/etc/libvirt/nwfilter/*.xml files are installed with no UUID, which
means libvirtd will automatically alter all of them once it starts. Thus
RPM verification will always fail on them. Let's use a trick similar to
the default network XML and store nwfilter XMLs in /usr/share. They will
be copied into /etc in %post. Additionally the /etc files are marked as
%ghost so that they are uninstalled if the RPM package is removed.
Note that the %post script overwrites existing files with new ones on
upgrade, which is what has always been happening.
https://bugzilla.redhat.com/show_bug.cgi?id=1431581
https://bugzilla.redhat.com/show_bug.cgi?id=1378774
Signed-off-by: Jiri Denemark <jdenemar@redhat.com>
RFC 6331 documents a number of serious security weaknesses in
the SASL DIGEST-MD5 mechanism. As such, libvirtd should not
be using it as a default mechanism. GSSAPI is the only other
viable SASL mechanism that can provide secure session encryption
so enable that by default as the replacement.
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
Create a new set of sub-packages containing the new storage driver
modules so that certain heavy-weight backends (gluster, rbd) can be
installed separately only if required.
To keep backward compatibility the 'libvirt-driver-storage' package
will be turned into a virtual package pulling in all the new storage
backend sub-packages. The storage driver module will be moved into
libvirt-driver-storage-core including the filesystem backend which is
mandatory.
This then allows to make libvirt-daemon-driver-qemu depend only on the
core of the storage driver.
All other meta-packages still depend on the full storage driver and thus
pull in all the backends.
If driver modules are enabled turn storage driver backends into
dynamically loadable objects. This will allow greater modularity for
binary distributions, where heavyweight dependencies as rbd and gluster
can be avoided by selecting only a subset of drivers if the rest is not
necessary.
The storage modules are installed into 'LIBDIR/libvirt/storage-backend/'
and users can override the location by using
'LIBVIRT_STORAGE_BACKEND_DIR' environment variable.
rpm based distros will at this point install all the backends when
libvirt-daemon-driver-storage package is installed.
Explicitly enable --with-storage-scsi and disable --without-storage-zfs
and --without-storage-vstorage so that the configure script doesn't
check for them.
Note that --with-storage-dir is enabled by default.
For the namespaces feature to work properly we need to be able
to make a perfect copy of the original /dev, including ACLs.
By adding a BuildRequires on libacl-devel we ensure that ACL
support will be enabled at configure time and made available
to the QEMU driver.
When redoing the website we deleted the libvirtLogo.png file
not remembering that the test driver screenshot API impl
relied on it.
Rather than having the test driver use the logo as a side
effect, give it its own dedicated image to use. This is
installed in /usr/share/libvirt/test-screenshot.png and
is taken from a NeXT Cube running WorldWideWeb[1]. The
very first web browser in existence, running on the
hardware it was originally written on.
[1] https://en.wikipedia.org/wiki/WorldWideWeb
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
It is already discussed in "[RFC] daemon: remove hardcode dep on libvirt-guests" [1].
Mgmt can use means to save/restore domains on system shutdown/boot other than
libvirt-guests.service. Thus we need to specify appropriate ordering dependency between
libvirtd, domains and save/restore service. This patch takes approach suggested
in RFC and introduces a systemd target, so that ordering can be built next way:
libvirtd -> domain -> virt-guest-shutdown.target -> save-restore.service.
This way domains are decoupled from specific shutdown service via intermediate
target.
[1] https://www.redhat.com/archives/libvir-list/2016-September/msg01353.html
Commit e8861f6971 changed our spec file to compile and run
tests in parallel. That's a very good step forward, but why
stop there? Let's run *all* make jobs in parallel and really
put those expensive cores to use!
On my laptop, this shaves ~10s off 'make rpm'.
So far, the main code is built in parallel, which makes it pretty
fast. But with a lot of tests we have now I've noticed this part
takes too much time to build. The problem was that tests were
built and run in a single job.
Also, 'make' in the first hunk is useless. The test suite is not
built due to 'make all' because there's no .git in the sources
unpacked from a tar.xz archive. It's 'make check' which triggers
tests build.
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
We only claim support for OSs that are still supported by the
respective vendors, which means anything older than Fedora 23
is out. Reword the comment a bit to highlight the criteria.
With newest gnutls available in Fedora 25/rawhide, it is
possible to have TLS priority fallbacks, so we can finally
use --tls-priority=@LIBVIRT,SYSTEM
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
This previous commit
  commit cd9fcc8be7
  Author: Michal Privoznik <mprivozn@redhat.com>
  Date: Wed Jul 27 16:58:32 2016 +0200
      libvirt.spec.in: Adapt to newest wireshark plugindir
Adapted the libvirt spec for wireshark >= 2.1.0 but
this ignored the fact that we enable wireshark from
Fedora 21 and 2.1.0 was only added in Fedora 24
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
In the old days, when wireshark plugin was introduced it was
installed under /usr/lib64/wireshark/plugins/$VERSION/ while with
wireshark-2.1.0 this path has changed just to
/usr/lib64/wireshark/plugins. We should teach our spec file about
this change.
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Commit ffc49e579c broke syntax-check:
  cppi: libvirt.spec.in: line 622: not properly indented
  cppi: libvirt.spec.in: line 624: not properly indented
  cppi: libvirt.spec.in: line 640: not properly indented
  cppi: libvirt.spec.in: line 642: not properly indented
  maint.mk: incorrect preprocessor indentation
  cfg.mk:697: recipe for target 'sc_spec_indentation' failed
Indent the new conditionals properly.
The systemd-machined tools libvirt uses were split into a
systemd-container RPM. Without depending on this, libvirt
may silently fallback to the non-systemd cgroup impl which
is not desirable.
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
Currently, we have libvirt-client library which serves as a
collection point for all the libraries and client binaries we
have. Therefore we have couple of silly dependencies, for
instance libvirt-daemon depends on libvirt-client. Only because
the shared library is in the client package.
To solve this, new package libvirt-libs is introduced where all
the libraries are going to live. The client package is then set
to depend on this new package, just like the rest of packages
that suffer the same problem.
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
RHEL-6 still needs to use libnl instead of libnl3, so re-add
the spec conditional mistakenly removed in
  commit 3694e038fd
  Author: Daniel P. Berrange <berrange@redhat.com>
  Date: Wed May 4 15:43:08 2016 +0100
      libvirt.spec.in: drop Fedora < 20 and RHEL < 6
With respect to the following thread
https://www.redhat.com/archives/libvir-list/2016-June/msg01822.html, until we
introduce a new rpm package '-libs' that would allow us to drop daemon's
dependency on the client package, distribute admin API related stuff within
the client package (since it's the best analogy to the virsh client).
Signed-off-by: Erik Skultety <eskultet@redhat.com>
Without that we might get similar messages in the log:
  error : virDriverLoadModule:73 : failed to load module
  /usr/lib64/libvirt/connection-driver/libvirt_driver_qemu.so
  /usr/lib64/libvirt/connection-driver/libvirt_driver_qemu.so: undefined
  symbol: virStorageFileCreate
Signed-off-by: Martin Kletzander <mkletzan@redhat.com>
This allows us to produce releases that are roughly a third in
size, have no limitation on path length, and are still readable
by all supported platforms.
In Fedora >= 21, there is a new crypto priority framework
that sets TLS policies globally for all apps. To activate
this with GNUTLS we must request "@SYSTEM" instead of
the traditional "NORMAL" string. The '@' causes gnutls to do
a lookup in its config file for the 'SYSTEM' keyword entry.
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
The sd_notify method is used to tell systemd when libvirtd
has finished starting up. All it does is send a datagram
containing the string parameter to systemd on a UNIX socket
named in the NOTIFY_SOCKET environment variable. Rather than
pulling in the systemd libraries for this, just code the
notification directly in libvirt as this is a stable ABI
from systemd's POV which explicitly allows independent
implementations:
See "Reimplementable Independently" column in the
"$NOTIFY_SOCKET Daemon Notifications" row:
https://www.freedesktop.org/wiki/Software/systemd/InterfacePortabilityAndStabilityChart/
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1314881
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
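
The notification described in the commit message above, as an added example that is not libvirt's own code: a single datagram sent to the AF_UNIX socket named by NOTIFY_SOCKET, with the abstract-namespace ('@') form handled. The function names notify_socket and notify_systemd are hypothetical.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <unistd.h>

/* Hypothetical helper (not libvirt's function): send one datagram holding
 * `state` to the AF_UNIX socket `path`.
 * Returns 1 if sent, 0 if there is no socket to notify, -1 on error. */
int notify_socket(const char *path, const char *state)
{
    struct sockaddr_un addr;
    size_t pathlen, statelen = strlen(state);
    ssize_t sent;
    int fd;

    if (!path || !*path)
        return 0;                /* not started by systemd: nothing to do */
    /* Accept only an absolute path or an abstract name written as '@name'. */
    if (path[0] != '/' && path[0] != '@') {
        errno = EINVAL;
        return -1;
    }
    pathlen = strlen(path);
    if (pathlen < 2 || pathlen >= sizeof(addr.sun_path)) {
        errno = EINVAL;
        return -1;
    }
    memset(&addr, 0, sizeof(addr));
    addr.sun_family = AF_UNIX;
    memcpy(addr.sun_path, path, pathlen);
    if (path[0] == '@')
        addr.sun_path[0] = '\0'; /* abstract namespace: leading NUL byte */

    /* Datagram socket, close-on-exec so it never leaks into child processes. */
    fd = socket(AF_UNIX, SOCK_DGRAM | SOCK_CLOEXEC, 0);
    if (fd < 0)
        return -1;
    sent = sendto(fd, state, statelen, 0, (struct sockaddr *)&addr,
                  offsetof(struct sockaddr_un, sun_path) + pathlen);
    close(fd);
    return sent == (ssize_t)statelen ? 1 : -1;
}

/* Hypothetical wrapper: take the socket name from the environment. */
int notify_systemd(const char *state)
{
    return notify_socket(getenv("NOTIFY_SOCKET"), state);
}

int main(void)
{
    printf("notify result: %d\n", notify_systemd("READY=1"));
    return 0;
}
```
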
Fedora now ships edk2 firmware in its official repos, so adapt
the nvram path list to match. Eventually we can remove the nightly
links as well once some integration kinks have been worked out,
and documentation updated.
Move the macro building into the %build target, which lets us
build up a shell variable and make things a bit more readable
https://bugzilla.redhat.com/show_bug.cgi?id=1335395
It was only needed for rpm versions that are much older than our
minimally supported distro
Some more details here: https://fedorahosted.org/fpc/ticket/77
syntax-check complained about broken indentation in libvirt.spec.in which was
broken by commit 3694e038
Signed-off-by: Erik Skultety <eskultet@redhat.com>
We were adding a sheepdog requirement at runtime, but forgetting
to turn it on at build time, so the underlying code was never
built.
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
The %changelog entries in the RPM are just a poor imitation
of the release notes, which is not what %changelog section
is for. It should be reflecting changes in the RPM packaging,
not changes in the application releases. Further, this bogus
list of changes has to be manually deleted every time we sync
the RPM with Fedora. Remove them, since they serve no useful
purpose.
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
Rather than letting the configure script auto-detect features
we expect, use --with-xxx to explicitly mandate them. This
ensures that we get an error upfront when running configure,
rather than a failure later during build or RPM file packaging
time.
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
Both RHEL and Fedora build with the storage driver and
most of its sub-drivers enabled at all times.
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
Both RHEL and Fedora build with driver modules enabled by
default, so there is no need for any conditional.
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
A client only build dates back to RHEL5 where some architectures
did not build the libvirtd daemon, only the clients. Since RHEL5
was dropped this is no longer required.
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
Simplify conditionals to assume Fedora >= 20 or RHEL >= 6
The %prep section will explicitly check the version and
refuse to run if insufficient.
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
Previous commit moved some lists out of the -devel package
and into the -docs package
  commit feffcc03a0
  Author: Cole Robinson <crobinso@redhat.com>
  Date: Wed Apr 13 10:37:42 2016 -0400
      spec: Only pull in API docs with -devel package
What was not realized is that the rule 'libvirt-docs/*'
and ' docs/*.html docs/html docs/*.gif' actually point
to the exact same content. ie, we had previously included
the website HTML in *both* the -docs and -devel packages.
So this change ended up listing the files twice, which
caused RPM to print a load of warnings:
  warning: File listed twice: /usr/share/doc/libvirt-docs/html
  warning: File listed twice: /usr/share/doc/libvirt-docs/html/32favicon.png
  warning: File listed twice: /usr/share/doc/libvirt-docs/html/404.html
  warning: File listed twice: /usr/share/doc/libvirt-docs/html/acl.html
  warning: File listed twice: /usr/share/doc/libvirt-docs/html/aclpolkit.html
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
If libvirt-daemon-config-network is installed while libvirtd is already
running, the daemon doesn't notice the network. Users then have to
manually restart libvirtd (or reboot) to pick up the network.
Instead let's trigger a daemon restart when the package is first installed.
Then the default network is available immediately if libvirtd was already
running.
https://bugzilla.redhat.com/show_bug.cgi?id=867546
This reverts commit 1e9808d3a1.
We shouldn't advertise libvirtd.socket activation, since currently
it means VM/network/... autostart won't work as expected.
We tried to find a middle ground by installing the config file without
an [Install] section, since systemd won't allow .socket to be enabled
without one... or at least it did do that; presently on f24 it allows
activating the socket quite happily. This also caused user confusion[1]
Just remove the socket file. I've filed a new RFE to track coming up
with a solution to the autostart problem[2], we can point users at that
if there's more confusion:
[1]: https://bugzilla.redhat.com/show_bug.cgi?id=1279348
[2]: https://bugzilla.redhat.com/show_bug.cgi?id=1326136
Move some API specific documentation out of -docs package and into
-devel, and some end user docs out of -devel and into -docs, then
drop the -devel dep on -docs. This is more in line with the suggested
Fedora guidelines.
https://bugzilla.redhat.com/show_bug.cgi?id=1310155
Using one Makefile per example subdirectory essentially serializes 'make'
calls. Convert to one example/Makefile that builds and distributes
all the subdir files. This reduces example/ rebuild time from about 5.8
seconds to 1.5 seconds on my machine.
One slight difference is that we no longer ship Makefile.am with the
examples in the rpm. This was virtually useless anyways since the Makefile
was very specific to libvirt infrastructure, so wasn't generically
reusable anyways.
Tested with 'make distcheck' and 'make rpm'
When installing the libvirt-daemon RPM, we have a %post rule to
enable the libvirtd.service, virtlockd.socket and virtlogd.socket
files. This is only done, however, when the RPM is first installed,
not when upgrading RPMs. So virtlogd will not get activated on
upgrading, which is a problem as libvirt qemu driver will expect
it to be available by default.
This adds a trigger that is run when uninstalling libvirt-daemon
older than 1.3.0 that will enable & start virtlogd.socket if
libvirtd is enabled and/or started. Using the trigger rather
than %post ensures that it only runs once, allowing admins to
disable it explicitly thereafter without future upgrades
re-enabling it.
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
Commit 48cd3dfa66 introduced configuration
file for libvirt-admin but forgot to distribute it. Also the change
made to libvirt.conf in commit dbecb87f94
should've been removed thanks to introduction of separate config file.
Signed-off-by: Martin Kletzander <mkletzan@redhat.com>
The virt-admin binary and its man page should not yet be distributed,
but we need libvirt-common.h. RPM build fails without specifying these.
Signed-off-by: Martin Kletzander <mkletzan@redhat.com>
Copy the virtlockd codebase across to form the initial virtlogd
code. Simple search & replace of s/lock/log/ and gut the remote
protocol & dispatcher. This gives us a daemon that starts up
and listens for connections, but does nothing with them.
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
There has been a report on the list [1] that we are not
installing the wireshark dissector into the correct plugin
directory. And in fact we are not. The problem is, the plugin
directory path is constructed at compile time. However, it's
dependent on the wireshark version, e.g.
/usr/lib/wireshark/plugins/1.12.6
This is rather unfortunate, because if libvirt RPMs were built
with one version, but installed on a system with newer one, the
plugins are not really loaded. This problem led fedora packagers
to unify plugin path to:
/usr/lib/wireshark/plugins/
Cool! But this was enabled just in wireshark-1.12.6-4. Therefore,
we must require at least that version.
And while at it, on some distributions, the wireshark.pc file
already has a variable that defines where plugin dir is. Use that
if possible.
1: https://www.redhat.com/archives/libvirt-users/2015-October/msg00063.html
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
I'm hitting this little annoyance in fedora's package repo:
  $ fedpkg prep
  Downloading libvirt-1.2.20.tar.gz
  ...
  + /usr/bin/gzip -dc /home/crobinso/src/fedora/libvirt/libvirt-1.2.20.tar.gz
  $ git clean -xdf
  Removing libvirt-1.2.20.tar.gz
  Skipping repository libvirt-1.2.20/
We git-ify the libvirt directory as part of applying patches in the spec
file, but 'git clean' will ignore subfolders that appear to be standalone
git repos.
Let's just delete the .git directory after we're done with it.
In previous change:
  commit 29b5167417
  Author: Jiri Denemark <jdenemar@redhat.com>
  Date: Tue Aug 4 14:05:52 2015 +0200
      examples: Add example polkit ACL rules
The polkit examples were accidentally added to the spec inside
a %if %{with_network} conditional.
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
  $ rpmbuild -ba libvirt.spec
  warning: Macro expanded in comment on line 5: # If neither fedora nor rhel was defined, try to guess them from %{dist}
  warning: Macro %enable_autotools defined but not used within scope
  warning: Macro %client_only defined but not used within scope
  ...
Commit f1f68ca334 tried fixing running multiple domains under various
users, but if the user can't browse the directory, it's hard for the
qemu running under that user to create the monitor socket.
The permissions need to be fixed in two places in the spec file due to
support for both installations with and without driver modules.
Creating a directory with '$(MKDIR_P) -m' shouldn't fail even on systems
where autoconf needs to fallback to 'install-sh -d'.
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1146886
Signed-off-by: Martin Kletzander <mkletzan@redhat.com>
Commit e755186c5c added the rename example, but forgot to build some
essential files in there as well as add it to the spec file.
Signed-off-by: Martin Kletzander <mkletzan@redhat.com>
Creating ACL rules is not exactly easy and existing examples are pretty
simple. This patch adds a somewhat complex example which defines several
roles. Admins can do everything, operators can do basic operations
on any domain and several groups of users who act as operators but only
on a limited set of domains.
Signed-off-by: Jiri Denemark <jdenemar@redhat.com>
As of fedora polkit-0.113-2, polkit-devel only pulls in polkit-libs, not
full polkit, but we need the latter for pkcheck otherwise our configure
test fails.