[libvirt] [PATCH 2/2] Make sure the rundir is accessible by the user
by Guido Günther
otherwise the user might not have enough permissions to access the
socket if roots umask is 077.
http://bugs.debian.org/614210
---
daemon/libvirtd.c | 3 +++
1 files changed, 3 insertions(+), 0 deletions(-)
diff --git a/daemon/libvirtd.c b/daemon/libvirtd.c
index 610e7fd..a968e05 100644
--- a/daemon/libvirtd.c
+++ b/daemon/libvirtd.c
@@ -3156,7 +3156,9 @@ static int create_rundir (void)
{
const char *rundir = LOCALSTATEDIR "/run/libvirt";
int ret = 0;
+ mode_t old_umask;
+ old_umask = umask(022);
if (mkdir (rundir, 0755)) {
if (errno != EEXIST) {
char ebuf[1024];
@@ -3165,6 +3167,7 @@ static int create_rundir (void)
ret = VIR_DAEMON_ERR_RUNDIR;
}
}
+ umask(old_umask);
return ret;
}
--
1.7.4.1
13 years, 8 months
[libvirt] [PATCH] storage: replace the deprecated option of qemu-img.
by Osier Yang
qemu-img silently disable "-e", so we can't use it for volume
encryption anymore, change it into "-o encryption=on".
I'm afraid of it will inroduce compatibility problem for older
qemu without "-o" option, but "-o" option is already used in the
codes, seems it's fine.
* src/storage/storage_backend.c
---
src/storage/storage_backend.c | 17 +++++++++++------
1 files changed, 11 insertions(+), 6 deletions(-)
diff --git a/src/storage/storage_backend.c b/src/storage/storage_backend.c
index 2eede74..c381444 100644
--- a/src/storage/storage_backend.c
+++ b/src/storage/storage_backend.c
@@ -778,7 +778,7 @@ virStorageBackendCreateQemuImg(virConnectPtr conn,
imgargv[8] = vol->target.path;
imgargv[9] = size;
if (vol->target.encryption != NULL)
- imgargv[10] = "-e";
+ imgargv[10] = "-o encryption=on";
break;
case QEMU_IMG_BACKING_FORMAT_OPTIONS:
@@ -786,13 +786,18 @@ virStorageBackendCreateQemuImg(virConnectPtr conn,
virReportOOMError();
goto cleanup;
}
+
+ if (vol->target.encryption != NULL) {
+ if (virAsprintf(&optflag, ",encryption=on") < 0) {
+ virReportOOMError();
+ goto cleanup;
+ }
+ }
+
imgargv[6] = "-o";
imgargv[7] = optflag;
imgargv[8] = vol->target.path;
imgargv[9] = size;
- if (vol->target.encryption != NULL)
- imgargv[10] = "-e";
- break;
default:
VIR_INFO("Unable to set backing store format for %s with %s",
@@ -800,7 +805,7 @@ virStorageBackendCreateQemuImg(virConnectPtr conn,
imgargv[6] = vol->target.path;
imgargv[7] = size;
if (vol->target.encryption != NULL)
- imgargv[8] = "-e";
+ imgargv[8] = "-o encryption=on";
}
ret = virStorageBackendCreateExecCommand(pool, vol, imgargv);
@@ -817,7 +822,7 @@ virStorageBackendCreateQemuImg(virConnectPtr conn,
NULL
};
if (vol->target.encryption != NULL)
- imgargv[6] = "-e";
+ imgargv[6] = "-o encryption=on";
ret = virStorageBackendCreateExecCommand(pool, vol, imgargv);
}
--
1.7.4
13 years, 8 months
[libvirt] [PATCH] docs: correct range of default NAT subnet
by Eric Blake
* docs/formatdomain.html.in: Fix typo.
---
Pushing under the trivial rule.
docs/formatdomain.html.in | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/docs/formatdomain.html.in b/docs/formatdomain.html.in
index 9b9ab29..8b6e5e4 100644
--- a/docs/formatdomain.html.in
+++ b/docs/formatdomain.html.in
@@ -1145,7 +1145,7 @@
network config with '<code>virsh net-dumpxml [networkname]</code>'.
There is one virtual network called 'default' setup out
of the box which does NAT'ing to the default route and has an IP range of
- <code>192.168.22.0/255.255.255.0</code>. Each guest will have an
+ <code>192.168.122.0/255.255.255.0</code>. Each guest will have an
associated tun device created with a name of vnetN, which can also be
overridden with the <target> element (see
<a href="#elementsNICSTargetOverride">overriding the target element</a>).
