10:09 p.m.
I'm pushing these backports under the build-breaker rule; they
were all necessary for me to complete 'make check' on this old
branch from within Fedora 19. It will set the stage for the
CVE patches in another series.
Daniel P. Berrange (1):
Fix TLS tests with gnutls 3
Eric Blake (3):
build: allow building with newer glibc-headers and -O0
build: more workarounds for if_bridge.h
build: avoid confusing make with raw name 'undefine'
Jiri Denemark (1):
virsh: Fix POD syntax
configure.ac | 20 +++++++++++++++++---
m4/virt-compile-warnings.m4 | 8 ++++++--
src/util/virnetdevbridge.c | 18 ++++++++++++++++++
tests/Makefile.am | 10 ++++++----
tests/virnettlscontexttest.c | 25 +++++++++++++++----------
tests/{undefine => virsh-undefine} | 0
tools/virsh.pod | 4 ++--
7 files changed, 64 insertions(+), 21 deletions(-)
rename tests/{undefine => virsh-undefine} (100%)
--
1.8.3.1
10:09 p.m.
New subject: [libvirt] [v0.9.12-maint 1/5] build: allow building with newer glibc-headers and -O0
glibc 2.15 (on Fedora 17) coupled with explicit disabling of
optimization during development dies a painful death:
In file included from /usr/include/limits.h:27:0,
from /usr/lib/gcc/x86_64-redhat-linux/4.7.0/include/limits.h:169,
from /usr/lib/gcc/x86_64-redhat-linux/4.7.0/include/syslimits.h:7,
from /usr/lib/gcc/x86_64-redhat-linux/4.7.0/include/limits.h:34,
from util/bitmap.c:26:
/usr/include/features.h:314:4: error: #warning _FORTIFY_SOURCE requires compiling with
optimization (-O) [-Werror=cpp]
cc1: all warnings being treated as errors
Work around this by only conditionally defining _FORTIFY_SOURCE,
in the case where glibc can actually use it. The trick is using
AH_VERBATIM instead of AC_DEFINE.
* m4/virt-compile-warnings.m4 (LIBVIRT_COMPILE_WARNINGS): Squelch
_FORTIFY_SOURCE when needed to avoid glibc #warnings.
(cherry picked from commit 2af63b1c349114df98c163a8401fd9cf2facdabe)
---
m4/virt-compile-warnings.m4 | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/m4/virt-compile-warnings.m4 b/m4/virt-compile-warnings.m4
index 5527bff..a91d69f 100644
--- a/m4/virt-compile-warnings.m4
+++ b/m4/virt-compile-warnings.m4
@@ -102,8 +102,12 @@ AC_DEFUN([LIBVIRT_COMPILE_WARNINGS],[
# Silence certain warnings in gnulib, and use improved glibc headers
AC_DEFINE([lint], [1],
[Define to 1 if the compiler is checking for lint.])
- AC_DEFINE([_FORTIFY_SOURCE], [2],
- [enable compile-time and run-time bounds-checking, and some warnings])
+ AH_VERBATIM([FORTIFY_SOURCE],
+ [/* Enable compile-time and run-time bounds-checking, and some warnings. */
+ #if __OPTIMIZE__
+ # define _FORTIFY_SOURCE 2
+ #endif
+ ])
# Extra special flags
dnl -fstack-protector stuff passes gl_WARN_ADD with gcc
--
1.8.3.1
10:09 p.m.
