- 22 Aug, 2012 10 commits
-
-
Committed by Eric Blake
Without this patch, RHEL 5 fails to compile, since the dbus files live under /usr/include/dbus-1.0/dbus/dbus.h, and DBUS_CFLAGS contains -I/usr/include/dbus-1.0.
In file included from network/bridge_driver.c:67:
../src/util/virdbus.h:26:25: error: dbus/dbus.h: No such file or directory
* src/Makefile.am (libvirt_driver_network_impl_la_CFLAGS): Add DBUS_CFLAGS.
-
Committed by Eric Blake
-
Committed by Eric Blake
When gcc atomic intrinsics are not available (such as on RHEL 5 with gcc 4.1.2), we were getting link errors due to multiple definitions:
./.libs/libvirt_util.a(libvirt_util_la-virobject.o): In function `virAtomicIntXor':
/home/dummy/l,ibvirt/src/util/viratomoic.h:404: multiple definition of `virAtomicIntXor'
./.libs/libvirt_util.a(libvirt_util_la-viratomic.o):/home/dummy/libvirt/src/util/viratomic.h:404: first defined here
Solve this by conditionally marking the functions static (the condition avoids falling foul of gcc warnings about unused static function declarations).
* src/util/viratomic.h: When not using gcc intrinsics, use static functions to avoid linker errors on duplicate functions.
-
Committed by Eric Blake
Building on RHEL 5 warned:
nodeinfo.c: 305: warning: implicit declaration of function 'CPU_COUNT'
This extension macro in <sched.h> was not added until later glibc.
* src/nodeinfo.c (CPU_COUNT): Add fallback implementation.
-
Committed by Eric Blake
We already skip out on building the LXC under RHEL 5, because the kernel is too old (commits 4c18acff, 2dee8965); but commit 9612e4b2 moved some LXC-only code into common files, resulting in this build failure:
util/virfile.c: In function 'virFileLoopDeviceAssociate':
util/virfile.c:580: error: 'LO_FLAGS_AUTOCLEAR' undeclared (first use in this function)
Unfortunately, the kernel folks only made it an enum, rather than also a #define, so we have to modify configure.ac to record when it is usable.
* configure.ac (with_lxc): Mark when LO_FLAGS_AUTOCLEAR was found.
* src/util/virfile.c (virFileLoopDeviceAssociate): Avoid compilation when kernel is too old.
-
Committed by Ján Tomko
Fix possible double close in the child process after the fork in case infd and outfd are equal, just like they are after being called from virNetSocketNewConnectCommand.
-
Committed by Stefan Berger
This patch provides basic support for using firewalld's firewall-cmd rather than the plain eb/ip(6)tables commands.
-
Committed by Thomas Woerner
* configure.ac, spec file: firewalld defaults to enabled if dbus is available, otherwise is disabled. If --with_firewalld is explicitly requested and dbus is not available, configure will fail.
* bridge_driver: add dbus filters to get the FirewallD1.Reloaded signal and DBus.NameOwnerChanged on org.fedoraproject.FirewallD1. When these are encountered, reload all the iptables rules of all libvirt's virtual networks (similar to what happens when libvirtd is restarted).
* iptables, ebtables: use firewall-cmd's direct passthrough interface when available, otherwise use iptables and ebtables commands. This decision is made once the first time libvirt calls iptables/ebtables, and that decision is maintained for the life of libvirtd.
* Note that the nwfilter part of this patch was separated out into another patch by Stefan in V2, so that needs to be revised and re-reviewed as well.
================
All the configure.ac and specfile changes are unchanged from Thomas' V3.
V3 re-ran "firewall-cmd --state" every time a new rule was added, which was extremely inefficient. V4 uses VIR_ONCE_GLOBAL_INIT to set up a one-time initialization function.
The VIR_ONCE_GLOBAL_INIT(x) macro references a static function called vir(Ip|Eb)OnceInit(), which will then be called the first time that the static function vir(Ip|Eb)TablesInitialize() is called (that function is defined for you by the macro). This is thread-safe, so there is no chance of any race.
IMPORTANT NOTE: I've left the VIR_DEBUG messages in these two init functions (one for iptables, one for ebtables) as VIR_WARN so that I don't have to turn on all the other debug messages just to see these. Even if this patch doesn't need any other modification, those messages need to be changed to VIR_DEBUG before pushing.
This one-time initialization works well. However, I've encountered problems with testing:
1) Whenever I have enabled the firewalld service, *all* attempts to call firewall-cmd from within libvirtd end with firewall-cmd hanging internally somewhere. This is *not* the case if firewall-cmd returns non-0 in response to "firewall-cmd --state" (i.e. *that* command runs and returns to libvirt successfully.)
