rpms
/
libvirt
2
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Update to release 0.9.0

This commit is contained in:
Daniel Veillard 2011-04-07 15:47:13 +08:00
parent 47fcec5405
commit ed6c49f874
4 changed files with 128 additions and 148 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

27
libvirt-0.8.8-kernel-boot-index.patch
View File

@ -1,27 +0,0 @@
commit efc2594b4e0cbcdd6947fafeeed41accd5b611e0
Author: Jim Fehlig <jfehlig@novell.com>
Date: Thu Feb 17 14:22:55 2011 -0700
Do not add drive 'boot=on' param when a kernel is specified
libvirt-tck was failing several domain tests [1] with qemu 0.14, which
is now less tolerable of specifying 2 bootroms with the same boot index [2].
Drop the 'boot=on' param if kernel has been specfied.
[1] https://www.redhat.com/archives/libvir-list/2011-February/msg00559.html
[2] http://lists.nongnu.org/archive/html/qemu-devel/2011-02/msg01892.html
diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c
index 371a7ed..0db2843 100644
--- a/src/qemu/qemu_command.c
+++ b/src/qemu/qemu_command.c
@@ -3173,7 +3173,7 @@ qemuBuildCommandLine(virConnectPtr conn,
int bootCD = 0, bootFloppy = 0, bootDisk = 0;
/* If QEMU supports boot=on for -drive param... */
- if (qemuCmdFlags & QEMUD_CMD_FLAG_DRIVE_BOOT) {
+ if (qemuCmdFlags & QEMUD_CMD_FLAG_DRIVE_BOOT && !def->os.kernel) {
for (i = 0 ; i < def->os.nBootDevs ; i++) {
switch (def->os.bootDevs[i]) {
case VIR_DOMAIN_BOOT_CDROM:

95
libvirt-read-only-checks.patch
View File

@ -1,95 +0,0 @@
From: Guido Günther <agx@sigxcpu.org>
Date: Mon, 14 Mar 2011 02:56:28 +0000 (+0800)
Subject: Add missing checks for read only connections
X-Git-Url: http://libvirt.org/git/?p=libvirt.git;a=commitdiff_plain;h=71753cb7f7a16ff800381c0b5ee4e99eea92fed3;hp=13c00dde3171b3a38d23cceb3f9151cb6cac3dad
Add missing checks for read only connections
As pointed on CVE-2011-1146, some API forgot to check the read-only
status of the connection for entry point which modify the state
of the system or may lead to a remote execution using user data.
The entry points concerned are:
- virConnectDomainXMLToNative
- virNodeDeviceDettach
- virNodeDeviceReAttach
- virNodeDeviceReset
- virDomainRevertToSnapshot
- virDomainSnapshotDelete
* src/libvirt.c: fix the above set of entry points to error on read-only
connections
---
diff --git a/src/libvirt.c b/src/libvirt.c
index caa109d..713291f 100644
--- a/src/libvirt.c
+++ b/src/libvirt.c
@@ -3321,6 +3321,10 @@ char *virConnectDomainXMLToNative(virConnectPtr conn,
virDispatchError(NULL);
return NULL;
}
+ if (conn->flags & VIR_CONNECT_RO) {
+ virLibDomainError(VIR_ERR_OPERATION_DENIED, __FUNCTION__);
+ goto error;
+ }
if (nativeFormat == NULL || domainXml == NULL) {
virLibConnError(VIR_ERR_INVALID_ARG, __FUNCTION__);
@@ -9748,6 +9752,11 @@ virNodeDeviceDettach(virNodeDevicePtr dev)
return -1;
}
+ if (dev->conn->flags & VIR_CONNECT_RO) {
+ virLibConnError(VIR_ERR_OPERATION_DENIED, __FUNCTION__);
+ goto error;
+ }
+
if (dev->conn->driver->nodeDeviceDettach) {
int ret;
ret = dev->conn->driver->nodeDeviceDettach (dev);
@@ -9791,6 +9800,11 @@ virNodeDeviceReAttach(virNodeDevicePtr dev)
return -1;
}
+ if (dev->conn->flags & VIR_CONNECT_RO) {
+ virLibConnError(VIR_ERR_OPERATION_DENIED, __FUNCTION__);
+ goto error;
+ }
+
if (dev->conn->driver->nodeDeviceReAttach) {
int ret;
ret = dev->conn->driver->nodeDeviceReAttach (dev);
@@ -9836,6 +9850,11 @@ virNodeDeviceReset(virNodeDevicePtr dev)
return -1;
}
+ if (dev->conn->flags & VIR_CONNECT_RO) {
+ virLibConnError(VIR_ERR_OPERATION_DENIED, __FUNCTION__);
+ goto error;
+ }
+
if (dev->conn->driver->nodeDeviceReset) {
int ret;
ret = dev->conn->driver->nodeDeviceReset (dev);
@@ -13131,6 +13150,10 @@ virDomainRevertToSnapshot(virDomainSnapshotPtr snapshot,
}
conn = snapshot->domain->conn;
+ if (conn->flags & VIR_CONNECT_RO) {
+ virLibConnError(VIR_ERR_OPERATION_DENIED, __FUNCTION__);
+ goto error;
+ }
if (conn->driver->domainRevertToSnapshot) {
int ret = conn->driver->domainRevertToSnapshot(snapshot, flags);
@@ -13177,6 +13200,10 @@ virDomainSnapshotDelete(virDomainSnapshotPtr snapshot,
}
conn = snapshot->domain->conn;
+ if (conn->flags & VIR_CONNECT_RO) {
+ virLibConnError(VIR_ERR_OPERATION_DENIED, __FUNCTION__);
+ goto error;
+ }
if (conn->driver->domainSnapshotDelete) {
int ret = conn->driver->domainSnapshotDelete(snapshot, flags);

