However, there are some constraints resulting from the
implementation. For instance, System Management Mode (SMM) is
required to be enabled, the machine type must be q35-2.4 or
later, and the guest should be x86_64. While technically it is
possible to have 32 bit guests with secure boot, some non-trivial
CPU flags tuning is required (for instance lm and nx flags must
be prohibited). Given complexity of our CPU driver, this is not
trivial. Therefore I've chosen to forbid 32 bit guests for now.
If there's ever need, we can refine the check later.
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Michal Privoznik [Wed, 13 Jul 2016 07:22:51 +0000 (09:22 +0200)]
Introduce @secure attribute to os loader element
This element will control secure boot implemented by some
firmwares. If the firmware used in <loader/> does support the
feature we must tell it to the underlying hypervisor. However, we
can't know whether loader does support it or not just by looking
at the file. Therefore we have to have an attribute to the
element where users can tell us whether the firmware is secure
boot enabled or not.
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Michal Privoznik [Wed, 13 Jul 2016 12:09:20 +0000 (14:09 +0200)]
Introduce SMM feature
Since its release of 2.4.0 qemu is able to enable System
Management Module in the firmware, or disable it. We should
expose this capability in the XML. Unfortunately, there's no good
way to determine whether the binary we are talking to supports
it. I mean, if qemu's run with real machine type, the smm
attribute can be seen in 'qom-list /machine' output. But it's not
there when qemu's run with -M none. Therefore we're stuck with
version based check.
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Michal Privoznik [Wed, 13 Jul 2016 11:57:17 +0000 (13:57 +0200)]
qemuBuildMachineCommandLine: Follow our pattern
We use 'goto cleanup' for a reason. If a function can exit at
many places but doesn't follow the pattern, it has to copy the
free code in multiple places.
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Andrea Bolognani [Fri, 29 Jul 2016 12:47:40 +0000 (14:47 +0200)]
tests: qemuxml2xml: Use WHEN_BOTH for most tests
A bunch of cases were only being tested for WHEN_ACTIVE or
WHEN_INACTIVE. Use WHEN_BOTH for all except the very few that
actually require the existing setup.
virObjectEventNew: Use virObjectUnref() to free virObjectEvent
While no leak was observed yet, there might be one if
virObjectEventClass is ever derived from another class. Because
in that case plain VIR_FREE() will not call dispose() from parent
classes possibly leaking some memory.
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
In the cleanup path, @vm cannot be possibly NULL. If it were so,
we would receive SIGSEGV much earlier. At the beginning of the
function we do libxlDomainObjBeginJob(.., vm, ..); and so on.
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
In our attempts to reconnect, we may create a polkit daemon.
However, it may happen that we would rewrite the variable that
already holds pointer to the agent.
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
securityselinuxlabeltest: Prefer virGetLastErrorMessage() over virGetLastError
At the beginning of the test, some preparation work is done. For
instance new virSecurityManager is created. If this fails for
whatever reason, we try to fetch the latest error and print the
error message contained in it. However, if there's a bug in our
code and no error is reported, this approach will lead to crash,
while with virGetLastErrorMessage() it won't.
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
virqemu: Reflect return type of virJSONValueArraySize()
The virJSONValueArraySize() function return ssize_t (with
possibly returning -1 if the passed json is not an array).
Storing the return value into size_t is possibly dangerous then.
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Peter Krempa [Mon, 1 Aug 2016 05:35:50 +0000 (07:35 +0200)]
qemu: domain: Simplify return values of qemuDomainRefreshVcpuInfo
Call the vcpu thread info validation separately to decrease complexity
of returned values by qemuDomainRefreshVcpuInfo.
This function now returns 0 on success and -1 on error. Certain
failures of qemu to report data are still considered as success. Any
error reported now is fatal.
Peter Krempa [Fri, 8 Jul 2016 13:39:32 +0000 (15:39 +0200)]
qemu: domain: Improve vCPU data checking in qemuDomainRefreshVcpu
Validate the presence of the thread id according to state of the vCPU
rather than just checking the vCPU count. Additionally put the new
validation code into a separate function so that the information
retrieval can be split from the validation.
Jim Fehlig [Tue, 2 Aug 2016 23:36:34 +0000 (17:36 -0600)]
libxl: allow libxl to calculate shadow mem requirements
Long, long ago before libxl_get_required_shadow_memory() was
made publicly available, its code was copied to the libxl driver
for calculating shadow memory requirements of HVM domains.
Long ago, libxl_get_required_shadow_memory() was exported in
libxl_utils.h and included in xen-devel packages everywhere.