--
1.7.4
13 years, 8 months
[libvirt] [PATCH 2/2] libvirtd: Remove indirect linking
by Guido Günther
as described at
http://wiki.debian.org/ToolChain/DSOLinking
https://fedoraproject.org/wiki/UnderstandingDSOLinkChange
otherwise the build fails on current Debian unstable with:
CCLD libvirtd
/usr/bin/ld: ../src/.libs/libvirt_driver_lxc.a(libvirt_driver_lxc_la-lxc_container.o): undefined reference to symbol 'capng_apply'
/usr/bin/ld: note: 'capng_apply' is defined in DSO //usr/lib/libcap-ng.so.0 so try adding it to the linker command line
CCLD libvirtd
/usr/bin/ld: ../src/.libs/libvirt_driver_storage.a(libvirt_driver_storage_la-storage_backend.o): undefined reference to symbol 'fgetfilecon'
/usr/bin/ld: note: 'fgetfilecon' is defined in DSO //lib/libselinux.so.1 so try adding it to the linker command line
//lib/libselinux.so.1: could not read symbols: Invalid operation
O.k. to apply?
Cheers,
-- Guido
---
daemon/Makefile.am | 10 +++++++++-
1 files changed, 9 insertions(+), 1 deletions(-)
diff --git a/daemon/Makefile.am b/daemon/Makefile.am
index 912440c..2083084 100644
--- a/daemon/Makefile.am
+++ b/daemon/Makefile.am
@@ -145,7 +145,15 @@ if WITH_NWFILTER
endif
endif
-libvirtd_LDADD += ../src/libvirt.la
+if WITH_SECDRIVER_SELINUX
+ libvirtd_LDADD += $(SELINUX_LIBS)
+endif
+if WITH_SECDRIVER_APPARMOR
+ libvirtd_LDADD += $(APPARMOR_LIBS)
+endif
+
+libvirtd_LDADD += ../src/libvirt.la \
+ $(CAPNG_LIBS)
if HAVE_POLKIT
if HAVE_POLKIT0
--
1.7.4.1
13 years, 8 months
[libvirt] [libvirt-snmp][PATCH] configure.ac: lower required minimal version of autoconf
by Michal Privoznik
so we can build even on rhel 5.6 where the original version is not yet.
---
configure.ac | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/configure.ac b/configure.ac
index 468fb07..dcab0ae 100644
--- a/configure.ac
+++ b/configure.ac
@@ -2,7 +2,7 @@ AC_INIT([libvirt-snmp],[0.0.1],[libvir-list@redhat.com],[],[http://libvirt.org])
AM_INIT_AUTOMAKE([-Wall -Werror])
AC_CONFIG_HEADERS([config.h])
-AC_PREREQ([2.66])
+AC_PREREQ([2.50])
AC_CHECK_FUNCS([memset])
AC_CHECK_FUNCS([strdup])
AC_CHECK_HEADERS([stdlib.h])
--
1.7.4
13 years, 8 months
[libvirt] (no subject)
by Guido Günther
>From 4a3765d97c3f5049aa294a4b7b629eabfd9cf04d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Guido=20G=C3=BCnther?= <agx(a)sigxcpu.org>
Date: Mon, 7 Mar 2011 22:22:36 +0100
Subject: [PATCH 1/2] Move rundir creation into separate function
---
daemon/libvirtd.c | 31 ++++++++++++++++++++-----------
1 files changed, 20 insertions(+), 11 deletions(-)
diff --git a/daemon/libvirtd.c b/daemon/libvirtd.c
index 452566c..610e7fd 100644
--- a/daemon/libvirtd.c
+++ b/daemon/libvirtd.c
@@ -3150,6 +3150,24 @@ enum {
OPT_VERSION = 129
};
+
+/* Ensure the rundir exists (on tmpfs on some systems) */
+static int create_rundir (void)
+{
+ const char *rundir = LOCALSTATEDIR "/run/libvirt";
+ int ret = 0;
+
+ if (mkdir (rundir, 0755)) {
+ if (errno != EEXIST) {
+ char ebuf[1024];
+ VIR_ERROR(_("unable to create rundir %s: %s"), rundir,
+ virStrerror(errno, ebuf, sizeof(ebuf)));
+ ret = VIR_DAEMON_ERR_RUNDIR;
+ }
+ }
+ return ret;
+}
+
#define MAX_LISTEN 5
int main(int argc, char **argv) {
struct qemud_server *server = NULL;
@@ -3276,17 +3294,8 @@ int main(int argc, char **argv) {
/* Ensure the rundir exists (on tmpfs on some systems) */
if (geteuid() == 0) {
- const char *rundir = LOCALSTATEDIR "/run/libvirt";
-
- if (mkdir (rundir, 0755)) {
- if (errno != EEXIST) {
- char ebuf[1024];
- VIR_ERROR(_("unable to create rundir %s: %s"), rundir,
- virStrerror(errno, ebuf, sizeof(ebuf)));
- ret = VIR_DAEMON_ERR_RUNDIR;
- goto error;
- }
- }
+ if (create_rundir ())
+ goto error;
}
/* Beyond this point, nothing should rely on using
--
1.7.4.1
13 years, 8 months
[libvirt] [PATCH] Fix a wrong error message threw to user.
