From 02bfe2161ff59883816dc8f71bba3bc8cdd93a15fb8a9fd850f5395ad97dd70f Mon Sep 17 00:00:00 2001 
From: James Fehlig Date: Mon, 4 Aug 2014 17:17:49 +0000 Subject: [PATCH 1/2] Accepting request 243625 from home:jfehlig:branches:Virtualization - Update to libvirt 1.2.7 - Introduce virConnectGetDomainCapabilities - Many incremental improvements and bug fixes, see http://libvirt.org/news.html - Drop upstream patches: dba3432b-virt-lxc-convert-fix.patch, 9b1e4cd5-skip-useless-apparmor-files.patch, dba3432b-virt-lxc-convert-fix.patch, add-nocow-to-vol-xml.patch, lxc-keep-caps-feature.patch, lxc-keep-caps-feature-conversion.patch, lxc-keep-caps-feature-doc.patch, lxc-net-target-name.patch, lxc-net-target-name-conversion.patch, lxc-net-target-name-doc.patch OBS-URL: https://build.opensuse.org/request/show/243625 OBS-URL: https://build.opensuse.org/package/show/Virtualization/libvirt?expand=0&rev=393 --- 9265f8ab-apparmor-lxc-rework.patch | 358 -------- 9b1e4cd5-skip-useless-apparmor-files.patch | 29 - add-nocow-to-vol-xml.patch | 113 --- dba3432b-virt-lxc-convert-fix.patch | 22 - disable-virCgroupGetPercpuStats-test.patch | 6 +- fix-pci-attach-xen-driver.patch | 10 +- install-apparmor-profiles.patch | 22 +- libvirt-1.2.6.tar.bz2 | 3 - libvirt-1.2.7.tar.bz2 | 3 + libvirt-guests-init-script.patch | 18 +- libvirt-suse-netcontrol.patch | 40 +- libvirt.changes | 18 + libvirt.spec | 26 +- libvirtd-defaults.patch | 18 +- libvirtd-init-script.patch | 6 +- lxc-keep-caps-feature-conversion.patch | 220 ----- lxc-keep-caps-feature-doc.patch | 68 -- lxc-keep-caps-feature.patch | 980 --------------------- lxc-net-target-name-conversion.patch | 130 --- lxc-net-target-name-doc.patch | 37 - lxc-net-target-name.patch | 269 ------ support-managed-pci-xen-driver.patch | 24 +- suse-qemu-conf.patch | 8 +- systemd-service-xen.patch | 6 +- virtlockd-init-script.patch | 12 +- xen-name-for-devid.patch | 12 +- xen-pv-cdrom.patch | 6 +- 27 files changed, 118 insertions(+), 2346 deletions(-) delete mode 100644 9265f8ab-apparmor-lxc-rework.patch delete mode 100644 
9b1e4cd5-skip-useless-apparmor-files.patch delete mode 100644 add-nocow-to-vol-xml.patch delete mode 100644 dba3432b-virt-lxc-convert-fix.patch delete mode 100644 libvirt-1.2.6.tar.bz2 create mode 100644 libvirt-1.2.7.tar.bz2 delete mode 100644 lxc-keep-caps-feature-conversion.patch delete mode 100644 lxc-keep-caps-feature-doc.patch delete mode 100644 lxc-keep-caps-feature.patch delete mode 100644 lxc-net-target-name-conversion.patch delete mode 100644 lxc-net-target-name-doc.patch delete mode 100644 lxc-net-target-name.patch diff --git a/9265f8ab-apparmor-lxc-rework.patch b/9265f8ab-apparmor-lxc-rework.patch deleted file mode 100644 index 11c468d..0000000 --- a/9265f8ab-apparmor-lxc-rework.patch +++ /dev/null 
@@ -1,358 +0,0 @@ -From 9265f8ab67dc14fe89a26efd5c22b156d3168fd6 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?C=C3=A9dric=20Bosdonnat?= -Date: Tue, 15 Jul 2014 11:02:50 +0200 -Subject: [PATCH] Rework lxc apparmor profile - -Rework the apparmor lxc profile abstraction to mimic ubuntu's container-default. -This profile allows quite a lot, but strives to restrict access to -dangerous resources. - -Removing the explicit authorizations to bash, systemd and cron files, -forces them to keep the lxc profile for all applications inside the -container. PUx permissions where leading to running systemd (and others -tasks) unconfined. - -Put the generic files, network and capabilities restrictions directly -in the TEMPLATE.lxc: this way, users can restrict them on a per -container basis. ---- - examples/apparmor/Makefile.am | 6 +- - examples/apparmor/TEMPLATE.lxc | 15 ++++ - examples/apparmor/{TEMPLATE => TEMPLATE.qemu} | 2 +- - examples/apparmor/libvirt-lxc | 119 +++++++++++++++++++++++--- - src/security/security_apparmor.c | 21 +++-- - src/security/virt-aa-helper.c | 29 +------ - 6 files changed, 149 insertions(+), 43 deletions(-) - create mode 100644 examples/apparmor/TEMPLATE.lxc - rename examples/apparmor/{TEMPLATE => TEMPLATE.qemu} (75%) - -Index: libvirt-1.2.6/examples/apparmor/Makefile.am -=================================================================== ---- libvirt-1.2.6.orig/examples/apparmor/Makefile.am -+++ libvirt-1.2.6/examples/apparmor/Makefile.am -@@ -15,7 +15,8 @@ - ## . 
- - EXTRA_DIST= \ -- TEMPLATE \ -+ TEMPLATE.qemu \ -+ TEMPLATE.lxc \ - libvirt-qemu \ - libvirt-lxc \ - usr.lib.libvirt.virt-aa-helper \ -@@ -36,6 +37,7 @@ abstractions_DATA = \ - - templatesdir = $(apparmordir)/libvirt - templates_DATA = \ -- TEMPLATE \ -+ TEMPLATE.qemu \ -+ TEMPLATE.lxc \ - $(NULL) - endif WITH_APPARMOR_PROFILES -Index: libvirt-1.2.6/examples/apparmor/TEMPLATE.lxc -=================================================================== ---- /dev/null -+++ libvirt-1.2.6/examples/apparmor/TEMPLATE.lxc -@@ -0,0 +1,15 @@ -+# -+# This profile is for the domain whose UUID matches this file. -+# -+ -+#include -+ -+profile LIBVIRT_TEMPLATE { -+ #include -+ -+ # Globally allows everything to run under this profile -+ # These can be narrowed depending on the container's use. -+ file, -+ capability, -+ network, -+} -Index: libvirt-1.2.6/examples/apparmor/TEMPLATE -=================================================================== ---- libvirt-1.2.6.orig/examples/apparmor/TEMPLATE -+++ /dev/null -@@ -1,9 +0,0 @@ --# --# This profile is for the domain whose UUID matches this file. --# -- --#include -- --profile LIBVIRT_TEMPLATE { -- #include --} -Index: libvirt-1.2.6/examples/apparmor/TEMPLATE.qemu -=================================================================== ---- /dev/null -+++ libvirt-1.2.6/examples/apparmor/TEMPLATE.qemu -@@ -0,0 +1,9 @@ -+# -+# This profile is for the domain whose UUID matches this file. 
