Ján Tomko [Fri, 14 Jun 2019 07:16:14 +0000 (09:16 +0200)]
api: disallow virConnectGetDomainCapabilities on read-only connections
This API can be used to execute arbitrary emulators.
Forbid it on read-only connections.
Fixes: CVE-2019-10167 Signed-off-by: Ján Tomko <jtomko@redhat.com> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
(cherry picked from commit 8afa68bac0cf99d1f8aaa6566685c43c22622f26) Signed-off-by: Ján Tomko <jtomko@redhat.com>
Ján Tomko [Fri, 14 Jun 2019 06:47:42 +0000 (08:47 +0200)]
api: disallow virDomainSaveImageGetXMLDesc on read-only connections
The virDomainSaveImageGetXMLDesc API is taking a path parameter,
which can point to any path on the system. This file will then be
read and parsed by libvirtd running with root privileges.
Forbid it on read-only connections.
Fixes: CVE-2019-10161 Reported-by: Matthias Gerstner <mgerstner@suse.de> Signed-off-by: Ján Tomko <jtomko@redhat.com> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
(cherry picked from commit aed6a032cead4386472afb24b16196579e239580) Signed-off-by: Ján Tomko <jtomko@redhat.com>
Conflicts:
src/libvirt-domain.c
src/remote/remote_protocol.x
Upstream commit 12a51f372 which introduced the VIR_DOMAIN_SAVE_IMAGE_XML_SECURE
alias for VIR_DOMAIN_XML_SECURE is not backported.
Just skip the commit since we now disallow the whole API on read-only
connections, regardless of the flag.
Fix the regex for excluding files for this syntax-rule. The rule "include/"
will not work, because we are matching the whole line like this
"^(...|include/|...)$ so we need to use "include/libvirt/libvirt.+". The second
issue is that we are using only one '$' but there should be two of those at the
end. The last small adjustment is to escape dots '.' so it match only dot.
Eric Blake [Wed, 24 Feb 2016 22:02:44 +0000 (15:02 -0700)]
build: accomodate selinux 2.5 header API change
Yet again, selinux has been adding const-correctness; this change
is ABI-compatible, but breaks API, which affects us when we try to
override things in our testsuite:
../../tests/securityselinuxhelper.c:307:24: error: conflicting types for 'selabel_open'
struct selabel_handle *selabel_open(unsigned int backend,
^~~~~~~~~~~~
In file included from ../../tests/securityselinuxhelper.c:32:0:
/usr/include/selinux/label.h:73:24: note: previous declaration of 'selabel_open' was here
The problem is a new 'const' prior to the second parameter.
Fix it the same way we did in commit 292d3f2d: check for the new
const at configure time.
While trying to build with -Os couple of compile errors showed
up.
conf/domain_conf.c: In function 'virDomainChrRemove':
conf/domain_conf.c:13666:24: error: 'ret' may be used uninitialized in this function [-Werror=maybe-uninitialized]
virDomainChrDefPtr ret, **arrPtr = NULL;
^
Compiler fails to see that @ret is used only if set in the loop,
but whatever, there's no harm in initializing the variable.
In vboxAttachDrivesNew and _vboxAttachDrivesOld compiler thinks
that @rc may be used uninitialized. Well, not directly, but maybe
after some optimization. Yet again, no harm in initializing a
variable.
In file included from ./util/virthread.h:26:0,
from ./datatypes.h:28,
from vbox/vbox_tmpl.c:43,
from vbox/vbox_V3_1.c:37:
vbox/vbox_tmpl.c: In function '_vboxAttachDrivesOld':
./util/virerror.h:181:5: error: 'rc' may be used uninitialized in this function [-Werror=maybe-uninitialized]
virReportErrorHelper(VIR_FROM_THIS, code, __FILE__, \
^
In file included from vbox/vbox_V3_1.c:37:0:
vbox/vbox_tmpl.c:1041:14: note: 'rc' was declared here
nsresult rc;
^
Yet again, one uninitialized variable:
qemu/qemu_driver.c: In function 'qemuDomainBlockCommit':
qemu/qemu_driver.c:17194:9: error: 'baseSource' may be used uninitialized in this function [-Werror=maybe-uninitialized]
qemuDomainPrepareDiskChainElement(driver, vm, baseSource,
^
And another one:
storage/storage_backend_logical.c: In function 'virStorageBackendLogicalMatchPoolSource.isra.2':
storage/storage_backend_logical.c:618:33: error: 'thisSource' may be used uninitialized in this function [-Werror=maybe-uninitialized]
thisSource->devices[j].path))
^
A function call with an empty bitmap leads to undefined
behavior. Because if 'bitmap->map_len == 0' 'unusedBits' will be <= 0
and 'sz == 1'. So the non global and non static variable 'bits' would
have never been set. Consequently the check 'bits == 0' results in
undefined behavior.
This patch clarifies the current version of the function by handling the
empty bitmap explicitly. Also, for an empty bitmap there is obviously no
bit set so we can just return -1 (indicating no bit set) right away. The
explicit check for 'bits == 0' after the loop is unnecessary because we
only get to this point if no set bit was found.
