(→The PATH to CAPP Audits: last artefact URI correction)
m (added category)
|(One intermediate revision by one user not shown)|
|Line 176:||Line 176:|
=== The PATH to CAPP Audits ===
=== The PATH to CAPP Audits ===
Some tough questioning about the purpose and usefulness of the Common Criteria for Information Technology Security Evaluation (CC) was dished out to the maintainers of <code>shadow-utils</code> (the family of secure utilities for manipulating user accounts and passwords) when it appeared that the need to audit specific behaviors was causing some awkward constraints in OS design. The CC certifications are an ISO standard originally developed by the USA's National Security Agency to specify the expected behavior of systems under certain strictly defined criteria (so called Protection Profiles) to certain levels (Enterprise
Some tough questioning about the purpose and usefulness of the Common Criteria for Information Technology Security Evaluation (CC) was dished out to the maintainers of <code>shadow-utils</code> (the family of secure utilities for manipulating user accounts and passwords) when it appeared that the need to audit specific behaviors was causing some awkward constraints in OS design. The CC certifications are an ISO standard originally developed by the USA's National Security Agency to specify the expected behavior of systems under certain strictly defined criteria (so called Protection Profiles) to certain levels (Enterprise Levels). ''Red Hat Enterprise Linux'' (a downstream derivative of Fedora) is able to boast several of them, including CAPP,LSPP and RBACPP to EAL4+, enabling ''RHEL5'' to be purchased for use in government programs which require "assured information sharing." See for further information. In order to provide the auditing capabilities mandatory to achieve such certifications [[SteveGrubb|Steve Grubb]] and others on his team have been steadily committing changes to Fedora. The specific protection profile under discussion in this case was the Controlled Access Protection Profile (CAPP) and there has been a good deal of unease about the usefulness of such certification in other forums.
|Line 648:||Line 648:|
Latest revision as of 10:38, 14 April 2009
 Fedora Weekly News Issue 155
Welcome to Fedora Weekly News Issue 155 for the week ending December 7th, 2008.
FWN is pleased to announce the return of the Planet Fedora beat in which Adam Batkin lists some "Howtos and Tips" gleaned from blogs. In Announcements the "Fedora 11" naming scheme is discussed. In Developments "The PATH to CAPP" exposes disquiet with some security infrastructure. Translation provides updates on the cancellation of FLSCo elections. Artwork is again bursting at the seems with a "T-Shirt Logo Design Tool" and "Improved Document Templates". SecurityAdvisories lists this week's essential updates. Finally Virtualization continues to race the shocking pace of developments including the "Release of libvirt 0.5.0 and 0.5.1" There's plenty more a mere mouse click away!
If you are interested in contributing to Fedora Weekly News, please see our 'join' page.
In this section, we cover announcements from the Fedora Project.
Contributing Writer: Max Spevack
 FUDCon Boston (F11)
Paul Frields made a few announcements this week regarding FUDCon Boston, which is January 9-11.
Paul mentioned that the event will be held at MIT, he gives information about the social event, and also reminds people to register on the wiki and to make their hotel reservations before December 19th, in order to secure the $99 hotel room rate.
 Fedora 11
Josh Boyer wrote about the process for selecting the Fedora 11 name. "We're doing the name collection differently this year than in the past. Contributors wishing to make a suggestion are asked to go to the F11 naming wiki page, and add an entry to the suggestion table found there".
Jon Stanley announced[5,6] the Fedora 11 freeze dates. The Alpha freeze is currently scheduled for January 20, and the Final freeze for April 14.
Ignacio Vazquez-Abrams announced that Python 2.6 is now in Rawhide. For those of you who maintain Python packages, you'll want to read the full announcement.
 Planet Fedora
In this section, we cover the highlights of Planet Fedora - an aggregation of blogs from Fedora contributors worldwide.
Contributing Writer: Adam Batkin
Fabian Affolter posted a nice graph showing the number of unique fedoraproject.org visitors (progressively growing since 2006!)
Karsten Wade appealed for information about configuring a misbehaving Synaptic touchpad on Fedora 10, followed shortly thereafter by a solution.