-+# -+ -+#include -+ -+profile LIBVIRT_TEMPLATE { -+ #include -+} -Index: libvirt-1.2.6/examples/apparmor/libvirt-lxc -=================================================================== ---- libvirt-1.2.6.orig/examples/apparmor/libvirt-lxc -+++ libvirt-1.2.6/examples/apparmor/libvirt-lxc -@@ -2,16 +2,115 @@ - - #include - -- # Needed for lxc-enter-namespace -- capability sys_admin, -- capability sys_chroot, -- -- # Added for lxc-enter-namespace --cmd /bin/bash -- /bin/bash PUx, -- -- /usr/sbin/cron PUx, -- /usr/lib/systemd/systemd PUx, -- -- /usr/lib/libsystemd-*.so.* mr, -- /usr/lib/libudev-*.so.* mr, -- /etc/ld.so.cache mr, -+ umount, -+ -+ # ignore DENIED message on / remount -+ deny mount options=(ro, remount) -> /, -+ -+ # allow tmpfs mounts everywhere -+ mount fstype=tmpfs, -+ -+ # allow mqueue mounts everywhere -+ mount fstype=mqueue, -+ -+ # allow fuse mounts everywhere -+ mount fstype=fuse.*, -+ -+ # deny writes in /proc/sys/fs but allow binfmt_misc to be mounted -+ mount fstype=binfmt_misc -> /proc/sys/fs/binfmt_misc/, -+ deny @{PROC}/sys/fs/** wklx, -+ -+ # allow efivars to be mounted, writing to it will be blocked though -+ mount fstype=efivarfs -> /sys/firmware/efi/efivars/, -+ -+ # block some other dangerous paths -+ deny @{PROC}/sysrq-trigger rwklx, -+ deny @{PROC}/mem rwklx, -+ deny @{PROC}/kmem rwklx, -+ -+ # deny writes in /sys except for /sys/fs/cgroup, also allow -+ # fusectl, securityfs and debugfs to be mounted there (read-only) -+ mount fstype=fusectl -> /sys/fs/fuse/connections/, -+ mount fstype=securityfs -> /sys/kernel/security/, -+ mount fstype=debugfs -> /sys/kernel/debug/, -+ mount fstype=proc -> /proc/, -+ mount fstype=sysfs -> /sys/, -+ deny /sys/firmware/efi/efivars/** rwklx, -+ deny /sys/kernel/security/** rwklx, -+ -+ # generated by: lxc-generate-aa-rules.py container-rules.base -+ deny /proc/sys/[^kn]*{,/**} wklx, -+ deny /proc/sys/k[^e]*{,/**} wklx, -+ deny /proc/sys/ke[^r]*{,/**} wklx, -+ deny /proc/sys/ker[^n]*{,/**} wklx, -+ 
deny /proc/sys/kern[^e]*{,/**} wklx, -+ deny /proc/sys/kerne[^l]*{,/**} wklx, -+ deny /proc/sys/kernel/[^smhd]*{,/**} wklx, -+ deny /proc/sys/kernel/d[^o]*{,/**} wklx, -+ deny /proc/sys/kernel/do[^m]*{,/**} wklx, -+ deny /proc/sys/kernel/dom[^a]*{,/**} wklx, -+ deny /proc/sys/kernel/doma[^i]*{,/**} wklx, -+ deny /proc/sys/kernel/domai[^n]*{,/**} wklx, -+ deny /proc/sys/kernel/domain[^n]*{,/**} wklx, -+ deny /proc/sys/kernel/domainn[^a]*{,/**} wklx, -+ deny /proc/sys/kernel/domainna[^m]*{,/**} wklx, -+ deny /proc/sys/kernel/domainnam[^e]*{,/**} wklx, -+ deny /proc/sys/kernel/domainname?*{,/**} wklx, -+ deny /proc/sys/kernel/h[^o]*{,/**} wklx, -+ deny /proc/sys/kernel/ho[^s]*{,/**} wklx, -+ deny /proc/sys/kernel/hos[^t]*{,/**} wklx, -+ deny /proc/sys/kernel/host[^n]*{,/**} wklx, -+ deny /proc/sys/kernel/hostn[^a]*{,/**} wklx, -+ deny /proc/sys/kernel/hostna[^m]*{,/**} wklx, -+ deny /proc/sys/kernel/hostnam[^e]*{,/**} wklx, -+ deny /proc/sys/kernel/hostname?*{,/**} wklx, -+ deny /proc/sys/kernel/m[^s]*{,/**} wklx, -+ deny /proc/sys/kernel/ms[^g]*{,/**} wklx, -+ deny /proc/sys/kernel/msg*/** wklx, -+ deny /proc/sys/kernel/s[^he]*{,/**} wklx, -+ deny /proc/sys/kernel/se[^m]*{,/**} wklx, -+ deny /proc/sys/kernel/sem*/** wklx, -+ deny /proc/sys/kernel/sh[^m]*{,/**} wklx, -+ deny /proc/sys/kernel/shm*/** wklx, -+ deny /proc/sys/kernel?*{,/**} wklx, -+ deny /proc/sys/n[^e]*{,/**} wklx, -+ deny /proc/sys/ne[^t]*{,/**} wklx, -+ deny /proc/sys/net?*{,/**} wklx, -+ deny /sys/[^fdc]*{,/**} wklx, -+ deny /sys/c[^l]*{,/**} wklx, -+ deny /sys/cl[^a]*{,/**} wklx, -+ deny /sys/cla[^s]*{,/**} wklx, -+ deny /sys/clas[^s]*{,/**} wklx, -+ deny /sys/class/[^n]*{,/**} wklx, -+ deny /sys/class/n[^e]*{,/**} wklx, -+ deny /sys/class/ne[^t]*{,/**} wklx, -+ deny /sys/class/net?*{,/**} wklx, -+ deny /sys/class?*{,/**} wklx, -+ deny /sys/d[^e]*{,/**} wklx, -+ deny /sys/de[^v]*{,/**} wklx, -+ deny /sys/dev[^i]*{,/**} wklx, -+ deny /sys/devi[^c]*{,/**} wklx, -+ deny /sys/devic[^e]*{,/**} wklx, -+ 
deny /sys/device[^s]*{,/**} wklx, -+ deny /sys/devices/[^v]*{,/**} wklx, -+ deny /sys/devices/v[^i]*{,/**} wklx, -+ deny /sys/devices/vi[^r]*{,/**} wklx, -+ deny /sys/devices/vir[^t]*{,/**} wklx, -+ deny /sys/devices/virt[^u]*{,/**} wklx, -+ deny /sys/devices/virtu[^a]*{,/**} wklx, -+ deny /sys/devices/virtua[^l]*{,/**} wklx, -+ deny /sys/devices/virtual/[^n]*{,/**} wklx, -+ deny /sys/devices/virtual/n[^e]*{,/**} wklx, -+ deny /sys/devices/virtual/ne[^t]*{,/**} wklx, -+ deny /sys/devices/virtual/net?*{,/**} wklx, -+ deny /sys/devices/virtual?*{,/**} wklx, -+ deny /sys/devices?*{,/**} wklx, -+ deny /sys/f[^s]*{,/**} wklx, -+ deny /sys/fs/[^c]*{,/**} wklx, -+ deny /sys/fs/c[^g]*{,/**} wklx, -+ deny /sys/fs/cg[^r]*{,/**} wklx, -+ deny /sys/fs/cgr[^o]*{,/**} wklx, -+ deny /sys/fs/cgro[^u]*{,/**} wklx, -+ deny /sys/fs/cgrou[^p]*{,/**} wklx, -+ deny /sys/fs/cgroup?*{,/**} wklx, -+ deny /sys/fs?*{,/**} wklx, -Index: libvirt-1.2.6/src/security/security_apparmor.c -=================================================================== ---- libvirt-1.2.6.orig/src/security/security_apparmor.c -+++ libvirt-1.2.6/src/security/security_apparmor.c -@@ -351,26 +351,37 @@ AppArmorSetSecuritySCSILabel(virSCSIDevi - static int - AppArmorSecurityManagerProbe(const char *virtDriver ATTRIBUTE_UNUSED) - { -- char *template = NULL; -+ char *template_qemu = NULL; -+ char *template_lxc = NULL; - int rc = SECURITY_DRIVER_DISABLE; - - if (use_apparmor() < 0) - return rc; - - /* see if template file exists */ -- if (virAsprintf(&template, "%s/TEMPLATE", -+ if (virAsprintf(&template_qemu, "%s/TEMPLATE.qemu", - APPARMOR_DIR "/libvirt") == -1) - return rc; - -- if (!virFileExists(template)) { -+ if (virAsprintf(&template_lxc, "%s/TEMPLATE.lxc", -+ APPARMOR_DIR "/libvirt") == -1) -+ goto cleanup; -+ -+ if (!virFileExists(template_qemu)) { -+ virReportError(VIR_ERR_INTERNAL_ERROR, -+ _("template \'%s\' does not exist"), template_qemu); -+ goto cleanup; -+ } -+ if (!virFileExists(template_lxc)) { - 