Remove the copied code, which has become stale, and let libxl
provode a proper shadow memory value.
Add support for IOThread quota/bandwidth and period parameters for non
session mode. If in session mode, then error out. Uses all the same
places where {vcpu|emulator|global}_{period|quota} are adjusted and
adds the iothread values.
Add the definitions to allow for viewing/setting cgroup period and quota
limits for IOThreads.
This is similar to the work done for emulator quota and period by
commit ids 'b65dafa' and 'e051c482'.
Being able to view/set the IOThread specific values is related to more
recent changes adding global period (commmit id '4d92d58f') and global
quota (commit id '55ecdae') definitions and qemu support (commit id
'4e17ff79' and 'fbcbd1b2'). With a global setting though, if somehow
the IOThread value in the cgroup hierarchy was set "outside of libvirt"
to a value that is incompatible with the global value.
Allowing control over IOThread specific values provides the capability
to alter the IOThread values as necessary.
Don't error when attaching security label of model "none"
If you invoke virDomainLxcEnterSecurityLabel() on security
model of "none" it will report an error. Logically a "none"
security model should be treated as a no-op, so we should
just return success immediately, instead of an error.
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
Peter Krempa [Mon, 1 Aug 2016 04:13:39 +0000 (06:13 +0200)]
virsh: qemu-monitor-command: Don't print extra newline with --pretty
The prettified JSON string already contains a newline so don't print
another one. This allows to pipe the json output (in conjunction with
the --quiet option) to files without having to truncate them afterwards.
Peter Krempa [Tue, 2 Aug 2016 07:11:33 +0000 (09:11 +0200)]
tests: Make schema test fail on XML schema errors
Failure to parse the schema file would not trigger a test suite failure.
In addition to making the test fail it's necessary to split up the
parsing of the schema file into a separate test.
This is necessary as the XML validator uses libvirt errors to report
problems parsing of the actual schema RNG needs to be split out into a
separate function and called via virTestRun which has the
infrastructure to report them.
Rather than pass the whole drive string (which contained the alias),
pass only the alias for the qemuMonitorDriveDel call in the error
path when adding a host device in the monitor fails.
John Ferlan [Wed, 29 Jun 2016 17:34:00 +0000 (13:34 -0400)]
qemu: Make QEMU_DRIVE_HOST_PREFIX more private
Move QEMU_DRIVE_HOST_PREFIX into the qemu_alias.c to dissuade future
callers from using it. Create qemuAliasDiskDriveSkipPrefix in order
to handle the current consumers that desire to check if an alias has
the drive- prefix and "get beyond it" in order to get the disk alias.
John Ferlan [Mon, 1 Aug 2016 12:11:44 +0000 (08:11 -0400)]
qemu: Remove generation of drive alias from qcow passphrase backends
Rather than pass the disks[i]->info.alias to qemuMonitorSetDrivePassphrase
and then generate the "drive-%s" alias from that, let's use qemuAliasFromDisk
prior to the call to generate the drive alias and then pass that along
thus removing the need to generate the alias from the monitor code.
Node device lifecycle event API entry points for registering and
deregistering node deivce events, as well as types of events
associated with node device.
These entry points will be used for implementing asynchronous
lifecycle events.
Node device API:
virConnectNodeDeviceEventRegisterAny
virConnectNodeDeviceEventDeregisterAny
virNodeDeviceEventLifecycleType which has events CREATED and DELETED
qemu: Set fake reboot flag to false when mode=agent
As commit id 'e2b86f580' notes, when mode=agent possibly setting the
fake reboot flag to true wouldn't be necessary; however, it doesn't
"force" the issue by just ensuring the fake reboot is false, so this
patch adds the explicit setting for the reboot path.
More investigation and details can be found in commit id '8be502fd'
as well as in the archives at:
qemu: Set fake reboot flag only in acpi mode for shutdown
Conditional setting of the fake reboot flag should only happen for
the acpi mode shutdown path; however, for the agent mode shutdown,
the fake reboot should be cleared. This patch will essentially revert
commit id '8be502fd', but adds an explicit setting of the flag to false
when using mode=agent while also only conditionally setting the reboot
flag if the guest went away. This also avoids an issue where a shutdown
with reboot semantics is done from agent mode which sets the reboot
flag followed by a shutdown from within the guest which would result
in a reboot due to the fake reboot flag being set. The change will
also properly handle the cases described in the following archive post:
Commit id '44304c6eb' added the API libxlDomainAttachControllerDevice
inside a conditional LIBXL_HAVE_PVUSB, but called that function outside
the conditional in libxlDomainAttachDeviceLive.
