2006-09-21 15:24:37 +00:00
|
|
|
# -*- rpm-spec -*-
|
|
|
|
|
2016-10-19 16:49:17 +02:00
|
|
|
# This spec file assumes you are building on a Fedora or RHEL version
|
2018-01-11 16:30:03 +00:00
|
|
|
# that's still supported by the vendor. It may work on other distros
|
|
|
|
# or versions, but no effort will be made to ensure that going forward.
|
2018-07-20 11:50:01 +01:00
|
|
|
%define min_rhel 7
|
2019-05-07 12:10:58 +02:00
|
|
|
%define min_fedora 29
|
2018-01-11 16:30:03 +00:00
|
|
|
|
|
|
|
%if (0%{?fedora} && 0%{?fedora} >= %{min_fedora}) || (0%{?rhel} && 0%{?rhel} >= %{min_rhel})
|
2016-05-11 20:03:57 +02:00
|
|
|
%define supported_platform 1
|
2016-05-04 15:43:08 +01:00
|
|
|
%else
|
2016-05-11 20:03:57 +02:00
|
|
|
%define supported_platform 0
|
2011-03-16 11:50:44 -06:00
|
|
|
%endif
|
|
|
|
|
2011-12-05 10:22:10 -07:00
|
|
|
# Default to skipping autoreconf. Distros can change just this one line
|
|
|
|
# (or provide a command-line override) if they backport any patches that
|
|
|
|
# touch configure.ac or Makefile.am.
|
2015-09-22 15:56:50 -04:00
|
|
|
%{!?enable_autotools:%global enable_autotools 0}
|
2011-12-05 10:22:10 -07:00
|
|
|
|
2016-05-04 16:21:42 +01:00
|
|
|
# The hypervisor drivers that run in libvirtd
|
2016-05-04 15:44:57 +01:00
|
|
|
%define with_qemu 0%{!?_without_qemu:1}
|
|
|
|
%define with_lxc 0%{!?_without_lxc:1}
|
|
|
|
%define with_libxl 0%{!?_without_libxl:1}
|
|
|
|
%define with_vbox 0%{!?_without_vbox:1}
|
2009-09-16 16:02:38 +01:00
|
|
|
|
2012-04-03 11:54:27 +01:00
|
|
|
%define with_qemu_tcg %{with_qemu}
|
2014-07-17 15:48:37 +02:00
|
|
|
|
|
|
|
%define qemu_kvm_arches %{ix86} x86_64
|
|
|
|
|
|
|
|
%if 0%{?fedora}
|
2016-05-04 15:43:08 +01:00
|
|
|
%define qemu_kvm_arches %{ix86} x86_64 %{power64} s390x %{arm} aarch64
|
2014-07-17 15:48:37 +02:00
|
|
|
%endif
|
|
|
|
|
|
|
|
%if 0%{?rhel}
|
|
|
|
%define with_qemu_tcg 0
|
2018-07-20 11:50:01 +01:00
|
|
|
%define qemu_kvm_arches x86_64 %{power64} aarch64 s390x
|
2012-11-16 18:50:20 +01:00
|
|
|
%endif
|
|
|
|
|
|
|
|
%ifarch %{qemu_kvm_arches}
|
2013-01-09 13:50:03 -07:00
|
|
|
%define with_qemu_kvm %{with_qemu}
|
2012-04-03 11:54:27 +01:00
|
|
|
%else
|
2013-01-09 13:50:03 -07:00
|
|
|
%define with_qemu_kvm 0
|
2012-04-03 11:54:27 +01:00
|
|
|
%endif
|
|
|
|
|
2014-07-17 15:48:37 +02:00
|
|
|
%if ! %{with_qemu_tcg} && ! %{with_qemu_kvm}
|
|
|
|
%define with_qemu 0
|
|
|
|
%endif
|
|
|
|
|
2012-04-03 12:05:32 +01:00
|
|
|
# Then the hypervisor drivers that run outside libvirtd, in libvirt.so
|
|
|
|
%define with_openvz 0%{!?_without_openvz:1}
|
|
|
|
%define with_vmware 0%{!?_without_vmware:1}
|
2009-09-16 16:02:38 +01:00
|
|
|
%define with_phyp 0%{!?_without_phyp:1}
|
|
|
|
%define with_esx 0%{!?_without_esx:1}
|
2011-07-13 16:05:18 +02:00
|
|
|
%define with_hyperv 0%{!?_without_hyperv:1}
|
2009-09-16 16:02:38 +01:00
|
|
|
|
2012-04-03 12:05:32 +01:00
|
|
|
# Then the secondary host drivers, which run inside libvirtd
|
2018-07-20 11:50:01 +01:00
|
|
|
%define with_storage_rbd 0%{!?_without_storage_rbd:1}
|
2016-05-04 15:43:08 +01:00
|
|
|
%if 0%{?fedora}
|
2016-05-04 15:44:57 +01:00
|
|
|
%define with_storage_sheepdog 0%{!?_without_storage_sheepdog:1}
|
2012-07-18 20:06:58 +01:00
|
|
|
%else
|
2013-01-09 13:50:03 -07:00
|
|
|
%define with_storage_sheepdog 0
|
2012-07-18 20:06:58 +01:00
|
|
|
%endif
|
2016-05-04 15:44:57 +01:00
|
|
|
%define with_storage_gluster 0%{!?_without_storage_gluster:1}
|
|
|
|
%define with_numactl 0%{!?_without_numactl:1}
|
2009-09-16 16:02:38 +01:00
|
|
|
|
2017-07-17 11:32:46 -04:00
|
|
|
# F25+ has zfs-fuse
|
2018-02-09 14:02:00 +01:00
|
|
|
%if 0%{?fedora}
|
2017-07-17 11:32:46 -04:00
|
|
|
%define with_storage_zfs 0%{!?_without_storage_zfs:1}
|
|
|
|
%else
|
|
|
|
%define with_storage_zfs 0
|
|
|
|
%endif
|
|
|
|
|
2018-08-14 14:31:35 +02:00
|
|
|
# We need a recent enough libiscsi (>= 1.18.0)
|
2018-11-08 13:10:14 +01:00
|
|
|
%if 0%{?fedora} || 0%{?rhel} > 7
|
2018-08-14 14:31:35 +02:00
|
|
|
%define with_storage_iscsi_direct 0%{!?_without_storage_iscsi_direct:1}
|
|
|
|
%else
|
|
|
|
%define with_storage_iscsi_direct 0
|
|
|
|
%endif
|
|
|
|
|
2009-09-16 16:02:38 +01:00
|
|
|
# A few optional bits off by default, we enable later
|
2012-11-12 15:02:23 +08:00
|
|
|
%define with_fuse 0%{!?_without_fuse:0}
|
2011-01-18 18:37:45 +00:00
|
|
|
%define with_sanlock 0%{!?_without_sanlock:0}
|
2012-03-24 09:35:20 +08:00
|
|
|
%define with_numad 0%{!?_without_numad:0}
|
network: use firewalld instead of iptables, when available
* configure.ac, spec file: firewalld defaults to enabled if dbus is
available, otherwise is disabled. If --with_firewalld is explicitly
requested and dbus is not available, configure will fail.
* bridge_driver: add dbus filters to get the FirewallD1.Reloaded
signal and DBus.NameOwnerChanged on org.fedoraproject.FirewallD1.
When these are encountered, reload all the iptables reuls of all
libvirt's virtual networks (similar to what happens when libvirtd is
restarted).
* iptables, ebtables: use firewall-cmd's direct passthrough interface
when available, otherwise use iptables and ebtables commands. This
decision is made once the first time libvirt calls
iptables/ebtables, and that decision is maintained for the life of
libvirtd.
* Note that the nwfilter part of this patch was separated out into
another patch by Stefan in V2, so that needs to be revised and
re-reviewed as well.
================
All the configure.ac and specfile changes are unchanged from Thomas'
V3.
V3 re-ran "firewall-cmd --state" every time a new rule was added,
which was extremely inefficient. V4 uses VIR_ONCE_GLOBAL_INIT to set
up a one-time initialization function.
The VIR_ONCE_GLOBAL_INIT(x) macro references a static function called
vir(Ip|Eb)OnceInit(), which will then be called the first time that
the static function vir(Ip|Eb)TablesInitialize() is called (that
function is defined for you by the macro). This is
thread-safe, so there is no chance of any race.
IMPORTANT NOTE: I've left the VIR_DEBUG messages in these two init
functions (one for iptables, on for ebtables) as VIR_WARN so that I
don't have to turn on all the other debug message just to see
these. Even if this patch doesn't need any other modification, those
messages need to be changed to VIR_DEBUG before pushing.
This one-time initialization works well. However, I've encountered
problems with testing:
1) Whenever I have enabled the firewalld service, *all* attempts to
call firewall-cmd from within libvirtd end with firewall-cmd hanging
internally somewhere. This is *not* the case if firewall-cmd returns
non-0 in response to "firewall-cmd --state" (i.e. *that* command runs
and returns to libvirt successfully.)
2) If I start libvirtd while firewalld is stopped, then start
firewalld later, this triggers libvirtd to reload its iptables rules,
however it also spits out a *ton* of complaints about deletion failing
(I suppose because firewalld has nuked all of libvirt's rules). I
guess we need to suppress those messages (which is a more annoying
problem to fix than you might think, but that's another story).
3) I noticed a few times during this long line of errors that
firewalld made a complaint about "Resource Temporarily
unavailable. Having libvirtd access iptables commands directly at the
same time as firewalld is doing so is apparently problematic.
4) In general, I'm concerned about the "set it once and never change
it" method - if firewalld is disabled at libvirtd startup, causing
libvirtd to always use iptables/ebtables directly, this won't cause
*terrible* problems, but if libvirtd decides to use firewall-cmd and
firewalld is later disabled, libvirtd will not be able to recover.
2012-08-14 20:59:52 +02:00
|
|
|
%define with_firewalld 0%{!?_without_firewalld:0}
|
configure: selectively install a firewalld 'libvirt' zone
In the past (when both libvirt and firewalld used iptables), if either
libvirt's rules *OR* firewalld's rules accepted a packet, it would
be accepted. This was because libvirt and firewalld rules were
processed during the same kernel hook, and a single ACCEPT result
would terminate the rule traversal and cause the packet to be
accepted.
But now firewalld can use nftables for its backend, while libvirt's
firewall rules are still using iptables; iptables rules are still
processed, but at a different time during packet processing
(i.e. during a different hook) than the firewalld nftables rules. The
result is that a packet must be accepted by *BOTH* the libvirt
iptables rules *AND* the firewalld nftable rules in order to be
accepted.
This causes pain because
1) libvirt always adds rules to permit DNS and DHCP (and sometimes
TFTP) from guests to the host network's bridge interface. But
libvirt's bridges are in firewalld's "default" zone (which is usually
the zone called "public"). The public zone allows ssh, but doesn't
allow DNS, DHCP, or TFTP. So even though libvirt's rules allow the
DHCP and DNS traffic, the firewalld rules (now processed during a
different hook) dont, thus guests connected to libvirt's bridges can't
acquire an IP address from DHCP, nor can they make DNS queries to the
DNS server libvirt has setup on the host. (This could be solved by
modifying the default firewalld zone to allow DNS and DHCP, but that
would open *all* interfaces in the default zone to those services,
which is most likely not what the host's admin wants.)
2) Even though libvirt adds iptables rules to allow forwarded traffic
to pass the iptables hook, firewalld's higher level "rich rules" don't
yet have the ability to configure the acceptance of forwarded traffic
(traffic that is going somewhere beyond the host), so any traffic that
needs to be forwarded from guests to the network beyond the host is
rejected during the nftables hook by the default zone's "default
reject" policy (which rejects all traffic in the zone not specifically
allowed by the rules in the zone, whether that traffic is destined to
be forwarded or locally received by the host).
libvirt can't send "direct" nftables rules (firewalld only supports
direct/passthrough rules for iptables), so we can't solve this problem
by just sending explicit nftables rules instead of explicit iptables
rules (which, if it could be done, would place libvirt's rules in the
same hook as firewalld's native rules, and thus eliminate the need for
packets to be accepted by both libvirt's and firewalld's own rules).
However, we can take advantage of a quirk in firewalld zones that have
a default policy of "accept" (meaning any packet that doesn't match a
specific rule in the zone will be *accepted*) - this default accept will
also accept forwarded traffic (not just traffic destined for the host).
Of course we don't want to modify firewalld's default zone in that
way, because that would affect the filtering of traffic coming into
the host from other interfaces using that zone. Instead, we will
create a new zone called "libvirt". The libvirt zone will have a
default policy of accept so that forwarded traffic can pass and list
specific services that will be allowed into the host from guests (DNS,
DHCP, SSH, and TFTP).
But the same default accept policy that fixes forwarded traffic also
causes *all* traffic from guest to host to be accepted. To close this
new hole, the libvirt zone can take advantage of a new feature in
firewalld (currently slated for firewalld-0.7.0) - priorities for rich
rules - to add a low priority rule that rejects all local traffic (but
leaves alone all forwarded traffic).
So, our new zone will start with a list of services that are allowed
(dhcp, dns, tftp, and ssh to start, but configurable via any firewalld
management application, or direct editing of the zone file in
/etc/firewalld/zones/libvirt.xml), followed by a low priority
<reject/> rule (to reject all other traffic from guest to host), and
finally with a default policy of accept (to allow forwarded traffic).
This patch only creates the zonefile for the new zone, and implements
a configure.ac option to selectively enable/disable installation of
the new zone. A separate patch contains the necessary code to actually
place bridge interfaces in the libvirt zone.
Why do we need a configure option to disable installation of the new
libvirt zone? It uses a new firewalld attribute that sets the priority
of a rich rule; this feature first appears in firewalld-0.7.0 (unless
it has been backported to am earlier firewalld by a downstream
maintainer). If the file were installed on a system with firewalld
that didn't support rule priorities, firewalld would log an error
every time it restarted, causing confusion and lots of extra bug
reports.
So we add two new configure.ac switches to avoid polluting the system
logs with this error on systems that don't support rule priorities -
"--with-firewalld-zone" and "--without-firewalld-zone". A package
builder can use these to include/exclude the libvirt zone file in the
installation. If firewalld is enabled (--with-firewalld), the default
is --with-firewalld-zone, but it can be disabled during configure
(using --without-firewalld-zone). Targets that are using a firewalld
version too old to support the rule priority setting in the libvirt
zone file can simply add --without-firewalld-zone to their configure
commandline.
These switches only affect whether or not the libvirt zone file is
*installed* in /usr/lib/firewalld/zones, but have no effect on whether
or not libvirt looks for a zone called libvirt and tries to use it.
NB: firewalld zones can only be added to the permanent config of
firewalld, and won't be loaded/enabled until firewalld is restarted,
so at package install/upgrade time we have to restart firewalld. For
rpm-based distros, this is done in the libvirt.spec file by calling
the %firewalld_restart rpm macro, which is a part of the
firewalld-filesystem package. (For distros that don't use rpm
packages, the command "firewalld-cmd --reload" will have the same
effect).
Signed-off-by: Laine Stump <laine@laine.org>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
2019-01-25 23:52:37 -05:00
|
|
|
%define with_firewalld_zone 0%{!?_without_firewalld_zone:0}
|
2013-01-08 21:47:55 +00:00
|
|
|
%define with_libssh2 0%{!?_without_libssh2:0}
|
2014-02-04 12:37:15 -07:00
|
|
|
%define with_wireshark 0%{!?_without_wireshark:0}
|
2016-11-09 15:28:37 +01:00
|
|
|
%define with_libssh 0%{!?_without_libssh:0}
|
2018-01-17 10:21:31 +01:00
|
|
|
%define with_bash_completion 0%{!?_without_bash_completion:0}
|
2009-07-29 10:05:39 +01:00
|
|
|
|
2009-09-16 16:02:38 +01:00
|
|
|
# Finally set the OS / architecture specific special cases
|
|
|
|
|
2008-06-12 16:10:50 +00:00
|
|
|
# Xen is available only on i386 x86_64 ia64
|
2012-02-20 09:27:11 -07:00
|
|
|
%ifnarch %{ix86} x86_64 ia64
|
2013-01-09 13:50:03 -07:00
|
|
|
%define with_libxl 0
|
2008-06-12 16:10:50 +00:00
|
|
|
%endif
|
|
|
|
|
2013-05-24 15:44:19 +02:00
|
|
|
# vbox is available only on i386 x86_64
|
|
|
|
%ifnarch %{ix86} x86_64
|
|
|
|
%define with_vbox 0
|
|
|
|
%endif
|
|
|
|
|
2018-10-05 13:59:31 +01:00
|
|
|
# Numactl is not available on many non-x86 archs
|
|
|
|
%ifarch s390 s390x %{arm} riscv64
|
2013-01-09 13:50:03 -07:00
|
|
|
%define with_numactl 0
|
2009-11-11 18:07:34 +00:00
|
|
|
%endif
|
2015-03-05 11:40:54 +01:00
|
|
|
|
2017-07-17 11:32:46 -04:00
|
|
|
# zfs-fuse is not available on some architectures
|
2018-10-05 13:59:31 +01:00
|
|
|
%ifarch s390 s390x aarch64 riscv64
|
2017-07-17 11:32:46 -04:00
|
|
|
%define with_storage_zfs 0
|
|
|
|
%endif
|
|
|
|
|
2019-01-21 12:20:14 +00:00
|
|
|
# Ceph dropping support for 32-bit hosts
|
2019-01-21 14:05:13 +00:00
|
|
|
%if 0%{?fedora} >= 30
|
2019-01-21 12:20:14 +00:00
|
|
|
%ifarch %{arm} %{ix86}
|
|
|
|
%define with_storage_rbd 0
|
|
|
|
%endif
|
|
|
|
%endif
|
2017-07-17 11:32:46 -04:00
|
|
|
|
2018-12-14 14:45:07 +01:00
|
|
|
# RHEL doesn't ship OpenVZ, VBox, PowerHypervisor,
|
2016-02-15 15:34:24 +01:00
|
|
|
# VMware, libxenserver (xenapi), libxenlight (Xen 4.1 and newer),
|
2011-09-26 14:28:47 -06:00
|
|
|
# or HyperV.
|
2009-09-16 16:02:38 +01:00
|
|
|
%if 0%{?rhel}
|
2013-01-09 13:50:03 -07:00
|
|
|
%define with_openvz 0
|
|
|
|
%define with_vbox 0
|
|
|
|
%define with_phyp 0
|
|
|
|
%define with_vmware 0
|
|
|
|
%define with_xenapi 0
|
|
|
|
%define with_libxl 0
|
|
|
|
%define with_hyperv 0
|
2015-06-10 10:50:00 +03:00
|
|
|
%define with_vz 0
|
2018-02-09 14:08:45 +01:00
|
|
|
|
|
|
|
%if 0%{?rhel} > 7
|
|
|
|
%define with_lxc 0
|
|
|
|
%endif
|
2009-09-16 16:02:38 +01:00
|
|
|
%endif
|
|
|
|
|
2018-07-20 11:50:01 +01:00
|
|
|
%define with_firewalld 1
|
network: use firewalld instead of iptables, when available
* configure.ac, spec file: firewalld defaults to enabled if dbus is
available, otherwise is disabled. If --with_firewalld is explicitly
requested and dbus is not available, configure will fail.
* bridge_driver: add dbus filters to get the FirewallD1.Reloaded
signal and DBus.NameOwnerChanged on org.fedoraproject.FirewallD1.
When these are encountered, reload all the iptables reuls of all
libvirt's virtual networks (similar to what happens when libvirtd is
restarted).
* iptables, ebtables: use firewall-cmd's direct passthrough interface
when available, otherwise use iptables and ebtables commands. This
decision is made once the first time libvirt calls
iptables/ebtables, and that decision is maintained for the life of
libvirtd.
* Note that the nwfilter part of this patch was separated out into
another patch by Stefan in V2, so that needs to be revised and
re-reviewed as well.
================
All the configure.ac and specfile changes are unchanged from Thomas'
V3.
V3 re-ran "firewall-cmd --state" every time a new rule was added,
which was extremely inefficient. V4 uses VIR_ONCE_GLOBAL_INIT to set
up a one-time initialization function.
The VIR_ONCE_GLOBAL_INIT(x) macro references a static function called
vir(Ip|Eb)OnceInit(), which will then be called the first time that
the static function vir(Ip|Eb)TablesInitialize() is called (that
function is defined for you by the macro). This is
thread-safe, so there is no chance of any race.
IMPORTANT NOTE: I've left the VIR_DEBUG messages in these two init
functions (one for iptables, on for ebtables) as VIR_WARN so that I
don't have to turn on all the other debug message just to see
these. Even if this patch doesn't need any other modification, those
messages need to be changed to VIR_DEBUG before pushing.
This one-time initialization works well. However, I've encountered
problems with testing:
1) Whenever I have enabled the firewalld service, *all* attempts to
call firewall-cmd from within libvirtd end with firewall-cmd hanging
internally somewhere. This is *not* the case if firewall-cmd returns
non-0 in response to "firewall-cmd --state" (i.e. *that* command runs
and returns to libvirt successfully.)
2) If I start libvirtd while firewalld is stopped, then start
firewalld later, this triggers libvirtd to reload its iptables rules,
however it also spits out a *ton* of complaints about deletion failing
(I suppose because firewalld has nuked all of libvirt's rules). I
guess we need to suppress those messages (which is a more annoying
problem to fix than you might think, but that's another story).
3) I noticed a few times during this long line of errors that
firewalld made a complaint about "Resource Temporarily
unavailable. Having libvirtd access iptables commands directly at the
same time as firewalld is doing so is apparently problematic.
4) In general, I'm concerned about the "set it once and never change
it" method - if firewalld is disabled at libvirtd startup, causing
libvirtd to always use iptables/ebtables directly, this won't cause
*terrible* problems, but if libvirtd decides to use firewall-cmd and
firewalld is later disabled, libvirtd will not be able to recover.
2012-08-14 20:59:52 +02:00
|
|
|
|
2019-04-11 12:53:54 -04:00
|
|
|
%if 0%{?fedora} >= 31 || 0%{?rhel} > 7
|
configure: selectively install a firewalld 'libvirt' zone
In the past (when both libvirt and firewalld used iptables), if either
libvirt's rules *OR* firewalld's rules accepted a packet, it would
be accepted. This was because libvirt and firewalld rules were
processed during the same kernel hook, and a single ACCEPT result
would terminate the rule traversal and cause the packet to be
accepted.
But now firewalld can use nftables for its backend, while libvirt's
firewall rules are still using iptables; iptables rules are still
processed, but at a different time during packet processing
(i.e. during a different hook) than the firewalld nftables rules. The
result is that a packet must be accepted by *BOTH* the libvirt
iptables rules *AND* the firewalld nftable rules in order to be
accepted.
This causes pain because
1) libvirt always adds rules to permit DNS and DHCP (and sometimes
TFTP) from guests to the host network's bridge interface. But
libvirt's bridges are in firewalld's "default" zone (which is usually
the zone called "public"). The public zone allows ssh, but doesn't
allow DNS, DHCP, or TFTP. So even though libvirt's rules allow the
DHCP and DNS traffic, the firewalld rules (now processed during a
different hook) dont, thus guests connected to libvirt's bridges can't
acquire an IP address from DHCP, nor can they make DNS queries to the
DNS server libvirt has setup on the host. (This could be solved by
modifying the default firewalld zone to allow DNS and DHCP, but that
would open *all* interfaces in the default zone to those services,
which is most likely not what the host's admin wants.)
2) Even though libvirt adds iptables rules to allow forwarded traffic
to pass the iptables hook, firewalld's higher level "rich rules" don't
yet have the ability to configure the acceptance of forwarded traffic
(traffic that is going somewhere beyond the host), so any traffic that
needs to be forwarded from guests to the network beyond the host is
rejected during the nftables hook by the default zone's "default
reject" policy (which rejects all traffic in the zone not specifically
allowed by the rules in the zone, whether that traffic is destined to
be forwarded or locally received by the host).
libvirt can't send "direct" nftables rules (firewalld only supports
direct/passthrough rules for iptables), so we can't solve this problem
by just sending explicit nftables rules instead of explicit iptables
rules (which, if it could be done, would place libvirt's rules in the
same hook as firewalld's native rules, and thus eliminate the need for
packets to be accepted by both libvirt's and firewalld's own rules).
However, we can take advantage of a quirk in firewalld zones that have
a default policy of "accept" (meaning any packet that doesn't match a
specific rule in the zone will be *accepted*) - this default accept will
also accept forwarded traffic (not just traffic destined for the host).
Of course we don't want to modify firewalld's default zone in that
way, because that would affect the filtering of traffic coming into
the host from other interfaces using that zone. Instead, we will
create a new zone called "libvirt". The libvirt zone will have a
default policy of accept so that forwarded traffic can pass and list
specific services that will be allowed into the host from guests (DNS,
DHCP, SSH, and TFTP).
But the same default accept policy that fixes forwarded traffic also
causes *all* traffic from guest to host to be accepted. To close this
new hole, the libvirt zone can take advantage of a new feature in
firewalld (currently slated for firewalld-0.7.0) - priorities for rich
rules - to add a low priority rule that rejects all local traffic (but
leaves alone all forwarded traffic).
So, our new zone will start with a list of services that are allowed
(dhcp, dns, tftp, and ssh to start, but configurable via any firewalld
management application, or direct editing of the zone file in
/etc/firewalld/zones/libvirt.xml), followed by a low priority
<reject/> rule (to reject all other traffic from guest to host), and
finally with a default policy of accept (to allow forwarded traffic).
This patch only creates the zonefile for the new zone, and implements
a configure.ac option to selectively enable/disable installation of
the new zone. A separate patch contains the necessary code to actually
place bridge interfaces in the libvirt zone.
Why do we need a configure option to disable installation of the new
libvirt zone? It uses a new firewalld attribute that sets the priority
of a rich rule; this feature first appears in firewalld-0.7.0 (unless
it has been backported to am earlier firewalld by a downstream
maintainer). If the file were installed on a system with firewalld
that didn't support rule priorities, firewalld would log an error
every time it restarted, causing confusion and lots of extra bug
reports.
So we add two new configure.ac switches to avoid polluting the system
logs with this error on systems that don't support rule priorities -
"--with-firewalld-zone" and "--without-firewalld-zone". A package
builder can use these to include/exclude the libvirt zone file in the
installation. If firewalld is enabled (--with-firewalld), the default
is --with-firewalld-zone, but it can be disabled during configure
(using --without-firewalld-zone). Targets that are using a firewalld
version too old to support the rule priority setting in the libvirt
zone file can simply add --without-firewalld-zone to their configure
commandline.
These switches only affect whether or not the libvirt zone file is
*installed* in /usr/lib/firewalld/zones, but have no effect on whether
or not libvirt looks for a zone called libvirt and tries to use it.
