October 2017 - Devel - libvirt List Archives

[libvirt] [PATCH 00/12] qemu: block: Prepare for user-specified backing chains (blockdev-add saga)
by Peter Krempa 03 Nov '17

03 Nov '17

When users will specify backing chain, we need to take into account what was passed in them and/or inherit the data from the parents as we are copying the data (labels, etc...) from the parent disk source. Peter Krempa (12): storage: Extract common code to retrieve driver backend for support check storage: Add feature check for storage file backend supporting access check storage: Extract error reporting for broken chains security: selinux: Pass parent storage source into image labeling helper security: dac: Take parent security label into account security: selinux: Take parent security label into account qemu: domain: Simplify using DAC permissions of top of backing chain qemu: domain: Extract setup for disk source secrets qemu: domain: Destroy secrets for complete backing chain qemu: domain: Remove pointless alias check qemu: domain: Prepare TLS data for the whole backing chain qemu: domain: skip chain detection to end of backing chain src/qemu/qemu_domain.c | 177 ++++++++++++++++++++++++++-------------- src/qemu/qemu_domain.h | 6 +- src/qemu/qemu_driver.c | 6 +- src/qemu/qemu_hotplug.c | 2 +- src/qemu/qemu_process.c | 2 +- src/security/security_dac.c | 38 +++++++-- src/security/security_selinux.c | 26 +++--- src/storage/storage_source.c | 110 ++++++++++++++++--------- src/storage/storage_source.h | 5 ++ 9 files changed, 246 insertions(+), 126 deletions(-) -- 2.14.1

2 26

[libvirt] [PATCH 00/12] qemu: Add support for more migration parameters
by Jiri Denemark 02 Nov '17

02 Nov '17

QEMU is transforming existing special migration parameters (those which need dedicated QMP commands to be set or queried) into proper parameters handled by query-migrate-parameters and migrate-set-parameters. Even though we may still want to use the existing commands adding support for tha transformed parameters will help us clean all of them before migration and reset them to their original values after a failed migration. Thus we wouldn't need to add more ad-hoc code which resets some of them and ignores some others. Jiri Denemark (12): qemu: Generalize PARSE macro in qemuMonitorJSONGetMigrationParams qemu: Use macro for parsing string migration parameters qemu: Use macro for parsing ull migration parameters qemu: Generalize APPEND macro in qemuMonitorJSONSetMigrationParams qemu: Use macro for setting string migration parameters qemu: Drop giant if statement from qemuMonitorSetMigrationParams qemumonitorjsontest: Rename 1st CHECK macro in migration params test qemumonitorjsontest: Rename 2nd CHECK macro in migration params test qemu: Add support for setting downtime-limit migration parameter qemu: Rename TLS related migration parameters qemu: Add support for max-bandwidth migration parameter qemu: Add support for block-incremental migration parameter src/qemu/qemu_migration.c | 23 +++++----- src/qemu/qemu_monitor.c | 20 +++------ src/qemu/qemu_monitor.h | 10 ++++- src/qemu/qemu_monitor_json.c | 104 +++++++++++++++++++++++++++---------------- tests/qemumonitorjsontest.c | 46 ++++++++++++------- 5 files changed, 123 insertions(+), 80 deletions(-) -- 2.14.3

2 14

[libvirt] [PATCH v5 0/4] numa: describe sibling nodes distances
by Wim Ten Have 02 Nov '17

