From 26baf2ce0c0d924746fb9028ec33ee4d5e0428fe Mon Sep 17 00:00:00 2001 From: Paul Holzinger Date: Tue, 18 Feb 2025 15:57:15 +0100 Subject: [PATCH 01/10] Makefile: do not build twice netavark netavark-dhcp-proxy-client is alreayd build as part of the normal cargo build. So there is really no need to build again. Signed-off-by: Paul Holzinger (cherry picked from commit 9b0209c041eb181b6eb916c1ab64fe662eaa3f8f) Signed-off-by: Paul Holzinger --- Makefile | 11 ++--------- 1 file changed, 2 insertions(+), 9 deletions(-) diff --git a/Makefile b/Makefile index 4b0a18a..11e4d57 100644 --- a/Makefile +++ b/Makefile @@ -50,12 +50,10 @@ $(CARGO_TARGET_DIR): mkdir -p $@ .PHONY: build -build: build_netavark build_proxy_client - -.PHONY: build_netavark -build_netavark: bin $(CARGO_TARGET_DIR) +build: bin $(CARGO_TARGET_DIR) $(CARGO) build $(release) cp $(CARGO_TARGET_DIR)/$(profile)/netavark bin/netavark$(if $(debug),.debug,) + cp $(CARGO_TARGET_DIR)/$(profile)/netavark-dhcp-proxy-client bin/netavark-dhcp-proxy-client$(if $(debug),.debug,) .PHONY: examples examples: bin $(CARGO_TARGET_DIR) @@ -152,8 +150,3 @@ mock-rpm: .PHONY: help help: @echo "usage: make $(prog) [debug=1]" - -.PHONY: build_proxy_client -build_proxy_client: bin $(CARGO_TARGET_DIR) - $(CARGO) build --bin netavark-dhcp-proxy-client $(release) - cp $(CARGO_TARGET_DIR)/$(profile)/netavark-dhcp-proxy-client bin/netavark-dhcp-proxy-client$(if $(debug),.debug,) From c4c37ca2c7b564b4d1c4345937e0a53ae363a02d Mon Sep 17 00:00:00 2001 From: Paul Holzinger Date: Tue, 18 Feb 2025 16:42:40 +0100 Subject: [PATCH 02/10] Makefile: build docs by default A normal make should build the binaries and docs. Signed-off-by: Paul Holzinger (cherry picked from commit c1518c9fd1deb57aa2c7cf0fd2aba28da5f971b6) Signed-off-by: Paul Holzinger --- Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Makefile b/Makefile index 11e4d57..9f3dfaf 100644 --- a/Makefile +++ b/Makefile 
@@ -41,7 +41,7 @@ else endif .PHONY: all -all: build +all: build docs bin: mkdir -p $@ From 3b5bf92ae4ee564258799fbfa289633fede0edbe Mon Sep 17 00:00:00 2001 From: Paul Holzinger Date: Tue, 18 Feb 2025 16:52:48 +0100 Subject: [PATCH 03/10] docs/Makefile: several fixes - build docs on install if needed - clean should remove the .7 page - add uninstall target so users can remove the pages from the system Fixes #1179 Signed-off-by: Paul Holzinger (cherry picked from commit 86686431eb288627e754c6a6f2e66fad847d009d) Signed-off-by: Paul Holzinger --- Makefile | 1 + docs/Makefile | 9 +++++++-- 2 files changed, 8 insertions(+), 2 deletions(-) diff --git a/Makefile b/Makefile index 9f3dfaf..2099a50 100644 --- a/Makefile +++ b/Makefile @@ -102,6 +102,7 @@ install: $(NV_UNIT_FILES) .PHONY: uninstall uninstall: + $(MAKE) -C docs uninstall rm -f $(DESTDIR)$(LIBEXECPODMAN)/netavark rm -f $(PREFIX)/share/man/man1/netavark*.1 rm -f ${DESTDIR}${SYSTEMDDIR}/netavark-dhcp-proxy.service diff --git a/docs/Makefile b/docs/Makefile index 72449fb..9d24f30 100644 --- a/docs/Makefile +++ b/docs/Makefile @@ -17,12 +17,17 @@ docs: $(patsubst %.md,%,$(wildcard *.[0-9].md)) $(GO) install github.com/cpuguy83/go-md2man/v2@latest .PHONY: install -install: +install: docs install -d ${DESTDIR}/${MANDIR}/man1 install -m 0644 *.1 ${DESTDIR}/${MANDIR}/man1 install -d ${DESTDIR}/${MANDIR}/man7 install -m 0644 *.7 ${DESTDIR}/${MANDIR}/man7 +.PHONY: uninstall +uninstall: + rm -f ${DESTDIR}/${MANDIR}/man1/*.1 + rm -f ${DESTDIR}/${MANDIR}/man7/*.7 + .PHONY: clean clean: - $(RM) *.1 + $(RM) *.1 *.7 From 1e5dc1cd40b4cba002df1a8b576d1c95bc14bee8 Mon Sep 17 00:00:00 2001 From: Paul Holzinger Date: Tue, 18 Feb 2025 17:04:11 +0100 Subject: [PATCH 04/10] Makefile: uninstall netavark-firewalld-reload.service Ensure we also uninstall netavark-firewalld-reload.service. Signed-off-by: Paul Holzinger (cherry picked from commit 4ac156310e5534821b2dd649e2ac236ff5032b03) 
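Review bot: Adding `docs` to `all` puts the man-page toolchain on the default build path, and the docs/Makefile context visible in patch 03 contains the recipe line `$(GO) install github.com/cpuguy83/go-md2man/v2@latest`. Which target owns that line is not visible here. If the man pages depend on it, a plain `make` (and `make install`, once patch 03 adds `install: docs`) can fetch and build whatever version is newest at that moment. Pinning the tool, e.g. `$(GO) install github.com/cpuguy83/go-md2man/v2@<pinned-version>`, keeps the build reproducible and reviewable.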
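Review bot: The new `uninstall` recipe in docs/Makefile globs in the destination directory (`rm -f ${DESTDIR}/${MANDIR}/man1/*.1` and the matching `man7/*.7` line), so it deletes every section 1 and section 7 page installed there, not only netavark's. With an empty DESTDIR and root privileges that removes other packages' man pages, and the top-level `uninstall` now reaches it through `$(MAKE) -C docs uninstall`. Name the files explicitly, derived from the sources the `docs` target already lists: `MANPAGES := $(patsubst %.md,%,$(wildcard *.[0-9].md))` and `rm -f $(addprefix ${DESTDIR}/${MANDIR}/man1/,$(filter %.1,$(MANPAGES)))`, likewise with `%.7` for man7.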
Signed-off-by: Paul Holzinger --- Makefile | 1 + 1 file changed, 1 insertion(+) diff --git a/Makefile b/Makefile index 2099a50..9337b3f 100644 --- a/Makefile +++ b/Makefile @@ -107,6 +107,7 @@ uninstall: rm -f $(PREFIX)/share/man/man1/netavark*.1 rm -f ${DESTDIR}${SYSTEMDDIR}/netavark-dhcp-proxy.service rm -f ${DESTDIR}${SYSTEMDDIR}/netavark-dhcp-proxy.socket + rm -f ${DESTDIR}${SYSTEMDDIR}/netavark-firewalld-reload.service .PHONY: test test: unit integration From ce947adfabae7b5eb6ce54c20a0571ff88e77106 Mon Sep 17 00:00:00 2001 From: Paul Holzinger Date: Tue, 18 Feb 2025 17:22:17 +0100 Subject: [PATCH 05/10] Makefile: do not rebuild if nothing changed If the src has not changed there is no need to rebuild. This removes the -debug suffix from the binary if build with debug set, I doubt anyone actually uses this and we need the same name for the bin/netavark target to actually work. This is even better because now you could build a debug binary and run the test with it without changing the test path manually. Fixes #1178 Signed-off-by: Paul Holzinger (cherry picked from commit a08bb557fd606e12cc5b6452df0e88fbc544fe67) Signed-off-by: Paul Holzinger --- Makefile | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/Makefile b/Makefile index 9337b3f..210eb4c 100644 --- a/Makefile +++ b/Makefile @@ -29,6 +29,8 @@ CARGO ?= cargo CARGO_TARGET_DIR ?= targets export CARGO_TARGET_DIR # 'cargo' is sensitive to this env. var. value. +SOURCES = src/** Cargo.toml Cargo.lock + ifdef debug $(info debug is $(debug)) # These affect both $(CARGO_TARGET_DIR) layout and contents 
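Review bot: `SOURCES = src/** Cargo.toml Cargo.lock` does not track files below the first level of `src/`, because GNU make's prerequisite globbing treats `**` like `*`. A subdirectory then appears only as a directory prerequisite, whose timestamp does not change when a file inside it is edited in place. A change to a file such as `src/firewall/firewalld.rs` (patched later in this series) can therefore leave a stale `bin/netavark` that a later install could ship. List the files instead, `SOURCES := $(shell find src -type f) Cargo.toml Cargo.lock`, or always invoke cargo and let it decide what is out of date. The rule that consumes `$(SOURCES)` is in the next hunk of this patch.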
@@ -50,10 +52,13 @@ $(CARGO_TARGET_DIR): mkdir -p $@ .PHONY: build -build: bin $(CARGO_TARGET_DIR) +build: bin/netavark + +bin/netavark: $(SOURCES) bin $(CARGO_TARGET_DIR) $(CARGO) build $(release) - cp $(CARGO_TARGET_DIR)/$(profile)/netavark bin/netavark$(if $(debug),.debug,) - cp $(CARGO_TARGET_DIR)/$(profile)/netavark-dhcp-proxy-client bin/netavark-dhcp-proxy-client$(if $(debug),.debug,) + cp $(CARGO_TARGET_DIR)/$(profile)/netavark bin/netavark + cp $(CARGO_TARGET_DIR)/$(profile)/netavark-dhcp-proxy-client bin/netavark-dhcp-proxy-client + .PHONY: examples examples: bin $(CARGO_TARGET_DIR) From 99bd7d7c7443a7d3b6e5dd4a2f7b26eaf3c08886 Mon Sep 17 00:00:00 2001 From: Paul Holzinger Date: Thu, 20 Feb 2025 12:07:36 +0100 Subject: [PATCH 06/10] cirrus: do not build debug bins They are not used anywhere so it is just a waste of time and given we no longer use a different name we cannot store them. Instead build the examples as part of the build task. Signed-off-by: Paul Holzinger (cherry picked from commit f990a783a089c231d608cd7d46abf4194ad4b0d3) Signed-off-by: Paul Holzinger --- .cirrus.yml | 2 -- contrib/cirrus/runner.sh | 2 +- 2 files changed, 1 insertion(+), 3 deletions(-) diff --git a/.cirrus.yml b/.cirrus.yml index 4989481..6e0c51f 100644 --- a/.cirrus.yml +++ b/.cirrus.yml @@ -257,10 +257,8 @@ success_task: API_URL_BASE: "https://api.cirrus-ci.com/v1/artifact/build/${CIRRUS_BUILD_ID}" EXP_BINS: >- netavark - netavark.debug netavark.info netavark.aarch64-unknown-linux-gnu - netavark.debug.aarch64-unknown-linux-gnu netavark.info.aarch64-unknown-linux-gnu clone_script: *noop bin_cache: *ro_bin_cache diff --git a/contrib/cirrus/runner.sh b/contrib/cirrus/runner.sh index 6ecdb6e..2202ea4 100755 --- a/contrib/cirrus/runner.sh +++ b/contrib/cirrus/runner.sh 
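Review bot: With the `.debug` suffix dropped, `bin/netavark` is the one target for both profiles, so make cannot tell which profile produced it: after `make debug=1`, a plain `make` with unchanged sources finds the target up to date and leaves the debug binary in `bin/`. A profile stamp makes the switch visible, e.g. `bin/netavark: $(SOURCES) bin/.profile-$(profile) | bin $(CARGO_TARGET_DIR)` with a stamp rule that removes other `bin/.profile-*` files and touches `$@`. Listing `bin` and `$(CARGO_TARGET_DIR)` after `|` also stops directory timestamps from triggering rebuilds. The recipe additionally writes `bin/netavark-dhcp-proxy-client`, which no rule names, so deleting only that file is not repaired by `make`.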
@@ -19,9 +19,9 @@ _run_noarg() { _run_build() { # Assume we're on a fast VM, compile everything needed by the # rest of CI since subsequent tasks may have limited resources. - make all debug=1 make build_unit # reuses some debug binaries make all # optimized/non-debug binaries + make examples # build the examples binaries needed by the integration tests # This will get scooped up and become part of the artifact archive. # Identify where the binary came from to benefit downstream consumers. cat | tee bin/netavark.info << EOF From 6267803a7389df63f5197e319e4f5991b3caf4bb Mon Sep 17 00:00:00 2001 From: Ricardo Branco Date: Thu, 6 Mar 2025 14:54:00 +0100 Subject: [PATCH 07/10] test/001-basic: Make commit test optional Some distros like openSUSE & Debian don't build netavark from git, so the commit information won't be available. Make this test conditional when NETAVARK_UPSTREAM is set. Signed-off-by: Ricardo Branco (cherry picked from commit 3902d992a0abf0e204f1da718c55283d4b812d77) Signed-off-by: Paul Holzinger --- .cirrus.yml | 1 + test/001-basic.bats | 4 +++- 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/.cirrus.yml b/.cirrus.yml index 6e0c51f..febb758 100644 --- a/.cirrus.yml +++ b/.cirrus.yml @@ -22,6 +22,7 @@ env: AARDVARK_DNS_URL: "https://api.cirrus-ci.com/v1/artifact/github/containers/aardvark-dns/success/binary.zip?branch=${AARDVARK_DNS_BRANCH}" FEDORA_NETAVARK_AARCH64_AMI: "fedora-netavark-aws-arm64-${IMAGE_SUFFIX}" EC2_INST_TYPE: "t4g.xlarge" + NETAVARK_UPSTREAM: "1" gcp_credentials: ENCRYPTED[d6efdb7d6d4c61e3831df2193ca6348bb02f26cd931695f69d41930b1965f7dab72a838ca0902f6ed8cde66c7deddae2] diff --git a/test/001-basic.bats b/test/001-basic.bats index bc30a17..f74220d 100644 --- a/test/001-basic.bats +++ b/test/001-basic.bats 
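Review bot: The comment on the unchanged line `make build_unit # reuses some debug binaries` in `_run_build` referred to the `make all debug=1` step that this hunk removes, so it now describes a step that no longer runs. Reword it to say what the target produces, for example `make build_unit # builds the unit test binaries`, assuming that is what `build_unit` does (its rule is not visible here). `_run_build` continues outside the hunk.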
@@ -12,7 +12,9 @@ load helpers run_netavark version json="$output" assert_json "$json" ".version" =~ "^1\.[0-9]+\.[0-9]+(-rc[0-9]|-dev)?" "correct version" - assert_json "$json" ".commit" =~ "[0-9a-f]{40}" "shows commit sha" + if [ -n "$NETAVARK_UPSTREAM" ]; then + assert_json "$json" ".commit" =~ "[0-9a-f]{40}" "shows commit sha" + fi assert_json "$json" ".build_time" =~ "20.*" "show build date" assert_json "$json" ".target" =~ ".*" "contains target string" } From 389d8d9da2357d32d5f005d9d8c0c4e71dfb4da5 Mon Sep 17 00:00:00 2001 From: Matt Heon Date: Fri, 14 Mar 2025 11:04:44 -0400 Subject: [PATCH 08/10] Fix detect of Firewalld's StrictForwardPorts property The code was written to work with a boolean property. Unfortunately, it's not a boolean, it's a DBus Variant holding a String which can be either "yes" or "no". This, unfortunately, complicates our decoding code somewhat considerably. I don't know how this actually worked when I tested it in the first place, unless the API type changed in firewalld before final release, which I don't *think* happened? Fortunately, the code here is written to be very forgiving of errors, but I added some warning logs to give us a trail if stuff starts blowing up in the future (because Variant means the type can, theoretically, change in the future, which would be unpleasant). Fixes https://issues.redhat.com/browse/RHEL-80266 Signed-off-by: Matt Heon (cherry picked from commit 850d6af74b7bf8c42a98e25d4b08c2eec16c3ca3) Signed-off-by: Paul Holzinger --- src/firewall/firewalld.rs | 30 +++++++++++++++++++++++++++++- 1 file changed, 29 insertions(+), 1 deletion(-) diff --git a/src/firewall/firewalld.rs b/src/firewall/firewalld.rs index bfcbb43..de51fff 100644 --- a/src/firewall/firewalld.rs +++ b/src/firewall/firewalld.rs 
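Review bot: The gate `[ -n "$NETAVARK_UPSTREAM" ]` enables the commit check for any non-empty value, so `NETAVARK_UPSTREAM=0` still runs it, while an unset variable drops the assertion without any trace in the test output. Since `.cirrus.yml` sets the value to `"1"`, comparing against that value is clearer and also safe under `set -u`: `if [ "${NETAVARK_UPSTREAM:-}" = "1" ]; then`. A short comment above the `if` saying that packaged builds carry no commit information would record why the check is optional.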
@@ -1062,7 +1062,35 @@ pub fn is_firewalld_strict_forward_enabled(dbus_con: &Option) -> boo "Get", &("org.fedoraproject.FirewallD1.config", "StrictForwardPorts"), ) { - Ok(b) => b.body().deserialize().unwrap_or(false), + Ok(b) => { + let variant_str: String = match b.body().deserialize::() { + Ok(v) => match v.downcast::() { + Ok(s) => s, + Err(e) => { + warn!( + "couldn't downcast StrictForwardPorts value to string: {}", + e + ); + return false; + } + }, + Err(e) => { + warn!("couldn't retrieve StrictForwardPorts property: {}", e); + return false; + } + }; + match variant_str.to_lowercase().as_str() { + "yes" => true, + "no" => false, + other => { + warn!( + "unexpected value from StrictForwardPorts property: {}", + other + ); + false + } + } + } Err(_) => { // Assume any error is related to the property not existing // (As it will not on older firewalld versions) From 0b7cbc53d8e2cabce62475f457f7010fa1c6098c Mon Sep 17 00:00:00 2001 From: Paul Holzinger Date: Mon, 17 Mar 2025 17:30:03 +0100 Subject: [PATCH 09/10] Release notes for v1.14.0 Signed-off-by: Paul Holzinger --- RELEASE_NOTES.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/RELEASE_NOTES.md b/RELEASE_NOTES.md index c695316..dc8c177 100644 --- a/RELEASE_NOTES.md +++ b/RELEASE_NOTES.md @@ -1,5 +1,11 @@ # Release Notes +## v1.14.1 + +* Fixed an issue where the Makefile did not install the `netavark-firewalld(7)` man page. ([#1179](https://github.com/containers/netavark/issues/1179)) +* Fixed the detection of Firewalld's StrictForwardPorts property. +* Upstream tests no longer check for the commit sha in the version output by default so downstream tests on packaged versions without the commit info can pass. + ## v1.14.0 * bridge: Add support for a new option called `mode`. When set to `unmanaged` only the veth pair and ip addresses are setup. The bridge must exist and no firewall or sysctl setting will be configured in this mode. ([#1090](https://github.com/containers/netavark/issues/1090)) 
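Review bot: Every new failure branch in the `Ok(b)` arm (failed deserialize, failed downcast, unrecognised string) returns `false`, so an undecodable reply is handled exactly like StrictForwardPorts=no. That is the same fail-open outcome the replaced `unwrap_or(false)` produced silently. The warnings help, but nothing in CI would catch the type changing again, which the commit message itself expects could happen. Suggest moving the yes/no mapping into a small pure helper and covering it with unit tests for "yes", "no", mixed case and an unexpected value. Callers are not visible here, so whether a hard error is preferable to `false` is for the maintainers to judge; the function's signature and its outer `Err(_)` arm lie partly outside the hunk.

```rust
// Pure mapping of the property string, so it can be unit-tested without D-Bus.
fn parse_strict_forward_ports(value: &str) -> Option<bool> {
    match value.to_lowercase().as_str() {
        "yes" => Some(true),
        "no" => Some(false),
        _ => None,
    }
}

// … unchanged: D-Bus "Get" call and Variant-to-String decoding into variant_str …
            match parse_strict_forward_ports(&variant_str) {
                Some(enabled) => enabled,
                None => {
                    warn!(
                        "unexpected value from StrictForwardPorts property: {}",
                        variant_str
                    );
                    false
                }
            }
```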
From 8711e83883b5b3f683d84d847cdd196cb9550352 Mon Sep 17 00:00:00 2001 From: Paul Holzinger Date: Mon, 17 Mar 2025 17:31:43 +0100 Subject: [PATCH 10/10] Release v1.14.1 Signed-off-by: Paul Holzinger --- Cargo.lock | 2 +- Cargo.toml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index 969a288..25234b6 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -1433,7 +1433,7 @@ checksum = "defc4c55412d89136f966bbb339008b474350e5e6e78d2714439c386b3137a03" [[package]] name = "netavark" -version = "1.14.0" +version = "1.14.1" dependencies = [ "anyhow", "chrono", diff --git a/Cargo.toml b/Cargo.toml index 816b5cd..375c842 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -1,6 +1,6 @@ [package] name = "netavark" -version = "1.14.0" +version = "1.14.1" edition = "2021" authors = ["github.com/containers"] license = "Apache-2.0"