New subject: [libvirt] [v0.9.12-maint 2/5] build: more workarounds for if_bridge.h
This is a second attempt at fixing the problem first attempted
in commit 2df8d99; basically undoing the fact that it was
reverted in commit 43cee32f, plus fixing two more issues: the
code in configure.ac has to EXACTLY match virnetdevbridge.c
with regards to declaring in6 types before using if_bridge.h,
and the fact that RHEL 5 has even more conflicts:
In file included from util/virnetdevbridge.c:49:
/usr/include/linux/in6.h:47: error: conflicting types for 'in6addr_any'
/usr/include/netinet/in.h:206: error: previous declaration of 'in6addr_any' was
here
/usr/include/linux/in6.h:49: error: conflicting types for 'in6addr_loopback'
/usr/include/netinet/in.h:207: error: previous declaration of 'in6addr_loopback'
was here
The rest of this commit message borrows from the original try
of 2df8d99:
A fresh checkout on a RHEL 6 machine with these packages:
kernel-headers-2.6.32-405.el6.x86_64
glibc-2.12-1.128.el6.x86_64
failed to configure with this message:
checking for linux/if_bridge.h... no
configure: error: You must install kernel-headers in order to compile libvirt with QEMU or
LXC support
Digging in config.log, we see that the problem is identical to
what we fixed earlier in commit d12c2811:
configure:98831: checking for linux/if_bridge.h
configure:98853: gcc -std=gnu99 -c -g -O2 conftest.c >&5
In file included from /usr/include/linux/if_bridge.h:17,
from conftest.c:559:
/usr/include/linux/in6.h:31: error: redefinition of 'struct in6_addr'
/usr/include/linux/in6.h:48: error: redefinition of 'struct sockaddr_in6'
/usr/include/linux/in6.h:56: error: redefinition of 'struct ipv6_mreq'
configure:98860: $? = 1
I had not hit it earlier because I was using incremental builds,
where config.cache had shielded me from the kernel-headers breakage.
* configure.ac (if_bridge.h): Avoid conflicting type definitions.
* src/util/virnetdevbridge.c (includes): Also sanitize for RHEL 5.
Signed-off-by: Eric Blake <eblake(a)redhat.com>
(cherry picked from commit 70024dc9192038575ab5217ac35080b038e5b13e)
Done in one patch rather than a series for bisectability reasons
(as intermediate patches suffer from various problems on various
platforms), and because the intermediate patches include a revert,
but it is pointless to backport two patches where one undoes the
other. Intermediate patches include: 9a2f36e, c308a9a, 1bf661c,
d12c281, 2df8d99, 43cee32 (phew, that's a mouthful).
Conflicts:
configure.ac - skip the churn of all intermediate patches
src/util/virnetdevbridge.c - ditto
---
configure.ac | 20 +++++++++++++++++---
src/util/virnetdevbridge.c | 18 ++++++++++++++++++
2 files changed, 35 insertions(+), 3 deletions(-)
diff --git a/configure.ac b/configure.ac
index a6894ae..fa9d537 100644
--- a/configure.ac
+++ b/configure.ac
@@ -848,9 +848,23 @@ fi
dnl
dnl check for kernel headers required by src/bridge.c
dnl
-if test "$with_qemu" = "yes" || test "$with_lxc" =
"yes" ; then
- AC_CHECK_HEADERS([linux/param.h linux/sockios.h linux/if_bridge.h linux/if_tun.h],,
- AC_MSG_ERROR([You must install kernel-headers in order to compile
libvirt with QEMU or LXC support]))
+if test "$with_linux" = "yes"; then
+ if test "$with_qemu" = "yes" || test "$with_lxc" =
"yes" ; then
+ AC_CHECK_HEADERS([linux/param.h linux/sockios.h linux/if_bridge.h linux/if_tun.h],,
+ [AC_MSG_ERROR([You must install kernel-headers in order to compile libvirt with
QEMU or LXC support])],
+ [[/* The kernel folks broke their headers when used with particular
+ * glibc versions; although the structs are ABI compatible, the
