Currently, nbdkit support will automatically be enabled as long as
the pidfd_open(2) syscall is available. Optionally, libnbd is used
to generate more user-friendly error messages.
In theory this is all good, since use of nbdkit is supposed to be
transparent to the user. In practice, however, there is a problem:
if support for it is enabled at build time and the necessary
runtime components are installed, nbdkit will always be preferred,
with no way for the user to opt out.
This will arguably be fine in the long run, but right now none of
the platforms that we target ships with a SELinux policy that
allows libvirt to launch nbdkit, and the AppArmor policy that we
maintain ourselves hasn't been updated either.
So, in practice, as of today having nbdkit installed on the host
makes network disks completely unusable unless you're willing to
compromise the overall security of the system by disabling
SELinux/AppArmor.
In order to make the transition smoother, provide a convenient
way for users and distro packagers to disable nbdkit support at
compile time until SELinux and AppArmor are ready.
In the process, detection is completely overhauled. libnbd is
made mandatory when nbdkit support is enabled, since availability
across operating systems is comparable and offering users the
option to make error messages worse doesn't make a lot of sense;
we also make sure that an explicit request from the user to
enable/disable nbdkit support is either complied with, or results
in a build failure when that's not possible. Last but not least,
we avoid linking against libnbd when nbdkit support is disabled.
At the RPM level, we disable the feature when building against
anything older than Fedora 40, which still doesn't have the
necessary SELinux bits but will hopefully gain them by the time
it's released. We also allow nbdkit support to be disabled at
build time the same way as other optional features, that is, by
passing "--define '_without_nbdkit 1'" to rpmbuild. Finally, if
nbdkit support has been disabled, installing libvirt will no
longer drag it in as a (weak) dependency.
Signed-off-by: Andrea Bolognani
---
libvirt.spec.in| 28 +---
meson.build| 29 +
meson_options.txt | 2 +-
src/qemu/qemu_nbdkit.c | 6 +++---
4 files changed, 50 insertions(+), 15 deletions(-)
diff --git a/libvirt.spec.in b/libvirt.spec.in
index f3d21ccc8f..fe54c45c5c 100644
--- a/libvirt.spec.in
+++ b/libvirt.spec.in
@@ -95,6 +95,7 @@
%define with_fuse 0
%define with_sanlock 0
%define with_numad0
+%define with_nbdkit 0
%define with_firewalld_zone 0
%define with_netcf0
%define with_libssh2 0
@@ -173,6 +174,18 @@
%endif
%endif
+# We should only enable nbdkit support if the OS ships a SELinux policy that
+# allows libvirt to launch it. Right now that's not the case anywhere, but
+# things should be fine by the time Fedora 40 is released.
+#
+# TODO: add RHEL 9 once a minor release that contains the necessary SELinux
+# bits exists (we only support the most recent minor release)
+%if %{with_qemu}
+%if 0%{?fedora} >= 40
+%define with_nbdkit 0%{!?_without_nbdkit:1}
+%endif
+%endif
+
%ifarch %{arches_dmidecode}
%define with_dmidecode 0%{!?_without_dmidecode:1}
%endif
@@ -312,6 +325,9 @@ BuildRequires: util-linux
BuildRequires: libacl-devel
# From QEMU RPMs, used by virstoragetest
BuildRequires: /usr/bin/qemu-img
+%endif
+# nbdkit support requires libnbd
+%if %{with_nbdkit}
BuildRequires: libnbd-devel
%endif
# For LVM drivers
@@ -769,9 +785,11 @@ Requires: numad
Recommends: passt
Recommends: passt-selinux
%endif
+%if %{with_nbdkit}
Recommends: nbdkit
Recommends: nbdkit-curl-plugin
Recommends: nbdkit-ssh-plugin
+%endif
%description daemon-driver-qemu
The qemu driver plugin for the libvirtd daemon, providing
@@ -1078,10 +1096,8 @@ exit 1
%if %{with_qemu}
%define arg_qemu -Ddriver_qemu=enabled
-%define arg_libnbd -Dlibnbd=enabled
%else
%define arg_qemu -Ddriver_qemu=disabled
-%define arg_libnbd -Dlibnbd=disabled
%endif
%if %{with_openvz}
@@ -1158,6 +1174,12 @@ exit 1
%define arg_numad -Dnumad=disabled
%endif
+%if %{with_nbdkit}
+%define arg_nbdkit -Dnbdkit=enabled
+%else
+%define arg_nbdkit -Dnbdkit=disabled
+%endif
+
%if %{with_fuse}
%define arg_fuse -Dfuse=enabled
%else
@@ -1270,7 +1292,7 @@ export SOURCE_DATE_EPOCH=$(stat --printf='%Y'
%{_specdir}/libvirt.spec)
-Dyajl=enabled \
%{?arg_sanlock} \
-Dlibpcap=enabled \
- %{?arg_libnbd} \
+ %{?arg_nbdkit} \
-Dlibnl=enabled \
-Daudit=enabled \
-Ddtrace=enabled \
diff --git a/meson.build b/meson.build
index 6fa1f74670..de23fbda1e 100644
--- a/meson.build
+++ b/meson.build
@@ -1011,10 +1011,27 @@ endif
libiscsi_version = '1.18.0'
libiscsi_dep =
