This supports sockets created by libvirt and passed by FD using the
same method as in security_dac.c.
Signed-off-by: David Michael <david@bigbadwolfsecurity.com> Signed-off-by: Michal Privoznik <mprivozn@redhat.com> Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
Michal Privoznik [Wed, 29 Jun 2022 09:16:06 +0000 (11:16 +0200)]
virnettlscontext: Don't set DH parameters ourselves
According to [1]:
Prior to GnuTLS 3.6.0 for the ephemeral or anonymous
Diffie-Hellman (DH) TLS ciphersuites the application was
required to generate or provide DH parameters. That is no
longer necessary as GnuTLS utilizes DH parameters and
negotiation from [RFC7919].
This allows us to:
a) drop the code that's setting DH params,
b) drop @dhParams member from _virNetTLSContext struct. and
c) drop gnutls_dh_params_generate2() mock.
Michal Privoznik [Tue, 28 Jun 2022 08:02:01 +0000 (10:02 +0200)]
virnetdevbandwidthtest: Test QoS for OVS
Ever since v7.6.0-rc1~235 we can use ovs-vsctl to set QoS instead
of tc. However, we don't have a test that's verifying generated
cmd line for ovs-vsctl.
Signed-off-by: Michal Privoznik <mprivozn@redhat.com> Reviewed-by: Martin Kletzander <mkletzan@redhat.com>
However, one can argue that there are few cases where shifting
the alignment makes the code more readable. And this is the case
of expected cmd line for DO_TEST_SET() where a long cmd line can
be aligned on the arguments rather than the binary:
TC " filter ..."
" police ..."
Signed-off-by: Michal Privoznik <mprivozn@redhat.com> Reviewed-by: Martin Kletzander <mkletzan@redhat.com>
Jiri Denemark [Thu, 30 Jun 2022 10:52:38 +0000 (12:52 +0200)]
qemu_migration: Apply max-postcopy-bandwidth on post-copy resume
When resuming post-copy migration users may want to limit the bandwidth
used by the migration and use a value that is different from the one
specified when the migration was originally started.
We will need to annotate individual parameters a bit more than just
noting their type. Let's introduce qemuMigrationParamInfo replacing
simple qemuMigrationParamTypes with an array of structs.
Signed-off-by: Jiri Denemark <jdenemar@redhat.com> Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
Jiri Denemark [Fri, 24 Jun 2022 14:26:06 +0000 (16:26 +0200)]
qemu_migration: Avoid mem.hard_limit > 0 check
My original commit v8.4.0-288-gf01fc4d119 accidentally forgot to fix
both instances of the same problem. While it fixed the destination side
of migration, the source one remained broken.
However, that commit was also wrong in saying the issue could have
caused unlimited memory locking to be allowed for QEMU when RDMA
migration was used. It could not, because the code would refuse to even
think about starting RDMA migration if hard_limit was not set. But
avoiding the "mem.hard_limit > 0" check is useful anyway.
Signed-off-by: Jiri Denemark <jdenemar@redhat.com> Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
qemu_hotplug: Don't skip cleanup in qemuDomainAttachNetDevice()
Introduced in v8.4.0-rc1~183 but the first real problem
introduced in v8.4.0-rc1~170, there's a
qemuBuildInterfaceConnect() call inside of
qemuDomainAttachNetDevice(). If the former fails, then the
function is immediately returned from instead of jumping onto the
cleanup label. This is crucial, because at this point the domain
definition contains 'borrowed' net definition, which is then
freed, since an error was met. The domain definition is then left
with a dangling pointer which leads to all sorts of different
crashes.
Michal Privoznik [Thu, 30 Jun 2022 06:32:49 +0000 (08:32 +0200)]
API: Remove internal impl detail from VIR_DOMAIN_IOTHREAD_THREAD_POOL_{MIN,MAX} description
When introducing VIR_DOMAIN_IOTHREAD_THREAD_POOL_MIN and
VIR_DOMAIN_IOTHREAD_THREAD_POOL_MAX typed parameters, I've made a
shortcut. Since at the monitor level these two are set in two
separate calls and minimum has to be always smaller than maximum
(or equal to it), it may happen that one of the values we want to
set violates this restriction. So I've put a little note in the
public API description warning users about this.
However, the proper solution is to have a logic that checks the
current values and based on that set either minimum or maximum
value first. But until we get there, remove that note from the
public API before it gets released.
Related: https://gitlab.com/libvirt/libvirt/-/issues/339 Signed-off-by: Michal Privoznik <mprivozn@redhat.com> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Jiri Denemark [Thu, 23 Jun 2022 12:25:30 +0000 (14:25 +0200)]
qemu_migration: Don't set unlimited memlock limit for RDMA
Our documentation says RDMA migration requires hard_limit to be set so
that we know how big memory locking limit should be set for the domain
during migration. But since commit v1.2.13-71-gcf521fc8ba (which changed
the default hard_limit value from 0 to
VIR_DOMAIN_MEMORY_PARAM_UNLIMITED) we were actually setting memlock
limit to unlimited if hard_limit was not set.
Signed-off-by: Jiri Denemark <jdenemar@redhat.com> Reviewed-by: Ján Tomko <jtomko@redhat.com>
Jiri Denemark [Wed, 22 Jun 2022 14:12:02 +0000 (16:12 +0200)]
qemu_migration: Restore original memory locking limit
For RDMA migration we update memory locking limit, but never set it back
once migration finishes (on the destination host) or aborts (on the
source host).
