From 6bfebf38843620503203247eeb7cc5c72c3bba5eaff5d49390d68f74fdddfe4a Mon Sep 17 00:00:00 2001
From: James Fehlig
Date: Fri, 8 Mar 2013 19:47:00 +0000
Subject: [PATCH] - Fix PCI device attach for xen HVM domains fix-pci-attach-xen-driver.patch FATE#313570 - Apparmor security driver: Ensure tapfd's are labled when generating the guest profile. Modified install-apparmor-profiles.patch, added upstream patch ce4557c3-apparmor-tapfd-label.patch bnc#807940 - Grant permission to use datagram packets in libvirtd apparmor profile. Remove AF_PACKET.patch, modify install-apparmor-profiles.patch bnc#801145 - Add 'managed' PCI passthrough support to legacy xen driver support-managed-pci-xen-driver.patch FATE#313570
OBS-URL: https://build.opensuse.org/package/show/Virtualization/libvirt?expand=0&rev=253
---
 AF_PACKET.patch | 26 -----
 ce4557c3-apparmor-tapfd-label.patch | 68 ++++++++++++++
 fix-pci-attach-xen-driver.patch | 42 +++++++++
 install-apparmor-profiles.patch | 6 +-
 libvirt.changes | 31 ++++++
 libvirt.spec | 10 +-
 support-managed-pci-xen-driver.patch | 136 +++++++++++++++++++++++++++
 7 files changed, 288 insertions(+), 31 deletions(-)
 delete mode 100644 AF_PACKET.patch
 create mode 100644 ce4557c3-apparmor-tapfd-label.patch
 create mode 100644 fix-pci-attach-xen-driver.patch
 create mode 100644 support-managed-pci-xen-driver.patch
diff --git a/AF_PACKET.patch b/AF_PACKET.patch
deleted file mode 100644
index 4951a2f..0000000
--- a/AF_PACKET.patch
+++ /dev/null
@@ -1,26 +0,0 @@ -Index: libvirt-1.0.3/src/util/virnetdev.c -=================================================================== ---- libvirt-1.0.3.orig/src/util/virnetdev.c -+++ libvirt-1.0.3/src/util/virnetdev.c -@@ -81,7 +81,7 @@ static int virNetDevSetupControlFull(con - static int virNetDevSetupControl(const char *ifname, - struct ifreq *ifr) - { -- return virNetDevSetupControlFull(ifname, ifr, AF_PACKET, SOCK_DGRAM); -+ return virNetDevSetupControlFull(ifname, ifr, AF_INET, SOCK_STREAM); - } - #endif - -Index: libvirt-1.0.3/src/util/virnetdevbridge.c -=================================================================== ---- libvirt-1.0.3.orig/src/util/virnetdevbridge.c -+++ libvirt-1.0.3/src/util/virnetdevbridge.c -@@ -85,7 +85,7 @@ static int virNetDevSetupControlFull(con - static int virNetDevSetupControl(const char *ifname, - struct ifreq *ifr) - { -- return virNetDevSetupControlFull(ifname, ifr, AF_PACKET, SOCK_DGRAM); -+ return virNetDevSetupControlFull(ifname, ifr, AF_INET, SOCK_STREAM); - } - #endif - diff --git a/ce4557c3-apparmor-tapfd-label.patch b/ce4557c3-apparmor-tapfd-label.patch new file mode 100644 index 0000000..0626f21 --- /dev/null +++ b/ce4557c3-apparmor-tapfd-label.patch 
@@ -0,0 +1,68 @@ +commit ce4557c3ab3702639db73615dd144ddf036321ed +Author: Guannan Ren +Date: Fri Mar 8 00:16:59 2013 +0800 + + apparmor: use AppArmorSetFDLabel for both imageFD and tapFD + + Rename AppArmorSetImageFDLabel to AppArmorSetFDLabel which could + be used as a common function for *ALL* fd relabelling in Linux. + + In apparmor profile for specific vm with uuid cdbebdfa-1d6d-65c3-be0f-fd74b978a773 + Path: /etc/apparmor.d/libvirt/libvirt-cdbebdfa-1d6d-65c3-be0f-fd74b978a773.files + The last line is for the tapfd relabelling. + + # DO NOT EDIT THIS FILE DIRECTLY. IT IS MANAGED BY LIBVIRT. + "/var/log/libvirt/**/rhel6qcow2.log" w, + "/var/lib/libvirt/**/rhel6qcow2.monitor" rw, + "/var/run/libvirt/**/rhel6qcow2.pid" rwk, + "/run/libvirt/**/rhel6qcow2.pid" rwk, + "/var/run/libvirt/**/*.tunnelmigrate.dest.rhel6qcow2" rw, + "/run/libvirt/**/*.tunnelmigrate.dest.rhel6qcow2" rw, + "/var/lib/libvirt/images/rhel6u3qcow2.img" rw, + "/dev/tap45" rw, + +Index: libvirt-1.0.3/src/security/security_apparmor.c +=================================================================== +--- libvirt-1.0.3.orig/src/security/security_apparmor.c ++++ libvirt-1.0.3/src/security/security_apparmor.c +@@ -884,9 +884,9 @@ AppArmorRestoreSavedStateLabel(virSecuri + } + + static int +-AppArmorSetImageFDLabel(virSecurityManagerPtr mgr, +- virDomainDefPtr def, +- int fd) ++AppArmorSetFDLabel(virSecurityManagerPtr mgr, ++ virDomainDefPtr def, ++ int fd) + { + int rc = -1; + char *proc = NULL; +@@ -915,16 +915,6 @@ AppArmorSetImageFDLabel(virSecurityManag + return reload_profile(mgr, def, fd_path, true); + } + +-/* TODO need code here */ +-static int +-AppArmorSetTapFDLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, +- virDomainDefPtr def ATTRIBUTE_UNUSED, +- int fd ATTRIBUTE_UNUSED) +-{ +- return 0; +-} +- +- + static char * + AppArmorGetMountOptions(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, + virDomainDefPtr vm ATTRIBUTE_UNUSED) +@@ -975,8 +965,8 @@ virSecurityDriver virAppArmorSecurityDri + 
.domainSetSavedStateLabel = AppArmorSetSavedStateLabel, + .domainRestoreSavedStateLabel = AppArmorRestoreSavedStateLabel, + +- .domainSetSecurityImageFDLabel = AppArmorSetImageFDLabel, +- .domainSetSecurityTapFDLabel = AppArmorSetTapFDLabel, ++ .domainSetSecurityImageFDLabel = AppArmorSetFDLabel, ++ .domainSetSecurityTapFDLabel = AppArmorSetFDLabel, + + .domainGetSecurityMountOptions = AppArmorGetMountOptions, + }; diff --git a/fix-pci-attach-xen-driver.patch b/fix-pci-attach-xen-driver.patch new file mode 100644 index 0000000..8d7710c --- /dev/null +++ b/fix-pci-attach-xen-driver.patch 
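Review bot: AppArmorSetFDLabel is now wired to both `.domainSetSecurityImageFDLabel` and `.domainSetSecurityTapFDLabel` in the last nested hunk, but the function itself still carries no comment saying it serves every fd relabel, so the next reader of security_apparmor.c sees a generically named helper without its contract. A header such as `/* Label the object behind fd for this domain: derive the fd's path, then reload the guest profile so it grants access to that path. Shared by the image-fd and tap-fd callbacks. */` would carry what the commit message demonstrates (the resulting rule in the example profile is `"/dev/tap45" rw,`). The lines that compute `fd_path` lie between the two nested hunks and are not visible here, so the exact derivation should be checked before the comment states it.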
@@ -0,0 +1,42 @@ +Fix PCI device attach in xend driver + +When attaching PCI device using the xend driver, the 'device_create' +RPC is called, which is not sufficient to fully prepare/configure +the device for attachment to a domain. In the xen tools, xm pci-attach +uses the 'device_configure' RPC. + +This patch changes the xend driver to always call 'device_configure' for +PCI devices to be consistent with the usage in the xen tools. + +Index: libvirt-1.0.3/src/xen/xend_internal.c +=================================================================== +--- libvirt-1.0.3.orig/src/xen/xend_internal.c ++++ libvirt-1.0.3/src/xen/xend_internal.c +@@ -2473,6 +2473,7 @@ xenDaemonAttachDeviceFlags(virDomainPtr + virBuffer buf = VIR_BUFFER_INITIALIZER; + char class[8], ref[80]; + char *target = NULL; ++ int new_dev; + + virCheckFlags(VIR_DOMAIN_AFFECT_LIVE | VIR_DOMAIN_AFFECT_CONFIG, -1); + +@@ -2585,8 +2586,18 @@ xenDaemonAttachDeviceFlags(virDomainPtr + } + + sexpr = virBufferContentAndReset(&buf); ++ new_dev = virDomainXMLDevID(domain, def, dev, class, ref, sizeof(ref)); + +- if (virDomainXMLDevID(domain, def, dev, class, ref, sizeof(ref))) { ++ /* always call 'device_configure' for pci device */ ++ if (dev->type == VIR_DOMAIN_DEVICE_HOSTDEV && ++ dev->data.hostdev->mode == VIR_DOMAIN_HOSTDEV_MODE_SUBSYS && ++ dev->data.hostdev->source.subsys.type == VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_PCI) { ++ ret = xend_op(domain->conn, domain->name, "op", "device_configure", ++ "config", sexpr, "dev", ref, NULL); ++ goto cleanup; ++ } ++ ++ if (new_dev) { + /* device doesn't exist, define it */ + ret = xend_op(domain->conn, domain->name, "op", "device_create", + "config", sexpr, NULL); diff --git a/install-apparmor-profiles.patch b/install-apparmor-profiles.patch index 961b534..f3aacd7 100644 --- a/install-apparmor-profiles.patch +++ b/install-apparmor-profiles.patch 
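Review bot: The new PCI branch passes `ref` to xend_op whatever `new_dev` holds, while `ref` is declared without an initializer in the first nested hunk (`char class[8], ref[80];`) and the replaced code only used it on the path where virDomainXMLDevID returned zero. If virDomainXMLDevID can return non-zero for a PCI hostdev without filling `ref` (its body is outside this patch, so that cannot be confirmed here), the `dev` argument handed to xend would be uninitialized stack data. Either make the dependency explicit once verified, e.g. `/* virDomainXMLDevID always fills ref for PCI hostdevs, so new_dev is ignored here */`, or only take the `device_configure` path when `new_dev == 0` and report an error otherwise. xenDaemonAttachDeviceFlags starts and ends outside the hunk.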
@@ -202,7 +202,7 @@ Index: libvirt-1.0.3/examples/apparmor/usr.sbin.libvirtd.in =================================================================== --- /dev/null +++ libvirt-1.0.3/examples/apparmor/usr.sbin.libvirtd.in -@@ -0,0 +1,57 @@ +@@ -0,0 +1,58 @@ +# Last Modified: Fri Aug 19 11:20:36 2011 +#include +@{LIBVIRT}="libvirt" @@ -233,6 +233,7 @@ Index: libvirt-1.0.3/examples/apparmor/usr.sbin.libvirtd.in + network inet dgram, + network inet6 stream, + network inet6 dgram, ++ network packet dgram, + + # Very lenient profile for libvirtd since we want to first focus on confining + # the guests. Guests will have a very restricted profile. @@ -398,7 +399,7 @@ Index: libvirt-1.0.3/examples/apparmor/libvirt-qemu.in =================================================================== --- /dev/null +++ libvirt-1.0.3/examples/apparmor/libvirt-qemu.in -@@ -0,0 +1,131 @@ +@@ -0,0 +1,132 @@ +# Last Modified: Fri Mar 9 14:43:22 2012 + + #include @@ -409,6 +410,7 @@ Index: libvirt-1.0.3/examples/apparmor/libvirt-qemu.in + capability dac_override, + capability dac_read_search, + capability chown, ++ capability setgid, + + network inet stream, + network inet6 stream, diff --git a/libvirt.changes b/libvirt.changes index 35987d4..e0f7c82 100644 --- a/libvirt.changes +++ b/libvirt.changes 
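Review bot: The `capability setgid,` grant added to libvirt-qemu.in in the fourth hunk of this section has no justification anywhere in the commit: the changelog entries only explain the libvirtd `network packet dgram,` line (needed now that AF_PACKET.patch, which had turned the AF_PACKET/SOCK_DGRAM control socket into AF_INET/SOCK_STREAM, is removed). libvirt-qemu.in is the base of the per-guest profile, so every capability added there is available to a compromised guest process, and an unexplained grant is hard to revisit in a later audit. A one-line comment next to it, e.g. `  # setgid: <reason — TODO: fill in the requesting component or bug id>`, plus a matching sentence in libvirt.changes would close that gap. Likewise `network packet dgram,` could cite bnc#801145 in a comment so the link to the dropped patch survives.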
@@ -1,3 +1,34 @@ +------------------------------------------------------------------- +Fri Mar 8 12:00:39 MST 2013 - jfehlig@suse.com + +- Fix PCI device attach for xen HVM domains + fix-pci-attach-xen-driver.patch + FATE#313570 + +------------------------------------------------------------------- +Fri Mar 8 09:06:27 MST 2013 - jfehlig@suse.com + +- Apparmor security driver: Ensure tapfd's are labled when + generating the guest profile. + Modified install-apparmor-profiles.patch, added upstream patch + ce4557c3-apparmor-tapfd-label.patch + bnc#807940 + +------------------------------------------------------------------- +Thu Mar 7 09:10:33 MST 2013 - jfehlig@suse.com + +- Grant permission to use datagram packets in libvirtd apparmor + profile. + Remove AF_PACKET.patch, modify install-apparmor-profiles.patch + bnc#801145 + +------------------------------------------------------------------- +Wed Mar 6 09:14:25 MST 2013 - jfehlig@suse.com + +- Add 'managed' PCI passthrough support to legacy xen driver + support-managed-pci-xen-driver.patch + FATE#313570 + ------------------------------------------------------------------- Tue Mar 5 08:50:33 MST 2013 - jfehlig@suse.com diff --git a/libvirt.spec b/libvirt.spec index e10bf31..09c816f 100644 --- a/libvirt.spec +++ b/libvirt.spec @@ -139,7 +139,7 @@ %if 0%{?suse_version} >= 1210 %define with_netcontrol 0%{!?_without_netcontrol:%{server_drivers}} %endif - +%define with_netcontrol 1 # libcapng is used to manage capabilities in 11.3 or newer. # It is also used by lxc and needs to be enabled if lxc is enabled. %if 0%{?suse_version} >= 1130 || %{with_lxc} 
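Review bot: `%define with_netcontrol 1` is inserted unconditionally right after the `%if 0%{?suse_version} >= 1210 … %endif` block that already defines the same macro, so the conditional definition, including its `%{!?_without_netcontrol:…}` opt-out, is overridden on every build and the block becomes dead. Nothing in the libvirt.changes entries mentions forcing netcontrol on, which suggests a local-testing leftover rather than a deliberate change; if unintended, drop the line, and if intended, delete the conditional block and record the decision in the changelog. Note the new line also replaces the blank line that separated the block from the libcapng comment.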
@@ -417,11 +417,11 @@ Source1: libvirtd.init Source2: libvirtd-relocation-server.fw Source99: baselibs.conf # Upstream patches +Patch0: ce4557c3-apparmor-tapfd-label.patch # Need to go upstream Patch100: xen-name-for-devid.patch Patch101: clone.patch Patch102: xen-pv-cdrom.patch -Patch103: AF_PACKET.patch # Our patches Patch200: libvirtd-defaults.patch Patch201: libvirtd-init-script.patch @@ -429,6 +429,8 @@ Patch202: libvirt-guests-init-script.patch Patch203: virtlockd-init-script.patch Patch204: relax-qemu-usergroup-check.patch Patch205: suse-qemu-conf.patch +Patch206: fix-pci-attach-xen-driver.patch +Patch207: support-managed-pci-xen-driver.patch %if %{with_apparmor} Patch250: install-apparmor-profiles.patch %endif @@ -556,16 +558,18 @@ Authors: %prep %setup -q +%patch0 -p1 %patch100 -p1 %patch101 %patch102 -p1 -%patch103 -p1 %patch200 -p1 %patch201 -p1 %patch202 -p1 %patch203 -p1 %patch204 -p1 %patch205 -p1 +%patch206 -p1 +%patch207 -p1 %if %{with_apparmor} %patch250 -p1 %endif diff --git a/support-managed-pci-xen-driver.patch b/support-managed-pci-xen-driver.patch new file mode 100644 index 0000000..55a7338 --- /dev/null +++ b/support-managed-pci-xen-driver.patch 
@@ -0,0 +1,136 @@ +>From 5aeda96eafd230af55343e7ef835e081ded484aa Mon Sep 17 00:00:00 2001 +From: Chunyan Liu +Date: Fri, 25 Jan 2013 17:37:14 +0800 +Subject: [PATCH] support managed pci devices in xen driver + +--- + src/xenxs/xen_sxpr.c | 22 ++++++++-------------- + src/xenxs/xen_xm.c | 28 +++++++++++++++++++++++++++- + 2 files changed, 35 insertions(+), 15 deletions(-) + +Index: libvirt-1.0.3/src/xenxs/xen_sxpr.c +=================================================================== +--- libvirt-1.0.3.orig/src/xenxs/xen_sxpr.c ++++ libvirt-1.0.3/src/xenxs/xen_sxpr.c +@@ -1035,6 +1035,7 @@ xenParseSxprPCI(virDomainDefPtr def, + int busID; + int slotID; + int funcID; ++ int managed; + + node = cur->u.s.car; + if (!sexpr_lookup(node, "dev")) +@@ -1082,11 +1083,13 @@ xenParseSxprPCI(virDomainDefPtr def, + goto error; + } + ++ managed = sexpr_int(node, "dev/opts/managed"); ++ + if (!(dev = virDomainHostdevDefAlloc())) + goto error; + + dev->mode = VIR_DOMAIN_HOSTDEV_MODE_SUBSYS; +- dev->managed = 0; ++ dev->managed = managed; + dev->source.subsys.type = VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_PCI; + dev->source.subsys.u.pci.domain = domainID; + dev->source.subsys.u.pci.bus = busID; +@@ -2044,11 +2047,14 @@ static void + xenFormatSxprPCI(virDomainHostdevDefPtr def, + virBufferPtr buf) + { +- virBufferAsprintf(buf, "(dev (domain 0x%04x)(bus 0x%02x)(slot 0x%02x)(func 0x%x))", ++ virBufferAsprintf(buf, "(dev (domain 0x%04x)(bus 0x%02x)(slot 0x%02x)(func 0x%x)", + def->source.subsys.u.pci.domain, + def->source.subsys.u.pci.bus, + def->source.subsys.u.pci.slot, + def->source.subsys.u.pci.function); ++ if (def->managed) ++ virBufferAddLit(buf, "(opts (managed 1))"); ++ virBufferAddLit(buf, ")"); + } + + +@@ -2067,12 +2073,6 @@ xenFormatSxprOnePCI(virDomainHostdevDefP + virBufferPtr buf, + int detach) + { +- if (def->managed) { +- virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s", +- _("managed PCI devices not supported with XenD")); +- return -1; +- } +- + virBufferAddLit(buf, "(pci "); 
+ xenFormatSxprPCI(def, buf); + if (detach) +@@ -2127,12 +2127,6 @@ xenFormatSxprAllPCI(virDomainDefPtr def, + for (i = 0 ; i < def->nhostdevs ; i++) { + if (def->hostdevs[i]->mode == VIR_DOMAIN_HOSTDEV_MODE_SUBSYS && + def->hostdevs[i]->source.subsys.type == VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_PCI) { +- if (def->hostdevs[i]->managed) { +- virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s", +- _("managed PCI devices not supported with XenD")); +- return -1; +- } +- + xenFormatSxprPCI(def->hostdevs[i], buf); + } + } +Index: libvirt-1.0.3/src/xenxs/xen_xm.c +=================================================================== +--- libvirt-1.0.3.orig/src/xenxs/xen_xm.c ++++ libvirt-1.0.3/src/xenxs/xen_xm.c +@@ -815,6 +815,8 @@ xenParseXM(virConfPtr conf, int xendConf + int busID; + int slotID; + int funcID; ++ char *opt; ++ int managed=0; + + domain[0] = bus[0] = slot[0] = func[0] = '\0'; + +@@ -824,6 +826,11 @@ xenParseXM(virConfPtr conf, int xendConf + /* pci=['0000:00:1b.0','0000:00:13.0'] */ + if (!(key = list->str)) + goto skippci; ++ ++ opt = strchr(key, ','); ++ if (opt) ++ opt++; ++ + if (!(nextkey = strchr(key, ':'))) + goto skippci; + +@@ -872,10 +879,30 @@ xenParseXM(virConfPtr conf, int xendConf + if (virStrToLong_i(func, NULL, 16, &funcID) < 0) + goto skippci; + ++ if (opt) { ++ char opt_managed[2]; ++ char *data; ++ ++ opt_managed[0] = '\0'; ++ data = strchr(opt, '='); ++ data++; ++ ++ if (STRPREFIX(opt, "managed=")) { ++ if (virStrncpy(opt_managed, data, 1, sizeof(opt_managed)) == NULL) { ++ virReportError(VIR_ERR_INTERNAL_ERROR, ++ _("managed option %s too big for destination"), ++ data); ++ goto skippci; ++ } ++ } ++ if (virStrToLong_i(opt_managed, NULL, 10, &managed) < 0) ++ goto skippci; ++ } ++ + if (!(hostdev = virDomainHostdevDefAlloc())) + goto cleanup; + +- hostdev->managed = 0; ++ hostdev->managed = managed; + hostdev->source.subsys.type = VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_PCI; + hostdev->source.subsys.u.pci.domain = domainID; + 
hostdev->source.subsys.u.pci.bus = busID;
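Review bot: In the xen_xm.c hunk `@@ -872,10 +879,30 @@`, `data = strchr(opt, '=');` followed by `data++;` executes before the `STRPREFIX(opt, "managed=")` test, so an option with no `=` after the comma makes strchr return NULL and `data++` increment a null pointer, which is undefined behaviour even though `data` is only dereferenced inside the prefix branch. A second effect is that any option other than `managed=` leaves `opt_managed` empty, `virStrToLong_i` on an empty string fails, and the whole PCI entry is silently dropped via `goto skippci`; since `pci=[...]` is operator-supplied configuration, discarding a passthrough device over an unrecognised option deserves at least a reported error, or the option should be ignored. The rewrite below derives `data` from the matched prefix, keeps the existing error text, and ignores unknown options; whether ignoring is the right policy is the maintainer's call. The earlier hunk `@@ -824,6 +826,11 @@` takes `opt` as everything after the first comma, so only the first option is examined, and xenParseXM's body begins and ends outside both hunks.
```c
            if (opt) {
                char opt_managed[2];

                opt_managed[0] = '\0';
                if (STRPREFIX(opt, "managed=")) {
                    /* '=' is guaranteed by the prefix match, no strchr needed */
                    const char *data = opt + strlen("managed=");
                    if (virStrncpy(opt_managed, data, 1, sizeof(opt_managed)) == NULL) {
                        virReportError(VIR_ERR_INTERNAL_ERROR,
                                       _("managed option %s too big for destination"),
                                       data);
                        goto skippci;
                    }
                    if (virStrToLong_i(opt_managed, NULL, 10, &managed) < 0)
                        goto skippci;
                }
                /* other options are ignored rather than dropping the device */
            }
            /* … unchanged: virDomainHostdevDefAlloc and field assignment … */
```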