Reviewed-by: Boris Fiuczynski <fiuczy@linux.vnet.ibm.com> Reviewed-by: Sascha Silbe <silbe@linux.vnet.ibm.com> Reviewed-by: Bjoern Walk <bwalk@linux.vnet.ibm.com> Signed-off-by: Marc Hartmayer <mhartmay@linux.vnet.ibm.com>
(cherry picked from commit 7cd01a248b3995909adad29a6edbe76d3d16510f)
When building using -Og, gcc sees that some variables can be used
uninitialized It can be debatable whether it is possible with our
codeflow, but functions should be self-contained and initializations are
always good. The return instead of goto is due to actualType being used
in the cleanup.
There is a logic in place that if there is no real need for
memory-backend-file, qemuBuildMemoryBackendStr() returns 0. However
that wasn't the case with hugepage backing. The reason for that was
that we abused the 'pagesize' variable for storing that information, but
we should rather have a separate one that specifies whether we really
need the new object for hugepage backing. And that variable should be
set only if this particular NUMA cell needs special treatment WRT
hugepages.
Jiri Denemark [Tue, 28 Jun 2016 12:39:58 +0000 (14:39 +0200)]
qemu: Let empty default VNC password work as documented
CVE-2016-5008
Setting an empty graphics password is documented as a way to disable
VNC/SPICE access, but QEMU does not always behaves like that. VNC would
happily accept the empty password. Let's enforce the behavior by setting
password expiration to "now".
Since commit 714080791778e3dfbd484ccb3953bffd820b8ba9 we are generating
socket path later than before -- when starting a domain. That makes one
particular inconsistent state of a chardev, which was not possible
before, currently valid. However, SELinux security driver forgot to
guard the main restoring function by a check for NULL-paths. So make it
no-op for NULL paths, as in the DAC driver.
Signed-off-by: Martin Kletzander <mkletzan@redhat.com>
(cherry picked from commit 1794a0103ae4fa91d9c11617e7981471173e27ce) Signed-off-by: Martin Kletzander <mkletzan@redhat.com>
In my previous commit a70f3b1c779120129 I've tried to fix case
when building from VPATH and a file wasn't being installed.
However, my fix broke non-VPATH build.
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
(cherry picked from commit 0d0e41a71910e0415a924648f44a0b00389a576a) Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Michal Privoznik [Sat, 30 Jan 2016 10:55:45 +0000 (11:55 +0100)]
includes: Install libvirt-common.h
The libvirt-common.h is build time generated file from .in.
Obviously, it's generated into builddir and not srcdir. Problem
is, the list of header files to install, virinc_HEADERS contains
only $(srcdir)/*.h and this misses libvirt-common.h. This problem
is pretty obvious when doing a VPATH build.
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
(cherry picked from commit a70f3b1c77912012905c6c5be3bf37b05592e80f) Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Michal Privoznik [Mon, 18 Jan 2016 10:13:22 +0000 (11:13 +0100)]
virLogManagerDomainReadLogFile: Don't do dummy allocs
Since we pass dummy variables @fdout and @fdoutlen into
virNetClientProgramCall() we make it alloc @fdout array (even
though it's an array of 0 elements since vitlogd can hardly pass
us some FDs at this stage). Nevertheless, it's an allocation not
followed by free():
==29385== 0 bytes in 60 blocks are definitely lost in loss record 2 of 1,009
==29385== at 0x4C2C070: calloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==29385== by 0x54B99EF: virAllocN (viralloc.c:191)
==29385== by 0x56821B1: virNetClientProgramCall (virnetclientprogram.c:359)
==29385== by 0x563B304: virLogManagerDomainReadLogFile (log_manager.c:272)
==29385== by 0x217CD613: qemuDomainLogContextRead (qemu_domain.c:2485)
==29385== by 0x217EDC76: qemuProcessReadLog (qemu_process.c:1660)
==29385== by 0x217EDE1D: qemuProcessReportLogError (qemu_process.c:1696)
==29385== by 0x217EE8C1: qemuProcessWaitForMonitor (qemu_process.c:1957)
==29385== by 0x217F6636: qemuProcessLaunch (qemu_process.c:4955)
==29385== by 0x217F71A4: qemuProcessStart (qemu_process.c:5152)
==29385== by 0x21846582: qemuDomainObjStart (qemu_driver.c:7396)
==29385== by 0x218467DE: qemuDomainCreateWithFlags (qemu_driver.c:7450)
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
(cherry picked from commit c03fbecc7cd463900d0291034e873f00062a75db) Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Michal Privoznik [Mon, 18 Jan 2016 09:50:14 +0000 (10:50 +0100)]
qemuProcessReadLog: Fix memmove arguments
So I can observe this crasher that with freshly started daemon
(and virtlogd enabled) I am trying to startup a domain that
immediately dies (because it's said to use huge pages but I
