[libvirt] [PATCH 0/14 [RFC] Network filtering (ACL) extensions for libvirt
by Stefan Berger
Hi!
This is a repost of this set of patches with some of the fixes
recommended by Daniel Berrange applied and ipv6 support on the ebtables
layer added.
The following set of patches add network filtering (ACL) extensions to
libvirt and enable network traffic filtering for VMs using ebtables and,
depending on the networking technology being used (tap, but not
macvtap), also iptables. Usage of either is optional and controlled
through filters that a VM is referencing.
The ebtables-level filtering is based on the XML derived from the CIM
network slide 10 (filtering) from the DMTF website
(http://www.dmtf.org/standards/cim/cim_schema_v2230/CIM_Network.pdf).
The XML we derived from this was discussed on the list before. On the
ebtables level we currently handle filtering of IPv4 and ARP traffic.
The iptables-level filtering is based on similar XML where XML nodes
described the particular protocol to filter for. Its extensions enable
the filtering of traffic using iptables for tcp, udp, icmp, igmp, sctp
and 'all' types of traffic. This list of protocols maps to the features
supported by iptables and only excludes protocols like 'esp', 'ah' and
'udplite'. Currently only bridging mode is supported and based on
availability of the physdev match.
The filtering framework adds new libvirt virsh commands for managing
the filters. The 5 new commands are:
- virsh nwfilter-list
- virsh nwfilter-dumpxml <name of filter>
- virsh nwfilter-define <name of file containing filter desc.>
- virsh nwfilter-undefine <name of filter>
- virsh nwfilter-edit <name of filter>
Above commands are similar to commands for already existing pools and as
such much of the code directly related to the above commands could be
borrowed from other drivers.
The network filters can either contain rules using the above mentioned
XML or contain references to other filters in order to build more
complex filters that form some sort of filter tree or can contain both.
An example for a filter referencing other filters would be this one
here:
<filter name='demofilter4' chain='root'>
<uuid>66f62d1d-34c1-1421-824f-c62d5ee5e8b6</uuid>
<filterref filter='no-mac-spoofing'/>
<filterref filter='no-mac-broadcast'/>
<filterref filter='no-arp-spoofing'/>
<filterref filter='allow-dhcp'>
<parameter name='DHCPSERVER' value='10.0.0.1'/>
</filterref>
<filterref filter='no-other-l2-traffic'/>
<filterref filter='recv-only-vm-ipaddress'/>
<filterref filter='recv-only-vm-macaddress'/>
<filterref filter='l3-test'/>
<filterref filter='ipv6test'/>
</filter>
A filter containing actual rules would look like this:
<filter name='no-mac-broadcast' chain='ipv4'>
<uuid>ffe2ccd6-edec-7360-1852-6b5ccb553234</uuid>
<rule action='drop' direction='out' priority='500'>
<mac dstmacaddr='ff:ff:ff:ff:ff:ff'/>
</rule>
</filter>
The filter XML now also holds a priority attribute in the rule. This
provides control over the ordering of the applied ebtables/iptables
rules beyond their appearance in the XML.
The domain XML has been extended to reference a top level filter from
within each <interface> XML node. A valid reference to such a top level
filter looks like this:
<interface type='bridge'>
<source bridge='static'/>
<filterref filter='demofilter4'>
<parameter name='IP' value='9.59.241.151'/>
</filterref>
</interface>
In this XML a parameter IP is passed for instantiation of the referenced
filters, that may require the availability of this parameter. In the
above case the IP parameter's value describes the value of the IP
address of the VM and allows to enable those filters to be instantiated
that require this 'IP' variable. If a filter requires a parameter that
is not provided, the VM will not start or the interface will not attach
to a running VM. Any names of parameters can be provided for
instantiation of filters and their names and values only need to pass a
regular expression test. In a subsequent patch we will be adding
capability to allow users to omit the IP parameter (only) and enable
libvirt to learn the IP address of the VM and have it instantiate the
filter once it knows it.
While virtual machines are running, it is possible to update their
filters. For that all running VMs' filter 'trees' are traversed to
detect whether the updated filter is referenced by the VM. If so, its
ebtables/iptable rules are applied. If one of the VMs' update fails
allupdates are rolled back and the filter XML update is rejected.
One comment about the instantiation of the rules: Since the XML allows
to create nearly any possible combination of parameters to ebtables or
iptables commands, I haven't used the ebtables or iptables wrappers.