+ * C type system doesn't like struct redefinitions. We work around
+ * the problem here in the same manner as in virnetdevbridge.c. */
+ #include <netinet/in.h>
+ #define in6_addr in6_addr_
+ #define sockaddr_in6 sockaddr_in6_
+ #define ipv6_mreq ipv6_mreq_
+ #define in6addr_any in6addr_any_
+ #define in6addr_loopback in6addr_loopback_
+ #include <linux/in6.h>
+ ]])
+ fi
fi
diff --git a/src/util/virnetdevbridge.c b/src/util/virnetdevbridge.c
index 08c8f5c..84ab89d 100644
--- a/src/util/virnetdevbridge.c
+++ b/src/util/virnetdevbridge.c
@@ -30,13 +30,31 @@
#include "intprops.h"
#include <sys/ioctl.h>
+#include <sys/socket.h>
#ifdef HAVE_NET_IF_H
# include <net/if.h>
#endif
+#include <netinet/in.h>
+
#ifdef __linux__
# include <linux/sockios.h>
# include <linux/param.h> /* HZ */
+/* Depending on the version of kernel vs. glibc, there may be a collision
+ * between <net/in.h> and kernel IPv6 structures. The different types
+ * are ABI compatible, but choke the C type system; work around it by
+ * using temporary redefinitions. */
+# define in6_addr in6_addr_
+# define sockaddr_in6 sockaddr_in6_
+# define ipv6_mreq ipv6_mreq_
+# define in6addr_any in6addr_any_
+# define in6addr_loopback in6addr_loopback_
+# include <linux/in6.h>
# include <linux/if_bridge.h> /* SYSFS_BRIDGE_ATTR */
+# undef in6_addr
+# undef sockaddr_in6
+# undef ipv6_mreq
+# undef in6addr_any
+# undef in6addr_loopback
# define JIFFIES_TO_MS(j) (((j)*1000)/HZ)
# define MS_TO_JIFFIES(ms) (((ms)*HZ)/1000)
--
1.8.3.1
10:09 p.m.
New subject: [libvirt] [v0.9.12-maint 3/5] virsh: Fix POD syntax
From: Jiri Denemark <jdenemar(a)redhat.com>
The first two hunks fix "Unterminated I<...> sequence" error and the
last one fixes "’=item’ outside of any ’=over’" error.
(cherry picked from commit 61299a1c983a64c7e0337b94232fdd2d42c1f4f2)
Signed-off-by: Eric Blake <eblake(a)redhat.com>
Conflicts:
tools/virsh.pod - drop hunks not present this far back
---
tools/virsh.pod | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/tools/virsh.pod b/tools/virsh.pod
index ef71717..b396527 100644
--- a/tools/virsh.pod
+++ b/tools/virsh.pod
@@ -642,7 +642,7 @@ address of virtual interface (such as I<detach-interface> or
I<domif-setlink>) will accept the MAC address printed by this command.
=item B<blockcopy> I<domain> I<path> I<dest> [I<bandwidth>]
[I<--shallow>]
-[I<--reuse-external>] [I<--raw>] [I<--wait> [I<--verbose]
+[I<--reuse-external>] [I<--raw>] [I<--wait> [I<--verbose>]
[{I<--pivot> | I<--finish>}] [I<--timeout> B<seconds>]
[I<--async>]]
Copy a disk backing image chain to I<dest>. By default, this command
@@ -683,7 +683,7 @@ I<path> specifies fully-qualified path of the disk.
I<bandwidth> specifies copying bandwidth limit in Mbps.
=item B<blockpull> I<domain> I<path> [I<bandwidth>]
[I<base>]
-[I<--wait> [I<--verbose>] [I<--timeout> B<seconds>]
[I<--async]]
+[I<--wait> [I<--verbose>] [I<--timeout> B<seconds>]
[I<--async>]]
Populate a disk from its backing image chain. By default, this command
flattens the entire chain; but if I<base> is specified, containing the
--
1.8.3.1
10:09 p.m.
New subject: [libvirt] [v0.9.12-maint 4/5] build: avoid confusing make with raw name 'undefine'
Make has a builtin operator 'undefine', and coupled with latest
automake.git, this test name ended up confusing make into thinking
the file name was meant to be used as the make operator. Renaming
the file avoids the confusion.
* tests/undefine: Rename...
* tests/virsh-undefine: ...to this.
* tests/Makefile.am (test_scripts): Use new name.
Reported by Jim Meyering.