virReportError(VIR_ERR_INTERNAL_ERROR, -- _("template \'%s\' does not exist"), template); -+ _("template \'%s\' does not exist"), template_lxc); - goto cleanup; - } - rc = SECURITY_DRIVER_ENABLE; - - cleanup: -- VIR_FREE(template); -+ VIR_FREE(template_qemu); -+ VIR_FREE(template_lxc); - - return rc; - } -Index: libvirt-1.2.6/src/security/virt-aa-helper.c -=================================================================== ---- libvirt-1.2.6.orig/src/security/virt-aa-helper.c -+++ libvirt-1.2.6/src/security/virt-aa-helper.c -@@ -336,24 +336,20 @@ create_profile(const char *profile, cons - char *pcontent = NULL; - char *replace_name = NULL; - char *replace_files = NULL; -- char *replace_driver = NULL; - const char *template_name = "\nprofile LIBVIRT_TEMPLATE"; - const char *template_end = "\n}"; -- const char *template_driver = "libvirt-driver"; - int tlen, plen; - int fd; - int rc = -1; -- const char *driver_name = "qemu"; -- -- if (virtType == VIR_DOMAIN_VIRT_LXC) -- driver_name = "lxc"; - - if (virFileExists(profile)) { - vah_error(NULL, 0, _("profile exists")); - goto end; - } - -- if (virAsprintfQuiet(&template, "%s/TEMPLATE", APPARMOR_DIR "/libvirt") < 0) { -+ -+ if (virAsprintfQuiet(&template, "%s/TEMPLATE.%s", APPARMOR_DIR "/libvirt", -+ virDomainVirtTypeToString(virtType)) < 0) { - vah_error(NULL, 0, _("template name exceeds maximum length")); - goto end; - } -@@ -378,11 +374,6 @@ create_profile(const char *profile, cons - goto clean_tcontent; - } - -- if (strstr(tcontent, template_driver) == NULL) { -- vah_error(NULL, 0, _("no replacement string in template")); -- goto clean_tcontent; -- } -- - /* '\nprofile \0' */ - if (virAsprintfQuiet(&replace_name, "\nprofile %s", profile_name) == -1) { - vah_error(NULL, 0, _("could not allocate memory for profile name")); -@@ -397,15 +388,7 @@ create_profile(const char *profile, cons - goto clean_tcontent; - } - -- /* 'libvirt-\0' */ -- if (virAsprintfQuiet(&replace_driver, "libvirt-%s", driver_name) == -1) { -- 
vah_error(NULL, 0, _("could not allocate memory for profile driver")); -- VIR_FREE(replace_driver); -- goto clean_tcontent; -- } -- -- plen = tlen + strlen(replace_name) - strlen(template_name) + -- strlen(replace_driver) - strlen(template_driver) + 1; -+ plen = tlen + strlen(replace_name) - strlen(template_name) + 1; - - if (virtType != VIR_DOMAIN_VIRT_LXC) - plen += strlen(replace_files) - strlen(template_end); -@@ -422,9 +405,6 @@ create_profile(const char *profile, cons - pcontent[0] = '\0'; - strcpy(pcontent, tcontent); - -- if (replace_string(pcontent, plen, template_driver, replace_driver) < 0) -- goto clean_all; -- - if (replace_string(pcontent, plen, template_name, replace_name) < 0) - goto clean_all; - -@@ -455,7 +435,6 @@ create_profile(const char *profile, cons - clean_replace: - VIR_FREE(replace_name); - VIR_FREE(replace_files); -- VIR_FREE(replace_driver); - clean_tcontent: - VIR_FREE(tcontent); - end: diff --git a/9b1e4cd5-skip-useless-apparmor-files.patch b/9b1e4cd5-skip-useless-apparmor-files.patch deleted file mode 100644 index 4c606ee..0000000 --- a/9b1e4cd5-skip-useless-apparmor-files.patch +++ /dev/null @@ -1,29 +0,0 @@ -commit 9b1e4cd5034225c7f750b38968b576c966c51d75 -Author: Cédric Bosdonnat -Date: Wed Jul 9 16:15:02 2014 +0200 - - Don't output libvirt-UUID.files for LXC apparmor profiles - ---- - src/security/virt-aa-helper.c | 5 ++++- - 1 file changed, 4 insertions(+), 1 deletion(-) - -diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c -index b5f66f3..c8f17f9 100644 ---- a/src/security/virt-aa-helper.c -+++ b/src/security/virt-aa-helper.c -@@ -1342,10 +1342,13 @@ main(int argc, char **argv) - vah_info(include_file); - vah_info(included_files); - rc = 0; -+ } else if (ctl->def->virtType == VIR_DOMAIN_VIRT_LXC) { -+ rc = 0; - } else if ((rc = update_include_file(include_file, - included_files, -- ctl->append)) != 0) -+ ctl->append)) != 0) { - goto cleanup; -+ } - - - /* create the profile from TEMPLATE */ 
diff --git a/add-nocow-to-vol-xml.patch b/add-nocow-to-vol-xml.patch deleted file mode 100644 index 40f5adb..0000000 --- a/add-nocow-to-vol-xml.patch +++ /dev/null @@ -1,113 +0,0 @@ -commit ccc0b45917fa76a77ff83f1ddfd30836c8c3805e -Author: Chunyan Liu -Date: Wed May 7 12:45:40 2014 +0800 - - add nocow to vol xml - - Updated patch. Rebase to git master. - - 
Signed-off-by: Chunyan Liu - -Index: libvirt-1.2.6/docs/schemas/storagevol.rng -=================================================================== ---- libvirt-1.2.6.orig/docs/schemas/storagevol.rng -+++ libvirt-1.2.6/docs/schemas/storagevol.rng -@@ -138,6 +138,11 @@ - - - -+ -+ -+ -+ -+ - - - -Index: libvirt-1.2.6/src/conf/storage_conf.c -=================================================================== ---- libvirt-1.2.6.orig/src/conf/storage_conf.c -+++ libvirt-1.2.6/src/conf/storage_conf.c -@@ -1397,6 +1397,9 @@ virStorageVolDefParseXML(virStoragePoolD - virStringFreeList(version); - } - -+ if (virXPathNode("./target/nocow", ctxt)) -+ ret->target.nocow = true; -+ - if (options->featureFromString && virXPathNode("./target/features", ctxt)) { - if ((n = virXPathNodeSet("./target/features/*", ctxt, &nodes)) < 0) - goto error; -Index: libvirt-1.2.6/src/storage/storage_backend.c -=================================================================== ---- libvirt-1.2.6.orig/src/storage/storage_backend.c -+++ libvirt-1.2.6/src/storage/storage_backend.c -@@ -37,6 +37,9 @@ - #ifdef __linux__ - # include - # include -+# ifndef FS_NOCOW_FL -+# define FS_NOCOW_FL 0x00800000 /* Do not cow file */ -+# endif - #endif - - #if WITH_SELINUX -@@ -452,6 +455,21 @@ virStorageBackendCreateRaw(virConnectPtr - goto cleanup; - } - -+ if (vol->target.nocow) { -+#ifdef __linux__ -+ int attr; -+ -+ /* Set NOCOW flag. This is an optimisation for btrfs. -+ * The FS_IOC_SETFLAGS ioctl return value will be ignored since any -+ * failure of this operation should not block the left work. -+ */ -+ if (ioctl(fd, FS_IOC_GETFLAGS, &attr) == 0) { -+ attr |= FS_NOCOW_FL; -+ ioctl(fd, FS_IOC_SETFLAGS, &attr); -+ } -+#endif -+ } -+ - if ((ret = createRawFile(fd, vol, inputvol)) < 0) - /* createRawFile already reported the exact error. 