2) If I start libvirtd while firewalld is stopped, then start firewalld later, this triggers libvirtd to reload its iptables rules, however it also spits out a *ton* of complaints about deletion failing (I suppose because firewalld has nuked all of libvirt's rules). I guess we need to suppress those messages (which is a more annoying problem to fix than you might think, but that's another story).
3) I noticed a few times during this long line of errors that firewalld made a complaint about "Resource Temporarily unavailable". Having libvirtd access iptables commands directly at the same time as firewalld is doing so is apparently problematic.
4) In general, I'm concerned about the "set it once and never change it" method - if firewalld is disabled at libvirtd startup, causing libvirtd to always use iptables/ebtables directly, this won't cause *terrible* problems, but if libvirtd decides to use firewall-cmd and firewalld is later disabled, libvirtd will not be able to recover.
-
Committed by Jiri Denemark
Generating "Unable to add lockspace /lock/space/dir/__LIBVIRT__DISKS__: No such file or directory" is correct but not exactly clear. This patch changes the error message to "Unable to create lockspace /lock/space/dir/__LIBVIRT__DISKS__: parent directory does not exist or is not a directory".
-
Committed by Jiri Denemark
When running libvirtd from a build directory, libvirtd would load lock drivers from system directory unless explicitly overridden by setting LIBVIRT_LOCK_MANAGER_PLUGIN_DIR environment variable. Since we already autodetect driver directory if libvirt is built with driver modules, we can use the same trick to automagically set lock driver directory.
-
- 21 Aug, 2012 30 commits
-
-
Committed by Eric Blake
Commit 1d22ba95 was complete at the time, but we have since reintroduced a warning that is fixed in the same manner:
CCLD storagebackendsheepdogtest
*** Warning: Linking the executable storagebackendsheepdogtest against the loadable module
*** libvirt_driver_storage.so is not portable!
* src/Makefile.am (libvirt_driver_storage.la): Factor into new convenience library libvirt_driver_storage_impl.la.
* tests/Makefile.am (storagebackendsheepdogtest_LDADD): Link to convenience library, not shared library.
-
Committed by Eric Blake
Our existing STRNEQ_NULLABLE() triggered a warning in gcc 4.7 when used with a literal NULL argument:
qemumonitorjsontest.c: In function 'testQemuMonitorJSONGetMachines':
qemumonitorjsontest.c:289:5: error: null argument where non-null required (argument 1) [-Werror=nonnull]
even though the strcmp is provably dead when a null argument is present. Squelch the warning by refactoring things so that gcc never sees strcmp() called with NULL arguments (we still compare NULL as not equal to "", this rewrite merely aids gcc).
Next, gcc has a valid warning about a literal NULLSTR(NULL):
qemumonitorjsontest.c:289:5: error: invalid application of 'sizeof' to a void type [-Werror=pointer-arith]
Of course, you'd never write NULLSTR(NULL) directly, but it is handy to use through macros. But the entire part about verify_true() is unnecessary - gcc already warns about type mismatch with ?:, without needing to make it more complex.
* src/internal.h (STREQ_NULLABLE, STRNEQ_NULLABLE): Avoid gcc 4.7 stupidity.
(NULLSTR): Simplify, to allow passing compile-time constants.
-
Committed by Daniel P. Berrange
The DAC security driver uses the virStrToLong_ui function to parse the uid/gid out of the seclabel string. This works on Linux where 'uid_t' is an unsigned int, but on Mingw32 it is just an 'int'. This causes compiler warnings about signed/unsigned int pointer mis-match. To avoid this, use explicit 'unsigned int ouruid' local vars to pass into virStrToLong_ui, and then simply assign to the 'uid_t' type after parsing.
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
-
Committed by Peter Krempa
This patch adds URI options to support libssh2 transport in the remote driver. A new transport scheme is introduced eg. "qemu+libssh2://..." that utilizes the libssh2 code added in previous patches. The libssh2 code requires the authentication callback to be able to perform keyboard-interactive authentication or to ask for passphrases or add host keys to known hosts database.
Added URI components:
  - known_hosts - path to a knownHosts file in OpenSSH format to check for known ssh host keys
  - known_hosts_verify - how to deal with server key verification:
    * "normal" (default) - ask to add new keys
    * "auto" - automatically add new keys
    * "ignore" - don't validate host keys
  - sshauth - authentication methods to use. Default is "agent,privkey,keyboard-interactive". It's a comma separated string of methods to try while authenticating. The order is preserved. Some of the methods may require additional parameters.
Locations of the known_hosts file and private keys are set to default values if they're present. (~/.ssh/known_hosts, ~/.ssh/id_rsa, ~/.ssh/id_dsa)
-
Committed by Peter Krempa
This patch adds a glue layer to enable using libssh2 code with the network client code. As in the original client implementation, shell code is sent to the server to detect correct options for netcat and connect to libvirt's unix socket.