haven't allocated a single one in the pool). Hardly reproducible
with -O0 or under valgrind. But I just got lucky:
==20469== Invalid write of size 8
==20469== at 0x4C2E99B: memcpy@GLIBC_2.2.5 (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==20469== by 0x217EDD07: qemuProcessReadLog (qemu_process.c:1670)
==20469== by 0x217EDE1D: qemuProcessReportLogError (qemu_process.c:1696)
==20469== by 0x217EE8C1: qemuProcessWaitForMonitor (qemu_process.c:1957)
==20469== by 0x217F6636: qemuProcessLaunch (qemu_process.c:4955)
==20469== by 0x217F71A4: qemuProcessStart (qemu_process.c:5152)
==20469== by 0x21846582: qemuDomainObjStart (qemu_driver.c:7396)
==20469== by 0x218467DE: qemuDomainCreateWithFlags (qemu_driver.c:7450)
==20469== by 0x21846845: qemuDomainCreate (qemu_driver.c:7468)
==20469== by 0x5611CD0: virDomainCreate (libvirt-domain.c:6753)
==20469== by 0x125D9A: remoteDispatchDomainCreate (remote_dispatch.h:3613)
==20469== by 0x125CB7: remoteDispatchDomainCreateHelper (remote_dispatch.h:3589)
==20469== Address 0x27a52ad0 is 0 bytes after a block of size 5,584 alloc'd
==20469== at 0x4C29F80: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==20469== by 0x9B8D1DB: xdr_string (in /lib64/libc-2.21.so)
==20469== by 0x563B39C: xdr_virLogManagerProtocolNonNullString (log_protocol.c:24)
==20469== by 0x563B6B7: xdr_virLogManagerProtocolDomainReadLogFileRet (log_protocol.c:123)
==20469== by 0x164B34: virNetMessageDecodePayload (virnetmessage.c:407)
==20469== by 0x5682360: virNetClientProgramCall (virnetclientprogram.c:379)
==20469== by 0x563B30E: virLogManagerDomainReadLogFile (log_manager.c:272)
==20469== by 0x217CD613: qemuDomainLogContextRead (qemu_domain.c:2485)
==20469== by 0x217EDC76: qemuProcessReadLog (qemu_process.c:1660)
==20469== by 0x217EDE1D: qemuProcessReportLogError (qemu_process.c:1696)
==20469== by 0x217EE8C1: qemuProcessWaitForMonitor (qemu_process.c:1957)
==20469== by 0x217F6636: qemuProcessLaunch (qemu_process.c:4955)
This points to memmove() in qemuProcessReadLog(). Imagine we just
read the following string from qemu:
After the first pass of the while() loop in the
qemuProcessReadLog() (in which we have taken the false branch in
the if) @buf still points to the beginning of the string,
@filter_next points to the beginning of the second line. So we
start second iteration because there is yet another newline
character at the end. In this iteration @eol points to it
actually. Now, the control gets inside true branch of if(). Just
to remind you:
got = 58
filter_next = buf + 5,
eol = buf + 58.
Therefore skip = 54 which is correct. The message we want to skip
is 54 bytes long. However:
memmove(filter_next, eol + 1, (got - skip) +1);
which is
memmove(filter_next, eol + 1, 5)
is obviously wrong as there is only one byte we can access, not 5!
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
(cherry picked from commit 105b51f42ecd26914186239f36e73ee1e5e990c1) Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Jiri Denemark [Fri, 15 Jan 2016 15:34:37 +0000 (16:34 +0100)]
security: Do not restore labels on device tree binary
A device tree binary file specified by /domain/os/dtb element is a
read-only resource similar to kernel and initrd files. We shouldn't
restore its label when destroying a domain to avoid breaking other
domains configure with the same device tree.
Jiri Denemark [Fri, 15 Jan 2016 09:55:58 +0000 (10:55 +0100)]
security: Do not restore kernel and initrd labels
Kernel/initrd files are essentially read-only shareable images and thus
should be handled in the same way. We already use the appropriate label
for kernel/initrd files when starting a domain, but when a domain gets
destroyed we would remove the labels which would make other running
domains using the same files very unhappy.
Yaniv Kaul [Fri, 15 Jan 2016 07:33:49 +0000 (08:33 +0100)]
qemu: Print better warning in qemuAgentNotifyEvent
We have this function qemuAgentNotifyEvent() which is supposed to
be called from thread pool responsible for processing qemu
monitor events. The function then should wake up other thread
that is waiting for a guest to shutdown or reboot. However, if we
have received a different error a warning is printed out. This
warning lacks info on which event is expected.
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
John Ferlan [Tue, 22 Dec 2015 14:46:01 +0000 (09:46 -0500)]
cgroup: Fix possible bug as a result of code motion for vcpu cgroup setup
Commit id '90b721e43' moved where the virCgroupAddTask was made until
after the check for the vcpupin checks. However, in doing so it missed
an option where if the cpumap didn't exist, then the code would continue
back to the top of the current vcpu loop. The results was that the
virCgroupAddTask wouldn't be called.
