March 2010 - Devel - libvirt List Archives

[libvirt] [PATCH 0/14 [RFC] Network filtering (ACL) extensions for libvirt
by Stefan Berger 19 Mar '10

19 Mar '10

Hi! This is a repost of this set of patches with some of the fixes recommended by Daniel Berrange applied and ipv6 support on the ebtables layer added. The following set of patches add network filtering (ACL) extensions to libvirt and enable network traffic filtering for VMs using ebtables and, depending on the networking technology being used (tap, but not macvtap), also iptables. Usage of either is optional and controlled through filters that a VM is referencing. The ebtables-level filtering is based on the XML derived from the CIM network slide 10 (filtering) from the DMTF website (http://www.dmtf.org/standards/cim/cim_schema_v2230/CIM_Network.pdf) The XML we derived from this was discussed on the list before. On the ebtables level we currently handle filtering of IPv4 and ARP traffic. The iptables-level filtering is based on similar XML where XML nodes described the particular protocol to filter for. Its extensions enable the filtering of traffic using iptables for tcp, udp, icmp, igmp, sctp and 'all' types of traffic. This list of protocols maps to the features supported by iptables and only excludes protocols like 'esp', 'ah' and 'udplite'. Currently only bridging mode is supported and based on availability of the physdev match. The filtering framework adds new libvirt virsh commands for managing the filters. The 5 new commands are: - virsh nwfilter-list - virsh nwfilter-dumpxml <name of filter> - virsh nwfilter-define <name of file containing filter desc.> - virsh nwfilter-undefine <name of filter> - virsh nwfilter-edit <name of filter> Above commands are similar to commands for already existing pools and as such much of the code directly related to the above commands could be borrowed from other drivers. The network filters can either contain rules using the above mentioned XML or contain references to other filters in order to build more complex filters that form some sort of filter tree or can contain both. An example for a filter referencing other filters would be this one here: <filter name='demofilter4' chain='root'> <uuid>66f62d1d-34c1-1421-824f-c62d5ee5e8b6</uuid> <filterref filter='no-mac-spoofing'/> <filterref filter='no-mac-broadcast'/> <filterref filter='no-arp-spoofing'/> <filterref filter='allow-dhcp'> <parameter name='DHCPSERVER' value='10.0.0.1'/> </filterref> <filterref filter='no-other-l2-traffic'/> <filterref filter='recv-only-vm-ipaddress'/> <filterref filter='recv-only-vm-macaddress'/> <filterref filter='l3-test'/> <filterref filter='ipv6test'/> </filter> A filter containing actual rules would look like this: <filter name='no-mac-broadcast' chain='ipv4'> <uuid>ffe2ccd6-edec-7360-1852-6b5ccb553234</uuid> <rule action='drop' direction='out' priority='500'> <mac dstmacaddr='ff:ff:ff:ff:ff:ff'/> </rule> </filter> The filter XML now also holds a priority attribute in the rule. This provides control over the ordering of the applied ebtables/iptables rules beyond their appearance in the XML. The domain XML has been extended to reference a top level filter from within each <interface> XML node. A valid reference to such a top level filter looks like this: <interface type='bridge'> <source bridge='static'/> <filterref filter='demofilter4'> <parameter name='IP' value='9.59.241.151'/> </filterref> </interface> In this XML a parameter IP is passed for instantiation of the referenced filters, that may require the availability of this parameter. In the above case the IP parameter's value describes the value of the IP address of the VM and allows to enable those filters to be instantiated that require this 'IP' variable. If a filter requires a parameter that is not provided, the VM will not start or the interface will not attach to a running VM. Any names of parameters can be provided for instantiation of filters and their names and values only need to pass a regular expression test. In a subsequent patch we will be adding capability to allow users to omit the IP parameter (only) and enable libvirt to learn the IP address of the VM and have it instantiate the filter once it knows it. While virtual machines are running, it is possible to update their filters. For that all running VMs' filter 'trees' are traversed to detect whether the updated filter is referenced by the VM. If so, its ebtables/iptable rules are applied. If one of the VMs' update fails allupdates are rolled back and the filter XML update is rejected. One comment about the instantiation of the rules: Since the XML allows to create nearly any possible combination of parameters to ebtables or iptables commands, I haven't used the ebtables or iptables wrappers. Instead, I am writing ebtables/iptables command into a buffer, add command line options to each one of them as described in the rule's XML, write the buffer into a file and run it as a script. For those commands that are not allowed to fail I am using the following format to run them: cmd="ebtables <some options>" r=`${cmd}` if [ $? -ne 0 ]; then echo "Failure in command ${cmd}." exit 1 fi cmd="..." [...] If one of the command fails in such a batch, the libvirt code is going pick up the error code '1', tear down anything previously established and report an error back. The actual error message shown above is currently not reported back, but can be later on with some changes to the commands running external programs that need to read the script's stdout. One comment to patch 14: It currently #include's a .c file into a .c file only for the reason so I don't have to change too much code once I change code in the underlying patch. So this has to be changed. The patch series works without patch 13, but then only supports ebtables. The patches apply to the current tip. They pass 'make syntax-check' and have been frequently run in valgrind for memory leak checks. The order in which I apply the patches is as follows: add_recursive_locks.diff add_build_support.diff add_public_api.diff add_internal_api.diff impl_pub_api.diff def_wire_protocol_format.diff impl_rpc_client.c impl_srv_dispatch.diff add_virsh_support.diff add_xml_parsing.diff add_qemu_support.diff impl_driver.diff add_ipv6_support.diff add_iptables_support.diff Looking forward to your feedback on the patches. Thanks and regards, Stefan and Gerhard

