From f317f8248297f0640c8688a97baf0d124bc4d1c4 Mon Sep 17 00:00:00 2001 From: Jiri Denemark Date: Fri, 1 Nov 2024 13:54:59 +0100 Subject: [PATCH] libvirt-10.9.0-1.el9 - Rebased to libvirt-10.9.0 (RHEL-50574) - The rebase also fixes the following bugs: RHEL-7036, RHEL-7122, RHEL-35752, RHEL-46870, RHEL-52314 RHEL-60030, RHEL-60033, RHEL-64341 Resolves: RHEL-35752, RHEL-46870, RHEL-50574, RHEL-52314, RHEL-60030 Resolves: RHEL-60033, RHEL-64341, RHEL-7036, RHEL-7122 --- ...e-for-bridge-device-of-open-networks.patch | 178 ---------- ...d-zone-while-shutting-down-a-network.patch | 161 --------- ...walld-zone-when-network-is-destroyed.patch | 133 ------- ...irewalld-zone-for-mode-open-networks.patch | 168 --------- ...-FirewallRules-for-forward-mode-open.patch | 333 ------------------ libvirt.spec | 41 ++- sources | 2 +- 7 files changed, 21 insertions(+), 995 deletions(-) delete mode 100644 libvirt-Revert-network-support-setting-firewalld-zone-for-bridge-device-of-open-networks.patch delete mode 100644 libvirt-Revert-network-un-set-the-firewalld-zone-while-shutting-down-a-network.patch delete mode 100644 libvirt-network-a-different-implementation-of-un-setting-firewalld-zone-when-network-is-destroyed.patch delete mode 100644 libvirt-network-a-different-way-of-supporting-firewalld-zone-for-mode-open-networks.patch delete mode 100644 libvirt-network-call-network-Add-Remove-FirewallRules-for-forward-mode-open.patch diff --git a/libvirt-Revert-network-support-setting-firewalld-zone-for-bridge-device-of-open-networks.patch b/libvirt-Revert-network-support-setting-firewalld-zone-for-bridge-device-of-open-networks.patch deleted file mode 100644 index da5cce7..0000000 --- a/libvirt-Revert-network-support-setting-firewalld-zone-for-bridge-device-of-open-networks.patch +++ /dev/null @@ -1,178 +0,0 @@ -From 6ff21bba02737104c43e21c7ff640428c77b7656 Mon Sep 17 00:00:00 2001 -Message-ID: <6ff21bba02737104c43e21c7ff640428c77b7656.1728549391.git.jdenemar@redhat.com> -From: Laine Stump -Date: Fri, 4 Oct 2024 13:46:20 -0400 -Subject: [PATCH] Revert "network: support setting firewalld zone for bridge - device of open networks" - -This reverts commit 1a72b83d566df952033529001b0f88a66d7f4393. That -patch had made the incorrect assumption that the firewalld zone of a -bridge would not be changed/removed when firewalld reloaded its rules -(e.g. with "killall -HUP firewalld"). It turns out my memory was -faulty, and this *does* remove the bridge interface's zone, which -results in guest networking failure after a firewalld reload, until -the virtual network is restarted. - -The functionality reverted as a result of this patch reversion will be -added back in an upcoming patch that keeps the zone setting in -networkAddFirewallRules() (rather than moving it into a separate -function) so that it is called every time the network's firewall rules -are reloaded (including the reload that happens in response to a -reload notification from firewalld). - -Signed-off-by: Laine Stump -Reviewed-by: Jiri Denemark -(cherry picked from commit ef760a413361a8992a3e56884a1ec09290954c71) - -https://issues.redhat.com/browse/RHEL-61576 - -Signed-off-by: Jiri Denemark ---- - src/network/bridge_driver.c | 4 -- - src/network/bridge_driver_linux.c | 61 ++++++++++++---------------- - src/network/bridge_driver_nop.c | 13 ------ - src/network/bridge_driver_platform.h | 2 - - 4 files changed, 26 insertions(+), 54 deletions(-) - -diff --git a/src/network/bridge_driver.c b/src/network/bridge_driver.c -index c9c6fcbccc..fe053f423a 100644 ---- a/src/network/bridge_driver.c -+++ b/src/network/bridge_driver.c -@@ -1999,10 +1999,6 @@ networkStartNetworkVirtual(virNetworkDriverState *driver, - if (networkSetIPv6Sysctls(obj) < 0) - goto error; - -- /* set the firewall zone for the bridge device on the host */ -- if (networkSetBridgeZone(def) < 0) -- goto error; -- - /* Add "once per network" rules */ - if (def->forward.type != VIR_NETWORK_FORWARD_OPEN && - networkAddFirewallRules(def, cfg->firewallBackend, &fwRemoval) < 0) { -diff --git a/src/network/bridge_driver_linux.c b/src/network/bridge_driver_linux.c -index af758d4f3d..5981e3bd19 100644 ---- a/src/network/bridge_driver_linux.c -+++ b/src/network/bridge_driver_linux.c -@@ -333,8 +333,28 @@ int networkCheckRouteCollision(virNetworkDef *def) - - - int --networkSetBridgeZone(virNetworkDef *def) -+networkAddFirewallRules(virNetworkDef *def, -+ virFirewallBackend firewallBackend, -+ virFirewall **fwRemoval) - { -+ -+ networkSetupPrivateChains(firewallBackend, false); -+ -+ if (errInitV4 && -+ (virNetworkDefGetIPByIndex(def, AF_INET, 0) || -+ virNetworkDefGetRouteByIndex(def, AF_INET, 0))) { -+ virSetError(errInitV4); -+ return -1; -+ } -+ -+ if (errInitV6 && -+ (virNetworkDefGetIPByIndex(def, AF_INET6, 0) || -+ virNetworkDefGetRouteByIndex(def, AF_INET6, 0) || -+ def->ipv6nogw)) { -+ virSetError(errInitV6); -+ return -1; -+ } -+ - if (def->bridgeZone) { - - /* if a firewalld zone has been specified, fail/log an error -@@ -350,14 +370,12 @@ networkSetBridgeZone(virNetworkDef *def) - if (virFirewallDInterfaceSetZone(def->bridge, def->bridgeZone) < 0) - return -1; - -- } else if (def->forward.type != VIR_NETWORK_FORWARD_OPEN) { -+ } else { - -- /* if firewalld is active, try to set the "libvirt" zone by -- * default (forward mode='open' networks have no zone set by -- * default, but we honor it if one is specified). This is -- * desirable (for consistency) if firewalld is using the -- * iptables backend, but is necessary (for basic network -- * connectivity) if firewalld is using the nftables backend -+ /* if firewalld is active, try to set the "libvirt" zone. This is -+ * desirable (for consistency) if firewalld is using the iptables -+ * backend, but is necessary (for basic network connectivity) if -+ * firewalld is using the nftables backend - */ - if (virFirewallDIsRegistered() == 0) { - -@@ -388,33 +406,6 @@ networkSetBridgeZone(virNetworkDef *def) - } - } - -- return 0; --} -- -- --int --networkAddFirewallRules(virNetworkDef *def, -- virFirewallBackend firewallBackend, -- virFirewall **fwRemoval) --{ -- -- networkSetupPrivateChains(firewallBackend, false); -- -- if (errInitV4 && -- (virNetworkDefGetIPByIndex(def, AF_INET, 0) || -- virNetworkDefGetRouteByIndex(def, AF_INET, 0))) { -- virSetError(errInitV4); -- return -1; -- } -- -- if (errInitV6 && -- (virNetworkDefGetIPByIndex(def, AF_INET6, 0) || -- virNetworkDefGetRouteByIndex(def, AF_INET6, 0) || -- def->ipv6nogw)) { -- virSetError(errInitV6); -- return -1; -- } -- - switch (firewallBackend) { - case VIR_FIREWALL_BACKEND_NONE: - virReportError(VIR_ERR_NO_SUPPORT, "%s", -diff --git a/src/network/bridge_driver_nop.c b/src/network/bridge_driver_nop.c -index 20c7a2a595..8bf3367bff 100644 ---- a/src/network/bridge_driver_nop.c -+++ b/src/network/bridge_driver_nop.c -@@ -38,19 +38,6 @@ int networkCheckRouteCollision(virNetworkDef *def G_GNUC_UNUSED) - return 0; - } - -- --int --networkSetBridgeZone(virNetworkDef *def) --{ -- if (def->bridgeZone) { -- virReportError(VIR_ERR_NO_SUPPORT, "%s", -- _("This platform does not support setting the bridge device zone")); -- return -1; -- } -- return 0; --} -- -- - int networkAddFirewallRules(virNetworkDef *def G_GNUC_UNUSED, - virFirewallBackend firewallBackend, - virFirewall **fwRemoval G_GNUC_UNUSED) -diff --git a/src/network/bridge_driver_platform.h b/src/network/bridge_driver_platform.h -index 02abdc197f..cd2e3fa7b5 100644 ---- a/src/network/bridge_driver_platform.h -+++ b/src/network/bridge_driver_platform.h -@@ -32,8 +32,6 @@ void networkPostReloadFirewallRules(bool startup); - - int networkCheckRouteCollision(virNetworkDef *def); - --int networkSetBridgeZone(virNetworkDef *def); -- - int networkAddFirewallRules(virNetworkDef *def, - virFirewallBackend firewallBackend, - virFirewall **fwRemoval); --- -2.47.0 diff --git a/libvirt-Revert-network-un-set-the-firewalld-zone-while-shutting-down-a-network.patch b/libvirt-Revert-network-un-set-the-firewalld-zone-while-shutting-down-a-network.patch deleted file mode 100644 index d7028e8..0000000 --- a/libvirt-Revert-network-un-set-the-firewalld-zone-while-shutting-down-a-network.patch +++ /dev/null @@ -1,161 +0,0 @@ -From b22e871fe2e611e54594b27009abf0dff94403ca Mon Sep 17 00:00:00 2001 -Message-ID: -From: Laine Stump -Date: Fri, 4 Oct 2024 13:44:32 -0400 -Subject: [PATCH] Revert "network: *un*set the firewalld zone while shutting - down a network" - -This reverts commit 200f60b2e12e68d618f6d59f0173bb507b678838. The same -functionality will be re-added in a different way in an upcoming patch. - -Signed-off-by: Laine Stump -Reviewed-by: Jiri Denemark -(cherry picked from commit 816876f51740da8b73c2176de3a64646772218f3) - -https://issues.redhat.com/browse/RHEL-61576 - -Signed-off-by: Jiri Denemark ---- - src/libvirt_private.syms | 1 - - src/network/bridge_driver.c | 4 ---- - src/network/bridge_driver_linux.c | 14 -------------- - src/network/bridge_driver_nop.c | 6 ------ - src/network/bridge_driver_platform.h | 2 -- - src/util/virfirewalld.c | 23 ----------------------- - src/util/virfirewalld.h | 2 -- - 7 files changed, 52 deletions(-) - -diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms -index 02dacea857..d186dc40df 100644 ---- a/src/libvirt_private.syms -+++ b/src/libvirt_private.syms -@@ -2451,7 +2451,6 @@ virFirewallDGetPolicies; - virFirewallDGetVersion; - virFirewallDGetZones; - virFirewallDInterfaceSetZone; --virFirewallDInterfaceUnsetZone; - virFirewallDIsRegistered; - virFirewallDPolicyExists; - virFirewallDSynchronize; -diff --git a/src/network/bridge_driver.c b/src/network/bridge_driver.c -index 74ba59b4e9..c9c6fcbccc 100644 ---- a/src/network/bridge_driver.c -+++ b/src/network/bridge_driver.c -@@ -2127,8 +2127,6 @@ networkStartNetworkVirtual(virNetworkDriverState *driver, - def->forward.type != VIR_NETWORK_FORWARD_OPEN) - networkRemoveFirewallRules(obj); - -- networkUnsetBridgeZone(def); -- - virNetworkObjUnrefMacMap(obj); - - ignore_value(virNetDevBridgeDelete(def->bridge)); -@@ -2167,8 +2165,6 @@ networkShutdownNetworkVirtual(virNetworkObj *obj) - if (def->forward.type != VIR_NETWORK_FORWARD_OPEN) - networkRemoveFirewallRules(obj); - -- networkUnsetBridgeZone(def); -- - ignore_value(virNetDevBridgeDelete(def->bridge)); - - /* See if its still alive and really really kill it */ -diff --git a/src/network/bridge_driver_linux.c b/src/network/bridge_driver_linux.c -index 3b3608c085..af758d4f3d 100644 ---- a/src/network/bridge_driver_linux.c -+++ b/src/network/bridge_driver_linux.c -@@ -392,20 +392,6 @@ networkSetBridgeZone(virNetworkDef *def) - } - - --void --networkUnsetBridgeZone(virNetworkDef *def) --{ -- /* If there is a libvirt-managed bridge device remove it from any -- * zone it had been placed in as a part of deleting the bridge. -- * DO NOT CALL THIS FOR 'bridge' forward mode, since that -- * bridge is not managed by libvirt. -- */ -- if (def->bridge && def->forward.type != VIR_NETWORK_FORWARD_BRIDGE -- && virFirewallDIsRegistered() == 0) { -- virFirewallDInterfaceUnsetZone(def->bridge); -- } --} -- - int - networkAddFirewallRules(virNetworkDef *def, - virFirewallBackend firewallBackend, -diff --git a/src/network/bridge_driver_nop.c b/src/network/bridge_driver_nop.c -index 831a5a5010..20c7a2a595 100644 ---- a/src/network/bridge_driver_nop.c -+++ b/src/network/bridge_driver_nop.c -@@ -51,12 +51,6 @@ networkSetBridgeZone(virNetworkDef *def) - } - - --void --networkUnsetBridgeZone(virNetworkDef *def G_GNUC_UNUSED) --{ --} -- -- - int networkAddFirewallRules(virNetworkDef *def G_GNUC_UNUSED, - virFirewallBackend firewallBackend, - virFirewall **fwRemoval G_GNUC_UNUSED) -diff --git a/src/network/bridge_driver_platform.h b/src/network/bridge_driver_platform.h -index a0291532a1..02abdc197f 100644 ---- a/src/network/bridge_driver_platform.h -+++ b/src/network/bridge_driver_platform.h -@@ -38,6 +38,4 @@ int networkAddFirewallRules(virNetworkDef *def, - virFirewallBackend firewallBackend, - virFirewall **fwRemoval); - --void networkUnsetBridgeZone(virNetworkDef *def); -- - void networkRemoveFirewallRules(virNetworkObj *obj); -diff --git a/src/util/virfirewalld.c b/src/util/virfirewalld.c -index 4aec33ac45..827e201dbb 100644 ---- a/src/util/virfirewalld.c -+++ b/src/util/virfirewalld.c -@@ -449,29 +449,6 @@ virFirewallDInterfaceSetZone(const char *iface, - } - - --int --virFirewallDInterfaceUnsetZone(const char *iface) --{ -- GDBusConnection *sysbus = virGDBusGetSystemBus(); -- g_autoptr(GVariant) message = NULL; -- -- if (!sysbus) -- return -1; -- -- message = g_variant_new("(ss)", "", iface); -- -- return virGDBusCallMethod(sysbus, -- NULL, -- NULL, -- NULL, -- VIR_FIREWALL_FIREWALLD_SERVICE, -- "/org/fedoraproject/FirewallD1", -- "org.fedoraproject.FirewallD1.zone", -- "removeInterface", -- message); --} -- -- - void - virFirewallDSynchronize(void) - { -diff --git a/src/util/virfirewalld.h b/src/util/virfirewalld.h -index 0dbe66d435..0e94d3507b 100644 ---- a/src/util/virfirewalld.h -+++ b/src/util/virfirewalld.h -@@ -46,6 +46,4 @@ int virFirewallDApplyRule(virFirewallLayer layer, - int virFirewallDInterfaceSetZone(const char *iface, - const char *zone); - --int virFirewallDInterfaceUnsetZone(const char *iface); -- - void virFirewallDSynchronize(void); --- -2.47.0 diff --git a/libvirt-network-a-different-implementation-of-un-setting-firewalld-zone-when-network-is-destroyed.patch b/libvirt-network-a-different-implementation-of-un-setting-firewalld-zone-when-network-is-destroyed.patch deleted file mode 100644 index 100b0dc..0000000 --- a/libvirt-network-a-different-implementation-of-un-setting-firewalld-zone-when-network-is-destroyed.patch +++ /dev/null @@ -1,133 +0,0 @@ -From 48337ce4950f6681fb7d52cf4e4ee6f85f36125b Mon Sep 17 00:00:00 2001 -Message-ID: <48337ce4950f6681fb7d52cf4e4ee6f85f36125b.1728549391.git.jdenemar@redhat.com> -From: Laine Stump -Date: Fri, 4 Oct 2024 18:43:02 -0400 -Subject: [PATCH] network: a different implementation of *un*setting firewalld - zone when network is destroyed - -(this is a remake of commit v10.7.0-78-g200f60b2e1, which was reverted -due to a regression in another patch it was dependent on. The new -implementation just adds the call to virFirewallDInterfaceUnsetZone() -into the existing networkRemoveFirewallRules() (but only if we had set -a zone when the network was first started). - -Replaces: 200f60b2e12e68d618f6d59f0173bb507b678838 -Resolves: https://issues.redhat.com/browse/RHEL-61576 -Signed-off-by: Laine Stump -Reviewed-by: Jiri Denemark -(cherry picked from commit c0ba3ed69d14a4b9a03475d1ba1d734b27a141f8) -Signed-off-by: Jiri Denemark ---- - src/libvirt_private.syms | 1 + - src/network/bridge_driver_linux.c | 30 ++++++++++++++++++++++++------ - src/util/virfirewalld.c | 23 +++++++++++++++++++++++ - src/util/virfirewalld.h | 2 ++ - 4 files changed, 50 insertions(+), 6 deletions(-) - -diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms -index d186dc40df..02dacea857 100644 ---- a/src/libvirt_private.syms -+++ b/src/libvirt_private.syms -@@ -2451,6 +2451,7 @@ virFirewallDGetPolicies; - virFirewallDGetVersion; - virFirewallDGetZones; - virFirewallDInterfaceSetZone; -+virFirewallDInterfaceUnsetZone; - virFirewallDIsRegistered; - virFirewallDPolicyExists; - virFirewallDSynchronize; -diff --git a/src/network/bridge_driver_linux.c b/src/network/bridge_driver_linux.c -index 8956d38ab1..6c3ec403a4 100644 ---- a/src/network/bridge_driver_linux.c -+++ b/src/network/bridge_driver_linux.c -@@ -459,19 +459,37 @@ networkRemoveFirewallRules(virNetworkObj *obj) - } else { - - if ((fw = virNetworkObjGetFwRemoval(obj)) == NULL) { -+ - /* No information about firewall rules in the network status, - * so we assume the old iptables-based rules from 10.2.0 and - * earlier. - */ - VIR_DEBUG("No firewall info in status of network '%s', assuming old-style iptables", def->name); - iptablesRemoveFirewallRules(def); -- return; -+ -+ } else { -+ -+ /* fwRemoval info was stored in the network status, so use that to -+ * remove the firewall -+ */ -+ VIR_DEBUG("Removing firewall rules of network '%s' using commands saved in status", def->name); -+ virFirewallApply(fw); - } -+ } - -- /* fwRemoval info was stored in the network status, so use that to -- * remove the firewall -- */ -- VIR_DEBUG("Removing firewall rules of network '%s' using commands saved in status", def->name); -- virFirewallApply(fw); -+ /* all forward modes could