We already install the file, along with its driver-specific
counterparts, into ${datadir}/libvirt/api/ where language
bindings will actually look for them.
Signed-off-by: NAndrea Bolognani <abologna@redhat.com>
Acked-by: NMichal Privoznik <mprivozn@redhat.com>

This is exactly how we already treat nwfilters, which require
the same kind of care (aka nasty hacks) as the default network,
because in both cases the UUID is generated and written to
disk the first time libvirtd is started after installing the
corresponding subpackage.

After this patch, RPM will be aware of the fact that the
libvirt-daemon-config-network subpackage owns the default
network.
Signed-off-by: NAndrea Bolognani <abologna@redhat.com>
Acked-by: NMichal Privoznik <mprivozn@redhat.com>

While libvirtd creates this directory with the default 0755 mode, the
spec file stores 0700 in the RPM database. Thus RPM verification always
complains about this directory. Let's fix the spec file to match
reality.
Signed-off-by: NJiri Denemark <jdenemar@redhat.com>
Reviewed-by: NMartin Kletzander <mkletzan@redhat.com>

The nwfilter XML files stored in /etc/libvirt/nwfilter are copied in a
%post scriptlet from /usr/share/libvirt/nwfilter/*.xml. While the files
in /usr/share are created with mode 0644, libvirt creates the files in
/etc/libvirt/nwfilter with mode 0600. Since 0600 is also stored in the
RPM database, we need to chmod the files copied from /usr/share to make
sure RPM verification does not complain about changed permissions.

https://bugzilla.redhat.com/show_bug.cgi?id=1628475Signed-off-by: NJiri Denemark <jdenemar@redhat.com>
Reviewed-by: NAndrea Bolognani <abologna@redhat.com>

The libvirt-lock-sanlock subpackage requires sanlock to be installed
first and the sanlock package creates the sanlock group on all distros
we care about in the spec file (Fedora and RHEL >= 7). Thus instead of
setting the ownership and permissions in a post scriptlet only when the
sanlock group exists we can just install the directory with the
appropriate metadata.

https://bugzilla.redhat.com/show_bug.cgi?id=1702758Signed-off-by: NJiri Denemark <jdenemar@redhat.com>
Acked-by: NMichal Privoznik <mprivozn@redhat.com>

The libvirt-daemon-driver-qemu RPM has historically had a hard
dependency on the libvirt-daemon-driver-network and
libvirt-daemon-driver-storage-core packages. This was because the QEMU
driver would directly call into APIs that were part of these drivers.

The dependency to the storage driver was eliminated in

  commit 064fec69
  Author: Daniel P. Berrangé <berrange@redhat.com>
  Date:   Thu Jan 25 09:35:46 2018 +0000

    storage: move storage file backend framework into util directory

The dependency to the network driver was eliminated in

  commit 5b13570a
  Author: Daniel P. Berrangé <berrange@redhat.com>
  Date:   Thu Jan 25 09:35:47 2018 +0000

    conf: introduce callback registration for domain net device allocation

  commit 1438aea4
  Author: Daniel P. Berrangé <berrange@redhat.com>
  Date:   Thu Jan 25 09:35:48 2018 +0000

    conf: expand network device callbacks to cover bandwidth updates
Signed-off-by: NDaniel P. Berrangé <berrange@redhat.com>

Our build system doesn't currently install the various
example programs provided along libvirt; however, both the
upstream .spec file and the Debian packaging go out of
their way to make sure these useful demos are included in
the respective documentation packages.

Moreover, doing so without help from the upstream build
system is easy to get wrong: the libvirt-docs RPM package,
for example, ends up missing one of the examples and
including a bunch of empty .deps/ directories.

Install the examples in $(docdir) as part of our regular
procedure, so that users and downstreams don't have to do
anything special about them.
Signed-off-by: NAndrea Bolognani <abologna@redhat.com>
Acked-by: NMichal Privoznik <mprivozn@redhat.com>

At the moment we allow the user to specify exactly where
they want the HTML documentation to be installed with an
extreme level of precision through the --with-html-dir and
--with-html-subdir configure options.

