2005-11-02 06:50:21 -06:00
|
|
|
dnl Process this file with autoconf to produce a configure script.
|
2007-09-18 18:46:18 -05:00
|
|
|
|
2015-01-08 08:36:54 -06:00
|
|
|
dnl Copyright (C) 2005-2015 Red Hat, Inc.
|
2013-05-14 18:42:12 -05:00
|
|
|
dnl
|
|
|
|
dnl This library is free software; you can redistribute it and/or
|
|
|
|
dnl modify it under the terms of the GNU Lesser General Public
|
|
|
|
dnl License as published by the Free Software Foundation; either
|
|
|
|
dnl version 2.1 of the License, or (at your option) any later version.
|
|
|
|
dnl
|
|
|
|
dnl This library is distributed in the hope that it will be useful,
|
|
|
|
dnl but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
dnl MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
|
|
|
dnl Lesser General Public License for more details.
|
|
|
|
dnl
|
|
|
|
dnl You should have received a copy of the GNU Lesser General Public
|
|
|
|
dnl License along with this library. If not, see
|
|
|
|
dnl <http://www.gnu.org/licenses/>.
|
2011-07-28 13:56:24 -05:00
|
|
|
|
2008-05-22 10:34:02 -05:00
|
|
|
dnl Keep the auxiliary build scripts in build-aux/ instead of the
dnl top-level directory, and read local macro definitions from m4/.
AC_CONFIG_AUX_DIR([build-aux])
AC_CONFIG_MACRO_DIR([m4])
|
2019-04-02 19:21:28 -05:00
|
|
|
dnl Make automake keep quiet about wildcards & other GNUmake-isms
dnl (that is the -Wno-portability entry).  The other options: foreign
dnl relaxes the GNU file-layout requirements, tar-pax selects the pax
dnl archive format, no-dist-gzip plus dist-xz make the distribution
dnl tarball xz-only, and subdir-objects places each object file next
dnl to its source.
AM_INIT_AUTOMAKE([
    foreign
    -Wno-portability
    tar-pax
    no-dist-gzip
    dist-xz
    subdir-objects
])
|
2015-06-02 10:17:43 -05:00
|
|
|
dnl older automake's default of ARFLAGS=cru is noisy on newer binutils;
dnl we don't really need the 'u' even in older toolchains.  Then there is
dnl older libtool, which spelled it AR_FLAGS
dnl The ${VAR=value} form assigns only when the variable is unset, so a
dnl value passed in by whoever runs configure is left untouched.
m4_divert_text([DEFAULTS], [: "${ARFLAGS=cr} ${AR_FLAGS=cr}"])
|
2009-07-08 04:51:59 -05:00
|
|
|
|
2013-09-04 11:26:30 -05:00
|
|
|
# Default to using the silent-rules feature when possible.  Formatting
# chosen to bypass 'grep' checks that cause older automake to warn.
# Users (including rpm) can still change the default at configure time.
dnl When the macro is unknown it is first defined as empty, so the call
dnl that follows on the same line expands to nothing.  Keep both on the
dnl lines exactly as written; the layout is deliberate (see above).
m4_ifndef([AM_SILENT_RULES],
 [m4_define([AM_SILENT_RULES],[])])AM_SILENT_RULES([yes])
|
2009-07-08 04:51:59 -05:00
|
|
|
|
2005-11-02 06:50:21 -06:00
|
|
|
dnl Computes the canonical host triplet; the result is read as $host by
dnl the OS detection further down.
AC_CANONICAL_HOST

dnl Where we look for daemons and admin binaries during configure
dnl NOTE(review): the caller's $PATH comes first, ahead of the system
dnl sbin directories, so the first match in the builder's environment
dnl wins.  The consumers of this variable are not visible here; if they
dnl record the resolved locations in the build, run configure with a
dnl trusted PATH and review the detected paths for packaged builds.
LIBVIRT_SBIN_PATH="$PATH:/sbin:/usr/sbin:/usr/local/sbin"
|
2007-09-18 20:56:55 -05:00
|
|
|
|
2007-11-29 11:41:57 -06:00
|
|
|
dnl Checks for C compiler.
AC_PROG_CC
AC_PROG_INSTALL
AC_PROG_CPP

dnl get 64-bit file-offset interfaces on 32-bit platforms
dnl The define is appended to whatever CFLAGS the caller supplied, so
dnl it applies to every compile, including the configure test programs.
CFLAGS="$CFLAGS -D_FILE_OFFSET_BITS=64"

dnl Provides uid_t and gid_t when the system headers do not declare them.
AC_TYPE_UID_T
|
Use gnulib, starting with its physmem and getaddrinfo modules.
New files go into these directories:
gnulib/lib
gnulib/m4
gnulib/tests
* bootstrap: A wrapper around gnulib-tool.
* configure.in: Invoke gl_EARLY and gl_INIT, being careful to put gl_EARLY
before any macro that uses AC_COMPILE_IFELSE.
(AC_OUTPUT): Add lib/Makefile and gl-tests/Makefile. Remove m4/Makefile.
* Makefile.am (SUBDIRS): Add gnulib/lib and remove m4. Add gnulib/tests
early enough that those tests run before any libvirt unit tests.
* m4/Makefile.am: Remove file. Not needed.
* src/Makefile.am (INCLUDES): Add -I$(top_srcdir)/gnulib/lib -I../gnulib/lib.
(LDADDS, libvirt_la_LIBADD): Add ../gnulib/lib/libgnu.la.
* src/nodeinfo.c: Include "physmem.h".
* qemud/qemud.c, src/remote_internal.c: Include "getaddrinfo.h".
(MEMINFO_PATH, linuxNodeInfoMemPopulate): Remove definitions.
(virNodeInfoPopulate): Use physmem_total, not linuxNodeInfoMemPopulate.
* tests/Makefile.am (INCLUDES): Add -I$(top_srcdir)/gnulib/lib -I../gnulib/lib.
(LDADDS): Add ../gnulib/lib/libgnu.la.
* qemud/Makefile.am (libvirtd_LDADD): Add ../gnulib/lib/libgnu.la.
* tests/nodeinfotest.c (linuxTestCompareFiles): No longer read total
memory from a file.
Update expected output not to include "Memory: NNNN"
* tests/nodeinfodata/linux-nodeinfo-1.txt:
* tests/nodeinfodata/linux-nodeinfo-2.txt:
* tests/nodeinfodata/linux-nodeinfo-3.txt:
* tests/nodeinfodata/linux-nodeinfo-4.txt:
* tests/nodeinfodata/linux-nodeinfo-5.txt:
* tests/nodeinfodata/linux-nodeinfo-6.txt:
* src/test.c [WITH_TEST]: Remove definition of _GNU_SOURCE that
would conflict with the one now in "config.h".
* autogen.sh: Add -I gnulib/m4.
* src/conf.c, src/sexpr.c: Don't define _GNU_SOURCE.
Instead, include "config.h".
* qemud/qemud.c: Remove definition of _GNU_SOURCE.
* src/openvz_driver.c: Likewise.
* src/qemu_driver.c: Likewise.
* src/remote_internal.c: Likewise.
* configure.in: Use AC_CONFIG_AUX_DIR(build-aux), so that a bunch
of gettextize-generated files go into build-aux/, rather than in
the top-level directory.
* .cvsignore: Adjust.
* build-aux/.cvsignore: New file.
Author: Jim Meyering <meyering@redhat.com>
2007-12-05 15:31:07 -06:00
|
|
|
|
2007-11-29 11:41:57 -06:00
|
|
|
dnl Support building Win32 DLLs (must appear *before* AM_PROG_LIBTOOL)
AC_LIBTOOL_WIN32_DLL

dnl Use the older libtool entry point only when LT_INIT is not defined;
dnl otherwise initialise libtool with shared libraries enabled and
dnl static archives disabled by default.
m4_ifndef([LT_INIT], [
    AM_PROG_LIBTOOL
], [
    LT_INIT([shared disable-static])
])
AM_PROG_CC_C_O
AM_PROG_LD
|
2007-03-15 12:24:56 -05:00
|
|
|
|
2013-09-17 11:25:42 -05:00
|
|
|
dnl Whether ifconfig is used in place of iproute2 (the BSD case); the
dnl FreeBSD branch at the end of this section turns it on.
want_ifconfig=no

dnl Record which OS we are compiling for.  The lxc and qemu drivers need
dnl linux headers, and storage_mpath, dtrace and nwfilter are linux
dnl specific as well.  The "network" and storage_fs drivers are known not
dnl to work on macOS at present, so that platform is recorded too.
with_linux=no
with_macos=no
with_freebsd=no
with_win=no
case "$host" in
    *-*-linux*)              with_linux=yes ;;
    *-*-darwin*)             with_macos=yes ;;
    *-*-freebsd*)            with_freebsd=yes ;;
    *-*-mingw* | *-*-msvc*)  with_win=yes ;;
esac

dnl Off Linux: lxc stays enabled only when it was explicitly requested
dnl with the value yes; dtrace and storage_scsi are switched off
dnl regardless of what was requested.
if test "$with_linux" = no; then
    if test "x$with_lxc" != xyes; then
        with_lxc=no
    fi
    with_dtrace=no
    with_storage_scsi=no
fi

dnl FreeBSD: use ifconfig, and never build the firewalld integration.
if test "$with_freebsd" = yes; then
    want_ifconfig=yes
    with_firewalld=no
fi
|
2013-09-17 11:25:42 -05:00
|
|
|
|
|
|
|
|
|
|
|
dnl Export the detected OS to the Makefiles as automake conditionals.
dnl Windows gets no conditional in this group; with_win is only read
dnl by the shell logic that follows.
AM_CONDITIONAL([WITH_LINUX], [test "$with_linux" = "yes"])
AM_CONDITIONAL([WITH_FREEBSD], [test "$with_freebsd" = "yes"])
AM_CONDITIONAL([WITH_MACOS], [test "$with_macos" = "yes"])
|
2013-09-17 11:25:42 -05:00
|
|
|
|
2014-04-28 07:30:36 -05:00
|
|
|
# The daemon is not supported on Windows yet.
case "$with_win" in
    yes) with_libvirtd=no ;;
esac

# Without remote support there is no daemon, and the libraries that
# only the RPC layer needs are switched off with it.
# NOTE(review): ssh2, sasl and libssh presumably back the RPC transport
# and authentication; a build configured without remote support ships
# none of them -- confirm that is the intent for the target package.
case "$with_remote" in
    no)
        with_libvirtd=no
        with_ssh2=no
        with_sasl=no
        with_libssh=no
        ;;
esac

# Stateful drivers only make sense together with the daemon.  Unlike
# the non-Linux case earlier in the file, lxc is forced off here even
# when it was requested explicitly.
case "$with_libvirtd" in
    no)
        with_qemu=no
        with_lxc=no
        with_libxl=no
        with_vbox=no
        ;;
esac
|
|
|
|
|
|
|
|
# Check for compiler and library settings.

dnl The macros in this list are defined outside this file; going by
dnl their names each one declares the configure-time switch for one
dnl optional dependency -- confirm against the macro definitions.
dnl NOTE(review): several entries here and later in the list name
dnl security mechanisms (apparmor, audit, capng, polkit, sasl, selinux).
dnl For packaged builds, check the configure summary to make sure none
dnl of them was silently left out.
LIBVIRT_ARG_APPARMOR
LIBVIRT_ARG_ATTR
LIBVIRT_ARG_AUDIT
LIBVIRT_ARG_BASH_COMPLETION
LIBVIRT_ARG_BLKID
LIBVIRT_ARG_CAPNG
LIBVIRT_ARG_CURL
LIBVIRT_ARG_DBUS
LIBVIRT_ARG_FIREWALLD
|
configure: selectively install a firewalld 'libvirt' zone
In the past (when both libvirt and firewalld used iptables), if either
libvirt's rules *OR* firewalld's rules accepted a packet, it would
be accepted. This was because libvirt and firewalld rules were
processed during the same kernel hook, and a single ACCEPT result
would terminate the rule traversal and cause the packet to be
accepted.
But now firewalld can use nftables for its backend, while libvirt's
firewall rules are still using iptables; iptables rules are still
processed, but at a different time during packet processing
(i.e. during a different hook) than the firewalld nftables rules. The
result is that a packet must be accepted by *BOTH* the libvirt
iptables rules *AND* the firewalld nftable rules in order to be
accepted.
This causes pain because
1) libvirt always adds rules to permit DNS and DHCP (and sometimes
TFTP) from guests to the host network's bridge interface. But
libvirt's bridges are in firewalld's "default" zone (which is usually
the zone called "public"). The public zone allows ssh, but doesn't
allow DNS, DHCP, or TFTP. So even though libvirt's rules allow the
DHCP and DNS traffic, the firewalld rules (now processed during a
different hook) don't, thus guests connected to libvirt's bridges can't
acquire an IP address from DHCP, nor can they make DNS queries to the
DNS server libvirt has setup on the host. (This could be solved by
modifying the default firewalld zone to allow DNS and DHCP, but that
would open *all* interfaces in the default zone to those services,
which is most likely not what the host's admin wants.)
2) Even though libvirt adds iptables rules to allow forwarded traffic
to pass the iptables hook, firewalld's higher level "rich rules" don't
yet have the ability to configure the acceptance of forwarded traffic
(traffic that is going somewhere beyond the host), so any traffic that
needs to be forwarded from guests to the network beyond the host is
rejected during the nftables hook by the default zone's "default
reject" policy (which rejects all traffic in the zone not specifically
allowed by the rules in the zone, whether that traffic is destined to
be forwarded or locally received by the host).
libvirt can't send "direct" nftables rules (firewalld only supports
direct/passthrough rules for iptables), so we can't solve this problem
by just sending explicit nftables rules instead of explicit iptables
rules (which, if it could be done, would place libvirt's rules in the
same hook as firewalld's native rules, and thus eliminate the need for
packets to be accepted by both libvirt's and firewalld's own rules).
However, we can take advantage of a quirk in firewalld zones that have
a default policy of "accept" (meaning any packet that doesn't match a
specific rule in the zone will be *accepted*) - this default accept will
also accept forwarded traffic (not just traffic destined for the host).
Of course we don't want to modify firewalld's default zone in that
way, because that would affect the filtering of traffic coming into
the host from other interfaces using that zone. Instead, we will
create a new zone called "libvirt". The libvirt zone will have a
default policy of accept so that forwarded traffic can pass and list
specific services that will be allowed into the host from guests (DNS,
DHCP, SSH, and TFTP).
But the same default accept policy that fixes forwarded traffic also
causes *all* traffic from guest to host to be accepted. To close this
new hole, the libvirt zone can take advantage of a new feature in
firewalld (currently slated for firewalld-0.7.0) - priorities for rich
rules - to add a low priority rule that rejects all local traffic (but
leaves alone all forwarded traffic).
So, our new zone will start with a list of services that are allowed
(dhcp, dns, tftp, and ssh to start, but configurable via any firewalld
management application, or direct editing of the zone file in
/etc/firewalld/zones/libvirt.xml), followed by a low priority
<reject/> rule (to reject all other traffic from guest to host), and
finally with a default policy of accept (to allow forwarded traffic).
This patch only creates the zonefile for the new zone, and implements
a configure.ac option to selectively enable/disable installation of
the new zone. A separate patch contains the necessary code to actually
place bridge interfaces in the libvirt zone.
Why do we need a configure option to disable installation of the new
libvirt zone? It uses a new firewalld attribute that sets the priority
of a rich rule; this feature first appears in firewalld-0.7.0 (unless
it has been backported to an earlier firewalld by a downstream
maintainer). If the file were installed on a system with firewalld
that didn't support rule priorities, firewalld would log an error
every time it restarted, causing confusion and lots of extra bug
reports.
So we add two new configure.ac switches to avoid polluting the system
logs with this error on systems that don't support rule priorities -
"--with-firewalld-zone" and "--without-firewalld-zone". A package
builder can use these to include/exclude the libvirt zone file in the
installation. If firewalld is enabled (--with-firewalld), the default
is --with-firewalld-zone, but it can be disabled during configure
(using --without-firewalld-zone). Targets that are using a firewalld
version too old to support the rule priority setting in the libvirt
zone file can simply add --without-firewalld-zone to their configure
commandline.
These switches only affect whether or not the libvirt zone file is
*installed* in /usr/lib/firewalld/zones, but have no effect on whether
or not libvirt looks for a zone called libvirt and tries to use it.
NB: firewalld zones can only be added to the permanent config of
firewalld, and won't be loaded/enabled until firewalld is restarted,
so at package install/upgrade time we have to restart firewalld. For
rpm-based distros, this is done in the libvirt.spec file by calling
the %firewalld_restart rpm macro, which is a part of the
firewalld-filesystem package. (For distros that don't use rpm
packages, the command "firewall-cmd --reload" will have the same
effect).
Signed-off-by: Laine Stump <laine@laine.org>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
2019-01-25 22:52:37 -06:00
|
|
|
dnl Per the commit that introduced it, the firewalld-zone switch
dnl (--with-firewalld-zone / --without-firewalld-zone) controls only
dnl whether the libvirt zone file is installed.  It has no effect on
dnl whether libvirt looks for a zone called libvirt and tries to use it.
LIBVIRT_ARG_FIREWALLD_ZONE
dnl Remaining optional-dependency switches; the macros are defined
dnl outside this file.
LIBVIRT_ARG_FUSE
LIBVIRT_ARG_GLUSTER
LIBVIRT_ARG_HAL
LIBVIRT_ARG_LIBISCSI
LIBVIRT_ARG_LIBPCAP
LIBVIRT_ARG_LIBSSH
LIBVIRT_ARG_LIBXML
LIBVIRT_ARG_MACVTAP
LIBVIRT_ARG_NETCF
LIBVIRT_ARG_NLS
LIBVIRT_ARG_NSS
LIBVIRT_ARG_NUMACTL
LIBVIRT_ARG_OPENWSMAN
LIBVIRT_ARG_PCIACCESS
LIBVIRT_ARG_PM_UTILS
LIBVIRT_ARG_POLKIT
LIBVIRT_ARG_READLINE
LIBVIRT_ARG_SANLOCK
LIBVIRT_ARG_SASL
LIBVIRT_ARG_SELINUX
LIBVIRT_ARG_SSH2
LIBVIRT_ARG_UDEV
LIBVIRT_ARG_VIRTUALPORT
LIBVIRT_ARG_WIRESHARK
LIBVIRT_ARG_YAJL
|
|
|
|
|
2017-02-14 08:21:29 -06:00
|
|
|
dnl Detection macros, defined outside this file; by name each one probes
dnl for a single dependency.  Whether a missing dependency is fatal or
dnl merely disables a feature is decided inside the macro, not here.
LIBVIRT_CHECK_ACL
LIBVIRT_CHECK_APPARMOR
LIBVIRT_CHECK_ATTR
LIBVIRT_CHECK_AUDIT
LIBVIRT_CHECK_BASH_COMPLETION
LIBVIRT_CHECK_BLKID
LIBVIRT_CHECK_CAPNG
LIBVIRT_CHECK_CURL
LIBVIRT_CHECK_DBUS
LIBVIRT_CHECK_DEVMAPPER
LIBVIRT_CHECK_DLOPEN
LIBVIRT_CHECK_FIREWALLD
|
configure: selectively install a firewalld 'libvirt' zone
In the past (when both libvirt and firewalld used iptables), if either
libvirt's rules *OR* firewalld's rules accepted a packet, it would
be accepted. This was because libvirt and firewalld rules were
processed during the same kernel hook, and a single ACCEPT result
would terminate the rule traversal and cause the packet to be
accepted.
But now firewalld can use nftables for its backend, while libvirt's
firewall rules are still using iptables; iptables rules are still
processed, but at a different time during packet processing
(i.e. during a different hook) than the firewalld nftables rules. The
result is that a packet must be accepted by *BOTH* the libvirt
iptables rules *AND* the firewalld nftable rules in order to be
accepted.
This causes pain because
1) libvirt always adds rules to permit DNS and DHCP (and sometimes
TFTP) from guests to the host network's bridge interface. But
libvirt's bridges are in firewalld's "default" zone (which is usually
the zone called "public"). The public zone allows ssh, but doesn't
allow DNS, DHCP, or TFTP. So even though libvirt's rules allow the
DHCP and DNS traffic, the firewalld rules (now processed during a
different hook) don't, thus guests connected to libvirt's bridges can't
acquire an IP address from DHCP, nor can they make DNS queries to the
DNS server libvirt has setup on the host. (This could be solved by
modifying the default firewalld zone to allow DNS and DHCP, but that
would open *all* interfaces in the default zone to those services,
which is most likely not what the host's admin wants.)
2) Even though libvirt adds iptables rules to allow forwarded traffic
to pass the iptables hook, firewalld's higher level "rich rules" don't
yet have the ability to configure the acceptance of forwarded traffic
(traffic that is going somewhere beyond the host), so any traffic that
needs to be forwarded from guests to the network beyond the host is
rejected during the nftables hook by the default zone's "default
reject" policy (which rejects all traffic in the zone not specifically
allowed by the rules in the zone, whether that traffic is destined to
be forwarded or locally received by the host).
libvirt can't send "direct" nftables rules (firewalld only supports
direct/passthrough rules for iptables), so we can't solve this problem
by just sending explicit nftables rules instead of explicit iptables
rules (which, if it could be done, would place libvirt's rules in the
same hook as firewalld's native rules, and thus eliminate the need for
packets to be accepted by both libvirt's and firewalld's own rules).
However, we can take advantage of a quirk in firewalld zones that have
a default policy of "accept" (meaning any packet that doesn't match a
specific rule in the zone will be *accepted*) - this default accept will
also accept forwarded traffic (not just traffic destined for the host).
Of course we don't want to modify firewalld's default zone in that
way, because that would affect the filtering of traffic coming into
the host from other interfaces using that zone. Instead, we will
create a new zone called "libvirt". The libvirt zone will have a
default policy of accept so that forwarded traffic can pass and list
specific services that will be allowed into the host from guests (DNS,
DHCP, SSH, and TFTP).
But the same default accept policy that fixes forwarded traffic also
causes *all* traffic from guest to host to be accepted. To close this
new hole, the libvirt zone can take advantage of a new feature in
firewalld (currently slated for firewalld-0.7.0) - priorities for rich
rules - to add a low priority rule that rejects all local traffic (but
leaves alone all forwarded traffic).
So, our new zone will start with a list of services that are allowed
(dhcp, dns, tftp, and ssh to start, but configurable via any firewalld
management application, or direct editing of the zone file in
/etc/firewalld/zones/libvirt.xml), followed by a low priority
<reject/> rule (to reject all other traffic from guest to host), and
finally with a default policy of accept (to allow forwarded traffic).
This patch only creates the zonefile for the new zone, and implements
a configure.ac option to selectively enable/disable installation of
the new zone. A separate patch contains the necessary code to actually
place bridge interfaces in the libvirt zone.
Why do we need a configure option to disable installation of the new
libvirt zone? It uses a new firewalld attribute that sets the priority
of a rich rule; this feature first appears in firewalld-0.7.0 (unless
it has been backported to an earlier firewalld by a downstream
maintainer). If the file were installed on a system with firewalld
that didn't support rule priorities, firewalld would log an error
every time it restarted, causing confusion and lots of extra bug
reports.
So we add two new configure.ac switches to avoid polluting the system
logs with this error on systems that don't support rule priorities -
"--with-firewalld-zone" and "--without-firewalld-zone". A package
builder can use these to include/exclude the libvirt zone file in the
installation. If firewalld is enabled (--with-firewalld), the default
is --with-firewalld-zone, but it can be disabled during configure
(using --without-firewalld-zone). Targets that are using a firewalld
version too old to support the rule priority setting in the libvirt
zone file can simply add --without-firewalld-zone to their configure
commandline.
These switches only affect whether or not the libvirt zone file is
*installed* in /usr/lib/firewalld/zones, but have no effect on whether
or not libvirt looks for a zone called libvirt and tries to use it.
NB: firewalld zones can only be added to the permanent config of
firewalld, and won't be loaded/enabled until firewalld is restarted,
so at package install/upgrade time we have to restart firewalld. For
rpm-based distros, this is done in the libvirt.spec file by calling
the %firewalld_restart rpm macro, which is a part of the
firewalld-filesystem package. (For distros that don't use rpm
packages, the command "firewall-cmd --reload" will have the same
effect).
Signed-off-by: Laine Stump <laine@laine.org>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
2019-01-25 22:52:37 -06:00
|
|
|
dnl Per the commit that introduced it, this check concerns installation
dnl of the libvirt firewalld zone file, which needs rich-rule priorities
dnl (first shipped in firewalld-0.7.0 unless backported).
LIBVIRT_CHECK_FIREWALLD_ZONE
dnl Remaining detection macros, defined outside this file.
dnl NOTE(review): gnutls, sasl, ssh2, libssh, polkit and selinux appear
dnl in this list; when auditing a build, confirm from the configure
dnl summary which of them were actually found.
LIBVIRT_CHECK_FUSE
LIBVIRT_CHECK_GLIB
LIBVIRT_CHECK_GLUSTER
LIBVIRT_CHECK_GNUTLS
LIBVIRT_CHECK_HAL
LIBVIRT_CHECK_LIBISCSI
LIBVIRT_CHECK_LIBNL
LIBVIRT_CHECK_LIBPARTED
LIBVIRT_CHECK_LIBPCAP
LIBVIRT_CHECK_LIBSSH
LIBVIRT_CHECK_LIBXML
LIBVIRT_CHECK_MACVTAP
LIBVIRT_CHECK_NETCF
LIBVIRT_CHECK_NLS
LIBVIRT_CHECK_NUMACTL
LIBVIRT_CHECK_NWFILTER
LIBVIRT_CHECK_OPENWSMAN
LIBVIRT_CHECK_PCIACCESS
LIBVIRT_CHECK_PM_UTILS
LIBVIRT_CHECK_POLKIT
LIBVIRT_CHECK_PTHREAD
LIBVIRT_CHECK_READLINE
LIBVIRT_CHECK_SANLOCK
LIBVIRT_CHECK_SASL
LIBVIRT_CHECK_SELINUX
LIBVIRT_CHECK_SSH2
LIBVIRT_CHECK_UDEV
LIBVIRT_CHECK_VIRTUALPORT
LIBVIRT_CHECK_WIRESHARK
LIBVIRT_CHECK_XDR
LIBVIRT_CHECK_YAJL

dnl Defines SIZEOF_LONG in config.h.
AC_CHECK_SIZEOF([long])
|
Adds CPU selection infrastructure
Each driver supporting CPU selection must fill in host CPU capabilities.
When filling them, drivers for hypervisors running on the same node as
libvirtd can use cpuNodeData() to obtain raw CPU data. Other drivers,
such as VMware, need to implement their own way of getting such data.
Raw data can be decoded into virCPUDefPtr using cpuDecode() function.
When implementing virConnectCompareCPU(), a hypervisor driver can just
call cpuCompareXML() function with host CPU capabilities.
For each guest for which a driver supports selecting CPU models, it must
set the appropriate feature in guest's capabilities:
virCapabilitiesAddGuestFeature(guest, "cpuselection", 1, 0)
Actions needed when a domain is being created depend on whether the
hypervisor understands raw CPU data (currently CPUID for i686, x86_64
architectures) or symbolic names have to be used.
Typical use by hypervisors which prefer CPUID (such as VMware and Xen):
- convert guest CPU configuration from domain's XML into a set of raw
data structures each representing one of the feature policies:
cpuEncode(conn, architecture, guest_cpu_config,
&forced_data, &required_data, &optional_data,
&disabled_data, &forbidden_data)
- create a mask or whatever the hypervisor expects to see and pass it
to the hypervisor
Typical use by hypervisors with symbolic model names (such as QEMU):
- get raw CPU data for a computed guest CPU:
cpuGuestData(conn, host_cpu, guest_cpu_config, &data)
- decode raw data into virCPUDefPtr with a possible restriction on
allowed model names:
cpuDecode(conn, guest, data, n_allowed_models, allowed_models)
- pass guest->model and guest->features to the hypervisor
* src/cpu/cpu.c src/cpu/cpu.h src/cpu/cpu_generic.c
src/cpu/cpu_generic.h src/cpu/cpu_map.c src/cpu/cpu_map.h
src/cpu/cpu_x86.c src/cpu/cpu_x86.h src/cpu/cpu_x86_data.h
* configure.in: check for CPUID instruction
* src/Makefile.am: glue the new files in
* src/libvirt_private.syms: add new private symbols
* po/POTFILES.in: add new cpu files containing translatable strings
2009-12-18 09:02:11 -06:00
|
|
|
|
2010-12-23 20:26:15 -06:00
|
|
|
dnl Availability of various common functions (non-fatal if missing),
dnl and various less common threadsafe functions
dnl Every function that is found gets a HAVE_<NAME> define; nothing in
dnl this list aborts configure, so each caller has to guard its use
dnl with that define and supply a fallback.
dnl NOTE(review): for the privilege-, limit- and namespace-related
dnl entries (setgroups, setns, unshare, prlimit, setrlimit) check that
dnl the fallback path reports an error instead of silently skipping
dnl the operation.
AC_CHECK_FUNCS_ONCE([\
    elf_aux_info \
    fallocate \
    getauxval \
    getegid \
    geteuid \
    getgid \
    getifaddrs \
    getmntent_r \
    getpwuid_r \
    getrlimit \
    getuid \
    getutxid \
    if_indextoname \
    mmap \
    newlocale \
    posix_fallocate \
    posix_memalign \
    pipe2 \
    prlimit \
    sched_getaffinity \
    sched_setscheduler \
    setgroups \
    setns \
    setrlimit \
    symlink \
    sysctlbyname \
    unshare \
])
|
2010-04-28 21:39:11 -05:00
|
|
|
|
2007-06-15 10:24:20 -05:00
|
|
|
dnl Availability of various common headers (non-fatal if missing).
dnl Each header found gets a HAVE_<HEADER>_H define for the C sources.
AC_CHECK_HEADERS([\
    asm/hwcap.h \
    ifaddrs.h \
    libtasn1.h \
    util.h \
    libutil.h \
    linux/magic.h \
    mntent.h \
    net/ethernet.h \
    pty.h \
    pwd.h \
    stdarg.h \
    syslog.h \
    sys/ioctl.h \
    sys/mount.h \
    sys/syscall.h \
    sys/sysctl.h \
    sys/ucred.h \
    xlocale.h \
])
dnl net/if.h is probed separately so that the test program includes
dnl sys/socket.h first (the fourth argument); presumably the header does
dnl not compile on its own on some platforms.
AC_CHECK_HEADERS([net/if.h], [], [], [[#include <sys/socket.h>]])
dnl Check whether endian provides handy macros.
AC_CHECK_DECLS([htole64], [], [], [[#include <endian.h>]])
|
virtestmock: Mock stat() properly
There is a lot to explain, but I try to make it as short as
possible. I'd start by pasting some parts of sys/stat.h:
extern int stat (const char *__restrict __file,
struct stat *__restrict __buf) __THROW __nonnull ((1, 2));
extern int __REDIRECT_NTH (stat, (const char *__restrict __file,
struct stat *__restrict __buf), stat64)
__nonnull ((1, 2));
__extern_inline int
__NTH (stat (const char *__path, struct stat *__statbuf))
{
return __xstat (_STAT_VER, __path, __statbuf);
}
Only one of these is effective at once, due to some usage of
the mess we are dealing with in here. So, basically, while
compiling or linking stat() in our code can be transformed into
some other func. Or a dragon.
Now, if you read stat(2) manpage, esp. "C library/kernel
differences" section, you'll learn that glibc uses some tricks
for older applications to work. I haven't gotten around actual
code that does this, but based on my observations, if 'stat'
symbol is found, glibc assumes it's dealing with ancient
application. Unfortunately, it can be just our stat coming from
our mock. Therefore, calling stat() from a test will end up in
our mock. But since glibc is not exposing the symbol anymore, our
call of real_stat() will SIGSEGV immediately as the pointer to
function is NULL. Therefore, we should expose only those symbols
we know glibc has.
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
2016-05-17 09:26:53 -05:00
|
|
|
dnl Record which stat-family symbols the C library exports.  Per the
dnl commit that added this check, the test mock must wrap only the ones
dnl that exist: calling through a symbol the library no longer exposes
dnl ends in a call through a NULL function pointer.
AC_CHECK_FUNCS([stat stat64 __xstat __xstat64 lstat lstat64 __lxstat __lxstat64])

dnl struct ifreq is looked up with sys/socket.h included ahead of net/if.h.
AC_CHECK_TYPE([struct ifreq],
  [AC_DEFINE([HAVE_STRUCT_IFREQ],[1],
    [Defined if struct ifreq exists in net/if.h])],
  [], [[#include <sys/socket.h>
#include <net/if.h>
]])

dnl NOTE(review): presumably the peer-credential structure some platforms
dnl provide in place of struct ucred.  Code that identifies the connecting
dnl client from socket credentials should cover both and reject the
dnl connection when neither is available -- verify in the socket code.
AC_CHECK_TYPE([struct sockpeercred],
  [AC_DEFINE([HAVE_STRUCT_SOCKPEERCRED], [1],
    [Defined if struct sockpeercred is available])],
  [], [[#include <sys/socket.h>
]])

dnl ethtool constants differ between kernel header versions; each one
dnl gets a HAVE_DECL_<NAME> define set to 1 or 0.
AC_CHECK_DECLS([ETH_FLAG_TXVLAN, ETH_FLAG_NTUPLE, ETH_FLAG_RXHASH, ETH_FLAG_LRO,
  ETHTOOL_GGSO, ETHTOOL_GGRO, ETHTOOL_GFLAGS, ETHTOOL_GFEATURES,
  ETHTOOL_SCOALESCE, ETHTOOL_GCOALESCE],
  [], [], [[#include <linux/ethtool.h>
]])

dnl Whether lseek() offers SEEK_HOLE on this platform.
AC_CHECK_DECLS([SEEK_HOLE], [], [],
  [#include <sys/types.h>
#include <unistd.h>])

dnl Our only use of libtasn1.h is in the testsuite, and can be skipped
dnl if the header is not present.  Assume -ltasn1 is present if the
dnl header could be found.
dnl The cache variable read here is the one set by the libtasn1.h entry
dnl of the header checks earlier in the file.
AM_CONDITIONAL([HAVE_LIBTASN1], [test "x$ac_cv_header_libtasn1_h" = "xyes"])
|
2007-06-15 10:24:20 -05:00
|
|
|
|
2008-09-05 07:03:45 -05:00
|
|
|
AC_CHECK_LIB([intl],[gettext],[])
|
2020-01-07 10:19:52 -06:00
|
|
|
AC_CHECK_LIB([util],[openpty],[])
|
2008-09-05 07:03:45 -05:00
|
|
|
|
2016-12-13 06:47:07 -06:00
|
|
|
|
|
|
|
dnl
|
|
|
|
dnl Check for external programs
|
|
|
|
dnl
|
|
|
|
|
|
|
|
LIBVIRT_CHECK_EXTERNAL_PROGRAMS
|
|
|
|
|
2016-12-14 08:28:55 -06:00
|
|
|
dnl
|
|
|
|
dnl Virtualization drivers check
|
|
|
|
dnl
|
|
|
|
|
2016-12-08 03:35:30 -06:00
|
|
|
LIBVIRT_DRIVER_ARG_QEMU
|
2016-11-29 01:50:58 -06:00
|
|
|
LIBVIRT_DRIVER_ARG_OPENVZ
|
2016-11-29 01:54:02 -06:00
|
|
|
LIBVIRT_DRIVER_ARG_VMWARE
|
2016-12-12 09:18:02 -06:00
|
|
|
LIBVIRT_DRIVER_ARG_LIBXL
|
2016-12-12 11:19:21 -06:00
|
|
|
LIBVIRT_DRIVER_ARG_VBOX
|
2016-12-08 03:36:55 -06:00
|
|
|
LIBVIRT_DRIVER_ARG_LXC
|
2016-12-14 08:28:55 -06:00
|
|
|
LIBVIRT_DRIVER_ARG_VZ
|
|
|
|
LIBVIRT_DRIVER_ARG_BHYVE
|
2016-12-01 03:40:31 -06:00
|
|
|
LIBVIRT_DRIVER_ARG_ESX
|
2016-12-01 03:43:13 -06:00
|
|
|
LIBVIRT_DRIVER_ARG_HYPERV
|
2016-12-01 03:23:41 -06:00
|
|
|
LIBVIRT_DRIVER_ARG_TEST
|
2016-12-01 03:27:19 -06:00
|
|
|
LIBVIRT_DRIVER_ARG_REMOTE
|
2016-12-01 05:01:33 -06:00
|
|
|
LIBVIRT_DRIVER_ARG_LIBVIRTD
|
2016-12-14 08:28:55 -06:00
|
|
|
LIBVIRT_DRIVER_ARG_NETWORK
|
|
|
|
LIBVIRT_DRIVER_ARG_INTERFACE
|
|
|
|
|
|
|
|
LIBVIRT_DRIVER_CHECK_QEMU
|
|
|
|
LIBVIRT_DRIVER_CHECK_OPENVZ
|
|
|
|
LIBVIRT_DRIVER_CHECK_VMWARE
|
|
|
|
LIBVIRT_DRIVER_CHECK_LIBXL
|
|
|
|
LIBVIRT_DRIVER_CHECK_VBOX
|
|
|
|
LIBVIRT_DRIVER_CHECK_LXC
|
|
|
|
LIBVIRT_DRIVER_CHECK_VZ
|
|
|
|
LIBVIRT_DRIVER_CHECK_BHYVE
|
|
|
|
LIBVIRT_DRIVER_CHECK_ESX
|
|
|
|
LIBVIRT_DRIVER_CHECK_HYPERV
|
|
|
|
LIBVIRT_DRIVER_CHECK_TEST
|
|
|
|
LIBVIRT_DRIVER_CHECK_REMOTE
|
|
|
|
LIBVIRT_DRIVER_CHECK_LIBVIRTD
|
|
|
|
LIBVIRT_DRIVER_CHECK_NETWORK
|
|
|
|
LIBVIRT_DRIVER_CHECK_INTERFACE
|
|
|
|
|
2016-11-14 08:25:41 -06:00
|
|
|
|
2005-12-02 06:11:06 -06:00
|
|
|
dnl
|
2010-09-09 10:06:00 -05:00
|
|
|
dnl in case someone want to build static binaries
|
|
|
|
dnl STATIC_BINARIES="-static"
|
2005-12-02 06:11:06 -06:00
|
|
|
dnl
|
2010-09-09 10:06:00 -05:00
|
|
|
STATIC_BINARIES=
|
2008-05-22 10:34:02 -05:00
|
|
|
AC_SUBST([STATIC_BINARIES])
|
2005-12-02 06:11:06 -06:00
|
|
|
|
2016-12-15 08:04:23 -06:00
|
|
|
dnl
|
|
|
|
dnl Miscellaneous checks
|
|
|
|
dnl
|
2007-02-16 12:30:55 -06:00
|
|
|
|
2016-12-15 08:04:23 -06:00
|
|
|
LIBVIRT_ARG_DTRACE
|
|
|
|
LIBVIRT_ARG_NUMAD
|
2016-12-12 11:11:51 -06:00
|
|
|
LIBVIRT_ARG_INIT_SCRIPT
|
2016-12-15 08:04:23 -06:00
|
|
|
LIBVIRT_ARG_CHRDEV_LOCK_FILES
|
|
|
|
LIBVIRT_ARG_LOADER_NVRAM
|
|
|
|
LIBVIRT_ARG_LOGIN_SHELL
|
|
|
|
LIBVIRT_ARG_HOST_VALIDATE
|
|
|
|
LIBVIRT_ARG_TLS_PRIORITY
|
2016-11-29 01:33:19 -06:00
|
|
|
LIBVIRT_ARG_SYSCTL_CONFIG
|
2016-12-15 08:04:23 -06:00
|
|
|
|
|
|
|
|
|
|
|
LIBVIRT_CHECK_DTRACE
|
|
|
|
LIBVIRT_CHECK_NUMAD
|
|
|
|
LIBVIRT_CHECK_INIT_SCRIPT
|
|
|
|
LIBVIRT_CHECK_CHRDEV_LOCK_FILES
|
|
|
|
LIBVIRT_CHECK_LOADER_NVRAM
|
|
|
|
LIBVIRT_CHECK_LOGIN_SHELL
|
|
|
|
LIBVIRT_CHECK_HOST_VALIDATE
|
|
|
|
LIBVIRT_CHECK_TLS_PRIORITY
|
2016-11-29 01:33:19 -06:00
|
|
|
LIBVIRT_CHECK_SYSCTL_CONFIG
|
2016-12-25 06:42:42 -06:00
|
|
|
LIBVIRT_CHECK_NSS
|
2012-04-04 05:16:34 -05:00
|
|
|
|
2010-03-25 12:46:12 -05:00
|
|
|
|
2005-11-02 07:19:10 -06:00
|
|
|
|
2011-03-29 07:39:18 -05:00
|
|
|
|
2008-09-17 09:07:49 -05:00
|
|
|
dnl
|
|
|
|
dnl check for kvm headers
|
2008-09-18 03:54:23 -05:00
|
|
|
dnl
|
2008-09-17 09:07:49 -05:00
|
|
|
AC_CHECK_HEADERS([linux/kvm.h])
|
|
|
|
|
2009-08-05 05:59:58 -05:00
|
|
|
|
|
|
|
dnl
|
|
|
|
dnl check for kernel headers required by src/bridge.c
|
|
|
|
dnl
|
2012-12-12 01:44:21 -06:00
|
|
|
if test "$with_linux" = "yes"; then
|
2013-09-13 11:11:26 -05:00
|
|
|
# Various kernel versions have headers that are not self-standing, but
|
|
|
|
# yet are incompatible with the corresponding glibc headers. In order
|
|
|
|
# to guarantee compilation across a wide range of versions (from RHEL 5
|
|
|
|
# to rawhide), we first have to probe whether glibc and kernel can be
|
|
|
|
# used in tandem; and if not, provide workarounds that ensure that
|
|
|
|
# ABI-compatible IPv6 types are present for use by the kernel headers.
|
|
|
|
# These probes mirror the usage in virnetdevbridge.c
|
|
|
|
AC_CACHE_CHECK(
|
|
|
|
[whether <linux/*.h> and <netinet/*.h> headers are compatible],
|
|
|
|
[lv_cv_netinet_linux_compatible],
|
|
|
|
[AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
|
|
|
|
#include <netinet/in.h>
|
|
|
|
#include <linux/in6.h>
|
|
|
|
]])],
|
|
|
|
[lv_cv_netinet_linux_compatible=yes],
|
|
|
|
[lv_cv_netinet_linux_compatible=no])])
|
|
|
|
if test "x$lv_cv_netinet_linux_compatible" != xyes; then
|
|
|
|
AC_DEFINE([NETINET_LINUX_WORKAROUND], [1],
|
|
|
|
[define to 1 if Linux kernel headers require a workaround to avoid
|
|
|
|
compilation errors when mixed with glibc netinet headers])
|
|
|
|
fi
|
2012-12-12 01:44:21 -06:00
|
|
|
AC_CHECK_HEADERS([linux/param.h linux/sockios.h linux/if_bridge.h linux/if_tun.h],,
|
2013-01-14 10:54:25 -06:00
|
|
|
[AC_MSG_ERROR([You must install kernel-headers in order to compile libvirt with QEMU or LXC support])],
|
2013-09-13 11:11:26 -05:00
|
|
|
[[#include <netinet/in.h>
|
|
|
|
#if NETINET_LINUX_WORKAROUND
|
|
|
|
# define in6_addr in6_addr_
|
|
|
|
# define sockaddr_in6 sockaddr_in6_
|
|
|
|
# define ipv6_mreq ipv6_mreq_
|
|
|
|
# define in6addr_any in6addr_any_
|
|
|
|
# define in6addr_loopback in6addr_loopback_
|
|
|
|
#endif
|
2013-08-07 11:34:08 -05:00
|
|
|
#include <linux/in6.h>
|
2013-01-14 10:54:25 -06:00
|
|
|
]])
|
2009-08-05 05:59:58 -05:00
|
|
|
fi
|
|
|
|
|
2009-08-05 03:52:14 -05:00
|
|
|
|
2009-09-10 08:21:10 -05:00
|
|
|
dnl Need to test if pkg-config exists
|
|
|
|
PKG_PROG_PKG_CONFIG
|
|
|
|
|
2009-05-25 06:56:00 -05:00
|
|
|
|
2016-12-12 11:20:45 -06:00
|
|
|
dnl Security driver checks
|
|
|
|
LIBVIRT_SECDRIVER_ARG_SELINUX
|
2016-12-01 05:08:20 -06:00
|
|
|
LIBVIRT_SECDRIVER_ARG_APPARMOR
|
2009-10-08 09:34:22 -05:00
|
|
|
|
2016-12-01 05:08:20 -06:00
|
|
|
LIBVIRT_SECDRIVER_CHECK_SELINUX
|
|
|
|
LIBVIRT_SECDRIVER_CHECK_APPARMOR
|
2009-10-08 09:34:22 -05:00
|
|
|
|
2009-09-14 07:31:23 -05:00
|
|
|
|
2016-12-22 05:49:51 -06:00
|
|
|
LIBVIRT_ARG_WITH_FEATURE([SECRETS], [local secrets management driver], [yes])
|
2011-05-24 06:21:51 -05:00
|
|
|
|
2009-09-14 07:31:23 -05:00
|
|
|
if test "$with_libvirtd" = "no"; then
|
|
|
|
with_secrets=no
|
|
|
|
fi
|
|
|
|
if test "$with_secrets" = "yes" ; then
|
|
|
|
AC_DEFINE_UNQUOTED([WITH_SECRETS], 1, [whether local secrets management driver is available])
|
|
|
|
fi
|
|
|
|
AM_CONDITIONAL([WITH_SECRETS], [test "$with_secrets" = "yes"])
|
|
|
|
|
|
|
|
|
2016-12-13 03:36:14 -06:00
|
|
|
dnl
|
|
|
|
dnl Storage driver checks
|
|
|
|
dnl
|
|
|
|
|
2016-12-07 01:46:51 -06:00
|
|
|
LIBVIRT_STORAGE_ARG_DIR
|
2016-12-07 03:16:19 -06:00
|
|
|
LIBVIRT_STORAGE_ARG_FS
|
2016-12-07 03:22:05 -06:00
|
|
|
LIBVIRT_STORAGE_ARG_LVM
|
2016-12-07 06:12:31 -06:00
|
|
|
LIBVIRT_STORAGE_ARG_ISCSI
|
2018-07-31 03:44:21 -05:00
|
|
|
LIBVIRT_STORAGE_ARG_ISCSI_DIRECT
|
2016-12-07 06:13:00 -06:00
|
|
|
LIBVIRT_STORAGE_ARG_SCSI
|
2016-12-12 11:21:11 -06:00
|
|
|
LIBVIRT_STORAGE_ARG_MPATH
|
2016-12-12 11:21:51 -06:00
|
|
|
LIBVIRT_STORAGE_ARG_DISK
|
2016-12-07 08:44:08 -06:00
|
|
|
LIBVIRT_STORAGE_ARG_RBD
|
2016-12-07 08:48:37 -06:00
|
|
|
LIBVIRT_STORAGE_ARG_SHEEPDOG
|
2016-12-07 08:52:39 -06:00
|
|
|
LIBVIRT_STORAGE_ARG_GLUSTER
|
2016-12-07 08:59:19 -06:00
|
|
|
LIBVIRT_STORAGE_ARG_ZFS
|
2017-01-17 08:10:55 -06:00
|
|
|
LIBVIRT_STORAGE_ARG_VSTORAGE
|
2008-02-20 09:42:30 -06:00
|
|
|
|
2008-09-05 07:03:45 -05:00
|
|
|
if test "$with_libvirtd" = "no"; then
|
|
|
|
with_storage_dir=no
|
|
|
|
with_storage_fs=no
|
|
|
|
with_storage_lvm=no
|
|
|
|
with_storage_iscsi=no
|
2018-07-31 03:44:21 -05:00
|
|
|
with_storage_iscsi_direct=no
|
2009-04-01 11:03:22 -05:00
|
|
|
with_storage_scsi=no
|
2009-09-08 08:47:45 -05:00
|
|
|
with_storage_mpath=no
|
2008-09-05 07:03:45 -05:00
|
|
|
with_storage_disk=no
|
2012-05-14 04:06:42 -05:00
|
|
|
with_storage_rbd=no
|
2012-07-18 14:06:58 -05:00
|
|
|
with_storage_sheepdog=no
|
2013-11-19 17:26:05 -06:00
|
|
|
with_storage_gluster=no
|
2014-07-21 09:38:42 -05:00
|
|
|
with_storage_zfs=no
|
2017-01-17 08:10:55 -06:00
|
|
|
with_storage_vstorage=no
|
2008-09-05 07:03:45 -05:00
|
|
|
fi
|
2016-12-07 01:46:51 -06:00
|
|
|
|
2019-04-02 04:04:46 -05:00
|
|
|
dnl storage-fs does not work on macOS
|
2010-10-04 20:31:05 -05:00
|
|
|
|
2019-04-02 04:04:46 -05:00
|
|
|
if test "$with_macos" = "yes"; then
|
2010-10-04 20:31:05 -05:00
|
|
|
with_storage_fs=no
|
|
|
|
fi
|
2008-09-05 07:03:45 -05:00
|
|
|
|
2016-12-13 03:36:14 -06:00
|
|
|
LIBVIRT_STORAGE_CHECK_DIR
|
2016-12-07 03:16:19 -06:00
|
|
|
LIBVIRT_STORAGE_CHECK_FS
|
2016-12-07 03:22:05 -06:00
|
|
|
LIBVIRT_STORAGE_CHECK_LVM
|
2016-12-07 06:12:31 -06:00
|
|
|
LIBVIRT_STORAGE_CHECK_ISCSI
|
2018-07-31 03:44:21 -05:00
|
|
|
LIBVIRT_STORAGE_CHECK_ISCSI_DIRECT
|
2016-12-07 06:13:00 -06:00
|
|
|
LIBVIRT_STORAGE_CHECK_SCSI
|
2016-12-12 11:21:11 -06:00
|
|
|
LIBVIRT_STORAGE_CHECK_MPATH
|
2016-12-13 03:36:14 -06:00
|
|
|
LIBVIRT_STORAGE_CHECK_DISK
|
2016-12-07 08:44:08 -06:00
|
|
|
LIBVIRT_STORAGE_CHECK_RBD
|
2016-12-07 08:48:37 -06:00
|
|
|
LIBVIRT_STORAGE_CHECK_SHEEPDOG
|
2016-12-07 08:52:39 -06:00
|
|
|
LIBVIRT_STORAGE_CHECK_GLUSTER
|
2016-12-07 08:59:19 -06:00
|
|
|
LIBVIRT_STORAGE_CHECK_ZFS
|
2017-01-17 08:10:55 -06:00
|
|
|
LIBVIRT_STORAGE_CHECK_VSTORAGE
|
2008-02-20 09:45:33 -06:00
|
|
|
|
2012-06-05 11:28:52 -05:00
|
|
|
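dnl Enable the generic storage driver when at least one of the listed
dnl storage backends is enabled, and publish the result as the WITH_STORAGE
dnl C define and automake conditional.
dnl NOTE(review): sheepdog, gluster, zfs and vstorage have with_storage_*
dnl variables earlier in this file but are not part of this list; confirm
dnl whether that is intentional.
with_storage=no
for backend in dir fs lvm iscsi iscsi_direct scsi mpath rbd disk; do
    dnl Copy the backend switch into a plain variable first so that the
    dnl comparison below can be quoted; an unset or empty switch then
    dnl compares as not-yes instead of making test fail on a missing operand.
    eval "backend_enabled=\$with_storage_$backend"
    if test "x$backend_enabled" = "xyes"; then
        with_storage=yes
        break
    fi
done
if test "x$with_storage" = "xyes"; then
    AC_DEFINE([WITH_STORAGE], [1],
              [Define to 1 if at least one storage backend is in use])
fi
AM_CONDITIONAL([WITH_STORAGE], [test "$with_storage" = "yes"])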
|
|
|
|
|
2015-01-23 04:22:34 -06:00
|
|
|
dnl
|
|
|
|
dnl check for kernel headers required by btrfs ioctl
|
|
|
|
dnl
|
|
|
|
if test "$with_linux" = "yes"; then
|
|
|
|
AC_CHECK_HEADERS([linux/btrfs.h])
|
|
|
|
fi
|
|
|
|
|
2018-07-06 08:43:00 -05:00
|
|
|
dnl
|
|
|
|
dnl check for xfs dev headers required by xfs ioctl
|
|
|
|
dnl
|
|
|
|
if test "$with_linux" = "yes"; then
|
|
|
|
AC_CHECK_HEADERS([xfs/xfs.h])
|
|
|
|
fi
|
|
|
|
|
2017-08-21 04:19:53 -05:00
|
|
|
dnl
|
2017-09-18 12:21:47 -05:00
|
|
|
dnl check for DEVLINK_CMD_ESWITCH_GET
|
|
|
|
dnl
|
|
|
|
dnl Assume DEVLINK_ESWITCH_MODE_SWITCHDEV is also
|
|
|
|
dnl available, as it was introduced in kernel 4.8
|
|
|
|
dnl along with the original spelling of this constant
|
|
|
|
dnl (DEVLINK_CMD_ESWITCH_MODE_GET, not supported by libvirt)
|
2017-08-21 04:19:53 -05:00
|
|
|
dnl
|
|
|
|
if test "$with_linux" = "yes"; then
|
|
|
|
AC_CHECK_HEADERS([linux/devlink.h])
|
2017-09-18 12:21:47 -05:00
|
|
|
AC_CHECK_DECLS([DEVLINK_CMD_ESWITCH_GET], [], [],
|
2017-08-21 04:19:53 -05:00
|
|
|
[[#include <linux/devlink.h>]])
|
|
|
|
fi
|
|
|
|
|
2018-05-22 08:52:52 -05:00
|
|
|
dnl
|
|
|
|
dnl check for VHOST_VSOCK_SET_GUEST_CID
|
|
|
|
dnl
|
|
|
|
if test "$with_linux" = "yes"; then
|
|
|
|
AC_CHECK_DECLS([VHOST_VSOCK_SET_GUEST_CID], [], [],
|
|
|
|
[[#include <linux/vhost.h>]])
|
|
|
|
fi
|
|
|
|
|
2013-11-22 10:42:22 -06:00
|
|
|
dnl Allow perl/python overrides
|
2019-12-03 10:29:12 -06:00
|
|
|
AC_PATH_PROGS([PYTHON], [python3])
|
2017-05-08 05:35:17 -05:00
|
|
|
if test -z "$PYTHON"; then
|
2019-12-03 10:29:12 -06:00
|
|
|
AC_MSG_ERROR(['python3' binary is required to build libvirt])
|
2017-05-08 05:35:17 -05:00
|
|
|
fi
|
2019-12-09 08:30:10 -06:00
|
|
|
AC_DEFINE_UNQUOTED([PYTHON], "$PYTHON", [path to python binary])
|
2019-09-17 23:19:43 -05:00
|
|
|
AC_PATH_PROG([FLAKE8], [flake8])
|
|
|
|
if test -z "$FLAKE8"; then
|
|
|
|
AC_MSG_WARN(['flake8' binary is required to check python code style])
|
|
|
|
fi
|
2019-09-05 10:45:27 -05:00
|
|
|
|
|
|
|
dnl Python3 < 3.7 treats the C locale as 7-bit only.
|
|
|
|
dnl We must force env vars so it treats it as UTF-8
|
|
|
|
dnl regardless of the user's locale.
|
|
|
|
RUNUTF8="LC_ALL= LANG=C LC_CTYPE=en_US.UTF-8"
|
|
|
|
AC_SUBST(RUNUTF8)
|
|
|
|
|
|
|
|
|
2012-05-29 16:49:13 -05:00
|
|
|
AC_PATH_PROG([PERL], [perl])
|
2014-08-13 22:37:45 -05:00
|
|
|
if test -z "$PERL"; then
|
2017-05-08 05:35:17 -05:00
|
|
|
AC_MSG_ERROR(['perl' binary is required to build libvirt])
|
2014-08-13 22:37:45 -05:00
|
|
|
fi
|
2012-05-29 16:49:13 -05:00
|
|
|
|
2020-01-14 12:34:26 -06:00
|
|
|
dnl MinGW checks
|
2016-12-15 04:48:38 -06:00
|
|
|
LIBVIRT_WIN_CHECK_COMMON
|
2016-12-06 06:55:50 -06:00
|
|
|
LIBVIRT_WIN_CHECK_MINGW
|
2016-12-06 06:56:38 -06:00
|
|
|
LIBVIRT_WIN_CHECK_SYMBOLS
|
2016-12-06 06:57:12 -06:00
|
|
|
LIBVIRT_WIN_CHECK_WINDRES
|
2016-12-15 04:48:38 -06:00
|
|
|
|
|
|
|
|
2016-11-14 08:34:04 -06:00
|
|
|
dnl Driver-Modules library support
|
|
|
|
LIBVIRT_CHECK_DRIVER_MODULES
|
2008-11-21 06:16:08 -06:00
|
|
|
|
|
|
|
|
2008-02-28 11:07:37 -06:00
|
|
|
# Set LV_LIBTOOL_OBJDIR to "." or $lt_cv_objdir, depending on whether
|
|
|
|
# we're building shared libraries. This is the name of the directory
|
|
|
|
# in which .o files will be created.
|
|
|
|
test "$enable_shared" = no && lt_cv_objdir=.
|
|
|
|
LV_LIBTOOL_OBJDIR=${lt_cv_objdir-.}
|
2008-05-22 10:34:02 -05:00
|
|
|
AC_SUBST([LV_LIBTOOL_OBJDIR])
|
2008-02-28 11:07:37 -06:00
|
|
|
|
2008-11-21 06:27:11 -06:00
|
|
|
|
|
|
|
with_nodedev=no;
|
2010-03-24 16:31:31 -05:00
|
|
|
if test "$with_hal" = "yes" || test "$with_udev" = "yes";
|
2008-11-21 06:27:11 -06:00
|
|
|
then
|
|
|
|
with_nodedev=yes
|
|
|
|
AC_DEFINE_UNQUOTED([WITH_NODE_DEVICES], 1, [with node device driver])
|
|
|
|
fi
|
|
|
|
AM_CONDITIONAL([WITH_NODE_DEVICES], [test "$with_nodedev" = "yes"])
|
|
|
|
|
2014-02-10 08:08:26 -06:00
|
|
|
dnl GET_VLAN_VID_CMD is required for virNetDevGetVLanID
|
|
|
|
AC_CHECK_DECLS([GET_VLAN_VID_CMD], [], [], [[#include <linux/if_vlan.h>]])
|
2010-02-12 11:03:07 -06:00
|
|
|
|
2013-04-27 10:50:19 -05:00
|
|
|
# Check for Linux vs. BSD ifreq members
|
|
|
|
AC_CHECK_MEMBERS([struct ifreq.ifr_newname,
|
|
|
|
struct ifreq.ifr_ifindex,
|
2014-10-29 13:20:47 -05:00
|
|
|
struct ifreq.ifr_index,
|
|
|
|
struct ifreq.ifr_hwaddr],
|
2013-04-27 10:50:19 -05:00
|
|
|
[], [],
|
|
|
|
[#include <sys/socket.h>
|
|
|
|
#include <net/if.h>
|
|
|
|
])
|
2013-07-17 13:02:17 -05:00
|
|
|
|
2013-05-03 08:35:20 -05:00
|
|
|
# Check for BSD approach for setting MAC addr
|
2013-07-17 13:02:17 -05:00
|
|
|
AC_LINK_IFELSE([AC_LANG_PROGRAM(
|
|
|
|
[[
|
|
|
|
#include <sys/types.h>
|
|
|
|
#include <sys/socket.h>
|
|
|
|
#include <net/if_dl.h>
|
|
|
|
]],
|
|
|
|
[[
|
2013-07-24 08:02:00 -05:00
|
|
|
link_addr(0, 0)]])],
|
2013-07-17 13:02:17 -05:00
|
|
|
[AC_DEFINE([HAVE_DECL_LINK_ADDR],
|
|
|
|
[1],
|
|
|
|
[whether link_addr is available])])
|
2013-05-03 08:35:20 -05:00
|
|
|
|
2013-06-19 11:47:31 -05:00
|
|
|
# Check for BSD approach for bridge management
|
|
|
|
AC_CHECK_DECLS([BRDGSFD, BRDGADD, BRDGDEL],
|
|
|
|
[AC_DEFINE([HAVE_BSD_BRIDGE_MGMT],
|
|
|
|
[1],
|
|
|
|
[whether BSD style bridge management is available])],
|
|
|
|
[],
|
2013-07-10 04:38:06 -05:00
|
|
|
[#include <stdint.h>
|
|
|
|
#include <net/if.h>
|
2013-06-19 11:47:31 -05:00
|
|
|
#include <net/ethernet.h>
|
|
|
|
#include <net/if_bridgevar.h>
|
|
|
|
])
|
|
|
|
|
2014-01-29 12:31:44 -06:00
|
|
|
# Check for BSD CPU affinity availability
|
|
|
|
AC_CHECK_DECLS([cpuset_getaffinity],
|
|
|
|
[AC_DEFINE([HAVE_BSD_CPU_AFFINITY],
|
|
|
|
[1],
|
|
|
|
[whether BSD CPU affinity management is available])],
|
|
|
|
[],
|
|
|
|
[#include <sys/param.h>
|
|
|
|
#include <sys/cpuset.h>
|
|
|
|
])
|
|
|
|
|
2014-04-21 05:59:58 -05:00
|
|
|
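# Check for BSD kvm (kernel memory interface).
# with_freebsd is quoted so that an unset or empty value takes the
# non-FreeBSD path instead of making the test command fail on a
# missing operand.
if test "x$with_freebsd" = "xyes"; then
    AC_CHECK_LIB([kvm], [kvm_getprocs], [],
        [AC_MSG_ERROR([BSD kernel memory interface library is required to build on FreeBSD])]
    )
fi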
|
|
|
|
|
2016-11-19 11:42:27 -06:00
|
|
|
AC_CHECK_DECLS([clock_serv_t, host_get_clock_service, clock_get_time],
|
|
|
|
[AC_DEFINE([HAVE_MACH_CLOCK_ROUTINES],
|
|
|
|
[1],
|
|
|
|
[whether Mach clock routines are available])],
|
|
|
|
[],
|
|
|
|
[#include <mach/clock.h>
|
|
|
|
#include <mach/mach.h>
|
|
|
|
])
|
|
|
|
|
2019-09-09 02:37:32 -05:00
|
|
|
# Check if we have new enough kernel to support BPF devices for cgroups v2
|
|
|
|
if test "$with_linux" = "yes"; then
|
2019-09-09 02:40:06 -05:00
|
|
|
AC_CHECK_DECLS([BPF_PROG_QUERY, BPF_CGROUP_DEVICE],
|
|
|
|
[], [], [#include <linux/bpf.h>])
|
2019-09-09 02:37:32 -05:00
|
|
|
fi
|
|
|
|
|
2013-08-11 08:54:48 -05:00
|
|
|
# Check if we need to look for ifconfig
|
|
|
|
if test "$want_ifconfig" = "yes"; then
|
|
|
|
AC_PATH_PROG([IFCONFIG_PATH], [ifconfig])
|
|
|
|
if test -z "$IFCONFIG_PATH"; then
|
|
|
|
AC_MSG_ERROR([Failed to find ifconfig.])
|
|
|
|
fi
|
|
|
|
AC_DEFINE_UNQUOTED([IFCONFIG_PATH], "$IFCONFIG_PATH", [path to ifconfig binary])
|
|
|
|
fi
|
|
|
|
|
2019-10-02 11:04:31 -05:00
|
|
|
GNUmakefile=GNUmakefile
|
|
|
|
m4_if(m4_version_compare([2.61a.100],
|
|
|
|
m4_defn([m4_PACKAGE_VERSION])), [1], [],
|
|
|
|
[AC_CONFIG_LINKS([$GNUmakefile:$GNUmakefile], [],
|
|
|
|
[GNUmakefile=$GNUmakefile])])
|
|
|
|
|
2012-09-14 04:08:54 -05:00
|
|
|
AC_CONFIG_FILES([run],
|
|
|
|
[chmod +x,-w run])
|
2013-07-31 15:52:16 -05:00
|
|
|
AC_CONFIG_FILES([\
|
makefile: Move include/Makefile.am to include/libvirt/Makefile.am
The reason for this is to fix the automatic rebuild of libvirt-common.h.in.
All *.in files should be automatically rebuilt each time they're modified.
It works well for makefiles and pkgconfig files, since they do have a valid
dependency in the top-level Makefile. However, with libvirt-common.h.in
there is no dependency in the top-level Makefile and there's no need for it
either, so this rule
include/libvirt/libvirt-common.h: $(top_builddir)/config.status \
$(top_srcdir)/include/libvirt/libvirt-common.h.in
cd $(top_builddir) && $(SHELL) ./config.status $@
is never hit and should be moved to include/Makefile, but that's automake's
job. According to GNU automake docs:
"Files created by AC_CONFIG_FILES, be they
Automake Makefiles or not, are all removed by ‘make distclean’. Their inputs
are automatically distributed, unless they are the output of prior
AC_CONFIG_FILES commands. Finally, rebuild rules are generated in the Automake
Makefile existing in the subdirectory of the output file, if there is one, or
in the top-level Makefile otherwise."
Which means that if we want to have the rule for libvirt-common.h automatically
generated by automake, the include/Makefile.am needs to be moved into libvirt/
subdirectory and $SUBDIRS in the top-level Makefile need to be adjusted as
well. This patch moves Makefile.am from include/ to include/libvirt, adjusting
the prefixes accordingly as well as updates the top-level Makefile $SUBDIRS to
properly hint automake to generate all rules at proper places.
Best way to see the changes, use -M with 'git show'.
Signed-off-by: Erik Skultety <eskultet@redhat.com>
2016-04-05 14:04:06 -05:00
|
|
|
Makefile src/Makefile include/libvirt/Makefile docs/Makefile \
|
2017-04-21 09:05:19 -05:00
|
|
|
.color_coded \
|
2017-04-21 09:47:02 -05:00
|
|
|
.ycm_extra_conf.py \
|
2014-06-20 11:47:15 -05:00
|
|
|
libvirt.pc \
|
|
|
|
libvirt-qemu.pc \
|
|
|
|
libvirt-lxc.pc \
|
2015-04-15 09:16:24 -05:00
|
|
|
libvirt-admin.pc \
|
2014-06-20 11:48:12 -05:00
|
|
|
src/libvirt.pc \
|
|
|
|
src/libvirt-qemu.pc \
|
|
|
|
src/libvirt-lxc.pc \
|
2014-06-20 11:47:15 -05:00
|
|
|
libvirt.spec mingw-libvirt.spec \
|
2018-04-03 10:39:17 -05:00
|
|
|
po/Makefile \
|
2016-01-10 13:36:13 -06:00
|
|
|
include/libvirt/libvirt-common.h \
|
2016-01-09 17:03:56 -06:00
|
|
|
examples/Makefile \
|
2013-07-31 15:52:16 -05:00
|
|
|
tests/Makefile \
|
2016-01-10 14:35:36 -06:00
|
|
|
tools/Makefile])
|
2013-07-31 15:52:16 -05:00
|
|
|
AC_OUTPUT
|
2007-09-18 18:36:30 -05:00
|
|
|
|
|
|
|
AC_MSG_NOTICE([])
|
|
|
|
AC_MSG_NOTICE([Configuration summary])
|
|
|
|
AC_MSG_NOTICE([=====================])
|
|
|
|
AC_MSG_NOTICE([])
|
|
|
|
AC_MSG_NOTICE([Drivers])
|
|
|
|
AC_MSG_NOTICE([])
|
2016-12-08 03:35:30 -06:00
|
|
|
LIBVIRT_DRIVER_RESULT_QEMU
|
2016-11-29 01:50:58 -06:00
|
|
|
LIBVIRT_DRIVER_RESULT_OPENVZ
|
2016-11-29 01:54:02 -06:00
|
|
|
LIBVIRT_DRIVER_RESULT_VMWARE
|
2016-12-12 11:19:21 -06:00
|
|
|
LIBVIRT_DRIVER_RESULT_VBOX
|
2016-12-12 09:18:02 -06:00
|
|
|
LIBVIRT_DRIVER_RESULT_LIBXL
|
2016-12-08 03:36:55 -06:00
|
|
|
LIBVIRT_DRIVER_RESULT_LXC
|
2016-12-01 03:40:31 -06:00
|
|
|
LIBVIRT_DRIVER_RESULT_ESX
|
2016-12-01 03:43:13 -06:00
|
|
|
LIBVIRT_DRIVER_RESULT_HYPERV
|
2015-07-10 09:32:00 -05:00
|
|
|
LIBVIRT_DRIVER_RESULT_VZ
|
2014-02-18 04:08:10 -06:00
|
|
|
LIBVIRT_DRIVER_RESULT_BHYVE
|
2016-12-01 03:23:41 -06:00
|
|
|
LIBVIRT_DRIVER_RESULT_TEST
|
2016-12-01 03:27:19 -06:00
|
|
|
LIBVIRT_DRIVER_RESULT_REMOTE
|
2016-12-01 05:02:30 -06:00
|
|
|
LIBVIRT_DRIVER_RESULT_NETWORK
|
2016-12-01 05:01:33 -06:00
|
|
|
LIBVIRT_DRIVER_RESULT_LIBVIRTD
|
2016-12-01 08:50:59 -06:00
|
|
|
LIBVIRT_DRIVER_RESULT_INTERFACE
|
2007-09-18 18:36:30 -05:00
|
|
|
AC_MSG_NOTICE([])
|
2008-02-20 09:42:30 -06:00
|
|
|
AC_MSG_NOTICE([Storage Drivers])
|
|
|
|
AC_MSG_NOTICE([])
|
2016-12-07 01:46:51 -06:00
|
|
|
LIBVIRT_STORAGE_RESULT_DIR
|
2016-12-07 03:16:19 -06:00
|
|
|
LIBVIRT_STORAGE_RESULT_FS
|
2016-12-07 03:22:05 -06:00
|
|
|
LIBVIRT_STORAGE_RESULT_LVM
|
2016-12-07 06:12:31 -06:00
|
|
|
LIBVIRT_STORAGE_RESULT_ISCSI
|
2018-07-31 03:44:21 -05:00
|
|
|
LIBVIRT_STORAGE_RESULT_ISCSI_DIRECT
|
2016-12-07 06:13:00 -06:00
|
|
|
LIBVIRT_STORAGE_RESULT_SCSI
|
2016-12-12 11:21:11 -06:00
|
|
|
LIBVIRT_STORAGE_RESULT_MPATH
|
2016-12-12 11:21:51 -06:00
|
|
|
LIBVIRT_STORAGE_RESULT_DISK
|
2016-12-07 08:44:08 -06:00
|
|
|
LIBVIRT_STORAGE_RESULT_RBD
|
2016-12-07 08:48:37 -06:00
|
|
|
LIBVIRT_STORAGE_RESULT_SHEEPDOG
|
2016-12-07 08:52:39 -06:00
|
|
|
LIBVIRT_STORAGE_RESULT_GLUSTER
|
2016-12-07 08:59:19 -06:00
|
|
|
LIBVIRT_STORAGE_RESULT_ZFS
|
2017-01-17 08:10:55 -06:00
|
|
|
LIBVIRT_STORAGE_RESULT_VSTORAGE
|
2008-02-20 09:42:30 -06:00
|
|
|
AC_MSG_NOTICE([])
|
2009-03-03 04:06:49 -06:00
|
|
|
AC_MSG_NOTICE([Security Drivers])
|
|
|
|
AC_MSG_NOTICE([])
|
2016-12-12 11:20:45 -06:00
|
|
|
LIBVIRT_SECDRIVER_RESULT_SELINUX
|
2016-12-01 05:08:20 -06:00
|
|
|
LIBVIRT_SECDRIVER_RESULT_APPARMOR
|
2009-03-03 04:06:49 -06:00
|
|
|
AC_MSG_NOTICE([])
|
2008-11-21 06:16:08 -06:00
|
|
|
AC_MSG_NOTICE([Driver Loadable Modules])
|
|
|
|
AC_MSG_NOTICE([])
|
2016-11-14 08:34:04 -06:00
|
|
|
LIBVIRT_RESULT_DRIVER_MODULES
|
2009-08-05 03:43:37 -05:00
|
|
|
AC_MSG_NOTICE([])
|
|
|
|
AC_MSG_NOTICE([Libraries])
|
|
|
|
AC_MSG_NOTICE([])
|
2017-02-14 08:21:29 -06:00
|
|
|
LIBVIRT_RESULT_ACL
|
2012-09-20 07:28:45 -05:00
|
|
|
LIBVIRT_RESULT_APPARMOR
|
2012-09-19 08:00:34 -05:00
|
|
|
LIBVIRT_RESULT_ATTR
|
2012-09-20 07:12:40 -05:00
|
|
|
LIBVIRT_RESULT_AUDIT
|
2017-11-02 08:41:53 -05:00
|
|
|
LIBVIRT_RESULT_BASH_COMPLETION
|
2012-09-20 09:52:14 -05:00
|
|
|
LIBVIRT_RESULT_BLKID
|
2012-09-20 07:58:37 -05:00
|
|
|
LIBVIRT_RESULT_CAPNG
|
2013-01-08 15:31:58 -06:00
|
|
|
LIBVIRT_RESULT_CURL
|
2012-09-20 09:12:08 -05:00
|
|
|
LIBVIRT_RESULT_DBUS
|
2016-11-11 17:20:21 -06:00
|
|
|
LIBVIRT_RESULT_DLOPEN
|
2016-11-14 08:34:40 -06:00
|
|
|
LIBVIRT_RESULT_FIREWALLD
|
configure: selectively install a firewalld 'libvirt' zone
In the past (when both libvirt and firewalld used iptables), if either
libvirt's rules *OR* firewalld's rules accepted a packet, it would
be accepted. This was because libvirt and firewalld rules were
processed during the same kernel hook, and a single ACCEPT result
would terminate the rule traversal and cause the packet to be
accepted.
But now firewalld can use nftables for its backend, while libvirt's
firewall rules are still using iptables; iptables rules are still
processed, but at a different time during packet processing
(i.e. during a different hook) than the firewalld nftables rules. The
result is that a packet must be accepted by *BOTH* the libvirt
iptables rules *AND* the firewalld nftable rules in order to be
accepted.
This causes pain because
1) libvirt always adds rules to permit DNS and DHCP (and sometimes
TFTP) from guests to the host network's bridge interface. But
libvirt's bridges are in firewalld's "default" zone (which is usually
the zone called "public"). The public zone allows ssh, but doesn't
allow DNS, DHCP, or TFTP. So even though libvirt's rules allow the
DHCP and DNS traffic, the firewalld rules (now processed during a
different hook) don't, thus guests connected to libvirt's bridges can't
acquire an IP address from DHCP, nor can they make DNS queries to the
DNS server libvirt has setup on the host. (This could be solved by
modifying the default firewalld zone to allow DNS and DHCP, but that
would open *all* interfaces in the default zone to those services,
which is most likely not what the host's admin wants.)
2) Even though libvirt adds iptables rules to allow forwarded traffic
to pass the iptables hook, firewalld's higher level "rich rules" don't
yet have the ability to configure the acceptance of forwarded traffic
(traffic that is going somewhere beyond the host), so any traffic that
needs to be forwarded from guests to the network beyond the host is
rejected during the nftables hook by the default zone's "default
reject" policy (which rejects all traffic in the zone not specifically
allowed by the rules in the zone, whether that traffic is destined to
be forwarded or locally received by the host).
libvirt can't send "direct" nftables rules (firewalld only supports
direct/passthrough rules for iptables), so we can't solve this problem
by just sending explicit nftables rules instead of explicit iptables
rules (which, if it could be done, would place libvirt's rules in the
same hook as firewalld's native rules, and thus eliminate the need for
packets to be accepted by both libvirt's and firewalld's own rules).
However, we can take advantage of a quirk in firewalld zones that have
a default policy of "accept" (meaning any packet that doesn't match a
specific rule in the zone will be *accepted*) - this default accept will
also accept forwarded traffic (not just traffic destined for the host).
Of course we don't want to modify firewalld's default zone in that
way, because that would affect the filtering of traffic coming into
the host from other interfaces using that zone. Instead, we will
create a new zone called "libvirt". The libvirt zone will have a
default policy of accept so that forwarded traffic can pass and list
specific services that will be allowed into the host from guests (DNS,
DHCP, SSH, and TFTP).
But the same default accept policy that fixes forwarded traffic also
causes *all* traffic from guest to host to be accepted. To close this
new hole, the libvirt zone can take advantage of a new feature in
firewalld (currently slated for firewalld-0.7.0) - priorities for rich
rules - to add a low priority rule that rejects all local traffic (but
leaves alone all forwarded traffic).
So, our new zone will start with a list of services that are allowed
(dhcp, dns, tftp, and ssh to start, but configurable via any firewalld
management application, or direct editing of the zone file in
/etc/firewalld/zones/libvirt.xml), followed by a low priority
<reject/> rule (to reject all other traffic from guest to host), and
finally with a default policy of accept (to allow forwarded traffic).
This patch only creates the zonefile for the new zone, and implements
a configure.ac option to selectively enable/disable installation of
the new zone. A separate patch contains the necessary code to actually
place bridge interfaces in the libvirt zone.
Why do we need a configure option to disable installation of the new
libvirt zone? It uses a new firewalld attribute that sets the priority
of a rich rule; this feature first appears in firewalld-0.7.0 (unless
it has been backported to an earlier firewalld by a downstream
maintainer). If the file were installed on a system with firewalld
that didn't support rule priorities, firewalld would log an error
every time it restarted, causing confusion and lots of extra bug
reports.
So we add two new configure.ac switches to avoid polluting the system
logs with this error on systems that don't support rule priorities -
"--with-firewalld-zone" and "--without-firewalld-zone". A package
builder can use these to include/exclude the libvirt zone file in the
installation. If firewalld is enabled (--with-firewalld), the default
is --with-firewalld-zone, but it can be disabled during configure
(using --without-firewalld-zone). Targets that are using a firewalld
version too old to support the rule priority setting in the libvirt
zone file can simply add --without-firewalld-zone to their configure
commandline.
These switches only affect whether or not the libvirt zone file is
*installed* in /usr/lib/firewalld/zones, but have no effect on whether
or not libvirt looks for a zone called libvirt and tries to use it.
NB: firewalld zones can only be added to the permanent config of
firewalld, and won't be loaded/enabled until firewalld is restarted,
so at package install/upgrade time we have to restart firewalld. For
rpm-based distros, this is done in the libvirt.spec file by calling
the %firewalld_restart rpm macro, which is a part of the
firewalld-filesystem package. (For distros that don't use rpm
packages, the command "firewall-cmd --reload" will have the same
effect).
Signed-off-by: Laine Stump <laine@laine.org>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
2019-01-25 22:52:37 -06:00
|
|
|
LIBVIRT_RESULT_FIREWALLD_ZONE
|
2013-01-08 15:06:57 -06:00
|
|
|
LIBVIRT_RESULT_FUSE
|
2019-07-30 04:13:36 -05:00
|
|
|
LIBVIRT_RESULT_GLIB
|
2013-11-19 17:26:05 -06:00
|
|
|
LIBVIRT_RESULT_GLUSTER
|
2016-11-10 07:33:41 -06:00
|
|
|
LIBVIRT_RESULT_GNUTLS
|
2012-09-20 09:39:12 -05:00
|
|
|
LIBVIRT_RESULT_HAL
|
2018-07-31 03:44:20 -05:00
|
|
|
LIBVIRT_RESULT_LIBISCSI
|
2016-12-12 03:07:24 -06:00
|
|
|
LIBVIRT_RESULT_LIBNL
|
2016-12-09 04:01:47 -06:00
|
|
|
LIBVIRT_RESULT_LIBPCAP
|
2016-11-09 08:28:35 -06:00
|
|
|
LIBVIRT_RESULT_LIBSSH
|
2016-12-12 09:18:02 -06:00
|
|
|
LIBVIRT_RESULT_LIBXL
|
2016-12-19 08:11:06 -06:00
|
|
|
LIBVIRT_RESULT_LIBXML
|
2016-12-12 02:59:15 -06:00
|
|
|
LIBVIRT_RESULT_MACVTAP
|
2012-09-20 09:14:52 -05:00
|
|
|
LIBVIRT_RESULT_NETCF
|
2018-04-03 10:39:17 -05:00
|
|
|
LIBVIRT_RESULT_NLS
|
2016-11-10 07:33:41 -06:00
|
|
|
LIBVIRT_RESULT_NSS
|
2012-09-20 07:47:23 -05:00
|
|
|
LIBVIRT_RESULT_NUMACTL
|
2013-01-08 16:08:53 -06:00
|
|
|
LIBVIRT_RESULT_OPENWSMAN
|
2012-09-20 09:34:13 -05:00
|
|
|
LIBVIRT_RESULT_PCIACCESS
|
2016-12-12 03:12:13 -06:00
|
|
|
LIBVIRT_RESULT_PM_UTILS
|
2016-12-12 01:05:18 -06:00
|
|
|
LIBVIRT_RESULT_POLKIT
|
2016-12-07 08:44:08 -06:00
|
|
|
LIBVIRT_RESULT_RBD
|
2013-05-01 21:54:57 -05:00
|
|
|
LIBVIRT_RESULT_READLINE
|
2012-09-20 07:04:57 -05:00
|
|
|
LIBVIRT_RESULT_SANLOCK
|
2012-09-20 07:06:12 -05:00
|
|
|
LIBVIRT_RESULT_SASL
|
2012-09-20 07:21:48 -05:00
|
|
|
LIBVIRT_RESULT_SELINUX
|
2013-01-08 15:47:55 -06:00
|
|
|
LIBVIRT_RESULT_SSH2
|
2012-09-20 09:34:13 -05:00
|
|
|
LIBVIRT_RESULT_UDEV
|
2016-12-13 05:40:48 -06:00
|
|
|
LIBVIRT_RESULT_VIRTUALPORT
|
2016-12-13 05:40:30 -06:00
|
|
|
LIBVIRT_RESULT_XDR
|
2012-09-20 07:03:27 -05:00
|
|
|
LIBVIRT_RESULT_YAJL
|
2016-12-15 04:48:38 -06:00
|
|
|
AC_MSG_NOTICE([])
|
|
|
|
AC_MSG_NOTICE([Windows])
|
|
|
|
AC_MSG_NOTICE([])
|
|
|
|
LIBVIRT_WIN_RESULT_COMMON
|
2016-12-06 06:57:12 -06:00
|
|
|
LIBVIRT_WIN_RESULT_WINDRES
|
2007-09-18 18:36:30 -05:00
|
|
|
AC_MSG_NOTICE([])
|
|
|
|
AC_MSG_NOTICE([Miscellaneous])
|
|
|
|
AC_MSG_NOTICE([])
|
2016-11-30 07:34:57 -06:00
|
|
|
LIBVIRT_RESULT_DTRACE
|
2016-12-12 06:54:35 -06:00
|
|
|
LIBVIRT_RESULT_NUMAD
|
2016-05-02 06:27:47 -05:00
|
|
|
LIBVIRT_RESULT_INIT_SCRIPT
|
2016-12-13 06:45:25 -06:00
|
|
|
LIBVIRT_RESULT_CHRDEV_LOCK_FILES
|
2016-12-15 06:39:21 -06:00
|
|
|
LIBVIRT_RESULT_LOADER_NVRAM
|
2016-12-14 09:51:30 -06:00
|
|
|
LIBVIRT_RESULT_LOGIN_SHELL
|
|
|
|
LIBVIRT_RESULT_HOST_VALIDATE
|
2016-12-14 09:33:57 -06:00
|
|
|
LIBVIRT_RESULT_TLS_PRIORITY
|
2007-09-18 18:36:30 -05:00
|
|
|
AC_MSG_NOTICE([])
|
2014-01-15 11:06:58 -06:00
|
|
|
AC_MSG_NOTICE([Developer Tools])
|
|
|
|
AC_MSG_NOTICE([])
|
2016-12-13 05:40:05 -06:00
|
|
|
LIBVIRT_RESULT_WIRESHARK
|
2014-01-15 11:06:58 -06:00
|
|
|
AC_MSG_NOTICE([])
|
2009-07-15 16:25:01 -05:00
|
|
|
AC_MSG_NOTICE([Privileges])
|
|
|
|
AC_MSG_NOTICE([])
|
2016-12-12 08:35:07 -06:00
|
|
|
LIBVIRT_RESULT_QEMU_PRIVILEGES
|
2009-07-24 09:17:06 -05:00
|
|
|
AC_MSG_NOTICE([])
|