Hello community, here is the log from the commit of package libvirt for openSUSE:Factory checked in at 2014-07-17 06:58:22 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/libvirt (Old) and /work/SRC/openSUSE:Factory/.libvirt.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "libvirt" Changes: --------
--- /work/SRC/openSUSE:Factory/libvirt/libvirt.changes 2014-07-04 17:18:50.000000000 +0200
+++ /work/SRC/openSUSE:Factory/.libvirt.new/libvirt.changes 2014-07-17 06:58:33.000000000 +0200
@@ -1,0 +2,27 @@
+Wed Jul 16 12:07:33 UTC 2014 - cbosdonnat@suse.com
+
+- lxc AppArmor profile now only restricting potentially dangerous
+ accesses. fdo#886460
+- Add virt-lxc-convert to libvirt-daemon-driver-lxc package
+
+- added patches:
+ * 9265f8ab-apparmor-lxc-rework.patch
+ * 9b1e4cd5-skip-useless-apparmor-files.patch
+-------------------------------------------------------------------
+Wed Jul 16 11:40:35 UTC 2014 - cbosdonnat@suse.com
+
+- virt-lxc-convert: force free to output values in bytes
+
+- added patches:
+ * dba3432b-virt-lxc-convert-fix.patch
+
+-------------------------------------------------------------------
+Wed Jul 16 11:33:31 UTC 2014 - cbosdonnat@suse.com
+
+- lxc: allow setting a custom name for container NICs as LXC is
+ is able to do it.
+ lxc-net-target-name.patch,
+ lxc-net-target-name-conversion.patch,
+ lxc-net-target-name-doc.patch
+
+-------------------------------------------------------------------
New: ---- 9265f8ab-apparmor-lxc-rework.patch 9b1e4cd5-skip-useless-apparmor-files.patch dba3432b-virt-lxc-convert-fix.patch lxc-net-target-name-conversion.patch lxc-net-target-name-doc.patch lxc-net-target-name.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ libvirt.spec ++++++
--- /var/tmp/diff_new_pack.Wx15vU/_old 2014-07-17 06:58:35.000000000 +0200
+++ /var/tmp/diff_new_pack.Wx15vU/_new 2014-07-17 06:58:35.000000000 +0200
@@ -428,6 +428,9 @@
 Source2: libvirtd-relocation-server.fw
 Source99: baselibs.conf
 # Upstream patches
+Patch0: dba3432b-virt-lxc-convert-fix.patch
+Patch1: 9b1e4cd5-skip-useless-apparmor-files.patch
+Patch2: 9265f8ab-apparmor-lxc-rework.patch
 # Need to go upstream
 Patch100: xen-name-for-devid.patch
 Patch101: xen-pv-cdrom.patch
@@ -436,6 +439,9 @@
 Patch150: lxc-keep-caps-feature.patch
 Patch151: lxc-keep-caps-feature-conversion.patch
 Patch152: lxc-keep-caps-feature-doc.patch
+Patch153: lxc-net-target-name.patch
+Patch154: lxc-net-target-name-conversion.patch
+Patch155: lxc-net-target-name-doc.patch
 # Our patches
 Patch200: libvirtd-defaults.patch
 Patch201: libvirtd-init-script.patch
@@ -947,12 +953,18 @@
 %prep
 %setup -q
+%patch0 -p1
+%patch1 -p1
+%patch2 -p1
 %patch100 -p1
 %patch101 -p1
 %patch102 -p1
 %patch150 -p1
 %patch151 -p1
 %patch152 -p1
+%patch153 -p1
+%patch154 -p1
+%patch155 -p1
 %patch200 -p1
 %patch201 -p1
 %patch202 -p1
@@ -1183,6 +1195,7 @@
 do
 (cd examples/$i ; make clean ; rm -rf .deps .libs Makefile Makefile.in)
 done
+cp examples/lxcconvert/virt-lxc-convert $RPM_BUILD_ROOT%{_bindir}
 rm -f $RPM_BUILD_ROOT%{_libdir}/*.la
 rm -f $RPM_BUILD_ROOT%{_libdir}/*.a
 rm -f $RPM_BUILD_ROOT%{_libdir}/%{name}/lock-driver/*.la
@@ -1488,7 +1501,8 @@
 %config(noreplace) %{_sysconfdir}/apparmor.d/usr.lib.libvirt.virt-aa-helper
 %config(noreplace) %{_sysconfdir}/apparmor.d/abstractions/libvirt-qemu
 %config(noreplace) %{_sysconfdir}/apparmor.d/abstractions/libvirt-lxc
-%config(noreplace) %{_sysconfdir}/apparmor.d/libvirt/TEMPLATE
+%config(noreplace) %{_sysconfdir}/apparmor.d/libvirt/TEMPLATE.lxc
+%config(noreplace) %{_sysconfdir}/apparmor.d/libvirt/TEMPLATE.qemu
 %{_libdir}/%{name}/virt-aa-helper
 %endif
 %config %{_fwdefdir}/libvirtd-relocation-server
@@ -1648,6 +1662,7 @@
 %{_datadir}/augeas/lenses/tests/test_libvirtd_lxc.aug
 %dir %{_libdir}/%{name}/connection-driver
 %{_libdir}/%{name}/connection-driver/libvirt_driver_lxc.so
+%attr(0755, root, root) %{_bindir}/virt-lxc-convert
 %endif
 %if %{with_uml}
++++++ 9265f8ab-apparmor-lxc-rework.patch ++++++
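Review bot: The `cp examples/lxcconvert/virt-lxc-convert $RPM_BUILD_ROOT%{_bindir}` added in the `@@ -1183,6 +1195,7 @@` hunk runs unconditionally, while the matching `%attr(0755, root, root) %{_bindir}/virt-lxc-convert` in the `@@ -1648,6 +1662,7 @@` hunk sits inside an `%if` block whose condition is outside the hunk (it closes right after the lxc connection driver entry). A build with that condition switched off would then leave an installed-but-unpackaged file, which rpmbuild rejects by default. Wrapping the copy in the same condition and using `install -m 0755 examples/lxcconvert/virt-lxc-convert $RPM_BUILD_ROOT%{_bindir}/virt-lxc-convert` keeps the install step and the %files list in step, and sets the executable bit at install time instead of relying on `%attr` to repair whatever mode `cp` produced.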
From 9265f8ab67dc14fe89a26efd5c22b156d3168fd6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?C=C3=A9dric=20Bosdonnat?=
Date: Tue, 15 Jul 2014 11:02:50 +0200 Subject: [PATCH] Rework lxc apparmor profile
Rework the apparmor lxc profile abstraction to mimic ubuntu's container-default.
This profile allows quite a lot, but strives to restrict access to
dangerous resources.
Removing the explicit authorizations to bash, systemd and cron files,
forces them to keep the lxc profile for all applications inside the
container. PUx permissions were leading to running systemd (and other
tasks) unconfined.
Put the generic files, network and capabilities restrictions directly
in the TEMPLATE.lxc: this way, users can restrict them on a per
container basis.
---
examples/apparmor/Makefile.am | 6 +-
examples/apparmor/TEMPLATE.lxc | 15 ++++
examples/apparmor/{TEMPLATE => TEMPLATE.qemu} | 2 +-
examples/apparmor/libvirt-lxc | 119 +++++++++++++++++++++++---
src/security/security_apparmor.c | 21 +++--
src/security/virt-aa-helper.c | 29 +------
6 files changed, 149 insertions(+), 43 deletions(-)
create mode 100644 examples/apparmor/TEMPLATE.lxc
rename examples/apparmor/{TEMPLATE => TEMPLATE.qemu} (75%)
Index: libvirt-1.2.6/examples/apparmor/Makefile.am
===================================================================
--- libvirt-1.2.6.orig/examples/apparmor/Makefile.am
+++ libvirt-1.2.6/examples/apparmor/Makefile.am
@@ -15,7 +15,8 @@
## http://www.gnu.org/licenses/.
EXTRA_DIST= \
- TEMPLATE \
+ TEMPLATE.qemu \
+ TEMPLATE.lxc \
libvirt-qemu \
libvirt-lxc \
usr.lib.libvirt.virt-aa-helper \
@@ -36,6 +37,7 @@ abstractions_DATA = \
templatesdir = $(apparmordir)/libvirt
templates_DATA = \
- TEMPLATE \
+ TEMPLATE.qemu \
+ TEMPLATE.lxc \
$(NULL)
endif WITH_APPARMOR_PROFILES
Index: libvirt-1.2.6/examples/apparmor/TEMPLATE.lxc
===================================================================
--- /dev/null
+++ libvirt-1.2.6/examples/apparmor/TEMPLATE.lxc
@@ -0,0 +1,15 @@
+#
+# This profile is for the domain whose UUID matches this file.
+#
+
+#include
From 236a18572216a35f742824f4056108245fac3082 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?C=C3=A9dric=20Bosdonnat?=
Date: Fri, 4 Jul 2014 15:57:17 +0200 Subject: [PATCH] virt-lxc-convert: make free return values in bytes
---
 examples/lxcconvert/virt-lxc-convert | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Index: libvirt-1.2.5/examples/lxcconvert/virt-lxc-convert
===================================================================
--- libvirt-1.2.5.orig/examples/lxcconvert/virt-lxc-convert
+++ libvirt-1.2.5/examples/lxcconvert/virt-lxc-convert
@@ -64,7 +64,7 @@
 if test -r "$fstab"; then
 sed 's/^\([^#]\)/lxc.mount.entry = \1/' "$fstab" >>"${conf_new}"
 fi
-memory=$(free | sed -n '/Mem:/s/ \+/ /gp' | cut -f 2 -d ' ')
+memory=$(free -b | sed -n '/Mem:/s/ \+/ /gp' | cut -f 2 -d ' ')
 default_tmpfs="size=$((memory/2))"
 # Do we have tmpfs without size param?
++++++ install-apparmor-profiles.patch ++++++
--- /var/tmp/diff_new_pack.Wx15vU/_old 2014-07-17 06:58:35.000000000 +0200
+++ /var/tmp/diff_new_pack.Wx15vU/_new 2014-07-17 06:58:35.000000000 +0200
@@ -2,8 +2,8 @@
 ===================================================================
 --- libvirt-1.2.6.orig/examples/apparmor/Makefile.am
 +++ libvirt-1.2.6/examples/apparmor/Makefile.am
-@@ -18,10 +18,22 @@ EXTRA_DIST= \
- TEMPLATE \
+@@ -19,10 +19,22 @@ EXTRA_DIST= \
+ TEMPLATE.lxc \
 libvirt-qemu \
 libvirt-lxc \
- usr.lib.libvirt.virt-aa-helper \
++++++ lxc-net-target-name-conversion.patch ++++++
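Review bot: `memory` is still used unchecked after the switch to `free -b`: when `free` is not installed, or prints a layout the `/Mem:/` filter does not match, the assignment yields an empty string, shell arithmetic treats that as 0, and `default_tmpfs` becomes `size=0`, which the tmpfs mount options document as "no limit" rather than the intended half of RAM. Reading the value from the kernel directly removes the dependency on procps output formatting, e.g. `memory=$(awk '/^MemTotal:/ { print $2 * 1024 }' /proc/meminfo)`, and a guard such as `case $memory in ''|*[!0-9]*) echo "cannot determine memory size" >&2; exit 1;; esac` turns the remaining failure mode into an explicit error instead of a silently unbounded tmpfs.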
From 27b425b5f77029bf0d322afb930eabf6ec6899e4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?C=C3=A9dric=20Bosdonnat?=
Date: Wed, 2 Jul 2014 15:13:40 +0200 Subject: [PATCH 1/2] lxc conf2xml: convert lxc.network.name for veth networks
---
 src/lxc/lxc_native.c | 22 ++++++++++++++++------
 .../lxcconf2xmldata/lxcconf2xml-physnetwork.config | 1 +
 tests/lxcconf2xmldata/lxcconf2xml-simple.xml | 1 +
 3 files changed, 18 insertions(+), 6 deletions(-)
Index: libvirt-1.2.5/src/lxc/lxc_native.c
===================================================================
--- libvirt-1.2.5.orig/src/lxc/lxc_native.c
+++ libvirt-1.2.5/src/lxc/lxc_native.c
@@ -338,7 +338,8 @@ lxcCreateNetDef(const char *type,
 const char *linkdev,
 const char *mac,
 const char *flag,
- const char *macvlanmode)
+ const char *macvlanmode,
+ const char *name)
 {
 virDomainNetDefPtr net = NULL;
 virMacAddr macAddr;
@@ -353,6 +354,8 @@ lxcCreateNetDef(const char *type,
 net->linkstate = VIR_DOMAIN_NET_INTERFACE_LINK_STATE_DOWN;
 }
+ if (name && VIR_STRDUP(net->ifname_guest, name) < 0)
+ goto error;
 if (mac && virMacAddrParse(mac, &macAddr) == 0)
 net->mac = macAddr;
@@ -416,7 +419,8 @@ lxcAddNetworkDefinition(virDomainDefPtr
 const char *mac,
 const char *flag,
 const char *macvlanmode,
- const char *vlanid)
+ const char *vlanid,
+ const char *name)
 {
 virDomainNetDefPtr net = NULL;
 virDomainHostdevDefPtr hostdev = NULL;
@@ -452,7 +456,7 @@ lxcAddNetworkDefinition(virDomainDefPtr
 goto error;
 def->hostdevs[def->nhostdevs - 1] = hostdev;
 } else {
- if (!(net = lxcCreateNetDef(type, linkdev, mac, flag, macvlanmode)))
+ if (!(net = lxcCreateNetDef(type, linkdev, mac, flag, macvlanmode, name)))
 goto error;
 if (VIR_EXPAND_N(def->nets, def->nnets, 1) < 0)
@@ -476,6 +480,7 @@ typedef struct {
 char *flag;
 char *macvlanmode;
 char *vlanid;
+ char *name;
 bool privnet;
 size_t networks;
 } lxcNetworkParseData;
@@ -492,7 +497,8 @@ lxcNetworkWalkCallback(const char *name,
 parseData->link, parseData->mac, parseData->flag, parseData->macvlanmode,
- parseData->vlanid);
+ parseData->vlanid,
+ parseData->name);
 if (status < 0)
 return -1;
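Review bot: In the `@@ -452,7 +456,7 @@` hunk `name` is forwarded only on the `lxcCreateNetDef` branch of `lxcAddNetworkDefinition`; on the hostdev branch (`def->hostdevs[def->nhostdevs - 1] = hostdev;`, whose condition is outside the hunk) a configured `lxc.network.name` is discarded without any message, although unknown `lxc.network.*` keys are otherwise reported through `VIR_WARN` in the walk callback. The new `lxc.network.name = eth1` line in lxcconf2xml-physnetwork.config appears to exercise exactly that branch (a `phys` network), and no matching expected-output change is in the diffstat, so the silent drop is what the test now pins. An `if (name) VIR_WARN("Ignoring lxc.network.name for hostdev network: %s", name);` before the `def->hostdevs[...]` assignment would make the limitation visible to anyone converting a container config. lxcAddNetworkDefinition starts and ends outside the hunk.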
@@ -508,6 +514,7 @@ lxcNetworkWalkCallback(const char *name,
 parseData->flag = NULL;
 parseData->macvlanmode = NULL;
 parseData->vlanid = NULL;
+ parseData->name = NULL;
 /* Keep the new value */
 parseData->type = value->str;
@@ -522,6 +529,8 @@ lxcNetworkWalkCallback(const char *name,
 parseData->macvlanmode = value->str;
 else if (STREQ(name, "lxc.network.vlan.id"))
 parseData->vlanid = value->str;
+ else if (STREQ(name, "lxc.network.name"))
+ parseData->name = value->str;
 else if (STRPREFIX(name, "lxc.network"))
 VIR_WARN("Unhandled network property: %s = %s", name,
@@ -535,7 +544,7 @@ lxcConvertNetworkSettings(virDomainDefPt
 {
 int status;
 lxcNetworkParseData data = {def, NULL, NULL, NULL, NULL,
- NULL, NULL, true, 0};
+ NULL, NULL, NULL, true, 0};
 virConfWalk(properties, lxcNetworkWalkCallback, &data);
@@ -543,7 +552,8 @@ lxcConvertNetworkSettings(virDomainDefPt
 status = lxcAddNetworkDefinition(def, data.type, data.link, data.mac, data.flag, data.macvlanmode,
- data.vlanid);
+ data.vlanid,
+ data.name);
 if (status < 0)
 return -1;
 else if (status > 0)
Index: libvirt-1.2.5/tests/lxcconf2xmldata/lxcconf2xml-physnetwork.config
===================================================================
--- libvirt-1.2.5.orig/tests/lxcconf2xmldata/lxcconf2xml-physnetwork.config
+++ libvirt-1.2.5/tests/lxcconf2xmldata/lxcconf2xml-physnetwork.config
@@ -1,5 +1,6 @@
 lxc.network.type = phys
 lxc.network.link = eth0
+lxc.network.name = eth1
 lxc.rootfs = /var/lib/lxc/migrate_test/rootfs
 lxc.utsname = migrate_test
Index: libvirt-1.2.5/tests/lxcconf2xmldata/lxcconf2xml-simple.xml
===================================================================
--- libvirt-1.2.5.orig/tests/lxcconf2xmldata/lxcconf2xml-simple.xml
+++ libvirt-1.2.5/tests/lxcconf2xmldata/lxcconf2xml-simple.xml
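Review bot: The positional initializer in the `@@ -535,7 +544,7 @@` hunk, `lxcNetworkParseData data = {def, NULL, NULL, NULL, NULL, NULL, NULL, NULL, true, 0};`, only stays correct because one `NULL` was slotted in at the right place when `char *name` was inserted before `bool privnet` in the struct; every future member added anywhere but the end requires the same manual fix-up in this distant line. A designated initializer, `lxcNetworkParseData data = { .<first member> = def, .privnet = true };` (the first member's name is outside the hunk), zero-fills all pointer members and needs no edit when the struct grows. lxcConvertNetworkSettings continues outside the hunk.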
@@ -37,6 +37,7 @@
 <interface type='bridge'>
 <mac address='02:00:15:8f:05:c1'/>
 <source bridge='virbr0'/>
+ <guest dev='eth0'/>
 <link state='up'/>
 </interface>
 <console type='pty'>
++++++ lxc-net-target-name-doc.patch ++++++
From c0b1a318442740b6c63630b61d0718598a9937d2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?C=C3=A9dric=20Bosdonnat?=
Date: Wed, 2 Jul 2014 15:24:56 +0200 Subject: [PATCH 2/2] lxc network device names change documentation
---
 docs/formatdomain.html.in | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
Index: libvirt-1.2.5/docs/formatdomain.html.in
===================================================================
--- libvirt-1.2.5.orig/docs/formatdomain.html.in
+++ libvirt-1.2.5/docs/formatdomain.html.in
@@ -3757,6 +3757,23 @@ qemu-kvm -net nic,model=? /dev/null
 targets using these prefixes will be ignored.
 </p>
+ <p>
+ Note that for LXC containers, this defines the name of the interface
+ on the host side. <span class="since">Since 1.2.7</span>, to define
+ the name of the device on the guest side, the <code>guest</code>
+ element should be used, as in the following snippet:
+ </p>
+
+<pre>
+ ...
+ <devices>
+ <interface type='network'>
+ <source network='default'/>
+ <b><guest dev='myeth'/></b>
+ </interface>
+ </devices>
+ ...</pre>
+
 <h5><a name="elementsNICSBoot">Specifying boot order</a></h5>
 <pre>
++++++ lxc-net-target-name.patch ++++++
From 2dd011bd1451e5e6e41c0fbe98884d7594a46dc1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?C=C3=A9dric=20Bosdonnat?=
Date: Fri, 27 Jun 2014 10:41:22 +0200 Subject: [PATCH] lxc network configuration allows setting target container NIC name
LXC network devices can now be assigned a custom NIC device name on the
container side. For example, this is configured with:
<interface type='network'>
<source network='default'/>
<guest dev="eth1"/>
</interface>
In this example the network card will appear as eth1 in the guest.
---
docs/schemas/domaincommon.rng | 17 +++++++++++++++++
src/conf/domain_conf.c | 27 +++++++++++++++++++++++++++
src/conf/domain_conf.h | 2 ++
src/lxc/lxc_container.c | 29 +++++++++++++++++++++++++----
src/lxc/lxc_process.c | 25 +++++++++++++++++++++++++
tests/lxcxml2xmldata/lxc-idmap.xml | 1 +
6 files changed, 97 insertions(+), 4 deletions(-)
Index: libvirt-1.2.5/docs/schemas/domaincommon.rng
===================================================================
--- libvirt-1.2.5.orig/docs/schemas/domaincommon.rng
+++ libvirt-1.2.5/docs/schemas/domaincommon.rng
@@ -2165,6 +2165,23 @@
</element>
</optional>
<optional>
+ <element name="guest">
+ <interleave>
+ <optional>
+ <attribute name="dev">
+ <ref name="deviceName"/>
+ </attribute>
+ </optional>
+ <optional>
+ <attribute name="actual">
+ <ref name="deviceName"/>
+ </attribute>
+ </optional>
+ </interleave>
+ <empty/>
+ </element>
+ </optional>
+ <optional>
<element name="mac">
<attribute name="address">
<ref name="uniMacAddr"/>
Index: libvirt-1.2.5/src/conf/domain_conf.c
===================================================================
--- libvirt-1.2.5.orig/src/conf/domain_conf.c
+++ libvirt-1.2.5/src/conf/domain_conf.c
@@ -1415,6 +1415,8 @@ void virDomainNetDefFree(virDomainNetDef
VIR_FREE(def->virtPortProfile);
VIR_FREE(def->script);
VIR_FREE(def->ifname);
+ VIR_FREE(def->ifname_guest);
+ VIR_FREE(def->ifname_guest_actual);
virDomainDeviceInfoClear(&def->info);
@@ -6621,6 +6623,8 @@ virDomainNetDefParseXML(virDomainXMLOpti
char *bridge = NULL;
char *dev = NULL;
char *ifname = NULL;
+ char *ifname_guest = NULL;
+ char *ifname_guest_actual = NULL;
char *script = NULL;
char *address = NULL;
char *port = NULL;
@@ -6726,6 +6730,10 @@ virDomainNetDefParseXML(virDomainXMLOpti
/* An auto-generated target name, blank it out */
VIR_FREE(ifname);
}
+ } else if ((!ifname_guest || !ifname_guest_actual) &&
+ xmlStrEqual(cur->name, BAD_CAST "guest")) {
+ ifname_guest = virXMLPropString(cur, "dev");
+ ifname_guest_actual = virXMLPropString(cur, "actual");
} else if (!linkstate &&
xmlStrEqual(cur->name, BAD_CAST "link")) {
linkstate = virXMLPropString(cur, "state");
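Review bot: The `(!ifname_guest || !ifname_guest_actual)` guard lets a second `<guest>` element be parsed whenever the first one left either attribute unset — two `<guest dev='...'/>` elements without `actual` is enough — and the second `virXMLPropString(cur, "dev")` result then overwrites the first `ifname_guest` without freeing it. The neighbouring branch uses a plain first-wins guard (`!linkstate && xmlStrEqual(cur->name, BAD_CAST "link")`); `} else if (!ifname_guest && !ifname_guest_actual &&` restores that and closes the leak. Separately, the diffstat's 27 insertions to domain_conf.c are fully accounted for by the hunks shown (2 + 2 + 4 + 8 + 11), so nothing appears to release `ifname_guest`/`ifname_guest_actual` on the function's error path; when parsing fails after a `<guest>` element has been read, both strings leak, and the cleanup label should `VIR_FREE` them alongside `ifname`. virDomainNetDefParseXML starts and ends outside the hunk.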
@@ -6967,6 +6975,14 @@ virDomainNetDefParseXML(virDomainXMLOpti
def->ifname = ifname;
ifname = NULL;
}
+ if (ifname_guest != NULL) {
+ def->ifname_guest = ifname_guest;
+ ifname_guest = NULL;
+ }
+ if (ifname_guest_actual != NULL) {
+ def->ifname_guest_actual = ifname_guest_actual;
+ ifname_guest_actual = NULL;
+ }
/* NIC model (see -net nic,model=?). We only check that it looks
* reasonable, not that it is a supported NIC type. FWIW kvm
@@ -15918,6 +15934,17 @@ virDomainNetDefFormat(virBufferPtr buf,
/* Skip auto-generated target names for inactive config. */
virBufferEscapeString(buf, "<target dev='%s'/>\n", def->ifname);
}
+ if (def->ifname_guest || def->ifname_guest_actual) {
+ virBufferAddLit(buf, "