remote: check for negative array lengths before allocation
While the C API entry points will validate non-negative lengths
for various parameters, the RPC server de-serialization code
will need to allocate memory for arrays before entering the C
API. These allocations will thus happen before the non-negative
length check is performed.
Passing a negative length to the g_new0 function will usually
result in a crash due to the negative length being treated as
a huge positive number.
This was found and diagnosed by ALT Linux Team with AFLplusplus.
CVE-2024-2494 Reviewed-by: Michal Privoznik <mprivozn@redhat.com> Found-by: Alexandr Shashkin <dutyrok@altlinux.org> Co-developed-by: Alexander Kuznetsov <kuznetsovam@altlinux.org> Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
Andrea Bolognani [Tue, 28 Nov 2023 15:09:43 +0000 (16:09 +0100)]
qemu: Tweak augeas schema
Current entries should always be listed before obsolete ones.
Signed-off-by: Andrea Bolognani <abologna@redhat.com> Reviewed-by: Peter Krempa <pkrempa@redhat.com> Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
Andrea Bolognani [Tue, 21 Nov 2023 17:20:32 +0000 (18:20 +0100)]
security: Drop virSecurity(DAC|SELinux)SetImageLabelRelative()
The single caller for each function passes the same value
for @src and @parent, which means that we don't really need
the additional API.
Signed-off-by: Andrea Bolognani <abologna@redhat.com> Reviewed-by: Peter Krempa <pkrempa@redhat.com> Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
Andrea Bolognani [Mon, 20 Nov 2023 18:17:02 +0000 (19:17 +0100)]
security: Drop virSecurity(DAC|SELinux)RestoreImageLabelSingle()
Each one only has a single, trivial caller.
Signed-off-by: Andrea Bolognani <abologna@redhat.com> Reviewed-by: Peter Krempa <pkrempa@redhat.com> Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
Andrea Bolognani [Tue, 21 Nov 2023 16:36:56 +0000 (17:36 +0100)]
security: Fix name for _virSecurityDACChardevCallbackData
It was clearly copied over from the SELinux driver without
updating its name in the process.
Signed-off-by: Andrea Bolognani <abologna@redhat.com> Reviewed-by: Peter Krempa <pkrempa@redhat.com> Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
Andrea Bolognani [Tue, 21 Nov 2023 16:17:10 +0000 (17:17 +0100)]
security: Fix alignment
Signed-off-by: Andrea Bolognani <abologna@redhat.com> Reviewed-by: Peter Krempa <pkrempa@redhat.com> Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
Following callbacks have been implemented
* domainRestore
* domainRestoreFlags
The path parameter to these callbacks has to be of the directory where
libvirt has performed save. Additionally, call restore in `domainCreate`
if the domain has managedsave.
Signed-off-by: Purna Pavan Chandra Aekkaladevi <paekkaladevi@linux.microsoft.com> Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
Following callbacks have been implemented
* domainSaveImageGetXMLDesc
* domainManagedSaveRemove
* domainManagedSaveGetXMLDesc
* domainHasManagedSaveImage
Signed-off-by: Purna Pavan Chandra Aekkaladevi <paekkaladevi@linux.microsoft.com> Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
Implemented save callbacks. CH's vmm.snapshot API is called to save the
domain state. The path passed to these callbacks has to be of directory
as CH takes dir as input to snapshot and saves multiple files under it.
Signed-off-by: Purna Pavan Chandra Aekkaladevi <paekkaladevi@linux.microsoft.com> Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
Andrea Bolognani [Tue, 27 Feb 2024 14:58:27 +0000 (15:58 +0100)]
meson: Check for sched_get_priority_min()
virProcessSetScheduler() uses not just sched_setscheduler() but
also sched_get_priority_{min,max}(). Currently we assume that
the former being available implies that the latter are as well,
but that's not the case for at least GNU/Hurd.
Make sure all functions are actually available before
attempting to use them.
Signed-off-by: Andrea Bolognani <abologna@redhat.com> Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
Andrea Bolognani [Tue, 27 Feb 2024 14:52:15 +0000 (15:52 +0100)]
meson: Restore check for sched_getaffinity()
Commit c07cf0a68693 replaced this check with one for the
presence of cpu_set_t.