After much testing and upstream discussion this has been deemed to be
the incorrect operation since it means we no longer have any guarantee
about which resource controllers the QEMU processes in general are in.
Cédric Bosdonnat [Tue, 17 Nov 2015 09:11:30 +0000 (10:11 +0100)]
virt-aa-helper: don't deny writes to readonly mounts
There is no need to deny writes on a readonly mount: write still
won't be accepted, even if the user remounts the folder as RW in
the guest as qemu sets the 9p mount as ro.
This deny rule was leading to problems for example with readonly /:
The qemu process had to write to a bunch of files in / like logs,
sockets, etc. This deny rule was also preventing auditing of these
denials, making it harder to debug.
John Ferlan [Wed, 13 Jan 2016 22:01:04 +0000 (17:01 -0500)]
conf: Initialize 'deflate' for balloon parse XML
Commit id '7bf3198df' neglected to initialize deflate leading to a
possibility if model allocation/checks fail, then the VIR_FREE(deflate)
would be erroneous. Noted by Jan Tomko.
Michal Privoznik [Wed, 13 Jan 2016 15:10:15 +0000 (16:10 +0100)]
wireshark: Drop DESTDIR from install path
In 50078cfbcbf3c8 I've tried to fix distcheck but accidentally
broke rpm build. The problem is that rpm build not only sets
DESTDIR but also passes plugindir path. This results in double
DESTDIR being in the plugin path, Drop one.
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
So, you try to start a domain, but before we even get to the part
where chardev part of qemu command line is generated (and
possibly missing path to unix sockets is made up) an error occurs
which results in calling qemuProcessStop. This will then try to
clean up the mess and possibly ends up calling unlink(NULL).
==8085== Thread 3:
==8085== Syscall param unlink(pathname) points to unaddressable byte(s)
==8085== at 0xA85EA57: unlink (in /lib64/libc-2.21.so)
==8085== by 0x213D3C24: qemuProcessCleanupChardevDevice (qemu_process.c:2866)
==8085== by 0x558D6B1: virDomainChrDefForeach (domain_conf.c:22924)
==8085== by 0x213DA9AE: qemuProcessStop (qemu_process.c:5326)
==8085== by 0x213DA2F2: qemuProcessStart (qemu_process.c:5190)
==8085== by 0x2142957F: qemuDomainObjStart (qemu_driver.c:7396)
==8085== by 0x214297DB: qemuDomainCreateWithFlags (qemu_driver.c:7450)
==8085== by 0x21429842: qemuDomainCreate (qemu_driver.c:7468)
==8085== by 0x5611B95: virDomainCreate (libvirt-domain.c:6753)
==8085== by 0x125D9A: remoteDispatchDomainCreate (remote_dispatch.h:3613)
==8085== by 0x125CB7: remoteDispatchDomainCreateHelper (remote_dispatch.h:3589)
==8085== by 0x568BF41: virNetServerProgramDispatchCall (virnetserverprogram.c:437)
==8085== Address 0x0 is not stack'd, malloc'd or (recently) free'd
==8085==
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Jim Fehlig [Mon, 11 Jan 2016 22:17:53 +0000 (15:17 -0700)]
Xen: use correct domctl version in domaininfolist union
Commmit fd2e3c4c used the domctl version 8 structure for version 9
in the xen_getdomaininfolist union, resulting in insufficient buffer
size (and subsequent memory corruption) for the GETDOMAININFOLIST
ioctl.
Michal Privoznik [Tue, 12 Jan 2016 15:22:24 +0000 (16:22 +0100)]
Expand $(wildcard) correctly
So after da176bf6b756 and friend we have switched to $(wildcard
some/path/*.xml) instead of enumerating the files explicitly.
This is nice, however it makes distcheck build from VPATH fail.
The reason is that it's is not obvious to what does the wildcard
refer to: srcdir or builddir?
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Dmitry Andreev [Fri, 8 Jan 2016 10:45:06 +0000 (13:45 +0300)]
qemu: add capability check for memballoon 'deflate-on-oom' feature
Add appropriate capability check and new virQEMUCaps flag for the new
virtio balloon feature. QEMU commit with the complete feature description:
http://git.qemu.org/?p=qemu.git;a=commit;h=e3816255bf4b6377bb405331e2ee0dc14d841b80
Dmitry Andreev [Fri, 8 Jan 2016 10:45:05 +0000 (13:45 +0300)]
conf: introduce 'autodeflate' attribute for memballoon device
Excessive memory balloon inflation can cause invocation of OOM-killer,
when Linux is under severe memory pressure. QEMU memballoon device
has a feature to release some memory at the last moment before some
process will be get killed by OOM-killer.
Introduce a new optional balloon device attribute 'autodeflate' to
enable or disable this feature.