Instead, I am writing ebtables/iptables command into a buffer, add
command line options to each one of them as described in the rule's XML,
write the buffer into a file and run it as a script. For those commands
that are not allowed to fail I am using the following format to run
them:
cmd="ebtables <some options>"
r=`${cmd}`
if [ $? -ne 0 ]; then
echo "Failure in command ${cmd}."
exit 1
fi
cmd="..."
[...]
If one of the command fails in such a batch, the libvirt code is going
pick up the error code '1', tear down anything previously established
and report an error back. The actual error message shown above is
currently not reported back, but can be later on with some changes to
the commands running external programs that need to read the script's
stdout.
One comment to patch 14: It currently #include's a .c file into a .c
file only for the reason so I don't have to change too much code once I
change code in the underlying patch. So this has to be changed. The
patch series works without patch 13, but then only supports ebtables.
The patches apply to the current tip. They pass 'make syntax-check' and
have been frequently run in valgrind for memory leak checks. The order
in which I apply the patches is as follows:
add_recursive_locks.diff
add_build_support.diff
add_public_api.diff
add_internal_api.diff
impl_pub_api.diff
def_wire_protocol_format.diff
impl_rpc_client.c
impl_srv_dispatch.diff
add_virsh_support.diff
add_xml_parsing.diff
add_qemu_support.diff
impl_driver.diff
add_ipv6_support.diff
add_iptables_support.diff
Looking forward to your feedback on the patches.
Thanks and regards,
Stefan and Gerhard
15 years, 2 months
[libvirt] [PATCH] website: Increase text size
by Cole Robinson
Personally I find the text so small it is difficult to read, especially
in the documentation pages where we can have a large wall of text.
Here is a before and after shot of the main page on my
machine (scaled down):
http://fedorapeople.org/~crobinso/tmp/libvirt-web-before-after.png
Text size is now similar to linux-kvm.org, which I find much easier to
read.
Signed-off-by: Cole Robinson <crobinso(a)redhat.com>
---
docs/generic.css | 10 +++++-----
docs/libvirt.css | 1 +
2 files changed, 6 insertions(+), 5 deletions(-)
diff --git a/docs/generic.css b/docs/generic.css
index dbf7b56..d9cf49e 100644
--- a/docs/generic.css
+++ b/docs/generic.css
@@ -43,22 +43,22 @@ div.footer {
}
h1 {
- font-size: 2em;
+ font-size: 1.6em;
}
h2 {
- font-size: 1.6em;
+ font-size: 1.4em;
}
h3 {
- font-size: 1.4em;
+ font-size: 1.2em;
}
h4 {
- font-size: 1.2em;
+ font-size: 1.1em;
}
h5 {
font-size: 1em;
}
h6 {
- font-size: 0.8em;
+ font-size: 0.9em;
}
dl dt {
diff --git a/docs/libvirt.css b/docs/libvirt.css
index dfc93c6..46e9a3f 100644
--- a/docs/libvirt.css
+++ b/docs/libvirt.css
@@ -33,6 +33,7 @@ h2, h3, h4, h5, h6 {
margin-right: 1em;
padding: 0px;
padding-bottom: 1em;
+ font-size: larger;
}
#menu {
--
1.6.6.1
15 years, 2 months
[libvirt] [PATCH 0/5] Introduce virDomainMigrateSetDowntime API
by Jiri Denemark
This API call is supposed to change maximum tolerable downtime for live
migrations.
Jiri Denemark (5):
Internal driver API for virDomainMigrateSetDowntime
Public virDomainMigrateSetDowntime API
Implement virDomainMigrateSetDowntime in remote driver
Wire protocol and dispatcher for virDomainMigrateSetDowntime
Implement virDomainMigrateSetDowntime in qemu driver
daemon/remote.c | 29 ++++++++++
daemon/remote_dispatch_args.h | 1 +
daemon/remote_dispatch_prototypes.h | 8 +++
daemon/remote_dispatch_table.h | 5 ++
include/libvirt/libvirt.h.in | 3 +
src/driver.h | 5 ++
src/esx/esx_driver.c | 1 +
src/libvirt.c | 46 ++++++++++++++++
src/libvirt_public.syms | 5 ++
src/lxc/lxc_driver.c | 1 +
src/opennebula/one_driver.c | 1 +
src/openvz/openvz_driver.c | 1 +
src/phyp/phyp_driver.c | 1 +
src/qemu/qemu_driver.c | 47 +++++++++++++++++
src/qemu/qemu_monitor.c | 15 +++++
src/qemu/qemu_monitor.h | 3 +
src/qemu/qemu_monitor_json.c | 29 ++++++++++
src/qemu/qemu_monitor_json.h | 3 +
src/qemu/qemu_monitor_text.c | 27 ++++++++++
src/qemu/qemu_monitor_text.h | 3 +
src/remote/remote_driver.c | 27 ++++++++++
src/remote/remote_protocol.c | 11 ++++
src/remote/remote_protocol.h | 97 +++++++++++++++++++----------------
src/remote/remote_protocol.x | 9 +++-
src/test/test_driver.c | 1 +
src/uml/uml_driver.c | 1 +
src/vbox/vbox_tmpl.c | 1 +
src/xen/xen_driver.c | 1 +
src/xenapi/xenapi_driver.c | 1 +
29 files changed, 338 insertions(+), 45 deletions(-)
15 years, 2 months
[libvirt] [PATCH] maint: enforce recent N_ usage
by Eric Blake
* cfg.mk (sc_prohibit_gettext_noop): New rule.