NB: firewalld zones can only be added to the permanent config of
firewalld, and won't be loaded/enabled until firewalld is restarted,
so at package install/upgrade time we have to restart firewalld. For
rpm-based distros, this is done in the libvirt.spec file by calling
the %firewalld_restart rpm macro, which is a part of the
firewalld-filesystem package. (For distros that don't use rpm
packages, the command "firewalld-cmd --reload" will have the same
effect).
Signed-off-by: Laine Stump <laine@laine.org>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
2019-01-25 23:52:37 -05:00
|
|
|
%define with_firewalld_zone 0%{!?_without_firewalld_zone:1}
|
|
|
|
%endif
|
|
|
|
|
|
|
|
|
2012-11-12 15:02:23 +08:00
|
|
|
# fuse is used to provide virtualized /proc for LXC
|
2018-07-20 11:50:01 +01:00
|
|
|
%if %{with_lxc}
|
2013-01-09 13:50:03 -07:00
|
|
|
%define with_fuse 0%{!?_without_fuse:1}
|
2012-11-12 15:02:23 +08:00
|
|
|
%endif
|
|
|
|
|
2011-01-18 18:37:45 +00:00
|
|
|
# Enable sanlock library for lock management with QEMU
|
2014-07-23 09:04:22 +02:00
|
|
|
# Sanlock is available only on arches where kvm is available for RHEL
|
2016-05-04 15:43:08 +01:00
|
|
|
%if 0%{?fedora}
|
2016-05-04 15:44:57 +01:00
|
|
|
%define with_sanlock 0%{!?_without_sanlock:1}
|
2011-12-05 10:37:33 -07:00
|
|
|
%endif
|
2016-05-04 15:43:08 +01:00
|
|
|
%if 0%{?rhel}
|
2014-07-23 09:04:22 +02:00
|
|
|
%ifarch %{qemu_kvm_arches}
|
2016-05-04 15:44:57 +01:00
|
|
|
%define with_sanlock 0%{!?_without_sanlock:1}
|
2013-01-09 13:50:03 -07:00
|
|
|
%endif
|
2011-01-18 18:37:45 +00:00
|
|
|
%endif
|
|
|
|
|
2012-10-12 16:50:42 +02:00
|
|
|
# Enable libssh2 transport for new enough distros
|
2016-05-04 15:43:08 +01:00
|
|
|
%if 0%{?fedora}
|
2013-01-09 13:50:03 -07:00
|
|
|
%define with_libssh2 0%{!?_without_libssh2:1}
|
2012-10-12 16:50:42 +02:00
|
|
|
%endif
|
|
|
|
|
2014-02-04 12:37:15 -07:00
|
|
|
# Enable wireshark plugins for all distros shipping libvirt 1.2.2 or newer
|
2016-10-19 16:49:17 +02:00
|
|
|
%if 0%{?fedora}
|
2014-02-04 12:37:15 -07:00
|
|
|
%define with_wireshark 0%{!?_without_wireshark:1}
|
2019-02-08 10:47:42 +01:00
|
|
|
%define wireshark_plugindir %(pkg-config --variable plugindir wireshark)/epan
|
2018-05-03 12:17:31 +01:00
|
|
|
%endif
|
2014-02-04 12:37:15 -07:00
|
|
|
|
2016-11-09 15:28:37 +01:00
|
|
|
# Enable libssh transport for new enough distros
|
2018-05-25 09:45:15 +02:00
|
|
|
%if 0%{?fedora} || 0%{?rhel} > 7
|
2016-11-09 15:28:37 +01:00
|
|
|
%define with_libssh 0%{!?_without_libssh:1}
|
|
|
|
%endif
|
|
|
|
|
2018-07-20 11:50:01 +01:00
|
|
|
%define with_bash_completion 0%{!?_without_bash_completion:1}
|
2018-01-17 10:21:31 +01:00
|
|
|
|
2018-03-19 17:32:47 +01:00
|
|
|
# Use Python 3 when possible, Python 2 otherwise
|
|
|
|
%if 0%{?fedora} || 0%{?rhel} > 7
|
|
|
|
%define python python3
|
|
|
|
%else
|
|
|
|
%define python python2
|
|
|
|
%endif
|
|
|
|
|
2011-07-14 13:20:19 +08:00
|
|
|
|
2018-12-14 14:45:07 +01:00
|
|
|
%if %{with_qemu} || %{with_lxc}
|
2012-05-09 12:26:36 +08:00
|
|
|
# numad is used to manage the CPU and memory placement dynamically,
|
2018-10-05 13:59:31 +01:00
|
|
|
# it's not available on many non-x86 architectures.
|
|
|
|
%ifnarch s390 s390x %{arm} riscv64
|
2016-05-04 15:44:57 +01:00
|
|
|
%define with_numad 0%{!?_without_numad:1}
|
2013-01-09 13:50:03 -07:00
|
|
|
%endif
|
2010-05-25 15:31:38 -04:00
|
|
|
%endif
|
|
|
|
|
2009-09-16 16:02:38 +01:00
|
|
|
# Force QEMU to run as non-root
|
2016-05-04 15:43:08 +01:00
|
|
|
%define qemu_user qemu
|
|
|
|
%define qemu_group qemu
|
2009-07-15 22:25:01 +01:00
|
|
|
|
2009-09-16 16:02:38 +01:00
|
|
|
|
2013-07-30 16:01:11 +02:00
|
|
|
# RHEL releases provide stable tool chains and so it is safe to turn
|
|
|
|
# compiler warning into errors without being worried about frequent
|
|
|
|
# changes in reported warnings
|
|
|
|
%if 0%{?rhel}
|
|
|
|
%define enable_werror --enable-werror
|
2014-12-16 09:21:40 +01:00
|
|
|
%else
|
2014-12-15 15:24:01 +00:00
|
|
|
%define enable_werror --disable-werror
|
2013-07-30 16:01:11 +02:00
|
|
|
%endif
|
|
|
|
|
2018-09-27 16:00:15 +02:00
|
|
|
%if 0%{?rhel} == 7
|
2018-02-09 14:02:00 +01:00
|
|
|
%define tls_priority "NORMAL"
|
2018-09-27 16:00:15 +02:00
|
|
|
%else
|
|
|
|
%define tls_priority "@LIBVIRT,SYSTEM"
|
2016-06-06 16:02:22 +01:00
|
|
|
%endif
|
|
|
|
|
2013-07-30 16:01:11 +02:00
|
|
|
|
2010-11-11 12:21:28 -05:00
|
|
|
Summary: Library providing a simple virtualization API
|
2006-02-09 17:45:11 +00:00
|
|
|
Name: libvirt
|
2005-11-02 15:37:34 +00:00
|
|
|
Version: @VERSION@
|
2019-01-21 12:55:15 +00:00
|
|
|
Release: 1%{?dist}
|
2008-08-08 14:27:05 +00:00
|
|
|
License: LGPLv2+
|
2017-05-11 18:31:08 +02:00
|
|
|
URL: https://libvirt.org/
|
2011-03-23 10:20:14 -06:00
|
|
|
|
2017-05-04 20:08:55 -04:00
|
|
|
%if %(echo %{version} | grep -q "\.0$"; echo $?) == 1
|
2013-01-09 13:50:03 -07:00
|
|
|
%define mainturl stable_updates/
|
2012-05-06 14:09:22 -04:00
|
|
|
%endif
|
2017-05-11 18:31:08 +02:00
|
|
|
Source: https://libvirt.org/sources/%{?mainturl}libvirt-%{version}.tar.xz
|
2012-05-06 14:09:22 -04:00
|
|
|
|
2012-04-03 11:44:59 +01:00
|
|
|
Requires: libvirt-daemon = %{version}-%{release}
|
|
|
|
Requires: libvirt-daemon-config-network = %{version}-%{release}
|
|
|
|
Requires: libvirt-daemon-config-nwfilter = %{version}-%{release}
|
2016-05-04 16:20:58 +01:00
|
|
|
%if %{with_libxl}
|
2012-07-18 17:27:03 +01:00
|
|
|
Requires: libvirt-daemon-driver-libxl = %{version}-%{release}
|
2016-05-04 16:20:58 +01:00
|
|
|
%endif
|
|
|
|
%if %{with_lxc}
|
2012-07-18 17:27:03 +01:00
|
|
|
Requires: libvirt-daemon-driver-lxc = %{version}-%{release}
|
2016-05-04 16:20:58 +01:00
|
|
|
%endif
|
|
|
|
%if %{with_qemu}
|
2012-07-18 17:27:03 +01:00
|
|
|
Requires: libvirt-daemon-driver-qemu = %{version}-%{release}
|
2016-05-04 16:20:58 +01:00
|
|
|
%endif
|
2018-12-14 14:45:07 +01:00
|
|
|
# We had UML driver, but we've removed it.
|
|
|
|
Obsoletes: libvirt-daemon-driver-uml <= 5.0.0
|
|
|
|
Obsoletes: libvirt-daemon-uml <= 5.0.0
|
2016-05-04 16:20:58 +01:00
|
|
|
%if %{with_vbox}
|
2013-05-17 13:31:59 +01:00
|
|
|
Requires: libvirt-daemon-driver-vbox = %{version}-%{release}
|
2016-05-04 16:20:58 +01:00
|
|
|
%endif
|
2013-12-05 14:43:28 -07:00
|
|
|
Requires: libvirt-daemon-driver-nwfilter = %{version}-%{release}
|
2012-07-18 17:27:03 +01:00
|
|
|
|
|
|
|
Requires: libvirt-daemon-driver-interface = %{version}-%{release}
|
|
|
|
Requires: libvirt-daemon-driver-secret = %{version}-%{release}
|
|
|
|
Requires: libvirt-daemon-driver-storage = %{version}-%{release}
|
|
|
|
Requires: libvirt-daemon-driver-network = %{version}-%{release}
|
|
|
|
Requires: libvirt-daemon-driver-nodedev = %{version}-%{release}
|
2012-04-03 11:44:59 +01:00
|
|
|
Requires: libvirt-client = %{version}-%{release}
|
2016-06-25 08:37:22 +02:00
|
|
|
Requires: libvirt-libs = %{version}-%{release}
|
2011-03-23 10:20:14 -06:00
|
|
|
|
2012-04-03 11:44:59 +01:00
|
|
|
# All build-time requirements. Run-time requirements are
|
|
|
|
# listed against each sub-RPM
|
2011-12-05 10:22:10 -07:00
|
|
|
%if 0%{?enable_autotools}
|
|
|
|
BuildRequires: autoconf
|
|
|
|
BuildRequires: automake
|
|
|
|
BuildRequires: gettext-devel
|
|
|
|
BuildRequires: libtool
|
2013-04-08 14:48:18 +02:00
|
|
|
BuildRequires: /usr/bin/pod2man
|
2011-12-05 10:22:10 -07:00
|
|
|
%endif
|
2018-03-08 09:05:05 +01:00
|
|
|
BuildRequires: gcc
|
2014-11-21 18:09:36 +01:00
|
|
|
BuildRequires: git
|
2018-11-08 13:10:14 +01:00
|
|
|
%if 0%{?fedora} || 0%{?rhel} > 7
|
2017-08-02 10:51:36 +01:00
|
|
|
BuildRequires: perl-interpreter
|
|
|
|
%else
|
2014-08-14 11:37:45 +08:00
|
|
|
BuildRequires: perl
|
2017-08-02 10:51:36 +01:00
|
|
|
%endif
|
2018-03-19 17:32:47 +01:00
|
|
|
BuildRequires: %{python}
|
2011-07-07 14:45:07 +01:00
|
|
|
BuildRequires: systemd-units
|
2018-03-28 17:57:10 -06:00
|
|
|
%if %{with_libxl}
|
2006-07-24 14:32:03 +00:00
|
|
|
BuildRequires: xen-devel
|
2008-06-12 16:10:50 +00:00
|
|
|
%endif
|
2006-02-23 11:35:37 +00:00
|
|
|
BuildRequires: libxml2-devel
|
2011-03-23 10:30:49 -06:00
|
|
|
BuildRequires: libxslt
|
2006-03-04 08:57:22 +00:00
|
|
|
BuildRequires: readline-devel
|
2018-01-17 10:21:31 +01:00
|
|
|
%if %{with_bash_completion}
|
2017-11-02 14:41:53 +01:00
|
|
|
BuildRequires: bash-completion >= 2.0
|
2018-01-17 10:21:31 +01:00
|
|
|
%endif
|
2006-07-13 22:27:31 +00:00
|
|
|
BuildRequires: ncurses-devel
|
2006-09-21 15:24:37 +00:00
|
|
|
BuildRequires: gettext
|
2011-07-25 18:17:57 +01:00
|
|
|
BuildRequires: libtasn1-devel
|
2007-06-11 13:24:45 +00:00
|
|
|
BuildRequires: gnutls-devel
|
2012-09-19 14:00:34 +01:00
|
|
|
BuildRequires: libattr-devel
|
2013-05-01 14:16:10 -06:00
|
|
|
# For pool-build probing for existing pools
|
|
|
|
BuildRequires: libblkid-devel >= 2.17
|
2011-03-23 10:30:49 -06:00
|
|
|
# for augparse, optionally used in testing
|
|
|
|
BuildRequires: augeas
|
2012-06-06 14:03:47 -04:00
|
|
|
BuildRequires: systemd-devel >= 185
|
2016-05-04 16:25:37 +01:00
|
|
|
BuildRequires: libpciaccess-devel >= 0.10.9
|
2018-08-13 13:40:18 +02:00
|
|
|
BuildRequires: yajl-devel
|
2011-01-18 18:37:45 +00:00
|
|
|
%if %{with_sanlock}
|
2012-10-16 12:45:27 +02:00
|
|
|
BuildRequires: sanlock-devel >= 2.4
|
|
|
|
%endif
|
nwfilter: Support for learning a VM's IP address
This patch implements support for learning a VM's IP address. It uses
the pcap library to listen on the VM's backend network interface (tap)
or the physical ethernet device (macvtap) and tries to capture packets
with source or destination MAC address of the VM and learn from DHCP
Offers, ARP traffic, or first-sent IPv4 packet what the IP address of
the VM's interface is. This then allows to instantiate the network
traffic filtering rules without the user having to provide the IP
parameter somewhere in the filter description or in the interface
description as a parameter. This only supports to detect the parameter
IP, which is for the assumed single IPv4 address of a VM. There is not
support for interfaces that may have multiple IP addresses (IP
aliasing) or IPv6 that may then require more than one valid IP address
to be detected. A VM can have multiple independent interfaces that each
uses a different IP address and in that case it will be attempted to
detect each one of the address independently.
So, when for example an interface description in the domain XML has
looked like this up to now:
<interface type='bridge'>
<source bridge='mybridge'/>
<model type='virtio'/>
<filterref filter='clean-traffic'>
<parameter name='IP' value='10.2.3.4'/>
</filterref>
</interface>
you may omit the IP parameter:
<interface type='bridge'>
<source bridge='mybridge'/>
<model type='virtio'/>
<filterref filter='clean-traffic'/>
</interface>
Internally I am walking the 'tree' of a VM's referenced network filters
and determine with the given variables which variables are missing. Now,
the above IP parameter may be missing and this causes a libvirt-internal
thread to be started that uses the pcap library's API to listen to the
backend interface (in case of macvtap to the physical interface) in an
attempt to determine the missing IP parameter. If the backend interface
disappears the thread terminates assuming the VM was brought down. In
case of a macvtap device a timeout is being used to wait for packets
from the given VM (filtering by VM's interface MAC address). If the VM's
macvtap device disappeared the thread also terminates. In all other
cases it tries to determine the IP address of the VM and will then apply
the rules late on the given interface, which would have happened
immediately if the IP parameter had been explicitly given. In case an
error happens while the firewall rules are applied, the VM's backend
interface is 'down'ed preventing it to communicate. Reasons for failure
for applying the network firewall rules may that an ebtables/iptables
command failes or OOM errors. Essentially the same failure reasons may
occur as when the firewall rules are applied immediately on VM start,
except that due to the late application of the filtering rules the VM
now is already running and cannot be hindered anymore from starting.
Bringing down the whole VM would probably be considered too drastic.
While a VM's IP address is attempted to be determined only limited
updates to network filters are allowed. In particular it is prevented
that filters are modified in such a way that they would introduce new
variables.
A caveat: The algorithm does not know which one is the appropriate IP
address of a VM. If the VM spoofs an IP address in its first ARP traffic
or IPv4 packets its filtering rules will be instantiated for this IP
address, thus 'locking' it to the found IP address. So, it's still
'safer' to explicitly provide the IP address of a VM's interface in the
filter description if it is known beforehand.
* configure.ac: detect libpcap
* libvirt.spec.in: require libpcap[-devel] if qemu is built
* src/internal.h: add the new ATTRIBUTE_PACKED define
* src/Makefile.am src/libvirt_private.syms: add the new modules and symbols
* src/nwfilter/nwfilter_learnipaddr.[ch]: new module being added
* src/nwfilter/nwfilter_driver.c src/conf/nwfilter_conf.[ch]
src/nwfilter/nwfilter_ebiptables_driver.[ch]
src/nwfilter/nwfilter_gentech_driver.[ch]: plu the new functionality in
* tests/nwfilterxml2xmltest: extend testing
2010-04-07 23:02:18 +02:00
|
|
|
BuildRequires: libpcap-devel
|
2012-08-24 17:57:42 -04:00
|
|
|
BuildRequires: libnl3-devel
|
2007-09-19 01:56:55 +00:00
|
|
|
BuildRequires: avahi-devel
|
2008-02-20 15:38:29 +00:00
|
|
|
BuildRequires: libselinux-devel
|
2010-08-11 20:25:09 +02:00
|
|
|
BuildRequires: dnsmasq >= 2.41
|
2011-03-23 10:30:49 -06:00
|
|
|
BuildRequires: iptables
|
2016-05-04 16:36:17 +01:00
|
|
|
BuildRequires: radvd
|
2011-03-23 10:30:49 -06:00
|
|
|
BuildRequires: ebtables
|
|
|
|
BuildRequires: module-init-tools
|
2008-06-12 16:10:50 +00:00
|
|
|
BuildRequires: cyrus-sasl-devel
|
2015-07-14 14:42:28 -04:00
|
|
|
BuildRequires: polkit >= 0.112
|
2008-02-20 15:42:30 +00:00
|
|
|
# For mount/umount in FS driver
|
|
|
|
BuildRequires: util-linux
|
|
|
|
%if %{with_qemu}
|
2017-02-14 14:42:54 +01:00
|
|
|
# For managing ACLs
|
|
|
|
BuildRequires: libacl-devel
|
2008-02-20 15:42:30 +00:00
|
|
|
# From QEMU RPMs
|
|
|
|
BuildRequires: /usr/bin/qemu-img
|
2008-06-12 16:10:50 +00:00
|
|
|
%endif
|
2008-02-20 15:45:33 +00:00
|
|
|
# For LVM drivers
|
|
|
|
BuildRequires: lvm2
|
2018-08-08 19:43:25 -04:00
|
|
|
# For pool type=iscsi
|
2008-02-20 15:49:25 +00:00
|
|
|
BuildRequires: iscsi-initiator-utils
|
2018-08-14 14:31:35 +02:00
|
|
|
%if %{with_storage_iscsi_direct}
|
2018-08-08 19:43:25 -04:00
|
|
|
# For pool type=iscsi-direct
|
2018-08-14 13:39:51 +02:00
|
|
|
BuildRequires: libiscsi-devel
|
2018-08-14 14:31:35 +02:00
|
|
|
%endif
|
2008-02-20 15:52:17 +00:00
|
|
|
# For disk driver
|
|
|
|
BuildRequires: parted-devel
|
2009-09-08 16:07:54 +02:00
|
|
|
# For Multipath support
|
|
|
|
BuildRequires: device-mapper-devel
|
2019-02-05 12:12:40 +00:00
|
|
|
# For XFS reflink clone support
|
|
|
|
BuildRequires: xfsprogs-devel
|
2014-02-25 12:28:53 -07:00
|
|
|
%if %{with_storage_rbd}
|
2015-03-05 11:40:54 +01:00
|
|
|
BuildRequires: librados2-devel
|
|
|
|
BuildRequires: librbd1-devel
|
2009-09-16 16:02:38 +01:00
|
|
|
%endif
|
2013-11-19 16:26:05 -07:00
|
|
|
%if %{with_storage_gluster}
|
|
|
|
BuildRequires: glusterfs-api-devel >= 3.4.1
|
|
|
|
BuildRequires: glusterfs-devel >= 3.4.1
|
|
|
|
%endif
|
2016-05-11 16:41:34 +01:00
|
|
|
%if %{with_storage_sheepdog}
|
|
|
|
BuildRequires: sheepdog
|
|
|
|
%endif
|
2017-07-17 11:32:46 -04:00
|
|
|
%if %{with_storage_zfs}
|
|
|
|
# Support any conforming implementation of zfs. On stock Fedora
|
|
|
|
# this is zfs-fuse, but could be zfsonlinux upstream RPMs
|
|
|
|
BuildRequires: /sbin/zfs
|
|
|
|
BuildRequires: /sbin/zpool
|
|
|
|
%endif
|
2009-03-31 12:45:07 +00:00
|
|
|
%if %{with_numactl}
|
2008-11-28 11:20:27 +00:00
|
|
|
# For QEMU/LXC numa info
|
|
|
|
BuildRequires: numactl-devel
|
2009-03-31 12:45:07 +00:00
|
|
|
%endif
|
2009-07-28 18:30:20 +01:00
|
|
|
BuildRequires: libcap-ng-devel >= 0.5.0
|
2012-11-12 15:02:23 +08:00
|
|
|
%if %{with_fuse}
|
|
|
|
BuildRequires: fuse-devel >= 2.8.6
|
|
|
|
%endif
|
2013-01-08 21:47:55 +00:00
|
|
|
%if %{with_phyp} || %{with_libssh2}
|
2012-10-12 16:50:42 +02:00
|
|
|
BuildRequires: libssh2-devel >= 1.3.0
|
|
|
|
%endif
|
2012-08-24 17:57:42 -04:00
|
|
|
|
|
|
|
BuildRequires: netcf-devel >= 0.2.2
|
2010-05-04 16:13:55 +02:00
|
|
|
%if %{with_esx}
|
|
|
|
BuildRequires: libcurl-devel
|
|
|
|
%endif
|
2011-07-13 16:05:18 +02:00
|
|
|
%if %{with_hyperv}
|
|
|
|
BuildRequires: libwsman-devel >= 2.2.3
|
|
|
|
%endif
|
2010-09-15 14:44:11 +01:00
|
|
|
BuildRequires: audit-libs-devel
|
2010-11-30 19:52:25 +01:00
|
|
|
# we need /usr/sbin/dtrace
|
|
|
|
BuildRequires: systemtap-sdt-devel
|
|
|
|
|
2011-03-23 10:20:14 -06:00
|
|
|
# For mount/umount in FS driver
|
|
|
|
BuildRequires: util-linux
|
|
|
|
# For showmount in FS driver (netfs discovery)
|
|
|
|
BuildRequires: nfs-utils
|
2008-06-12 16:10:50 +00:00
|
|
|
|
2015-12-31 16:09:11 +11:00
|
|
|
# Communication with the firewall and polkit daemons use DBus
|
2012-08-23 17:44:08 +08:00
|
|
|
BuildRequires: dbus-devel
|
|
|
|
|
2008-06-12 16:10:50 +00:00
|
|
|
# Fedora build root suckage
|
|
|
|
BuildRequires: gawk
|
2005-11-02 15:37:34 +00:00
|
|
|
|
2012-02-14 11:09:42 +01:00
|
|
|
# For storage wiping with different algorithms
|
|
|
|
BuildRequires: scrub
|
|
|
|
|
2012-03-24 09:35:20 +08:00
|
|
|
%if %{with_numad}
|
|
|
|
BuildRequires: numad
|
|
|
|
%endif
|
|
|
|
|
2014-02-04 12:37:15 -07:00
|
|
|
%if %{with_wireshark}
|
2019-02-08 12:05:23 +01:00
|
|
|
BuildRequires: wireshark-devel >= 2.4.0
|
2014-02-04 12:37:15 -07:00
|
|
|
%endif
|
|
|
|
|
2016-11-09 15:28:37 +01:00
|
|
|
%if %{with_libssh}
|
|
|
|
BuildRequires: libssh-devel >= 0.7.0
|
|
|
|
%endif
|
|
|
|
|
2018-11-08 13:10:14 +01:00
|
|
|
%if 0%{?fedora} || 0%{?rhel} > 7
|
2018-04-03 13:41:46 +01:00
|
|
|
BuildRequires: rpcgen
|
|
|
|
BuildRequires: libtirpc-devel
|
|
|
|
%endif
|
|
|
|
|
configure: selectively install a firewalld 'libvirt' zone
In the past (when both libvirt and firewalld used iptables), if either
libvirt's rules *OR* firewalld's rules accepted a packet, it would
be accepted. This was because libvirt and firewalld rules were
processed during the same kernel hook, and a single ACCEPT result
would terminate the rule traversal and cause the packet to be
accepted.
But now firewalld can use nftables for its backend, while libvirt's
firewall rules are still using iptables; iptables rules are still
processed, but at a different time during packet processing
(i.e. during a different hook) than the firewalld nftables rules. The
result is that a packet must be accepted by *BOTH* the libvirt
iptables rules *AND* the firewalld nftable rules in order to be
accepted.
This causes pain because
1) libvirt always adds rules to permit DNS and DHCP (and sometimes
TFTP) from guests to the host network's bridge interface. But
libvirt's bridges are in firewalld's "default" zone (which is usually
the zone called "public"). The public zone allows ssh, but doesn't
allow DNS, DHCP, or TFTP. So even though libvirt's rules allow the
DHCP and DNS traffic, the firewalld rules (now processed during a
different hook) dont, thus guests connected to libvirt's bridges can't
acquire an IP address from DHCP, nor can they make DNS queries to the
DNS server libvirt has setup on the host. (This could be solved by
modifying the default firewalld zone to allow DNS and DHCP, but that
would open *all* interfaces in the default zone to those services,
which is most likely not what the host's admin wants.)
2) Even though libvirt adds iptables rules to allow forwarded traffic
to pass the iptables hook, firewalld's higher level "rich rules" don't
yet have the ability to configure the acceptance of forwarded traffic
(traffic that is going somewhere beyond the host), so any traffic that
needs to be forwarded from guests to the network beyond the host is
rejected during the nftables hook by the default zone's "default
reject" policy (which rejects all traffic in the zone not specifically
allowed by the rules in the zone, whether that traffic is destined to
be forwarded or locally received by the host).
libvirt can't send "direct" nftables rules (firewalld only supports
direct/passthrough rules for iptables), so we can't solve this problem
by just sending explicit nftables rules instead of explicit iptables
rules (which, if it could be done, would place libvirt's rules in the
same hook as firewalld's native rules, and thus eliminate the need for
packets to be accepted by both libvirt's and firewalld's own rules).
However, we can take advantage of a quirk in firewalld zones that have
a default policy of "accept" (meaning any packet that doesn't match a
specific rule in the zone will be *accepted*) - this default accept will
also accept forwarded traffic (not just traffic destined for the host).