Max Spevack wondered whether there is a nice way to build a custom Fedora mirror tailored specifically to one's installed package set.
Thorsten Leemhuis critiqued the Fedora Release Notes, providing some suggestions for how to make the important bits stand out more.
A look ahead at some of the innovations in the open source world that we can look forward to during 2009
Luis Villa mused on innovation in general and the Linux Desktop (think Gnome and KDE) in particular.
Greg DeKoenigsberg wrote a few posts chronicling his experiences with Sugar
Apparently Luis Villa had a similar idea
A video interview with Paul W. Frields about the Fedora 10 release
 How-To and Tips
Tom Tromey wrote an 8-part (so far) series on using a Python-enabled GDB. The series is not just about debugging Python with GDB, but also extending GDB using Python.
Jeroen van Meeuwen provided some instructions for composing EL5 media on Fedora 9 or 10 systems by running Revisor inside mock
James Laska wrote a tutorial on how to automate a classroom/lab-type setup using tools such as Cobbler, Snake and Koan
Michael Stahnke had some problems (and solutions) for getting Fedora 10 running as a Xen guest on EL5
Dale Bewley wrote about expanding an Encrypted Filesystem with LVM and Fedora 10
Steven Moix managed to get iTunes music sharing working in Fedora 10
Dave Jones had some tips for making an ASUS Eee PC 900 (or any generally underpowered UMPC with a solid state disk) happier under Linux
Harald Hoyer also provided some performance advice, this time to help identify disk IO bottlenecks during bootup using SystemTap
A number of people wrote up their experiences and provided pictures from FOSS.IN:
In this section the people, personalities and debates on the @fedora-devel mailing list are summarized.
Contributing Writer: Oisin Feeley
 The PATH to CAPP Audits
Some tough questioning about the purpose and usefulness of the Common Criteria for Information Technology Security Evaluation (CC) was dished out to the maintainers of
shadow-utils (the family of secure utilities for manipulating user accounts and passwords) when it appeared that the need to audit specific behaviors was causing some awkward constraints in OS design. The CC certifications are an ISO standard originally developed by the USA's National Security Agency to specify the expected behavior of systems under certain strictly defined criteria (so called Protection Profiles) to certain levels (Enterprise Assurance Levels). Red Hat Enterprise Linux (a downstream derivative of Fedora) is able to boast several of them, including CAPP,LSPP and RBACPP to EAL4+, enabling RHEL5 to be purchased for use in government programs which require "assured information sharing." See for further information. In order to provide the auditing capabilities mandatory to achieve such certifications Steve Grubb and others on his team have been steadily committing changes to Fedora. The specific protection profile under discussion in this case was the Controlled Access Protection Profile (CAPP) and there has been a good deal of unease about the usefulness of such certification in other forums.
 A good blog entry by Sun's Jim Laurent: http://blogs.sun.com/jimlaurent/entry/faq_what_is_a_common
When Callum Lerwick noticed that he could not run
usermod as an unprivileged user in order to get its
help page he suggested that "[...] it and all the other account tools have been changed to mode 750, inaccessible to normal users" and erroneously attributed this to recent changes made to accommodate changes to the
PATH environment variable. Earlier discussion of the addition of the
sbin directories to users' PATHs can be found in FWN#146. Jon Stanley replied "These permissions have been in place for over 2 years, with valid reasoning. Just because it's in your PATH doesn't mean you should be able to execute it." Jon appended the 2006 log message which attributed the change to "fix regression. Permissions on user* group* binaries should be 0750, because of CAPP/LSPP certification." Callum posted a list of all the account tools which had such permissions including the shadow-utils account tools and the audit subsystem tools.
