1. 07 2月, 2019 1 次提交
  2. 06 2月, 2019 3 次提交
  3. 05 2月, 2019 1 次提交
  4. 04 2月, 2019 11 次提交
  5. 03 2月, 2019 1 次提交
    • L
      util: remove test code accidentally committed to virFirewallDZoneExists · 7c9dcfed
      Laine Stump 提交于
      Just before pushing the series containing commit 3bba4825 I had added
      a "return true" to the top of virFirewallDZoneExists() to measure the
      impact of calling that function once per network during startup. I
      found that the effect was minimal, but forgot to remove the "return
      true" before pushing. This unfortunately causes a failure to start
      networks on systems that have a firewalld version that doesn't support
      our libvirt zone file (i.e. pretty much everyone).
      
      This patch removes the unintended line.
      Signed-off-by: NLaine Stump <laine@laine.org>
      7c9dcfed
  6. 02 2月, 2019 12 次提交
    • R
      docs: bhyve: warn about bhyve:commandline risks · 18795687
      Roman Bogorodskiy 提交于
      Document that using bhyve:commandline is not fully
      supported and may cause issues.
      Signed-off-by: NRoman Bogorodskiy <bogorodskiy@gmail.com>
      Reviewed-by: NDaniel P. Berrangé <berrange@redhat.com>
      18795687
    • R
      bhyve: emit warning when using bhyve:commandline · 20551883
      Roman Bogorodskiy 提交于
      When using custom command line arguments, warn that
      this configuration is not fully supported.
      Signed-off-by: NRoman Bogorodskiy <bogorodskiy@gmail.com>
      Reviewed-by: NDaniel P. Berrangé <berrange@redhat.com>
      20551883
    • R
      bhyve: bhyveDomainDefNamespaceFormatXML cleanup · d04e0647
      Roman Bogorodskiy 提交于
       - Remove ATTRIBUTE_UNUSED for the "buf" argument, it's
         not unused
       - Indent fix
      Signed-off-by: NRoman Bogorodskiy <bogorodskiy@gmail.com>
      Reviewed-by: NDaniel P. Berrangé <berrange@redhat.com>
      d04e0647
    • L
      62adfa67
    • L
      network: allow configuring firewalld zone for virtual network bridge device · 30a6f916
      Laine Stump 提交于
      Since we're setting the zone anyway, it will be useful to allow
      setting a different (custom) zone for each network. This will be done
      by adding a "zone" attribute to the "bridge" element, e.g.:
      
         ...
         <bridge name='virbr0' zone='myzone'/>
         ...
      
      If a zone is specified in the config and it can't be honored, this
      will be an error.
      Signed-off-by: NLaine Stump <laine@laine.org>
      Reviewed-by: NDaniel P. Berrangé <berrange@redhat.com>
      30a6f916
    • L
      network: set firewalld zone of bridges to "libvirt" zone when appropriate · ae05211a
      Laine Stump 提交于
      This patch restores broken guest network connectivity after a host
      firewalld is switched to using an nftables backend. It does this by
      adding libvirt networks' bridge interfaces to the new "libvirt" zone
      in firewalld.
      
      After this patch, the bridge interface of any network created by
      libvirt (when firewalld is active) will be added to the firewalld
      zone called "libvirt" if it exists (regardless of the firewalld
      backend setting). This behavior does *not* depend on whether or not
      libvirt has installed the libvirt zone file (set with
      "--with[out]-firewalld-zone" during the configure phase of the package
      build).
      
      If the libvirt zone doesn't exist (either because the package was
      configured to not install it, or possibly it was installed, but
      firewalld doesn't support rule priorities, resulting in a parse
      error), the bridge will remain in firewalld's default zone, which
      could be innocuous (in the case that the firewalld backend is
      iptables, guest networking will still function properly with the
      bridge in the default zone), or it could be disastrous (if the
      firewalld backend is nftables, we can be assured that guest networking
      will fail). In order to be unobtrusive in the former case, and
      informative in the latter, when the libvirt zone doesn't exist we
      then check the firewalld version to see if it's new enough to support
      the nftables backend, and then if the backend is actually set to
      nftables, before logging an error (and failing the net-start
      operation, since the network couldn't possibly work anyway).
      