Of course we don't want to modify firewalld's default zone in that
way, because that would affect the filtering of traffic coming into
the host from other interfaces using that zone. Instead, we will
create a new zone called "libvirt". The libvirt zone will have a
default policy of accept so that forwarded traffic can pass and list
specific services that will be allowed into the host from guests (DNS,
DHCP, SSH, and TFTP).
But the same default accept policy that fixes forwarded traffic also
causes *all* traffic from guest to host to be accepted. To close this
new hole, the libvirt zone can take advantage of a new feature in
firewalld (currently slated for firewalld-0.7.0) - priorities for rich
rules - to add a low priority rule that rejects all local traffic (but
leaves alone all forwarded traffic).
So, our new zone will start with a list of services that are allowed
(dhcp, dns, tftp, and ssh to start, but configurable via any firewalld
management application, or direct editing of the zone file in
/etc/firewalld/zones/libvirt.xml), followed by a low priority
<reject/> rule (to reject all other traffic from guest to host), and
finally with a default policy of accept (to allow forwarded traffic).
This patch only creates the zonefile for the new zone, and implements
a configure.ac option to selectively enable/disable installation of
the new zone. A separate patch contains the necessary code to actually
place bridge interfaces in the libvirt zone.
Why do we need a configure option to disable installation of the new
libvirt zone? It uses a new firewalld attribute that sets the priority
of a rich rule; this feature first appears in firewalld-0.7.0 (unless
it has been backported to am earlier firewalld by a downstream
maintainer). If the file were installed on a system with firewalld
that didn't support rule priorities, firewalld would log an error
every time it restarted, causing confusion and lots of extra bug
reports.
So we add two new configure.ac switches to avoid polluting the system
logs with this error on systems that don't support rule priorities -
"--with-firewalld-zone" and "--without-firewalld-zone". A package
builder can use these to include/exclude the libvirt zone file in the
installation. If firewalld is enabled (--with-firewalld), the default
is --with-firewalld-zone, but it can be disabled during configure
(using --without-firewalld-zone). Targets that are using a firewalld
version too old to support the rule priority setting in the libvirt
zone file can simply add --without-firewalld-zone to their configure
commandline.
These switches only affect whether or not the libvirt zone file is
*installed* in /usr/lib/firewalld/zones, but have no effect on whether
or not libvirt looks for a zone called libvirt and tries to use it.
NB: firewalld zones can only be added to the permanent config of
firewalld, and won't be loaded/enabled until firewalld is restarted,
so at package install/upgrade time we have to restart firewalld. For
rpm-based distros, this is done in the libvirt.spec file by calling
the %firewalld_restart rpm macro, which is a part of the
firewalld-filesystem package. (For distros that don't use rpm
packages, the command "firewalld-cmd --reload" will have the same
effect).
Signed-off-by: Laine Stump <laine@laine.org>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
2019-01-25 23:52:37 -05:00
|
|
|
%if %{with_firewalld_zone}
|
|
|
|
BuildRequires: firewalld-filesystem
|
|
|
|
%endif
|
|
|
|
|
2012-05-15 16:03:14 +01:00
|
|
|
Provides: bundled(gnulib)
|
|
|
|
|
2005-11-02 15:37:34 +00:00
|
|
|
%description
|
2008-01-24 10:15:13 +00:00
|
|
|
Libvirt is a C toolkit to interact with the virtualization capabilities
|
2009-07-21 11:16:15 +02:00
|
|
|
of recent versions of Linux (and other OSes). The main package includes
|
|
|
|
the libvirtd server exporting the virtualization support.
|
|
|
|
|
2012-04-03 10:52:12 +01:00
|
|
|
%package docs
|
|
|
|
Summary: API reference and website documentation
|
|
|
|
|
|
|
|
%description docs
|
|
|
|
Includes the API reference for the libvirt C library, and a complete
|
|
|
|
copy of the libvirt.org website documentation.
|
|
|
|
|
2012-04-03 11:44:59 +01:00
|
|
|
%package daemon
|
|
|
|
Summary: Server side daemon and supporting files for libvirt library
|
|
|
|
|
|
|
|
# All runtime requirements for the libvirt package (runtime requrements
|
|
|
|
# for subpackages are listed later in those subpackages)
|
|
|
|
|
2016-06-25 08:37:22 +02:00
|
|
|
# The client side, i.e. shared libs are in a subpackage
|
|
|
|
Requires: %{name}-libs = %{version}-%{release}
|
2012-04-03 11:44:59 +01:00
|
|
|
|
|
|
|
# for modprobe of pci devices
|
|
|
|
Requires: module-init-tools
|
2018-06-01 13:40:42 +02:00
|
|
|
|
2012-04-03 11:44:59 +01:00
|
|
|
# for /sbin/ip & /sbin/tc
|
|
|
|
Requires: iproute
|
2018-06-01 13:40:42 +02:00
|
|
|
# tc is provided by iproute-tc since at least Fedora 26
|
|
|
|
%if 0%{?fedora} || 0%{?rhel} > 7
|
|
|
|
Requires: iproute-tc
|
|
|
|
%endif
|
|
|
|
|
2012-04-03 11:44:59 +01:00
|
|
|
Requires: avahi-libs
|
2014-07-15 15:18:33 +02:00
|
|
|
Requires: polkit >= 0.112
|
2016-05-04 16:20:58 +01:00
|
|
|
%ifarch %{ix86} x86_64 ia64
|
2012-04-03 11:44:59 +01:00
|
|
|
# For virConnectGetSysinfo
|
|
|
|
Requires: dmidecode
|
2016-05-04 16:20:58 +01:00
|
|
|
%endif
|
2012-04-03 11:44:59 +01:00
|
|
|
# For service management
|
|
|
|
Requires(post): systemd-units
|
|
|
|
Requires(post): systemd-sysv
|
|
|
|
Requires(preun): systemd-units
|
|
|
|
Requires(postun): systemd-units
|
2016-05-04 16:20:58 +01:00
|
|
|
%if %{with_numad}
|
2012-04-03 11:44:59 +01:00
|
|
|
Requires: numad
|
2016-05-04 16:20:58 +01:00
|
|
|
%endif
|
2012-12-04 20:43:05 -07:00
|
|
|
# libvirtd depends on 'messagebus' service
|
|
|
|
Requires: dbus
|
2013-05-01 14:28:43 -06:00
|
|
|
# For uid creation during pre
|
|
|
|
Requires(pre): shadow-utils
|
2012-04-03 11:44:59 +01:00
|
|
|
|
|
|
|
%description daemon
|
|
|
|
Server side daemon required to manage the virtualization capabilities
|
|
|
|
of recent versions of Linux. Requires a hypervisor specific sub-RPM
|
|
|
|
for specific drivers.
|
|
|
|
|
|
|
|
%package daemon-config-network
|
|
|
|
Summary: Default configuration files for the libvirtd daemon
|
|
|
|
|
|
|
|
Requires: libvirt-daemon = %{version}-%{release}
|
2014-02-11 11:35:20 +01:00
|
|
|
Requires: libvirt-daemon-driver-network = %{version}-%{release}
|
2012-04-03 11:44:59 +01:00
|
|
|
|
|
|
|
%description daemon-config-network
|
|
|
|
Default configuration files for setting up NAT based networking
|
|
|
|
|
|
|
|
%package daemon-config-nwfilter
|
|
|
|
Summary: Network filter configuration files for the libvirtd daemon
|
|
|
|
|
|
|
|
Requires: libvirt-daemon = %{version}-%{release}
|
2014-02-12 14:33:16 -07:00
|
|
|
Requires: libvirt-daemon-driver-nwfilter = %{version}-%{release}
|
2012-04-03 11:44:59 +01:00
|
|
|
|
|
|
|
%description daemon-config-nwfilter
|
|
|
|
Network filter configuration files for cleaning guest traffic
|
2012-04-03 11:54:27 +01:00
|
|
|
|
2012-04-02 20:53:43 +01:00
|
|
|
%package daemon-driver-network
|
|
|
|
Summary: Network driver plugin for the libvirtd daemon
|
|
|
|
Requires: libvirt-daemon = %{version}-%{release}
|
2018-07-09 17:45:45 +02:00
|
|
|
Requires: libvirt-libs = %{version}-%{release}
|
2013-10-29 11:27:45 +00:00
|
|
|
Requires: dnsmasq >= 2.41
|
|
|
|
Requires: radvd
|
|
|
|
Requires: iptables
|
2012-04-02 20:53:43 +01:00
|
|
|
|
|
|
|
%description daemon-driver-network
|
|
|
|
The network driver plugin for the libvirtd daemon, providing
|
|
|
|
an implementation of the virtual network APIs using the Linux
|
|
|
|
bridge capabilities.
|
|
|
|
|
|
|
|
|
|
|
|
%package daemon-driver-nwfilter
|
|
|
|
Summary: Nwfilter driver plugin for the libvirtd daemon
|
|
|
|
Requires: libvirt-daemon = %{version}-%{release}
|
2018-07-09 17:45:45 +02:00
|
|
|
Requires: libvirt-libs = %{version}-%{release}
|
2013-10-29 11:27:45 +00:00
|
|
|
Requires: iptables
|
|
|
|
Requires: ebtables
|
2012-04-02 20:53:43 +01:00
|
|
|
|
|
|
|
%description daemon-driver-nwfilter
|
|
|
|
The nwfilter driver plugin for the libvirtd daemon, providing
|
|
|
|
an implementation of the firewall APIs using the ebtables,
|
|
|
|
iptables and ip6tables capabilities
|
|
|
|
|
|
|
|
|
|
|
|
%package daemon-driver-nodedev
|
|
|
|
Summary: Nodedev driver plugin for the libvirtd daemon
|
|
|
|
Requires: libvirt-daemon = %{version}-%{release}
|
2018-07-09 17:45:45 +02:00
|
|
|
Requires: libvirt-libs = %{version}-%{release}
|
2013-10-29 11:27:45 +00:00
|
|
|
# needed for device enumeration
|
|
|
|
Requires: systemd >= 185
|
2012-04-02 20:53:43 +01:00
|
|
|
|
|
|
|
%description daemon-driver-nodedev
|
|
|
|
The nodedev driver plugin for the libvirtd daemon, providing
|
|
|
|
an implementation of the node device APIs using the udev
|
|
|
|
capabilities.
|
|
|
|
|
|
|
|
|
|
|
|
%package daemon-driver-interface
|
|
|
|
Summary: Interface driver plugin for the libvirtd daemon
|
|
|
|
Requires: libvirt-daemon = %{version}-%{release}
|
2018-07-09 17:45:45 +02:00
|
|
|
Requires: libvirt-libs = %{version}-%{release}
|
2013-10-29 11:27:45 +00:00
|
|
|
Requires: netcf-libs >= 0.2.2
|
2012-04-02 20:53:43 +01:00
|
|
|
|
|
|
|
%description daemon-driver-interface
|
|
|
|
The interface driver plugin for the libvirtd daemon, providing
|
|
|
|
an implementation of the network interface APIs using the
|
|
|
|
netcf library
|
|
|
|
|
|
|
|
|
|
|
|
%package daemon-driver-secret
|
|
|
|
Summary: Secret driver plugin for the libvirtd daemon
|
|
|
|
Requires: libvirt-daemon = %{version}-%{release}
|
2018-07-09 17:45:45 +02:00
|
|
|
Requires: libvirt-libs = %{version}-%{release}
|
2012-04-02 20:53:43 +01:00
|
|
|
|
|
|
|
%description daemon-driver-secret
|
|
|
|
The secret driver plugin for the libvirtd daemon, providing
|
|
|
|
an implementation of the secret key APIs.
|
|
|
|
|
2017-02-08 09:20:21 +01:00
|
|
|
%package daemon-driver-storage-core
|
|
|
|
Summary: Storage driver plugin including base backends for the libvirtd daemon
|
2012-04-02 20:53:43 +01:00
|
|
|
Requires: libvirt-daemon = %{version}-%{release}
|
2018-07-09 17:45:45 +02:00
|
|
|
Requires: libvirt-libs = %{version}-%{release}
|
2013-10-29 11:27:45 +00:00
|
|
|
Requires: nfs-utils
|
|
|
|
# For mkfs
|
|
|
|
Requires: util-linux
|
2016-05-04 16:40:08 +01:00
|
|
|
%if %{with_qemu}
|
2013-10-29 11:27:45 +00:00
|
|
|
# From QEMU RPMs
|
|
|
|
Requires: /usr/bin/qemu-img
|
2016-05-04 16:40:08 +01:00
|
|
|
%endif
|
2019-03-19 15:59:36 +00:00
|
|
|
%if !%{with_storage_rbd}
|
|
|
|
Obsoletes: libvirt-daemon-driver-storage-rbd < %{version}-%{release}
|
|
|
|
%endif
|
2012-04-02 20:53:43 +01:00
|
|
|
|
2017-02-08 09:20:21 +01:00
|
|
|
%description daemon-driver-storage-core
|
|
|
|
The storage driver plugin for the libvirtd daemon, providing
|
|
|
|
an implementation of the storage APIs using files, local disks, LVM, SCSI,
|
|
|
|
iSCSI, and multipath storage.
|
|
|
|
|
|
|
|
%package daemon-driver-storage-logical
|
|
|
|
Summary: Storage driver plugin for lvm volumes
|
|
|
|
Requires: libvirt-daemon-driver-storage-core = %{version}-%{release}
|
2018-07-09 17:45:45 +02:00
|
|
|
Requires: libvirt-libs = %{version}-%{release}
|
2017-02-08 09:20:21 +01:00
|
|
|
Requires: lvm2
|
|
|
|
|
|
|
|
%description daemon-driver-storage-logical
|
|
|
|
The storage driver backend adding implementation of the storage APIs for block
|
|
|
|
volumes using lvm.
|
|
|
|
|
|
|
|
|
|
|
|
%package daemon-driver-storage-disk
|
|
|
|
Summary: Storage driver plugin for disk
|
|
|
|
Requires: libvirt-daemon-driver-storage-core = %{version}-%{release}
|
2018-07-09 17:45:45 +02:00
|
|
|
Requires: libvirt-libs = %{version}-%{release}
|
2017-02-08 09:20:21 +01:00
|
|
|
Requires: parted
|
|
|
|
Requires: device-mapper
|
|
|
|
|
|
|
|
%description daemon-driver-storage-disk
|
|
|
|
The storage driver backend adding implementation of the storage APIs for block
|
|
|
|
volumes using the host disks.
|
|
|
|
|
|
|
|
|
|
|
|
%package daemon-driver-storage-scsi
|
|
|
|
Summary: Storage driver plugin for local scsi devices
|
|
|
|
Requires: libvirt-daemon-driver-storage-core = %{version}-%{release}
|
2018-07-09 17:45:45 +02:00
|
|
|
Requires: libvirt-libs = %{version}-%{release}
|
2017-02-08 09:20:21 +01:00
|
|
|
|
|
|
|
%description daemon-driver-storage-scsi
|
|
|
|
The storage driver backend adding implementation of the storage APIs for scsi
|
|
|
|
host devices.
|
|
|
|
|
|
|
|
|
|
|
|
%package daemon-driver-storage-iscsi
|
|
|
|
Summary: Storage driver plugin for iscsi
|
|
|
|
Requires: libvirt-daemon-driver-storage-core = %{version}-%{release}
|
2018-07-09 17:45:45 +02:00
|
|
|
Requires: libvirt-libs = %{version}-%{release}
|
2017-02-08 09:20:21 +01:00
|
|
|
Requires: iscsi-initiator-utils
|
|
|
|
|
|
|
|
%description daemon-driver-storage-iscsi
|
|
|
|
The storage driver backend adding implementation of the storage APIs for iscsi
|
|
|
|
volumes using the host iscsi stack.
|
|
|
|
|
|
|
|
|
2018-08-14 14:31:35 +02:00
|
|
|
%if %{with_storage_iscsi_direct}
|
2018-08-08 19:43:25 -04:00
|
|
|
%package daemon-driver-storage-iscsi-direct
|
|
|
|
Summary: Storage driver plugin for iscsi-direct
|
|
|
|
Requires: libvirt-daemon-driver-storage-core = %{version}-%{release}
|
|
|
|
Requires: libvirt-libs = %{version}-%{release}
|
2018-08-14 14:31:35 +02:00
|
|
|
Requires: libiscsi
|
2018-08-08 19:43:25 -04:00
|
|
|
|
|
|
|
%description daemon-driver-storage-iscsi-direct
|
|
|
|
The storage driver backend adding implementation of the storage APIs for iscsi
|
|
|
|
volumes using libiscsi direct connection.
|
2018-08-14 14:31:35 +02:00
|
|
|
%endif
|
2018-08-08 19:43:25 -04:00
|
|
|
|
|
|
|
|
2017-02-08 09:20:21 +01:00
|
|
|
%package daemon-driver-storage-mpath
|
|
|
|
Summary: Storage driver plugin for multipath volumes
|
|
|
|
Requires: libvirt-daemon-driver-storage-core = %{version}-%{release}
|
2018-07-09 17:45:45 +02:00
|
|
|
Requires: libvirt-libs = %{version}-%{release}
|
2017-02-08 09:20:21 +01:00
|
|
|
Requires: device-mapper
|
|
|
|
|
|
|
|
%description daemon-driver-storage-mpath
|
|
|
|
The storage driver backend adding implementation of the storage APIs for
|
|
|
|
multipath storage using device mapper.
|
|
|
|
|
|
|
|
|
|
|
|
%if %{with_storage_gluster}
|
|
|
|
%package daemon-driver-storage-gluster
|
|
|
|
Summary: Storage driver plugin for gluster
|
|
|
|
Requires: libvirt-daemon-driver-storage-core = %{version}-%{release}
|
2018-07-09 17:45:45 +02:00
|
|
|
Requires: libvirt-libs = %{version}-%{release}
|
2017-02-08 09:20:21 +01:00
|
|
|
%if 0%{?fedora}
|
|
|
|
Requires: glusterfs-client >= 2.0.1
|
|
|
|
%endif
|
|
|
|
%if (0%{?fedora} || 0%{?with_storage_gluster})
|
|
|
|
Requires: /usr/sbin/gluster
|
|
|
|
%endif
|
|
|
|
|
|
|
|
%description daemon-driver-storage-gluster
|
|
|
|
The storage driver backend adding implementation of the storage APIs for gluster
|
|
|
|
volumes using libgfapi.
|
|
|
|
%endif
|
|
|
|
|
|
|
|
|
|
|
|
%if %{with_storage_rbd}
|
|
|
|
%package daemon-driver-storage-rbd
|
|
|
|
Summary: Storage driver plugin for rbd
|
|
|
|
Requires: libvirt-daemon-driver-storage-core = %{version}-%{release}
|
2018-07-09 17:45:45 +02:00
|
|
|
Requires: libvirt-libs = %{version}-%{release}
|
2017-02-08 09:20:21 +01:00
|
|
|
|
|
|
|
%description daemon-driver-storage-rbd
|
|
|
|
The storage driver backend adding implementation of the storage APIs for rbd
|
|
|
|
volumes using the ceph protocol.
|
|
|
|
%endif
|
|
|
|
|
|
|
|
|
|
|
|
%if %{with_storage_sheepdog}
|
|
|
|
%package daemon-driver-storage-sheepdog
|
|
|
|
Summary: Storage driver plugin for sheepdog
|
|
|
|
Requires: libvirt-daemon-driver-storage-core = %{version}-%{release}
|
2018-07-09 17:45:45 +02:00
|
|
|
Requires: libvirt-libs = %{version}-%{release}
|
2017-02-08 09:20:21 +01:00
|
|
|
Requires: sheepdog
|
|
|
|
|
|
|
|
%description daemon-driver-storage-sheepdog
|
|
|
|
The storage driver backend adding implementation of the storage APIs for
|
|
|
|
sheepdog volumes using.
|
|
|
|
%endif
|
|
|
|
|
|
|
|
|
2017-07-17 11:32:46 -04:00
|
|
|
%if %{with_storage_zfs}
|
|
|
|
%package daemon-driver-storage-zfs
|
|
|
|
Summary: Storage driver plugin for ZFS
|
|
|
|
Requires: libvirt-daemon-driver-storage-core = %{version}-%{release}
|
2018-07-09 17:45:45 +02:00
|
|
|
Requires: libvirt-libs = %{version}-%{release}
|
2017-07-17 11:32:46 -04:00
|
|
|
# Support any conforming implementation of zfs
|
|
|
|
Requires: /sbin/zfs
|
|
|
|
Requires: /sbin/zpool
|
|
|
|
|
|
|
|
%description daemon-driver-storage-zfs
|
|
|
|
The storage driver backend adding implementation of the storage APIs for
|
|
|
|
ZFS volumes.
|
|
|
|
%endif
|
|
|
|
|
|
|
|
|
2017-02-08 09:20:21 +01:00
|
|
|
%package daemon-driver-storage
|
|
|
|
Summary: Storage driver plugin including all backends for the libvirtd daemon
|
|
|
|
Requires: libvirt-daemon-driver-storage-core = %{version}-%{release}
|
|
|
|
Requires: libvirt-daemon-driver-storage-disk = %{version}-%{release}
|
|
|
|
Requires: libvirt-daemon-driver-storage-logical = %{version}-%{release}
|
|
|
|
Requires: libvirt-daemon-driver-storage-scsi = %{version}-%{release}
|
|
|
|
Requires: libvirt-daemon-driver-storage-iscsi = %{version}-%{release}
|
|
|
|
Requires: libvirt-daemon-driver-storage-mpath = %{version}-%{release}
|
2018-08-14 14:31:35 +02:00
|
|
|
%if %{with_storage_iscsi_direct}
|
|
|
|
Requires: libvirt-daemon-driver-storage-iscsi-direct = %{version}-%{release}
|
|
|
|
%endif
|
2017-02-08 09:20:21 +01:00
|
|
|
%if %{with_storage_gluster}
|
|
|
|
Requires: libvirt-daemon-driver-storage-gluster = %{version}-%{release}
|
|
|
|
%endif
|
|
|
|
%if %{with_storage_rbd}
|
|
|
|
Requires: libvirt-daemon-driver-storage-rbd = %{version}-%{release}
|
|
|
|
%endif
|
|
|
|
%if %{with_storage_sheepdog}
|
|
|
|
Requires: libvirt-daemon-driver-storage-sheepdog = %{version}-%{release}
|
|
|
|
%endif
|
2017-07-17 11:32:46 -04:00
|
|
|
%if %{with_storage_zfs}
|
|
|
|
Requires: libvirt-daemon-driver-storage-zfs = %{version}-%{release}
|
|
|
|
%endif
|
2017-02-08 09:20:21 +01:00
|
|
|
|
2012-04-02 20:53:43 +01:00
|
|
|
%description daemon-driver-storage
|
|
|
|
The storage driver plugin for the libvirtd daemon, providing
|
|
|
|
an implementation of the storage APIs using LVM, iSCSI,
|
|
|
|
parted and more.
