- 14 Mar, 2019 1 commit
-
-
Committed by Michal Privoznik
The code tries to detect installed version of qemu to learn if it uses HMP or QMP and enable YAJL based on that. Well, we support only QMP and also minimal required version of qemu is 1.5.0 so the check would have enabled yajl anyway. Signed-off-by: Michal Privoznik <mprivozn@redhat.com> Reviewed-by: Ján Tomko <jtomko@redhat.com>
-
- 12 Feb, 2019 2 commits
-
-
Committed by Michal Privoznik
The wireshark-2.4.0 is almost 2 years old now. Assuming anybody interested in running latest libvirt doesn't run old wireshark, it is safe to do this. It also simplifies the code. Signed-off-by: Michal Privoznik <mprivozn@redhat.com> Reviewed-by: Ján Tomko <jtomko@redhat.com>
-
Committed by Michal Privoznik
Since wireshark-2.5.0 toplevel plugins are no longer loaded. Only plugins from epan/, wiretap/ or codecs/ subdirs are. Update the plugin dir we generate. This is safe to do even for older wiresharks, since they load plugins from there too. Signed-off-by: Michal Privoznik <mprivozn@redhat.com> Reviewed-by: Ján Tomko <jtomko@redhat.com>
-
- 02 Feb, 2019 2 commits
-
-
Committed by Laine Stump
In the past (when both libvirt and firewalld used iptables), if either libvirt's rules *OR* firewalld's rules accepted a packet, it would be accepted. This was because libvirt and firewalld rules were processed during the same kernel hook, and a single ACCEPT result would terminate the rule traversal and cause the packet to be accepted. But now firewalld can use nftables for its backend, while libvirt's firewall rules are still using iptables; iptables rules are still processed, but at a different time during packet processing (i.e. during a different hook) than the firewalld nftables rules. The result is that a packet must be accepted by *BOTH* the libvirt iptables rules *AND* the firewalld nftable rules in order to be accepted. This causes pain because 1) libvirt always adds rules to permit DNS and DHCP (and sometimes TFTP) from guests to the host network's bridge interface. But libvirt's bridges are in firewalld's "default" zone (which is usually the zone called "public"). The public zone allows ssh, but doesn't allow DNS, DHCP, or TFTP. So even though libvirt's rules allow the DHCP and DNS traffic, the firewalld rules (now processed during a different hook) don't, thus guests connected to libvirt's bridges can't acquire an IP address from DHCP, nor can they make DNS queries to the DNS server libvirt has set up on the host. (This could be solved by modifying the default firewalld zone to allow DNS and DHCP, but that would open *all* interfaces in the default zone to those services, which is most likely not what the host's admin wants.)
2) Even though libvirt adds iptables rules to allow forwarded traffic to pass the iptables hook, firewalld's higher level "rich rules" don't yet have the ability to configure the acceptance of forwarded traffic (traffic that is going somewhere beyond the host), so any traffic that needs to be forwarded from guests to the network beyond the host is rejected during the nftables hook by the default zone's "default reject" policy (which rejects all traffic in the zone not specifically allowed by the rules in the zone, whether that traffic is destined to be forwarded or locally received by the host). libvirt can't send "direct" nftables rules (firewalld only supports direct/passthrough rules for iptables), so we can't solve this problem by just sending explicit nftables rules instead of explicit iptables rules (which, if it could be done, would place libvirt's rules in the same hook as firewalld's native rules, and thus eliminate the need for packets to be accepted by both libvirt's and firewalld's own rules). However, we can take advantage of a quirk in firewalld zones that have a default policy of "accept" (meaning any packet that doesn't match a specific rule in the zone will be *accepted*) - this default accept will also accept forwarded traffic (not just traffic destined for the host). Of course we don't want to modify firewalld's default zone in that way, because that would affect the filtering of traffic coming into the host from other interfaces using that zone. Instead, we will create a new zone called "libvirt". The libvirt zone will have a default policy of accept so that forwarded traffic can pass and list specific services that will be allowed into the host from guests (DNS, DHCP, SSH, and TFTP). But the same default accept policy that fixes forwarded traffic also causes *all* traffic from guest to host to be accepted. 
