When adding vtpm virSecret usage type (in v5.6.0-rc1~61) we
forgot to update polkit access check. This limited user's ability
to match secrets in their rules. Add missing case into switch in
virAccessDriverPolkitCheckSecret().
Signed-off-by: Michal Privoznik <mprivozn@redhat.com> Reviewed-by: Ján Tomko <jtomko@redhat.com>
Jonathon Jongsma [Thu, 25 Jan 2024 17:51:51 +0000 (11:51 -0600)]
qemu: handle adding/removing nbdkit-backed disk sources
Previously we were only starting or stopping nbdkit when the guest was
started or stopped or when hotplugging/unplugging a disk. But when doing
block operations, the disk backing store sources can also be be added or
removed independently of the disk device. When this happens the nbdkit
backend was not being handled properly. For example, when doing a
blockcopy from a nbdkit-backed disk to a new disk and pivoting to that
new location, the nbdkit process did not get cleaned up properly. Add
some functionality to qemuDomainStorageSourceAccessModify() to handle
this scenario.
Since we're now starting nbdkit from the ChainAccessAllow/Revoke()
functions, we no longer need to explicitly start nbdkit in hotplug code
paths because the hotplug functions already call these allow/revoke
functions and will start/stop nbdkit if necessary.
Add a check to qemuNbdkitProcessStart() to report an error if we
are trying to start nbdkit for a disk source that already has a running
nbdkit process. This shouldn't happen, and if it does it indicates an
error in another part of our code.
Signed-off-by: Jonathon Jongsma <jjongsma@redhat.com> Reviewed-by: Peter Krempa <pkrempa@redhat.com>
Jonathon Jongsma [Thu, 25 Jan 2024 20:02:16 +0000 (14:02 -0600)]
qemu: roll back if not all nbdkit backends are successful
When starting nbdkit processes for the backing store of a disk, we were
returning an error if any backing store failed, but we were not cleaning
up processes that succeeded higher in the chain. Make sure that if we
return a failure status from qemuNbdkitStartStorageSource() that we roll
back any processes that had been started.
Signed-off-by: Jonathon Jongsma <jjongsma@redhat.com> Reviewed-by: Peter Krempa <pkrempa@redhat.com>
Jonathon Jongsma [Thu, 25 Jan 2024 17:30:02 +0000 (11:30 -0600)]
qemu: add a 'chain' parameter to nbdkit start/stop
This will allow us to start or stop nbdkit for just a single disk source
or for every source in the backing chain. This will be used in following
patches.
Signed-off-by: Jonathon Jongsma <jjongsma@redhat.com> Reviewed-by: Peter Krempa <pkrempa@redhat.com>
tests: Update capabilities for QEMU 8.1.0 on s390x
The existing capabilities were generated against a build made
quite early in the QEMU 8.1.0 development cycle. Update them
to match the final release.
A notable effect of this is that the recently introduced
s390-usb-model test now passes instead of failing: QEMU 8.1.0
enables several new devices on s390x, including the qemu-xhci
USB controller.
There's a small amount of additional churn caused by the fact
that the machine on which I have generated these capabilities
is apparently slightly less fancy than the one used originally.
Signed-off-by: Andrea Bolognani <abologna@redhat.com> Reviewed-by: Peter Krempa <pkrempa@redhat.com>
Show what happens when trying to use a specific type of USB
controller. This currently fails because the QEMU binary doesn't
include the necessary device.
Signed-off-by: Andrea Bolognani <abologna@redhat.com> Reviewed-by: Peter Krempa <pkrempa@redhat.com>
These tests currently cover the scenarios in which the guest
can end up with no USB controller, one of which is specific
to s390x. We are going to add more USB on s390x scenarios, so
a different naming convention is needed.
Signed-off-by: Andrea Bolognani <abologna@redhat.com> Reviewed-by: Peter Krempa <pkrempa@redhat.com>
Jonathon Jongsma [Fri, 26 Jan 2024 16:41:58 +0000 (10:41 -0600)]
qemu: fix nbdkit command test for backing chains
Previously this test only tested the generated nbdkit command for the
top level disk source. Update it to test the generated commmands for all
sources in the chain.
Signed-off-by: Jonathon Jongsma <jjongsma@redhat.com> Reviewed-by: Peter Krempa <pkrempa@redhat.com>
I've seen examples in the wild of the cluster attribute having
non-zero value on x86_64.
