spec: Update polkit dependencies for CVE-2013-4311
Use secured polkit on distros which provide it. However, RHEL-6 will
still allow for older polkit-0.93 rather than forcing polkit-0.96-5
which is not available in all RHEL-6 releases.
4cc1f1a01fb338de939ba88eb933931687b22336 introduced a crash when doing a
block copy as virStorageSourceInitChainElement was called on
"disk->mirror" that is still NULL at that point instead of "mirror"
which temporarily holds the mirror source struct until it's fully
initialized. This resulted into a crash as a NULL was dereferenced.
John Ferlan [Mon, 14 Jul 2014 16:17:44 +0000 (12:17 -0400)]
GetBlockInfo: Use the correct path to qemuOpenFile
Commit id '3ea661de' refactored the code to use the 'disk->src->path'
instead of getting the path from virDomainDiskGetSource(). The one
call to qemuOpenFile() didn't use the disk source path, rather it used
the path as passed from the caller (in this case 'vda') - this caused
a failure with the virt-test/tp-libvirt as follows:
$ virsh domblkinfo virt-tests-vm1 vda
error: cannot stat file '/home/virt-test/shared/data/images/jeos-20-64.qcow2': Bad file descriptor
Eric Blake [Mon, 23 Jun 2014 21:59:02 +0000 (15:59 -0600)]
docs: mention more about older capability feature bits
Our documentation for features was rather sparse; this fleshes out
more of the details for other existing capabilities (and cost me
some time trawling git history).
* docs/formatcaps.html.in: Document it feature bits.
Chunhe Li [Mon, 14 Jul 2014 10:37:50 +0000 (12:37 +0200)]
openvswitch: Delete port if it exists while adding a new one
If the openvswitch service is stopped, and is followed by destroying a
VM, the openvswitch bridge translates into a state where it doesn't
recover the port configuration. While it successfully fetches data
from the internal DB, since the corresponding virtual interface does
not exists anymore the whole recovery process fails leaving restarted
VM with inability to connect to the bridge. The following set of
commands will trigger the problem:
virsh start vm
service openvswitch-switch stop
virsh destroy vm
service openvswitch-switch start
virsh start vm
Signed-off-by: Chunhe Li <lichunhe@huawei.com> Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
We've always done that. Well, until 990e46c45. Point is, if we don't
format model, we may lose a domain on libvirtd restart. If the
seclabel is implicit however, we should skip it's formatting.
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Peter Krempa [Mon, 7 Jul 2014 12:38:10 +0000 (14:38 +0200)]
doc: Be more specific about semantics of _REUSE_EXT flag
Snapshots and block-copy have a flag that forces qemu to re-use existing
file. Our docs weren't exactly clear on what the existing file should
contain for this to actually work.
Re-word the docs a bit to state that the file needs to be pre-created in
the desired format and the backing chain metadata needs to be set prior
to handing it over to qemu.
conf: Fix possible NULL dereference in virStorageVolTargetDefFormat
Commit dae1568c6c6455091e8cd9bc2e90a22af3d3880c converted the perms
member of the virStorageVolTarget struct into a pointer to make it
optional. But virStorageVolTargetDefFormat did not check perms for
NULL before dereferencing it.
Ian Campbell [Fri, 11 Jul 2014 13:43:47 +0000 (14:43 +0100)]
libxl: Correct cast to virDomainDiskDiscard enum.
This was converted to a typedef in 5a2bd4c9171d "conf: more enum
cleanups in "src/conf/domain_conf.h"" causing:
libxl/libxl_conf.c: In function 'libxlDiskSetDiscard':
libxl/libxl_conf.c:724:19: error: conversion to incomplete type
Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Peter Krempa [Mon, 7 Jul 2014 14:50:11 +0000 (16:50 +0200)]
storage: Split out volume upload/download as separate backend function
For non-local storage drivers we can't expect to use the FDStream
backend for up/downloading volumes. Split the code into a separate
backend function so that we can add protocol specific code later.
Ján Tomko [Wed, 9 Jul 2014 08:57:33 +0000 (10:57 +0200)]
check for cfg->spiceTLS earlier in qemuProcessSPICEAllocatePorts
This saves a few lines of code and catches the error when:
<spice autoport ='yes' defaultMode='any' ..>
<channel name='main' mode='secure'/>
</spice>
is specified with spice_tls = 0 in qemu.conf.