*/ - ret = -1; -@@ -717,6 +735,7 @@ virStorageBackendCreateQemuImgOpts(char - bool preallocate, - int format, - const char *compat, -+ bool nocow, - virBitmapPtr features) - { - virBuffer buf = VIR_BUFFER_INITIALIZER; -@@ -729,6 +748,8 @@ virStorageBackendCreateQemuImgOpts(char - virBufferAddLit(&buf, "encryption=on,"); - if (preallocate) - virBufferAddLit(&buf, "preallocation=metadata,"); -+ if (nocow) -+ virBufferAddLit(&buf, "nocow=on,"); - - if (compat) - virBufferAsprintf(&buf, "compat=%s,", compat); -@@ -950,6 +971,7 @@ virStorageBackendCreateQemuImgCmd(virCon - do_encryption, preallocate, - vol->target.format, - compat, -+ vol->target.nocow, - vol->target.features) < 0) { - virCommandFree(cmd); - return NULL; -Index: libvirt-1.2.6/src/util/virstoragefile.h -=================================================================== ---- libvirt-1.2.6.orig/src/util/virstoragefile.h -+++ libvirt-1.2.6/src/util/virstoragefile.h -@@ -232,6 +232,7 @@ struct _virStorageSource { - * pool-specific enum for storage volumes */ - virBitmapPtr features; - char *compat; -+ bool nocow; - - virStoragePermsPtr perms; - virStorageTimestampsPtr timestamps; diff --git a/dba3432b-virt-lxc-convert-fix.patch b/dba3432b-virt-lxc-convert-fix.patch deleted file mode 100644 index 5dc7ad8..0000000 --- a/dba3432b-virt-lxc-convert-fix.patch +++ /dev/null 
@@ -1,22 +0,0 @@ -From 236a18572216a35f742824f4056108245fac3082 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?C=C3=A9dric=20Bosdonnat?= -Date: Fri, 4 Jul 2014 15:57:17 +0200 -Subject: [PATCH] virt-lxc-convert: make free return values in bytes - ---- - examples/lxcconvert/virt-lxc-convert | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -Index: libvirt-1.2.5/examples/lxcconvert/virt-lxc-convert -=================================================================== ---- libvirt-1.2.5.orig/examples/lxcconvert/virt-lxc-convert -+++ libvirt-1.2.5/examples/lxcconvert/virt-lxc-convert -@@ -64,7 +64,7 @@ if test -r "$fstab"; then - sed 's/^\([^#]\)/lxc.mount.entry = \1/' "$fstab" >>"${conf_new}" - fi - --memory=$(free | sed -n '/Mem:/s/ \+/ /gp' | cut -f 2 -d ' ') -+memory=$(free -b | sed -n '/Mem:/s/ \+/ /gp' | cut -f 2 -d ' ') - default_tmpfs="size=$((memory/2))" - - # Do we have tmpfs without size param? diff --git a/disable-virCgroupGetPercpuStats-test.patch b/disable-virCgroupGetPercpuStats-test.patch index 3ca99d8..65ff2c3 100644 --- a/disable-virCgroupGetPercpuStats-test.patch +++ b/disable-virCgroupGetPercpuStats-test.patch @@ -1,7 +1,7 @@ -Index: libvirt-1.2.6/tests/vircgrouptest.c +Index: libvirt-1.2.7/tests/vircgrouptest.c =================================================================== ---- libvirt-1.2.6.orig/tests/vircgrouptest.c -+++ libvirt-1.2.6/tests/vircgrouptest.c +--- libvirt-1.2.7.orig/tests/vircgrouptest.c ++++ libvirt-1.2.7/tests/vircgrouptest.c @@ -33,7 +33,6 @@ # include "virlog.h" # include "virfile.h" diff --git a/fix-pci-attach-xen-driver.patch b/fix-pci-attach-xen-driver.patch index dd96ee8..4ebcdc4 100644 --- a/fix-pci-attach-xen-driver.patch +++ b/fix-pci-attach-xen-driver.patch 
@@ -8,11 +8,11 @@ uses the 'device_configure' RPC. This patch changes the xend driver to always call 'device_configure' for PCI devices to be consistent with the usage in the xen tools. -Index: libvirt-1.2.6/src/xen/xend_internal.c +Index: libvirt-1.2.7/src/xen/xend_internal.c =================================================================== ---- libvirt-1.2.6.orig/src/xen/xend_internal.c -+++ libvirt-1.2.6/src/xen/xend_internal.c -@@ -2222,6 +2222,7 @@ xenDaemonAttachDeviceFlags(virConnectPtr +--- libvirt-1.2.7.orig/src/xen/xend_internal.c ++++ libvirt-1.2.7/src/xen/xend_internal.c +@@ -2221,6 +2221,7 @@ xenDaemonAttachDeviceFlags(virConnectPtr virBuffer buf = VIR_BUFFER_INITIALIZER; char class[8], ref[80]; char *target = NULL; @@ -20,7 +20,7 @@ Index: libvirt-1.2.6/src/xen/xend_internal.c virCheckFlags(VIR_DOMAIN_AFFECT_LIVE | VIR_DOMAIN_AFFECT_CONFIG, -1); -@@ -2320,8 +2321,18 @@ xenDaemonAttachDeviceFlags(virConnectPtr +@@ -2319,8 +2320,18 @@ xenDaemonAttachDeviceFlags(virConnectPtr } sexpr = virBufferContentAndReset(&buf); diff --git a/install-apparmor-profiles.patch b/install-apparmor-profiles.patch index 4904a53..469653b 100644 --- a/install-apparmor-profiles.patch +++ b/install-apparmor-profiles.patch @@ -1,7 +1,7 @@ -Index: libvirt-1.2.6/examples/apparmor/Makefile.am +Index: libvirt-1.2.7/examples/apparmor/Makefile.am =================================================================== ---- libvirt-1.2.6.orig/examples/apparmor/Makefile.am -+++ libvirt-1.2.6/examples/apparmor/Makefile.am +--- libvirt-1.2.7.orig/examples/apparmor/Makefile.am ++++ libvirt-1.2.7/examples/apparmor/Makefile.am @@ -19,10 +19,22 @@ EXTRA_DIST= \ TEMPLATE.lxc \ libvirt-qemu \ 
