Eric Blake [Thu, 6 Jan 2011 19:00:30 +0000 (12:00 -0700)]
build: let xgettext see strings in libvirt-guests
* tools/libvirt-guests.init.in: Rename...
* tools/libvirt-guests.init.sh: ...so that xgettext's language
detection via suffix will work.
* po/POTFILES.in: Update all references.
* tools/Makefile.am (EXTRA_DIST, libvirt-guests.init): Likewise.
Laurent Léonard [Tue, 4 Jan 2011 18:13:56 +0000 (19:13 +0100)]
libvirt-guests: remove bashisms
* tools/libvirt-guests.init.sh: Use only POSIX shell features, which
includes using gettext.sh for translation rather than $"".
* tools/Makefile.am (libvirt-guests.init): Supply a few more substitutions.
* po/POTFILES.in: Mark that libvirt-guests.init needs translation.
Matthias Bolte [Fri, 14 Jan 2011 21:37:55 +0000 (22:37 +0100)]
tests: Remove obsolete secaatest
Before the security driver was refactored in d6623003 seclabeltest and
secaatest were basically the same. seclabeltest was meant for SELinux
and secaatest for AppArmor. Both tests exited early when the specific
security driver backend wasn't enabled.
With the new security manager trying to initialize a disabled security
driver backend is an error that can't be distinguished from other errors
anymore. Therefore, the updated seclabeltest just asks for the first
available backend as this will always work even with SELinux and AppArmor
backend being disabled due to the new Nop backend.
Remove the obsolete secaatest and compile and run the seclabeltest
unconditional.
This fixes make check on systems that support AppArmor.
Eric Blake [Fri, 7 Jan 2011 00:17:32 +0000 (17:17 -0700)]
maint: improve sc_prohibit_strncmp syntax check
* .gnulib: Update, for sc_prohibit_strcmp fix.
* cfg.mk: Adjust copyright; the only FSF portions come from when
this file was copied from coreutils.
(sc_prohibit_strncmp): Copy bug-fixes from sc_prohibit_strcmp.
* .x-sc_prohibit_strcmp: Delete, now that rule is smarter.
* .x-sc_prohibit_strncmp: Likewise.
* Makefile.am (syntax_check_exceptions): Track deletion.
Eric Blake [Wed, 12 May 2010 02:57:56 +0000 (20:57 -0600)]
datatypes: avoid redundant __FUNCTION__
virLibConnError already includes __FUNCTION__ in its output, so we
were redundant. Furthermore, clang warns that __FUNCTION__ is not
a string literal (at least __FUNCTION__ will never contain %, so
it was not a security risk).
* src/datatypes.c: Replace __FUNCTION__ with a descriptive string.
In short, under heavy load, it's possible for qemu's networking to
lock up due to the tap device's default 1MB sndbuf being
inadequate. adding "sndbuf=0" to the qemu commandline -netdevice
option will alleviate this problem (sndbuf=0 actually sets it to
0xffffffff).
Because we must be able to explicitly specify "0" as a value, the
standard practice of "0 means not specified" won't work here. Instead,
virDomainNetDef also has a sndbuf_specified, which defaults to 0, but
is set to 1 if some value was given.
The sndbuf value is put inside a <tune> element of each <interface> in
the domain. The intent is that further tunable settings will also be
placed inside this element.
The existing libvirt support for the vhost-net backend to the virtio
network driver happens automatically - if the vhost-net device is
available, it is always enabled, otherwise the standard userland
virtio backend is used.
This patch makes it possible to force whether or not vhost-net is used
with a bit of XML. Adding a <driver> element to the interface XML, eg:
will force use of vhost-net (if it's not available, the domain will
fail to start). if driver name="qemu", vhost-net will not be used even
if it is available.
If there is no <driver name='xxx'/> in the config, libvirt will revert
to the pre-existing automatic behavior - use vhost-net if it's
available, and userland backend if vhost-net isn't available.
Use the new set_password monitor command to set password.
We try to use that command first when setting a VNC/SPICE password. If
that doesn't work we fallback to the legacy VNC only password
Allow an expiry time to be set, if that doesn't work, throw an error
if they try to use SPICE.