Instead of this error in qemuBuildGraphicsSPICECommandLine:
error: unsupported configuration: spice secure channels set in XML
configuration, but TLS port is not provided
an error is reported in qemuProcessSPICEAllocatePorts:
error: unsupported configuration: Auto allocation of spice TLS port
requested but spice TLS is disabled in qemu.conf
When creating cgroups for vcpu and emulator threads whilst starting a
domain, we explicitly skip creating those cgroups in case priv->cgroup
is NULL (cgroups not supported) because SetAffinity() serves the same
purpose. If the host supports only some cgroups (the ones we need are
either unmounted or disabled in qemu.conf), we error out with weird
message even though we could continue starting the domain.
virsh: document the possibility of accepting integers for numatune mode
According to the code, 'virsh numatune' supports integers for
specifying --mode as well as the string definitions "strict",
"interleave", and "preferred". However, this possibility was not
documented anywhere, so this patch adds it to both the man page and
command help.
The commit referenced above changed function arguments of
virStorageFileGetMetadataFromBuf() but didn't tweak the
ATTRIBUTE_NONNULL tied to them. This was caught by coverity as it
actually obeys them. We disabled them for GCC and thus it didn't show
up.
Additionally in commit 3ea661deeabadc3c114dfb6f662b9fd17d714a01 I passed
NULL to the backingFormat argument which was also marked as nonnull. Use
a dummy int's address when the argument isn't supplied so that the code
doesn't need to change much.
Peter Krempa [Tue, 8 Jul 2014 13:52:32 +0000 (15:52 +0200)]
conf: Improve metadata type verification
Split out checking of invalid metadata type from the switch statement so
that we can use the typecasted enum value to allow tracking addition of
new items by the compliler.
Jincheng Miao [Fri, 27 Jun 2014 14:37:02 +0000 (22:37 +0800)]
qemu: fix domxml-to-native failing when spice_tls is not enabled
The default graphics channel mode is 'any', so as to defaultMode attribute.
If defaultMode and channel mode are all the default value 'any',
qemuConnectDomainXMLToNative will set TLSPort.
But in qemuBuildGraphicsSPICECommandLine, if spice_tls is not enabled, libvirtd
will report an error to tell the user that spice TLS is disabled in qemu.conf.
So qemuConnectDomainXMLToNative should check spice_tls is enabled,
then decide to allocate an tlsPort number to this graphics.
If user specified defaultMode is 'secure', qemuConnectDomainXMLToNative
could allocate tlsPort, and then let qemuBuildGraphicsSPICECommandLine reports
the spice_tls disabled error.
The related bug is:
https://bugzilla.redhat.com/show_bug.cgi?id=1113868
Signed-off-by: Jincheng Miao <jmiao@redhat.com> Signed-off-by: Ján Tomko <jtomko@redhat.com>
Peter Krempa [Mon, 30 Jun 2014 12:21:23 +0000 (14:21 +0200)]
qemu: snapshot: Refactor image labelling of new snapshot files
Now that cgroups/security driver/locking driver support labelling of
individual images and tolerate network storage we don't have to refrain
from passing all image files to it. This allows removing the checking
code as we already make sure that the snapshot function won't be called
with unsupported options.
Peter Krempa [Wed, 25 Jun 2014 15:23:44 +0000 (17:23 +0200)]
qemu: Refactor qemuDomainPrepareDiskChainElement
Now that security, cgroup and locking APIs support working on individual
images and we track the backing chain security info on a per-image basis
we can finally kill swapping the disk source in virDomainDiskDef and use
the virStorageSource directly.
Peter Krempa [Thu, 12 Jun 2014 14:57:43 +0000 (16:57 +0200)]
qemu: snapshot: Improve approach to deal with snapshot metadata
Until now we were changing information about the disk source via
multiple steps of copying data. Now that we changed to a pointer to
store the disk source we might use it to change the approach to track
the data.
Additionally this will allow proper tracking of the backing chain.
Peter Krempa [Fri, 27 Jun 2014 14:12:20 +0000 (16:12 +0200)]
qemu: block: Properly track disk source while pivoting to new image
When pivoting to a new disk source after a block commit (and possibly
after a soon-to-be-added active block commit) we changed just a few
fields to the new target. In case we'd copy a network disk to a local
file we'd not change the type properly.
To avoid such problems, switch to tracking of the source via changing of
the complete source struct to the one tracking the mirroring info.
Peter Krempa [Wed, 25 Jun 2014 15:15:17 +0000 (17:15 +0200)]
qemu: blockcopy: Use the mirror disk source to label the files
Use the source struct and the corresponding function so that we can
avoid using the path separately. Now that
qemuDomainPrepareDiskChainElementPath isn't use anywhere, we can safely
remove it.
Additionally, the removal fixes a misaligned comment as the removed
function was added under a comment for a different function.
