT_RESULT_NETCF
@ -34,11 +34,11 @@ Index: libvirt-1.0.3/configure.ac
LIBVIRT_RESULT_NUMACTL
LIBVIRT_RESULT_OPENWSMAN
LIBVIRT_RESULT_PCIACCESS
Index: libvirt-1.0.3/src/Makefile.am
Index: libvirt-1.0.5/src/Makefile.am
===================================================================
--- libvirt-1.0.3.orig/src/Makefile.am
+++ libvirt-1.0.3/src/Makefile.am
@@ -643,6 +643,10 @@ if WITH_NETCF
--- libvirt-1.0.5.orig/src/Makefile.am
+++ libvirt-1.0.5/src/Makefile.am
@@ -715,6 +715,10 @@ if WITH_NETCF
INTERFACE_DRIVER_SOURCES += \
interface/interface_backend_netcf.c
endif
@ -49,7 +49,7 @@ Index: libvirt-1.0.3/src/Makefile.am
if WITH_UDEV
INTERFACE_DRIVER_SOURCES += \
interface/interface_backend_udev.c
@@ -1130,11 +1134,16 @@ if WITH_NETCF
@@ -1200,11 +1204,16 @@ if WITH_NETCF
libvirt_driver_interface_la_CFLAGS += $(NETCF_CFLAGS)
libvirt_driver_interface_la_LIBADD += $(NETCF_LIBS)
else
@ -66,11 +66,11 @@ Index: libvirt-1.0.3/src/Makefile.am
if WITH_DRIVER_MODULES
libvirt_driver_interface_la_LIBADD += ../gnulib/lib/libgnu.la
libvirt_driver_interface_la_LDFLAGS += -module -avoid-version
Index: libvirt-1.0.3/tools/virsh.c
Index: libvirt-1.0.5/tools/virsh.c
===================================================================
--- libvirt-1.0.3.orig/tools/virsh.c
+++ libvirt-1.0.3/tools/virsh.c
@@ -2812,6 +2812,8 @@ vshShowVersion(vshControl *ctl ATTRIBUTE
--- libvirt-1.0.5.orig/tools/virsh.c
+++ libvirt-1.0.5/tools/virsh.c
@@ -2888,6 +2888,8 @@ vshShowVersion(vshControl *ctl ATTRIBUTE
vshPrint(ctl, " Interface");
# if defined(WITH_NETCF)
vshPrint(ctl, " netcf");
@ -79,10 +79,10 @@ Index: libvirt-1.0.3/tools/virsh.c
# elif defined(WITH_UDEV)
vshPrint(ctl, " udev");
# endif
Index: libvirt-1.0.3/src/interface/interface_backend_netcf.c
Index: libvirt-1.0.5/src/interface/interface_backend_netcf.c
===================================================================
--- libvirt-1.0.3.orig/src/interface/interface_backend_netcf.c
+++ libvirt-1.0.3/src/interface/interface_backend_netcf.c
--- libvirt-1.0.5.orig/src/interface/interface_backend_netcf.c
+++ libvirt-1.0.5/src/interface/interface_backend_netcf.c
@@ -23,7 +23,12 @@
#include <config.h>
@ -135,7 +135,7 @@ Index: libvirt-1.0.3/src/interface/interface_backend_netcf.c
static int netcf_to_vir_err(int netcf_errcode)
{
switch (netcf_errcode)
@@ -137,6 +173,10 @@ static virDrvOpenStatus interfaceOpenInt
@@ -137,6 +173,10 @@ static virDrvOpenStatus netcfInterfaceOp
goto mutex_error;
}
@ -146,10 +146,10 @@ Index: libvirt-1.0.3/src/interface/interface_backend_netcf.c
/* open netcf */
if (ncf_init(&driverState->netcf, NULL) != 0)
{
Index: libvirt-1.0.3/src/interface/interface_driver.c
Index: libvirt-1.0.5/src/interface/interface_driver.c
===================================================================
--- libvirt-1.0.3.orig/src/interface/interface_driver.c
+++ libvirt-1.0.3/src/interface/interface_driver.c
--- libvirt-1.0.5.orig/src/interface/interface_driver.c
+++ libvirt-1.0.5/src/interface/interface_driver.c
@@ -28,8 +28,15 @@ interfaceRegister(void) {
if (netcfIfaceRegister() == 0)
return 0;
@ -167,10 +167,10 @@ Index: libvirt-1.0.3/src/interface/interface_driver.c
if (udevIfaceRegister() == 0)
return 0;
#endif /* WITH_UDEV */
Index: libvirt-1.0.3/m4/virt-netcontrol.m4
Index: libvirt-1.0.5/m4/virt-netcontrol.m4
===================================================================
--- /dev/null
+++ libvirt-1.0.3/m4/virt-netcontrol.m4
+++ libvirt-1.0.5/m4/virt-netcontrol.m4
@@ -0,0 +1,35 @@
+dnl The libnetcontrol library
+dnl


@ -1,3 +1,60 @@
-------------------------------------------------------------------
Sat May 18 09:15:00 MDT 2013 - jfehlig@suse.com
- fix leak after listing all volumes - CVE-2013-1962
ca697e90-CVE-2013-1962.patch
bnc#820397
- Fix iohelper usage with streams opened for read
a2214c52-iohelper.patch
- Cope with missing swap cgroup controls
f493d83f-cgroup-swap-control.patch
bnc#819976
- Fix cgroup handling when setting VCPU BW
0471637d-cgroups-vcpu-bw.patch
rhb#963592
- Escape a leading '.' with '_' in the cgroup names
0ced83dc-cgroup-escape-dot.patch
- Add missing documentation on new cgroup layout
486a86eb-cgroups-docs.patch
- Another fix related to systems with no cgroups
c2cf5f1c-no-cgroups-fix.patch
bnc#819963
-------------------------------------------------------------------
Thu May 16 16:25:13 MDT 2013 - jfehlig@suse.com
- Fix botched backport of commit bbe97ae9
-------------------------------------------------------------------
Mon May 13 09:32:56 MDT 2013 - jfehlig@suse.com
- Fix starting domains when kernel has no cgroups support
bbe97ae9-no-cgroups.patch
-------------------------------------------------------------------
Thu May 2 13:14:00 MDT 2013 - jfehlig@suse.com
- Update to libvirt 1.0.5
- PPC64: Add NVRAM device
- Add XML config for resource partitions
- Add support for TPM
- NPIV storage migration support
- Many incremental improvements and bug fixes, see
http://libvirt.org/news.html
-------------------------------------------------------------------
Tue Apr 2 15:26:18 MDT 2013 - jfehlig@suse.com
- Update to libvirt 1.0.4
- qemu: support passthrough for iscsi disks
- various S390 improvements
- various LXC bugs fixes and improvements
- add API for thread cancellation
- Many incremental improvements and bug fixes, see
http://libvirt.org/news.html
- Drop upstream patches: ce4557c3-apparmor-tapfd-label.patch
libvirt-iptables-1.4.18.diff
-------------------------------------------------------------------
Sun Mar 24 20:05:28 UTC 2013 - seife+obs@b1-systems.com


@ -334,10 +334,16 @@ BuildRequires: sanlock-devel >= 2.4
%if %{with_systemd}
BuildRequires: systemd
%endif
%if %{with_libvirtd}
%if 0%{?suse_version} >= 1210
# For pool-build probing for existing pools
BuildRequires: libblkid-devel >= 2.17
%endif
%endif
Name: libvirt
Url: http://libvirt.org/
Version: 1.0.3
Version: 1.0.5
Release: 0
Summary: A C toolkit to interact with the virtualization capabilities of Linux
License: LGPL-2.1+
@ -417,12 +423,18 @@ Source1: libvirtd.init
Source2: libvirtd-relocation-server.fw
Source99: baselibs.conf
# Upstream patches
Patch0: ce4557c3-apparmor-tapfd-label.patch
Patch0: f493d83f-cgroup-swap-control.patch
Patch1: 486a86eb-cgroups-docs.patch
Patch2: 0ced83dc-cgroup-escape-dot.patch
Patch3: bbe97ae9-no-cgroups.patch
Patch4: 0471637d-cgroups-vcpu-bw.patch
Patch5: c2cf5f1c-no-cgroups-fix.patch
Patch6: a2214c52-iohelper.patch
Patch7: ca697e90-CVE-2013-1962.patch
# Need to go upstream
Patch100: xen-name-for-devid.patch
Patch101: clone.patch
Patch102: xen-pv-cdrom.patch
Patch103: libvirt-iptables-1.4.18.diff
# Our patches
Patch200: libvirtd-defaults.patch
Patch201: libvirtd-init-script.patch
@ -560,10 +572,16 @@ Authors:
%prep
%setup -q
%patch0 -p1
%patch1 -p1
%patch2 -p1
%patch3 -p1
%patch4 -p1
%patch5 -p1
%patch6 -p1
%patch7 -p1
%patch100 -p1
%patch101
%patch102 -p1
%patch103 -p1
%patch200 -p1
%patch201 -p1
%patch202 -p1
@ -1070,6 +1088,7 @@ fi
%{_datadir}/libvirt/schemas/storagepool.rng
%{_datadir}/libvirt/schemas/storagevol.rng
%{_datadir}/libvirt/cpu_map.xml
%{_datadir}/libvirt/libvirtLogo.png
%if %{with_sasl}
%config(noreplace) %{_sysconfdir}/sasl2/libvirt.conf
%endif
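Review bot: The entries added under `# Upstream patches` (`Patch0` through `Patch7`) carry no bug or CVE reference, so the spec on its own does not show which backport is the security fix or which tracker entry justifies each one. The .changes entry in this same commit already has the ids, and a one-line comment above each tracked patch would keep them next to the line that applies it, for example `# bnc#820397 - CVE-2013-1962` above `Patch7: ca697e90-CVE-2013-1962.patch` and `# bnc#819976` above `Patch0: f493d83f-cgroup-swap-control.patch`. That also makes it easier, at the next version update, to see which of these can be dropped once the release contains them.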


@ -1,7 +1,7 @@
Index: libvirt-1.0.3/daemon/libvirtd.conf
Index: libvirt-1.0.5/daemon/libvirtd.conf
===================================================================
--- libvirt-1.0.3.orig/daemon/libvirtd.conf
+++ libvirt-1.0.3/daemon/libvirtd.conf
--- libvirt-1.0.5.orig/daemon/libvirtd.conf
+++ libvirt-1.0.5/daemon/libvirtd.conf
@@ -18,8 +18,8 @@
# It is necessary to setup a CA and issue server certificates before
# using this capability.
@ -13,10 +13,10 @@ Index: libvirt-1.0.3/daemon/libvirtd.conf
# Listen for unencrypted TCP connections on the public TCP/IP port.
# NB, must pass the --listen flag to the libvirtd process for this to
Index: libvirt-1.0.3/daemon/libvirtd-config.c
Index: libvirt-1.0.5/daemon/libvirtd-config.c
===================================================================
--- libvirt-1.0.3.orig/daemon/libvirtd-config.c
+++ libvirt-1.0.3/daemon/libvirtd-config.c
--- libvirt-1.0.5.orig/daemon/libvirtd-config.c
+++ libvirt-1.0.5/daemon/libvirtd-config.c
@@ -233,7 +233,7 @@ daemonConfigNew(bool privileged ATTRIBUT
return NULL;
}


@ -1,9 +1,9 @@
Adjust libvirtd sysconfig file to conform to SUSE standards
Index: libvirt-1.0.3/daemon/libvirtd.sysconf
Index: libvirt-1.0.5/daemon/libvirtd.sysconf
===================================================================
--- libvirt-1.0.3.orig/daemon/libvirtd.sysconf
+++ libvirt-1.0.3/daemon/libvirtd.sysconf
--- libvirt-1.0.5.orig/daemon/libvirtd.sysconf
+++ libvirt-1.0.5/daemon/libvirtd.sysconf
@@ -1,16 +1,25 @@
+## Path: System/Virtualization/libvirt
+


@ -7,11 +7,11 @@ drivers as loadable modules instead of built-in to the
daemon. Then the qemu driver would only be loaded when needed,
which would never be the case on a xen-only configuration.
Index: libvirt-1.0.3/src/qemu/qemu_conf.c
Index: libvirt-1.0.5/src/qemu/qemu_conf.c
===================================================================
--- libvirt-1.0.3.orig/src/qemu/qemu_conf.c
+++ libvirt-1.0.3/src/qemu/qemu_conf.c
@@ -439,15 +439,15 @@ int virQEMUDriverConfigLoadFile(virQEMUD
--- libvirt-1.0.5.orig/src/qemu/qemu_conf.c
+++ libvirt-1.0.5/src/qemu/qemu_conf.c
@@ -435,15 +435,15 @@ int virQEMUDriverConfigLoadFile(virQEMUD
p = virConfGetValue(conf, "user");
CHECK_TYPE("user", VIR_CONF_STRING);


@ -8,15 +8,15 @@ Subject: [PATCH] support managed pci devices in xen driver
src/xenxs/xen_xm.c | 28 +++++++++++++++++++++++++++-
2 files changed, 35 insertions(+), 15 deletions(-)
Index: libvirt-1.0.3/src/xenxs/xen_sxpr.c
Index: libvirt-1.0.5/src/xenxs/xen_sxpr.c
===================================================================
--- libvirt-1.0.3.orig/src/xenxs/xen_sxpr.c
+++ libvirt-1.0.3/src/xenxs/xen_sxpr.c
--- libvirt-1.0.5.orig/src/xenxs/xen_sxpr.c
+++ libvirt-1.0.5/src/xenxs/xen_sxpr.c
@@ -1035,6 +1035,7 @@ xenParseSxprPCI(virDomainDefPtr def,
int busID;
int slotID;
int funcID;
+ int managed;
+ bool managed;
node = cur->u.s.car;
if (!sexpr_lookup(node, "dev"))
@ -30,28 +30,29 @@ Index: libvirt-1.0.3/src/xenxs/xen_sxpr.c
goto error;
dev->mode = VIR_DOMAIN_HOSTDEV_MODE_SUBSYS;
- dev->managed = 0;
+ dev->managed = managed;
- dev->managed = false;
+ dev->managed = managed ? true : false;
dev->source.subsys.type = VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_PCI;
dev->source.subsys.u.pci.domain = domainID;
dev->source.subsys.u.pci.bus = busID;
@@ -2044,11 +2047,14 @@ static void
dev->source.subsys.u.pci.addr.domain = domainID;
dev->source.subsys.u.pci.addr.bus = busID;
@@ -2042,11 +2045,15 @@ static void
xenFormatSxprPCI(virDomainHostdevDefPtr def,
virBufferPtr buf)
{
- virBufferAsprintf(buf, "(dev (domain 0x%04x)(bus 0x%02x)(slot 0x%02x)(func 0x%x))",
+ virBufferAsprintf(buf, "(dev (domain 0x%04x)(bus 0x%02x)(slot 0x%02x)(func 0x%x)",
def->source.subsys.u.pci.domain,
def->source.subsys.u.pci.bus,
def->source.subsys.u.pci.slot,
def->source.subsys.u.pci.function);
def->source.subsys.u.pci.addr.domain,
def->source.subsys.u.pci.addr.bus,
def->source.subsys.u.pci.addr.slot,
def->source.subsys.u.pci.addr.function);
+
+ if (def->managed)
+ virBufferAddLit(buf, "(opts (managed 1))");
+ virBufferAddLit(buf, ")");
}
@@ -2067,12 +2073,6 @@ xenFormatSxprOnePCI(virDomainHostdevDefP
@@ -2065,12 +2072,6 @@ xenFormatSxprOnePCI(virDomainHostdevDefP
virBufferPtr buf,
int detach)
{
@ -64,7 +65,7 @@ Index: libvirt-1.0.3/src/xenxs/xen_sxpr.c
virBufferAddLit(buf, "(pci ");
xenFormatSxprPCI(def, buf);
if (detach)
@@ -2127,12 +2127,6 @@ xenFormatSxprAllPCI(virDomainDefPtr def,
@@ -2125,12 +2126,6 @@ xenFormatSxprAllPCI(virDomainDefPtr def,
for (i = 0 ; i < def->nhostdevs ; i++) {
if (def->hostdevs[i]->mode == VIR_DOMAIN_HOSTDEV_MODE_SUBSYS &&
def->hostdevs[i]->source.subsys.type == VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_PCI) {
@ -77,16 +78,16 @@ Index: libvirt-1.0.3/src/xenxs/xen_sxpr.c
xenFormatSxprPCI(def->hostdevs[i], buf);
}
}
Index: libvirt-1.0.3/src/xenxs/xen_xm.c
Index: libvirt-1.0.5/src/xenxs/xen_xm.c
===================================================================
--- libvirt-1.0.3.orig/src/xenxs/xen_xm.c
+++ libvirt-1.0.3/src/xenxs/xen_xm.c
--- libvirt-1.0.5.orig/src/xenxs/xen_xm.c
+++ libvirt-1.0.5/src/xenxs/xen_xm.c
@@ -815,6 +815,8 @@ xenParseXM(virConfPtr conf, int xendConf
int busID;
int slotID;
int funcID;
+ char *opt;
+ int managed=0;
+ int managed = 0;
domain[0] = bus[0] = slot[0] = func[0] = '\0';
@ -129,8 +130,8 @@ Index: libvirt-1.0.3/src/xenxs/xen_xm.c
if (!(hostdev = virDomainHostdevDefAlloc()))
goto cleanup;
- hostdev->managed = 0;
+ hostdev->managed = managed;
- hostdev->managed = false;
+ hostdev->managed = managed ? true : false;
hostdev->source.subsys.type = VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_PCI;
hostdev->source.subsys.u.pci.domain = domainID;
hostdev->source.subsys.u.pci.bus = busID;
hostdev->source.subsys.u.pci.addr.domain = domainID;
hostdev->source.subsys.u.pci.addr.bus = busID;
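Review bot: In the xen_sxpr.c part of this patch the local added to `xenParseSxprPCI` is declared without an initializer (`bool managed;`, which appears to be the refreshed form of `int managed;`), while the xen_xm.c part declares `int managed = 0;`. The lines that assign it lie between the visible hunks, so it cannot be confirmed from here that every path sets it before `dev->managed = managed ? true : false;`; if a device entry without the option can reach that line, the managed flag of a passed-through PCI device would come from an indeterminate value. Declaring it as `bool managed = false;` removes the question, and with a `bool` on both sides the assignment can be just `dev->managed = managed;`. Using `bool managed = false;` in `xenParseXM` too would keep the two parsers consistent.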


@ -1,7 +1,7 @@
Index: libvirt-1.0.3/src/qemu/qemu.conf
Index: libvirt-1.0.5/src/qemu/qemu.conf
===================================================================
--- libvirt-1.0.3.orig/src/qemu/qemu.conf
+++ libvirt-1.0.3/src/qemu/qemu.conf
--- libvirt-1.0.5.orig/src/qemu/qemu.conf
+++ libvirt-1.0.5/src/qemu/qemu.conf
@@ -169,7 +169,16 @@
# a special value; security_driver can be set to that value in
# isolation, but it cannot appear in a list of drivers.
@ -19,7 +19,7 @@ Index: libvirt-1.0.3/src/qemu/qemu.conf
# If set to non-zero, then the default security labeling
# will make guests confined. If set to zero, then guests
@@ -357,6 +366,15 @@
@@ -365,6 +374,15 @@
#allow_disk_format_probing = 1


@ -1,9 +1,9 @@
Adjust virtlockd init files to conform to SUSE standards
Index: libvirt-1.0.3/src/locking/virtlockd.sysconf
Index: libvirt-1.0.5/src/locking/virtlockd.sysconf
===================================================================
--- libvirt-1.0.3.orig/src/locking/virtlockd.sysconf
+++ libvirt-1.0.3/src/locking/virtlockd.sysconf
--- libvirt-1.0.5.orig/src/locking/virtlockd.sysconf
+++ libvirt-1.0.5/src/locking/virtlockd.sysconf
@@ -1,3 +1,7 @@
+## Path: System/Virtualization/virtlockd
+
@ -12,10 +12,10 @@ Index: libvirt-1.0.3/src/locking/virtlockd.sysconf
#
# Pass extra arguments to virtlockd
#VIRTLOCKD_ARGS=
Index: libvirt-1.0.3/src/locking/virtlockd.init.in
Index: libvirt-1.0.5/src/locking/virtlockd.init.in
===================================================================
--- libvirt-1.0.3.orig/src/locking/virtlockd.init.in
+++ libvirt-1.0.3/src/locking/virtlockd.init.in
--- libvirt-1.0.5.orig/src/locking/virtlockd.init.in
+++ libvirt-1.0.5/src/locking/virtlockd.init.in
@@ -4,11 +4,13 @@
# http://www.linux-foundation.org/spec//booksets/LSB-Core-generic/LSB-Core-generic.html#INITSCRCOMCONV
#


@ -14,10 +14,10 @@
is inactive. We obviously can't search xenstore when the domain is
inactive.
Index: libvirt-1.0.3/src/xen/xend_internal.c
Index: libvirt-1.0.5/src/xen/xend_internal.c
===================================================================
--- libvirt-1.0.3.orig/src/xen/xend_internal.c
+++ libvirt-1.0.3/src/xen/xend_internal.c
--- libvirt-1.0.5.orig/src/xen/xend_internal.c
+++ libvirt-1.0.5/src/xen/xend_internal.c
@@ -60,8 +60,8 @@
#define XEND_RCV_BUF_MAX_LEN (256 * 1024)
@ -48,7 +48,7 @@ Index: libvirt-1.0.3/src/xen/xend_internal.c
_("requested device does not exist"));
goto cleanup;
@@ -2790,7 +2790,7 @@ xenDaemonDetachDeviceFlags(virDomainPtr
def, xml, VIR_DOMAIN_XML_INACTIVE)))
VIR_DOMAIN_XML_INACTIVE)))
goto cleanup;
- if (virDomainXMLDevID(domain, dev, class, ref, sizeof(ref)))
@ -56,7 +56,7 @@ Index: libvirt-1.0.3/src/xen/xend_internal.c
goto cleanup;
if (dev->type == VIR_DOMAIN_DEVICE_HOSTDEV) {
@@ -3682,21 +3682,22 @@ struct xenUnifiedDriver xenDaemonDriver
@@ -3682,31 +3682,32 @@ struct xenUnifiedDriver xenDaemonDriver
/**
* virDomainXMLDevID:
* @domain: pointer to domain object
@ -83,10 +83,10 @@ Index: libvirt-1.0.3/src/xen/xend_internal.c
virDomainDeviceDefPtr dev,
char *class,
char *ref,
@@ -3704,9 +3705,11 @@ virDomainXMLDevID(virDomainPtr domain,
int ref_len)
{
xenUnifiedPrivatePtr priv = domain->conn->privateData;
char *xref;
- xenUnifiedPrivatePtr priv = domain->conn->privateData;
- char *xref;
- char *tmp;
+ unsigned int i;
@ -96,7 +96,7 @@ Index: libvirt-1.0.3/src/xen/xend_internal.c
if (dev->data.disk->driverName &&
STREQ(dev->data.disk->driverName, "tap"))
strcpy(class, "tap");
@@ -3716,19 +3719,17 @@ virDomainXMLDevID(virDomainPtr domain,
@@ -3716,19 +3717,17 @@ virDomainXMLDevID(virDomainPtr domain,
else
strcpy(class, "vbd");
@ -125,15 +125,14 @@ Index: libvirt-1.0.3/src/xen/xend_internal.c
+ }
+ return -1;
} else if (dev->type == VIR_DOMAIN_DEVICE_NET) {
char mac[30];
char mac[VIR_MAC_STRING_BUFLEN];
virDomainNetDefPtr def = dev->data.net;
@@ -3738,17 +3739,22 @@ virDomainXMLDevID(virDomainPtr domain,
@@ -3736,16 +3735,22 @@ virDomainXMLDevID(virDomainPtr domain,
strcpy(class, "vif");
- xenUnifiedLock(priv);
- xref = xenStoreDomainGetNetworkID(domain->conn, domain->id,
- mac);
- xref = xenStoreDomainGetNetworkID(domain->conn, domain->id, mac);
- xenUnifiedUnlock(priv);
- if (xref == NULL)
- return -1;
@ -161,7 +160,7 @@ Index: libvirt-1.0.3/src/xen/xend_internal.c
} else if (dev->type == VIR_DOMAIN_DEVICE_HOSTDEV &&
dev->data.hostdev->mode == VIR_DOMAIN_HOSTDEV_MODE_SUBSYS &&
dev->data.hostdev->source.subsys.type == VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_PCI) {
@@ -3766,17 +3772,44 @@ virDomainXMLDevID(virDomainPtr domain,
@@ -3763,17 +3768,44 @@ virDomainXMLDevID(virDomainPtr domain,
strcpy(class, "pci");
@ -182,10 +181,10 @@ Index: libvirt-1.0.3/src/xen/xend_internal.c
+ continue;
+
+ if (virAsprintf(&dst_bdf, "%04x:%02x:%02x.%0x",
+ hostdev->source.subsys.u.pci.domain,
+ hostdev->source.subsys.u.pci.bus,
+ hostdev->source.subsys.u.pci.slot,
+ hostdev->source.subsys.u.pci.function) < 0) {
+ hostdev->source.subsys.u.pci.addr.domain,
+ hostdev->source.subsys.u.pci.addr.bus,
+ hostdev->source.subsys.u.pci.addr.slot,
+ hostdev->source.subsys.u.pci.addr.function) < 0) {
+ virReportOOMError();
+ VIR_FREE(bdf);
+ return -1;


@ -1,7 +1,7 @@
Index: libvirt-1.0.3/src/xenxs/xen_sxpr.c
Index: libvirt-1.0.5/src/xenxs/xen_sxpr.c
===================================================================
--- libvirt-1.0.3.orig/src/xenxs/xen_sxpr.c
+++ libvirt-1.0.3/src/xenxs/xen_sxpr.c
--- libvirt-1.0.5.orig/src/xenxs/xen_sxpr.c
+++ libvirt-1.0.5/src/xenxs/xen_sxpr.c
@@ -341,7 +341,7 @@ error:
static int
xenParseSxprDisks(virDomainDefPtr def,