Most of the time, of course, the user will stick with the
default, that is $(datadir)/doc/$(PACKAGE)-$(VERSION)/html.

So close to $(docdir)! Including the version number in
the path, specifically, seems entirely unnecessary since
different releases of libvirt are not going to be able to
coexist on the same system anyway.

Drop all these custom flexibilty for flexibilty's sake
shenaningans in favor of the standard, well understood
$(docdir).
Signed-off-by: NAndrea Bolognani <abologna@redhat.com>
Acked-by: NMichal Privoznik <mprivozn@redhat.com>

Fedora 30 is out, which means that Fedora 28 is going to be
EOL very soon. Let's get ahead of the game and drop support
for it right now.
Signed-off-by: NAndrea Bolognani <abologna@redhat.com>
Reviewed-by: NDaniel P. Berrangé <berrange@redhat.com>

Commit 3b71f2e4 added spec handling for with_firewalld_zone. We
now call %firewalld_reload if with_firewalld is set. But the matching
'BuildRequires: firewalld-filesystem' is only applied if
with_firewalld_zone is set.

Fix the former bit to use with_firewalld_zone
Reviewed-by: NLaine Stump <laine@laine.org>
Reported-by: NYuval Turgeman <yturgema@redhat.com>
Signed-off-by: NCole Robinson <crobinso@redhat.com>

The firewalld package in Fedora 30 didn't get support for rich rule
priorities, which is required by the libvirt zonefile that's installed
when the build is configured with --with-firewalld-zone, so we need to
set --without-firewalld-zone for that version of Fedora. The needed
feature is already upstream in firewalld, so it just needs another
upstream release to be there. Let's be optimistic and assume that will
happen prior to F31.

Resolves: https://bugzilla.redhat.com/1699051Signed-off-by: NLaine Stump <laine@laine.org>
Reviewed-by: NDaniel P. Berrangé <berrange@redhat.com>
Acked-by: NEric Garver <eric@garver.life>

ldconfig needs to be called after installing or uninstalling
shared libraries.

For a very long time, libvirt didn't have a separate package
containing just the shared libraries, and so it shipped them
in the same one as the clients.

Since commit 70b4f0e7, however, shared libraries have been
moved from -client to their own -libs package; unfortunately,
the corresponding ldconfig calls were not moved at the same
time, which is what this commit takes care of.
Signed-off-by: NAndrea Bolognani <abologna@redhat.com>
Reviewed-by: NJiri Denemark <jdenemar@redhat.com>

These blocks are only triggered when updating from a libvirt version
less than 0.9.4, which was released in August 2011. I think it's been
long enough that we can say this upgrade path is unsupported without
an intermediate step.
Reviewed-by: NAndrea Bolognani <abologna@redhat.com>
Signed-off-by: NCole Robinson <crobinso@redhat.com>

Since Fedora 28 (our minimum supported build), ldconfig is called
automatically for us:

https://fedoraproject.org/wiki/Changes/Removing_ldconfig_scriptlets

These changes appear to be implemented for RHEL > 7 as well, so only
run ldconfig on RHEL7
Reviewed-by: NAndrea Bolognani <abologna@redhat.com>
Signed-off-by: NCole Robinson <crobinso@redhat.com>

We previously had to disable RBD on 32-bit platforms since Ceph has
dropped all support for 32-bit. Unfortunately anyone with the RPM
libvirt-daemon-driver-storage-rbd installed on 32-bit now has a
broken upgrade path.

To fix this we must make libvirt-daemon-driver-storage-core
have an Obsoletes: libvirt-daemon-driver-storage-rbd < $VER-$REL
Reviewed-by: NErik Skultety <eskultet@redhat.com>
Signed-off-by: NDaniel P. Berrangé <berrange@redhat.com>

Support for XFS reflink clone was added in:

  commit 8ed874b3
  Author: Julio Faracco <jcfaracco@gmail.com>
  Date:   Fri Jul 6 10:43:01 2018 -0300

    storage: Rename btrfsCloneFile to support other filesystems.

  commit 2e11298f
  Author: Julio Faracco <jcfaracco@gmail.com>
  Date:   Fri Jul 6 10:43:00 2018 -0300

    configure: Adding XFS library/headers check.