02 Nov '17

From: Wim ten Have <wim.ten.have(a)oracle.com> This patch extends guest domain administration adding support to advertise node sibling distances when configuring NUMA guests also referred to as vNUMA (Virtual NUMA). NUMA (Non-Uniform Memory Access), a method of configuring a cluster of nodes within a single multiprocessing system such that it shares processor local memory amongst others improving performance and the ability of the system to be expanded. A NUMA system could be illustrated as shown below. Within this 4-NODE system, every socket is equipped with its own distinct memory and some with I/O. Access to memory or I/O on remote nodes is only possible through the "Interconnect". This results in different performance for local and remote resources. In contrast to NUMA we recognize the flat SMP system where no concept of local or remote resource exists. The disadvantage of high socket count SMP systems is that the shared bus can easily become a performance bottleneck under high activity. +-------------+-------+ +-------+-------------+ |NODE0| | | | | |NODE3| | | CPU00 | CPU03 | | CPU12 | CPU15 | | | | | | | | | | | Mem +--- Socket0 ---<-------->--- Socket3 ---+ Mem | | | | | | | | | +-----+ CPU01 | CPU02 | | CPU13 | CPU14 | | | I/O | | | | | | | +-----+-------^-------+ +-------^-------+-----+ | | | Interconnect | | | +-------------v-------+ +-------v-------------+ |NODE1| | | | | |NODE2| | | CPU04 | CPU07 | | CPU08 | CPU11 | | | | | | | | | | | Mem +--- Socket1 ---<-------->--- Socket2 ---+ Mem | | | | | | | | | +-----+ CPU05 | CPU06 | | CPU09 | CPU10 | | | I/O | | | | | | | +-----+-------+-------+ +-------+-------+-----+ NUMA adds an intermediate level of memory shared amongst a few cores per socket as illustrated above, so that data accesses do not have to travel over a single bus. Unfortunately the way NUMA does this adds its own limitations. This, as visualized in the illustration above, happens when data is stored in memory associated with Socket2 and is accessed by a CPU (core) in Socket0. The processors use the "Interconnect" path to access resource on other nodes. These "Interconnect" hops add data access delays. It is therefore in our interest to describe the relative distances between nodes. The relative distances between nodes are described in the system's SLIT (System Locality Distance Information Table) which is part of the ACPI (Advanced Configuration and Power Interface) specification. On Linux systems the SLIT detail can be listed with help of the 'numactl -H' command. The above guest would show the following output. [root@f25 ~]# numactl -H available: 4 nodes (0-3) node 0 cpus: 0 1 2 3 node 0 size: 2007 MB node 0 free: 1931 MB node 1 cpus: 4 5 6 7 node 1 size: 1951 MB node 1 free: 1902 MB node 2 cpus: 8 9 10 11 node 2 size: 1998 MB node 2 free: 1910 MB node 3 cpus: 12 13 14 15 node 3 size: 2015 MB node 3 free: 1907 MB node distances: node 0 1 2 3 0: 10 21 31 21 1: 21 10 21 31 2: 31 21 10 21 3: 21 31 21 10 These patches extend core libvirt's XML description of NUMA cells to include NUMA distance information and propagate it to Xen guests via libxl. Recently qemu landed support for constructing the SLIT since commit 0f203430dd ("numa: Allow setting NUMA distance for different NUMA nodes"). The core libvirt extensions in this patch set could be used to propagate NUMA distances to qemu quests in the future. Wim ten Have (4): numa: describe siblings distances within cells xenconfig: add domxml conversions for xen-xl libxl: vnuma support xlconfigtest: add tests for numa cell sibling distances docs/formatdomain.html.in | 63 +++- docs/schemas/basictypes.rng | 7 + docs/schemas/cputypes.rng | 18 ++ src/conf/numa_conf.c | 359 ++++++++++++++++++++- src/conf/numa_conf.h | 20 ++ src/libvirt_private.syms | 5 + src/libxl/libxl_conf.c | 121 +++++++ src/libxl/libxl_driver.c | 3 +- src/xenconfig/xen_xl.c | 333 +++++++++++++++++++ .../test-fullvirt-vnuma-autocomplete.cfg | 26 ++ .../test-fullvirt-vnuma-autocomplete.xml | 85 +++++ .../test-fullvirt-vnuma-nodistances.cfg | 26 ++ .../test-fullvirt-vnuma-nodistances.xml | 53 +++ .../test-fullvirt-vnuma-partialdist.cfg | 26 ++ .../test-fullvirt-vnuma-partialdist.xml | 60 ++++ tests/xlconfigdata/test-fullvirt-vnuma.cfg | 26 ++ tests/xlconfigdata/test-fullvirt-vnuma.xml | 81 +++++ tests/xlconfigtest.c | 6 + 18 files changed, 1313 insertions(+), 5 deletions(-) create mode 100644 tests/xlconfigdata/test-fullvirt-vnuma-autocomplete.cfg create mode 100644 tests/xlconfigdata/test-fullvirt-vnuma-autocomplete.xml create mode 100644 tests/xlconfigdata/test-fullvirt-vnuma-nodistances.cfg create mode 100644 tests/xlconfigdata/test-fullvirt-vnuma-nodistances.xml create mode 100644 tests/xlconfigdata/test-fullvirt-vnuma-partialdist.cfg create mode 100644 tests/xlconfigdata/test-fullvirt-vnuma-partialdist.xml create mode 100644 tests/xlconfigdata/test-fullvirt-vnuma.cfg create mode 100644 tests/xlconfigdata/test-fullvirt-vnuma.xml -- 2.13.6