have had a zone set, even 'open' mode -+ * iff it was specified in the config. firewalld preserves the -+ * name of an interface in a zone's list even after the interface -+ * has been deleted, which is problematic if the next use of that -+ * same interface name wants *no* zone set. To avoid this, we must -+ * "unset" the zone if we set it when the network was started. -+ */ -+ if (virFirewallDIsRegistered() == 0 && -+ (def->forward.type != VIR_NETWORK_FORWARD_OPEN || -+ def->bridgeZone)) { -+ -+ VIR_DEBUG("unsetting zone for '%s' (current zone is '%s')", -+ def->bridge, def->bridgeZone); -+ virFirewallDInterfaceUnsetZone(def->bridge); - } - } -diff --git a/src/util/virfirewalld.c b/src/util/virfirewalld.c -index 827e201dbb..ca61ed5ac0 100644 ---- a/src/util/virfirewalld.c -+++ b/src/util/virfirewalld.c -@@ -449,6 +449,29 @@ virFirewallDInterfaceSetZone(const char *iface, - } - - -+int -+virFirewallDInterfaceUnsetZone(const char *iface) -+{ -+ GDBusConnection *sysbus = virGDBusGetSystemBus(); -+ g_autoptr(GVariant) message = NULL; -+ -+ if (!sysbus) -+ return -1; -+ -+ message = g_variant_new("(ss)", "", iface); -+ -+ return virGDBusCallMethod(sysbus, -+ NULL, -+ NULL, -+ NULL, -+ VIR_FIREWALL_FIREWALLD_SERVICE, -+ "/org/fedoraproject/FirewallD1", -+ "org.fedoraproject.FirewallD1.zone", -+ "removeInterface", -+ message); -+} -+ -+ - void - virFirewallDSynchronize(void) - { -diff --git a/src/util/virfirewalld.h b/src/util/virfirewalld.h -index 0e94d3507b..0dbe66d435 100644 ---- a/src/util/virfirewalld.h -+++ b/src/util/virfirewalld.h -@@ -46,4 +46,6 @@ int virFirewallDApplyRule(virFirewallLayer layer, - int virFirewallDInterfaceSetZone(const char *iface, - const char *zone); - -+int virFirewallDInterfaceUnsetZone(const char *iface); -+ - void virFirewallDSynchronize(void); --- -2.47.0 diff --git a/libvirt-network-a-different-way-of-supporting-firewalld-zone-for-mode-open-networks.patch b/libvirt-network-a-different-way-of-supporting-firewalld-zone-for-mode-open-networks.patch deleted file mode 100644 index d42e744..0000000 --- a/libvirt-network-a-different-way-of-supporting-firewalld-zone-for-mode-open-networks.patch +++ /dev/null @@ -1,168 +0,0 @@ -From 1801682651a8b3123d4e7a95b26055b521ce0818 Mon Sep 17 00:00:00 2001 -Message-ID: <1801682651a8b3123d4e7a95b26055b521ce0818.1728549391.git.jdenemar@redhat.com> -From: Laine Stump -Date: Fri, 4 Oct 2024 18:14:36 -0400 -Subject: [PATCH] network: a different way of supporting firewalld zone for - mode='open' networks - -Now that networkAddFirewallRules and networkRemoveFirewallRules() are -being called for mode='open' networks, we just need to move the code -that sets the zone outside of the if (mode != ...OPEN) clause, so that -it's done for all forward modes, with the exception of setting the -implied 'libvirt*' zones, which are set when no zone is specified for -all forward modes *except* 'open'. - -This was previously done in commit v10.7.0-76-g1a72b83d56, but in a -manner that caused the zone to be unset whenever firewalld reloaded -its rules. That patch was reverted, and this new better patch takes -its place. - -Replaces: 1a72b83d566df952033529001b0f88a66d7f4393 -Resolves: https://issues.redhat.com/browse/RHEL-61576 -Re-Resolves: https://gitlab.com/libvirt/libvirt/-/issues/215 -Signed-off-by: Laine Stump -Reviewed-by: Jiri Denemark -(cherry picked from commit cb4e38d4b1e947d0718232a59f964f35ad156c74) -Signed-off-by: Jiri Denemark ---- - src/network/bridge_driver_linux.c | 111 ++++++++++++++++-------------- - 1 file changed, 60 insertions(+), 51 deletions(-) - -diff --git a/src/network/bridge_driver_linux.c b/src/network/bridge_driver_linux.c -index 31feec9c9f..8956d38ab1 100644 ---- a/src/network/bridge_driver_linux.c -+++ b/src/network/bridge_driver_linux.c -@@ -337,6 +337,64 @@ networkAddFirewallRules(virNetworkDef *def, - virFirewallBackend firewallBackend, - virFirewall **fwRemoval) - { -+ /* If firewalld is running on the system, a firewalld zone is -+ * always set for the bridge device of all bridge-based managed -+ * networks of all forward modes *except* 'open', which is only -+ * set if specifically requested in the config. -+ */ -+ if (def->bridgeZone) { -+ -+ /* if a firewalld zone has been specified, fail/log an error -+ * if we can't honor it -+ */ -+ if (virFirewallDIsRegistered() < 0) { -+ virReportError(VIR_ERR_INTERNAL_ERROR, -+ _("zone %1$s requested for network %2$s but firewalld is not active"), -+ def->bridgeZone, def->name); -+ return -1; -+ } -+ -+ if (virFirewallDInterfaceSetZone(def->bridge, def->bridgeZone) < 0) -+ return -1; -+ -+ } else if (def->forward.type != VIR_NETWORK_FORWARD_OPEN) { -+ -+ /* if firewalld is active, try to set the "libvirt" zone by -+ * default (forward mode='open' networks have no zone set by -+ * default, but we honor it if one is specified). This is -+ * desirable (for consistency) if firewalld is using the -+ * iptables backend, but is necessary (for basic network -+ * connectivity) if firewalld is using the nftables backend -+ */ -+ if (virFirewallDIsRegistered() == 0) { -+ -+ /* if the "libvirt" zone exists, then set it. If not, and -+ * if firewalld is using the nftables backend, then we -+ * need to log an error because the combination of -+ * nftables + default zone means that traffic cannot be -+ * forwarded (and even DHCP and DNS from guest to host -+ * will probably no be permitted by the default zone -+ * -+ * Routed networks use a different zone