---
cfg.mk | 5 +++++
1 files changed, 5 insertions(+), 0 deletions(-)
diff --git a/cfg.mk b/cfg.mk
index 3fd9f7b..5b4d6ed 100644
--- a/cfg.mk
+++ b/cfg.mk
@@ -105,6 +105,11 @@ sc_prohibit_gethostname:
msg='use virGetHostname, not gethostname' \
$(_prohibit_regexp)
+sc_prohibit_gettext_noop:
+ @re='gettext_noop *\(' \
+ msg='use _N, not gettext_noop' \
+ $(_prohibit_regexp)
+
sc_prohibit_VIR_ERR_NO_MEMORY:
@re='\<V''IR_ERR_NO_MEMORY\>' \
msg='use virReportOOMError, not V'IR_ERR_NO_MEMORY \
--
1.6.6.1
15 years, 2 months
[libvirt] View graphical desktop of linux distribution through libvirt.
by Kumar L Srikanth-B22348
Hi Daniel,
Is it possible to view the graphical desktop(startx) of any linux
distribution in libvirt through Linux Container(LXC)?
If it is possible, what are the necessary dependents we need to take
care in the Domain XML or in the minimal Root file system of the linux
distribution.
Can you please let me know.
Regards,
Srikanth.
15 years, 2 months
[libvirt] [PATCH] website: Drop static FAQ, point to http://wiki.libvirt.org/page/FAQ
by Cole Robinson
The static FAQ was from the days before even QEMU support. I added
a few questions to the wiki FAQ about the software license and how to
download and install (basically just pointing to downloads.html).
The remaining questions on the static page aren't anything that I think
is really 'frequently asked' (changing socket perms for regular user
xen access, and issues building against libvirt).
Signed-off-by: Cole Robinson <crobinso(a)redhat.com>
---
docs/FAQ.html.in | 144 --------------------------------------------------
docs/Makefile.am | 3 +-
docs/search.php | 2 +-
docs/sitemap.html.in | 2 +-
4 files changed, 3 insertions(+), 148 deletions(-)
delete mode 100644 docs/FAQ.html.in
diff --git a/docs/FAQ.html.in b/docs/FAQ.html.in
deleted file mode 100644
index 50f798d..0000000
--- a/docs/FAQ.html.in
+++ /dev/null
@@ -1,144 +0,0 @@
-<?xml version="1.0"?>
-<html>
- <body>
- <h1 >FAQ</h1>
- <p>Table of Contents:</p>
- <ul>
- <li>
- <a href="FAQ.html#License">License(s)</a>
- </li>
- <li>
- <a href="FAQ.html#Installati">Installation</a>
- </li>
- <li>
- <a href="FAQ.html#Compilatio">Compilation</a>
- </li>
- <li>
- <a href="FAQ.html#Developer">Developer corner</a>
- </li>
- </ul>
- <h3><a name="License" id="License">License</a>(s)</h3>
- <ol>
- <li>
- <em>Licensing Terms for libvirt</em>
- <p>libvirt is released under the <a href="http://www.opensource.org/licenses/lgpl-license.html">GNU Lesser
- General Public License</a>, see the file COPYING.LIB in the distribution
- for the precise wording. The only library that libvirt depends upon is
- the Xen store access library which is also licenced under the LGPL.</p>
- </li>
- <li>
- <em>Can I embed libvirt in a proprietary application ?</em>
- <p>Yes. The LGPL allows you to embed libvirt into a proprietary
- application. It would be graceful to send-back bug fixes and improvements
- as patches for possible incorporation in the main development tree. It
- will decrease your maintenance costs anyway if you do so.</p>
- </li>
- </ol>
- <h3>
- <a name="Installati" id="Installati">Installation</a>
- </h3>
- <ol>
- <li><em>Where can I get libvirt</em> ?