1 0

[libvirt] [PATCH] website: Increase text size
by Cole Robinson 18 Mar '10

18 Mar '10

Personally I find the text so small it is difficult to read, especially in the documentation pages where we can have a large wall of text. Here is a before and after shot of the main page on my machine (scaled down): http://fedorapeople.org/~crobinso/tmp/libvirt-web-before-after.png Text size is now similar to linux-kvm.org, which I find much easier to read. Signed-off-by: Cole Robinson <crobinso(a)redhat.com> --- docs/generic.css | 10 +++++----- docs/libvirt.css | 1 + 2 files changed, 6 insertions(+), 5 deletions(-) diff --git a/docs/generic.css b/docs/generic.css index dbf7b56..d9cf49e 100644 --- a/docs/generic.css +++ b/docs/generic.css @@ -43,22 +43,22 @@ div.footer { } h1 { - font-size: 2em; + font-size: 1.6em; } h2 { - font-size: 1.6em; + font-size: 1.4em; } h3 { - font-size: 1.4em; + font-size: 1.2em; } h4 { - font-size: 1.2em; + font-size: 1.1em; } h5 { font-size: 1em; } h6 { - font-size: 0.8em; + font-size: 0.9em; } dl dt { diff --git a/docs/libvirt.css b/docs/libvirt.css index dfc93c6..46e9a3f 100644 --- a/docs/libvirt.css +++ b/docs/libvirt.css @@ -33,6 +33,7 @@ h2, h3, h4, h5, h6 { margin-right: 1em; padding: 0px; padding-bottom: 1em; + font-size: larger; } #menu { -- 1.6.6.1

3 3

[libvirt] [PATCH 0/5] Introduce virDomainMigrateSetDowntime API
by Jiri Denemark 18 Mar '10

18 Mar '10

This API call is supposed to change maximum tolerable downtime for live migrations. Jiri Denemark (5): Internal driver API for virDomainMigrateSetDowntime Public virDomainMigrateSetDowntime API Implement virDomainMigrateSetDowntime in remote driver Wire protocol and dispatcher for virDomainMigrateSetDowntime Implement virDomainMigrateSetDowntime in qemu driver daemon/remote.c | 29 ++++++++++ daemon/remote_dispatch_args.h | 1 + daemon/remote_dispatch_prototypes.h | 8 +++ daemon/remote_dispatch_table.h | 5 ++ include/libvirt/libvirt.h.in | 3 + src/driver.h | 5 ++ src/esx/esx_driver.c | 1 + src/libvirt.c | 46 ++++++++++++++++ src/libvirt_public.syms | 5 ++ src/lxc/lxc_driver.c | 1 + src/opennebula/one_driver.c | 1 + src/openvz/openvz_driver.c | 1 + src/phyp/phyp_driver.c | 1 + src/qemu/qemu_driver.c | 47 +++++++++++++++++ src/qemu/qemu_monitor.c | 15 +++++ src/qemu/qemu_monitor.h | 3 + src/qemu/qemu_monitor_json.c | 29 ++++++++++ src/qemu/qemu_monitor_json.h | 3 + src/qemu/qemu_monitor_text.c | 27 ++++++++++ src/qemu/qemu_monitor_text.h | 3 + src/remote/remote_driver.c | 27 ++++++++++ src/remote/remote_protocol.c | 11 ++++ src/remote/remote_protocol.h | 97 +++++++++++++++++++---------------- src/remote/remote_protocol.x | 9 +++- src/test/test_driver.c | 1 + src/uml/uml_driver.c | 1 + src/vbox/vbox_tmpl.c | 1 + src/xen/xen_driver.c | 1 + src/xenapi/xenapi_driver.c | 1 + 29 files changed, 338 insertions(+), 45 deletions(-)

