cardoe 13/07/01 14:07:41 |
|
Modified: ChangeLog |
Added: libvirt-1.0.6-r1.ebuild |
Log: |
Fix for CVE-2013-2218 and virInterface should work read-only when using udev backend. |
|
(Portage version: 2.1.12.2/cvs/Linux x86_64, signed Manifest commit with key D7DFA8D318FA9AEF!) |
|
Revision Changes Path |
1.286 app-emulation/libvirt/ChangeLog |
|
file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/app-emulation/libvirt/ChangeLog?rev=1.286&view=markup |
plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/app-emulation/libvirt/ChangeLog?rev=1.286&content-type=text/plain |
diff : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/app-emulation/libvirt/ChangeLog?r1=1.285&r2=1.286 |
|
Index: ChangeLog |
18 |
=================================================================== |
19 |
RCS file: /var/cvsroot/gentoo-x86/app-emulation/libvirt/ChangeLog,v |
20 |
retrieving revision 1.285 |
21 |
retrieving revision 1.286 |
22 |
diff -u -r1.285 -r1.286 |
23 |
--- ChangeLog 28 Jun 2013 20:52:44 -0000 1.285 |
24 |
+++ ChangeLog 1 Jul 2013 14:07:41 -0000 1.286 |
25 |
@@ -1,6 +1,15 @@ |
26 |
# ChangeLog for app-emulation/libvirt |
27 |
# Copyright 1999-2013 Gentoo Foundation; Distributed under the GPL v2 |
28 |
-# $Header: /var/cvsroot/gentoo-x86/app-emulation/libvirt/ChangeLog,v 1.285 2013/06/28 20:52:44 ago Exp $ |
29 |
+# $Header: /var/cvsroot/gentoo-x86/app-emulation/libvirt/ChangeLog,v 1.286 2013/07/01 14:07:41 cardoe Exp $ |
30 |
+ |
31 |
+*libvirt-1.0.6-r1 (01 Jul 2013) |
32 |
+ |
33 |
+ 01 Jul 2013; Doug Goldstein <cardoe@g.o> |
34 |
+ +files/libvirt-1.0.6-CVE-2013-2218.patch, |
35 |
+ +files/libvirt-1.0.6-virinterface-udev-backend-ro.patch, |
36 |
+ +libvirt-1.0.6-r1.ebuild: |
37 |
+ Fix for CVE-2013-2218 and virInterface should work read-only when using udev |
38 |
+ backend. |
39 |
|
40 |
28 Jun 2013; Agostino Sarubbo <ago@g.o> libvirt-1.0.5.2.ebuild: |
41 |
Stable for amd64, wrt bug #475040 |
|
|
|
1.1 app-emulation/libvirt/libvirt-1.0.6-r1.ebuild |
|
file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/app-emulation/libvirt/libvirt-1.0.6-r1.ebuild?rev=1.1&view=markup |
plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/app-emulation/libvirt/libvirt-1.0.6-r1.ebuild?rev=1.1&content-type=text/plain |
|
Index: libvirt-1.0.6-r1.ebuild |
=================================================================== |
# Copyright 1999-2013 Gentoo Foundation |
# Distributed under the terms of the GNU General Public License v2 |
# $Header: /var/cvsroot/gentoo-x86/app-emulation/libvirt/libvirt-1.0.6-r1.ebuild,v 1.1 2013/07/01 14:07:41 cardoe Exp $ |
|
# Ebuild API level this file is written against.
EAPI=5

# Identifier of the Gentoo backports tarball listed in SRC_URI below;
# src_prepare applies the patches under ${S}/patches whenever it is non-empty.
BACKPORTS=9eea7e71
# A non-empty value makes src_prepare regenerate the build system
# (eautoreconf) after patching.
AUTOTOOLIZE=yes

# Upstream tarballs spell release candidates "-rc"; the package version
# uses "_rc".
MY_P="${P/_rc/-rc}"

PYTHON_COMPAT=( python{2_5,2_6,2_7} )

inherit eutils python-single-r1 user autotools linux-info systemd

if [[ ${PV} == *9999* ]]; then
	# Live (9999) build straight from the upstream repository.
	# NOTE(review): git:// is an unauthenticated, unencrypted transport and a
	# live checkout has no Manifest digest to compare against - prefer an
	# authenticated URI if upstream offers one.
	inherit git-2
	EGIT_REPO_URI="git://libvirt.org/libvirt.git"
	AUTOTOOLIZE=yes
	SRC_URI=""
	KEYWORDS=""
else
	# Release build: upstream tarball plus the optional backports tarball.
	# NOTE(review): these are fetched over plain http/ftp, so the integrity of
	# the downloads rests on the digests recorded in the package Manifest -
	# confirm the Manifest covers every file listed here.
	SRC_URI="http://libvirt.org/sources/${MY_P}.tar.gz
		ftp://libvirt.org/libvirt/${MY_P}.tar.gz
		${BACKPORTS:+
			http://dev.gentoo.org/~cardoe/distfiles/${MY_P}-${BACKPORTS}.tar.xz}"
	KEYWORDS="~amd64 ~x86"
fi
# Source directory: the package name with any "_rc*" suffix removed.
S="${WORKDIR}/${P%_rc*}"
|
# Package metadata shown by the package manager.
DESCRIPTION="C toolkit to manipulate virtual machines"
HOMEPAGE="http://www.libvirt.org/"
LICENSE="LGPL-2.1"
SLOT="0"

# USE flags; a leading "+" marks a flag that is enabled by default.
# "caps" is on by default: src_configure sets the qemu user/group to the
# unprivileged qemu account with it and to root without it.
IUSE="audit avahi +caps firewalld fuse iscsi +libvirtd lvm lxc +macvtap nfs \
	nls numa openvz parted pcap phyp policykit python +qemu rbd sasl \
	selinux +udev uml +vepa virtualbox virt-network xen elibc_glibc \
	systemd"

# Flag constraints:
#  - the daemon needs at least one of the listed hypervisor drivers;
#  - lxc, openvz, qemu, uml, virtualbox, xen and virt-network each need the
#    daemon, and lxc additionally needs caps;
#  - vepa needs macvtap, firewalld needs virt-network;
#  - python pulls in the constraints of the python-single-r1 eclass.
REQUIRED_USE="libvirtd? ( || ( lxc openvz qemu uml virtualbox xen ) )
	lxc? ( caps libvirtd )
	openvz? ( libvirtd )
	qemu? ( libvirtd )
	uml? ( libvirtd )
	vepa? ( macvtap )
	virtualbox? ( libvirtd )
	xen? ( libvirtd )
	virt-network? ( libvirtd )
	firewalld? ( virt-network )
	python? ( ${PYTHON_REQUIRED_USE} )"
|
# Runtime dependencies.
#  - sys-devel/gettext is unconditional because the libvirt command wrappers
#    call gettext.sh.
#  - libvirt builds against either libnl:1.1 or libnl:3 and picks 3 when both
#    are installed; the slot cannot be pinned from here, so the newest one is
#    required.
RDEPEND="sys-libs/readline
	sys-libs/ncurses
	>=net-misc/curl-7.18.0
	dev-libs/libgcrypt
	>=dev-libs/libxml2-2.7.6
	dev-libs/libnl:3
	>=net-libs/gnutls-1.0.25
	net-libs/libssh2
	sys-apps/dmidecode
	>=sys-apps/util-linux-2.17
	sys-devel/gettext
	>=net-analyzer/netcat6-1.0-r2
	app-misc/scrub
	audit? ( sys-process/audit )
	avahi? ( >=net-dns/avahi-0.6[dbus] )
	caps? ( sys-libs/libcap-ng )
	fuse? ( >=sys-fs/fuse-2.8.6 )
	iscsi? ( sys-block/open-iscsi )
	lxc? ( sys-power/pm-utils )
	lvm? ( >=sys-fs/lvm2-2.02.48-r2 )
	nfs? ( net-fs/nfs-utils )
	numa? (
		>sys-process/numactl-2.0.2
		sys-process/numad
	)
	openvz? ( sys-kernel/openvz-sources )
	parted? (
		>=sys-block/parted-1.8[device-mapper]
		sys-fs/lvm2
	)
	pcap? ( >=net-libs/libpcap-1.0.0 )
	policykit? ( >=sys-auth/polkit-0.9 )
	python? ( ${PYTHON_DEPS} )
	qemu? (
		>=app-emulation/qemu-0.13.0
		dev-libs/yajl
		sys-power/pm-utils
	)
	rbd? ( sys-cluster/ceph )
	sasl? ( dev-libs/cyrus-sasl )
	selinux? ( >=sys-libs/libselinux-2.0.85 )
	virtualbox? ( || ( app-emulation/virtualbox >=app-emulation/virtualbox-bin-2.2.0 ) )
	xen? ( app-emulation/xen-tools app-emulation/xen )
	udev? ( virtual/udev >=x11-libs/libpciaccess-0.10.9 )
	virt-network? ( net-dns/dnsmasq
		>=net-firewall/iptables-1.4.10
		net-misc/radvd
		net-firewall/ebtables
		sys-apps/iproute2[-minimal]
		firewalld? ( net-firewall/firewalld )
	)
	elibc_glibc? ( || ( >=net-libs/libtirpc-0.2.2-r1 <sys-libs/glibc-2.14 ) )"
# Dependency that is currently switched off:
# one? ( dev-libs/xmlrpc-c )

# Build-time dependencies: everything needed at runtime plus pkg-config and
# the XHTML/XSLT tooling.
DEPEND="${RDEPEND}
	virtual/pkgconfig
	app-text/xhtml1
	dev-libs/libxslt"
|
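# Kernel option lists that pkg_setup appends to CONFIG_CHECK for the
# linux-info eclass.  In linux-info syntax a leading "~" makes a check
# non-fatal (a warning instead of an error) and "!" means the option must
# NOT be enabled.

# Options wanted by the LXC driver.  The GRKERNSEC_CHROOT_* entries ask for
# those grsecurity chroot restrictions to be off, so enabling USE=lxc on a
# hardened kernel is a trade-off the administrator should make consciously.
LXC_CONFIG_CHECK="
	~CGROUPS
	~CGROUP_FREEZER
	~CGROUP_DEVICE
	~CGROUP_CPUACCT
	~CGROUP_SCHED
	~CGROUP_PERF
	~BLK_CGROUP
	~NET_CLS_CGROUP
	~NETPRIO_CGROUP
	~CPUSETS
	~RESOURCE_COUNTERS
	~NAMESPACES
	~UTS_NS
	~IPC_NS
	~PID_NS
	~NET_NS
	~DEVPTS_MULTIPLE_INSTANCES
	~VETH
	~MACVLAN
	~POSIX_MQUEUE
	~!GRKERNSEC_CHROOT_MOUNT
	~!GRKERNSEC_CHROOT_DOUBLE
	~!GRKERNSEC_CHROOT_PIVOT
	~!GRKERNSEC_CHROOT_CHMOD
	~!GRKERNSEC_CHROOT_CAPS
"

# Options wanted by the virtual network driver (USE=virt-network).
VIRTNET_CONFIG_CHECK="
	~BRIDGE_NF_EBTABLES
	~BRIDGE_EBT_MARK_T
	~NETFILTER_ADVANCED
	~NETFILTER_XT_TARGET_CHECKSUM
	~NETFILTER_XT_CONNMARK
	~NETFILTER_XT_MARK
"

# Option wanted by USE=macvtap.  The value starts with a separator like the
# two lists above, so appending it with += can never glue it onto the
# previous CONFIG_CHECK entry.
MACVTAP_CONFIG_CHECK=" ~MACVTAP"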
|
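# Create the qemu account, make sure it is a member of the kvm group, set up
# Python, and collect the kernel options linux-info should check for the
# enabled USE flags.
pkg_setup() {
	enewgroup qemu 77
	# NOTE(review): the supplementary groups are passed as two words
	# ("qemu kvm"); confirm against user.eclass whether it expects a single
	# comma-separated groups argument.
	enewuser qemu 77 -1 -1 qemu kvm

	# Some people used the masked ebuild which was not adding the qemu
	# user to the kvm group originally. This results in VMs failing to
	# start for some users. bug #430808
	if ! egetent group kvm | grep -q qemu; then
		gpasswd -a qemu kvm
	fi

	python-single-r1_pkg_setup

	# Handle specific kernel versions for different features
	kernel_is lt 3 6 && LXC_CONFIG_CHECK+=" ~CGROUP_MEM_RES_CTLR"
	kernel_is ge 3 6 && LXC_CONFIG_CHECK+=" ~MEMCG ~MEMCG_SWAP ~MEMCG_KMEM"

	CONFIG_CHECK=""
	use fuse && CONFIG_CHECK+=" ~FUSE_FS"
	use lxc && CONFIG_CHECK+=" ${LXC_CONFIG_CHECK}"
	# This used to expand ${MACVTAP}, which is never set, so the MACVTAP
	# kernel check was silently dropped.  The list is MACVTAP_CONFIG_CHECK;
	# the explicit space keeps it from running into the previous entry.
	use macvtap && CONFIG_CHECK+=" ${MACVTAP_CONFIG_CHECK}"
	use virt-network && CONFIG_CHECK+=" ${VIRTNET_CONFIG_CHECK}"

	# Only run the kernel configuration checks when something was requested.
	if [[ -n ${CONFIG_CHECK} ]]; then
		linux-info_pkg_setup
	fi
}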
|
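# Apply the backports, the CVE-2013-2218 and udev-backend fixes and any user
# patches, regenerate the build system if requested, and create the OpenRC
# init script from its template.  File operations now abort the build on
# failure instead of continuing with a half-prepared tree.
src_prepare() {
	touch "${S}/.mailmap" || die "creating .mailmap failed"

	# Backported patches are taken from ${S}/patches when BACKPORTS is set.
	if [[ -n ${BACKPORTS} ]]; then
		EPATCH_FORCE=yes EPATCH_SUFFIX="patch" EPATCH_SOURCE="${S}/patches" \
			epatch
	fi

	if [[ ${PV} = *9999* ]]; then

		# git checkouts require bootstrapping to create the configure script.
		# Additionally the submodules must be cloned to the right locations
		# bug #377279
		./bootstrap || die "bootstrap failed"
		(
			git submodule status | sed 's/^[ +-]//;s/ .*//'
			git hash-object bootstrap.conf
		) >.git-module-status
	fi

	# Security and behaviour fixes added by this revision.  epatch aborts the
	# build when a patch does not apply, so the CVE fix cannot be skipped
	# silently.
	epatch "${FILESDIR}/libvirt-1.0.6-CVE-2013-2218.patch"
	epatch "${FILESDIR}/libvirt-1.0.6-virinterface-udev-backend-ro.patch"

	# User-supplied patches go on top of the fixes above.
	epatch_user

	[[ -n ${AUTOTOOLIZE} ]] && eautoreconf

	# Tweak the init script: each USE_FLAG_* placeholder becomes the service
	# name for an enabled flag and an empty string otherwise.
	local avahi_init= iscsi_init= rbd_init= firewalld_init=
	use avahi && avahi_init='avahi-daemon'
	use iscsi && iscsi_init='iscsid'
	use rbd && rbd_init='ceph'
	use firewalld && firewalld_init='need firewalld'

	cp "${FILESDIR}/libvirtd.init-r12" "${S}/libvirtd.init" \
		|| die "copying the init script template failed"
	sed -i \
		-e "s/USE_FLAG_FIREWALLD/${firewalld_init}/" \
		-e "s/USE_FLAG_AVAHI/${avahi_init}/" \
		-e "s/USE_FLAG_ISCSI/${iscsi_init}/" \
		-e "s/USE_FLAG_RBD/${rbd_init}/" \
		"${S}/libvirtd.init" || die "adjusting the init script failed"
}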
|
# Translate the USE flags into ./configure switches and run econf.
src_configure() {
	local myconf=""

	## enable/disable daemon, otherwise client only utils
	myconf+=" $(use_with libvirtd)"

	## enable/disable the daemon using avahi to find VMs
	myconf+=" $(use_with avahi)"

	## hypervisors on the local host
	myconf+=" $(use_with xen) $(use_with xen xen-inotify)"
	myconf+=" --without-xenapi"
	# libxl is only switched on together with xen-tools 4.2.0 or newer
	if use xen && has_version ">=app-emulation/xen-tools-4.2.0"; then
		myconf+=" --with-libxl"
	else
		myconf+=" --without-libxl"
	fi
	myconf+=" $(use_with openvz) $(use_with lxc)"
	if use virtualbox && has_version app-emulation/virtualbox-ose; then
		myconf+=" --with-vbox=/usr/lib/virtualbox-ose/"
	else
		myconf+=" $(use_with virtualbox vbox)"
	fi
	myconf+=" $(use_with uml) $(use_with qemu)"
	myconf+=" $(use_with qemu yajl)" # Use QMP over HMP
	myconf+=" $(use_with phyp)"
	# the ESX and VMware drivers are always built
	myconf+=" --with-esx --with-vmware"

	## additional host drivers
	myconf+=" $(use_with virt-network network)"
	myconf+=" --with-storage-fs"
	myconf+=" $(use_with lvm storage-lvm)"
	myconf+=" $(use_with iscsi storage-iscsi)"
	myconf+=" $(use_with parted storage-disk)"
	myconf+=" $(use_with lvm storage-mpath)"
	myconf+=" $(use_with rbd storage-rbd)"
	myconf+=" $(use_with numa numactl) $(use_with numa numad)"
	myconf+=" $(use_with selinux) $(use_with fuse)"

	# udev for device support details
	myconf+=" $(use_with udev)"

	# linux capability support so we don't need privileged accounts
	myconf+=" $(use_with caps capng)"

	## auth stuff
	myconf+=" $(use_with policykit polkit) $(use_with sasl)"

	# network bits
	myconf+=" $(use_with macvtap)"
	myconf+=" $(use_with pcap libpcap)"
	myconf+=" $(use_with vepa virtualport)"
	myconf+=" $(use_with firewalld)"

	## other
	myconf+=" $(use_enable nls) $(use_with python)"

	# user privilege bits for qemu/kvm: with USE=caps the qemu user and
	# group are the unprivileged qemu account, without it both are root
	if use caps; then
		myconf+=" --with-qemu-user=qemu --with-qemu-group=qemu"
	else
		myconf+=" --with-qemu-user=root --with-qemu-group=root"
	fi

	# audit support
	myconf+=" $(use_with audit)"

	## stuff we don't yet support
	myconf+=" --without-netcf"

	# we use udev over hal
	myconf+=" --without-hal"

	# locking support
	myconf+=" --without-sanlock"

	# systemd unit files
	use systemd && myconf+=" --with-init-script=systemd"

	# Workaround for bug #275073: a proper fix would mean rebuilding
	# autotools and was sent upstream instead (expected in 0.7.7), so the
	# same effect is mimicked by telling configure there is no windres
	# unless the target is cygwin or mingw.
	# NOTE(review): the variable is assigned but not exported here - confirm
	# that the configure run started by econf actually sees it.
	if [[ ${CHOST} != *cygwin* && ${CHOST} != *mingw* ]]; then
		ac_cv_prog_WINDRES=no
	fi

	# ${myconf} is left unquoted on purpose so it splits into one argument
	# per switch.
	econf \
		${myconf} \
		--disable-static \
		--docdir=/usr/share/doc/${PF} \
		--with-remote \
		--localstatedir=/var

	if [[ ${PV} == *9999* ]]; then
		# Restore gnulib's config.sub and config.guess
		# bug #377279
		(cd .gnulib && git reset --hard > /dev/null)
	fi
}
|
# Run the upstream test suite ("make check") and abort the build on failure.
src_test() {
	# The original note here reads "Explicitly allow parallel build of tests".
	# NOTE(review): VIR_TEST_DEBUG presumably makes the test suite print more
	# detail - confirm against the upstream test harness.
	export VIR_TEST_DEBUG=1

	# HOME points at the build's temporary directory for the duration of the
	# test run only.
	if ! HOME="${T}" emake check; then
		die "tests failed"
	fi
}
|
# Install into the image directory, drop libtool archives, and add the
# daemon's init script, conf.d file and image directory when USE=libvirtd.
src_install() {
	local doc_root="/usr/share/doc/${PF}"

	emake install \
		DESTDIR="${D}" \
		HTML_DIR="${doc_root}/html" \
		DOCS_DIR="${doc_root}" \
		EXAMPLE_DIR="${doc_root}/examples" \
		SYSTEMD_UNIT_DIR="$(systemd_get_unitdir)" \
		|| die "emake install failed"

	# libtool archives are removed from the image
	find "${D}" -name '*.la' -delete || die

	# Everything below is only relevant when the daemon is built.
	if ! use libvirtd; then
		return 0
	fi

	# The init script is the copy src_prepare generated from the template.
	newinitd "${S}/libvirtd.init" libvirtd || die
	newconfd "${FILESDIR}/libvirtd.confd-r4" libvirtd || die

	keepdir /var/lib/libvirt/images

	use python && python_optimize
}
|
# Adjust the image just before it is merged: keep an existing default
# network definition, drop the old PolicyKit policy when old PolicyKit is
# installed, and move the sysctl snippet to /etc/sysctl.d.
pkg_preinst() {
	local default_net="/etc/libvirt/qemu/networks/default.xml"
	local old_policy="/usr/share/PolicyKit/policy/org.libvirt.unix.policy"

	# we only ever want to generate this once: if the system already has a
	# default network definition, the packaged copy is removed from the
	# image so the existing file is left alone
	if [[ -e "${ROOT}${default_net}" ]]; then
		rm -rf "${D}${default_net}"
	fi

	# We really don't want to use or support old PolicyKit cause it
	# screws with the new polkit integration
	if has_version sys-auth/policykit; then
		rm -rf "${D}${old_policy}"
	fi

	# Only sysctl files ending in .conf work
	# NOTE(review): the result of this mv is not checked; it fails when the
	# source file or the /etc/sysctl.d directory is missing from the image.
	mv "${D}"/usr/lib/sysctl.d/libvirtd.conf "${D}"/etc/sysctl.d/libvirtd.conf
}
|
# Post-merge steps: refresh the default network file's timestamp, set
# ownership and mode of the qemu state directories, and print usage notes.
pkg_postinst() {
	local default_net="${ROOT}"/etc/libvirt/qemu/networks/default.xml
	if [[ -e ${default_net} ]]; then
		touch "${default_net}"
	fi

	# support for dropped privileges: the qemu state and cache directories
	# get mode 0750 and are owned by qemu:qemu with USE=caps, by root:root
	# without it.
	# NOTE(review): fperms and fowners are documented as helpers for the
	# install image - confirm that calling them from pkg_postinst with
	# ${EROOT} paths really changes the live directories.
	if use qemu; then
		local qemu_dirs=(
			"${EROOT}/var/lib/libvirt/qemu"
			"${EROOT}/var/cache/libvirt/qemu"
		)
		local owner dir

		for dir in "${qemu_dirs[@]}"; do
			fperms 0750 "${dir}"
		done

		if use caps; then
			owner="qemu:qemu"
		else
			owner="root:root"
		fi
		for dir in "${qemu_dirs[@]}"; do
			fowners -R "${owner}" "${dir}"
		done
	fi

	# Without polkit, access to libvirtd is decided by the socket's group and
	# permissions alone.  Anyone who can reach the read-write socket can
	# manage every guest, so widen those settings deliberately.
	if ! use policykit; then
		elog "To allow normal users to connect to libvirtd you must change the"
		elog "unix sock group and/or perms in /etc/libvirt/libvirtd.conf"
	fi

	# Everything below only concerns the daemon.
	if ! use libvirtd; then
		return 0
	fi

	elog
	elog "For the basic networking support (bridged and routed networks)"
	elog "you don't need any extra software. For more complex network modes"
	elog "including but not limited to NATed network, you can enable the"
	elog "'virt-network' USE flag."
	elog

	# A dnsmasq that is already installed has to be restricted to its own
	# interfaces, as the warning text explains.
	if has_version net-dns/dnsmasq; then
		ewarn "If you have a DNS server setup on your machine, you will have"
		ewarn "to configure /etc/dnsmasq.conf to enable the following settings: "
		ewarn " bind-interfaces"
		ewarn " interface or except-interface"
		ewarn
		ewarn "Otherwise you might have issues with your existing DNS server."
	fi

	if use caps && use qemu; then
		elog "libvirt will now start qemu/kvm VMs with non-root privileges."
		elog "Ensure any resources your VMs use are accessible by qemu:qemu"
	fi
}