4 13

[libvirt] [PATCH v2 0/4] Predictable file names for memory-backend-file
by Michal Privoznik 02 Nov '17

02 Nov '17

v2 of: https://www.redhat.com/archives/libvir-list/2017-October/msg01063.html Patches are to be found here too: https://github.com/zippy2/libvirt/tree/qemu_mem_path_v3 diff to v1: -Dropped qemu.conf config knob -s/rmdir/virFileDeleteTree/ in qemuProcessBuildDestroyMemoryPathsImpl() because qemu leaves files behind and thus we need to unlink them too. Michal Privoznik (4): conf: s/virDomainObjGetShortName/virDomainDefGetShortName/ qemu: Move memPath generation from memoryBackingDir to a separate function qemu: Use predictable file names for memory-backend-file news: Document predictable file names for memory-backend-file docs/news.xml | 11 ++ src/conf/domain_conf.c | 4 +- src/conf/domain_conf.h | 2 +- src/libvirt_private.syms | 2 +- src/qemu/qemu_command.c | 9 +- src/qemu/qemu_conf.c | 71 ++++++++++- src/qemu/qemu_conf.h | 10 ++ src/qemu/qemu_domain.c | 4 +- src/qemu/qemu_driver.c | 19 ++- src/qemu/qemu_hotplug.c | 2 +- src/qemu/qemu_process.c | 137 +++++++++++++++------ src/qemu/qemu_process.h | 8 +- .../qemuxml2argv-cpu-numa-memshared.args | 6 +- .../qemuxml2argv-fd-memory-numa-topology.args | 3 +- .../qemuxml2argv-fd-memory-numa-topology2.args | 6 +- .../qemuxml2argv-fd-memory-numa-topology3.args | 9 +- .../qemuxml2argv-hugepages-memaccess2.args | 9 +- 17 files changed, 244 insertions(+), 68 deletions(-) -- 2.13.6

2 11

[libvirt] [PATCH go-xml] Add support for CPUTune in Domain
by Michal Rostecki 01 Nov '17

