aboutgitcodebugslistschat
path: root/contrib
Commit message (Collapse)AuthorAgeFilesLines
* selinux: Define interfaces for libvirt and similar frameworksStefano Brivio2023-02-212-0/+27
| | | | | | | | | | Services running passt will commonly need to transition to its domain, terminate it, connect and write to its socket. The init_daemon_domain() macro now defines the default transition to the passt_t domain, using the passt_exec_t type. Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* selinux/passt.if: Fix typo in passt_read_data interface definitionStefano Brivio2023-02-211-1/+1
| | | | | | | | | This is an example interface, currently unused, so it went undetected: m4 macros need a backtick at the beginning of a block instead of a single quote. Fixes: 1f4b7fa0d75d ("passt, pasta: Add examples of SELinux policy modules") Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* Remove contrib/debian, Debian package development now happens on SalsaStefano Brivio2022-11-166-63/+0
| | | | | | | | | The development of the Debian package is now at: https://salsa.debian.org/sbrivio/passt Drop contrib/debian, it's finally obsolete. Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* contrib/apparmor: Merge pasta and passt profiles, update rulesStefano Brivio2022-11-162-88/+51
| | | | | | | | | | | | | AppArmor resolves executable links before profile attachment rules are evaluated, so, as long as pasta is installed as a link to passt, there's no way to differentiate the two cases. Merge the two profiles and leave a TODO note behind, explaining two possible ways forward. Update the rules so that passt and pasta are actually usable, once the profile is installed. Most required changes are related to isolation and sandboxing features. Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* conf, log, Makefile: Add versioning informationStefano Brivio2022-10-151-1/+1
| | | | | | | Add a --version option displaying that, and also include this information in the log files. Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* contrib/podman: Rebase to latest upstreamStefano Brivio2022-09-241-45/+50
| | | | | | One check moved from networking_linux.go to networking_common.go. Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* fedora: Escape % characters in spec file's changelog2022_09_06.e2cae8fStefano Brivio2022-09-071-1/+1
| | | | | | ...rpmbuild otherwise expands valid macro names in changelog entries. Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* fedora: Add selinux-policy Requires: tag2022_09_01.7ce9fd1Stefano Brivio2022-09-021-2/+5
| | | | | | | | | | | | | | | | fedora-review says: Note: Directories without known owners: /usr/share/selinux/packages/passt, /usr/share/doc/passt, /usr/share/selinux, /usr/share/selinux/packages and selinux-policy owns those two last ones. While at it, split Requires: tags also for post and preun actions onto different lines, for consistency. Reported-by: Daniel P. Berrangé <berrange@redhat.com> Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* fedora: Add %dir entries for own SELinux policy directory and documentationStefano Brivio2022-09-021-3/+5
| | | | | | | | | | | | | fedora-review says: Note: No known owner of /usr/share/selinux/packages/passt, /usr/share/doc/passt While at it, replace "passt" by "%{name}" in a few places for consistency. Reported-by: Daniel P. Berrangé <berrange@redhat.com> Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* podman, slirp4netns.sh: Use --netns option on pasta's command line2022_08_29.0cb795eStefano Brivio2022-08-301-3/+3
| | | | | | | | | | ...instead of PATH. This seems to be the only change needed in existing pasta integrations after patch: Use explicit --netns option rather than multiplexing with PID Signed-off-by: Stefano Brivio <sbrivio@redhat.com> Reviewed-by: David Gibson <david@gibson.dropbear.id.au>
* contrib: Rebase Podman patch to latest upstreamStefano Brivio2022-08-301-47/+47
| | | | | | Trivial conflicts in man pages only. Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* fedora: Pass explicit bindir, mandir, docdir, and drop OpenSUSE overrideStefano Brivio2022-08-301-5/+1
| | | | | | | | | | | | Fedora's parameters currently match the ones from the Makefile (which is based on GNU recommendations), but that's not necessarily guaranteed. This should make the OpenSUSE Tumbleweed override for docdir unnecessary: drop it. Suggested-by: Daniel P. Berrangé <berrange@redhat.com> Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* fedora: Use full versioning for SELinux subpackage Requires: tagStefano Brivio2022-08-301-1/+1
| | | | | | | | ...as recommended in: https://docs.fedoraproject.org/en-US/packaging-guidelines/#_requiring_base_package Reported-by: Daniel P. Berrangé <berrange@redhat.com> Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* fedora: Define git_hash in spec file and reuse itStefano Brivio2022-08-301-2/+4