Change since v1:
- moved qemuInitGraphicsPasswords to qemu_hotplug, renamed
to qemuDomainChangeGraphicsPasswords.
- updated what looks like a typo (that appears to work anyway) in
initial patch from Daniel:
- ret = qemuInitGraphicsPasswords(driver, vm,
- VIR_DOMAIN_GRAPHICS_TYPE_SPICE,
- &vm->def->graphics[0]->data.vnc.auth,
- driver->vncPassword);
+ ret = qemuInitGraphicsPasswords(driver, vm,
+ VIR_DOMAIN_GRAPHICS_TYPE_SPICE,
+ &vm->def->graphics[0]->data.spice.auth,
+ driver->spicePassword);
Based on patch by Daniel P. Berrange <berrange@redhat.com>.
I broke 'make check' with commit 04197350 by unconditionally
emitting 'hap=' in xen xm driver. Only emit 'hap=' if
xendConfigVersion >= 3. I've tested sending 'hap=' to a Xen 3.2
machine without support for hap setting and verified that xend
silently drops the unrecognized setting.
Eric Blake [Thu, 13 Jan 2011 16:09:15 +0000 (09:09 -0700)]
qemu: improve device flag parsing
* src/qemu/qemu_capabilities.h (qemuCapsParseDeviceStr): New
prototype.
* src/qemu/qemu_capabilities.c (qemuCapsParsePCIDeviceStrs)
Rename and split...
(qemuCapsExtractDeviceStr, qemuCapsParseDeviceStr): ...to make it
easier to add and test device-specific checks.
(qemuCapsExtractVersionInfo): Update caller.
* tests/qemuhelptest.c (testHelpStrParsing): Also test parsing of
device-related flags.
(mymain): Update expected flags.
* tests/qemuhelpdata/qemu-0.12.1-device: New file.
* tests/qemuhelpdata/qemu-kvm-0.12.1.2-rhel60-device: New file.
* tests/qemuhelpdata/qemu-kvm-0.12.3-device: New file.
* tests/qemuhelpdata/qemu-kvm-0.13.0-device: New file.
It was awkward having only int conversion in the virStrToLong family,
but only long conversion in the virXPath family. Make both families
support both types.
Eric Blake [Wed, 12 Jan 2011 23:26:34 +0000 (16:26 -0700)]
qemu: convert capabilities to use virCommand
* src/qemu/qemu_capabilities.c (qemuCapsProbeMachineTypes)
(qemuCapsProbeCPUModels, qemuCapsParsePCIDeviceStrs)
(qemuCapsExtractVersionInfo): Use virCommand rather than virExec.
Jim Fehlig [Wed, 5 Jan 2011 22:20:01 +0000 (15:20 -0700)]
Add HAP to xen hypervisor capabilities
xen-unstable c/s 16931 introduced a per-domain setting for hvm
guests to enable/disable hardware assisted paging. If disabled,
software techniques such as shadow page tables are used. If enabled,
and the feature exists in underlying hardware, hardware support for
paging is used.
Xen does not provide a mechanism to discover the HAP capability, so
we advertise its availability for hvm guests on Xen >= 3.3.
Jim Fehlig [Wed, 5 Jan 2011 22:16:57 +0000 (15:16 -0700)]
Add support for HAP feature to xen drivers
xen-unstable c/s 16931 introduced a per-domain setting for hvm
guests to enable/disable hardware assisted paging. If disabled,
software techniques such as shadow page tables are used. If enabled,
and the feature exists in underlying hardware, hardware support for
paging is used.
This provides implementation for mapping HAP setting to/from
domxml/native formats in xen drivers.
Jim Fehlig [Wed, 5 Jan 2011 21:56:48 +0000 (14:56 -0700)]
Add HAP to virDomainFeature enum
Extend the virDomainFeature enumeration to include HAP (hardware
assisted paging) feature.
Hardware features such as Extended Page Table and Nested Page
Table augment hypervisor software techniques such as shadow
page table. Adding HAP to the virDomainFeature enumeration
allows users to select between hardware and software memory
management mechanisms for their guests.
