1. 10 10月, 2017 3 次提交
  2. 07 10月, 2017 3 次提交
    • J
      apparmor: add dnsmasq ptrace rule to libvirtd profile · c44b29aa
      Jim Fehlig 提交于
      Commit b482925c added ptrace rule for the apparmor profiles,
      but one was missed in the libvirtd profile for dnsmasq. It was
      overlooked since the test machine did not have an active libvirt
      network requiring dnsmasq that was also set to autostart. With
      one active and set to autostart, the following denial is observed
      in audit.log when restarting libvirtd
      
      type=AVC msg=audit(1507320136.306:298): apparmor="DENIED" \
      operation="ptrace" profile="/usr/sbin/libvirtd" pid=5472 \
      comm="libvirtd" requested_mask="trace" denied_mask="trace" \
      peer="/usr/sbin/dnsmasq"
      
      With an active network, I suspect a libvirtd restart causes access
      to /proc/<dnsmasq-pid>/*, hence the resulting denial. As a nasty
      side affect of the denial, libvirtd thinks it needs to spawn a
      dnsmasq process even though one is already running for the network.
      E.g. after two libvirtd restarts
      
      dnsmasq   1683  0.0  0.0  51188  2612 ?        S    12:03   0:00 \
       /usr/sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default.conf \
       --leasefile-ro --dhcp-script=/usr/lib64/libvirt/libvirt_leaseshelper
      root      1684  0.0  0.0  51160   576 ?        S    12:03   0:00 \
       /usr/sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default.conf \
       --leasefile-ro --dhcp-script=/usr/lib64/libvirt/libvirt_leaseshelper
      dnsmasq   4706  0.0  0.0  51188  2572 ?        S    13:54   0:00 \
       /usr/sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default.conf \
       --leasefile-ro --dhcp-script=/usr/lib64/libvirt/libvirt_leaseshelper
      root      4707  0.0  0.0  51160   572 ?        S    13:54   0:00 \
       /usr/sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default.conf \
       --leasefile-ro --dhcp-script=/usr/lib64/libvirt/libvirt_leaseshelper
      dnsmasq   4791  0.0  0.0  51188  2580 ?        S    13:56   0:00 \
       /usr/sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default.conf \
       --leasefile-ro --dhcp-script=/usr/lib64/libvirt/libvirt_leaseshelper
      root      4792  0.0  0.0  51160   572 ?        S    13:56   0:00 \
       /usr/sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default.conf \
       --leasefile-ro --dhcp-script=/usr/lib64/libvirt/libvirt_leaseshelper
      
      A simple fix is to add a ptrace rule for dnsmasq.
      Signed-off-by: NJim Fehlig <jfehlig@suse.com>
      Reviewed-By: NGuido Günther <agx@sigxcpu.org>
      c44b29aa
    • W
      numa: rename function virDomainNumaDefCPUFormat · 137391bd
      Wim ten Have 提交于
      Rename virDomainNumaDefCPUFormat to virDomainNumaDefCPUFormatXML,
      matching its peer virDomainNumaDefCPUParseXML and the general
      vir*{Format,Parse}XML conventions.
      Signed-off-by: NWim ten Have <wim.ten.have@oracle.com>
      Reviewed-by: NJim Fehlig <jfehlig@suse.com>
      137391bd
    • W
      build: isolate core libvirt libs deps from xen runtime · 6c200c76
      Wim ten Have 提交于
      Generating libvirt packages per make rpm, "with-libxl=1" and "with-xen=1",
      adds strict runtime dependencies per libxenlight for xen-libs package from
      core libvirt-libs package.  This is not necessary and unfortunate since
      those dependencies set demand to "xen-libs" package even when there's no
      need for libvirt xen or libxl driver components.
      
      This patch is to have two separate xenconfig lib tool libraries: one for
      core libvirt (without XL), and a another that contains xl for libxl driver
      (libvirt_driver_libxl_impl.la) which when loading the driver, loads the
      remaining symbols (xen{Format,Parse}XL. For the user/sysadmin, this means
      the xen dependencies are moved into libxl driver, instead of core libvirt.
      Signed-off-by: NJoao Martins <joao.m.martins@oracle.com>
      Signed-off-by: NWim ten Have <wim.ten.have@oracle.com>
      Reviewed-by: NJim Fehlig <jfehlig@suse.com>
      6c200c76
  3. 06 10月, 2017 21 次提交
  4. 05 10月, 2017 13 次提交