by Hu Tao
---
src/qemu/qemu_driver.c | 4 ++--
1 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c
index 0f7cbad..f26b1ef 100644
--- a/src/qemu/qemu_driver.c
+++ b/src/qemu/qemu_driver.c
@@ -4209,8 +4209,8 @@ static int qemuDomainUpdateDeviceFlags(virDomainPtr dom,
default:
qemuReportError(VIR_ERR_CONFIG_UNSUPPORTED,
- _("disk device type '%s' cannot be updated"),
- virDomainDiskDeviceTypeToString(dev->data.disk->device));
+ _("device type '%s' cannot be updated"),
+ virDomainDeviceTypeToString(dev->type));
break;
}
--
1.7.3.1
13 years, 8 months
[libvirt] [PATCH] security: ignore disk opening failure of DAC driver.
by Osier Yang
Which blocks the domain booting up if one of the disks
can't be opened (e.g. doesn't exist).
---
src/security/security_dac.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/src/security/security_dac.c b/src/security/security_dac.c
index fba2d1d..8bb5bc9 100644
--- a/src/security/security_dac.c
+++ b/src/security/security_dac.c
@@ -182,7 +182,7 @@ virSecurityDACSetSecurityImageLabel(virSecurityManagerPtr mgr,
return virDomainDiskDefForeachPath(disk,
virSecurityManagerGetAllowDiskFormatProbing(mgr),
- false,
+ true,
virSecurityDACSetSecurityFileLabel,
mgr);
}
--
1.7.4
13 years, 8 months
[libvirt] [PATCH] dynamic_ownership documentation
by Stephan Mueller
Hi,
I would like to propose the following patch for the libvirtd.conf file to
document sVirt and its usage. If you have suggestions to add better wording,
please let me know.
(If you reply with comments, could you please CC me as I am not on the list.)
Ciao
Stephan
---
diff --git a/cc-config/cc/libvirtd.conf b/cc-config/cc/libvirtd.conf
index 43e19d8..a9acc21 100644
--- a/cc-config/cc/libvirtd.conf
+++ b/cc-config/cc/libvirtd.conf
@@ -154,7 +154,52 @@ auth_unix_rw = "none"
# mechanism as well, by using 'sasl' for this option
#auth_tls = "none"
-
+#################################################################
+#
+# sVirt protection mechanisms
+#
+# The following options specify the separation of virtual machines
+# based on SELinux categories. As virtual machines execute with the
+# same user ID, an additional separation functionality is necessary
+# to prevent different virtual machines from interfering with each other
+# in case the simulation environment provided with QEMU is
+# successfully broken by a rogue guest.
+#
+# The sVirt protection mechanism implements two modes of operation:
+# dynamic assignment of SELinux categories
+# static assignment of SELinux labels
+#
+# A dynamic assignment of categories implies that libvirt generates
+# a unique SELinux category that the virtual machine and its resources
+# are assigned to during the instantiation of the virtual machine.
+# SELinux ensures that each virtual machine can only access resources
+# labeled with the same category as the virtual machine itself.
+#
+# A static assignment of SELinux labels imply that the administrator
+# manually configures the SELinux label of the virtual machine in
+# /etc/libvirt/qemu/<VM-DESCRIPTOR> based on the following example:
+#
+# <seclabel model='selinux' type="static">
+# <label>system_u:system_r:qemu_t:s0:c210.c502</label>
+# </seclabel>
+#
+# The <label> tag specifies a full SELinux label the virtual machine
+# will be executed with.
+#
+# In addition to the setting of the SELinux label of the virtual
+# machine, the administrator must manually set the SELinux label
+# of all resources the virtual machine accesses appropriately.
+#
+# NOTE: The dynamic assignment of categories is only intended for
+# systems with the targeted SELinux policy. Systems with the MLS
+# SELinux policy MUST use the static assignment of labels.
+# It is possible that static assignment is configured for
+# systems with the targeted policy as well.
+#
+# dynamic_ownership: 0 == static assignment of SELinux labels
+# 1 == dynamic assignment of SELinux labels
+dynamic_ownership=1
+#
13 years, 8 months
[libvirt] how to install 'devel' module from source files...
by john alexander sanabria ordonez
Hi,
I'm wondering how, when libvirt is installed from sources, to also install
the 'development' files?
I installed libvirt-0.8.8 with no problems and 'virsh' works OK. However,
when I try to install, for instance libvirt-ruby, it asks me for libvirt
development files.
What extra step is required?
Thanks,
13 years, 8 months