01 Nov '17

From: Michal Rostecki <michal.rostecki(a)gmail.com> Signed-off-by: Victoria Efimova <neverpushthisbutton(a)yandex.ru> Signed-off-by: Ivan Shvedunov <ischvedunov(a)mirantis.com> Signed-off-by: Miha Pleško <miha.plesko(a)xlab.si> Signed-off-by: Michal Rostecki <michal.rostecki(a)gmail.com> --- domain.go | 19 +++++++++++++++++++ domain_test.go | 20 ++++++++++++++++++++ 2 files changed, 39 insertions(+) diff --git a/domain.go b/domain.go index bacab11..3efd68c 100644 --- a/domain.go +++ b/domain.go @@ -722,6 +722,24 @@ type DomainFeatureList struct { SMM *DomainFeatureState `xml:"smm"` } +type DomainCPUTuneShares struct { + Value uint `xml:",chardata"` +} + +type DomainCPUTunePeriod struct { + Value uint64 `xml:",chardata"` +} + +type DomainCPUTuneQuota struct { + Value int64 `xml:",chardata"` +} + +type DomainCPUTune struct { + Shares *DomainCPUTuneShares `xml:"shares"` + Period *DomainCPUTunePeriod `xml:"period"` + Quota *DomainCPUTuneQuota `xml:"quota"` +} + type DomainQEMUCommandlineArg struct { Value string `xml:"value,attr"` } @@ -751,6 +769,7 @@ type Domain struct { MemoryBacking *DomainMemoryBacking `xml:"memoryBacking"` VCPU *DomainVCPU `xml:"vcpu"` VCPUs *DomainVCPUs `xml:"vcpus"` + CPUTune *DomainCPUTune `xml:"cputune"` Resource *DomainResource `xml:"resource"` SysInfo *DomainSysInfo `xml:"sysinfo"` OS *DomainOS `xml:"os"` diff --git a/domain_test.go b/domain_test.go index dbebe42..b427b50 100644 --- a/domain_test.go +++ b/domain_test.go @@ -1335,6 +1335,26 @@ var domainTestData = []struct { `</domain>`, }, }, + { + Object: &Domain{ + Name: "test", + CPUTune: &DomainCPUTune{ + Shares: &DomainCPUTuneShares{Value: 1024}, + Period: &DomainCPUTunePeriod{Value: 500000}, + Quota: &DomainCPUTuneQuota{Value: -1}, + }, + }, + Expected: []string{ + `<domain>`, + ` <name>test</name>`, + ` <cputune>`, + ` <shares>1024</shares>`, + ` <period>500000</period>`, + ` <quota>-1</quota>`, + ` </cputune>`, + `</domain>`, + }, + }, /* Tests for sub-documents that can be hotplugged */ { -- 2.13.6

2 1

[libvirt] [PATCH go-xml] Add bootp option to NetworkDHCP
by Michal Rostecki 01 Nov '17

01 Nov '17

From: Michal Rostecki <michal.rostecki(a)gmail.com> Support specyfing concrete file and TFTP server for PXE boot. Signed-off-by: Michal Rostecki <michal.rostecki(a)gmail.com> --- network.go | 6 ++++++ network_test.go | 7 +++++++ 2 files changed, 13 insertions(+) diff --git a/network.go b/network.go index 32f125a..10c4dfc 100644 --- a/network.go +++ b/network.go @@ -78,9 +78,15 @@ type NetworkDHCPHost struct { IP string `xml:"ip,attr,omitempty"` } +type NetworkBootp struct { + File string `xml:"file,attr,omitempty"` + Server string `xml:"server,attr,omitempty"` +} + type NetworkDHCP struct { Ranges []NetworkDHCPRange `xml:"range"` Hosts []NetworkDHCPHost `xml:"host"` + Bootp []NetworkBootp `xml:"bootp"` } type NetworkIP struct { diff --git a/network_test.go b/network_test.go index b1bd168..3efb278 100644 --- a/network_test.go +++ b/network_test.go @@ -100,6 +100,12 @@ var networkTestData = []struct { IP: "192.168.122.10", }, }, + Bootp: []NetworkBootp{ + NetworkBootp{ + File: "pxelinux.0", + Server: "192.168.122.1", + }, + }, }, }, NetworkIP{ @@ -179,6 +185,7 @@ var networkTestData = []struct { ` <dhcp>`, ` <range start="192.168.122.2" end="192.168.122.254"></range>`, ` <host mac="00:16:3e:77:e2:ed" name="foo.example.com" ip="192.168.122.10"></host>`, + ` <bootp file="pxelinux.0" server="192.168.122.1"></bootp>`, ` </dhcp>`, ` </ip>`, ` <ip address="2001:db8:ca2:2::1" family="ipv6" prefix="64">`, -- 2.13.6