|
|
|
|
|
|
|
|
|
2016-05-04 16:20:58 +01:00
|
|
|
%if %{with_qemu}
|
2012-04-02 20:53:43 +01:00
|
|
|
%package daemon-driver-qemu
|
2017-03-07 18:09:58 +01:00
|
|
|
Summary: QEMU driver plugin for the libvirtd daemon
|
2012-04-02 20:53:43 +01:00
|
|
|
Requires: libvirt-daemon = %{version}-%{release}
|
2018-07-09 17:45:45 +02:00
|
|
|
Requires: libvirt-libs = %{version}-%{release}
|
2013-10-29 11:27:45 +00:00
|
|
|
Requires: /usr/bin/qemu-img
|
|
|
|
# For image compression
|
|
|
|
Requires: gzip
|
|
|
|
Requires: bzip2
|
|
|
|
Requires: lzop
|
|
|
|
Requires: xz
|
2018-02-09 14:08:45 +01:00
|
|
|
%if 0%{?fedora} || 0%{?rhel} > 7
|
2016-07-12 15:57:39 +01:00
|
|
|
Requires: systemd-container
|
2016-07-13 19:01:14 +02:00
|
|
|
%endif
|
2012-04-02 20:53:43 +01:00
|
|
|
|
|
|
|
%description daemon-driver-qemu
|
|
|
|
The qemu driver plugin for the libvirtd daemon, providing
|
|
|
|
an implementation of the hypervisor driver APIs using
|
|
|
|
QEMU
|
2016-05-04 16:20:58 +01:00
|
|
|
%endif
|
2012-04-02 20:53:43 +01:00
|
|
|
|
|
|
|
|
2016-05-04 16:20:58 +01:00
|
|
|
%if %{with_lxc}
|
2012-04-02 20:53:43 +01:00
|
|
|
%package daemon-driver-lxc
|
|
|
|
Summary: LXC driver plugin for the libvirtd daemon
|
|
|
|
Requires: libvirt-daemon = %{version}-%{release}
|
2018-07-09 17:45:45 +02:00
|
|
|
Requires: libvirt-libs = %{version}-%{release}
|
2012-04-02 20:53:43 +01:00
|
|
|
# There really is a hard cross-driver dependency here
|
2012-05-25 08:10:56 +01:00
|
|
|
Requires: libvirt-daemon-driver-network = %{version}-%{release}
|
2018-02-09 14:08:45 +01:00
|
|
|
%if 0%{?fedora} || 0%{?rhel} > 7
|
2016-07-12 15:57:39 +01:00
|
|
|
Requires: systemd-container
|
2016-07-13 19:01:14 +02:00
|
|
|
%endif
|
2012-04-02 20:53:43 +01:00
|
|
|
|
|
|
|
%description daemon-driver-lxc
|
|
|
|
The LXC driver plugin for the libvirtd daemon, providing
|
|
|
|
an implementation of the hypervisor driver APIs using
|
|
|
|
the Linux kernel
|
2016-05-04 16:20:58 +01:00
|
|
|
%endif
|
2012-04-02 20:53:43 +01:00
|
|
|
|
|
|
|
|
2016-05-04 16:20:58 +01:00
|
|
|
%if %{with_vbox}
|
2013-05-17 13:31:59 +01:00
|
|
|
%package daemon-driver-vbox
|
|
|
|
Summary: VirtualBox driver plugin for the libvirtd daemon
|
|
|
|
Requires: libvirt-daemon = %{version}-%{release}
|
2018-07-09 17:45:45 +02:00
|
|
|
Requires: libvirt-libs = %{version}-%{release}
|
2013-05-17 13:31:59 +01:00
|
|
|
|
|
|
|
%description daemon-driver-vbox
|
|
|
|
The vbox driver plugin for the libvirtd daemon, providing
|
|
|
|
an implementation of the hypervisor driver APIs using
|
|
|
|
VirtualBox
|
2016-05-04 16:20:58 +01:00
|
|
|
%endif
|
2013-05-17 13:31:59 +01:00
|
|
|
|
|
|
|
|
2016-05-04 16:20:58 +01:00
|
|
|
%if %{with_libxl}
|
2012-04-02 20:53:43 +01:00
|
|
|
%package daemon-driver-libxl
|
|
|
|
Summary: Libxl driver plugin for the libvirtd daemon
|
|
|
|
Requires: libvirt-daemon = %{version}-%{release}
|
2018-07-09 17:45:45 +02:00
|
|
|
Requires: libvirt-libs = %{version}-%{release}
|
2018-05-03 11:18:42 +01:00
|
|
|
Obsoletes: libvirt-daemon-driver-xen < 4.3.0
|
2012-04-02 20:53:43 +01:00
|
|
|
|
|
|
|
%description daemon-driver-libxl
|
|
|
|
The Libxl driver plugin for the libvirtd daemon, providing
|
|
|
|
an implementation of the hypervisor driver APIs using
|
|
|
|
Libxl
|
2016-05-04 16:20:58 +01:00
|
|
|
%endif
|
2012-04-02 20:53:43 +01:00
|
|
|
|
|
|
|
|
2012-04-03 11:54:27 +01:00
|
|
|
|
2016-05-04 16:20:58 +01:00
|
|
|
%if %{with_qemu_tcg}
|
2012-04-03 11:54:27 +01:00
|
|
|
%package daemon-qemu
|
|
|
|
Summary: Server side daemon & driver required to run QEMU guests
|
|
|
|
|
|
|
|
Requires: libvirt-daemon = %{version}-%{release}
|
2012-04-02 20:53:43 +01:00
|
|
|
Requires: libvirt-daemon-driver-qemu = %{version}-%{release}
|
|
|
|
Requires: libvirt-daemon-driver-interface = %{version}-%{release}
|
|
|
|
Requires: libvirt-daemon-driver-network = %{version}-%{release}
|
|
|
|
Requires: libvirt-daemon-driver-nodedev = %{version}-%{release}
|
2012-05-25 08:10:56 +01:00
|
|
|
Requires: libvirt-daemon-driver-nwfilter = %{version}-%{release}
|
2012-04-02 20:53:43 +01:00
|
|
|
Requires: libvirt-daemon-driver-secret = %{version}-%{release}
|
|
|
|
Requires: libvirt-daemon-driver-storage = %{version}-%{release}
|
2012-04-03 11:54:27 +01:00
|
|
|
Requires: qemu
|
|
|
|
|
|
|
|
%description daemon-qemu
|
|
|
|
Server side daemon and driver required to manage the virtualization
|
|
|
|
capabilities of the QEMU TCG emulators
|
2016-05-04 16:20:58 +01:00
|
|
|
%endif
|
2012-04-03 11:54:27 +01:00
|
|
|
|
|
|
|
|
2016-05-04 16:20:58 +01:00
|
|
|
%if %{with_qemu_kvm}
|
2012-04-03 11:54:27 +01:00
|
|
|
%package daemon-kvm
|
|
|
|
Summary: Server side daemon & driver required to run KVM guests
|
|
|
|
|
|
|
|
Requires: libvirt-daemon = %{version}-%{release}
|
2012-04-02 20:53:43 +01:00
|
|
|
Requires: libvirt-daemon-driver-qemu = %{version}-%{release}
|
|
|
|
Requires: libvirt-daemon-driver-interface = %{version}-%{release}
|
|
|
|
Requires: libvirt-daemon-driver-network = %{version}-%{release}
|
|
|
|
Requires: libvirt-daemon-driver-nodedev = %{version}-%{release}
|
2012-05-25 08:10:56 +01:00
|
|
|
Requires: libvirt-daemon-driver-nwfilter = %{version}-%{release}
|
2012-04-02 20:53:43 +01:00
|
|
|
Requires: libvirt-daemon-driver-secret = %{version}-%{release}
|
|
|
|
Requires: libvirt-daemon-driver-storage = %{version}-%{release}
|
2012-04-03 11:54:27 +01:00
|
|
|
Requires: qemu-kvm
|
|
|
|
|
|
|
|
%description daemon-kvm
|
|
|
|
Server side daemon and driver required to manage the virtualization
|
|
|
|
capabilities of the KVM hypervisor
|
2016-05-04 16:20:58 +01:00
|
|
|
%endif
|
2012-04-03 11:54:27 +01:00
|
|
|
|
|
|
|
|
2016-05-04 16:20:58 +01:00
|
|
|
%if %{with_lxc}
|
2012-04-03 11:54:27 +01:00
|
|
|
%package daemon-lxc
|
|
|
|
Summary: Server side daemon & driver required to run LXC guests
|
|
|
|
|
|
|
|
Requires: libvirt-daemon = %{version}-%{release}
|
2012-04-02 20:53:43 +01:00
|
|
|
Requires: libvirt-daemon-driver-lxc = %{version}-%{release}
|
|
|
|
Requires: libvirt-daemon-driver-interface = %{version}-%{release}
|
|
|
|
Requires: libvirt-daemon-driver-network = %{version}-%{release}
|
|
|
|
Requires: libvirt-daemon-driver-nodedev = %{version}-%{release}
|
2012-05-25 08:10:56 +01:00
|
|
|
Requires: libvirt-daemon-driver-nwfilter = %{version}-%{release}
|
2012-04-02 20:53:43 +01:00
|
|
|
Requires: libvirt-daemon-driver-secret = %{version}-%{release}
|
|
|
|
Requires: libvirt-daemon-driver-storage = %{version}-%{release}
|
2012-04-03 11:54:27 +01:00
|
|
|
|
|
|
|
%description daemon-lxc
|
|
|
|
Server side daemon and driver required to manage the virtualization
|
|
|
|
capabilities of LXC
|
2016-05-04 16:20:58 +01:00
|
|
|
%endif
|
2012-04-03 11:54:27 +01:00
|
|
|
|
|
|
|
|
2018-03-28 17:57:10 -06:00
|
|
|
%if %{with_libxl}
|
2012-04-03 11:54:27 +01:00
|
|
|
%package daemon-xen
|
|
|
|
Summary: Server side daemon & driver required to run XEN guests
|
|
|
|
|
|
|
|
Requires: libvirt-daemon = %{version}-%{release}
|
2016-05-04 16:20:58 +01:00
|
|
|
%if %{with_libxl}
|
2012-04-02 20:53:43 +01:00
|
|
|
Requires: libvirt-daemon-driver-libxl = %{version}-%{release}
|
2016-05-04 16:20:58 +01:00
|
|
|
%endif
|
2012-04-02 20:53:43 +01:00
|
|
|
Requires: libvirt-daemon-driver-interface = %{version}-%{release}
|
|
|
|
Requires: libvirt-daemon-driver-network = %{version}-%{release}
|
|
|
|
Requires: libvirt-daemon-driver-nodedev = %{version}-%{release}
|
2012-05-25 08:10:56 +01:00
|
|
|
Requires: libvirt-daemon-driver-nwfilter = %{version}-%{release}
|
2012-04-02 20:53:43 +01:00
|
|
|
Requires: libvirt-daemon-driver-secret = %{version}-%{release}
|
|
|
|
Requires: libvirt-daemon-driver-storage = %{version}-%{release}
|
2012-04-03 11:54:27 +01:00
|
|
|
Requires: xen
|
|
|
|
|
|
|
|
%description daemon-xen
|
|
|
|
Server side daemon and driver required to manage the virtualization
|
|
|
|
capabilities of XEN
|
2016-05-04 16:20:58 +01:00
|
|
|
%endif
|
2013-05-17 13:31:59 +01:00
|
|
|
|
2016-05-04 16:20:58 +01:00
|
|
|
%if %{with_vbox}
|
2013-05-17 13:31:59 +01:00
|
|
|
%package daemon-vbox
|
|
|
|
Summary: Server side daemon & driver required to run VirtualBox guests
|
|
|
|
|
|
|
|
Requires: libvirt-daemon = %{version}-%{release}
|
|
|
|
Requires: libvirt-daemon-driver-vbox = %{version}-%{release}
|
|
|
|
Requires: libvirt-daemon-driver-interface = %{version}-%{release}
|
|
|
|
Requires: libvirt-daemon-driver-network = %{version}-%{release}
|
|
|
|
Requires: libvirt-daemon-driver-nodedev = %{version}-%{release}
|
|
|
|
Requires: libvirt-daemon-driver-nwfilter = %{version}-%{release}
|
|
|
|
Requires: libvirt-daemon-driver-secret = %{version}-%{release}
|
|
|
|
Requires: libvirt-daemon-driver-storage = %{version}-%{release}
|
|
|
|
|
|
|
|
%description daemon-vbox
|
|
|
|
Server side daemon and driver required to manage the virtualization
|
|
|
|
capabilities of VirtualBox
|
2016-05-04 16:20:58 +01:00
|
|
|
%endif
|
2012-04-03 11:44:59 +01:00
|
|
|
|
2009-07-21 11:16:15 +02:00
|
|
|
%package client
|
2016-06-25 08:37:22 +02:00
|
|
|
Summary: Client side utilities of the libvirt library
|
|
|
|
Requires: %{name}-libs = %{version}-%{release}
|
2009-07-21 11:16:15 +02:00
|
|
|
Requires: readline
|
|
|
|
Requires: ncurses
|
2013-05-14 20:14:34 -06:00
|
|
|
# Needed by /usr/libexec/libvirt-guests.sh script.
|
2011-02-18 13:45:13 +08:00
|
|
|
Requires: gettext
|
2011-02-21 10:43:29 -07:00
|
|
|
# Needed by virt-pki-validate script.
|
|
|
|
Requires: gnutls-utils
|
2018-01-24 16:42:00 +01:00
|
|
|
%if %{with_bash_completion}
|
|
|
|
Requires: %{name}-bash-completion = %{version}-%{release}
|
|
|
|
%endif
|
2016-06-25 08:37:22 +02:00
|
|
|
|
|
|
|
%description client
|
|
|
|
The client binaries needed to access the virtualization
|
|
|
|
capabilities of recent versions of Linux (and other OSes).
|
|
|
|
|
|
|
|
%package libs
|
|
|
|
Summary: Client side libraries
|
|
|
|
# So remote clients can access libvirt over SSH tunnel
|
|
|
|
# (client invokes 'nc' against the UNIX socket on the server)
|
|
|
|
Requires: nc
|
2009-07-21 11:16:15 +02:00
|
|
|
Requires: cyrus-sasl
|
2017-03-13 12:15:57 +00:00
|
|
|
# Needed by default sasl.conf - no onerous extra deps, since
|
|
|
|
# 100's of other things on a system already pull in krb5-libs
|
|
|
|
Requires: cyrus-sasl-gssapi
|
2009-07-21 11:16:15 +02:00
|
|
|
|
2016-06-25 08:37:22 +02:00
|
|
|
%description libs
|
|
|
|
Shared libraries for accessing the libvirt daemon.
|
2005-11-02 15:37:34 +00:00
|
|
|
|
2016-06-27 10:15:21 +02:00
|
|
|
%package admin
|
|
|
|
Summary: Set of tools to control libvirt daemon
|
|
|
|
Requires: %{name}-libs = %{version}-%{release}
|
|
|
|
Requires: readline
|
2018-01-24 16:42:00 +01:00
|
|
|
%if %{with_bash_completion}
|
|
|
|
Requires: %{name}-bash-completion = %{version}-%{release}
|
|
|
|
%endif
|
2016-06-27 10:15:21 +02:00
|
|
|
|
|
|
|
%description admin
|
|
|
|
The client side utilities to control the libvirt daemon.
|
|
|
|
|
2018-01-24 16:42:00 +01:00
|
|
|
%if %{with_bash_completion}
|
|
|
|
%package bash-completion
|
|
|
|
Summary: Bash completion script
|
|
|
|
|
|
|
|
%description bash-completion
|
|
|
|
Bash completion script stub.
|
|
|
|
%endif
|
|
|
|
|
2014-02-04 12:37:15 -07:00
|
|
|
%if %{with_wireshark}
|
|
|
|
%package wireshark
|
|
|
|
Summary: Wireshark dissector plugin for libvirt RPC transactions
|
2019-02-08 12:05:23 +01:00
|
|
|
Requires: wireshark >= 2.4.0
|
2016-06-25 08:37:22 +02:00
|
|
|
Requires: %{name}-libs = %{version}-%{release}
|
2014-02-04 12:37:15 -07:00
|
|
|
|
|
|
|
%description wireshark
|
|
|
|
Wireshark dissector plugin for better analysis of libvirt RPC traffic.
|
|
|
|
%endif
|
|
|
|
|
2013-10-17 14:18:18 +01:00
|
|
|
%if %{with_lxc}
|
|
|
|
%package login-shell
|
|
|
|
Summary: Login shell for connecting users to an LXC container
|
2016-06-25 08:37:22 +02:00
|
|
|
Requires: %{name}-libs = %{version}-%{release}
|
2013-10-17 14:18:18 +01:00
|
|
|
|
|
|
|
%description login-shell
|
|
|
|
Provides the set-uid virt-login-shell binary that is used to
|
|
|
|
connect a user to an LXC container when they login, by switching
|
|
|
|
namespaces.
|
|
|
|
%endif
|
|
|
|
|
2005-11-02 15:37:34 +00:00
|
|
|
%package devel
|
2006-02-09 17:45:11 +00:00
|
|
|
Summary: Libraries, includes, etc. to compile with the libvirt library
|
2016-06-25 08:37:22 +02:00
|
|
|
Requires: %{name}-libs = %{version}-%{release}
|
2006-11-07 16:28:16 +00:00
|
|
|
Requires: pkgconfig
|
2005-11-02 15:37:34 +00:00
|
|
|
|
|
|
|
%description devel
|
2012-04-03 10:52:12 +01:00
|
|
|
Include header files & development libraries for the libvirt C library.
|
2005-11-02 15:37:34 +00:00
|
|
|
|
2011-01-18 18:37:45 +00:00
|
|
|
%if %{with_sanlock}
|
|
|
|
%package lock-sanlock
|
|
|
|
Summary: Sanlock lock manager plugin for QEMU driver
|
2012-10-16 23:54:18 +02:00
|
|
|
Requires: sanlock >= 2.4
|
2011-09-15 16:55:36 +02:00
|
|
|
#for virt-sanlock-cleanup require augeas
|
|
|
|
Requires: augeas
|
2012-05-21 19:36:30 +01:00
|
|
|
Requires: %{name}-daemon = %{version}-%{release}
|
2016-06-25 08:37:22 +02:00
|
|
|
Requires: %{name}-libs = %{version}-%{release}
|
2011-01-18 18:37:45 +00:00
|
|
|
|
|
|
|
%description lock-sanlock
|
|
|
|
Includes the Sanlock lock manager plugin for the QEMU
|
|
|
|
driver
|
|
|
|
%endif
|
|
|
|
|
2016-02-16 09:41:30 +01:00
|
|
|
%package nss
|
|
|
|
Summary: Libvirt plugin for Name Service Switch
|
|
|
|
Requires: libvirt-daemon-driver-network = %{version}-%{release}
|
|
|
|
|
|
|
|
%description nss
|
|
|
|
Libvirt plugin for NSS for translating domain names into IP addresses.
|
|
|
|
|
2015-04-15 16:16:24 +02:00
|
|
|
|
2005-11-02 15:37:34 +00:00
|
|
|
%prep
|
2016-05-04 15:43:08 +01:00
|
|
|
|
2018-08-03 10:34:32 +01:00
|
|
|
%autosetup -S git_am
|
2014-11-21 18:09:36 +01:00
|
|
|
|
2005-11-02 15:37:34 +00:00
|
|
|
%build
|
2017-10-03 13:41:05 +02:00
|
|
|
%if ! %{supported_platform}
|
2018-01-11 16:30:03 +00:00
|
|
|
echo "This RPM requires either Fedora >= %{min_fedora} or RHEL >= %{min_rhel}"
|
2017-10-03 13:41:05 +02:00
|
|
|
exit 1
|
|
|
|
%endif
|
|
|
|
|
2016-05-04 16:50:55 +01:00
|
|
|
%if %{with_qemu}
|
|
|
|
%define arg_qemu --with-qemu
|
|
|
|
%else
|
|
|
|
%define arg_qemu --without-qemu
|
2008-06-12 16:10:50 +00:00
|
|
|
%endif
|
|
|
|
|
2016-05-04 16:50:55 +01:00
|
|
|
%if %{with_openvz}
|
|
|
|
%define arg_openvz --with-openvz
|
|
|
|
%else
|
|
|
|
%define arg_openvz --without-openvz
|
2008-08-21 09:28:54 +00:00
|
|
|
%endif
|
|
|
|
|
2016-05-04 16:50:55 +01:00
|
|
|
%if %{with_lxc}
|
|
|
|
%define arg_lxc --with-lxc
|
2018-02-14 14:49:28 +01:00
|
|
|
%define arg_login_shell --with-login-shell
|
2016-05-04 16:50:55 +01:00
|
|
|
%else
|
|
|
|
%define arg_lxc --without-lxc
|
2018-02-14 14:49:28 +01:00
|
|
|
%define arg_login_shell --without-login-shell
|
2008-08-21 09:28:54 +00:00
|
|
|
%endif
|
|
|
|
|
2016-05-04 16:50:55 +01:00
|
|
|
%if %{with_vbox}
|
|
|
|
%define arg_vbox --with-vbox
|
|
|
|
%else
|
|
|
|
%define arg_vbox --without-vbox
|
2009-07-28 17:59:34 +01:00
|
|
|
%endif
|
|
|
|
|
2016-05-04 16:50:55 +01:00
|
|
|
%if %{with_libxl}
|
|
|
|
%define arg_libxl --with-libxl
|
|
|
|
%else
|
|
|
|
%define arg_libxl --without-libxl
|
2011-02-10 15:42:34 -07:00
|
|
|
%endif
|
|
|
|
|
2016-05-04 16:50:55 +01:00
|
|
|
%if %{with_phyp}
|
|
|
|
%define arg_phyp --with-phyp
|
|
|
|
%else
|
|
|
|
%define arg_phyp --without-phyp
|
2009-07-24 16:26:54 +02:00
|
|
|
%endif
|
|
|
|
|
2016-05-04 16:50:55 +01:00
|
|
|
%if %{with_esx}
|
|
|
|
%define arg_esx --with-esx
|
|
|
|
%else
|
|
|
|
%define arg_esx --without-esx
|
2009-09-16 16:02:38 +01:00
|
|
|
%endif
|
|
|
|
|
2016-05-04 16:50:55 +01:00
|
|
|
%if %{with_hyperv}
|
|
|
|
%define arg_hyperv --with-hyperv
|
|
|
|
%else
|
|
|
|
%define arg_hyperv --without-hyperv
|
2011-07-13 16:05:18 +02:00
|
|
|
%endif
|
|
|
|
|
2016-05-04 16:50:55 +01:00
|
|
|
%if %{with_vmware}
|
|
|
|
%define arg_vmware --with-vmware
|
|
|
|
%else
|
|
|
|
%define arg_vmware --without-vmware
|
2010-12-21 10:13:50 -07:00
|
|
|
%endif
|
|
|
|
|
2016-05-04 16:50:55 +01:00
|
|
|
%if %{with_storage_rbd}
|
|
|
|
%define arg_storage_rbd --with-storage-rbd
|
|
|
|
%else
|
|
|
|
%define arg_storage_rbd --without-storage-rbd
|
2012-05-14 11:06:42 +02:00
|
|
|
%endif
|
|
|
|
|
2016-05-04 16:50:55 +01:00
|
|
|
%if %{with_storage_sheepdog}
|
|
|
|
%define arg_storage_sheepdog --with-storage-sheepdog
|
|
|
|
%else
|
|
|
|
%define arg_storage_sheepdog --without-storage-sheepdog
|
2012-07-18 20:06:58 +01:00
|
|
|
%endif
|
|
|
|
|
2016-05-04 16:50:55 +01:00
|
|
|
%if %{with_storage_gluster}
|
|
|
|
%define arg_storage_gluster --with-storage-gluster
|
|
|
|
%else
|
|
|
|
%define arg_storage_gluster --without-storage-gluster
|
2013-11-19 16:26:05 -07:00
|
|
|
%endif
|
|
|
|
|
2017-07-17 11:32:46 -04:00
|
|
|
%if %{with_storage_zfs}
|
|
|
|
%define arg_storage_zfs --with-storage-zfs
|
|
|
|
%else
|
|
|
|
%define arg_storage_zfs --without-storage-zfs
|
|
|
|
%endif
|
|
|
|
|
2016-05-04 16:50:55 +01:00
|
|
|
%if %{with_numactl}
|
|
|
|
%define arg_numactl --with-numactl
|
|
|
|
%else
|
|
|
|
%define arg_numactl --without-numactl
|
2009-03-31 12:45:07 +00:00
|
|
|
%endif
|
|
|
|
|
2016-05-04 16:50:55 +01:00
|
|
|
%if %{with_numad}
|
|
|
|
%define arg_numad --with-numad
|
|
|
|
%else
|
|
|
|
%define arg_numad --without-numad
|
2012-03-24 09:35:20 +08:00
|
|
|
%endif
|
|
|
|
|
2016-05-04 16:50:55 +01:00
|
|
|
%if %{with_fuse}
|
|
|
|
%define arg_fuse --with-fuse
|
|
|
|
%else
|
|
|
|
%define arg_fuse --without-fuse
|
2012-11-12 15:02:23 +08:00
|
|
|
%endif
|
|
|
|
|
2016-05-04 16:50:55 +01:00
|
|
|
%if %{with_sanlock}
|
|
|
|
%define arg_sanlock --with-sanlock
|
|
|
|
%else
|
|
|
|
%define arg_sanlock --without-sanlock
|
2011-01-18 18:37:45 +00:00
|
|
|
%endif
|
|
|
|
|
network: use firewalld instead of iptables, when available
* configure.ac, spec file: firewalld defaults to enabled if dbus is
available, otherwise is disabled. If --with_firewalld is explicitly
requested and dbus is not available, configure will fail.
* bridge_driver: add dbus filters to get the FirewallD1.Reloaded
signal and DBus.NameOwnerChanged on org.fedoraproject.FirewallD1.
When these are encountered, reload all the iptables reuls of all
libvirt's virtual networks (similar to what happens when libvirtd is
restarted).
* iptables, ebtables: use firewall-cmd's direct passthrough interface
when available, otherwise use iptables and ebtables commands. This
decision is made once the first time libvirt calls
iptables/ebtables, and that decision is maintained for the life of
libvirtd.
* Note that the nwfilter part of this patch was separated out into
another patch by Stefan in V2, so that needs to be revised and
re-reviewed as well.
================
All the configure.ac and specfile changes are unchanged from Thomas'
V3.
V3 re-ran "firewall-cmd --state" every time a new rule was added,
which was extremely inefficient. V4 uses VIR_ONCE_GLOBAL_INIT to set
up a one-time initialization function.
The VIR_ONCE_GLOBAL_INIT(x) macro references a static function called
vir(Ip|Eb)OnceInit(), which will then be called the first time that
the static function vir(Ip|Eb)TablesInitialize() is called (that
function is defined for you by the macro). This is
thread-safe, so there is no chance of any race.
IMPORTANT NOTE: I've left the VIR_DEBUG messages in these two init
functions (one for iptables, on for ebtables) as VIR_WARN so that I
don't have to turn on all the other debug message just to see
these. Even if this patch doesn't need any other modification, those
messages need to be changed to VIR_DEBUG before pushing.
This one-time initialization works well. However, I've encountered
problems with testing:
1) Whenever I have enabled the firewalld service, *all* attempts to
call firewall-cmd from within libvirtd end with firewall-cmd hanging
internally somewhere. This is *not* the case if firewall-cmd returns
non-0 in response to "firewall-cmd --state" (i.e. *that* command runs
and returns to libvirt successfully.)
2) If I start libvirtd while firewalld is stopped, then start
firewalld later, this triggers libvirtd to reload its iptables rules,
however it also spits out a *ton* of complaints about deletion failing
(I suppose because firewalld has nuked all of libvirt's rules). I
guess we need to suppress those messages (which is a more annoying
problem to fix than you might think, but that's another story).
3) I noticed a few times during this long line of errors that
firewalld made a complaint about "Resource Temporarily
unavailable. Having libvirtd access iptables commands directly at the
same time as firewalld is doing so is apparently problematic.
4) In general, I'm concerned about the "set it once and never change
it" method - if firewalld is disabled at libvirtd startup, causing
libvirtd to always use iptables/ebtables directly, this won't cause
*terrible* problems, but if libvirtd decides to use firewall-cmd and
firewalld is later disabled, libvirtd will not be able to recover.
2012-08-14 20:59:52 +02:00
|
|
|
%if %{with_firewalld}
|
2016-05-04 16:50:55 +01:00
|
|
|
%define arg_firewalld --with-firewalld
|
|
|
|
%else
|
|
|
|
%define arg_firewalld --without-firewalld
|
network: use firewalld instead of iptables, when available
* configure.ac, spec file: firewalld defaults to enabled if dbus is
available, otherwise is disabled. If --with_firewalld is explicitly
requested and dbus is not available, configure will fail.
* bridge_driver: add dbus filters to get the FirewallD1.Reloaded
signal and DBus.NameOwnerChanged on org.fedoraproject.FirewallD1.
When these are encountered, reload all the iptables reuls of all
libvirt's virtual networks (similar to what happens when libvirtd is
restarted).
* iptables, ebtables: use firewall-cmd's direct passthrough interface
when available, otherwise use iptables and ebtables commands. This
decision is made once the first time libvirt calls
iptables/ebtables, and that decision is maintained for the life of
libvirtd.
* Note that the nwfilter part of this patch was separated out into
another patch by Stefan in V2, so that needs to be revised and
re-reviewed as well.
================
All the configure.ac and specfile changes are unchanged from Thomas'
V3.
V3 re-ran "firewall-cmd --state" every time a new rule was added,
which was extremely inefficient. V4 uses VIR_ONCE_GLOBAL_INIT to set
up a one-time initialization function.
The VIR_ONCE_GLOBAL_INIT(x) macro references a static function called
vir(Ip|Eb)OnceInit(), which will then be called the first time that
the static function vir(Ip|Eb)TablesInitialize() is called (that
function is defined for you by the macro). This is
thread-safe, so there is no chance of any race.
IMPORTANT NOTE: I've left the VIR_DEBUG messages in these two init
functions (one for iptables, on for ebtables) as VIR_WARN so that I
don't have to turn on all the other debug message just to see
these. Even if this patch doesn't need any other modification, those
messages need to be changed to VIR_DEBUG before pushing.
This one-time initialization works well. However, I've encountered
problems with testing:
1) Whenever I have enabled the firewalld service, *all* attempts to
call firewall-cmd from within libvirtd end with firewall-cmd hanging
internally somewhere. This is *not* the case if firewall-cmd returns
non-0 in response to "firewall-cmd --state" (i.e. *that* command runs
and returns to libvirt successfully.)
2) If I start libvirtd while firewalld is stopped, then start
firewalld later, this triggers libvirtd to reload its iptables rules,
however it also spits out a *ton* of complaints about deletion failing
(I suppose because firewalld has nuked all of libvirt's rules). I
guess we need to suppress those messages (which is a more annoying
problem to fix than you might think, but that's another story).
