tamiko 15/07/28 16:54:00
Added: libvirt-1.2.17-fix_paths_for_apparmor.patch
libvirtd.init-r16 libvirtd.confd-r6
Removed: libvirtd.init-r15 libvirtd.confd-r5
Log:
Change default behavior for kvm guest in openrc runscript, bug #555736; fix
apparmor configuration, bug #554628; ebuild maintenance
(Portage version: 2.2.20/cvs/Linux x86_64, signed Manifest commit with key
BD3A97A3)
Revision Changes Path
1.1
app-emulation/libvirt/files/libvirt-1.2.17-fix_paths_for_apparmor.patch
Index: libvirt-1.2.17-fix_paths_for_apparmor.patch
===================================================================
>From bde898de482645f6963b673e8ff0b486a0a6db25 Mon Sep 17 00:00:00 2001
From: Matthias Maier <[email protected]>
Date: Tue, 28 Jul 2015 11:10:59 -0500
Subject: [PATCH] adapt paths for gentoo's fs layout
https://bugs.gentoo.org/show_bug.cgi?id=554628
---
examples/apparmor/Makefile.am | 4 +-
examples/apparmor/usr.lib.libvirt.virt-aa-helper | 48 ------------------------
examples/apparmor/usr.libexec.virt-aa-helper | 48 ++++++++++++++++++++++++
examples/apparmor/usr.sbin.libvirtd | 4 +-
4 files changed, 52 insertions(+), 52 deletions(-)
delete mode 100644 examples/apparmor/usr.lib.libvirt.virt-aa-helper
create mode 100644 examples/apparmor/usr.libexec.virt-aa-helper
diff --git a/examples/apparmor/Makefile.am b/examples/apparmor/Makefile.am
index 7a20e16..c3c67b6 100644
--- a/examples/apparmor/Makefile.am
+++ b/examples/apparmor/Makefile.am
@@ -19,13 +19,13 @@ EXTRA_DIST= \
TEMPLATE.lxc \
libvirt-qemu \
libvirt-lxc \
- usr.lib.libvirt.virt-aa-helper \
+ usr.libexec.virt-aa-helper \
usr.sbin.libvirtd
if WITH_APPARMOR_PROFILES
apparmordir = $(sysconfdir)/apparmor.d/
apparmor_DATA = \
- usr.lib.libvirt.virt-aa-helper \
+ usr.libexec.virt-aa-helper \
usr.sbin.libvirtd \
$(NULL)
diff --git a/examples/apparmor/usr.lib.libvirt.virt-aa-helper
b/examples/apparmor/usr.lib.libvirt.virt-aa-helper
deleted file mode 100644
index b34fb35..0000000
--- a/examples/apparmor/usr.lib.libvirt.virt-aa-helper
+++ /dev/null
@@ -1,48 +0,0 @@
-# Last Modified: Mon Apr 5 15:10:27 2010
-#include <tunables/global>
-
-profile virt-aa-helper /usr/{lib,lib64}/libvirt/virt-aa-helper {
- #include <abstractions/base>
-
- # needed for searching directories
- capability dac_override,
- capability dac_read_search,
-
- # needed for when disk is on a network filesystem
- network inet,
-
- deny @{PROC}/[0-9]*/mounts r,
- @{PROC}/[0-9]*/net/psched r,
- owner @{PROC}/[0-9]*/status r,
- @{PROC}/filesystems r,
-
- # for hostdev
- /sys/devices/ r,
- /sys/devices/** r,
-
- /usr/{lib,lib64}/libvirt/virt-aa-helper mr,
- /sbin/apparmor_parser Ux,
-
- /etc/apparmor.d/libvirt/* r,
-
/etc/apparmor.d/libvirt/libvirt-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*
rw,
-
- # for backingstore -- allow access to non-hidden files in @{HOME} as well
- # as storage pools
- audit deny @{HOME}/.* mrwkl,
- audit deny @{HOME}/.*/ rw,
- audit deny @{HOME}/.*/** mrwkl,
- audit deny @{HOME}/bin/ rw,
- audit deny @{HOME}/bin/** mrwkl,
- @{HOME}/ r,
- @{HOME}/** r,
- /var/lib/libvirt/images/ r,
- /var/lib/libvirt/images/** r,
- /{media,mnt,opt,srv}/** r,
-
- /**.img r,
- /**.qcow{,2} r,
- /**.qed r,
- /**.vmdk r,
- /**.[iI][sS][oO] r,
- /**/disk{,.*} r,
-}
diff --git a/examples/apparmor/usr.libexec.virt-aa-helper
b/examples/apparmor/usr.libexec.virt-aa-helper
new file mode 100644
index 0000000..b34fb35
--- /dev/null
+++ b/examples/apparmor/usr.libexec.virt-aa-helper
@@ -0,0 +1,48 @@
+# Last Modified: Mon Apr 5 15:10:27 2010
+#include <tunables/global>
+
+profile virt-aa-helper /usr/{lib,lib64}/libvirt/virt-aa-helper {
+ #include <abstractions/base>
+
+ # needed for searching directories
+ capability dac_override,
+ capability dac_read_search,
+
+ # needed for when disk is on a network filesystem
+ network inet,
+
+ deny @{PROC}/[0-9]*/mounts r,
+ @{PROC}/[0-9]*/net/psched r,
+ owner @{PROC}/[0-9]*/status r,
+ @{PROC}/filesystems r,
+
+ # for hostdev
+ /sys/devices/ r,
+ /sys/devices/** r,
+
+ /usr/{lib,lib64}/libvirt/virt-aa-helper mr,
+ /sbin/apparmor_parser Ux,
+
+ /etc/apparmor.d/libvirt/* r,
+
/etc/apparmor.d/libvirt/libvirt-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*
rw,
+
+ # for backingstore -- allow access to non-hidden files in @{HOME} as well
+ # as storage pools
+ audit deny @{HOME}/.* mrwkl,
+ audit deny @{HOME}/.*/ rw,
+ audit deny @{HOME}/.*/** mrwkl,
+ audit deny @{HOME}/bin/ rw,
+ audit deny @{HOME}/bin/** mrwkl,
+ @{HOME}/ r,
+ @{HOME}/** r,
+ /var/lib/libvirt/images/ r,
+ /var/lib/libvirt/images/** r,
+ /{media,mnt,opt,srv}/** r,
+
+ /**.img r,
+ /**.qcow{,2} r,
+ /**.qed r,
+ /**.vmdk r,
+ /**.[iI][sS][oO] r,
+ /**/disk{,.*} r,
+}
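Review bot: The profile in the new usr.libexec.virt-aa-helper still attaches to the old location in both the header `profile virt-aa-helper /usr/{lib,lib64}/libvirt/virt-aa-helper {` and the self-rule `/usr/{lib,lib64}/libvirt/virt-aa-helper mr,`; the identical blob id (b34fb35) on the deleted and the created file shows the content was moved verbatim. If the helper is installed as /usr/libexec/virt-aa-helper on this layout, as the new file name and the libexec paths in the usr.sbin.libvirtd hunk suggest, the profile loads without error but never attaches to the binary, so the rename alone does not confine it. The two lines should presumably read `profile virt-aa-helper /usr/libexec/virt-aa-helper {` and `/usr/libexec/virt-aa-helper mr,`, with the `# Last Modified:` line updated to match; worth verifying with `aa-status` after installation that the profile is reported as attached.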
diff --git a/examples/apparmor/usr.sbin.libvirtd
b/examples/apparmor/usr.sbin.libvirtd
index 5d606e6..ab2f1a9 100644
--- a/examples/apparmor/usr.sbin.libvirtd
+++ b/examples/apparmor/usr.sbin.libvirtd
@@ -58,8 +58,8 @@
audit deny /sys/kernel/security/apparmor/.* rwxl,
/sys/kernel/security/apparmor/profiles r,
/usr/{lib,lib64}/libvirt/* PUxr,
- /usr/{lib,lib64}/libvirt/libvirt_parthelper ix,
- /usr/{lib,lib64}/libvirt/libvirt_iohelper ix,
+ /usr/libexec/libvirt_parthelper ix,
+ /usr/libexec/libvirt_iohelper ix,
/etc/libvirt/hooks/** rmix,
/etc/xen/scripts/** rmix,
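Review bot: The context line `/usr/{lib,lib64}/libvirt/* PUxr,` is the only rule that lets libvirtd execute virt-aa-helper (and transition it to its own profile), and it is left untouched while the two helper paths below it move to /usr/libexec. If virt-aa-helper now lives in /usr/libexec as well, libvirtd's profile grants no execute permission for it at all, so in enforce mode the AppArmor security driver's helper invocation would be denied; add `/usr/libexec/virt-aa-helper PUxr,` next to the moved `ix` lines. If nothing is installed under /usr/{lib,lib64}/libvirt/ any more, the old wildcard rule should be dropped rather than kept as a stale, broad exec grant. The hunk starts and ends inside the body of the libvirtd profile.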
--
2.3.6
1.1 app-emulation/libvirt/files/libvirtd.init-r16
Index: libvirtd.init-r16
===================================================================
#!/sbin/runscript
# OpenRC runscript for the libvirt management daemon.
description="Virtual Machine Management daemon (libvirt)"

# Commands offered in addition to start/stop/restart, only while the
# service is running; each one gets its own description_<cmd> entry.
extra_started_commands="reload halt"
description_reload="Restarts the libvirt daemon without stopping your VMs"
description_halt="Stops the libvirt daemon without stopping your VMs"
# OpenRC dependency declaration for libvirtd.
# The USE_FLAG_* tokens are not shell commands: presumably the ebuild
# replaces them (with a dependency line or nothing) before installing the
# script -- verify against the ebuild before editing them.
depend() {
	USE_FLAG_FIREWALLD
	# "use": start after these if they are scheduled, but do not require them.
	use USE_FLAG_AVAHI USE_FLAG_ISCSI USE_FLAG_RBD dbus virtlockd
	# "after": ordering only, for time, storage, firewall and cluster services
	# that guests or the daemon may rely on.
	after ntp-client ntpd nfs nfsmount portmap rpc.statd iptables ip6tables ebtables corosync sanlock cgconfig xenconsoled
}
# Run a virsh command against the local system daemon of one driver.
#   $1   - driver name used to build the connection URI (callers pass "qemu")
#   $@   - remaining arguments are handed to virsh unchanged
# stderr is discarded on purpose: virsh prints an error about the
# hypervisor version on every connection to libvirtd, which would only
# clutter the rc output.
libvirtd_virsh() {
	local uri="$1:///system"
	shift
	LC_ALL=C virsh -c ${uri} "$@" 2>/dev/null
}
# Print the ids of all running domains of driver $1, one per line.
# The state is compared as a whole field so that a domain whose *name*
# contains the word "running" is not picked up by accident.
libvirtd_dom_list() {
	libvirtd_virsh $1 list | awk '{ if ($3 == "running") print $1 }'
}
# Print the number of running domains of driver $1 (always a number,
# "0" when virsh returns nothing).  Matching on the state field alone
# keeps a domain named "...running..." from being counted.
libvirtd_dom_count() {
	libvirtd_virsh $1 list | awk '$3 == "running" { n++ } END { print n + 0 }'
}
# Print the names of all active libvirt networks of driver $1.
# Compare the state column only, so a network called "...active..."
# does not match.
libvirtd_net_list() {
	libvirtd_virsh $1 net-list | awk '{ if ($2 == "active") print $1 }'
}
# Print the number of active libvirt networks of driver $1 ("0" when
# there are none).  Only the state column is inspected, so a network
# whose name contains "active" is not counted by mistake.
libvirtd_net_count() {
	libvirtd_virsh $1 net-list | awk '$2 == "active" { n++ } END { print n + 0 }'
}
# Start libvirtd.
# Refuses to start (returns 1) when one of the per-driver configuration
# directories under /etc/libvirt/ exists as a regular file, bug #532892.
# LIBVIRTD_OPTS from /etc/conf.d/libvirtd is appended to the daemon
# command line; the Kerberos keytab location is passed via the environment.
start() {
	for dir in lxc nwfilter qemu storage; do
		[ -f /etc/libvirt/$dir ] || continue
		eerror "/etc/libvirt/$dir was created as a regular file. It must be either"
		eerror "a directory or not present for libvirtd to start up successfully."
		return 1
	done

	ebegin "Starting libvirtd"
	start-stop-daemon --start \
		--env KRB5_KTNAME=/etc/libvirt/krb5.tab \
		--exec /usr/sbin/libvirtd -- -d ${LIBVIRTD_OPTS}
	eend $?
}
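# Stop libvirtd after applying the configured guest and network policy.
#
# Settings read from /etc/conf.d/libvirtd:
#   LIBVIRTD_KVM_SHUTDOWN, LIBVIRTD_KVM_RESTART        shutdown|managedsave|none
#   LIBVIRTD_KVM_SHUTDOWN_MAXWAIT                      seconds to wait for
#                                                      "shutdown" (default 500)
#   LIBVIRTD_KVM_NET_SHUTDOWN, LIBVIRTD_KVM_NET_RESTART yes|no (anything other
#                                                      than "no" shuts networks down)
# The *_RESTART value is used instead of the *_SHUTDOWN one when RC_CMD is
# "restart" and it is non-empty.  Returns the status of start-stop-daemon.
stop() {
	local policy=
	local counter=
	local net_policy=
	local vm_name=
	local net_name=
	local dom_id=
	local dom_count=

	ebegin "Stopping libvirtd"

	# Pick the domain policy; the restart-specific setting wins on restart.
	if [ "${RC_CMD}" = "restart" ] && [ -n "${LIBVIRTD_KVM_RESTART}" ] ; then
		policy="${LIBVIRTD_KVM_RESTART}"
	else
		policy="${LIBVIRTD_KVM_SHUTDOWN}"
	fi

	# Sanitize: ${policy} is passed to virsh as a sub-command, so only the
	# three known values are accepted; anything else falls back to the
	# default for the current rc command.
	case "${policy}" in
		none|managedsave|shutdown) ;;
		*)
			if [ -n "${policy}" ] ; then
				eerror " !!! Invalid policy \"${policy}\" specified in LIBVIRTD_KVM_SHUTDOWN/RESTART"
			fi
			if [ "${RC_CMD}" = "restart" ] ; then
				einfo " Using default (restart) policy \"none\" for domains"
				policy="none"
			else
				einfo " Using default policy \"shutdown\" for domains"
				policy="shutdown"
			fi
			;;
	esac

	# Sanitize the timeout too: it is used in arithmetic and in "-gt" tests
	# below, where a non-numeric value would abort the wait loop with a
	# shell error instead of waiting.
	counter="${LIBVIRTD_KVM_SHUTDOWN_MAXWAIT}"
	case "${counter}" in
		''|*[!0-9]*)
			if [ -n "${counter}" ] ; then
				ewarn " !!! Invalid LIBVIRTD_KVM_SHUTDOWN_MAXWAIT \"${counter}\", using 500"
			fi
			counter=500
			;;
	esac

	if [ "${RC_CMD}" = "restart" ] && [ -n "${LIBVIRTD_KVM_NET_RESTART}" ] ; then
		net_policy="${LIBVIRTD_KVM_NET_RESTART}"
	else
		net_policy="${LIBVIRTD_KVM_NET_SHUTDOWN}"
	fi

	# Try to shut down all (KVM/Qemu) domains.
	if [ "${policy}" != "none" ] \
		&& [ "$(libvirtd_dom_count qemu)" != "0" ] ; then
		einfo " Shutting down domain(s):"
		for dom_id in $(libvirtd_dom_list qemu) ; do
			vm_name="$(libvirtd_virsh qemu domname "${dom_id}" | head -n 1)"
			einfo " ${vm_name}"
			libvirtd_virsh qemu "${policy}" "${dom_id}" > /dev/null
		done

		# Only an ACPI shutdown is asynchronous; give the guests up to
		# ${counter} seconds before the daemon is stopped underneath them.
		if [ "${policy}" = "shutdown" ]; then
			einfo " Waiting ${counter} seconds while domains shutdown ..."
			dom_count="$(libvirtd_dom_count qemu)"
			while [ "${dom_count}" -gt 0 ] && [ "${counter}" -gt 0 ] ; do
				dom_count="$(libvirtd_dom_count qemu)"
				sleep 1
				counter=$((counter - 1))
				echo -n "."
			done
			# Terminate the progress-dot line before any further messages.
			echo ""
		fi

		if [ "$(libvirtd_dom_count qemu)" != "0" ] ; then
			eerror " !!! Some guests are still running, stopping anyway"
		fi
	fi

	# Try to shut down all libvirt-managed networks.
	if [ "${net_policy}" != "no" ] \
		&& [ "$(libvirtd_net_count qemu)" != "0" ]; then
		einfo " Shutting down network(s):"
		for net_name in $(libvirtd_net_list qemu); do
			einfo " ${net_name}"
			libvirtd_virsh qemu net-destroy "${net_name}" > /dev/null
		done

		if [ "$(libvirtd_net_count qemu)" != "0" ]; then
			eerror " !!! Some networks are still active, stopping anyway"
		fi
	fi

	# Now actually stop the daemon.
	start-stop-daemon --stop --quiet --exec \
		/usr/sbin/libvirtd --pidfile=/var/run/libvirtd.pid
	eend $?
}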
# Stop only the daemon.  Guests and networks are left untouched, which is
# what makes this safe to use for upgrading libvirtd underneath running VMs.
halt() {
	ebegin "Stopping libvirtd without shutting down your VMs"
	start-stop-daemon --stop --quiet \
		--exec /usr/sbin/libvirtd \
		--pidfile=/var/run/libvirtd.pid
	eend $?
}
# Restart the daemon without touching guests or networks: halt() stops only
# libvirtd, then start() brings it back.  Unlike "restart", no
# LIBVIRTD_KVM_* policy is applied.
reload() {
	halt
	start
}
1.1 app-emulation/libvirt/files/libvirtd.confd-r6
Index: libvirtd.confd-r6
===================================================================
# /etc/conf.d/libvirtd

# Startup dependency
# libvirtd typically requires all networks to be up and settled, which
# is what rc_need="net" provides.  If you only use specific networks
# for libvirtd, or only use libvirtd locally, you may override this.
rc_need="net"

# LIBVIRTD_OPTS
# You may want to add '--listen' to have libvirtd listen for tcp/ip
# connections if you want to use libvirt for remote control.  Please
# consult 'libvirtd --help' for more options.
# Note that '--listen' exposes the management API on the network: make
# sure the authentication and TLS settings in libvirtd.conf are in place
# before enabling it.
#LIBVIRTD_OPTS="--listen"

# LIBVIRTD_KVM_SHUTDOWN
# Controls the behavior for kvm guests on daemon shutdown.  Defaults to
# "shutdown"; any value outside the list below is rejected by the init
# script and the default is used instead.
#
# Valid options:
# * shutdown
#   - Sends an ACPI shutdown (think of tapping the power button on your
#     machine so it begins a graceful shutdown).  If your VM ignores this,
#     it will have the power yanked out from under it after
#     LIBVIRTD_KVM_SHUTDOWN_MAXWAIT seconds.
# * managedsave
#   - Performs a state save external to the VM.  qemu-kvm will stop the
#     CPU and save all state to a separate file.  When the machine is
#     started again, it will resume as if nothing had happened.  This is
#     guaranteed to stop your machine and restart it successfully,
#     although it may take some time to finish.
# * none
#   - No attempt will be made to stop any VMs.  If you are restarting your
#     machine the qemu-kvm process will simply be killed, which may result
#     in disk corruption inside your VMs.
LIBVIRTD_KVM_SHUTDOWN="shutdown"

# LIBVIRTD_KVM_SHUTDOWN_MAXWAIT
# Timeout in seconds before libvirtd is stopped and the plug is pulled on
# any VMs that are still running.  Only applies to the "shutdown" policy.
LIBVIRTD_KVM_SHUTDOWN_MAXWAIT="500"

# LIBVIRTD_KVM_RESTART
# Controls the behavior for kvm guests on daemon restart.  Defaults to
# "none"
#
# Valid options:
# * <empty>
#   - apply the same policy on daemon restart as defined by
#     LIBVIRTD_KVM_SHUTDOWN for the shutdown
# * shutdown
# * managedsave
# * none
#   - as defined for LIBVIRTD_KVM_SHUTDOWN
LIBVIRTD_KVM_RESTART="none"

# LIBVIRTD_KVM_NET_SHUTDOWN
# If libvirtd created networks for you (e.g. NATed networks) then this
# init script will shut them down for you if this is set to 'yes'.
# Otherwise, the networks will be left running once libvirt is shut down.
# For this option to be useful you must have enabled the 'virt-network'
# USE flag and have had libvirt create a NATed network for you.  Valid
# values: 'yes' or 'no' (the init script treats anything other than 'no'
# as 'yes').
LIBVIRTD_KVM_NET_SHUTDOWN="yes"

# LIBVIRTD_KVM_NET_RESTART
# Valid options:
# * <empty>
#   - apply the same policy on daemon restart as defined by
#     LIBVIRTD_KVM_NET_SHUTDOWN for the shutdown
# * yes
# * no
#   - as defined for LIBVIRTD_KVM_NET_SHUTDOWN
LIBVIRTD_KVM_NET_RESTART=""