and policy which we also -+ * need to verify exist. Probing for the policy guarantees the -+ * running firewalld has support for policies (firewalld >= 0.9.0). -+ */ -+ if (def->forward.type == VIR_NETWORK_FORWARD_ROUTE && -+ virFirewallDPolicyExists("libvirt-routed-out") && -+ virFirewallDZoneExists("libvirt-routed")) { -+ if (virFirewallDInterfaceSetZone(def->bridge, "libvirt-routed") < 0) -+ return -1; -+ } else if (virFirewallDZoneExists("libvirt")) { -+ if (virFirewallDInterfaceSetZone(def->bridge, "libvirt") < 0) -+ return -1; -+ } else { -+ virReportError(VIR_ERR_INTERNAL_ERROR, "%s", -+ _("firewalld can't find the 'libvirt' zone that should have been installed with libvirt")); -+ return -1; -+ } -+ } -+ } -+ - if (def->forward.type == VIR_NETWORK_FORWARD_OPEN) { - - VIR_DEBUG("No firewall rules to add for mode='open' network '%s'", def->name); -@@ -348,6 +406,7 @@ networkAddFirewallRules(virNetworkDef *def, - def->name, - virFirewallBackendTypeToString(firewallBackend)); - -+ /* one-time (per system boot) initialization */ - networkSetupPrivateChains(firewallBackend, false); - - if (errInitV4 && -@@ -365,57 +424,7 @@ networkAddFirewallRules(virNetworkDef *def, - return -1; - } - -- if (def->bridgeZone) { -- -- /* if a firewalld zone has been specified, fail/log an error -- * if we can't honor it -- */ -- if (virFirewallDIsRegistered() < 0) { -- virReportError(VIR_ERR_INTERNAL_ERROR, -- _("zone %1$s requested for network %2$s but firewalld is not active"), -- def->bridgeZone, def->name); -- return -1; -- } -- -- if (virFirewallDInterfaceSetZone(def->bridge, def->bridgeZone) < 0) -- return -1; -- -- } else { -- -- /* if firewalld is active, try to set the "libvirt" zone. This is -- * desirable (for consistency) if firewalld is using the iptables -- * backend, but is necessary (for basic network connectivity) if -- * firewalld is using the nftables backend -- */ -- if (virFirewallDIsRegistered() == 0) { -- -- /* if the "libvirt" zone exists, then set it. If not, and -- * if firewalld is using the nftables backend, then we -- * need to log an error because the combination of -- * nftables + default zone means that traffic cannot be -- * forwarded (and even DHCP and DNS from guest to host -- * will probably no be permitted by the default zone -- * -- * Routed networks use a different zone and policy which we also -- * need to verify exist. Probing for the policy guarantees the -- * running firewalld has support for policies (firewalld >= 0.9.0). -- */ -- if (def->forward.type == VIR_NETWORK_FORWARD_ROUTE && -- virFirewallDPolicyExists("libvirt-routed-out") && -- virFirewallDZoneExists("libvirt-routed")) { -- if (virFirewallDInterfaceSetZone(def->bridge, "libvirt-routed") < 0) -- return -1; -- } else if (virFirewallDZoneExists("libvirt")) { -- if (virFirewallDInterfaceSetZone(def->bridge, "libvirt") < 0) -- return -1; -- } else { -- virReportError(VIR_ERR_INTERNAL_ERROR, "%s", -- _("firewalld can't find the 'libvirt' zone that should have been installed with libvirt")); -- return -1; -- } -- } -- } -- -+ /* now actually add the rules */ - switch (firewallBackend) { - case VIR_FIREWALL_BACKEND_NONE: - virReportError(VIR_ERR_NO_SUPPORT, "%s", --- -2.47.0 diff --git a/libvirt-network-call-network-Add-Remove-FirewallRules-for-forward-mode-open.patch b/libvirt-network-call-network-Add-Remove-FirewallRules-for-forward-mode-open.patch deleted file mode 100644 index 49bc153..0000000 --- a/libvirt-network-call-network-Add-Remove-FirewallRules-for-forward-mode-open.patch +++ /dev/null @@ -1,333 +0,0 @@ -From 1c58e627b6825d53e875e3555ad7268499bb0ead Mon Sep 17 00:00:00 2001 -Message-ID: <1c58e627b6825d53e875e3555ad7268499bb0ead.1728549391.git.jdenemar@redhat.com> -From: Laine Stump -Date: Fri, 4 Oct 2024 17:17:59 -0400 -Subject: [PATCH] network: call network(Add|Remove)FirewallRules() for forward - mode='open' - -Previously networkAddFirewallRules() and networkRemoveFirewallRules() -were only called if the forward mode was none, 'route', or 'nat', so -those functions didn't check the forward mode. Although their current -contents shouldn't be executed for forward mode='open', soon they will -have extra functionality that should be executed for all the current -forward modes and also mode='open'. - -This patch modifies all places either of the functions are called to -make sure they are called for mode='open' in addition to current modes -(by either adding 'case ..._OPEN:' to the case of a switch statement, -or just removing an 'if (mode != ...OPEN)' around the calls; to -balance out for that, it puts the entirety of the contents of both -functions inside if (mode != ...OPEN) to retain current behavior. (an -upcoming patch will add code outside that if clause). - -debug log messages were also added to make it easier to test that the -right thing is being done in all cases. - -Signed-off-by: Laine Stump -Reviewed-by: Jiri Denemark -(cherry picked from commit d552d810b97d478675eac830164349d8a1a35e63) - -https://issues.redhat.com/browse/RHEL-61576 - -Signed-off-by: Jiri Denemark ---- - src/network/bridge_driver.c | 26 ++--- - src/network/bridge_driver_linux.c | 175 +++++++++++++++++------------- - 2 files changed, 110 insertions(+), 91 deletions(-) - -diff --git a/src/network/bridge_driver.c b/src/network/bridge_driver.c -index fe053f423a..f604b2695c 100644 ---- a/src/network/bridge_driver.c -+++ b/src/network/bridge_driver.c -@@ -1735,10 +1735,15 @@ networkReloadFirewallRulesHelper(virNetworkObj *obj, - case VIR_NETWORK_FORWARD_NONE: - case VIR_NETWORK_FORWARD_NAT: - case VIR_NETWORK_FORWARD_ROUTE: -- /* Only three of the L3 network types that are configured by -- * libvirt need to have iptables rules reloaded. The 4th L3 -- * network type, forward='open', doesn't need this because it -- * has no iptables rules. -+ case VIR_NETWORK_FORWARD_OPEN: -+ /* even 'open' forward type networks need to call -+ * networkAdd/RemoveFirewallRules() in spite of the fact -+ * that, by definition, libvirt doesn't add any firewall -+ * rules for those networks.. This is because libvirt -+ * *does* support explicitly naming (in the config) a -+ * firewalld zone the network's bridge should be added to, -+ * and this functionality is also handled by -+ * networkAdd/RemoveFirewallRules() - */ - networkRemoveFirewallRules(obj); - ignore_value(networkAddFirewallRules(def, cfg->firewallBackend, &fwRemoval)); -@@ -1746,7 +1751,6 @@ networkReloadFirewallRulesHelper(virNetworkObj *obj, - saveStatus = true; - break; - -- case VIR_NETWORK_FORWARD_OPEN: - case VIR_NETWORK_FORWARD_BRIDGE: - case VIR_NETWORK_FORWARD_PRIVATE: - case VIR_NETWORK_FORWARD_VEPA: -@@ -2000,10 +2004,8 @@ networkStartNetworkVirtual(virNetworkDriverState *driver, - goto error; - - /* Add "once per network" rules */ -- if (def->forward.type != VIR_NETWORK_FORWARD_OPEN && -- networkAddFirewallRules(def, cfg->firewallBackend, &fwRemoval) < 0) { -+ if (networkAddFirewallRules(def, cfg->firewallBackend, &fwRemoval) < 0) - goto error; -- } - - virNetworkObjSetFwRemoval(obj, fwRemoval); - firewalRulesAdded = true; -@@ -2119,8 +2121,7 @@ networkStartNetworkVirtual(virNetworkDriverState *driver, - if (devOnline) - ignore_value(virNetDevSetOnline(def->bridge, false)); - -- if (firewalRulesAdded && -- def->forward.type != VIR_NETWORK_FORWARD_OPEN) -+ if (firewalRulesAdded) - networkRemoveFirewallRules(obj); - - virNetworkObjUnrefMacMap(obj); -@@ -2158,8 +2159,7 @@ networkShutdownNetworkVirtual(virNetworkObj *obj) - - ignore_value(virNetDevSetOnline(def->bridge, false)); - -- if (def->forward.type != VIR_NETWORK_FORWARD_OPEN) -- networkRemoveFirewallRules(obj); -+ networkRemoveFirewallRules(obj); - - ignore_value(virNetDevBridgeDelete(def->bridge)); - -@@ -3307,6 +3307,7 @@ networkUpdate(virNetworkPtr net, - case VIR_NETWORK_FORWARD_NONE: - case VIR_NETWORK_FORWARD_NAT: - case VIR_NETWORK_FORWARD_ROUTE: -+ case VIR_NETWORK_FORWARD_OPEN: - switch (section) { - case VIR_NETWORK_SECTION_FORWARD: - case VIR_NETWORK_SECTION_FORWARD_INTERFACE: -@@ -3325,7 +3326,6 @@ networkUpdate(virNetworkPtr net, - } - break; - -- case VIR_NETWORK_FORWARD_OPEN: - case VIR_NETWORK_FORWARD_BRIDGE: - case VIR_NETWORK_FORWARD_PRIVATE: - case VIR_NETWORK_FORWARD_VEPA: -diff --git a/src/network/bridge_driver_linux.c b/src/network/bridge_driver_linux.c -index 5981e3bd19..31feec9c9f 100644 ---- a/src/network/bridge_driver_linux.c -+++ b/src/network/bridge_driver_linux.c -@@ -337,90 +337,101 @@ networkAddFirewallRules(virNetworkDef *def, - virFirewallBackend firewallBackend, - virFirewall **fwRemoval) - { -+ if (def->forward.type == VIR_NETWORK_FORWARD_OPEN) { - -- networkSetupPrivateChains(firewallBackend, false); -+ VIR_DEBUG("No firewall rules to add for mode='open' network '%s'", def->name); - -- if (errInitV4 && -- (virNetworkDefGetIPByIndex(def, AF_INET, 0) || -- virNetworkDefGetRouteByIndex(def, AF_INET, 0))) { -- virSetError(errInitV4); -- return -1; -- } -+ } else { - -- if (errInitV6 && -- (virNetworkDefGetIPByIndex(def, AF_INET6, 0) || -- virNetworkDefGetRouteByIndex(def, AF_INET6, 0) || -- def->ipv6nogw)) { -- virSetError(errInitV6); -- return -1; -- } -+ VIR_DEBUG("Adding firewall rules for mode='%s' network '%s' using %s", -+ virNetworkForwardTypeToString(def->forward.type), -+ def->name, -+ virFirewallBackendTypeToString(firewallBackend)); - -- if (def->bridgeZone) { -+ networkSetupPrivateChains(firewallBackend, false); - -- /* if a firewalld zone has been specified, fail/log an error -- * if we can't honor it -- */ -- if (virFirewallDIsRegistered() < 0) { -- virReportError(VIR_ERR_INTERNAL_ERROR, -- _("zone %1$s requested for network %2$s but firewalld is not active"), -- def->bridgeZone, def->name); -+ if (errInitV4 && -+ (virNetworkDefGetIPByIndex(def, AF_INET, 0) || -+ virNetworkDefGetRouteByIndex(def, AF_INET, 0))) { -+ virSetError(errInitV4); - return -1; - } - -- if (virFirewallDInterfaceSetZone(def->bridge, def->bridgeZone) < 0) -+ if (errInitV6 && -+ (virNetworkDefGetIPByIndex(def, AF_INET6, 0) || -+ virNetworkDefGetRouteByIndex(def, AF_INET6, 0) || -+ def->ipv6nogw)) { -+ virSetError(errInitV6); - return -1; -+ } - -- } else { -+ if (def->bridgeZone) { - -- /* if firewalld is active, try to set the "libvirt" zone. This is -- * desirable (for consistency) if firewalld is using the iptables -- * backend, but is necessary (for basic network connectivity) if -- * firewalld is using the nftables backend -- */ -- if (virFirewallDIsRegistered() == 0) { -- -- /* if the "libvirt" zone exists, then set it. If not, and -- * if firewalld is using the nftables backend, then we -- * need to log an error because the combination of -- * nftables + default zone means that traffic cannot be -- * forwarded (and even DHCP and DNS from guest to host -- * will probably no be permitted by the default zone -- * -- * Routed networks use a different zone and policy which we also -- * need to verify exist. Probing for the policy guarantees