- <p>The original distribution comes from <a href="ftp://libvirt.org/libvirt/">ftp://libvirt.org/libvirt/</a>.</p>
- </li>
- <li>
- <em>I can't install the libvirt/libvirt-devel RPM packages due to
- failed dependencies</em>
- <p>The most generic solution is to re-fetch the latest src.rpm , and
- rebuild it locally with</p>
- <p><code>rpm --rebuild libvirt-xxx.src.rpm</code>.</p>
- <p>If everything goes well it will generate two binary rpm packages (one
- providing the shared libs and virsh, and the other one, the -devel
- package, providing includes, static libraries and scripts needed to build
- applications with libvirt that you can install locally.</p>
- <p>One can also rebuild the RPMs from a tarball:</p>
- <p>
- <code>rpmbuild -ta libdir-xxx.tar.gz</code>
- </p>
- <p>Or from a configured tree with:</p>
- <p>
- <code>make rpm</code>
- </p>
- </li>
- <li>
- <em>Failure to use the API for non-root users</em>
- <p>Large parts of the API may only be accessible with root privileges,
- however the read only access to the xenstore data doesnot have to be
- forbidden to user, at least for monitoring purposes. If "virsh dominfo"
- fails to run as an user, change the mode of the xenstore read-only socket
- with:</p>
- <p>
- <code>chmod 666 /var/run/xenstored/socket_ro</code>
- </p>
- <p>and also make sure that the Xen Daemon is running correctly with local
- HTTP server enabled, this is defined in
- <code>/etc/xen/xend-config.sxp</code> which need the following line to be
- enabled:</p>
- <p>
- <code>(xend-http-server yes)</code>
- </p>
- <p>If needed restart the xend daemon after making the change with the
- following command run as root:</p>
- <p>
- <code>service xend restart</code>
- </p>
- </li>
- </ol>
- <h3>
- <a name="Compilatio" id="Compilatio">Compilation</a>
- </h3>
- <ol>
- <li>
- <em>What is the process to compile libvirt ?</em>
- <p>As most UNIX libraries libvirt follows the "standard":</p>
- <p>
- <code>gunzip -c libvirt-xxx.tar.gz | tar xvf -</code>
- </p>
- <p>
- <code>cd libvirt-xxxx</code>
- </p>
- <p>
- <code>./configure --help</code>
- </p>
- <p>to see the options, then the compilation/installation proper</p>
- <p>
- <code>./configure [possible options]</code>
- </p>
- <p>
- <code>make</code>
- </p>
- <p>
- <code>make install</code>
- </p>
- <p>At that point you may have to rerun ldconfig or a similar utility to
- update your list of installed shared libs.</p>
- </li>
- <li>
- <em>What other libraries are needed to compile/install libvirt ?</em>
- <p>Libvirt requires libxenstore, which is usually provided by the xen
- packages as well as the public headers to compile against libxenstore.</p>
- </li>
- <li>
- <em>I use the GIT version and there is no configure script</em>
- <p>The configure script (and other Makefiles) are generated. Use the
- autogen.sh script to regenerate the configure script and Makefiles,
- like:</p>
- <p>
- <code>./autogen.sh --prefix=/usr --disable-shared</code>
- </p>
- </li>
- </ol>
- <h3><a name="Developer" id="Developer">Developer</a> corner</h3>
- <ol>
- <li>
- <em>Troubles compiling or linking programs using libvirt</em>
- <p>To simplify the process of reusing the library, libvirt comes with
- pkgconfig support, which can be used directly from autoconf support or
- via the pkg-config command line tool, like:</p>
- <p>
- <code>pkg-config libvirt --libs</code>
- </p>
- </li>
- </ol>
- </body>
-</html>
diff --git a/docs/Makefile.am b/docs/Makefile.am
index edf6fc8..57f3d3d 100644
--- a/docs/Makefile.am
+++ b/docs/Makefile.am
@@ -147,8 +147,7 @@ rebuild: api all
install-data-local:
$(mkinstalldirs) $(DESTDIR)$(HTML_DIR)
- -$(INSTALL) -m 0644 $(srcdir)/FAQ.html \
- $(srcdir)/Libxml2-Logo-90x34.gif $(DESTDIR)$(HTML_DIR)
+ -$(INSTALL) -m 0644 $(srcdir)/Libxml2-Logo-90x34.gif $(DESTDIR)$(HTML_DIR)
$(mkinstalldirs) $(DESTDIR)$(HTML_DIR)/html
for h in $(apihtml); do \
$(INSTALL) -m 0644 $(srcdir)/$$h $(DESTDIR)$(HTML_DIR)/html; done
diff --git a/docs/search.php b/docs/search.php
index a6c1def..bbd652a 100644
--- a/docs/search.php
+++ b/docs/search.php
@@ -258,7 +258,7 @@
</li><li>
<a title="User contributed content" class="inactive" href="http://wiki.libvirt.org">Wiki</a>
</li><li>
- <a title="Frequently asked questions" class="inactive" href="FAQ.html">FAQ</a>
+ <a title="Frequently asked questions" class="inactive" href="http://wiki.libvirt.org/page/FAQ">FAQ</a>
</li><li>
<a title="How and where to report bugs and request features" class="inactive" href="bugs.html">Bug reports</a>
</li><li>
diff --git a/docs/sitemap.html.in b/docs/sitemap.html.in
index 76d8faa..aaa0966 100644
--- a/docs/sitemap.html.in
+++ b/docs/sitemap.html.in
@@ -247,7 +247,7 @@
<span>User contributed content</span>
</li>
<li>
- <a href="FAQ.html">FAQ</a>
+ <a href="http://wiki.libvirt.org/page/FAQ">FAQ</a>
<span>Frequently asked questions</span>
</li>
<li>
--
1.6.6.1
15 years, 2 months
[libvirt] [PATCH] website: Remove old repos from download section
by Cole Robinson
We haven't been using CVS for quite a while now, so I think we can
safely drop the reference to the old server and git mirror.