Although the change was actually several years old it appeared to cause surprise in many circles and prompted demands for information on what CAPP was and whether it was of any use to the Fedora Project. Steve Grubb responded to the original query that "[...] you cannot do anything with [the user* commands] unless you are root. Allowing anyone to execute them would require lots of bad things for our LSPP/CAPP evaluations" and suggested that man pages should be used instead of running the tools with the
Jesse Keating probed what appeared to be a reliance on restricting execution permissions for security. When Steve corrected this to be "[...] more to do with the fact that we have to audit all attempts to modify trusted databases - in this case, shadow [...] if we open the permissions, we need to make these become setuid root so that we send audit events saying they failed" Jesse was even more perturbed and asked "Why would the binary have to be suid? Why can't the binary detect that [the] calling user is not root, and just print out the usage and a message saying that you have to be root? How would this action make it any less auditable?" Later Chris Adams extended the apparent logic: "[...] cat will have to be setuid root so it can audit? What about echo, bash, perl, etc.? This is absurd."
From this point onwards the confusion and questioning gained in volume and intensity with several points being made to question the usefulness of this particular (CAPP) certification. These included the points that any user could obtain copies of the restricted binaries from outside of the system for nefarious testing purposes; and that there were plenty of other tools on the system which might allow violations of the policy.
It would be fair to characterize most of the reactions as hostile. Some of this was due to an apparent impatience with "security certifications" which seemed to be of more interest to managers than achieving practical security. Callum Lerwick suggested "[...] just because RHEL has to do stupid ignorant shit to appease certification authorities doesn't mean Fedora has to do it too." Another part was undoubtedly due to concern about who had made the decision to follow this path. Jesse Keating expressed some frustration and asked "Who's 'we'? Perhaps 'we' shouldn't piss on Fedora in order to meet some cert that I highly highly doubt any Fedora install will find useful." When Seth Vidal and Dominik Mierzejewski also wondered when, and by whom, the decision was made Steve answered: "By me after a group presented the options back in 2005. Back in those days shadow-utils was in 'Core' and that was maintained by Red Hat."
Another part of the hostility seemed to originate in the novelty of the certification requirements to many participants. Steve answered many queries as they came in and suggested that it was necessary to take an overview of how the whole process worked. He was pressed by Jeff Spaleta for further details. This led to an interesting quote from the CAPP guidelines and the example of how they are applied to shadow-utils. The guidelines make some assumptions which many will find unrealistic, such as the "[t]he system administrative personnel are not careless, willfully negligent, or hostile, and will follow and abide by the instructions provided by the administrator documentation." While this criticism obviously calls into question the practical usefulness of the CAPP certification it is just one layer designed to perform a specific function, other more apparently useful security can only be built on top of these layers after they are implemented. Steve's post also contained some interesting practical examples of how administrators can use the audit tools to view information gained by instrumenting the shadow-utils code. To see who has modified accounts, and how, one can:
#ausearch --start this-month -m ADD_USER #ausearch --start this-month -m ADD_GROUP
A view of attempts to change accounts both through the approved shadow-utils (restricted to root) or other non-approved tools can be obtained with a
ausearch --start this-month -f /etc/shadow --raw | aureport -x -i
Enrico Scholz pointed out that this seemed like security through obscurity because there were other tools (
ldapadd) which could modify the trusted database and Steve responded that
vipw was forbidden and that it would be possible to extend the auditing to
ldap if someone had the time. In response to Andrew Bartlett Jesse Keating interpreted this "forbidden" as "`forbidden by policy' in which using anything /but/ the audit-able tools is `forbidden by policy'. If you're expecting everybody to follow policy, why not just set policy that says `don't hack this box'. That'll work right?"
Callum Lerwick jumped to what was for him the central point: "So I guess this is what all this really comes down to: Do we care about certification?" and asked whether the shadow-utils maintainer(s) would care to put the permissions to a FESCo vote. Steve affirmed that certification was worthwhile with a detailed list of the positive side-effects of the certification process which include: man pages for each syscall, bug fixing and reporting, test suites, crypto work, virtualization with strong guarantees of
VM separation and more. It was an impressive list which seemed to counter the dominant assumption that certification was merely another item to be ticked off on a bureaucrat's mindless list. Steve noted that "[a]s a result, Fedora is the ONLY community distribution that actually meets certification requirements. OpenSuse might be close for CAPP, but not LSPP/RSBAC, but that would be the only one I can think of that might be getting close."