4 18

[libvirt] [PATCH] maint: enforce recent N_ usage
by Eric Blake 18 Mar '10

18 Mar '10

* cfg.mk (sc_prohibit_gettext_noop): New rule. --- cfg.mk | 5 +++++ 1 files changed, 5 insertions(+), 0 deletions(-) diff --git a/cfg.mk b/cfg.mk index 3fd9f7b..5b4d6ed 100644 --- a/cfg.mk +++ b/cfg.mk @@ -105,6 +105,11 @@ sc_prohibit_gethostname: msg='use virGetHostname, not gethostname' \ $(_prohibit_regexp) +sc_prohibit_gettext_noop: + @re='gettext_noop *\(' \ + msg='use _N, not gettext_noop' \ + $(_prohibit_regexp) + sc_prohibit_VIR_ERR_NO_MEMORY: @re='\<V''IR_ERR_NO_MEMORY\>' \ msg='use virReportOOMError, not V'IR_ERR_NO_MEMORY \ -- 1.6.6.1

2 2

[libvirt] View graphical desktop of linux distribution through libvirt.
by Kumar L Srikanth-B22348 18 Mar '10

18 Mar '10

Hi Daniel, Is it possible to view the graphical desktop(startx) of any linux distribution in libvirt through Linux Container(LXC)? If it is possible, what are the necessary dependents we need to take care in the Domain XML or in the minimal Root file system of the linux distribution. Can you please let me know. Regards, Srikanth.

1 0

[libvirt] [PATCH] website: Drop static FAQ, point to http://wiki.libvirt.org/page/FAQ
by Cole Robinson 18 Mar '10