      When the libvirt zone is used, network behavior is *slightly*
      different from behavior of previous libvirt. In the past, libvirt
      network behavior would be affected by the configuration of firewalld's
      default zone (usually "public"), but now it is affected only by the
      "libvirt" zone), and thus almost surely warrants a release note for
      any distro upgrading to libvirt 5.1 or above. Although it's
      unfortunate that we have to deal with a mandatory behavior change, the
      architecture of multiple hooks makes it impossible to *not* change
      behavior in some way, and the new behavior is arguably better (since
      it will now be possible to manage access to the host from virtual
      machines vs from public interfaces separately).
      
      Creates-and-Resolves: https://bugzilla.redhat.com/1650320
      Resolves: https://bugzilla.redhat.com/1638342Signed-off-by: NLaine Stump <laine@laine.org>
      Reviewed-by: NDaniel P. Berrangé <berrange@redhat.com>
      ae05211a
    • L
      configure: selectively install a firewalld 'libvirt' zone · 3b71f2e4
      Laine Stump 提交于
      In the past (when both libvirt and firewalld used iptables), if either
      libvirt's rules *OR* firewalld's rules accepted a packet, it would
      be accepted. This was because libvirt and firewalld rules were
      processed during the same kernel hook, and a single ACCEPT result
      would terminate the rule traversal and cause the packet to be
      accepted.
      
      But now firewalld can use nftables for its backend, while libvirt's
      firewall rules are still using iptables; iptables rules are still
      processed, but at a different time during packet processing
      (i.e. during a different hook) than the firewalld nftables rules. The
      result is that a packet must be accepted by *BOTH* the libvirt
      iptables rules *AND* the firewalld nftable rules in order to be
      accepted.
      
      This causes pain because
      
      1) libvirt always adds rules to permit DNS and DHCP (and sometimes
      TFTP) from guests to the host network's bridge interface. But
      libvirt's bridges are in firewalld's "default" zone (which is usually
      the zone called "public"). The public zone allows ssh, but doesn't
      allow DNS, DHCP, or TFTP. So even though libvirt's rules allow the
      DHCP and DNS traffic, the firewalld rules (now processed during a
      different hook) dont, thus guests connected to libvirt's bridges can't
      acquire an IP address from DHCP, nor can they make DNS queries to the
      DNS server libvirt has setup on the host. (This could be solved by
      modifying the default firewalld zone to allow DNS and DHCP, but that
      would open *all* interfaces in the default zone to those services,
      which is most likely not what the host's admin wants.)
      
      2) Even though libvirt adds iptables rules to allow forwarded traffic
      to pass the iptables hook, firewalld's higher level "rich rules" don't
      yet have the ability to configure the acceptance of forwarded traffic
      (traffic that is going somewhere beyond the host), so any traffic that
      needs to be forwarded from guests to the network beyond the host is
      rejected during the nftables hook by the default zone's "default
      reject" policy (which rejects all traffic in the zone not specifically
      allowed by the rules in the zone, whether that traffic is destined to
      be forwarded or locally received by the host).
      
      libvirt can't send "direct" nftables rules (firewalld only supports
      direct/passthrough rules for iptables), so we can't solve this problem
      by just sending explicit nftables rules instead of explicit iptables
      rules (which, if it could be done, would place libvirt's rules in the
      same hook as firewalld's native rules, and thus eliminate the need for
      packets to be accepted by both libvirt's and firewalld's own rules).
      
      However, we can take advantage of a quirk in firewalld zones that have
      a default policy of "accept" (meaning any packet that doesn't match a
      specific rule in the zone will be *accepted*) - this default accept will
      also accept forwarded traffic (not just traffic destined for the host).
      
      Of course we don't want to modify firewalld's default zone in that
      way, because that would affect the filtering of traffic coming into
      the host from other interfaces using that zone. Instead, we will
      create a new zone called "libvirt". The libvirt zone will have a
      default policy of accept so that forwarded traffic can pass and list
      specific services that will be allowed into the host from guests (DNS,
      DHCP, SSH, and TFTP).
      
      But the same default accept policy that fixes forwarded traffic also
      causes *all* traffic from guest to host to be accepted. To close this
      new hole, the libvirt zone can take advantage of a new feature in
      firewalld (currently slated for firewalld-0.7.0) - priorities for rich
      rules - to add a low priority rule that rejects all local traffic (but
      leaves alone all forwarded traffic).
      
