Hello community, here is the log from the commit of package libvirt for openSUSE:Factory checked in at 2020-12-09 22:12:33
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/libvirt (Old) and /work/SRC/openSUSE:Factory/.libvirt.new.2328 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "libvirt"
Wed Dec 9 22:12:33 2020 rev:319 rq:854168 version:6.10.0
Changes:
--------
--- /work/SRC/openSUSE:Factory/libvirt/libvirt.changes 2020-12-05 20:35:58.998635752 +0100
+++ /work/SRC/openSUSE:Factory/.libvirt.new.2328/libvirt.changes 2020-12-09 22:12:33.931136631 +0100
@@ -1,0 +2,14 @@
+Wed Dec 9 00:07:16 UTC 2020 - James Fehlig <[email protected]>
+
+- spec: Enable mdevctl support in the nodedev driver for SLE15 SP3
+ jsc#SLE-15861, bsc#1179770
+
+-------------------------------------------------------------------
+Mon Dec 7 23:11:45 UTC 2020 - James Fehlig <[email protected]>
+
+- apparmor: Allow lxc processes to receive signals from libvirt
+ lxc: Set default security model in XML parser config
+ 0d05d51b-apparmor-lxc-fix.patch, cf4e7e62-lxc-def-secmodel.patch
+ bsc#1179735
+
+-------------------------------------------------------------------
New:
----
0d05d51b-apparmor-lxc-fix.patch
cf4e7e62-lxc-def-secmodel.patch
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ libvirt.spec ++++++
--- /var/tmp/diff_new_pack.NGaZST/_old 2020-12-09 22:12:35.075137790 +0100
+++ /var/tmp/diff_new_pack.NGaZST/_new 2020-12-09 22:12:35.083137799 +0100
@@ -291,6 +291,8 @@
 Source99: baselibs.conf
 Source100: %{name}-rpmlintrc
 # Upstream patches
+Patch0: 0d05d51b-apparmor-lxc-fix.patch
+Patch1: cf4e7e62-lxc-def-secmodel.patch
 # Patches pending upstream review
 Patch100: libxl-dom-reset.patch
 Patch101: network-don-t-use-dhcp-authoritative-on-static-netwo.patch
@@ -444,7 +446,7 @@
 Requires: %{name}-daemon = %{version}-%{release}
 Requires: %{name}-libs = %{version}-%{release}
 # For managing persistent mediated devices
-%if 0%{?suse_version} >= 1550
+%if 0%{?suse_version} >= 1550 || 0%{?sle_version} >= 150300
 Requires: mdevctl
 %endif
++++++ 0002-lxc-implement-connectGetAllDomainStats.patch ++++++
--- /var/tmp/diff_new_pack.NGaZST/_old 2020-12-09 22:12:35.135137851 +0100
+++ /var/tmp/diff_new_pack.NGaZST/_new 2020-12-09 22:12:35.135137851 +0100
@@ -22,7 +22,7 @@
 #define VIR_FROM_THIS VIR_FROM_LXC
-@@ -5068,6 +5070,128 @@ lxcDomainHasManagedSaveImage(virDomainPt
+@@ -5071,6 +5073,128 @@ lxcDomainHasManagedSaveImage(virDomainPt
 return ret;
 }
@@ -151,7 +151,7 @@
 /* Function Tables */
 static virHypervisorDriver lxcHypervisorDriver = {
-@@ -5165,6 +5289,7 @@ static virHypervisorDriver lxcHypervisor
+@@ -5168,6 +5292,7 @@ static virHypervisorDriver lxcHypervisor
 .nodeGetFreePages = lxcNodeGetFreePages, /* 1.2.6 */
 .nodeAllocPages = lxcNodeAllocPages, /* 1.2.9 */
 .domainHasManagedSaveImage = lxcDomainHasManagedSaveImage, /* 1.2.13 */
++++++ 0d05d51b-apparmor-lxc-fix.patch ++++++
commit 0d05d51b715390e08cd112f83e03b6776412aaeb
Author: Jim Fehlig <[email protected]>
Date: Wed Dec 2 16:24:21 2020 -0700
apparmor: Allow lxc processes to receive signals from libvirt
LXC processes confined by apparmor are not permitted to receive signals from libvirtd. Attempting to destroy such a process fails
virsh --connect lxc:/// destroy distro_apparmor
error: Failed to destroy domain distro_apparmor
error: Failed to kill process 29491: Permission denied
And from /var/log/audit/audit.log
type=AVC msg=audit(1606949706.142:6345): apparmor="DENIED" operation="signal" profile="libvirt-314b7109-fdce-48dc-ad28-7c47958a27c1" pid=29390 comm="libvirtd" requested_mask="receive" denied_mask="receive" signal=term peer="libvirtd"
Similar to the libvirt-qemu abstraction, add a rule to the libvirt-lxc abstraction allowing reception of signals from libvirtd.
Signed-off-by: Jim Fehlig <[email protected]>
Reviewed-by: Christian Ehrhardt <[email protected]>
Index: libvirt-6.10.0/src/security/apparmor/libvirt-lxc
===================================================================
--- libvirt-6.10.0.orig/src/security/apparmor/libvirt-lxc
+++ libvirt-6.10.0/src/security/apparmor/libvirt-lxc
@@ -1,5 +1,9 @@
 #include <abstractions/base>
+ # Allow receiving signals from libvirtd
+ signal (receive) peer=libvirtd,
+ signal (receive) peer=/usr/sbin/libvirtd,
+
 umount,
 # ignore DENIED message on / remount
++++++ cf4e7e62-lxc-def-secmodel.patch ++++++
commit cf4e7e620a3ecd109f23c8cdb577893d0e088201
Author: Jim Fehlig <[email protected]>
Date: Thu Dec 3 11:55:24 2020 -0700
lxc: Set default security model in XML parser config
Attempting to create a lxc domain with <seclabel type='none'/> fails
virsh --connect lxc:/// create distro_nosec.xml
error: Failed to create domain from distro_nosec.xml
error: unsupported configuration: Security driver model '(null)' is not available
Commit 638ffa2228 adjusted the logic for setting a driver's default security model. The lxc driver does not set a default security driver model in the XML parser config, causing seclabels of type='none' to have a null model. The lxc driver's security manager is initialized in lxcStateInitialize() by calling lxcSecurityInit(). Use the model of this manager as the default in the XML parser config. For the record, this is a regression caused by commit 638ffa2228, which changed the logic for setting a driver's default security model. The qemu driver was adjusted accordingly, but a similar change was missed in the lxc driver.
Signed-off-by: Jim Fehlig <[email protected]>
Reviewed-by: Michal Privoznik <[email protected]>
Index: libvirt-6.10.0/src/lxc/lxc_conf.c
===================================================================
--- libvirt-6.10.0.orig/src/lxc/lxc_conf.c
+++ libvirt-6.10.0/src/lxc/lxc_conf.c
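Review bot: Neither added `signal (receive)` rule has a `set=` qualifier, so a profile using this abstraction accepts every signal from a peer labelled `libvirtd` or `/usr/sbin/libvirtd`, whereas the denial quoted in the commit message was for `signal=term` only. The commit message says the rule follows the libvirt-qemu abstraction, so the full set may be intended; if it is, the comment should record that, for example `# Allow receiving any signal from libvirtd (both profile names), as in libvirt-qemu`. If only the destroy path needs it, a narrower form such as `signal (receive) set=(term, kill) peer=libvirtd,` would keep the grant closer to what the log shows, though which signals the lxc driver actually sends is not visible here.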
@@ -209,9 +209,10 @@ virCapsPtr virLXCDriverGetCapabilities(v
 virDomainXMLOptionPtr
-lxcDomainXMLConfInit(virLXCDriverPtr driver)
+lxcDomainXMLConfInit(virLXCDriverPtr driver, const char *defsecmodel)
 {
 virLXCDriverDomainDefParserConfig.priv = driver;
+ virLXCDriverDomainDefParserConfig.defSecModel = defsecmodel;
 return virDomainXMLOptionNew(&virLXCDriverDomainDefParserConfig, &virLXCDriverPrivateDataCallbacks, &virLXCDriverDomainXMLNamespace,
Index: libvirt-6.10.0/src/lxc/lxc_conf.h
===================================================================
--- libvirt-6.10.0.orig/src/lxc/lxc_conf.h
+++ libvirt-6.10.0/src/lxc/lxc_conf.h
@@ -112,7 +112,8 @@ int virLXCLoadDriverConfig(virLXCDriverC
 virCapsPtr virLXCDriverCapsInit(virLXCDriverPtr driver);
 virCapsPtr virLXCDriverGetCapabilities(virLXCDriverPtr driver, bool refresh);
-virDomainXMLOptionPtr lxcDomainXMLConfInit(virLXCDriverPtr driver);
+virDomainXMLOptionPtr lxcDomainXMLConfInit(virLXCDriverPtr driver,
+ const char *defsecmodel);
 static inline void lxcDriverLock(virLXCDriverPtr driver)
 {
Index: libvirt-6.10.0/src/lxc/lxc_controller.c
===================================================================
--- libvirt-6.10.0.orig/src/lxc/lxc_controller.c
+++ libvirt-6.10.0/src/lxc/lxc_controller.c
@@ -169,7 +169,7 @@ virLXCControllerDriverNew(void)
 }
 driver->caps = virLXCDriverCapsInit(NULL);
- driver->xmlopt = lxcDomainXMLConfInit(driver);
+ driver->xmlopt = lxcDomainXMLConfInit(driver, NULL);
 return driver;
 }
Index: libvirt-6.10.0/src/lxc/lxc_driver.c
===================================================================
--- libvirt-6.10.0.orig/src/lxc/lxc_driver.c
+++ libvirt-6.10.0/src/lxc/lxc_driver.c
@@ -1470,6 +1470,7 @@ static int lxcStateInitialize(bool privi
 {
 virLXCDriverConfigPtr cfg = NULL;
 bool autostart = true;
+ const char *defsecmodel;
 if (root != NULL) {
 virReportError(VIR_ERR_INVALID_ARG, "%s",
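Review bot: `lxcDomainXMLConfInit()` now stores the caller's `defsecmodel` pointer directly in `virLXCDriverDomainDefParserConfig.defSecModel` without copying it, and nothing in the lxc_conf.c hunk states who owns the string or that NULL is an accepted value. The lxc_controller.c and tests/testutilslxc.c hunks both pass NULL, which, going by the commit message, leaves `<seclabel type='none'/>` without a model for those callers; whether that is safe in the controller is not visible here. A comment above the definition such as `/* defsecmodel is borrowed, not copied, and must outlive the returned xmlopt; NULL means no default security model */` would record the contract. The config object is written before any local declaration in the body, so it appears to be shared state that each call overwrites; the function body continues past the end of the hunk.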
@@ -1525,7 +1526,9 @@ static int lxcStateInitialize(bool privi
 if (!(lxc_driver->hostdevMgr = virHostdevManagerGetDefault()))
 goto cleanup;
- if (!(lxc_driver->xmlopt = lxcDomainXMLConfInit(lxc_driver)))
+ defsecmodel = virSecurityManagerGetModel(lxc_driver->securityManager);
+
+ if (!(lxc_driver->xmlopt = lxcDomainXMLConfInit(lxc_driver, defsecmodel)))
 goto cleanup;
 if (!(lxc_driver->closeCallbacks = virCloseCallbacksNew()))
Index: libvirt-6.10.0/tests/testutilslxc.c
===================================================================
--- libvirt-6.10.0.orig/tests/testutilslxc.c
+++ libvirt-6.10.0/tests/testutilslxc.c
@@ -71,7 +71,7 @@ testLXCDriverInit(void)
 }
 driver->caps = testLXCCapsInit();
- driver->xmlopt = lxcDomainXMLConfInit(driver);
+ driver->xmlopt = lxcDomainXMLConfInit(driver, NULL);
 return driver;
 }
++++++ lxc-wait-after-eth-del.patch ++++++
--- /var/tmp/diff_new_pack.NGaZST/_old 2020-12-09 22:12:35.247137965 +0100
+++ /var/tmp/diff_new_pack.NGaZST/_new 2020-12-09 22:12:35.251137969 +0100
@@ -37,7 +37,7 @@
 #include "virstring.h"
 #include "viraccessapicheck.h"
 #include "viraccessapichecklxc.h"
-@@ -3546,6 +3547,7 @@ lxcDomainAttachDeviceNetLive(virLXCDrive
+@@ -3549,6 +3550,7 @@ lxcDomainAttachDeviceNetLive(virLXCDrive
 case VIR_DOMAIN_NET_TYPE_NETWORK:
 case VIR_DOMAIN_NET_TYPE_ETHERNET:
 ignore_value(virNetDevVethDelete(veth));
@@ -45,7 +45,7 @@
 break;
 case VIR_DOMAIN_NET_TYPE_DIRECT:
-@@ -3985,6 +3987,7 @@ lxcDomainDetachDeviceNetLive(virDomainOb
+@@ -3988,6 +3990,7 @@ lxcDomainDetachDeviceNetLive(virDomainOb
 virDomainAuditNet(vm, detach, NULL, "detach", false);
 goto cleanup;
 }
_______________________________________________
openSUSE Commits mailing list -- [email protected]
To unsubscribe, email [email protected]
List Netiquette: https://en.opensuse.org/openSUSE:Mailing_list_netiquette
List Archives: https://lists.opensuse.org/archives/list/[email protected]
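Review bot: The result of `virSecurityManagerGetModel(lxc_driver->securityManager)` in the second lxc_driver.c hunk is handed to `lxcDomainXMLConfInit()` unchecked, and the hunk does not show `lxc_driver->securityManager` being set before this point. The commit message says lxcSecurityInit() initialises it inside lxcStateInitialize(), so the new lines depend on that call staying ahead of them; a comment such as `/* requires lxc_driver->securityManager from lxcSecurityInit(); its model is the default for <seclabel type='none'/> */` would guard against a later reordering. If the getter can return NULL, the '(null)' model error from the commit message would return without any diagnostic at start-up, so its contract is worth confirming. lxcStateInitialize starts and ends outside the hunk.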
