Compare commits
6 Commits
Author | SHA1 | Date |
---|---|---|
Cole Robinson | d8f5f4e2e9 | |
Daniel P. Berrangé | 7fa7c37eee | |
Daniel P. Berrangé | 398721ffd4 | |
Daniel P. Berrangé | f6736a34a2 | |
Daniel P. Berrangé | aa2d30880a | |
Daniel P. Berrangé | b6cdf32170 |
|
@ -0,0 +1,36 @@
|
||||||
|
From 519a6adb135959709fefbe30b7f40de436dd2f16 Mon Sep 17 00:00:00 2001
|
||||||
|
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
|
||||||
|
Date: Mon, 21 May 2018 23:05:07 +0100
|
||||||
|
Subject: [PATCH 1/2] cpu: define the 'ssbd' CPUID feature bit (CVE-2018-3639)
|
||||||
|
MIME-Version: 1.0
|
||||||
|
Content-Type: text/plain; charset=UTF-8
|
||||||
|
Content-Transfer-Encoding: 8bit
|
||||||
|
|
||||||
|
New microcode introduces the "Speculative Store Bypass Disable"
|
||||||
|
CPUID feature bit. This needs to be exposed to guest OS to allow
|
||||||
|
them to protect against CVE-2018-3639.
|
||||||
|
|
||||||
|
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
|
||||||
|
Reviewed-by: Jiri Denemark <jdenemar@redhat.com>
|
||||||
|
(cherry picked from commit 1dbca2eccad58d91a5fd33962854f1a653638182)
|
||||||
|
---
|
||||||
|
src/cpu/cpu_map.xml | 3 +++
|
||||||
|
1 file changed, 3 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/src/cpu/cpu_map.xml b/src/cpu/cpu_map.xml
|
||||||
|
index 00a43b172c..245aec3309 100644
|
||||||
|
--- a/src/cpu/cpu_map.xml
|
||||||
|
+++ b/src/cpu/cpu_map.xml
|
||||||
|
@@ -298,6 +298,9 @@
|
||||||
|
<feature name='spec-ctrl'>
|
||||||
|
<cpuid eax_in='0x07' ecx_in='0x00' edx='0x04000000'/>
|
||||||
|
</feature>
|
||||||
|
+ <feature name='ssbd'>
|
||||||
|
+ <cpuid eax_in='0x07' ecx_in='0x00' edx='0x80000000'/>
|
||||||
|
+ </feature>
|
||||||
|
|
||||||
|
<!-- Processor Extended State Enumeration sub leaf 1 -->
|
||||||
|
<feature name='xsaveopt'>
|
||||||
|
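Review bot: the new <feature name='ssbd'> entry only defines the bit; the diffstat shows 3 insertions in src/cpu/cpu_map.xml and nothing else, so no CPU model gains the feature and nothing tests the new name. The commit message says the bit "needs to be exposed to guest OS" but, unlike 2/2, does not say how a guest ends up with it. Suggest stating in the message which CPU modes pick the bit up and which need an explicit feature entry, and adding a short XML comment that edx='0x80000000' is bit 31 of leaf 0x07 sub-leaf 0, next to spec-ctrl at bit 26.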
--
|
||||||
|
2.17.0
|
||||||
|
|
|
@ -0,0 +1,69 @@
|
||||||
|
From ec92abee2851344e4e8c108a26b5cec594561ff4 Mon Sep 17 00:00:00 2001
|
||||||
|
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
|
||||||
|
Date: Mon, 5 Mar 2018 12:46:16 +0000
|
||||||
|
Subject: [PATCH] tests: force use of "NORMAL" TLS priority in test suite
|
||||||
|
MIME-Version: 1.0
|
||||||
|
Content-Type: text/plain; charset=UTF-8
|
||||||
|
Content-Transfer-Encoding: 8bit
|
||||||
|
|
||||||
|
When generating certificates we rely on GNUTLS' built-in default setup
|
||||||
|
for the ciphers used in the certs. We then currently run with the distro
|
||||||
|
specific TLS priority setup which can be much stronger, to the extent
|
||||||
|
that the certificates we generate are considered untrustworthy. We don't
|
||||||
|
care about the quality of the ciphers we use in the test suite, so just
|
||||||
|
force the priority to "NORMAL" which should ensure our certs are
|
||||||
|
accepted by GNUTLS.
|
||||||
|
|
||||||
|
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
|
||||||
|
---
|
||||||
|
tests/virnettlscontexttest.c | 4 ++--
|
||||||
|
tests/virnettlssessiontest.c | 4 ++--
|
||||||
|
2 files changed, 4 insertions(+), 4 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/tests/virnettlscontexttest.c b/tests/virnettlscontexttest.c
|
||||||
|
index 089c10e964..86647f3014 100644
|
||||||
|
--- a/tests/virnettlscontexttest.c
|
||||||
|
+++ b/tests/virnettlscontexttest.c
|
||||||
|
@@ -72,7 +72,7 @@ static int testTLSContextInit(const void *opaque)
|
||||||
|
data->crt,
|
||||||
|
KEYFILE,
|
||||||
|
NULL,
|
||||||
|
- NULL,
|
||||||
|
+ "NORMAL",
|
||||||
|
true,
|
||||||
|
true);
|
||||||
|
} else {
|
||||||
|
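Review bot: the "NORMAL" literal that replaces NULL in this call is an unnamed positional argument, and the same string is repeated at all four call sites across virnettlscontexttest.c and virnettlssessiontest.c. Suggest one shared #define for the test priority string, with a comment giving the reason from the commit message, so a reader of the test does not have to find this commit to learn why the system priority is bypassed.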
@@ -80,7 +80,7 @@ static int testTLSContextInit(const void *opaque)
|
||||||
|
NULL,
|
||||||
|
data->crt,
|
||||||
|
KEYFILE,
|
||||||
|
- NULL,
|
||||||
|
+ "NORMAL",
|
||||||
|
true,
|
||||||
|
true);
|
||||||
|
}
|
||||||
|
diff --git a/tests/virnettlssessiontest.c b/tests/virnettlssessiontest.c
|
||||||
|
index 6d639e5b16..7e85607181 100644
|
||||||
|
--- a/tests/virnettlssessiontest.c
|
||||||
|
+++ b/tests/virnettlssessiontest.c
|
||||||
|
@@ -113,7 +113,7 @@ static int testTLSSessionInit(const void *opaque)
|
||||||
|
data->servercrt,
|
||||||
|
KEYFILE,
|
||||||
|
data->wildcards,
|
||||||
|
- NULL,
|
||||||
|
+ "NORMAL",
|
||||||
|
false,
|
||||||
|
true);
|
||||||
|
|
||||||
|
@@ -121,7 +121,7 @@ static int testTLSSessionInit(const void *opaque)
|
||||||
|
NULL,
|
||||||
|
data->clientcrt,
|
||||||
|
KEYFILE,
|
||||||
|
- NULL,
|
||||||
|
+ "NORMAL",
|
||||||
|
false,
|
||||||
|
true);
|
||||||
|
|
||||||
|
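Review bot: with "NORMAL" forced in testTLSSessionInit as well, no test in these two files runs under the priority string the package is built with (the spec in this same change sets tls_priority to "@LIBVIRT,SYSTEM" on Fedora), so a certificate that the system policy rejects will now pass the suite. The commit message accepts this for cipher quality, but it should say explicitly that the fix is test-only, and the rejection of the generated certificates under the distro policy deserves its own follow-up.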
--
|
||||||
|
2.14.3
|
||||||
|
|
|
@ -0,0 +1,47 @@
|
||||||
|
From 40cf57b55f3af94163d7ef3d50aec6c5c79c139d Mon Sep 17 00:00:00 2001
|
||||||
|
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
|
||||||
|
Date: Mon, 21 May 2018 23:05:08 +0100
|
||||||
|
Subject: [PATCH 2/2] cpu: define the 'virt-ssbd' CPUID feature bit
|
||||||
|
(CVE-2018-3639)
|
||||||
|
MIME-Version: 1.0
|
||||||
|
Content-Type: text/plain; charset=UTF-8
|
||||||
|
Content-Transfer-Encoding: 8bit
|
||||||
|
|
||||||
|
Some AMD processors only support a non-architectural means of
|
||||||
|
enabling Speculative Store Bypass Disable. To allow simplified
|
||||||
|
handling in virtual environments, hypervisors will expose an
|
||||||
|
architectural definition through CPUID bit 0x80000008_EBX[25].
|
||||||
|
This needs to be exposed to guest OS running on AMD x86 hosts to
|
||||||
|
allow them to protect against CVE-2018-3639.
|
||||||
|
|
||||||
|
Note that since this CPUID bit won't be present in the host CPUID
|
||||||
|
results on physical hosts, it will not be enabled automatically
|
||||||
|
in guests configured with "host-model" CPU unless using QEMU
|
||||||
|
version >= 2.9.0. Thus for older versions of QEMU, this feature
|
||||||
|
must be manually enabled using policy=force. Guests using the
|
||||||
|
"host-passthrough" CPU mode do not need special handling.
|
||||||
|
|
||||||
|
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
|
||||||
|
Reviewed-by: Jiri Denemark <jdenemar@redhat.com>
|
||||||
|
(cherry picked from commit 9267342206ce17f6933d57a3128cdc504d5945c9)
|
||||||
|
---
|
||||||
|
src/cpu/cpu_map.xml | 3 +++
|
||||||
|
1 file changed, 3 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/src/cpu/cpu_map.xml b/src/cpu/cpu_map.xml
|
||||||
|
index 245aec3309..96daa0f9af 100644
|
||||||
|
--- a/src/cpu/cpu_map.xml
|
||||||
|
+++ b/src/cpu/cpu_map.xml
|
||||||
|
@@ -433,6 +433,9 @@
|
||||||
|
<feature name='ibpb'>
|
||||||
|
<cpuid eax_in='0x80000008' ebx='0x00001000'/>
|
||||||
|
</feature>
|
||||||
|
+ <feature name='virt-ssbd'>
|
||||||
|
+ <cpuid eax_in='0x80000008' ebx='0x02000000'/>
|
||||||
|
+ </feature>
|
||||||
|
|
||||||
|
<!-- models -->
|
||||||
|
<model name='486'>
|
||||||
|
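Review bot: the caveat in the commit message belongs next to the <feature name='virt-ssbd'> entry as well: the bit is one that hypervisors synthesize, it is absent from host CPUID on physical hosts, and with QEMU older than 2.9.0 a "host-model" guest only gets it with policy=force. None of that is visible in cpu_map.xml, where the entry reads like any hardware bit such as ibpb above it. Suggest a short XML comment above the entry. The mask itself is consistent with the message (ebx='0x02000000' is EBX bit 25).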
--
|
||||||
|
2.17.0
|
||||||
|
|
|
@ -0,0 +1,36 @@
|
||||||
|
From fb327ac2c3d721b4002852c520d9f39a35183e0d Mon Sep 17 00:00:00 2001
|
||||||
|
Message-Id: <fb327ac2c3d721b4002852c520d9f39a35183e0d.1530632931.git.crobinso@redhat.com>
|
||||||
|
From: Jim Fehlig <jfehlig@suse.com>
|
||||||
|
Date: Wed, 14 Mar 2018 16:42:39 -0600
|
||||||
|
Subject: [PATCH] lockd: fix typo in virtlockd-admin.socket
|
||||||
|
|
||||||
|
Commit ce7ae55ea1 introduced a typo in virtlockd-admin socket file
|
||||||
|
|
||||||
|
/usr/lib/systemd/system/virtlockd-admin.socket:7: Unknown lvalue
|
||||||
|
'Server' in section 'Socket'
|
||||||
|
|
||||||
|
Change 'Server' to 'Service'.
|
||||||
|
|
||||||
|
Signed-off-by: Jim Fehlig <jfehlig@suse.com>
|
||||||
|
Reviewed-by: Erik Skultety <eskultet@redhat.com>
|
||||||
|
Signed-off-by: Cole Robinson <crobinso@redhat.com>
|
||||||
|
---
|
||||||
|
src/locking/virtlockd-admin.socket.in | 2 +-
|
||||||
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/src/locking/virtlockd-admin.socket.in b/src/locking/virtlockd-admin.socket.in
|
||||||
|
index 1fa0a3dc33..2a7500f3d0 100644
|
||||||
|
--- a/src/locking/virtlockd-admin.socket.in
|
||||||
|
+++ b/src/locking/virtlockd-admin.socket.in
|
||||||
|
@@ -4,7 +4,7 @@ Before=libvirtd.service
|
||||||
|
|
||||||
|
[Socket]
|
||||||
|
ListenStream=@localstatedir@/run/libvirt/virtlockd-admin-sock
|
||||||
|
-Server=virtlockd.service
|
||||||
|
+Service=virtlockd.service
|
||||||
|
|
||||||
|
[Install]
|
||||||
|
WantedBy=sockets.target
|
||||||
|
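Review bot: the change to "Service=virtlockd.service" matches the error quoted in the commit message, but the message does not say what the admin socket did while the key was misspelled, and nothing in this change would catch the next misspelled key before it ships. Suggest adding the observed runtime effect to the message and checking the generated .socket files at build time, for example with systemd-analyze verify.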
--
|
||||||
|
2.17.1
|
||||||
|
|
|
@ -0,0 +1,110 @@
|
||||||
|
From ce5aebeacd10a1c15cb3ee46a59c8b5ff235589e Mon Sep 17 00:00:00 2001
|
||||||
|
Message-Id: <ce5aebeacd10a1c15cb3ee46a59c8b5ff235589e.1530632895.git.crobinso@redhat.com>
|
||||||
|
From: Laine Stump <laine@laine.org>
|
||||||
|
Date: Wed, 25 Apr 2018 17:12:03 -0400
|
||||||
|
Subject: [PATCH] nwfilter: increase pcap buffer size to be compatible with
|
||||||
|
TPACKET_V3
|
||||||
|
|
||||||
|
When an nwfilter rule sets the parameter CTRL_IP_LEARNING to "dhcp",
|
||||||
|
this turns on the "dhcpsnoop" thread, which uses libpcap to monitor
|
||||||
|
traffic on the domain's tap device and extract the IP address from the
|
||||||
|
DHCP response.
|
||||||
|
|
||||||
|
If libpcap on the host is built with HAVE_TPACKET3 defined (to enable
|
||||||
|
support for TPACKET_V3), the dhcpsnoop code's initialization of the
|
||||||
|
libpcap socket would fail with the following error:
|
||||||
|
|
||||||
|
virNWFilterSnoopDHCPOpen:1134 : internal error: pcap_setfilter: can't remove kernel filter: Bad file descriptor
|
||||||
|
|
||||||
|
It turns out that this was because TPACKET_V3 requires a larger buffer
|
||||||
|
size than libvirt was setting (we were setting it to 128k). Changing
|
||||||
|
the buffer size to 256k eliminates the error, and the dhcpsnoop thread
|
||||||
|
once again works properly.
|
||||||
|
|
||||||
|
A fuller explanation of why TPACKET_V3 requires such a large buffer,
|
||||||
|
for future git spelunkers:
|
||||||
|
|
||||||
|
libpcap calls setsockopt(... SOL_PACKET, PACKET_RX_RING...) to setup a
|
||||||
|
ring buffer for receiving packets; two of the attributes sent to this
|
||||||
|
API are called tp_frame_size, and tp_frame_nr. If libpcap was built
|
||||||
|
with HAVE_TPACKET3 defined, tp_trame_size is set to MAXIMUM_SNAPLEN
|
||||||
|
(defined in libpcap sources as 262144) and tp_frame_nr is set to:
|
||||||
|
|
||||||
|
[the buffer size we set, i.e. PCAP_BUFFERSIZE i.e. 262144] / tp_frame_size.
|
||||||
|
|
||||||
|
So if PCAP_BUFFERSIZE < MAXIMUM_SNAPLEN, then tp_frame_nr (the number
|
||||||
|
of frames in the ring buffer) is 0, which is nonsensical. This same
|
||||||
|
value is later used as a multiplier to determine the size for a call
|
||||||
|
to malloc() (which would also fail).
|
||||||
|
|
||||||
|
(NB: if HAVE_TPACKET3 is *not* defined, then tp_frame_size is set to
|
||||||
|
the snaplen set by the user (in our case 576) plus a small amount to
|
||||||
|
account for ethernet headers, so 256k is far more than adequate)
|
||||||
|
|
||||||
|
Since the TPACKET_V3 code in libpcap actually reads multiple packets
|
||||||
|
into each frame, it's not a problem to have only a single frame
|
||||||
|
(especially when we are monitoring such infrequent traffic), so it's
|
||||||
|
okay to set this relatively small buffer size (in comparison to the
|
||||||
|
default, which is 2MB), which is important since every guest using
|
||||||
|
dhcp snooping in a nwfilter rule will hold 2 of these buffers for the
|
||||||
|
entire life of the guest.
|
||||||
|
|
||||||
|
Thanks to Christian Ehrhardt for discovering that buffer size was the
|
||||||
|
problem (this was not at all obvious from the error that was logged!)
|
||||||
|
|
||||||
|
Resolves: https://bugzilla.redhat.com/1547237
|
||||||
|
Fixes: https://bugs.launchpad.net/libvirt/+bug/1758037
|
||||||
|
|
||||||
|
Signed-off-by: Laine Stump <laine@laine.org>
|
||||||
|
Reviewed-by: Christian Ehrhardt <christian.ehrhardt@canonical.com> (V1)
|
||||||
|
Reviewed-by: John Ferlan <jferlan@redhat.com>
|
||||||
|
Tested-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
|
||||||
|
Signed-off-by: Cole Robinson <crobinso@redhat.com>
|
||||||
|
---
|
||||||
|
src/nwfilter/nwfilter_dhcpsnoop.c | 22 +++++++++++++++++++---
|
||||||
|
1 file changed, 19 insertions(+), 3 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/src/nwfilter/nwfilter_dhcpsnoop.c b/src/nwfilter/nwfilter_dhcpsnoop.c
|
||||||
|
index 6069e70460..50cfb944a2 100644
|
||||||
|
--- a/src/nwfilter/nwfilter_dhcpsnoop.c
|
||||||
|
+++ b/src/nwfilter/nwfilter_dhcpsnoop.c
|
||||||
|
@@ -256,10 +256,21 @@ struct _virNWFilterDHCPDecodeJob {
|
||||||
|
# define DHCP_BURST_INTERVAL_S 10 /* sec */
|
||||||
|
|
||||||
|
/*
|
||||||
|
- * libpcap 1.5 requires a 128kb buffer
|
||||||
|
- * 128 kb is bigger than (DHCP_PKT_BURST * PCAP_PBUFSIZE / 2)
|
||||||
|
+ * NB: Any libpcap built with HAVE_TPACKET3 will require
|
||||||
|
+ * PCAP_BUFFERSIZE to be at least 262144 (although
|
||||||
|
+ * pcap_set_buffer_size() with a lower value will succeed, and the
|
||||||
|
+ * error will only show up later when pcap_setfilter() is called).
|
||||||
|
+ *
|
||||||
|
+ * It is possible that in the future libpcap could increase the
|
||||||
|
+ * minimum size even further, but due to the fact that each guest
|
||||||
|
+ * using dhcp snooping keeps 2 pcap sockets open (and thus 2 buffers
|
||||||
|
+ * allocated) for the life of the guest, we want to minimize the
|
||||||
|
+ * length of the buffer, so instead of leaving it at the default size
|
||||||
|
+ * (2MB), we are setting it to the minimum viable size and including
|
||||||
|
+ * this clue in the source to help quickly resolve the problem when/if
|
||||||
|
+ * it reoccurs.
|
||||||
|
*/
|
||||||
|
-# define PCAP_BUFFERSIZE (128 * 1024)
|
||||||
|
+# define PCAP_BUFFERSIZE (256 * 1024)
|
||||||
|
|
||||||
|
# define MAX_QUEUED_JOBS (DHCP_PKT_BURST + 2 * DHCP_PKT_RATE)
|
||||||
|
|
||||||
|
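Review bot: "# define PCAP_BUFFERSIZE (256 * 1024)" is exactly the 262144 that the new comment gives as libpcap's minimum, so there is no margin and nothing in the source ties the two numbers together. The comment itself anticipates libpcap raising the minimum, in which case this fails again in the same non-obvious way. Suggest recording in the comment that the value must stay greater than or equal to libpcap's MAXIMUM_SNAPLEN (named in the commit message but not in the source comment), so the next reader knows which libpcap constant to compare against.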
@@ -1114,6 +1125,11 @@ virNWFilterSnoopDHCPOpen(const char *ifname, virMacAddr *mac,
|
||||||
|
goto cleanup_nohandle;
|
||||||
|
}
|
||||||
|
|
||||||
|
+ /* IMPORTANT: If there is any failure of *any* pcap_* function
|
||||||
|
+ * during setup of the socket, look to the comment where
|
||||||
|
+ * PCAP_BUFFERSIZE is defined. It may be too small, even if the
|
||||||
|
+ * generated error doesn't imply that.
|
||||||
|
+ */
|
||||||
|
if (pcap_set_snaplen(handle, PCAP_PBUFSIZE) < 0 ||
|
||||||
|
pcap_set_buffer_size(handle, PCAP_BUFFERSIZE) < 0 ||
|
||||||
|
pcap_activate(handle) < 0) {
|
||||||
|
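Review bot: this comment sits above the pcap_set_snaplen / pcap_set_buffer_size / pcap_activate chain, but per the commit message and the PCAP_BUFFERSIZE comment the undersized buffer is only reported later, by pcap_setfilter(). Someone reading the pcap_setfilter error path will not see the hint. Suggest repeating the pointer there, or including the PCAP_BUFFERSIZE value in the error that is logged when any pcap_* setup call fails.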
--
|
||||||
|
2.17.1
|
||||||
|
|
149
libvirt.spec
|
@ -6,11 +6,6 @@
|
||||||
%define min_rhel 6
|
%define min_rhel 6
|
||||||
%define min_fedora 26
|
%define min_fedora 26
|
||||||
|
|
||||||
# Fedora >= 28 default RPM linker flags set "-z defs" to refuse
|
|
||||||
# to link when there are undefined symbols. This breaks all of our
|
|
||||||
# dlopen()able plugins, so we must turn it off.
|
|
||||||
%undefine _strict_symbol_defs_build
|
|
||||||
|
|
||||||
%if (0%{?fedora} && 0%{?fedora} >= %{min_fedora}) || (0%{?rhel} && 0%{?rhel} >= %{min_rhel})
|
%if (0%{?fedora} && 0%{?fedora} >= %{min_fedora}) || (0%{?rhel} && 0%{?rhel} >= %{min_rhel})
|
||||||
%define supported_platform 1
|
%define supported_platform 1
|
||||||
%else
|
%else
|
||||||
|
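Review bot: dropping "%undefine _strict_symbol_defs_build" removes a workaround whose own comment says "-z defs" breaks all of the dlopen()able plugins, and none of the changelog entries added in this change mention it. Please note in the changelog why the opt-out is no longer needed with 4.1.0, and confirm that the plugin modules link on Fedora >= 28 with the default linker flags.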
@ -78,7 +73,7 @@
|
||||||
%define with_numactl 0%{!?_without_numactl:1}
|
%define with_numactl 0%{!?_without_numactl:1}
|
||||||
|
|
||||||
# F25+ has zfs-fuse
|
# F25+ has zfs-fuse
|
||||||
%if 0%{?fedora} >= 25
|
%if 0%{?fedora}
|
||||||
%define with_storage_zfs 0%{!?_without_storage_zfs:1}
|
%define with_storage_zfs 0%{!?_without_storage_zfs:1}
|
||||||
%else
|
%else
|
||||||
%define with_storage_zfs 0
|
%define with_storage_zfs 0
|
||||||
|
@ -148,6 +143,10 @@
|
||||||
%define with_libxl 0
|
%define with_libxl 0
|
||||||
%define with_hyperv 0
|
%define with_hyperv 0
|
||||||
%define with_vz 0
|
%define with_vz 0
|
||||||
|
|
||||||
|
%if 0%{?rhel} > 7
|
||||||
|
%define with_lxc 0
|
||||||
|
%endif
|
||||||
%endif
|
%endif
|
||||||
|
|
||||||
# Fedora 17 / RHEL-7 are first where we use systemd. Although earlier
|
# Fedora 17 / RHEL-7 are first where we use systemd. Although earlier
|
||||||
|
@ -168,7 +167,7 @@
|
||||||
%endif
|
%endif
|
||||||
|
|
||||||
# fuse is used to provide virtualized /proc for LXC
|
# fuse is used to provide virtualized /proc for LXC
|
||||||
%if 0%{?fedora} || 0%{?rhel} >= 7
|
%if %{with_lxc} && 0%{?rhel} != 6
|
||||||
%define with_fuse 0%{!?_without_fuse:1}
|
%define with_fuse 0%{!?_without_fuse:1}
|
||||||
%endif
|
%endif
|
||||||
|
|
||||||
|
@ -192,6 +191,11 @@
|
||||||
%if 0%{?fedora}
|
%if 0%{?fedora}
|
||||||
%define with_wireshark 0%{!?_without_wireshark:1}
|
%define with_wireshark 0%{!?_without_wireshark:1}
|
||||||
%endif
|
%endif
|
||||||
|
%if 0%{?fedora} || 0%{?rhel} > 7
|
||||||
|
%define wireshark_plugindir %(pkg-config --variable plugindir wireshark)
|
||||||
|
%else
|
||||||
|
%define wireshark_plugindir %{_libdir}/wireshark/plugins
|
||||||
|
%endif
|
||||||
|
|
||||||
# Enable libssh transport for new enough distros
|
# Enable libssh transport for new enough distros
|
||||||
%if 0%{?fedora}
|
%if 0%{?fedora}
|
||||||
|
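Review bot: "%define wireshark_plugindir %(pkg-config --variable plugindir wireshark)" is not guarded by with_wireshark, and %(...) is expanded when the spec is parsed, so the shell-out runs on every Fedora and RHEL > 7 parse, including ones where the wireshark development files are not installed. If pkg-config prints nothing the macro is empty, and "%{wireshark_plugindir}/libvirt.so" in the wireshark file list becomes /libvirt.so. Suggest moving the definition inside "%if %{with_wireshark}" and failing the build when the value is empty.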
@ -238,29 +242,34 @@
|
||||||
%define enable_werror --disable-werror
|
%define enable_werror --disable-werror
|
||||||
%endif
|
%endif
|
||||||
|
|
||||||
%if 0%{?fedora} >= 25
|
%if 0%{?fedora}
|
||||||
%define tls_priority "@LIBVIRT,SYSTEM"
|
%define tls_priority "@LIBVIRT,SYSTEM"
|
||||||
%else
|
%else
|
||||||
%if 0%{?fedora}
|
%define tls_priority "NORMAL"
|
||||||
%define tls_priority "@SYSTEM"
|
|
||||||
%else
|
|
||||||
%define tls_priority "NORMAL"
|
|
||||||
%endif
|
|
||||||
%endif
|
%endif
|
||||||
|
|
||||||
|
|
||||||
Summary: Library providing a simple virtualization API
|
Summary: Library providing a simple virtualization API
|
||||||
Name: libvirt
|
Name: libvirt
|
||||||
Version: 4.0.0
|
Version: 4.1.0
|
||||||
Release: 2%{?dist}%{?extra_release}
|
Release: 4%{?dist}%{?extra_release}
|
||||||
License: LGPLv2+
|
License: LGPLv2+
|
||||||
Group: Development/Libraries
|
Group: Development/Libraries
|
||||||
|
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
|
||||||
URL: https://libvirt.org/
|
URL: https://libvirt.org/
|
||||||
|
|
||||||
%if %(echo %{version} | grep -q "\.0$"; echo $?) == 1
|
%if %(echo %{version} | grep -q "\.0$"; echo $?) == 1
|
||||||
%define mainturl stable_updates/
|
%define mainturl stable_updates/
|
||||||
%endif
|
%endif
|
||||||
Source: https://libvirt.org/sources/%{?mainturl}libvirt-%{version}.tar.xz
|
Source: https://libvirt.org/sources/%{?mainturl}libvirt-%{version}.tar.xz
|
||||||
|
Patch1: 0001-tests-force-use-of-NORMAL-TLS-priority-in-test-suite.patch
|
||||||
|
Patch2: 0001-cpu-define-the-ssbd-CPUID-feature-bit-CVE-2018-3639.patch
|
||||||
|
Patch3: 0002-cpu-define-the-virt-ssbd-CPUID-feature-bit-CVE-2018-.patch
|
||||||
|
# Fix virtlockd-admin.socket syntax (bz #1586239)
|
||||||
|
Patch5: 0004-lockd-fix-typo-in-virtlockd-admin.socket.patch
|
||||||
|
# nwfilter: increase pcap buffer size to be compatible with TPACKET_V3 (bz
|
||||||
|
# #1547237)
|
||||||
|
Patch4: 0005-nwfilter-increase-pcap-buffer-size-to-be-compatible-.patch
|
||||||
|
|
||||||
Requires: libvirt-daemon = %{version}-%{release}
|
Requires: libvirt-daemon = %{version}-%{release}
|
||||||
Requires: libvirt-daemon-config-network = %{version}-%{release}
|
Requires: libvirt-daemon-config-network = %{version}-%{release}
|
||||||
|
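Review bot: the Patch tags are out of step with the files they name: "Patch5:" points at 0004-lockd-fix-typo-in-virtlockd-admin.socket.patch, "Patch4:" at 0005-nwfilter-..., Patch5 is listed before Patch4, and two files carry the 0001- prefix. The two patches touch different files (src/locking and src/nwfilter), so the order is harmless here, but the mismatch invites mistakes on the next backport. Suggest numbering the tags in listed order and matching the file prefixes. Separately, the "%if 0%{?fedora}" simplification drops the "@SYSTEM" tls_priority branch; that is only dead code because min_fedora is 26, which is worth a word in the changelog.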
@ -303,7 +312,7 @@ BuildRequires: libtool
|
||||||
BuildRequires: /usr/bin/pod2man
|
BuildRequires: /usr/bin/pod2man
|
||||||
%endif
|
%endif
|
||||||
BuildRequires: git
|
BuildRequires: git
|
||||||
%if 0%{?fedora} >= 27
|
%if 0%{?fedora} >= 27 || 0%{?rhel} > 7
|
||||||
BuildRequires: perl-interpreter
|
BuildRequires: perl-interpreter
|
||||||
%else
|
%else
|
||||||
BuildRequires: perl
|
BuildRequires: perl
|
||||||
|
@ -455,11 +464,7 @@ BuildRequires: numad
|
||||||
%endif
|
%endif
|
||||||
|
|
||||||
%if %{with_wireshark}
|
%if %{with_wireshark}
|
||||||
%if 0%{fedora} >= 24
|
|
||||||
BuildRequires: wireshark-devel >= 2.1.0
|
BuildRequires: wireshark-devel >= 2.1.0
|
||||||
%else
|
|
||||||
BuildRequires: wireshark-devel >= 1.12.1
|
|
||||||
%endif
|
|
||||||
%endif
|
%endif
|
||||||
|
|
||||||
%if %{with_libssh}
|
%if %{with_libssh}
|
||||||
|
@ -803,7 +808,7 @@ Requires: gzip
|
||||||
Requires: bzip2
|
Requires: bzip2
|
||||||
Requires: lzop
|
Requires: lzop
|
||||||
Requires: xz
|
Requires: xz
|
||||||
%if 0%{?fedora} >= 24
|
%if 0%{?fedora} || 0%{?rhel} > 7
|
||||||
Requires: systemd-container
|
Requires: systemd-container
|
||||||
%endif
|
%endif
|
||||||
|
|
||||||
|
@ -821,7 +826,7 @@ Group: Development/Libraries
|
||||||
Requires: libvirt-daemon = %{version}-%{release}
|
Requires: libvirt-daemon = %{version}-%{release}
|
||||||
# There really is a hard cross-driver dependency here
|
# There really is a hard cross-driver dependency here
|
||||||
Requires: libvirt-daemon-driver-network = %{version}-%{release}
|
Requires: libvirt-daemon-driver-network = %{version}-%{release}
|
||||||
%if 0%{?fedora} >= 24
|
%if 0%{?fedora} || 0%{?rhel} > 7
|
||||||
Requires: systemd-container
|
Requires: systemd-container
|
||||||
%endif
|
%endif
|
||||||
|
|
||||||
|
@ -1026,6 +1031,9 @@ Requires: gnutls-utils
|
||||||
# Needed for probing the power management features of the host.
|
# Needed for probing the power management features of the host.
|
||||||
Requires: pm-utils
|
Requires: pm-utils
|
||||||
%endif
|
%endif
|
||||||
|
%if %{with_bash_completion}
|
||||||
|
Requires: %{name}-bash-completion = %{version}-%{release}
|
||||||
|
%endif
|
||||||
|
|
||||||
%description client
|
%description client
|
||||||
The client binaries needed to access the virtualization
|
The client binaries needed to access the virtualization
|
||||||
|
@ -1050,10 +1058,22 @@ Summary: Set of tools to control libvirt daemon
|
||||||
Group: Development/Libraries
|
Group: Development/Libraries
|
||||||
Requires: %{name}-libs = %{version}-%{release}
|
Requires: %{name}-libs = %{version}-%{release}
|
||||||
Requires: readline
|
Requires: readline
|
||||||
|
%if %{with_bash_completion}
|
||||||
|
Requires: %{name}-bash-completion = %{version}-%{release}
|
||||||
|
%endif
|
||||||
|
|
||||||
%description admin
|
%description admin
|
||||||
The client side utilities to control the libvirt daemon.
|
The client side utilities to control the libvirt daemon.
|
||||||
|
|
||||||
|
%if %{with_bash_completion}
|
||||||
|
%package bash-completion
|
||||||
|
Summary: Bash completion script
|
||||||
|
Group: Development/Libraries
|
||||||
|
|
||||||
|
%description bash-completion
|
||||||
|
Bash completion script stub.
|
||||||
|
%endif
|
||||||
|
|
||||||
%if %{with_wireshark}
|
%if %{with_wireshark}
|
||||||
%package wireshark
|
%package wireshark
|
||||||
Summary: Wireshark dissector plugin for libvirt RPC transactions
|
Summary: Wireshark dissector plugin for libvirt RPC transactions
|
||||||
|
@ -1176,8 +1196,10 @@ exit 1
|
||||||
|
|
||||||
%if %{with_lxc}
|
%if %{with_lxc}
|
||||||
%define arg_lxc --with-lxc
|
%define arg_lxc --with-lxc
|
||||||
|
%define arg_login_shell --with-login-shell
|
||||||
%else
|
%else
|
||||||
%define arg_lxc --without-lxc
|
%define arg_lxc --without-lxc
|
||||||
|
%define arg_login_shell --without-login-shell
|
||||||
%endif
|
%endif
|
||||||
|
|
||||||
%if %{with_vbox}
|
%if %{with_vbox}
|
||||||
|
@ -1387,7 +1409,8 @@ rm -f po/stamp-po
|
||||||
%{?arg_loader_nvram} \
|
%{?arg_loader_nvram} \
|
||||||
%{?enable_werror} \
|
%{?enable_werror} \
|
||||||
--enable-expensive-tests \
|
--enable-expensive-tests \
|
||||||
%{arg_init_script}
|
%{arg_init_script} \
|
||||||
|
%{?arg_login_shell}
|
||||||
make %{?_smp_mflags} V=1
|
make %{?_smp_mflags} V=1
|
||||||
gzip -9 ChangeLog
|
gzip -9 ChangeLog
|
||||||
|
|
||||||
|
@ -1412,13 +1435,7 @@ rm -f $RPM_BUILD_ROOT%{_libdir}/libvirt/connection-driver/*.a
|
||||||
rm -f $RPM_BUILD_ROOT%{_libdir}/libvirt/storage-backend/*.la
|
rm -f $RPM_BUILD_ROOT%{_libdir}/libvirt/storage-backend/*.la
|
||||||
rm -f $RPM_BUILD_ROOT%{_libdir}/libvirt/storage-backend/*.a
|
rm -f $RPM_BUILD_ROOT%{_libdir}/libvirt/storage-backend/*.a
|
||||||
%if %{with_wireshark}
|
%if %{with_wireshark}
|
||||||
%if 0%{fedora} >= 24
|
rm -f $RPM_BUILD_ROOT%{wireshark_plugindir}/libvirt.la
|
||||||
rm -f $RPM_BUILD_ROOT%{_libdir}/wireshark/plugins/libvirt.la
|
|
||||||
%else
|
|
||||||
rm -f $RPM_BUILD_ROOT%{_libdir}/wireshark/plugins/*/libvirt.la
|
|
||||||
mv $RPM_BUILD_ROOT%{_libdir}/wireshark/plugins/*/libvirt.so \
|
|
||||||
$RPM_BUILD_ROOT%{_libdir}/wireshark/plugins/libvirt.so
|
|
||||||
%endif
|
|
||||||
%endif
|
%endif
|
||||||
|
|
||||||
install -d -m 0755 $RPM_BUILD_ROOT%{_datadir}/lib/libvirt/dnsmasq/
|
install -d -m 0755 $RPM_BUILD_ROOT%{_datadir}/lib/libvirt/dnsmasq/
|
||||||
|
@ -1483,6 +1500,9 @@ mv $RPM_BUILD_ROOT%{_datadir}/systemtap/tapset/libvirt_qemu_probes.stp \
|
||||||
$RPM_BUILD_ROOT%{_datadir}/systemtap/tapset/libvirt_qemu_probes-64.stp
|
$RPM_BUILD_ROOT%{_datadir}/systemtap/tapset/libvirt_qemu_probes-64.stp
|
||||||
%endif
|
%endif
|
||||||
|
|
||||||
|
%clean
|
||||||
|
rm -fr %{buildroot}
|
||||||
|
|
||||||
%check
|
%check
|
||||||
cd tests
|
cd tests
|
||||||
# These tests don't current work in a mock build root
|
# These tests don't current work in a mock build root
|
||||||
|
@ -1511,13 +1531,17 @@ exit 0
|
||||||
|
|
||||||
%if %{with_systemd}
|
%if %{with_systemd}
|
||||||
%if %{with_systemd_macros}
|
%if %{with_systemd_macros}
|
||||||
%systemd_post virtlockd.socket virtlogd.socket libvirtd.service
|
%systemd_post virtlockd.socket virtlockd-admin.socket
|
||||||
|
%systemd_post virtlogd.socket virtlogd-admin.socket
|
||||||
|
%systemd_post libvirtd.service
|
||||||
%else
|
%else
|
||||||
if [ $1 -eq 1 ] ; then
|
if [ $1 -eq 1 ] ; then
|
||||||
# Initial installation
|
# Initial installation
|
||||||
/bin/systemctl enable \
|
/bin/systemctl enable \
|
||||||
virtlockd.socket \
|
virtlockd.socket \
|
||||||
|
virtlockd-admin.socket \
|
||||||
virtlogd.socket \
|
virtlogd.socket \
|
||||||
|
virtlogd-admin.socket \
|
||||||
libvirtd.service >/dev/null 2>&1 || :
|
libvirtd.service >/dev/null 2>&1 || :
|
||||||
fi
|
fi
|
||||||
%endif
|
%endif
|
||||||
|
@ -1544,21 +1568,27 @@ touch %{_localstatedir}/lib/rpm-state/libvirt/restart || :
|
||||||
%preun daemon
|
%preun daemon
|
||||||
%if %{with_systemd}
|
%if %{with_systemd}
|
||||||
%if %{with_systemd_macros}
|
%if %{with_systemd_macros}
|
||||||
%systemd_preun libvirtd.service virtlogd.socket virtlogd.service virtlockd.socket virtlockd.service
|
%systemd_preun libvirtd.service
|
||||||
|
%systemd_preun virtlogd.socket virtlogd-admin.socket virtlogd.service
|
||||||
|
%systemd_preun virtlockd.socket virtlockd-admin.socket virtlockd.service
|
||||||
%else
|
%else
|
||||||
if [ $1 -eq 0 ] ; then
|
if [ $1 -eq 0 ] ; then
|
||||||
# Package removal, not upgrade
|
# Package removal, not upgrade
|
||||||
/bin/systemctl --no-reload disable \
|
/bin/systemctl --no-reload disable \
|
||||||
libvirtd.service \
|
libvirtd.service \
|
||||||
virtlogd.socket \
|
virtlogd.socket \
|
||||||
|
virtlogd-admin.socket \
|
||||||
virtlogd.service \
|
virtlogd.service \
|
||||||
virtlockd.socket \
|
virtlockd.socket \
|
||||||
|
virtlockd-admin.socket \
|
||||||
virtlockd.service > /dev/null 2>&1 || :
|
virtlockd.service > /dev/null 2>&1 || :
|
||||||
/bin/systemctl stop \
|
/bin/systemctl stop \
|
||||||
libvirtd.service \
|
libvirtd.service \
|
||||||
virtlogd.socket \
|
virtlogd.socket \
|
||||||
|
virtlogd-admin.socket \
|
||||||
virtlogd.service \
|
virtlogd.service \
|
||||||
virtlockd.socket \
|
virtlockd.socket \
|
||||||
|
virtlockd-admin.socket \
|
||||||
virtlockd.service > /dev/null 2>&1 || :
|
virtlockd.service > /dev/null 2>&1 || :
|
||||||
fi
|
fi
|
||||||
%endif
|
%endif
|
||||||
|
@ -1587,15 +1617,6 @@ if [ $1 -ge 1 ]; then
|
||||||
fi
|
fi
|
||||||
%endif
|
%endif
|
||||||
|
|
||||||
%if %{with_systemd}
|
|
||||||
%else
|
|
||||||
%triggerpostun daemon -- libvirt-daemon < 1.2.1
|
|
||||||
if [ "$1" -ge "1" ]; then
|
|
||||||
/sbin/service virtlockd reload > /dev/null 2>&1 || :
|
|
||||||
/sbin/service virtlogd reload > /dev/null 2>&1 || :
|
|
||||||
fi
|
|
||||||
%endif
|
|
||||||
|
|
||||||
# In upgrade scenario we must explicitly enable virtlockd/virtlogd
|
# In upgrade scenario we must explicitly enable virtlockd/virtlogd
|
||||||
# sockets, if libvirtd is already enabled and start them if
|
# sockets, if libvirtd is already enabled and start them if
|
||||||
# libvirtd is running, otherwise you'll get failures to start
|
# libvirtd is running, otherwise you'll get failures to start
|
||||||
|
@ -1603,15 +1624,17 @@ fi
|
||||||
%triggerpostun daemon -- libvirt-daemon < 1.3.0
|
%triggerpostun daemon -- libvirt-daemon < 1.3.0
|
||||||
if [ $1 -ge 1 ] ; then
|
if [ $1 -ge 1 ] ; then
|
||||||
%if %{with_systemd}
|
%if %{with_systemd}
|
||||||
/bin/systemctl is-enabled libvirtd.service 1>/dev/null 2>&1 &&
|
/bin/systemctl is-enabled libvirtd.service 1>/dev/null 2>&1 &&
|
||||||
/bin/systemctl enable virtlogd.socket || :
|
/bin/systemctl enable virtlogd.socket virtlogd-admin.socket || :
|
||||||
/bin/systemctl is-active libvirtd.service 1>/dev/null 2>&1 &&
|
/bin/systemctl is-active libvirtd.service 1>/dev/null 2>&1 &&
|
||||||
/bin/systemctl start virtlogd.socket || :
|
/bin/systemctl start virtlogd.socket virtlogd-admin.socket || :
|
||||||
%else
|
%else
|
||||||
/sbin/chkconfig libvirtd 1>/dev/null 2>&1 &&
|
/sbin/chkconfig libvirtd 1>/dev/null 2>&1 &&
|
||||||
/sbin/chkconfig virtlogd on || :
|
/sbin/chkconfig virtlogd on || :
|
||||||
/sbin/service libvirtd status 1>/dev/null 2>&1 &&
|
/sbin/service libvirtd status 1>/dev/null 2>&1 &&
|
||||||
/sbin/service virtlogd start || :
|
/sbin/service virtlogd start || :
|
||||||
|
/sbin/service virtlockd reload > /dev/null 2>&1 || :
|
||||||
|
/sbin/service virtlogd reload > /dev/null 2>&1 || :
|
||||||
%endif
|
%endif
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
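Review bot: the comment above this trigger says the virtlockd and virtlogd sockets must both be enabled and started on upgrade, but the systemd branch only handles "virtlogd.socket virtlogd-admin.socket"; virtlockd.socket and the new virtlockd-admin.socket are not touched. The two "/sbin/service ... reload" lines added to the non-systemd branch come from the removed "libvirt-daemon < 1.2.1" trigger and now run for any upgrade from below 1.3.0. Suggest either extending the systemctl lines to the virtlockd sockets or correcting the comment, and noting the widened reload condition.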
@ -1811,14 +1834,15 @@ exit 0
|
||||||
%{_unitdir}/virt-guest-shutdown.target
|
%{_unitdir}/virt-guest-shutdown.target
|
||||||
%{_unitdir}/virtlogd.service
|
%{_unitdir}/virtlogd.service
|
||||||
%{_unitdir}/virtlogd.socket
|
%{_unitdir}/virtlogd.socket
|
||||||
|
%{_unitdir}/virtlogd-admin.socket
|
||||||
%{_unitdir}/virtlockd.service
|
%{_unitdir}/virtlockd.service
|
||||||
%{_unitdir}/virtlockd.socket
|
%{_unitdir}/virtlockd.socket
|
||||||
|
%{_unitdir}/virtlockd-admin.socket
|
||||||
%else
|
%else
|
||||||
%{_sysconfdir}/rc.d/init.d/libvirtd
|
%{_sysconfdir}/rc.d/init.d/libvirtd
|
||||||
%{_sysconfdir}/rc.d/init.d/virtlogd
|
%{_sysconfdir}/rc.d/init.d/virtlogd
|
||||||
%{_sysconfdir}/rc.d/init.d/virtlockd
|
%{_sysconfdir}/rc.d/init.d/virtlockd
|
||||||
%endif
|
%endif
|
||||||
%doc daemon/libvirtd.upstart
|
|
||||||
%config(noreplace) %{_sysconfdir}/sysconfig/libvirtd
|
%config(noreplace) %{_sysconfdir}/sysconfig/libvirtd
|
||||||
%config(noreplace) %{_sysconfdir}/sysconfig/virtlogd
|
%config(noreplace) %{_sysconfdir}/sysconfig/virtlogd
|
||||||
%config(noreplace) %{_sysconfdir}/sysconfig/virtlockd
|
%config(noreplace) %{_sysconfdir}/sysconfig/virtlockd
|
||||||
|
@ -2065,7 +2089,7 @@ exit 0
|
||||||
%{_datadir}/systemtap/tapset/libvirt_functions.stp
|
%{_datadir}/systemtap/tapset/libvirt_functions.stp
|
||||||
|
|
||||||
%if %{with_bash_completion}
|
%if %{with_bash_completion}
|
||||||
%{_datadir}/bash-completion/completions/vsh
|
%{_datadir}/bash-completion/completions/virsh
|
||||||
%endif
|
%endif
|
||||||
|
|
||||||
|
|
||||||
|
@ -2117,11 +2141,18 @@ exit 0
|
||||||
%files admin
|
%files admin
|
||||||
%{_mandir}/man1/virt-admin.1*
|
%{_mandir}/man1/virt-admin.1*
|
||||||
%{_bindir}/virt-admin
|
%{_bindir}/virt-admin
|
||||||
|
%if %{with_bash_completion}
|
||||||
|
%{_datadir}/bash-completion/completions/virt-admin
|
||||||
|
%endif
|
||||||
|
|
||||||
|
%if %{with_bash_completion}
|
||||||
|
%files bash-completion
|
||||||
|
%{_datadir}/bash-completion/completions/vsh
|
||||||
|
%endif
|
||||||
|
|
||||||
%if %{with_wireshark}
|
%if %{with_wireshark}
|
||||||
%files wireshark
|
%files wireshark
|
||||||
%{_libdir}/wireshark/plugins/libvirt.so
|
%{wireshark_plugindir}/libvirt.so
|
||||||
%endif
|
%endif
|
||||||
|
|
||||||
%files nss
|
%files nss
|
||||||
|
@ -2173,6 +2204,20 @@ exit 0
|
||||||
|
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Tue Jul 03 2018 Cole Robinson <crobinso@redhat.com> - 4.1.0-4
|
||||||
|
- Fix virtlockd-admin.socket syntax (bz #1586239)
|
||||||
|
- nwfilter: increase pcap buffer size to be compatible with TPACKET_V3 (bz
|
||||||
|
#1547237)
|
||||||
|
|
||||||
|
* Mon Jun 18 2018 Daniel P. Berrangé <berrange@redhat.com> - 4.1.0-3
|
||||||
|
- Add new CPU features for speculative store bypass (CVE-2018-3639)
|
||||||
|
|
||||||
|
* Wed Mar 21 2018 Daniel P. Berrangé <berrange@redhat.com> - 4.1.0-2
|
||||||
|
- Fix systemd macro argument with line continuations (rhbz#1558648)
|
||||||
|
|
||||||
|
* Mon Mar 5 2018 Daniel Berrange <berrange@redhat.com> - 4.1.0-1
|
||||||
|
- Rebase to version 4.1.0
|
||||||
|
|
||||||
* Wed Feb 07 2018 Fedora Release Engineering <releng@fedoraproject.org> - 4.0.0-2
|
* Wed Feb 07 2018 Fedora Release Engineering <releng@fedoraproject.org> - 4.0.0-2
|
||||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
|
||||||
|
|
||||||
|
|
2
sources
|
@ -1 +1 @@
|
||||||
SHA512 (libvirt-4.0.0.tar.xz) = c99ea305f427859eb070b5f0c43de48645a5c53a2aa8efc60f54f278ec3fa0b504307861309e1852f8d7bff4436afe00c859aac27691366a0c36c91341cea7a1
|
SHA512 (libvirt-4.1.0.tar.xz) = 62d1a228adf3270cc6defe3cbf92dac8c4ce2c434c4d97219571ccef799a4f6304cfd1ba9938338356641285f53ac71145d7b398523021c5ea1dc8e3d49cf894
|
||||||
|
|