While this summary might make it seem as though certification is a slamdunk (and your correspondent has to admit a strong bias in favor of it) it has probably failed to convey the sense of unease expressed by Fedora Project contributors that decisions have been taken without discussion or consultation. Jesse Keating asked Steve Grubb to explain who was providing impetus to the shadow-utils/certification team: "Where is this yelling going on? Where are the bug reports? Where is the public discussion about supposed problems in our install processes? Where is the discussion with domain knowledge experts debating whether or not the complaint has merit? Where is the open and frank discussion?"
One possible route around what seems to be an impasse was suggested by Jeff Spaleta. Jeff observed that CAPP certification for putative "appliance spins", but not the current set of spins, might make sense and asked: "could some of the restrictions like the permissions be handled in a more modular way? Could for example, things be changed so I could install a specialized fedora-CAPP package at install time which tightens up aspects of the system to bring it into CAPP compliance, instead of expressing those restrictions in the default settings of all installs?"
 The Looming Py3K Monster
Last week we reported that Ignacio Vazquez-Abrams was busy shepherding
Python-2.6 into Fedora. This week Michael DeHaan raised the question of what the plan for incorporating Python 3K will be. Michael worried that Py3K's incompatibilities with Python-2.6 "[are] pretty bad for someone who wants to keep a single codebase across EL 4 (Python 2.3) and up, which I think a lot of us do. That gets to be darn impossible and we have to double our involvement with code because we essentially have to maintain a differently-compatible fork for each project." He asked: "Are we looking at also carrying on with packaging 2.N indefinitely when we do decide to carry 3, because as I know it, the code changes to make something Python 3 compatible will be severe and that's a big item for any release, and will probably result in some undiscovered bugs even after the initial ports (if applied)."
Although there was some optimism that the "from future import" syntax would allow the use of
python-3 features in
python-2 Daniel P. Berrange quashed the idea that this was a simple fix because it "[...] isn't much help if python 2.3, 2.4 and 2.5 don't support 'from future import' and you care about shipping stuff that works on the 99% of deployed Linux boxes today which don't have 2.6 let alone 3.0." Basil Mohamed Gohar suggested running the
2to3 tool on the Core packages to gain a sense of what needs to be done.
Some strategies and their implications were detailed by Toshio Kuratomi in a post which comprehensively explains the options. Toshio suggested avoiding maintaining separate
python3 packages within a single version of Fedora due to the resulting double work and space. He suggested that "[...] this decision is only partially within the powers of the Fedora Project to decide. If 80% of our upstream libraries move to py3, we'll need to move to py3 sooner. If 80% refuse to move off of py2, we can take our time working on migration code." In later discussion with Arthur Pemberton he seemed to favor the idea of using
python-2.6 while ensuring that all code is as compatible as possible with
python-3 and avoided estimating how hard this would be until actual experience is gained with "[...] porting code to 2.6 with 3.x features turned on at some point."
James Antill was skeptical that Py3K would be seen in Fedora any time soon due to the massive changes required and the past history (FWN#114)of votes on maintaining compatibility packages: "I'll put money on python3k not being the default in Fedora 12. Hell, I'll even put some money on it not being the default in Fedora 14, at this point. My personal opinion is that we stay with 2.6.* for as long as possible, giving everyone time to dual port and the problems to be found/fixed and then it "should be easy" to have it as a feature and move for one release. But I'll point out that Ignacio Vazquez-Abrams did .all. the work for 2.6 in Fedora 11 ... so feel free to take this as just my opinion."
 PackageKit Stealth Installations
Robert Locke asked how
preupgrade had been installed without his permission on a fresh Fedora 10 install.
An answer was posted by Jesse Keating to the effect that this had been done by
PackageKit "[...] so that it could offer you the ability to upgrade. We've moved that information to a public webserver rather than being in the preupgrade package so that PK can get this information without stealth installing packages." He added that while there were no "[...] current guidelines that would have caught this [...] it does fall into the `don't do that' category."
In further answers Jesse explained: "It was installed so that PackageKit could have the appropriate information to check if there were distro level upgrades (say 9 to 10) available for you. The upstream has been asked to please not install any software in Fedora without a users consent, so hopefully this scenario won't happen again, at least not with PackageKit."