      So, our new zone will start with a list of services that are allowed
      (dhcp, dns, tftp, and ssh to start, but configurable via any firewalld
      management application, or direct editing of the zone file in
      /etc/firewalld/zones/libvirt.xml), followed by a low priority
      <reject/> rule (to reject all other traffic from guest to host), and
      finally with a default policy of accept (to allow forwarded traffic).
      
      This patch only creates the zonefile for the new zone, and implements
      a configure.ac option to selectively enable/disable installation of
      the new zone. A separate patch contains the necessary code to actually
      place bridge interfaces in the libvirt zone.
      
      Why do we need a configure option to disable installation of the new
      libvirt zone? It uses a new firewalld attribute that sets the priority
      of a rich rule; this feature first appears in firewalld-0.7.0 (unless
      it has been backported to am earlier firewalld by a downstream
      maintainer). If the file were installed on a system with firewalld
      that didn't support rule priorities, firewalld would log an error
      every time it restarted, causing confusion and lots of extra bug
      reports.
      
      So we add two new configure.ac switches to avoid polluting the system
      logs with this error on systems that don't support rule priorities -
      "--with-firewalld-zone" and "--without-firewalld-zone". A package
      builder can use these to include/exclude the libvirt zone file in the
      installation. If firewalld is enabled (--with-firewalld), the default
      is --with-firewalld-zone, but it can be disabled during configure
      (using --without-firewalld-zone). Targets that are using a firewalld
      version too old to support the rule priority setting in the libvirt
      zone file can simply add --without-firewalld-zone to their configure
      commandline.
      
      These switches only affect whether or not the libvirt zone file is
      *installed* in /usr/lib/firewalld/zones, but have no effect on whether
      or not libvirt looks for a zone called libvirt and tries to use it.
      
      NB: firewalld zones can only be added to the permanent config of
      firewalld, and won't be loaded/enabled until firewalld is restarted,
      so at package install/upgrade time we have to restart firewalld. For
      rpm-based distros, this is done in the libvirt.spec file by calling
      the %firewalld_restart rpm macro, which is a part of the
      firewalld-filesystem package. (For distros that don't use rpm
      packages, the command "firewalld-cmd --reload" will have the same
      effect).
      Signed-off-by: NLaine Stump <laine@laine.org>
      Reviewed-by: NDaniel P. Berrangé <berrange@redhat.com>
      3b71f2e4
    • L
      util: new virFirewallD APIs + docs · 3bba4825
      Laine Stump 提交于
      virFirewallDGetBackend() reports whether firewalld is currently using
      an iptables or an nftables backend.
      
      virFirewallDGetVersion() learns the version of the firewalld running
      on this system and returns it as 1000000*major + 1000*minor + micro.
      
      virFirewallDGetZones() gets a list of all currently active firewalld
      zones.
      
      virFirewallDInterfaceSetZone() sets the firewalld zone of the given
      interface.
      
      virFirewallDZoneExists() can be used to learn whether or not a
      particular zone is present and active in firewalld.
      Signed-off-by: NLaine Stump <laine@laine.org>
      Reviewed-by: NDaniel P. Berrangé <berrange@redhat.com>
      3bba4825
    • L
      util: move all firewalld-specific stuff into its own files · d8393b56
      Laine Stump 提交于
      In preparation for adding several other firewalld-specific functions,
      separate the code that's unique to firewalld from the more-generic
      "firewall" file.
      Signed-off-by: NLaine Stump <laine@laine.org>
      Reviewed-by: NDaniel P. Berrangé <berrange@redhat.com>
      d8393b56
    • L
      configure: change HAVE_FIREWALLD to WITH_FIREWALLD · 4bf0f390
      Laine Stump 提交于
      Support for firewalld is a feature that can be selectively enabled or
      disabled (using --with-firewalld/--without-firewalld), not merely
      something that must be accounted for in the code if it is present with
      no exceptions. It is more consistent with other usage in libvirt to
      use WITH_FIREWALLD rather than HAVE_FIREWALLD.
      Signed-off-by: NLaine Stump <laine@laine.org>
      Reviewed-by: NDaniel P. Berrangé <berrange@redhat.com>
      4bf0f390
    • J
      util: Fix build issue with virStorageFileGetNPIVKey · 170f8350
      John Ferlan 提交于
      Signed-off-by: NJohn Ferlan <jferlan@redhat.com>
      170f8350
    • E
  7. 01 2月, 2019 11 次提交