2 1

[libvirt] [PATCH go-xml] Add address support for memory device
by zhenwei.pi 01 Nov '17

01 Nov '17

Add Base element for DomainAddress. Add address element for DomainMemorydev. Add test code for new DomainMemorydev. Signed-off-by: zhenwei.pi <zhenwei.pi(a)youruncloud.com> --- domain.go | 2 ++ domain_test.go | 9 +++++++++ 2 files changed, 11 insertions(+) diff --git a/domain.go b/domain.go index bacab11..3d9404f 100644 --- a/domain.go +++ b/domain.go @@ -297,6 +297,7 @@ type DomainAddress struct { Function *HexUint `xml:"function,attr"` Target *uint `xml:"target,attr"` Unit *uint `xml:"unit,attr"` + Base *HexUint `xml:"base,attr"` } type DomainConsole struct { @@ -450,6 +451,7 @@ type DomainMemorydev struct { Model string `xml:"model,attr"` Access string `xml:"access,attr"` Target *DomainMemorydevTarget `xml:"target"` + Address *DomainAddress `xml:"address"` } type DomainDeviceList struct { diff --git a/domain_test.go b/domain_test.go index dbebe42..cbc5d7f 100644 --- a/domain_test.go +++ b/domain_test.go @@ -66,6 +66,9 @@ var vcpuId0 uint = 0 var vcpuOrder0 uint = 1 var vcpuId1 uint = 1 +var memorydevAddressSlot HexUint = 0 +var memorydevAddressBase HexUint = 4294967296 + var domainTestData = []struct { Object Document Expected []string @@ -385,6 +388,11 @@ var domainTestData = []struct { Value: 0, }, }, + Address: &DomainAddress{ + Type: "dimm", + Slot: &memorydevAddressSlot, + Base: &memorydevAddressBase, + }, }, }, }, @@ -434,6 +442,7 @@ var domainTestData = []struct { ` <size unit="GiB">1</size>`, ` <node>0</node>`, ` </target>`, + ` <address type="dimm" slot="0" base="4294967296"></address>`, ` </memory>`, ` </devices>`, `</domain>`, -- 2.7.4

3 2

[libvirt] [PATCH v2] spec: Restart libvirtd in posttrans
by Jiri Denemark 01 Nov '17