152
libvirt.spec
View File

@ -1,5 +1,13 @@
# -*- rpm-spec -*-
# If neither fedora nor rhel was defined, try to guess them from %{dist}
%if !0%{?rhel} && !0%{?fedora}
%{expand:%(echo "%{?dist}" | \
sed -ne 's/^\.el\([0-9]\+\).*/%%define rhel \1/p')}
%{expand:%(echo "%{?dist}" | \
sed -ne 's/^\.fc\?\([0-9]\+\).*/%%define fedora \1/p')}
%endif
# A client only build will create a libvirt.so only containing
# the generic RPC driver, and test driver and no libvirtd
# Default to a full server + client build
@ -37,8 +45,7 @@
%define with_vbox 0%{!?_without_vbox:%{server_drivers}}
%define with_uml 0%{!?_without_uml:%{server_drivers}}
%define with_xenapi 0%{!?_without_xenapi:%{server_drivers}}
# XXX this shouldn't be here, but it mistakenly links into libvirtd
%define with_one 0%{!?_without_one:%{server_drivers}}
%define with_libxl 0%{!?_without_libxl:%{server_drivers}}
# Then the hypervisor drivers that talk a native remote protocol
%define with_phyp 0%{!?_without_phyp:1}
@ -87,16 +94,16 @@
%define with_numactl 0
%endif
# RHEL doesn't ship OpenVZ, VBox, UML, OpenNebula, PowerHypervisor,
# VMWare, or libxenserver (xenapi)
# RHEL doesn't ship OpenVZ, VBox, UML, PowerHypervisor,
# VMWare, libxenserver (xenapi), or libxenlight (Xen 4.1 and newer)
%if 0%{?rhel}
%define with_openvz 0
%define with_vbox 0
%define with_uml 0
%define with_one 0
%define with_phyp 0
%define with_vmware 0
%define with_xenapi 0
%define with_libxl 0
%endif
# RHEL-5 has restricted QEMU to x86_64 only and is too old for LXC
@ -123,6 +130,11 @@
%endif
%endif
# Fedora doesn't have new enough Xen for libxl until F16
%if 0%{?fedora} < 16
%define with_libxl 0
%endif
# PolicyKit was introduced in Fedora 8 / RHEL-6 or newer
%if 0%{?fedora} >= 8 || 0%{?rhel} >= 6
%define with_polkit 0%{!?_without_polkit:1}
@ -203,16 +215,16 @@
Summary: Library providing a simple virtualization API
Name: libvirt
Version: 0.8.8
Release: 3%{?dist}%{?extra_release}
Version: 0.9.0
Release: 1%{?dist}%{?extra_release}
License: LGPLv2+
Group: Development/Libraries
Source: http://libvirt.org/sources/libvirt-%{version}.tar.gz
Patch1: %{name}-%{version}-kernel-boot-index.patch
Patch2: %{name}-read-only-checks.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
URL: http://libvirt.org/
BuildRequires: python-devel
# All runtime requirements for the libvirt package (runtime requrements
# for subpackages are listed later in those subpackages)
# The client side, i.e. shared libs and virsh are in a subpackage
Requires: %{name}-client = %{version}-%{release}
@ -221,15 +233,21 @@ Requires: %{name}-client = %{version}-%{release}
# daemon is present
%if %{with_libvirtd}
Requires: bridge-utils
# for modprobe of pci devices
Requires: module-init-tools
# for /sbin/ip
Requires: iproute
%endif
%if %{with_network}
Requires: dnsmasq >= 2.41
Requires: radvd
%endif
%if %{with_network} || %{with_nwfilter}
Requires: iptables
Requires: iptables-ipv6
%endif
%if %{with_nwfilter}
Requires: ebtables
Requires: iptables
Requires: iptables-ipv6
%endif
# needed for device enumeration
%if %{with_hal}
@ -246,10 +264,6 @@ Requires: PolicyKit >= 0.6
%endif
%endif
%if %{with_storage_fs}