Peter Krempa [Mon, 23 Jun 2014 14:35:34 +0000 (16:35 +0200)]
security: Introduce APIs to label single images
Add security driver functions to label separate storage images using the
virStorageSource definition. This will help to avoid the need to do ugly
changes to the disk struct and use the source directly.
Peter Krempa [Wed, 18 Jun 2014 11:09:05 +0000 (13:09 +0200)]
qemu: cgroup: Add functions to set cgroup image stuff on individual imgs
Add functions that will allow to set all the required cgroup stuff on
individual images taking a virStorageSourcePtr. Also convert functions
designed to setup whole backing chain to take advantage of the change.
When dispatching events from the event loop, the array of registered
handles is searched to see what handles happened an event on. However,
the array is searched in weird way: the check for the array boundaries
is at the end, so we may touch the elements after the end of the
array:
==10434== Invalid read of size 4
==10434== at 0x52D06B6: virEventPollDispatchHandles (vireventpoll.c:486)
==10434== by 0x52D10E4: virEventPollRunOnce (vireventpoll.c:660)
==10434== by 0x52CF207: virEventRunDefaultImpl (virevent.c:308)
==10434== by 0x1639D1: virNetServerRun (virnetserver.c:1139)
==10434== by 0x1220DC: main (libvirtd.c:1507)
==10434== Address 0xc11ff04 is 4 bytes after a block of size 960 alloc'd
==10434== at 0x4C2CA5E: realloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==10434== by 0x52AD378: virReallocN (viralloc.c:245)
==10434== by 0x52AD46E: virExpandN (viralloc.c:294)
==10434== by 0x52AD5B1: virResizeN (viralloc.c:352)
==10434== by 0x52CF2EC: virEventPollAddHandle (vireventpoll.c:116)
==10434== by 0x52CEF5B: virEventAddHandle (virevent.c:78)
==10434== by 0x11F69A90: nodeStateInitialize (node_device_udev.c:1797)
==10434== by 0x53C3C89: virStateInitialize (libvirt.c:743)
==10434== by 0x120563: daemonRunStateInit (libvirtd.c:919)
==10434== by 0x5317719: virThreadHelper (virthread.c:197)
==10434== by 0x8376F39: start_thread (in /lib64/libpthread-2.17.so)
==10434== by 0x8A7F9FC: clone (in /lib64/libc-2.17.so)
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Peter Krempa [Tue, 8 Jul 2014 15:34:56 +0000 (17:34 +0200)]
util: cgroup: Fix build on non-cgroup platforms
Commit a48f44510098cead629ede9a49ea4e840a28ccca introduced a helper
function to convert cgroup device mode to string. The function was only
conditionally compiled on platforms that support cgroup. This broke the
build when attempting to export the symbol:
CCLD libvirt.la
Cannot export virCgroupGetDevicePermsString: symbol not defined
Move the function out of the ifdef, as it doesn't really depend on the
cgroup code being present.
Jim Fehlig [Tue, 8 Jul 2014 21:34:48 +0000 (15:34 -0600)]
libxl: fix crash in migrate confirm for transient domains
In libxlDomainMigrationConfirm(), a transient domain is removed
from the domain list after successful migration. Later in cleanup,
the domain object is unlocked, resulting in a crash
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7fb4208ed700 (LWP 12044)]
0x00007fb4267251e6 in virClassIsDerivedFrom (klass=0xdeadbeef,
parent=0x7fb42830d0c0) at util/virobject.c:169
169 if (klass->magic == parent->magic)
(gdb) bt
0 0x00007fb4267251e6 in virClassIsDerivedFrom (klass=0xdeadbeef,
parent=0x7fb42830d0c0) at util/virobject.c:169
1 0x00007fb42672591b in virObjectIsClass (anyobj=0x7fb4100082b0,
klass=0x7fb42830d0c0) at util/virobject.c:365
2 0x00007fb42672583c in virObjectUnlock (anyobj=0x7fb4100082b0)
at util/virobject.c:338
3 0x00007fb41a8c7d7a in libxlDomainMigrationConfirm (driver=0x7fb4100404c0,
vm=0x7fb4100082b0, flags=1, cancelled=0) at libxl/libxl_migration.c:583
Fix by setting the virDomainObjPtr to NULL after removing it from
the domain list.
Jim Fehlig [Tue, 8 Jul 2014 21:17:58 +0000 (15:17 -0600)]
libxl: acquire job though begin phase only
During migration, the libxl driver starts a modify job in the
begin phase, ending the job in the confirm phase. This is
essentially VIR_MIGRATE_CHANGE_PROTECTION semantics, but the
driver does not support that flag. Without CHANGE_PROTECTION
support, the job would never be terminated in error conditions
where migrate confirm phase is not executed. Further attempts
to modify the domain would result in failure to acquire a job
after LIBXL_JOB_WAIT_TIME.