Eric Blake [Wed, 12 Jan 2011 20:13:22 +0000 (13:13 -0700)]
tests: virsh is no longer in builddir/src
Commit 870dba0 (Mar 2008) added builddir/src to PATH to pick
up virsh. Later, virsh was moved to tools; commit db68d6b
(Oct 2009) noticed this, but only added the new location rather
than deleting the old location.
* tests/Makefile.am (path_add): Drop now-useless directory.
Suggested by Daniel P. Berrange.
Eric Blake [Wed, 12 Jan 2011 16:12:24 +0000 (09:12 -0700)]
virFindFileInPath: only find executable non-directory
Without this patch, at least tests/daemon-conf (which sticks
$builddir/src in the PATH) tries to execute the directory
$builddir/src/qemu rather than a real qemu binary.
* src/util/util.h (virFileExists): Adjust prototype.
(virFileIsExecutable): New prototype.
* src/util/util.c (virFindFileInPath): Reject non-executables and
directories. Avoid huge stack allocation.
(virFileExists): Use lighter-weight syscall.
(virFileIsExecutable): New function.
* src/libvirt_private.syms (util.h): Export new function.
Wen Congyang [Wed, 12 Jan 2011 06:12:29 +0000 (14:12 +0800)]
report error when specifying wrong desturi
When we do peer2peer migration, the dest uri is an address of the
target host as seen from the source machine. So we must specify
the ip or hostname of target host in dest uri. If we do not specify
it, report an error to the user.
Osier Yang [Wed, 12 Jan 2011 14:44:00 +0000 (22:44 +0800)]
qemu: Reject SDL graphic if it's not supported by qemu
If the emulator doesn't support SDL graphic, we should reject
the use of SDL graphic xml with error messages, but not ignore
it silently, and pretend things are fine.
"-sdl" flag was exposed explicitly by qemu since 0.10.0, more detail:
http://www.redhat.com/archives/libvir-list/2011-January/msg00442.html
And we already have capability flag "QEMUD_CMD_FLAG_0_10", which
could be used to prevent the patch affecting the older versions
of QEMU.
qemu: Watchdog IB700 is not a PCI device (RHBZ#667091).
Skip IB700 when assigning PCI slots.
Note: the I6300ESB watchdog _is_ a PCI device.
To test this: I applied this patch to libvirt-0.8.3-2.fc14 (rebasing
it slightly: qemu_command.c didn't exist in that version) and
installed this on my machine, then tested that I could successfully
add an ib700 watchdog device to a guest, start the guest, and the
ib700 was available to the guest. I also added an i6300esb (PCI)
watchdog to another guest, and verified that libvirt assigned a PCI
device to it, that the guest could be started, and that i6300esb was
present in the guest.
Note that if you previously had a domain with a ib700 watchdog, it
would have had an <address type='pci' .../> clause added to it in the
libvirt configuration. This patch does not attempt to remove this.
You cannot start such a domain -- qemu gives an error if you try.
With this patch you are able to remove the bogus address element
without libvirt adding it back.
Signed-off-by: Richard W.M. Jones <rjones@redhat.com>
Eric Blake [Mon, 10 Jan 2011 22:08:56 +0000 (15:08 -0700)]
network: plug unininitialized read found by valgrind
* src/util/network.c (virSocketAddrMask): Zero out port, so that
iptables can initialize just the netmask then call
virSocketFormatAddr without an uninitialized read in getnameinfo.
Cole Robinson [Thu, 2 Dec 2010 17:15:10 +0000 (12:15 -0500)]
python: Use PyCapsule API if available
On Fedore 14, virt-manager spews a bunch of warnings to the console:
/usr/lib64/python2.7/site-packages/libvirt.py:1781: PendingDeprecationWarning: The CObject type is marked Pending Deprecation in Python 2.7. Please use capsule objects instead.
Have libvirt use the capsule API if available. I've verified this compiles
fine on older python (2.6 in RHEL6 which doesn't have capsules), and
virt-manager seems to function fine.