# For mount/umount in FS driver
BuildRequires: util-linux
# For showmount in FS driver (netfs discovery)
BuildRequires: nfs-utils
Requires: nfs-utils
# For glusterfs
%if 0%{?fedora} >= 11
@ -281,6 +295,7 @@ Requires: iscsi-initiator-utils
%if %{with_storage_disk}
# For disk driver
Requires: parted
Requires: device-mapper
%endif
%if %{with_storage_mpath}
# For multipath support
@ -289,18 +304,24 @@ Requires: device-mapper
%if %{with_cgconfig}
Requires: libcgroup
%endif
# All build-time requirements
BuildRequires: python-devel
%if %{with_xen}
BuildRequires: xen-devel
%endif
%if %{with_one}
BuildRequires: xmlrpc-c-devel >= 1.14.0
%endif
BuildRequires: libxml2-devel
BuildRequires: xhtml1-dtds
BuildRequires: libxslt
BuildRequires: readline-devel
BuildRequires: ncurses-devel
BuildRequires: gettext
BuildRequires: gnutls-devel
%if 0%{?fedora} >= 12 || 0%{?rhel} >= 6
# for augparse, optionally used in testing
BuildRequires: augeas
%endif
%if %{with_hal}
BuildRequires: hal-devel
%endif
@ -325,8 +346,15 @@ BuildRequires: libselinux-devel
%endif
%if %{with_network}
BuildRequires: dnsmasq >= 2.41
BuildRequires: iptables
BuildRequires: iptables-ipv6
BuildRequires: radvd
%endif
%if %{with_nwfilter}
BuildRequires: ebtables
%endif
BuildRequires: bridge-utils
BuildRequires: module-init-tools
%if %{with_sasl}
BuildRequires: cyrus-sasl-devel
%endif
@ -390,7 +418,11 @@ BuildRequires: libssh2-devel
BuildRequires: netcf-devel >= 0.1.4
%endif
%if %{with_esx}
%if 0%{?fedora} >= 9 || 0%{?rhel} >= 6
BuildRequires: libcurl-devel
%else
BuildRequires: curl-devel
%endif
%endif
%if %{with_audit}
BuildRequires: audit-libs-devel
@ -400,6 +432,12 @@ BuildRequires: audit-libs-devel
BuildRequires: systemtap-sdt-devel
%endif
%if %{with_storage_fs}
# For mount/umount in FS driver
BuildRequires: util-linux
# For showmount in FS driver (netfs discovery)
BuildRequires: nfs-utils
%endif
# Fedora build root suckage
BuildRequires: gawk
@ -417,6 +455,10 @@ Requires: ncurses
# So remote clients can access libvirt over SSH tunnel
# (client invokes 'nc' against the UNIX socket on the server)
Requires: nc
# Needed by libvirt-guests init script.
Requires: gettext
# Needed by virt-pki-validate script.
Requires: gnutls-utils
%if %{with_sasl}
Requires: cyrus-sasl
# Not technically required, but makes 'out-of-box' config
@ -456,8 +498,6 @@ of recent versions of Linux (and other OSes).
%prep
%setup -q
%patch1 -p1
%patch2 -p1
%build
%if ! %{with_xen}
@ -484,6 +524,10 @@ of recent versions of Linux (and other OSes).
%define _without_xenapi --without-xenapi
%endif
%if ! %{with_libxl}
%define _without_libxl --without-libxl
%endif
%if ! %{with_sasl}
%define _without_sasl --without-sasl
%endif
@ -520,10 +564,6 @@ of recent versions of Linux (and other OSes).
%define _without_uml --without-uml
%endif
%if ! %{with_one}
%define _without_one --without-one
%endif
%if %{with_rhel5}
%define _with_rhel5_api --with-rhel5-api
%endif
@ -754,6 +794,46 @@ then
> %{_sysconfdir}/libvirt/qemu/networks/default.xml
ln -s ../default.xml %{_sysconfdir}/libvirt/qemu/networks/autostart/default.xml
fi