But these patches missed that the xfs/xfs.h header is not installed
unless you have xfsprogs-devel present.
Reviewed-by: NAndrea Bolognani <abologna@redhat.com>
Signed-off-by: NDaniel P. Berrangé <berrange@redhat.com>

Define a schema for the storage pool capabilities along with
a test to show the general format.
Signed-off-by: NJohn Ferlan <jferlan@redhat.com>
ACKed-by: NMichal Privoznik <mprivozn@redhat.com>

The wireshark-2.4.0 is almost 2 years old now. Assuming anybody
interested in running latest libvirt doesn't run old wireshark,
it is safe to do this. It also simplifies the code.
Signed-off-by: NMichal Privoznik <mprivozn@redhat.com>
Reviewed-by: NJán Tomko <jtomko@redhat.com>

Since wirshark-2.5.0 toplevel plugins are no longer loaded. Only
plugins from epan/, wiretap/ or codecs/ subdirs are. Update the
plugin dir we generate. This is safe to do even for older
wiresharks, since they load plugins from there too.
Signed-off-by: NMichal Privoznik <mprivozn@redhat.com>
Reviewed-by: NJán Tomko <jtomko@redhat.com>

In the past (when both libvirt and firewalld used iptables), if either
libvirt's rules *OR* firewalld's rules accepted a packet, it would
be accepted. This was because libvirt and firewalld rules were
processed during the same kernel hook, and a single ACCEPT result
would terminate the rule traversal and cause the packet to be
accepted.

But now firewalld can use nftables for its backend, while libvirt's
firewall rules are still using iptables; iptables rules are still
processed, but at a different time during packet processing
(i.e. during a different hook) than the firewalld nftables rules. The
result is that a packet must be accepted by *BOTH* the libvirt
iptables rules *AND* the firewalld nftable rules in order to be
accepted.

This causes pain because

1) libvirt always adds rules to permit DNS and DHCP (and sometimes
TFTP) from guests to the host network's bridge interface. But
libvirt's bridges are in firewalld's "default" zone (which is usually
the zone called "public"). The public zone allows ssh, but doesn't
allow DNS, DHCP, or TFTP. So even though libvirt's rules allow the
DHCP and DNS traffic, the firewalld rules (now processed during a
different hook) dont, thus guests connected to libvirt's bridges can't
acquire an IP address from DHCP, nor can they make DNS queries to the
DNS server libvirt has setup on the host. (This could be solved by
modifying the default firewalld zone to allow DNS and DHCP, but that
would open *all* interfaces in the default zone to those services,
which is most likely not what the host's admin wants.)

2) Even though libvirt adds iptables rules to allow forwarded traffic
to pass the iptables hook, firewalld's higher level "rich rules" don't
yet have the ability to configure the acceptance of forwarded traffic
(traffic that is going somewhere beyond the host), so any traffic that
needs to be forwarded from guests to the network beyond the host is
rejected during the nftables hook by the default zone's "default
reject" policy (which rejects all traffic in the zone not specifically
allowed by the rules in the zone, whether that traffic is destined to
be forwarded or locally received by the host).

libvirt can't send "direct" nftables rules (firewalld only supports
direct/passthrough rules for iptables), so we can't solve this problem
by just sending explicit nftables rules instead of explicit iptables
rules (which, if it could be done, would place libvirt's rules in the
same hook as firewalld's native rules, and thus eliminate the need for
packets to be accepted by both libvirt's and firewalld's own rules).

However, we can take advantage of a quirk in firewalld zones that have
a default policy of "accept" (meaning any packet that doesn't match a
specific rule in the zone will be *accepted*) - this default accept will
also accept forwarded traffic (not just traffic destined for the host).

