[libvirt] [PATCH] Ensure securityfs is mounted readonly in container
by Daniel P. Berrange
From: Dan Walsh <dwalsh(a)redhat.com>
If securityfs is available on the host, we should ensure to
mount it read-only in the container. This will avoid systemd
trying to mount it during startup causing SELinux AVCs.
Signed-off-by: Daniel P. Berrange <berrange(a)redhat.com>
---
src/lxc/lxc_container.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/src/lxc/lxc_container.c b/src/lxc/lxc_container.c
index b910b10..a943b22 100644
--- a/src/lxc/lxc_container.c
+++ b/src/lxc/lxc_container.c
@@ -770,6 +770,8 @@ static int lxcContainerMountBasicFS(void)
{ "/proc/sys", "/proc/sys", NULL, NULL, MS_BIND|MS_REMOUNT|MS_RDONLY },
{ "sysfs", "/sys", "sysfs", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV },
{ "sysfs", "/sys", "sysfs", NULL, MS_BIND|MS_REMOUNT|MS_RDONLY },
+ { "securityfs", "/sys/kernel/security", "securityfs", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV },
+ { "securityfs", "/sys/kernel/security", "securityfs", NULL, MS_BIND|MS_REMOUNT|MS_RDONLY },
#if WITH_SELINUX
{ SELINUX_MOUNT, SELINUX_MOUNT, "selinuxfs", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV },
{ SELINUX_MOUNT, SELINUX_MOUNT, NULL, NULL, MS_BIND|MS_REMOUNT|MS_RDONLY },
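Review bot: the commit message conditions this on securityfs being available on the host, but the two new table entries are unconditional like the sysfs pair above them; confirm that lxcContainerMountBasicFS treats a failed securityfs mount (for example ENODEV on a kernel built without securityfs) as non-fatal, otherwise containers that started before this change will fail to start on such hosts. Minor consistency point: the bind-remount entry passes "securityfs" as the fstype while the SELINUX_MOUNT remount entry below passes NULL; the table already mixes both forms, but the new pair should follow whichever one is preferred.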
--
1.8.3.1
11 years
[libvirt] [PATCHv2 0/5] Refactor feature handling and add support for pvticketlocks
by Peter Krempa
Version 2 incorporates changes based on review feedback from Jan and Doug.
Peter Krempa (5):
schema: Rename option to make it reusable
conf: Refactor storing and usage of feature flags
qemu: Add support for paravirtual spinlocks in the guest
conf: Clean up few error messages
qemu: command: Fix macro indentation
docs/formatdomain.html.in | 7 +
docs/schemas/domaincommon.rng | 18 +-
src/conf/domain_conf.c | 200 +++++++++++++++------
src/conf/domain_conf.h | 3 +-
src/libxl/libxl_conf.c | 9 +-
src/lxc/lxc_container.c | 6 +-
src/qemu/qemu_command.c | 31 +++-
src/vbox/vbox_tmpl.c | 45 +++--
src/xenapi/xenapi_driver.c | 10 +-
src/xenapi/xenapi_utils.c | 22 ++-
src/xenxs/xen_sxpr.c | 20 +--
src/xenxs/xen_xm.c | 30 ++--
.../qemuxml2argv-pv-spinlock-disabled.args | 5 +
.../qemuxml2argv-pv-spinlock-disabled.xml | 26 +++
.../qemuxml2argv-pv-spinlock-enabled.args | 5 +
.../qemuxml2argv-pv-spinlock-enabled.xml | 26 +++
tests/qemuxml2argvtest.c | 2 +
tests/qemuxml2xmltest.c | 2 +
18 files changed, 326 insertions(+), 141 deletions(-)
create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-pv-spinlock-disabled.args
create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-pv-spinlock-disabled.xml
create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-pv-spinlock-enabled.args
create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-pv-spinlock-enabled.xml
--
1.8.3.2
11 years
[libvirt] [PATCH] virerror: s/VIR_ERR_STORAGE_VOL_EXISTS/VIR_ERR_STORAGE_VOL_EXISTS/
by Michal Privoznik
We currently have other error codes in singular form, e.g.
VIR_ERR_NETWORK_EXIST. Clean up the previous patch to match that form.
Signed-off-by: Michal Privoznik <mprivozn(a)redhat.com>
---
include/libvirt/virterror.h | 2 +-
src/storage/storage_driver.c | 2 +-
src/util/virerror.c | 2 +-
3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/include/libvirt/virterror.h b/include/libvirt/virterror.h
index fd14237..e31e9c4 100644
--- a/include/libvirt/virterror.h
+++ b/include/libvirt/virterror.h
@@ -296,7 +296,7 @@ typedef enum {
VIR_ERR_ACCESS_DENIED = 88, /* operation on the object/resource
was denied */
VIR_ERR_DBUS_SERVICE = 89, /* error from a dbus service */
- VIR_ERR_STORAGE_VOL_EXISTS = 90, /* the storage vol already exists */
+ VIR_ERR_STORAGE_VOL_EXIST = 90, /* the storage vol already exists */
} virErrorNumber;
/**
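Review bot: renaming a value in the public include/libvirt/virterror.h enum is only safe if VIR_ERR_STORAGE_VOL_EXISTS has not yet shipped in a release; the commit message says this cleans up "the previous patch", so it should be applied before that patch is tagged, otherwise the old spelling needs to stay as an alias to avoid breaking API users. The numeric value 90 is unchanged, so the ABI is unaffected either way.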
diff --git a/src/storage/storage_driver.c b/src/storage/storage_driver.c
index d419a36..b3f0871 100644
--- a/src/storage/storage_driver.c
+++ b/src/storage/storage_driver.c
@@ -1538,7 +1538,7 @@ storageVolCreateXML(virStoragePoolPtr obj,
goto cleanup;
if (virStorageVolDefFindByName(pool, voldef->name)) {
- virReportError(VIR_ERR_STORAGE_VOL_EXISTS,
+ virReportError(VIR_ERR_STORAGE_VOL_EXIST,
_("'%s'"), voldef->name);
goto cleanup;
}
diff --git a/src/util/virerror.c b/src/util/virerror.c
index 3f55cec..d9a9fc4 100644
--- a/src/util/virerror.c
+++ b/src/util/virerror.c
@@ -1004,7 +1004,7 @@ virErrorMsg(virErrorNumber error, const char *info)
else
errmsg = _("Storage volume not found: %s");
break;
- case VIR_ERR_STORAGE_VOL_EXISTS:
+ case VIR_ERR_STORAGE_VOL_EXIST:
if (info == NULL)
errmsg = _("this storage volume exists already");
else
--
1.8.1.5
11 years
[libvirt] [PATCH 0/2] Fixes for Mac OS X
by Ryota Ozaki
These patches enable libvirtd to work on Mac OS X.
We still cannot build libvirtd from the git repository
due to an rpcgen problem (*); we can, however, build it
from a libvirt tarball, which means that we can use the
libvirtd installed by Homebrew.
(*) https://www.redhat.com/archives/libvirt-users/2013-February/msg00033.html
ozaki-r
Ryota Ozaki (2):
rpc: fix getsockopt for LOCAL_PEERCRED on Mac OS X
nodeinfo: make freebsdNodeGetCPUCount work on Mac OS X
src/nodeinfo.c | 15 ++++++++++++---
src/rpc/virnetsocket.c | 4 ++++
2 files changed, 16 insertions(+), 3 deletions(-)
--
1.8.3.4
11 years
[libvirt] [PATCH] Be more clever and verbose about localization-initialization.
by Fuchs, Andreas
Currently libvirt fails with an uninformative error message if no translations are found.
Fixes:
* If bindtextdomain fails due to missing language files, fall back to locale C.
* If textdomain still fails, report the exact error without translation attempt.
https://bugzilla.redhat.com/show_bug.cgi?id=1016158
Signed-off-by: Andreas Fuchs <andreas.fuchs(a)sit.fraunhofer.de>
---
daemon/libvirtd.c | 14 +++++++++++---
1 file changed, 11 insertions(+), 3 deletions(-)
diff --git a/daemon/libvirtd.c b/daemon/libvirtd.c
index 99c0342..490acbf 100644
--- a/daemon/libvirtd.c
+++ b/daemon/libvirtd.c
@@ -1132,9 +1132,17 @@ int main(int argc, char **argv) {
};
if (setlocale(LC_ALL, "") == NULL ||
- bindtextdomain(PACKAGE, LOCALEDIR) == NULL ||
- textdomain(PACKAGE) == NULL ||
- virInitialize() < 0) {
+ bindtextdomain(PACKAGE, LOCALEDIR) == NULL ||
+ textdomain(PACKAGE) == NULL) {
+ VIR_WARN("Cannot find localization information. Falling back to non-localized messages.");
+ if (setlocale(LC_ALL, "C") == NULL ||
+ textdomain(PACKAGE) == NULL) {
+ fprintf(stderr, "%s: localization initialization failed\n", argv[0]);
+ exit(EXIT_FAILURE);
+ }
+ }
+
+ if (virInitialize() < 0) {
fprintf(stderr, _("%s: initialization failed\n"), argv[0]);
exit(EXIT_FAILURE);
}
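Review bot: the new outer condition treats a failed setlocale(LC_ALL, "") the same as a failed bindtextdomain()/textdomain(), so the VIR_WARN text "Cannot find localization information" is misleading in the common case where the cause is an unsupported or misspelled LANG/LC_* setting in the environment rather than missing message catalogues; consider splitting the condition so each branch reports its actual cause, or wording the warning to cover both. Also confirm that VIR_WARN produces output this early in main(), before virInitialize() has run; the plain fprintf() without _() in the inner failure path is the right choice there, since no translation can be assumed at that point.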
--
1.7.10.4
11 years
Re: [libvirt] [libvirt-users] (Xen + libvirt) Installing and workin with xen -4.2.1 and libvirt 1.1.2
by Eric Blake
On 10/07/2013 02:28 AM, cooldharma06 wrote:
> hi,
>
> i removed all libvirt things form my system and i installed libvirt-0.9.12
> frm my repository.
>
> then i installed libvirt-1.1.2 from the source with following commands.
>
> ./configure --prefix=/usr --localstatedir=/var --sysconfdir=/etc
> --with-xen=yes --with-libxl=yes
>
> make
>
> make install
>
> now its works with XM.
> but with xl its not working...
>
> i attached the corresponding screenshots also. kindly refer the attachment.
Sending 271k of attachments to multiple mailing lists is considered poor
netiquette - the effort to send that much from the mail server to the
large number of recipients of each list, as well as the fact that not
all list recipients have broadband access and have to pay for every byte
downloaded, means that it is much nicer to copy-and-paste the text
contents of error messages, and/or host your screenshots on an external
site and merely post the URL to your screenshots rather than attaching
them to the mail.
Also, we ask that you avoid top-posting on technical lists.
--
Eric Blake eblake redhat com +1-919-301-3266
Libvirt virtualization library http://libvirt.org
11 years
[libvirt] [PATCH 0/2] Make it easier to disable readline
by Eric Blake
Previously, disabling readline involved uninstalling the development
library, or else configuring with:
ac_cv_lib_readline_readline=no ac_cv_search_tgetent=no ac_cv_lib_readline_rl_initialize=no
With this series, it is much easier to test that virsh still works
without readline support, merely using ./configure --without-readline.
Eric Blake (2):
build: move readline check into its own macro
build: add configure --without-readline
configure.ac | 43 +++----------------------------------------
m4/virt-readline.m4 | 50 ++++++++++++++++++++++++++++++++++++++++++++++++++
tools/virsh.c | 12 ++++++------
3 files changed, 59 insertions(+), 46 deletions(-)
create mode 100644 m4/virt-readline.m4
--
1.8.3.1
11 years
[libvirt] [PATCH] tests: avoid compile failure on linux kernels older than 2.6.19
by Giuseppe Scrivano
Signed-off-by: Giuseppe Scrivano <gscrivan(a)redhat.com>
---
tests/securityselinuxhelper.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/tests/securityselinuxhelper.c b/tests/securityselinuxhelper.c
index 89cba3a..d996825 100644
--- a/tests/securityselinuxhelper.c
+++ b/tests/securityselinuxhelper.c
@@ -24,7 +24,9 @@
#include <dlfcn.h>
#include <errno.h>
-#include <linux/magic.h>
+#if HAVE_LINUX_MAGIC_H
+# include <linux/magic.h>
+#endif
#include <selinux/selinux.h>
#include <stdio.h>
#include <stdlib.h>
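Review bot: HAVE_LINUX_MAGIC_H is only ever defined if configure.ac checks for the header (AC_CHECK_HEADERS([linux/magic.h])), and the diffstat shows only tests/securityselinuxhelper.c changing; if that check is not already present, the include is silently skipped on every kernel and the helper relies solely on the fallback define added further down. Either add the configure check in this patch or state in the commit message that it already exists.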
@@ -33,6 +35,10 @@
#include <unistd.h>
#include <attr/xattr.h>
+#ifndef NFS_SUPER_MAGIC
+# define NFS_SUPER_MAGIC 0x6969
+#endif
+
#include "virstring.h"
static int (*realstatfs)(const char *path, struct statfs *buf);
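Review bot: a one-line comment on the #ifndef NFS_SUPER_MAGIC block saying that 0x6969 mirrors the value from <linux/magic.h> would make clear this is a copied constant rather than an arbitrary number, and the commit message should mention which kernel version introduced linux/magic.h (the subject says 2.6.19) so the fallback can be removed later. The define also sits after the remaining includes; placing it directly after the conditional include would keep the two halves of the workaround together.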
--
1.8.3.1
11 years
[libvirt] [PATCH] build: kill maintainer mode, always rebuild by default
by Eric Blake
The automake manual recommends against disabling
maintainer mode by default:
https://www.gnu.org/software/automake/manual/automake.html#maintainer_002...
because when it is disabled, the user gets no indication if they
touch a file that would normally require a rebuild. Automake
1.11 changed things so that AM_MAINTAINER_MODE([enable]) will set
the mode to enabled by default; but RHEL 5 still uses automake 1.9,
where AM_MAINTAINER_MODE did not recognize an argument, and
therefore disables maintainer mode by default. Having the default
be different according to which version of automake built the
project is annoying, and I _have_ been bitten on RHEL 5 rebuilds
where the default disabled mode led to silently incorrect builds.
The automake manual admits that being able to disable maintainer
mode still makes sense for projects that still store generated
files from the autotools in version control; but we have dropped
that for several years now. As such, it's finally time to just
ditch the whole idea of maintainer mode, and unconditionally
rebuild autotools files if a dependency changes, without offering
a configure option to disable that mode.
* configure.ac (AM_MAINTAINER_MODE): Drop.
Signed-off-by: Eric Blake <eblake(a)redhat.com>
---
configure.ac | 1 -
1 file changed, 1 deletion(-)
diff --git a/configure.ac b/configure.ac
index 7e357c4..024b0c8 100644
--- a/configure.ac
+++ b/configure.ac
@@ -24,7 +24,6 @@ AC_CONFIG_MACRO_DIR([m4])
dnl Make automake keep quiet about wildcards & other GNUmake-isms; also keep
dnl quiet about the fact that we intentionally cater to automake 1.9
AM_INIT_AUTOMAKE([-Wno-portability -Wno-obsolete tar-ustar subdir-objects])
-AM_MAINTAINER_MODE([enable])
# Maintainer note - comment this line out if you plan to rerun
# GNULIB_POSIXCHECK testing to see if libvirt should be using more modules.
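Review bot: dropping AM_MAINTAINER_MODE means --enable-maintainer-mode and --disable-maintainer-mode are no longer recognised configure options, so any packaging scripts or build documentation that pass them need updating alongside this change; the dnl comment just above about catering to automake 1.9 remains accurate and is the natural place to note that this is also why the macro was removed.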
--
1.8.3.1
11 years
[libvirt] Changing test_driver.c file
by Arun Viswanath
Hi All,
For some testing purpose I've changed some content in
src/test/test_driver.c and then used the "make" command to compile and build
the code. Then I copied the "libvirt.so.0.9.10.so" file to the target
machine and restarted the libvirtd daemon, but the changes I made in
test_driver.c are not reflected at all. I'm not sure whether I'm missing
something. Is moving only the "libvirt.so.0.9.10.so" enough, or do I need
to move some .a files? I'm not seeing any ".a" files in the kvm host
related to libvirt to replace. Please provide me sufficient info to proceed
further.
Thanks In Advance,
Arun V
11 years