 DNS Resolution Unreliable
Previously in FWN#154 we reported on some strange name resolution problems. Seth Vidal, as maintainer of the
YUM package which looked as though it might be implicated, requested follow-up information.
Tim Niemuller replied that the problems persisted for him and were probably not to do with YUM. He added failures with
svn to the mix and suggested that "[...] yum is [not] the problem but there is a more general problem related to DNS lookups. As a specialty I'm using nss-mdns. But on F-8/F-9 this has never been a problem, so I suspect this is not what is causing the problem, especially because others have the same problem and I don't think nss-mdns is installed on many machines."
Jonathan Underwood posted a link to a heavily commented
bugzilla entry opened by Tom Horsley on 2008-08-21. The gist of the comments appears to be that with certain
DNS servers there is a problem with simultaneous
IPv6 requests being sent. A reported work-around involved using a non-glibc resolver such as
dnsmasq and was added to the Fedora Project wiki by Christopher Stone.
Jakub Jelinek prepared a
glibc update which temporarily disables the simultaneous requests and Ben Williams promised that once the issue is cleanly resolved the Fedora Unity team will issue a Fedora 10 re-spin.
This section covers the news surrounding the Fedora Translation (L10n) Project.
Contributing Writer: Runa Bhattacharjee
 FLSco Elections Cancelled
The mid-term elections for Fedora Localization Steering Committee (FLSCo) were cancelled and the Fedora Localization Project decided to go ahead with the current Committee for another release.
 Fedora-website Translation Repo Re-enabled
The main repository for the Fedora Website translation was re-enabled post Fedora 10 release and the intermediate test repository is now disabled. As reiterated by RickyZhou, any updations to Fedora Website content are to be submitted to the main repository.
 Transifex version updated for translate.fedoraproject.org
RickyZhou announced that the transifex version on translate.fedoraproject.org has been updated and very soon new features like translated interface and module descriptions would also be added.
 New Members in FLP
Nikolay Vladimirov and Daniel Cabrera are the two new members joining the Fedora Localization Project for the Bulgarian and Spanish team respectively.
In this section, we cover the Fedora Artwork Project.
Contributing Writer: Nicu Buculei
 Improved Document Templates
Máirín Duffy proposed on @fedora-art a new project for Fedora 11 "finding and developing nice-looking, general-purpose templates we could then package up for programs like OpenOffice.org Writer, OpenOffice.org Impress, Scribus, Inkscape, Gimp, etc.", proposal received with enthusiasm by Seth Kenlon, who also asked bout font requirements in those templates "does anyone know if there are special requirements in terms of fonts we could actually use and expect upstream to definitely have?", a question answered quickly by Máirín "I think we should only assume users will have access to the fonts packaged for Fedora proper. If we use a font that isn't included in the default live media installation, then we should require the Fedora font package needed."
 Postprocessing in Icons
MartinSourada raised a technical debate on @fedora-art, questioning if the desktop icons should be always generated directly from the SVG sources or if some additional raster post-processing is allowed "My reason for this is that while I am unable to achieve, to my eye, perfect antialiasing in some cases when using direct export in inkscape, but after exporting it in bigger size applying some filters and resizing to desired size I am able to achieve, to my eye, better results", a question still under debate, awaiting input for contributors with more experience in icon creation.
 FirstAidKit Artwork
Maria Leandro resumed the work on an older DesignService request "I made some tries and finally came up something he like" a graphic received with only a small concern from Mike Langlie "The Red Cross owns the trademark to the red cross icon/logo. They have sent cease and desist orders to game companies that use it as an icon for health re-ups. They do suggest using a green cross or white cross on a green background instead as a generic alternative", something easily addressed by Maria
 T-Shirt Logo Design Tool
Following a chat on the IRC channel, Charles Brej followed on @fedora-art with a small application which can be used to create T-shirt designs flom 'tag clouds': "I wrote a little tool to create these 'word splat' things with the idea of using the generated images as the Fudcon t-shirt designs". There is a strong possibility to see a number of graphics created during the upcoming year with this tool.
 Security Advisories
In this section, we cover Security Advisories from fedora-package-announce.