This is obviously quite confusing, but it's the information that
Linux exposes to userspace and we don't really have a way to tell
apart a valid die/cluster ID from a dummy one.
What ultimately matters is that the underlying assumptions about
topology are respected, which they are: in the x86_64 cases that
I have analyzed, for example, each "cluster" contained exactly
one core, so any program that would use this information to
influence guest topology decisions would be unaffected by the
additional level showing up in the hierarchy.
In an attempt to reduce confusion, remove any reference to any
specific value for the attributes having any special meaning
attached to it.
In fact, since there are plans to make it possible to create
guests with multiple CPU clusters on x86_64, rework the note
into a more generic warning cautioning users that an attribute
showing up here does not imply that the same attribute can be
used when defining a guest CPU topology.
Signed-off-by: Andrea Bolognani <abologna@redhat.com> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Peter Krempa [Wed, 7 Feb 2024 16:05:49 +0000 (17:05 +0100)]
docs: page.xsl: Split up 'href_base' for assets and links
To allow reuse of this template as-is in libvirt-wiki, we need to be
able to specify a distinct asset_href_base and link_href_base. Adjust
the template to allow that.
Signed-off-by: Peter Krempa <pkrempa@redhat.com> Reviewed-by: Ján Tomko <jtomko@redhat.com>
Peter Krempa [Wed, 7 Feb 2024 09:31:02 +0000 (10:31 +0100)]
js: Separate the virt-tools blog planet loader code
In order to promote simple assets sharing between main libvirt web and
the libvirt-wiki separate the virt tools blog feed loader from the main
code used for search.
Signed-off-by: Peter Krempa <pkrempa@redhat.com> Reviewed-by: Ján Tomko <jtomko@redhat.com>
Peter Krempa [Wed, 7 Feb 2024 13:28:28 +0000 (14:28 +0100)]
gitlab_pages: Fix 'maven' redirect
The redirect to the 'maven' repository of libvirt doesn't work currently
for libvirt pages as the ':splat' replacement doesn't match due to a
missing '/'.
Signed-off-by: Peter Krempa <pkrempa@redhat.com> Reviewed-by: Ján Tomko <jtomko@redhat.com>
Put _GNU_SOURCE definition at the top of corresponding files so
that users can just grab the code and compile it (in contrast
with the rest of the code where _GNU_SOURCE is declared in
meson-config.h).
Signed-off-by: Michal Privoznik <mprivozn@redhat.com> Reviewed-by: Ján Tomko <jtomko@redhat.com>
virsh-domain: Fix return of virshGetDBusDisplay() in one error path
The virshGetDBusDisplay() function is declared to return a
pointer and yet, in one error path false is returned. Switch the
statement to return NULL, which is what other error paths use to
indicate an error.
Signed-off-by: Michal Privoznik <mprivozn@redhat.com> Reviewed-by: Ján Tomko <jtomko@redhat.com>
Jiri Denemark [Wed, 31 Jan 2024 11:20:54 +0000 (12:20 +0100)]
network: Make virtual domains resolvable from the host
This patch adds a new attribute "register" to the <domain> element. If
set to "yes", the DNS server created for the virtual network is
registered with systemd-resolved as a name server for the associated
domain. The names known to the dnsmasq process serving DNS and DHCP
requests for the virtual network will then be resolvable from the host
by appending the domain name to them.
Signed-off-by: Jiri Denemark <jdenemar@redhat.com> Reviewed-by: Ján Tomko <jtomko@redhat.com>
Jiri Denemark [Thu, 25 Jan 2024 11:38:00 +0000 (12:38 +0100)]
util: Unify virSystemdHas{Machined,Logind}
When checking for machined we do not really care whether systemd itself
is running, we just need machined to be either running or socket
activated by systemd. That is, exactly the same we do for logind.
Signed-off-by: Jiri Denemark <jdenemar@redhat.com> Reviewed-by: Ján Tomko <jtomko@redhat.com>
After previous cleanups, qemuMonitorIOWriteWithFD() is but a thin wrapper
over virSocketSendMsgWithFDs(). Replace the body of the former
with a call to the latter.
Signed-off-by: Michal Privoznik <mprivozn@redhat.com> Reviewed-by: Ján Tomko <jtomko@redhat.com>
After previous cleanups, virSocketSendFD() is but a thin wrapper
over virSocketSendMsgWithFDs(). Replace the body of the former
with a call to the latter.