To close this new hole, the libvirt zone can take advantage of a new feature in firewalld (currently slated for firewalld-0.7.0) - priorities for rich rules - to add a low priority rule that rejects all local traffic (but leaves alone all forwarded traffic). So, our new zone will start with a list of services that are allowed (dhcp, dns, tftp, and ssh to start, but configurable via any firewalld management application, or direct editing of the zone file in /etc/firewalld/zones/libvirt.xml), followed by a low priority <reject/> rule (to reject all other traffic from guest to host), and finally with a default policy of accept (to allow forwarded traffic). This patch only creates the zonefile for the new zone, and implements a configure.ac option to selectively enable/disable installation of the new zone. A separate patch contains the necessary code to actually place bridge interfaces in the libvirt zone. Why do we need a configure option to disable installation of the new libvirt zone? It uses a new firewalld attribute that sets the priority of a rich rule; this feature first appears in firewalld-0.7.0 (unless it has been backported to an earlier firewalld by a downstream maintainer). If the file were installed on a system with firewalld that didn't support rule priorities, firewalld would log an error every time it restarted, causing confusion and lots of extra bug reports. So we add two new configure.ac switches to avoid polluting the system logs with this error on systems that don't support rule priorities - "--with-firewalld-zone" and "--without-firewalld-zone". A package builder can use these to include/exclude the libvirt zone file in the installation. If firewalld is enabled (--with-firewalld), the default is --with-firewalld-zone, but it can be disabled during configure (using --without-firewalld-zone).
Targets that are using a firewalld version too old to support the rule priority setting in the libvirt zone file can simply add --without-firewalld-zone to their configure commandline. These switches only affect whether or not the libvirt zone file is *installed* in /usr/lib/firewalld/zones, but have no effect on whether or not libvirt looks for a zone called libvirt and tries to use it. NB: firewalld zones can only be added to the permanent config of firewalld, and won't be loaded/enabled until firewalld is restarted, so at package install/upgrade time we have to restart firewalld. For rpm-based distros, this is done in the libvirt.spec file by calling the %firewalld_restart rpm macro, which is a part of the firewalld-filesystem package. (For distros that don't use rpm packages, the command "firewalld-cmd --reload" will have the same effect). Signed-off-by: Laine Stump <laine@laine.org> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
-
Committed by Laine Stump
Support for firewalld is a feature that can be selectively enabled or disabled (using --with-firewalld/--without-firewalld), not merely something that must be accounted for in the code if it is present with no exceptions. It is more consistent with other usage in libvirt to use WITH_FIREWALLD rather than HAVE_FIREWALLD. Signed-off-by: Laine Stump <laine@laine.org> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
-
- 18 Dec, 2018 1 commit
-
-
Committed by Michal Privoznik
The driver is unmaintained, untested and severely broken for quite some time now. Since nobody even reported any issue with it let us drop it. Signed-off-by: Michal Privoznik <mprivozn@redhat.com> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
-
- 27 Nov, 2018 1 commit
-
-