01 Nov '17

When upgrading libvirt packages, there's no strict ordering for the installation or removal of the individual libvirt sub packages. Thus libvirt-daemon may be upgraded (and its %postun scriptlet) started before all sub packages with driver libraries are upgraded. When libvirt-daemon's %postun scriptlet restarts the daemon old drivers may still be laying around and the daemon may crash when it tries to use them. Let's restart the daemon in %posttrans to make sure libvirtd is restarted only after all sub packages are at the same version. https://bugzilla.redhat.com/show_bug.cgi?id=1464300 Signed-off-by: Jiri Denemark <jdenemar(a)redhat.com> --- libvirt.spec.in | 37 ++++++++++++++++++++++++++++++------- 1 file changed, 30 insertions(+), 7 deletions(-) diff --git a/libvirt.spec.in b/libvirt.spec.in index 0123d0655..b00689cab 100644 --- a/libvirt.spec.in +++ b/libvirt.spec.in @@ -1516,6 +1516,10 @@ fi /sbin/chkconfig --add virtlockd %endif +# request daemon restart in posttrans +mkdir -p %{_localstatedir}/lib/rpm-state/libvirt || : +touch %{_localstatedir}/lib/rpm-state/libvirt/restart || : + %preun daemon %if %{with_systemd} %if %{with_systemd_macros} @@ -1554,13 +1558,11 @@ fi if [ $1 -ge 1 ] ; then /bin/systemctl reload-or-try-restart virtlockd.service >/dev/null 2>&1 || : /bin/systemctl reload-or-try-restart virtlogd.service >/dev/null 2>&1 || : - /bin/systemctl try-restart libvirtd.service >/dev/null 2>&1 || : fi %else if [ $1 -ge 1 ]; then /sbin/service virtlockd reload > /dev/null 2>&1 || : /sbin/service virtlogd reload > /dev/null 2>&1 || : - /sbin/service libvirtd condrestart > /dev/null 2>&1 fi %endif @@ -1570,7 +1572,6 @@ fi if [ "$1" -ge "1" ]; then /sbin/service virtlockd reload > /dev/null 2>&1 || : /sbin/service virtlogd reload > /dev/null 2>&1 || : - /sbin/service libvirtd condrestart > /dev/null 2>&1 fi %endif @@ -1593,6 +1594,16 @@ if [ $1 -ge 1 ] ; then %endif fi +%posttrans daemon +if [ -f %{_localstatedir}/lib/rpm-state/libvirt/restart ]; then +%if %{with_systemd} + /bin/systemctl try-restart libvirtd.service >/dev/null 2>&1 || : +%else + /sbin/service libvirtd condrestart > /dev/null 2>&1 || : +%endif +fi +rm -rf %{_localstatedir}/lib/rpm-state/libvirt || : + %post daemon-config-network if test $1 -eq 1 && test ! -f %{_sysconfdir}/libvirt/qemu/networks/default.xml ; then # see if the network used by default network creates a conflict, @@ -1631,23 +1642,35 @@ if test $1 -eq 1 && test ! -f %{_sysconfdir}/libvirt/qemu/networks/default.xml ; ln -s ../default.xml %{_sysconfdir}/libvirt/qemu/networks/autostart/default.xml # Make sure libvirt picks up the new network defininiton + mkdir -p %{_localstatedir}/lib/rpm-state/libvirt || : + touch %{_localstatedir}/lib/rpm-state/libvirt/restart || : +fi + +%posttrans daemon-config-network +if [ -f %{_localstatedir}/lib/rpm-state/libvirt/restart ]; then %if %{with_systemd} - /bin/systemctl try-restart libvirtd.service >/dev/null 2>&1 ||: + /bin/systemctl try-restart libvirtd.service >/dev/null 2>&1 || : %else /sbin/service libvirtd condrestart > /dev/null 2>&1 || : %endif - fi - +rm -rf %{_localstatedir}/lib/rpm-state/libvirt || : %post daemon-config-nwfilter cp %{_datadir}/libvirt/nwfilter/*.xml %{_sysconfdir}/libvirt/nwfilter/ # Make sure libvirt picks up the new nwfilter defininitons +mkdir -p %{_localstatedir}/lib/rpm-state/libvirt || : +touch %{_localstatedir}/lib/rpm-state/libvirt/restart || : + +%posttrans daemon-config-nwfilter +if [ -f %{_localstatedir}/lib/rpm-state/libvirt/restart ]; then %if %{with_systemd} - /bin/systemctl try-restart libvirtd.service >/dev/null 2>&1 ||: + /bin/systemctl try-restart libvirtd.service >/dev/null 2>&1 || : %else /sbin/service libvirtd condrestart > /dev/null 2>&1 || : %endif +fi +rm -rf %{_localstatedir}/lib/rpm-state/libvirt || : %if %{with_systemd} -- 2.14.3

2 1

[libvirt] Entering freeze for next release
by Daniel Veillard 01 Nov '17

01 Nov '17

The Candidate Release 1 is tagged in git, I also pushed signed tarball and rpms to the usual place : ftp://libvirt.org/libvirt/ I'm travelling so not really in a position to do much testing, but https://ci.centos.org/view/libvirt/ is all green (yay!) so that sounds rather good ATM :-) I will try to push RC2 on Tuesday evening or Wed morning, with a final release on Tuesday 2nd, in the meantime please give it a try, as usual testing on various arches and OSes is very useful ! Thanks, Daniel -- Daniel Veillard | Red Hat Developers Tools http://developer.redhat.com/ veillard(a)redhat.com | libxml Gnome XML XSLT toolkit http://xmlsoft.org/ http://veillard.com/ | virtualization library http://libvirt.org/