Cole Robinson [Wed, 5 Jan 2011 21:35:07 +0000 (16:35 -0500)]
remote: Don't lose track of events when callbacks are slow
After the remote driver runs an event callback, it unconditionally disables the
loop timer, thinking it just flushed every queued event. This doesn't work
correctly though if an event is queued while a callback is running.
The events actually aren't being lost, it's just that the event loop didn't
think there was anything that needed to be dispatched. So all those 'lost
events' should actually get re-triggered if you manually kick the loop by
generating a new event (like creating a new guest).
The solution is to disable the dispatch timer _before_ we invoke any event
callbacks. Events queued while a callback is running will properly reenable the
timer.
More info at https://bugzilla.redhat.com/show_bug.cgi?id=624252
The current security driver usage requires horrible code like
if (driver->securityDriver &&
driver->securityDriver->domainSetSecurityHostdevLabel &&
driver->securityDriver->domainSetSecurityHostdevLabel(driver->securityDriver,
vm, hostdev) < 0)
This pair of checks for NULL clutters up the code, making the driver
calls 2 lines longer than they really need to be. The goal of the
patchset is to change the calling convention to simply
if (virSecurityManagerSetHostdevLabel(driver->securityDriver,
vm, hostdev) < 0)
The first check for 'driver->securityDriver' being NULL is removed
by introducing a 'no op' security driver that will always be present
if no real driver is enabled. This guarentees driver->securityDriver
!= NULL.
The second check for 'driver->securityDriver->domainSetSecurityHostdevLabel'
being non-NULL is hidden in a new abstraction called virSecurityManager.
This separates the driver callbacks, from main internal API. The addition
of a virSecurityManager object, that is separate from the virSecurityDriver
struct also allows for security drivers to carry state / configuration
information directly. Thus the DAC/Stack drivers from src/qemu which
used to pull config from 'struct qemud_driver' can now be moved into
the 'src/security' directory and store their config directly.
* src/qemu/qemu_conf.h, src/qemu/qemu_driver.c: Update to
use new virSecurityManager APIs
* src/qemu/qemu_security_dac.c, src/qemu/qemu_security_dac.h
src/qemu/qemu_security_stacked.c, src/qemu/qemu_security_stacked.h:
Move into src/security directory
* src/security/security_stack.c, src/security/security_stack.h,
src/security/security_dac.c, src/security/security_dac.h: Generic
versions of previous QEMU specific drivers
* src/security/security_apparmor.c, src/security/security_apparmor.h,
src/security/security_driver.c, src/security/security_driver.h,
src/security/security_selinux.c, src/security/security_selinux.h:
Update to take virSecurityManagerPtr object as the first param
in all callbacks
* src/security/security_nop.c, src/security/security_nop.h: Stub
implementation of all security driver APIs.
* src/security/security_manager.h, src/security/security_manager.c:
New internal API for invoking security drivers
* src/libvirt.c: Add missing debug for security APIs
Jiri Denemark [Fri, 7 Jan 2011 11:34:12 +0000 (12:34 +0100)]
daemon: Fix core dumps if unix_sock_group is set
Setting unix_sock_group to something else than default "root" in
/etc/libvirt/libvirtd.conf prevents system libvirtd from dumping core on
crash. This is because we used setgid(unix_sock_group) before binding to
/var/run/libvirt/libvirt-sock* and setgid() back to original group.
However, if a process changes its effective or filesystem group ID, it
will be forbidden from leaving core dumps unless fs.suid_dumpable sysctl
is set to something else then 0 (and it is 0 by default).
Changing socket's group ownership after bind works better. And we can do
so without introducing a race condition since we loosen access rights by
changing the group from root to something else.
Laine Stump [Wed, 5 Jan 2011 21:53:03 +0000 (16:53 -0500)]
Don't chown qemu saved image back to root after save if dynamic_ownership=0
When dynamic_ownership=0, saved images must be owned by the same uid
as is used to run the qemu process, otherwise restore won't work. To
accomplish this, qemuSecurityDACRestoreSavedStateLabel() needs to
simply return when it's called.