(cherry picked from commit a20f06d9d9b0353d7fb7a8e11a631253d5961b96)
---
tests/Makefile.am | 10 ++++++----
tests/{undefine => virsh-undefine} | 0
2 files changed, 6 insertions(+), 4 deletions(-)
rename tests/{undefine => virsh-undefine} (100%)
diff --git a/tests/Makefile.am b/tests/Makefile.am
index 639be58..705cbb4 100644
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -178,12 +178,13 @@ test_scripts += \
read-bufsiz \
read-non-seekable \
start \
- undefine \
vcpupin \
virsh-all \
virsh-optparse \
virsh-schedinfo \
- virsh-synopsis
+ virsh-synopsis \
+ virsh-undefine \
+ $(NULL)
test_programs += \
eventtest \
@@ -199,12 +200,13 @@ EXTRA_DIST += \
read-bufsiz \
read-non-seekable \
start \
- undefine \
vcpupin \
virsh-all \
virsh-optparse \
virsh-schedinfo \
- virsh-synopsis
+ virsh-synopsis \
+ virsh-undefine \
+ $(NULL)
endif
if WITH_SECDRIVER_APPARMOR
diff --git a/tests/undefine b/tests/virsh-undefine
similarity index 100%
rename from tests/undefine
rename to tests/virsh-undefine
--
1.8.3.1
10:09 p.m.
New subject: [libvirt] [v0.9.12-maint 5/5] Fix TLS tests with gnutls 3
From: "Daniel P. Berrange" <berrange(a)redhat.com>
When given a CA cert with basic constraints to set non-critical,
and key usage of 'key signing', this should be rejected. Version
of GNUTLS < 3 do not rejecte it though, so we never noticed the
test case was broken
Signed-off-by: Daniel P. Berrange <berrange(a)redhat.com>
(cherry picked from commit 0204d6d7a0519377b2e6bc296b00328cd748f55d)
---
tests/virnettlscontexttest.c | 25 +++++++++++++++----------
1 file changed, 15 insertions(+), 10 deletions(-)
diff --git a/tests/virnettlscontexttest.c b/tests/virnettlscontexttest.c
index e745487..78063a3 100644
--- a/tests/virnettlscontexttest.c
+++ b/tests/virnettlscontexttest.c
@@ -870,15 +870,6 @@ mymain(void)
false, false, NULL, NULL,
0, 0,
};
- /* Key usage:dig-sig:not-critical */
- static struct testTLSCertReq cacert5req = {
- NULL, NULL, "cacert5.pem", "UK",
- "libvirt CA 5", NULL, NULL, NULL, NULL,
- true, true, true,
- true, false, GNUTLS_KEY_DIGITAL_SIGNATURE,
- false, false, NULL, NULL,
- 0, 0,
- };
DO_CTX_TEST(true, cacert1req, servercertreq, false);
DO_CTX_TEST(true, cacert2req, servercertreq, false);
@@ -886,10 +877,18 @@ mymain(void)
DO_CTX_TEST(true, cacert3req, servercertreq, false);
# endif
DO_CTX_TEST(true, cacert4req, servercertreq, false);
- DO_CTX_TEST(true, cacert5req, servercertreq, false);
/* Now some bad certs */
+ /* Key usage:dig-sig:not-critical */
+ static struct testTLSCertReq cacert5req = {
+ NULL, NULL, "cacert5.pem", "UK",
+ "libvirt CA 5", NULL, NULL, NULL, NULL,
+ true, true, true,
+ true, false, GNUTLS_KEY_DIGITAL_SIGNATURE,
+ false, false, NULL, NULL,
+ 0, 0,
+ };
/* no-basic */
static struct testTLSCertReq cacert6req = {
NULL, NULL, "cacert6.pem", "UK",
@@ -909,6 +908,12 @@ mymain(void)
0, 0,
};
+ /* Technically a CA cert with basic constraints
+ * key purpose == key signing + non-critical should
+ * be rejected. GNUTLS < 3 does not reject it and
+ * we don't anticipate them changing this behaviour
+ */
+ DO_CTX_TEST(true, cacert5req, servercertreq, GNUTLS_VERSION_MAJOR >= 3);
DO_CTX_TEST(true, cacert6req, servercertreq, true);
DO_CTX_TEST(true, cacert7req, servercertreq, true);
--
1.8.3.1
4084
days inactive
4084
days old
5 comments
1 participants
participants (1)
-
Eric Blake