the -- * running firewalld has support for policies (firewalld >= 0.9.0). -+ /* if a firewalld zone has been specified, fail/log an error -+ * if we can't honor it - */ -- if (def->forward.type == VIR_NETWORK_FORWARD_ROUTE && -- virFirewallDPolicyExists("libvirt-routed-out") && -- virFirewallDZoneExists("libvirt-routed")) { -- if (virFirewallDInterfaceSetZone(def->bridge, "libvirt-routed") < 0) -- return -1; -- } else if (virFirewallDZoneExists("libvirt")) { -- if (virFirewallDInterfaceSetZone(def->bridge, "libvirt") < 0) -- return -1; -- } else { -- virReportError(VIR_ERR_INTERNAL_ERROR, "%s", -- _("firewalld can't find the 'libvirt' zone that should have been installed with libvirt")); -+ if (virFirewallDIsRegistered() < 0) { -+ virReportError(VIR_ERR_INTERNAL_ERROR, -+ _("zone %1$s requested for network %2$s but firewalld is not active"), -+ def->bridgeZone, def->name); - return -1; - } -+ -+ if (virFirewallDInterfaceSetZone(def->bridge, def->bridgeZone) < 0) -+ return -1; -+ -+ } else { -+ -+ /* if firewalld is active, try to set the "libvirt" zone. This is -+ * desirable (for consistency) if firewalld is using the iptables -+ * backend, but is necessary (for basic network connectivity) if -+ * firewalld is using the nftables backend -+ */ -+ if (virFirewallDIsRegistered() == 0) { -+ -+ /* if the "libvirt" zone exists, then set it. If not, and -+ * if firewalld is using the nftables backend, then we -+ * need to log an error because the combination of -+ * nftables + default zone means that traffic cannot be -+ * forwarded (and even DHCP and DNS from guest to host -+ * will probably no be permitted by the default zone -+ * -+ * Routed networks use a different zone and policy which we also -+ * need to verify exist. Probing for the policy guarantees the -+ * running firewalld has support for policies (firewalld >= 0.9.0). -+ */ -+ if (def->forward.type == VIR_NETWORK_FORWARD_ROUTE && -+ virFirewallDPolicyExists("libvirt-routed-out") && -+ virFirewallDZoneExists("libvirt-routed")) { -+ if (virFirewallDInterfaceSetZone(def->bridge, "libvirt-routed") < 0) -+ return -1; -+ } else if (virFirewallDZoneExists("libvirt")) { -+ if (virFirewallDInterfaceSetZone(def->bridge, "libvirt") < 0) -+ return -1; -+ } else { -+ virReportError(VIR_ERR_INTERNAL_ERROR, "%s", -+ _("firewalld can't find the 'libvirt' zone that should have been installed with libvirt")); -+ return -1; -+ } -+ } - } -- } - -- switch (firewallBackend) { -- case VIR_FIREWALL_BACKEND_NONE: -- virReportError(VIR_ERR_NO_SUPPORT, "%s", -- _("No firewall backend is available")); -- return -1; -+ switch (firewallBackend) { -+ case VIR_FIREWALL_BACKEND_NONE: -+ virReportError(VIR_ERR_NO_SUPPORT, "%s", -+ _("No firewall backend is available")); -+ return -1; - -- case VIR_FIREWALL_BACKEND_IPTABLES: -- return iptablesAddFirewallRules(def, fwRemoval); -+ case VIR_FIREWALL_BACKEND_IPTABLES: -+ return iptablesAddFirewallRules(def, fwRemoval); - -- case VIR_FIREWALL_BACKEND_NFTABLES: -- return nftablesAddFirewallRules(def, fwRemoval); -+ case VIR_FIREWALL_BACKEND_NFTABLES: -+ return nftablesAddFirewallRules(def, fwRemoval); - -- case VIR_FIREWALL_BACKEND_LAST: -- virReportEnumRangeError(virFirewallBackend, firewallBackend); -- return -1; -+ case VIR_FIREWALL_BACKEND_LAST: -+ virReportEnumRangeError(virFirewallBackend, firewallBackend); -+ return -1; -+ } - } - return 0; - } -@@ -429,21 +440,29 @@ networkAddFirewallRules(virNetworkDef *def, - void - networkRemoveFirewallRules(virNetworkObj *obj) - { -+ virNetworkDef *def = virNetworkObjGetDef(obj); - virFirewall *fw; - -- if ((fw = virNetworkObjGetFwRemoval(obj)) == NULL) { -- /* No information about firewall rules in the network status, -- * so we assume the old iptables-based rules from 10.2.0 and -- * earlier. -+ if (def->forward.type == VIR_NETWORK_FORWARD_OPEN) { -+ -+ VIR_DEBUG("No firewall rules to remove for mode='open' network '%s'", def->name); -+ -+ } else { -+ -+ if ((fw = virNetworkObjGetFwRemoval(obj)) == NULL) { -+ /* No information about firewall rules in the network status, -+ * so we assume the old iptables-based rules from 10.2.0 and -+ * earlier. -+ */ -+ VIR_DEBUG("No firewall info in status of network '%s', assuming old-style iptables", def->name); -+ iptablesRemoveFirewallRules(def); -+ return; -+ } -+ -+ /* fwRemoval info was stored in the network status, so use that to -+ * remove the firewall - */ -- VIR_DEBUG("No firewall info in network status, assuming old-style iptables"); -- iptablesRemoveFirewallRules(virNetworkObjGetDef(obj)); -- return; -+ VIR_DEBUG("Removing firewall rules of network '%s' using commands saved in status", def->name); -+ virFirewallApply(fw); - } -- -- /* fwRemoval info was stored in the network status, so use that to -- * remove the firewall -- */ -- VIR_DEBUG("Removing firewall rules with commands saved in network status"); -- virFirewallApply(fw); - } --- -2.47.0 diff --git a/libvirt.spec b/libvirt.spec index 84829e1..23ef3e8 100644 --- a/libvirt.spec +++ b/libvirt.spec @@ -19,7 +19,7 @@ %define arches_x86 %{ix86} x86_64 %define arches_systemtap_64bit %{arches_64bit} -%define arches_dmidecode %{arches_x86} +%define arches_dmidecode %{arches_x86} aarch64 riscv64 %define arches_xen %{arches_x86} aarch64 %if 0%{?fedora} %define arches_xen x86_64 aarch64 @@ -288,8 +288,8 @@ Summary: Library providing a simple virtualization API Name: libvirt -Version: 10.8.0 -Release: 2%{?dist}%{?extra_release} +Version: 10.9.0 +Release: 1%{?dist}%{?extra_release} License: GPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND OFL-1.1 URL: https://libvirt.org/ @@ -297,12 +297,6 @@ URL: https://libvirt.org/ %define mainturl stable_updates/ %endif Source: https://download.libvirt.org/%{?mainturl}libvirt-%{version}.tar.xz -Patch1: libvirt-Revert-network-un-set-the-firewalld-zone-while-shutting-down-a-network.patch -Patch2: libvirt-Revert-network-support-setting-firewalld-zone-for-bridge-device-of-open-networks.patch -Patch3: libvirt-network-call-network-Add-Remove-FirewallRules-for-forward-mode-open.patch -Patch4: libvirt-network-a-different-way-of-supporting-firewalld-zone-for-mode-open-networks.patch -Patch5: libvirt-network-a-different-implementation-of-un-setting-firewalld-zone-when-network-is-destroyed.patch - Requires: libvirt-daemon = %{version}-%{release} Requires: libvirt-daemon-config-network = %{version}-%{release} @@ -999,7 +993,6 @@ Requires: libvirt-daemon-driver-libxl = %{version}-%{release} Requires: libvirt-daemon-driver-interface = %{version}-%{release} Requires: libvirt-daemon-driver-network = %{version}-%{release} Requires: libvirt-daemon-driver-nodedev = %{version}-%{release} -Requires: libvirt-daemon-driver-nwfilter = %{version}-%{release} Requires: libvirt-daemon-driver-secret = %{version}-%{release} Requires: libvirt-daemon-driver-storage = %{version}-%{release} Requires: xen @@ -2048,7 +2041,7 @@ exit 0 %config(noreplace) %{_sysconfdir}/sasl2/libvirt.conf %dir %{_datadir}/libvirt/ %ghost %dir %{_rundir}/libvirt/ -%ghost %dir %{_rundir}/libvirt/common/ +%ghost %dir %attr(0700, root, root) %{_rundir}/libvirt/common/ %dir %attr(0755, root, root) %{_localstatedir}/lib/libvirt/ %dir %attr(0711, root, root) %{_localstatedir}/lib/libvirt/images/ %dir %attr(0711, root, root) %{_localstatedir}/lib/libvirt/filesystems/ @@ -2134,7 +2127,7 @@ exit 0 %{_unitdir}/virtinterfaced-ro.socket %{_unitdir}/virtinterfaced-admin.socket %attr(0755, root, root) %{_sbindir}/virtinterfaced -%ghost %dir %{_rundir}/libvirt/interface/ +%ghost %dir %attr(0700, root, root) %{_rundir}/libvirt/interface/ %{_libdir}/libvirt/connection-driver/libvirt_driver_interface.so %{_mandir}/man8/virtinterfaced.8* @@ -2176,7 +2169,7 @@ exit 0 %{_unitdir}/virtnodedevd-ro.socket %{_unitdir}/virtnodedevd-admin.socket %attr(0755, root, root) %{_sbindir}/virtnodedevd -%ghost %dir %{_rundir}/libvirt/nodedev/ +%ghost %dir %attr(0700, root, root) %{_rundir}/libvirt/nodedev/ %{_libdir}/libvirt/connection-driver/libvirt_driver_nodedev.so %{_mandir}/man8/virtnodedevd.8* @@ -2191,8 +2184,8 @@ exit 0 %attr(0755, root, root) %{_sbindir}/virtnwfilterd %dir %attr(0700, root, root) %{_sysconfdir}/libvirt/nwfilter/ %ghost %dir %{_rundir}/libvirt/network/ -%ghost %dir %{_rundir}/libvirt/nwfilter-binding/ -%ghost %dir %{_rundir}/libvirt/nwfilter/ +%ghost %dir %attr(0700, root, root) %{_rundir}/libvirt/nwfilter-binding/ +%ghost %dir %attr(0700, root, root) %{_rundir}/libvirt/nwfilter/ %{_libdir}/libvirt/connection-driver/libvirt_driver_nwfilter.so %{_mandir}/man8/virtnwfilterd.8* @@ -2206,7 +2199,7 @@ exit 0 %{_unitdir}/virtsecretd-admin.socket %attr(0755, root, root) %{_sbindir}/virtsecretd %dir %attr(0700, root, root) %{_sysconfdir}/libvirt/secrets/ -%ghost %dir %{_rundir}/libvirt/secrets/ +%ghost %dir %attr(0700, root, root) %{_rundir}/libvirt/secrets/ %{_libdir}/libvirt/connection-driver/libvirt_driver_secret.so %{_mandir}/man8/virtsecretd.8* @@ -2285,11 +2278,11 @@ exit 0 %config(noreplace) %{_sysconfdir}/libvirt/qemu.conf %config(noreplace) %{_sysconfdir}/libvirt/qemu-lockd.conf %config(noreplace) %{_sysconfdir}/logrotate.d/libvirtd.qemu -%ghost %dir %{_rundir}/libvirt/qemu/ -%ghost %dir %{_rundir}/libvirt/qemu/dbus/ -%ghost %dir %{_rundir}/libvirt/qemu/passt/ -%ghost %dir %{_rundir}/libvirt/qemu/slirp/ -%ghost %dir %{_rundir}/libvirt/qemu/swtpm/ +%ghost %dir %attr(0770, %{qemu_user}, %{qemu_group}) %{_rundir}/libvirt/qemu/ +%ghost %dir %attr(0770, %{qemu_user}, %{qemu_group}) %{_rundir}/libvirt/qemu/dbus/ +%ghost %dir %attr(0770, %{qemu_user}, %{qemu_group}) %{_rundir}/libvirt/qemu/passt/ +%ghost %dir %attr(0770, %{qemu_user}, %{qemu_group}) %{_rundir}/libvirt/qemu/slirp/ +%ghost %dir %attr(0770, %{qemu_user}, %{qemu_group}) %{_rundir}/libvirt/qemu/swtpm/ %dir %attr(0751, %{qemu_user}, %{qemu_group}) %{_localstatedir}/lib/libvirt/qemu/ %dir %attr(0751, %{qemu_user}, %{qemu_group}) %{_localstatedir}/lib/libvirt/qemu/checkpoint/ %dir %attr(0751, %{qemu_user}, %{qemu_group}) %{_localstatedir}/lib/libvirt/qemu/dump/ @@ -2628,6 +2621,12 @@ exit 0 %endif %changelog +* Fri Nov 1 2024 Jiri Denemark - 10.9.0-1 +- Rebased to libvirt-10.9.0 (RHEL-50574) +- The rebase also fixes the following bugs: + RHEL-7036, RHEL-7122, RHEL-35752, RHEL-46870, RHEL-52314 + RHEL-60030, RHEL-60033, RHEL-64341 + * Thu Oct 10 2024 Jiri Denemark - 10.8.0-2 - Revert "network: *un*set the firewalld zone while shutting down a network" (RHEL-61576) - Revert "network: support setting firewalld zone for bridge device of open networks" (RHEL-61576) diff --git a/sources b/sources index 77a3599..3d8cbfa 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (libvirt-10.8.0.tar.xz) = 4979565015d69d078e532944d1d1cdfbb28e2d5625168a80f7b56a323949cf6072c4b8cfb96b92dbae263ee166d1c514651455389f33c90d04cc615865009eee +SHA512 (libvirt-10.9.0.tar.xz) = e650ffaaa2a3cda9151a347759d6f248c4573ca4f04fc7faa3caf6a616f84b95b7da9fc62ac48b97b54a128eacf54debc44189e7387f161b8ed676d30c5de37d