Since this is something between PV and HVM, it makes sense to put the setting in place where domain type is specified. To enable it, use <os><type machine="xenpvh">xenpvh</type></os>. It is also included in capabilities.xml, for every supported HVM guest type - it doesn't seem to be any other requirement (besides new enough Xen). Signed-off-by: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com> Reviewed-by: Jim Fehlig <jfehlig@suse.com>
-
- 20 Sep, 2018 2 commits
-
-
Committed by Jim Fehlig
With the assumption that all Xen >= 4.6 contains a pkgconfig file for libxenlight, commit 5bdcef13 dropped the fallback check to probe libxenlight with LIBVIRT_CHECK_LIB. At the time it was not known that the various Xen pkgconfig files are in the -runtime package in Fedora, instead of the traditional -devel package. This bug [1] was fixed in Fedora > 28, but until Fedora 28 reaches EOL we'll need to re-introduce the fallback check. [1] https://bugzilla.redhat.com/show_bug.cgi?id=1629643 Signed-off-by: Jim Fehlig <jfehlig@suse.com>
-
Committed by Jim Fehlig
Signed-off-by: Jim Fehlig <jfehlig@suse.com>
-
- 19 Sep, 2018 1 commit
-
-
Committed by Jim Fehlig
The libxl_domain_config_from_json API appeared in Xen 4.5, hence there is no need to check for its existence after changing the minimum supported Xen version to 4.6. Remove the check and its use in the tests. Signed-off-by: Jim Fehlig <jfehlig@suse.com> Reviewed-by: Ján Tomko <jtomko@redhat.com>
-
- 15 Sep, 2018 1 commit
-
-
Committed by Jim Fehlig
Currently the libxl driver claims support for Xen >= 4.4, but Xen 4.4 and 4.5 are no longer supported upstream. Let's increase the minimum supported Xen version to 4.6 and change the defined LIBXL_API_VERSION to 0x040500, which is the API version defined when Xen 4.6 was released. Since Xen 4.6 contains a pkgconfig file, drop the now unused code that falls back to using LIBVIRT_CHECK_LIB in the absence of pkgconfig file. In addition, bumping the LIBXL_API_VERSION required adjusting the calls to libxl_set_vcpuaffinity to account for the extra parameter in the 0x040500 version of the API. Signed-off-by: Jim Fehlig <jfehlig@suse.com> Reviewed-by: Ján Tomko <jtomko@redhat.com>
-
- 13 Aug, 2018 5 commits
-
-
Committed by Ján Tomko
This reverts commit 12b34f09. Jansson cannot parse QEMU's quirky JSON. Revert back to yajl. https://bugzilla.redhat.com/show_bug.cgi?id=1614569 Conflicts: configure.ac: Commit 8aa85e0b introduced LIBVIRT_*_LIBISCSI macros. Signed-off-by: Ján Tomko <jtomko@redhat.com> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
-
Committed by Ján Tomko
This reverts commit 9cf38263. Jansson cannot parse QEMU's quirky JSON. Revert back to yajl. https://bugzilla.redhat.com/show_bug.cgi?id=1614569 Signed-off-by: Ján Tomko <jtomko@redhat.com> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
-
Committed by Ján Tomko
This reverts commit c5ae8e0c. Jansson cannot parse QEMU's quirky JSON. Revert back to yajl. https://bugzilla.redhat.com/show_bug.cgi?id=1614569 Signed-off-by: Ján Tomko <jtomko@redhat.com> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
-
Committed by Ján Tomko
This reverts commit 01ce0437. Jansson cannot parse QEMU's quirky JSON. Revert back to yajl. https://bugzilla.redhat.com/show_bug.cgi?id=1614569 Signed-off-by: Ján Tomko <jtomko@redhat.com> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
-
Committed by Ján Tomko
This reverts commit 4dd60540. Jansson cannot parse QEMU's quirky JSON. Revert back to yajl. https://bugzilla.redhat.com/show_bug.cgi?id=1614569 Signed-off-by: Ján Tomko <jtomko@redhat.com> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
-
- 10 Aug, 2018 1 commit
-
-
Fix saving CFLAGS in LIBVIRT_DRIVER_CHECK_LIBXL - LIBVIRT_CHECK_LIB will override old_CFLAGS, so use a different name. Signed-off-by: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com> Reviewed-by: Jim Fehlig <jfehlig@suse.com>
-
- 06 Aug, 2018 4 commits
-
-
Committed by Clementine Hayat