Of course we don't want to modify firewalld's default zone in that
way, because that would affect the filtering of traffic coming into
the host from other interfaces using that zone. Instead, we will
create a new zone called "libvirt". The libvirt zone will have a
default policy of accept so that forwarded traffic can pass and list
specific services that will be allowed into the host from guests (DNS,
DHCP, SSH, and TFTP).

But the same default accept policy that fixes forwarded traffic also
causes *all* traffic from guest to host to be accepted. To close this
new hole, the libvirt zone can take advantage of a new feature in
firewalld (currently slated for firewalld-0.7.0) - priorities for rich
rules - to add a low priority rule that rejects all local traffic (but
leaves alone all forwarded traffic).

So, our new zone will start with a list of services that are allowed
(dhcp, dns, tftp, and ssh to start, but configurable via any firewalld
management application, or direct editing of the zone file in
/etc/firewalld/zones/libvirt.xml), followed by a low priority
<reject/> rule (to reject all other traffic from guest to host), and
finally with a default policy of accept (to allow forwarded traffic).

This patch only creates the zonefile for the new zone, and implements
a configure.ac option to selectively enable/disable installation of
the new zone. A separate patch contains the necessary code to actually
place bridge interfaces in the libvirt zone.

Why do we need a configure option to disable installation of the new
libvirt zone? It uses a new firewalld attribute that sets the priority
of a rich rule; this feature first appears in firewalld-0.7.0 (unless
it has been backported to am earlier firewalld by a downstream
maintainer). If the file were installed on a system with firewalld
that didn't support rule priorities, firewalld would log an error
every time it restarted, causing confusion and lots of extra bug
reports.

So we add two new configure.ac switches to avoid polluting the system
logs with this error on systems that don't support rule priorities -
"--with-firewalld-zone" and "--without-firewalld-zone". A package
builder can use these to include/exclude the libvirt zone file in the
installation. If firewalld is enabled (--with-firewalld), the default
is --with-firewalld-zone, but it can be disabled during configure
(using --without-firewalld-zone). Targets that are using a firewalld
version too old to support the rule priority setting in the libvirt
zone file can simply add --without-firewalld-zone to their configure
commandline.

These switches only affect whether or not the libvirt zone file is
*installed* in /usr/lib/firewalld/zones, but have no effect on whether
or not libvirt looks for a zone called libvirt and tries to use it.

NB: firewalld zones can only be added to the permanent config of
firewalld, and won't be loaded/enabled until firewalld is restarted,
so at package install/upgrade time we have to restart firewalld. For
rpm-based distros, this is done in the libvirt.spec file by calling
the %firewalld_restart rpm macro, which is a part of the
firewalld-filesystem package. (For distros that don't use rpm
packages, the command "firewalld-cmd --reload" will have the same
effect).
Signed-off-by: NLaine Stump <laine@laine.org>
Reviewed-by: NDaniel P. Berrangé <berrange@redhat.com>

The %{extra_release} field was previously populated by data from the old
autobuild.sh file but is no longer used.
Signed-off-by: NDaniel P. Berrangé <berrange@redhat.com>

Signed-off-by: NDaniel P. Berrangé <berrange@redhat.com>

Ceph in upstream and Fedora has dropped support for building on host
architectures which are 32-bit.
Signed-off-by: NDaniel P. Berrangé <berrange@redhat.com>

The driver is unmaintained, untested and severely broken for
quite some time now. Since nobody even reported any issue with it
let us drop it.
Signed-off-by: NMichal Privoznik <mprivozn@redhat.com>
Reviewed-by: NDaniel P. Berrangé <berrange@redhat.com>

In accordance with our platform support policy, now that
Fedora 29 is out we no longer support building on Fedora 27.