The idea at the time was that only sched_{get,set}affinity()
were visible by default, while making cpu_set_t visible required
defining _WITH_CPU_SET_T. So libvirt would detect the function
and attempt to use it, but the code would not compile because
the necessary data type had not been made accessible.
The commit in question brought three FreeBSD commits as evidence
of this. While [1] and [2] do indeed seem to support this
explanation, [3] from just a few days later made it so that not
just cpu_set_t, but also the functions, required user action to
be visible. This arguably would have made the change unnecessary.
However, [4] from roughly a month later changed things once
again: it completely removed _WITH_CPU_SET_T, making both the
functions and the data type visible by default.
This is the status quo that seems to have persisted until
today. If one were to check any recent FreeBSD build job
performed as part of our CI pipeline, for example [5] and [6]
for FreeBSD 13 and 14 respectively, they would be able to
confirm that in both cases cpu_set_t is detected as available.
Since there is no longer a difference between the availability
of the functions and that of the data type, go back to what we
had before.
This has the interesting side-effect of fixing a bug
introduced by the commit in question.
When detection was changed from the function to the data type,
most uses of WITH_SCHED_GETAFFINITY were replaced with uses of
WITH_DECL_CPU_SET_T, but not all of them: specifically, those
that decided whether qemuProcessInitCpuAffinity() would be
actually implemented or replaced with a no-op stub were not
updated, which means that we've been running the stub version
everywhere except on FreeBSD ever since.
The code has been copied to the Cloud Hypervisor driver in
the meantime, which is similarly affected. Now that we're
building the actual implementation, we need to add virnuma.h
to the includes.
As a nice bonus this also makes things work correctly on
GNU/Hurd, where cpu_set_t is available but
sched_{get,set}affinity() are non-working stubs.
Andrea Bolognani [Fri, 23 Feb 2024 00:29:28 +0000 (01:29 +0100)]
util: Accept TIDs for virProcess{Get,Set}Affinity() on BSD
Depending on the situation, the IDs that we pass to these
functions can be either referring to processes or threads.
Linux doesn't have separate interfaces for one or the other,
but FreeBSD does and we're explicitly telling it that the ID
refers to a process. When it refers to a thread instead, the
call will fail, and the VM will not be able to start.
Luckily, another possible choice is CPU_WHICH_TIDPID, which
makes things behave the same as Linux.
Signed-off-by: Andrea Bolognani <abologna@redhat.com> Reviewed-by: Martin Kletzander <mkletzan@redhat.com>
Rayhan Faizel [Tue, 19 Mar 2024 15:16:30 +0000 (16:16 +0100)]
qemu_command: Generate command line for MTP filesystem
The source tag sets the rootdir property of the device, which is
the directory exposed to the guest via the MTP device. The target
tag sets the desc property. This device supports read-only mode
as well. Like virtiofs, it does not support additional access
modes.
Signed-off-by: Rayhan Faizel <rayhan.faizel@gmail.com> Signed-off-by: Michal Privoznik <mprivozn@redhat.com> Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
Adam Julis [Tue, 19 Mar 2024 11:02:51 +0000 (12:02 +0100)]
virt-admin: Fix segfault when libvirtd dies
vshAdmCatchDisconnect requires non-NULL structure vshControl for
getting connection name (stored at opaque), but
virAdmConnectRegisterCloseCallback at vshAdmConnect called it
with NULL.