18 Mar '10

The static FAQ was from the days before even QEMU support. I added a few questions to the wiki FAQ about the software license and how to download and install (basically just pointing to downloads.html). The remaining questions on the static page aren't anything that I think is really 'frequently asked' (changing socket perms for regular user xen access, and issues building against libvirt). Signed-off-by: Cole Robinson <crobinso(a)redhat.com> --- docs/FAQ.html.in | 144 -------------------------------------------------- docs/Makefile.am | 3 +- docs/search.php | 2 +- docs/sitemap.html.in | 2 +- 4 files changed, 3 insertions(+), 148 deletions(-) delete mode 100644 docs/FAQ.html.in diff --git a/docs/FAQ.html.in b/docs/FAQ.html.in deleted file mode 100644 index 50f798d..0000000 --- a/docs/FAQ.html.in +++ /dev/null @@ -1,144 +0,0 @@ -<?xml version="1.0"?> -<html> - <body> - <h1 >FAQ</h1> - Table of Contents: - <ul> - <li> - <a href="FAQ.html#License">License(s)</a> - </li> - <li> - <a href="FAQ.html#Installati">Installation</a> - </li> - <li> - <a href="FAQ.html#Compilatio">Compilation</a> - </li> - <li> - <a href="FAQ.html#Developer">Developer corner</a> - </li> - </ul> - <h3><a name="License" id="License">License</a>(s)</h3> - <ol> - <li> - Licensing Terms for libvirt - libvirt is released under the <a href="http://www.opensource.org/licenses/lgpl-license.html">GNU Lesser - General Public License</a>, see the file COPYING.LIB in the distribution - for the precise wording. The only library that libvirt depends upon is - the Xen store access library which is also licenced under the LGPL. - </li> - <li> - Can I embed libvirt in a proprietary application ? - Yes. The LGPL allows you to embed libvirt into a proprietary - application. It would be graceful to send-back bug fixes and improvements - as patches for possible incorporation in the main development tree. It - will decrease your maintenance costs anyway if you do so. - </li> - </ol> - <h3> - <a name="Installati" id="Installati">Installation</a> - </h3> - <ol> - <li>Where can I get libvirt ? - The original distribution comes from <a href="ftp://libvirt.org/libvirt/">ftp://libvirt.org/libvirt/</a>. - </li> - <li> - I can't install the libvirt/libvirt-devel RPM packages due to - failed dependencies - The most generic solution is to re-fetch the latest src.rpm , and - rebuild it locally with - <code>rpm --rebuild libvirt-xxx.src.rpm</code>. - If everything goes well it will generate two binary rpm packages (one - providing the shared libs and virsh, and the other one, the -devel - package, providing includes, static libraries and scripts needed to build - applications with libvirt that you can install locally. - One can also rebuild the RPMs from a tarball: - - <code>rpmbuild -ta libdir-xxx.tar.gz</code> - - Or from a configured tree with: - - <code>make rpm</code> - - </li> - <li> - Failure to use the API for non-root users - Large parts of the API may only be accessible with root privileges, - however the read only access to the xenstore data doesnot have to be - forbidden to user, at least for monitoring purposes. If "virsh dominfo" - fails to run as an user, change the mode of the xenstore read-only socket - with: - - <code>chmod 666 /var/run/xenstored/socket_ro</code> - - and also make sure that the Xen Daemon is running correctly with local - HTTP server enabled, this is defined in - <code>/etc/xen/xend-config.sxp</code> which need the following line to be - enabled: - - <code>(xend-http-server yes)</code> - - If needed restart the xend daemon after making the change with the - following command run as root: - - <code>service xend restart</code> - - </li> - </ol> - <h3> - <a name="Compilatio" id="Compilatio">Compilation</a> - </h3> - <ol> - <li> - What is the process to compile libvirt ? - As most UNIX libraries libvirt follows the "standard": - - <code>gunzip -c libvirt-xxx.tar.gz | tar xvf -</code> - - - <code>cd libvirt-xxxx</code> - - - <code>./configure --help</code> - - to see the options, then the compilation/installation proper - - <code>./configure [possible options]</code> - - - <code>make</code> - - - <code>make install</code> - - At that point you may have to rerun ldconfig or a similar utility to - update your list of installed shared libs. - </li> - <li> - What other libraries are needed to compile/install libvirt ? - Libvirt requires libxenstore, which is usually provided by the xen - packages as well as the public headers to compile against libxenstore. - </li> - <li> - I use the GIT version and there is no configure script - The configure script (and other Makefiles) are generated. Use the - autogen.sh script to regenerate the configure script and Makefiles, - like: - - <code>./autogen.sh --prefix=/usr --disable-shared</code> - - </li> - </ol> - <h3><a name="Developer" id="Developer">Developer</a> corner</h3> - <ol> - <li> - Troubles compiling or linking programs using libvirt - To simplify the process of reusing the library, libvirt comes with - pkgconfig support, which can be used directly from autoconf support or - via the pkg-config command line tool, like: - - <code>pkg-config libvirt --libs</code> - - </li> - </ol> - </body> -</html> diff --git a/docs/Makefile.am b/docs/Makefile.am index edf6fc8..57f3d3d 100644 --- a/docs/Makefile.am +++ b/docs/Makefile.am @@ -147,8 +147,7 @@ rebuild: api all install-data-local: $(mkinstalldirs) $(DESTDIR)$(HTML_DIR) - -$(INSTALL) -m 0644 $(srcdir)/FAQ.html \ - $(srcdir)/Libxml2-Logo-90x34.gif $(DESTDIR)$(HTML_DIR) + -$(INSTALL) -m 0644 $(srcdir)/Libxml2-Logo-90x34.gif $(DESTDIR)$(HTML_DIR) $(mkinstalldirs) $(DESTDIR)$(HTML_DIR)/html for h in $(apihtml); do \ $(INSTALL) -m 0644 $(srcdir)/$$h $(DESTDIR)$(HTML_DIR)/html; done diff --git a/docs/search.php b/docs/search.php index a6c1def..bbd652a 100644 --- a/docs/search.php +++ b/docs/search.php @@ -258,7 +258,7 @@ </li><li> <a title="User contributed content" class="inactive" href="http://wiki.libvirt.org">Wiki</a> </li><li> - <a title="Frequently asked questions" class="inactive" href="FAQ.html">FAQ</a> + <a title="Frequently asked questions" class="inactive" href="http://wiki.libvirt.org/page/FAQ">FAQ</a> </li><li> <a title="How and where to report bugs and request features" class="inactive" href="bugs.html">Bug reports</a> </li><li> diff --git a/docs/sitemap.html.in b/docs/sitemap.html.in index 76d8faa..aaa0966 100644 --- a/docs/sitemap.html.in +++ b/docs/sitemap.html.in @@ -247,7 +247,7 @@ User contributed content </li> <li> - <a href="FAQ.html">FAQ</a> + <a href="http://wiki.libvirt.org/page/FAQ">FAQ</a> Frequently asked questions </li> <li> -- 1.6.6.1