# All newly defined networks will have a mac address for the bridge
# auto-generated, but networks already existing at the time of upgrade
# will not. We need to go through all the network configs, look for
# those that don't have a mac address, and add one.
network_files=$( (cd %{_localstatedir}/lib/libvirt/network && \
grep -L "mac address" *.xml; \
cd %{_sysconfdir}/libvirt/qemu/networks && \
grep -L "mac address" *.xml) 2>/dev/null \
| sort -u)
for file in $network_files
do
# each file exists in either the config or state directory (or both) and
# does not have a mac address specified in either. We add the same mac
# address to both files (or just one, if the other isn't there)
mac4=`printf '%X' $(($RANDOM % 256))`
mac5=`printf '%X' $(($RANDOM % 256))`
mac6=`printf '%X' $(($RANDOM % 256))`
for dir in %{_localstatedir}/lib/libvirt/network \
%{_sysconfdir}/libvirt/qemu/networks
do
if test -f $dir/$file
then
sed -i.orig -e \
"s|\(<bridge.*$\)|\0\n <mac address='52:54:00:$mac4:$mac5:$mac6'/>|" \
$dir/$file
if test $? != 0
then
echo "failed to add <mac address='52:54:00:$mac4:$mac5:$mac6'/>" \
"to $dir/$file"
mv -f $dir/$file.orig $dir/$file
else
rm -f $dir/$file.orig
fi
fi
done
done
%endif
%if %{with_cgconfig}
@ -823,7 +903,11 @@ fi
%dir %attr(0700, root, root) %{_localstatedir}/log/libvirt/qemu/
%dir %attr(0700, root, root) %{_localstatedir}/log/libvirt/lxc/
%dir %attr(0700, root, root) %{_localstatedir}/log/libvirt/uml/
%if %{with_libxl}
%dir %attr(0700, root, root) %{_localstatedir}/log/libvirt/libxl/
%endif
%config(noreplace) %{_sysconfdir}/logrotate.d/libvirtd
%if %{with_qemu}
%config(noreplace) %{_sysconfdir}/libvirt/qemu.conf
%config(noreplace) %{_sysconfdir}/logrotate.d/libvirtd.qemu
@ -862,6 +946,10 @@ fi
%dir %{_localstatedir}/run/libvirt/uml/
%dir %attr(0700, root, root) %{_localstatedir}/lib/libvirt/uml/
%endif
%if %{with_libxl}
%dir %{_localstatedir}/run/libvirt/libxl/
%dir %attr(0700, root, root) %{_localstatedir}/lib/libvirt/libxl/
%endif
%if %{with_network}
%dir %{_localstatedir}/run/libvirt/network/
%dir %attr(0700, root, root) %{_localstatedir}/lib/libvirt/network/
@ -896,6 +984,7 @@ fi
%endif
%attr(0755, root, root) %{_libexecdir}/libvirt_parthelper
%attr(0755, root, root) %{_libexecdir}/libvirt_iohelper
%attr(0755, root, root) %{_sbindir}/libvirtd
%{_mandir}/man8/libvirtd.8*
@ -977,6 +1066,19 @@ fi
%endif
%changelog
* Thu Apr 7 2011 Daniel Veillard <veillard@redhat.com> - 0.9.0-1
- Support cputune cpu usage tuning
- Add public APIs for storage volume upload/download
- Add public API for setting migration speed on the fly
- Add libxenlight driver
- qemu: support migration to fd
- libvirt: add virDomain{Get,Set}BlkioParameters
- setmem: introduce a new libvirt API (virDomainSetMemoryFlags)
- Expose event loop implementation as a public API
- Dump the debug buffer to libvirtd.log on fatal signal
- Audit support
- Various improvements and bug fixes
* Mon Mar 14 2011 Daniel Veillard <veillard@redhat.com> - 0.8.8-3
- fix a lack of API check on read-only connections
- CVE-2011-1146

2
sources
View File

@ -1 +1 @@
ac9235576352b84b8cb17df7456bbdfc libvirt-0.8.8.tar.gz
53d005e6f3732aba1fd6b2718f9cec99 libvirt-0.9.0.tar.gz