@@ -27,10 +27,10 @@ Index: libvirt-1.2.6/examples/apparmor/Makefile.am apparmordir = $(sysconfdir)/apparmor.d/ apparmor_DATA = \ usr.lib.libvirt.virt-aa-helper \ -Index: libvirt-1.2.6/examples/apparmor/usr.lib.libvirt.virt-aa-helper.in +Index: libvirt-1.2.7/examples/apparmor/usr.lib.libvirt.virt-aa-helper.in =================================================================== --- /dev/null -+++ libvirt-1.2.6/examples/apparmor/usr.lib.libvirt.virt-aa-helper.in ++++ libvirt-1.2.7/examples/apparmor/usr.lib.libvirt.virt-aa-helper.in @@ -0,0 +1,48 @@ +# Last Modified: Mon Apr 5 15:10:27 2010 +#include @@ -80,10 +80,10 @@ Index: libvirt-1.2.6/examples/apparmor/usr.lib.libvirt.virt-aa-helper.in + /**.[iI][sS][oO] r, + /**/disk{,.*} r, +} -Index: libvirt-1.2.6/examples/apparmor/usr.sbin.libvirtd.in +Index: libvirt-1.2.7/examples/apparmor/usr.sbin.libvirtd.in =================================================================== --- /dev/null -+++ libvirt-1.2.6/examples/apparmor/usr.sbin.libvirtd.in ++++ libvirt-1.2.7/examples/apparmor/usr.sbin.libvirtd.in @@ -0,0 +1,67 @@ +# Last Modified: Mon Apr 5 15:03:58 2010 +#include @@ -152,9 +152,9 @@ Index: libvirt-1.2.6/examples/apparmor/usr.sbin.libvirtd.in + change_profile -> @{LIBVIRT}-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*, + +} -Index: libvirt-1.2.6/examples/apparmor/usr.lib.libvirt.virt-aa-helper +Index: libvirt-1.2.7/examples/apparmor/usr.lib.libvirt.virt-aa-helper =================================================================== ---- libvirt-1.2.6.orig/examples/apparmor/usr.lib.libvirt.virt-aa-helper +--- libvirt-1.2.7.orig/examples/apparmor/usr.lib.libvirt.virt-aa-helper +++ /dev/null @@ -1,48 +0,0 @@ -# Last Modified: Mon Apr 5 15:10:27 2010 
@@ -205,9 +205,9 @@ Index: libvirt-1.2.6/examples/apparmor/usr.lib.libvirt.virt-aa-helper - /**.[iI][sS][oO] r, - /**/disk{,.*} r, -} -Index: libvirt-1.2.6/examples/apparmor/usr.sbin.libvirtd +Index: libvirt-1.2.7/examples/apparmor/usr.sbin.libvirtd =================================================================== ---- libvirt-1.2.6.orig/examples/apparmor/usr.sbin.libvirtd +--- libvirt-1.2.7.orig/examples/apparmor/usr.sbin.libvirtd +++ /dev/null @@ -1,63 +0,0 @@ -# Last Modified: Mon Apr 5 15:03:58 2010 diff --git a/libvirt-1.2.6.tar.bz2 b/libvirt-1.2.6.tar.bz2 deleted file mode 100644 index ab64a59..0000000 --- a/libvirt-1.2.6.tar.bz2 +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:99c005cf2a22a3919c5efa9b815181e776cb214b7005c24620a8a4a76efae544 -size 21124173 diff --git a/libvirt-1.2.7.tar.bz2 b/libvirt-1.2.7.tar.bz2 new file mode 100644 index 0000000..f21d884 --- /dev/null +++ b/libvirt-1.2.7.tar.bz2 @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:89e36179a2e235ad4eed1b07829875c15c73b68a3132f19ba9ca64355fdaceef +size 21382962 diff --git a/libvirt-guests-init-script.patch b/libvirt-guests-init-script.patch index 47e134e..6a42f4f 100644 --- a/libvirt-guests-init-script.patch +++ b/libvirt-guests-init-script.patch @@ -1,9 +1,9 @@ Adjust libvirt-guests init files to conform to SUSE standards -Index: libvirt-1.2.6/tools/libvirt-guests.init.in +Index: libvirt-1.2.7/tools/libvirt-guests.init.in =================================================================== ---- libvirt-1.2.6.orig/tools/libvirt-guests.init.in -+++ libvirt-1.2.6/tools/libvirt-guests.init.in +--- libvirt-1.2.7.orig/tools/libvirt-guests.init.in ++++ libvirt-1.2.7/tools/libvirt-guests.init.in @@ -3,15 +3,15 @@ # the following is the LSB init header # 
@@ -28,10 +28,10 @@ Index: libvirt-1.2.6/tools/libvirt-guests.init.in ### END INIT INFO # the following is chkconfig init header -Index: libvirt-1.2.6/tools/libvirt-guests.sh.in +Index: libvirt-1.2.7/tools/libvirt-guests.sh.in =================================================================== ---- libvirt-1.2.6.orig/tools/libvirt-guests.sh.in -+++ libvirt-1.2.6/tools/libvirt-guests.sh.in +--- libvirt-1.2.7.orig/tools/libvirt-guests.sh.in ++++ libvirt-1.2.7/tools/libvirt-guests.sh.in @@ -16,14 +16,13 @@ # License along with this library. If not, see # . @@ -189,10 +189,10 @@ Index: libvirt-1.2.6/tools/libvirt-guests.sh.in esac -exit $RETVAL +rc_exit -Index: libvirt-1.2.6/tools/libvirt-guests.sysconf +Index: libvirt-1.2.7/tools/libvirt-guests.sysconf =================================================================== ---- libvirt-1.2.6.orig/tools/libvirt-guests.sysconf -+++ libvirt-1.2.6/tools/libvirt-guests.sysconf +--- libvirt-1.2.7.orig/tools/libvirt-guests.sysconf ++++ libvirt-1.2.7/tools/libvirt-guests.sysconf @@ -1,19 +1,29 @@ +## Path: System/Virtualization/libvirt-guests + diff --git a/libvirt-suse-netcontrol.patch b/libvirt-suse-netcontrol.patch index 8d1c5c1..2446b09 100644 --- a/libvirt-suse-netcontrol.patch +++ b/libvirt-suse-netcontrol.patch @@ -1,7 +1,7 @@ -Index: libvirt-1.2.6/configure.ac +Index: libvirt-1.2.7/configure.ac =================================================================== ---- libvirt-1.2.6.orig/configure.ac -+++ libvirt-1.2.6/configure.ac +--- libvirt-1.2.7.orig/configure.ac ++++ libvirt-1.2.7/configure.ac @@ -237,6 +237,7 @@ LIBVIRT_CHECK_FUSE LIBVIRT_CHECK_GLUSTER LIBVIRT_CHECK_HAL @@ -26,7 +26,7 @@ Index: libvirt-1.2.6/configure.ac esac if test "$with_interface" = "yes" ; then -@@ -2822,6 +2824,7 @@ LIBVIRT_RESULT_FUSE +@@ -2834,6 +2836,7 @@ LIBVIRT_RESULT_FUSE LIBVIRT_RESULT_GLUSTER LIBVIRT_RESULT_HAL LIBVIRT_RESULT_NETCF 