Eric Blake [Wed, 5 Jan 2011 17:58:35 +0000 (10:58 -0700)]
maint: document dislike of mismatched if/else bracing
* docs/hacking.html.in (Curly braces): Tighten recommendations to
disallow if (cond) one-line; else { block; }.
* HACKING: Regenerate.
Suggested by Daniel P. Berrange.
Laine Stump [Tue, 4 Jan 2011 17:31:40 +0000 (12:31 -0500)]
Log an error on attempts to add a NAT rule for non-IPv4 addresses
Although the upper-layer code protected against it, it was possible to
call iptablesForwardMasquerade() with an IPv6 address and have it
attempt to add a rule to the MASQUERADE chain of ip6tables (which
doesn't exist).
This patch changes that function to check the protocol of the given
address, generate an error log if it's not IPv4 (AF_INET), and finally
hardcodes all the family parameters sent down to lower-level functions.
The crash in that report was coincidentally fixed when we switched
from using inet_pton() to using virSocketParseAddr(), but the absence
of an ip address in a dhcp static host definition was still silently
ignored (and that entry discarded from the saved XML). This patch
turns that into a logged failure; likewise if the entry has neither a
mac address nor a name attribute (the entry is useless without at
least one of those, plus an ip address).
Since the network name is now pulled into this function in order for
those error logs to be more informative, the other error messages in
the function have also been changed to take advantage.
Stefan Berger [Tue, 4 Jan 2011 17:46:10 +0000 (12:46 -0500)]
qemu driver: fix positioning to end of log file
While doing some testing with Qemu and creating huge logfiles I encountered the case where the VM could not start anymore due to the lseek() to the end of the Qemu VM's log file failing. The patch below fixes the problem by replacing the previously used 'int' with 'off_t'.
To reproduce this error, you could do the following:
dd if=/dev/zero of=/var/log/libvirt/qemu/<name of VM>.log bs=1024 count=$((1024*2048))
and you should get an error like this:
error: Failed to start domain <name of VM>
error: Unable to seek to -2147482651 in /var/log/libvirt/qemu/<name of VM>.log: Success
Eric Blake [Mon, 3 Jan 2011 22:26:33 +0000 (15:26 -0700)]
build: avoid compilation warnings
Detected on cygwin:
util/util.c: In function 'virSetUIDGID':
util/util.c:2824: warning: format '%d' expects type 'int', but argument 7 has type 'gid_t' [-Wformat]
(and three other lines)
* src/util/util.c (virSetUIDGID): Cast, as is done elsewhere in
this file, to avoid printf type mismatch warnings.
Chris Wright [Fri, 24 Dec 2010 18:41:52 +0000 (10:41 -0800)]
node_device: udev driver does not handle SR-IOV devices
The udev driver does not update a PCI device with its SR-IOV capabilities,
when applicable, the way the hal driver does. As a result, dumping the
device's XML will not include the relevant physical or virtual function
information.
Eric Blake [Fri, 24 Dec 2010 15:40:42 +0000 (08:40 -0700)]
virExec: fix logic bug
As pointed out in https://bugzilla.redhat.com/show_bug.cgi?id=659855#c9,
commit c3568ec2 introduced a regression where we no longer close any
fd's beyond FD_SETSIZE.
* src/util/util.c (__virExec): Continue to close fd's beyond
keepfd range.
Reported by Stefan Praszalowicz.
Laine Stump [Fri, 31 Dec 2010 11:20:43 +0000 (06:20 -0500)]
Improve virSocketAddrMask[ByPrefix] API
The original version of these functions would modify the address sent
in, meaning that the caller would usually need to copy the address
first. This change makes the original a const, and puts the resulting
masked address into a new arg (which could point to the same
virSocketAddr as the original, if the caller really wants to modify
it).
This also makes the API consistent with virSocketAddrBroadcast[ByPrefix].
Laine Stump [Fri, 31 Dec 2010 08:57:37 +0000 (03:57 -0500)]
Set broadcast address for IPv4 addresses on virtual network bridges
Previously we used ioctl() to set the IP address and netmask of the
bridges used for virtual networks, and apparently the SIOCSIFNETMASK
ioctl implicitly set the broadcast address for the interface. The new
method of using the "ip" command requires broadcast address to be
explicitly specified though.