We need here libiscsi for the storage pool backend. For the iscsi-direct storage pool, only checkPool and refreshPool should be necessary for basic support. The pool is state-less and just needs the information within the volume to work. Signed-off-by: Clementine Hayat <clem@lse.epita.fr> Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
-
Committed by Clementine Hayat
Introducing the pool as a noop. Integration inside the build system. Implementation will be in the following commits. Signed-off-by: Clementine Hayat <clem@lse.epita.fr> Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
-
Committed by Clementine Hayat
The minimal required version is 1.18.0 because the synchronous functions needed were introduced here. Signed-off-by: Clementine Hayat <clem@lse.epita.fr>
-
Committed by Martin Kletzander
The proper file that should be included is `sys/xattr.h` as that comes from `glibc` and not `attr/xattr.h` which ships with the `attr` utility. We're most probably not the only ones because `attr/xattr.h` added a #warning to their include resulting in the following compilation errors: In file included from securityselinuxlabeltest.c:31:0: /usr/include/attr/xattr.h:5:2: error: #warning "Please change your <attr/xattr.h> includes to <sys/xattr.h>" [-Werror=cpp] #warning "Please change your <attr/xattr.h> includes to <sys/xattr.h>" ^~~~~~~ In file included from securityselinuxhelper.c:37:0: /usr/include/attr/xattr.h:5:2: error: #warning "Please change your <attr/xattr.h> includes to <sys/xattr.h>" [-Werror=cpp] #warning "Please change your <attr/xattr.h> includes to <sys/xattr.h>" ^~~~~~~ Signed-off-by: Martin Kletzander <mkletzan@redhat.com> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
-
- 18 Jul, 2018 5 commits
-
-
Committed by Ján Tomko
Add a second check for Jansson >= 2.8, which includes fixes to preserve ordering of object keys. Use this constant to guard tests that depend on stable ordering. Signed-off-by: Ján Tomko <jtomko@redhat.com>
-
Committed by Ján Tomko
If the QEMU driver was requested, require Jansson, since we need to use the JSON monitor to probe capabilities for all QEMU versions supported by libvirt. Signed-off-by: Ján Tomko <jtomko@redhat.com>
-
Committed by Ján Tomko
Unless explicitly requested, enable the QEMU driver only if the Jansson library is present. Signed-off-by: Ján Tomko <jtomko@redhat.com>
-
Committed by Ján Tomko
Yajl has not seen much activity upstream recently. Switch to using Jansson >= 2.5. All the platforms we target on https://libvirt.org/platforms.html have a version >= 2.7 listed on the sites below: https://repology.org/metapackage/jansson/versions https://build.opensuse.org/package/show/devel:libraries:c_c++/libjansson Additionally, Ubuntu 14.04 on Travis-CI has 2.5. Set the requirement to 2.5 since we don't use anything from newer versions. Implement virJSONValue{From,To}String using Jansson, delete the yajl code (and the related virJSONParser structure) and report an error if someone explicitly specifies --with-yajl. Also adjust the test data to account for Jansson's different whitespace usage for empty arrays and tune up the specfile to keep 'make rpm' working when bisecting. Signed-off-by: Ján Tomko <jtomko@redhat.com>
-
Committed by Ján Tomko
Introduce the configure argument and check for Jansson >= 2.5 Signed-off-by: Ján Tomko <jtomko@redhat.com>
-
- 06 Jun, 2018 1 commit
-
-
Committed by Daniel P. Berrangé
When --disable-nls is given we turn off use of gettext in the source code, but mistakenly still installed the gmo files. Reported-by: Olaf Hering <olaf@aepfle.de> Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
-
- 05 Jun, 2018 1 commit
-
-
Committed by Michal Privoznik