Signed-off-by: Adam Julis <ajulis@redhat.com> Reviewed-by: Ján Tomko <jtomko@redhat.com> Signed-off-by: Ján Tomko <jtomko@redhat.com>
Karim Taha [Sun, 17 Mar 2024 15:19:20 +0000 (17:19 +0200)]
openvz_driver: use g_autofree instead of VIR_FREE()
Signed-off-by: Karim Taha <kariem.taha2.7@gmail.com> Signed-off-by: Michal Privoznik <mprivozn@redhat.com> Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
Wei Gong [Mon, 18 Mar 2024 13:31:14 +0000 (21:31 +0800)]
virthreadpool: create threads from the newly expanded workers
when the thread pool is dynamically expanded, threads should
not be created from the existing workers; they should be created
from the newly expanded workers
Signed-off-by: Wei Gong <gongwei833x@gmail.com> Signed-off-by: Michal Privoznik <mprivozn@redhat.com> Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
Jiri Denemark [Mon, 11 Mar 2024 16:04:48 +0000 (17:04 +0100)]
qemu: domain: Drop added features from migratable CPU
Features marked with added='yes' in CPU model definitions have to be
removed before migration, otherwise older libvirt would complain about
unknown CPU features. We only do this for features that were enabled for
a given CPU model even with older libvirt, which just ignored the
features. And only for features we added ourselves when updating CPU
definition during domain startup, that is we do not remove features
which were explicitly mentioned by a user.
That said, this is not the safest thing we could do, but it's
effectively the same thing we did before the affected features were
added: we ignored them completely on both sides of migration.
Signed-off-by: Jiri Denemark <jdenemar@redhat.com> Reviewed-by: Tim Wiederhake <twiederh@redhat.com> Reviewed-by: Peter Krempa <pkrempa@redhat.com>
Jiri Denemark [Thu, 7 Mar 2024 13:50:48 +0000 (14:50 +0100)]
cpu: x86: Add support for adding features to existing CPU models
This is not a good idea in general, but we can (and have to) do it in
specific cases when a feature has always been part of a CPU model in
hypervisor's definition, but we ignored it and did not include the
feature in our definition.
Blindly adding the features to the CPU map and not adding them to
existing CPU models breaks migration between old and new libvirt in both
directions. New libvirt would complain the features got unexpectedly
enabled (as they were not mentioned in the incoming domain XML) even
though they were also enabled on the source and the old libvirt just
didn't know about them. On the other hand, old libvirt would refuse to
accept incoming migration of a domain started by new libvirt because the
domain XML would contain CPU features unknown to the old libvirt.
This is exactly what happened when several vmx-* features were added a
few releases back. Migration between libvirt releases before and after
the addition is now broken.
This patch adds support for added these features to existing CPU models
by marking them with added='yes'. The features will not be considered
part of the CPU model and will be described explicitly via additional
<feature/> elements, but the compatibility check will not complain if
they are enabled by the hypervisor even though they were not explicitly
mentioned in the CPU definition and incoming migration from old libvirt
will succeed.
To fix outgoing migration to old libvirt, we also need to drop all those
features from domain XML unless they were explicitly requested by the
user. This will be handled by a later patch.
Signed-off-by: Jiri Denemark <jdenemar@redhat.com> Reviewed-by: Tim Wiederhake <twiederh@redhat.com> Reviewed-by: Peter Krempa <pkrempa@redhat.com>
Michal Privoznik [Wed, 13 Mar 2024 16:25:35 +0000 (17:25 +0100)]
tests: mock __open_2()
As of commit [1] glibc may overwrite a call to open() with call
to __open_2() (if only two arguments are provided and the code is
compiled with clang). But since we are not mocking the latter our
test suite is broken as tests try to access paths outside of our
repo.
1: https://sourceware.org/git/?p=glibc.git;a=commit;h=86889e22db329abac618c6a41f86c84657a15324 Signed-off-by: Michal Privoznik <mprivozn@redhat.com> Reviewed-by: Pavel Hrdina <phrdina@redhat.com>
Michal Privoznik [Wed, 13 Mar 2024 16:35:15 +0000 (17:35 +0100)]
virusbmock: Switch to VIR_MOCK_REAL_INIT()
Since virusbmock was written 10 years ago, back when we didn't
have virmock.h and its helpers, it open codes symbol resolution
(VIR_MOCK_REAL_INIT). With a bit of cleanup (e.g. renaming
realopen to real_open and so on) it can use virmock.h provided
macros.
And while at it, drop include of virusb.h - there is no
compelling reason for it include the file. The mock just
redirects paths passed to open()/opendir().