| | | | | | | | | ...as it's used twice. The short version, however, appears hardcoded only once in the output, and it comes straight from the rpkg macro building the version string -- leave that macro as it is. Suggested-by: Daniel P. Berrangé <berrange@redhat.com> Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* fedora: Drop comment stating the spec file is an example fileStefano Brivio2022-08-301-2/+0
| | | | | | | ...as this ends up in the actual spec file. Suggested-by: Daniel P. Berrangé <berrange@redhat.com> Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* fedora: Drop SPDX identifier from spec fileStefano Brivio2022-08-301-2/+0
| | | | | | | | | | | | | | | | ...which makes it fall under MIT licensing terms. Daniel reports that it's very unusual for spec files to contain explicit licensing terms and might cause minor inconveniences later on, on mass changes to spec files. I originally added licensing information using SPDX identifiers to make the project fully compliant with the REUSE Specification 3.0 (https://reuse.software/spec/), but there are anyway a few more files not including explicit licensing information. It might be worth to fix that later on, in any case. Suggested-by: Daniel P. Berrangé <berrange@redhat.com> Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* fedora: Adopt versioning guideline for snapshotsStefano Brivio2022-08-301-2/+5
| | | | | | | | | | | | The "Simple versioning" scheme: https://docs.fedoraproject.org/en-US/packaging-guidelines/Versioning/#_simple_versioning probably doesn't apply to passt, given that upstream git tags are not really releases. Switch to the "Snapshots" versioning scheme: https://docs.fedoraproject.org/en-US/packaging-guidelines/Versioning/#_snapshots Suggested-by: Daniel P. Berrangé <berrange@redhat.com> Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* Makefile: Use more GNU-style directory variables, explicit docdir for OpenSUSE2022_08_21.7b71094Stefano Brivio2022-08-211-0/+4
| | | | | | | | | | | | | It turns out that, while on most distributions "docdir" would be /usr/share/doc, it's /usr/share/doc/packages/ on OpenSUSE Tumbleweed. Use an explicit docdir as shown in: https://en.opensuse.org/openSUSE:Build_Service_cross_distribution_howto and don't unnecessarily hardcode directory variables in the Makefile. Otherwise, RPM builds for OpenSUSE will fail now that we have a README there. Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* fedora: Fix man pages wildcards in spec fileStefano Brivio2022-08-201-5/+5
| | | | | | | | If the man pages are not compressed, the current wildcards wouldn't match them. Drop the trailing '.' from them. Reported-by: Artur Frenszek-Iwicki <fedora@svgames.pl> Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* fedora: Don't hardcode CFLAGS setting, use %set_build_flags macro insteadStefano Brivio2022-08-201-1/+1
| | | | | | | | | This will also set any distribution-specific LDFLAGS. It's not needed anymore starting from Fedora 36, but the package might be built on other versions and distributions too (including e.g. CentOS Stream 8). Reported-by: Artur Frenszek-Iwicki <fedora@svgames.pl> Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* fedora: Build SELinux subpackage as noarchStefano Brivio2022-08-201-0/+1
| | | | | | | | Otherwise, passt-selinux will be built separately for each supported architecture. Suggested-by: Artur Frenszek-Iwicki <fedora@svgames.pl> Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* fedora: Change source URL to HEAD link with explicit commit SHAStefano Brivio2022-08-202-2/+6
| | | | | | | | | This is required as Fedora doesn't accept a temporary pointer to a source URL. Reported-by: Ralf Corsepius <rc040203@freenet.de> Reported-by: Artur Frenszek-Iwicki <fedora@svgames.pl> Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* fedora: Drop VCS tag from spec fileStefano Brivio2022-08-201-1/+0
| | | | | | | | | It seems to be exposed by Koji (https://pagure.io/koji/issue/2541), but it's not actually in use, so we have to drop that. The website the URL tag points to reports all the needed information anyway. Reported-by: Artur Frenszek-Iwicki <fedora@svgames.pl> Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* fedora: Start Release tag from 1, not 0Stefano Brivio2022-08-201-1/+1
| | | | | | | | ...as specified by the Fedora Packaging Guidelines: https://docs.fedoraproject.org/en-US/packaging-guidelines/Versioning/#_simple_versioning Reported-by: Artur Frenszek-Iwicki <fedora@svgames.pl> Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* fedora: Introduce own rpkg macro for changelogStefano Brivio2022-08-202-1/+35