Cole Robinson [Tue, 12 Jan 2016 01:01:24 +0000 (20:01 -0500)]
rpc: socket: Minor cleanups
- Add some debugging
- Make the loop dependent only on retries
- Make it explicit that connect(2) success exits the loop
- Invert the error checking logic
Commit 2b6f6ad introduced the virxdrdefs.h header with
common definitions to be included in the protocol files,
but logging/log_protocol.x was missed, so add it there as well.
Ben Gray [Thu, 26 Nov 2015 16:10:40 +0000 (16:10 +0000)]
rpc: Don't rewrite msg->fds on every read dispatch
When we are receiving data in smaller chunks it might happen that
virNetServerClientDispatchRead() will be called multiple times. And as
that happens, if it is a message that also transfer headers, we decode
the number of them every single time and, unfortunately, also allocate
the memory for them. That causes a leak, in the best scenario.
Best viewed with '-w'.
Signed-off-by: Martin Kletzander <mkletzan@redhat.com>
John Ferlan [Sat, 9 Jan 2016 13:36:35 +0000 (08:36 -0500)]
virsh: Create macro for common "interface" option
Rather than continually cut-n-paste the strings into each command,
create a common macro to be used generically. Note that not all
'{.name = "interface",' entries are replaced, just those that have the
common .help string of "interface name or MAC address".
John Ferlan [Sat, 9 Jan 2016 13:36:34 +0000 (08:36 -0500)]
virsh: Create macro for common "network" option
Rather than continually cut-n-paste the strings into each command,
create a common macro to be used generically. Note that not all
'{.name = "network",' entries are replaced, just those that have the
common .help string of "network name or uuid".
John Ferlan [Sat, 9 Jan 2016 13:36:31 +0000 (08:36 -0500)]
virsh: Create macros for common "vol" options
Rather than continually cut-n-paste the strings into each command,
create common macros to be used generically. Replace the more commonly
used "vol" option with a macro. This also adjusts 2 commands that
didn't have the correct helpstr - 'vol-create-from' and 'vol-clone'.
Both are described in the man page as taking vol, path, or key and
the code uses the virshCommandOptVol instead of virshCommandOptVolBy.
John Ferlan [Sat, 9 Jan 2016 13:36:29 +0000 (08:36 -0500)]
virsh: Create macro for common "file" option
Rather than continually cut-n-paste the strings into each command,
create a common macro to be used generically. The macro will take a
single argument _helpstr for the less common help string for each
command option. Note that only file options using "OT_DATA" and
"OFLAG_REQ" will be replace - others are left as is.
John Ferlan [Sat, 9 Jan 2016 13:36:28 +0000 (08:36 -0500)]
virsh: Create macro for common "current" option
Rather than continually cut-n-paste the strings into each command,
create a common macro to be used generically. The macro will take a
single argument _helpstr which for many options in virsh-domain.c
is simply "affect current domain". So, create a second macro within that
file in order to define the more common use as a revector to the
common macro with the common _helpstr.
John Ferlan [Sat, 9 Jan 2016 13:36:27 +0000 (08:36 -0500)]
virsh: Create macro for common "live" option
Rather than continually cut-n-paste the strings into each command,
create a common macro to be used generically. The macro will take a
single argument _helpstr which for many options in virsh-domain.c
is simply "affect running domain". So, create a second macro within that
file in order to define the more common use as a revector to the
common macro with the common _helpstr.
John Ferlan [Sat, 9 Jan 2016 13:36:26 +0000 (08:36 -0500)]
virsh: Create macro for common "config" option
Rather than continually cut-n-paste the strings into each command,
create a common macro to be used generically. The macro will take a
single argument _helpstr which for many options in virsh-domain.c
is simply "affect next boot". So, create a second macro within that
file in order to define the more common use as a revector to the
common macro with the common _helpstr.
John Ferlan [Sat, 9 Jan 2016 13:36:25 +0000 (08:36 -0500)]
virsh: Create macro for common "persistent" option
Rather than continually cut-n-paste the strings into each command,
create a common macro to be used generically. Note that not all
'{.name = "persistent",' entries are replaced, just those that have the
common .help string of "make live change persistent".
John Ferlan [Sat, 9 Jan 2016 13:36:24 +0000 (08:36 -0500)]
virsh: Create macro for common "domain" option
Rather than continually cut-n-paste the strings into each command,
create a common macro to be used generically. The macro will take a
single argument _helpstr which will be used to pass the translatable
helpstr since not all domain options can take the same string.
The majority of the options take 'N_("domain name, id or uuid")', so
create a separate macro with a _FULL suffix while those that do not
take the same string will use the VIRSH_COMMON_OPT_DOMAIN macro.
John Ferlan [Sat, 9 Jan 2016 13:36:23 +0000 (08:36 -0500)]
virsh: Adjustments for the VIRSH_COMMON_OPT_POOL
The macro is slightly adjusted to add an argument "_helpstr". This
will be passed as a translation macro string since other uses of the
option may not have the same exact help string (such as is the case
when the uuid is not suppliable for create commands).