Similar to the qemu driver, end the job in the begin phase.
Protecting the domain object across all phases of migration can
be done in a future patch adding CHANGE_PROTECTION support.
Jim Fehlig [Tue, 8 Jul 2014 17:15:34 +0000 (11:15 -0600)]
libxl: remove domain when migration prepare fails
In libxlDomainMigrationPrepare(), a new virDomainObj is created
from the incoming domain def and added to the driver's domain
list, but never removed if there are subsequent failures during
the prepare phase.
targethost# virsh list --all
sourcehost# virsh migrate --live dom xen+ssh://targethost/system
error: operation failed: Fail to create socket for incoming migration.
targethost# virsh list --all
error: Failed to list domains
error: name in virGetDomain must not be NULL
After adding code to remove the domain on prepare failure, noticed
that libvirtd crashed due to double free of the virDomainDef. Similar
to the qemu driver, pass a pointer to virDomainDefPtr so it can be set
to NULL once a virDomainObj is created from it.
Eric Blake [Tue, 8 Jul 2014 20:46:49 +0000 (14:46 -0600)]
maint: update to latest gnulib
When run under an environment that inherits an ignored SIGPIPE
(hello, annoying buildbots), a syntax-check was producing quite
a bit of noise, such as:
Ján Tomko [Tue, 8 Jul 2014 10:56:59 +0000 (12:56 +0200)]
Don't require iptables-ipv6 on >= F17 and RHEL >= 7
We only need ip6tables, which is now a part of the iptables package:
http://pkgs.fedoraproject.org/cgit/iptables.git/commit/?h=1392835
This needlessly pulls in iptables-services:
https://bugzilla.redhat.com/show_bug.cgi?id=1101510
which can conflict with firewalld:
https://bugzilla.redhat.com/show_bug.cgi?id=1101484
Peter Krempa [Fri, 20 Jun 2014 11:33:16 +0000 (13:33 +0200)]
util: cgroup: Add helper to convert device mode to string
Cgroups code uses VIR_CGROUP_DEVICE_* flags to specify the mode but in
the end it needs to be converted to a string. Add a helper to do it and
use it in the cgroup code before introducing it into the rest of the
code.
Peter Krempa [Fri, 27 Jun 2014 12:33:01 +0000 (14:33 +0200)]
util: storage: Copy parent's disk metadata to backing chain elements
When discovering a disk backing chain the parent disk's metadata need to
be populated into the guest images so that each piece of the backing
chain contains a copy of those. This will allow us to refactor the
security driver so that it will not need to carry around the original
disk definition.
Peter Krempa [Wed, 25 Jun 2014 16:48:27 +0000 (18:48 +0200)]
util: storage: Add function to transfer config parts to new chain element
We are going to modify storage source chains in place. Add a helper that
will copy relevant information such as security labels to the new
element if that doesn't contain it.
Peter Krempa [Tue, 24 Jun 2014 13:15:55 +0000 (15:15 +0200)]
storage: Move readonly and shared flags to disk source from disk def
In the future we might need to track state of individual images. Move
the readonly and shared flags to the virStorageSource struct so that we
can keep them in a per-image basis.
Peter Krempa [Mon, 30 Jun 2014 09:38:08 +0000 (11:38 +0200)]
conf: Don't output seclabels for backingStore elements
Some of the further changes will propagate seclabels from a disk source
element into the backing store elements. This would change the XML
output of the backing store as the seclabels would be formatted for each
backing store element. Skip the seclabels formatting until we decide
that it's necessary.
Peter Krempa [Mon, 28 Apr 2014 13:39:19 +0000 (15:39 +0200)]
qemu: Add support for networked disks for block pull/block rebase
Now that we are able to select images from the backing chain via indexed
access we should also convert possible network sources to
qemu-compatible strings before passing them to qemu.
Peter Krempa [Mon, 28 Apr 2014 13:39:19 +0000 (15:39 +0200)]
qemu: Add support for networked disks for block commit
Now that we are able to select images from the backing chain via indexed
access we should also convert possible network sources to
qemu-compatible strings before passing them to qemu.
Peter Krempa [Fri, 16 May 2014 13:40:06 +0000 (15:40 +0200)]
lib: Introduce flag VIR_DOMAIN_BLOCK_REBASE_RELATIVE
Introduce flag for the block rebase API to allow the rebase operation to
leave the chain relatively addressed. Also adds a virsh switch to enable
this behavior.