Contributing Writer: David Nalley
 Fedora 10 Security Advisories
- lynx-2.8.6-18.fc10 - https://www.redhat.com/archives/fedora-package-announce/2008-December/msg00065.html
- wordpress-2.6.5-2.fc10 - https://www.redhat.com/archives/fedora-package-announce/2008-December/msg00083.html
- samba-3.2.5-0.23.fc10 - https://www.redhat.com/archives/fedora-package-announce/2008-December/msg00116.html
- blender-2.48a-4.fc10 - https://www.redhat.com/archives/fedora-package-announce/2008-December/msg00178.html
- grip-3.2.0-24.fc10 - https://www.redhat.com/archives/fedora-package-announce/2008-December/msg00183.html
- dbus-1.2.6-1.fc10 - https://www.redhat.com/archives/fedora-package-announce/2008-December/msg00209.html
- squirrelmail-1.4.17-2.fc10 - https://www.redhat.com/archives/fedora-package-announce/2008-December/msg00232.html
- clamav-0.94.2-1.fc10 - https://www.redhat.com/archives/fedora-package-announce/2008-December/msg00308.html
- syslog-ng-2.0.10-1.fc10 - https://www.redhat.com/archives/fedora-package-announce/2008-December/msg00397.html
- java-1.6.0-openjdk-126.96.36.199-7.b12.fc10 - https://www.redhat.com/archives/fedora-package-announce/2008-December/msg00444.html
 Fedora 9 Security Advisories
- wordpress-2.6.5-2.fc9 - https://www.redhat.com/archives/fedora-package-announce/2008-December/msg00000.html
- samba-3.2.5-0.22.fc9 - https://www.redhat.com/archives/fedora-package-announce/2008-December/msg00021.html
- lynx-2.8.6-17.fc9 - https://www.redhat.com/archives/fedora-package-announce/2008-December/msg00066.html
- squirrelmail-1.4.17-1.fc9 - https://www.redhat.com/archives/fedora-package-announce/2008-December/msg00223.html
- syslog-ng-2.0.10-1.fc9 - https://www.redhat.com/archives/fedora-package-announce/2008-December/msg00237.html
- java-1.6.0-openjdk-188.8.131.52-0.20.b09.fc9 - https://www.redhat.com/archives/fedora-package-announce/2008-December/msg00384.html
- dbus-1.2.6-1.fc9 - https://www.redhat.com/archives/fedora-package-announce/2008-December/msg00436.html
 Fedora 8 Security Advisories
- samba-3.0.33-0.fc8 - https://www.redhat.com/archives/fedora-package-announce/2008-December/msg00141.html
- lynx-2.8.6-12.fc8 - https://www.redhat.com/archives/fedora-package-announce/2008-December/msg00143.html
- wordpress-2.6.5-2.fc8 - https://www.redhat.com/archives/fedora-package-announce/2008-December/msg00176.html
- squirrelmail-1.4.17-1.fc8 - https://www.redhat.com/archives/fedora-package-announce/2008-December/msg00449.html
- syslog-ng-2.0.10-1.fc8 - https://www.redhat.com/archives/fedora-package-announce/2008-December/msg00450.html
In this section, we cover discussion on the @et-mgmnt-tools-list, @fedora-xen-list, @libvirt-list and @ovirt-devel-list of Fedora virtualization technologies.
Contributing Writer: Dale Bewley
 Enterprise Management Tools List
This section contains the discussion happening on the et-mgmt-tools list
 Enabling Builds of libvirt for Windows
Richard W.M. Jones sought help in enabling builds of
libvirt binaries under Fedora. "It seems like we should have the base MinGW (Windows cross-compiler)
packages in Fedora 11 by the end of this week. This email is to
document the additional packages we need to get approved, in order to
get the cross-compiled
libvirt and virt tools into (or buildable by)
If you want to help out, please start reviewing by following the Bugzilla links, and looking at the approved packaging guidelines"
 Solaris Support in virtinst
John Levon submitted several patches to improve Solaris support
including and not limited to the following:
- Add an option for passing Solaris JumpStart information.
- Various utility functions.
- "Make 'solaris' a first-class OS type, and select USB tablet support for the appropriate variants."