Signed-off-by: Michal Privoznik <mprivozn@redhat.com> Reviewed-by: Ján Tomko <jtomko@redhat.com>
Instead of using strlen() to calculate length of payload we're
sending, let caller specify the size: they may want to send just
a portion of a buffer (even though the only current user
doesn't).
Signed-off-by: Michal Privoznik <mprivozn@redhat.com> Reviewed-by: Ján Tomko <jtomko@redhat.com>
virSocketSendMsgWithFDs: Don't report errors, just set errno
Currently, virSocketSendMsgWithFDs() reports two errors:
1) if CMSG_FIRSTHDR() fails,
2) if sendmsg() fails.
Well, the latter sets an errno, so caller can just use
virReportSystemError(). And the former - it is very unlikely to
fail because memory for whole control message was allocated just
a few lines above.
The motivation is to unify behavior of virSocketSendMsgWithFDs()
and virSocketSendFD() because the latter is just a subset of the
former (will be addressed later).
Signed-off-by: Michal Privoznik <mprivozn@redhat.com> Reviewed-by: Ján Tomko <jtomko@redhat.com>
Peter Krempa [Thu, 1 Feb 2024 09:40:41 +0000 (10:40 +0100)]
virt-admin: Add warning when connection to default daemon fails
The admin connection defaults to the system-wide 'libvirtd' daemon to
manage (libvirtd:///system). As we've now switched to modular daemons
this will not work for most users out of the box:
$ virt-admin version
error: Failed to connect to the admin server
error: no valid connection
error: Failed to connect socket to '/run/user/1000/libvirt/libvirt-admin-sock': No such file or directory
As we don't want to assume which daemon the user wants to manage in the
modular topology there's no reasonable default to pick.
Give a hint to the users to use the '-c' if the connection to the
default URI fails:
$ virt-admin version
NOTE: Connecting to default daemon. Specify daemon using '-c' (e.g. virtqemud:///system)
error: Failed to connect to the admin server
error: no valid connection
error: Failed to connect socket to '/run/user/1000/libvirt/libvirt-admin-sock': No such file or directory
Signed-off-by: Peter Krempa <pkrempa@redhat.com> Reviewed-by: Jonathon Jongsma <jjongsma@redhat.com>
Peter Krempa [Thu, 19 Oct 2023 20:07:49 +0000 (22:07 +0200)]
qemuBlockStorageSourceNeedsFormatLayer: Stop formatting 'raw' driver when not needed
The 'raw' driver without any special configuration is not needed and
creates overhead in qemu.
Stop using the 'raw' format driver in cases when it's not needed. A
special case when it is needed is for FD passed images with only a
single writable FD passed, where we need an overlay driver to properly
reflect the 'read-only' flag.
Signed-off-by: Peter Krempa <pkrempa@redhat.com> Reviewed-by: Ján Tomko <jtomko@redhat.com>
The capability is asserted when both block-stream and block-commit QMP
commands support the 'backing-mask-protocol' argument.
The argument causes qemu to record 'raw' as the backing file format in
case when a protocol node is used directly. This is needed to preserve
compatibility of images after a block-commit or block-pull libvirt
operation with older libvirt versions in case when we'll want to remove
the unneded 'raw' format drivers from the block graph.
Signed-off-by: Peter Krempa <pkrempa@redhat.com> Reviewed-by: Ján Tomko <jtomko@redhat.com>
Notable changes:
- 'backing-mask-protocol' feature added for block-commit and block-stream
- 'singlestep' mode dropped
- 'cmpccxadd' cpu feature became available
Signed-off-by: Peter Krempa <pkrempa@redhat.com> Reviewed-by: Ján Tomko <jtomko@redhat.com>
Inside of virsocket.c there is an include of poll.h and
PKT_TIMEOUT_MS macro definition. Neither of these is really
needed and in fact it's a leftover after I reworked one of
previously merged commits during review.
Signed-off-by: Michal Privoznik <mprivozn@redhat.com> Reviewed-by: Ján Tomko <jtomko@redhat.com>
Signed-off-by: Praveen K Paladugu <prapal@linux.microsoft.com> Signed-off-by: Michal Privoznik <mprivozn@redhat.com> Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
ch: Introduce version based cap for network support
This capability checks if ch can receive multiple fds along with net-add
api. This capability is required to enable multiple queues for
domain/guest interfaces.
