Re: [Libvir] [patch 7/9] Add support for lokkit
by Daniel P. Berrange
On Fri, Jan 04, 2008 at 03:57:32PM +0000, Mark McLoughlin wrote:
> Add support for integrating our iptables support with Fedora's
> iptables configuration using the lokkit --custom-rules command.
>
> Basically, we write out our rules to /var/lib/libvirt/iptables
> and run lokkit --custom-rules so that if e.g. iptables is
> restarted or the user edits their firewall configuration, then
> libvirt's rules get reloaded.
Ahh, that's very nice to have.
> +dnl
> +dnl ensure that Fedora's system-config-firewall knows
> +dnl about libvirt's iptables rules
> +dnl
> +AC_ARG_ENABLE(iptables-lokkit,
> + AC_HELP_STRING([--enable-iptables-lokkit=no/yes],
> + [enable registering libvirt's iptables rules with Fedora's lokkit]),
> + [],[enable_iptables_lokkit=no])
> +if test x"$enable_iptables_lokkit" = x"yes"; then
> + AC_DEFINE(ENABLE_IPTABLES_LOKKIT, [], [whether support for Fedora's lokkit is enabled])
> + AC_PATH_PROG(LOKKIT_PATH, lokkit, /usr/sbin/lokkit)
> + AC_DEFINE_UNQUOTED(LOKKIT_PATH, "$LOKKIT_PATH", [path to lokkit binary])
> +fi
> +
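Review bot: in the AC_PATH_PROG(LOKKIT_PATH, lokkit, /usr/sbin/lokkit) line, the third argument is a fallback used when lokkit is not found, so --enable-iptables-lokkit=yes configures cleanly on a host without lokkit and the missing binary only shows up at run time. Dropping the fallback and calling AC_MSG_ERROR when LOKKIT_PATH comes back empty would catch that at configure time. The lookup also walks the builder's $PATH and the result is compiled in through AC_DEFINE_UNQUOTED, so passing an explicit directory list as the fourth argument to AC_PATH_PROG would keep an unexpected lokkit earlier in $PATH from being baked into the build. Separately, the test only matches the literal "yes", so any other value given to the option disables the feature silently; rejecting values outside the documented no/yes would be clearer.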
Could we make the configure script a little more clever so that it is
a tri-state and can auto-detect whether lokkit is available?
- enable_iptables_lokkit=no - force disable
- enable_iptables_lokkit=yes - check if it is supported, and error if not
- enable_iptables_lokkit=check - check if it is supported and enable or disable as needed
With 'check' being the default. This makes it 'do the right thing' by
default, and lets the user have a strict override if necessary.
ACK to the rest of the patch
Dan.
--
|=- Red Hat, Engineering, Emerging Technologies, Boston. +1 978 392 2496 -=|
|=- Perl modules: http://search.cpan.org/~danberr/ -=|
|=- Projects: http://freshmeat.net/~danielpb/ -=|
|=- GnuPG: 7D3B9505 F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 -=|
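The tri-state behaviour proposed in the reply above, written out as plain shell of the kind configure runs after m4 expansion. This is an added example, not code from the libvirt patch; the function name resolve_lokkit and the explicit search-path argument are assumptions made for the illustration.

```shell
#!/bin/sh
# Hypothetical helper (not from libvirt): decide whether lokkit support is built.
#   $1 = requested mode: no | yes | check
#   $2 = colon-separated directories to search for the lokkit binary
# Prints "enabled <path>" or "disabled"; returns 1 on a configure-time error.
resolve_lokkit() {
    mode=$1
    search_path=$2
    found=

    case $mode in
        no) echo "disabled"; return 0 ;;          # forced off, no probing
        yes|check) ;;
        *)  echo "error: expected no/yes/check, got '$mode'" >&2
            return 1 ;;                           # reject typos instead of disabling
    esac

    # Walk the given directories by hand so nothing outside them is trusted.
    old_ifs=$IFS
    IFS=:
    for dir in $search_path; do
        if [ -n "$dir" ] && [ -f "$dir/lokkit" ] && [ -x "$dir/lokkit" ]; then
            found=$dir/lokkit
            break
        fi
    done
    IFS=$old_ifs

    if [ -n "$found" ]; then
        echo "enabled $found"
    elif [ "$mode" = yes ]; then
        echo "error: lokkit requested but not found in $search_path" >&2
        return 1                                  # strict override: fail the build
    else
        echo "disabled"                           # check: build without lokkit
    fi
}

# Stand-alone run with the proposed default mode and typical system directories.
resolve_lokkit check /usr/sbin:/sbin
```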
Re: [Libvir] [patch 5/9] Include the iptables command and chain name in the saved rules file
by Daniel P. Berrange
On Fri, Jan 04, 2008 at 03:57:30PM +0000, Mark McLoughlin wrote:
> lokkit --custom-rules expects the passed file to include the
> iptables command and chain name (e.g. "--insert INPUT") rather
> than just the rest of the arguments.
>
> Add both of those to what will be saved to the rules file
> and simplify the resulting code by splitting out an
> argvToString() helper function.
>
> The one complication is that when we're removing a rule
> we need to make sure we don't search for it using
> "--delete" rather than "--insert". For that reason,
> only change the argument to "--delete" once we've
> constructed the string we use to search through the
> existing rules.
ACK.
Dan.
--
|=- Red Hat, Engineering, Emerging Technologies, Boston. +1 978 392 2496 -=|
|=- Perl modules: http://search.cpan.org/~danberr/ -=|
|=- Projects: http://freshmeat.net/~danielpb/ -=|
|=- GnuPG: 7D3B9505 F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 -=|
[Libvir] OCaml mlvirtmanager ported to Windows
by Richard W.M. Jones
(NB. This is _not_ the real virt-manager).
Screenshots:
http://www.annexia.org/tmp/mlvirtmanager-win-1.png
http://www.annexia.org/tmp/mlvirtmanager-win-2.png
http://www.annexia.org/tmp/mlvirtmanager-win-3.png
The code is in the Mercurial repository,
http://hg.et.redhat.com/virt/applications/virt-top--devel .
You will need to install lablgtk2 binary from:
http://wwwfun.kurims.kyoto-u.ac.jp/soft/olabl/lablgtk.html
and Windows Gtk development binary from:
http://gladewin32.sourceforge.net/
and then follow the installation instructions for lablgtk2 given here:
http://wwwfun.kurims.kyoto-u.ac.jp/soft/olabl/install-win32.txt
After that, ocaml-libvirt should automatically detect that you've got
Gtk / lablgtk2 installed (you might need to restart the MSys shell so it
gets the new $PATH), and will offer to compile mlvirtmanager.
Rich.
--
Emerging Technologies, Red Hat - http://et.redhat.com/~rjones/
Registered Address: Red Hat UK Ltd, Amberley Place, 107-111 Peascod
Street, Windsor, Berkshire, SL4 1TE, United Kingdom. Registered in
England and Wales under Company Registration No. 03798903
[Libvir] [PATCH] A few more Windows / MinGW fixups
by Richard W.M. Jones
A few fairly miscellaneous fixups for Windows (MinGW) which fix shared
library builds and fix error handling for sockets.
(1) XDR functions on MinGW come from a library called 'libxdr', not
'librpc'.
(2) To build a DLL under MinGW we need to pass the -no-undefined flag to
the linker.
(3) Socket compatibility header file replaces <winsock2.h> inclusion.
This just defines a portable 'socket_errno()' function which returns
errno in the normal case, or WSAGetLastError() in the Windows case.
(4) Use socket_errno() instead of errno in a few cases (but only when
the code can be compiled under Windows, ie. only in the remote client case).
Example -- a dynamically linked virsh.exe (linked to libvirt-0.dll)
accessing a remote libvirtd:
$ src/.libs/virsh.exe -c test+tcp://192.168.2.128/default list
Id Name State
----------------------------------
1 test running
If you want to compile this under Windows, you will need:
(a) MinGW & MSYS (select the "candidate" versions of MinGW tools if you
are using Vista or W2K8, since otherwise nothing works because of a
known bug).
(b) Install gcc 4 experimental package from MinGW site. It's called
gcc-sjlj for reasons which escape me.
(c) Install GnuTLS binary from
http://www.gnu.org/software/gnutls/download.html. I'm using GnuTLS
Windows binary 1.6.3 and I had to hand-hack the *.la files in that
distribution because they contain incorrect paths.
(d) Compile and install latest libxml2 from http://xmlsoft.org/. I'm
using 2.6.30.
(e) Compile and install my XDR package for Windows
(http://www.annexia.org/tmp/xdr-4.0-mingw5.tar.gz)
(f) ./configure --without-xen --without-qemu --without-sasl
--without-libvirtd
(g) make
Rich.
--
Emerging Technologies, Red Hat - http://et.redhat.com/~rjones/
Registered Address: Red Hat UK Ltd, Amberley Place, 107-111 Peascod
Street, Windsor, Berkshire, SL4 1TE, United Kingdom. Registered in
England and Wales under Company Registration No. 03798903
[Libvir] OCaml bindings now build and run under Windows (MinGW)
by Richard W.M. Jones
The OCaml bindings, examples, and mlvirsh tool, now build and run under
Windows (MinGW), both for bytecode and native code. You'll need the
libvirt patches for MinGW as in my previous email.
OCaml bindings: http://hg.et.redhat.com/virt/applications/virt-top--devel
Example of using mlvirsh (native code version) to access a remote libvirtd:
rjones@WIN-MJ27YD6XBZI /c/d/virt-top--devel
$ ./mlvirsh/mlvirsh.opt -c test+tcp://192.168.2.128/default list
1 test running
rjones@WIN-MJ27YD6XBZI /c/d/virt-top--devel
$ ./mlvirsh/mlvirsh.opt -c test+tcp://192.168.2.128/default nodeinfo
model: i686
memory: 3145728 K
cpus: 16
mhz: 1400
nodes: 2
sockets: 2
cores: 2
threads: 2
[Screenshot: http://www.annexia.org/tmp/Screenshot-VNC_win-mj27yd6xbzi.png ]
Rich.
--
Emerging Technologies, Red Hat - http://et.redhat.com/~rjones/
Registered Address: Red Hat UK Ltd, Amberley Place, 107-111 Peascod
Street, Windsor, Berkshire, SL4 1TE, United Kingdom. Registered in
England and Wales under Company Registration No. 03798903
Re: [Libvir] [patch 9/9] Remove --with-iptables-dir
by Daniel P. Berrange
On Fri, Jan 04, 2008 at 03:57:34PM +0000, Mark McLoughlin wrote:
> --with-iptables-dir was added to integrate with
> a proposed system for letting iptables know how to
> reload our rules.
>
> The idea was that we'd save our rules to a file
> under /etc/sysconfig/iptable.d and the iptables
> init script would load the rules from there when
> it was reloading.
>
> The proposed system wasn't accepted so, although
> there might be some theoretical use for this other
> than the lokkit support, let's just remove it
> for now.
ACK
Dan.
--
|=- Red Hat, Engineering, Emerging Technologies, Boston. +1 978 392 2496 -=|
|=- Perl modules: http://search.cpan.org/~danberr/ -=|
|=- Projects: http://freshmeat.net/~danielpb/ -=|
|=- GnuPG: 7D3B9505 F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 -=|
Re: [Libvir] [patch 8/9] Remove --with-iptables-prefix
by Daniel P. Berrange
On Fri, Jan 04, 2008 at 03:57:33PM +0000, Mark McLoughlin wrote:
> --with-iptables-prefix was added to integrate with
> a proposed system for letting iptables know how to
> reload our rules.
>
> The idea was that we'd add our rules to a chain
> like libvirt-INPUT rather than INPUT, and there'd
> be a configuration file which would specify whether
> INPUT should include libvirt-INPUT.
>
> The proposed system wasn't accepted so, although
> there might be some other theoretical use for this,
> let's just remove it.
I rather doubt anyone's using it, so ACK to killing it off.
Dan.
--
|=- Red Hat, Engineering, Emerging Technologies, Boston. +1 978 392 2496 -=|
|=- Perl modules: http://search.cpan.org/~danberr/ -=|
|=- Projects: http://freshmeat.net/~danielpb/ -=|
|=- GnuPG: 7D3B9505 F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 -=|
Re: [Libvir] [patch 4/9] Re-name the "flipflop" variable to "command_idx"
by Daniel P. Berrange
On Fri, Jan 04, 2008 at 03:57:29PM +0000, Mark McLoughlin wrote:
> The "flipflop" variable marks the index into argv where
> the "--insert" is at, so that when we're reloading the
> rules we can easily change it to "--delete" and back
> again.
>
> It's a rather silly name, and the next patch is going
> to make more use out of it, so let's use the more sane
> "command_idx" name.
Fair enough. ACK.
Dan
--
|=- Red Hat, Engineering, Emerging Technologies, Boston. +1 978 392 2496 -=|
|=- Perl modules: http://search.cpan.org/~danberr/ -=|
|=- Projects: http://freshmeat.net/~danielpb/ -=|
|=- GnuPG: 7D3B9505 F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 -=|