- Add support for Solaris PV.
- Support for the vdisk format. John explained "
vdiskis basically " Sun's " tap implementation and disk management tool.
 Fedora Xen List
This section contains the discussion happening on the fedora-xen list.
 Support for Fedora 10 DomU on F8 Dom0
Cole Robinson announced a test build which fixes this problem. Readers are encouraged to test the release and provide positive karma points in bodhi to make the build an official update.
 RHBZ #458164
 Paravirt Ops Dom0 Feature Update
After some prompting from Pasi Kärkkäinen the dom0 support feature page was updated to better clarify where the work to bring dom0 support back to Fedora is being done, and to more accurately represent the current status.
The patches are being written by Jeremy Fitzhardinge and others at Citrix/XenSource are being submitted to the mainline
kernel. Once accepted in the upstream
kernel, efforts will resume within Fedora to make the changes necessary to support dom0. These efforts include ensuring the hypervisor supports
 Libvirt List
This section contains the discussion happening on the libvir-list.
 Release of libvirt 0.5.0 and 0.5.1
Daniel Veillard announced the releases of
0.5.0 and 0.5.1. "This is a long expected release, with a lot of new features, as a result the small version number is increased." Tarballs and signed RPMs available upstream and in Bodhi.
"As stated there is a huge amount of new features and improvement in this release, as well as a lot of bug fixes, the list is quite long". See the post for the full list including the numerous improvments, documentation updates, bug fixes, and cleanups omitted below.
- CPU and scheduler support for LXC (Dan Smith)
- SDL display configuration (Daniel Berrange)
- domain lifecycle event support for QEmu and Xen with python bindings (Ben Guthro and Daniel Berrange)
- KVM/QEmu migration support (Rich Jones and Chris Lalancette)
- User Mode Linux driver (Daniel Berrange)
- API for node device enumeration using HAL and DeviceKit with python bindings (David Lively)
"Thanks a lot to everybody who contributed to this release, it is really great to see new people providing significant patches, and the amount of feedback received on the list."
 Allow Automatic Driver Probe for Remote TCP Connections
Later described by the release of
0.5.1 as an improvement, Daniel P. Berrange posted the patch to implement a more general method for connecting to remote hypervisor drivers.
"When connecting to a local
libvirt you can let it automatically probe
the hypervisor URI if you don't know it ahead of time. This doesn't
work with remote URIs because you need to have something to put in
the URI scheme before the hostname:
This is then translated into the URI:
This patch adds a 'remote' URI scheme, usable like this:
This finally makes the Avahi broadcasts useful - they only include info on the hostname + data transport (SSH, TCP, TLS), not the HV type. So letting us use auto-probing remotely is the missing link."
 Thread Safety for libvirtd Daemon and Drivers
Daniel P. Berrange posted a huge series of 28 patches
which add "thread safety for the
daemon and drivers, and makes the daemon multi-threaded in processing
RPC calls. This enables multiple clients to be processed in parallel,
without blocking each other. It does not change the thread rules for the
virConnectPtr object though, so each individual client is still serialized."
"This touches a huge amount of code, so I'd like to get this all merged
ASAP as it'll be really hard to keep it synced with ongoing changes."
 libvirt 0.5.0 and KVM Migration Support
Mickaël Canévet wondered if
guest migration was expected to be functional.
"I just installed
0.5.0 on Debian Lenny with
kvm 0.72 to try
migration support." Tests failed with "libvir: error : this function is not supported by the hypervisor: virDomainMigrate."
Chris Lalancette confirmed
"Yes, it is supposed to work, but yes, you need a very, very new
kvm. In particular, you need at least kvm-77, and it won't really work right until you get to kvm-79."
 oVirt Devel List
This section contains the discussion happening on the ovirt-devel list.
 Some Architecture Diagrams
Daniel P. Berrange said
"I felt I wanted some additional more technically detailed/ focused diagrams
to illustrate what we're doing to developers actually writing code
for the project." And pointed to
oVirt architecure diagrams he
 Standalone Console Viewer for oVirt
Continuing work on a executable console solution for
oVirt, with a fork of
Richard W.M. Jones created