Signed-off-by: Praveen K Paladugu <prapal@linux.microsoft.com> Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
virSocketSendMsgWithFDs method send fds along with payload using
SCM_RIGHTS. virSocketRecv method polls, receives and sends the response
to callers.
These methods are required to add network suppport in ch driver.
Signed-off-by: Praveen K Paladugu <prapal@linux.microsoft.com> Signed-off-by: Michal Privoznik <mprivozn@redhat.com> Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
Move domain interface management methods from qemu to hypervisor. This
refactoring allows the domain management methods to be shared between CH and
qemu drivers.
This commit does not introduce any functional changes.
Signed-off-by: Praveen K Paladugu <prapal@linux.microsoft.com> Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
Peter Krempa [Thu, 4 Jan 2024 12:22:34 +0000 (13:22 +0100)]
qemu-replies-tool: Dump 'device-list-properties'
The order of properties in 'device-list-properties' can hange
arbitrarily and git is not great at picking the contexts in JSON to help
seeing what changed.
The new --dump-device-list-properties produces a stable order of
properties and dumps also the type and default value mainly useful for
comparing two .replies files.
Peter Krempa [Mon, 15 Jan 2024 20:56:39 +0000 (21:56 +0100)]
qemu-replies-tool: Add mode to dump all QMP schema query strings
Make the tool useful also for non-testing purposes by adding 'dump'
mode, which will process the data and output information about the qemu
version.
The first 'dump' mode produces all possible valid query strings per
virQEMUQAPISchemaPathGet/virQEMUCapsQMPSchemaQueries. This is useful for
users to look up a query string via 'grep' rather than trying to come up
with it manually.
Additionally the data as represented by qemu changes naming very often
and that makes it un-reviewable to find changes between two qemu builds.
By using the dump mode, which produces results in stable order we can
use it to 'diff' two .replies file without churn.
Peter Krempa [Mon, 15 Jan 2024 16:07:51 +0000 (17:07 +0100)]
qemu-replies-tool: Add validation of known fields in 'query-qmp-schema'
If the schema itself is extended in qemu we need to have a notification
to add appropriate handling to ensure that we have full coverage of all
fields.
Add validation that only fields that libvirt currently knows about are
present in the schema.
Signed-off-by: Peter Krempa <pkrempa@redhat.com> Reviewed-by: Ján Tomko <jtomko@redhat.com> Reviewed-by: Andrea Bolognani <abologna@redhat.com>
Peter Krempa [Thu, 18 May 2023 14:12:09 +0000 (16:12 +0200)]
scripts: Add 'qemu-replies-tool' script for testing and modifying data for qemucapabilitiestest
The tool in the current shape functionally replaces
tests/qemucapabilitiesnumbering.c
It validates that the output '.replies' files conform to how we generate
them from qemu and also allows programmatic modification of the
'.replies' files if re-generation is not feasible any more.
The main advantage is that JSON objects are parsed into native python
types and thus the programatic modification is much more convenient.
The tool will be later extended to also do validation that we properly
handle the whole of QMP schema as well as help in reviewing the
differences in the .replies file after qemu updates.
Signed-off-by: Peter Krempa <pkrempa@redhat.com> Reviewed-by: Ján Tomko <jtomko@redhat.com> Reviewed-by: Andrea Bolognani <abologna@redhat.com>
Peter Krempa [Wed, 3 Jan 2024 21:02:43 +0000 (22:02 +0100)]
tests: qemucaps: Make JSON output identical to python's 'json.dump' method
YAJL formats empty objects and arrays in a weird way:
{
"emptyarray": [
],
"emptyobject": {
}
}
We want to use empty lines to separate commands and replies as well as
be compatible with python's 'json.dump' method, thus we drop any
whitespace between array/object braces.
Adjust the two formatters which are used for capabilities and fix all
output files.
Note that the code is duplicated in qemucapabilitiesnumbering.c and
qemucapsprobemock.c, but later patches will replace
qemucapabilitiesnumbering.c by a python tool.
Signed-off-by: Peter Krempa <pkrempa@redhat.com> Reviewed-by: Ján Tomko <jtomko@redhat.com> Reviewed-by: Andrea Bolognani <abologna@redhat.com>
The qemuDomainGetSCSIControllerModel() function, which is
responsible for choosing a model for a SCSI controller that
didn't have one provided by the user, considers values >0 to
mean "model has been set".
Since MODEL_SCSI_AUTO == 0, this means that such a value is
considered the same as MODEL_SCSI_DEFAULT (-1). This makes
sense, as not specifying a model name or explicitly asking for
one to be automatically chosen intuitively should result in
the same behavior.
