diff --git a/.cvsignore b/.cvsignore
index 28467d2..b91818f 100644
--- a/.cvsignore
+++ b/.cvsignore
@@ -22,3 +22,4 @@ libvirt-0.3.0.tar.gz
 libvirt-0.3.1.tar.gz
 libvirt-0.3.2.tar.gz
 libvirt-0.3.3.tar.gz
+libvirt-0.4.0.tar.gz
diff --git a/libvirt-0.3.3-example-config.patch b/libvirt-0.3.3-example-config.patch
deleted file mode 100644
index 65c5ef4..0000000
--- a/libvirt-0.3.3-example-config.patch
+++ /dev/null
@@ -1,207 +0,0 @@ -changeset: 1147:7481eafdde8d -user: berrange -date: Fri Oct 12 18:54:15 2007 +0000 -files: libvirt.spec.in qemud/Makefile.am qemud/libvirtd.conf src/Makefile.am src/qemu.conf -description: -Added default example configs for libvirtd/qemu driver - - -diff -r c48e81e685a3 -r 7481eafdde8d qemud/libvirtd.conf ---- /dev/null Thu Jan 01 00:00:00 1970 +0000 -+++ b/qemud/libvirtd.conf Fri Oct 12 18:54:15 2007 +0000 -@@ -0,0 +1,141 @@ -+# Master libvirt daemon configuration file -+# -+# For further information consult http://libvirt.org/format.html -+ -+ -+# Flag listening for secure TLS connections on the public TCP/IP port. -+# NB, must pass the --listen flag to the libvirtd process for this to -+# have any effect. -+# -+# It is neccessary to setup a CA and issue server certificates before -+# using this capability. -+# -+# This is enabled by default, uncomment this to disable it -+# listen_tls = 0 -+ -+# Listen for unencrypted TCP connections on the public TCP/IP port. -+# NB, must pass the --listen flag to the libvirtd process for this to -+# have any effect. -+# -+# NB, this is insecure. Do not use except for development. -+# -+# This is disabled by default, uncomment this to enable it. -+# listen_tcp = 1 -+ -+ -+ -+# Override the port for accepting secure TLS connections -+# This can be a port number, or service name -+# -+# tls_port = "16514" -+ -+# Override the port for accepting insecure TCP connections -+# This can be a port number, or service name -+# -+# tcp_port = "16509" -+ -+ -+ -+# Flag toggling mDNS advertizement of the libvirt service. -+# -+# Alternatively can disable for all services on a host by -+# stopping the Avahi daemon -+# -+# This is enabled by default, uncomment this to disable it -+# mdns_adv = 0 -+ -+# Override the default mDNS advertizement name. This must be -+# unique on the immediate broadcast network. 
-+# -+# The default is "Virtualization Host HOSTNAME", where HOSTNAME -+# is subsituted for the short hostname of the machine (without domain) -+# -+# mdns_name "Virtualization Host Joe Demo" -+ -+ -+ -+# Set the UNIX domain socket group ownership. This can be used to -+# allow a 'trusted' set of users access to management capabilities -+# without becoming root. -+# -+# This is restricted to 'root' by default. -+# unix_sock_group "libvirt" -+ -+# Set the UNIX socket permissions for the R/O socket. This is used -+# for monitoring VM status only -+# -+# Default allows any user. If setting group ownership may want to -+# restrict this to: -+# unix_sock_ro_perms "0777" -+ -+# Set the UNIX socket permissions for the R/W socket. This is used -+# for full management of VMs -+# -+# Default allows only root. If setting group ownership may want to -+# relax this to: -+# unix_sock_rw_perms "octal-perms" "0770" -+ -+ -+ -+# Flag to disable verification of client certificates -+# -+# Client certificate verification is the primary authentication mechanism. -+# Any client which does not present a certificate signed by the CA -+# will be rejected. -+# -+# Default is to always verify. Uncommenting this will disable -+# verification - make sure an IP whitelist is set -+# tls_no_verify_certificate 1 -+ -+# Flag to disable verification of client IP address -+# -+# Client IP address will be verified against the CommonName field -+# of the x509 certificate. This has minimal security benefit since -+# it is easy to spoof source IP. -+# -+# Uncommenting this will disable verification -+# tls_no_verify_address 1 -+ -+# Override the default server key file path -+# -+# key_file "/etc/pki/libvirt/private/serverkey.pem" -+ -+# Override the default server certificate file path -+# -+# cert_file "/etc/pki/libvirt/servercert.pem" -+ -+# Override the default CA certificate path -+# -+# ca_file "/etc/pki/CA/cacert.pem" -+ -+# Specify a certificate revocation list. 
-+# -+# Defaults to not using a CRL, uncomment to enable it -+# crl_file "/etc/pki/CA/crl.pem" -+ -+# A whitelist of allowed x509 Distinguished Names -+# This list may contain wildcards such as -+# -+# "C=GB,ST=London,L=London,O=Red Hat,CN=*" -+# -+# See the POSIX fnmatch function for the format of the wildcards. -+# -+# NB If this is an empty list, no client can connect, so comment out -+# entirely rather than using empty list to disable these checks -+# -+# By default, no DN's are checked -+# tls_allowed_dn_list ["DN1", "DN2"] -+ -+ -+# A whitelist of allowed client IP addresses -+# -+# This list may contain wildcards such as 192.168.* See the POSIX fnmatch -+# function for the format of the wildcards. -+# -+# NB If this is an empty list, no client can connect, so comment out -+# entirely rather than using empty list to disable these checks -+# -+# By default, no IP's are checked. This can be IPv4 or IPv6 addresses -+# tls_allowed_ip_list ["ip1", "ip2", "ip3"] -+ -+ -diff -r c48e81e685a3 -r 7481eafdde8d src/qemu.conf ---- /dev/null Thu Jan 01 00:00:00 1970 +0000 -+++ b/src/qemu.conf Fri Oct 12 18:54:15 2007 +0000 -@@ -0,0 +1,49 @@ -+# Master configuration file for the QEMU driver. -+# All settings described here are optional - if omitted, sensible -+# defaults are used. -+ -+# VNC is configured to listen on 127.0.0.1 by default. -+# To make it listen on all public interfaces, uncomment -+# this next option. -+# -+# NB, strong recommendation to enable TLS + x509 certificate -+# verification when allowing public access -+# -+# vnc_listen = "0.0.0.0" -+ -+ -+# Enable use of TLS encryption on the VNC server. This requires -+# a VNC client which supports the VeNCrypt protocol extension. -+# Examples include vinagre, virt-viewer, virt-manager and vencrypt -+# itself. UltraVNC, RealVNC, TightVNC do not support this -+# -+# It is neccessary to setup CA and issue a server certificate -+# before enabling this. 
-+# -+# vnc_tls = 1 -+ -+ -+# Use of TLS requires that x509 certificates be issued. The -+# default it to keep them in /etc/pki/libvirt-vnc. This directory -+# must contain -+# -+# ca-cert.pem - the CA master certificate -+# server-cert.pem - the server certificate signed with ca-cert.pem -+# server-key.pem - the server private key -+# -+# This option allows the certificate directory to be changed -+# -+# vnc_tls_x509_cert_dir = "/etc/pki/libvirt-vnc" -+ -+ -+# The default TLS configuration only uses certificates for the server -+# allowing the client to verify the server's identity and establish -+# and encrypted channel. -+# -+# It is possible to use x509 certificates for authentication too, by -+# issuing a x509 certificate to every client who needs to connect. -+# -+# Enabling this option will reject any client who does not have a -+# certificate signed by the CA in /etc/pki/libvirt-vnc/ca-cert.pem -+# -+# vnc_tls_x509_verify = 1 - diff --git a/libvirt-0.3.3-qemu-config.patch b/libvirt-0.3.3-qemu-config.patch deleted file mode 100644 index 7330433..0000000 --- a/libvirt-0.3.3-qemu-config.patch +++ /dev/null 
@@ -1,230 +0,0 @@ -changeset: 1146:c48e81e685a3 -user: berrange -date: Fri Oct 12 15:05:44 2007 +0000 -files: ChangeLog src/qemu_conf.c src/qemu_conf.h src/qemu_driver.c -description: -Added QEMU driver config file - - -diff -r 522efe7f7e8f -r c48e81e685a3 src/qemu_conf.c ---- a/src/qemu_conf.c Wed Oct 10 18:46:17 2007 +0000 -+++ b/src/qemu_conf.c Fri Oct 12 15:05:44 2007 +0000 -@@ -45,6 +45,7 @@ - #include "qemu_conf.h" - #include "uuid.h" - #include "buf.h" -+#include "conf.h" - - #define qemudLog(level, msg...) fprintf(stderr, msg) - -@@ -65,6 +66,68 @@ void qemudReportError(virConnectPtr conn - __virRaiseError(conn, dom, net, VIR_FROM_QEMU, code, VIR_ERR_ERROR, - NULL, NULL, NULL, -1, -1, errorMessage); - } -+ -+int qemudLoadDriverConfig(struct qemud_driver *driver, -+ const char *filename) { -+ virConfPtr conf; -+ virConfValuePtr p; -+ -+ /* Setup 2 critical defaults */ -+ strcpy(driver->vncListen, "127.0.0.1"); -+ if (!(driver->vncTLSx509certdir = strdup(SYSCONF_DIR "/pki/libvirt-vnc"))) { -+ qemudReportError(NULL, NULL, NULL, VIR_ERR_NO_MEMORY, -+ "vncTLSx509certdir"); -+ return -1; -+ } -+ -+ /* Just check the file is readable before opening it, otherwise -+ * libvirt emits an error. 
-+ */ -+ if (access (filename, R_OK) == -1) return 0; -+ -+ conf = virConfReadFile (filename); -+ if (!conf) return 0; -+ -+ -+#define CHECK_TYPE(name,typ) if (p && p->type != (typ)) { \ -+ qemudReportError(NULL, NULL, NULL, VIR_ERR_INTERNAL_ERROR, \ -+ "remoteReadConfigFile: %s: %s: expected type " #typ "\n", \ -+ filename, (name)); \ -+ virConfFree(conf); \ -+ return -1; \ -+ } -+ -+ p = virConfGetValue (conf, "vnc_tls"); -+ CHECK_TYPE ("vnc_tls", VIR_CONF_LONG); -+ if (p) driver->vncTLS = p->l; -+ -+ p = virConfGetValue (conf, "vnc_tls_x509_verify"); -+ CHECK_TYPE ("vnc_tls_x509_verify", VIR_CONF_LONG); -+ if (p) driver->vncTLSx509verify = p->l; -+ -+ p = virConfGetValue (conf, "vnc_tls_x509_cert_dir"); -+ CHECK_TYPE ("vnc_tls_x509_cert_dir", VIR_CONF_STRING); -+ if (p && p->str) { -+ free(driver->vncTLSx509certdir); -+ if (!(driver->vncTLSx509certdir = strdup(p->str))) { -+ qemudReportError(NULL, NULL, NULL, VIR_ERR_NO_MEMORY, -+ "vncTLSx509certdir"); -+ virConfFree(conf); -+ return -1; -+ } -+ } -+ -+ p = virConfGetValue (conf, "vnc_listen"); -+ CHECK_TYPE ("vnc_listen", VIR_CONF_STRING); -+ if (p && p->str) { -+ strncpy(driver->vncListen, p->str, sizeof(driver->vncListen)); -+ driver->vncListen[sizeof(driver->vncListen)-1] = '\0'; -+ } -+ -+ virConfFree (conf); -+ return 0; -+} -+ - - struct qemud_vm *qemudFindVMByID(const struct qemud_driver *driver, int id) { - struct qemud_vm *vm = driver->vms; -@@ -1234,7 +1297,7 @@ static struct qemud_vm_def *qemudParseXM - if (vnclisten && *vnclisten) - strncpy(def->vncListen, (char *)vnclisten, BR_INET_ADDR_MAXLEN-1); - else -- strcpy(def->vncListen, "127.0.0.1"); -+ strcpy(def->vncListen, driver->vncListen); - def->vncListen[BR_INET_ADDR_MAXLEN-1] = '\0'; - xmlFree(vncport); - xmlFree(vnclisten); -@@ -1750,15 +1813,30 @@ int qemudBuildCommandLine(virConnectPtr - } - - if (vm->def->graphicsType == QEMUD_GRAPHICS_VNC) { -- char vncdisplay[BR_INET_ADDR_MAXLEN+20]; -+ char vncdisplay[PATH_MAX]; - int ret; -- if 
(vm->qemuCmdFlags & QEMUD_CMD_FLAG_VNC_COLON) -- ret = snprintf(vncdisplay, sizeof(vncdisplay), "%s:%d", -+ -+ if (vm->qemuCmdFlags & QEMUD_CMD_FLAG_VNC_COLON) { -+ char options[PATH_MAX] = ""; -+ if (driver->vncTLS) { -+ strcat(options, ",tls"); -+ if (driver->vncTLSx509verify) { -+ strcat(options, ",x509verify="); -+ } else { -+ strcat(options, ",x509="); -+ } -+ strncat(options, driver->vncTLSx509certdir, -+ sizeof(options) - (strlen(driver->vncTLSx509certdir)-1)); -+ options[sizeof(options)-1] = '\0'; -+ } -+ ret = snprintf(vncdisplay, sizeof(vncdisplay), "%s:%d%s", - vm->def->vncListen, -- vm->def->vncActivePort - 5900); -- else -+ vm->def->vncActivePort - 5900, -+ options); -+ } else { - ret = snprintf(vncdisplay, sizeof(vncdisplay), "%d", - vm->def->vncActivePort - 5900); -+ } - if (ret < 0 || ret >= (int)sizeof(vncdisplay)) - goto error; - -diff -r 522efe7f7e8f -r c48e81e685a3 src/qemu_conf.h ---- a/src/qemu_conf.h Wed Oct 10 18:46:17 2007 +0000 -+++ b/src/qemu_conf.h Fri Oct 12 15:05:44 2007 +0000 -@@ -289,6 +289,10 @@ struct qemud_driver { - char *networkConfigDir; - char *networkAutostartDir; - char logDir[PATH_MAX]; -+ int vncTLS : 1; -+ int vncTLSx509verify : 1; -+ char *vncTLSx509certdir; -+ char vncListen[BR_INET_ADDR_MAXLEN]; - }; - - -@@ -311,6 +315,8 @@ void qemudReportError(virConnectPtr conn - ATTRIBUTE_FORMAT(printf,5,6); - - -+int qemudLoadDriverConfig(struct qemud_driver *driver, -+ const char *filename); - - struct qemud_vm *qemudFindVMByID(const struct qemud_driver *driver, - int id); -diff -r 522efe7f7e8f -r c48e81e685a3 src/qemu_driver.c ---- a/src/qemu_driver.c Wed Oct 10 18:46:17 2007 +0000 -+++ b/src/qemu_driver.c Fri Oct 12 15:05:44 2007 +0000 -@@ -155,6 +155,7 @@ qemudStartup(void) { - uid_t uid = geteuid(); - struct passwd *pw; - char *base = NULL; -+ char driverConf[PATH_MAX]; - - if (!(qemu_driver = calloc(1, sizeof(struct qemud_driver)))) { - return -1; -@@ -167,7 +168,7 @@ qemudStartup(void) { - if (snprintf(qemu_driver->logDir, 
PATH_MAX, "%s/log/libvirt/qemu", LOCAL_STATE_DIR) >= PATH_MAX) - goto snprintf_error; - -- if ((base = strdup (SYSCONF_DIR "/libvirt/qemu")) == NULL) -+ if ((base = strdup (SYSCONF_DIR "/libvirt")) == NULL) - goto out_of_memory; - } else { - if (!(pw = getpwuid(uid))) { -@@ -179,7 +180,7 @@ qemudStartup(void) { - if (snprintf(qemu_driver->logDir, PATH_MAX, "%s/.libvirt/qemu/log", pw->pw_dir) >= PATH_MAX) - goto snprintf_error; - -- if (asprintf (&base, "%s/.libvirt/qemu", pw->pw_dir) == -1) { -+ if (asprintf (&base, "%s/.libvirt", pw->pw_dir) == -1) { - qemudLog (QEMUD_ERR, "out of memory in asprintf"); - goto out_of_memory; - } -@@ -188,24 +189,36 @@ qemudStartup(void) { - /* Configuration paths are either ~/.libvirt/qemu/... (session) or - * /etc/libvirt/qemu/... (system). - */ -- if (asprintf (&qemu_driver->configDir, "%s", base) == -1) -+ if (snprintf (driverConf, sizeof(driverConf), "%s/qemu.conf", base) == -1) - goto out_of_memory; -- -- if (asprintf (&qemu_driver->autostartDir, "%s/autostart", base) == -1) -+ driverConf[sizeof(driverConf)-1] = '\0'; -+ -+ if (asprintf (&qemu_driver->configDir, "%s/qemu", base) == -1) - goto out_of_memory; - -- if (asprintf (&qemu_driver->networkConfigDir, "%s/networks", base) == -1) -+ if (asprintf (&qemu_driver->autostartDir, "%s/qemu/autostart", base) == -1) - goto out_of_memory; - -- if (asprintf (&qemu_driver->networkAutostartDir, "%s/networks/autostart", -+ if (asprintf (&qemu_driver->networkConfigDir, "%s/qemu/networks", base) == -1) -+ goto out_of_memory; -+ -+ if (asprintf (&qemu_driver->networkAutostartDir, "%s/qemu/networks/autostart", - base) == -1) - goto out_of_memory; - -- if (qemudScanConfigs(qemu_driver) < 0) -+ free(base); -+ -+ if (qemudLoadDriverConfig(qemu_driver, driverConf) < 0) { - qemudShutdown(); -+ return -1; -+ } -+ -+ if (qemudScanConfigs(qemu_driver) < 0) { -+ qemudShutdown(); -+ return -1; -+ } - qemudAutostartConfigs(qemu_driver); - -- free(base); - return 0; - - snprintf_error: - 
diff --git a/libvirt.spec b/libvirt.spec
index e3e6a20..37e18db 100644
--- a/libvirt.spec
+++ b/libvirt.spec
@@ -1,16 +1,20 @@
 # -*- rpm-spec -*-
 
+%if "%{fedora}" >= "8"
+%define with_polkit 1
+%define with_proxy no
+%else
+%define with_polkit 0
+%define with_proxy yes
+%endif
+
 Summary: Library providing a simple API virtualization
 Name: libvirt
-Version: 0.3.3
-Release: 2%{?dist}%{?extra_release}
+Version: 0.4.0
+Release: 1%{?dist}%{?extra_release}
 License: LGPL
 Group: Development/Libraries
 Source: libvirt-%{version}.tar.gz
-Patch1: %{name}-%{version}-qemu-config.patch
-# NB, when removing this patch on next release, also remove the manual
-# config file copy in the install section of this spec file
-Patch2: %{name}-%{version}-example-config.patch
 BuildRoot: %{_tmppath}/%{name}-%{version}-root
 URL: http://libvirt.org/
 BuildRequires: python python-devel
@@ -20,6 +24,16 @@ Requires: ncurses
 Requires: dnsmasq
 Requires: bridge-utils
 Requires: iptables
+# So remote clients can access libvirt over SSH tunnel
+# (client invokes 'nc' against the UNIX socket on the server)
+Requires: nc
+Requires: cyrus-sasl
+# Not technically required, but makes 'out-of-box' config
+# work correctly & doesn't have onerous dependancies
+Requires: cyrus-sasl-md5
+%if %{with_polkit}
+Requires: PolicyKit >= 0.6
+%endif
 
 %ifarch i386 x86_64 ia64
 BuildRequires: xen-devel
@@ -32,6 +46,10 @@ BuildRequires: gnutls-devel
 BuildRequires: avahi-devel
 BuildRequires: dnsmasq
 BuildRequires: bridge-utils
+BuildRequires: cyrus-sasl-devel
+%if %{with_polkit}
+BuildRequires: PolicyKit-devel >= 0.6
+%endif
 Obsoletes: libvir
 
 # Fedora build root suckage
@@ -49,7 +67,6 @@ Requires: pkgconfig
 %ifarch i386 x86_64 ia64
 Requires: xen-devel
 %endif
-Requires: gnutls-devel
 Obsoletes: libvir-devel
 
 %description devel
@@ -70,8 +87,6 @@ of recent versions of Linux (and other OSes).
 
 %prep
 %setup -q
-%patch1 -p1
-%patch2 -p1
 
 %build
 # Xen is availble only on i386 x86_64 ia64
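Review bot: The release test added at the top of the spec, `%if "%{fedora}" >= "8"`, compares two quoted strings, so rpm evaluates it lexically rather than numerically; once %{fedora} reaches a two-digit value the comparison would go false and the `%else` branch (with_polkit 0, with_proxy yes) would be taken, which in the %files hunk also brings back the setuid-root `%attr(4755, root, root) %{_libexecdir}/libvirt_proxy` on exactly the releases that were meant to drop it, and when the macro is undefined the literal text `%{fedora}` appears to end up in the expression. The conventional form is `%if 0%{?fedora} >= 8`, which is numeric and tolerates an undefined macro. The two switches are also defined in different styles, `with_polkit` as 0/1 but `with_proxy` as yes/no, and the later `%if %{with_proxy} == "yes"` test depends on the bare-word expansion being accepted; defining `with_proxy` as 0/1 and testing it with `%if %{with_proxy}` like with_polkit would make the %files hunk consistent with the rest of the spec.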
@@ -95,11 +110,6 @@ rm -f $RPM_BUILD_ROOT%{_libdir}/python*/site-packages/*.la
 rm -f $RPM_BUILD_ROOT%{_libdir}/python*/site-packages/*.a
 install -d -m 0755 $RPM_BUILD_ROOT%{_localstatedir}/run/libvirt/
 
-# Copy files from patch2 into location
-install -d $RPM_BUILD_ROOT%{_sysconfdir}/libvirt
-install -m 0755 src/qemu.conf $RPM_BUILD_ROOT%{_sysconfdir}/libvirt/qemu.conf
-install -m 0755 qemud/libvirtd.conf $RPM_BUILD_ROOT%{_sysconfdir}/libvirt/libvirtd.conf
-
 # We don't want to install /etc/libvirt/qemu/networks in the main %files list
 # because if the admin wants to delete the default network completely, we don't
 # want to end up re-incarnating it on every RPM upgrade.
@@ -157,13 +167,19 @@ fi
 %config(noreplace) %{_sysconfdir}/sysconfig/libvirtd
 %config(noreplace) %{_sysconfdir}/libvirt/libvirtd.conf
 %config(noreplace) %{_sysconfdir}/libvirt/qemu.conf
+%config(noreplace) %{_sysconfdir}/sasl2/libvirt.conf
 %dir %{_datadir}/libvirt/
 %dir %{_datadir}/libvirt/networks/
 %{_datadir}/libvirt/networks/default.xml
 %dir %{_localstatedir}/run/libvirt/
 %dir %{_localstatedir}/lib/libvirt/
+%if %{with_polkit}
+%{_datadir}/PolicyKit/policy/libvirtd.policy
+%endif
 %dir %attr(0700, root, root) %{_localstatedir}/log/libvirt/qemu/
+%if %{with_proxy} == "yes"
 %attr(4755, root, root) %{_libexecdir}/libvirt_proxy
+%endif
 %attr(0755, root, root) %{_sbindir}/libvirtd
 %doc docs/*.rng
 %doc docs/*.xml
@@ -196,6 +212,14 @@ fi
 %doc docs/examples/python
 
 %changelog
+* Tue Dec 18 2007 Daniel Veillard - 0.4.0-1.fc8
+- Release of 0.4.0
+- SASL based authentication
+- PolicyKit authentication
+- improved NUMA and statistics support
+- lots of assorted improvements, bugfixes and cleanups
+- documentation and localization improvements
+
 * Mon Oct 15 2007 Daniel P. Berrange - 0.3.3-2.fc8
 - Added QEMU driver config file support
 - Added example config files
diff --git a/sources b/sources
index c9ceb9e..a5b9c28 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-583fa13938df63bd404cc1b7cf553874 libvirt-0.3.3.tar.gz
+2f6c6adb62145988f0e5021e5cbd71d3 libvirt-0.4.0.tar.gz