2 1

[libvirt] [PATCH] website: Remove old repos from download section
by Cole Robinson 18 Mar '10

18 Mar '10

We haven't been using CVS for quite a while now, so I think we can safely drop the reference to the old server and git mirror. Signed-off-by: Cole Robinson <crobinso(a)redhat.com> --- docs/downloads.html.in | 33 --------------------------------- 1 files changed, 0 insertions(+), 33 deletions(-) diff --git a/docs/downloads.html.in b/docs/downloads.html.in index 493923c..2bfb459 100644 --- a/docs/downloads.html.in +++ b/docs/downloads.html.in @@ -43,18 +43,6 @@ <a href="http://libvirt.org/git/?p=libvirt.git;a=summary">http://libvirt.org/git/?p=libvirt.git;a=summary</a> </pre> - <h2>CVS repository access (Deprecated) </h2> - - The master source repository used to be under <a href="http://ximbiot.com/cvs/cvshome/docs/">CVS</a> - with anonymous access at: - - <pre> - - # cvs -d :pserver:anoncvs@libvirt.org:2401/data/cvs co libvirt - </pre> - The server is maintainened temporarilly for existing uses, but all - changes are only commited to git now and we expect to deprecate the CVS - server during summer 2009. <h2>Building from a source code checkout</h2> The libvirt build process uses GNU autotools, so after obtaining a @@ -69,26 +57,5 @@ make install </pre> - <h2>GIT repository mirror</h2> - - - Jim Mereying was maintaining a CVS to git mirror on - <a href="http://git.et.redhat.com/?p=libvirt.git">git.et.redhat.com</a>. - Existing users should migrate to the new libvirt.org git server, as the - old one is now deprecated. For the sake of old links including now- - rewritten SHA1s, we'll leave the old repository on-line for some time. - It is available as: - - <pre> - - git clone git://git.et.redhat.com/libvirt.git - </pre> - - It can also be browsed at - - <pre> - <a href="http://git.et.redhat.com/?p=libvirt.git;a=summary">http://git.et.redhat.com/?p=libvirt.git;a=summary</a> - </pre> - </body> </html> -- 1.6.6.1

2 1

[libvirt] [PATCH] Change logrotate to be per-hypervisor logs
by Daniel Veillard 18 Mar '10