Laine Stump [Fri, 31 Dec 2010 02:33:24 +0000 (21:33 -0500)]
Utility functions to produce an IPv4 broadcast address
These functions work only for IPv4, becasue IPv6 doesn't have the same
concept of "broadcast address" as IPv4. They merely OR the inverse of
the netmask with the given host address, thus turning on all the host
bits.
Matthias Bolte [Mon, 27 Dec 2010 22:35:30 +0000 (23:35 +0100)]
vbox: Add support for VirtualBox 4.0
Add vboxArrayGetWithUintArg to handle new signature variations. Also
refactor vboxArrayGet* implementation to use a common helper function.
Deal with the incompatible changes in the VirtualBox 4.0 API. This
includes major changes in virtual machine and storage medium lookup,
in RDP server property handling, in session/lock handling and other
minor areas.
VirtualBox 4.0 also dropped the old event API and replaced it with a
completely new one. This is not fixed yet and will be addressed in
another patch. Therefore, currently the domain events are supported
for VirtualBox 3.x only.
Matthias Bolte [Thu, 23 Dec 2010 16:25:56 +0000 (17:25 +0100)]
vbox: Handle different IID representation in Version 2.2 on Windows
On Windows IID's are represented as GUID by value, instead of nsID
by reference on non-Windows platforms.
Patch the vbox_CAPI_v2_2.h header to deal with this difference.
Rewrite vboxIID abstraction that deals with the different IID
representations. Add support for the GUID representation. Also unify
the four context dependent free functions for vboxIIDs
Wen Congyang [Fri, 24 Dec 2010 06:21:48 +0000 (14:21 +0800)]
build: fix building error when building without libvirtd
When I build libvirt without libvirtd, I receive some errors:
cp: cannot stat `/home/wency/rpmbuild/BUILDROOT/libvirt-0.8.6-1.el6.x86_64/etc/libvirt/qemu/networks/default.xml': No such file or directory
My build step:
# ./autogen.sh --without-libvirtd
# make dist
# rpmbuild --nodeps --define "_sourcedir `pwd`" --define "_without_libvirtd 1" -ba libvirt.spec
The reason is we disable network when we do not build libvirt daemon in configure.ac.
After fixing this bug, I build libvirt without libvirtd, I receive other errors:
RPM build errors:
Installed (but unpackaged) file(s) found:
/usr/share/doc/libvirt-0.8.6/html/32favicon.png
/usr/share/doc/libvirt-0.8.6/html/api.html
..
A number of the libvirt APIs require the use of cgroups. This is not
enabled by default on a RHEL6 install. After discussion with cgroups
team, it was decided that upon installation of the libvirt RPM, we
should automatically turn on the cgroups service. This will activate a
default configuration that turns on all cgroups controllers libvirt
requires for full operation.
Laine Stump [Tue, 21 Dec 2010 20:34:41 +0000 (15:34 -0500)]
Replace setuid/setgid/initgroups with virSetUIDGID()
This patch fixes https://bugzilla.redhat.com/show_bug.cgi?id=664406
If qemu is run as a different uid, it has been unable to access mode
0660 files that are owned by a different user, but with a group that
the qemu is a member of (aside from the one group listed in the passwd
file), because initgroups() is not being called prior to the
exec. initgroups will change the group membership of the process (and
its children) to match the new uid.
To make this happen, the setregid()/setreuid() code in
qemuSecurityDACSetProcessLabel has been replaced with a call to
virSetUIDGID(), which does both of those, plus calls initgroups.
Similar, but not identical, code in qemudOpenAsUID() has been replaced
with virSetUIDGID(). This not only consolidates the functionality to a
single location, but also potentially fixes some as-yet unreported
bugs.
Laine Stump [Thu, 23 Dec 2010 06:44:02 +0000 (01:44 -0500)]
new virSetUIDGID() utility function
virSetUIDGID() sets both the real and effective group and user of the
process, and additionally calls initgroups() to assure that the
process joins all the auxiliary groups that the given uid is a member
of.