Signed-off-by: Cole Robinson <crobinso(a)redhat.com>
---
docs/downloads.html.in | 33 ---------------------------------
1 files changed, 0 insertions(+), 33 deletions(-)
diff --git a/docs/downloads.html.in b/docs/downloads.html.in
index 493923c..2bfb459 100644
--- a/docs/downloads.html.in
+++ b/docs/downloads.html.in
@@ -43,18 +43,6 @@
<a href="http://libvirt.org/git/?p=libvirt.git;a=summary">http://libvirt.org/git/?p=libvirt.git;a=summary</a>
</pre>
- <h2>CVS repository access (Deprecated) </h2>
- <p>
- The master source repository used to be under <a href="http://ximbiot.com/cvs/cvshome/docs/">CVS</a>
- with anonymous access at:
- </p>
- <pre>
-
- # cvs -d :pserver:anoncvs@libvirt.org:2401/data/cvs co libvirt
- </pre>
- <p> The server is maintainened temporarilly for existing uses, but all
- changes are only commited to git now and we expect to deprecate the CVS
- server during summer 2009. </p>
<h2>Building from a source code checkout</h2>
<p> The libvirt build process uses GNU autotools, so after obtaining a
@@ -69,26 +57,5 @@
make install
</pre>
- <h2>GIT repository mirror</h2>
-
- <p>
- Jim Mereying was maintaining a CVS to git mirror on
- <a href="http://git.et.redhat.com/?p=libvirt.git">git.et.redhat.com</a>.
- Existing users should migrate to the new libvirt.org git server, as the
- old one is now deprecated. For the sake of old links including now-
- rewritten SHA1s, we'll leave the old repository on-line for some time.
- It is available as:
- </p>
- <pre>
-
- git clone git://git.et.redhat.com/libvirt.git
- </pre>
- <p>
- It can also be browsed at
- </p>
- <pre>
- <a href="http://git.et.redhat.com/?p=libvirt.git;a=summary">http://git.et.redhat.com/?p=libvirt.git;a=summary</a>
- </pre>
-
</body>
</html>
--
1.6.6.1
15 years, 2 months
[libvirt] [PATCH] Change logrotate to be per-hypervisor logs
by Daniel Veillard
Original bug is:
https://bugzilla.redhat.com/show_bug.cgi?id=547514
maybe this could be done in slightly different way, possibly more
generic, but I think doing a simple split is good enough for now.
Change logrotate to be per-hypervisor logs
Having a single logrotate configuration file for all hypervisors
did not work as logrotate would get confused if an hypervisor not
supported on that platform was still listed. Simplest is to split
the logrotate as separate per hypervisor files and change the
spec file to only install the ones compiled in.