@@ -34,11 +34,11 @@ Index: libvirt-1.2.6/configure.ac LIBVIRT_RESULT_NUMACTL LIBVIRT_RESULT_OPENWSMAN LIBVIRT_RESULT_PCIACCESS -Index: libvirt-1.2.6/src/Makefile.am +Index: libvirt-1.2.7/src/Makefile.am =================================================================== ---- libvirt-1.2.6.orig/src/Makefile.am -+++ libvirt-1.2.6/src/Makefile.am -@@ -818,6 +818,10 @@ if WITH_NETCF +--- libvirt-1.2.7.orig/src/Makefile.am ++++ libvirt-1.2.7/src/Makefile.am +@@ -820,6 +820,10 @@ if WITH_NETCF INTERFACE_DRIVER_SOURCES += \ interface/interface_backend_netcf.c endif WITH_NETCF @@ -49,7 +49,7 @@ Index: libvirt-1.2.6/src/Makefile.am if WITH_UDEV INTERFACE_DRIVER_SOURCES += \ interface/interface_backend_udev.c -@@ -1414,10 +1418,15 @@ if WITH_NETCF +@@ -1416,10 +1420,15 @@ if WITH_NETCF libvirt_driver_interface_la_CFLAGS += $(NETCF_CFLAGS) libvirt_driver_interface_la_LIBADD += $(NETCF_LIBS) else ! WITH_NETCF @@ -65,10 +65,10 @@ Index: libvirt-1.2.6/src/Makefile.am endif ! WITH_NETCF if WITH_DRIVER_MODULES libvirt_driver_interface_la_LIBADD += ../gnulib/lib/libgnu.la -Index: libvirt-1.2.6/tools/virsh.c +Index: libvirt-1.2.7/tools/virsh.c =================================================================== ---- libvirt-1.2.6.orig/tools/virsh.c -+++ libvirt-1.2.6/tools/virsh.c +--- libvirt-1.2.7.orig/tools/virsh.c ++++ libvirt-1.2.7/tools/virsh.c @@ -3320,6 +3320,8 @@ vshShowVersion(vshControl *ctl ATTRIBUTE vshPrint(ctl, " Interface"); # if defined(WITH_NETCF) 
@@ -78,10 +78,10 @@ Index: libvirt-1.2.6/tools/virsh.c # elif defined(WITH_UDEV) vshPrint(ctl, " udev"); # endif -Index: libvirt-1.2.6/src/interface/interface_backend_netcf.c +Index: libvirt-1.2.7/src/interface/interface_backend_netcf.c =================================================================== ---- libvirt-1.2.6.orig/src/interface/interface_backend_netcf.c -+++ libvirt-1.2.6/src/interface/interface_backend_netcf.c +--- libvirt-1.2.7.orig/src/interface/interface_backend_netcf.c ++++ libvirt-1.2.7/src/interface/interface_backend_netcf.c @@ -23,7 +23,12 @@ #include @@ -165,10 +165,10 @@ Index: libvirt-1.2.6/src/interface/interface_backend_netcf.c return 0; } -Index: libvirt-1.2.6/src/interface/interface_driver.c +Index: libvirt-1.2.7/src/interface/interface_driver.c =================================================================== ---- libvirt-1.2.6.orig/src/interface/interface_driver.c -+++ libvirt-1.2.6/src/interface/interface_driver.c +--- libvirt-1.2.7.orig/src/interface/interface_driver.c ++++ libvirt-1.2.7/src/interface/interface_driver.c @@ -30,8 +30,15 @@ interfaceRegister(void) if (netcfIfaceRegister() == 0) return 0; @@ -186,10 +186,10 @@ Index: libvirt-1.2.6/src/interface/interface_driver.c if (udevIfaceRegister() == 0) return 0; #endif /* WITH_UDEV */ -Index: libvirt-1.2.6/m4/virt-netcontrol.m4 +Index: libvirt-1.2.7/m4/virt-netcontrol.m4 =================================================================== --- /dev/null -+++ libvirt-1.2.6/m4/virt-netcontrol.m4 ++++ libvirt-1.2.7/m4/virt-netcontrol.m4 @@ -0,0 +1,35 @@ +dnl The libnetcontrol library +dnl diff --git a/libvirt.changes b/libvirt.changes index a524ba4..e65789c 100644 --- a/libvirt.changes +++ b/libvirt.changes 
@@ -1,3 +1,21 @@ +------------------------------------------------------------------- +Mon Aug 4 09:32:57 MDT 2014 - jfehlig@suse.com + +- Update to libvirt 1.2.7 + - Introduce virConnectGetDomainCapabilities + - Many incremental improvements and bug fixes, see + http://libvirt.org/news.html + - Drop upstream patches: dba3432b-virt-lxc-convert-fix.patch, + 9b1e4cd5-skip-useless-apparmor-files.patch, + dba3432b-virt-lxc-convert-fix.patch, + add-nocow-to-vol-xml.patch, + lxc-keep-caps-feature.patch, + lxc-keep-caps-feature-conversion.patch, + lxc-keep-caps-feature-doc.patch, + lxc-net-target-name.patch, + lxc-net-target-name-conversion.patch, + lxc-net-target-name-doc.patch + ------------------------------------------------------------------- Wed Jul 16 12:07:33 UTC 2014 - cbosdonnat@suse.com diff --git a/libvirt.spec b/libvirt.spec index a6f4984..d7abf3f 100644 --- a/libvirt.spec +++ b/libvirt.spec @@ -235,7 +235,7 @@ Name: libvirt Url: http://libvirt.org/ -Version: 1.2.6 +Version: 1.2.7 Release: 0 Summary: Library providing a simple virtualization API License: LGPL-2.1+ @@ -428,20 +428,9 @@ Source1: libvirtd.init Source2: libvirtd-relocation-server.fw Source99: baselibs.conf # Upstream patches -Patch0: dba3432b-virt-lxc-convert-fix.patch -Patch1: 9b1e4cd5-skip-useless-apparmor-files.patch -Patch2: 9265f8ab-apparmor-lxc-rework.patch # Need to go upstream Patch100: xen-name-for-devid.patch Patch101: xen-pv-cdrom.patch -Patch102: add-nocow-to-vol-xml.patch -# pending review upstream patches -Patch150: lxc-keep-caps-feature.patch -Patch151: lxc-keep-caps-feature-conversion.patch -Patch152: lxc-keep-caps-feature-doc.patch -Patch153: lxc-net-target-name.patch -Patch154: lxc-net-target-name-conversion.patch -Patch155: lxc-net-target-name-doc.patch # Our patches Patch200: libvirtd-defaults.patch Patch201: libvirtd-init-script.patch 
@@ -953,18 +942,8 @@ namespaces.
 %prep
 %setup -q
-%patch0 -p1
-%patch1 -p1
-%patch2 -p1
 %patch100 -p1
 %patch101 -p1
-%patch102 -p1
-%patch150 -p1
-%patch151 -p1
-%patch152 -p1
-%patch153 -p1
-%patch154 -p1
-%patch155 -p1
 %patch200 -p1
 %patch201 -p1
 %patch202 -p1
@@ -1191,7 +1170,7 @@ gzip -9 ChangeLog
 %install
 %makeinstall SYSTEMD_UNIT_DIR=%{_unitdir} DOCS_DIR=%{_docdir}/%{name}-python EXAMPLE_DIR=%{_docdir}/%{name}-python/examples HTML_DIR=%{_docdir}/%{name}
-for i in object-events dominfo domsuspend hellolibvirt openauth xml/nwfilter systemtap
+for i in object-events dominfo domsuspend hellolibvirt openauth xml/nwfilter systemtap domtop
 do
 (cd examples/$i ; make clean ; rm -rf .deps .libs Makefile Makefile.in)
