
NetworkManager add missing patches

Signed-off-by: basebuilder_pel7x64builder0 <basebuilder@powerel.org>
master
basebuilder_pel7x64builder0 5 years ago
parent
commit
856e358059
  1. 32
      SOURCES/0004-ibft-cap-sys-admin-rh1371201.patch
  2. 46
      SOURCES/0005-dhcp-internal-default-client-id-rh1695723.patch
  3. 39
      SOURCES/0006-no-keyfile-file-name-extension-rh1697858.patch
  4. 397
      SOURCES/1000-cli-hide-certificate-blobs-rh1702199.patch
  5. 41
      SOURCES/1001-device-fix-reapply-of-MTU-rh1702657.patch
  6. 33
      SOURCES/1002-settings-fix-failed-assertion-rh1707261.patch
  7. 80
      SOURCES/1003-sw-devices-managed-after-wake-rh1701585.patch
  8. 122
      SOURCES/1004-device-restore-ipv6-config-on-link-up-rh1548237.patch
  9. 126
      SOURCES/1005-load-connection-dbus-fixes-rh1708660.patch
  10. 42
      SOURCES/1006-fix-file-permissions-secret-key-rh1709849.patch
  11. 2448
      SOURCES/1007-tc-update-rh1546802.patch
  12. 32
      SOURCES/1008-don-t-kill-teamd-for-external-devices-rh1711952.patch
  13. 304
      SOURCES/1009-ifcfg-rh-use-PKCS12-private-as-client-cert-rh1714610.patch
  14. 39526
      SOURCES/1010-translations-rh1689962.patch
  15. 39
      SOURCES/1011-cli-editor-no-wait-on-failure-rh1702203.patch
  16. 36
      SOURCES/1012-team-fix-validate-send-always-flags-rh1720153.patch
  17. 203
      SOURCES/1013-ovs-slaves-restart-fixes-rh1733709.patch

32
SOURCES/0004-ibft-cap-sys-admin-rh1371201.patch

@ -0,0 +1,32 @@ @@ -0,0 +1,32 @@
From 53a95f9ebd941c9fd2464f69ee420c4c82842eda Mon Sep 17 00:00:00 2001
From: Thomas Haller <thaller@redhat.com>
Date: Fri, 2 Sep 2016 15:58:42 +0200
Subject: [PATCH] service: give CAP_SYS_ADMIN for ibft/iscsiadm (rh#1371201)

systemd on rhel-7.3 has a bug with merging CapabilityBoundingSet.
https://github.com/systemd/systemd/issues/1221
Thus it is all in one line.
---
data/NetworkManager.service.in | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/data/NetworkManager.service.in b/data/NetworkManager.service.in
index ff90456ff..680b5889a 100644
--- a/data/NetworkManager.service.in
+++ b/data/NetworkManager.service.in
@@ -14,10 +14,10 @@ ExecStart=@sbindir@/NetworkManager --no-daemon
Restart=on-failure
# NM doesn't want systemd to kill its children for it
KillMode=process
-CapabilityBoundingSet=CAP_NET_ADMIN CAP_DAC_OVERRIDE CAP_NET_RAW CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_MODULE CAP_AUDIT_WRITE CAP_KILL CAP_SYS_CHROOT
+#CapabilityBoundingSet=CAP_NET_ADMIN CAP_DAC_OVERRIDE CAP_NET_RAW CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_MODULE CAP_AUDIT_WRITE CAP_KILL CAP_SYS_CHROOT

-# ibft settings plugin calls iscsiadm which needs CAP_SYS_ADMIN
-#CapabilityBoundingSet=CAP_SYS_ADMIN
+# ibft settings plugin calls iscsiadm which needs CAP_SYS_ADMIN (rh#1371201)
+CapabilityBoundingSet=CAP_NET_ADMIN CAP_DAC_OVERRIDE CAP_NET_RAW CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_MODULE CAP_AUDIT_WRITE CAP_KILL CAP_SYS_CHROOT CAP_SYS_ADMIN

ProtectSystem=true
ProtectHome=read-only
--
2.17.1
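Review bot: CAP_SYS_ADMIN ends up in the bounding set of every NetworkManager install, although the unit's own comment says only the ibft settings plugin's iscsiadm call needs it; that is a very broad capability to leave available to a network-facing daemon on hosts that never use iBFT. The comment in the unit should record both the scope and the reason everything sits on one line, e.g. `# Keep on ONE line: systemd on rhel-7.3 does not merge several CapabilityBoundingSet= lines (systemd#1221). CAP_SYS_ADMIN is needed only for ibft/iscsiadm (rh#1371201).` If the ibft plugin is packaged separately, shipping the wider set from that package as a drop-in that restates the full list would keep the default unit tighter; whether the packaging allows that is not visible here. The old `#CapabilityBoundingSet=` line kept as a comment can be dropped, since the new line repeats it in full.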

46
SOURCES/0005-dhcp-internal-default-client-id-rh1695723.patch

@ -0,0 +1,46 @@ @@ -0,0 +1,46 @@
From 5ca3888861d4f05935c9f330804c1f30ab8c57e5 Mon Sep 17 00:00:00 2001
From: Francesco Giudici <fgiudici@redhat.com>
Date: Tue, 9 Apr 2019 11:41:27 +0200
Subject: [PATCH] dhcp/internal: make default dhcp-client-id based on systemd
DUID-EN

For RHEL-7 we want to stick to the legacy behavior of the internal
dhcp client: the default dhcp-client-id is based on systemd DUID-EN.

https://bugzilla.redhat.com/show_bug.cgi?id=1695723

This reverts commit cfd696cc3cf43f5f510046b757949546bcee4cdc.
---
src/dhcp/nm-dhcp-manager.c | 2 +-
src/dhcp/nm-dhcp-systemd.c | 3 ++-
2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/src/dhcp/nm-dhcp-manager.c b/src/dhcp/nm-dhcp-manager.c
index 7063c82cf..4a40d2e52 100644
--- a/src/dhcp/nm-dhcp-manager.c
+++ b/src/dhcp/nm-dhcp-manager.c
@@ -237,7 +237,7 @@ client_start (NMDhcpManager *self,
*
* - for IPv4, the calling code may determine a client-id (from NM's connection profile).
* If present, it is taken. If not present, the DHCP plugin uses a plugin specific default.
- * - for "internal" plugin, the default is just "mac".
+ * - for "internal" plugin, the default is just "duid".
* - for "dhclient", we try to get the configuration from dhclient's /etc/dhcp or fallback
* to whatever dhclient uses by default.
* We do it this way, because for dhclient the user may configure a default
diff --git a/src/dhcp/nm-dhcp-systemd.c b/src/dhcp/nm-dhcp-systemd.c
index 70ed87150..84973aa2a 100644
--- a/src/dhcp/nm-dhcp-systemd.c
+++ b/src/dhcp/nm-dhcp-systemd.c
@@ -750,7 +750,8 @@ ip4_start (NMDhcpClient *client,

client_id = nm_dhcp_client_get_client_id (client);
if (!client_id) {
- client_id_new = nm_utils_dhcp_client_id_mac (arp_type, hwaddr_arr, hwaddr_len);
+ client_id_new = nm_utils_dhcp_client_id_systemd_node_specific (TRUE,
+ nm_dhcp_client_get_iface (client));
client_id = client_id_new;
}

--
2.20.1
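Review bot: The updated comment in client_start() says the internal plugin's default is just "duid", but nothing near the new call in ip4_start() says what that id is built from or what the bare `TRUE` selects. Going by the helper's name and the commit message, the id is presumably derived from the machine id and the interface name, so images cloned with an identical machine id would present the same client-id to a DHCP server; that deserves a line in the comment. Suggested wording: `* - for "internal" plugin, the default is "duid" (systemd DUID-EN, node specific; RHEL-7 legacy default, rh#1695723).`, and the boolean should be named in a short comment at the call site once checked against the helper's prototype. Both functions start and end outside the hunks.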

39
SOURCES/0006-no-keyfile-file-name-extension-rh1697858.patch

@ -0,0 +1,39 @@ @@ -0,0 +1,39 @@
From a67de1d4f7025f86701c1e2cc319238cbbc88f98 Mon Sep 17 00:00:00 2001
From: Thomas Haller <thaller@redhat.com>
Date: Tue, 9 Apr 2019 18:00:21 +0200
Subject: [PATCH 1/1] Revert "keyfile: also add ".nmconnection" extension when
writing keyfiles in /etc"

This reverts commit d37ad15f12bafd91cf724cda50aea7093e04bf7a.
---
src/settings/plugins/keyfile/nms-keyfile-writer.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/src/settings/plugins/keyfile/nms-keyfile-writer.c b/src/settings/plugins/keyfile/nms-keyfile-writer.c
index 8c75d8c79..fe05df28e 100644
--- a/src/settings/plugins/keyfile/nms-keyfile-writer.c
+++ b/src/settings/plugins/keyfile/nms-keyfile-writer.c
@@ -357,16 +357,19 @@ nms_keyfile_writer_connection (NMConnection *connection,
GError **error)
{
const char *keyfile_dir;
+ gboolean with_extension = FALSE;

if (save_to_disk)
keyfile_dir = nms_keyfile_utils_get_path ();
- else
+ else {
keyfile_dir = NM_KEYFILE_PATH_NAME_RUN;
+ with_extension = TRUE;
+ }

return _internal_write_connection (connection,
keyfile_dir,
nms_keyfile_utils_get_path (),
- TRUE,
+ with_extension,
0,
0,
existing_path,
--
2.20.1
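Review bot: `with_extension` is initialised to FALSE and then flipped in a newly braced else branch, which is just the negation of `save_to_disk`; `gboolean with_extension = !save_to_disk;` states that directly and lets the if/else stay as it was. The reason for the asymmetry is not in the code: a comment such as `/* RHEL-7: no ".nmconnection" extension for profiles written to /etc (rh#1697858); files in /run keep it */` would stop a later cleanup from undoing the revert. The signature of nms_keyfile_writer_connection() starts above the hunk and the call continues below it.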

397
SOURCES/1000-cli-hide-certificate-blobs-rh1702199.patch

@ -0,0 +1,397 @@ @@ -0,0 +1,397 @@
From ff8fb5975a6cf8d904256fa414b359c9f1c4682d Mon Sep 17 00:00:00 2001
From: Beniamino Galvani <bgalvani@redhat.com>
Date: Tue, 23 Apr 2019 14:17:47 +0200
Subject: [PATCH 1/6] cli: fix setting private key password

Fixes: fe390556abfe ('cli: add property type for 802-1x certificate properties (pt3)')
(cherry picked from commit ee96387578ca5428b9836dda382f9e6d64d5a7a8)
(cherry picked from commit d8badb280ce2acfcd0ae6fb3d8d133cae6326b7c)
---
clients/common/nm-meta-setting-desc.c | 1 +
1 file changed, 1 insertion(+)

diff --git a/clients/common/nm-meta-setting-desc.c b/clients/common/nm-meta-setting-desc.c
index 698ded869..b21ce37cf 100644
--- a/clients/common/nm-meta-setting-desc.c
+++ b/clients/common/nm-meta-setting-desc.c
@@ -2276,6 +2276,7 @@ _set_fcn_cert_8021x (ARGS_SET_FCN)
password = path + strcspn (path, " \t");
if (password[0] != '\0') {
password[0] = '\0';
+ password++;
while (nm_utils_is_separator (password[0]))
password++;
} else {
--
2.20.1

From 2fe6e3a039fa1c1b1975020f409a1b505c27ec3d Mon Sep 17 00:00:00 2001
From: Beniamino Galvani <bgalvani@redhat.com>
Date: Tue, 23 Apr 2019 14:55:32 +0200
Subject: [PATCH 2/6] cli: parse escape sequences when reading an 802.1x
private key

In this way it become possible to specify a filename that includes one
of the delimiters.

(cherry picked from commit eac15501b2364a20505a90661e037a339a63b0ea)
(cherry picked from commit 0f03773b75548151a98cae8d696fcfc698a23bb7)
---
clients/common/nm-meta-setting-desc.c | 28 +++++++++++++++++----------
1 file changed, 18 insertions(+), 10 deletions(-)

diff --git a/clients/common/nm-meta-setting-desc.c b/clients/common/nm-meta-setting-desc.c
index b21ce37cf..768e371e9 100644
--- a/clients/common/nm-meta-setting-desc.c
+++ b/clients/common/nm-meta-setting-desc.c
@@ -2268,17 +2268,25 @@ _set_fcn_cert_8021x (ARGS_SET_FCN)
vtable = &nm_setting_8021x_scheme_vtable[property_info->property_typ_data->subtype.cert_8021x.scheme_type];

if (vtable->is_secret) {
- gs_free char *path = NULL;
nm_auto_free_secret char *password_free = NULL;
- char *password;
-
- path = g_strdup (value);
- password = path + strcspn (path, " \t");
- if (password[0] != '\0') {
- password[0] = '\0';
- password++;
- while (nm_utils_is_separator (password[0]))
- password++;
+ gs_free const char **strv = NULL;
+ const char *password;
+ const char *path;
+ gsize len;
+
+ strv = nm_utils_escaped_tokens_split (value, NM_ASCII_SPACES);
+ len = NM_PTRARRAY_LEN (strv);
+ if (len > 2) {
+ g_set_error_literal (error,
+ NM_UTILS_ERROR,
+ NM_UTILS_ERROR_INVALID_ARGUMENT,
+ _("too many arguments. Please only specify a private key file and optionally a password"));
+ return FALSE;
+ }
+
+ path = len > 0 ? strv[0] : NULL;
+ if (len == 2) {
+ password = strv[1];
} else {
password_free = g_strdup (vtable->passwd_func (NM_SETTING_802_1X (setting)));
password = password_free;
--
2.20.1

From 312f84cefd672ee141c999e374d49711176ff877 Mon Sep 17 00:00:00 2001
From: Beniamino Galvani <bgalvani@redhat.com>
Date: Tue, 23 Apr 2019 21:14:31 +0200
Subject: [PATCH 3/6] cli: remove bluetooth completion code

The 'bt-type' property alias accepts values provided by
gen_func_bt_type(); instead the 'bluetooth.type' property can only be
set to [dun, panu, nap] and therefore it doesn't need special
handling.

(cherry picked from commit 78b9448b69d1e511aab9f24f4da8a6731c2dc7ee)
(cherry picked from commit a9728a61125ef44ac5008ebb0d6d028d26d683af)
---
clients/cli/connections.c | 10 ++--------
1 file changed, 2 insertions(+), 8 deletions(-)

diff --git a/clients/cli/connections.c b/clients/cli/connections.c
index 6ee3b49f9..b8f9b5f27 100644
--- a/clients/cli/connections.c
+++ b/clients/cli/connections.c
@@ -4561,14 +4561,8 @@ complete_property (const char *setting_name, const char *property, const char *p
const NMMetaPropertyInfo *property_info;

property_info = nm_meta_property_info_find_by_name (setting_name, property);
- if (property_info) {
- if (complete_option ((const NMMetaAbstractInfo *) property_info, prefix, connection))
- return;
- }
-
- if ( strcmp (setting_name, NM_SETTING_BLUETOOTH_SETTING_NAME) == 0
- && strcmp (property, NM_SETTING_BLUETOOTH_TYPE) == 0)
- run_rl_generator (gen_func_bt_type, prefix);
+ if (property_info)
+ complete_option ((const NMMetaAbstractInfo *) property_info, prefix, connection);
}

/*****************************************************************************/
--
2.20.1

From 00cffb99f83e058835ed1f5a0ce78e4b2dc92e5c Mon Sep 17 00:00:00 2001
From: Beniamino Galvani <bgalvani@redhat.com>
Date: Tue, 23 Apr 2019 21:35:19 +0200
Subject: [PATCH 4/6] cli: allow completing filenames

Allow the completion function to indicate that the word should be
completed as a filename by the shell.

(cherry picked from commit eb724293c25038c7e0f0d6789af2cea11da176eb)
(cherry picked from commit 09f9831fc628c2bfa406987bc1e1b77c036a3b20)
---
clients/cli/connections.c | 23 ++++++++++++++++-------
clients/common/nm-meta-setting-access.c | 2 ++
clients/common/nm-meta-setting-access.h | 1 +
clients/common/nm-meta-setting-desc.c | 4 +++-
clients/common/nm-meta-setting-desc.h | 2 ++
5 files changed, 24 insertions(+), 8 deletions(-)

diff --git a/clients/cli/connections.c b/clients/cli/connections.c
index b8f9b5f27..034fc19f5 100644
--- a/clients/cli/connections.c
+++ b/clients/cli/connections.c
@@ -3785,6 +3785,7 @@ _meta_abstract_complete (const NMMetaAbstractInfo *abstract_info, const char *te
nmc_meta_environment_arg,
&ctx,
text,
+ NULL,
&values_to_free);
if (values)
return values_to_free ?: g_strdupv ((char **) values);
@@ -4525,11 +4526,12 @@ run_rl_generator (rl_compentry_func_t *generator_func, const char *prefix)
}

static gboolean
-complete_option (const NMMetaAbstractInfo *abstract_info, const char *prefix, NMConnection *context_connection)
+complete_option (NmCli *nmc, const NMMetaAbstractInfo *abstract_info, const char *prefix, NMConnection *context_connection)
{
const OptionInfo *candidate;
const char *const*values;
gs_strfreev char **values_to_free = NULL;
+ gboolean complete_filename = FALSE;
const NMMetaOperationContext ctx = {
.connection = context_connection,
};
@@ -4539,7 +4541,12 @@ complete_option (const NMMetaAbstractInfo *abstract_info, const char *prefix, NM
nmc_meta_environment_arg,
&ctx,
prefix,
+ &complete_filename,
&values_to_free);
+ if (complete_filename) {
+ nmc->return_value = NMC_RESULT_COMPLETE_FILE;
+ return TRUE;
+ }
if (values) {
for (; values[0]; values++)
g_print ("%s\n", values[0]);
@@ -4556,13 +4563,13 @@ complete_option (const NMMetaAbstractInfo *abstract_info, const char *prefix, NM
}

static void
-complete_property (const char *setting_name, const char *property, const char *prefix, NMConnection *connection)
+complete_property (NmCli *nmc, const char *setting_name, const char *property, const char *prefix, NMConnection *connection)
{
const NMMetaPropertyInfo *property_info;

property_info = nm_meta_property_info_find_by_name (setting_name, property);
if (property_info)
- complete_option ((const NMMetaAbstractInfo *) property_info, prefix, connection);
+ complete_option (nmc, (const NMMetaAbstractInfo *) property_info, prefix, connection);
}

/*****************************************************************************/
@@ -4652,8 +4659,10 @@ nmc_read_connection_properties (NmCli *nmc,
if (!get_value (&value, argc, argv, option, error))
return FALSE;

- if (!*argc && nmc->complete)
- complete_property (setting, strv[1], value ?: "", connection);
+ if (!*argc && nmc->complete) {
+ complete_property (nmc, setting, strv[1], value ?: "", connection);
+ return TRUE;
+ }

if (!set_property (nmc->client, connection, setting_name, strv[1], value, modifier, error))
return FALSE;
@@ -4734,7 +4743,7 @@ nmc_read_connection_properties (NmCli *nmc,
return FALSE;

if (!*argc && nmc->complete)
- complete_option (chosen, value ?: "", connection);
+ complete_option (nmc, chosen, value ?: "", connection);

if (!set_option (nmc, connection, chosen, value, error))
return FALSE;
@@ -8861,7 +8870,7 @@ do_connection_import (NmCli *nmc, int argc, char **argv)
if ( argc == 1
&& nmc->complete) {
nmc_complete_strings (*argv, "wireguard");
- complete_option ((const NMMetaAbstractInfo *) nm_meta_property_info_vpn_service_type,
+ complete_option (nmc, (const NMMetaAbstractInfo *) nm_meta_property_info_vpn_service_type,
*argv,
NULL);
}
diff --git a/clients/common/nm-meta-setting-access.c b/clients/common/nm-meta-setting-access.c
index 8399f29db..ce5cd331c 100644
--- a/clients/common/nm-meta-setting-access.c
+++ b/clients/common/nm-meta-setting-access.c
@@ -273,6 +273,7 @@ nm_meta_abstract_info_complete (const NMMetaAbstractInfo *abstract_info,
gpointer environment_user_data,
const NMMetaOperationContext *operation_context,
const char *text,
+ gboolean *out_complete_filename,
char ***out_to_free)
{
const char *const*values;
@@ -292,6 +293,7 @@ nm_meta_abstract_info_complete (const NMMetaAbstractInfo *abstract_info,
environment_user_data,
operation_context,
text,
+ out_complete_filename,
out_to_free);

nm_assert (!*out_to_free || values == (const char *const*) *out_to_free);
diff --git a/clients/common/nm-meta-setting-access.h b/clients/common/nm-meta-setting-access.h
index ec1c2ba00..38f22c7a4 100644
--- a/clients/common/nm-meta-setting-access.h
+++ b/clients/common/nm-meta-setting-access.h
@@ -69,6 +69,7 @@ const char *const*nm_meta_abstract_info_complete (const NMMetaAbstractInfo *abst
gpointer environment_user_data,
const NMMetaOperationContext *operation_context,
const char *text,
+ gboolean *out_complete_filename,
char ***out_to_free);

/*****************************************************************************/
diff --git a/clients/common/nm-meta-setting-desc.c b/clients/common/nm-meta-setting-desc.c
index 768e371e9..7e4eb3d31 100644
--- a/clients/common/nm-meta-setting-desc.c
+++ b/clients/common/nm-meta-setting-desc.c
@@ -788,7 +788,7 @@ _env_warn_fcn (const NMMetaEnvironment *environment,
const NMMetaPropertyInfo *property_info, const NMMetaEnvironment *environment, gpointer environment_user_data, NMSetting *setting, const char *value, GError **error

#define ARGS_COMPLETE_FCN \
- const NMMetaPropertyInfo *property_info, const NMMetaEnvironment *environment, gpointer environment_user_data, const NMMetaOperationContext *operation_context, const char *text, char ***out_to_free
+ const NMMetaPropertyInfo *property_info, const NMMetaEnvironment *environment, gpointer environment_user_data, const NMMetaOperationContext *operation_context, const char *text, gboolean *out_complete_filename, char ***out_to_free

#define ARGS_VALUES_FCN \
const NMMetaPropertyInfo *property_info, char ***out_to_free
@@ -8159,6 +8159,7 @@ _meta_type_property_info_complete_fcn (const NMMetaAbstractInfo *abstract_info,
gpointer environment_user_data,
const NMMetaOperationContext *operation_context,
const char *text,
+ gboolean *out_complete_filename,
char ***out_to_free)
{
const NMMetaPropertyInfo *info = (const NMMetaPropertyInfo *) abstract_info;
@@ -8171,6 +8172,7 @@ _meta_type_property_info_complete_fcn (const NMMetaAbstractInfo *abstract_info,
environment_user_data,
operation_context,
text,
+ out_complete_filename,
out_to_free);
}

diff --git a/clients/common/nm-meta-setting-desc.h b/clients/common/nm-meta-setting-desc.h
index b69a07b50..2fee080b9 100644
--- a/clients/common/nm-meta-setting-desc.h
+++ b/clients/common/nm-meta-setting-desc.h
@@ -221,6 +221,7 @@ struct _NMMetaPropertyType {
gpointer environment_user_data,
const NMMetaOperationContext *operation_context,
const char *text,
+ gboolean *out_complete_filename,
char ***out_to_free);

/* Whether set_fcn() supports the '-' modifier. That is, whether the property
@@ -444,6 +445,7 @@ struct _NMMetaType {
gpointer environment_user_data,
const NMMetaOperationContext *operation_context,
const char *text,
+ gboolean *out_complete_filename,
char ***out_to_free);
};

--
2.20.1

From 4fe5505236fdf1d268d8d8a8cc9a339c4e2eb47e Mon Sep 17 00:00:00 2001
From: Beniamino Galvani <bgalvani@redhat.com>
Date: Tue, 23 Apr 2019 22:01:15 +0200
Subject: [PATCH 5/6] cli: complete 802.1x certificate file names

(cherry picked from commit ec4a12ecdbebbca5b8108e1611e95fa93b43d637)
(cherry picked from commit 3d3fac55e38c5da544f8acc36aaf9334a92cbf11)
---
clients/common/nm-meta-setting-desc.c | 21 +++++++++++++++++++++
1 file changed, 21 insertions(+)

diff --git a/clients/common/nm-meta-setting-desc.c b/clients/common/nm-meta-setting-desc.c
index 7e4eb3d31..7c8f89563 100644
--- a/clients/common/nm-meta-setting-desc.c
+++ b/clients/common/nm-meta-setting-desc.c
@@ -2307,6 +2307,26 @@ _set_fcn_cert_8021x (ARGS_SET_FCN)
}
}

+static const char *const*
+_complete_fcn_cert_8021x (ARGS_COMPLETE_FCN)
+{
+ const NMSetting8021xSchemeVtable *vtable;
+
+ vtable = &nm_setting_8021x_scheme_vtable[property_info->property_typ_data->subtype.cert_8021x.scheme_type];
+
+ if (vtable->is_secret) {
+ gs_free const char **strv = NULL;
+
+ strv = nm_utils_escaped_tokens_split (text, NM_ASCII_SPACES);
+ /* don't try to complete the password */
+ if (NM_PTRARRAY_LEN (strv) > 1)
+ return NULL;
+ }
+
+ NM_SET_OUT (out_complete_filename, TRUE);
+ return NULL;
+}
+
static gconstpointer
_get_fcn_gobject_bytes (ARGS_GET_FCN)
{
@@ -4466,6 +4486,7 @@ static const NMMetaPropertyType _pt_dcb = {
static const NMMetaPropertyType _pt_cert_8021x = {
.get_fcn = _get_fcn_cert_8021x,
.set_fcn = _set_fcn_cert_8021x,
+ .complete_fcn = _complete_fcn_cert_8021x,
};

static const NMMetaPropertyType _pt_ethtool = {
--
2.20.1

From 1d02cd13072aa90471cdf0f0f2dde048a126c007 Mon Sep 17 00:00:00 2001
From: Beniamino Galvani <bgalvani@redhat.com>
Date: Wed, 24 Apr 2019 15:21:34 +0200
Subject: [PATCH 6/6] cli: hide certificate blobs unless --show-secrets is
passed

This restores the behavior before commit 99711579ed43.

Fixes: 99711579ed43 ('cli: add property type for 802-1x certificate properties (pt2)').
(cherry picked from commit c91aad49695fc0d5ff1dd07a4459dc7fbe9bdbc0)
(cherry picked from commit 8c75120df055ac6c7b778a885473af202897abf9)
---
clients/common/nm-meta-setting-desc.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/clients/common/nm-meta-setting-desc.c b/clients/common/nm-meta-setting-desc.c
index 7c8f89563..9b5debcfe 100644
--- a/clients/common/nm-meta-setting-desc.c
+++ b/clients/common/nm-meta-setting-desc.c
@@ -2229,8 +2229,7 @@ _get_fcn_cert_8021x (ARGS_GET_FCN)

switch (vtable->scheme_func (s_8021X)) {
case NM_SETTING_802_1X_CK_SCHEME_BLOB:
- if ( vtable->is_secret
- && !NM_FLAGS_HAS (get_flags, NM_META_ACCESSOR_GET_FLAGS_SHOW_SECRETS))
+ if (!NM_FLAGS_HAS (get_flags, NM_META_ACCESSOR_GET_FLAGS_SHOW_SECRETS))
return _get_text_hidden (get_type);
str = bytes_to_string (vtable->blob_func (s_8021X));
break;
--
2.20.1
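Review bot: In nmc_read_connection_properties() the property branch now returns TRUE right after complete_property(), but the option branch further down still falls through from `complete_option (nmc, chosen, value ?: "", connection);` into set_option(), so a completion run that has just set `NMC_RESULT_COMPLETE_FILE` goes on to call set_option() with the partially typed value. Unless that fall-through is relied on elsewhere (the function continues outside the hunk), the option branch should mirror the property branch by adding `return TRUE;` after the complete_option() call. Separately, in _set_fcn_cert_8021x() and _complete_fcn_cert_8021x() the user-typed password sits in `strv`, which is released with `gs_free`, while the stored password next to it uses `nm_auto_free_secret`; either wipe the token buffer before release or add a comment saying the difference is deliberate.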

41
SOURCES/1001-device-fix-reapply-of-MTU-rh1702657.patch

@ -0,0 +1,41 @@ @@ -0,0 +1,41 @@
From 89af6353940018621493764927a3f10335084628 Mon Sep 17 00:00:00 2001
From: Beniamino Galvani <bgalvani@redhat.com>
Date: Fri, 26 Apr 2019 10:49:21 +0200
Subject: [PATCH] device: fix reapply of MTU

When we set the MTU on the link we remember its previous source
(ip-config, parent-device or connection profile) and don't change it
again afterwards to avoid interfering with user's manual changes. The
only exceptions when we change it again are (1) if the parent device
MTU changes and (2) if the new MTU has higher priority than the one
previously set.

To allow a live reapply of the MTU property we also need to clear the
saved source, or the checks described above will prevent setting the
new value.

Fixes: 2f8917237fdf ('device: rework mtu priority handling')

https://bugzilla.redhat.com/show_bug.cgi?id=1702657
(cherry picked from commit 4ed72fa658c03790700ba9084e9328fe38afdee9)
(cherry picked from commit e738479bdd714f754aa311bada3315147efab376)
---
src/devices/nm-device.c | 3 +++
1 file changed, 3 insertions(+)

diff --git a/src/devices/nm-device.c b/src/devices/nm-device.c
index b909f0ddf..8ae64b968 100644
--- a/src/devices/nm-device.c
+++ b/src/devices/nm-device.c
@@ -11312,6 +11312,9 @@ check_and_reapply_connection (NMDevice *self,
s_ip6_old = nm_connection_get_setting_ip6_config (con_old);
s_ip6_new = nm_connection_get_setting_ip6_config (con_new);

+ /* Allow reapply of MTU */
+ priv->mtu_source = NM_DEVICE_MTU_SOURCE_NONE;
+
nm_device_reactivate_ip4_config (self, s_ip4_old, s_ip4_new);
nm_device_reactivate_ip6_config (self, s_ip6_old, s_ip6_new);

--
2.20.1
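Review bot: `priv->mtu_source = NM_DEVICE_MTU_SOURCE_NONE;` runs on every reapply that reaches this point, not only when an MTU-related property differs between con_old and con_new, so, going by the commit message, the check that protects a user's manual MTU change is dropped by any reapply. If that is intended, the three-word comment should say so, e.g. `/* Forget the remembered MTU source so the priority check cannot block the new value; this also applies when the MTU is unchanged. */`; otherwise the reset could be limited to the case where the MTU settings changed. check_and_reapply_connection() starts and ends outside the hunk, so any earlier condition is not visible.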

33
SOURCES/1002-settings-fix-failed-assertion-rh1707261.patch

@ -0,0 +1,33 @@ @@ -0,0 +1,33 @@
From f85322d23536c1004db8ddc722d4f2f6abc56aba Mon Sep 17 00:00:00 2001
From: Beniamino Galvani <bgalvani@redhat.com>
Date: Tue, 23 Apr 2019 11:10:33 +0200
Subject: [PATCH] settings: fix failed assertion

Fix the following assertion failure:

g_object_ref: assertion 'G_IS_OBJECT (object)' failed.

nm_settings_add_connection() can return a NULL connection.

Fixes: f034f17ff69c ('settings: keep the added connection alive for a bit longer')
(cherry picked from commit 48ce3628c528553d4105ed443934d733998e81b4)
(cherry picked from commit d80818e6cad94def1402be8326274bde998aa276)
---
src/settings/nm-settings.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/settings/nm-settings.c b/src/settings/nm-settings.c
index 8e18a33e0..e594860bc 100644
--- a/src/settings/nm-settings.c
+++ b/src/settings/nm-settings.c
@@ -1174,7 +1174,7 @@ pk_add_cb (NMAuthChain *chain,
* because it's found to be incompatible with the device on AddAndActivate).
* But we need to keep it alive for a bit longer, precisely to check wehther
* it's still known to the setting manager. */
- g_object_ref (added);
+ nm_g_object_ref (added);
}

callback = nm_auth_chain_get_data (chain, "callback");
--
2.20.1
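Review bot: Switching to `nm_g_object_ref (added)` makes a NULL `added` legal here, so the release of that reference later in pk_add_cb() (outside the hunk) has to tolerate NULL as well, for example through `g_clear_object (&added)`; please confirm it does. The comment above the call still describes only the non-NULL case and carries a typo ("wehther"); adding `/* added is NULL if nm_settings_add_connection() failed */` would document why the NULL-safe variant is used.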

80
SOURCES/1003-sw-devices-managed-after-wake-rh1701585.patch

@ -0,0 +1,80 @@ @@ -0,0 +1,80 @@
From 98b1cf070bfa857a8a39b6499b39494bc4f4e54b Mon Sep 17 00:00:00 2001
From: Beniamino Galvani <bgalvani@redhat.com>
Date: Tue, 23 Apr 2019 16:39:17 +0200
Subject: [PATCH 1/2] manager: clear unmanaged-sleeping flag on software
devices on resume

When networking is disabled at NM startup we unmanage all devices
(including software ones) due to SLEEPING. After networking gets
enabled again we must clear the unmanaged-sleeping flag on software
devices.

(cherry picked from commit 656753b70888badc29ffca592f82fd8355894596)
(cherry picked from commit bb555ff6b5959767ab663d610cdabb8baa280447)
---
src/nm-manager.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/src/nm-manager.c b/src/nm-manager.c
index 40e068ac5..ed2fa3df4 100644
--- a/src/nm-manager.c
+++ b/src/nm-manager.c
@@ -5923,10 +5923,10 @@ do_sleep_wake (NMManager *self, gboolean sleeping_changed)
c_list_for_each_entry (device, &priv->devices_lst_head, devices_lst) {
guint i;

- if (nm_device_is_software (device)) {
- /* We do not manage/unmanage software devices but
- * their dhcp leases could have gone stale so we need
- * to renew them */
+ if ( nm_device_is_software (device)
+ && !nm_device_get_unmanaged_flags (device, NM_UNMANAGED_SLEEPING)) {
+ /* DHCP leases of software devices could have gone stale
+ * so we need to renew them. */
nm_device_update_dynamic_ip_setup (device);
continue;
}
--
2.20.1

From 9b08f52f043cb5f3794f1432df157a16c222b21c Mon Sep 17 00:00:00 2001
From: Beniamino Galvani <bgalvani@redhat.com>
Date: Tue, 23 Apr 2019 15:30:53 +0200
Subject: [PATCH 2/2] manager: unmanage software devices when networking gets
disabled

If a user disables networking, we consider that as an indication that
also software devices must be disconnected. OTOH, we don't want to
destroy them for external events as a system suspend.

(cherry picked from commit 32ee51eee002f5e6717b856fd0a095114a02cc96)
(cherry picked from commit da8462df1a273cd6b31f885b866726a64ca14550)
---
src/nm-manager.c | 12 +++++++++---
1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/src/nm-manager.c b/src/nm-manager.c
index ed2fa3df4..c0cd15c0c 100644
--- a/src/nm-manager.c
+++ b/src/nm-manager.c
@@ -5866,9 +5866,15 @@ do_sleep_wake (NMManager *self, gboolean sleeping_changed)
* suspend/resume?
*/
c_list_for_each_entry (device, &priv->devices_lst_head, devices_lst) {
- /* FIXME: shouldn't we be unmanaging software devices if !suspending? */
- if (nm_device_is_software (device))
- continue;
+ if (nm_device_is_software (device)) {
+ /* If a user disables networking we consider that as an
+ * indication that also software devices must be disconnected.
+ * But we don't want to destroy them for external events as
+ * a system suspend.
+ */
+ if (suspending)
+ continue;
+ }
/* Wake-on-LAN devices will be taken down post-suspend rather than pre- */
if ( suspending
&& device_is_wake_on_lan (priv->platform, device)) {
--
2.20.1
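Review bot: The nested test added in the first loop of do_sleep_wake() can be a single condition, `if (nm_device_is_software (device) && suspending) continue;`, with the explanatory comment placed above it; the outer block holds no other statement. In the wake-up loop the rewritten comment no longer explains what happens to a software device that does carry `NM_UNMANAGED_SLEEPING`; a line such as `/* software devices still flagged SLEEPING fall through and get the flag cleared below */` would help, assuming the code after `continue` does that (it is outside the hunk). do_sleep_wake() starts and ends outside both hunks.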

122
SOURCES/1004-device-restore-ipv6-config-on-link-up-rh1548237.patch

@ -0,0 +1,122 @@ @@ -0,0 +1,122 @@
From bb782ab4b2058e0ae14aae1a4c71bd0dc908fbdc Mon Sep 17 00:00:00 2001
From: Beniamino Galvani <bgalvani@redhat.com>
Date: Tue, 7 May 2019 16:26:09 +0200
Subject: [PATCH 1/3] all: fix typos (milli seconds -> milliseconds)

(cherry picked from commit 4735d6764a5dc9c3bc6bc09d3220751e789b39c4)
(cherry picked from commit f6b9366eb4435d7ee45f862dabdefb5f87c4739d)
---
shared/nm-glib-aux/nm-time-utils.c | 2 +-
src/devices/nm-device.c | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/shared/nm-glib-aux/nm-time-utils.c b/shared/nm-glib-aux/nm-time-utils.c
index ae526c342..98a414595 100644
--- a/shared/nm-glib-aux/nm-time-utils.c
+++ b/shared/nm-glib-aux/nm-time-utils.c
@@ -231,7 +231,7 @@ nm_utils_get_monotonic_timestamp_s (void)
* @timestamp: the monotonic-timestamp that should be converted into CLOCK_BOOTTIME.
* @timestamp_ns_per_tick: How many nano seconds make one unit of @timestamp? E.g. if
* @timestamp is in unit seconds, pass %NM_UTILS_NS_PER_SECOND; @timestamp in nano
- * seconds, pass 1; @timestamp in milli seconds, pass %NM_UTILS_NS_PER_SECOND/1000; etc.
+ * seconds, pass 1; @timestamp in milliseconds, pass %NM_UTILS_NS_PER_SECOND/1000; etc.
*
* Returns: the monotonic-timestamp as CLOCK_BOOTTIME, as returned by clock_gettime().
* The unit is the same as the passed in @timestamp basd on @timestamp_ns_per_tick.
diff --git a/src/devices/nm-device.c b/src/devices/nm-device.c
index 8ae64b968..7bf1eb4ce 100644
--- a/src/devices/nm-device.c
+++ b/src/devices/nm-device.c
@@ -3588,7 +3588,7 @@ nm_device_set_carrier (NMDevice *self, gboolean carrier)
now_ms = nm_utils_get_monotonic_timestamp_ms ();
until_ms = NM_MAX (now_ms + _get_carrier_wait_ms (self), priv->carrier_wait_until_ms);
priv->carrier_defer_id = g_timeout_add (until_ms - now_ms, carrier_disconnected_action_cb, self);
- _LOGD (LOGD_DEVICE, "carrier: link disconnected (deferring action for %ld milli seconds) (id=%u)",
+ _LOGD (LOGD_DEVICE, "carrier: link disconnected (deferring action for %ld milliseconds) (id=%u)",
(long) (until_ms - now_ms), priv->carrier_defer_id);
}
}
--
2.20.1

From ef2113cf7c06d5157ddd2cdc26c1f781b60c477c Mon Sep 17 00:00:00 2001
From: Beniamino Galvani <bgalvani@redhat.com>
Date: Tue, 7 May 2019 16:25:04 +0200
Subject: [PATCH 2/3] device: unconditionally reapply IP configuration on link
up

Consider the situation in which ipv4.method=auto and there is an
address configured. Also, the DHCP timeout is long and there is no
DHCP server. If the link is brought down temporarily, the prefix route
for the static address is lost and not restored by NM because we
reapply the IP configuration only when the IP state is DONE.

The same can happen also for IPv6, but in that case also static IPv6
addresses are lost.

We should always reapply the IP configuration when the link goes up.

(cherry picked from commit d0b16b9283dc16e9db642280be9d6b10a04092a8)
(cherry picked from commit 4482ca64ba5bbf1c173ea5b4a3854da0173542a8)
---
src/devices/nm-device.c | 12 ++++--------
1 file changed, 4 insertions(+), 8 deletions(-)

diff --git a/src/devices/nm-device.c b/src/devices/nm-device.c
index 7bf1eb4ce..510d9792e 100644
--- a/src/devices/nm-device.c
+++ b/src/devices/nm-device.c
@@ -3890,16 +3890,12 @@ device_link_changed (NMDevice *self)
if (priv->up && (!was_up || seen_down)) {
/* the link was down and just came up. That happens for example, while changing MTU.
* We must restore IP configuration. */
- if (priv->ip_state_4 == NM_DEVICE_IP_STATE_DONE) {
- if (!ip_config_merge_and_apply (self, AF_INET, TRUE))
- _LOGW (LOGD_IP4, "failed applying IP4 config after link comes up again");
- }
+ if (!ip_config_merge_and_apply (self, AF_INET, TRUE))
+ _LOGW (LOGD_IP4, "failed applying IP4 config after link comes up again");

priv->linklocal6_dad_counter = 0;
- if (priv->ip_state_6 == NM_DEVICE_IP_STATE_DONE) {
- if (!ip_config_merge_and_apply (self, AF_INET6, TRUE))
- _LOGW (LOGD_IP6, "failed applying IP6 config after link comes up again");
- }
+ if (!ip_config_merge_and_apply (self, AF_INET6, TRUE))
+ _LOGW (LOGD_IP6, "failed applying IP6 config after link comes up again");
}

if (update_unmanaged_specs)
--
2.20.1

From b3f9c33557951ed90767ff50e9e72e533a211b45 Mon Sep 17 00:00:00 2001
From: Beniamino Galvani <bgalvani@redhat.com>
Date: Tue, 7 May 2019 16:32:12 +0200
Subject: [PATCH 3/3] device: fix intersecting IPv6 configurations

If the link is down we shouldn't drop the link-local address from
configuration as it wasn't removed by user but by kernel.

(cherry picked from commit 18d2edfaa13d97597ddf5551e6dd5ea854f1fdbf)
(cherry picked from commit 6f6914450072b79a91731e042e498ca26892696c)
---
src/devices/nm-device.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/devices/nm-device.c b/src/devices/nm-device.c
index 510d9792e..06a95110b 100644
--- a/src/devices/nm-device.c
+++ b/src/devices/nm-device.c
@@ -12882,7 +12882,8 @@ update_ext_ip_config (NMDevice *self, int addr_family, gboolean intersect_config
for (iter = priv->vpn_configs_6; iter; iter = iter->next)
nm_ip6_config_intersect (iter->data, priv->ext_ip_config_6, is_up, is_up, 0);

- if ( priv->ipv6ll_has
+ if ( is_up
+ && priv->ipv6ll_has
&& !nm_ip6_config_lookup_address (priv->ext_ip_config_6, &priv->ipv6ll_addr))
priv->ipv6ll_has = FALSE;
}
--
2.20.1

126
SOURCES/1005-load-connection-dbus-fixes-rh1708660.patch

@ -0,0 +1,126 @@ @@ -0,0 +1,126 @@
From 48193ae383de29c52bf37d869f2e0a8534fbe825 Mon Sep 17 00:00:00 2001
From: Thomas Haller <thaller@redhat.com>
Date: Fri, 10 May 2019 14:35:52 +0200
Subject: [PATCH 1/2] settings: avoid assertion for LoadConnections D-Bus
method with relative paths

$ busctl call org.freedesktop.NetworkManager /org/freedesktop/NetworkManager/Settings org.freedesktop.NetworkManager.Settings LoadConnections as 1 relative/filename

triggers a g_critical() assertion in nm_utils_file_is_in_path():

...
#3 0x00007ffff7a19e7d in g_return_if_fail_warning
(log_domain=log_domain@entry=0x55555586c333 "NetworkManager", pretty_function=pretty_function@entry=0x55555586c0a0 <__FUNCTION__.38585> "nm_utils_file_is_in_path", expression=expression@entry=0x55555586c010 "abs_filename && abs_filename[0] == '/'") at ../glib/gmessages.c:2767
#4 0x00005555555f1128 in nm_utils_file_is_in_path (abs_filename=abs_filename@entry=0x555555b56670 "dfd", abs_path=<optimized out>) at src/NetworkManagerUtils.c:1077
#5 0x00005555555a4779 in load_connection (config=<optimized out>, filename=0x555555b56670 "dfd") at src/settings/plugins/keyfile/nms-keyfile-plugin.c:522
#6 0x00005555557ce291 in nm_settings_plugin_load_connection (self=0x5555559fd400 [NMSKeyfilePlugin], filename=0x555555b56670 "dfd") at src/settings/nm-settings-plugin.c:70
#7 0x000055555559ccdf in impl_settings_load_connections
(obj=<optimized out>, interface_info=<optimized out>, method_info=<optimized out>, connection=<optimized out>, sender=<optimized out>, invocation=0x7fffe0015ed0 [GDBusMethodInvocation], parameters=<optimized out>) at src/settings/nm-settings.c:1439
#8 0x00005555555a9bf9 in dbus_vtable_method_call
(connection=0x5555559b91b0 [GDBusConnection], sender=sender@entry=0x555555b5c360 ":1.32283", object_path=object_path@entry=0x7fffe0019070 "/org/freedesktop/NetworkManager/Settings", interface_name=<optimized out>, interface_name@entry=0x7fffe002aa70 "org.freedesktop.NetworkManager.Settings", method_name=<optimized out>,
method_name@entry=0x7fffe00276b0 "LoadConnections", parameters=parameters@entry=0x555555c4a690, invocation=0x7fffe0015ed0 [GDBusMethodInvocation], user_data=0x5555559a1a00)
at src/nm-dbus-manager.c:947
#9 0x00007ffff7c506c4 in call_in_idle_cb (user_data=user_data@entry=0x7fffe0015ed0) at ../gio/gdbusconnection.c:4874
#10 0x00007ffff7a0e8eb in g_idle_dispatch (source=source@entry=0x7fffe00208a0, callback=0x7ffff7c50590 <call_in_idle_cb>, user_data=0x7fffe0015ed0) at ../glib/gmain.c:5627
#11 0x00007ffff7a11fd0 in g_main_dispatch (context=0x555555994d00) at ../glib/gmain.c:3189
#12 0x00007ffff7a11fd0 in g_main_context_dispatch (context=context@entry=0x555555994d00) at ../glib/gmain.c:3854
#13 0x00007ffff7a12368 in g_main_context_iterate (context=0x555555994d00, block=block@entry=1, dispatch=dispatch@entry=1, self=<optimized out>) at ../glib/gmain.c:3927
#14 0x00007ffff7a126b3 in g_main_loop_run (loop=0x555555995e60) at ../glib/gmain.c:4123
#15 0x000055555558a741 in main (argc=<optimized out>, argv=<optimized out>) at src/main.c:444

Filter out relative filenames early.

(cherry picked from commit a1b102eae4bc412297b72c327530abc1ca38d659)
(cherry picked from commit c21171e06987353868e91d6e1cd395ade05e9390)
---
src/settings/nm-settings.c | 31 ++++++++++++++++++-------------
1 file changed, 18 insertions(+), 13 deletions(-)

diff --git a/src/settings/nm-settings.c b/src/settings/nm-settings.c
index e594860bc..1f8314847 100644
--- a/src/settings/nm-settings.c
+++ b/src/settings/nm-settings.c
@@ -1409,8 +1409,6 @@ impl_settings_load_connections (NMDBusObject *obj,
NMSettings *self = NM_SETTINGS (obj);
NMSettingsPrivate *priv = NM_SETTINGS_GET_PRIVATE (self);
gs_unref_ptrarray GPtrArray *failures = NULL;
- GSList *iter;
- guint i;
gs_free const char **filenames = NULL;

g_variant_get (parameters, "(^a&s)", &filenames);
@@ -1427,21 +1425,28 @@ impl_settings_load_connections (NMDBusObject *obj,
return;

if (filenames) {
+ gsize i;
+
for (i = 0; filenames[i]; i++) {
- for (iter = priv->plugins; iter; iter = g_slist_next (iter)) {
- NMSettingsPlugin *plugin = NM_SETTINGS_PLUGIN (iter->data);
+ GSList *iter;

- if (nm_settings_plugin_load_connection (plugin, filenames[i]))
- break;
- }
+ if (filenames[i][0] != '/')
+ _LOGW ("load: connection filename '%s' is not an absolute path", filenames[i]);
+ else {
+ for (iter = priv->plugins; iter; iter = iter->next) {
+ NMSettingsPlugin *plugin = NM_SETTINGS_PLUGIN (iter->data);

- if (!iter) {
- if (!g_path_is_absolute (filenames[i]))
- _LOGW ("connection filename '%s' is not an absolute path", filenames[i]);
- if (!failures)
- failures = g_ptr_array_new ();
- g_ptr_array_add (failures, (char *) filenames[i]);
+ if (nm_settings_plugin_load_connection (plugin, filenames[i]))
+ goto next_filename;
+ }
}
+
+ if (!failures)
+ failures = g_ptr_array_new ();
+ g_ptr_array_add (failures, (char *) filenames[i]);
+
+next_filename:
+ ;
}
}

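Review bot: The `filenames[i][0] != '/'` test is the only validation of the D-Bus caller's path visible in this hunk, and it carries no comment saying why it has to run before the plugin loop. Per the commit message the plugins reach nm_utils_file_is_in_path(), which asserts on relative names, so I would add `/* plugins assert on relative paths; reject them before calling any plugin */` above the check. An absolute name that still contains `..` components passes this test; whether the plugins canonicalise the name before comparing it against their directory is not visible here and is worth confirming. The rejected name is also logged verbatim through `'%s'`, so that log line is caller-controlled text. impl_settings_load_connections() starts and ends outside the hunk.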
--
2.21.0


From b9123eb59de18ddf30b2cb5eab0f5a0c0eeef345 Mon Sep 17 00:00:00 2001
From: Thomas Haller <thaller@redhat.com>
Date: Fri, 10 May 2019 14:53:51 +0200
Subject: [PATCH 2/2] settings/d-bus: fix boolean return value of
"LoadConnections"

The boolean value is intended to indicate success. It would indicated
failure due to a bug.

Fixes: 297d4985abcc ('core/dbus: rework D-Bus implementation to use lower layer GDBusConnection API'):
(cherry picked from commit 22e830f0469a654159e71b5bbddb2774bb5342c2)
(cherry picked from commit e73a505866a784b41393ae6082a26ff7389633d3)
---
src/settings/nm-settings.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/settings/nm-settings.c b/src/settings/nm-settings.c
index 1f8314847..90dd892cb 100644
--- a/src/settings/nm-settings.c
+++ b/src/settings/nm-settings.c
@@ -1455,7 +1455,7 @@ next_filename:

g_dbus_method_invocation_return_value (invocation,
g_variant_new ("(b^as)",
- (gboolean) (!!failures),
+ (gboolean) (!failures),
failures
? (const char **) failures->pdata
: NM_PTRARRAY_EMPTY (const char *)));
--
2.21.0

42
SOURCES/1006-fix-file-permissions-secret-key-rh1709849.patch

@ -0,0 +1,42 @@ @@ -0,0 +1,42 @@
From a6562097a4d0f35c22c4f0f949012dee918bf510 Mon Sep 17 00:00:00 2001
From: Thomas Haller <thaller@redhat.com>
Date: Tue, 14 May 2019 13:55:41 +0200
Subject: [PATCH 1/1] core: fix file permissions for
"/var/lib/NetworkManager/secret_key"

Ooherwise, the file has wrong permissions:

# ls -la /var/lib/NetworkManager/secret_key
----r-xr-x. 1 root root 50 May 14 13:52 /var/lib/NetworkManager/secret_key

Luckily, /var/lib/NetworkManager should be already

# ls -lad /var/lib/NetworkManager
drwx------. 2 root root 8192 May 14 13:57 /var/lib/NetworkManager

which mitigates this a bit.

Fixes: dbcb1d6d97c6 ('core: let nm_utils_secret_key_read() handle failures internally')

https://gitlab.freedesktop.org/NetworkManager/NetworkManager/issues/175
(cherry picked from commit dc3a2f9bc4c35030bcaf9e81953daf7894ab62b6)
(cherry picked from commit 2d46247c6ac6f89a0b8bac86d684431c07dc6c8e)
---
src/nm-core-utils.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/nm-core-utils.c b/src/nm-core-utils.c
index b0cc914e7..fd1628027 100644
--- a/src/nm-core-utils.c
+++ b/src/nm-core-utils.c
@@ -2697,7 +2697,7 @@ _host_id_read (guint8 **out_host_id,
} else if (!nm_utils_file_set_contents (SECRET_KEY_FILE,
(const char *) new_content,
len,
- 0077,
+ 0600,
&error)) {
nm_log_warn (LOGD_CORE, "secret-key: failure to persist secret key in \"%s\" (%s) (use non-persistent key)",
SECRET_KEY_FILE, error->message);
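Review bot: Changing the mode argument to `0600` only affects a key file written from now on; this hunk is the branch that persists a newly generated key, so a `secret_key` already created with the `----r-xr-x` mode shown in the commit message appears to keep that mode after the update. I would check the mode where the existing file is read (that code is outside the hunk) and tighten it there, along the lines of `if (chmod (SECRET_KEY_FILE, 0600) != 0) nm_log_warn (LOGD_CORE, "secret-key: cannot fix permissions of \"%s\"", SECRET_KEY_FILE);`. A short comment next to the literal, `/* file mode, not a umask: owner read/write only */`, would make a repeat of what looks like a mask/mode mix-up easier to spot in review. _host_id_read() starts and ends outside the hunk.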
--
2.21.0

2448
SOURCES/1007-tc-update-rh1546802.patch

File diff suppressed because it is too large Load Diff

32
SOURCES/1008-don-t-kill-teamd-for-external-devices-rh1711952.patch

@ -0,0 +1,32 @@ @@ -0,0 +1,32 @@
From 2711e9be108063d9e269412c9026c10c63f1cda3 Mon Sep 17 00:00:00 2001
From: Beniamino Galvani <bgalvani@redhat.com>
Date: Sun, 19 May 2019 11:35:02 +0200
Subject: [PATCH] team: don't kill teamd for external devices

The teamd instance must not be killed if the device was externally
activated.

https://gitlab.freedesktop.org/NetworkManager/NetworkManager/merge_requests/158
https://bugzilla.redhat.com/show_bug.cgi?id=1693142
(cherry picked from commit 008a4b4215dcce40345b2c372ffc8cfd0d388fa5)
(cherry picked from commit bd113fe72eac3f609a6d05ab33ef52d6773c1985)
---
src/devices/team/nm-device-team.c | 3 +++
1 file changed, 3 insertions(+)

diff --git a/src/devices/team/nm-device-team.c b/src/devices/team/nm-device-team.c
index 287f4d1b1..4ae276dbf 100644
--- a/src/devices/team/nm-device-team.c
+++ b/src/devices/team/nm-device-team.c
@@ -694,6 +694,9 @@ deactivate (NMDevice *device)
NMDeviceTeam *self = NM_DEVICE_TEAM (device);
NMDeviceTeamPrivate *priv = NM_DEVICE_TEAM_GET_PRIVATE (self);

+ if (nm_device_sys_iface_state_is_external (device))
+ return;
+
if (priv->teamd_pid || priv->tdc)
_LOGI (LOGD_TEAM, "deactivation: stopping teamd...");

--
2.20.1

304
SOURCES/1009-ifcfg-rh-use-PKCS12-private-as-client-cert-rh1714610.patch

@ -0,0 +1,304 @@ @@ -0,0 +1,304 @@
From 51c47c0a9d77f04d04c6cde7f1254623328898f9 Mon Sep 17 00:00:00 2001
From: Beniamino Galvani <bgalvani@redhat.com>
Date: Tue, 14 May 2019 13:59:00 +0200
Subject: [PATCH 1/3] ifcfg-rh: write client certificate even if it is pkcs12

The writer should only persist properties without too much additional
logic, which should be instead embedded in the setting itself.

(cherry picked from commit a995244e9bf526b2d10143858655c3ea3731bf91)
(cherry picked from commit 5a5cd8d05dfbde11b0983e09a5a37f6929bb2178)
---
.../plugins/ifcfg-rh/nms-ifcfg-rh-reader.c | 4 ----
.../plugins/ifcfg-rh/nms-ifcfg-rh-writer.c | 24 ++++++-------------
2 files changed, 7 insertions(+), 21 deletions(-)

diff --git a/src/settings/plugins/ifcfg-rh/nms-ifcfg-rh-reader.c b/src/settings/plugins/ifcfg-rh/nms-ifcfg-rh-reader.c
index e5423b181..9b7511064 100644
--- a/src/settings/plugins/ifcfg-rh/nms-ifcfg-rh-reader.c
+++ b/src/settings/plugins/ifcfg-rh/nms-ifcfg-rh-reader.c
@@ -3117,10 +3117,6 @@ eap_tls_reader (const char *eap_method,
&client_cert,
error))
return FALSE;
- /* FIXME: writer does not actually write IEEE_8021X_CLIENT_CERT_PASSWORD and other
- * certificate related passwords. It should, because otherwise persisting such profiles
- * to ifcfg looses information. As this currently only matters for PKCS11 URIs, it seems
- * a seldom used feature so that it is not fixed yet. */
_secret_set_from_ifcfg (s_8021x,
ifcfg,
keys_ifcfg,
diff --git a/src/settings/plugins/ifcfg-rh/nms-ifcfg-rh-writer.c b/src/settings/plugins/ifcfg-rh/nms-ifcfg-rh-writer.c
index 80b1bffe1..90f06e183 100644
--- a/src/settings/plugins/ifcfg-rh/nms-ifcfg-rh-writer.c
+++ b/src/settings/plugins/ifcfg-rh/nms-ifcfg-rh-writer.c
@@ -358,23 +358,13 @@ write_8021x_certs (NMSetting8021x *s_8021x,
if (!write_object (s_8021x, ifcfg, secrets, blobs, otype, error))
return FALSE;

- /* Client certificate */
- if (otype->vtable->format_func (s_8021x) == NM_SETTING_802_1X_CK_FORMAT_PKCS12) {
- /* Don't need a client certificate with PKCS#12 since the file is both
- * the client certificate and the private key in one file.
- */
- svSetValueStr (ifcfg,
- phase2 ? "IEEE_8021X_INNER_CLIENT_CERT" : "IEEE_8021X_CLIENT_CERT",
- NULL);
- } else {
- /* Save the client certificate */
- if (!write_object (s_8021x, ifcfg, secrets, blobs,
- phase2
- ? &setting_8021x_scheme_vtable[NM_SETTING_802_1X_SCHEME_TYPE_PHASE2_CLIENT_CERT]
- : &setting_8021x_scheme_vtable[NM_SETTING_802_1X_SCHEME_TYPE_CLIENT_CERT],
- error))
- return FALSE;
- }
+ /* Save the client certificate */
+ if (!write_object (s_8021x, ifcfg, secrets, blobs,
+ phase2
+ ? &setting_8021x_scheme_vtable[NM_SETTING_802_1X_SCHEME_TYPE_PHASE2_CLIENT_CERT]
+ : &setting_8021x_scheme_vtable[NM_SETTING_802_1X_SCHEME_TYPE_CLIENT_CERT],
+ error))
+ return FALSE;

return TRUE;
}
--
2.20.1

From c62a97f608c4c28cbefe1b5b57bec5f6da24b342 Mon Sep 17 00:00:00 2001
From: Beniamino Galvani <bgalvani@redhat.com>
Date: Tue, 14 May 2019 14:32:19 +0200
Subject: [PATCH 2/3] ifcfg-rh: don't check for 802.1x private key or client
cert in reader

Let the setting check it in verify().

(cherry picked from commit d9b3b2b8cec9fdb984a6103240688dc46f33866e)
(cherry picked from commit c28db67a781388e1f742b3406e26a35c8c2522a8)
---
.../plugins/ifcfg-rh/nms-ifcfg-rh-reader.c | 16 +++-------------
1 file changed, 3 insertions(+), 13 deletions(-)

diff --git a/src/settings/plugins/ifcfg-rh/nms-ifcfg-rh-reader.c b/src/settings/plugins/ifcfg-rh/nms-ifcfg-rh-reader.c
index 9b7511064..da3b89e1a 100644
--- a/src/settings/plugins/ifcfg-rh/nms-ifcfg-rh-reader.c
+++ b/src/settings/plugins/ifcfg-rh/nms-ifcfg-rh-reader.c
@@ -3077,6 +3077,7 @@ eap_tls_reader (const char *eap_method,
svGetValueStr (ifcfg, "IEEE_8021X_IDENTITY", &identity_free),
NULL);

+ /* CA certificate */
if (!_cert_set_from_ifcfg (s_8021x,
ifcfg,
phase2 ? "IEEE_8021X_INNER_CA_CERT" : "IEEE_8021X_CA_CERT",
@@ -3090,6 +3091,7 @@ eap_tls_reader (const char *eap_method,
phase2 ? "IEEE_8021X_INNER_CA_CERT_PASSWORD" : "IEEE_8021X_CA_CERT_PASSWORD",
phase2 ? NM_SETTING_802_1X_PHASE2_CA_CERT_PASSWORD : NM_SETTING_802_1X_CA_CERT_PASSWORD);

+ /* Private key */
if (!_cert_set_from_ifcfg (s_8021x,
ifcfg,
phase2 ? "IEEE_8021X_INNER_PRIVATE_KEY" : "IEEE_8021X_PRIVATE_KEY",
@@ -3102,14 +3104,8 @@ eap_tls_reader (const char *eap_method,
keys_ifcfg,
phase2 ? "IEEE_8021X_INNER_PRIVATE_KEY_PASSWORD" : "IEEE_8021X_PRIVATE_KEY_PASSWORD",
phase2 ? NM_SETTING_802_1X_PHASE2_PRIVATE_KEY_PASSWORD : NM_SETTING_802_1X_PRIVATE_KEY_PASSWORD);
- if (!privkey) {
- g_set_error (error, NM_SETTINGS_ERROR, NM_SETTINGS_ERROR_INVALID_CONNECTION,
- "Missing %s for EAP method '%s'.",
- phase2 ? "IEEE_8021X_INNER_PRIVATE_KEY" : "IEEE_8021X_PRIVATE_KEY",
- eap_method);
- return FALSE;
- }

+ /* Client certificate */
if (!_cert_set_from_ifcfg (s_8021x,
ifcfg,
phase2 ? "IEEE_8021X_INNER_CLIENT_CERT" : "IEEE_8021X_CLIENT_CERT",
@@ -3122,12 +3118,6 @@ eap_tls_reader (const char *eap_method,
keys_ifcfg,
phase2 ? "IEEE_8021X_INNER_CLIENT_CERT_PASSWORD" : "IEEE_8021X_CLIENT_CERT_PASSWORD",
phase2 ? NM_SETTING_802_1X_PHASE2_CLIENT_CERT_PASSWORD : NM_SETTING_802_1X_CLIENT_CERT_PASSWORD);
- if (!client_cert) {
- g_set_error (error, NM_SETTINGS_ERROR, NM_SETTINGS_ERROR_INVALID_CONNECTION,
- "Missing certificate for EAP method '%s'.",
- eap_method);
- return FALSE;
- }

return TRUE;
}
--
2.20.1

From b3935bb0f25bede6e9c29735314f42f4bd773e09 Mon Sep 17 00:00:00 2001
From: Beniamino Galvani <bgalvani@redhat.com>
Date: Tue, 14 May 2019 15:27:45 +0200
Subject: [PATCH 3/3] ifcfg-rh: use PKCS #12 private key also as client cert in
reader

Before commit e3ac45c02610 the reader set the private key in the
setting using the libnm function, which also set the key as client
certificate if it was in PKCS #12 format.

After the commit, existing connections with a PKCS #12 private key but
without a client certificate became invalid. Restore the old behavior.

Fixes: e3ac45c02610 ('ifcfg-rh: don't use 802-1x certifcate setter functions')
(cherry picked from commit 9a410fc312c50ac405c57ff4e9eb692e798e248d)
(cherry picked from commit 51896e1e6b24e0b5d6aefce3c4945d27a5b9f5b7)
---
Makefile.am | 2 ++
.../plugins/ifcfg-rh/nms-ifcfg-rh-reader.c | 28 ++++++++++++++++--
.../plugins/ifcfg-rh/nms-ifcfg-rh-writer.c | 21 +++++++++----
...fg-test-wired-8021x-tls-p12-no-client-cert | 13 ++++++++
.../tests/network-scripts/test_client.p12 | Bin 0 -> 2848 bytes
.../plugins/ifcfg-rh/tests/test-ifcfg-rh.c | 23 ++++++++++++++
6 files changed, 79 insertions(+), 8 deletions(-)
create mode 100644 src/settings/plugins/ifcfg-rh/tests/network-scripts/ifcfg-test-wired-8021x-tls-p12-no-client-cert
create mode 100644 src/settings/plugins/ifcfg-rh/tests/network-scripts/test_client.p12

diff --git a/Makefile.am b/Makefile.am
index d78bfdeda..8c470df31 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -3014,6 +3014,7 @@ EXTRA_DIST += \
src/settings/plugins/ifcfg-rh/tests/network-scripts/ifcfg-test-wired-8021x-peap-mschapv2 \
src/settings/plugins/ifcfg-rh/tests/network-scripts/ifcfg-test-wired-8021x-tls-agent \
src/settings/plugins/ifcfg-rh/tests/network-scripts/ifcfg-test-wired-8021x-tls-always \
+ src/settings/plugins/ifcfg-rh/tests/network-scripts/ifcfg-test-wired-8021x-tls-p12-no-client-cert \
src/settings/plugins/ifcfg-rh/tests/network-scripts/ifcfg-test-wired-auto-negotiate-on \
src/settings/plugins/ifcfg-rh/tests/network-scripts/ifcfg-test-wired-autoip \
src/settings/plugins/ifcfg-rh/tests/network-scripts/ifcfg-test-wired-ctc-static \
@@ -3083,6 +3084,7 @@ EXTRA_DIST += \
src/settings/plugins/ifcfg-rh/tests/network-scripts/route6-test-wired-ipv6-manual \
src/settings/plugins/ifcfg-rh/tests/network-scripts/test1_key_and_cert.pem \
src/settings/plugins/ifcfg-rh/tests/network-scripts/test_ca_cert.pem \
+ src/settings/plugins/ifcfg-rh/tests/network-scripts/test_client.p12 \
$(NULL)

# make target dependencies can't have colons in their names, which ends up
diff --git a/src/settings/plugins/ifcfg-rh/nms-ifcfg-rh-reader.c b/src/settings/plugins/ifcfg-rh/nms-ifcfg-rh-reader.c
index da3b89e1a..317e22f7a 100644
--- a/src/settings/plugins/ifcfg-rh/nms-ifcfg-rh-reader.c
+++ b/src/settings/plugins/ifcfg-rh/nms-ifcfg-rh-reader.c
@@ -3071,6 +3071,10 @@ eap_tls_reader (const char *eap_method,
gs_unref_bytes GBytes *privkey = NULL;
gs_unref_bytes GBytes *client_cert = NULL;
gs_free char *identity_free = NULL;
+ gs_free char *value_to_free = NULL;
+ const char *client_cert_var;
+ const char *client_cert_prop;
+ NMSetting8021xCKFormat format;

g_object_set (s_8021x,
NM_SETTING_802_1X_IDENTITY,
@@ -3106,10 +3110,12 @@ eap_tls_reader (const char *eap_method,
phase2 ? NM_SETTING_802_1X_PHASE2_PRIVATE_KEY_PASSWORD : NM_SETTING_802_1X_PRIVATE_KEY_PASSWORD);

/* Client certificate */
+ client_cert_var = phase2 ? "IEEE_8021X_INNER_CLIENT_CERT" : "IEEE_8021X_CLIENT_CERT";
+ client_cert_prop = phase2 ? NM_SETTING_802_1X_PHASE2_CLIENT_CERT : NM_SETTING_802_1X_CLIENT_CERT;
if (!_cert_set_from_ifcfg (s_8021x,
ifcfg,
- phase2 ? "IEEE_8021X_INNER_CLIENT_CERT" : "IEEE_8021X_CLIENT_CERT",
- phase2 ? NM_SETTING_802_1X_PHASE2_CLIENT_CERT : NM_SETTING_802_1X_CLIENT_CERT,
+ client_cert_var,
+ client_cert_prop,
&client_cert,
error))
return FALSE;
@@ -3119,6 +3125,24 @@ eap_tls_reader (const char *eap_method,
phase2 ? "IEEE_8021X_INNER_CLIENT_CERT_PASSWORD" : "IEEE_8021X_CLIENT_CERT_PASSWORD",
phase2 ? NM_SETTING_802_1X_PHASE2_CLIENT_CERT_PASSWORD : NM_SETTING_802_1X_CLIENT_CERT_PASSWORD);

+ /* In the past when the private key and client certificate
+ * were the same PKCS #12 file we used to write only the
+ * private key variable. Still support that even if it means
+ * that we have to look into the file content, which makes
+ * the connection not self-contained.
+ */
+ if ( !client_cert
+ && privkey
+ && !svGetValue (ifcfg, client_cert_var, &value_to_free)) {
+ if (phase2)
+ format = nm_setting_802_1x_get_phase2_private_key_format (s_8021x);
+ else
+ format = nm_setting_802_1x_get_private_key_format (s_8021x);
+
+ if (format == NM_SETTING_802_1X_CK_FORMAT_PKCS12)
+ g_object_set (s_8021x, client_cert_prop, privkey, NULL);
+ }
+
return TRUE;
}

diff --git a/src/settings/plugins/ifcfg-rh/nms-ifcfg-rh-writer.c b/src/settings/plugins/ifcfg-rh/nms-ifcfg-rh-writer.c
index 90f06e183..6e2bc8493 100644
--- a/src/settings/plugins/ifcfg-rh/nms-ifcfg-rh-writer.c
+++ b/src/settings/plugins/ifcfg-rh/nms-ifcfg-rh-writer.c
@@ -209,6 +209,7 @@ write_object (NMSetting8021x *s_8021x,
GHashTable *secrets,
GHashTable *blobs,
const Setting8021xSchemeVtable *objtype,
+ gboolean force_write,
GError **error)
{
NMSetting8021xCKScheme scheme;
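Review bot: The new `force_write` parameter of write_object() is added without any description, and its effect is only visible in the following hunk, where `svSetValue (ifcfg, objtype->ifcfg_rh_key, force_write ? "" : NULL)` replaces the former `svUnsetValue()` and chooses between writing an empty variable and removing it. I would document it at the function head, for example `/* @force_write: in the branch that used to unset the key, write it with an empty value instead */`. The bare `FALSE` and `!!svGetValue (...)` arguments at the call sites in write_8021x_certs() say little on their own, so the comment matters for the next reader. write_object()'s body lies outside this hunk.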
@@ -287,7 +288,7 @@ write_object (NMSetting8021x *s_8021x,
*/
standard_file = utils_cert_path (svFileGetName (ifcfg), objtype->vtable->file_suffix, extension);
g_hash_table_replace (blobs, standard_file, NULL);
- svUnsetValue (ifcfg, objtype->ifcfg_rh_key);
+ svSetValue (ifcfg, objtype->ifcfg_rh_key, force_write ? "" : NULL);
return TRUE;
}

@@ -338,31 +339,39 @@ write_8021x_certs (NMSetting8021x *s_8021x,
shvarFile *ifcfg,
GError **error)
{
- const Setting8021xSchemeVtable *otype = NULL;
+ const Setting8021xSchemeVtable *pk_otype = NULL;
+ gs_free char *value_to_free = NULL;

/* CA certificate */
if (!write_object (s_8021x, ifcfg, secrets, blobs,
phase2
? &setting_8021x_scheme_vtable[NM_SETTING_802_1X_SCHEME_TYPE_PHASE2_CA_CERT]
: &setting_8021x_scheme_vtable[NM_SETTING_802_1X_SCHEME_TYPE_CA_CERT],
+ FALSE,
error))
return FALSE;

/* Private key */
if (phase2)
- otype = &setting_8021x_scheme_vtable[NM_SETTING_802_1X_SCHEME_TYPE_PHASE2_PRIVATE_KEY];
+ pk_otype = &setting_8021x_scheme_vtable[NM_SETTING_802_1X_SCHEME_TYPE_PHASE2_PRIVATE_KEY];
else
- otype = &setting_8021x_scheme_vtable[NM_SETTING_802_1X_SCHEME_TYPE_PRIVATE_KEY];
+ pk_otype = &setting_8021x_scheme_vtable[NM_SETTING_802_1X_SCHEME_TYPE_PRIVATE_KEY];

/* Save the private key */
- if (!write_object (s_8021x, ifcfg, secrets, blobs, otype, error))
+ if (!write_object (s_8021x, ifcfg, secrets, blobs, pk_otype, FALSE, error))
return FALSE;

- /* Save the client certificate */
+ /* Save the client certificate.
+ * If there is a private key, always write a property for the
+ * client certificate even if it is empty, so that the reader
+ * doesn't have to read the private key file to determine if it
+ * is a PKCS #12 one which serves also as client certificate.
+ */
if (!write_object (s_8021x, ifcfg, secrets, blobs,
phase2
? &setting_8021x_scheme_vtable[NM_SETTING_802_1X_SCHEME_TYPE_PHASE2_CLIENT_CERT]
: &setting_8021x_scheme_vtable[NM_SETTING_802_1X_SCHEME_TYPE_CLIENT_CERT],
+ !!svGetValue (ifcfg, pk_otype->ifcfg_rh_key, &value_to_free),
error))
return FALSE;

--
2.20.1

39526
SOURCES/1010-translations-rh1689962.patch

File diff suppressed because it is too large Load Diff

39
SOURCES/1011-cli-editor-no-wait-on-failure-rh1702203.patch

@ -0,0 +1,39 @@ @@ -0,0 +1,39 @@
From ac383b87ffd097b67b0b1cd2818df0e41bb17903 Mon Sep 17 00:00:00 2001
From: Beniamino Galvani <bgalvani@redhat.com>
Date: Tue, 23 Apr 2019 22:24:36 +0200
Subject: [PATCH] cli: don't wait for connection change on update failure

When saving a connection, we wait the connection-changed signal before
proceeding to ensure that the remote connection is up to date.
However, no signal is emitted if the update fails and so we shouldn't
wait for it.

Fixes: a370faeb59a9 ('cli: wait for changed signal after updating a connection'):

https://gitlab.freedesktop.org/NetworkManager/NetworkManager/merge_requests/124
https://bugzilla.redhat.com/show_bug.cgi?id=1702203
(cherry picked from commit 2d347e7e176e7cb8daaa2e02b0758821fc3f5f04)
(cherry picked from commit 3423629ff0fc65c16c2a4c541a5fc3435cd72091)
---
clients/cli/connections.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/clients/cli/connections.c b/clients/cli/connections.c
index 034fc19f5..7bfbe0b6a 100644
--- a/clients/cli/connections.c
+++ b/clients/cli/connections.c
@@ -7817,8 +7817,10 @@ editor_menu_main (NmCli *nmc, NMConnection *connection, const char *connection_t
while (!nmc_editor_cb_called && !timeout)
g_main_context_iteration (NULL, TRUE);

- while (!connection_changed && !timeout)
- g_main_context_iteration (NULL, TRUE);
+ if (!nmc_editor_error) {
+ while (!connection_changed && !timeout)
+ g_main_context_iteration (NULL, TRUE);
+ }

if (handler_id)
g_signal_handler_disconnect (rem_con, handler_id);
--
2.20.1

36
SOURCES/1012-team-fix-validate-send-always-flags-rh1720153.patch

@ -0,0 +1,36 @@ @@ -0,0 +1,36 @@
From 42c7f7dfee122b9da446c0e985187e0dc66ecb09 Mon Sep 17 00:00:00 2001
From: Beniamino Galvani <bgalvani@redhat.com>
Date: Fri, 14 Jun 2019 16:31:53 +0200
Subject: [PATCH] libnm-core: fix conversion to json of team watcher flags

Team watcher flags are boolean objects: persist them as such and not
as strings.

Fixes: e59878ce1911f3930c60a104673b59fb3c5ae001
https://bugzilla.redhat.com/show_bug.cgi?id=1720153
(cherry picked from commit 28c3692023fe65d5a6def93774ff1ac7f07e27f0)
---
libnm-core/nm-utils.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/libnm-core/nm-utils.c b/libnm-core/nm-utils.c
index 394ca7c3a..6d8a0fe32 100644
--- a/libnm-core/nm-utils.c
+++ b/libnm-core/nm-utils.c
@@ -5786,11 +5786,11 @@ _nm_utils_team_link_watcher_to_json (NMTeamLinkWatcher *watcher)

flags = nm_team_link_watcher_get_flags (watcher);
if (flags & NM_TEAM_LINK_WATCHER_ARP_PING_FLAG_VALIDATE_ACTIVE)
- json_object_set_new (json_element, "validate_active", json_string ("true"));
+ json_object_set_new (json_element, "validate_active", json_true ());
if (flags & NM_TEAM_LINK_WATCHER_ARP_PING_FLAG_VALIDATE_INACTIVE)
- json_object_set_new (json_element, "validate_inactive", json_string ("true"));
+ json_object_set_new (json_element, "validate_inactive", json_true ());
if (flags & NM_TEAM_LINK_WATCHER_ARP_PING_FLAG_SEND_ALWAYS)
- json_object_set_new (json_element, "send_always", json_string ("true"));
+ json_object_set_new (json_element, "send_always", json_true ());

return json_element;

--
2.20.1

203
SOURCES/1013-ovs-slaves-restart-fixes-rh1733709.patch

@ -0,0 +1,203 @@ @@ -0,0 +1,203 @@
From 8775e71d12bf26f4153d12dcb20e8e92ba6f0189 Mon Sep 17 00:00:00 2001
From: Beniamino Galvani <bgalvani@redhat.com>
Date: Mon, 29 Jul 2019 16:13:27 +0200
Subject: [PATCH 1/3] ovs: don't release slaves on quit

An OVS bridge and its slaves can continue to work even after NM has
quit. Keep the interface enslaved when the @configure argument of
device->release_slave() is FALSE, which happens on quit and in other
circumstances when we don't really want to release the slave from its
master.

https://bugzilla.redhat.com/show_bug.cgi?id=1733709
https://gitlab.freedesktop.org/NetworkManager/NetworkManager/merge_requests/215
(cherry picked from commit ccd4be4014f9f4cfdd0d298ff387ee7558d5f3a5)
(cherry picked from commit a1f39b69e0b09b7ab02513e34bd41276808ad778)
---
src/devices/ovs/nm-device-ovs-port.c | 19 ++++++++++++-------
1 file changed, 12 insertions(+), 7 deletions(-)

diff --git a/src/devices/ovs/nm-device-ovs-port.c b/src/devices/ovs/nm-device-ovs-port.c
index 35eb739f9..8a93a5a9d 100644
--- a/src/devices/ovs/nm-device-ovs-port.c
+++ b/src/devices/ovs/nm-device-ovs-port.c
@@ -140,13 +140,18 @@ del_iface_cb (GError *error, gpointer user_data)
static void
release_slave (NMDevice *device, NMDevice *slave, gboolean configure)
{
- nm_ovsdb_del_interface (nm_ovsdb_get (), nm_device_get_iface (slave),
- del_iface_cb, g_object_ref (slave));
-
- /* Open VSwitch is going to delete this one. We must ignore what happens
- * next with the interface. */
- if (NM_IS_DEVICE_OVS_INTERFACE (slave))
- nm_device_update_from_platform_link (slave, NULL);
+ NMDeviceOvsPort *self = NM_DEVICE_OVS_PORT (device);
+
+ if (configure) {
+ _LOGI (LOGD_DEVICE, "releasing ovs interface %s", nm_device_get_ip_iface (slave));
+ nm_ovsdb_del_interface (nm_ovsdb_get (), nm_device_get_iface (slave),
+ del_iface_cb, g_object_ref (slave));
+ /* Open VSwitch is going to delete this one. We must ignore what happens
+ * next with the interface. */
+ if (NM_IS_DEVICE_OVS_INTERFACE (slave))
+ nm_device_update_from_platform_link (slave, NULL);
+ } else
+ _LOGI (LOGD_DEVICE, "ovs interface %s was released", nm_device_get_ip_iface (slave));
}

/*****************************************************************************/
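Review bot: Both new `_LOGI` lines name the interface with `nm_device_get_ip_iface (slave)` while the delete request right below uses `nm_device_get_iface (slave)`, so the log can show a different name from the one sent to ovsdb if the two ever differ. I would log `nm_device_get_iface (slave)` in both messages. The `else` text `"ovs interface %s was released"` also reads as if something was removed, although per the commit message that branch deliberately keeps the interface enslaved; a wording such as `"ovs interface %s is left enslaved"` would match what happens. The `if (configure) { … } else` pair mixes a braced and an unbraced arm.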
--
2.21.0

From 846a67ab95bc5f3e36099a45b0f2131c6346ef6a Mon Sep 17 00:00:00 2001
From: Beniamino Galvani <bgalvani@redhat.com>
Date: Tue, 30 Jul 2019 11:03:59 +0200
Subject: [PATCH 2/3] device: check platform link compatibility when setting
nm-owned flag

We set nm-owned to indicate whether a software device was created by
NM or it was pre-existing. When checking the existence, we must verify
also whether the link type is compatible with the device, otherwise it
is possible to match unrelated interfaces. For example, when checking
for the existence of an ovs-bridge (which is not compatible with any
platform link) we could match a unrelated platform link with the same
name.

https://bugzilla.redhat.com/show_bug.cgi?id=1733709
(cherry picked from commit 3cb4b36261684aa3d2676f922c6d53bc31085153)
(cherry picked from commit cb20d0791a6daf20d64f4cd57d6bd4b60e35a9a0)
(cherry picked from commit 511ef27d5eaf6fd0577b867d9d31de3bee0440fe)
---
src/devices/nm-device.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/src/devices/nm-device.c b/src/devices/nm-device.c
index 9ad69998b..eaf72a7a0 100644
--- a/src/devices/nm-device.c
+++ b/src/devices/nm-device.c
@@ -4106,13 +4106,14 @@ nm_device_create_and_realize (NMDevice *self,
{
nm_auto_nmpobj const NMPObject *plink_keep_alive = NULL;
NMDevicePrivate *priv = NM_DEVICE_GET_PRIVATE (self);
- const NMPlatformLink *plink = NULL;
+ const NMPlatformLink *plink;

/* Must be set before device is realized */
- priv->nm_owned = !nm_platform_link_get_by_ifname (nm_device_get_platform (self), priv->iface);
-
+ plink = nm_platform_link_get_by_ifname (nm_device_get_platform (self), priv->iface);
+ priv->nm_owned = !plink || !link_type_compatible (self, plink->type, NULL, NULL);
_LOGD (LOGD_DEVICE, "create (is %snm-owned)", priv->nm_owned ? "" : "not ");

+ plink = NULL;
/* Create any resources the device needs */
if (NM_DEVICE_GET_CLASS (self)->create_and_realize) {
if (!NM_DEVICE_GET_CLASS (self)->create_and_realize (self, connection, parent, &plink, error))
--
2.21.0

From 70ada1a2c9e936ec5abe737e1eb80463ff4fba60 Mon Sep 17 00:00:00 2001
From: Beniamino Galvani <bgalvani@redhat.com>
Date: Wed, 31 Jul 2019 11:40:35 +0200
Subject: [PATCH 3/3] device: fix releasing slaves

Not all masters type have a platform link and so it's wrong to check
for it to decide whether the slave should be really released. Move the
check to master devices that need it (bond, bridge and team).

OVS ports don't need the check because they don't call to platform to
remove a slave.

https://bugzilla.redhat.com/show_bug.cgi?id=1733709
(cherry picked from commit 57e3734b6cc1bb453216c7e2150a698114507a46)
(cherry picked from commit ec1b5fb019929441fdcdf6bf7c54a2856ad61976)
(cherry picked from commit f6a90b899ab01d6dc2635faf6bc8d72839a9064c)
---
src/devices/nm-device-bond.c | 6 ++++++
src/devices/nm-device-bridge.c | 6 ++++++
src/devices/nm-device.c | 7 +------
src/devices/team/nm-device-team.c | 6 ++++++
4 files changed, 19 insertions(+), 6 deletions(-)

diff --git a/src/devices/nm-device-bond.c b/src/devices/nm-device-bond.c
index 37159fca8..790f00d44 100644
--- a/src/devices/nm-device-bond.c
+++ b/src/devices/nm-device-bond.c
@@ -413,6 +413,12 @@ release_slave (NMDevice *device,
NMDeviceBond *self = NM_DEVICE_BOND (device);
gboolean success;
gs_free char *address = NULL;
+ int ifindex;
+
+ ifindex = nm_device_get_ifindex (device);
+ if ( ifindex <= 0
+ || !nm_platform_link_get (nm_device_get_platform (device), ifindex))
+ configure = FALSE;

if (configure) {
/* When the last slave is released the bond MAC will be set to a random
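Review bot: The same check, `ifindex = nm_device_get_ifindex (device);` followed by `if (ifindex <= 0 || !nm_platform_link_get (nm_device_get_platform (device), ifindex)) configure = FALSE;`, is pasted into release_slave() here and again in the nm-device-bridge.c and team/nm-device-team.c hunks of this patch. A single helper shared by the three master types would keep the copies from drifting apart. The block also overwrites the `configure` argument without explanation; a comment such as `/* the master has no platform link any more: nothing to unconfigure */` would say why. release_slave() continues outside the hunk in all three files.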
diff --git a/src/devices/nm-device-bridge.c b/src/devices/nm-device-bridge.c
index 4275af912..e81bcd5d2 100644
--- a/src/devices/nm-device-bridge.c
+++ b/src/devices/nm-device-bridge.c
@@ -625,6 +625,12 @@ release_slave (NMDevice *device,
{
NMDeviceBridge *self = NM_DEVICE_BRIDGE (device);
gboolean success;
+ int ifindex;
+
+ ifindex = nm_device_get_ifindex (device);
+ if ( ifindex <= 0
+ || !nm_platform_link_get (nm_device_get_platform (device), ifindex))
+ configure = FALSE;

if (configure) {
success = nm_platform_link_release (nm_device_get_platform (device),
diff --git a/src/devices/nm-device.c b/src/devices/nm-device.c
index eaf72a7a0..5bb7a592e 100644
--- a/src/devices/nm-device.c
+++ b/src/devices/nm-device.c
@@ -4851,7 +4851,6 @@ nm_device_master_release_slaves (NMDevice *self)
{
NMDevicePrivate *priv = NM_DEVICE_GET_PRIVATE (self);
NMDeviceStateReason reason;
- gboolean configure = TRUE;
CList *iter, *safe;

/* Don't release the slaves if this connection doesn't belong to NM. */
@@ -4862,14 +4861,10 @@ nm_device_master_release_slaves (NMDevice *self)
if (priv->state == NM_DEVICE_STATE_FAILED)
reason = NM_DEVICE_STATE_REASON_DEPENDENCY_FAILED;

- if ( priv->ifindex <= 0
- || !nm_platform_link_get (nm_device_get_platform (self), priv->ifindex))
- configure = FALSE;
-
c_list_for_each_safe (iter, safe, &priv->slaves) {
SlaveInfo *info = c_list_entry (iter, SlaveInfo, lst_slave);

- nm_device_master_release_one_slave (self, info->slave, configure, reason);
+ nm_device_master_release_one_slave (self, info->slave, TRUE, reason);
}
}

diff --git a/src/devices/team/nm-device-team.c b/src/devices/team/nm-device-team.c
index 4ae276dbf..7afd18606 100644
--- a/src/devices/team/nm-device-team.c
+++ b/src/devices/team/nm-device-team.c
@@ -774,6 +774,12 @@ release_slave (NMDevice *device,
NMDeviceTeam *self = NM_DEVICE_TEAM (device);
NMDeviceTeamPrivate *priv = NM_DEVICE_TEAM_GET_PRIVATE (self);
gboolean success;
+ int ifindex;
+
+ ifindex = nm_device_get_ifindex (device);
+ if ( ifindex <= 0
+ || !nm_platform_link_get (nm_device_get_platform (device), ifindex))
+ configure = FALSE;

if (configure) {
success = nm_platform_link_release (nm_device_get_platform (device),
--
2.21.0