[libvirt] [v0.9.12-maint 0/5] building 0.9.12 on newer systems

I'm pushing these backports under the build-breaker rule; they were all necessary for me to complete 'make check' on this old branch from within Fedora 19. It will set the stage for the CVE patches in another series.

Daniel P. Berrange (1):
  Fix TLS tests with gnutls 3

Eric Blake (3):
  build: allow building with newer glibc-headers and -O0
  build: more workarounds for if_bridge.h
  build: avoid confusing make with raw name 'undefine'

Jiri Denemark (1):
  virsh: Fix POD syntax

 configure.ac                       | 20 +++++++++++++++++---
 m4/virt-compile-warnings.m4        |  8 ++++++--
 src/util/virnetdevbridge.c         | 18 ++++++++++++++++++
 tests/Makefile.am                  | 10 ++++++----
 tests/virnettlscontexttest.c       | 25 +++++++++++++++----------
 tests/{undefine => virsh-undefine} |  0
 tools/virsh.pod                    |  4 ++--
 7 files changed, 64 insertions(+), 21 deletions(-)
 rename tests/{undefine => virsh-undefine} (100%)

--
1.8.3.1

glibc 2.15 (on Fedora 17) coupled with explicit disabling of optimization during development dies a painful death: In file included from /usr/include/limits.h:27:0, from /usr/lib/gcc/x86_64-redhat-linux/4.7.0/include/limits.h:169, from /usr/lib/gcc/x86_64-redhat-linux/4.7.0/include/syslimits.h:7, from /usr/lib/gcc/x86_64-redhat-linux/4.7.0/include/limits.h:34, from util/bitmap.c:26: /usr/include/features.h:314:4: error: #warning _FORTIFY_SOURCE requires compiling with optimization (-O) [-Werror=cpp] cc1: all warnings being treated as errors Work around this by only conditionally defining _FORTIFY_SOURCE, in the case where glibc can actually use it. The trick is using AH_VERBATIM instead of AC_DEFINE. * m4/virt-compile-warnings.m4 (LIBVIRT_COMPILE_WARNINGS): Squelch _FORTIFY_SOURCE when needed to avoid glibc #warnings. (cherry picked from commit 2af63b1c349114df98c163a8401fd9cf2facdabe) --- m4/virt-compile-warnings.m4 | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/m4/virt-compile-warnings.m4 b/m4/virt-compile-warnings.m4 index 5527bff..a91d69f 100644 --- a/m4/virt-compile-warnings.m4 +++ b/m4/virt-compile-warnings.m4 @@ -102,8 +102,12 @@ AC_DEFUN([LIBVIRT_COMPILE_WARNINGS],[ # Silence certain warnings in gnulib, and use improved glibc headers AC_DEFINE([lint], [1], [Define to 1 if the compiler is checking for lint.]) - AC_DEFINE([_FORTIFY_SOURCE], [2], - [enable compile-time and run-time bounds-checking, and some warnings]) + AH_VERBATIM([FORTIFY_SOURCE], + [/* Enable compile-time and run-time bounds-checking, and some warnings. */ + #if __OPTIMIZE__ + # define _FORTIFY_SOURCE 2 + #endif + ]) # Extra special flags dnl -fstack-protector stuff passes gl_WARN_ADD with gcc -- 1.8.3.1
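
Review bot: In the AH_VERBATIM body, `#if __OPTIMIZE__` tests an identifier that is not defined at -O0, which is the very configuration this patch targets, so a build that also turns on -Wundef with warnings as errors would fail on the new line; `#if defined __OPTIMIZE__ && __OPTIMIZE__` avoids that. The block also defines `_FORTIFY_SOURCE` whenever optimization is on, so a build that passes a different -D_FORTIFY_SOURCE value on the command line gets a macro redefinition; adding `!defined _FORTIFY_SOURCE` to the condition covers it. The generated comment should state that -O0 builds run without the fortify bounds checks, so that nobody tests or ships such a build expecting them.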

This is a second attempt at fixing the problem first attempted in commit 2df8d99; basically undoing the fact that it was reverted in commit 43cee32f, plus fixing two more issues: the code in configure.ac has to EXACTLY match virnetdevbridge.c with regards to declaring in6 types before using if_bridge.h, and the fact that RHEL 5 has even more conflicts: In file included from util/virnetdevbridge.c:49: /usr/include/linux/in6.h:47: error: conflicting types for 'in6addr_any' /usr/include/netinet/in.h:206: error: previous declaration of 'in6addr_any' was here /usr/include/linux/in6.h:49: error: conflicting types for 'in6addr_loopback' /usr/include/netinet/in.h:207: error: previous declaration of 'in6addr_loopback' was here The rest of this commit message borrows from the original try of 2df8d99: A fresh checkout on a RHEL 6 machine with these packages: kernel-headers-2.6.32-405.el6.x86_64 glibc-2.12-1.128.el6.x86_64 failed to configure with this message: checking for linux/if_bridge.h... no configure: error: You must install kernel-headers in order to compile libvirt with QEMU or LXC support Digging in config.log, we see that the problem is identical to what we fixed earlier in commit d12c2811: configure:98831: checking for linux/if_bridge.h configure:98853: gcc -std=gnu99 -c -g -O2 conftest.c >&5 In file included from /usr/include/linux/if_bridge.h:17, from conftest.c:559: /usr/include/linux/in6.h:31: error: redefinition of 'struct in6_addr' /usr/include/linux/in6.h:48: error: redefinition of 'struct sockaddr_in6' /usr/include/linux/in6.h:56: error: redefinition of 'struct ipv6_mreq' configure:98860: $? = 1 I had not hit it earlier because I was using incremental builds, where config.cache had shielded me from the kernel-headers breakage. * configure.ac (if_bridge.h): Avoid conflicting type definitions. * src/util/virnetdevbridge.c (includes): Also sanitize for RHEL 5. 
Signed-off-by: Eric Blake <eblake@redhat.com> (cherry picked from commit 70024dc9192038575ab5217ac35080b038e5b13e) Done in one patch rather than a series for bisectability reasons (as intermediate patches suffer from various problems on various platforms), and because the intermediate patches include a revert, but it is pointless to backport two patches where one undoes the other. Intermediate patches include: 9a2f36e, c308a9a, 1bf661c, d12c281, 2df8d99, 43cee32 (phew, that's a mouthful). Conflicts: configure.ac - skip the churn of all intermediate patches src/util/virnetdevbridge.c - ditto --- configure.ac | 20 +++++++++++++++++--- src/util/virnetdevbridge.c | 18 ++++++++++++++++++ 2 files changed, 35 insertions(+), 3 deletions(-) diff --git a/configure.ac b/configure.ac index a6894ae..fa9d537 100644 --- a/configure.ac +++ b/configure.ac @@ -848,9 +848,23 @@ fi dnl dnl check for kernel headers required by src/bridge.c dnl -if test "$with_qemu" = "yes" || test "$with_lxc" = "yes" ; then - AC_CHECK_HEADERS([linux/param.h linux/sockios.h linux/if_bridge.h linux/if_tun.h],, - AC_MSG_ERROR([You must install kernel-headers in order to compile libvirt with QEMU or LXC support])) +if test "$with_linux" = "yes"; then + if test "$with_qemu" = "yes" || test "$with_lxc" = "yes" ; then + AC_CHECK_HEADERS([linux/param.h linux/sockios.h linux/if_bridge.h linux/if_tun.h],, + [AC_MSG_ERROR([You must install kernel-headers in order to compile libvirt with QEMU or LXC support])], + [[/* The kernel folks broke their headers when used with particular + * glibc versions; although the structs are ABI compatible, the + * C type system doesn't like struct redefinitions. We work around + * the problem here in the same manner as in virnetdevbridge.c. */ + #include <netinet/in.h> + #define in6_addr in6_addr_ + #define sockaddr_in6 sockaddr_in6_ + #define ipv6_mreq ipv6_mreq_ + #define in6addr_any in6addr_any_ + #define in6addr_loopback in6addr_loopback_ + #include <linux/in6.h> + ]]) + fi fi 
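
Review bot: The prologue passed as the fourth argument of AC_CHECK_HEADERS is compiled in front of every header in the list, so a failure inside `<netinet/in.h>` or `<linux/in6.h>` makes linux/param.h, linux/sockios.h and linux/if_tun.h report as missing as well, and the user is told to install kernel-headers when the real cause is the in6 collision. Consider applying the prologue only to the linux/if_bridge.h check, or pointing the error message at config.log. The prologue also omits the `<sys/socket.h>` include that the virnetdevbridge.c hunk places ahead of `<netinet/in.h>`; since the two copies are meant to match, keep the include order identical in both.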
diff --git a/src/util/virnetdevbridge.c b/src/util/virnetdevbridge.c index 08c8f5c..84ab89d 100644 --- a/src/util/virnetdevbridge.c +++ b/src/util/virnetdevbridge.c @@ -30,13 +30,31 @@ #include "intprops.h" #include <sys/ioctl.h> +#include <sys/socket.h> #ifdef HAVE_NET_IF_H # include <net/if.h> #endif +#include <netinet/in.h> + #ifdef __linux__ # include <linux/sockios.h> # include <linux/param.h> /* HZ */ +/* Depending on the version of kernel vs. glibc, there may be a collision + * between <net/in.h> and kernel IPv6 structures. The different types + * are ABI compatible, but choke the C type system; work around it by + * using temporary redefinitions. */ +# define in6_addr in6_addr_ +# define sockaddr_in6 sockaddr_in6_ +# define ipv6_mreq ipv6_mreq_ +# define in6addr_any in6addr_any_ +# define in6addr_loopback in6addr_loopback_ +# include <linux/in6.h> # include <linux/if_bridge.h> /* SYSFS_BRIDGE_ATTR */ +# undef in6_addr +# undef sockaddr_in6 +# undef ipv6_mreq +# undef in6addr_any +# undef in6addr_loopback # define JIFFIES_TO_MS(j) (((j)*1000)/HZ) # define MS_TO_JIFFIES(ms) (((ms)*HZ)/1000) -- 1.8.3.1
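
Review bot: The new comment in the `__linux__` block names `<net/in.h>`, but the header this hunk includes, and the one that collides with `<linux/in6.h>`, is `<netinet/in.h>`; correct the name so that a grep for the header finds the workaround. The comment should also say that the five `# define` lines must be kept in step with the copy in configure.ac, as the configure.ac comment already does in the other direction.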

From: Jiri Denemark <jdenemar@redhat.com> The first two hunks fix "Unterminated I<...> sequence" error and the last one fixes "’=item’ outside of any ’=over’" error. (cherry picked from commit 61299a1c983a64c7e0337b94232fdd2d42c1f4f2) Signed-off-by: Eric Blake <eblake@redhat.com> Conflicts: tools/virsh.pod - drop hunks not present this far back --- tools/virsh.pod | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tools/virsh.pod b/tools/virsh.pod index ef71717..b396527 100644 --- a/tools/virsh.pod +++ b/tools/virsh.pod @@ -642,7 +642,7 @@ address of virtual interface (such as I<detach-interface> or I<domif-setlink>) will accept the MAC address printed by this command. =item B<blockcopy> I<domain> I<path> I<dest> [I<bandwidth>] [I<--shallow>] -[I<--reuse-external>] [I<--raw>] [I<--wait> [I<--verbose] +[I<--reuse-external>] [I<--raw>] [I<--wait> [I<--verbose>] [{I<--pivot> | I<--finish>}] [I<--timeout> B<seconds>] [I<--async>]] Copy a disk backing image chain to I<dest>. By default, this command @@ -683,7 +683,7 @@ I<path> specifies fully-qualified path of the disk. I<bandwidth> specifies copying bandwidth limit in Mbps. =item B<blockpull> I<domain> I<path> [I<bandwidth>] [I<base>] -[I<--wait> [I<--verbose>] [I<--timeout> B<seconds>] [I<--async]] +[I<--wait> [I<--verbose>] [I<--timeout> B<seconds>] [I<--async>]] Populate a disk from its backing image chain. By default, this command flattens the entire chain; but if I<base> is specified, containing the -- 1.8.3.1
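
Review bot: The commit message body still describes a third hunk fixing the '=item' outside '=over' error, but this backport carries only the two `I<...>` terminations (`I<--verbose>` in blockcopy and `I<--async>` in blockpull); say in the body which error is left unaddressed on this branch so nobody looks for the missing hunk. As a style point, both synopsis lines mark the timeout value as `B<seconds>` while other value placeholders such as `I<bandwidth>` use `I<>`.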

Make has a builtin operator 'undefine', and coupled with latest automake.git, this test name ended up confusing make into thinking the file name was meant to be used as the make operator. Renaming the file avoids the confusion. * tests/undefine: Rename... * tests/virsh-undefine: ...to this. * tests/Makefile.am (test_scripts): Use new name. Reported by Jim Meyering. (cherry picked from commit a20f06d9d9b0353d7fb7a8e11a631253d5961b96) --- tests/Makefile.am | 10 ++++++---- tests/{undefine => virsh-undefine} | 0 2 files changed, 6 insertions(+), 4 deletions(-) rename tests/{undefine => virsh-undefine} (100%) diff --git a/tests/Makefile.am b/tests/Makefile.am index 639be58..705cbb4 100644 --- a/tests/Makefile.am +++ b/tests/Makefile.am @@ -178,12 +178,13 @@ test_scripts += \ read-bufsiz \ read-non-seekable \ start \ - undefine \ vcpupin \ virsh-all \ virsh-optparse \ virsh-schedinfo \ - virsh-synopsis + virsh-synopsis \ + virsh-undefine \ + $(NULL) test_programs += \ eventtest \ @@ -199,12 +200,13 @@ EXTRA_DIST += \ read-bufsiz \ read-non-seekable \ start \ - undefine \ vcpupin \ virsh-all \ virsh-optparse \ virsh-schedinfo \ - virsh-synopsis + virsh-synopsis \ + virsh-undefine \ + $(NULL) endif if WITH_SECDRIVER_APPARMOR diff --git a/tests/undefine b/tests/virsh-undefine similarity index 100% rename from tests/undefine rename to tests/virsh-undefine -- 1.8.3.1
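
Review bot: The rename has to be applied to two hand-maintained copies of the same script list (test_scripts and EXTRA_DIST), which is how one copy goes stale; if the two lists are meant to be identical, a shared variable would turn the next rename into a one-line change. The new `$(NULL)` terminator relies on NULL never being assigned anywhere in the makefiles, so add a short comment to that effect if this branch does not already document the convention.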

From: "Daniel P. Berrange" <berrange@redhat.com> When given a CA cert with basic constraints to set non-critical, and key usage of 'key signing', this should be rejected. Versions of GNUTLS < 3 do not reject it though, so we never noticed the test case was broken. Signed-off-by: Daniel P. Berrange <berrange@redhat.com> (cherry picked from commit 0204d6d7a0519377b2e6bc296b00328cd748f55d) --- tests/virnettlscontexttest.c | 25 +++++++++++++++---------- 1 file changed, 15 insertions(+), 10 deletions(-) diff --git a/tests/virnettlscontexttest.c b/tests/virnettlscontexttest.c index e745487..78063a3 100644 --- a/tests/virnettlscontexttest.c +++ b/tests/virnettlscontexttest.c @@ -870,15 +870,6 @@ mymain(void) false, false, NULL, NULL, 0, 0, }; - /* Key usage:dig-sig:not-critical */ - static struct testTLSCertReq cacert5req = { - NULL, NULL, "cacert5.pem", "UK", - "libvirt CA 5", NULL, NULL, NULL, NULL, - true, true, true, - true, false, GNUTLS_KEY_DIGITAL_SIGNATURE, - false, false, NULL, NULL, - 0, 0, - }; DO_CTX_TEST(true, cacert1req, servercertreq, false); DO_CTX_TEST(true, cacert2req, servercertreq, false); @@ -886,10 +877,18 @@ mymain(void) DO_CTX_TEST(true, cacert3req, servercertreq, false); # endif DO_CTX_TEST(true, cacert4req, servercertreq, false); - DO_CTX_TEST(true, cacert5req, servercertreq, false); /* Now some bad certs */ + /* Key usage:dig-sig:not-critical */ + static struct testTLSCertReq cacert5req = { + NULL, NULL, "cacert5.pem", "UK", + "libvirt CA 5", NULL, NULL, NULL, NULL, + true, true, true, + true, false, GNUTLS_KEY_DIGITAL_SIGNATURE, + false, false, NULL, NULL, + 0, 0, + }; /* no-basic */ static struct testTLSCertReq cacert6req = { NULL, NULL, "cacert6.pem", "UK", 
@@ -909,6 +908,12 @@ mymain(void) 0, 0, }; + /* Technically a CA cert with basic constraints + * key purpose == key signing + non-critical should + * be rejected. GNUTLS < 3 does not reject it and + * we don't anticipate them changing this behaviour + */ + DO_CTX_TEST(true, cacert5req, servercertreq, GNUTLS_VERSION_MAJOR >= 3); DO_CTX_TEST(true, cacert6req, servercertreq, true); DO_CTX_TEST(true, cacert7req, servercertreq, true); -- 1.8.3.1
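
Review bot: `GNUTLS_VERSION_MAJOR >= 3` in the new DO_CTX_TEST line is the version of the headers the test was compiled against, not of the library loaded at run time, so the expected result is wrong whenever the two differ; `gnutls_check_version("3.0.0") != NULL` would tie the expectation to the library that actually performs the verification. The new comment speaks of "key signing" while the cacert5req request moved in the earlier hunk sets GNUTLS_KEY_DIGITAL_SIGNATURE and is labelled "dig-sig"; use one term so the reason for the rejection can be read off the test. It would also help to state next to the expectation that on GnuTLS < 3 this CA certificate is accepted, since that is the security-relevant behaviour the test records.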