-
Committed by Peter Krempa
This patch enables virNetSocket to be used as an ssh client when properly configured. This patch adds function virNetSocketNewConnectLibSSH2() that takes all needed parameters and creates a libssh2 session and performs steps needed to open the connection and then create a virNetSocket that seamlessly encapsulates the communication.
-
Committed by Peter Krempa
This patch adds helper functions that enable us to use libssh2 in conjunction with libvirt's virNetSockets for ssh transport instead of spawning "ssh" client process. This implementation supports tunneled plaintext, keyboard-interactive, private key, ssh agent based and null authentication. Libvirt's Auth callback is used for interaction with the user. (Keyboard interactive authentication, adding of host keys, private key passphrases). This enables seamless integration into the application using libvirt. No helpers as "ssh-askpass" are needed. Reading and writing of OpenSSH style "known_hosts" files is supported. Communication is done using SSH exec channel, where the user may specify arbitrary command to be executed on the remote side and reads and writes to/from stdin/out are sent through the ssh channel. Usage of stderr is not (yet) supported.
-
Committed by Daniel P. Berrange
This test case validates the correct generation of SELinux labels for VMs, wrt the current process label. Since we can't actually change the label of the test program process, we create a shared library libsecurityselinuxhelper.so which overrides the getcon() and setcon() libselinux.so functions. When started the test case will check to see if LD_PRELOAD is set, and if not, it will re-exec() itself setting LD_PRELOAD=libsecurityselinuxhelper.so
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
-
Committed by Daniel P. Berrange
Currently the dynamic label generation code will create labels with a sensitivity of s0, and a category pair in the range 0-1023. This is fine when running a standard MCS policy because libvirtd will run with a label
  system_u:system_r:virtd_t:s0-s0:c0.c1023
With custom policies though, it is possible for libvirtd to have a different sensitivity, or category range. For example
  system_u:system_r:virtd_t:s2-s3:c512.c1023
In this case we must assign the VM a sensitivity matching the current lower sensitivity value, and categories in the range 512-1023
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
-
Committed by Daniel P. Berrange
The code to refactor sec label handling accidentally changed the SELinux driver to use the 'domain_context' when generating the image label instead of the 'file_context'
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
-
Committed by Martin Kletzander
After the cleanup of remote display port allocation, I noticed some messages that didn't make a lot of sense the way they were written. So I rephrased them.
-
Committed by Martin Kletzander
The defines QEMU_REMOTE_PORT_MIN and QEMU_REMOTE_PORT_MAX were used to find free port when starting domains. As this was hard-coded to the same ports as default VNC servers, there were races with these other programs. This patch includes the possibility to change the default starting port as well as the maximum port (mostly for completeness) in qemu config file.
Support for two new config options in qemu.conf is added:
  - remote_port_min (defaults to QEMU_REMOTE_PORT_MIN and must be >= than this value)
  - remote_port_max (defaults to QEMU_REMOTE_PORT_MAX and must be <= than this value)
-
Committed by Martin Kletzander
Port allocations for SPICE and VNC behave almost the same (with default ports), but there is some mess in the code. This patch clears these inconsistencies and makes sure the same behavior will be used when ports for remote displays are changed.
Changes:
  - hard-coded number 5900 removed (handled elsewhere like with VNC)
  - reservedVNCPorts renamed to reservedRemotePorts (it's not just for VNC anymore)
  - QEMU_VNC_PORT_{MIN,MAX} renamed to QEMU_REMOTE_PORT_{MIN,MAX}
  - port allocation unified for VNC and SPICE
-
Committed by Eric Blake
Commit 350583c8 broke development on a RHEL 5 box, where the ancient Autoconf 2.59 lacks AS_VERSION_STRING. Rather than backport the complex awk script that newer autoconf uses for true strverscmp comparisons from the shell, it was easier to just open-code a shell case statement. * configure.ac (qemu_version): Open-code a replacement for AS_VERSION_CHECK.
-
Committed by Eric Blake
Last of the file splits. * tools/virsh-volume.h: New file. * tools/Makefile.am (virsh_SOURCES): Build it. * tools/virsh.c: Use new header. * tools/virsh-volume.c: Likewise. (vshCommandOptVolBy): Fix flag usage.
-
Committed by Eric Blake
Almost done with the splits. * tools/virsh-snapshot.h: New file. * tools/Makefile.am (virsh_SOURCES): Build it. * tools/virsh.c: Use new header. * tools/virsh-snapshot.c: Likewise.
-
Committed by Eric Blake
One of the simpler splits. * tools/virsh-secret.h: New file. * tools/Makefile.am (virsh_SOURCES): Build it. * tools/virsh.c: Use new header. * tools/virsh-secret.c: Likewise.