* daemon/libvirtd.lxc.logrotate.in daemon/libvirtd.qemu.logrotate.in
daemon/libvirtd.uml.logrotate.in: copy and split the original
daemon/libvirtd.logrotate.in file
* daemon/Makefile.am: update to support the different files
* libvirt.spec.in: only install the relevant logrotate configs
diff --git a/daemon/Makefile.am b/daemon/Makefile.am
index 958a4f6..d429c71 100644
--- a/daemon/Makefile.am
+++ b/daemon/Makefile.am
@@ -25,7 +25,9 @@ EXTRA_DIST = \
libvirtd.sasl \
libvirtd.sysconf \
libvirtd.aug \
- libvirtd.logrotate.in \
+ libvirtd.qemu.logrotate.in \
+ libvirtd.lxc.logrotate.in \
+ libvirtd.uml.logrotate.in \
test_libvirtd.aug \
$(AVAHI_SOURCES) \
$(DAEMON_SOURCES)
@@ -177,20 +179,37 @@ remote_dispatch_args.h: $(srcdir)/remote_generate_stubs.pl $(REMOTE_PROTOCOL)
remote_dispatch_ret.h: $(srcdir)/remote_generate_stubs.pl $(REMOTE_PROTOCOL)
perl -w $(srcdir)/remote_generate_stubs.pl -r $(REMOTE_PROTOCOL) > $@
-BUILT_SOURCES += libvirtd.logrotate
+LOGROTATE_CONFS = libvirtd.qemu.logrotate libvirtd.lxc.logrotate \
+ libvirtd.uml.logrotate
-libvirtd.logrotate: libvirtd.logrotate.in
+BUILT_SOURCES += $(LOGROTATE_CONFS)
+
+libvirtd.qemu.logrotate: libvirtd.qemu.logrotate.in
+ sed \
+ -e s!\@localstatedir\@!@localstatedir@!g \
+ < $< > $@-t
+ mv $@-t $@
+
+libvirtd.lxc.logrotate: libvirtd.lxc.logrotate.in
+ sed \
+ -e s!\@localstatedir\@!@localstatedir@!g \
+ < $< > $@-t
+ mv $@-t $@
+
+libvirtd.uml.logrotate: libvirtd.uml.logrotate.in
sed \
-e s!\@localstatedir\@!@localstatedir@!g \
< $< > $@-t
mv $@-t $@
-install-logrotate: libvirtd.logrotate
+install-logrotate: $(LOGROTATE_CONFS)
mkdir -p $(DESTDIR)$(localstatedir)/log/libvirt/qemu/
mkdir -p $(DESTDIR)$(localstatedir)/log/libvirt/lxc/
mkdir -p $(DESTDIR)$(localstatedir)/log/libvirt/uml/
mkdir -p $(DESTDIR)$(sysconfdir)/logrotate.d/
- $(INSTALL_DATA) $< $(DESTDIR)$(sysconfdir)/logrotate.d/libvirtd
+ $(INSTALL_DATA) libvirtd.qemu.logrotate $(DESTDIR)$(sysconfdir)/logrotate.d/libvirtd.qemu
+ $(INSTALL_DATA) libvirtd.lxc.logrotate $(DESTDIR)$(sysconfdir)/logrotate.d/libvirtd.lxc
+ $(INSTALL_DATA) libvirtd.uml.logrotate $(DESTDIR)$(sysconfdir)/logrotate.d/libvirtd.uml
if LIBVIRT_INIT_SCRIPT_RED_HAT
install-init: libvirtd.init
diff --git a/daemon/libvirtd.logrotate.in b/daemon/libvirtd.logrotate.in
deleted file mode 100644
index 0c51fd3..0000000
--- a/daemon/libvirtd.logrotate.in
+++ /dev/null
@@ -1,9 +0,0 @@
-@localstatedir(a)/log/libvirt/qemu/*.log @localstatedir(a)/log/libvirt/uml/*.log @localstatedir(a)/log/libvirt/lxc/*.log {
- weekly
- missingok
- rotate 4
- compress
- delaycompress
- copytruncate
- minsize 100k
-}
diff --git a/daemon/libvirtd.lxc.logrotate.in b/daemon/libvirtd.lxc.logrotate.in
new file mode 100644
index 0000000..4e7d314
--- /dev/null
+++ b/daemon/libvirtd.lxc.logrotate.in
@@ -0,0 +1,9 @@
+@localstatedir(a)/log/libvirt/lxc/*.log {
+ weekly
+ missingok
+ rotate 4
+ compress
+ delaycompress
+ copytruncate
+ minsize 100k
+}
diff --git a/daemon/libvirtd.qemu.logrotate.in b/daemon/libvirtd.qemu.logrotate.in
new file mode 100644
index 0000000..15cf019
--- /dev/null
+++ b/daemon/libvirtd.qemu.logrotate.in
@@ -0,0 +1,9 @@
+@localstatedir(a)/log/libvirt/qemu/*.log {
+ weekly
+ missingok
+ rotate 4
+ compress
+ delaycompress
+ copytruncate
+ minsize 100k
+}
diff --git a/daemon/libvirtd.uml.logrotate.in b/daemon/libvirtd.uml.logrotate.in
new file mode 100644
index 0000000..135a37d
--- /dev/null
+++ b/daemon/libvirtd.uml.logrotate.in
@@ -0,0 +1,9 @@