 done
@@ -1769,6 +1748,7 @@ fi
 %{_datadir}/libvirt/schemas/basictypes.rng
 %{_datadir}/libvirt/schemas/capability.rng
 %{_datadir}/libvirt/schemas/domain.rng
+%{_datadir}/libvirt/schemas/domaincaps.rng
 %{_datadir}/libvirt/schemas/domaincommon.rng
 %{_datadir}/libvirt/schemas/domainsnapshot.rng
 %{_datadir}/libvirt/schemas/interface.rng
diff --git a/libvirtd-defaults.patch b/libvirtd-defaults.patch
index e145973..212fabe 100644
--- a/libvirtd-defaults.patch
+++ b/libvirtd-defaults.patch
@@ -1,7 +1,7 @@
-Index: libvirt-1.2.6/daemon/libvirtd.conf
+Index: libvirt-1.2.7/daemon/libvirtd.conf
 ===================================================================
---- libvirt-1.2.6.orig/daemon/libvirtd.conf
-+++ libvirt-1.2.6/daemon/libvirtd.conf
+--- libvirt-1.2.7.orig/daemon/libvirtd.conf
++++ libvirt-1.2.7/daemon/libvirtd.conf
 @@ -18,8 +18,8 @@
 # It is necessary to setup a CA and issue server certificates before
 # using this capability.
@@ -13,10 +13,10 @@ Index: libvirt-1.2.6/daemon/libvirtd.conf
 # Listen for unencrypted TCP connections on the public TCP/IP port.
 # NB, must pass the --listen flag to the libvirtd process for this to
-Index: libvirt-1.2.6/daemon/libvirtd-config.c
+Index: libvirt-1.2.7/daemon/libvirtd-config.c
 ===================================================================
---- libvirt-1.2.6.orig/daemon/libvirtd-config.c
-+++ libvirt-1.2.6/daemon/libvirtd-config.c
+--- libvirt-1.2.7.orig/daemon/libvirtd-config.c
++++ libvirt-1.2.7/daemon/libvirtd-config.c
 @@ -229,7 +229,7 @@ daemonConfigNew(bool privileged ATTRIBUT
 if (VIR_ALLOC(data) < 0)
 return NULL;
@@ -26,10 +26,10 @@ Index: libvirt-1.2.6/daemon/libvirtd-config.c
 data->listen_tcp = 0;
 if (VIR_STRDUP(data->tls_port, LIBVIRTD_TLS_PORT) < 0 ||
-Index: libvirt-1.2.6/daemon/test_libvirtd.aug.in
+Index: libvirt-1.2.7/daemon/test_libvirtd.aug.in
 ===================================================================
---- libvirt-1.2.6.orig/daemon/test_libvirtd.aug.in
-+++ libvirt-1.2.6/daemon/test_libvirtd.aug.in
+--- libvirt-1.2.7.orig/daemon/test_libvirtd.aug.in
++++ libvirt-1.2.7/daemon/test_libvirtd.aug.in
 @@ -2,7 +2,7 @@ module Test_libvirtd =
 ::CONFIG::
diff --git a/libvirtd-init-script.patch b/libvirtd-init-script.patch
index cd92c4e..904d5c7 100644
--- a/libvirtd-init-script.patch
+++ b/libvirtd-init-script.patch
@@ -1,9 +1,9 @@
 Adjust libvirtd sysconfig file to conform to SUSE standards
-Index: libvirt-1.2.6/daemon/libvirtd.sysconf
+Index: libvirt-1.2.7/daemon/libvirtd.sysconf
 ===================================================================
---- libvirt-1.2.6.orig/daemon/libvirtd.sysconf
-+++ libvirt-1.2.6/daemon/libvirtd.sysconf
+--- libvirt-1.2.7.orig/daemon/libvirtd.sysconf
++++ libvirt-1.2.7/daemon/libvirtd.sysconf
 @@ -1,16 +1,25 @@
 +## Path: System/Virtualization/libvirt
 +
diff --git a/lxc-keep-caps-feature-conversion.patch b/lxc-keep-caps-feature-conversion.patch
deleted file mode 100644
index 89f3a76..0000000
--- a/lxc-keep-caps-feature-conversion.patch
+++ /dev/null
@@ -1,220 +0,0 @@ -From f199dbab24896c31c90a3291c4779daccef949ed Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?C=C3=A9dric=20Bosdonnat?= -Date: Wed, 11 Jun 2014 16:43:45 +0200 -Subject: [PATCH 2/3] lxc domain from xml: convert lxc.cap.drop - ---- - src/lxc/lxc_native.c | 25 ++++++++++++++++++++++ - tests/lxcconf2xmldata/lxcconf2xml-blkiotune.xml | 2 ++ - tests/lxcconf2xmldata/lxcconf2xml-cpusettune.xml | 2 ++ - tests/lxcconf2xmldata/lxcconf2xml-cputune.xml | 2 ++ - tests/lxcconf2xmldata/lxcconf2xml-idmap.xml | 2 ++ - .../lxcconf2xmldata/lxcconf2xml-macvlannetwork.xml | 4 ++++ - tests/lxcconf2xmldata/lxcconf2xml-memtune.xml | 2 ++ - tests/lxcconf2xmldata/lxcconf2xml-nonenetwork.xml | 4 ++++ - tests/lxcconf2xmldata/lxcconf2xml-nonetwork.xml | 2 ++ - tests/lxcconf2xmldata/lxcconf2xml-physnetwork.xml | 4 ++++ - tests/lxcconf2xmldata/lxcconf2xml-simple.xml | 8 +++++++ - tests/lxcconf2xmldata/lxcconf2xml-vlannetwork.xml | 4 ++++ - 12 files changed, 61 insertions(+) - -Index: libvirt-1.2.6/src/lxc/lxc_native.c -=================================================================== ---- libvirt-1.2.6.orig/src/lxc/lxc_native.c -+++ libvirt-1.2.6/src/lxc/lxc_native.c -@@ -838,6 +838,28 @@ lxcSetBlkioTune(virDomainDefPtr def, vir - return 0; - } - -+static void -+lxcSetCapDrop(virDomainDefPtr def, virConfPtr properties) -+{ -+ virConfValuePtr value; -+ char **toDrop = NULL; -+ const char *capString; -+ size_t i; -+ -+ if ((value = virConfGetValue(properties, "lxc.cap.drop")) && value->str) -+ toDrop = virStringSplit(value->str, " ", 0); -+ -+ for (i = 0; i < VIR_DOMAIN_CAPS_FEATURE_LAST; i++) { -+ capString = virDomainCapsFeatureTypeToString(i); -+ if (toDrop != NULL && virStringArrayHasString(toDrop, capString)) -+ def->caps_features[i] = VIR_DOMAIN_FEATURE_STATE_OFF; -+ } -+ -+ def->features[VIR_DOMAIN_FEATURE_CAPABILITIES] = VIR_DOMAIN_CAPABILITIES_POLICY_ALLOW; -+ -+ virStringFreeList(toDrop); -+} -+ - virDomainDefPtr - lxcParseConfigString(const char *config) - { -@@ -935,6 
+957,9 @@ lxcParseConfigString(const char *config) - if (lxcSetBlkioTune(vmdef, properties) < 0) - goto error; - -+ /* lxc.cap.drop */ -+ lxcSetCapDrop(vmdef, properties); -+ - goto cleanup; - - error: -Index: libvirt-1.2.6/tests/lxcconf2xmldata/lxcconf2xml-blkiotune.xml -=================================================================== ---- libvirt-1.2.6.orig/tests/lxcconf2xmldata/lxcconf2xml-blkiotune.xml -+++ libvirt-1.2.6/tests/lxcconf2xmldata/lxcconf2xml-blkiotune.xml -@@ -25,6 +25,8 @@ - - - -+ -+ - - - destroy -Index: libvirt-1.2.6/tests/lxcconf2xmldata/lxcconf2xml-cpusettune.xml -=================================================================== ---- libvirt-1.2.6.orig/tests/lxcconf2xmldata/lxcconf2xml-cpusettune.xml -+++ libvirt-1.2.6/tests/lxcconf2xmldata/lxcconf2xml-cpusettune.xml -@@ -13,6 +13,8 @@ - - - -+ -+ - - - destroy -Index: libvirt-1.2.6/tests/lxcconf2xmldata/lxcconf2xml-cputune.xml -=================================================================== ---- libvirt-1.2.6.orig/tests/lxcconf2xmldata/lxcconf2xml-cputune.xml -+++ libvirt-1.2.6/tests/lxcconf2xmldata/lxcconf2xml-cputune.xml -@@ -15,6 +15,8 @@ - - - -+ -+ - - - destroy -Index: libvirt-1.2.6/tests/lxcconf2xmldata/lxcconf2xml-idmap.xml -=================================================================== ---- libvirt-1.2.6.orig/tests/lxcconf2xmldata/lxcconf2xml-idmap.xml -+++ libvirt-1.2.6/tests/lxcconf2xmldata/lxcconf2xml-idmap.xml -@@ -14,6 +14,8 @@ - - - -+ -+ - - - destroy -Index: libvirt-1.2.6/tests/lxcconf2xmldata/lxcconf2xml-macvlannetwork.xml -=================================================================== ---- libvirt-1.2.6.orig/tests/lxcconf2xmldata/lxcconf2xml-macvlannetwork.xml -+++ libvirt-1.2.6/tests/lxcconf2xmldata/lxcconf2xml-macvlannetwork.xml -@@ -8,6 +8,10 @@ - exe - /sbin/init - -+ -+ -+ -+ - - destroy - restart -Index: libvirt-1.2.6/tests/lxcconf2xmldata/lxcconf2xml-memtune.xml -=================================================================== ---- 