18 Mar '10

Original bug is: https://bugzilla.redhat.com/show_bug.cgi?id=547514 maybe this could be done in slightly different way, possibly more generic, but I think doing a simple split is good enough for now. Change logrotate to be per-hypervisor logs Having a single logrotate configuration file for all hypervisors did not work as logrotate would get confused if an hypervisor not supported on that platform was still listed. Simplest is to split the logrotate as separate per hypervisor files and change the spec file to only install the ones compiled in. * daemon/libvirtd.lxc.logrotate.in daemon/libvirtd.qemu.logrotate.in daemon/libvirtd.uml.logrotate.in: copy and split the original daemon/libvirtd.logrotate.in file * daemon/Makefile.am: update to support the different files * libvirt.spec.in: only install the relevant logrotate configs diff --git a/daemon/Makefile.am b/daemon/Makefile.am index 958a4f6..d429c71 100644 --- a/daemon/Makefile.am +++ b/daemon/Makefile.am @@ -25,7 +25,9 @@ EXTRA_DIST = \ libvirtd.sasl \ libvirtd.sysconf \ libvirtd.aug \ - libvirtd.logrotate.in \ + libvirtd.qemu.logrotate.in \ + libvirtd.lxc.logrotate.in \ + libvirtd.uml.logrotate.in \ test_libvirtd.aug \ $(AVAHI_SOURCES) \ $(DAEMON_SOURCES) @@ -177,20 +179,37 @@ remote_dispatch_args.h: $(srcdir)/remote_generate_stubs.pl $(REMOTE_PROTOCOL) remote_dispatch_ret.h: $(srcdir)/remote_generate_stubs.pl $(REMOTE_PROTOCOL) perl -w $(srcdir)/remote_generate_stubs.pl -r $(REMOTE_PROTOCOL) > $@ -BUILT_SOURCES += libvirtd.logrotate +LOGROTATE_CONFS = libvirtd.qemu.logrotate libvirtd.lxc.logrotate \ + libvirtd.uml.logrotate -libvirtd.logrotate: libvirtd.logrotate.in +BUILT_SOURCES += $(LOGROTATE_CONFS) + +libvirtd.qemu.logrotate: libvirtd.qemu.logrotate.in + sed \ + -e s!\@localstatedir\@!@localstatedir@!g \ + < $< > $@-t + mv $@-t $@ + +libvirtd.lxc.logrotate: libvirtd.lxc.logrotate.in + sed \ + -e s!\@localstatedir\@!@localstatedir@!g \ + < $< > $@-t + mv $@-t $@ + +libvirtd.uml.logrotate: libvirtd.uml.logrotate.in sed \ -e s!\@localstatedir\@!@localstatedir@!g \ < $< > $@-t mv $@-t $@ -install-logrotate: libvirtd.logrotate +install-logrotate: $(LOGROTATE_CONFS) mkdir -p $(DESTDIR)$(localstatedir)/log/libvirt/qemu/ mkdir -p $(DESTDIR)$(localstatedir)/log/libvirt/lxc/ mkdir -p $(DESTDIR)$(localstatedir)/log/libvirt/uml/ mkdir -p $(DESTDIR)$(sysconfdir)/logrotate.d/ - $(INSTALL_DATA) $< $(DESTDIR)$(sysconfdir)/logrotate.d/libvirtd + $(INSTALL_DATA) libvirtd.qemu.logrotate $(DESTDIR)$(sysconfdir)/logrotate.d/libvirtd.qemu + $(INSTALL_DATA) libvirtd.lxc.logrotate $(DESTDIR)$(sysconfdir)/logrotate.d/libvirtd.lxc + $(INSTALL_DATA) libvirtd.uml.logrotate $(DESTDIR)$(sysconfdir)/logrotate.d/libvirtd.uml if LIBVIRT_INIT_SCRIPT_RED_HAT install-init: libvirtd.init diff --git a/daemon/libvirtd.logrotate.in b/daemon/libvirtd.logrotate.in deleted file mode 100644 index 0c51fd3..0000000 --- a/daemon/libvirtd.logrotate.in +++ /dev/null @@ -1,9 +0,0 @@ -@localstatedir@/log/libvirt/qemu/*.log @localstatedir@/log/libvirt/uml/*.log @localstatedir@/log/libvirt/lxc/*.log { - weekly - missingok - rotate 4 - compress - delaycompress - copytruncate - minsize 100k -} diff --git a/daemon/libvirtd.lxc.logrotate.in b/daemon/libvirtd.lxc.logrotate.in new file mode 100644 index 0000000..4e7d314 --- /dev/null +++ b/daemon/libvirtd.lxc.logrotate.in @@ -0,0 +1,9 @@ +@localstatedir@/log/libvirt/lxc/*.log { + weekly + missingok + rotate 4 + compress + delaycompress + copytruncate + minsize 100k +} diff --git a/daemon/libvirtd.qemu.logrotate.in b/daemon/libvirtd.qemu.logrotate.in new file mode 100644 index 0000000..15cf019 --- /dev/null +++ b/daemon/libvirtd.qemu.logrotate.in @@ -0,0 +1,9 @@ +@localstatedir@/log/libvirt/qemu/*.log { + weekly + missingok + rotate 4 + compress + delaycompress + copytruncate + minsize 100k +} diff --git a/daemon/libvirtd.uml.logrotate.in b/daemon/libvirtd.uml.logrotate.in new file mode 100644 index 0000000..135a37d --- /dev/null +++ b/daemon/libvirtd.uml.logrotate.in @@ -0,0 +1,9 @@ +@localstatedir@/log/libvirt/uml/*.log { + weekly + missingok + rotate 4 + compress + delaycompress + copytruncate + minsize 100k +} diff --git a/libvirt.spec.in b/libvirt.spec.in index b1c1c99..17102d9 100644 --- a/libvirt.spec.in +++ b/libvirt.spec.in @@ -668,16 +668,20 @@ fi %{_sysconfdir}/rc.d/init.d/libvirtd %config(noreplace) %{_sysconfdir}/sysconfig/libvirtd %config(noreplace) %{_sysconfdir}/libvirt/libvirtd.conf -%config(noreplace) %{_sysconfdir}/logrotate.d/libvirtd %dir %attr(0700, root, root) %{_localstatedir}/log/libvirt/qemu/ %dir %attr(0700, root, root) %{_localstatedir}/log/libvirt/lxc/ %dir %attr(0700, root, root) %{_localstatedir}/log/libvirt/uml/ %if %{with_qemu} %config(noreplace) %{_sysconfdir}/libvirt/qemu.conf +%config(noreplace) %{_sysconfdir}/logrotate.d/libvirtd.qemu %endif %if %{with_lxc} %config(noreplace) %{_sysconfdir}/libvirt/lxc.conf +%config(noreplace) %{_sysconfdir}/logrotate.d/libvirtd.lxc +%endif +%if %{with_uml} +%config(noreplace) %{_sysconfdir}/logrotate.d/libvirtd.uml %endif %dir %{_datadir}/libvirt/ -- Daniel Veillard | libxml Gnome XML XSLT toolkit http://xmlsoft.org/ daniel(a)veillard.com | Rpmfind RPM search engine http://rpmfind.net/ http://veillard.com/ | virtualization library http://libvirt.org/