Signed-off-by: Michal Privoznik <mprivozn@redhat.com> Reviewed-by: Pavel Hrdina <phrdina@redhat.com>
[...]
OPTIONS
- [--timeout] <number> number of seconds the daemon will run without any active connection
+ --timeout <number> number of seconds the daemon will run without any active connection
Resolves: https://issues.redhat.com/browse/RHEL-25993 Signed-off-by: Peter Krempa <pkrempa@redhat.com> Reviewed-by: Ján Tomko <jtomko@redhat.com>
Peter Krempa [Tue, 5 Mar 2024 15:00:41 +0000 (16:00 +0100)]
vsh: Fix broken assumption that required VSH_OT_INT must be positional
In at least one case we've wanted a mandatory argument which requires
the explicit flag. Fix the assumption before converting everything over
to the new flags.
Signed-off-by: Peter Krempa <pkrempa@redhat.com> Reviewed-by: Ján Tomko <jtomko@redhat.com>
Peter Krempa [Tue, 5 Mar 2024 14:07:47 +0000 (15:07 +0100)]
vsh: Annotate 'required' and 'positional' arguments explicitly
Add 'positional' and 'required' fields to vshCmdOptDef, which will
explicitly track the two properties of arguments.
To ensure that we have proper coverage, add checks to
vshCmddefCheckInternals validating the state of the above flags by
infering it from existing data.
This conversion will allow us:
- remove VSH_OT_DATA in favor of VSH_OT_STRING
- use VSH_OT_INT when required both as positional and non-positional
- properly annotate which VSH_OT_ARGV are positional and which are not
(currently inferred by whether an previous positional option exists)
Signed-off-by: Peter Krempa <pkrempa@redhat.com> Reviewed-by: Ján Tomko <jtomko@redhat.com>
Peter Krempa [Fri, 1 Mar 2024 13:51:46 +0000 (14:51 +0100)]
vshCmddefHelp: Refactor printing of help (argument description)
Extract flag check to a separate variable and replace ternary operators
by normal conditions and use allocated buffer instead of a static one
to improve readability.
Signed-off-by: Peter Krempa <pkrempa@redhat.com> Reviewed-by: Ján Tomko <jtomko@redhat.com>
Peter Krempa [Fri, 1 Mar 2024 13:51:46 +0000 (14:51 +0100)]
vshCmddefHelp: Refactor printing of help (list of arguments)
Extract flag check to a separate variable and replace ternary operators
by normal conditions and directly output the text rather than using
extra variable to improve readability.
Signed-off-by: Peter Krempa <pkrempa@redhat.com> Reviewed-by: Ján Tomko <jtomko@redhat.com>
Peter Krempa [Fri, 1 Mar 2024 22:01:54 +0000 (23:01 +0100)]
vsh: Add '--dump-help' option for 'self-test' command
The new option dumps the full help outputs for every command so that
it's possible to conveniently check that subsequent refactors will not
impact any of the external functionality.
No man page entry is needed as the command is internal/undocumented.
Signed-off-by: Peter Krempa <pkrempa@redhat.com> Reviewed-by: Ján Tomko <jtomko@redhat.com>
Peter Krempa [Fri, 1 Mar 2024 14:02:07 +0000 (15:02 +0100)]
virsh: Remove uncommon redundant descriptions of virsh commands
Some description of virsh commands referenced itself in a multi-line
example of usage, which is pointless as virsh help already shows how to
use the command:
.data = N_("Get or set the current memory parameters for a guest"
" domain.\n"
" To get the memory parameters use following command: \n\n"
" virsh # memtune <domain>")
Change it to just state what the command does and leave the example for
the help printer.
Signed-off-by: Peter Krempa <pkrempa@redhat.com> Reviewed-by: Ján Tomko <jtomko@redhat.com>
Peter Krempa [Mon, 4 Mar 2024 14:51:28 +0000 (15:51 +0100)]
vsh: Always assume that command groups are used
None of the clients use the 'command set' approach and other pieces of
code such as the command validator already assume that command groups
are in use. Remove the unused 'command set' stuff.
