[Pkg-libvirt-commits] [Git][libvirt-team/libvirt][debian/master] 5 commits: d/p/debian/Revert-m4-virt-xdr-rewrite-XDR-check.patch: fix libvirt-lxc (LP: #1892826)

Andrea Bolognani gitlab at salsa.debian.org
Fri Aug 28 15:47:58 BST 2020



Andrea Bolognani pushed to branch debian/master at Libvirt Packaging Team / libvirt


Commits:
92acaf68 by Christian Ehrhardt at 2020-08-28T07:43:17+02:00
d/p/debian/Revert-m4-virt-xdr-rewrite-XDR-check.patch: fix libvirt-lxc (LP: #1892826)

The build against libtirpc causes linking errors using the headers of
libtirpc but calling into the compat functions of glibc as discussed
here:
https://www.redhat.com/archives/libvir-list/2020-August/msg00921.html

Current glibc 2.31-0ubuntu1 and 2.31-3 for us are built with
--enable-obsolete-rpc which then leads to the wrong linking.

What happens otherwise is a crash like:
[582093.524644] libvirt_lxc[261446]: segfault at 0 ip 0000000000000000
sp 00007ffdd2345598 error 14 in libvirt_lxc[5587e42aa000+8000]
[582093.524650] Code: Bad RIP value.

The reason is that due to bad linking (should link to 3.0 versions
instead):
$ eu-readelf -a /usr/lib/libvirt/libvirt_lxc  | grep xdr_uint64
  0x0000000000026820  X86_64_JUMP_SLOT 000000000000000000      +0 xdr_uint64_t
   99: 0000000000000000      0 FUNC    GLOBAL DEFAULT    UNDEF
xdr_uint64_t GLIBC_2 2 5 (4)
  [  1c02]  xdr_uint64_t

It will use the headers and structs of libtirpc but then call into glibc
which breaks badly.

As soon as we rebuild against 2.32 which is about to arrive we can drop
this revert and follow upstream as 2.32 dropped the option to enable
--enable-obsolete-rpc.

Signed-off-by: Christian Ehrhardt <christian.ehrhardt at canonical.com>

- - - - -
c12faf12 by Christian Ehrhardt at 2020-08-28T07:46:37+02:00
replace patches for pki and pygrub with clean upstream backports

Signed-off-by: Christian Ehrhardt <christian.ehrhardt at canonical.com>

- - - - -
6377d90d by Christian Ehrhardt at 2020-08-28T07:47:43+02:00
apparmor: allow libvirtd to call virtiofsd (LP: #1892736)

Signed-off-by: Christian Ehrhardt <christian.ehrhardt at canonical.com>

- - - - -
90093c0a by Christian Ehrhardt at 2020-08-28T10:28:05+02:00
Revert "control: Add Build-Depends on libtirpc-dev"

This reverts commit ab2a1b4a885b7332618953e6b851e099dacbf503.

- - - - -
db67a5d5 by Christian Ehrhardt at 2020-08-28T10:30:10+02:00
changelog: Create entry for 6.6.0-2

Gbp-Dch: Ignore

Signed-off-by: Christian Ehrhardt <christian.ehrhardt at canonical.com>

- - - - -


7 changed files:

- debian/changelog
- debian/control
- debian/patches/forward/Include-etc-pki-qemu-in-apparmor.patch → debian/patches/backport/apparmor-allow-default-pki-path.patch
- debian/patches/forward/apparmor-Allow-run-pygrub.patch → debian/patches/backport/apparmor-allow-libvirtd-to-call-pygrub.patch
- + debian/patches/backport/apparmor-allow-libvirtd-to-call-virtiofsd.patch
- + debian/patches/debian/Revert-m4-virt-xdr-rewrite-XDR-check.patch
- debian/patches/series


Changes:

=====================================
debian/changelog
=====================================
@@ -1,3 +1,13 @@
+libvirt (6.6.0-2) unstable; urgency=medium
+
+  * fix libvirt-lxc that was broken by libtirpc linking issues (LP: #1892826)
+    - [92acaf6] d/p/debian/Revert-m4-virt-xdr-rewrite-XDR-check.patch:
+    - [90093c0] Revert "control: Add Build-Depends on libtirpc-dev"
+  * [c12faf1] replace patches for pki and pygrub with clean upstream backports
+  * [6377d90] apparmor: allow libvirtd to call virtiofsd (LP: #1892736)
+
+ -- Christian Ehrhardt <christian.ehrhardt at canonical.com>  Fri, 28 Aug 2020 10:28:14 +0200
+
 libvirt (6.6.0-1) unstable; urgency=medium
 
   * Team upload
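
Review bot: The sub-item `- [92acaf6] d/p/debian/Revert-m4-virt-xdr-rewrite-XDR-check.patch:` ends in a colon with no text after it, so the entry never says what the patch does or that it is temporary. Add a short description after the colon, for example that it reverts the upstream XDR check until the package is rebuilt against glibc 2.32, so the changelog alone tells the next uploader when to drop it.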


=====================================
debian/control
=====================================
@@ -39,7 +39,6 @@ Build-Depends:
  libsasl2-dev,
  libselinux1-dev (>= 2.0.82) [linux-any],
  libssh2-1-dev,
- libtirpc-dev,
  libudev-dev [linux-any],
  libwireshark-dev (>= 1.11.3),
  libwiretap-dev,
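
Review bot: Dropping `libtirpc-dev` from Build-Depends only works while glibc is still built with --enable-obsolete-rpc, and the revert commit (90093c0a) gives no reason beyond "This reverts commit ...". Once the archive moves to glibc 2.32 this line has to come back together with removing the XDR revert patch, so reference LP: #1892826 in the commit message and record the condition somewhere that will be seen at that point.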


=====================================
debian/patches/forward/Include-etc-pki-qemu-in-apparmor.patch → debian/patches/backport/apparmor-allow-default-pki-path.patch
=====================================
@@ -1,12 +1,21 @@
 From: Sam Hartman <hartmans at debian.org>
-Date: Tue, 18 Jun 2019 09:02:09 -0400
-Subject: Include /etc/pki/qemu in apparmor
+Date: Mon, 3 Aug 2020 12:08:41 +0200
+Subject: apparmor: allow default pki path
 
-We already permit /etc/pki/libvirt-{spice,vnc} to be read in the
-apparmor profile.  However the default tls directory in qemu.conf that
-we ship is /etc/pki/qemu.  So permit that as well.
+/etc/pki/qemu is a pki path recommended by qemu tls docs [1]
+and one that can cause issues with spice connections when missing.
 
-Closes: #930100
+Add the path to the allowed list of pki paths to fix the issue.
+
+Note: this is active in Debian/Ubuntu [1] for quite a while already.
+
+[1]: https://www.qemu.org/docs/master/system/tls.html
+[2]: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=930100
+
+Signed-off-by: Christian Ehrhardt <christian.ehrhardt at canonical.com>
+Reviewed-by: Andrea Bolognani <abologna at redhat.com>
+Acked-by: Jamie Strandboge <jamie at canonical.com>
+(cherry picked from commit 155d4fe3fa8b2115003973f692512a7007ab9264)
 ---
  src/security/apparmor/libvirt-qemu | 2 ++
  1 file changed, 2 insertions(+)
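
Review bot: In the new description, "Note: this is active in Debian/Ubuntu [1] for quite a while already." cites `[1]`, which is the QEMU TLS documentation; the Debian bug is `[2]`. The note should reference `[2]`, otherwise the bug link is never cited. Since this is a cherry-pick the text mirrors upstream, so the fix belongs upstream as well.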


=====================================
debian/patches/forward/apparmor-Allow-run-pygrub.patch → debian/patches/backport/apparmor-allow-libvirtd-to-call-pygrub.patch
=====================================
@@ -1,20 +1,40 @@
-From: Tobias Wolter <towo at b1-systems.de>
-Date: Wed, 21 Aug 2019 10:27:05 +0200
-Subject: apparmor: Allow run pygrub
+From: Stefan Bader <stefan.bader at canonical.com>
+Date: Mon, 3 Aug 2020 12:21:23 +0200
+Subject: apparmor: allow libvirtd to call pygrub
 
+When using xen through libxl in Debian/Ubuntu it needs to be able to
+call pygrub.
+
+This is placed in a versioned path like /usr/lib/xen-4.11/bin.
+In theory the rule could be more strict by rendering the libexec_dir
+setting pkg-config can derive from libbxen-dev. But that would make
+particular libvirt/xen packages version-depend on each other. It seems
+more reasonable to avoid these versioned dependencies and use a wildcard
+rule instead as it is already in place for libxl-save-helper.
+
+Note: This change was in Debian [1] and Ubuntu [2] for quite some time
+already.
+
+[1]: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=931768
+[2]: https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1326003
+
+Signed-off-by: Christian Ehrhardt <christian.ehrhardt at canonical.com>
+Reviewed-by: Andrea Bolognani <abologna at redhat.com>
+Acked-by: Jamie Strandboge <jamie at canonical.com>
+(cherry picked from commit 8b6ee1afdb664ef5d90e1a92b69fc9f2f9221090)
 ---
  src/security/apparmor/usr.sbin.libvirtd.in | 1 +
  1 file changed, 1 insertion(+)
 
 diff --git a/src/security/apparmor/usr.sbin.libvirtd.in b/src/security/apparmor/usr.sbin.libvirtd.in
-index 1e13703..d7c0539 100644
+index 1e13703..312fa4b 100644
 --- a/src/security/apparmor/usr.sbin.libvirtd.in
 +++ b/src/security/apparmor/usr.sbin.libvirtd.in
-@@ -87,6 +87,7 @@ profile libvirtd @sbindir@/libvirtd flags=(attach_disconnected) {
+@@ -86,6 +86,7 @@ profile libvirtd @sbindir@/libvirtd flags=(attach_disconnected) {
+   /usr/{lib,lib64}/xen-common/bin/xen-toolstack PUx,
    /usr/{lib,lib64}/xen/bin/* Ux,
    /usr/lib/xen-*/bin/libxl-save-helper PUx,
-   /usr/{lib,lib64,lib/qemu,libexec}/vhost-user-gpu PUx,
 +  /usr/lib/xen-*/bin/pygrub PUx,
+   /usr/{lib,lib64,lib/qemu,libexec}/vhost-user-gpu PUx,
  
    # Required by nwfilter_ebiptables_driver.c:ebiptablesWriteToTempFile() to
-   # read and run an ebtables script.
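
Review bot: The added `/usr/lib/xen-*/bin/pygrub PUx,` rule uses `PUx`, so pygrub runs unconfined whenever no profile for it is loaded, and the `xen-*` wildcard extends that to every directory matching the pattern. The description justifies the wildcard but says nothing about the unconfined fallback; state whether that is intended, as for `libxl-save-helper`, or whether a pygrub profile is expected. Separately, `libbxen-dev` in the description looks like a typo for `libxen-dev`.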


=====================================
debian/patches/backport/apparmor-allow-libvirtd-to-call-virtiofsd.patch
=====================================
@@ -0,0 +1,56 @@
+From: Kevin Locke <kevin at kevinlocke.name>
+Date: Tue, 25 Aug 2020 07:31:27 -0600
+Subject: apparmor: allow libvirtd to call virtiofsd
+
+When using [virtiofs], libvirtd must launch [virtiofsd] to provide
+filesystem access on the host.  When a guest is configured with
+virtiofs, such as:
+
+    <filesystem type='mount' accessmode='passthrough'>
+      <driver type='virtiofs'/>
+      <source dir='/path'/>
+      <target dir='mount_tag'/>
+    </filesystem>
+
+Attempting to start the guest fails with:
+
+    internal error: virtiofsd died unexpectedly
+
+/var/log/libvirt/qemu/$name-fs0-virtiofsd.log contains (as a single
+line, wrapped below):
+
+    libvirt:  error : cannot execute binary /usr/lib/qemu/virtiofsd:
+    Permission denied
+
+dmesg contains (as a single line, wrapped below):
+
+    audit: type=1400 audit(1598229295.959:73): apparmor="DENIED"
+    operation="exec" profile="libvirtd" name="/usr/lib/qemu/virtiofsd"
+    pid=46007 comm="rpc-worker" requested_mask="x" denied_mask="x"
+    fsuid=0 ouid=0
+
+To avoid this, allow execution of virtiofsd from the libvirtd AppArmor
+profile.
+
+[virtiofs]: https://libvirt.org/kbase/virtiofs.html
+[virtiofsd]: https://www.qemu.org/docs/master/interop/virtiofsd.html
+
+Signed-off-by: Kevin Locke <kevin at kevinlocke.name>
+Reviewed-by: Christian Ehrhardt <christian.ehrhardt at canonical.com>
+(cherry picked from commit 44cbd3afaf9b6ba84af9b68825cede9ff60e1138)
+---
+ src/security/apparmor/usr.sbin.libvirtd.in | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/security/apparmor/usr.sbin.libvirtd.in b/src/security/apparmor/usr.sbin.libvirtd.in
+index 6cfb812..8664460 100644
+--- a/src/security/apparmor/usr.sbin.libvirtd.in
++++ b/src/security/apparmor/usr.sbin.libvirtd.in
+@@ -88,6 +88,7 @@ profile libvirtd @sbindir@/libvirtd flags=(attach_disconnected) {
+   /usr/lib/xen-*/bin/libxl-save-helper PUx,
+   /usr/lib/xen-*/bin/pygrub PUx,
+   /usr/{lib,lib64,lib/qemu,libexec}/vhost-user-gpu PUx,
++  /usr/{lib,lib64,lib/qemu,libexec}/virtiofsd PUx,
+ 
+   # Required by nwfilter_ebiptables_driver.c:ebiptablesWriteToTempFile() to
+   # read and run an ebtables script.
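
Review bot: `PUx` on the new `/usr/{lib,lib64,lib/qemu,libexec}/virtiofsd` rule means virtiofsd is executed unconfined unless a separate virtiofsd profile is loaded, and the quoted audit record shows the exec coming from libvirtd with `fsuid=0`. Because this helper provides host filesystem access to the guest, the description should say that leaving it unconfined is deliberate (as with the `vhost-user-gpu` line above it), or a follow-up should add a profile so the `P` transition actually applies.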


=====================================
debian/patches/debian/Revert-m4-virt-xdr-rewrite-XDR-check.patch
=====================================
@@ -0,0 +1,186 @@
+From: Christian Ehrhardt <christian.ehrhardt at canonical.com>
+Date: Wed, 26 Aug 2020 10:52:17 +0200
+Subject: Revert "m4: virt-xdr: rewrite XDR check"
+
+This reverts commit d7147b3797380de2d159ce6324536f3e1f2d97e3.
+
+Reasoning:
+The build against libtirpc causes linking errors using the headers of
+libtirpc but calling into the compat functions of glibc as discussed
+here:
+https://www.redhat.com/archives/libvir-list/2020-August/msg00921.html
+
+Current glibc 2.31-0ubuntu1 and 2.31-3 for us are built with
+--enable-obsolete-rpc which then leads to the wrong linking.
+
+What happens otherwise is a crash like:
+[582093.524644] libvirt_lxc[261446]: segfault at 0 ip 0000000000000000
+sp 00007ffdd2345598 error 14 in libvirt_lxc[5587e42aa000+8000]
+[582093.524650] Code: Bad RIP value.
+
+The reason is that due to bad linking (should link to 3.0 versions
+instead):
+$ eu-readelf -a /usr/lib/libvirt/libvirt_lxc  | grep xdr_uint64
+  0x0000000000026820  X86_64_JUMP_SLOT 000000000000000000      +0 xdr_uint64_t
+   99: 0000000000000000      0 FUNC    GLOBAL DEFAULT    UNDEF
+xdr_uint64_t GLIBC_2 2 5 (4)
+  [  1c02]  xdr_uint64_t
+
+It will use the headers and structs of libtirpc but then call ito glibc
+which breaks badly.
+
+As soon as we rebuild agains 2.32 which is about to arrive we can drop
+this revert and follow upstream as 2.32 dropped the option to enable
+--enable-obsolete-rpc.
+---
+ libvirt.spec.in             |  4 +---
+ m4/virt-xdr.m4              | 39 ++++++++++++++++++++++++++++-----------
+ src/Makefile.am             |  4 +---
+ src/admin/Makefile.inc.am   |  1 -
+ src/locking/Makefile.inc.am |  2 --
+ src/logging/Makefile.inc.am |  1 -
+ src/remote/Makefile.inc.am  |  1 -
+ 7 files changed, 30 insertions(+), 22 deletions(-)
+
+diff --git a/libvirt.spec.in b/libvirt.spec.in
+index be48231..e1b0be6 100644
+--- a/libvirt.spec.in
++++ b/libvirt.spec.in
+@@ -405,12 +405,10 @@ BuildRequires: wireshark-devel >= 2.4.0
+ BuildRequires: libssh-devel >= 0.7.0
+ %endif
+ 
+-# On RHEL-7 rpcgen is still part of glibc-common package
+ %if 0%{?fedora} || 0%{?rhel} > 7
+ BuildRequires: rpcgen
+-%endif
+-
+ BuildRequires: libtirpc-devel
++%endif
+ 
+ %if %{with_firewalld_zone}
+ BuildRequires: firewalld-filesystem
+diff --git a/m4/virt-xdr.m4 b/m4/virt-xdr.m4
+index 09d0c2b..8375415 100644
+--- a/m4/virt-xdr.m4
++++ b/m4/virt-xdr.m4
+@@ -18,20 +18,37 @@ dnl <http://www.gnu.org/licenses/>.
+ dnl
+ 
+ AC_DEFUN([LIBVIRT_CHECK_XDR], [
++  with_xdr="no"
+   if test x"$with_remote" = x"yes" || test x"$with_libvirtd" = x"yes"; then
+-    dnl On MinGW portablexdr provides XDR functions, on linux they are
+-    dnl provided by libtirpc and on FreeBSD/macOS there is no need to
+-    dnl use extra library as it's provided by libc directly.
+-
++    dnl Where are the XDR functions?
++    dnl If portablexdr is installed, prefer that.
++    dnl Otherwise try -lxdr (some MinGW)
++    dnl -ltirpc (glibc 2.13.90 or newer) or none (most Unix)
++    AC_CHECK_LIB([portablexdr],[xdrmem_create],[],[
++      AC_SEARCH_LIBS([xdrmem_create],[xdr tirpc],[],
++        [AC_MSG_ERROR([Cannot find a XDR library])])
++    ])
+     with_xdr="yes"
+ 
+-    if test "$with_win" = "yes"; then
+-      LIBVIRT_CHECK_LIB([XDR], [portablexdr], [xdrmem_create], [rpc/rpc.h])
+-    elif test "$with_linux" = "yes"; then
+-      LIBVIRT_CHECK_PKG([XDR], [libtirpc], [0.1.10])
+-    else
+-      AM_CONDITIONAL([WITH_XDR], [test "x$with_xdr" = "xyes"])
+-    fi
++    dnl Recent glibc requires -I/usr/include/tirpc for <rpc/rpc.h>
++    old_CFLAGS=$CFLAGS
++    AC_CACHE_CHECK([where to find <rpc/rpc.h>], [lv_cv_xdr_cflags], [
++      for add_CFLAGS in '' '-I/usr/include/tirpc' 'missing'; do
++        if test x"$add_CFLAGS" = xmissing; then
++          lv_cv_xdr_cflags=missing; break
++        fi
++        CFLAGS="$old_CFLAGS $add_CFLAGS"
++        AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[#include <rpc/rpc.h>
++        ]])], [lv_cv_xdr_cflags=${add_CFLAGS:-none}; break])
++      done
++    ])
++    CFLAGS=$old_CFLAGS
++    case $lv_cv_xdr_cflags in
++      none) XDR_CFLAGS= ;;
++      missing) AC_MSG_ERROR([Unable to find <rpc/rpc.h>]) ;;
++      *) XDR_CFLAGS=$lv_cv_xdr_cflags ;;
++    esac
++    AC_SUBST([XDR_CFLAGS])
+   fi
+ ])
+ 
+diff --git a/src/Makefile.am b/src/Makefile.am
+index 834e356..57e1d4d 100644
+--- a/src/Makefile.am
++++ b/src/Makefile.am
+@@ -434,9 +434,7 @@ libvirt_la_LDFLAGS = \
+ 		$(AM_LDFLAGS) \
+ 		$(NULL)
+ libvirt_la_LIBADD += \
+-		$(DLOPEN_LIBS) \
+-		$(XDR_LIBS) \
+-		$(NULL)
++		    $(DLOPEN_LIBS)
+ libvirt_la_CFLAGS = -DIN_LIBVIRT $(AM_CFLAGS)
+ # Because we specify libvirt_la_DEPENDENCIES for $(LIBVIRT_SYMBOL_FILE), we
+ # lose automake's automatic dependencies on an appropriate subset of
+diff --git a/src/admin/Makefile.inc.am b/src/admin/Makefile.inc.am
+index 8556a3b..0a9717a 100644
+--- a/src/admin/Makefile.inc.am
++++ b/src/admin/Makefile.inc.am
+@@ -72,7 +72,6 @@ libvirt_admin_la_LDFLAGS = \
+ 
+ libvirt_admin_la_LIBADD = \
+ 	libvirt.la \
+-	$(XDR_LIBS) \
+ 	$(CAPNG_LIBS) \
+ 	$(YAJL_LIBS) \
+ 	$(DEVMAPPER_LIBS) \
+diff --git a/src/locking/Makefile.inc.am b/src/locking/Makefile.inc.am
+index ab01d8e..d1bf49c 100644
+--- a/src/locking/Makefile.inc.am
++++ b/src/locking/Makefile.inc.am
+@@ -120,7 +120,6 @@ lockd_la_LDFLAGS = $(AM_LDFLAGS_MOD_NOUNDEF)
+ lockd_la_LIBADD = \
+ 	libvirt.la \
+ 	$(GLIB_LIBS) \
+-	$(XDR_LIBS) \
+ 	$(NULL)
+ augeas_DATA += locking/libvirt_lockd.aug
+ if WITH_DTRACE_PROBES
+@@ -162,7 +161,6 @@ virtlockd_CFLAGS = \
+ virtlockd_LDFLAGS = \
+ 	$(AM_LDFLAGS) \
+ 	$(PIE_LDFLAGS) \
+-	$(XDR_LIBS) \
+ 	$(NO_UNDEFINED_LDFLAGS) \
+ 	$(NULL)
+ virtlockd_LDADD = \
+diff --git a/src/logging/Makefile.inc.am b/src/logging/Makefile.inc.am
+index 873e602..64023aa 100644
+--- a/src/logging/Makefile.inc.am
++++ b/src/logging/Makefile.inc.am
+@@ -98,7 +98,6 @@ virtlogd_CFLAGS = \
+ virtlogd_LDFLAGS = \
+ 		$(AM_LDFLAGS) \
+ 		$(PIE_LDFLAGS) \
+-		$(XDR_LIBS) \
+ 		$(NO_UNDEFINED_LDFLAGS) \
+ 		$(NULL)
+ virtlogd_LDADD = \
+diff --git a/src/remote/Makefile.inc.am b/src/remote/Makefile.inc.am
+index 80f4aad..5b8eb59 100644
+--- a/src/remote/Makefile.inc.am
++++ b/src/remote/Makefile.inc.am
+@@ -64,7 +64,6 @@ REMOTE_DAEMON_LD_ADD = \
+ 	$(LIBXML_LIBS) \
+ 	$(GNUTLS_LIBS) \
+ 	$(SASL_LIBS) \
+-	$(XDR_LIBS) \
+ 	$(DBUS_LIBS) \
+ 	$(LIBNL_LIBS) \
+ 	$(NULL)
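
Review bot: In the restored `m4/virt-xdr.m4` check, the header and the library are chosen independently: the `for add_CFLAGS in '' '-I/usr/include/tirpc' 'missing'` loop picks where `<rpc/rpc.h>` comes from, while `AC_SEARCH_LIBS([xdrmem_create],[xdr tirpc])` picks the library, and nothing ties the two results together. The description reports exactly that kind of mismatch (libtirpc headers, glibc functions) as the cause of the segfault, so the revert avoids it only through the build environment, not through the check itself. Say so in the description, and consider adding a `Forwarded: not-needed` header plus the glibc 2.32 removal condition so the patch is not carried longer than intended. The `libvirt.spec.in` part has no effect on the Debian build and could be left out of the revert.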


=====================================
debian/patches/series
=====================================
@@ -2,11 +2,12 @@ backport/virdevmapper-Don-t-cache-device-mapper-major.patch
 backport/virdevmapper-Handle-kernel-without-device-mapper-support.patch
 backport/virdevmapper-Ignore-all-errors-when-opening-dev-mapper-co.patch
 backport/tools-fix-libvirt-guests.sh-text-assignments.patch
+backport/apparmor-allow-default-pki-path.patch
+backport/apparmor-allow-libvirtd-to-call-pygrub.patch
+backport/apparmor-allow-libvirtd-to-call-virtiofsd.patch
 forward/Skip-vircgrouptest.patch
 forward/Reduce-udevadm-settle-timeout-to-10-seconds.patch
 forward/Pass-GPG_TTY-env-var-to-the-ssh-binary.patch
-forward/Include-etc-pki-qemu-in-apparmor.patch
-forward/apparmor-Allow-run-pygrub.patch
 debian/Debianize-libvirt-guests.patch
 debian/Debianize-systemd-service-files.patch
 debian/Debianize-virtlockd.patch
@@ -14,3 +15,4 @@ debian/Debianize-virtlogd.patch
 debian/apparmor_profiles_local_include.patch
 debian/Set-defaults-for-zfs-tools.patch
 debian/Prefer-sbin-over-usr-sbin.patch
+debian/Revert-m4-virt-xdr-rewrite-XDR-check.patch



View it on GitLab: https://salsa.debian.org/libvirt-team/libvirt/-/compare/d9201fc2fe166da765f41e55e4847dd67012d600...db67a5d5a0caf479352739dce21cfc78740a46e1