In virsh-pool.c - we'll create a singular VIRSH_COMMON_OPT_POOL_FULL
in order to pass along the 'N_("pool name or uuid")'
In virsh-volume.c there will be a VIRSH_COMMON_OPT_POOL_FULL and a
VIRSH_COMMON_OPT_POOL_NAME, which passes 'N_("pool name")' for
the commands that can only pass a name. There will also be a
VIRSH_COMMON_OPT_POOL_OPTIONAL which is used for the command
options which use OT_STRING and don't require the --pool argument.
John Ferlan [Sat, 9 Jan 2016 13:36:22 +0000 (08:36 -0500)]
virsh: Convert VSH_POOL_ macro to VIRSH_COMMON_OPT_
Commit id's 'cf793b00', 'e178688f', 'f9a6110f', '5372d49', and 'e193735'
added new VSH_POOL_ macros; however, it was pointed out after push that
commit id '834c5720' preferred use of VIRSH_ for the prefix over VSH_.
So this patch just changes the VSH_ to VIRSH_ and it changes the naming
format from VIRSH_<opt>_OPT_COMMON to VIRSH_COMMON_OPT_<opt>.
Laine Stump [Mon, 11 Jan 2016 22:08:43 +0000 (17:08 -0500)]
util: eliminate bogus error log in virNetDevVPortProfileGetStatus
if instanceId is NULL
When virNetDevVPortProfileGetStatus() was called with instanceId =
NULL (which is the case for all DISASSOCIATE requests in 802.1Qbh) it
would log the following error:
Could not find netlink response with expected parameters
even though the disassociate had been successfully completely. Then,
due to the fortunate coincidence of status having been initialized to
0 and then not changed when the "failure" was encountered, it would
still return a status of 0 (PORT_VDP_RESPONSE_SUCCESS), so the caller
would assume a successful operation.
This would result in a spurious log message though, and would fill in
LastErrorMessage, so that the API would return that error if it
happened during cleanup from some other error. That, in turn, would
lead to an incorrect supposition that the response to the port profile
disassociate was the cause of the failure.
During debugging, I noticed that the VF in question usually had *no
uuid* associated with it (big surprise)by the time the disassociate
completed, so the solution is *not* to send the previous instanceId
down.
This patch fixes virNetDevVPortProfileGetStatus() to only check the
VF's uuid in the status if it was given an instanceId to check against
when originally called. Otherwise it only checks that the particular
VF is present (it will be).
This does cause a slight difference in behavior - rather than
returning with status unchanged (and thus always 0) it will actually
get the IFLA_PORT_RESPONSE. This could lead to revelation of error
conditions we were previously ignoring. Or not. So far "not".
Laine Stump [Tue, 20 Oct 2015 16:08:56 +0000 (12:08 -0400)]
qemu: auto-add a USB2 controller set for Q35 machines
Use virDomainDefAddUSBController() to add an EHCI1+UHCI1+UHCI2+UHCI3
controller set to newly defined Q35 domains that don't have any USB
controllers defined.
Laine Stump [Thu, 5 Nov 2015 20:16:50 +0000 (15:16 -0500)]
qemu: define virDomainDevAddUSBController()
This new function will add a single controller of the given model,
except the case of ich9-usb-ehci1 (the master controller for a USB2
controller set) in which case a set of related controllers will be
added (EHCI1, UHCI1, UHCI2, UHCI3). These controllers will not be
given PCI addresses, but should be otherwise ready to use.
"-1" is allowed for controller model, and means "default for this
machinetype". This matches the existing practice in
qemuDomainDefPostParse(), which always adds the default controller
with model = -1, and relies on the commandline builder to set a model
(that is wrong, but will be fixed later).
Laine Stump [Fri, 6 Nov 2015 18:01:29 +0000 (13:01 -0500)]
conf: add virDomainDefAddController()
We need a virDomainDefAddController() that doesn't check for an
existing controller at the same index (since USB2 controllers must be
added in sets of 4 that are all at the same index), so rather than
duplicating the code in virDomainDefMaybeAddController(), split it
into two functions, in the process eliminating existing duplicated
code that loops through the controller list by calling
virDomainControllerFind(), which does the same thing).
Laine Stump [Wed, 21 Oct 2015 19:08:49 +0000 (15:08 -0400)]
qemu: prefer 00:1D.x and 00:1A.x for USB2 controllers on Q35
The real Q35 machine puts the first USB controller set (EHCI+(UHCIx4))
on bus 0 slot 0x1D, and the 2nd USB controller set on bus 0 slot 0x1A,
so let's attempt to make the virtual machine match that for
controllers with auto-assigned addresses when possible.
Three test cases were added to assure that the proper addresses are
assigned - one with a single set of unaddressed USB controllers, one
with 3 (to grab both preferred slots plus one more), and one with the
order of the controller definitions reordered, to assure that the
auto-assignment isn't mixed up by order.
Laine Stump [Wed, 21 Oct 2015 18:49:06 +0000 (14:49 -0400)]
qemu: don't assume slot 0 is unused/reserved.