3) I noticed a few times during this long line of errors that
firewalld made a complaint about "Resource Temporarily
unavailable. Having libvirtd access iptables commands directly at the
same time as firewalld is doing so is apparently problematic.
4) In general, I'm concerned about the "set it once and never change
it" method - if firewalld is disabled at libvirtd startup, causing
libvirtd to always use iptables/ebtables directly, this won't cause
*terrible* problems, but if libvirtd decides to use firewall-cmd and
firewalld is later disabled, libvirtd will not be able to recover.
2012-08-14 20:59:52 +02:00
|
|
|
%endif
|
|
|
|
|
configure: selectively install a firewalld 'libvirt' zone
In the past (when both libvirt and firewalld used iptables), if either
libvirt's rules *OR* firewalld's rules accepted a packet, it would
be accepted. This was because libvirt and firewalld rules were
processed during the same kernel hook, and a single ACCEPT result
would terminate the rule traversal and cause the packet to be
accepted.
But now firewalld can use nftables for its backend, while libvirt's
firewall rules are still using iptables; iptables rules are still
processed, but at a different time during packet processing
(i.e. during a different hook) than the firewalld nftables rules. The
result is that a packet must be accepted by *BOTH* the libvirt
iptables rules *AND* the firewalld nftable rules in order to be
accepted.
This causes pain because
1) libvirt always adds rules to permit DNS and DHCP (and sometimes
TFTP) from guests to the host network's bridge interface. But
libvirt's bridges are in firewalld's "default" zone (which is usually
the zone called "public"). The public zone allows ssh, but doesn't
allow DNS, DHCP, or TFTP. So even though libvirt's rules allow the
DHCP and DNS traffic, the firewalld rules (now processed during a
different hook) dont, thus guests connected to libvirt's bridges can't
acquire an IP address from DHCP, nor can they make DNS queries to the
DNS server libvirt has setup on the host. (This could be solved by
modifying the default firewalld zone to allow DNS and DHCP, but that
would open *all* interfaces in the default zone to those services,
which is most likely not what the host's admin wants.)
2) Even though libvirt adds iptables rules to allow forwarded traffic
to pass the iptables hook, firewalld's higher level "rich rules" don't
yet have the ability to configure the acceptance of forwarded traffic
(traffic that is going somewhere beyond the host), so any traffic that
needs to be forwarded from guests to the network beyond the host is
rejected during the nftables hook by the default zone's "default
reject" policy (which rejects all traffic in the zone not specifically
allowed by the rules in the zone, whether that traffic is destined to
be forwarded or locally received by the host).
libvirt can't send "direct" nftables rules (firewalld only supports
direct/passthrough rules for iptables), so we can't solve this problem
by just sending explicit nftables rules instead of explicit iptables
rules (which, if it could be done, would place libvirt's rules in the
same hook as firewalld's native rules, and thus eliminate the need for
packets to be accepted by both libvirt's and firewalld's own rules).
However, we can take advantage of a quirk in firewalld zones that have
a default policy of "accept" (meaning any packet that doesn't match a
specific rule in the zone will be *accepted*) - this default accept will
also accept forwarded traffic (not just traffic destined for the host).
Of course we don't want to modify firewalld's default zone in that
way, because that would affect the filtering of traffic coming into
the host from other interfaces using that zone. Instead, we will
create a new zone called "libvirt". The libvirt zone will have a
default policy of accept so that forwarded traffic can pass and list
specific services that will be allowed into the host from guests (DNS,
DHCP, SSH, and TFTP).
But the same default accept policy that fixes forwarded traffic also
causes *all* traffic from guest to host to be accepted. To close this
new hole, the libvirt zone can take advantage of a new feature in
firewalld (currently slated for firewalld-0.7.0) - priorities for rich
rules - to add a low priority rule that rejects all local traffic (but
leaves alone all forwarded traffic).
So, our new zone will start with a list of services that are allowed
(dhcp, dns, tftp, and ssh to start, but configurable via any firewalld
management application, or direct editing of the zone file in
/etc/firewalld/zones/libvirt.xml), followed by a low priority
<reject/> rule (to reject all other traffic from guest to host), and
finally with a default policy of accept (to allow forwarded traffic).
This patch only creates the zonefile for the new zone, and implements
a configure.ac option to selectively enable/disable installation of
the new zone. A separate patch contains the necessary code to actually
place bridge interfaces in the libvirt zone.
Why do we need a configure option to disable installation of the new
libvirt zone? It uses a new firewalld attribute that sets the priority
of a rich rule; this feature first appears in firewalld-0.7.0 (unless
it has been backported to am earlier firewalld by a downstream
maintainer). If the file were installed on a system with firewalld
that didn't support rule priorities, firewalld would log an error
every time it restarted, causing confusion and lots of extra bug
reports.
So we add two new configure.ac switches to avoid polluting the system
logs with this error on systems that don't support rule priorities -
"--with-firewalld-zone" and "--without-firewalld-zone". A package
builder can use these to include/exclude the libvirt zone file in the
installation. If firewalld is enabled (--with-firewalld), the default
is --with-firewalld-zone, but it can be disabled during configure
(using --without-firewalld-zone). Targets that are using a firewalld
version too old to support the rule priority setting in the libvirt
zone file can simply add --without-firewalld-zone to their configure
commandline.
These switches only affect whether or not the libvirt zone file is
*installed* in /usr/lib/firewalld/zones, but have no effect on whether
or not libvirt looks for a zone called libvirt and tries to use it.
NB: firewalld zones can only be added to the permanent config of
firewalld, and won't be loaded/enabled until firewalld is restarted,
so at package install/upgrade time we have to restart firewalld. For
rpm-based distros, this is done in the libvirt.spec file by calling
the %firewalld_restart rpm macro, which is a part of the
firewalld-filesystem package. (For distros that don't use rpm
packages, the command "firewalld-cmd --reload" will have the same
effect).
Signed-off-by: Laine Stump <laine@laine.org>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
2019-01-25 23:52:37 -05:00
|
|
|
%if %{with_firewalld_zone}
|
|
|
|
%define arg_firewalld_zone --with-firewalld-zone
|
|
|
|
%else
|
|
|
|
%define arg_firewalld_zone --without-firewalld-zone
|
|
|
|
%endif
|
|
|
|
|
2016-05-04 16:50:55 +01:00
|
|
|
%if %{with_wireshark}
|
|
|
|
%define arg_wireshark --with-wireshark-dissector
|
|
|
|
%else
|
|
|
|
%define arg_wireshark --without-wireshark-dissector
|
2014-02-04 12:37:15 -07:00
|
|
|
%endif
|
|
|
|
|
2018-08-14 14:31:35 +02:00
|
|
|
%if %{with_storage_iscsi_direct}
|
|
|
|
%define arg_storage_iscsi_direct --with-storage-iscsi-direct
|
|
|
|
%else
|
|
|
|
%define arg_storage_iscsi_direct --without-storage-iscsi-direct
|
|
|
|
%endif
|
|
|
|
|
Imprint all logs with version + package build information
The logging functions are enhanced so that immediately prior to
the first log message being printed to any output channel, the
libvirt package version will be printed.
eg
$ LIBVIRT_DEBUG=1 virsh
18:13:28.013: 17536: info : libvirt version: 0.8.7
18:13:28.013: 17536: debug : virInitialize:361 : register drivers
...
The 'configure' script gains two new arguments which can be
used as
--with-packager="Fedora Project, x86-01.phx2.fedoraproject.org, 01-27-2011-18:00:10"
--with-packager-version="1.fc14"
to allow distros to append a custom string with package specific
data.
The RPM specfile is modified so that it appends the RPM version,
the build host, the build date and the packager name.
eg
$ LIBVIRT_DEBUG=1 virsh
18:14:52.086: 17551: info : libvirt version: 0.8.7, package: 1.fc13 (Fedora Project, x86-01.phx2.fedoraproject.org, 01-27-2011-18:00:10)
18:14:52.086: 17551: debug : virInitialize:361 : register drivers
Thus when distro packagers receive bug reports they can clearly
see what version was in use, even if the bug reporter mistakenly
or intentionally lies about version/builds
* src/util/logging.c: Output version data prior to first log message
* libvirt.spec.in: Include RPM release, date, hostname & packager
* configure.ac: Add --with-packager & --with-packager-version args
2011-01-27 18:11:16 +00:00
|
|
|
%define when %(date +"%%F-%%T")
|
|
|
|
%define where %(hostname)
|
|
|
|
%define who %{?packager}%{!?packager:Unknown}
|
2016-05-04 16:50:55 +01:00
|
|
|
%define arg_packager --with-packager="%{who}, %{when}, %{where}"
|
|
|
|
%define arg_packager_version --with-packager-version="%{release}"
|
Imprint all logs with version + package build information
The logging functions are enhanced so that immediately prior to
the first log message being printed to any output channel, the
libvirt package version will be printed.
eg
$ LIBVIRT_DEBUG=1 virsh
18:13:28.013: 17536: info : libvirt version: 0.8.7
18:13:28.013: 17536: debug : virInitialize:361 : register drivers
...
The 'configure' script gains two new arguments which can be
used as
--with-packager="Fedora Project, x86-01.phx2.fedoraproject.org, 01-27-2011-18:00:10"
--with-packager-version="1.fc14"
to allow distros to append a custom string with package specific
data.
The RPM specfile is modified so that it appends the RPM version,
the build host, the build date and the packager name.
eg
$ LIBVIRT_DEBUG=1 virsh
18:14:52.086: 17551: info : libvirt version: 0.8.7, package: 1.fc13 (Fedora Project, x86-01.phx2.fedoraproject.org, 01-27-2011-18:00:10)
18:14:52.086: 17551: debug : virInitialize:361 : register drivers
Thus when distro packagers receive bug reports they can clearly
see what version was in use, even if the bug reporter mistakenly
or intentionally lies about version/builds
* src/util/logging.c: Output version data prior to first log message
* libvirt.spec.in: Include RPM release, date, hostname & packager
* configure.ac: Add --with-packager & --with-packager-version args
2011-01-27 18:11:16 +00:00
|
|
|
|
2018-07-20 11:50:01 +01:00
|
|
|
%define arg_selinux_mount --with-selinux-mount="/sys/fs/selinux"
|
2012-09-06 15:22:27 +01:00
|
|
|
|
2016-05-20 15:50:16 -04:00
|
|
|
%if 0%{?fedora}
|
2018-08-15 17:25:08 -04:00
|
|
|
# Nightly edk2.git-ovmf-x64
|
2016-05-20 15:50:16 -04:00
|
|
|
LOADERS="/usr/share/edk2.git/ovmf-x64/OVMF_CODE-pure-efi.fd:/usr/share/edk2.git/ovmf-x64/OVMF_VARS-pure-efi.fd"
|
2018-08-15 17:27:02 -04:00
|
|
|
# Nightly edk2.git-ovmf-ia32
|
|
|
|
LOADERS="$LOADERS:/usr/share/edk2.git/ovmf-ia32/OVMF_CODE-pure-efi.fd:/usr/share/edk2.git/ovmf-ia32/OVMF_VARS-pure-efi.fd"
|
2018-08-15 17:25:08 -04:00
|
|
|
# Nightly edk2.git-aarch64
|
2016-05-20 15:50:16 -04:00
|
|
|
LOADERS="$LOADERS:/usr/share/edk2.git/aarch64/QEMU_EFI-pflash.raw:/usr/share/edk2.git/aarch64/vars-template-pflash.raw"
|
2018-08-15 17:27:02 -04:00
|
|
|
# Nightly edk2.git-arm
|
|
|
|
LOADERS="$LOADERS:/usr/share/edk2.git/arm/QEMU_EFI-pflash.raw:/usr/share/edk2.git/arm/vars-template-pflash.raw"
|
|
|
|
|
2018-08-15 17:25:08 -04:00
|
|
|
# Fedora edk2-ovmf
|
2016-05-20 15:50:16 -04:00
|
|
|
LOADERS="$LOADERS:/usr/share/edk2/ovmf/OVMF_CODE.fd:/usr/share/edk2/ovmf/OVMF_VARS.fd"
|
2018-08-15 17:27:02 -04:00
|
|
|
# Fedora edk2-ovmf-ia32
|
|
|
|
LOADERS="$LOADERS:/usr/share/edk2/ovmf-ia32/OVMF_CODE.fd:/usr/share/edk2/ovmf-ia32/OVMF_VARS.fd"
|
2018-08-15 17:25:08 -04:00
|
|
|
# Fedora edk2-aarch64
|
2016-05-20 15:50:16 -04:00
|
|
|
LOADERS="$LOADERS:/usr/share/edk2/aarch64/QEMU_EFI-pflash.raw:/usr/share/edk2/aarch64/vars-template-pflash.raw"
|
2018-08-15 17:27:02 -04:00
|
|
|
# Fedora edk2-arm
|
|
|
|
LOADERS="$LOADERS:/usr/share/edk2/arm/QEMU_EFI-pflash.raw:/usr/share/edk2/arm/vars-template-pflash.raw"
|
2016-05-20 15:50:16 -04:00
|
|
|
%define arg_loader_nvram --with-loader-nvram="$LOADERS"
|
|
|
|
%endif
|
|
|
|
|
2013-07-30 16:04:48 +02:00
|
|
|
# place macros above and build commands below this comment
|
|
|
|
|
2017-11-29 11:08:40 +01:00
|
|
|
export SOURCE_DATE_EPOCH=$(stat --printf='%Y' %{_specdir}/%{name}.spec)
|
|
|
|
|
2013-07-30 16:04:48 +02:00
|
|
|
%if 0%{?enable_autotools}
|
|
|
|
autoreconf -if
|
|
|
|
%endif
|
|
|
|
|
2014-03-06 11:52:25 +01:00
|
|
|
rm -f po/stamp-po
|
2018-03-28 17:57:10 -06:00
|
|
|
%configure %{?arg_qemu} \
|
2016-05-04 16:50:55 +01:00
|
|
|
%{?arg_openvz} \
|
|
|
|
%{?arg_lxc} \
|
|
|
|
%{?arg_vbox} \
|
|
|
|
%{?arg_libxl} \
|
2016-05-04 16:29:49 +01:00
|
|
|
--with-sasl \
|
2016-05-04 16:21:42 +01:00
|
|
|
--with-avahi \
|
2016-05-04 16:31:38 +01:00
|
|
|
--with-polkit \
|
2016-05-04 16:20:58 +01:00
|
|
|
--with-libvirtd \
|
2016-05-04 16:50:55 +01:00
|
|
|
%{?arg_phyp} \
|
|
|
|
%{?arg_esx} \
|
|
|
|
%{?arg_hyperv} \
|
|
|
|
%{?arg_vmware} \
|
2016-05-04 15:11:01 +01:00
|
|
|
--without-xenapi \
|
|
|
|
--without-vz \
|
2014-02-25 09:51:40 -07:00
|
|
|
--without-bhyve \
|
2016-05-04 16:34:37 +01:00
|
|
|
--with-interface \
|
2016-05-04 16:36:17 +01:00
|
|
|
--with-network \
|
2016-05-04 16:40:08 +01:00
|
|
|
--with-storage-fs \
|
|
|
|
--with-storage-lvm \
|
|
|
|
--with-storage-iscsi \
|
2018-08-14 14:31:35 +02:00
|
|
|
%{?arg_storage_iscsi_direct} \
|
2017-02-21 10:16:04 +01:00
|
|
|
--with-storage-scsi \
|
2016-05-04 16:40:08 +01:00
|
|
|
--with-storage-disk \
|
|
|
|
--with-storage-mpath \
|
2016-05-04 16:50:55 +01:00
|
|
|
%{?arg_storage_rbd} \
|
|
|
|
%{?arg_storage_sheepdog} \
|
|
|
|
%{?arg_storage_gluster} \
|
2017-07-17 11:32:46 -04:00
|
|
|
%{?arg_storage_zfs} \
|
2017-02-21 10:16:04 +01:00
|
|
|
--without-storage-vstorage \
|
2016-05-04 16:50:55 +01:00
|
|
|
%{?arg_numactl} \
|
|
|
|
%{?arg_numad} \
|
2016-05-04 16:24:39 +01:00
|
|
|
--with-capng \
|
2016-05-04 16:50:55 +01:00
|
|
|
%{?arg_fuse} \
|
2016-05-04 16:26:30 +01:00
|
|
|
--with-netcf \
|
2016-05-04 16:33:14 +01:00
|
|
|
--with-selinux \
|
2016-05-04 16:50:55 +01:00
|
|
|
%{?arg_selinux_mount} \
|
2016-05-04 16:24:02 +01:00
|
|
|
--without-apparmor \
|
2016-05-04 16:22:18 +01:00
|
|
|
--without-hal \
|
2016-05-04 16:25:37 +01:00
|
|
|
--with-udev \
|
2018-08-13 13:40:18 +02:00
|
|
|
--with-yajl \
|
2016-05-04 16:50:55 +01:00
|
|
|
%{?arg_sanlock} \
|
2016-05-04 16:43:44 +01:00
|
|
|
--with-libpcap \
|
2016-05-04 16:44:27 +01:00
|
|
|
--with-macvtap \
|
2016-05-04 16:26:58 +01:00
|
|
|
--with-audit \
|
2016-05-04 16:27:46 +01:00
|
|
|
--with-dtrace \
|
2016-05-04 16:14:10 +01:00
|
|
|
--with-driver-modules \
|
2016-05-04 16:50:55 +01:00
|
|
|
%{?arg_firewalld} \
|
configure: selectively install a firewalld 'libvirt' zone
In the past (when both libvirt and firewalld used iptables), if either
libvirt's rules *OR* firewalld's rules accepted a packet, it would
be accepted. This was because libvirt and firewalld rules were
processed during the same kernel hook, and a single ACCEPT result
would terminate the rule traversal and cause the packet to be
accepted.
But now firewalld can use nftables for its backend, while libvirt's
firewall rules are still using iptables; iptables rules are still
processed, but at a different time during packet processing
(i.e. during a different hook) than the firewalld nftables rules. The
result is that a packet must be accepted by *BOTH* the libvirt
iptables rules *AND* the firewalld nftable rules in order to be
accepted.
This causes pain because
1) libvirt always adds rules to permit DNS and DHCP (and sometimes
TFTP) from guests to the host network's bridge interface. But
libvirt's bridges are in firewalld's "default" zone (which is usually
the zone called "public"). The public zone allows ssh, but doesn't
allow DNS, DHCP, or TFTP. So even though libvirt's rules allow the
DHCP and DNS traffic, the firewalld rules (now processed during a
different hook) dont, thus guests connected to libvirt's bridges can't
acquire an IP address from DHCP, nor can they make DNS queries to the
DNS server libvirt has setup on the host. (This could be solved by
modifying the default firewalld zone to allow DNS and DHCP, but that
would open *all* interfaces in the default zone to those services,
which is most likely not what the host's admin wants.)
2) Even though libvirt adds iptables rules to allow forwarded traffic
to pass the iptables hook, firewalld's higher level "rich rules" don't
yet have the ability to configure the acceptance of forwarded traffic
(traffic that is going somewhere beyond the host), so any traffic that
needs to be forwarded from guests to the network beyond the host is
rejected during the nftables hook by the default zone's "default
reject" policy (which rejects all traffic in the zone not specifically
allowed by the rules in the zone, whether that traffic is destined to
be forwarded or locally received by the host).
libvirt can't send "direct" nftables rules (firewalld only supports
direct/passthrough rules for iptables), so we can't solve this problem
by just sending explicit nftables rules instead of explicit iptables
rules (which, if it could be done, would place libvirt's rules in the
same hook as firewalld's native rules, and thus eliminate the need for
packets to be accepted by both libvirt's and firewalld's own rules).
However, we can take advantage of a quirk in firewalld zones that have
a default policy of "accept" (meaning any packet that doesn't match a
specific rule in the zone will be *accepted*) - this default accept will
also accept forwarded traffic (not just traffic destined for the host).
Of course we don't want to modify firewalld's default zone in that
way, because that would affect the filtering of traffic coming into
the host from other interfaces using that zone. Instead, we will
create a new zone called "libvirt". The libvirt zone will have a
default policy of accept so that forwarded traffic can pass and list
specific services that will be allowed into the host from guests (DNS,
DHCP, SSH, and TFTP).
But the same default accept policy that fixes forwarded traffic also
causes *all* traffic from guest to host to be accepted. To close this
new hole, the libvirt zone can take advantage of a new feature in
firewalld (currently slated for firewalld-0.7.0) - priorities for rich
rules - to add a low priority rule that rejects all local traffic (but
leaves alone all forwarded traffic).
So, our new zone will start with a list of services that are allowed
(dhcp, dns, tftp, and ssh to start, but configurable via any firewalld
management application, or direct editing of the zone file in
/etc/firewalld/zones/libvirt.xml), followed by a low priority
<reject/> rule (to reject all other traffic from guest to host), and
finally with a default policy of accept (to allow forwarded traffic).
This patch only creates the zonefile for the new zone, and implements
a configure.ac option to selectively enable/disable installation of
the new zone. A separate patch contains the necessary code to actually
place bridge interfaces in the libvirt zone.
Why do we need a configure option to disable installation of the new
libvirt zone? It uses a new firewalld attribute that sets the priority
of a rich rule; this feature first appears in firewalld-0.7.0 (unless
it has been backported to am earlier firewalld by a downstream
maintainer). If the file were installed on a system with firewalld
that didn't support rule priorities, firewalld would log an error
every time it restarted, causing confusion and lots of extra bug
reports.
So we add two new configure.ac switches to avoid polluting the system
logs with this error on systems that don't support rule priorities -
"--with-firewalld-zone" and "--without-firewalld-zone". A package
builder can use these to include/exclude the libvirt zone file in the
installation. If firewalld is enabled (--with-firewalld), the default
is --with-firewalld-zone, but it can be disabled during configure
(using --without-firewalld-zone). Targets that are using a firewalld
version too old to support the rule priority setting in the libvirt
zone file can simply add --without-firewalld-zone to their configure
commandline.
These switches only affect whether or not the libvirt zone file is
*installed* in /usr/lib/firewalld/zones, but have no effect on whether
or not libvirt looks for a zone called libvirt and tries to use it.
NB: firewalld zones can only be added to the permanent config of
firewalld, and won't be loaded/enabled until firewalld is restarted,
so at package install/upgrade time we have to restart firewalld. For
rpm-based distros, this is done in the libvirt.spec file by calling
the %firewalld_restart rpm macro, which is a part of the
firewalld-filesystem package. (For distros that don't use rpm
packages, the command "firewalld-cmd --reload" will have the same
effect).
Signed-off-by: Laine Stump <laine@laine.org>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
2019-01-25 23:52:37 -05:00
|
|
|
%{?arg_firewalld_zone} \
|
2016-05-04 16:50:55 +01:00
|
|
|
%{?arg_wireshark} \
|
2018-07-20 11:54:37 +01:00
|
|
|
--without-pm-utils \
|
2016-05-04 16:46:16 +01:00
|
|
|
--with-nss-plugin \
|
2016-05-04 16:50:55 +01:00
|
|
|
%{arg_packager} \
|
|
|
|
%{arg_packager_version} \
|
2009-07-15 22:25:01 +01:00
|
|
|
--with-qemu-user=%{qemu_user} \
|
|
|
|
--with-qemu-group=%{qemu_group} \
|
2016-06-06 16:02:22 +01:00
|
|
|
--with-tls-priority=%{tls_priority} \
|
2016-05-04 16:50:55 +01:00
|
|
|
%{?arg_loader_nvram} \
|
2013-07-30 16:01:11 +02:00
|
|
|
%{?enable_werror} \
|
build: add configure option to disable gnulib tests
The gnulib testsuite is relatively stable - the only times it is
likely to have a test change from pass to fail is on a gnulib
submodule update or a major system change (such as moving from
Fedora 18 to 19, or other large change to libc). While it is an
important test for end users on arbitrary machines (to make sure
that the portability glue works for their machine), it mostly
wastes time for development testing (as most developers aren't
making any of the major changes that would cause gnulib tests
to alter behavior). Thus, it pays to make the tests optional
at configure time, defaulting to off for development, on for
tarballs, with autobuilders requesting it to be on. It also
helps to allow a make-time override, via VIR_TEST_EXPENSIVE=[01]
(much the way automake sets up V=[01] for overriding the configure
time default of how verbose to be).
Automake has some pretty hard-coded magic with regards to the
TESTS variable; I had quite a job figuring out how to keep
'make distcheck' passing regardless of the configure option
setting in use, while still disabling the tests at runtime
when I did not configure them on and did not use the override
variable. Thankfully, we require GNU make, which lets me
hide some information from Automake's magic handling of TESTS.
* bootstrap.conf (bootstrap_epilogue): Munge gnulib test variable.
* configure.ac (--enable-expensive-tests): Add new enable switch.
(VIR_TEST_EXPENSIVE_DEFAULT, WITH_EXPENSIVE_TESTS): Set new
witnesses.
* gnulib/tests/Makefile.am (TESTS): Make tests conditional on
configure settings and the VIR_TEST_EXPENSIVE variable.
* tests/Makefile.am (TESTS_ENVIRONMENT): Expose VIR_TEST_EXPENSIVE
to all tests.
* autobuild.sh: Enable all tests during autobuilds.
* libvirt.spec.in (%configure): Likewise.
* mingw-libvirt.spec.in (%mingw_configure): Likewise.
* docs/hacking.html.in: Document the option.
* HACKING: Regenerate.