2 3

[libvirt] [PATCH dbus v2] Run system instance as an unprivileged user account
by Daniel P. Berrange 31 Oct '17

31 Oct '17

There is no reason for the libvirt-dbus daemon to require root privileges. All it actually needs is ability to connect to libvirtd, which can be achieved by dropping in a polkit configuration file Now a libvirt connection to the system bus gives you privileges equivalent to root, so this doesn't really improve security on its own. It relies on there being a dbus policy that prevents users from issuing elevated APIs. For example, a DBus policy could allow non-root users to list VMs on the system bus and get their status (aka virsh list equiv). In this case, the security isolation does give some benefit. Security can be further improved if the admin uses the libvirt polkit file to restrict what libvirt-dbus is permitted to do. Signed-off-by: Daniel P. Berrange <berrange(a)redhat.com> --- configure.ac | 5 ++++ data/Makefile.am | 33 ++++++++++++++++++---- data/system/libvirt-dbus.rules.in | 8 ++++++ .../{org.libvirt.conf => org.libvirt.conf.in} | 5 +++- data/system/org.libvirt.service.in | 2 +- libvirt-dbus.spec.in | 9 ++++++ src/main.c | 8 ++++++ 7 files changed, 62 insertions(+), 8 deletions(-) create mode 100644 data/system/libvirt-dbus.rules.in rename data/system/{org.libvirt.conf => org.libvirt.conf.in} (87%) diff --git a/configure.ac b/configure.ac index 228ea11..aef3d37 100644 --- a/configure.ac +++ b/configure.ac @@ -70,6 +70,11 @@ else fi AC_SUBST(DBUS_SYSTEM_POLICIES_DIR) +LIBVIRT_ARG_WITH([SYSTEM_USER], [username to run system instance as], + ['libvirtdbus']) +SYSTEM_USER=$with_system_user +AC_SUBST([SYSTEM_USER]) + AC_OUTPUT(Makefile data/Makefile src/Makefile diff --git a/data/Makefile.am b/data/Makefile.am index 58e855f..3f27b02 100644 --- a/data/Makefile.am +++ b/data/Makefile.am @@ -9,18 +9,28 @@ system_servicedir = $(DBUS_SYSTEM_SERVICES_DIR) system_service_DATA = $(system_service_in_files:.service.in=.service) system_policy_files = \ - system/org.libvirt.conf + system/org.libvirt.conf.in system_policydir = $(DBUS_SYSTEM_POLICIES_DIR) -system_policy_DATA = $(system_policy_files) +system_policy_DATA = $(system_policy_files:.conf.in=.conf) + +polkit_files = \ + system/libvirt-dbus.rules.in +polkit_policydir = $(sysconfdir)/polkit-1/rules.d +polkit_policy_DATA = $(polkit_files:.rules.in=.rules) EXTRA_DIST = \ $(service_in_files) \ $(system_service_in_files) \ - $(system_policy_files) + $(system_policy_files) \ + $(polkit_files) \ + $(NULL) CLEANFILES = \ $(service_DATA) \ - $(system_service_DATA) + $(system_service_DATA) \ + $(system_policy_DATA) \ + $(polkit_DATA) \ + $(NULL) session/org.libvirt.service: session/org.libvirt.service.in $(AM_V_GEN)$(MKDIR_P) session && \ @@ -29,5 +39,16 @@ session/org.libvirt.service: session/org.libvirt.service.in system/org.libvirt.service: system/org.libvirt.service.in $(AM_V_GEN)$(MKDIR_P) system && \ - sed -e 's|[@]bindir[@]|$(bindir)|g' < $< > $@-t && \ - mv $@-t $@ + sed -e 's|[@]bindir[@]|$(bindir)|g' \ + -e 's|[@]SYSTEM_USER[@]|$(SYSTEM_USER)|' \ + < $< > $@-t && mv $@-t $@ + +system/org.libvirt.conf: system/org.libvirt.conf.in + $(AM_V_GEN)$(MKDIR_P) system && \ + sed -e 's|[@]SYSTEM_USER[@]|$(SYSTEM_USER)|' \ + < $< > $@-t && mv $@-t $@ + +system/libvirt-dbus.rules: system/libvirt-dbus.rules.in + $(AM_V_GEN)$(MKDIR_P) system && \ + sed -e 's|[@]SYSTEM_USER[@]|$(SYSTEM_USER)|' \ + < $< > $@-t && mv $@-t $@ diff --git a/data/system/libvirt-dbus.rules.in b/data/system/libvirt-dbus.rules.in new file mode 100644 index 0000000..4eb4ee1 --- /dev/null +++ b/data/system/libvirt-dbus.rules.in @@ -0,0 +1,8 @@ +// Allow libvirt-dbus running in dedicated account to use libvirt + +polkit.addRule(function(action, subject) { + if (action.id == "org.libvirt.unix.manage" && + subject.user == "@SYSTEM_USER@") { + return polkit.Result.YES; + } +}); diff --git a/data/system/org.libvirt.conf b/data/system/org.libvirt.conf.in similarity index 87% rename from data/system/org.libvirt.conf rename to data/system/org.libvirt.conf.in index 5cbc732..fe61b70 100644 --- a/data/system/org.libvirt.conf +++ b/data/system/org.libvirt.conf.in @@ -4,8 +4,11 @@ <busconfig> - <policy user="root"> + <policy user="@SYSTEM_USER@"> <allow own="org.libvirt"/> + </policy> + + <policy user="root"> <allow send_destination="org.libvirt"/> </policy> diff --git a/data/system/org.libvirt.service.in b/data/system/org.libvirt.service.in index 08d32a2..0d3abdd 100644 --- a/data/system/org.libvirt.service.in +++ b/data/system/org.libvirt.service.in @@ -1,4 +1,4 @@ [D-BUS Service] Name=org.libvirt Exec=@bindir@/libvirt-dbus --system -User=root +User=@SYSTEM_USER@ diff --git a/libvirt-dbus.spec.in b/libvirt-dbus.spec.in index 5be4c22..572300f 100644 --- a/libvirt-dbus.spec.in +++ b/libvirt-dbus.spec.in @@ -19,6 +19,7 @@ BuildRequires: systemd-devel >= %{systemd_version} Requires: libvirt-libs >= %{libvirt_version} Requires: systemd-libs >= %{systemd_version} +Requires(pre): shadow-utils %description This package provides integration between libvirt and the DBus @@ -37,9 +38,17 @@ rm -rf $RPM_BUILD_ROOT %clean rm -rf $RPM_BUILD_ROOT +%pre +getent group libvirtdbus >/dev/null || groupadd -r libvirtdbus +getent passwd libvirtdbus >/dev/null || \ + useradd -r -g libvirtdbus -d / -s /sbin/nologin \ + -c "Libvirt DBus bridge" libvirtdbus +exit 0 + %files %defattr(-,root,root,-) %doc README COPYING AUTHORS NEWS +%{_sysconfdir}/polkit-1/rules.d/libvirt-dbus.rules %{_bindir}/libvirt-dbus %{_datadir}/dbus-1/services/org.libvirt.service %{_datadir}/dbus-1/system-services/org.libvirt.service diff --git a/src/main.c b/src/main.c index a6a0212..225fb46 100644 --- a/src/main.c +++ b/src/main.c @@ -143,6 +143,14 @@ main(int argc, char *argv[]) } } + if (uri == NULL) { + if (system_bus) { + uri = "qemu:///system"; + } else { + uri = "qemu:///session"; + } + } + sigemptyset(&mask); sigaddset(&mask, SIGTERM); sigaddset(&mask, SIGINT); -- 2.13.6

2 1