Bug#796088: jessie-pu: package libvirt/1.2.9-9+deb8u1
Control: tags -1 + pending

On Wed, 2015-08-26 at 09:58 +0200, Guido Günther wrote:
> Hi,
> On Mon, Aug 24, 2015 at 10:16:40PM +0100, Adam D. Barratt wrote:
> > Control: tags -1 + confirmed
> >
> > On Mon, 2015-08-24 at 20:10 +0200, intrigeri wrote:
> > > Control: tag -1 - moreinfo
> > >
> > > Hi,
> > >
> > > Guido Günther wrote (20 Aug 2015 11:57:36 GMT) :
> > > > On Wed, Aug 19, 2015 at 04:53:32PM +0100, Adam D. Barratt wrote:
> > > > > I have to admit that I'm also confused by the patch for #786650:
> > > > > [...]
> > >
> > > We've discussed this on #786650, and as a result here's an updated debdiff: the only change, compared to the one Guido submitted initially, is that Allow-access-to-libnl-3-config-files.patch now does not include these changes, that are unrelated to #786650, that this patch was meant to fix.
> >
> > That means it also still contains the typo where it claims to fix bug #7788171. :-)
> >
> > > I've just built and tested on Jessie, and could successfully start a VM with AppArmor enforced.
> >
> > Thanks. Please feel free to upload, preferably with the changelog typo fixed.
>
> Uploaded with the bugnumber fixed. Thanks intrigeri, Adam and Felix!

Flagged for acceptance, thanks.

Regards,

Adam
Bug#796088: jessie-pu: package libvirt/1.2.9-9+deb8u1
Hi,
On Mon, Aug 24, 2015 at 10:16:40PM +0100, Adam D. Barratt wrote:
> Control: tags -1 + confirmed
>
> On Mon, 2015-08-24 at 20:10 +0200, intrigeri wrote:
> > Control: tag -1 - moreinfo
> >
> > Hi,
> >
> > Guido Günther wrote (20 Aug 2015 11:57:36 GMT) :
> > > On Wed, Aug 19, 2015 at 04:53:32PM +0100, Adam D. Barratt wrote:
> > > > I have to admit that I'm also confused by the patch for #786650:
> > > > [...]
> >
> > We've discussed this on #786650, and as a result here's an updated debdiff: the only change, compared to the one Guido submitted initially, is that Allow-access-to-libnl-3-config-files.patch now does not include these changes, that are unrelated to #786650, that this patch was meant to fix.
>
> That means it also still contains the typo where it claims to fix bug #7788171. :-)
>
> > I've just built and tested on Jessie, and could successfully start a VM with AppArmor enforced.
>
> Thanks. Please feel free to upload, preferably with the changelog typo fixed.

Uploaded with the bugnumber fixed. Thanks intrigeri, Adam and Felix!

-- Guido
Bug#796088: jessie-pu: package libvirt/1.2.9-9+deb8u1
Control: tags -1 + confirmed

On Mon, 2015-08-24 at 20:10 +0200, intrigeri wrote:
> Control: tag -1 - moreinfo
>
> Hi,
>
> Guido Günther wrote (20 Aug 2015 11:57:36 GMT) :
> > On Wed, Aug 19, 2015 at 04:53:32PM +0100, Adam D. Barratt wrote:
> > > I have to admit that I'm also confused by the patch for #786650:
> > > [...]
>
> We've discussed this on #786650, and as a result here's an updated debdiff: the only change, compared to the one Guido submitted initially, is that Allow-access-to-libnl-3-config-files.patch now does not include these changes, that are unrelated to #786650, that this patch was meant to fix.

That means it also still contains the typo where it claims to fix bug #7788171. :-)

> I've just built and tested on Jessie, and could successfully start a VM with AppArmor enforced.

Thanks. Please feel free to upload, preferably with the changelog typo fixed.

Regards,

Adam
Bug#796088: jessie-pu: package libvirt/1.2.9-9+deb8u1
Control: tag -1 - moreinfo

Hi,

Guido Günther wrote (20 Aug 2015 11:57:36 GMT) :
> On Wed, Aug 19, 2015 at 04:53:32PM +0100, Adam D. Barratt wrote:
> > I have to admit that I'm also confused by the patch for #786650:
> > [...]
> > That seems to make sense...
> >
> > > + # for hostdev + /sys/devices/ r, + /sys/devices/** r, ++ deny /dev/sd* r, ++ deny /dev/vd* r, ++ deny /dev/dm-* r, ++ deny /dev/mapper/ r, ++ deny /dev/mapper/* r,
> >
> > ... these not so much.
>
> According to Felix (cc:) these are only here to silence some denials filling the logs otherwise. So they cause no harm but are not mentioned in the changelog. I could fix that up before an upload.

We've discussed this on #786650, and as a result here's an updated debdiff: the only change, compared to the one Guido submitted initially, is that Allow-access-to-libnl-3-config-files.patch now does not include these changes, that are unrelated to #786650, that this patch was meant to fix.

I've just built and tested on Jessie, and could successfully start a VM with AppArmor enforced.

Cheers,
-- intrigeri

diff -Nru libvirt-1.2.9/debian/changelog libvirt-1.2.9/debian/changelog --- libvirt-1.2.9/debian/changelog 2015-02-06 15:43:48.0 +0100 +++ libvirt-1.2.9/debian/changelog 2015-08-24 16:21:08.0 +0200 
@@ -1,3 +1,28 @@ +libvirt (1.2.9-9+deb8u1) jessie; urgency=medium + + [ Guido Günther ] + * [8e4cf5a] Teach virt-aa-helper to use TEMPLATE.qemu if the domain is kvm +or kqemu. +Thanks to Luke Faraone for the report (Closes: #786650) + * [ad1ff0b] Adjust gbp.conf for jessie + * [c830a54] Disable test suite due to libxml2 bug #781232 in jessie + * [be70aec] Fix crash on live migration +this supplements 07dbec0a64783f644854a22aa0355720f0328d17. +Thanks to Eckebrecht von Pappenheim (Closes: #7788171) + + [ Felix Geyer ] + * [9fb6c59] Allow access to libnl-3 configuration (Closes: #786652) + + [ intrigeri ] + * Allow-access-to-libnl-3-config-files.patch: revert changes that are +unrelated to the bug this patch is meant to fix. + + [ Daniel P. Berrange ] + * [afae69a] Report original error when QMP probing fails with new QEMU +(Closes: #780093) + + -- Guido Günther a...@sigxcpu.org Thu, 13 Aug 2015 15:56:49 +0200 + libvirt (1.2.9-9) unstable; urgency=medium * [4c14b83] qemu: Don't try to parse -help for new QEMU. diff -Nru libvirt-1.2.9/debian/gbp.conf libvirt-1.2.9/debian/gbp.conf --- libvirt-1.2.9/debian/gbp.conf 2015-02-05 21:22:11.0 +0100 +++ libvirt-1.2.9/debian/gbp.conf 2015-08-24 16:21:08.0 +0200 @@ -1,6 +1,7 @@ [DEFAULT] upstream-branch=upstream/sid -debian-branch=master +debian-branch=debian/jessie +dist=jessie [gbp-pq] patch-numbers = False diff -Nru libvirt-1.2.9/debian/patches/Allow-access-to-libnl-3-config-files.patch libvirt-1.2.9/debian/patches/Allow-access-to-libnl-3-config-files.patch --- libvirt-1.2.9/debian/patches/Allow-access-to-libnl-3-config-files.patch 1970-01-01 01:00:00.0 +0100 +++ libvirt-1.2.9/debian/patches/Allow-access-to-libnl-3-config-files.patch 2015-08-24 16:21:08.0 +0200 
@@ -0,0 +1,22 @@ +From: Felix Geyer fge...@debian.org +Date: Sat, 13 Jun 2015 10:22:40 +0200 +Subject: Allow access to libnl-3 config files + +Closes: #786650 +--- + examples/apparmor/usr.lib.libvirt.virt-aa-helper | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/examples/apparmor/usr.lib.libvirt.virt-aa-helper b/examples/apparmor/usr.lib.libvirt.virt-aa-helper +index bceaaff..a3c9938 100644 +--- a/examples/apparmor/usr.lib.libvirt.virt-aa-helper b/examples/apparmor/usr.lib.libvirt.virt-aa-helper +@@ -16,6 +16,8 @@ + owner @{PROC}/[0-9]*/status r, + @{PROC}/filesystems r, + ++ /etc/libnl-3/classid r, ++ + # for hostdev + /sys/devices/ r, + /sys/devices/** r, diff -Nru libvirt-1.2.9/debian/patches/Fix-crash-on-live-migration.patch libvirt-1.2.9/debian/patches/Fix-crash-on-live-migration.patch --- libvirt-1.2.9/debian/patches/Fix-crash-on-live-migration.patch 1970-01-01 01:00:00.0 +0100 +++ libvirt-1.2.9/debian/patches/Fix-crash-on-live-migration.patch 2015-08-24 16:21:08.0 +0200 @@ -0,0 +1,25 @@ +From: =?utf-8?q?Guido_G=C3=BCnther?= a...@sigxcpu.org +Date: Sat, 13 Jun 2015 10:38:26 +0200 +Subject: Fix crash on live migration + +this supplements 07dbec0a64783f644854a22aa0355720f0328d17. + +Closes: #7788171 +Thanks: Eckebrecht von Pappenheim +--- + src/qemu/qemu_migration.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/qemu/qemu_migration.c b/src/qemu/qemu_migration.c +index e18556f..87f3f1a 100644 +--- a/src/qemu/qemu_migration.c b/src/qemu/qemu_migration.c +@@ -2746,7 +2746,7 @@ qemuMigrationPrepareAny(virQEMUDriverPtr driver, + QEMU_ASYNC_JOB_MIGRATION_IN) 0) + goto stop; + +-if (STREQ(protocol, rdma) ++if (STREQ_NULLABLE(protocol, rdma) + virProcessSetMaxMemLock(vm-pid, vm-def-mem.hard_limit 10) 0) { + goto stop; +
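Review bot: The bug references in debian/changelog and in the two patch headers do not agree. The changelog entry for [9fb6c59] says "Closes: #786652" while the header of Allow-access-to-libnl-3-config-files.patch says "Closes: #786650", a number the changelog already assigns to [8e4cf5a]. Both the [be70aec] changelog entry and the header of Fix-crash-on-live-migration.patch say "Closes: #7788171", which has one digit too many; the thread identifies #788171 as the intended report. Correct the numbers in the patch headers as well as in the changelog so that the two stay in step.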
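Review bot: In the usr.lib.libvirt.virt-aa-helper hunk (@@ -16,6 +16,8 @@) the new rule "/etc/libnl-3/classid r," carries no comment, while the rule group right below it is introduced by "# for hostdev". Add a one-line comment naming what needs the file, and align the Subject with the rule: it says "config files" but the hunk grants read access to exactly one path. Keeping the grant to that single file rather than a glob over /etc/libnl-3/ is the right scope for a confinement profile.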
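Review bot: The commit message of Fix-crash-on-live-migration.patch does not say under which conditions protocol is NULL when the rdma check in qemuMigrationPrepareAny is reached, which is the reason for replacing STREQ with STREQ_NULLABLE. "this supplements 07dbec0a64783f644854a22aa0355720f0328d17" gives a hash but no description of the crashing path. Add a sentence naming the caller or migration mode that passes no protocol, so that a stable reviewer can judge whether other uses of protocol in the same function need the same NULL-safe comparison.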
Bug#796088: jessie-pu: package libvirt/1.2.9-9+deb8u1
Hi,
On Sat, Aug 22, 2015 at 02:51:46PM +0100, Adam D. Barratt wrote:
> On Wed, 2015-08-19 at 18:37 +0200, Guido Günther wrote:
> > Hi,
> > On Wed, Aug 19, 2015 at 04:49:56PM +0100, Adam D. Barratt wrote:
> > > Control: tags -1 + moreinfo
> >
> > Thanks for looking into this so quickly.
> >
> > > On Wed, 2015-08-19 at 13:22 +0200, Guido Günther wrote:
> > > > I'd like to update libvirt in unstable to fix the broken AppArmor
> > >
> > > I assume stable :-)
> > >
> > > > support, a crash during live migration and an error handling problem leading lots of users into the wrong direction. The debdiff is attached and all bugs are already fixed in either sid or experimental (due to the g++ transition).
> > >
> > > I have to admit that I'd really prefer that to be already fixed in sid. I'm not sure where libvirt is in the transition pile though.
> >
> > How would I find out? Libvirt is C but there's very likely C++ in the dependency graph.
>
> As long as there's no C++ code in libvirt itself and it does not expose any C++ artefacts in its public ABI, uploading it to unstable now should be fine.

There's no C++ involved so uploaded now...

> > > > We also have to disable the test suite due to a libxml2 bug.
> > >
> > > Ewww.
> >
> > Yeah, that's bad.
>
> I assume simply disabling some tests isn't a useful or viable option?

I'd rather put the time into fixing libxml2. While it's possible to skip the affected tests it would introduce more changes in libvirt since we'd need to switch to dh_autoreconf when changing makefiles to skip the tests. I'd rather reenable the tests once libxml2 is fixed (since the libxml2 bug also leads to some user visible regressions visible in libvirt)

Cheers,
-- Guido

> > > > + * [be70aec] Fix crash on live migration +this supplements 07dbec0a64783f644854a22aa0355720f0328d17. +Thanks to Eckebrecht von Pappenheim (Closes: #7788171)
> > >
> > > ITYM #788171. However, the metadata for that bug suggests it's not currently fixed in either experimental or unstable.
> >
> > Missing bug hygiene on my end. The patch was in fact a cherry-pick from a newer version and I just checked that it's still fixed in 1.2.18.
>
> Ah, thanks.
>
> Regards,
>
> Adam
Bug#796088: jessie-pu: package libvirt/1.2.9-9+deb8u1
On Wed, 2015-08-19 at 18:37 +0200, Guido Günther wrote:
> Hi,
> On Wed, Aug 19, 2015 at 04:49:56PM +0100, Adam D. Barratt wrote:
> > Control: tags -1 + moreinfo
>
> Thanks for looking into this so quickly.
>
> > On Wed, 2015-08-19 at 13:22 +0200, Guido Günther wrote:
> > > I'd like to update libvirt in unstable to fix the broken AppArmor
> >
> > I assume stable :-)
> >
> > > support, a crash during live migration and an error handling problem leading lots of users into the wrong direction. The debdiff is attached and all bugs are already fixed in either sid or experimental (due to the g++ transition).
> >
> > I have to admit that I'd really prefer that to be already fixed in sid. I'm not sure where libvirt is in the transition pile though.
>
> How would I find out? Libvirt is C but there's very likely C++ in the dependency graph.

As long as there's no C++ code in libvirt itself and it does not expose any C++ artefacts in its public ABI, uploading it to unstable now should be fine.

> > > We also have to disable the test suite due to a libxml2 bug.
> >
> > Ewww.
>
> Yeah, that's bad.

I assume simply disabling some tests isn't a useful or viable option?

> > > + * [be70aec] Fix crash on live migration +this supplements 07dbec0a64783f644854a22aa0355720f0328d17. +Thanks to Eckebrecht von Pappenheim (Closes: #7788171)
> >
> > ITYM #788171. However, the metadata for that bug suggests it's not currently fixed in either experimental or unstable.
>
> Missing bug hygiene on my end. The patch was in fact a cherry-pick from a newer version and I just checked that it's still fixed in 1.2.18.

Ah, thanks.

Regards,

Adam
Bug#796088: jessie-pu: package libvirt/1.2.9-9+deb8u1
Hi,
On Wed, Aug 19, 2015 at 04:53:32PM +0100, Adam D. Barratt wrote:
> I have to admit that I'm also confused by the patch for #786650:
>
> On Wed, 2015-08-19 at 13:22 +0200, Guido Günther wrote:
> > +Subject: Allow access to libnl-3 config files [...] ++ /etc/libnl-3/classid r, ++
>
> That seems to make sense...
>
> > + # for hostdev + /sys/devices/ r, + /sys/devices/** r, ++ deny /dev/sd* r, ++ deny /dev/vd* r, ++ deny /dev/dm-* r, ++ deny /dev/mapper/ r, ++ deny /dev/mapper/* r,
>
> ... these not so much.

According to Felix (cc:) these are only here to silence some denials filling the logs otherwise. So they cause no harm but are not mentioned in the changelog. I could fix that up before an upload.

Cheers,
-- Guido
Bug#796088: jessie-pu: package libvirt/1.2.9-9+deb8u1
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

Hi,

I'd like to update libvirt in unstable to fix the broken AppArmor support, a crash during live migration and an error handling problem leading lots of users into the wrong direction. The debdiff is attached and all bugs are already fixed in either sid or experimental (due to the g++ transition). We also have to disable the test suite due to a libxml2 bug.

O.k. to upload to p-u?

Cheers,
-- Guido

-- System Information:
Debian Release: 8.1
APT prefers stable
APT policy: (990, 'stable'), (500, 'stable-updates'), (500, 'unstable'), (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.1.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

diff --git a/debian/changelog b/debian/changelog index 5932017..5c79c12 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,24 @@ +libvirt (1.2.9-9+deb8u1) jessie; urgency=medium + + [ Guido Günther ] + * [8e4cf5a] Teach virt-aa-helper to use TEMPLATE.qemu if the domain is kvm +or kqemu. +Thanks to Luke Faraone for the report (Closes: #786650) + * [ad1ff0b] Adjust gbp.conf for jessie + * [c830a54] Disable test suite due to libxml2 bug #781232 in jessie + * [be70aec] Fix crash on live migration +this supplements 07dbec0a64783f644854a22aa0355720f0328d17. +Thanks to Eckebrecht von Pappenheim (Closes: #7788171) + + [ Felix Geyer ] + * [9fb6c59] Allow access to libnl-3 configuration (Closes: #786652) + + [ Daniel P. Berrange ] + * [afae69a] Report original error when QMP probing fails with new QEMU +(Closes: #780093) + + -- Guido Günther a...@sigxcpu.org Thu, 13 Aug 2015 15:56:49 +0200 + libvirt (1.2.9-9) unstable; urgency=medium * [4c14b83] qemu: Don't try to parse -help for new QEMU. 
diff --git a/debian/gbp.conf b/debian/gbp.conf index c97ab1d..3673a45 100644 --- a/debian/gbp.conf +++ b/debian/gbp.conf @@ -1,6 +1,7 @@ [DEFAULT] upstream-branch=upstream/sid -debian-branch=master +debian-branch=debian/jessie +dist=jessie [gbp-pq] patch-numbers = False diff --git a/debian/patches/Allow-access-to-libnl-3-config-files.patch b/debian/patches/Allow-access-to-libnl-3-config-files.patch new file mode 100644 index 000..6932e41 --- /dev/null +++ b/debian/patches/Allow-access-to-libnl-3-config-files.patch @@ -0,0 +1,30 @@ +From: Felix Geyer fge...@debian.org +Date: Sat, 13 Jun 2015 10:22:40 +0200 +Subject: Allow access to libnl-3 config files + +Closes: #786650 +--- + examples/apparmor/usr.lib.libvirt.virt-aa-helper | 7 +++ + 1 file changed, 7 insertions(+) + +diff --git a/examples/apparmor/usr.lib.libvirt.virt-aa-helper b/examples/apparmor/usr.lib.libvirt.virt-aa-helper +index bceaaff..60739d0 100644 +--- a/examples/apparmor/usr.lib.libvirt.virt-aa-helper b/examples/apparmor/usr.lib.libvirt.virt-aa-helper +@@ -16,9 +16,16 @@ + owner @{PROC}/[0-9]*/status r, + @{PROC}/filesystems r, + ++ /etc/libnl-3/classid r, ++ + # for hostdev + /sys/devices/ r, + /sys/devices/** r, ++ deny /dev/sd* r, ++ deny /dev/vd* r, ++ deny /dev/dm-* r, ++ deny /dev/mapper/ r, ++ deny /dev/mapper/* r, + + /usr/lib/libvirt/virt-aa-helper mr, + /sbin/apparmor_parser Ux, diff --git a/debian/patches/Fix-crash-on-live-migration.patch b/debian/patches/Fix-crash-on-live-migration.patch new file mode 100644 index 000..9bd259c --- /dev/null +++ b/debian/patches/Fix-crash-on-live-migration.patch 
@@ -0,0 +1,25 @@ +From: =?utf-8?q?Guido_G=C3=BCnther?= a...@sigxcpu.org +Date: Sat, 13 Jun 2015 10:38:26 +0200 +Subject: Fix crash on live migration + +this supplements 07dbec0a64783f644854a22aa0355720f0328d17. + +Closes: #7788171 +Thanks: Eckebrecht von Pappenheim +--- + src/qemu/qemu_migration.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/qemu/qemu_migration.c b/src/qemu/qemu_migration.c +index e18556f..87f3f1a 100644 +--- a/src/qemu/qemu_migration.c b/src/qemu/qemu_migration.c +@@ -2746,7 +2746,7 @@ qemuMigrationPrepareAny(virQEMUDriverPtr driver, + QEMU_ASYNC_JOB_MIGRATION_IN) 0) + goto stop; + +-if (STREQ(protocol, rdma) ++if (STREQ_NULLABLE(protocol, rdma) + virProcessSetMaxMemLock(vm-pid, vm-def-mem.hard_limit 10) 0) { + goto stop; + } diff --git a/debian/patches/series b/debian/patches/series index fcb95a0..bac1f34 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -27,3 +27,7 @@ upstream/vbox-fix-a-bug-in-_machineStateInactive.patch security/CVE-2015-0236-qemu-Check-ACLs-when-dumping-security-.patch security/CVE-2015-0236-qemu-Check-ACLs-when-dumping-securi-14.patch qemu-Don-t-try-to-parse-help-for-new-QEM.patch +upstream/Teach-virt-aa-helper-to-use-TEMPLATE.qemu-if-the-dom.patch
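Review bot: The five deny rules added under "# for hostdev" in the usr.lib.libvirt.virt-aa-helper hunk (@@ -16,9 +16,16 @@), covering /dev/sd*, /dev/vd*, /dev/dm-*, /dev/mapper/ and /dev/mapper/*, are not explained by the patch Subject, its Closes: line or the changelog entry. In an AppArmor profile an explicit deny overrides any allow rule and is not logged by default, so these lines both fix what virt-aa-helper can read and remove the matching events from the audit log. Split them into a patch of their own with a comment stating why the accesses are expected and harmless, and mention them in debian/changelog, so that a later allow rule for one of these paths is not silently overridden.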
Bug#796088: jessie-pu: package libvirt/1.2.9-9+deb8u1
Hi,

Guido Günther wrote (19 Aug 2015 11:22:58 GMT) :
> I'd like to update libvirt in unstable to fix the broken AppArmor support,
> [...]

I'd like to add that it feels important to me to fix these bugs in Jessie, in order to avoid creating a culture of just disable AppArmor among Debian users (see e.g. how many, if not most, RHEL users relate to SELinux). Sorry this has to be handled via s-p-u.

FWIW, I've reviewed and successfully tested the AppArmor changes on sid. Also, I seem to remember that someone else (Felix Geyer?) has tested these patches on Jessie as well.

Cheers,
-- intrigeri
Bug#796088: jessie-pu: package libvirt/1.2.9-9+deb8u1
I have to admit that I'm also confused by the patch for #786650:

On Wed, 2015-08-19 at 13:22 +0200, Guido Günther wrote:
> +Subject: Allow access to libnl-3 config files [...] ++ /etc/libnl-3/classid r, ++

That seems to make sense...

> + # for hostdev + /sys/devices/ r, + /sys/devices/** r, ++ deny /dev/sd* r, ++ deny /dev/vd* r, ++ deny /dev/dm-* r, ++ deny /dev/mapper/ r, ++ deny /dev/mapper/* r,

... these not so much.

Regards,

Adam
Bug#796088: jessie-pu: package libvirt/1.2.9-9+deb8u1
Control: tags -1 + moreinfo

On Wed, 2015-08-19 at 13:22 +0200, Guido Günther wrote:
> I'd like to update libvirt in unstable to fix the broken AppArmor

I assume stable :-)

> support, a crash during live migration and an error handling problem leading lots of users into the wrong direction. The debdiff is attached and all bugs are already fixed in either sid or experimental (due to the g++ transition).

I have to admit that I'd really prefer that to be already fixed in sid. I'm not sure where libvirt is in the transition pile though.

> We also have to disable the test suite due to a libxml2 bug.

Ewww.

> + * [be70aec] Fix crash on live migration +this supplements 07dbec0a64783f644854a22aa0355720f0328d17. +Thanks to Eckebrecht von Pappenheim (Closes: #7788171)

ITYM #788171. However, the metadata for that bug suggests it's not currently fixed in either experimental or unstable.

Regards,

Adam
Bug#796088: jessie-pu: package libvirt/1.2.9-9+deb8u1
Hi,
On Wed, Aug 19, 2015 at 04:49:56PM +0100, Adam D. Barratt wrote:
> Control: tags -1 + moreinfo

Thanks for looking into this so quickly.

> On Wed, 2015-08-19 at 13:22 +0200, Guido Günther wrote:
> > I'd like to update libvirt in unstable to fix the broken AppArmor
>
> I assume stable :-)
>
> > support, a crash during live migration and an error handling problem leading lots of users into the wrong direction. The debdiff is attached and all bugs are already fixed in either sid or experimental (due to the g++ transition).
>
> I have to admit that I'd really prefer that to be already fixed in sid. I'm not sure where libvirt is in the transition pile though.

How would I find out? Libvirt is C but there's very likely C++ in the dependency graph.

> > We also have to disable the test suite due to a libxml2 bug.
>
> Ewww.

Yeah, that's bad.

> > + * [be70aec] Fix crash on live migration +this supplements 07dbec0a64783f644854a22aa0355720f0328d17. +Thanks to Eckebrecht von Pappenheim (Closes: #7788171)
>
> ITYM #788171. However, the metadata for that bug suggests it's not currently fixed in either experimental or unstable.

Missing bug hygiene on my end. The patch was in fact a cherry-pick from a newer version and I just checked that it's still fixed in 1.2.18.

Cheers,
-- Guido