Similarly, the API libxlDomainDetachControllerDevice was added inside a
conditional LIBXL_HAVE_PVUSB, but called outside the conditional in
libxlDomainDetachDeviceLive.
This patch adds the conditional LIBXL_HAVE_PVUSB around those two calls
from within the switch.
Erik Skultety [Wed, 20 Jul 2016 10:39:50 +0000 (12:39 +0200)]
rpc: virnetserver: Remove dead code checking the client limits
Prior to commit 2737aaaf, we allowed every client to connect successfully,
however, if accepting a client would eventually lead to an overcommit of the
limits, we would disconnect it immediately with "Too many active clients,
dropping connection from...". Recent changes refactored the code in a way, that
it is not possible for the client-related callback to be dispatched and the
client to be accepted if the limits wouldn't permit to do so, therefore a check
if a connection should be dropped due to limits violation has become a dead
code that could be removed.
Signed-off-by: Erik Skultety <eskultet@redhat.com>
Erik Skultety [Wed, 20 Jul 2016 10:10:29 +0000 (12:10 +0200)]
admin: rpc: virnetserver: Fix updating of the client limits
Commit 2737aaaf changed our policy for accepting new clients in a way, that
instead of accepting new clients only to disconnect them immediately, since
that would overcommit the limit, we temporarily disable polling for the
dedicated file descriptor, so any new connection will queue on the socket.
Commit 8b1f0469 then added the possibility to change the limits during runtime
but it didn't re-enable polling for the previously disabled file descriptor,
thus any new connection would still continue to queue on the socket. This patch
forces an update of the services each time the limits were changed in some way.
Erik Skultety [Wed, 20 Jul 2016 08:36:06 +0000 (10:36 +0200)]
rpc: virnetserver: Add code to CheckLimits to handle suspending of services
So far, virNetServerCheckLimits was only used to possibly re-enable accepting
new clients that might have previously been disabled due to client limits
violation (max_clients, max_anonymous_clients). This patch refactors
virNetServerAddClient, which is currently the only place where the services get
disabled, in order to use the virNetServerCheckLimits helper instead of
checking the limits by itself.
Signed-off-by: Erik Skultety <eskultet@redhat.com>
Erik Skultety [Wed, 20 Jul 2016 08:17:19 +0000 (10:17 +0200)]
rpc: virnetserver: Move virNetServerCheckLimits which is static up in the file
Since virNetServerAddClient checks for the limits in order to temporarily
suspend the services, thus not accepting any more clients, there is no reason
why virNetServerCheckLimits, which is only responsible for re-enabling
previously disabled services according to the limits, could not do both. To be
able to do that however, it needs to be moved up in the file since it's static
(and because it's just a helper and there's only one caller it should remain
static).
Signed-off-by: Erik Skultety <eskultet@redhat.com>
In case of error, libxlReconnectDomain may call
virDomainObjListRemoveLocked. However it has no local reference on
the domain object, leading to segfault. Get a reference to the domain
object at the start of the function and release it at the end to avoid
problems.
This commit also factorizes code between the error and normal ends.
Chunyan Liu [Wed, 15 Jun 2016 06:00:14 +0000 (14:00 +0800)]
qemuDomainDeviceDefPostParse: add USB controller model check
To sync with virDomainControllerModelUSB, we add two models
in qemuControllerModelUSB 'qusb1' and 'qusb2', but those
models are not supported in qemu driver. So add check in
device post parse to report errors if 'qusb1' and 'qusb2'
are specified.
Chunyan Liu [Wed, 15 Jun 2016 06:00:12 +0000 (14:00 +0800)]
xenconfig: add conversion of usb controller config to and from xml
libxl configuration files conversion can now handle USB controllers.
When parting libxl config file, USB controllers with type PV are
ignored as those aren't handled.
Chunyan Liu [Wed, 15 Jun 2016 06:00:11 +0000 (14:00 +0800)]
libxl: check available controller and port when hotplugging USB device
When hotplugging a USB device, check if there is an available controller
and port, if not, automatically create a USB controller of version
2.0 and 8 ports.
Chunyan Liu [Wed, 15 Jun 2016 06:00:09 +0000 (14:00 +0800)]
libxl: support USB controllers in creation time
To support USB Controller in xen guest domains, just add
USB controller in domain config xml as following:
<controller type='usb' model='qusb2' ports='4'/>
Chunyan Liu [Wed, 15 Jun 2016 06:00:08 +0000 (14:00 +0800)]
extend usb controller model to support xen pvusb
According to libxl implementation, it supports pvusb
controller of version 1.1 and version 2.0, and it
supports two types of backend, 'pvusb' (dom0 backend)
and 'qusb' (qemu backend). But currently pvusb backend
is not checked in yet.
