The virtlogd could only be restarted when the daemons run. The update.sh
script tried to restart the daemon no matter if the daemons run or not.
This behaviour produce problems.
An If statement now checks if the daemon runs or not and execute the
command that is suitable for the situation.
Fixes: #11172
Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
This is the update of libvirt to the latest version 2.1.
The most important change from a packager view is the new virtlogd
daemon.
This daemon handles the qemu output and wrote it to log files.
The require some changes:
- A new init script to start, stop restart the daemon called virtlogd.
The daemon is restart with SIGUSR1 (this is important because the daemon
keeps all pipelines etc. open).
This introduces a problem with the uninstall.sh install.sh script.
It is not possible to stop the daemon while virtual machines are
running, so the script update.sh execute from now not uninstall.sh and
install.sh instead it contains all steps from uninstall.sh install.sh
expect the start / stop routine for virtlogd. The daemon is just
restarted after the update, which makes sure that all changes take
effect.
- new symlinks in the uninstall.sh and install.sh script and some root
file changes because of the new virtlogd init script.
- the archive format changes from tar.gz to tar.xz
For Changelogs see:
https://libvirt.org/news-2015.htmlhttps://libvirt.org/news.html (2017 and later:
https://libvirt.org/news-2016.html )
Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
If the kernel module vhot_net is loaded, the performance of virtio
networking is better then without vhost_net.
So the module is loaded before libvirtd ist started to get the benefit
of vhost_net.
Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
This package adds support for the use redirection of spice.
It is now possible to attach USB devices of the host where the spice
client run to the virtual machine.
The binary is not needed for this functionality and that's why they is
not shipped with the package
This feature is also enabled in qemu.
Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
The directory /etc/libvirt is backed up on uninstallation and is
restored on installation.
Alle Files in /var are commented in the rootfile so they are not
removed on uninstallation.
Because of the fact that the directories are not shipped with the
package they were created at installation time.
The permissions of 3 directories are changed because the qemu user is
nobody and the qemu group is kvm, so the permissions must be nobody:kvm
Fixes: #11151
Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Includes various security fixes:
* sshd(8): Mitigate a potential denial-of-service attack against
the system's crypt(3) function via sshd(8). An attacker could
send very long passwords that would cause excessive CPU use in
crypt(3). sshd(8) now refuses to accept password authentication
requests of length greater than 1024 characters. Independently
reported by Tomas Kuthan (Oracle), Andres Rojas and Javier Nieto.
* sshd(8): Mitigate timing differences in password authentication
that could be used to discern valid from invalid account names
when long passwords were sent and particular password hashing
algorithms are in use on the server. CVE-2016-6210, reported by
EddieEzra.Harari at verint.com
* ssh(1), sshd(8): Fix observable timing weakness in the CBC padding
oracle countermeasures. Reported by Jean Paul Degabriele, Kenny
Paterson, Torben Hansen and Martin Albrecht. Note that CBC ciphers
are disabled by default and only included for legacy compatibility.
* ssh(1), sshd(8): Improve operation ordering of MAC verification for
Encrypt-then-MAC (EtM) mode transport MAC algorithms to verify the
MAC before decrypting any ciphertext. This removes the possibility
of timing differences leaking facts about the plaintext, though no
such leakage has been observed. Reported by Jean Paul Degabriele,
Kenny Paterson, Torben Hansen and Martin Albrecht.
* sshd(8): (portable only) Ignore PAM environment vars when
UseLogin=yes. If PAM is configured to read user-specified
environment variables and UseLogin=yes in sshd_config, then a
hostile local user may attack /bin/login via LD_PRELOAD or
similar environment variables set via PAM. CVE-2015-8325,
found by Shayan Sadigh.
Fixes: #11160
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
The perl-Net-IP module provides various methods for validating
and calculating IP-addresses (both IP protocols supported) and
is a runtime dependency of guardian 2.0.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
This patch update qemu to version 2.6
For changelogs see:
http://wiki.qemu.org/ChangeLog/2.5http://wiki.qemu.org/ChangeLog/2.6
Qemu try to built with bluez, but before version 2.6 bluez was not used
by qemu on IPFire, so I think it is better to disable bluez because
nobody needs it before version 2.6 and our bluez is not the latest
version so I think this will cause more problems than benefits.
Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
This is an security update.
Recent were 2 serious security vulnerabilities published.
This patch update spice to a version which is not vulnerable.
Changelog:
Changes in 0.12.8:
==================
* Fixes for CVE-2016-0749 and CVE-2016-2150
Changes in 0.12.7:
==================
* spice-server will now send TCP keepalive probes on the TCP connections
it
uses. This can prevent unwanted idle disconnections if proxies are
used
between the client and the host.
* Fix important memory usage when the webdav channel is used
* Do not disconnect when the client requests an unsupported compression
type
* Fix a few race conditions
* Fix display glitch when using XSpice
* Improve help string for 'replay -s'
* Fix crashes in corner cases (buggy spice-html5 + win10, vnc + SPICE
port
configured, USB webcam redirection over a slow link)
* Fix various compilation warning when building on 32 bit machines
* Some fixes for big-endian machines, more work is likely to be needed
* Do not build static libraries by default, this can be reenabled with
--enable-static
* Fix small leak in MJPEG code
Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
The libvirt daemon was not started after installation because the
initscritp is named 'libvirtd' not like the package 'libvirt'.
The same problem appear in the uninstall.sh. The service was not
stopped.
Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