libvirt-1.2.6.orig/tests/lxcconf2xmldata/lxcconf2xml-memtune.xml -+++ libvirt-1.2.6/tests/lxcconf2xmldata/lxcconf2xml-memtune.xml -@@ -15,6 +15,8 @@ - - - -+ -+ - - - destroy -Index: libvirt-1.2.6/tests/lxcconf2xmldata/lxcconf2xml-nonenetwork.xml -=================================================================== ---- libvirt-1.2.6.orig/tests/lxcconf2xmldata/lxcconf2xml-nonenetwork.xml -+++ libvirt-1.2.6/tests/lxcconf2xmldata/lxcconf2xml-nonenetwork.xml -@@ -8,6 +8,10 @@ - exe - /sbin/init - -+ -+ -+ -+ - - destroy - restart -Index: libvirt-1.2.6/tests/lxcconf2xmldata/lxcconf2xml-nonetwork.xml -=================================================================== ---- libvirt-1.2.6.orig/tests/lxcconf2xmldata/lxcconf2xml-nonetwork.xml -+++ libvirt-1.2.6/tests/lxcconf2xmldata/lxcconf2xml-nonetwork.xml -@@ -10,6 +10,8 @@ - - - -+ -+ - - - destroy -Index: libvirt-1.2.6/tests/lxcconf2xmldata/lxcconf2xml-physnetwork.xml -=================================================================== ---- libvirt-1.2.6.orig/tests/lxcconf2xmldata/lxcconf2xml-physnetwork.xml -+++ libvirt-1.2.6/tests/lxcconf2xmldata/lxcconf2xml-physnetwork.xml -@@ -8,6 +8,10 @@ - exe - /sbin/init - -+ -+ -+ -+ - - destroy - restart -Index: libvirt-1.2.6/tests/lxcconf2xmldata/lxcconf2xml-simple.xml -=================================================================== ---- libvirt-1.2.6.orig/tests/lxcconf2xmldata/lxcconf2xml-simple.xml -+++ libvirt-1.2.6/tests/lxcconf2xmldata/lxcconf2xml-simple.xml -@@ -8,6 +8,14 @@ - exe - /sbin/init - -+ -+ -+ -+ -+ -+ -+ -+ - - destroy - restart -Index: libvirt-1.2.6/tests/lxcconf2xmldata/lxcconf2xml-vlannetwork.xml -=================================================================== ---- libvirt-1.2.6.orig/tests/lxcconf2xmldata/lxcconf2xml-vlannetwork.xml -+++ libvirt-1.2.6/tests/lxcconf2xmldata/lxcconf2xml-vlannetwork.xml -@@ -8,6 +8,10 @@ - exe - /sbin/init - -+ -+ -+ -+ - - destroy - restart 
diff --git a/lxc-keep-caps-feature-doc.patch b/lxc-keep-caps-feature-doc.patch
deleted file mode 100644
index 5ece112..0000000
--- a/lxc-keep-caps-feature-doc.patch
+++ /dev/null
@@ -1,68 +0,0 @@
-From b6f1f5a3be5b2643b255882effdca2e903d9d738 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?C=C3=A9dric=20Bosdonnat?=
-Date: Wed, 11 Jun 2014 17:01:11 +0200
-Subject: [PATCH 3/3] lxc: update doc to mention features/capabilities/* domain
- configuration
-
----
- docs/drvlxc.html.in | 47 +++++++++++++++++++++++++++++++++++++++++++++++
- 1 file changed, 47 insertions(+)
-
-Index: libvirt-1.2.6/docs/drvlxc.html.in
-===================================================================
---- libvirt-1.2.6.orig/docs/drvlxc.html.in
-+++ libvirt-1.2.6/docs/drvlxc.html.in
-@@ -540,6 +540,53 @@ debootstrap, whatever) under /opt/vm-1-r
- </domain>
-
-
-+

Altering the available capabilities

-+ -+

-+By default the libvirt LXC driver drops some capabilities among which CAP_MKNOD. -+However since 1.2.6 libvirt can be told to keep or -+drop some capabilities using a domain configuration like the following: -+

-+
-+...
-+<features>
-+  <capabilities policy='default'>
-+    <mknod state='on'/>
-+    <sys_chroot state='off'/>
-+  </capabilities>
-+</features>
-+...
-+
-+

-+The capabilities children elements are named after the capabilities as defined in -+man 7 capabilities. An off state tells libvirt to drop the -+capability, while an on state will force to keep the capability even though -+this one is dropped by default. -+

-+

-+The policy attribute can be one of default, allow -+or deny. It defines the default rules for capabilities: either keep the -+default behavior that is dropping a few selected capabilities, or keep all capabilities -+or drop all capabilities. The interest of allow and deny is that -+they guarantee that all capabilities will be kept (or removed) even if new ones are added -+later. -+

-+

-+The following example, drops all capabilities but CAP_MKNOD: -+

-+
-+...
-+<features>
-+  <capabilities policy='deny'>
-+    <mknod state='on'/>
-+  </capabilities>
-+</features>
-+...
-+
-+

-+Note that allowing capabilities that are normally dropped by default can seriously -+affect the security of the container and the host. -+

- -

Container usage / management

- diff --git a/lxc-keep-caps-feature.patch b/lxc-keep-caps-feature.patch deleted file mode 100644 index 09a2f86..0000000 --- a/lxc-keep-caps-feature.patch +++ /dev/null 
@@ -1,980 +0,0 @@ -From 370ed9b2535b11acaa776fbb4fc6dcb8671c2c88 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?C=C3=A9dric=20Bosdonnat?= -Date: Wed, 11 Jun 2014 15:03:58 +0200 -Subject: [PATCH 1/3] lxc: allow to keep or drop capabilities - -Added in the section of LXC domains -configuration. This section can contain elements named after the -capabilities like: - - , keep CAP_MKNOD capability - drop CAP_SYS_CHROOT capability - -Users can restrict or give more capabilities than the default using -this mechanism. ---- - docs/schemas/domaincommon.rng | 207 ++++++++++++++++++++++++ - src/conf/domain_conf.c | 126 ++++++++++++++- - src/conf/domain_conf.h | 56 +++++++ - src/libvirt_private.syms | 3 + - src/lxc/lxc_cgroup.c | 8 + - src/lxc/lxc_container.c | 123 ++++++++++++-- - src/util/vircgroup.c | 74 ++++++++- - src/util/vircgroup.h | 2 + - tests/domainschemadata/domain-caps-features.xml | 28 ++++ - 9 files changed, 602 insertions(+), 25 deletions(-) - create mode 100644 tests/domainschemadata/domain-caps-features.xml - -Index: libvirt-1.2.6/docs/schemas/domaincommon.rng -=================================================================== ---- libvirt-1.2.6.orig/docs/schemas/domaincommon.rng -+++ libvirt-1.2.6/docs/schemas/domaincommon.rng -@@ -3744,6 +3744,9 @@ - - - -+ -+ -+ - - - -@@ -4311,6 +4314,200 @@ - - - -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ - - - -@@ -4319,6 +4516,16 @@ - - - -+ -+ -+ -+ -+ default -+ allow -+ deny -+ -+ -+ - -