dnl Process this file with autoconf to produce a configure script.
dnl Copyright (C) 2005-2015 Red Hat, Inc.
dnl
dnl This library is free software; you can redistribute it and/or
dnl modify it under the terms of the GNU Lesser General Public
dnl License as published by the Free Software Foundation; either
dnl version 2.1 of the License, or (at your option) any later version.
dnl
dnl This library is distributed in the hope that it will be useful,
dnl but WITHOUT ANY WARRANTY; without even the implied warranty of
dnl MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
dnl Lesser General Public License for more details.
dnl
dnl You should have received a copy of the GNU Lesser General Public
dnl License along with this library. If not, see
dnl <http://www.gnu.org/licenses/>.

AC_CONFIG_AUX_DIR([build-aux])
AC_CONFIG_MACRO_DIR([m4])

dnl Make automake keep quiet about wildcards & other GNUmake-isms
AM_INIT_AUTOMAKE([
  foreign
  -Wno-portability
  tar-pax
  no-dist-gzip
  dist-xz
  subdir-objects
])

dnl older automake's default of ARFLAGS=cru is noisy on newer binutils;
dnl we don't really need the 'u' even in older toolchains. Then there is
dnl older libtool, which spelled it AR_FLAGS
m4_divert_text([DEFAULTS], [: "${ARFLAGS=cr} ${AR_FLAGS=cr}"])

# Default to using the silent-rules feature when possible. Formatting
# chosen to bypass 'grep' checks that cause older automake to warn.
# Users (including rpm) can still change the default at configure time.
m4_ifndef([AM_SILENT_RULES],
 [m4_define([AM_SILENT_RULES],[])])AM_SILENT_RULES([yes])

AC_CANONICAL_HOST

LIBVIRT_ARG_WITH([PACKAGER], [Extra packager name], [no])
LIBVIRT_ARG_WITH([PACKAGER_VERSION], [Extra packager version], [no])
Imprint all logs with version + package build information

The logging functions are enhanced so that immediately prior to
the first log message being printed to any output channel, the
libvirt package version will be printed.

e.g.

  $ LIBVIRT_DEBUG=1 virsh
  18:13:28.013: 17536: info : libvirt version: 0.8.7
  18:13:28.013: 17536: debug : virInitialize:361 : register drivers
  ...

The 'configure' script gains two new arguments which can be
used as

  --with-packager="Fedora Project, x86-01.phx2.fedoraproject.org, 01-27-2011-18:00:10"
  --with-packager-version="1.fc14"

to allow distros to append a custom string with package specific
data.

The RPM specfile is modified so that it appends the RPM version,
the build host, the build date and the packager name.

e.g.

  $ LIBVIRT_DEBUG=1 virsh
  18:14:52.086: 17551: info : libvirt version: 0.8.7, package: 1.fc13 (Fedora Project, x86-01.phx2.fedoraproject.org, 01-27-2011-18:00:10)
  18:14:52.086: 17551: debug : virInitialize:361 : register drivers

Thus when distro packagers receive bug reports they can clearly
see what version was in use, even if the bug reporter mistakenly
or intentionally lies about version/builds.

* src/util/logging.c: Output version data prior to first log message
* libvirt.spec.in: Include RPM release, date, hostname & packager
* configure.ac: Add --with-packager & --with-packager-version args
2011-01-27 21:11:16 +03:00
if test "x$with_packager" != "xno"
then
  AC_DEFINE_UNQUOTED([PACKAGER], ["$with_packager"],
    [Extra package name])
fi
if test "x$with_packager_version" != "xno"
then
  AC_DEFINE_UNQUOTED([PACKAGER_VERSION], ["$with_packager_version"],
    [Extra package version])
fi

dnl Where we look for daemons and admin binaries during configure
LIBVIRT_SBIN_PATH="$PATH:/sbin:/usr/sbin:/usr/local/sbin"

dnl Checks for C compiler.
AC_PROG_CC
AC_PROG_INSTALL
AC_PROG_CPP

dnl get 64-int interfaces on 32-bit platforms
CFLAGS="$CFLAGS -D_FILE_OFFSET_BITS=64"

AC_TYPE_UID_T
Use gnulib, starting with its physmem and getaddrinfo modules.
New files go into these directories:
gnulib/lib
gnulib/m4
gnulib/tests
* bootstrap: A wrapper around gnulib-tool.
* configure.in: Invoke gl_EARLY and gl_INIT, being careful to put gl_EARLY
before any macro that uses AC_COMPILE_IFELSE.
(AC_OUTPUT): Add lib/Makefile and gl-tests/Makefile. Remove m4/Makefile.
* Makefile.am (SUBDIRS): Add gnulib/lib and remove m4. Add gnulib/tests
early enough that those tests run before any libvirt unit tests.
* m4/Makefile.am: Remove file. Not needed.
* src/Makefile.am (INCLUDES): Add -I$(top_srcdir)/gnulib/lib -I../gnulib/lib.
(LDADDS, libvirt_la_LIBADD): Add ../gnulib/lib/libgnu.la.
* src/nodeinfo.c: Include "physmem.h".
* qemud/qemud.c, src/remote_internal.c: Include "getaddrinfo.h".
(MEMINFO_PATH, linuxNodeInfoMemPopulate): Remove definitions.
(virNodeInfoPopulate): Use physmem_total, not linuxNodeInfoMemPopulate.
* tests/Makefile.am (INCLUDES): Add -I$(top_srcdir)/gnulib/lib -I../gnulib/lib.
(LDADDS): Add ../gnulib/lib/libgnu.la.
* qemud/Makefile.am (libvirtd_LDADD): Add ../gnulib/lib/libgnu.la.
* tests/nodeinfotest.c (linuxTestCompareFiles): No longer read total
memory from a file.
Update expected output not to include "Memory: NNNN"
* tests/nodeinfodata/linux-nodeinfo-1.txt:
* tests/nodeinfodata/linux-nodeinfo-2.txt:
* tests/nodeinfodata/linux-nodeinfo-3.txt:
* tests/nodeinfodata/linux-nodeinfo-4.txt:
* tests/nodeinfodata/linux-nodeinfo-5.txt:
* tests/nodeinfodata/linux-nodeinfo-6.txt:
* src/test.c [WITH_TEST]: Remove definition of _GNU_SOURCE that
would conflict with the one now in "config.h".
* autogen.sh: Add -I gnulib/m4.
* src/conf.c, src/sexpr.c: Don't define _GNU_SOURCE.
Instead, include "config.h".
* qemud/qemud.c: Remove definition of _GNU_SOURCE.
* src/openvz_driver.c: Likewise.
* src/qemu_driver.c: Likewise.
* src/remote_internal.c: Likewise.
* configure.in: Use AC_CONFIG_AUX_DIR(build-aux), so that a bunch
of gettextize-generated files go into build-aux/, rather than in
the top-level directory.
* .cvsignore: Adjust.
* build-aux/.cvsignore: New file.
Author: Jim Meyering <meyering@redhat.com>
2007-12-06 00:31:07 +03:00
dnl Support building Win32 DLLs (must appear *before* AM_PROG_LIBTOOL)
AC_LIBTOOL_WIN32_DLL

m4_ifndef([LT_INIT], [
  AM_PROG_LIBTOOL
], [
  LT_INIT([shared disable-static])
])

AM_PROG_CC_C_O
AM_PROG_LD
Prevent crash from dlclose() of libvirt.so

When libvirt calls virInitialize it creates a thread local
for the virErrorPtr storage, and registers a callback to
clean up memory when a thread exits. When libvirt is dlclose()d
or otherwise made non-resident, the callback function is
removed from memory, but the thread local may still exist
and if a thread later exits, it will invoke the callback
and SEGV. There may also be other thread locals with callbacks
pointing to libvirt code, so it is in general never safe to
unload libvirt.so from memory once initialized.

To allow dlclose() to succeed, but keep libvirt.so resident
in memory, link with '-z nodelete'. This issue was first
found with the libvirt CIM provider, but can potentially
hit many of the dynamic language bindings which all ultimately
involve dlopen() in some way, either on libvirt.so itself,
or on the glue code for the binding which in turn links
to libvirt.

* configure.ac, src/Makefile.am: Ensure libvirt.so is linked
  with -z nodelete
* cfg.mk, .gitignore, tests/Makefile.am, tests/shunloadhelper.c,
  tests/shunloadtest.c: A test case to unload libvirt while
  a thread is still running.
2011-09-01 20:57:06 +04:00
AC_MSG_CHECKING([for how to mark DSO non-deletable at runtime])
LIBVIRT_NODELETE=
`$LD --help 2>&1 | grep -- "-z nodelete" >/dev/null` && \
  LIBVIRT_NODELETE="-Wl,-z -Wl,nodelete"
AC_MSG_RESULT([$LIBVIRT_NODELETE])
AC_SUBST([LIBVIRT_NODELETE])

AC_MSG_CHECKING([for how to set DSO symbol versions])
case "$host" in
  *-*-mingw* | *-*-msvc* )
    # mingw's ld has the --version-script parameter, but it requires a .def file
    # instead to work properly, therefore clear --version-script here and use
    # -Wl, to pass the .def file to the linker
    VERSION_SCRIPT_FLAGS="-Wl,"
    ;;
  * )
    VERSION_SCRIPT_FLAGS=-Wl,--version-script=
    `$LD --help 2>&1 | grep -- --version-script >/dev/null` || \
      VERSION_SCRIPT_FLAGS="-Wl,-M -Wl,"
    ;;
esac
AC_MSG_RESULT([$VERSION_SCRIPT_FLAGS])
AC_SUBST([VERSION_SCRIPT_FLAGS])

dnl macOS has two-level namespaces by default.
dnl Override it to allow symbol replacement with DYLD_INSERT_LIBRARIES
case "$host" in
  *-*-darwin*)
    FLAT_NAMESPACE_FLAGS=-Wl,-flat_namespace
    ;;
  * )
    FLAT_NAMESPACE_FLAGS=""
    ;;
esac
AC_MSG_RESULT([$FLAT_NAMESPACE_FLAGS])
AC_SUBST([FLAT_NAMESPACE_FLAGS])
dnl Specify if we rely on ifconfig instead of iproute2 (e.g. in case
dnl we're working on BSD)
want_ifconfig=no

dnl Make some notes about which OS we're compiling for, as the lxc and qemu
dnl drivers require linux headers, and storage_mpath, dtrace, and nwfilter
dnl are also linux specific. The "network" and storage_fs drivers are known
dnl to not work on macOS presently, so we also make a note if compiling
dnl for that
with_linux=no with_macos=no with_freebsd=no with_win=no
case $host in
  *-*-linux*) with_linux=yes ;;
  *-*-darwin*) with_macos=yes ;;
  *-*-freebsd*) with_freebsd=yes ;;
  *-*-mingw* | *-*-msvc* ) with_win=yes ;;
esac

if test $with_linux = no; then
  if test "x$with_lxc" != xyes
  then
    with_lxc=no
  fi
  with_dtrace=no
  with_storage_scsi=no
fi

if test $with_freebsd = yes; then
  want_ifconfig=yes
  with_firewalld=no
fi

AM_CONDITIONAL([WITH_LINUX], [test "$with_linux" = "yes"])
AM_CONDITIONAL([WITH_FREEBSD], [test "$with_freebsd" = "yes"])
AM_CONDITIONAL([WITH_MACOS], [test "$with_macos" = "yes"])

if test "$with_win" = "yes" ; then
  # We don't support the daemon yet
  with_libvirtd=no
fi

# The daemon requires remote support. Likewise, if we are not using
# RPC, we don't need several libraries.
if test "$with_remote" = "no" ; then
  with_libvirtd=no
  with_ssh2=no
  with_sasl=no
  with_libssh=no
fi

# Stateful drivers are useful only when building the daemon.
if test "$with_libvirtd" = "no" ; then
  with_qemu=no
  with_lxc=no
  with_libxl=no
  with_vbox=no
fi

# Check for compiler and library settings.
LIBVIRT_COMPILE_WARNINGS
LIBVIRT_LINKER_RELRO
LIBVIRT_LINKER_NO_INDIRECT
LIBVIRT_LINKER_NO_UNDEFINED

LIBVIRT_ARG_APPARMOR
LIBVIRT_ARG_ATTR
LIBVIRT_ARG_AUDIT
LIBVIRT_ARG_BASH_COMPLETION
LIBVIRT_ARG_BLKID
LIBVIRT_ARG_CAPNG
LIBVIRT_ARG_CURL
LIBVIRT_ARG_DBUS
LIBVIRT_ARG_FIREWALLD
configure: selectively install a firewalld 'libvirt' zone

In the past (when both libvirt and firewalld used iptables), if either
libvirt's rules *OR* firewalld's rules accepted a packet, it would
be accepted. This was because libvirt and firewalld rules were
processed during the same kernel hook, and a single ACCEPT result
would terminate the rule traversal and cause the packet to be
accepted.

But now firewalld can use nftables for its backend, while libvirt's
firewall rules are still using iptables; iptables rules are still
processed, but at a different time during packet processing
(i.e. during a different hook) than the firewalld nftables rules. The
result is that a packet must be accepted by *BOTH* the libvirt
iptables rules *AND* the firewalld nftables rules in order to be
accepted.

This causes pain because

1) libvirt always adds rules to permit DNS and DHCP (and sometimes
TFTP) from guests to the host network's bridge interface. But
libvirt's bridges are in firewalld's "default" zone (which is usually
the zone called "public"). The public zone allows ssh, but doesn't
allow DNS, DHCP, or TFTP. So even though libvirt's rules allow the
DHCP and DNS traffic, the firewalld rules (now processed during a
different hook) don't, thus guests connected to libvirt's bridges can't
acquire an IP address from DHCP, nor can they make DNS queries to the
DNS server libvirt has set up on the host. (This could be solved by
modifying the default firewalld zone to allow DNS and DHCP, but that
would open *all* interfaces in the default zone to those services,
which is most likely not what the host's admin wants.)

2) Even though libvirt adds iptables rules to allow forwarded traffic
to pass the iptables hook, firewalld's higher level "rich rules" don't
yet have the ability to configure the acceptance of forwarded traffic
(traffic that is going somewhere beyond the host), so any traffic that
needs to be forwarded from guests to the network beyond the host is
rejected during the nftables hook by the default zone's "default
reject" policy (which rejects all traffic in the zone not specifically
allowed by the rules in the zone, whether that traffic is destined to
be forwarded or locally received by the host).

libvirt can't send "direct" nftables rules (firewalld only supports
direct/passthrough rules for iptables), so we can't solve this problem
by just sending explicit nftables rules instead of explicit iptables
rules (which, if it could be done, would place libvirt's rules in the
same hook as firewalld's native rules, and thus eliminate the need for
packets to be accepted by both libvirt's and firewalld's own rules).

However, we can take advantage of a quirk in firewalld zones that have
a default policy of "accept" (meaning any packet that doesn't match a
specific rule in the zone will be *accepted*) - this default accept will
also accept forwarded traffic (not just traffic destined for the host).

Of course we don't want to modify firewalld's default zone in that
way, because that would affect the filtering of traffic coming into
the host from other interfaces using that zone. Instead, we will
create a new zone called "libvirt". The libvirt zone will have a
default policy of accept so that forwarded traffic can pass and list
specific services that will be allowed into the host from guests (DNS,
DHCP, SSH, and TFTP).

But the same default accept policy that fixes forwarded traffic also
causes *all* traffic from guest to host to be accepted. To close this
new hole, the libvirt zone can take advantage of a new feature in
firewalld (currently slated for firewalld-0.7.0) - priorities for rich
rules - to add a low priority rule that rejects all local traffic (but
leaves alone all forwarded traffic).

So, our new zone will start with a list of services that are allowed
(dhcp, dns, tftp, and ssh to start, but configurable via any firewalld
management application, or direct editing of the zone file in
/etc/firewalld/zones/libvirt.xml), followed by a low priority
<reject/> rule (to reject all other traffic from guest to host), and
finally with a default policy of accept (to allow forwarded traffic).

This patch only creates the zonefile for the new zone, and implements
a configure.ac option to selectively enable/disable installation of
the new zone. A separate patch contains the necessary code to actually
place bridge interfaces in the libvirt zone.

Why do we need a configure option to disable installation of the new
libvirt zone? It uses a new firewalld attribute that sets the priority
of a rich rule; this feature first appears in firewalld-0.7.0 (unless
it has been backported to an earlier firewalld by a downstream
maintainer). If the file were installed on a system with firewalld
that didn't support rule priorities, firewalld would log an error
every time it restarted, causing confusion and lots of extra bug
reports.

So we add two new configure.ac switches to avoid polluting the system
logs with this error on systems that don't support rule priorities -
"--with-firewalld-zone" and "--without-firewalld-zone". A package
builder can use these to include/exclude the libvirt zone file in the
installation. If firewalld is enabled (--with-firewalld), the default
is --with-firewalld-zone, but it can be disabled during configure
(using --without-firewalld-zone). Targets that are using a firewalld
version too old to support the rule priority setting in the libvirt
zone file can simply add --without-firewalld-zone to their configure
command line.

These switches only affect whether or not the libvirt zone file is
*installed* in /usr/lib/firewalld/zones, but have no effect on whether
or not libvirt looks for a zone called libvirt and tries to use it.

NB: firewalld zones can only be added to the permanent config of
firewalld, and won't be loaded/enabled until firewalld is restarted,
so at package install/upgrade time we have to restart firewalld. For
rpm-based distros, this is done in the libvirt.spec file by calling
the %firewalld_restart rpm macro, which is a part of the
firewalld-filesystem package. (For distros that don't use rpm
packages, the command "firewall-cmd --reload" will have the same
effect).
Signed-off-by: Laine Stump <laine@laine.org>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
2019-01-26 07:52:37 +03:00
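An audit of a zone file laid out the way the commit message above describes, added here as an example rather than libvirt's own code or its shipped zone file: it parses the zone XML, lists the services exposed from guests to the host, confirms the ACCEPT target that lets forwarded traffic pass, and checks for the low priority catch-all <reject/> backstop, flagging the open variant that lacks it. The two zone documents are constructed samples; element and attribute names follow firewalld's zone file format, and the priority range is firewalld's.

```python
import xml.etree.ElementTree as ET

# Constructed sample zone laid out as the commit message describes; not a
# copy of libvirt's shipped zone file.
LIBVIRT_ZONE_XML = """<zone target="ACCEPT">
  <short>libvirt</short>
  <description>Constructed sample: zone for libvirt guest bridges.</description>
  <service name="dhcp"/>
  <service name="dns"/>
  <service name="ssh"/>
  <service name="tftp"/>
  <rule priority="32767">
    <reject/>
  </rule>
</zone>
"""

# Same idea with the low priority reject rule left out: forwarded traffic
# still passes, but every guest-to-host packet is now accepted as well.
OPEN_ZONE_XML = """<zone target="ACCEPT">
  <short>libvirt-open</short>
  <service name="dhcp"/>
  <service name="dns"/>
</zone>
"""

# firewalld rich-rule priorities run from -32768 to 32767; larger numbers are
# evaluated later, so 32767 is the last rule checked before the zone target.
LOWEST_PRIORITY = 32767

# Child elements that narrow a rich rule to particular traffic; a <reject/>
# rule carrying none of them matches everything that reaches it.
RULE_MATCH_TAGS = ("source", "destination", "service", "port", "protocol",
                   "icmp-block", "icmp-type", "forward-port", "source-port")


def audit_zone(xml_text):
    """Summarise what a zone lets through from guests to the host and
    whether forwarded traffic can pass."""
    root = ET.fromstring(xml_text)
    if root.tag != "zone":
        raise ValueError("not a firewalld zone file")

    # Without a target attribute firewalld applies its default target, which
    # rejects unmatched traffic; ACCEPT is what lets forwarded packets pass.
    target = root.get("target", "default")
    services = sorted(s.get("name") for s in root.findall("service"))

    catch_all_reject = None
    uses_priorities = False
    for rule in root.findall("rule"):
        if "priority" in rule.attrib:
            uses_priorities = True
        if rule.find("reject") is None:
            continue
        if any(rule.find(tag) is not None for tag in RULE_MATCH_TAGS):
            continue
        # Keep the lowest priority (largest number) catch-all reject: that is
        # the one acting as the backstop after the allowed services.
        prio = int(rule.get("priority", "0"))
        if catch_all_reject is None or prio > catch_all_reject:
            catch_all_reject = prio

    return {
        "target": target,
        "services": services,
        "forwarded_allowed": target == "ACCEPT",
        "catch_all_reject_priority": catch_all_reject,
        "host_limited_to_services": target == "ACCEPT" and catch_all_reject is not None,
        # Rule priorities are only understood by firewalld-0.7.0 or later.
        "needs_rule_priorities": uses_priorities,
    }


def zone_findings(xml_text):
    """Return human-readable findings about the zone's effective policy."""
    info = audit_zone(xml_text)
    findings = []
    if not info["forwarded_allowed"]:
        findings.append("target is not ACCEPT: forwarded guest traffic is "
                        "rejected by the zone's default policy")
    elif info["catch_all_reject_priority"] is None:
        findings.append("target ACCEPT without a catch-all <reject/> rule: all "
                        "guest-to-host traffic is accepted, not only "
                        + ", ".join(info["services"]))
    elif info["catch_all_reject_priority"] < LOWEST_PRIORITY:
        findings.append("catch-all reject is not at the lowest priority; rules "
                        "ordered after it are never reached")
    if info["needs_rule_priorities"]:
        findings.append("uses rich-rule priorities: needs firewalld-0.7.0 or "
                        "later, older versions log an error on restart")
    return findings


if __name__ == "__main__":
    for name, text in (("libvirt", LIBVIRT_ZONE_XML), ("open", OPEN_ZONE_XML)):
        print(name, audit_zone(text))
        for finding in zone_findings(text):
            print("  -", finding)
```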
LIBVIRT_ARG_FIREWALLD_ZONE
LIBVIRT_ARG_FUSE
LIBVIRT_ARG_GLUSTER
LIBVIRT_ARG_HAL
LIBVIRT_ARG_LIBISCSI
LIBVIRT_ARG_LIBPCAP
LIBVIRT_ARG_LIBSSH
LIBVIRT_ARG_LIBXML
LIBVIRT_ARG_MACVTAP
LIBVIRT_ARG_NETCF
LIBVIRT_ARG_NLS
LIBVIRT_ARG_NSS
LIBVIRT_ARG_NUMACTL
LIBVIRT_ARG_OPENWSMAN
LIBVIRT_ARG_PCIACCESS
LIBVIRT_ARG_PM_UTILS
LIBVIRT_ARG_POLKIT
LIBVIRT_ARG_READLINE
LIBVIRT_ARG_SANLOCK
LIBVIRT_ARG_SASL
LIBVIRT_ARG_SELINUX
LIBVIRT_ARG_SSH2
LIBVIRT_ARG_UDEV
LIBVIRT_ARG_VIRTUALPORT
LIBVIRT_ARG_WIRESHARK
LIBVIRT_ARG_YAJL

LIBVIRT_CHECK_ACL
LIBVIRT_CHECK_APPARMOR
LIBVIRT_CHECK_ATTR
LIBVIRT_CHECK_AUDIT
LIBVIRT_CHECK_BASH_COMPLETION
LIBVIRT_CHECK_BLKID
LIBVIRT_CHECK_CAPNG
LIBVIRT_CHECK_CURL
LIBVIRT_CHECK_DBUS
LIBVIRT_CHECK_DEVMAPPER
LIBVIRT_CHECK_DLOPEN
LIBVIRT_CHECK_FIREWALLD
LIBVIRT_CHECK_FIREWALLD_ZONE
LIBVIRT_CHECK_FUSE
LIBVIRT_CHECK_GLIB
LIBVIRT_CHECK_GLUSTER
LIBVIRT_CHECK_GNUTLS
LIBVIRT_CHECK_HAL
LIBVIRT_CHECK_LIBISCSI
LIBVIRT_CHECK_LIBNL
LIBVIRT_CHECK_LIBPARTED
LIBVIRT_CHECK_LIBPCAP
LIBVIRT_CHECK_LIBSSH
LIBVIRT_CHECK_LIBXML
LIBVIRT_CHECK_MACVTAP
LIBVIRT_CHECK_NETCF
LIBVIRT_CHECK_NLS
LIBVIRT_CHECK_NUMACTL
LIBVIRT_CHECK_NWFILTER
LIBVIRT_CHECK_OPENWSMAN
LIBVIRT_CHECK_PCIACCESS
LIBVIRT_CHECK_PM_UTILS
LIBVIRT_CHECK_POLKIT
LIBVIRT_CHECK_PTHREAD
LIBVIRT_CHECK_READLINE
LIBVIRT_CHECK_SANLOCK
LIBVIRT_CHECK_SASL
LIBVIRT_CHECK_SELINUX
LIBVIRT_CHECK_SSH2
LIBVIRT_CHECK_UDEV
LIBVIRT_CHECK_VIRTUALPORT
LIBVIRT_CHECK_WIRESHARK
LIBVIRT_CHECK_XDR
LIBVIRT_CHECK_YAJL

AC_CHECK_SIZEOF([long])
Adds CPU selection infrastructure

Each driver supporting CPU selection must fill in host CPU capabilities.
When filling them, drivers for hypervisors running on the same node as
libvirtd can use cpuNodeData() to obtain raw CPU data. Other drivers,
such as VMware, need to implement their own way of getting such data.
Raw data can be decoded into virCPUDefPtr using cpuDecode() function.

When implementing virConnectCompareCPU(), a hypervisor driver can just
call cpuCompareXML() function with host CPU capabilities.

For each guest for which a driver supports selecting CPU models, it must
set the appropriate feature in guest's capabilities:

    virCapabilitiesAddGuestFeature(guest, "cpuselection", 1, 0)

Actions needed when a domain is being created depend on whether the
hypervisor understands raw CPU data (currently CPUID for i686, x86_64
architectures) or symbolic names have to be used.

Typical use by hypervisors which prefer CPUID (such as VMware and Xen):
- convert guest CPU configuration from domain's XML into a set of raw
  data structures each representing one of the feature policies:

    cpuEncode(conn, architecture, guest_cpu_config,
              &forced_data, &required_data, &optional_data,
              &disabled_data, &forbidden_data)

- create a mask or whatever the hypervisor expects to see and pass it
  to the hypervisor

Typical use by hypervisors with symbolic model names (such as QEMU):
- get raw CPU data for a computed guest CPU:

    cpuGuestData(conn, host_cpu, guest_cpu_config, &data)

- decode raw data into virCPUDefPtr with a possible restriction on
  allowed model names:

    cpuDecode(conn, guest, data, n_allowed_models, allowed_models)

- pass guest->model and guest->features to the hypervisor

* src/cpu/cpu.c src/cpu/cpu.h src/cpu/cpu_generic.c
  src/cpu/cpu_generic.h src/cpu/cpu_map.c src/cpu/cpu_map.h
  src/cpu/cpu_x86.c src/cpu/cpu_x86.h src/cpu/cpu_x86_data.h
* configure.in: check for CPUID instruction
* src/Makefile.am: glue the new files in
* src/libvirt_private.syms: add new private symbols
* po/POTFILES.in: add new cpu files containing translatable strings
2009-12-18 18:02:11 +03:00
2010-12-24 05:26:15 +03:00
dnl Availability of various common functions (non-fatal if missing),
dnl and various less common threadsafe functions
2018-09-25 16:49:33 +03:00
AC_CHECK_FUNCS_ONCE([\
2020-07-08 16:39:36 +03:00
elf_aux_info \
2018-09-25 16:49:33 +03:00
fallocate \
2020-07-08 16:39:36 +03:00
getauxval \
2019-12-11 14:28:34 +03:00
getegid \
2018-09-25 16:49:33 +03:00
geteuid \
getgid \
2018-09-26 16:08:30 +03:00
getifaddrs \
2018-09-25 16:49:33 +03:00
getmntent_r \
getpwuid_r \
getrlimit \
getuid \
2019-08-08 11:16:48 +03:00
getutxid \
2018-09-25 16:49:33 +03:00
if_indextoname \
mmap \
newlocale \
posix_fallocate \
posix_memalign \
2020-01-24 18:21:00 +03:00
pipe2 \
2018-09-25 16:49:33 +03:00
prlimit \
sched_getaffinity \
2018-09-26 16:08:30 +03:00
sched_setscheduler \
2018-09-25 16:49:33 +03:00
setgroups \
setns \
setrlimit \
symlink \
sysctlbyname \
unshare \
])
2010-04-29 06:39:11 +04:00
2007-06-15 19:24:20 +04:00
dnl Availability of various common headers (non-fatal if missing).
AC_CHECK_HEADERS([\
  asm/hwcap.h \
  ifaddrs.h \
  libtasn1.h \
  util.h \
  libutil.h \
  linux/magic.h \
  mntent.h \
  net/ethernet.h \
  pty.h \
  pwd.h \
  stdarg.h \
  syslog.h \
  sys/ioctl.h \
  sys/mount.h \
  sys/syscall.h \
  sys/sysctl.h \
  sys/ucred.h \
  xlocale.h \
])

AC_CHECK_HEADERS([net/if.h], [], [], [[#include <sys/socket.h>]])

dnl Check whether endian provides handy macros.
AC_CHECK_DECLS([htole64], [], [], [[#include <endian.h>]])
virtestmock: Mock stat() properly
There is a lot to explain, but I try to make it as short as
possible. I'd start by pasting some parts of sys/stat.h:
  extern int stat (const char *__restrict __file,
                   struct stat *__restrict __buf) __THROW __nonnull ((1, 2));

  extern int __REDIRECT_NTH (stat, (const char *__restrict __file,
                                    struct stat *__restrict __buf), stat64)
       __nonnull ((1, 2));

  __extern_inline int
  __NTH (stat (const char *__path, struct stat *__statbuf))
  {
    return __xstat (_STAT_VER, __path, __statbuf);
  }
Only one of these is effective at once, due to some usage of
the mess we are dealing with in here. So, basically, while
compiling or linking stat() in our code can be transformed into
some other func. Or a dragon.
Now, if you read stat(2) manpage, esp. "C library/kernel
differences" section, you'll learn that glibc uses some tricks
for older applications to work. I haven't gotten around actual
code that does this, but based on my observations, if 'stat'
symbol is found, glibc assumes it's dealing with ancient
application. Unfortunately, it can be just our stat coming from
our mock. Therefore, calling stat() from a test will end up in
our mock. But since glibc is not exposing the symbol anymore, our
call of real_stat() will SIGSEGV immediately as the pointer to
function is NULL. Therefore, we should expose only those symbols
we know glibc has.
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
AC_CHECK_FUNCS([stat stat64 __xstat __xstat64 lstat lstat64 __lxstat __lxstat64])

AC_CHECK_TYPE([struct ifreq],
  [AC_DEFINE([HAVE_STRUCT_IFREQ],[1],
    [Defined if struct ifreq exists in net/if.h])],
  [], [[#include <sys/socket.h>
  #include <net/if.h>
  ]])

AC_CHECK_TYPE([struct sockpeercred],
  [AC_DEFINE([HAVE_STRUCT_SOCKPEERCRED], [1],
    [Defined if struct sockpeercred is available])],
  [], [[#include <sys/socket.h>
  ]])

AC_CHECK_DECLS([ETH_FLAG_TXVLAN, ETH_FLAG_NTUPLE, ETH_FLAG_RXHASH, ETH_FLAG_LRO,
                ETHTOOL_GGSO, ETHTOOL_GGRO, ETHTOOL_GFLAGS, ETHTOOL_GFEATURES,
                ETHTOOL_SCOALESCE, ETHTOOL_GCOALESCE],
  [], [], [[#include <linux/ethtool.h>
  ]])

AC_CHECK_DECLS([SEEK_HOLE], [], [],
  [#include <sys/types.h>
   #include <unistd.h>])

dnl Our only use of libtasn1.h is in the testsuite, and can be skipped
dnl if the header is not present. Assume -ltasn1 is present if the
dnl header could be found.
AM_CONDITIONAL([HAVE_LIBTASN1], [test "x$ac_cv_header_libtasn1_h" = "xyes"])
AC_CHECK_LIB([intl],[gettext],[])
AC_CHECK_LIB([util],[openpty],[])
dnl
dnl Check for external programs
dnl
LIBVIRT_CHECK_EXTERNAL_PROGRAMS
dnl
dnl Virtualization drivers check
dnl
LIBVIRT_DRIVER_ARG_QEMU
LIBVIRT_DRIVER_ARG_OPENVZ
LIBVIRT_DRIVER_ARG_VMWARE
LIBVIRT_DRIVER_ARG_LIBXL
LIBVIRT_DRIVER_ARG_VBOX
LIBVIRT_DRIVER_ARG_LXC
LIBVIRT_DRIVER_ARG_VZ
LIBVIRT_DRIVER_ARG_BHYVE
LIBVIRT_DRIVER_ARG_ESX
LIBVIRT_DRIVER_ARG_HYPERV
LIBVIRT_DRIVER_ARG_TEST
LIBVIRT_DRIVER_ARG_REMOTE
LIBVIRT_DRIVER_ARG_LIBVIRTD
LIBVIRT_DRIVER_ARG_NETWORK
LIBVIRT_DRIVER_ARG_INTERFACE

LIBVIRT_DRIVER_CHECK_QEMU
LIBVIRT_DRIVER_CHECK_OPENVZ
LIBVIRT_DRIVER_CHECK_VMWARE
LIBVIRT_DRIVER_CHECK_LIBXL
LIBVIRT_DRIVER_CHECK_VBOX
LIBVIRT_DRIVER_CHECK_LXC
LIBVIRT_DRIVER_CHECK_VZ
LIBVIRT_DRIVER_CHECK_BHYVE
LIBVIRT_DRIVER_CHECK_ESX
LIBVIRT_DRIVER_CHECK_HYPERV
LIBVIRT_DRIVER_CHECK_TEST
LIBVIRT_DRIVER_CHECK_REMOTE
LIBVIRT_DRIVER_CHECK_LIBVIRTD
LIBVIRT_DRIVER_CHECK_NETWORK
LIBVIRT_DRIVER_CHECK_INTERFACE

dnl
dnl in case someone wants to build static binaries
dnl STATIC_BINARIES="-static"
dnl
STATIC_BINARIES=
AC_SUBST([STATIC_BINARIES])

dnl
dnl Miscellaneous checks
dnl

LIBVIRT_ARG_DTRACE
LIBVIRT_ARG_NUMAD
LIBVIRT_ARG_INIT_SCRIPT
LIBVIRT_ARG_CHRDEV_LOCK_FILES
LIBVIRT_ARG_LOADER_NVRAM
LIBVIRT_ARG_LOGIN_SHELL
LIBVIRT_ARG_HOST_VALIDATE
LIBVIRT_ARG_TLS_PRIORITY
LIBVIRT_ARG_SYSCTL_CONFIG

LIBVIRT_CHECK_DTRACE
LIBVIRT_CHECK_NUMAD
LIBVIRT_CHECK_INIT_SCRIPT
LIBVIRT_CHECK_CHRDEV_LOCK_FILES
LIBVIRT_CHECK_LOADER_NVRAM
LIBVIRT_CHECK_LOGIN_SHELL
LIBVIRT_CHECK_HOST_VALIDATE
LIBVIRT_CHECK_TLS_PRIORITY
LIBVIRT_CHECK_SYSCTL_CONFIG
LIBVIRT_CHECK_NSS

dnl
dnl check for kvm headers
dnl
AC_CHECK_HEADERS([linux/kvm.h])

dnl
dnl check for kernel headers required by src/bridge.c
dnl
if test "$with_linux" = "yes"; then
  # Various kernel versions have headers that are not self-standing, yet
  # are incompatible with the corresponding glibc headers. In order
  # to guarantee compilation across a wide range of versions (from RHEL 5
  # to rawhide), we first have to probe whether glibc and kernel can be
  # used in tandem; and if not, provide workarounds that ensure that
  # ABI-compatible IPv6 types are present for use by the kernel headers.
  # These probes mirror the usage in virnetdevbridge.c
  AC_CACHE_CHECK(
    [whether <linux/*.h> and <netinet/*.h> headers are compatible],
    [lv_cv_netinet_linux_compatible],
    [AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
      #include <netinet/in.h>
      #include <linux/in6.h>
    ]])],
    [lv_cv_netinet_linux_compatible=yes],
    [lv_cv_netinet_linux_compatible=no])])
  if test "x$lv_cv_netinet_linux_compatible" != xyes; then
    AC_DEFINE([NETINET_LINUX_WORKAROUND], [1],
      [define to 1 if Linux kernel headers require a workaround to avoid
       compilation errors when mixed with glibc netinet headers])
  fi
  AC_CHECK_HEADERS([linux/param.h linux/sockios.h linux/if_bridge.h linux/if_tun.h],,
    [AC_MSG_ERROR([You must install kernel-headers in order to compile libvirt with QEMU or LXC support])],
    [[#include <netinet/in.h>
    #if NETINET_LINUX_WORKAROUND
    # define in6_addr in6_addr_
    # define sockaddr_in6 sockaddr_in6_
    # define ipv6_mreq ipv6_mreq_
    # define in6addr_any in6addr_any_
    # define in6addr_loopback in6addr_loopback_
    #endif
    #include <linux/in6.h>
    ]])
fi

dnl Need to test if pkg-config exists
PKG_PROG_PKG_CONFIG
dnl Security driver checks
LIBVIRT_SECDRIVER_ARG_SELINUX
LIBVIRT_SECDRIVER_ARG_APPARMOR

LIBVIRT_SECDRIVER_CHECK_SELINUX
LIBVIRT_SECDRIVER_CHECK_APPARMOR

LIBVIRT_ARG_WITH_FEATURE([SECRETS], [local secrets management driver], [yes])

if test "$with_libvirtd" = "no"; then
  with_secrets=no
fi
if test "$with_secrets" = "yes" ; then
  AC_DEFINE_UNQUOTED([WITH_SECRETS], 1, [whether local secrets management driver is available])
fi
AM_CONDITIONAL([WITH_SECRETS], [test "$with_secrets" = "yes"])

dnl
dnl Storage driver checks
dnl
LIBVIRT_STORAGE_ARG_DIR
LIBVIRT_STORAGE_ARG_FS
LIBVIRT_STORAGE_ARG_LVM
LIBVIRT_STORAGE_ARG_ISCSI
LIBVIRT_STORAGE_ARG_ISCSI_DIRECT
LIBVIRT_STORAGE_ARG_SCSI
LIBVIRT_STORAGE_ARG_MPATH
LIBVIRT_STORAGE_ARG_DISK
LIBVIRT_STORAGE_ARG_RBD
LIBVIRT_STORAGE_ARG_SHEEPDOG
LIBVIRT_STORAGE_ARG_GLUSTER
LIBVIRT_STORAGE_ARG_ZFS
LIBVIRT_STORAGE_ARG_VSTORAGE

if test "$with_libvirtd" = "no"; then
  with_storage_dir=no
  with_storage_fs=no
  with_storage_lvm=no
  with_storage_iscsi=no
  with_storage_iscsi_direct=no
  with_storage_scsi=no
  with_storage_mpath=no
  with_storage_disk=no
  with_storage_rbd=no
  with_storage_sheepdog=no
  with_storage_gluster=no
  with_storage_zfs=no
  with_storage_vstorage=no
fi

dnl storage-fs does not work on macOS
if test "$with_macos" = "yes"; then
  with_storage_fs=no
fi

LIBVIRT_STORAGE_CHECK_DIR
LIBVIRT_STORAGE_CHECK_FS
LIBVIRT_STORAGE_CHECK_LVM
LIBVIRT_STORAGE_CHECK_ISCSI
LIBVIRT_STORAGE_CHECK_ISCSI_DIRECT
LIBVIRT_STORAGE_CHECK_SCSI
LIBVIRT_STORAGE_CHECK_MPATH
LIBVIRT_STORAGE_CHECK_DISK
LIBVIRT_STORAGE_CHECK_RBD
LIBVIRT_STORAGE_CHECK_SHEEPDOG
LIBVIRT_STORAGE_CHECK_GLUSTER
LIBVIRT_STORAGE_CHECK_ZFS
LIBVIRT_STORAGE_CHECK_VSTORAGE

with_storage=no
for backend in dir fs lvm iscsi iscsi_direct scsi mpath rbd disk; do
  if eval test \$with_storage_$backend = yes; then
    with_storage=yes
    break
  fi
done
if test $with_storage = yes; then
  AC_DEFINE([WITH_STORAGE], [1],
    [Define to 1 if at least one storage backend is in use])
fi
AM_CONDITIONAL([WITH_STORAGE], [test "$with_storage" = "yes"])

dnl
dnl check for kernel headers required by btrfs ioctl
dnl
if test "$with_linux" = "yes"; then
  AC_CHECK_HEADERS([linux/btrfs.h])
fi

dnl
dnl check for xfs dev headers required by xfs ioctl
dnl
if test "$with_linux" = "yes"; then
  AC_CHECK_HEADERS([xfs/xfs.h])
fi

dnl
dnl check for DEVLINK_CMD_ESWITCH_GET
dnl
dnl Assume DEVLINK_ESWITCH_MODE_SWITCHDEV is also
dnl available, as it was introduced in kernel 4.8
dnl along with the original spelling of this constant
dnl (DEVLINK_CMD_ESWITCH_MODE_GET, not supported by libvirt)
dnl
if test "$with_linux" = "yes"; then
  AC_CHECK_HEADERS([linux/devlink.h])
  AC_CHECK_DECLS([DEVLINK_CMD_ESWITCH_GET], [], [],
    [[#include <linux/devlink.h>]])
fi

dnl
dnl check for VHOST_VSOCK_SET_GUEST_CID
dnl
if test "$with_linux" = "yes"; then
  AC_CHECK_DECLS([VHOST_VSOCK_SET_GUEST_CID], [], [],
    [[#include <linux/vhost.h>]])
fi

dnl Allow perl/python overrides
AC_PATH_PROGS([PYTHON], [python3])
if test -z "$PYTHON"; then
  AC_MSG_ERROR(['python3' binary is required to build libvirt])
fi
AC_DEFINE_UNQUOTED([PYTHON], "$PYTHON", [path to python binary])

AC_PATH_PROG([FLAKE8], [flake8])
if test -z "$FLAKE8"; then
  AC_MSG_WARN(['flake8' binary is required to check python code style])
fi

dnl Python3 < 3.7 treats the C locale as 7-bit only.
dnl We must force env vars so it treats it as UTF-8
dnl regardless of the user's locale.
RUNUTF8="LC_ALL= LANG=C LC_CTYPE=en_US.UTF-8"
AC_SUBST(RUNUTF8)
AC_PATH_PROG([PERL], [perl])
if test -z "$PERL"; then
  AC_MSG_ERROR(['perl' binary is required to build libvirt])
fi


LIBVIRT_ARG_ENABLE([EXPENSIVE_TESTS],
                   [set the default for enabling expensive tests ]
                   [(long timeouts), use VIR_TEST_EXPENSIVE to ]
                   [override during make],
                   [check])
case "$enable_expensive_tests" in
  0|no) VIR_TEST_EXPENSIVE_DEFAULT=0 ;;
  1|yes) VIR_TEST_EXPENSIVE_DEFAULT=1 ;;
  check) ;;
  *) AC_MSG_ERROR([bad value ${enable_expensive_tests} for enable-expensive-tests option]) ;;
esac
if test "$enable_expensive_tests" = check; then
build: add configure option to disable gnulib tests
The gnulib testsuite is relatively stable - the only times it is
likely to have a test change from pass to fail is on a gnulib
submodule update or a major system change (such as moving from
Fedora 18 to 19, or other large change to libc). While it is an
important test for end users on arbitrary machines (to make sure
that the portability glue works for their machine), it mostly
wastes time for development testing (as most developers aren't
making any of the major changes that would cause gnulib tests
to alter behavior). Thus, it pays to make the tests optional
at configure time, defaulting to off for development, on for
tarballs, with autobuilders requesting it to be on. It also
helps to allow a make-time override, via VIR_TEST_EXPENSIVE=[01]
(much the way automake sets up V=[01] for overriding the configure
time default of how verbose to be).
Automake has some pretty hard-coded magic with regards to the
TESTS variable; I had quite a job figuring out how to keep
'make distcheck' passing regardless of the configure option
setting in use, while still disabling the tests at runtime
when I did not configure them on and did not use the override
variable. Thankfully, we require GNU make, which lets me
hide some information from Automake's magic handling of TESTS.
* bootstrap.conf (bootstrap_epilogue): Munge gnulib test variable.
* configure.ac (--enable-expensive-tests): Add new enable switch.
(VIR_TEST_EXPENSIVE_DEFAULT, WITH_EXPENSIVE_TESTS): Set new
witnesses.
* gnulib/tests/Makefile.am (TESTS): Make tests conditional on
configure settings and the VIR_TEST_EXPENSIVE variable.
* tests/Makefile.am (TESTS_ENVIRONMENT): Expose VIR_TEST_EXPENSIVE
to all tests.
* autobuild.sh: Enable all tests during autobuilds.
* libvirt.spec.in (%configure): Likewise.
* mingw-libvirt.spec.in (%mingw_configure): Likewise.
* docs/hacking.html.in: Document the option.
* HACKING: Regenerate.
Signed-off-by: Eric Blake <eblake@redhat.com>
  if test -d $srcdir/.git ; then
    VIR_TEST_EXPENSIVE_DEFAULT=0
  else
    VIR_TEST_EXPENSIVE_DEFAULT=1
  fi
fi
AC_SUBST([VIR_TEST_EXPENSIVE_DEFAULT])
AM_CONDITIONAL([WITH_EXPENSIVE_TESTS], [test $VIR_TEST_EXPENSIVE_DEFAULT = 1])

LIBVIRT_ARG_ENABLE([TEST_COVERAGE], [turn on code coverage instrumentation], [no])
case "$enable_test_coverage" in
  yes|no) ;;
  *) AC_MSG_ERROR([bad value ${enable_test_coverage} for test-coverage option]) ;;
esac
if test "$enable_test_coverage" = yes; then
  save_WARN_CFLAGS=$WARN_CFLAGS
  WARN_CFLAGS=
  gl_WARN_ADD([-fprofile-arcs])
  gl_WARN_ADD([-ftest-coverage])
  COVERAGE_FLAGS=$WARN_CFLAGS
  AC_SUBST([COVERAGE_CFLAGS], [$COVERAGE_FLAGS])
  AC_SUBST([COVERAGE_LDFLAGS], [$COVERAGE_FLAGS])
  WARN_CFLAGS=$save_WARN_CFLAGS
fi
dnl MinGW checks
LIBVIRT_WIN_CHECK_COMMON
LIBVIRT_WIN_CHECK_MINGW
LIBVIRT_WIN_CHECK_SYMBOLS
LIBVIRT_WIN_CHECK_WINDRES

dnl Driver-Modules library support
LIBVIRT_CHECK_DRIVER_MODULES
# Set LV_LIBTOOL_OBJDIR to "." or $lt_cv_objdir, depending on whether
# we're building shared libraries. This is the name of the directory
# in which .o files will be created.
test "$enable_shared" = no && lt_cv_objdir=.
LV_LIBTOOL_OBJDIR=${lt_cv_objdir-.}
AC_SUBST([LV_LIBTOOL_OBJDIR])

with_nodedev=no;
if test "$with_hal" = "yes" || test "$with_udev" = "yes";
then
  with_nodedev=yes
  AC_DEFINE_UNQUOTED([WITH_NODE_DEVICES], 1, [with node device driver])
fi
AM_CONDITIONAL([WITH_NODE_DEVICES], [test "$with_nodedev" = "yes"])

dnl GET_VLAN_VID_CMD is required for virNetDevGetVLanID
AC_CHECK_DECLS([GET_VLAN_VID_CMD], [], [], [[#include <linux/if_vlan.h>]])
# Check for Linux vs. BSD ifreq members
AC_CHECK_MEMBERS([struct ifreq.ifr_newname,
                  struct ifreq.ifr_ifindex,
                  struct ifreq.ifr_index,
                  struct ifreq.ifr_hwaddr],
                 [], [],
                 [#include <sys/socket.h>
                  #include <net/if.h>
                 ])

# Check for BSD approach for setting MAC addr
AC_LINK_IFELSE([AC_LANG_PROGRAM(
    [[
        #include <sys/types.h>
        #include <sys/socket.h>
        #include <net/if_dl.h>
    ]],
    [[
        link_addr(0, 0)]])],
    [AC_DEFINE([HAVE_DECL_LINK_ADDR],
               [1],
               [whether link_addr is available])])

# Check for BSD approach for bridge management
AC_CHECK_DECLS([BRDGSFD, BRDGADD, BRDGDEL],
               [AC_DEFINE([HAVE_BSD_BRIDGE_MGMT],
                          [1],
                          [whether BSD style bridge management is available])],
               [],
               [#include <stdint.h>
                #include <net/if.h>
                #include <net/ethernet.h>
                #include <net/if_bridgevar.h>
               ])

# Check for BSD CPU affinity availability
AC_CHECK_DECLS([cpuset_getaffinity],
               [AC_DEFINE([HAVE_BSD_CPU_AFFINITY],
                          [1],
                          [whether BSD CPU affinity management is available])],
               [],
               [#include <sys/param.h>
                #include <sys/cpuset.h>
               ])

# Check for BSD kvm (kernel memory interface)
if test $with_freebsd = yes; then
  AC_CHECK_LIB([kvm], [kvm_getprocs], [],
               [AC_MSG_ERROR([BSD kernel memory interface library is required to build on FreeBSD])]
  )
fi

AC_CHECK_DECLS([clock_serv_t, host_get_clock_service, clock_get_time],
               [AC_DEFINE([HAVE_MACH_CLOCK_ROUTINES],
                          [1],
                          [whether Mach clock routines are available])],
               [],
               [#include <mach/clock.h>
                #include <mach/mach.h>
               ])

# Check if we have new enough kernel to support BPF devices for cgroups v2
if test "$with_linux" = "yes"; then
  AC_CHECK_DECLS([BPF_PROG_QUERY, BPF_CGROUP_DEVICE],
                 [], [], [#include <linux/bpf.h>])
fi

# Check if we need to look for ifconfig
if test "$want_ifconfig" = "yes"; then
  AC_PATH_PROG([IFCONFIG_PATH], [ifconfig])
  if test -z "$IFCONFIG_PATH"; then
    AC_MSG_ERROR([Failed to find ifconfig.])
  fi
  AC_DEFINE_UNQUOTED([IFCONFIG_PATH], "$IFCONFIG_PATH", [path to ifconfig binary])
fi

# Detect when running under the clang static analyzer's scan-build driver
# or Coverity-prevent's cov-build. Define STATIC_ANALYSIS accordingly.
AC_CACHE_CHECK([whether this build is done by a static analysis tool],
  [lv_cv_static_analysis], [
    lv_cv_static_analysis=no
    if test -n "${CCC_ANALYZER_ANALYSIS+set}" || \
       test -n "$COVERITY_BUILD_COMMAND$COVERITY_LD_PRELOAD"; then
      lv_cv_static_analysis=yes
    fi
  ])
t=0
test "x$lv_cv_static_analysis" = xyes && t=1
AC_DEFINE_UNQUOTED([STATIC_ANALYSIS], [$t],
  [Define to 1 when performing static analysis.])

GNUmakefile=GNUmakefile
m4_if(m4_version_compare([2.61a.100],
m4_defn([m4_PACKAGE_VERSION])), [1], [],
[AC_CONFIG_LINKS([$GNUmakefile:$GNUmakefile], [],
[GNUmakefile=$GNUmakefile])])
AC_CONFIG_FILES([run],
[chmod +x,-w run])
AC_CONFIG_FILES([\
makefile: Move include/Makefile.am to include/libvirt/Makefile.am
The reason for this is to fix the automatic rebuild of libvirt-common.h.in.
All *.in files should be automatically rebuilt each time they're modified.
It works well for makefiles and pkgconfig files, since they do have a valid
dependency in the top-level Makefile. However, with libvirt-common.h.in
there is no dependency in the top-level Makefile and there's no need for it
either, so this rule
  include/libvirt/libvirt-common.h: $(top_builddir)/config.status \
          $(top_srcdir)/include/libvirt/libvirt-common.h.in
          cd $(top_builddir) && $(SHELL) ./config.status $@
is never hit and should be moved to include/Makefile, but that's automake's
job. According to GNU automake docs:
"Files created by AC_CONFIG_FILES, be they
Automake Makefiles or not, are all removed by ‘make distclean’. Their inputs
are automatically distributed, unless they are the output of prior
AC_CONFIG_FILES commands. Finally, rebuild rules are generated in the Automake
Makefile existing in the subdirectory of the output file, if there is one, or
in the top-level Makefile otherwise."
Which means that if we want to have the rule for libvirt-common.h automatically
generated by automake, the include/Makefile.am needs to be moved into libvirt/
subdirectory and $SUBDIRS in the top-level Makefile need to be adjusted as
well. This patch moves Makefile.am from include/ to include/libvirt, adjusting
the prefixes accordingly as well as updates the top-level Makefile $SUBDIRS to
properly hint automake to generate all rules at proper places.
Best way to see the changes, use -M with 'git show'.
Signed-off-by: Erik Skultety <eskultet@redhat.com>
  Makefile src/Makefile include/libvirt/Makefile docs/Makefile \
  .color_coded \
  .ycm_extra_conf.py \
  libvirt.pc \
  libvirt-qemu.pc \
  libvirt-lxc.pc \
  libvirt-admin.pc \
  src/libvirt.pc \
  src/libvirt-qemu.pc \
  src/libvirt-lxc.pc \
  libvirt.spec mingw-libvirt.spec \
  po/Makefile \
  include/libvirt/libvirt-common.h \
  examples/Makefile \
  tests/Makefile \
  tools/Makefile])

AC_OUTPUT
AC_MSG_NOTICE([])
AC_MSG_NOTICE([Configuration summary])
AC_MSG_NOTICE([=====================])
AC_MSG_NOTICE([])
AC_MSG_NOTICE([Drivers])
AC_MSG_NOTICE([])
LIBVIRT_DRIVER_RESULT_QEMU
LIBVIRT_DRIVER_RESULT_OPENVZ
LIBVIRT_DRIVER_RESULT_VMWARE
LIBVIRT_DRIVER_RESULT_VBOX
LIBVIRT_DRIVER_RESULT_LIBXL
LIBVIRT_DRIVER_RESULT_LXC
LIBVIRT_DRIVER_RESULT_ESX
LIBVIRT_DRIVER_RESULT_HYPERV
LIBVIRT_DRIVER_RESULT_VZ
LIBVIRT_DRIVER_RESULT_BHYVE
LIBVIRT_DRIVER_RESULT_TEST
LIBVIRT_DRIVER_RESULT_REMOTE
LIBVIRT_DRIVER_RESULT_NETWORK
LIBVIRT_DRIVER_RESULT_LIBVIRTD
LIBVIRT_DRIVER_RESULT_INTERFACE
AC_MSG_NOTICE([])
AC_MSG_NOTICE([Storage Drivers])
AC_MSG_NOTICE([])
LIBVIRT_STORAGE_RESULT_DIR
LIBVIRT_STORAGE_RESULT_FS
LIBVIRT_STORAGE_RESULT_LVM
LIBVIRT_STORAGE_RESULT_ISCSI
LIBVIRT_STORAGE_RESULT_ISCSI_DIRECT
LIBVIRT_STORAGE_RESULT_SCSI
LIBVIRT_STORAGE_RESULT_MPATH
LIBVIRT_STORAGE_RESULT_DISK
LIBVIRT_STORAGE_RESULT_RBD
LIBVIRT_STORAGE_RESULT_SHEEPDOG
LIBVIRT_STORAGE_RESULT_GLUSTER
LIBVIRT_STORAGE_RESULT_ZFS
LIBVIRT_STORAGE_RESULT_VSTORAGE
AC_MSG_NOTICE([])
AC_MSG_NOTICE([Security Drivers])
AC_MSG_NOTICE([])
LIBVIRT_SECDRIVER_RESULT_SELINUX
LIBVIRT_SECDRIVER_RESULT_APPARMOR
AC_MSG_NOTICE([])
AC_MSG_NOTICE([Driver Loadable Modules])
AC_MSG_NOTICE([])
LIBVIRT_RESULT_DRIVER_MODULES
AC_MSG_NOTICE([])
AC_MSG_NOTICE([Libraries])
AC_MSG_NOTICE([])
LIBVIRT_RESULT_ACL
LIBVIRT_RESULT_APPARMOR
LIBVIRT_RESULT_ATTR
LIBVIRT_RESULT_AUDIT
LIBVIRT_RESULT_BASH_COMPLETION
LIBVIRT_RESULT_BLKID
LIBVIRT_RESULT_CAPNG
LIBVIRT_RESULT_CURL
LIBVIRT_RESULT_DBUS
LIBVIRT_RESULT_DLOPEN
LIBVIRT_RESULT_FIREWALLD
configure: selectively install a firewalld 'libvirt' zone
In the past (when both libvirt and firewalld used iptables), if either
libvirt's rules *OR* firewalld's rules accepted a packet, it would
be accepted. This was because libvirt and firewalld rules were
processed during the same kernel hook, and a single ACCEPT result
would terminate the rule traversal and cause the packet to be
accepted.
But now firewalld can use nftables for its backend, while libvirt's
firewall rules are still using iptables; iptables rules are still
processed, but at a different time during packet processing
(i.e. during a different hook) than the firewalld nftables rules. The
result is that a packet must be accepted by *BOTH* the libvirt
iptables rules *AND* the firewalld nftable rules in order to be
accepted.
This causes pain because
1) libvirt always adds rules to permit DNS and DHCP (and sometimes
TFTP) from guests to the host network's bridge interface. But
libvirt's bridges are in firewalld's "default" zone (which is usually
the zone called "public"). The public zone allows ssh, but doesn't
allow DNS, DHCP, or TFTP. So even though libvirt's rules allow the
DHCP and DNS traffic, the firewalld rules (now processed during a
different hook) don't, thus guests connected to libvirt's bridges can't
acquire an IP address from DHCP, nor can they make DNS queries to the
DNS server libvirt has setup on the host. (This could be solved by
modifying the default firewalld zone to allow DNS and DHCP, but that
would open *all* interfaces in the default zone to those services,
which is most likely not what the host's admin wants.)
2) Even though libvirt adds iptables rules to allow forwarded traffic
to pass the iptables hook, firewalld's higher level "rich rules" don't
yet have the ability to configure the acceptance of forwarded traffic
(traffic that is going somewhere beyond the host), so any traffic that
needs to be forwarded from guests to the network beyond the host is
rejected during the nftables hook by the default zone's "default
reject" policy (which rejects all traffic in the zone not specifically
allowed by the rules in the zone, whether that traffic is destined to
be forwarded or locally received by the host).
libvirt can't send "direct" nftables rules (firewalld only supports
direct/passthrough rules for iptables), so we can't solve this problem
by just sending explicit nftables rules instead of explicit iptables
rules (which, if it could be done, would place libvirt's rules in the
same hook as firewalld's native rules, and thus eliminate the need for
packets to be accepted by both libvirt's and firewalld's own rules).
However, we can take advantage of a quirk in firewalld zones that have
a default policy of "accept" (meaning any packet that doesn't match a
specific rule in the zone will be *accepted*) - this default accept will
also accept forwarded traffic (not just traffic destined for the host).
Of course we don't want to modify firewalld's default zone in that
way, because that would affect the filtering of traffic coming into
the host from other interfaces using that zone. Instead, we will
create a new zone called "libvirt". The libvirt zone will have a
default policy of accept so that forwarded traffic can pass and list
specific services that will be allowed into the host from guests (DNS,
DHCP, SSH, and TFTP).
But the same default accept policy that fixes forwarded traffic also
causes *all* traffic from guest to host to be accepted. To close this
new hole, the libvirt zone can take advantage of a new feature in
firewalld (currently slated for firewalld-0.7.0) - priorities for rich
rules - to add a low priority rule that rejects all local traffic (but
leaves alone all forwarded traffic).
So, our new zone will start with a list of services that are allowed
(dhcp, dns, tftp, and ssh to start, but configurable via any firewalld
management application, or direct editing of the zone file in
/etc/firewalld/zones/libvirt.xml), followed by a low priority
<reject/> rule (to reject all other traffic from guest to host), and
finally with a default policy of accept (to allow forwarded traffic).
This patch only creates the zonefile for the new zone, and implements
a configure.ac option to selectively enable/disable installation of
the new zone. A separate patch contains the necessary code to actually
place bridge interfaces in the libvirt zone.
Why do we need a configure option to disable installation of the new
libvirt zone? It uses a new firewalld attribute that sets the priority
of a rich rule; this feature first appears in firewalld-0.7.0 (unless
it has been backported to an earlier firewalld by a downstream
maintainer). If the file were installed on a system with firewalld
that didn't support rule priorities, firewalld would log an error
every time it restarted, causing confusion and lots of extra bug
reports.
So we add two new configure.ac switches to avoid polluting the system
logs with this error on systems that don't support rule priorities -
"--with-firewalld-zone" and "--without-firewalld-zone". A package
builder can use these to include/exclude the libvirt zone file in the
installation. If firewalld is enabled (--with-firewalld), the default
is --with-firewalld-zone, but it can be disabled during configure
(using --without-firewalld-zone). Targets that are using a firewalld
version too old to support the rule priority setting in the libvirt
zone file can simply add --without-firewalld-zone to their configure
commandline.
These switches only affect whether or not the libvirt zone file is
*installed* in /usr/lib/firewalld/zones, but have no effect on whether
or not libvirt looks for a zone called libvirt and tries to use it.
NB: firewalld zones can only be added to the permanent config of
firewalld, and won't be loaded/enabled until firewalld is restarted,
so at package install/upgrade time we have to restart firewalld. For
rpm-based distros, this is done in the libvirt.spec file by calling
the %firewalld_restart rpm macro, which is a part of the
firewalld-filesystem package. (For distros that don't use rpm
packages, the command "firewalld-cmd --reload" will have the same
effect).
Signed-off-by: Laine Stump <laine@laine.org>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
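The zone layout the commit message above describes, written out as an added example of a firewalld zone file. This is illustrative code, not the libvirt.xml that libvirt itself ships (that file's exact contents are not on this page); the description text and the priority value 32767 are assumptions. The ordering is the point: the permitted services come first, a rich rule with the lowest possible priority rejects any other traffic addressed to the host, and the zone target is ACCEPT so that traffic merely forwarded through the host's bridge is not caught by the reject.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example of the zone design described above; not libvirt's own file. -->
<!-- target="ACCEPT" is the zone's default policy: it is what lets forwarded
     guest traffic pass through the host bridge. -->
<zone target="ACCEPT">
  <short>libvirt</short>
  <description>
    Example zone for libvirt bridge interfaces (assumed wording). Only the
    listed services may reach the host from guests; all other host-bound
    traffic is rejected by the low-priority rule below, while forwarded
    traffic is accepted by the zone target.
  </description>

  <!-- Services guests are allowed to reach on the host itself. -->
  <service name="dhcp"/>
  <service name="dns"/>
  <service name="ssh"/>
  <service name="tftp"/>

  <!-- Rich-rule priorities (firewalld >= 0.7.0) range from -32768 to 32767;
       lower numbers are evaluated first. 32767 (an assumed value) therefore
       makes this the last rule, so it only sees host-bound traffic that no
       service entry above matched. Without the priority attribute the
       reject would run before the service rules and block them too, and on
       a firewalld too old to know the attribute the file fails to load. -->
  <rule priority="32767">
    <reject/>
  </rule>
</zone>
```

Because zone files are read only from the permanent configuration, the file takes effect only after a reload or restart; after that, `firewall-cmd --zone=libvirt --list-all` shows the services, the rich rule and the target together, which is a quick way to confirm that the reject rule was accepted with its priority rather than dropped with a parse error in the firewalld log.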
2019-01-26 07:52:37 +03:00
LIBVIRT_RESULT_FIREWALLD_ZONE
2013-01-09 01:06:57 +04:00
LIBVIRT_RESULT_FUSE
2019-07-30 12:13:36 +03:00
LIBVIRT_RESULT_GLIB
2013-11-20 03:26:05 +04:00
LIBVIRT_RESULT_GLUSTER
2016-11-10 16:33:41 +03:00
LIBVIRT_RESULT_GNUTLS
2012-09-20 18:39:12 +04:00
LIBVIRT_RESULT_HAL
2018-07-31 11:44:20 +03:00
LIBVIRT_RESULT_LIBISCSI
2016-12-12 12:07:24 +03:00
LIBVIRT_RESULT_LIBNL
2016-12-09 13:01:47 +03:00
LIBVIRT_RESULT_LIBPCAP
2016-11-09 17:28:35 +03:00
LIBVIRT_RESULT_LIBSSH
2016-12-12 18:18:02 +03:00
LIBVIRT_RESULT_LIBXL
2016-12-19 17:11:06 +03:00
LIBVIRT_RESULT_LIBXML
2016-12-12 11:59:15 +03:00
LIBVIRT_RESULT_MACVTAP
2012-09-20 18:14:52 +04:00
LIBVIRT_RESULT_NETCF
2018-04-03 18:39:17 +03:00
LIBVIRT_RESULT_NLS
2016-11-10 16:33:41 +03:00
LIBVIRT_RESULT_NSS
2012-09-20 16:47:23 +04:00
LIBVIRT_RESULT_NUMACTL
2013-01-09 02:08:53 +04:00
LIBVIRT_RESULT_OPENWSMAN
2012-09-20 18:34:13 +04:00
LIBVIRT_RESULT_PCIACCESS
2016-12-12 12:12:13 +03:00
LIBVIRT_RESULT_PM_UTILS
2016-12-12 10:05:18 +03:00
LIBVIRT_RESULT_POLKIT
2016-12-07 17:44:08 +03:00
LIBVIRT_RESULT_RBD
2013-05-02 06:54:57 +04:00
LIBVIRT_RESULT_READLINE
2012-09-20 16:04:57 +04:00
LIBVIRT_RESULT_SANLOCK
2012-09-20 16:06:12 +04:00
LIBVIRT_RESULT_SASL
2012-09-20 16:21:48 +04:00
LIBVIRT_RESULT_SELINUX
2013-01-09 01:47:55 +04:00
LIBVIRT_RESULT_SSH2
2012-09-20 18:34:13 +04:00
LIBVIRT_RESULT_UDEV
2016-12-13 14:40:48 +03:00
LIBVIRT_RESULT_VIRTUALPORT
2016-12-13 14:40:30 +03:00
LIBVIRT_RESULT_XDR
2012-09-20 16:03:27 +04:00
LIBVIRT_RESULT_YAJL
2016-12-15 13:48:38 +03:00
AC_MSG_NOTICE([])
AC_MSG_NOTICE([Windows])
AC_MSG_NOTICE([])
LIBVIRT_WIN_RESULT_COMMON
2016-12-06 15:57:12 +03:00
LIBVIRT_WIN_RESULT_WINDRES
2007-09-19 03:36:30 +04:00
AC_MSG_NOTICE([])
2008-05-29 19:13:07 +04:00
AC_MSG_NOTICE([Test suite])
AC_MSG_NOTICE([])
2019-09-07 13:44:31 +03:00
LIBVIRT_RESULT([Coverage], [$enable_test_coverage])
2008-05-29 19:13:07 +04:00
AC_MSG_NOTICE([])
2007-09-19 03:36:30 +04:00
AC_MSG_NOTICE([Miscellaneous])
AC_MSG_NOTICE([])
2019-09-07 13:44:31 +03:00
LIBVIRT_RESULT([Use -Werror], [$enable_werror])
LIBVIRT_RESULT([Warning Flags], [$WARN_CFLAGS])
2016-11-30 16:34:57 +03:00
LIBVIRT_RESULT_DTRACE
2016-12-12 15:54:35 +03:00
LIBVIRT_RESULT_NUMAD
2016-05-02 14:27:47 +03:00
LIBVIRT_RESULT_INIT_SCRIPT
2016-12-13 15:45:25 +03:00
LIBVIRT_RESULT_CHRDEV_LOCK_FILES
2016-12-15 15:39:21 +03:00
LIBVIRT_RESULT_LOADER_NVRAM
2016-12-14 18:51:30 +03:00
LIBVIRT_RESULT_LOGIN_SHELL
LIBVIRT_RESULT_HOST_VALIDATE
2016-12-14 18:33:57 +03:00
LIBVIRT_RESULT_TLS_PRIORITY
2007-09-19 03:36:30 +04:00
AC_MSG_NOTICE([])
2014-01-15 21:06:58 +04:00
AC_MSG_NOTICE([Developer Tools])
AC_MSG_NOTICE([])
2016-12-13 14:40:05 +03:00
LIBVIRT_RESULT_WIRESHARK
2014-01-15 21:06:58 +04:00
AC_MSG_NOTICE([])
2009-07-16 01:25:01 +04:00
AC_MSG_NOTICE([Privileges])
AC_MSG_NOTICE([])
2016-12-12 17:35:07 +03:00
LIBVIRT_RESULT_QEMU_PRIVILEGES
2009-07-24 18:17:06 +04:00
AC_MSG_NOTICE([])