Hello community,

here is the log from the commit of package lxd.16125 for 
openSUSE:Leap:15.2:Update checked in at 2021-04-24 14:05:22
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Leap:15.2:Update/lxd.16125 (Old)
 and      /work/SRC/openSUSE:Leap:15.2:Update/.lxd.16125.new.12324 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "lxd.16125"

Sat Apr 24 14:05:22 2021 rev:1 rq:887262 version:4.13

Changes:
--------
New Changes file:

--- /dev/null   2021-04-15 00:52:17.177990775 +0200
+++ /work/SRC/openSUSE:Leap:15.2:Update/.lxd.16125.new.12324/lxd.changes        
2021-04-24 14:05:23.448947467 +0200
@@ -0,0 +1,480 @@
+-------------------------------------------------------------------
+Wed Apr 21 00:19:11 UTC 2021 - Aleksa Sarai <[email protected]>
+
+- Don't use SecureBoot OVMF blobs, they don't work with LXD.
+- Add backport of <https://github.com/lxc/lxd/pull/8700> to fix LXD VMs on
+  openSUSE. boo#1181549
+  + boo1181549-0001-vm-qemu-configure-spice-using-spice-parameter.patch
+
+-------------------------------------------------------------------
+Mon Apr 12 05:19:43 UTC 2021 - Aleksa Sarai <[email protected]>
+
+- Update to LXD 4.13. The full upstream changelog is available from:
+  https://discuss.linuxcontainers.org/t/lxd-4-13-has-been-released/10737
+  boo#1184580
+
+  + Support for instance filters in "lxc list"
+  + NVIDIA MIG support for containers
+  + System wide configuration in /etc/lxd
+  + Project resource usage
+  + Snapshot schedule aliases (cron-like @... aliases)
+  + images.default_architecture for multi-architecture setups
+  + New description column in "lxc {project,profile,storage} list"
+  + Reworked handling of default action in network ACLs
+  + "lxc stop --console"
+  + More auto-generated REST-API documentation
+
+-------------------------------------------------------------------
+Mon Mar 15 16:49:41 UTC 2021 - Callum Farmer <[email protected]>
+
+- Move OVMF symlinks to /usr/share, /opt is not allowed in SUSE
+  packages.
+
+-------------------------------------------------------------------
+Fri Mar  5 16:31:52 UTC 2021 - Aleksa Sarai <[email protected]>
+
+- Update to LXD 4.12. The full upstream changelog is available from:
+  https://discuss.linuxcontainers.org/t/lxd-4-12-has-been-released/10424
+  boo#1183111
+
+  + Initial Network ACLs support (OVN-only)
+  + Project restricted certificates
+  + Server configuration options now supported at the project level
+  + Configuration option for Ceph features
+  * Projects now supported by lxd init --dump and --preseed
+  * Initial auto-generated REST-API documentation
+
+  + VM: Stateful stop and stateful snapshots for virtual machines
+- Updated packaging to support VMs, though note that LXD's usage of QEMU causes
+  issues with QEMU 5.2 on openSUSE (because of how we package it). See
+  <https://github.com/lxc/lxd/issues/8416> for more details. bsc#1181549
+- Prefix all binaries with lxd- if they don't start with "lx[cd]". This is to
+  avoid having cases like lxd-generate where there's a binary in /usr/bin that
+  has a super-generic name.
+
+-------------------------------------------------------------------
+Fri Feb  5 07:41:04 UTC 2021 - Aleksa Sarai <[email protected]>
+
+- Update to LXD 4.11. The full upstream changelog is available from:
+  https://discuss.linuxcontainers.org/t/lxd-4-11-has-been-released/10135
+  boo#1181825
+
+  + Bulk instance state change API
+  + GVRP support for dynamic vlan configuration
+  + Server-side instance storage pool migration
+  + Volume usage API
+
+  + VM: SR-IOV GPU Support
+  + VM: PCI Device Type
+  + VM: ISO images now exposed as cdrom
+
+-------------------------------------------------------------------
+Mon Jan 11 12:53:22 UTC 2021 - Aleksa Sarai <[email protected]>
+
+- Update to LXD 4.10. The full upstream changelog is available from:
+  https://discuss.linuxcontainers.org/t/lxd-4-10-has-been-released/9894
+  boo#1180772
+
+  + VLAN information in network state
+  + Proxy device support for VMs (NAT only)
+  + Bridge port isolation
+  + New sub-commands for image properties
+  + Multi-queue networking in VMs
+
+-------------------------------------------------------------------
+Sat Dec 12 06:32:48 UTC 2020 - Aleksa Sarai <[email protected]>
+
+- Update to LXD 4.9. The full upstream changelog is available from:
+  https://discuss.linuxcontainers.org/t/lxd-4-9-has-been-released/9673
+  boo#1179972
+
+  + Mediated GPU devices for Virtual Machines
+  + IOMMU groups for PCI devices
+  + QEMU version in server environment information
+  * Improved lifecycle events
+  + "user." keys allowed on all objects
+  + usb_address and pci_address properties in USB/network resources
+  + ipv4.dhcp and ipv6.dhcp on OVN networks
+  + ovn.ingress_mode on physical networks
+  + ipv4.routes.anycast and ipv6.routes.anycast on physical networks
+  + limits.instances project option
+  + zstd compression for images and backups
+
+-------------------------------------------------------------------
+Fri Nov 13 06:15:10 UTC 2020 - Aleksa Sarai <[email protected]>
+
+- Update to LXD 4.8. The full upstream changelog is available from:
+  https://discuss.linuxcontainers.org/t/lxd-4-8-has-been-released/9458
+  boo#1178759
+
+  + vTPM support
+  + VirtioFS support for virtual machines
+  + Full CGroup2 support
+  + rebase mode for zfs.clone_copy
+  + --reuse option in lxc snapshot and lxc storage volume snapshot
+  * restarted lifecycle event
+  * Improved logging of user requests
+
+-------------------------------------------------------------------
+Sat Oct 17 09:03:58 UTC 2020 - Aleksa Sarai <[email protected]>
+
+- Update to LXD 4.7. The full upstream changelog is available from:
+  https://discuss.linuxcontainers.org/t/lxd-4-7-has-been-released/9213
+  boo#1177825
+
+  + Backup (export/import) of custom storage volumes
+  + Import of instances with alternative name
+  + Virtual machine memory shrinking (and re-grow)
+  + USB device passthrough for virtual machines
+  + Configurable rsync compression in migration
+  + Restrict available uplinks for project networks
+  + Add new physical managed network type
+  + Support for external routed addresses/subnets on OVN
+
+-------------------------------------------------------------------
+Sat Sep 19 04:50:10 UTC 2020 - Aleksa Sarai <[email protected]>
+
+- Update to LXD 4.6. The full upstream changelog is available from:
+  https://discuss.linuxcontainers.org/t/lxd-4-6-has-been-released/8981
+  boo#1176737
+
+  + Networks in projects
+  + AppArmor profiles for qemu
+  - Removal of custom sqlite fork.
+
+-------------------------------------------------------------------
+Sat Aug 29 02:59:26 UTC 2020 - Aleksa Sarai <[email protected]>
+
+- Update to LXD 4.5. The full upstream changelog is available from:
+  https://discuss.linuxcontainers.org/t/lxd-4-5-has-been-released/8824
+  boo#1175910
+
+  + Initial support for OVN virtual networks
+  + Initial bpf syscall interception
+  * Support for native terminal device allocation
+  * VGA console now working on Windows
+  * Improved handling of remote storage pools
+  * forkdns and forkproxy now running under AppArmor confinement
+  + lxc move now let???s you select a cluster target too
+
+-------------------------------------------------------------------
+Sat Aug  1 07:14:32 UTC 2020 - Aleksa Sarai <[email protected]>
+
+- Update to LXD 4.4. The full upstream changelog is available from:
+  https://discuss.linuxcontainers.org/t/lxd-4-4-has-been-released/8574
+  boo#1174789
+
+  + VGA console for virtual machines
+  + Clustering failure domains
+  + /dev/lxd API in virtual machines
+  + Graceful daemon shutdown
+  + macvlan and sriov managed network types
+  + Disk usage limits in projects
+  + AppAmor confinement for dnsmasq
+  + GPU mediated devices in resources API
+  + --console option in lxc launch
+
+-------------------------------------------------------------------
+Thu Jul  2 02:12:53 UTC 2020 - Aleksa Sarai <[email protected]>
+
+- Update to LXD 4.3. The full upstream changelog is available from:
+  https://discuss.linuxcontainers.org/t/lxd-4-3-has-been-released/8303
+  boo#1173608
+
+  + Block custom storage volumes
+  + VM: Initial work for graphical console
+  * VM: Rework of PCIe layout
+  + VM: GPU passthrough
+  * Direct console attach on lxc start and lxc restart
+  * Isolated CPUs reporting in resources API
+
+-------------------------------------------------------------------
+Fri Jun  5 23:58:50 UTC 2020 - Aleksa Sarai <[email protected]>
+
+- Update to LXD 4.2. The full upstream changelog is available from:
+  https://discuss.linuxcontainers.org/t/lxd-4-2-has-been-released/8071
+  bsc#1172605
+
++++ 283 more lines (skipped)
++++ between /dev/null
++++ and /work/SRC/openSUSE:Leap:15.2:Update/.lxd.16125.new.12324/lxd.changes
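Review bot: two entries in the new lxd.changes carry text defects that should be fixed in the changes file itself. The 4.4 entry reads "AppAmor confinement for dnsmasq" (AppArmor), and the 4.5 entry's "lxc move now let???s you select a cluster target too" contains a non-ASCII apostrophe that has not survived encoding; plain ASCII "lets you" avoids the problem. The 4.12 entry also tags the QEMU packaging issue as bsc#1181549 while the 21 April entry uses boo#1181549 for the same number; using one prefix throughout keeps the bug cross-references consistent.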

New:
----
  boo1181549-0001-vm-qemu-configure-spice-using-spice-parameter.patch
  lxd-4.13.tar.gz
  lxd-4.13.tar.gz.asc
  lxd-config.yml
  lxd-rpmlintrc
  lxd.changes
  lxd.dnsmasq
  lxd.keyring
  lxd.service
  lxd.spec
  lxd.sysctl

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ lxd.spec ++++++
#
# spec file for package lxd
#
# Copyright (c) 2021 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.

# Please submit bugfixes or comments via https://bugs.opensuse.org/
#
# nodebuginfo


%go_nostrip

%define _buildshell /bin/bash
%define import_path github.com/lxc/lxd

%define lxd_datadir %{_datadir}/lxd
%define lxd_ovmfdir %{lxd_datadir}/ovmf

Name:           lxd
Version:        4.13
Release:        0
Summary:        Container hypervisor based on LXC
License:        Apache-2.0
Group:          System/Management
URL:            https://linuxcontainers.org/lxd
Source:         https://linuxcontainers.org/downloads/%{name}/%{name}-%{version}.tar.gz
Source1:        https://linuxcontainers.org/downloads/%{name}/%{name}-%{version}.tar.gz.asc
Source2:        %{name}.keyring
Source3:        %{name}-rpmlintrc
# LXD upstream doesn't use systemd, they use snapd.
Source100:      %{name}.service
# LXD upstream doesn't have a sample config file.
Source101:      %{name}-config.yml
# Additional runtime configuration.
Source200:      %{name}.sysctl
Source201:      %{name}.dnsmasq
# Backport of <https://github.com/lxc/lxd/pull/8700>. boo#1181549
Patch1:         boo1181549-0001-vm-qemu-configure-spice-using-spice-parameter.patch
BuildRequires:  fdupes
BuildRequires:  golang-packaging
BuildRequires:  libacl-devel
BuildRequires:  libcap-devel
BuildRequires:  patchelf
BuildRequires:  pkg-config
BuildRequires:  rsync
BuildRequires:  sqlite3-devel >= 3.25
# Due to a limitation in openSUSE's Go packaging we cannot have a BuildRequires
# for 'golang(API) >= 1.14' here, so just require 1.14 exactly. bsc#1172608
BuildRequires:  golang(API) = 1.14
BuildRequires:  pkgconfig(libudev)
BuildRequires:  pkgconfig(lxc) >= 3.0.0
# Needed to build dqlite and raft.
BuildRequires:  autoconf
BuildRequires:  libtool
BuildRequires:  pkgconfig(libuv) >= 1.8.0
# Bits required for images and other things at runtime.
Requires:       acl
Requires:       ebtables
BuildRequires:  dnsmasq
Requires:       criu >= 2.0
Requires:       dnsmasq
Requires:       lxcfs
Requires:       lxcfs-hooks-lxc
Requires:       rsync
Requires:       squashfs
Requires:       tar
Requires:       xz
# Needed for VM support.
Requires:       qemu-ovmf-x86_64
BuildRequires:  qemu-ovmf-x86_64
# QEMU spice became a separate package for QEMU 5.2, which is not in Leap 15.2.
# But it exists in Tumbleweed so only require this in Tumbleweed.
%if 0%{?suse_version} > 1500 || 0%{?sle_version} == 150300
Requires:       qemu-ui-spice-core
%else
Requires:       qemu-ui-spice-app
%endif
Requires:       qemu-x86
# Storage backends -- we don't recommend ZFS since it's not *technically* a
# blessed configuration.
Recommends:     lvm2
Recommends:     btrfsprogs
Recommends:     thin-provisioning-tools
Suggests:       zfs

%description
LXD is a system container manager. It offers a user experience
similar to virtual machines but uses Linux containers (LXC) instead.

%package bash-completion
Summary:        Bash Completion for %{name}
Group:          System/Management
Requires:       %{name} = %{version}
Supplements:    packageand(%{name}:bash-completion)
BuildArch:      noarch

%description bash-completion
Bash command line completion support for %{name}.

%prep
%setup -q
# boo#1181549
%patch1 -p1

# Create fake "go mod"-like import paths. This is going to be really fun to
# maintain but it's unfortunately necessary because openSUSE doesn't have nice
# "go mod" support in OBS...
ln -s . _dist/src/github.com/cpuguy83/go-md2man/v2

%build
# Make sure any leftover go build caches are gone.
go clean -cache

# Set up GOPATH.
export GOPATH="$PWD/.gopath"
export PKGDIR="$GOPATH/src/%{import_path}"
mkdir -p "$PKGDIR"
cp -a * "$PKGDIR"

# Set up temporary installation paths.
export INSTALL_ROOT="$PKGDIR/.install"
export INSTALL_INCLUDEDIR="$INSTALL_ROOT/%{_includedir}"
export INSTALL_LIBDIR="$INSTALL_ROOT/%{_libdir}/%{name}"

# We first need to build all of the LXD-specific dependencies. To avoid binary
# bloat, we build them as dylibs -- but we then later need to mess around with
# the ELF headers to stop the openSUSE packaging scripts from freaking out.
export CFLAGS="%{optflags} -fPIC -DPIC"

# We have a temporary-install directory which contains all of the dylib deps.
export PKG_CONFIG_SYSROOT_DIR="$INSTALL_ROOT"
export PKG_CONFIG_PATH="$INSTALL_LIBDIR/pkgconfig"
# For some reason, Leap need us to specify this explicitly now.
export CPPFLAGS="-I$INSTALL_INCLUDEDIR"

# raft
pushd "$PKGDIR/_dist/deps/raft"
autoreconf -fiv
%configure \
        --libdir="%{_libdir}/%{name}" \
        --disable-static
make %{?_smp_mflags}
make DESTDIR="$INSTALL_ROOT" install
popd

# dqlite
pushd "$PKGDIR/_dist/deps/dqlite"
(
autoreconf -fiv
%configure \
        --libdir="%{_libdir}/%{name}" \
        --disable-static
make clean
make %{?_smp_mflags}
make DESTDIR="$INSTALL_ROOT" install
)
popd

# Find all of the main packages using go-list.
readarray -t mainpkgs \
        <<<"$(go list -f '{{.Name}}:{{.ImportPath}}' %{import_path}/... | \
              awk -F: '$1 == "main" { print $2 }' | \
              grep -Ev '^github.com/lxc/lxd/(test|shared)')"

# _dist/src is effectively an old-school "vendor/" tree, so add it to GOPATH.
export GOPATH="$GOPATH:$PKGDIR/_dist"

# And now we can finally build LXD and all of the related binaries.
mkdir bin
for mainpkg in "${mainpkgs[@]}"
do
        # Make sure all binaries *except* "lxc" have an lxd- prefix.
        binary="$(basename "$mainpkg")"
        if  ( echo "$binary" | grep -Eqv '^lx[cd].*$' )
        then
                binary="lxd-$binary"
        fi
        (
                # We need to link against our particular dylib deps.
                export \
                        CGO_CFLAGS="-I $INSTALL_INCLUDEDIR" \
                        CGO_LDFLAGS="-L $INSTALL_LIBDIR" ||:
                go build -buildmode=pie -tags "libsqlite3" -o "bin/$binary" "$mainpkg"
        )
done

# This part is quite ugly, so I apologise upfront.
#
# We want to have our _dist/deps/* libraries be dylibs so that we don't bloat
# our lxd binary. Unfortunately, we are presented with a few challenges:
#
#  * Doing this naively (put it in {_libdir}) results in sqlite3 package
#    conflicts -- and we aren't going to maintain sqlite3 for all of openSUSE
#    here.
#
#  * Putting everything in a hidden {_libdir}/{name} with RUNPATH configured
#    accordingly works a little better, but still results in lxd ending up with
#    {Provides,Requires}: libsqlite3.so.0. This results in more esoteric
#    conflicts but is still an issue (we'd need to add Prefer: libsqlite3-0
#    everywhere).
#
# So, the only reasonable choice left is to use absolute paths as DT_NEEDED
# entries -- which bypasses the need for RUNPATH and allows us to set garbage
# sonames for our _dist/deps/* libraries. Absolute paths for DT_NEEDED is
# *slightly* undefined behaviour, but glibc has had this behaviour for a very
# long time -- and others have considered using it in a similar manner[1].
#
# What F U N.
#
# [1]: https://github.com/NixOS/nixpkgs/issues/24844

(
        # A simple check that lxd isn't broken. We can't do this after patchelf
        # because we'd need to chroot(2) into {buildroot} which isn't permitted due
        # to user namespaces being blocked inside rpmbuild. boo#1138769
        export LD_LIBRARY_PATH="$INSTALL_LIBDIR"
        ./bin/lxd help
)

for lib in "$INSTALL_LIBDIR"/lib*.so
do
        # Strip off last two version digits.
        name="$(basename "$(readlink "$lib")" | sed -E 's/\.[0-9]+\.[0-9]+$//')"
        # Give our libraries unrecognisable DT_SONAME entries.
        patchelf --set-soname "._LXD_INTERNAL-$name" "$lib"
        # Make sure they're executable.
        chmod +x "$lib"
done

# Switch to absolute DT_NEEDED for all dylibs we have as well as the main LXD
# binary. We do this for all dylibs to make sure we don't end up with weird
# chain-loading problems.
for target in bin/* "$INSTALL_LIBDIR"/lib*.so
do
        # Drop RPATH in case it got included during builds.
        patchelf --remove-rpath "$target"
        # And now replace all the possible DT_NEEDEDs to absolute paths.
        for lib in "$INSTALL_LIBDIR"/lib*.so
        do
                # Strip off last two version digits.
                name="$(basename "$(readlink "$lib")" | sed -E 's/\.[0-9]+\.[0-9]+$//')"
                patchelf --replace-needed {,%{_libdir}/%{name}/}"$name" "$target"
        done
done

# Generate man pages.
mkdir man
./bin/lxc manpage man/

# Final sanity-check during build.
pushd bin/
for bin in *
do
        # Ensure that all our binaries are dynamic. boo#1138769
        file "$bin" | grep 'dynamically linked'
        # Check what they are linked against.
        ldd "$bin"
done
popd

%install
export GOPATH="$PWD/.gopath"
export PKGDIR="$GOPATH/src/%{import_path}"
export INSTALL_LIBDIR="$PKGDIR/.install/%{_libdir}/%{name}"

install -d -m 0755 %{buildroot}%{_libdir}/%{name}
# We can't use install because *.so.$n are symlinks.
cp -avt %{buildroot}%{_libdir}/%{name}/ "$INSTALL_LIBDIR"/lib*.so.*

# Install all the binaries.
pushd bin/
for bin in *
do
        install -D -m 0755 "$bin" "%{buildroot}%{_bindir}/$bin"
done
popd

# System-wide client configuration.
install -D -m0644 %{S:101} %{buildroot}/etc/lxd/config.yml
install -d -m0755 %{buildroot}/etc/lxd/servercerts

# Install man pages.
pushd man/
for man in *
do
        section="${man##*.}"
        install -D -m 0644 "$man" "%{buildroot}%{_mandir}/man$section/$man"
done
popd

# bash-completion.
install -D -m 0644 scripts/bash/lxd-client %{buildroot}%{_datadir}/bash-completion/completions/lxc

# sysv-init and systemd setup.
install -D -m 0644 %{S:100} %{buildroot}%{_unitdir}/%{name}.service
mkdir -p %{buildroot}%{_sbindir}
ln -s %{_sbindir}/service %{buildroot}%{_sbindir}/rc%{name}

# Run-time configuration.
install -D -m 0644 %{S:200} %{buildroot}%{_sysctldir}/60-lxd.conf
install -D -m 0644 %{S:201} %{buildroot}%{_sysconfdir}/dnsmasq.d/60-lxd.conf

# Run-time directories.
install -d -m 0711 %{buildroot}%{_localstatedir}/lib/%{name}
install -d -m 0755 %{buildroot}%{_localstatedir}/log/%{name}

# In order for VM support in LXD to function, you need to have OVMF configured
# in the way it expects. In particular, LXD depends on specific filenames for
# the firmware files so we create fake ones with symlinks.
mkdir -p %{buildroot}%{lxd_ovmfdir}
ln -s %{_datarootdir}/qemu/ovmf-x86_64-code.bin %{buildroot}%{lxd_ovmfdir}/OVMF_CODE.fd
ln -s %{_datarootdir}/qemu/ovmf-x86_64-vars.bin %{buildroot}%{lxd_ovmfdir}/OVMF_VARS.fd
ln -s OVMF_VARS.fd %{buildroot}%{lxd_ovmfdir}/OVMF_VARS.ms.fd

%fdupes %{buildroot}

%pre
# Group which owns the lxd socket, which allows people to administer it.
getent group %{name} >/dev/null || groupadd -r %{name}

# /etc/sub[ug]id should exist already (it's part of shadow-utils), but older
# distros don't have it. LXD just parses it and doesn't need any special
# shadow-utils helpers.
touch /etc/subuid /etc/subgid ||:

# Add sub[ug]ids for LXD's unprivileged containers -- in order to support
# isolated containers we add quite a few subuids. Since LXD runs as root we add
# them for the root user (not the lxd group). We only bother if there aren't
# any mappings available already.
#
# We have no guarantee that the range we pick will be unique -- which ideally
# we would want it to be. There isn't a nice way to do this without
# reimplementing a bunch of range-handling code for /etc/sub[ug]id in bash. So
# we just pick the 400-900 million range, and hope for the best (most tutorials
# use the 1-million range, so we avoid that pitfall).
#
# This default setting of 500 million is enough for ~8000 isolated containers,
# which should be enough for most users.
grep -q '^root:' /etc/subuid || \
        usermod -v 400000000-900000000 root &>/dev/null || \
        echo "root:400000000:500000001" >>/etc/subuid ||:
grep -q '^root:' /etc/subgid || \
        usermod -w 400000000-900000000 root &>/dev/null || \
        echo "root:400000000:500000001" >>/etc/subgid ||:

%service_add_pre %{name}.service

%post
%sysctl_apply
%service_add_post %{name}.service

%preun
%service_del_preun %{name}.service

%postun
%sysctl_apply
%service_del_postun %{name}.service

%files
%defattr(-,root,root)
%doc AUTHORS README.md doc/
%license COPYING
%{_bindir}/lx{c,d}*
%{_mandir}/man*/*
%{_libdir}/%{name}

%dir /etc/lxd
%config(noreplace) /etc/lxd/config.yml
%dir /etc/lxd/servercerts

%{lxd_datadir}

%{_sbindir}/rc%{name}
%{_unitdir}/%{name}.service

%dir %{_localstatedir}/lib/%{name}
%dir %{_localstatedir}/log/%{name}

%{_sysctldir}/60-lxd.conf
%config(noreplace) %{_sysconfdir}/dnsmasq.d/60-lxd.conf

%files bash-completion
%defattr(-,root,root)
%{_datadir}/bash-completion/

%changelog
++++++ boo1181549-0001-vm-qemu-configure-spice-using-spice-parameter.patch ++++++
>From f86eaf85c38cda988589e64b643670189d22923f Mon Sep 17 00:00:00 2001
From: Aleksa Sarai <[email protected]>
Date: Wed, 21 Apr 2021 10:11:21 +1000
Subject: [PATCH] vm/qemu: configure spice using -spice parameter

Since QEMU 5.2, if QEMU has its modules compiled as dynamic objects to
be dlopen(2)'d rather than statically compiled into the QEMU binary,
QEMU will not accept [spice] directives through -readconfig. This is a
known issue with QEMU but has been effectively marked as WONTFIX because
-readconfig has sort-of been soft-deprecated[1,2,3].

In the meantime, just switch to the -spice commandline since this
appears to only affect modules rather than core QEMU options.

[1]: https://bugs.launchpad.net/qemu/+bug/1910696
[2]: https://lists.gnu.org/archive/html/qemu-devel/2020-11/msg02934.html
[3]: https://bugzilla.suse.com/show_bug.cgi?id=1181549#c11

SUSE-Bugs: bsc#1181549
Signed-off-by: Aleksa Sarai <[email protected]>
---
 lxd/instance/drivers/driver_qemu.go           | 6 +++++-
 lxd/instance/drivers/driver_qemu_templates.go | 6 ------
 2 files changed, 5 insertions(+), 7 deletions(-)

diff --git a/lxd/instance/drivers/driver_qemu.go 
b/lxd/instance/drivers/driver_qemu.go
index 13211f1c651f..d14267bdbb87 100644
--- a/lxd/instance/drivers/driver_qemu.go
+++ b/lxd/instance/drivers/driver_qemu.go
@@ -1043,6 +1043,7 @@ func (d *qemu) Start(stateful bool) error {
                "-no-user-config",
                "-sandbox", 
"on,obsolete=deny,elevateprivileges=allow,spawn=deny,resourcecontrol=deny",
                "-readconfig", confFile,
+               "-spice", d.spiceCmdlineConfig(),
                "-pidfile", d.pidFilePath(),
                "-D", d.LogFilePath(),
        }
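Review bot: the new "-spice" argument in Start has no comment explaining why SPICE is configured on the command line while the rest of the VM configuration goes through "-readconfig", confFile. A one-line comment above it citing the QEMU 5.2 modular-build limitation described in the commit message would stop a later cleanup from folding it back into the config template.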
@@ -1572,6 +1573,10 @@ func (d *qemu) spicePath() string {
        return filepath.Join(d.LogPath(), "qemu.spice")
 }
 
+func (d *qemu) spiceCmdlineConfig() string {
+       return fmt.Sprintf("unix=on,disable-ticketing=on,addr=%s", 
d.spicePath())
+}
+
 // generateConfigShare generates the config share directory that will be 
exported to the VM via
 // a 9P share. Due to the unknown size of templates inside the images this 
directory is created
 // inside the VM's config volume so that it can be restricted by quota.
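Review bot: spiceCmdlineConfig interpolates d.spicePath() unescaped into a comma-separated QEMU option string, so a comma anywhere in the log path would be parsed as an option separator; the removed template quoted the value (addr = "{{.spicePath}}") and did not have this problem. Double any commas before formatting, for example strings.Replace(d.spicePath(), ",", ",,", -1). The function also lacks the doc comment its neighbour generateConfigShare has; it should state that disable-ticketing=on means no SPICE ticket is required, so access control rests on the permissions of the qemu.spice socket.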
@@ -2004,7 +2009,6 @@ func (d *qemu) generateQemuConfigFile(mountInfo 
*storagePools.MountInfo, busName
 
        err := qemuBase.Execute(sb, map[string]interface{}{
                "architecture": d.architectureName,
-               "spicePath":    d.spicePath(),
        })
        if err != nil {
                return "", err
diff --git a/lxd/instance/drivers/driver_qemu_templates.go 
b/lxd/instance/drivers/driver_qemu_templates.go
index aa51f45c1426..3999c2bfbb9c 100644
--- a/lxd/instance/drivers/driver_qemu_templates.go
+++ b/lxd/instance/drivers/driver_qemu_templates.go
@@ -44,12 +44,6 @@ strict = "on"
 # Console
 [chardev "console"]
 backend = "pty"
-
-# Graphical console
-[spice]
-unix = "on"
-addr = "{{.spicePath}}"
-disable-ticketing = "on"
 `))
 
 var qemuMemory = template.Must(template.New("qemuMemory").Parse(`
-- 
2.30.2

++++++ lxd-config.yml ++++++
# This is an example system-wide configuration file for the lxc client. Any
# configuration entries added here will be merged with a user's configuration
# when they run "lxc". This is primarily useful for defining system-wide
# remotes, whose certificates are stored in /etc/lxd/servercerts.

# An example configuration (from </usr/share/doc/packages/lxd/doc/remotes.md>)
# looks like the following:
#
# remotes:
#   foo:
#     addr: https://10.0.2.4:8443
#     auth_type: tls
#     project: default
#     protocol: lxd
#     public: false
#   bar:
#     addr: https://10.0.2.5:8443
#     auth_type: tls
#     project: default
#     protocol: lxd
#     public: false
++++++ lxd-rpmlintrc ++++++
# The linking against full paths underneath /usr/lib64/lxd/ is intentional, as
# our shared libraries are internal and aren't meant to be used outside LXD.
# This error only appears in old SLE versions.
addFilter ("^lxd.* E: invalid-filepath-dependency .* /usr/lib(32|64)?/lxd/")
++++++ lxd.dnsmasq ++++++
# WARNING: DO NOT MODIFY THIS FILE.
# Changes to this file will be lost when the lxd package is updated or removed.
# Instead, add changes to /etc/dnsmasq.d/.

# Tell any system-wide dnsmasq instance to make sure to bind to interfaces
# instead of listening on 0.0.0.0.
bind-interfaces
except-interface=lxdbr0
++++++ lxd.keyring ++++++
pub   rsa4096/0xC638974D64792D67 2010-10-23 [SC]
      602F567663E593BCBD14F338C638974D64792D67
uid                   [ unknown] Stéphane Graber <[email protected]>
uid                   [ unknown] Stéphane Graber <[email protected]>
sub   rsa4096/0x9E4B2A99D7B3258F 2010-10-23 [E]

++++++ lxd.service ++++++
[Unit]
Description=LXD Container Hypervisor
After=network-online.target lxcfs.service
Requires=network-online.target lxcfs.service
Documentation=man:lxd(1)

[Service]
Environment=LXD_OVMF_PATH=/usr/share/lxd/ovmf
ExecStart=/usr/bin/lxd --group=lxd --logfile=/var/log/lxd/lxd.log
ExecStartPost=/usr/bin/lxd waitready --timeout=600
TimeoutStartSec=600s
TimeoutStopSec=30s
Restart=on-failure

# Having non-zero Limit*s causes performance problems due to accounting overhead
# in the kernel. We recommend using cgroups to do container-local accounting.
LimitNOFILE=1048576
LimitNPROC=infinity
LimitCORE=infinity

# No need to add a task limit.
TasksMax=infinity

# Set delegate yes so that systemd does not mess with LXD cgroups.
Delegate=yes

# Kill only the LXD process, not all processes in the cgroup.
KillMode=process

[Install]
WantedBy=multi-user.target
++++++ lxd.sysctl ++++++
# WARNING: DO NOT MODIFY THIS FILE.
# Changes to this file will be lost when the lxd package is updated or removed.
# Instead, add changes to /etc/sysctl.d/.

# These defaults come from doc/production-setup.md, but have been slightly
# modified to be less extreme. The recommended value is included as a comment
# below each changed value.

# inotify limits.
fs.inotify.max_queued_events  = 131072 # 1048576
fs.inotify.max_user_instances = 131072 # 1048576
fs.inotify.max_user_watches   = 131072 # 1048576

# Number of memory mappings a process can have (lxd can have quite a lot).
#vm.max_map_count = 262144

# Deny container access to kmsg, but this also blocks non-root host users so
# it's disabled by default. This isn't a bad hardening measure in general.
#kernel.dmesg_restrict = 1

# ARP table size (one per container)
net.ipv4.neigh.default.gc_thresh3 = 2048 # 8192
net.ipv6.neigh.default.gc_thresh3 = 2048 # 8192

# Number of kernel keyrings for unprivileged users (one per container).
kernel.keys.maxkeys = 2048