When qemuAssignDevicePCISlots() is looking for companion controllers
for a USB controller that has no PCI address specified, it initializes
a virDevicePCIAddress to 0000:00:00.0, fills it in with the
companion's address if one is found, then checks whether or not there
was a find based on slot == 0. On a system with a single PCI bus, that
is a valid way to check, because slot 0 is reserved, but on most other
PCI buses, slot 0 is not reserved, and is open for use by any
device. This patch adds a separate bool that is set when a companion
is found rather than relying on the faulty information provided with
"slot == 0".
Some of the protocol files already include handing of the missing int
types such as xdr_uint64_t, some don't. To fix it everywhere, move out
of the appropriate defines to the utils/virxdrdefs.h file and include
it where needed.
Signed-off-by: Roman Bogorodskiy <bogorodskiy@gmail.com>
OpenBSD uses 'struct sockpeercred' instead of 'struct ucred'. Add a
configure check that detects its presence and use if in the code that
could be compiled on OpenBSD.
Signed-off-by: Roman Bogorodskiy <bogorodskiy@gmail.com>
As cgroup implementation only works on Linux, it does not
make much sense to include sys/mount.h if other requirements are
not met, such as HAVE_MNTENT_H and HAVE_GETMNTENT_R.
Also, it fixes build on OpenBSD that requires to include sys/param.h
along with sys/mount.h.
Signed-off-by: Roman Bogorodskiy <bogorodskiy@gmail.com>
Michal Privoznik [Sun, 27 Dec 2015 10:00:22 +0000 (11:00 +0100)]
wireshark: Fix header of get_message_len()
In wireshark commit ceb8d954 (v1.99.2) they have changed the
signature of a function that determines how long a libvirt packet
is. Now it accepts a void pointer for passing data into the
function. Well, this is nice, but we don't need it right now.
Anyway, we have to change our code.
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
wireshark: Replace WIRESHARK_COMPAT with actual version comparison
In the upcoming patch we will need yet another #ifdef code block
depending on wireshark version. Instead of defining
WIRESHARK_COMPAT2 or something lets just compare the version
right at the place so that we can clearly see what version broke
API.
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Michal Privoznik [Sun, 27 Dec 2015 09:55:29 +0000 (10:55 +0100)]
wireshark: s/tvb_length/tvb_captured_length/
In wireshak commit 22149c55 (v.1.11.3) the API was renamed.
Follow the change in our code too. Since the wireshark change was
made in the very same version that we require at least we are
good to go.
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Michal Privoznik [Sun, 27 Dec 2015 09:49:10 +0000 (10:49 +0100)]
wireshark: s/ep_alloc/wmem_alloc/
In wireshark, they have introduced their own memory allocator
wmem. This means that we need to adapt our code to that change
too. Notably 0ad15f88ccf434e8210ca is the wireshark commit you
want to look at. It's the one where they dropped the old API. The
new allocator has been introduced in 84cc3daa (v1.10.0), however,
was not exposed until 5c05c9e0 (v1.10.0). Since we already are
requiring 1.11.3 or higher no other change is needed.
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
In the wireshark commit e2735ecfdd7a96c they dropped
proto_tree_add_text in favor of proto_tree_add_item. Adapt to
this change.
Moreover, the proto_tree_add_item API is around for ages and we
are already using it anyway. Therefore we don't need to change
required version of wireshark.
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
While this is no functional change, whole channel definition is
going to be needed very soon. Moreover, while touching this obey
const correctness rule in qemuAgentOpen() - so far it was passed
regular pointer to channel config even though the function is
expected to not change pointee at all. Pass const pointer
instead.
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
In qemu driver we listen to virtio channel events like an agent
connected to or disconnected from the guest part of socket.
However, with a little exception - when we find out that the
socket in question is the guest agent one, we connect or
disconnect guest agent which is done prior setting new state in
internal structure. Due to a bug in our code it may happen that
we got the event but failed to set it in internal structure
representing the channel.
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Fix LSB requirements in service script and sync them
Commit b22344f3285187ee1768d6e031bc0ff20e32552d mistakenly reordered
Default-* lines. Thanks to that I noticed that we are very inconsistent
with our init scripts, so I took the liberty of synchronizing them,
updating them and making them all look shiny and new. So apart from
fixing the LSB requirements, I also fixed the ordering, specified
runlevels and fix the link to the reference specification.
Signed-off-by: Martin Kletzander <mkletzan@redhat.com>
Michal Privoznik [Mon, 11 Jan 2016 11:48:30 +0000 (12:48 +0100)]
virDomainInterfaceAddresses: Allow API on RO connection too
This API does not change domain state. However, we have a policy
that an API talking to a guest agent requires RW access. But that
happens only if source == VIR_DOMAIN_INTERFACE_ADDRESSES_SRC_AGENT.
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Andrea Bolognani [Mon, 21 Dec 2015 15:22:58 +0000 (16:22 +0100)]
virsh: Add timestamps to QEMU monitor events
Implement a --timestamp option for 'virsh qemu-monitor-event', similar
to the one for 'virsh event'.