+@localstatedir(a)/log/libvirt/uml/*.log {
+ weekly
+ missingok
+ rotate 4
+ compress
+ delaycompress
+ copytruncate
+ minsize 100k
+}
diff --git a/libvirt.spec.in b/libvirt.spec.in
index b1c1c99..17102d9 100644
--- a/libvirt.spec.in
+++ b/libvirt.spec.in
@@ -668,16 +668,20 @@ fi
%{_sysconfdir}/rc.d/init.d/libvirtd
%config(noreplace) %{_sysconfdir}/sysconfig/libvirtd
%config(noreplace) %{_sysconfdir}/libvirt/libvirtd.conf
-%config(noreplace) %{_sysconfdir}/logrotate.d/libvirtd
%dir %attr(0700, root, root) %{_localstatedir}/log/libvirt/qemu/
%dir %attr(0700, root, root) %{_localstatedir}/log/libvirt/lxc/
%dir %attr(0700, root, root) %{_localstatedir}/log/libvirt/uml/
%if %{with_qemu}
%config(noreplace) %{_sysconfdir}/libvirt/qemu.conf
+%config(noreplace) %{_sysconfdir}/logrotate.d/libvirtd.qemu
%endif
%if %{with_lxc}
%config(noreplace) %{_sysconfdir}/libvirt/lxc.conf
+%config(noreplace) %{_sysconfdir}/logrotate.d/libvirtd.lxc
+%endif
+%if %{with_uml}
+%config(noreplace) %{_sysconfdir}/logrotate.d/libvirtd.uml
%endif
%dir %{_datadir}/libvirt/
--
Daniel Veillard | libxml Gnome XML XSLT toolkit http://xmlsoft.org/
daniel(a)veillard.com | Rpmfind RPM search engine http://rpmfind.net/
http://veillard.com/ | virtualization library http://libvirt.org/
15 years, 2 months
[libvirt] [PATCH] Small fix for LSB compilance of init script
by Daniel Veillard
A trivial small fix:
Fix LSB compliance of init script
https://bugzilla.redhat.com/show_bug.cgi?id=538701
* daemon/libvirtd.init.in: daemon/libvirtd.init.in were not mentionned
in the usage message and if a missing or wrong argument is given it
should return 2, not 1
diff --git a/daemon/libvirtd.init.in b/daemon/libvirtd.init.in
index b808ab3..4c8821b 100644
--- a/daemon/libvirtd.init.in
+++ b/daemon/libvirtd.init.in
@@ -106,8 +106,8 @@ case "$1" in
[ -f @localstatedir@/lock/subsys/$SERVICE ] && restart || :
;;
*)
- echo $"Usage: $0 {start|stop|status|restart|condrestart|reload}"
- exit 1
+ echo $"Usage: $0 {start|stop|status|restart|condrestart|reload|force-reload|try-restart}"
+ exit 2
;;
esac
exit $RETVAL
--
Daniel Veillard | libxml Gnome XML XSLT toolkit http://xmlsoft.org/
daniel(a)veillard.com | Rpmfind RPM search engine http://rpmfind.net/
http://veillard.com/ | virtualization library http://libvirt.org/
15 years, 2 months
[libvirt] [PATCH 0/13] [RFC] Network filtering (ACL) extensions for libvirt
by Stefan Berger
Hi!
The following set of patches add network filtering (ACL) extensions to
libvirt and enable network traffic filtering for VMs using ebtables and,
depending on the networking technology being used (tap, but not
macvtap), also iptables. Usage of either is optional and controlled
through filters that a VM is referencing.
The ebtables-level filtering is based on the XML derived from the CIM
network slide 10 (filtering) from the DMTF website
(http://www.dmtf.org/standards/cim/cim_schema_v2230/CIM_Network.pdf).
The XML we derived from this was discussed on the list before. On the
ebtables level we currently handle filtering of IPv4 and ARP traffic.
The iptables-level filtering is based on similar XML where XML nodes
described the particular protocol to filter for. Its extensions enable
the filtering of traffic using iptables for tcp, udp, icmp, igmp, sctp
and 'all' types of traffic. This list of protocols maps to the features
supported by iptables and only excludes protocols like 'esp' and 'ah'.
Currently only bridging mode is supported and based on availability of
the physdev match.