This allows us to remove a few version checks.
Signed-off-by: NAndrea Bolognani <abologna@redhat.com>
Reviewed-by: NErik Skultety <eskultet@redhat.com>

numctl, numad and zfs-fuse are not available on riscv64 targets
Signed-off-by: NDaniel P. Berrangé <berrange@redhat.com>

Both ceph and gluster have been built on RHEL on all architectures for
some time, there's no need to limit them to x86_64.
Signed-off-by: NJiri Denemark <jdenemar@redhat.com>
Reviewed-by: NPavel Hrdina <phrdina@redhat.com>

RHEL-7 is the only system where gnutls is too old to support @LIBVIRT
specifier.
Signed-off-by: NJiri Denemark <jdenemar@redhat.com>
Reviewed-by: NPavel Hrdina <phrdina@redhat.com>

Fedora 26 has reached its EOL on May 29th 2018.

https://lists.fedoraproject.org/archives/list/announce@lists.fedoraproject.org/message/XGG7GYUJN3VDA6HX4KJNFSKSQCGF2FMW/Signed-off-by: NFabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: NErik Skultety <eskultet@redhat.com>

In preparation for splitting up the CPU map data file, move it into a
dedicated directory of its own.
Reviewed-by: NJiri Denemark <jdenemar@redhat.com>
Signed-off-by: NDaniel P. Berrangé <berrange@redhat.com>

Signed-off-by: NCole Robinson <crobinso@redhat.com>

Signed-off-by: NCole Robinson <crobinso@redhat.com>

Most distributions we build RPMs on don't ship a
recent enough version of libiscsi, so we can't enable
the driver unconditionally. Add an explicit dependency
on the runtime package while at it.
Signed-off-by: NAndrea Bolognani <abologna@redhat.com>
Reviewed-by: NPavel Hrdina <phrdina@redhat.com>

Commit 34a6962c added a BuildRequires for the
iscsi-direct backend, but we need the headers rather
than the runtime package to be available in order to
link against the library.
Signed-off-by: NAndrea Bolognani <abologna@redhat.com>
Reviewed-by: NErik Skultety <eskultet@redhat.com>

Signed-off-by: NCole Robinson <crobinso@redhat.com>

This reverts commit 9cf38263.

Jansson cannot parse QEMU's quirky JSON.
Revert back to yajl.

https://bugzilla.redhat.com/show_bug.cgi?id=1614569Signed-off-by: NJán Tomko <jtomko@redhat.com>
Reviewed-by: NDaniel P. Berrangé <berrange@redhat.com>

This reverts commit ce3c6ef6.

Jansson cannot parse QEMU's quirky JSON.
Revert back to yajl.

https://bugzilla.redhat.com/show_bug.cgi?id=1614569Signed-off-by: NJán Tomko <jtomko@redhat.com>
Reviewed-by: NDaniel P. Berrangé <berrange@redhat.com>

The distros we support for RPM builds all have %autosetup support so we
can ditch the convoluted code for running git manually and use the RPM
defaults.
Reviewed-by: NMartin Kletzander <mkletzan@redhat.com>
Signed-off-by: NDaniel P. Berrangé <berrange@redhat.com>

It's on RHEL7, saves a bit of typing, and lets us drop the comment
Reviewed-by: NMartin Kletzander <mkletzan@redhat.com>
Signed-off-by: NCole Robinson <crobinso@redhat.com>

The jansson and json-glib libraries both export symbols with a json_
name prefix and json_object_iter_next() clashes between them.

Unfortunately json-glib is linked in by GTK, so any app using GTK and
libvirt will get a clash, resulting in SEGV. This also affects the NSS
module provided by libvirt

Instead of directly linking to jansson, use dlopen() with the RTLD_LOCAL
flag which allows us to hide the symbols from the application that loads
libvirt or the NSS module.

Some preprocessor black magic and wrapper functions are used to redirect
calls into the dlopen resolved symbols.
Reviewed-by: NAndrea Bolognani <abologna@redhat.com>
Reviewed-by: NJán Tomko <jtomko@redhat.com>
Signed-off-by: NDaniel P. Berrangé <berrange@redhat.com>