Signed-off-by: Peter Krempa <pkrempa@redhat.com> Reviewed-by: Ján Tomko <jtomko@redhat.com>
capabilities: Allow suppressing error message from virCapabilitiesDomainSupported()
In a few cases (CH driver) we want
virCapabilitiesDomainSupported() just to check whether given
virtType is supported and report a different error message (that
suggests how to solve the problem). Introduce reportError
argument which makes the function report an error iff set.
Signed-off-by: Michal Privoznik <mprivozn@redhat.com> Reviewed-by: Peter Krempa <pkrempa@redhat.com>
capabilities: Allow suppressing error message from virCapabilitiesDomainDataLookup()
In near future we will want to check whether capabilities for
given virtType exist, but report an error on our own. Introduce
reportError argument which makes the function report an error iff
set.
In one specific case (virQEMUCapsGetDefaultVersion()) we were
even overwriting (more specific) error message reportd by
virCapabilitiesDomainDataLookup(). Drop that too.
Signed-off-by: Michal Privoznik <mprivozn@redhat.com> Reviewed-by: Peter Krempa <pkrempa@redhat.com>
If the host doesn't have /dev/kvm nor /dev/mshv, i.e. CH driver
is unable to run any guests, then an error is reported. But the
usual thing to do here is print an info message into the logs and
return VIR_DRV_STATE_INIT_SKIPPED. It is a recoverable error
after all.
Signed-off-by: Michal Privoznik <mprivozn@redhat.com> Reviewed-by: Peter Krempa <pkrempa@redhat.com>
As of previous commit, the CH driver checks for /dev/kvm and/or
/dev/mshv presence. In order to make chxml2xmltest work
regardless of host configuration, introduce a mock that pretends
both of these files are accessible.
Fixes: 51c14df9670ba2f5d193b700f39e6464e1bc18c6 Signed-off-by: Michal Privoznik <mprivozn@redhat.com> Reviewed-by: Peter Krempa <pkrempa@redhat.com>
Abhiram Tilak [Tue, 5 Mar 2024 19:50:13 +0000 (01:20 +0530)]
storage: Upgrade default qcow2 verion to 1.1
Change the default to modern qcow2 as it's supported by all qemu
versions supported by libvirt and in fact 'qemu-img' already defaults to
the new format for a long time.
Some Unittests require changes to pass, now that version 1.1 is default.
Unittests like `qcow2-1.1.argv` may not be relevant anymore, but this
patch doesn't affect them.
Closes: https://gitlab.com/libvirt/libvirt/-/issues/602 Signed-off-by: Abhiram Tilak <atp.exp@gmail.com> Reviewed-by: Peter Krempa <pkrempa@redhat.com>
Cloud-Hypervisor is capable of running VMs with kvm or mshv as the
hypervisor on Linux Host. Guest to hypevisor ABI with mshv hypervisor is
the same as in the case of VIR_DOMAIN_VIRT_HYPERV. So, VIR_DOMAIN_VIRT_HYPERV
type will be reused to represent the config with Linux Host and mshv as the
hypervisor.
While initializing ch driver, check if either of /dev/kvm or /dev/mshv
device is present on the host. Before starting ch domains, check if the
requested hypervisor device is present on the host.
Users can specify hypervisor in ch guests's domain definitions like
below:
<domain type='kvm'>
_or_
<domain type='hyperv'>
Signed-off-by: Praveen K Paladugu <prapal@linux.microsoft.com> Signed-off-by: Praveen K Paladugu <praveenkpaladugu@gmail.com> Signed-off-by: Michal Privoznik <mprivozn@redhat.com> Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
ch: Add support for `Unix` mode to serial port dev
With Unix mode, pass a socket path to cloud-hypervisor.
Cloud-Hypervisor will attach guest's serial port to this socket path.
Users can connect to the serial port using one of the following commands:
`socat -,crnl UNIX-CONNECT:<path/to/socket>`
OR
`minicom --device unix#<path/to/socket>`
Signed-off-by: Praveen K Paladugu <prapal@linux.microsoft.com> Signed-off-by: Michal Privoznik <mprivozn@redhat.com> Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
projects / libvirt.git / log