Signed-off-by: Eric Blake <eblake@redhat.com>
2013-07-31 07:18:58 -06:00
|
|
|
--enable-expensive-tests \
|
2018-07-20 11:54:37 +01:00
|
|
|
--with-init-script=systemd \
|
2018-02-14 14:49:28 +01:00
|
|
|
%{?arg_login_shell}
|
2017-11-29 11:08:15 +01:00
|
|
|
make %{?_smp_mflags} V=1
|
2009-07-21 11:16:15 +02:00
|
|
|
gzip -9 ChangeLog
|
2005-11-02 15:37:34 +00:00
|
|
|
|
|
|
|
%install
|
|
|
|
rm -fr %{buildroot}
|
|
|
|
|
2017-11-29 11:08:40 +01:00
|
|
|
export SOURCE_DATE_EPOCH=$(stat --printf='%Y' %{_specdir}/%{name}.spec)
|
|
|
|
|
2018-07-31 11:31:34 -04:00
|
|
|
%make_install %{?_smp_mflags} SYSTEMD_UNIT_DIR=%{_unitdir} V=1
|
2013-01-31 15:31:37 +01:00
|
|
|
|
2005-11-02 15:37:34 +00:00
|
|
|
rm -f $RPM_BUILD_ROOT%{_libdir}/*.la
|
2005-12-16 13:27:23 +00:00
|
|
|
rm -f $RPM_BUILD_ROOT%{_libdir}/*.a
|
2011-01-18 18:37:45 +00:00
|
|
|
rm -f $RPM_BUILD_ROOT%{_libdir}/libvirt/lock-driver/*.la
|
|
|
|
rm -f $RPM_BUILD_ROOT%{_libdir}/libvirt/lock-driver/*.a
|
2012-04-02 20:53:43 +01:00
|
|
|
rm -f $RPM_BUILD_ROOT%{_libdir}/libvirt/connection-driver/*.la
|
|
|
|
rm -f $RPM_BUILD_ROOT%{_libdir}/libvirt/connection-driver/*.a
|
2017-02-07 19:40:29 +01:00
|
|
|
rm -f $RPM_BUILD_ROOT%{_libdir}/libvirt/storage-backend/*.la
|
|
|
|
rm -f $RPM_BUILD_ROOT%{_libdir}/libvirt/storage-backend/*.a
|
2018-04-25 14:37:07 +01:00
|
|
|
rm -f $RPM_BUILD_ROOT%{_libdir}/libvirt/storage-file/*.la
|
|
|
|
rm -f $RPM_BUILD_ROOT%{_libdir}/libvirt/storage-file/*.a
|
2014-02-04 12:37:15 -07:00
|
|
|
%if %{with_wireshark}
|
2018-05-03 12:17:31 +01:00
|
|
|
rm -f $RPM_BUILD_ROOT%{wireshark_plugindir}/libvirt.la
|
2014-02-04 12:37:15 -07:00
|
|
|
%endif
|
2007-03-15 17:51:11 +00:00
|
|
|
|
2010-04-28 15:38:47 +02:00
|
|
|
install -d -m 0755 $RPM_BUILD_ROOT%{_datadir}/lib/libvirt/dnsmasq/
|
2007-03-15 17:51:11 +00:00
|
|
|
# We don't want to install /etc/libvirt/qemu/networks in the main %files list
|
|
|
|
# because if the admin wants to delete the default network completely, we don't
|
|
|
|
# want to end up re-incarnating it on every RPM upgrade.
|
|
|
|
install -d -m 0755 $RPM_BUILD_ROOT%{_datadir}/libvirt/networks/
|
|
|
|
cp $RPM_BUILD_ROOT%{_sysconfdir}/libvirt/qemu/networks/default.xml \
|
|
|
|
$RPM_BUILD_ROOT%{_datadir}/libvirt/networks/default.xml
|
2019-05-27 12:56:04 +02:00
|
|
|
# libvirt saves this file with mode 0600
|
|
|
|
chmod 0600 $RPM_BUILD_ROOT%{_sysconfdir}/libvirt/qemu/networks/default.xml
|
2017-04-12 21:36:01 +02:00
|
|
|
|
|
|
|
# nwfilter files are installed in /usr/share/libvirt and copied to /etc in %post
|
|
|
|
# to avoid verification errors on changed files in /etc
|
|
|
|
install -d -m 0755 $RPM_BUILD_ROOT%{_datadir}/libvirt/nwfilter/
|
|
|
|
cp -a $RPM_BUILD_ROOT%{_sysconfdir}/libvirt/nwfilter/*.xml \
|
|
|
|
$RPM_BUILD_ROOT%{_datadir}/libvirt/nwfilter/
|
2018-05-29 22:30:33 +02:00
|
|
|
# libvirt saves these files with mode 600
|
|
|
|
chmod 600 $RPM_BUILD_ROOT%{_sysconfdir}/libvirt/nwfilter/*.xml
|
2017-04-12 21:36:01 +02:00
|
|
|
|
2007-03-12 16:32:43 +00:00
|
|
|
# Strip auto-generated UUID - we need it generated per-install
|
2007-03-15 17:51:11 +00:00
|
|
|
sed -i -e "/<uuid>/d" $RPM_BUILD_ROOT%{_datadir}/libvirt/networks/default.xml
|
2009-09-16 16:02:38 +01:00
|
|
|
%if ! %{with_qemu}
|
2008-11-26 14:46:49 +00:00
|
|
|
rm -f $RPM_BUILD_ROOT%{_datadir}/augeas/lenses/libvirtd_qemu.aug
|
|
|
|
rm -f $RPM_BUILD_ROOT%{_datadir}/augeas/lenses/tests/test_libvirtd_qemu.aug
|
2008-09-17 14:09:13 +00:00
|
|
|
%endif
|
2006-09-21 15:24:37 +00:00
|
|
|
%find_lang %{name}
|
2005-11-02 15:37:34 +00:00
|
|
|
|
2012-05-30 17:15:22 +02:00
|
|
|
%if ! %{with_sanlock}
|
|
|
|
rm -f $RPM_BUILD_ROOT%{_datadir}/augeas/lenses/libvirt_sanlock.aug
|
|
|
|
rm -f $RPM_BUILD_ROOT%{_datadir}/augeas/lenses/tests/test_libvirt_sanlock.aug
|
|
|
|
%endif
|
|
|
|
|
2009-10-08 18:06:40 +02:00
|
|
|
%if ! %{with_lxc}
|
|
|
|
rm -f $RPM_BUILD_ROOT%{_datadir}/augeas/lenses/libvirtd_lxc.aug
|
|
|
|
rm -f $RPM_BUILD_ROOT%{_datadir}/augeas/lenses/tests/test_libvirtd_lxc.aug
|
2009-10-13 16:18:45 +02:00
|
|
|
%endif
|
2009-10-08 18:06:40 +02:00
|
|
|
|
2008-09-17 14:09:13 +00:00
|
|
|
%if ! %{with_qemu}
|
|
|
|
rm -rf $RPM_BUILD_ROOT%{_sysconfdir}/libvirt/qemu.conf
|
2010-03-18 13:50:08 +01:00
|
|
|
rm -rf $RPM_BUILD_ROOT%{_sysconfdir}/logrotate.d/libvirtd.qemu
|
2008-09-17 14:09:13 +00:00
|
|
|
%endif
|
2009-10-08 17:40:14 +02:00
|
|
|
%if ! %{with_lxc}
|
|
|
|
rm -rf $RPM_BUILD_ROOT%{_sysconfdir}/libvirt/lxc.conf
|
2010-04-13 10:40:21 +02:00
|
|
|
rm -rf $RPM_BUILD_ROOT%{_sysconfdir}/logrotate.d/libvirtd.lxc
|
2010-03-18 13:50:08 +01:00
|
|
|
%endif
|
2013-09-09 09:15:15 -06:00
|
|
|
%if ! %{with_libxl}
|
|
|
|
rm -rf $RPM_BUILD_ROOT%{_sysconfdir}/libvirt/libxl.conf
|
2015-04-30 15:16:49 -06:00
|
|
|
rm -rf $RPM_BUILD_ROOT%{_sysconfdir}/logrotate.d/libvirtd.libxl
|
2013-09-09 09:15:15 -06:00
|
|
|
rm -f $RPM_BUILD_ROOT%{_datadir}/augeas/lenses/libvirtd_libxl.aug
|
|
|
|
rm -f $RPM_BUILD_ROOT%{_datadir}/augeas/lenses/tests/test_libvirtd_libxl.aug
|
|
|
|
%endif
|
2008-09-17 14:09:13 +00:00
|
|
|
|
2013-11-20 12:58:24 +00:00
|
|
|
# Copied into libvirt-docs subpackage eventually
|
2019-05-10 16:22:11 +02:00
|
|
|
mv $RPM_BUILD_ROOT%{_datadir}/doc/libvirt libvirt-docs
|
2012-04-03 10:52:12 +01:00
|
|
|
|
2016-05-04 16:27:46 +01:00
|
|
|
%ifarch %{power64} s390x x86_64 ia64 alpha sparc64
|
2012-10-20 22:46:58 -04:00
|
|
|
mv $RPM_BUILD_ROOT%{_datadir}/systemtap/tapset/libvirt_probes.stp \
|
|
|
|
$RPM_BUILD_ROOT%{_datadir}/systemtap/tapset/libvirt_probes-64.stp
|
2018-05-18 17:15:16 +02:00
|
|
|
|
|
|
|
%if %{with_qemu}
|
2012-10-20 22:46:58 -04:00
|
|
|
mv $RPM_BUILD_ROOT%{_datadir}/systemtap/tapset/libvirt_qemu_probes.stp \
|
|
|
|
$RPM_BUILD_ROOT%{_datadir}/systemtap/tapset/libvirt_qemu_probes-64.stp
|
2018-05-18 17:15:16 +02:00
|
|
|
%endif
|
2012-10-20 22:46:58 -04:00
|
|
|
%endif
|
|
|
|
|
2010-04-12 19:39:00 +01:00
|
|
|
%check
|
|
|
|
cd tests
|
2012-08-01 16:10:36 +08:00
|
|
|
# These tests don't current work in a mock build root
|
|
|
|
for i in nodeinfotest seclabeltest
|
2010-04-12 19:39:00 +01:00
|
|
|
do
|
|
|
|
rm -f $i
|
2012-08-01 13:09:57 +02:00
|
|
|
printf 'int main(void) { return 0; }' > $i.c
|
2012-08-01 16:10:36 +08:00
|
|
|
printf '#!/bin/sh\nexit 0\n' > $i
|
2010-04-12 19:39:00 +01:00
|
|
|
chmod +x $i
|
|
|
|
done
|
2016-11-03 20:34:53 +08:00
|
|
|
if ! make %{?_smp_mflags} check VIR_TEST_DEBUG=1
|
2013-07-29 17:36:20 +02:00
|
|
|
then
|
|
|
|
cat test-suite.log || true
|
|
|
|
exit 1
|
|
|
|
fi
|
2010-04-12 19:39:00 +01:00
|
|
|
|
2019-03-25 10:51:05 +01:00
|
|
|
%post libs
|
|
|
|
%if 0%{?rhel} == 7
|
|
|
|
/sbin/ldconfig
|
|
|
|
%endif
|
|
|
|
|
|
|
|
%postun libs
|
|
|
|
%if 0%{?rhel} == 7
|
|
|
|
/sbin/ldconfig
|
|
|
|
%endif
|
|
|
|
|
2015-04-28 17:38:00 -04:00
|
|
|
%pre daemon
|
|
|
|
# 'libvirt' group is just to allow password-less polkit access to
|
|
|
|
# libvirtd. The uid number is irrelevant, so we use dynamic allocation
|
|
|
|
# described at the above link.
|
|
|
|
getent group libvirt >/dev/null || groupadd -r libvirt
|
|
|
|
|
|
|
|
exit 0
|
|
|
|
|
2012-04-03 11:44:59 +01:00
|
|
|
%post daemon
|
2007-03-15 17:51:11 +00:00
|
|
|
|
2018-07-20 11:54:37 +01:00
|
|
|
%systemd_post virtlockd.socket virtlockd-admin.socket
|
|
|
|
%systemd_post virtlogd.socket virtlogd-admin.socket
|
|
|
|
%systemd_post libvirtd.service
|
2007-03-15 17:51:11 +00:00
|
|
|
|
2017-10-23 13:06:44 +02:00
|
|
|
# request daemon restart in posttrans
|
|
|
|
mkdir -p %{_localstatedir}/lib/rpm-state/libvirt || :
|
|
|
|
touch %{_localstatedir}/lib/rpm-state/libvirt/restart || :
|
|
|
|
|
2012-04-03 11:44:59 +01:00
|
|
|
%preun daemon
|
2018-07-20 11:54:37 +01:00
|
|
|
%systemd_preun libvirtd.service
|
|
|
|
%systemd_preun virtlogd.socket virtlogd-admin.socket virtlogd.service
|
|
|
|
%systemd_preun virtlockd.socket virtlockd-admin.socket virtlockd.service
|
2011-07-07 14:45:07 +01:00
|
|
|
|
2012-04-03 11:44:59 +01:00
|
|
|
%postun daemon
|
2011-07-07 14:45:07 +01:00
|
|
|
/bin/systemctl daemon-reload >/dev/null 2>&1 || :
|
|
|
|
if [ $1 -ge 1 ] ; then
|
2013-12-09 17:23:30 +11:00
|
|
|
/bin/systemctl reload-or-try-restart virtlockd.service >/dev/null 2>&1 || :
|
2015-02-09 16:35:05 +00:00
|
|
|
/bin/systemctl reload-or-try-restart virtlogd.service >/dev/null 2>&1 || :
|
2011-07-07 14:45:07 +01:00
|
|
|
fi
|
2013-12-09 17:23:30 +11:00
|
|
|
|
2015-12-07 12:48:04 +00:00
|
|
|
# In upgrade scenario we must explicitly enable virtlockd/virtlogd
|
|
|
|
# sockets, if libvirtd is already enabled and start them if
|
|
|
|
# libvirtd is running, otherwise you'll get failures to start
|
|
|
|
# guests
|
|
|
|
%triggerpostun daemon -- libvirt-daemon < 1.3.0
|
|
|
|
if [ $1 -ge 1 ] ; then
|
2018-02-14 12:09:32 +01:00
|
|
|
/bin/systemctl is-enabled libvirtd.service 1>/dev/null 2>&1 &&
|
|
|
|
/bin/systemctl enable virtlogd.socket virtlogd-admin.socket || :
|
|
|
|
/bin/systemctl is-active libvirtd.service 1>/dev/null 2>&1 &&
|
|
|
|
/bin/systemctl start virtlogd.socket virtlogd-admin.socket || :
|
2015-12-07 12:48:04 +00:00
|
|
|
fi
|
|
|
|
|
2017-10-23 13:06:44 +02:00
|
|
|
%posttrans daemon
|
|
|
|
if [ -f %{_localstatedir}/lib/rpm-state/libvirt/restart ]; then
|
|
|
|
/bin/systemctl try-restart libvirtd.service >/dev/null 2>&1 || :
|
|
|
|
fi
|
|
|
|
rm -rf %{_localstatedir}/lib/rpm-state/libvirt || :
|
|
|
|
|
configure: selectively install a firewalld 'libvirt' zone
In the past (when both libvirt and firewalld used iptables), if either
libvirt's rules *OR* firewalld's rules accepted a packet, it would
be accepted. This was because libvirt and firewalld rules were
processed during the same kernel hook, and a single ACCEPT result
would terminate the rule traversal and cause the packet to be
accepted.
But now firewalld can use nftables for its backend, while libvirt's
firewall rules are still using iptables; iptables rules are still
processed, but at a different time during packet processing
(i.e. during a different hook) than the firewalld nftables rules. The
result is that a packet must be accepted by *BOTH* the libvirt
iptables rules *AND* the firewalld nftable rules in order to be
accepted.
This causes pain because
1) libvirt always adds rules to permit DNS and DHCP (and sometimes
TFTP) from guests to the host network's bridge interface. But
libvirt's bridges are in firewalld's "default" zone (which is usually
the zone called "public"). The public zone allows ssh, but doesn't
allow DNS, DHCP, or TFTP. So even though libvirt's rules allow the
DHCP and DNS traffic, the firewalld rules (now processed during a
different hook) dont, thus guests connected to libvirt's bridges can't
acquire an IP address from DHCP, nor can they make DNS queries to the
DNS server libvirt has setup on the host. (This could be solved by
modifying the default firewalld zone to allow DNS and DHCP, but that
would open *all* interfaces in the default zone to those services,
which is most likely not what the host's admin wants.)
2) Even though libvirt adds iptables rules to allow forwarded traffic
to pass the iptables hook, firewalld's higher level "rich rules" don't
yet have the ability to configure the acceptance of forwarded traffic
(traffic that is going somewhere beyond the host), so any traffic that
needs to be forwarded from guests to the network beyond the host is
rejected during the nftables hook by the default zone's "default
reject" policy (which rejects all traffic in the zone not specifically
allowed by the rules in the zone, whether that traffic is destined to
be forwarded or locally received by the host).
libvirt can't send "direct" nftables rules (firewalld only supports
direct/passthrough rules for iptables), so we can't solve this problem
by just sending explicit nftables rules instead of explicit iptables
rules (which, if it could be done, would place libvirt's rules in the
same hook as firewalld's native rules, and thus eliminate the need for
packets to be accepted by both libvirt's and firewalld's own rules).
However, we can take advantage of a quirk in firewalld zones that have
a default policy of "accept" (meaning any packet that doesn't match a
specific rule in the zone will be *accepted*) - this default accept will
also accept forwarded traffic (not just traffic destined for the host).
Of course we don't want to modify firewalld's default zone in that
way, because that would affect the filtering of traffic coming into
the host from other interfaces using that zone. Instead, we will
create a new zone called "libvirt". The libvirt zone will have a
default policy of accept so that forwarded traffic can pass and list
specific services that will be allowed into the host from guests (DNS,
DHCP, SSH, and TFTP).
But the same default accept policy that fixes forwarded traffic also
causes *all* traffic from guest to host to be accepted. To close this
new hole, the libvirt zone can take advantage of a new feature in
firewalld (currently slated for firewalld-0.7.0) - priorities for rich
rules - to add a low priority rule that rejects all local traffic (but
leaves alone all forwarded traffic).
So, our new zone will start with a list of services that are allowed
(dhcp, dns, tftp, and ssh to start, but configurable via any firewalld
management application, or direct editing of the zone file in
/etc/firewalld/zones/libvirt.xml), followed by a low priority
<reject/> rule (to reject all other traffic from guest to host), and
finally with a default policy of accept (to allow forwarded traffic).
This patch only creates the zonefile for the new zone, and implements
a configure.ac option to selectively enable/disable installation of
the new zone. A separate patch contains the necessary code to actually
place bridge interfaces in the libvirt zone.
Why do we need a configure option to disable installation of the new
libvirt zone? It uses a new firewalld attribute that sets the priority
of a rich rule; this feature first appears in firewalld-0.7.0 (unless
it has been backported to am earlier firewalld by a downstream
maintainer). If the file were installed on a system with firewalld
that didn't support rule priorities, firewalld would log an error
every time it restarted, causing confusion and lots of extra bug
reports.
So we add two new configure.ac switches to avoid polluting the system
logs with this error on systems that don't support rule priorities -
"--with-firewalld-zone" and "--without-firewalld-zone". A package
builder can use these to include/exclude the libvirt zone file in the
installation. If firewalld is enabled (--with-firewalld), the default
is --with-firewalld-zone, but it can be disabled during configure
(using --without-firewalld-zone). Targets that are using a firewalld
version too old to support the rule priority setting in the libvirt
zone file can simply add --without-firewalld-zone to their configure
commandline.
These switches only affect whether or not the libvirt zone file is
*installed* in /usr/lib/firewalld/zones, but have no effect on whether
or not libvirt looks for a zone called libvirt and tries to use it.
NB: firewalld zones can only be added to the permanent config of
firewalld, and won't be loaded/enabled until firewalld is restarted,
so at package install/upgrade time we have to restart firewalld. For
rpm-based distros, this is done in the libvirt.spec file by calling
the %firewalld_restart rpm macro, which is a part of the
firewalld-filesystem package. (For distros that don't use rpm
packages, the command "firewalld-cmd --reload" will have the same
effect).
Signed-off-by: Laine Stump <laine@laine.org>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
2019-01-25 23:52:37 -05:00
|
|
|
%post daemon-driver-network
|
2019-04-30 10:39:31 -04:00
|
|
|
%if %{with_firewalld_zone}
|
configure: selectively install a firewalld 'libvirt' zone
In the past (when both libvirt and firewalld used iptables), if either
libvirt's rules *OR* firewalld's rules accepted a packet, it would
be accepted. This was because libvirt and firewalld rules were
processed during the same kernel hook, and a single ACCEPT result
would terminate the rule traversal and cause the packet to be
accepted.
But now firewalld can use nftables for its backend, while libvirt's
firewall rules are still using iptables; iptables rules are still
processed, but at a different time during packet processing
(i.e. during a different hook) than the firewalld nftables rules. The
result is that a packet must be accepted by *BOTH* the libvirt
iptables rules *AND* the firewalld nftable rules in order to be
accepted.
This causes pain because
1) libvirt always adds rules to permit DNS and DHCP (and sometimes
TFTP) from guests to the host network's bridge interface. But
libvirt's bridges are in firewalld's "default" zone (which is usually
the zone called "public"). The public zone allows ssh, but doesn't
allow DNS, DHCP, or TFTP. So even though libvirt's rules allow the
DHCP and DNS traffic, the firewalld rules (now processed during a
different hook) dont, thus guests connected to libvirt's bridges can't
acquire an IP address from DHCP, nor can they make DNS queries to the
DNS server libvirt has setup on the host. (This could be solved by
modifying the default firewalld zone to allow DNS and DHCP, but that
would open *all* interfaces in the default zone to those services,
which is most likely not what the host's admin wants.)
2) Even though libvirt adds iptables rules to allow forwarded traffic
to pass the iptables hook, firewalld's higher level "rich rules" don't
yet have the ability to configure the acceptance of forwarded traffic
(traffic that is going somewhere beyond the host), so any traffic that
needs to be forwarded from guests to the network beyond the host is
rejected during the nftables hook by the default zone's "default
reject" policy (which rejects all traffic in the zone not specifically
allowed by the rules in the zone, whether that traffic is destined to
be forwarded or locally received by the host).
libvirt can't send "direct" nftables rules (firewalld only supports
direct/passthrough rules for iptables), so we can't solve this problem
by just sending explicit nftables rules instead of explicit iptables
rules (which, if it could be done, would place libvirt's rules in the
same hook as firewalld's native rules, and thus eliminate the need for
packets to be accepted by both libvirt's and firewalld's own rules).
However, we can take advantage of a quirk in firewalld zones that have
a default policy of "accept" (meaning any packet that doesn't match a
specific rule in the zone will be *accepted*) - this default accept will
also accept forwarded traffic (not just traffic destined for the host).
Of course we don't want to modify firewalld's default zone in that
way, because that would affect the filtering of traffic coming into
the host from other interfaces using that zone. Instead, we will
create a new zone called "libvirt". The libvirt zone will have a
default policy of accept so that forwarded traffic can pass and list
specific services that will be allowed into the host from guests (DNS,
DHCP, SSH, and TFTP).
But the same default accept policy that fixes forwarded traffic also
causes *all* traffic from guest to host to be accepted. To close this
new hole, the libvirt zone can take advantage of a new feature in
firewalld (currently slated for firewalld-0.7.0) - priorities for rich
rules - to add a low priority rule that rejects all local traffic (but
leaves alone all forwarded traffic).
So, our new zone will start with a list of services that are allowed
(dhcp, dns, tftp, and ssh to start, but configurable via any firewalld
management application, or direct editing of the zone file in
/etc/firewalld/zones/libvirt.xml), followed by a low priority
<reject/> rule (to reject all other traffic from guest to host), and
finally with a default policy of accept (to allow forwarded traffic).
This patch only creates the zonefile for the new zone, and implements
a configure.ac option to selectively enable/disable installation of
the new zone. A separate patch contains the necessary code to actually
place bridge interfaces in the libvirt zone.
Why do we need a configure option to disable installation of the new
libvirt zone? It uses a new firewalld attribute that sets the priority
of a rich rule; this feature first appears in firewalld-0.7.0 (unless
it has been backported to am earlier firewalld by a downstream
maintainer). If the file were installed on a system with firewalld
that didn't support rule priorities, firewalld would log an error
every time it restarted, causing confusion and lots of extra bug
reports.
So we add two new configure.ac switches to avoid polluting the system
logs with this error on systems that don't support rule priorities -
"--with-firewalld-zone" and "--without-firewalld-zone". A package
builder can use these to include/exclude the libvirt zone file in the
installation. If firewalld is enabled (--with-firewalld), the default
is --with-firewalld-zone, but it can be disabled during configure
(using --without-firewalld-zone). Targets that are using a firewalld
version too old to support the rule priority setting in the libvirt
zone file can simply add --without-firewalld-zone to their configure
commandline.
These switches only affect whether or not the libvirt zone file is
*installed* in /usr/lib/firewalld/zones, but have no effect on whether
or not libvirt looks for a zone called libvirt and tries to use it.
NB: firewalld zones can only be added to the permanent config of
firewalld, and won't be loaded/enabled until firewalld is restarted,
so at package install/upgrade time we have to restart firewalld. For
rpm-based distros, this is done in the libvirt.spec file by calling
the %firewalld_restart rpm macro, which is a part of the
firewalld-filesystem package. (For distros that don't use rpm
packages, the command "firewalld-cmd --reload" will have the same
effect).
Signed-off-by: Laine Stump <laine@laine.org>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
2019-01-25 23:52:37 -05:00
|
|
|
%firewalld_reload
|
|
|
|
%endif
|
|
|
|
|
|
|
|
%postun daemon-driver-network
|
2019-04-30 10:39:31 -04:00
|
|
|
%if %{with_firewalld_zone}
|
configure: selectively install a firewalld 'libvirt' zone
In the past (when both libvirt and firewalld used iptables), if either
libvirt's rules *OR* firewalld's rules accepted a packet, it would
be accepted. This was because libvirt and firewalld rules were
processed during the same kernel hook, and a single ACCEPT result
would terminate the rule traversal and cause the packet to be
accepted.
But now firewalld can use nftables for its backend, while libvirt's
firewall rules are still using iptables; iptables rules are still
processed, but at a different time during packet processing
(i.e. during a different hook) than the firewalld nftables rules. The
result is that a packet must be accepted by *BOTH* the libvirt
iptables rules *AND* the firewalld nftable rules in order to be
accepted.
This causes pain because
1) libvirt always adds rules to permit DNS and DHCP (and sometimes
TFTP) from guests to the host network's bridge interface. But
libvirt's bridges are in firewalld's "default" zone (which is usually
the zone called "public"). The public zone allows ssh, but doesn't
allow DNS, DHCP, or TFTP. So even though libvirt's rules allow the
DHCP and DNS traffic, the firewalld rules (now processed during a
different hook) dont, thus guests connected to libvirt's bridges can't
acquire an IP address from DHCP, nor can they make DNS queries to the
DNS server libvirt has setup on the host. (This could be solved by
modifying the default firewalld zone to allow DNS and DHCP, but that
would open *all* interfaces in the default zone to those services,
which is most likely not what the host's admin wants.)
2) Even though libvirt adds iptables rules to allow forwarded traffic
to pass the iptables hook, firewalld's higher level "rich rules" don't
yet have the ability to configure the acceptance of forwarded traffic
(traffic that is going somewhere beyond the host), so any traffic that
needs to be forwarded from guests to the network beyond the host is
rejected during the nftables hook by the default zone's "default
reject" policy (which rejects all traffic in the zone not specifically
allowed by the rules in the zone, whether that traffic is destined to
be forwarded or locally received by the host).
libvirt can't send "direct" nftables rules (firewalld only supports
direct/passthrough rules for iptables), so we can't solve this problem
by just sending explicit nftables rules instead of explicit iptables
rules (which, if it could be done, would place libvirt's rules in the
same hook as firewalld's native rules, and thus eliminate the need for
packets to be accepted by both libvirt's and firewalld's own rules).
However, we can take advantage of a quirk in firewalld zones that have
a default policy of "accept" (meaning any packet that doesn't match a
specific rule in the zone will be *accepted*) - this default accept will
also accept forwarded traffic (not just traffic destined for the host).