Laine Stump [Thu, 23 Dec 2010 18:23:42 +0000 (13:23 -0500)]
Preserve errno across calls to error reporting functions & VIR_FREE
There are cases when we want log an error message, and possibly free
some memory as part of the cleanup, while still preserving errno for a
caller, but the functions that log errors, and virFree (VIR_FREE) make
system calls that will clear errno. This patch preserves errno during
those most basic functions (corresponding to virReportSystemError(),
virReportOOMError(), networkReportError(), etc, as well as
virStrError()). It does *not preserve errno across calls to higher
level items such as virDispatchError(), as it's assumed the caller is
all finished with any need for errno by the time it dispatches the
error.
Laine Stump [Mon, 20 Dec 2010 06:14:11 +0000 (01:14 -0500)]
Run radvd for virtual networks with IPv6 addresses
Running an instance of the router advertisement daemon (radvd) allows
guests using the virtual network to automatically acquire an IPv6
address and default route. Note that acquiring an address only works
for networks with a prefix length of exactly 64 - radvd is still run
in other circumstances, and still advertises routes, but autoconf will
not work because it requires exactly 64 bits of address info from the
network prefix.
This patch avoids a race condition with the pidfile by manually
daemonizing radvd rather than allowing it to daemonize itself, then
creating our own pidfile (in addition to radvd's own file, which is
unnecessary, but there is no way to tell radvd to not create it). This
is accomplished by exec'ing it with "--debug 1" in the commandline,
and using virCommand's features to fork, create a pidfile, and detach
from the newly forked process.
Laine Stump [Thu, 16 Dec 2010 20:50:01 +0000 (15:50 -0500)]
Turn on IPv6 support in the bridge_driver.c virtual network driver
At this point everything is already in place to make IPv6 happen, we just
need to add a few rules, remove some checks for IPv4-only, and document
the changes to the XML on the website.
Laine Stump [Wed, 8 Dec 2010 19:09:25 +0000 (14:09 -0500)]
Update iptables.c to also support ip6tables.
All of the iptables functions eventually call down to a single
bottom-level function, and fortunately, ip6tables syntax (for all the
args that we use) is identical to iptables format (except the
addresses), so all we need to do is:
1) Get an address family down to the lowest level function in each
case, either implied through an address, or explicitly when no
address is in the parameter list, and
2) At the lowest level, just decide whether to call "iptables" or
"ip6tables" based on the family.
The location of the ip6tables binary is determined at build time by
autoconf. If a particular target system happens to not have ip6tables
installed, any attempts to run it will generate an error, but that
won't happen unless someone tries to define an IPv6 address for a
network. This is identical behavior to IPv4 addresses and iptables.
Laine Stump [Fri, 10 Dec 2010 21:04:37 +0000 (16:04 -0500)]
Support multiple IP addresses on one network in bridge_driver.c
This patch reorganizes the code in bridge_driver.c to account for the
concept of a single network with multiple IP addresses, without adding
in the extra variable of IPv6. A small bit of code has been
temporarily added that checks all given addresses to verify they are
IPv4 - this will be removed when full IPv6 support is turned on.
Laine Stump [Wed, 17 Nov 2010 18:36:19 +0000 (13:36 -0500)]
Change virtual network XML parsing/formatting to support IPv6
This commit adds support for IPv6 parsing and formatting to the
virtual network XML parser, including moving around data definitions
to allow for multiple <ip> elements on a single network, but only
changes the consumers of this API to accommodate for the changes in
API/structure, not to add any actual IPv6 functionality. That will
come in a later patch - this patch attempts to maintain the same final
functionality in both drivers that use the network XML parser - vbox
and "bridge" (the Linux bridge-based driver used by the qemu
hypervisor driver).
* src/libvirt_private.syms: Add new private API functions.
* src/conf/network_conf.[ch]: Change C data structure and
parsing/formatting.
* src/network/bridge_driver.c: Update to use new parser/formatter.
* src/vbox/vbox_tmpl.c: update to use new parser/formatter
* docs/schemas/network.rng: changes to the schema -
* there can now be more than one <ip> element.
