[libvirt] [PATCH v4 0/3] expose baselabel for each sec model/virt type
by Giuseppe Scrivano
Now each security model can define its own base label, which describes
the default security context used by libvirt to run a hypervisor
process. This information is exposed to users through the host
capabilities XML.
*v4 major changes
- Refactor virSecurityDACSetUser and virSecurityDACSetGroup in a
separate patch
- virSecurityManagerGetBaseLabel never causes a VIR_ERR_NO_SUPPORT
error.
*v3 major changes
- support LXC
- merge virSecurityDACSetUser and virSecurityDACSetGroup in
virSecurityDACSetUserAndGroup
- DAC sets the baselabel in virSecurityDACSetUserAndGroup
- Use virDomainVirtTypeToString instead of hardcoding the name
Giuseppe Scrivano (3):
security: use a single function to set DAC user and group
security: add new internal function "virSecurityManagerGetBaseLabel"
capabilities: add baselabel per sec driver/virt type to secmodel
docs/schemas/capability.rng | 8 ++++
src/conf/capabilities.c | 60 +++++++++++++++++++++++++++-
src/conf/capabilities.h | 14 +++++++
src/libvirt_private.syms | 2 +
src/lxc/lxc_conf.c | 10 ++++-
src/qemu/qemu_conf.c | 21 ++++++++--
src/security/security_apparmor.c | 8 ++++
src/security/security_dac.c | 34 +++++++++++-----
src/security/security_dac.h | 7 ++--
src/security/security_driver.h | 4 ++
src/security/security_manager.c | 21 +++++++++-
src/security/security_manager.h | 2 +
src/security/security_nop.c | 10 +++++
src/security/security_selinux.c | 12 ++++++
src/security/security_stack.c | 9 +++++
tests/capabilityschemadata/caps-qemu-kvm.xml | 2 +
tests/capabilityschemadata/caps-test3.xml | 2 +
17 files changed, 203 insertions(+), 23 deletions(-)
--
1.8.3.1
[libvirt] [PATCH] virsh: new environment variable VIRSH_HISTSIZE
by Pavel Raiskup
Allow adjusting the number of commands to remember in the command
history.
* tools/virsh.c (vshReadlineInit): Read and sanity-check the
VIRSH_HISTSIZE variable.
(VIRSH_HISTSIZE_MAX): New constant.
* tools/virsh.pod: Document VIRSH_HISTSIZE variable.
---
tools/virsh.c | 17 ++++++++++++++++-
tools/virsh.pod | 5 +++++
2 files changed, 21 insertions(+), 1 deletion(-)
diff --git a/tools/virsh.c b/tools/virsh.c
index bad78c9..58bc841 100644
--- a/tools/virsh.c
+++ b/tools/virsh.c
@@ -2748,11 +2748,14 @@ vshReadlineCompletion(const char *text, int start,
return matches;
}
+#define VIRSH_HISTSIZE_MAX 500000
static int
vshReadlineInit(vshControl *ctl)
{
char *userdir = NULL;
+ int max_history = 500;
+ char *histsize_str;
/* Allow conditional parsing of the ~/.inputrc file. */
rl_readline_name = "virsh";
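Review bot: the literal 500 used to initialise max_history duplicates the default that the virsh.pod hunk documents; defining a VIRSH_HISTSIZE_DEFAULT next to the new VIRSH_HISTSIZE_MAX and using it for the initialiser would keep the code and the documentation from drifting apart.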
@@ -2761,7 +2764,19 @@ vshReadlineInit(vshControl *ctl)
rl_attempted_completion_function = vshReadlineCompletion;
/* Limit the total size of the history buffer */
- stifle_history(500);
+ if ((histsize_str = getenv("VIRSH_HISTSIZE"))) {
+ if (virStrToLong_i(histsize_str, NULL, 10, &max_history) < 0) {
+ vshError(ctl, "%s", _("Bad $VIRSH_HISTSIZE value."));
+ VIR_FREE(userdir);
+ return -1;
+ } else if (max_history > VIRSH_HISTSIZE_MAX || max_history < 0) {
+ vshError(ctl, _("$VIRSH_HISTSIZE value should be between 0 and %d"),
+ VIRSH_HISTSIZE_MAX);
+ VIR_FREE(userdir);
+ return -1;
+ }
+ }
+ stifle_history(max_history);
/* Prepare to read/write history from/to the $XDG_CACHE_HOME/virsh/history file */
userdir = virGetUserCacheDirectory();
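Review bot: the two VIR_FREE(userdir) calls in the error paths free a pointer that is still NULL at that point, since userdir is only assigned from virGetUserCacheDirectory() below the hunk; they are harmless but misleading and should be dropped. The validation itself is sound: virStrToLong_i with a NULL end pointer rejects trailing garbage, and bounding the value by VIRSH_HISTSIZE_MAX keeps an environment variable from driving an unbounded readline history allocation.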
diff --git a/tools/virsh.pod b/tools/virsh.pod
index 23d17c4..dac9a08 100644
--- a/tools/virsh.pod
+++ b/tools/virsh.pod
@@ -3349,6 +3349,11 @@ The editor to use by the B<edit> and related options.
The editor to use by the B<edit> and related options, if C<VISUAL>
is not set.
+=item VIRSH_HISTSIZE
+
+The number of commands to remember in the command history. The
+default value is 500.
+
=item LIBVIRT_DEBUG=LEVEL
Turn on verbose debugging of all libvirt API calls. Valid levels are
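Review bot: the new =item only states the default; it should also give the accepted range (0 to 500000, the VIRSH_HISTSIZE_MAX in the code hunk) and say that a non-numeric or out-of-range value makes virsh fail at startup, since that is the behaviour the code change introduces.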
--
1.8.3.1
[libvirt] [PATCH 0/2 v2] improve auto complete in virsh
by Chen Hanxiao
From: Chen Hanxiao <chenhanxiao(a)cn.fujitsu.com>
Chen Hanxiao (2):
[libvirt]virsh: introduce member excludeOption in vshCmdOptDef and
improve auto complete with it
[libvirt]virsh: set --shareable and --mode's new member: excludeOption
tools/virsh-domain.c | 6 ++++--
tools/virsh.c | 34 ++++++++++++++++++++++++++++++++++
tools/virsh.h | 1 +
3 files changed, 39 insertions(+), 2 deletions(-)
--
1.8.2.1
[libvirt] [PATCH v2 REPOST 0/6] Try to fix selinux/securityfs mount handling in LXC
by Daniel P. Berrange
From: "Daniel P. Berrange" <berrange(a)redhat.com>
Update of
https://www.redhat.com/archives/libvir-list/2013-October/msg00270.html
Previously I just re-sent the one patch needing changes. This time I
am reposting the whole series after rebasing.
Daniel P. Berrange (6):
Add virFileIsMountPoint function
Remove unused 'opts' field from LXC basic mounts struct
Remove pointless 'srcpath' variable in lxcContainerMountBasicFS
Remove duplicate entries in lxcBasicMounts array
Add flag to lxcBasicMounts to control use in user namespaces
Skip any files which are not mounted on the host
src/libvirt_private.syms | 1 +
src/lxc/lxc_container.c | 86 +++++++++++++++++++++++++++++-------------------
src/util/virfile.c | 50 ++++++++++++++++++++++++++++
src/util/virfile.h | 2 ++
4 files changed, 105 insertions(+), 34 deletions(-)
--
1.8.3.1
[libvirt] Schedule for next release
by Daniel Veillard
Assuming we want to release around the end of the month means we
ought to enter freeze next week around the 24 or 25, but I know I
will be very busy and have a hard time on those days. So potentially
I will try to do the freeze on the Saturday 26 for a release around
Nov 1st, but there is a slight risk that the release of 1.1.4 will
be postponed if I fail to do this while in Edinburgh (BTW a lot of libvirt
developers will be there around the KVM forum and LinuxCon events).
Daniel
--
Daniel Veillard | Open Source and Standards, Red Hat
veillard(a)redhat.com | libxml Gnome XML XSLT toolkit http://xmlsoft.org/
http://veillard.com/ | virtualization library http://libvirt.org/
[libvirt] [PATCH] Quick fix for config-demo.py
by Ian Main
I guess this must have been changed and the demo not updated. Fix the
demo so it uses the right value.
Signed-off-by: Ian Main <imain(a)redhat.com>
---
examples/config-demo.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/examples/config-demo.py b/examples/config-demo.py
index 367d99a..c28d8b9 100644
--- a/examples/config-demo.py
+++ b/examples/config-demo.py
@@ -28,7 +28,7 @@ disk.set_type(LibvirtGConfig.DomainDiskType.FILE)
disk.set_guest_device_type(LibvirtGConfig.DomainDiskGuestDeviceType.DISK)
disk.set_source("/tmp/foo/bar")
disk.set_driver_name("qemu")
-disk.set_driver_format(LibvirtGConfig.DriverType.QCOW2)
+disk.set_driver_format(LibvirtGConfig.DomainDiskFormat.QCOW2)
disk.set_target_bus(LibvirtGConfig.DomainDiskBus.IDE)
disk.set_target_dev("hda")
domain.add_device(disk)
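Review bot: replacing LibvirtGConfig.DriverType.QCOW2 with LibvirtGConfig.DomainDiskFormat.QCOW2 matches the set_driver_format() setter it is passed to, but the commit message only guesses at the cause; naming the libvirt-gconfig change that renamed the enum would make the fix traceable.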
--
1.8.1.4
[libvirt] [PATCH] Don't update dom->persistent without lock held
by Daniel P. Berrange
From: "Daniel P. Berrange" <berrange(a)redhat.com>
virDomainObjListLoadAllConfigs sets dom->persistent after
having released its lock on the domain object. This exposes
a possible race condition.
Signed-off-by: Daniel P. Berrange <berrange(a)redhat.com>
---
src/conf/domain_conf.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/conf/domain_conf.c b/src/conf/domain_conf.c
index 562d98b..51c4e29 100644
--- a/src/conf/domain_conf.c
+++ b/src/conf/domain_conf.c
@@ -17373,9 +17373,9 @@ virDomainObjListLoadAllConfigs(virDomainObjListPtr doms,
notify,
opaque);
if (dom) {
- virObjectUnlock(dom);
if (!liveStatus)
dom->persistent = 1;
+ virObjectUnlock(dom);
}
}
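Review bot: moving virObjectUnlock(dom) below the dom->persistent = 1 store closes the window the commit message describes; it only helps, though, if every reader of dom->persistent also holds the object lock, so the callers that test the field should be checked before relying on this fix alone.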
--
1.8.3.1
[libvirt] [PATCH]lxc: don't always print debug log in lxcContainerSetID
by Chen Hanxiao
From: Chen Hanxiao <chenhanxiao(a)cn.fujitsu.com>
lxcContainerSetID is used for user namespace.
If we don't enable user namespace, don't print debug log.
Signed-off-by: Chen Hanxiao <chenhanxiao(a)cn.fujitsu.com>
---
src/lxc/lxc_container.c | 14 ++++++++------
1 file changed, 8 insertions(+), 6 deletions(-)
diff --git a/src/lxc/lxc_container.c b/src/lxc/lxc_container.c
index 56df69e..ed1fe29 100644
--- a/src/lxc/lxc_container.c
+++ b/src/lxc/lxc_container.c
@@ -420,12 +420,14 @@ static int lxcContainerSetID(virDomainDefPtr def)
* for this container. And user namespace is only enabled
* when nuidmap&ngidmap is not zero */
- VIR_DEBUG("Set UID/GID to 0/0");
- if (def->idmap.nuidmap &&
- virSetUIDGID(0, 0, NULL, 0) < 0) {
- virReportSystemError(errno, "%s",
- _("setuid or setgid failed"));
- return -1;
+ if (def->idmap.nuidmap) {
+ if (virSetUIDGID(0, 0, NULL, 0) < 0) {
+ virReportSystemError(errno, "%s",
+ _("setuid or setgid failed"));
+ return -1;
+ } else {
+ VIR_DEBUG("Set UID/GID to 0/0");
+ }
}
return 0;
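Review bot: the else branch after return -1 is redundant; placing VIR_DEBUG("Set UID/GID to 0/0") directly after the closing brace of the inner if gives the same behaviour with one less indentation level and matches the usual libvirt style of not following a return with else. The intended change otherwise holds: nothing is logged when nuidmap is zero.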
--
1.8.2.1
[libvirt] [PATCH 0/2] improve auto complete in virsh
by Chen Hanxiao
From: Chen Hanxiao <chenhanxiao(a)cn.fujitsu.com>
Chen Hanxiao (2):
[libvirt]virsh: introduce member exclude_option in vshCmdOptDef and
improve auto complete with it
[libvirt]virsh: set --shareable and --mode's new member:
exclude_option
tools/virsh-domain.c | 6 ++++--
tools/virsh.c | 8 ++++++++
tools/virsh.h | 1 +
3 files changed, 13 insertions(+), 2 deletions(-)
--
1.8.2.1