[libvirt PATCH 00/28] native support for nftables in virtual network driver
by Laine Stump
(After replying to your message, I noticed that you had sent it as a
reply to a much earlier version of the nftables patches sent a year ago
to the old mailing list, rather than the most recent version that was
pushed, which was very different, and sent to devel(a)lists.libvirt.org, so
I'm re-sending my response, but to the new mailing list :-))
On 6/10/24 2:54 PM, Roman Bogorodskiy wrote:
> Laine Stump wrote:
>
>> This patch series enables libvirt to use nftables rules rather than
>> iptables *when setting up virtual networks* (it does *not* add
>> nftables support to the nwfilter driver). It accomplishes this by
>> abstracting several iptables functions (from viriptables.[ch] called
>> by the virtual network driver into a rudimentary "virNetfilter API"
>> (in virnetfilter.[ch], having the virtual network driver call the
>> virNetFilter API rather than calling the existing iptables functions
>> directly, and then finally adding an equivalent virNftables backend
>> that can be used instead of iptables (selected manually via a
>> network.conf setting, or automatically if iptables isn't found on the
>> host).
>
> Hi,
>
> Apparently, I'm late to the discussion.
>
> I noticed that now I cannot use the bridge driver on FreeBSD as it's
> failing to initialize both iptables and nftables backends (which is
> expected).
Yeah, previously we wouldn't check if iptables was available until
someone tried to start a network that would need to use it, and would
then log an error (and just fail starting that network, but the network
driver would remain running). But now we figure out which firewall
backend to use immediately when the driver is loaded, and if we fail to
find a workable backend we fail the entire driver init.
How did you use the network driver before? With a <forward mode='open'/>
network? Truthfully I hadn't ever considered the case of someone using
it with only network types that didn't need firewall rules. I wonder if
there are other platforms we support that have a usable network driver
for <forward mode='open'/> (MacOS?)
>
> What would be a good way to address that? I see at least two options:
>
> 1. Add a Noop firewall driver
> 2. Implement a "real" FreeBSD driver based either on pf or ipfw (that's
> been on my TODO list forever, but I somehow got stuck on the very first
> step on choosing between pf and ipfw).
Why not both? :-)
> This obviously will take much
> more time.
>
> Maybe there are other options I'm missing.
Obviously (2) would be nicest, but I guess in the short term some
variation of (1) would be quicker.
Another possibility could be to restore the old behavior of saving the
error and only reporting it when a network requiring a firewall is
loaded, but I think I remember a discussion about this during review of
an earlier revision of the patches, and we agreed that it made the
problem easier to find if it was reported immediately and the driver
load failed.
I suppose in the long run the build-time option
firewall_backend_priority should be used to control which backends are
included in the build (rather than just which ones are checked at
runtime), so that FreeBSD could completely skip all the iptables and
nftables code (and firewalld when that's done), and Linux platforms
could skip pf and ipfw.
>
> What do you think?
I'm about to be offline for 3 weeks, but in the meantime if you'd like
to try making a NULL backend that is only an option if it's listed in
firewall_backend_priority (you'll need to remove the compile-time check
that all possible backends are accounted for - I think that is the first
of the two G_STATIC_ASSERTS at the top of virNetworkLoadDriverConfig()),
always initializes successfully in bridge_driver_conf.c if it is listed
in the options, and then in networkAddFirewallRules add a check to log
an error and fail if backend == NULL (something about attempting to
start a network type that would require firewall rules, but the system
not having any of the supported types of firewall backend or something -
it's too late now and my brain is too fried and sleepy to think of good
wording :-)). As long as it isn't a valid selection on Linux builds that
are done with firewall_backend_priority=nftables,iptables, but *is* a
valid selection if the setting is "firewall_backend_priority=null" that
shouldn't be *too* controversial.
Later we can talk about pf and ipfw backends :-)
[PATCH v2] meson: allow systemd sysusersdir to be changed
by Daniel P. Berrangé
We currently hardcode the systemd sysusersdir, but it is desirable to be
able to choose a different location in some cases. For example, Fedora
flatpak builds change the RPM %_sysusersdir macro, but we can't currently
honour that.
Reported-by: Yaakov Selkowitz <yselkowi(a)redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange(a)redhat.com>
---
libvirt.spec.in | 1 +
meson.build | 5 +++++
meson_options.txt | 1 +
src/qemu/meson.build | 2 +-
4 files changed, 8 insertions(+), 1 deletion(-)
diff --git a/libvirt.spec.in b/libvirt.spec.in
index 244e5e824c..347a609add 100644
--- a/libvirt.spec.in
+++ b/libvirt.spec.in
@@ -1328,6 +1328,7 @@ export SOURCE_DATE_EPOCH=$(stat --printf='%Y' %{_specdir}/libvirt.spec)
-Drunstatedir=%{_rundir} \
-Dinitconfdir=%{_sysconfdir}/sysconfig \
-Dunitdir=%{_unitdir} \
+ -Dsysusersdir=%{_sysusersdir} \
%{?arg_qemu} \
%{?arg_openvz} \
%{?arg_lxc} \
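Review bot: `-Dsysusersdir=%{_sysusersdir}` depends on the `%_sysusersdir` macro being defined in the build environment; RPM passes an undefined macro through literally, so meson would receive the text `%{_sysusersdir}` as the install directory instead of failing early. The hunk does not show the BuildRequires that provides the macro (the systemd RPM macros package), so it is worth confirming it is already pulled in, the same way the neighbouring `-Dunitdir=%{_unitdir}` line relies on `%_unitdir`.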
diff --git a/meson.build b/meson.build
index 295613fd93..5c7cd7ec2e 100644
--- a/meson.build
+++ b/meson.build
@@ -100,6 +100,11 @@ if unitdir == ''
unitdir = prefix / 'lib' / 'systemd' / 'system'
endif
+sysusersdir = get_option('sysusersdir')
+if sysusersdir == ''
+ sysusersdir = prefix / 'lib' / 'sysusers.d'
+endif
+
bindir = prefix / get_option('bindir')
datadir = prefix / get_option('datadir')
includedir = prefix / get_option('includedir')
diff --git a/meson_options.txt b/meson_options.txt
index a4f1dd769f..50d71427cb 100644
--- a/meson_options.txt
+++ b/meson_options.txt
@@ -5,6 +5,7 @@ option('system', type: 'boolean', value: false, description: 'Set install paths
option('runstatedir', type: 'string', value: '', description: 'State directory for temporary sockets, pid files, etc')
option('initconfdir', type: 'string', value: '', description: 'directory for init script configuration files')
option('unitdir', type: 'string', value: '', description: 'directory for systemd unit files')
+option('sysusersdir', type: 'string', value: '', description: 'directory for sysusers files')
# dep:tests
option('expensive_tests', type: 'feature', value: 'auto', description: 'set the default for enabling expensive tests (long timeouts)')
option('test_coverage', type: 'boolean', value: false, description: 'turn on code coverage instrumentation')
diff --git a/src/qemu/meson.build b/src/qemu/meson.build
index 907893d431..57356451e4 100644
--- a/src/qemu/meson.build
+++ b/src/qemu/meson.build
@@ -163,7 +163,7 @@ if conf.has('WITH_QEMU')
# Install the sysuser config for the qemu driver
install_data(
'libvirt-qemu.sysusers.conf',
- install_dir: prefix / 'lib' / 'sysusers.d',
+ install_dir: sysusersdir,
rename: [ 'libvirt-qemu.conf' ],
)
--
2.43.0
[PATCH 0/5] Introduce pstore device
by Michal Privoznik
*** BLURB HERE ***
Michal Prívozník (5):
qemu_capabilities: Introduce QEMU_CAPS_DEVICE_ACPI_ERST
conf: Introduce pstore device
qemu: Build cmd line for pstore device
security: Set seclabels for pstore device
NEWS: Document pstore device addition
NEWS.rst | 7 +
docs/formatdomain.rst | 32 ++++
src/ch/ch_domain.c | 1 +
src/conf/domain_conf.c | 153 ++++++++++++++++++
src/conf/domain_conf.h | 19 +++
src/conf/domain_postparse.c | 1 +
src/conf/domain_validate.c | 30 ++++
src/conf/schemas/domaincommon.rng | 25 +++
src/conf/virconftypes.h | 2 +
src/hyperv/hyperv_driver.c | 1 +
src/libvirt_private.syms | 2 +
src/libxl/libxl_driver.c | 6 +
src/lxc/lxc_driver.c | 6 +
src/qemu/qemu_alias.c | 10 ++
src/qemu/qemu_capabilities.c | 4 +
src/qemu/qemu_capabilities.h | 3 +
src/qemu/qemu_command.c | 52 ++++++
src/qemu/qemu_domain.c | 3 +
src/qemu/qemu_domain_address.c | 11 ++
src/qemu/qemu_driver.c | 3 +
src/qemu/qemu_hotplug.c | 5 +
src/qemu/qemu_validate.c | 26 +++
src/security/security_dac.c | 10 ++
src/security/security_selinux.c | 9 ++
src/security/virt-aa-helper.c | 4 +
.../caps_7.0.0_aarch64+hvf.xml | 1 +
.../caps_7.0.0_aarch64.xml | 1 +
.../qemucapabilitiesdata/caps_7.0.0_ppc64.xml | 1 +
.../caps_7.0.0_x86_64.xml | 1 +
.../qemucapabilitiesdata/caps_7.1.0_ppc64.xml | 1 +
.../caps_7.1.0_x86_64.xml | 1 +
tests/qemucapabilitiesdata/caps_7.2.0_ppc.xml | 1 +
.../caps_7.2.0_x86_64+hvf.xml | 1 +
.../caps_7.2.0_x86_64.xml | 1 +
.../caps_8.0.0_x86_64.xml | 1 +
.../caps_8.1.0_x86_64.xml | 1 +
.../caps_8.2.0_aarch64.xml | 1 +
.../caps_8.2.0_armv7l.xml | 1 +
.../caps_8.2.0_loongarch64.xml | 1 +
.../caps_8.2.0_x86_64.xml | 1 +
.../caps_9.0.0_x86_64.xml | 1 +
.../caps_9.1.0_x86_64.xml | 1 +
.../pstore-acpi-erst.x86_64-latest.args | 38 +++++
.../pstore-acpi-erst.x86_64-latest.xml | 1 +
tests/qemuxmlconfdata/pstore-acpi-erst.xml | 53 ++++++
tests/qemuxmlconftest.c | 1 +
46 files changed, 535 insertions(+)
create mode 100644 tests/qemuxmlconfdata/pstore-acpi-erst.x86_64-latest.args
create mode 120000 tests/qemuxmlconfdata/pstore-acpi-erst.x86_64-latest.xml
create mode 100644 tests/qemuxmlconfdata/pstore-acpi-erst.xml
--
2.44.2
[PATCH] network: allow for forward dev to be a transient interface
by Laine Stump
A user reported that if they set <forward mode='nat|route' dev='blah'>
starting the network would fail if the device 'blah' didn't already
exist.
This is caused by using "iif" and "oif" in nftables rules to check for
the forwarding device - these two commands work by saving the named
interface's ifindex (an unsigned integer) when the rule is added, and
comparing it to the ifindex associated with the packet's path at
runtime. This works great if the interface both 1) exists when the
rule is added, and 2) is never deleted and re-created after the rule
is added (since it would end up with a different ifindex).
When checking for the network's bridge device, it is okay for us to
use "iif" and "oif", because the bridge device is created before the
firewall rules are added, and will continue to exist until just after
the firewall rules are deleted when the network is shutdown.
But since the forward device might be deleted/re-added during the
lifetime of the network's firewall rules, we must instead use "oifname"
and "iifname" - these are much less efficient than "Xif" because they
do a string compare of the interface's name rather than just comparing
two integers (ifindex), but they don't require the interface to exist
when the rule is added, and they can properly cope with the named
interface being deleted and re-added later.
Fixes: a4f38f6ffe6a9edc001d18890ccfc3f38e72fb94
Signed-off-by: Laine Stump <laine(a)redhat.com>
---
src/network/network_nftables.c | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/src/network/network_nftables.c b/src/network/network_nftables.c
index 59ab231a06..268d1f12ca 100644
--- a/src/network/network_nftables.c
+++ b/src/network/network_nftables.c
@@ -362,7 +362,7 @@ nftablesAddForwardAllowOut(virFirewall *fw,
"iif", iface, NULL);
if (physdev && physdev[0])
- virFirewallCmdAddArgList(fw, fwCmd, "oif", physdev, NULL);
+ virFirewallCmdAddArgList(fw, fwCmd, "oifname", physdev, NULL);
virFirewallCmdAddArgList(fw, fwCmd, "counter", "accept", NULL);
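Review bot: the asymmetry introduced here (iface keeps `iif`, physdev switches to `oifname`) is deliberate according to the commit message, but nothing in the code says so; a short comment above the `physdev && physdev[0]` check explaining that the forward device may not exist yet, or may be deleted and re-created while the rules are live (so a name match is required), would stop a future cleanup from "harmonising" it back to `oif`.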
@@ -398,7 +398,7 @@ nftablesAddForwardAllowRelatedIn(virFirewall *fw,
VIR_NFTABLES_FWD_IN_CHAIN, NULL);
if (physdev && physdev[0])
- virFirewallCmdAddArgList(fw, fwCmd, "iif", physdev, NULL);
+ virFirewallCmdAddArgList(fw, fwCmd, "iifname", physdev, NULL);
virFirewallCmdAddArgList(fw, fwCmd, "oif", iface,
layerStr, "daddr", networkstr,
@@ -437,7 +437,7 @@ nftablesAddForwardAllowIn(virFirewall *fw,
layerStr, "daddr", networkstr, NULL);
if (physdev && physdev[0])
- virFirewallCmdAddArgList(fw, fwCmd, "iif", physdev, NULL);
+ virFirewallCmdAddArgList(fw, fwCmd, "iifname", physdev, NULL);
virFirewallCmdAddArgList(fw, fwCmd, "oif", iface,
"counter", "accept", NULL);
@@ -566,7 +566,7 @@ nftablesAddForwardMasquerade(virFirewall *fw,
layerStr, "daddr", "!=", networkstr, NULL);
if (physdev && physdev[0])
- virFirewallCmdAddArgList(fw, fwCmd, "oif", physdev, NULL);
+ virFirewallCmdAddArgList(fw, fwCmd, "oifname", physdev, NULL);
if (protocol && protocol[0]) {
if (port->start == 0 && port->end == 0) {
@@ -634,7 +634,7 @@ nftablesAddDontMasquerade(virFirewall *fw,
VIR_NFTABLES_NAT_POSTROUTE_CHAIN, NULL);
if (physdev && physdev[0])
- virFirewallCmdAddArgList(fw, fwCmd, "oif", physdev, NULL);
+ virFirewallCmdAddArgList(fw, fwCmd, "oifname", physdev, NULL);
virFirewallCmdAddArgList(fw, fwCmd,
layerStr, "saddr", networkstr,
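Review bot: every physdev match in the file now emits `iifname`/`oifname`, which changes the generated nft command text, yet the diffstat lists only src/network/network_nftables.c; if the firewall test data contain a network with a forward `dev=`, their expected output needs the same substitution, and the test suite should be run to confirm nothing else keyed on the old `iif`/`oif` text.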
--
2.45.1
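The ifindex-versus-name behaviour the commit message describes, as an added simulation that is not libvirt or nftables code: a toy interface table (fresh ifindex per created interface, never reused) and rule objects are constructed here purely for illustration, and `oif` is modelled as resolving the name once at add time while `oifname` compares the name per packet.

```python
"""Toy model of nftables 'oif' (ifindex match) versus 'oifname' (name match)
across the lifecycle the commit message describes: the forward device may not
exist when the rule is added, and may be deleted and re-created afterwards.
Constructed for illustration; this is not libvirt or nftables code."""

from dataclasses import dataclass
from typing import Dict, Optional


class InterfaceTable:
    """Stand-in for the kernel's interface table: each newly created interface
    gets a fresh ifindex, which is never handed out again after deletion."""

    def __init__(self) -> None:
        self._next_index = 1
        self._by_name: Dict[str, int] = {}
        self._by_index: Dict[int, str] = {}

    def add(self, name: str) -> int:
        idx = self._next_index
        self._next_index += 1
        self._by_name[name] = idx
        self._by_index[idx] = name
        return idx

    def delete(self, name: str) -> None:
        idx = self._by_name.pop(name)
        del self._by_index[idx]

    def index_of(self, name: str) -> Optional[int]:
        return self._by_name.get(name)

    def name_of(self, idx: int) -> Optional[str]:
        return self._by_index.get(idx)


@dataclass
class Rule:
    """One output-interface match as nft would store it."""
    kind: str                      # "oif" or "oifname"
    ifindex: Optional[int] = None  # resolved once, at add time (oif)
    ifname: Optional[str] = None   # compared per packet (oifname)


def add_rule(table: InterfaceTable, kind: str, ifname: str) -> Rule:
    """Mimic rule insertion: 'oif' resolves the name to an ifindex immediately
    and fails if the interface is absent; 'oifname' just stores the string."""
    if kind == "oif":
        idx = table.index_of(ifname)
        if idx is None:
            raise LookupError(f"no such interface: {ifname}")
        return Rule("oif", ifindex=idx)
    if kind == "oifname":
        return Rule("oifname", ifname=ifname)
    raise ValueError(f"unknown match kind: {kind}")


def rule_matches(rule: Rule, table: InterfaceTable, pkt_oifindex: int) -> bool:
    """Evaluate the rule against a packet leaving via the given ifindex."""
    if rule.kind == "oif":
        return pkt_oifindex == rule.ifindex            # integer compare
    return table.name_of(pkt_oifindex) == rule.ifname  # string compare


def run_scenario(kind: str) -> Dict[str, object]:
    """Walk one match kind through the three situations from the commit."""
    table = InterfaceTable()
    table.add("virbr0")  # the network bridge exists before any rule is added
    result: Dict[str, object] = {}

    # 1) Forward dev 'eth0' does not exist yet when the network starts.
    try:
        add_rule(table, kind, "eth0")
        result["add_without_iface"] = "ok"
    except LookupError:
        result["add_without_iface"] = "error"

    # 2) Interface present: add the rule and send a packet out through it.
    eth0 = table.add("eth0")
    rule = add_rule(table, kind, "eth0")
    result["match_initial"] = rule_matches(rule, table, eth0)

    # 3) Delete and re-create eth0; the new interface gets a new ifindex.
    table.delete("eth0")
    eth0_again = table.add("eth0")
    result["match_after_recreate"] = rule_matches(rule, table, eth0_again)
    return result


if __name__ == "__main__":
    for match_kind in ("oif", "oifname"):
        print(match_kind, run_scenario(match_kind))
```

Running it shows the `oif` rule failing to add while the device is absent and silently stopping to match after the re-create, while the `oifname` rule survives both.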
[PATCH] meson: allow systemd sysusersdir to be changed
by Daniel P. Berrangé
We currently hardcode the systemd sysusersdir, but it is desirable to be
able to choose a different location in some cases. For example, Fedora
flatpak builds change the RPM %_sysusersdir macro, but we can't currently
honour that.
Reported-by: Yaakov Selkowitz <yselkowi(a)redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange(a)redhat.com>
---
libvirt.spec.in | 1 +
meson.build | 5 +++++
meson_options.txt | 1 +
src/qemu/meson.build | 2 +-
4 files changed, 8 insertions(+), 1 deletion(-)
diff --git a/libvirt.spec.in b/libvirt.spec.in
index 244e5e824c..347a609add 100644
--- a/libvirt.spec.in
+++ b/libvirt.spec.in
@@ -1328,6 +1328,7 @@ export SOURCE_DATE_EPOCH=$(stat --printf='%Y' %{_specdir}/libvirt.spec)
-Drunstatedir=%{_rundir} \
-Dinitconfdir=%{_sysconfdir}/sysconfig \
-Dunitdir=%{_unitdir} \
+ -Dsysusersdir=%{_sysusersdir} \
%{?arg_qemu} \
%{?arg_openvz} \
%{?arg_lxc} \
diff --git a/meson.build b/meson.build
index 295613fd93..2fc9ab3e96 100644
--- a/meson.build
+++ b/meson.build
@@ -100,6 +100,11 @@ if unitdir == ''
unitdir = prefix / 'lib' / 'systemd' / 'system'
endif
+sysusersdir = getoption('sysusersdir')
+if sysusersdir == ''
+ sysusersdir = prefix / 'lib' / 'sysusers.d'
+endif
+
bindir = prefix / get_option('bindir')
datadir = prefix / get_option('datadir')
includedir = prefix / get_option('includedir')
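Review bot: `getoption('sysusersdir')` is not a meson function; the unchanged lines just below use `get_option(...)`, so configure would abort with an unknown-function error as soon as this line runs. The name needs to be `get_option`.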
diff --git a/meson_options.txt b/meson_options.txt
index a4f1dd769f..50d71427cb 100644
--- a/meson_options.txt
+++ b/meson_options.txt
@@ -5,6 +5,7 @@ option('system', type: 'boolean', value: false, description: 'Set install paths
option('runstatedir', type: 'string', value: '', description: 'State directory for temporary sockets, pid files, etc')
option('initconfdir', type: 'string', value: '', description: 'directory for init script configuration files')
option('unitdir', type: 'string', value: '', description: 'directory for systemd unit files')
+option('sysusersdir', type: 'string', value: '', description: 'directory for sysusers files')
# dep:tests
option('expensive_tests', type: 'feature', value: 'auto', description: 'set the default for enabling expensive tests (long timeouts)')
option('test_coverage', type: 'boolean', value: false, description: 'turn on code coverage instrumentation')
diff --git a/src/qemu/meson.build b/src/qemu/meson.build
index 907893d431..57356451e4 100644
--- a/src/qemu/meson.build
+++ b/src/qemu/meson.build
@@ -163,7 +163,7 @@ if conf.has('WITH_QEMU')
# Install the sysuser config for the qemu driver
install_data(
'libvirt-qemu.sysusers.conf',
- install_dir: prefix / 'lib' / 'sysusers.d',
+ install_dir: sysusersdir,
rename: [ 'libvirt-qemu.conf' ],
)
--
2.43.0
[PATCH-for-9.1 v2 0/3] rdma: Remove RDMA subsystem and pvrdma device
by Philippe Mathieu-Daudé
Since v1:
- split in 3 (Thomas)
- justify gluster removal
Philippe Mathieu-Daudé (3):
hw/rdma: Remove pvrdma device and rdmacm-mux helper
migration: Remove RDMA protocol handling
block/gluster: Remove RDMA protocol handling
MAINTAINERS | 17 -
docs/about/deprecated.rst | 9 -
docs/about/removed-features.rst | 4 +
docs/devel/migration/main.rst | 6 -
docs/pvrdma.txt | 345 --
docs/rdma.txt | 420 --
docs/system/device-url-syntax.rst.inc | 4 +-
docs/system/loongarch/virt.rst | 2 +-
docs/system/qemu-block-drivers.rst.inc | 1 -
meson.build | 59 -
qapi/machine.json | 17 -
qapi/migration.json | 31 +-
qapi/qapi-schema.json | 1 -
qapi/rdma.json | 38 -
contrib/rdmacm-mux/rdmacm-mux.h | 61 -
hw/rdma/rdma_backend.h | 129 -
hw/rdma/rdma_backend_defs.h | 76 -
hw/rdma/rdma_rm.h | 97 -
hw/rdma/rdma_rm_defs.h | 146 -
hw/rdma/rdma_utils.h | 63 -
hw/rdma/trace.h | 1 -
hw/rdma/vmw/pvrdma.h | 144 -
hw/rdma/vmw/pvrdma_dev_ring.h | 46 -
hw/rdma/vmw/pvrdma_qp_ops.h | 28 -
hw/rdma/vmw/trace.h | 1 -
include/hw/rdma/rdma.h | 37 -
include/monitor/hmp.h | 1 -
.../infiniband/hw/vmw_pvrdma/pvrdma_dev_api.h | 685 ---
.../infiniband/hw/vmw_pvrdma/pvrdma_verbs.h | 348 --
.../standard-headers/rdma/vmw_pvrdma-abi.h | 310 --
migration/migration-stats.h | 6 +-
migration/migration.h | 9 -
migration/options.h | 2 -
migration/rdma.h | 69 -
block/gluster.c | 39 -
contrib/rdmacm-mux/main.c | 831 ----
hw/core/machine-qmp-cmds.c | 32 -
hw/rdma/rdma.c | 30 -
hw/rdma/rdma_backend.c | 1401 ------
hw/rdma/rdma_rm.c | 812 ----
hw/rdma/rdma_utils.c | 126 -
hw/rdma/vmw/pvrdma_cmd.c | 815 ----
hw/rdma/vmw/pvrdma_dev_ring.c | 141 -
hw/rdma/vmw/pvrdma_main.c | 735 ---
hw/rdma/vmw/pvrdma_qp_ops.c | 298 --
migration/migration-stats.c | 5 +-
migration/migration.c | 31 -
migration/options.c | 16 -
migration/qemu-file.c | 1 -
migration/ram.c | 86 +-
migration/rdma.c | 4184 -----------------
migration/savevm.c | 2 +-
monitor/qmp-cmds.c | 1 -
Kconfig.host | 3 -
contrib/rdmacm-mux/meson.build | 7 -
hmp-commands-info.hx | 13 -
hw/Kconfig | 1 -
hw/meson.build | 1 -
hw/rdma/Kconfig | 3 -
hw/rdma/meson.build | 12 -
hw/rdma/trace-events | 31 -
hw/rdma/vmw/trace-events | 17 -
meson_options.txt | 4 -
migration/meson.build | 1 -
migration/trace-events | 68 +-
qapi/meson.build | 1 -
qemu-options.hx | 6 -
.../org.centos/stream/8/build-environment.yml | 1 -
.../ci/org.centos/stream/8/x86_64/configure | 3 -
scripts/ci/setup/build-environment.yml | 4 -
scripts/coverity-scan/run-coverity-scan | 2 +-
scripts/meson-buildoptions.sh | 6 -
scripts/update-linux-headers.sh | 27 -
tests/lcitool/projects/qemu.yml | 3 -
tests/migration/guestperf/engine.py | 4 +-
75 files changed, 20 insertions(+), 12997 deletions(-)
delete mode 100644 docs/pvrdma.txt
delete mode 100644 docs/rdma.txt
delete mode 100644 qapi/rdma.json
delete mode 100644 contrib/rdmacm-mux/rdmacm-mux.h
delete mode 100644 hw/rdma/rdma_backend.h
delete mode 100644 hw/rdma/rdma_backend_defs.h
delete mode 100644 hw/rdma/rdma_rm.h
delete mode 100644 hw/rdma/rdma_rm_defs.h
delete mode 100644 hw/rdma/rdma_utils.h
delete mode 100644 hw/rdma/trace.h
delete mode 100644 hw/rdma/vmw/pvrdma.h
delete mode 100644 hw/rdma/vmw/pvrdma_dev_ring.h
delete mode 100644 hw/rdma/vmw/pvrdma_qp_ops.h
delete mode 100644 hw/rdma/vmw/trace.h
delete mode 100644 include/hw/rdma/rdma.h
delete mode 100644 include/standard-headers/drivers/infiniband/hw/vmw_pvrdma/pvrdma_dev_api.h
delete mode 100644 include/standard-headers/drivers/infiniband/hw/vmw_pvrdma/pvrdma_verbs.h
delete mode 100644 include/standard-headers/rdma/vmw_pvrdma-abi.h
delete mode 100644 migration/rdma.h
delete mode 100644 contrib/rdmacm-mux/main.c
delete mode 100644 hw/rdma/rdma.c
delete mode 100644 hw/rdma/rdma_backend.c
delete mode 100644 hw/rdma/rdma_rm.c
delete mode 100644 hw/rdma/rdma_utils.c
delete mode 100644 hw/rdma/vmw/pvrdma_cmd.c
delete mode 100644 hw/rdma/vmw/pvrdma_dev_ring.c
delete mode 100644 hw/rdma/vmw/pvrdma_main.c
delete mode 100644 hw/rdma/vmw/pvrdma_qp_ops.c
delete mode 100644 migration/rdma.c
delete mode 100644 contrib/rdmacm-mux/meson.build
delete mode 100644 hw/rdma/Kconfig
delete mode 100644 hw/rdma/meson.build
delete mode 100644 hw/rdma/trace-events
delete mode 100644 hw/rdma/vmw/trace-events
--
2.41.0
[PATCH] meson: allow systemd unitdir to be changed
by Daniel P. Berrangé
We currently hardcode the systemd unitdir, but it is desirable to be
able to choose a different location in some cases. For example, Fedora
flatpak builds change the RPM %_unitdir macro, but we can't currently
honour that.
Signed-off-by: Daniel P. Berrangé <berrange(a)redhat.com>
---
libvirt.spec.in | 1 +
meson.build | 5 +++++
meson_options.txt | 1 +
src/meson.build | 8 +++-----
4 files changed, 10 insertions(+), 5 deletions(-)
diff --git a/libvirt.spec.in b/libvirt.spec.…
[View More]in
index 1d3240ee6f..0a121515b9 100644
--- a/libvirt.spec.in
+++ b/libvirt.spec.in
@@ -1329,6 +1329,7 @@ export SOURCE_DATE_EPOCH=$(stat --printf='%Y' %{_specdir}/libvirt.spec)
%meson \
-Drunstatedir=%{_rundir} \
-Dinitconfdir=%{_sysconfdir}/sysconfig \
+ -Dunitdir=%{_unitdir} \
%{?arg_qemu} \
%{?arg_openvz} \
%{?arg_lxc} \
diff --git a/meson.build b/meson.build
index 62e49be37d..295613fd93 100644
--- a/meson.build
+++ b/meson.build
@@ -95,6 +95,11 @@ if initconfdir == ''
endif
endif
+unitdir = get_option('unitdir')
+if unitdir == ''
+ unitdir = prefix / 'lib' / 'systemd' / 'system'
+endif
+
bindir = prefix / get_option('bindir')
datadir = prefix / get_option('datadir')
includedir = prefix / get_option('includedir')
diff --git a/meson_options.txt b/meson_options.txt
index cdc8687795..a4f1dd769f 100644
--- a/meson_options.txt
+++ b/meson_options.txt
@@ -4,6 +4,7 @@ option('packager_version', type: 'string', value: '', description: 'Extra packag
option('system', type: 'boolean', value: false, description: 'Set install paths to system ones')
option('runstatedir', type: 'string', value: '', description: 'State directory for temporary sockets, pid files, etc')
option('initconfdir', type: 'string', value: '', description: 'directory for init script configuration files')
+option('unitdir', type: 'string', value: '', description: 'directory for systemd unit files')
# dep:tests
option('expensive_tests', type: 'feature', value: 'auto', description: 'set the default for enabling expensive tests (long timeouts)')
option('test_coverage', type: 'boolean', value: false, description: 'turn on code coverage instrumentation')
diff --git a/src/meson.build b/src/meson.build
index dd2682ec19..8cce42c7ad 100644
--- a/src/meson.build
+++ b/src/meson.build
@@ -812,11 +812,9 @@ endforeach
if conf.has('WITH_LIBVIRTD')
# Generate systemd service and socket unit files
if init_script == 'systemd'
- systemd_unit_dir = prefix / 'lib' / 'systemd' / 'system'
-
install_data(
guest_unit_files,
- install_dir: systemd_unit_dir,
+ install_dir: unitdir,
)
if conf.has('WITH_POLKIT')
@@ -855,7 +853,7 @@ if conf.has('WITH_LIBVIRTD')
output: service_out,
configuration: unit_conf,
install: true,
- install_dir: systemd_unit_dir,
+ install_dir: unitdir,
)
foreach socket : unit.get('sockets', [ 'main', 'ro', 'admin' ])
@@ -881,7 +879,7 @@ if conf.has('WITH_LIBVIRTD')
output: socket_out,
configuration: unit_conf,
install: true,
- install_dir: systemd_unit_dir,
+ install_dir: unitdir,
)
endforeach
endforeach
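Review bot: dropping the local `systemd_unit_dir` means every remaining reference in this file has to be switched to `unitdir`; the diffstat for src/meson.build (3 insertions, 5 deletions) accounts exactly for the removed assignment plus its blank line and the three `install_dir:` substitutions in these hunks, so the file looks complete, but a tree-wide grep for `systemd_unit_dir` before merge would confirm no other build file relied on it.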
--
2.43.0
[PATCH] rpm: drop cyrus-sasl dep
by Daniel P. Berrangé
We link to libsasl2.so, so get a dep on cyrus-sasl-libs automatically.
The dep on cyrus-sasl-gssapi gets us the mechanism that matches our
default config.
The 'cyrus-sasl' package merely contains some man pages and the
saslauthd daemon, which is not required by libvirt. This dep appears
to have been redundant since we first added in
commit 1b1d647439059b7e10fb94e1ade227fb695d7110
Author: Daniel P. Berrangé <berrange(a)redhat.com>
Date: Wed Dec 5 15:24:15 2007 +0000
Initial integration of SASL authentication, working for Kerberos only
Signed-off-by: Daniel P. Berrangé <berrange(a)redhat.com>
---
libvirt.spec.in | 2 --
1 file changed, 2 deletions(-)
diff --git a/libvirt.spec.in b/libvirt.spec.in
index 1d3240ee6f..343015ad1d 100644
--- a/libvirt.spec.in
+++ b/libvirt.spec.in
@@ -1055,8 +1055,6 @@ with some QEMU specific features of libvirt.
%package libs
Summary: Client side libraries
-# So remote clients can access libvirt over SSH tunnel
-Requires: cyrus-sasl
# Needed by default sasl.conf - no onerous extra deps, since
# 100's of other things on a system already pull in krb5-libs
Requires: cyrus-sasl-gssapi
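Review bot: the removed comment justified the dependency with SSH-tunnelled remote clients, which does not match what the commit message says the package actually ships (man pages and saslauthd); since that is the basis for dropping it, the commit message or NEWS should also say that deployments using a saslauthd-backed SASL mechanism must now install `cyrus-sasl` explicitly, because the libs package no longer pulls it in.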
--
2.43.0
Re: [PATCH] qemu_block: Validate number of hosts for iSCSI disk device
by Peter Krempa
On Thu, Jun 06, 2024 at 16:17:41 +0530, Rayhan Faizel wrote:
> Hi,
Hi, please *always* keep replies on-list (use reply-all).
I've re-added the mailing list again.
>
> On Thu, Jun 6, 2024 at 4:12 PM Peter Krempa <pkrempa(a)redhat.com> wrote:
> >
> > On Thu, Jun 06, 2024 at 15:45:16 +0530, Rayhan Faizel wrote:
> > > An iSCSI device with zero hosts will result in a segmentation fault. This patch
> > > adds a check for the number of hosts, which must be one in the case of iSCSI.
> > >
> > > Minimal reproducing XML:
> > >
> > > <domain type='qemu'>
> > > <name>MyGuest</name>
> > > <uuid>4dea22b3-1d52-d8f3-2516-782e98ab3fa0</uuid>
> > > <os>
> > > <type arch='x86_64'>hvm</type>
> > > </os>
> > > <memory>4096</memory>
> > > <devices>
> > > <disk type='network'>
> > > <source name='dummy' protocol='iscsi'/>
> > > <target dev='vda'/>
> > > </disk>
> > > </devices>
> > > </domain>
> >
> > Please transform this bit into a test case in qemuxmlconftest to see
> > that it's properly rejected.
> >
>
> I did try to add a testcase but the schema tests fail on this
> particular XML because it expects one or more <hosts>. Is there a way
> to exclude schema validation for certain testcases or should I just
> modify the schema and change it from oneOrMore to zeroOrMore?
Schema test result can be inverted by naming the file with
'-invalid.xml' suffix. In such case the test will require that the XML
has invalid schema. Additionally it's also possible by adding an
exception in virschematest, but we have more than a few tests with the
suffix in qemuxmlconftest.
[PATCH] qemu_block: Validate number of hosts for iSCSI disk device
by Rayhan Faizel
An iSCSI device with zero hosts will result in a segmentation fault. This patch
adds a check for the number of hosts, which must be one in the case of iSCSI.
Minimal reproducing XML:
<domain type='qemu'>
  <name>MyGuest</name>
  <uuid>4dea22b3-1d52-d8f3-2516-782e98ab3fa0</uuid>
  <os>
    <type arch='x86_64'>hvm</type>
  </os>
  <memory>4096</memory>
  <devices>
    <disk type='network'>
      <source name='dummy' protocol='iscsi'/>
      <target dev='vda'/>
    </disk>
  </devices>
</domain>
Signed-off-by: Rayhan Faizel <rayhan.faizel(a)gmail.com>
---
This crashing XML was detected by the WIP fuzzer which is being developed
as part of Google Summer of Code 2024.
src/qemu/qemu_block.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/src/qemu/qemu_block.c b/src/qemu/qemu_block.c
index 738b72d7ea..d6cdf521c4 100644
--- a/src/qemu/qemu_block.c
+++ b/src/qemu/qemu_block.c
@@ -602,6 +602,12 @@ qemuBlockStorageSourceGetISCSIProps(virStorageSource *src,
* }
*/
+ if (src->nhosts != 1) {
+ virReportError(VIR_ERR_INTERNAL_ERROR, "%s",
+ _("iSCSI protocol accepts only one host"));
+ return NULL;
+ }
+
target = g_strdup(src->path);
/* Separate the target and lun */
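Review bot: `VIR_ERR_INTERNAL_ERROR` is the wrong class for a user-supplied configuration that simply lacks a `<host>` element; it signals a bug inside libvirt rather than invalid input, and because the check sits at command-line build time the domain would still define successfully and only fail on start. Rejecting `src->nhosts != 1` during validation instead, so it surfaces as a configuration error and can be covered by the qemuxmlconftest case requested in the review thread, keeps the crash fix while reporting it in the right place.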
--
2.34.1