[libvirt] [tck PATCH 0/4] A few libvirt-tck patches to fix false failures
by Laine Stump
I found these when I ran the tck on RHEL8 beta.
Laine Stump (4):
storage: skip qcow1 tests when qcow1 isn't supported by qemu-img
storage: fix/improve diagnostic messages
networks: remove stray use of brctl command
nwfilter: allow for ebtables *not* removing leading 0 from mac
addresses
scripts/networks/340-guest-network-bridge.t | 4 +-
scripts/nwfilter/100-ping-still-working.t | 4 +-
scripts/nwfilter/210-no-mac-spoofing.t | 4 +-
scripts/storage/100-create-vol-dir.t | 36 +++++++++-------
scripts/storage/200-clone-vol-dir.t | 48 ++++++++++++---------
5 files changed, 54 insertions(+), 42 deletions(-)
--
2.20.1
5 years, 9 months
[libvirt] [PATCH v4 0/6] Add authorization support to all network services
by Daniel P. Berrangé
v1: https://lists.gnu.org/archive/html/qemu-devel/2018-06/msg04482.html
v2: https://lists.gnu.org/archive/html/qemu-devel/2018-06/msg05727.html
v3: https://lists.gnu.org/archive/html/qemu-devel/2018-10/msg01639.html
This series builds on the core authorization framework:
v8: https://lists.gnu.org/archive/html/qemu-devel/2019-02/msg04253.html
enabling its use with the VNC, chardev, NBD and migration network servers.
In combination with TLS x509 client certificates, this allows these
services to whitelist specific clients, which avoids the need to set up
restricted child certificate authorities.
In VNC it also allows whitelisting based on SASL user names.
Changed in v4:
- Update deprecation versions to 4.0
- Rebased to latest git
Changed in v3:
- Rebased to latest git master
Changed in v2:
- Document that authz objects are resolved at time of use, not
time of network service activation
- Improve docs for tls-authz parameters on services
- Fix 2.13 -> 3.0 version tags
- Remove redundant conditionals around g_strdup
- Fix arg syntax for qemu-nbd s/-/--/
- Remove QAPI (optional) annotation
- Fix some outdated usage example
Based-on: <20190215155709.15777-1-berrange(a)redhat.com>
Daniel P. Berrangé (6):
qemu-nbd: add support for authorization of TLS clients
nbd: allow authorization with nbd-server-start QMP command
migration: add support for a "tls-authz" migration parameter
chardev: add support for authorization for TLS clients
vnc: allow specifying a custom authorization object name
monitor: deprecate acl_show, acl_reset, acl_policy, acl_add,
acl_remove
blockdev-nbd.c | 11 ++++++--
chardev/char-socket.c | 12 +++++++-
chardev/char.c | 3 ++
hmp.c | 11 +++++++-
include/block/nbd.h | 4 +--
migration/migration.c | 8 ++++++
migration/tls.c | 2 +-
monitor.c | 23 +++++++++++++++
nbd/server.c | 10 +++----
qapi/block.json | 8 +++++-
qapi/char.json | 6 ++++
qapi/migration.json | 14 ++++++++-
qemu-deprecated.texi | 11 ++++++++
qemu-nbd.c | 14 ++++++++-
qemu-nbd.texi | 4 +++
qemu-options.hx | 44 +++++++++++++++++++++--------
tests/qemu-iotests/233 | 31 ++++++++++++++++++--
tests/qemu-iotests/233.out | 11 ++++++++
ui/vnc.c | 58 ++++++++++++++++++++++++++++++++------
19 files changed, 245 insertions(+), 40 deletions(-)
--
2.20.1
5 years, 9 months
[libvirt] [PATCH] network: explicitly allow icmp/icmpv6 in libvirt zonefile
by Laine Stump
The libvirt zonefile for firewalld (added in commit 3b71f2e4) does the
following:
1) lists specific services it wants to allow, then
2) uses a lower priority <reject/> rule to block all other services to
the host, and then finally,
3) relies on the zone's default "accept" policy to accept all
forwarded traffic (since forwarded traffic is ignored by the
slightly higher priority <reject/> rule in (2)).
I had assumed that icmp traffic was either being allowed at the top of
the rules, or that it would be ignored by the <reject/> rule and
passed by the default accept policy (similar to forwarded traffic),
but this assumption was incorrect; the <reject/> rule does block icmp
traffic. This became apparent when DHCPv6 (which requires ICMPv6 in
addition to udp/dhcpv6) failed to work.
This all means that in order to achieve our original goal of "similar
behavior to a default reject policy, but also allowing forwarded
traffic", we need to add rules to allow all icmp and icmpv6 traffic to
the libvirt zone, and that's what this patch does.
This is a further refinement of the resolution to
https://bugzilla.redhat.com/1650320
Signed-off-by: Laine Stump <laine(a)laine.org>
---
src/network/libvirt.zone | 2 ++
1 file changed, 2 insertions(+)
diff --git a/src/network/libvirt.zone b/src/network/libvirt.zone
index bf81db1b6e..b1e84b52ec 100644
--- a/src/network/libvirt.zone
+++ b/src/network/libvirt.zone
@@ -15,6 +15,8 @@
<rule priority='32767'>
<reject/>
</rule>
+<protocol value='icmp'/>
+<protocol value='ipv6-icmp'/>
<service name='dhcp'/>
<service name='dhcpv6'/>
<service name='dns'/>
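Review bot: The two added `<protocol>` lines have no explanation in the zonefile itself, and they accept every ICMP and ICMPv6 type addressed to the host, which is broader than the DHCPv6 case that motivated them. An XML comment above them stating that the priority 32767 `<reject/>` rule would otherwise drop ICMP, and that the blanket allowance is deliberate, would keep a later reader from removing or narrowing them by mistake.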
--
2.20.1
5 years, 9 months
Re: [libvirt] [Qemu-devel] [PULL 00/14] Trivial branch patches
by Peter Maydell
On Thu, 14 Feb 2019 at 10:58, Laurent Vivier <laurent(a)vivier.eu> wrote:
>
> The following changes since commit 0b5e750bea635b167eb03d86c3d9a09bbd43bc06:
>
> Merge remote-tracking branch 'remotes/stefanha/tags/block-pull-request' into staging (2019-02-12 10:53:37 +0000)
>
> are available in the Git repository at:
>
> git://github.com/vivier/qemu.git tags/trivial-branch-pull-request
>
> for you to fetch changes up to 96566d09aa105ee04cbc1c9539cf8a9a40e8e422:
>
> configure: improve usbfs check (2019-02-14 11:46:30 +0100)
>
> ----------------------------------------------------------------
> - some configure updates (HAX/NetBSD, remove "wav", -Waddress-of-packed-member)
> - remove deprecated options
> - some trace and error cleanup
> - typo fixes
>
Applied, thanks.
Please update the changelog at https://wiki.qemu.org/ChangeLog/4.0
for any user-visible changes.
-- PMM
5 years, 9 months
[libvirt] [dockerfiles PATCH] Refresh after installing modprobe for libvirt
by Andrea Bolognani
The corresponding libvirt-jenkins-ci commit is bb67e0969566.
Signed-off-by: Andrea Bolognani <abologna(a)redhat.com>
---
Pushed under the Dockerfiles refresh rule.
buildenv-centos-7.Dockerfile | 1 +
buildenv-debian-8.Dockerfile | 1 +
buildenv-debian-9.Dockerfile | 1 +
buildenv-debian-sid.Dockerfile | 1 +
buildenv-fedora-28.Dockerfile | 1 +
buildenv-fedora-29.Dockerfile | 1 +
buildenv-fedora-rawhide.Dockerfile | 1 +
buildenv-ubuntu-16.Dockerfile | 1 +
buildenv-ubuntu-18.Dockerfile | 1 +
9 files changed, 9 insertions(+)
diff --git a/buildenv-centos-7.Dockerfile b/buildenv-centos-7.Dockerfile
index ab6f2c5..e85d132 100644
--- a/buildenv-centos-7.Dockerfile
+++ b/buildenv-centos-7.Dockerfile
@@ -25,6 +25,7 @@ RUN yum update -y && \
gnutls-devel \
iproute \
iscsi-initiator-utils \
+ kmod \
libacl-devel \
libattr-devel \
libblkid-devel \
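Review bot: The `+ kmod \` line here (repeated in the other eight files) is not tied to its purpose anywhere in the patch: the subject speaks of modprobe, the package added is kmod, and the body only cites the libvirt-jenkins-ci commit. One sentence in the commit message saying that kmod is the package that ships modprobe would let the change be audited without opening the other repository.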
diff --git a/buildenv-debian-8.Dockerfile b/buildenv-debian-8.Dockerfile
index 587b06f..fa92347 100644
--- a/buildenv-debian-8.Dockerfile
+++ b/buildenv-debian-8.Dockerfile
@@ -20,6 +20,7 @@ RUN export DEBIAN_FRONTEND=noninteractive && \
git \
glusterfs-common \
iproute2 \
+ kmod \
libacl1-dev \
libapparmor-dev \
libattr1-dev \
diff --git a/buildenv-debian-9.Dockerfile b/buildenv-debian-9.Dockerfile
index 359d9c4..9d81f03 100644
--- a/buildenv-debian-9.Dockerfile
+++ b/buildenv-debian-9.Dockerfile
@@ -20,6 +20,7 @@ RUN export DEBIAN_FRONTEND=noninteractive && \
git \
glusterfs-common \
iproute2 \
+ kmod \
libacl1-dev \
libapparmor-dev \
libattr1-dev \
diff --git a/buildenv-debian-sid.Dockerfile b/buildenv-debian-sid.Dockerfile
index 8e49c0c..3be8a9f 100644
--- a/buildenv-debian-sid.Dockerfile
+++ b/buildenv-debian-sid.Dockerfile
@@ -19,6 +19,7 @@ RUN export DEBIAN_FRONTEND=noninteractive && \
gettext \
git \
iproute2 \
+ kmod \
libacl1-dev \
libapparmor-dev \
libattr1-dev \
diff --git a/buildenv-fedora-28.Dockerfile b/buildenv-fedora-28.Dockerfile
index fe96282..447304e 100644
--- a/buildenv-fedora-28.Dockerfile
+++ b/buildenv-fedora-28.Dockerfile
@@ -28,6 +28,7 @@ RUN yum update -y && \
iproute \
iproute-tc \
iscsi-initiator-utils \
+ kmod \
libacl-devel \
libattr-devel \
libblkid-devel \
diff --git a/buildenv-fedora-29.Dockerfile b/buildenv-fedora-29.Dockerfile
index 1d10a5f..81879ae 100644
--- a/buildenv-fedora-29.Dockerfile
+++ b/buildenv-fedora-29.Dockerfile
@@ -28,6 +28,7 @@ RUN yum update -y && \
iproute \
iproute-tc \
iscsi-initiator-utils \
+ kmod \
libacl-devel \
libattr-devel \
libblkid-devel \
diff --git a/buildenv-fedora-rawhide.Dockerfile b/buildenv-fedora-rawhide.Dockerfile
index f6e427c..e5996ec 100644
--- a/buildenv-fedora-rawhide.Dockerfile
+++ b/buildenv-fedora-rawhide.Dockerfile
@@ -29,6 +29,7 @@ RUN yum update -y --nogpgcheck fedora-gpg-keys && \
iproute \
iproute-tc \
iscsi-initiator-utils \
+ kmod \
libacl-devel \
libattr-devel \
libblkid-devel \
diff --git a/buildenv-ubuntu-16.Dockerfile b/buildenv-ubuntu-16.Dockerfile
index 1d49b1f..dc1b16f 100644
--- a/buildenv-ubuntu-16.Dockerfile
+++ b/buildenv-ubuntu-16.Dockerfile
@@ -20,6 +20,7 @@ RUN export DEBIAN_FRONTEND=noninteractive && \
git \
glusterfs-common \
iproute2 \
+ kmod \
libacl1-dev \
libapparmor-dev \
libattr1-dev \
diff --git a/buildenv-ubuntu-18.Dockerfile b/buildenv-ubuntu-18.Dockerfile
index 7ab5686..3e4c48f 100644
--- a/buildenv-ubuntu-18.Dockerfile
+++ b/buildenv-ubuntu-18.Dockerfile
@@ -20,6 +20,7 @@ RUN export DEBIAN_FRONTEND=noninteractive && \
git \
glusterfs-common \
iproute2 \
+ kmod \
libacl1-dev \
libapparmor-dev \
libattr1-dev \
--
2.20.1
5 years, 9 months
[libvirt] [PATCH] virkmodtest: Don't fail if modprobe doesn't exist
by Michal Privoznik
On some very basic installations (e.g. some container images) the
modprobe binary might be missing. If that is the case, don't fail
virkmodtest.
Signed-off-by: Michal Privoznik <mprivozn(a)redhat.com>
---
tests/virkmodtest.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/tests/virkmodtest.c b/tests/virkmodtest.c
index c90830a23c..80029244ff 100644
--- a/tests/virkmodtest.c
+++ b/tests/virkmodtest.c
@@ -46,7 +46,12 @@ testKModConfig(const void *args ATTRIBUTE_UNUSED)
*/
outbuf = virKModConfig();
if (!outbuf) {
- fprintf(stderr, "Failed to get config\n");
+ if (virFileIsExecutable(MODPROBE)) {
+ fprintf(stderr, "Failed to get config\n");
+ } else {
+ /* modprobe doesn't exist, do not claim error. */
+ ret = 0;
+ }
goto cleanup;
}
ret = 0;
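Review bot: In the new `else` branch the test sets `ret = 0` and leaves without printing anything, so a run on a host without modprobe looks the same in the log as one where `virKModConfig()` was actually exercised. Print a short message on stderr in that branch, or report the case as skipped, so the lost coverage is visible to whoever reads the test results.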
--
2.19.2
5 years, 9 months
[libvirt] [jenkins-ci PATCH 0/2] guests: Install modprobe for libvirt
by Andrea Bolognani
Turns out some Docker base images (eg. ubuntu:18.04) don't include
it, so we have to drag it in manually. It's a crazy world we live
in these days :)
Andrea Bolognani (2):
guests: Add mapping for modprobe
guests: Install modprobe for libvirt
guests/vars/mappings.yml | 4 ++++
guests/vars/projects/libvirt.yml | 1 +
2 files changed, 5 insertions(+)
--
2.20.1
5 years, 9 months
[libvirt] [jenkins-ci PATCH v2 0/9] Add support for cross compiling libvirt via Debian
by Daniel P. Berrangé
Changed in v2:
- Fix multiple package name mistakes
- Modify lcitool to generate cross-arch docker files
- Add --no-install-recommended flag to apt-get
- Add DEBIAN_FRONTEND=noninteractive env to apt-get
- Improve error reporting in lcitool
- Add make rule for generating dockerfiles locally
Daniel P. Berrangé (9):
guests: use libpcap0.8-dev package on Debian
guests: add xfsprogs development package for libvirt
guests: fix glusterfs package name on Debian
lcitool: include root cause when failing to load facts
lcitool: force non-interactive apt-get frontend
lcitool: avoid installing recommended packages
lcitool: avoid using an env var to store package list
lcitool: support generating cross compiler dockerfiles
docker: add a makefile for building docker images locally
.gitignore | 1 +
dockerfiles/Makefile | 33 +++++
guests/host_vars/libvirt-debian-9/docker.yml | 57 ++++++++
.../host_vars/libvirt-debian-sid/docker.yml | 62 +++++++++
guests/lcitool | 123 ++++++++++++++----
guests/vars/mappings.yml | 9 +-
guests/vars/projects/libvirt.yml | 1 +
7 files changed, 257 insertions(+), 29 deletions(-)
create mode 100644 dockerfiles/Makefile
--
2.20.1
5 years, 9 months
[libvirt] [PATCH] virsh: fix snapshot list --parent
by Ján Tomko
The root snapshot does not have a parent.
Use NULLSTR_EMPTY to pass an empty string instead of putting
too few columns in the table.
https://bugzilla.redhat.com/show_bug.cgi?id=1662849
Signed-off-by: Ján Tomko <jtomko(a)redhat.com>
---
tools/virsh-snapshot.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/tools/virsh-snapshot.c b/tools/virsh-snapshot.c
index 90000ef1aa..6cadb2b0d6 100644
--- a/tools/virsh-snapshot.c
+++ b/tools/virsh-snapshot.c
@@ -1608,7 +1608,8 @@ cmdSnapshotList(vshControl *ctl, const vshCmd *cmd)
&time_info);
if (parent) {
- if (vshTableRowAppend(table, snap_name, timestr, state, parent_snap,
+ if (vshTableRowAppend(table, snap_name, timestr, state,
+ NULLSTR_EMPTY(parent_snap),
NULL) < 0)
goto cleanup;
} else {
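Review bot: The reason for `NULLSTR_EMPTY(parent_snap)` is not visible at the call site: the argument list is terminated by `NULL`, so a NULL `parent_snap` ends the row one column early. A one-line comment above the call noting that the root snapshot has no parent would stop the wrapper from being simplified away later.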
--
2.19.2
5 years, 9 months
[libvirt] [PATCH v2] udev: only report a warning if udev_enumerate_scan_devices fails
by Marc Hartmayer
Even if an error is reported by `udev_enumerate_scan_devices`,
e.g. because a driver of a device has a bug, we can still enumerate
all other devices. Additionally the documentation of
udev_enumerate_scan_devices says that on success an integer >= 0 is
returned (see man udev_enumerate_scan_devices(3)).
Reviewed-by: Bjoern Walk <bwalk(a)linux.ibm.com>
Signed-off-by: Marc Hartmayer <mhartmay(a)linux.ibm.com>
---
src/node_device/node_device_udev.c | 10 +++-------
1 file changed, 3 insertions(+), 7 deletions(-)
diff --git a/src/node_device/node_device_udev.c b/src/node_device/node_device_udev.c
index 299f55260129..eb4d8b3cfe4a 100644
--- a/src/node_device/node_device_udev.c
+++ b/src/node_device/node_device_udev.c
@@ -1480,13 +1480,8 @@ udevEnumerateDevices(struct udev *udev)
if (udevEnumerateAddMatches(udev_enumerate) < 0)
goto cleanup;
- ret = udev_enumerate_scan_devices(udev_enumerate);
- if (ret != 0) {
- virReportError(VIR_ERR_INTERNAL_ERROR,
- _("udev scan devices returned %d"),
- ret);
- goto cleanup;
- }
+ if (udev_enumerate_scan_devices(udev_enumerate) < 0)
+ VIR_WARN("udev scan devices failed");
udev_list_entry_foreach(list_entry,
udev_enumerate_get_list_entry(udev_enumerate)) {
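Review bot: The new `VIR_WARN("udev scan devices failed")` drops the return value that the removed `virReportError` call printed with `%d`. Keep the code in the warning, for example by storing the result in a local variable first; now that enumeration continues after a failed scan, that number helps when tracking down which device or driver misbehaved.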
@@ -1494,6 +1489,7 @@ udevEnumerateDevices(struct udev *udev)
udevProcessDeviceListEntry(udev, list_entry);
}
+ ret = 0;
cleanup:
udev_enumerate_unref(udev_enumerate);
return ret;
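Review bot: The `ret = 0` added just before `cleanup:` makes success depend on reaching this line, so the `goto cleanup` in the previous hunk returns whatever `ret` was initialised to, and that declaration is outside the visible context. Confirm it is initialised to -1 so a failure in `udevEnumerateAddMatches()` is still reported to the caller.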
--
2.17.0
5 years, 9 months