4 8

[libvirt] [PATCH] Small fix for LSB compilance of init script
by Daniel Veillard 18 Mar '10

18 Mar '10

A trivial small fix: Fix LSB compliance of init script https://bugzilla.redhat.com/show_bug.cgi?id=538701 * daemon/libvirtd.init.in: daemon/libvirtd.init.in were not mentionned in the usage message and if a missing or wrong argument is given it should return 2, not 1 diff --git a/daemon/libvirtd.init.in b/daemon/libvirtd.init.in index b808ab3..4c8821b 100644 --- a/daemon/libvirtd.init.in +++ b/daemon/libvirtd.init.in @@ -106,8 +106,8 @@ case "$1" in [ -f @localstatedir@/lock/subsys/$SERVICE ] && restart || : ;; *) - echo $"Usage: $0 {start|stop|status|restart|condrestart|reload}" - exit 1 + echo $"Usage: $0 {start|stop|status|restart|condrestart|reload|force-reload|try-restart}" + exit 2 ;; esac exit $RETVAL -- Daniel Veillard | libxml Gnome XML XSLT toolkit http://xmlsoft.org/ daniel(a)veillard.com | Rpmfind RPM search engine http://rpmfind.net/ http://veillard.com/ | virtualization library http://libvirt.org/

1 1

[libvirt] [PATCH 0/13] [RFC] Network filtering (ACL) extensions for libvirt
by Stefan Berger 18 Mar '10