Peter Krempa [Tue, 13 May 2014 15:59:32 +0000 (17:59 +0200)]
lib: Introduce flag VIR_DOMAIN_BLOCK_COMMIT_RELATIVE
Introduce flag for the block commit API to allow the commit operation to
leave the chain relatively addressed. Also adds a virsh switch to enable
this behavior.
Peter Krempa [Mon, 7 Jul 2014 10:56:23 +0000 (12:56 +0200)]
qemu: refactor qemuDomainGetBlockInfo to work with remote storage
The qemu block info function relied on working with local storage. Break
this assumption by adding support for remote volumes. Unfortunately we
still need to take a hybrid approach as some of the operations require a
filedescriptor.
Previously you'd get:
$ virsh domblkinfo gl vda
error: cannot stat file '/img10': Bad file descriptor
Now you get some stats:
$ virsh domblkinfo gl vda
Capacity: 10485760
Allocation: 197120
Physical: 197120
Peter Krempa [Mon, 7 Jul 2014 09:38:28 +0000 (11:38 +0200)]
util: storage: Allow specifying format for virStorageFileGetMetadataFromBuf
To allow reusing this function in the qemu driver we need to allow
specifying the storage format. Also separate return of the backing store
path now isn't necessary.
Peter Krempa [Fri, 4 Jul 2014 13:03:07 +0000 (15:03 +0200)]
virsh: domain: Use inactive XML when unplugging interface with --config
Similary to cmdDetachDisk fetch the inactive definition when --config
is specified as the active may not contain the network interface
if it was plugged with --config.
virt-lxc-convert: make free return values in bytes
Tiny fix for virt-lxc-convert: we are setting memory values in bytes, while
free may give us values in a different unit by default: force free to output
bytes with -b flag.
Peter Krempa [Mon, 7 Jul 2014 08:00:46 +0000 (10:00 +0200)]
qemu: dump: Report better error when dumping VM with passthrough devices
For the regular dump operation we migrate the VM to a file. This won't
work when the VM has passthrough devices assigned. Rather than reporting
a cryptic error from qemu run our check whether it can be migrated.
This does not influence the memory-only dump that is allowed with
passthrough devices.
wireshark: Honor API change coming with 1.12 release
https://bugs.gentoo.org/show_bug.cgi?id=508336
At wireshark, they have this promise to change public dissector APIs
only with minor version number change. Which they did when releasing
the version of 1.12.
Firstly, they've changed tvb_memdup() in a0c53ffaa1bb46d8c9db2ec739401aa411c9790e so now it takes four arguments
instead of three. The new argument is placed at the very beginning of
the list of arguments and basically says the scope where we'd like to
allocate the memory. According to the documentation NULL should be the
default value.
Then, the tcp_dissect_pdus() signature changed too. Well, the function
that actually dissects reassembled packets as tcp_dissect_pdus()
reorder TCP packets into one big chunk and then calls a user function
to dissect the PDU at once. The change is dated back to 8081cf1d90397cbbb4404f9720595e1537ed5e14.
The rationale is to not duplicate code which is done in
packet-libvirt.h for instance. Moreover, this way we can drop
__attribute_((unused)) used int packet-libvirt.c in favor of
ATTRIBUTE_UNUSED.
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Peter Krempa [Fri, 16 May 2014 15:51:21 +0000 (17:51 +0200)]
qemu: monitor: Add support for backing name specification for block-stream
To allow changing the name that is recorded in the top of the current
image chain used in a block pull/rebase operation, we need to specify
the backing name to qemu. This is done via the "backing-file" attribute
to the block-stream commad.
Peter Krempa [Tue, 13 May 2014 15:41:33 +0000 (17:41 +0200)]
qemu: monitor: Add argument for specifying backing name for block commit
To allow changing the name that is recorded in the overlay of the TOP
image used in a block commit operation, we need to specify the backing
name to qemu. This is done via the "backing-file" attribute to the
block-commit command.
Peter Krempa [Mon, 26 May 2014 12:09:22 +0000 (14:09 +0200)]
qemu: caps: Add capability for change-backing-file command
This command allows to change the backing file name recorded in the
metadata of a qcow (or other) image. The capability also notifies that
the "block-stream" and "block-commit" commands understand the
"backing-file" attribute.
Peter Krempa [Wed, 2 Jul 2014 09:24:24 +0000 (11:24 +0200)]
conf: audit: Split out common steps to audit domain devices
Extract common operations done when creating an audit message to a
separate generic function that can be reused and convert RNG, disk, FS
and net audit to use it.
projects / libvirt.git / log