Of course we don't want to modify firewalld's default zone in that
way, because that would affect the filtering of traffic coming into
the host from other interfaces using that zone. Instead, we will
create a new zone called "libvirt". The libvirt zone will have a
default policy of accept so that forwarded traffic can pass and list
specific services that will be allowed into the host from guests (DNS,
DHCP, SSH, and TFTP).
But the same default accept policy that fixes forwarded traffic also
causes *all* traffic from guest to host to be accepted. To close this
new hole, the libvirt zone can take advantage of a new feature in
firewalld (currently slated for firewalld-0.7.0) - priorities for rich
rules - to add a low priority rule that rejects all local traffic (but
leaves alone all forwarded traffic).
So, our new zone will start with a list of services that are allowed
(dhcp, dns, tftp, and ssh to start, but configurable via any firewalld
management application, or direct editing of the zone file in
/etc/firewalld/zones/libvirt.xml), followed by a low priority
<reject/> rule (to reject all other traffic from guest to host), and
finally with a default policy of accept (to allow forwarded traffic).
This patch only creates the zonefile for the new zone, and implements
a configure.ac option to selectively enable/disable installation of
the new zone. A separate patch contains the necessary code to actually
place bridge interfaces in the libvirt zone.
Why do we need a configure option to disable installation of the new
libvirt zone? It uses a new firewalld attribute that sets the priority
of a rich rule; this feature first appears in firewalld-0.7.0 (unless
it has been backported to am earlier firewalld by a downstream
maintainer). If the file were installed on a system with firewalld
that didn't support rule priorities, firewalld would log an error
every time it restarted, causing confusion and lots of extra bug
reports.
So we add two new configure.ac switches to avoid polluting the system
logs with this error on systems that don't support rule priorities -
"--with-firewalld-zone" and "--without-firewalld-zone". A package
builder can use these to include/exclude the libvirt zone file in the
installation. If firewalld is enabled (--with-firewalld), the default
is --with-firewalld-zone, but it can be disabled during configure
(using --without-firewalld-zone). Targets that are using a firewalld
version too old to support the rule priority setting in the libvirt
zone file can simply add --without-firewalld-zone to their configure
commandline.
These switches only affect whether or not the libvirt zone file is
*installed* in /usr/lib/firewalld/zones, but have no effect on whether
or not libvirt looks for a zone called libvirt and tries to use it.
NB: firewalld zones can only be added to the permanent config of
firewalld, and won't be loaded/enabled until firewalld is restarted,
so at package install/upgrade time we have to restart firewalld. For
rpm-based distros, this is done in the libvirt.spec file by calling
the %firewalld_restart rpm macro, which is a part of the
firewalld-filesystem package. (For distros that don't use rpm
packages, the command "firewalld-cmd --reload" will have the same
effect).
Signed-off-by: Laine Stump <laine@laine.org>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
2019-01-25 23:52:37 -05:00
|
|
|
%firewalld_reload
|
|
|
|
%endif
|
|
|
|
|
2012-04-03 11:44:59 +01:00
|
|
|
%post daemon-config-network
|
|
|
|
if test $1 -eq 1 && test ! -f %{_sysconfdir}/libvirt/qemu/networks/default.xml ; then
|
2014-09-10 13:10:45 -04:00
|
|
|
# see if the network used by default network creates a conflict,
|
|
|
|
# and try to resolve it
|
|
|
|
# NB: 192.168.122.0/24 is used in the default.xml template file;
|
|
|
|
# do not modify any of those values here without also modifying
|
|
|
|
# them in the template.
|
|
|
|
orig_sub=122
|
|
|
|
sub=${orig_sub}
|
|
|
|
nl='
|
|
|
|
'
|
2014-09-15 13:30:08 -04:00
|
|
|
routes="${nl}$(ip route show | cut -d' ' -f1)${nl}"
|
2014-09-10 13:10:45 -04:00
|
|
|
case ${routes} in
|
|
|
|
*"${nl}192.168.${orig_sub}.0/24${nl}"*)
|
|
|
|
# there was a match, so we need to look for an unused subnet
|
|
|
|
for new_sub in $(seq 124 254); do
|
|
|
|
case ${routes} in
|
|
|
|
*"${nl}192.168.${new_sub}.0/24${nl}"*)
|
|
|
|
;;
|
|
|
|
*)
|
|
|
|
sub=$new_sub
|
|
|
|
break;
|
|
|
|
;;
|
|
|
|
esac
|
|
|
|
done
|
|
|
|
;;
|
|
|
|
*)
|
|
|
|
;;
|
|
|
|
esac
|
|
|
|
|
2012-04-03 11:44:59 +01:00
|
|
|
UUID=`/usr/bin/uuidgen`
|
2014-09-10 13:10:45 -04:00
|
|
|
sed -e "s/${orig_sub}/${sub}/g" \
|
|
|
|
-e "s,</name>,</name>\n <uuid>$UUID</uuid>," \
|
2012-04-03 11:44:59 +01:00
|
|
|
< %{_datadir}/libvirt/networks/default.xml \
|
|
|
|
> %{_sysconfdir}/libvirt/qemu/networks/default.xml
|
|
|
|
ln -s ../default.xml %{_sysconfdir}/libvirt/qemu/networks/autostart/default.xml
|
2019-05-27 12:56:04 +02:00
|
|
|
# libvirt saves this file with mode 0600
|
|
|
|
chmod 0600 %{_sysconfdir}/libvirt/qemu/networks/default.xml
|
2015-04-16 15:42:05 -04:00
|
|
|
|
|
|
|
# Make sure libvirt picks up the new network defininiton
|
2017-10-23 13:06:44 +02:00
|
|
|
mkdir -p %{_localstatedir}/lib/rpm-state/libvirt || :
|
|
|
|
touch %{_localstatedir}/lib/rpm-state/libvirt/restart || :
|
|
|
|
fi
|
|
|
|
|
|
|
|
%posttrans daemon-config-network
|
|
|
|
if [ -f %{_localstatedir}/lib/rpm-state/libvirt/restart ]; then
|
|
|
|
/bin/systemctl try-restart libvirtd.service >/dev/null 2>&1 || :
|
2012-04-03 11:44:59 +01:00
|
|
|
fi
|
2017-10-23 13:06:44 +02:00
|
|
|
rm -rf %{_localstatedir}/lib/rpm-state/libvirt || :
|
2017-04-12 21:36:01 +02:00
|
|
|
|
|
|
|
%post daemon-config-nwfilter
|
|
|
|
cp %{_datadir}/libvirt/nwfilter/*.xml %{_sysconfdir}/libvirt/nwfilter/
|
2019-05-23 14:31:37 +02:00
|
|
|
# libvirt saves these files with mode 600
|
|
|
|
chmod 600 %{_sysconfdir}/libvirt/nwfilter/*.xml
|
2017-04-12 21:36:01 +02:00
|
|
|
# Make sure libvirt picks up the new nwfilter defininitons
|
2017-10-23 13:06:44 +02:00
|
|
|
mkdir -p %{_localstatedir}/lib/rpm-state/libvirt || :
|
|
|
|
touch %{_localstatedir}/lib/rpm-state/libvirt/restart || :
|
|
|
|
|
|
|
|
%posttrans daemon-config-nwfilter
|
|
|
|
if [ -f %{_localstatedir}/lib/rpm-state/libvirt/restart ]; then
|
|
|
|
/bin/systemctl try-restart libvirtd.service >/dev/null 2>&1 || :
|
|
|
|
fi
|
|
|
|
rm -rf %{_localstatedir}/lib/rpm-state/libvirt || :
|
2017-04-12 21:36:01 +02:00
|
|
|
|
|
|
|
|
2016-05-04 16:20:58 +01:00
|
|
|
%if %{with_qemu}
|
2013-12-05 16:15:55 -07:00
|
|
|
%pre daemon-driver-qemu
|
|
|
|
# We want soft static allocation of well-known ids, as disk images
|
|
|
|
# are commonly shared across NFS mounts by id rather than name; see
|
|
|
|
# https://fedoraproject.org/wiki/Packaging:UsersAndGroups
|
|
|
|
getent group kvm >/dev/null || groupadd -f -g 36 -r kvm
|
|
|
|
getent group qemu >/dev/null || groupadd -f -g 107 -r qemu
|
|
|
|
if ! getent passwd qemu >/dev/null; then
|
|
|
|
if ! getent passwd 107 >/dev/null; then
|
|
|
|
useradd -r -u 107 -g qemu -G kvm -d / -s /sbin/nologin -c "qemu user" qemu
|
|
|
|
else
|
|
|
|
useradd -r -g qemu -G kvm -d / -s /sbin/nologin -c "qemu user" qemu
|
|
|
|
fi
|
|
|
|
fi
|
|
|
|
exit 0
|
2016-05-04 16:20:58 +01:00
|
|
|
%endif
|
2005-11-02 15:37:34 +00:00
|
|
|
|
2010-05-27 14:47:11 +02:00
|
|
|
%preun client
|
|
|
|
|
2018-07-20 11:54:37 +01:00
|
|
|
%systemd_preun libvirt-guests.service
|
2010-05-27 14:47:11 +02:00
|
|
|
|
|
|
|
%post client
|
2018-07-20 11:54:37 +01:00
|
|
|
%systemd_post libvirt-guests.service
|
2009-07-29 09:55:43 +01:00
|
|
|
|
2012-12-17 18:34:25 -05:00
|
|
|
%postun client
|
2018-07-20 11:54:37 +01:00
|
|
|
%systemd_postun libvirt-guests.service
|
|
|
|
|
2013-11-22 12:13:03 +01:00
|
|
|
%if %{with_lxc}
|
|
|
|
%pre login-shell
|
|
|
|
getent group virtlogin >/dev/null || groupadd -r virtlogin
|
|
|
|
exit 0
|
|
|
|
%endif
|
|
|
|
|
2012-04-03 14:26:41 +08:00
|
|
|
%files
|
2012-03-30 14:14:00 +01:00
|
|
|
|
2012-04-03 11:44:59 +01:00
|
|
|
%files docs
|
2017-10-13 16:31:07 +01:00
|
|
|
%doc AUTHORS ChangeLog.gz NEWS README README.md
|
2016-04-13 10:37:42 -04:00
|
|
|
%doc libvirt-docs/*
|
2012-04-03 11:44:59 +01:00
|
|
|
|
|
|
|
# API docs
|
|
|
|
%dir %{_datadir}/gtk-doc/html/libvirt/
|
|
|
|
%doc %{_datadir}/gtk-doc/html/libvirt/*.devhelp
|
|
|
|
%doc %{_datadir}/gtk-doc/html/libvirt/*.html
|
|
|
|
%doc %{_datadir}/gtk-doc/html/libvirt/*.png
|
|
|
|
%doc %{_datadir}/gtk-doc/html/libvirt/*.css
|
2016-04-13 10:37:42 -04:00
|
|
|
|
2012-04-03 11:44:59 +01:00
|
|
|
|
|
|
|
%files daemon
|
|
|
|
|
2007-03-12 16:32:43 +00:00
|
|
|
%dir %attr(0700, root, root) %{_sysconfdir}/libvirt/
|
2008-09-17 14:09:13 +00:00
|
|
|
|
2011-07-07 14:45:07 +01:00
|
|
|
%{_unitdir}/libvirtd.service
|
2016-10-14 10:13:48 +03:00
|
|
|
%{_unitdir}/virt-guest-shutdown.target
|
2015-02-09 16:35:05 +00:00
|
|
|
%{_unitdir}/virtlogd.service
|
|
|
|
%{_unitdir}/virtlogd.socket
|
2018-02-06 10:57:25 -05:00
|
|
|
%{_unitdir}/virtlogd-admin.socket
|
2011-07-07 15:02:32 +01:00
|
|
|
%{_unitdir}/virtlockd.service
|
|
|
|
%{_unitdir}/virtlockd.socket
|
2018-02-06 10:51:08 -05:00
|
|
|
%{_unitdir}/virtlockd-admin.socket
|
2007-06-26 23:48:46 +00:00
|
|
|
%config(noreplace) %{_sysconfdir}/sysconfig/libvirtd
|
2015-02-09 16:35:05 +00:00
|
|
|
%config(noreplace) %{_sysconfdir}/sysconfig/virtlogd
|
2012-08-02 20:06:50 +01:00
|
|
|
%config(noreplace) %{_sysconfdir}/sysconfig/virtlockd
|
2007-10-12 19:54:15 +00:00
|
|
|
%config(noreplace) %{_sysconfdir}/libvirt/libvirtd.conf
|
2015-02-09 16:35:05 +00:00
|
|
|
%config(noreplace) %{_sysconfdir}/libvirt/virtlogd.conf
|
2013-08-08 16:06:31 +01:00
|
|
|
%config(noreplace) %{_sysconfdir}/libvirt/virtlockd.conf
|
2018-06-21 16:14:48 +02:00
|
|
|
%config(noreplace) %{_sysconfdir}/sasl2/libvirt.conf
|
2015-04-15 11:49:22 +02:00
|
|
|
%config(noreplace) %{_prefix}/lib/sysctl.d/60-libvirtd.conf
|
2008-09-17 14:09:13 +00:00
|
|
|
|
2011-03-03 15:26:22 +08:00
|
|
|
%config(noreplace) %{_sysconfdir}/logrotate.d/libvirtd
|
2007-03-15 17:51:11 +00:00
|
|
|
%dir %{_datadir}/libvirt/
|
2009-09-16 16:02:38 +01:00
|
|
|
|
spec: mark directories in /var/run as ghosts
We have several directories that are created on the fly, and which
only contain state relevant to a running libvirtd process (all
located in /var/run). Since the directories are created as needed,
and make no sense without a running libvirtd, we want them deleted
if libvirt is uninstalled. And in F15 and newer, /var/run is on
tmpfs (forcing us to recreate on the fly); which means that someone
trying to verify a complete rpm will fail if the directory does not
currently exist because libvirtd has not been started since boot.
The solution, then, is to mark the directories as %ghost, so that
rpm knows that we own them and will clean it up if libvirt is
uninstalled, but will no longer create the directory for us at
install, nor complain at verify time if the directory does not exist.
See https://bugzilla.redhat.com/show_bug.cgi?id=656611.
* libvirt.spec.in (%files): Add %ghost to temporary directories
that we don't install, but want cleaned up on libvirt removal.
2011-11-30 15:34:42 -07:00
|
|
|
%ghost %dir %{_localstatedir}/run/libvirt/
|
2009-01-20 22:36:10 +00:00
|
|
|
|
2009-07-31 09:49:08 +01:00
|
|
|
%dir %attr(0711, root, root) %{_localstatedir}/lib/libvirt/images/
|
2011-11-01 11:21:21 +00:00
|
|
|
%dir %attr(0711, root, root) %{_localstatedir}/lib/libvirt/filesystems/
|
2009-08-06 15:20:36 +01:00
|
|
|
%dir %attr(0711, root, root) %{_localstatedir}/lib/libvirt/boot/
|
2011-05-20 16:18:11 +01:00
|
|
|
%dir %attr(0711, root, root) %{_localstatedir}/cache/libvirt/
|
2008-09-17 14:09:13 +00:00
|
|
|
|
2009-01-20 22:36:10 +00:00
|
|
|
|
2017-08-27 12:35:07 -04:00
|
|
|
%dir %attr(0755, root, root) %{_libdir}/libvirt/
|
|
|
|
%dir %attr(0755, root, root) %{_libdir}/libvirt/connection-driver/
|
2012-08-02 20:06:50 +01:00
|
|
|
%dir %attr(0755, root, root) %{_libdir}/libvirt/lock-driver
|
2012-12-14 11:57:27 +01:00
|
|
|
%attr(0755, root, root) %{_libdir}/libvirt/lock-driver/lockd.so
|
2012-08-02 20:06:50 +01:00
|
|
|
|
2008-09-17 14:09:13 +00:00
|
|
|
%{_datadir}/augeas/lenses/libvirtd.aug
|
|
|
|
%{_datadir}/augeas/lenses/tests/test_libvirtd.aug
|
2015-02-09 16:35:05 +00:00
|
|
|
%{_datadir}/augeas/lenses/virtlogd.aug
|
|
|
|
%{_datadir}/augeas/lenses/tests/test_virtlogd.aug
|
2013-08-08 16:06:31 +01:00
|
|
|
%{_datadir}/augeas/lenses/virtlockd.aug
|
|
|
|
%{_datadir}/augeas/lenses/tests/test_virtlockd.aug
|
2012-12-14 11:57:27 +01:00
|
|
|
%{_datadir}/augeas/lenses/libvirt_lockd.aug
|
2016-05-04 16:20:58 +01:00
|
|
|
%if %{with_qemu}
|
2012-12-14 11:57:27 +01:00
|
|
|
%{_datadir}/augeas/lenses/tests/test_libvirt_lockd.aug
|
2016-05-04 16:20:58 +01:00
|
|
|
%endif
|
2008-09-17 14:09:13 +00:00
|
|
|
|
2009-08-06 13:54:08 +01:00
|
|
|
%{_datadir}/polkit-1/actions/org.libvirt.unix.policy
|
2013-06-25 13:44:47 +02:00
|
|
|
%{_datadir}/polkit-1/actions/org.libvirt.api.policy
|
2015-04-28 17:38:00 -04:00
|
|
|
%{_datadir}/polkit-1/rules.d/50-libvirt.rules
|
2008-09-17 14:09:13 +00:00
|
|
|
|
2009-07-28 19:07:51 +01:00
|
|
|
%dir %attr(0700, root, root) %{_localstatedir}/log/libvirt/
|
2008-09-17 14:09:13 +00:00
|
|
|
|
2011-03-30 08:54:23 +08:00
|
|
|
%attr(0755, root, root) %{_libexecdir}/libvirt_iohelper
|
2013-07-30 12:04:55 +01:00
|
|
|
|
2007-06-26 23:04:49 +00:00
|
|
|
%attr(0755, root, root) %{_sbindir}/libvirtd
|
2015-02-09 16:35:05 +00:00
|
|
|
%attr(0755, root, root) %{_sbindir}/virtlogd
|
2012-08-02 20:06:50 +01:00
|
|
|
%attr(0755, root, root) %{_sbindir}/virtlockd
|
2008-09-17 14:09:13 +00:00
|
|
|
|
2010-07-13 05:33:35 +10:00
|
|
|
%{_mandir}/man8/libvirtd.8*
|
2015-02-09 16:35:05 +00:00
|
|
|
%{_mandir}/man8/virtlogd.8*
|
2013-08-08 15:10:38 +01:00
|
|
|
%{_mandir}/man8/virtlockd.8*
|
2017-03-03 12:43:51 +00:00
|
|
|
%{_mandir}/man7/virkey*.7*
|
2005-11-02 15:37:34 +00:00
|
|
|
|
2012-04-03 11:44:59 +01:00
|
|
|
%files daemon-config-network
|
2014-03-06 13:46:45 +11:00
|
|
|
%dir %{_datadir}/libvirt/networks/
|
|
|
|
%{_datadir}/libvirt/networks/default.xml
|
2019-05-27 12:56:04 +02:00
|
|
|
%ghost %{_sysconfdir}/libvirt/qemu/networks/default.xml
|
|
|
|
%ghost %{_sysconfdir}/libvirt/qemu/networks/autostart/default.xml
|
2012-04-03 10:52:12 +01:00
|
|
|
|
2012-04-03 11:44:59 +01:00
|
|
|
%files daemon-config-nwfilter
|
2017-04-12 21:36:01 +02:00
|
|
|
%dir %{_datadir}/libvirt/nwfilter/
|
|
|
|
%{_datadir}/libvirt/nwfilter/*.xml
|
|
|
|
%ghost %{_sysconfdir}/libvirt/nwfilter/*.xml
|
2012-04-03 11:54:27 +01:00
|
|
|
|
2012-04-02 20:53:43 +01:00
|
|
|
%files daemon-driver-interface
|
|
|
|
%{_libdir}/%{name}/connection-driver/libvirt_driver_interface.so
|
|
|
|
|
|
|
|
%files daemon-driver-network
|
2013-12-13 17:03:26 +02:00
|
|
|
%dir %attr(0700, root, root) %{_sysconfdir}/libvirt/qemu/
|
|
|
|
%dir %attr(0700, root, root) %{_sysconfdir}/libvirt/qemu/networks/
|
|
|
|
%dir %attr(0700, root, root) %{_sysconfdir}/libvirt/qemu/networks/autostart
|
|
|
|
%ghost %dir %{_localstatedir}/run/libvirt/network/
|
|
|
|
%dir %attr(0700, root, root) %{_localstatedir}/lib/libvirt/network/
|
|
|
|
%dir %attr(0755, root, root) %{_localstatedir}/lib/libvirt/dnsmasq/
|
Add helper program to create custom leases
Introduce helper program to catch events from dnsmasq and maintain a custom
lease file per network. It supports dhcpv4 and dhcpv6. The file is saved as
"<interface-name>.status".
Each lease contains the following info:
<expiry-time (epoch time)> <mac> <iaid> <ip-address> <hostname> <clientid>
Example of custom leases file content:
[
{
"iaid": "1221229",
"ip-address": "2001:db8:ca2:2:1::95",
"mac-address": "52:54:00:12:a2:6d",
"hostname": "Fedora20",
"client-id": "00:04:1a:c1:d9:6b:5a:0a:e2:bc:f8:4b:1e:37:2e:38:22:55",
"expiry-time": 1393244216
},
{
"ip-address": "192.168.150.208",
"mac-address": "52:54:00:11:56:b3",
"hostname": "Wani-PC",
"client-id": "01:52:54:00:11:56:b3",
"expiry-time": 1393244248
}
]
src/Makefile.am:
* Add options to compile the helper program
src/network/bridge_driver.c:
* Introduce networkDnsmasqLeaseFileNameCustom()
* Invoke helper program along with dnsmasq
* Delete the .status file when corresponding n/w is destroyed.
src/network/leaseshelper.c
* Helper program to create the custom lease file
2014-06-02 11:19:26 +01:00
|
|
|
%attr(0755, root, root) %{_libexecdir}/libvirt_leaseshelper
|
2012-04-02 20:53:43 +01:00
|
|
|
%{_libdir}/%{name}/connection-driver/libvirt_driver_network.so
|
|
|
|
|
configure: selectively install a firewalld 'libvirt' zone
In the past (when both libvirt and firewalld used iptables), if either
libvirt's rules *OR* firewalld's rules accepted a packet, it would
be accepted. This was because libvirt and firewalld rules were
processed during the same kernel hook, and a single ACCEPT result
would terminate the rule traversal and cause the packet to be
accepted.
But now firewalld can use nftables for its backend, while libvirt's
firewall rules are still using iptables; iptables rules are still
processed, but at a different time during packet processing
(i.e. during a different hook) than the firewalld nftables rules. The
result is that a packet must be accepted by *BOTH* the libvirt
iptables rules *AND* the firewalld nftable rules in order to be
accepted.
This causes pain because
1) libvirt always adds rules to permit DNS and DHCP (and sometimes
TFTP) from guests to the host network's bridge interface. But
libvirt's bridges are in firewalld's "default" zone (which is usually
the zone called "public"). The public zone allows ssh, but doesn't
allow DNS, DHCP, or TFTP. So even though libvirt's rules allow the
DHCP and DNS traffic, the firewalld rules (now processed during a
different hook) dont, thus guests connected to libvirt's bridges can't
acquire an IP address from DHCP, nor can they make DNS queries to the
DNS server libvirt has setup on the host. (This could be solved by
modifying the default firewalld zone to allow DNS and DHCP, but that
would open *all* interfaces in the default zone to those services,
which is most likely not what the host's admin wants.)
2) Even though libvirt adds iptables rules to allow forwarded traffic
to pass the iptables hook, firewalld's higher level "rich rules" don't
yet have the ability to configure the acceptance of forwarded traffic
(traffic that is going somewhere beyond the host), so any traffic that
needs to be forwarded from guests to the network beyond the host is
rejected during the nftables hook by the default zone's "default
reject" policy (which rejects all traffic in the zone not specifically
allowed by the rules in the zone, whether that traffic is destined to
be forwarded or locally received by the host).
libvirt can't send "direct" nftables rules (firewalld only supports
direct/passthrough rules for iptables), so we can't solve this problem
by just sending explicit nftables rules instead of explicit iptables
rules (which, if it could be done, would place libvirt's rules in the
same hook as firewalld's native rules, and thus eliminate the need for
packets to be accepted by both libvirt's and firewalld's own rules).
However, we can take advantage of a quirk in firewalld zones that have
a default policy of "accept" (meaning any packet that doesn't match a
specific rule in the zone will be *accepted*) - this default accept will
also accept forwarded traffic (not just traffic destined for the host).
Of course we don't want to modify firewalld's default zone in that
way, because that would affect the filtering of traffic coming into
the host from other interfaces using that zone. Instead, we will
create a new zone called "libvirt". The libvirt zone will have a
default policy of accept so that forwarded traffic can pass and list
specific services that will be allowed into the host from guests (DNS,
DHCP, SSH, and TFTP).
But the same default accept policy that fixes forwarded traffic also
causes *all* traffic from guest to host to be accepted. To close this
new hole, the libvirt zone can take advantage of a new feature in
firewalld (currently slated for firewalld-0.7.0) - priorities for rich
rules - to add a low priority rule that rejects all local traffic (but
leaves alone all forwarded traffic).
So, our new zone will start with a list of services that are allowed
(dhcp, dns, tftp, and ssh to start, but configurable via any firewalld
management application, or direct editing of the zone file in
/etc/firewalld/zones/libvirt.xml), followed by a low priority
<reject/> rule (to reject all other traffic from guest to host), and
finally with a default policy of accept (to allow forwarded traffic).
This patch only creates the zonefile for the new zone, and implements
a configure.ac option to selectively enable/disable installation of
the new zone. A separate patch contains the necessary code to actually
place bridge interfaces in the libvirt zone.
Why do we need a configure option to disable installation of the new
libvirt zone? It uses a new firewalld attribute that sets the priority
of a rich rule; this feature first appears in firewalld-0.7.0 (unless
it has been backported to am earlier firewalld by a downstream
maintainer). If the file were installed on a system with firewalld
that didn't support rule priorities, firewalld would log an error
every time it restarted, causing confusion and lots of extra bug
reports.
So we add two new configure.ac switches to avoid polluting the system
logs with this error on systems that don't support rule priorities -
"--with-firewalld-zone" and "--without-firewalld-zone". A package
builder can use these to include/exclude the libvirt zone file in the
installation. If firewalld is enabled (--with-firewalld), the default
is --with-firewalld-zone, but it can be disabled during configure
(using --without-firewalld-zone). Targets that are using a firewalld
version too old to support the rule priority setting in the libvirt
zone file can simply add --without-firewalld-zone to their configure
commandline.
These switches only affect whether or not the libvirt zone file is
*installed* in /usr/lib/firewalld/zones, but have no effect on whether
or not libvirt looks for a zone called libvirt and tries to use it.