Specifically, there is no case in which a value of
MODEL_SCSI_AUTO or MODEL_SCSI_DEFAULT is encountered after the
initial controller creation: it is either replaced with an
actual model, or an error is raised.
Despite this, there are a few places in the QEMU driver where
we incorrectly treat these values as if they were actual
model names. To reduce confusion, make sure that no longer
happens.
Signed-off-by: Andrea Bolognani <abologna@redhat.com> Reviewed-by: Jonathon Jongsma <jjongsma@redhat.com>
Rewrite the conditions after exiting the parser so that they are easier
to understand. This partially decreases the granularity of "error"
messages as they are not strictly necessary albeit for debugging.
As it was already observed in this code the logic itself often does
something else than the comment claims, thus the code logic is
preserved.
Changes:
- any case when not all data was processed is aggregated together and
gets a common "error" message
- absence of 'checksum' field is checked separately
- helper variables are removed as they are no longer needed
Signed-off-by: Peter Krempa <pkrempa@redhat.com> Reviewed-by: Ján Tomko <jtomko@redhat.com>
Peter Krempa [Mon, 29 Jan 2024 22:33:07 +0000 (23:33 +0100)]
virPCIVPDReadVPDBytes: Refactor error handling
Each caller was checking that the function read as many bytes as it
expected. Move the check inside virPCIVPDReadVPDBytes and make it report
a proper error rather than just a combination of VIR_DEBUG inside the
function and a random VIR_INFO in the caller.
Signed-off-by: Peter Krempa <pkrempa@redhat.com> Reviewed-by: Ján Tomko <jtomko@redhat.com>
Peter Krempa [Mon, 29 Jan 2024 21:32:33 +0000 (22:32 +0100)]
virPCIDeviceGetVPD: Handle errors in callers
Until now 'virPCIDeviceGetVPD' couldn't reallistically raise an error,
but that will change. Handle the errors by either resetting it if we'd
be ignoring it or forward it.
Signed-off-by: Peter Krempa <pkrempa@redhat.com> Reviewed-by: Ján Tomko <jtomko@redhat.com>
Peter Krempa [Wed, 24 Jan 2024 16:15:10 +0000 (17:15 +0100)]
util: virpcivpd: Remove return value from virPCIVPDResourceUpdateKeyword
The function always succeeded and after the removal of programing error
checks doesn't even have a 'return false' case. Additionally one of the
tests in 'virpcivpdtest' tested that this function never failed on wrong
data. Embrace this logic and remove the return value and adjust logging
to VIR_DEBUG level to avoid spamming logs.
Signed-off-by: Peter Krempa <pkrempa@redhat.com> Reviewed-by: Ján Tomko <jtomko@redhat.com>
Peter Krempa [Wed, 24 Jan 2024 16:13:51 +0000 (17:13 +0100)]
virpcivpdtest: testPCIVPDResourceBasic: Remove tests for uninitialized 'ro'/'rw' section
This is a synthetic case which tests the behaviour if the 'ro' or 'rw'
struct members are uninitialized, basically excercising only a pointless
programming-error NULL check in 'virPCIVPDResourceUpdateKeyword' as real
usage does always pass a proper pointer.
Signed-off-by: Peter Krempa <pkrempa@redhat.com> Reviewed-by: Ján Tomko <jtomko@redhat.com>
Peter Krempa [Mon, 29 Jan 2024 16:55:06 +0000 (17:55 +0100)]
tests: virpcivpd: Remove 'testVirPCIVPDParseVPDStringResource' case
The test case excercises 'virPCIVPDParseVPDLargeResourceString' which is
also tested by other cases which parse the whole VPD block. Remove the
specific test case as it's not adding any additional value.
Signed-off-by: Peter Krempa <pkrempa@redhat.com> Reviewed-by: Ján Tomko <jtomko@redhat.com>
Peter Krempa [Wed, 24 Jan 2024 13:55:47 +0000 (14:55 +0100)]
tests: virpcivpdtest: Remove 'testVirPCIVPDReadVPDBytes' case
The case checks only the 'virPCIVPDReadVPDBytes' which is also tested
multiple times via 'virPCIVPDParse' as it's used to read the data, thus
having a special case for this is pointless.