-
Committed by Eric Blake
More in a series of file splits. * tools/virsh-pool.h: New file. * tools/Makefile.am (virsh_SOURCES): Build it. * tools/virsh.c: Use new header. * tools/virsh-pool.c: Likewise. (virCommandOptPoolBy): Fix flag usage.
-
Committed by Eric Blake
Yet another split file. * tools/virsh-nwfilter.h: New file. * tools/Makefile.am (virsh_SOURCES): Build it. * tools/virsh.c: Use new header. * tools/virsh-nwfilter.c: Likewise.
-
Committed by Eric Blake
Another worthwhile split, needed one more public function. * tools/virsh-nodedev.h: New file. * tools/Makefile.am (virsh_SOURCES): Build it. * tools/virsh-nodedev.c: Use new header. * tools/virsh.c: Likewise. (vshTreePrint): Export. * tools/virsh.h (vshTreePrint): Declare.
-
Committed by Eric Blake
Another relatively easy file split. * tools/virsh-network.h: New file. * tools/Makefile.am (virsh_SOURCES): Build it. * tools/virsh.c: Use new header. * tools/virsh-network.c: Likewise. (vshCommandOptNetworkBy): Update signature.
-
Committed by Eric Blake
Another relatively easy split, since helper functions were fixed in the previous patch. * tools/virsh-interface.h: New file. * tools/Makefile.am (virsh_SOURCES): Build it. * tools/virsh.c: Use new header. * tools/virsh-interface.c: Likewise. (vshCommandOptInterfaceBy): Check flags.
-
Committed by Eric Blake
In preparation for splitting virsh-interface.c, I found these functions need to be declared in virsh.h, as well as one that belongs more properly in virsh-domain.h. Also, since we use the VSH_BY* flags in more than one function, I improved how they are used.
* tools/virsh.h (vshNameSorter, vshCmdHasOption): Declare.
(VSH_BYID): Turn into enum.
(vshCommandOptDomainBy): Move...
* tools/virsh-domain.h): ...here.
* tools/virsh.c: (vshNameSorter): Export.
(cmd_has_option): Rename...
(vshCmdHasOption): ...and export.
(vshCommandOptDomainBy): Move...
* tools/virsh-domain.c (vshCommandOptDomainBy): ...here, adjust signature, and check flags.
* tools/virsh-network.c (vshCommandOptNetworkBy): Update callers.
* tools/virsh-nwfilter.c (vshCommandOptNWFilterBy): Likewise.
* tools/virsh-secret.c (vshCommandOptSecret): Likewise.
* tools/virsh-domain-monitor.c (includes): Likewise.
* tools/virsh-host.c (includes): Likewise.
-
Committed by Eric Blake
The splits are getting easier, with fewer cleanups needed in virsh.h. * tools/virsh-host.h: New file. * tools/Makefile.am (virsh_SOURCES): Build it. * tools/virsh-host.c: Use new header. * tools/virsh.c: Likewise.
-
Committed by Eric Blake
Another file worth compiling on its own instead of by .c inclusion. * tools/virsh-domain-monitor.h: New file. * tools/Makefile.am (virsh_SOURCES): Build it. * tools/virsh.h (vshGetDomainDescription): Move to correct header. * tools/virsh-domain-monitor.c: Use new header. * tools/virsh.c: Likewise. * tools/virsh-domain.c: Likewise.
-
Committed by Marcelo Cerri
This patch updates libvirt's API to allow applications to inspect the full list of security labels of a domain.
Signed-off-by: Marcelo Cerri <mhcerri@linux.vnet.ibm.com>
-
Committed by Marcelo Cerri
This patch updates the key "security_driver" in QEMU config to support both a single default driver or a list of default drivers. This ensures that it will remain compatible with older versions of the config file.
Signed-off-by: Marcelo Cerri <mhcerri@linux.vnet.ibm.com>
-
Committed by Marcelo Cerri
These changes make the security drivers able to find and handle the correct security label information when more than one label is available. They also update the DAC driver to be used as a usual security driver.
Signed-off-by: Marcelo Cerri <mhcerri@linux.vnet.ibm.com>
-
Committed by Marcelo Cerri
This patch updates the domain and capability XML parser and formatter to support more than one "seclabel" element for each domain and device. The RNG schema and the tests related to this are also updated by this patch.
Signed-off-by: Marcelo Cerri <mhcerri@linux.vnet.ibm.com>
-
Committed by Marcelo Cerri
This patch updates the structures that store information about each domain and each hypervisor to support multiple security labels and drivers. It also updates all the remaining code to use the new fields.
Signed-off-by: Marcelo Cerri <mhcerri@linux.vnet.ibm.com>
-