We are building with GnuTLS everywhere because GnuTLS is widely available. Also, it is desirable to prefer cryptographically strong PRNG over "/dev/urandom" which is just a fallback. Signed-off-by: Michal Privoznik <mprivozn@redhat.com> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
-
- 16 May, 2018 5 commits
-
-
Committed by Ján Tomko
Assume its presence for gnutls >= 3.2. Check introduced by <commit 7d21d6b6>. Signed-off-by: Ján Tomko <jtomko@redhat.com>
-
Committed by Ján Tomko
Introduced in gnutls 2.10, and we assume >= 3.2. Commit 1ce9c08a added this check. Signed-off-by: Ján Tomko <jtomko@redhat.com>
-
Committed by Ján Tomko
Introduced in gnutls 2.12, but we require gnutls >= 3.2 Check added by commit <2d23d145>. Signed-off-by: Ján Tomko <jtomko@redhat.com>
-
Committed by Ján Tomko
Now that we assume GnuTLS >= 3.0, we can ditch gcrypt support. Introduced by <commit 6094b1ff>. Signed-off-by: Ján Tomko <jtomko@redhat.com>
-
Committed by Ján Tomko
Ubuntu 14.04 which is not targeted as a supported platform [0] already has 3.2.11 [0] https://libvirt.org/platforms.html Signed-off-by: Ján Tomko <jtomko@redhat.com>
-
- 11 May, 2018 2 commits
-
-
Committed by Julio Faracco
This commit adds some checks inside libssh m4 checking to verify if ssh_get_server_publickey is available. This new function scope replaces the old ssh_get_publickey() from libssh 0.7.5 and below. Assuming that some distros are not showing the right version of libssh. This is a simple way to check which function is available. Signed-off-by: Julio Faracco <jcfaracco@gmail.com> Reviewed-by: Andrea Bolognani <abologna@redhat.com>
-
Committed by Michal Privoznik
Just like we allow users overriding path to bridge-helper detected at compile time we can allow them to override path to qemu-pr-helper. Signed-off-by: Michal Privoznik <mprivozn@redhat.com> Reviewed-by: John Ferlan <jferlan@redhat.com>
-
- 19 Apr, 2018 1 commit
-
-
Committed by Daniel P. Berrangé
Historically we have relied on autopoint/gettextize to install a standard po/Makefile.in.in. There is very limited scope for customizing this and it also causes a bunch of extra stuff to be pulled into configure.ac which potentially clashes with gnulib. Writing make rules for po file management is no more difficult than any other rules libvirt has, so stop using autopoint/gettextize. Reviewed-by: Ján Tomko <jtomko@redhat.com> Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
-
- 10 Apr, 2018 1 commit
-
-
Committed by Jim Fehlig
xend was deprecated in Xen 4.2 and removed from the Xen sources before the Xen 4.5 release. The last Xen release to contain xend was Xen 4.4, which was retired upstream in March 2017. Remove xend support from libvirt since it is unrealistic to use modern libvirt with ancient Xen. Signed-off-by: Jim Fehlig <jfehlig@suse.com> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
-
- 26 Mar, 2018 2 commits
-
-
Committed by Ján Tomko
Commit 2499d1a0 was too eager and possibly enabled polkit on all platforms with D-Bus, regardless of whether they use polkit. Reintroduce the usage of pkcheck as a witness for --with-polkit=check, but do not require it for --with-polkit=yes. Signed-off-by: Ján Tomko <jtomko@redhat.com> Reported-by: Jiří Denemark <jdenemar@redhat.com> Reviewed-by: Andrea Bolognani <abologna@redhat.com>
-
Committed by Rainer Müller
After validation against XHTML 1.0 was dropped in f802c9de, the XML_CATALOG_FILE is not in use anymore. Therefore the checks in configure can be removed. Signed-off-by: Rainer Müller <raimue@codingfarm.de>
-
- 14 Mar, 2018 1 commit
-
-
Committed by Andrea Bolognani
Commit 596fc3e3 introduced the ability to detect xenstore using pkg-config for systems with Xen 4.9, but accidentally broke detection for all other systems. Fix the logic so that it works in all cases. Signed-off-by: Andrea Bolognani <abologna@redhat.com>
-