The filtering framework adds new libvirt virsh commands for managing
the filters. The 5 new commands are:
- virsh nwfilter-list
- virsh nwfilter-dumpxml <name of filter>
- virsh nwfilter-define <name of file containing filter desc.>
- virsh nwfilter-undefine <name of filter>
- virsh nwfilter-edit <name of filter>
Above commands are similar to commands for already existing pools and as
such much of the code directly related to the above commands could be
borrowed from other drivers.
The network filters can either contain rules using the above mentioned
XML or contain references to other filters in order to build more
complex filters that form some sort of filter tree or can contain both.
An example for a filter referencing other filters would be this one
here:
<filter name='demofilter4' chain='root'>
<uuid>66f62d1d-34c1-1421-824f-c62d5ee5e8b6</uuid>
<filterref filter='no-mac-spoofing'/>
<filterref filter='no-mac-broadcast'/>
<filterref filter='no-arp-spoofing'/>
<filterref filter='allow-dhcp'>
<parameter name='DHCPSERVER' value='10.0.0.1'/>
</filterref>
<filterref filter='no-other-l2-traffic'/>
<filterref filter='recv-only-vm-ipaddress'/>
<filterref filter='recv-only-vm-macaddress'/>
<filterref filter='l3-test'/>
</filter>
A filter containing actual rules would look like this:
<filter name='no-mac-broadcast' chain='ipv4'>
<uuid>ffe2ccd6-edec-7360-1852-6b5ccb553234</uuid>
<rule action='drop' direction='out' priority='500'>
<mac dstmacaddr='ff:ff:ff:ff:ff:ff'/>
</rule>
</filter>
The filter XML now also holds a priority attribute in the rule. This
provides control over the ordering of the applied ebtables/iptables
rules beyond their appearance in the XML.
The domain XML has been extended to reference a top level filter from
within each <interface> XML node. A valid reference to such a top level
filter looks like this:
<interface type='bridge'>
<source bridge='static'/>
<filterref filter='demofilter4'>
<parameter name='IP' value='9.59.241.151'/>
</filterref>
</interface>
In this XML a parameter IP is passed for instantiation of the referenced
filters, that may require the availability of this parameter. In the
above case the IP parameter's value describes the value of the IP
address of the VM and allows to enable those filters to be instantiated
that require this 'IP' variable. If a filter requires a parameter that
is not provided, the VM will not start or the interface will not attach
to a running VM. Any names of parameters can be provided for
instantiation of filters and their names and values only need to pass a
regular expression test. Currently only MAC and IP addresses and port
numbers can be replaced with variables inside the filter XML. In a
subsequent patch we will be adding capability to allow users to omit the
IP parameter (only) and enable libvirt to learn the IP address of the VM
and have it instantiate the filter once it knows it.
While virtual machines are running, it is possible to update their
filters. For that all running VMs' filter 'trees' are traversed to
detect whether the updated filter is referenced by the VM. If so, its
ebtables/iptable rules are applied. If one of the VMs' update fails
allupdates are rolled back and the filter XML update is rejected.
One comment about the instantiation of the rules: Since the XML allows
to create nearly any possible combination of parameters to ebtables or
iptables commands, I haven't used the ebtables or iptables wrappers.
Instead, I am writing ebtables/iptables command into a buffer, add
command line options to each one of them as described in the rule's XML,
write the buffer into a file and run it as a script. For those commands
that are not allowed to fail I am using the following format to run
them:
cmd="ebtables <some options>"
r=`${cmd}`
if [ $? -ne 0 ]; then
echo "Failure in command ${cmd}."
exit 1
fi
cmd="..."
[...]
If one of the command fails in such a batch, the libvirt code is going
pick up the error code '1', tear down anything previously established
and report an error back. The actual error message shown above is
currently not reported back, but can be later on with some changes to
the commands running external programs that need to read the script's
stdout.
One comment to patch 13: It currently #include's a .c file into a .c
file only for the reason so I don't have to change too much code once I
change code in the underlying patch. So this has to be changed. The
patch series works without patch 13, but then only supports ebtables.
The patches apply to the current tip. They pass 'make syntax-check' and
have been frequently run in valgrind for memory leak checks. The order
in which I apply the patches is as follows:
add_recursive_locks.diff
add_build_support.diff
add_public_api.diff
add_internal_api.diff
impl_pub_api.diff
def_wire_protocol_format.diff
impl_rpc_client.c
impl_srv_dispatch.diff
add_virsh_support.diff
add_xml_parsing.diff
add_qemu_support.diff
impl_driver.diff
add_iptables_support.diff
Looking forward to your feedback on the patches.
Thanks and regards,
Stefan and Gerhard
15 years, 2 months