18 Mar '10

Hi! The following set of patches add network filtering (ACL) extensions to libvirt and enable network traffic filtering for VMs using ebtables and, depending on the networking technology being used (tap, but not macvtap), also iptables. Usage of either is optional and controlled through filters that a VM is referencing. The ebtables-level filtering is based on the XML derived from the CIM network slide 10 (filtering) from the DMTF website (http://www.dmtf.org/standards/cim/cim_schema_v2230/CIM_Network.pdf) The XML we derived from this was discussed on the list before. On the ebtables level we currently handle filtering of IPv4 and ARP traffic. The iptables-level filtering is based on similar XML where XML nodes described the particular protocol to filter for. Its extensions enable the filtering of traffic using iptables for tcp, udp, icmp, igmp, sctp and 'all' types of traffic. This list of protocols maps to the features supported by iptables and only excludes protocols like 'esp' and 'ah'. Currently only bridging mode is supported and based on availability of the physdev match. The filtering framework adds new libvirt virsh commands for managing the filters. The 5 new commands are: - virsh nwfilter-list - virsh nwfilter-dumpxml <name of filter> - virsh nwfilter-define <name of file containing filter desc.> - virsh nwfilter-undefine <name of filter> - virsh nwfilter-edit <name of filter> Above commands are similar to commands for already existing pools and as such much of the code directly related to the above commands could be borrowed from other drivers. The network filters can either contain rules using the above mentioned XML or contain references to other filters in order to build more complex filters that form some sort of filter tree or can contain both. An example for a filter referencing other filters would be this one here: <filter name='demofilter4' chain='root'> <uuid>66f62d1d-34c1-1421-824f-c62d5ee5e8b6</uuid> <filterref filter='no-mac-spoofing'/> <filterref filter='no-mac-broadcast'/> <filterref filter='no-arp-spoofing'/> <filterref filter='allow-dhcp'> <parameter name='DHCPSERVER' value='10.0.0.1'/> </filterref> <filterref filter='no-other-l2-traffic'/> <filterref filter='recv-only-vm-ipaddress'/> <filterref filter='recv-only-vm-macaddress'/> <filterref filter='l3-test'/> </filter> A filter containing actual rules would look like this: <filter name='no-mac-broadcast' chain='ipv4'> <uuid>ffe2ccd6-edec-7360-1852-6b5ccb553234</uuid> <rule action='drop' direction='out' priority='500'> <mac dstmacaddr='ff:ff:ff:ff:ff:ff'/> </rule> </filter> The filter XML now also holds a priority attribute in the rule. This provides control over the ordering of the applied ebtables/iptables rules beyond their appearance in the XML. The domain XML has been extended to reference a top level filter from within each <interface> XML node. A valid reference to such a top level filter looks like this: <interface type='bridge'> <source bridge='static'/> <filterref filter='demofilter4'> <parameter name='IP' value='9.59.241.151'/> </filterref> </interface> In this XML a parameter IP is passed for instantiation of the referenced filters, that may require the availability of this parameter. In the above case the IP parameter's value describes the value of the IP address of the VM and allows to enable those filters to be instantiated that require this 'IP' variable. If a filter requires a parameter that is not provided, the VM will not start or the interface will not attach to a running VM. Any names of parameters can be provided for instantiation of filters and their names and values only need to pass a regular expression test. Currently only MAC and IP addresses and port numbers can be replaced with variables inside the filter XML. In a subsequent patch we will be adding capability to allow users to omit the IP parameter (only) and enable libvirt to learn the IP address of the VM and have it instantiate the filter once it knows it. While virtual machines are running, it is possible to update their filters. For that all running VMs' filter 'trees' are traversed to detect whether the updated filter is referenced by the VM. If so, its ebtables/iptable rules are applied. If one of the VMs' update fails allupdates are rolled back and the filter XML update is rejected. One comment about the instantiation of the rules: Since the XML allows to create nearly any possible combination of parameters to ebtables or iptables commands, I haven't used the ebtables or iptables wrappers. Instead, I am writing ebtables/iptables command into a buffer, add command line options to each one of them as described in the rule's XML, write the buffer into a file and run it as a script. For those commands that are not allowed to fail I am using the following format to run them: cmd="ebtables <some options>" r=`${cmd}` if [ $? -ne 0 ]; then echo "Failure in command ${cmd}." exit 1 fi cmd="..." [...] If one of the command fails in such a batch, the libvirt code is going pick up the error code '1', tear down anything previously established and report an error back. The actual error message shown above is currently not reported back, but can be later on with some changes to the commands running external programs that need to read the script's stdout. One comment to patch 13: It currently #include's a .c file into a .c file only for the reason so I don't have to change too much code once I change code in the underlying patch. So this has to be changed. The patch series works without patch 13, but then only supports ebtables. The patches apply to the current tip. They pass 'make syntax-check' and have been frequently run in valgrind for memory leak checks. The order in which I apply the patches is as follows: add_recursive_locks.diff add_build_support.diff add_public_api.diff add_internal_api.diff impl_pub_api.diff def_wire_protocol_format.diff impl_rpc_client.c impl_srv_dispatch.diff add_virsh_support.diff add_xml_parsing.diff add_qemu_support.diff impl_driver.diff add_iptables_support.diff Looking forward to your feedback on the patches. Thanks and regards, Stefan and Gerhard

2 6