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | git_dir_changelog is useful in theory, but it requires pairs of annotated tags, which should be generated by rpkg itself to make any sense, implying a relatively heavyweight interaction whenever I want to push a new package version. Also, the default content of the changelog entries include the full list of changes, but the Fedora Packaging Guidelines specifically mention that: [t]hey must never simply contain an entire copy of the source CHANGELOG entries. We don't have a CHANGELOG file, but the full git history is conceptually equivalent for this purpose, I guess. Introduce our own passt_git_changelog() rpkg macro, building changelog entries, using tags in the form DATE-SHA, where DATE is an ISO 8601 date representation, and SHA is a short (7-digits) form of the head commit at a given moment (git push). These changelog entries mention, specifically, changes to the packaging information itself (entries under contrib/fedora), and simply report a link to cgit for the ranges between tags. Reported-by: Benson Muite <benson_muite@emailplus.org> Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* fedora: Install "plain" README, instead of web version, and demo scriptStefano Brivio2022-08-201-2/+2
| | | | | Suggested-by: Benson Muite <benson_muite@emailplus.org> Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* contrib, test: Rebase Podman patch, enable three-way merge on git am in demo2022_08_04.b516d15Stefano Brivio2022-08-011-16/+16
| | | | | | | | Given that a three-way git merge was enough to cope with context changes in man pages, it's probably a good idea to enable that for 'git am' in the demo too. Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* contrib: Rebase Podman patch to latest upstreamStefano Brivio2022-07-211-50/+41
| | | | | | A few trivial conflicts came up. No semantic changes. Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* Don't abbreviate ip(8) arguments in examples and testsDavid Gibson2022-06-151-1/+1
| | | | | | | | ip(8)'s ability to take abbreviated arguments (e.g. "li sh" instead of "link show") is very handy when using it interactively, but it doesn't make for very readable scripts and examples when shown that way. Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
* contrib/fedora: Use pre-processing macros in spec fileStefano Brivio2022-06-083-6/+38
| | | | | | ...they seem to be supported by COPR now and make things simpler. Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* contrib/fedora: Drop dashes from versionStefano Brivio2022-06-071-3/+3
| | | | | | COPR doesn't like them, and I'm trying to build packages there now. Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* contrib: podman: Add bound address configuration, update port specificationsStefano Brivio2022-05-021-101/+168
| | | | | | | | | | | | | | | | | | Rebase the patch for Podman on top of current upstream, and: - add support for configuration of specific addresses for forwarded ports - by default, disable port forwarding, and reflect this in the man page changes - adjust processing to a new, incompatible format for port storage, which I couldn't actually track down to a specific commit, but that resulted in https://github.com/containers/podman/issues/13643 and commit eedaaf33cdbf ("fix slirp4netns port forwarding with ranges") Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* contrib: Add example of Debian package filesStefano Brivio2022-03-306-0/+63
| | | | | | | ...using dh_apparmor to ship and apply AppArmor profiles. Tried on current Debian testing (Bookworm, 12). Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* contrib: Add example spec file for FedoraStefano Brivio2022-03-301-0/+95
| | | | | | | ...with SELinux package, too. Tested on Fedora 35, but it should work on pretty much any version. Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* passt, pasta: Add examples of SELinux policy modulesStefano Brivio2022-03-296-0/+362
| | | | | | These should cover any reasonably common use case in distributions. Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* passt, pasta: Add examples of AppArmor policiesStefano Brivio2022-03-292-0/+125
| | | | | | These should cover any reasonably common use case in distributions. Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* contrib: Add patch for Podman integrationStefano Brivio2022-02-211-0/+542
| | | | | | | | The patch introduces a "pasta" networking mode for rootless container, similar to the existing slirp4netns mode. Notable differences are described in the commit message. Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* contrib: Introduce PoC for Kata Containers with user-mode networkingStefano Brivio2022-01-282-0/+764
| | | | | | | | | | | | | | | passt can be used to implement user-mode networking for the Kata Containers runtime, so that networking setup doesn't need elevated privileges or capabilities. This commit adds the patch for Kata Containers runtime and agent to support passt as networking model and endpoint, and some basic documentation. See contrib/kata-containers/README.md for more details and setup steps. Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* libvirt, qemu: Move patches to new directory, contribStefano Brivio2022-01-283-0/+635
I'm about to add a new adaptation carrying out-of-tree patches for a Kata Containers PoC -- move the existing out-of-tree patches to their own directory to keep things easy to find in the main one. Signed-off-by: Stefano Brivio <sbrivio@redhat.com>