* ip address is now an ip-addr (ipv4 or ipv6) rather than ipv4-addr
* new optional "prefix" attribute that can be used in place of "netmask"
* new optional "family" attribute - "ipv4" or "ipv6"
(will default to ipv4)
* define data types for the above
* tests/networkxml2xml(in|out)/nat-network.xml: add multiple <ip> elements
(including IPv6) to a single network definition to verify they are being
correctly parsed and formatted.
Laine Stump [Thu, 16 Dec 2010 17:36:19 +0000 (12:36 -0500)]
make the <dhcp> element optional in network.rng
In practice this has always been optional, but the RNG has shown it as
mandatory, and since all the examples for make check had it, it was
never noticed. One of the existing test cases has been changed to
check for this.
I also noticed that the dhcp/host/ip was still defined as <text/>,
but should really be <ref name='ipv4-addr'/>
Laine Stump [Tue, 14 Dec 2010 17:14:39 +0000 (12:14 -0500)]
Replace brSetInetAddress/brSetInetNetmask with brAddInetAddress
brSetInetAddress can only set a single IP address on the bridge, and
uses a method (ioctl(SIOCSETIFADDR)) that only works for IPv4. Replace
it and brSetInetNetmask with a single function that uses the external
"ip addr add" command to add an address/prefix to the interface - this
supports IPv6, and allows adding multiple addresses to the interface.
Although it isn't currently used in the code, we also add a
brDelInetAddress for completeness' sake.
Also, while we're modifying bridge.c, we change brSetForwardDelay and
brSetEnableSTP to use the new virCommand API rather than the
deprecated virRun, and also log an error message in bridge_driver.c if
either of those fail (previously the failure would be completely
silent).
Laine Stump [Tue, 30 Nov 2010 20:53:17 +0000 (15:53 -0500)]
Make virtual network netmasks optional
When a netmask isn't specified for an IPv4 address, one can be implied
based on what network class range the address is in. The
virNetworkDefPrefix function does this for us, so netmask isn't
required.
Laine Stump [Tue, 30 Nov 2010 19:35:58 +0000 (14:35 -0500)]
Pass prefix rather than netmask into iptables functions
IPv6 will use prefix exclusively, and IPv4 will also optionally be
able to use it, and the iptables functions really need a prefix
anyway, so use the new virNetworkDefPrefix() function to send prefixes
into iptables functions instead of netmasks.
Also, in a couple places where a netmask is actually needed, use the
new private API function for it rather than getting it directly. This
will allow for cases where no netmask or prefix is specified (it
returns the default for the current class of network.)
Laine Stump [Wed, 15 Dec 2010 06:49:29 +0000 (01:49 -0500)]
Consistently return 0 on success, -1 on failure in bridge_driver.c
Some functions in this file were returning 1 on success and 0 on
failure, and others were returning 0 on success and -1 on
failure. Switch them all to return the libvirt-preferred 0/-1.
Laine Stump [Tue, 14 Dec 2010 20:01:10 +0000 (15:01 -0500)]
Fix logging of failed iptables commands
The functions in iptables.c all return -1 on failure, but all their
callers (which all happen to be in bridge_driver.c) assume that they
are returning an errno, and the logging is done accordingly. This
patch fixes all the error checking and logging to assume < 0 is an
error, and nothing else.
Laine Stump [Fri, 26 Nov 2010 22:20:37 +0000 (17:20 -0500)]
New virNetworkDef utility functions
Later patches will add the possibility to define a network's netmask
as a prefix (0-32, or 0-128 in the case of IPv6). To make it easier to
deal with definition of both kinds (prefix or netmask), add two new
functions:
virNetworkDefNetmask: return a copy of the netmask into a
virSocketAddr. If no netmask was specified in the XML, create a
default netmask based on the network class of the virNetworkDef's IP
address.
virNetworkDefPrefix: return the netmask as numeric prefix (or the
default prefix for the network class of the virNetworkDef's IP
address, if no netmask was specified in the XML)
projects / libvirt.git / log