When the option is used, the human-readable timestamp will be printed
before the message, and the timing information provided by QEMU will
not be displayed.
Don't clear libvirt-internal paths when parsing status XML
Earlier commit 714080791778e3dfbd484ccb3953bffd820b8ba9 forgot to deal
properly with status XMLs where we want the libvirt-internal paths to be
kept in place and not cleared, otherwise we could end up copying a NULL
string and segfaulting th daemon.
Signed-off-by: Martin Kletzander <mkletzan@redhat.com>
Cole Robinson [Sat, 9 Jan 2016 21:00:01 +0000 (16:00 -0500)]
qemu: command: wire up usage of q35/ich9 disable s3/s4
If the q35 specific disable s3/s4 setting isn't supported, fallback to
specifying the PIIX setting, which is the previous behavior. It doesn't
have any effect, but qemu will just warn about it rather than error:
qemu-system-x86_64: Warning: global PIIX4_PM.disable_s3=1 not used
qemu-system-x86_64: Warning: global PIIX4_PM.disable_s4=1 not used
Since it doesn't error, I don't think we should either, since there
may be configs in the wild that already have q35 + disable_s3/4 (via
virt-manager)
Cole Robinson [Sat, 9 Jan 2016 23:03:56 +0000 (18:03 -0500)]
examples: Use one top level makefile
Using one Makefile per example subdirectory essentially serializes 'make'
calls. Convert to one example/Makefile that builds and distributes
all the subdir files. This reduces example/ rebuild time from about 5.8
seconds to 1.5 seconds on my machine.
One slight difference is that we no longer ship Makefile.am with the
examples in the rpm. This was virtually useless anyways since the Makefile
was very specific to libvirt infrastructure, so wasn't generically
reusable anyways.
virt-host-validate-common: Print warning on missing IOMMU
No only coverity warns about this, but it kind of makes sense
too. We have a test whether host supports IOMMU. Some platforms
don't have it, I know. But in that case we should print a message
that it's unknown whether platform has it or not.
Before:
(no output)
After:
QEMU: Checking for device assignment IOMMU support : WARN (Unknown if this platform has IOMMU support)
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
This function may be called with @dconnuri == NULL, e.g. from
virDomainMigrateToURI3() if the flags are missing
VIR_MIGRATE_PEER2PEER flag. Moreover, all later functions called
from here do wrap it into NULLSTR() so why not do the same here?
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
The condition was checking for UHCI (and OHCI for ppc64) availability so
that it can specify the proper device instead of legacy usb. However,
for ppc64, we don't need to check both OHCI and UHCI, but only OHCI as
that is the legacy default. The condition is so big that it was just a
matter of time when someone will make a mistake there, so let's use more
lines so that it is visible what the condition checks for.
This fixes usage of -device instead of -usb for ppc64 that supports
pci-usb-ohci and does not support piix3-usb-uhci.
For some reason we are not setting the driver with memset() to zeros.
But since commit 74abc3deac6e14ffa9151e425c6e6cd2b075aac5
driver->securityManager is being accessed and qemuagenttest started
crashing due to that.
Signed-off-by: Martin Kletzander <mkletzan@redhat.com>
Cole Robinson [Fri, 8 Jan 2016 03:50:05 +0000 (22:50 -0500)]
tests: qemuxml2xml: Wire up QEMUCaps usage
Future changes will make some of these tests dependent on specific
QEMUCaps flags, so wire up the basic handling. Flags will be added
in future patches.
Cole Robinson [Fri, 8 Jan 2016 21:41:37 +0000 (16:41 -0500)]
tests: qemuxml2xml: drop early file loading
For the standard active/inactive XML testing, if we leave the file loading
up to the generic XML2XML infrastructure, we get the benefit of
VIR_TEST_REGENERATE_OUTPUT, at the price of a few more disk reads. Seems
worth it.
Cole Robinson [Mon, 4 Jan 2016 19:31:58 +0000 (14:31 -0500)]
tests: Add newlines with VIR_TEST_REGENERATE_OUTPUT
Since test files are formatted predictably nowadays, we can make
VIR_TEST_REGENERATE_OUTPUT handle most cases for us with a simple
replacement. test-wrap-argv.pl is still canon, but this bit makes
it easier to confirm test output changes during active development.
Jim Fehlig [Tue, 29 Dec 2015 00:26:58 +0000 (17:26 -0700)]
libxl: support vif outgoing bandwidth QoS
The libxl_device_nic structure supports specifying an outgoing rate
limit based on a time interval and bytes allowed per interval. In xl
config a rate limit is specified as "<RATE>/s@<INTERVAL>". INTERVAL
is optional and defaults to 50ms.
libvirt expresses outgoing limits by average (required), peak, burst,
and floor attributes in units of KB/s. This patch supports the outgoing
bandwidth limit by converting the average KB/s to bytes per interval
based on the same default interval (50ms) used by xl.
projects / thirdparty / libvirt.git / log