Signed-off-by: Jiri Denemark <jdenemar@redhat.com> Reviewed-by: Ján Tomko <jtomko@redhat.com>
Jiri Denemark [Wed, 22 Jun 2022 07:04:04 +0000 (09:04 +0200)]
qemu_migration: Use qemuDomainSetMaxMemLock
This helper will not try to set the limit if it is already big enough,
which may be useful when libvirt daemon is running in a containerized
environment and is not allowed to change memory locking limit.
Signed-off-by: Jiri Denemark <jdenemar@redhat.com> Reviewed-by: Ján Tomko <jtomko@redhat.com>
Jiri Denemark [Wed, 22 Jun 2022 13:21:30 +0000 (15:21 +0200)]
qemu: Add qemuDomainSetMaxMemLock helper
qemuDomainAdjustMaxMemLock combined computing the desired limit with
applying it. This patch separates the code to apply a memory locking
limit to a new qemuDomainSetMaxMemLock helper for better reusability.
Signed-off-by: Jiri Denemark <jdenemar@redhat.com> Reviewed-by: Ján Tomko <jtomko@redhat.com>
Ján Tomko [Wed, 22 Jun 2022 11:37:18 +0000 (13:37 +0200)]
docs: update links to listman
The mailman for mailing lists hosted by Red Hat seems to have moved
to listman.redhat.com. While the old links still seem to work,
point our docs to the new location to avoid the redirect.
Signed-off-by: Ján Tomko <jtomko@redhat.com> Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
Cole Robinson [Fri, 17 Jun 2022 21:09:32 +0000 (17:09 -0400)]
libxl: Fix domain startup failure error reporting
When domain startup fails, domain cleanup calls
libxlNetworkUnwindDevices, which calls virGetConnectNetwork, which
is a top level API entry point, which resets the initial saved error,
leading to clients seeing:
error: An error occurred, but the cause is unknown
This preserves the error around the entire teardown process, similar
to what is done in the qemu driver.
Reviewed-by: Michal Privoznik <mprivozn@redhat.com> Signed-off-by: Cole Robinson <crobinso@redhat.com>
nwfilter: spawn thread for reloading on firewalld trigger
When firewalld is restarted or has its rules reloaded, we trigger a
reload of the nwfilter driver. This is done directly in the main
event loop thread which is a bad idea.
In a previous commit we fixed a actual deadlock problem with the
virStateReload API, when triggered from SIGHUP:
The same deadlock problem previously existed with the firewalld reload
trigger, however, today it is not quite so series. The QEMU driver uses
a private event thread for each VM, so the particular deadlock would
not occur. None the less during the time the filters are reloading all
use of the event loop is blocked, which prevents APIs being serviced.
Reviewed-by: Erik Skultety <eskultet@redhat.com> Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
tools: add '--xpath EXPRESSION --wrap' args to all dumpxml commands
While you can chain the virsh output up to a later 'xmllint' or 'xpath'
command, integrating it into virsh avoids needs for installing extra
binaries which we've often found to be missing on production installs
of libvirt. It also gives better response if the initial virsh command
hits an error, as you don't get an aborted pipeline.
Fixes https://gitlab.com/libvirt/libvirt/-/issues/244 Reviewed-by: Michal Privoznik <mprivozn@redhat.com> Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
tools: add helper method for printing an XML document
The trivial case of fully printing an XML document is boring, but
this helper does more by allowing an XPath expression to be given.
It will then print just the subset of nodes which match the
expression. It either print each match as a standalone XML doc
or can put them into one new XML doc wrapped woith <nodes>...</nodes>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com> Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
Even when the os.loader element is absent, we still have to
validate that the user is not attempting to use firmware
autoselection with a driver that doesn't implement the feature.
Signed-off-by: Andrea Bolognani <abologna@redhat.com> Reviewed-by: Ján Tomko <jtomko@redhat.com>
Andrea Bolognani [Fri, 10 Jun 2022 08:05:01 +0000 (10:05 +0200)]
vmx: Declare support for firmware autoselection
The feature was implemented in commits b4e34d1083bc and 9bb6e4e739fa but the corresponding feature flag was not set in
the driver, so other parts of of libvirt wouldn't be able to
know about it.
Signed-off-by: Andrea Bolognani <abologna@redhat.com> Reviewed-by: Ján Tomko <jtomko@redhat.com>
Yalan Zhang [Thu, 16 Jun 2022 05:11:42 +0000 (13:11 +0800)]
docs: formatdomain: update hostdev interface section a bit
Update the default "driver" value for hostdev interface since
the default is not "KVM" anymore (refer to "Host device
asssignment" part and by test results). And update the mac
address in one xml example.
Signed-off-by: Yalan Zhang <yalzhang@redhat.com> Signed-off-by: Ján Tomko <jtomko@redhat.com> Reviewed-by: Ján Tomko <jtomko@redhat.com>
Peter Krempa [Tue, 14 Jun 2022 12:21:33 +0000 (14:21 +0200)]
virDomainDiskTranslateSourcePool: Fix check of 'startupPolicy' definition
The check was historically done only for _TYPE_VOLUME disks, but
refactors to allow _TYPE_VOLUME disks in the backing chain caused a
regression where we'd reject startupPolicy also for _TYPE_BLOCK disks
which historically worked well.
Fix it by using the 'virDomainDiskDefValidateStartupPolicy' helper and
use it only when the top level image is a _TYPE_VOLUME as in other cases
it was already validated. This also allows _TYPE_BLOCK volumes to use
startup policy.
Fixes: 37f01262eed9f37dd5eb7de8b83edd2fea741054
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2095758 Signed-off-by: Peter Krempa <pkrempa@redhat.com> Reviewed-by: Ján Tomko <jtomko@redhat.com>
projects / libvirt.git / log