NB: firewalld zones can only be added to the permanent config of
firewalld, and won't be loaded/enabled until firewalld is restarted,
so at package install/upgrade time we have to restart firewalld. For
rpm-based distros, this is done in the libvirt.spec file by calling
the %firewalld_restart rpm macro, which is a part of the
firewalld-filesystem package. (For distros that don't use rpm
packages, the command "firewalld-cmd --reload" will have the same
effect).
Signed-off-by: Laine Stump <laine@laine.org>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
2019-01-25 23:52:37 -05:00
|
|
|
%if %{with_firewalld_zone}
|
|
|
|
%{_prefix}/lib/firewalld/zones/libvirt.xml
|
|
|
|
%endif
|
|
|
|
|
2012-04-02 20:53:43 +01:00
|
|
|
%files daemon-driver-nodedev
|
|
|
|
%{_libdir}/%{name}/connection-driver/libvirt_driver_nodedev.so
|
|
|
|
|
|
|
|
%files daemon-driver-nwfilter
|
2014-03-06 13:46:45 +11:00
|
|
|
%dir %attr(0700, root, root) %{_sysconfdir}/libvirt/nwfilter/
|
|
|
|
%ghost %dir %{_localstatedir}/run/libvirt/network/
|
2012-04-02 20:53:43 +01:00
|
|
|
%{_libdir}/%{name}/connection-driver/libvirt_driver_nwfilter.so
|
|
|
|
|
|
|
|
%files daemon-driver-secret
|
|
|
|
%{_libdir}/%{name}/connection-driver/libvirt_driver_secret.so
|
|
|
|
|
|
|
|
%files daemon-driver-storage
|
2017-02-08 09:20:21 +01:00
|
|
|
|
|
|
|
%files daemon-driver-storage-core
|
2013-12-05 16:15:55 -07:00
|
|
|
%attr(0755, root, root) %{_libexecdir}/libvirt_parthelper
|
2016-05-04 16:20:58 +01:00
|
|
|
%{_libdir}/%{name}/connection-driver/libvirt_driver_storage.so
|
2017-02-07 19:40:29 +01:00
|
|
|
%{_libdir}/%{name}/storage-backend/libvirt_storage_backend_fs.so
|
2018-04-25 14:37:07 +01:00
|
|
|
%{_libdir}/%{name}/storage-file/libvirt_storage_file_fs.so
|
2017-02-08 09:20:21 +01:00
|
|
|
|
|
|
|
%files daemon-driver-storage-disk
|
2017-02-07 19:40:29 +01:00
|
|
|
%{_libdir}/%{name}/storage-backend/libvirt_storage_backend_disk.so
|
2017-02-08 09:20:21 +01:00
|
|
|
|
|
|
|
%files daemon-driver-storage-logical
|
2017-02-07 19:40:29 +01:00
|
|
|
%{_libdir}/%{name}/storage-backend/libvirt_storage_backend_logical.so
|
2017-02-08 09:20:21 +01:00
|
|
|
|
|
|
|
%files daemon-driver-storage-scsi
|
2017-02-07 19:40:29 +01:00
|
|
|
%{_libdir}/%{name}/storage-backend/libvirt_storage_backend_scsi.so
|
2017-02-08 09:20:21 +01:00
|
|
|
|
|
|
|
%files daemon-driver-storage-iscsi
|
2017-02-07 19:40:29 +01:00
|
|
|
%{_libdir}/%{name}/storage-backend/libvirt_storage_backend_iscsi.so
|
2017-02-08 09:20:21 +01:00
|
|
|
|
2018-08-14 14:31:35 +02:00
|
|
|
%if %{with_storage_iscsi_direct}
|
2018-08-08 19:43:25 -04:00
|
|
|
%files daemon-driver-storage-iscsi-direct
|
|
|
|
%{_libdir}/%{name}/storage-backend/libvirt_storage_backend_iscsi-direct.so
|
2018-08-14 14:31:35 +02:00
|
|
|
%endif
|
2018-08-08 19:43:25 -04:00
|
|
|
|
2017-02-08 09:20:21 +01:00
|
|
|
%files daemon-driver-storage-mpath
|
2017-02-07 19:40:29 +01:00
|
|
|
%{_libdir}/%{name}/storage-backend/libvirt_storage_backend_mpath.so
|
2017-02-08 09:20:21 +01:00
|
|
|
|
2017-02-07 19:40:29 +01:00
|
|
|
%if %{with_storage_gluster}
|
2017-02-08 09:20:21 +01:00
|
|
|
%files daemon-driver-storage-gluster
|
2017-02-07 19:40:29 +01:00
|
|
|
%{_libdir}/%{name}/storage-backend/libvirt_storage_backend_gluster.so
|
2018-04-25 14:37:07 +01:00
|
|
|
%{_libdir}/%{name}/storage-file/libvirt_storage_file_gluster.so
|
2017-02-07 19:40:29 +01:00
|
|
|
%endif
|
2017-02-08 09:20:21 +01:00
|
|
|
|
2017-02-07 19:40:29 +01:00
|
|
|
%if %{with_storage_rbd}
|
2017-02-08 09:20:21 +01:00
|
|
|
%files daemon-driver-storage-rbd
|
2017-02-07 19:40:29 +01:00
|
|
|
%{_libdir}/%{name}/storage-backend/libvirt_storage_backend_rbd.so
|
|
|
|
%endif
|
2017-02-08 09:20:21 +01:00
|
|
|
|
2017-02-07 19:40:29 +01:00
|
|
|
%if %{with_storage_sheepdog}
|
2017-02-08 09:20:21 +01:00
|
|
|
%files daemon-driver-storage-sheepdog
|
2017-02-07 19:40:29 +01:00
|
|
|
%{_libdir}/%{name}/storage-backend/libvirt_storage_backend_sheepdog.so
|
|
|
|
%endif
|
2012-04-02 20:53:43 +01:00
|
|
|
|
2017-07-17 11:32:46 -04:00
|
|
|
%if %{with_storage_zfs}
|
|
|
|
%files daemon-driver-storage-zfs
|
|
|
|
%{_libdir}/%{name}/storage-backend/libvirt_storage_backend_zfs.so
|
|
|
|
%endif
|
|
|
|
|
2016-05-04 16:20:58 +01:00
|
|
|
%if %{with_qemu}
|
2012-04-02 20:53:43 +01:00
|
|
|
%files daemon-driver-qemu
|
2014-03-06 13:46:45 +11:00
|
|
|
%dir %attr(0700, root, root) %{_sysconfdir}/libvirt/qemu/
|
2013-12-05 16:15:55 -07:00
|
|
|
%dir %attr(0700, root, root) %{_localstatedir}/log/libvirt/qemu/
|
|
|
|
%config(noreplace) %{_sysconfdir}/libvirt/qemu.conf
|
|
|
|
%config(noreplace) %{_sysconfdir}/libvirt/qemu-lockd.conf
|
|
|
|
%config(noreplace) %{_sysconfdir}/logrotate.d/libvirtd.qemu
|
2019-05-23 14:55:13 +02:00
|
|
|
%ghost %dir %{_localstatedir}/run/libvirt/qemu/
|
2015-09-08 18:34:36 +02:00
|
|
|
%dir %attr(0751, %{qemu_user}, %{qemu_group}) %{_localstatedir}/lib/libvirt/qemu/
|
2013-12-05 16:15:55 -07:00
|
|
|
%dir %attr(0750, %{qemu_user}, %{qemu_group}) %{_localstatedir}/cache/libvirt/qemu/
|
|
|
|
%{_datadir}/augeas/lenses/libvirtd_qemu.aug
|
|
|
|
%{_datadir}/augeas/lenses/tests/test_libvirtd_qemu.aug
|
2013-12-12 13:35:40 +00:00
|
|
|
%{_libdir}/%{name}/connection-driver/libvirt_driver_qemu.so
|
2017-04-04 12:22:31 -04:00
|
|
|
%dir %attr(0711, root, root) %{_localstatedir}/lib/libvirt/swtpm/
|
|
|
|
%dir %attr(0711, root, root) %{_localstatedir}/log/swtpm/libvirt/qemu/
|
2016-05-04 16:20:58 +01:00
|
|
|
%endif
|
2012-04-02 20:53:43 +01:00
|
|
|
|
2016-05-04 16:20:58 +01:00
|
|
|
%if %{with_lxc}
|
2012-04-02 20:53:43 +01:00
|
|
|
%files daemon-driver-lxc
|
2013-12-05 16:15:55 -07:00
|
|
|
%dir %attr(0700, root, root) %{_localstatedir}/log/libvirt/lxc/
|
|
|
|
%config(noreplace) %{_sysconfdir}/libvirt/lxc.conf
|
|
|
|
%config(noreplace) %{_sysconfdir}/logrotate.d/libvirtd.lxc
|
|
|
|
%ghost %dir %{_localstatedir}/run/libvirt/lxc/
|
|
|
|
%dir %attr(0700, root, root) %{_localstatedir}/lib/libvirt/lxc/
|
|
|
|
%{_datadir}/augeas/lenses/libvirtd_lxc.aug
|
|
|
|
%{_datadir}/augeas/lenses/tests/test_libvirtd_lxc.aug
|
|
|
|
%attr(0755, root, root) %{_libexecdir}/libvirt_lxc
|
2012-04-02 20:53:43 +01:00
|
|
|
%{_libdir}/%{name}/connection-driver/libvirt_driver_lxc.so
|
2016-05-04 16:20:58 +01:00
|
|
|
%endif
|
2012-04-02 20:53:43 +01:00
|
|
|
|
2016-05-04 16:20:58 +01:00
|
|
|
%if %{with_libxl}
|
2012-04-02 20:53:43 +01:00
|
|
|
%files daemon-driver-libxl
|
2015-04-22 15:43:38 -04:00
|
|
|
%config(noreplace) %{_sysconfdir}/libvirt/libxl.conf
|
2015-04-30 15:16:49 -06:00
|
|
|
%config(noreplace) %{_sysconfdir}/logrotate.d/libvirtd.libxl
|
2015-04-30 17:18:59 +02:00
|
|
|
%config(noreplace) %{_sysconfdir}/libvirt/libxl-lockd.conf
|
2015-04-22 15:43:38 -04:00
|
|
|
%{_datadir}/augeas/lenses/libvirtd_libxl.aug
|
|
|
|
%{_datadir}/augeas/lenses/tests/test_libvirtd_libxl.aug
|
2013-12-05 16:15:55 -07:00
|
|
|
%dir %attr(0700, root, root) %{_localstatedir}/log/libvirt/libxl/
|
|
|
|
%ghost %dir %{_localstatedir}/run/libvirt/libxl/
|
|
|
|
%dir %attr(0700, root, root) %{_localstatedir}/lib/libvirt/libxl/
|
2012-04-02 20:53:43 +01:00
|
|
|
%{_libdir}/%{name}/connection-driver/libvirt_driver_libxl.so
|
2016-05-04 16:20:58 +01:00
|
|
|
%endif
|
2013-05-17 13:31:59 +01:00
|
|
|
|
2016-05-04 16:20:58 +01:00
|
|
|
%if %{with_vbox}
|
2013-05-17 13:31:59 +01:00
|
|
|
%files daemon-driver-vbox
|
|
|
|
%{_libdir}/%{name}/connection-driver/libvirt_driver_vbox.so
|
2016-05-04 16:20:58 +01:00
|
|
|
%endif
|
2012-04-02 20:53:43 +01:00
|
|
|
|
2016-05-04 16:20:58 +01:00
|
|
|
%if %{with_qemu_tcg}
|
2012-04-03 11:54:27 +01:00
|
|
|
%files daemon-qemu
|
2016-05-04 16:20:58 +01:00
|
|
|
%endif
|
2012-04-03 11:54:27 +01:00
|
|
|
|
2016-05-04 16:20:58 +01:00
|
|
|
%if %{with_qemu_kvm}
|
2012-04-03 11:54:27 +01:00
|
|
|
%files daemon-kvm
|
2016-05-04 16:20:58 +01:00
|
|
|
%endif
|
2012-04-03 11:54:27 +01:00
|
|
|
|
2016-05-04 16:20:58 +01:00
|
|
|
%if %{with_lxc}
|
2012-04-03 11:54:27 +01:00
|
|
|
%files daemon-lxc
|
2016-05-04 16:20:58 +01:00
|
|
|
%endif
|
2012-04-03 11:54:27 +01:00
|
|
|
|
2018-03-28 17:57:10 -06:00
|
|
|
%if %{with_libxl}
|
2012-04-03 11:54:27 +01:00
|
|
|
%files daemon-xen
|
2016-05-04 16:20:58 +01:00
|
|
|
%endif
|
2013-05-17 13:31:59 +01:00
|
|
|
|
2016-05-04 16:20:58 +01:00
|
|
|
%if %{with_vbox}
|
2013-05-17 13:31:59 +01:00
|
|
|
%files daemon-vbox
|
2016-05-04 16:20:58 +01:00
|
|
|
%endif
|
2012-04-03 10:52:12 +01:00
|
|
|
|
2011-01-18 18:37:45 +00:00
|
|
|
%if %{with_sanlock}
|
|
|
|
%files lock-sanlock
|
2013-01-09 13:50:03 -07:00
|
|
|
%if %{with_qemu}
|
2011-06-14 09:20:49 +01:00
|
|
|
%config(noreplace) %{_sysconfdir}/libvirt/qemu-sanlock.conf
|
2013-01-09 13:50:03 -07:00
|
|
|
%endif
|
2015-05-01 12:39:30 -06:00
|
|
|
%if %{with_libxl}
|
|
|
|
%config(noreplace) %{_sysconfdir}/libvirt/libxl-sanlock.conf
|
|
|
|
%endif
|
2011-01-18 18:37:45 +00:00
|
|
|
%attr(0755, root, root) %{_libdir}/libvirt/lock-driver/sanlock.so
|
2011-06-14 09:20:49 +01:00
|
|
|
%{_datadir}/augeas/lenses/libvirt_sanlock.aug
|
|
|
|
%{_datadir}/augeas/lenses/tests/test_libvirt_sanlock.aug
|
2019-05-21 13:09:22 +02:00
|
|
|
%dir %attr(0770, root, sanlock) %{_localstatedir}/lib/libvirt/sanlock
|
2011-06-14 09:29:00 +01:00
|
|
|
%{_sbindir}/virt-sanlock-cleanup
|
|
|
|
%{_mandir}/man8/virt-sanlock-cleanup.8*
|
2012-09-18 13:41:26 +02:00
|
|
|
%attr(0755, root, root) %{_libexecdir}/libvirt_sanlock_helper
|
2011-01-18 18:37:45 +00:00
|
|
|
%endif
|
|
|
|
|
2016-06-25 08:37:22 +02:00
|
|
|
%files client
|
2009-07-21 11:16:15 +02:00
|
|
|
%{_mandir}/man1/virsh.1*
|
|
|
|
%{_mandir}/man1/virt-xml-validate.1*
|
2009-09-16 14:42:57 +01:00
|
|
|
%{_mandir}/man1/virt-pki-validate.1*
|
2012-01-10 17:31:21 +00:00
|
|
|
%{_mandir}/man1/virt-host-validate.1*
|
2009-07-21 11:16:15 +02:00
|
|
|
%{_bindir}/virsh
|
|
|
|
%{_bindir}/virt-xml-validate
|
2009-09-16 14:42:57 +01:00
|
|
|
%{_bindir}/virt-pki-validate
|
2012-01-10 17:31:21 +00:00
|
|
|
%{_bindir}/virt-host-validate
|
2009-07-21 11:16:15 +02:00
|
|
|
|
2012-10-20 22:46:58 -04:00
|
|
|
%{_datadir}/systemtap/tapset/libvirt_probes*.stp
|
2012-03-31 12:55:41 +01:00
|
|
|
%{_datadir}/systemtap/tapset/libvirt_functions.stp
|
2018-05-18 17:15:16 +02:00
|
|
|
%if %{with_qemu}
|
|
|
|
%{_datadir}/systemtap/tapset/libvirt_qemu_probes*.stp
|
|
|
|
%endif
|
2012-03-31 12:55:41 +01:00
|
|
|
|
2018-01-17 10:21:31 +01:00
|
|
|
%if %{with_bash_completion}
|
2018-01-24 16:42:00 +01:00
|
|
|
%{_datadir}/bash-completion/completions/virsh
|
2018-01-17 10:21:31 +01:00
|
|
|
%endif
|
2017-11-02 14:41:53 +01:00
|
|
|
|
2016-06-25 08:37:22 +02:00
|
|
|
|
|
|
|
%{_unitdir}/libvirt-guests.service
|
|
|
|
%config(noreplace) %{_sysconfdir}/sysconfig/libvirt-guests
|
|
|
|
%attr(0755, root, root) %{_libexecdir}/libvirt-guests.sh
|
|
|
|
|
|
|
|
%files libs -f %{name}.lang
|
2017-09-14 17:21:29 -04:00
|
|
|
%license COPYING COPYING.LESSER
|
2016-06-25 08:37:22 +02:00
|
|
|
%config(noreplace) %{_sysconfdir}/libvirt/libvirt.conf
|
|
|
|
%config(noreplace) %{_sysconfdir}/libvirt/libvirt-admin.conf
|
|
|
|
%{_libdir}/libvirt.so.*
|
|
|
|
%{_libdir}/libvirt-qemu.so.*
|
|
|
|
%{_libdir}/libvirt-lxc.so.*
|
|
|
|
%{_libdir}/libvirt-admin.so.*
|
2009-07-21 11:16:15 +02:00
|
|
|
%dir %{_datadir}/libvirt/
|
|
|
|
%dir %{_datadir}/libvirt/schemas/
|
2016-06-25 08:37:22 +02:00
|
|
|
%dir %attr(0755, root, root) %{_localstatedir}/lib/libvirt/
|
2009-07-21 11:16:15 +02:00
|
|
|
|
2011-08-12 19:33:15 -06:00
|
|
|
%{_datadir}/libvirt/schemas/basictypes.rng
|
|
|
|
%{_datadir}/libvirt/schemas/capability.rng
|
2016-09-27 13:27:52 +02:00
|
|
|
%{_datadir}/libvirt/schemas/cputypes.rng
|
2009-07-21 11:16:15 +02:00
|
|
|
%{_datadir}/libvirt/schemas/domain.rng
|
2014-06-25 13:24:53 +02:00
|
|
|
%{_datadir}/libvirt/schemas/domaincaps.rng
|
2011-08-12 19:33:15 -06:00
|
|
|
%{_datadir}/libvirt/schemas/domaincommon.rng
|
2010-05-26 23:03:47 +02:00
|
|
|
%{_datadir}/libvirt/schemas/domainsnapshot.rng
|
2011-08-12 19:33:15 -06:00
|
|
|
%{_datadir}/libvirt/schemas/interface.rng
|
2009-07-21 11:16:15 +02:00
|
|
|
%{_datadir}/libvirt/schemas/network.rng
|
2011-08-12 19:33:15 -06:00
|
|
|
%{_datadir}/libvirt/schemas/networkcommon.rng
|
2009-07-21 11:16:15 +02:00
|
|
|
%{_datadir}/libvirt/schemas/nodedev.rng
|
2011-08-12 19:33:15 -06:00
|
|
|
%{_datadir}/libvirt/schemas/nwfilter.rng
|
2018-06-27 10:42:52 +02:00
|
|
|
%{_datadir}/libvirt/schemas/nwfilter_params.rng
|
|
|
|
%{_datadir}/libvirt/schemas/nwfilterbinding.rng
|
2009-07-28 02:39:48 +02:00
|
|
|
%{_datadir}/libvirt/schemas/secret.rng
|
2014-04-11 19:33:45 -06:00
|
|
|
%{_datadir}/libvirt/schemas/storagecommon.rng
|
2011-08-12 19:33:15 -06:00
|
|
|
%{_datadir}/libvirt/schemas/storagepool.rng
|
2019-02-07 12:29:15 -05:00
|
|
|
%{_datadir}/libvirt/schemas/storagepoolcaps.rng
|
2011-08-12 19:33:15 -06:00
|
|
|
%{_datadir}/libvirt/schemas/storagevol.rng
|
2009-07-21 11:16:15 +02:00
|
|
|
|
2018-08-16 12:39:39 +01:00
|
|
|
%{_datadir}/libvirt/cpu_map/*.xml
|
2009-12-23 14:28:42 +01:00
|
|
|
|
2016-12-06 12:45:18 +00:00
|
|
|
%{_datadir}/libvirt/test-screenshot.png
|
|
|
|
|
2016-06-27 10:15:21 +02:00
|
|
|
%files admin
|
|
|
|
%{_mandir}/man1/virt-admin.1*
|
|
|
|
%{_bindir}/virt-admin
|
2018-01-24 16:42:00 +01:00
|
|
|
%if %{with_bash_completion}
|
|
|
|
%{_datadir}/bash-completion/completions/virt-admin
|
|
|
|
%endif
|
2016-06-27 10:15:21 +02:00
|
|
|
|
2018-01-24 16:42:00 +01:00
|
|
|
%if %{with_bash_completion}
|
|
|
|
%files bash-completion
|
|
|
|
%{_datadir}/bash-completion/completions/vsh
|
|
|
|
%endif
|
2016-06-27 10:15:21 +02:00
|
|
|
|
2014-02-04 12:37:15 -07:00
|
|
|
%if %{with_wireshark}
|
|
|
|
%files wireshark
|
2018-05-03 12:17:31 +01:00
|
|
|
%{wireshark_plugindir}/libvirt.so
|
2014-02-04 12:37:15 -07:00
|
|
|
%endif
|
|
|
|
|
2016-02-16 09:41:30 +01:00
|
|
|
%files nss
|
|
|
|
%{_libdir}/libnss_libvirt.so.2
|
2016-12-08 15:25:17 +01:00
|
|
|
%{_libdir}/libnss_libvirt_guest.so.2
|
2016-02-16 09:41:30 +01:00
|
|
|
|
2013-10-17 14:18:18 +01:00
|
|
|
%if %{with_lxc}
|
|
|
|
%files login-shell
|
2013-11-22 12:13:03 +01:00
|
|
|
%attr(4750, root, virtlogin) %{_bindir}/virt-login-shell
|
2013-10-17 14:18:18 +01:00
|
|
|
%config(noreplace) %{_sysconfdir}/libvirt/virt-login-shell.conf
|
|
|
|
%{_mandir}/man1/virt-login-shell.1*
|
|
|
|
%endif
|
|
|
|
|
2005-11-02 15:37:34 +00:00
|
|
|
%files devel
|
2014-06-20 17:47:15 +01:00
|
|
|
%{_libdir}/libvirt.so
|
2016-06-24 19:50:10 +02:00
|
|
|
%{_libdir}/libvirt-admin.so
|
2014-06-20 17:47:15 +01:00
|
|
|
%{_libdir}/libvirt-qemu.so
|
|
|
|
%{_libdir}/libvirt-lxc.so
|
2007-03-28 08:48:52 +00:00
|
|
|
%dir %{_includedir}/libvirt
|
2014-06-20 17:47:15 +01:00
|
|
|
%{_includedir}/libvirt/virterror.h
|
|
|
|
%{_includedir}/libvirt/libvirt.h
|
2016-06-24 19:50:10 +02:00
|
|
|
%{_includedir}/libvirt/libvirt-admin.h
|
2015-12-01 11:07:59 +01:00
|
|
|
%{_includedir}/libvirt/libvirt-common.h
|
2014-10-23 11:28:16 +01:00
|
|
|
%{_includedir}/libvirt/libvirt-domain.h
|
2014-10-23 11:28:16 +01:00
|
|
|
%{_includedir}/libvirt/libvirt-domain-snapshot.h
|
2014-10-23 11:28:16 +01:00
|
|
|
%{_includedir}/libvirt/libvirt-event.h
|
2014-10-23 11:28:16 +01:00
|
|
|
%{_includedir}/libvirt/libvirt-host.h
|
2014-10-23 11:28:16 +01:00
|
|
|
%{_includedir}/libvirt/libvirt-interface.h
|
2014-10-23 11:28:16 +01:00
|
|
|
%{_includedir}/libvirt/libvirt-network.h
|
2014-10-23 11:28:16 +01:00
|
|
|
%{_includedir}/libvirt/libvirt-nodedev.h
|
2014-10-23 11:28:16 +01:00
|
|
|
%{_includedir}/libvirt/libvirt-nwfilter.h
|
2014-10-23 11:28:16 +01:00
|
|
|
%{_includedir}/libvirt/libvirt-secret.h
|
2014-10-23 11:28:16 +01:00
|
|
|
%{_includedir}/libvirt/libvirt-storage.h
|
2014-10-23 11:28:16 +01:00
|
|
|
%{_includedir}/libvirt/libvirt-stream.h
|
2014-06-20 17:47:15 +01:00
|
|
|
%{_includedir}/libvirt/libvirt-qemu.h
|
|
|
|
%{_includedir}/libvirt/libvirt-lxc.h
|
2006-02-09 17:45:11 +00:00
|
|
|
%{_libdir}/pkgconfig/libvirt.pc
|
2016-06-24 19:50:10 +02:00
|
|
|
%{_libdir}/pkgconfig/libvirt-admin.pc
|
2014-06-20 17:47:15 +01:00
|
|
|
%{_libdir}/pkgconfig/libvirt-qemu.pc
|
|
|
|
%{_libdir}/pkgconfig/libvirt-lxc.pc
|
2005-11-02 15:37:34 +00:00
|
|
|
|
2012-02-15 11:29:38 +00:00
|
|
|
%dir %{_datadir}/libvirt/api/
|
|
|
|
%{_datadir}/libvirt/api/libvirt-api.xml
|
2016-06-24 19:50:10 +02:00
|
|
|
%{_datadir}/libvirt/api/libvirt-admin-api.xml
|
2012-02-15 11:29:38 +00:00
|
|
|
%{_datadir}/libvirt/api/libvirt-qemu-api.xml
|
Introduce an LXC specific public API & library
This patch introduces support for LXC specific public APIs. In
common with what was done for QEMU, this creates a libvirt_lxc.so
library and libvirt/libvirt-lxc.h header file.
The actual APIs are
int virDomainLxcOpenNamespace(virDomainPtr domain,
int **fdlist,
unsigned int flags);
int virDomainLxcEnterNamespace(virDomainPtr domain,
unsigned int nfdlist,
int *fdlist,
unsigned int *noldfdlist,
int **oldfdlist,
unsigned int flags);
which provide a way to use the setns() system call to move the
calling process into the container's namespace. It is not
practical to write in a generically applicable manner. The
nearest that we could get to such an API would be an API which
allows to pass a command + argv to be executed inside a
container. Even if we had such a generic API, this LXC specific
API is still useful, because it allows the caller to maintain
the current process context, in particular any I/O streams they
have open.
NB the virDomainLxcEnterNamespace() API is special in that it
runs client side, so does not involve the internal driver API.
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2012-12-21 13:15:19 +00:00
|
|
|
%{_datadir}/libvirt/api/libvirt-lxc-api.xml
|
2016-04-13 10:37:42 -04:00
|
|
|
|
2005-12-07 13:45:20 +00:00
|
|
|
|
2005-11-02 15:37:34 +00:00
|
|
|
%changelog
|