Signed-off-by: Peter Krempa <pkrempa@redhat.com> Reviewed-by: Ján Tomko <jtomko@redhat.com>
Peter Krempa [Mon, 29 Jan 2024 14:50:27 +0000 (15:50 +0100)]
Don't overwrite error message from 'virXPathNodeSet'
'virXPathNodeSet' returns -1 only when 'ctxt' or 'xpath' are NULL or
when the 'xpath' string is invalid. Both are programming errors. It
doesn't make sense for the code to overwrite the error message for
anything supposedly more relevant.
The majority of calls to 'virXPathNodeSet' already didn't do this, so
this patch fixes the rest to prevent it from spreading again.
Signed-off-by: Peter Krempa <pkrempa@redhat.com> Reviewed-by: Ján Tomko <jtomko@redhat.com>
Peter Krempa [Tue, 23 Jan 2024 15:40:34 +0000 (16:40 +0100)]
tests: Test the previously mishandled PCI VPD characters
Modify the test data to validate '<>' and other characters.
Unfortunately the test suite doesn't have a proper end-to-end test, thus
we just add a XML->XML variant and also add data to the binary parser.
Signed-off-by: Peter Krempa <pkrempa@redhat.com> Reviewed-by: Ján Tomko <jtomko@redhat.com>
Similarly to previous commit other specific fields which come from the
system data and aren't sanitized enough to be safe for XML were also
formatted via virBufferAsprintf.
Other static and safe strings used virBufferEscapeString instead of
virBufferAddLit.
Signed-off-by: Peter Krempa <pkrempa@redhat.com> Reviewed-by: Ján Tomko <jtomko@redhat.com>
The custom field data is taken from PCI device data which can contain
any printable characters, and thus must be escaped when putting into
XML.
Originally, based on the comment and XML schema which was fixed in
previous commits the idea seemed to be that the parser would validate
that only characters which don't break the XML would be present but that
didn't seem to materialize.
Switch to proper escaping of the XML.
Fixes: 3954378d06a
Resolves: https://issues.redhat.com/browse/RHEL-22314 Signed-off-by: Peter Krempa <pkrempa@redhat.com> Reviewed-by: Ján Tomko <jtomko@redhat.com>
Peter Krempa [Tue, 16 Jan 2024 14:52:25 +0000 (15:52 +0100)]
qemu: migration: Properly handle reservation of manually specified NBD port
Originally the migration code didn't register the NBD disk port with the
port allocator when it was manually specified. Later when commit e74d627bb3bc2684cbe3 refactored the code and started registering it, the
old logic which was clearing 'priv->nbdPort' in case when it was manually
specified was not removed.
This caused following problems:
- the port was not released after successful migration
- the port was released even when it was not allocated on failures
regarding the NBD server start
- the port was not released on other failures of the migration after
NBD server startup
To address this we remove the assumption that 'priv->nbdPort' is used
only for auto-allocated port and fill it only once the port is
allocated and make the caller of qemuMigrationDstStartNBDServer
responsible for releasing it.
Fixes: e74d627bb3bc2684cbe3edc1e2f7cc745b4e1ff3
Resolves: https://issues.redhat.com/browse/RHEL-21543 Signed-off-by: Peter Krempa <pkrempa@redhat.com> Reviewed-by: Andrea Bolognani <abologna@redhat.com>
Peter Krempa [Wed, 17 Jan 2024 14:55:35 +0000 (15:55 +0100)]
remoteDispatchAuthPolkit: Fix lock ordering deadlock if client closes connection during auth
Locks in following text:
A: virNetServer
B: virNetServerClient
C: daemonClientPrivate
'virNetServerSetClientAuthenticated' locks A then B
'remoteDispatchAuthPolkit' calls 'virNetServerSetClientAuthenticated'
while holding C.
If a client closes its connection 'virNetServerProcessClients' with the
lock A and B locked will call 'virNetServerClientCloseLocked' which will
try to dispose of the 'client' private data by:
Unfortunately remoteClientFreePrivateCallbacks() tries lock C.
Thus the locks are held in the following order:
polkit auth: C -> A
connection close: A -> C
causing a textbook-example deadlock. To resolve it we can simply drop
lock 'C' before calling 'virNetServerSetClientAuthenticated' as the lock
is not needed any more.
Resolves: https://issues.redhat.com/browse/RHEL-20337 Signed-off-by: Peter Krempa <pkrempa@redhat.com> Reviewed-by: Martin Kletzander <mkletzan@redhat.com>
projects / libvirt.git / log