To match libxl support, extend usb controller schema
to support two more models: qusb1 (qusb, version 1.1)
and 'qusb2' (qusb version 2.0).
Let's cleanly differentiate what wiping a volume does for ploop and
other volumes so it's more readable what is done for each one instead of
branching out multiple times in different parts of the same function.
Signed-off-by: Martin Kletzander <mkletzan@redhat.com>
storage: Use path instead of volume as an argument
Some functions use volume specification merely to use the target path
from it. Let's change it to pass the path only so that it can be used
for other files than just volumes.
Signed-off-by: Martin Kletzander <mkletzan@redhat.com>
qemu: Fix support for startupPolicy with volume/pool disks
Until now we simply errored out when the translation from pool+volume
failed. However, we should instead check whether that disk is needed or
not since there is an option for that.
qemu: Make qemuDomainCheckDiskStartupPolicy self-contained
There is an error reset following the function and check for
startupPolicy before that. Let's reflect those things inside that
function so that future code doesn't have to be that complex.
Signed-off-by: Martin Kletzander <mkletzan@redhat.com>
Erik Skultety [Thu, 28 Jul 2016 14:42:04 +0000 (16:42 +0200)]
daemon: sasl: Don't forget to save SASL username to client's identity
Once the SASL authentication process has successfully passed, we should also
save the SASL username used to client's identity, so that when a client like
virt-admin tries to obtain it, the server will actually format the username to
the response data.
Signed-off-by: Erik Skultety <eskultet@redhat.com>
Erik Skultety [Tue, 19 Jul 2016 06:55:31 +0000 (08:55 +0200)]
admin: Retrieve the SASL context for both local and remote connection
When commit 4a0e9108 added a support for client information retrieval, it made
the API return SASL identity info only for clients connected remotely, yet SASL
can be happily used with UNIX sockets as well.
Signed-off-by: Erik Skultety <eskultet@redhat.com>
When wiping a volume we just rewrite all the data of the volume, not
only the content. Since format gets overridden, we need to recreate the
volume. However we can't do that for every possible format out there.
Since it was only coded for the ploop volume type, let's document what
might be the consequences instead of forbidding it for every other
format out there.
The only function that we currently use from glib is g_sprintf().
That's a very big gun for such small target. Not only that, but
we've silently relied on wireshark dragging in the glib. Replace
the g_sprintf() with plain sprinf() so that we can drop the glib
dependency.
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
This patch reflects cases when <interface> element and its <source>
subelement for network type are formated based on actual type resolved
from referenced network instead of original one. networkAllocateActualDevice
and virDomainActualNetDefContentsFormat are taken as reference.
Ever since virDomainCreateWithFlags() was introduced by de3aadaa
[drivers: add virDomainCreateWithFlags if virDomainCreate exists], the
domain ID retrieved with virDomainGetID() was incorrect for several
drivers after virDomainCreateWithFlags() was called. The API consumer
had to look up the domain anew to retrieve the correct ID.
For the ESX driver, this was fixed in 6139b274 [esx: Update ID after
starting a domain]. For the openvz driver, it was fixed in fd81a097
[openvzDomainCreateWithFlags: set domain id to the correct value]. The
test driver, the OpenNebula driver (removed in the meantime) and the
vbox driver were already updating the domain ID correctly in
domainCreate().
Copy over the ID in qemuDomainCreateWithFlags() to fix this for the qemu
driver, too.
Fixes: de3aadaa ("drivers: add virDomainCreateWithFlags if virDomainCreate exists") Reported-by: Marc Hartmayer <mhartmay@linux.vnet.ibm.com> Signed-off-by: Sascha Silbe <silbe@linux.vnet.ibm.com> Tested-by: Marc Hartmayer <mhartmay@linux.vnet.ibm.com> Reviewed-by: Marc Hartmayer <mhartmay@linux.vnet.ibm.com>
Peter Krempa [Fri, 29 Jul 2016 16:06:51 +0000 (18:06 +0200)]
tests: qemu: Don't leak security manager object
==2064442== 200 (88 direct, 112 indirect) bytes in 1 blocks are definitely lost in loss record 54 of 73
==2064442== at 0x4C2E0F0: calloc (vg_replace_malloc.c:711)
==2064442== by 0x18E75B80: virAllocVar (viralloc.c:560)
==2064442== by 0x18EC43B0: virObjectNew (virobject.c:193)
==2064442== by 0x18EC476E: virObjectLockableNew (virobject.c:219)
==2064442== by 0x1906BC73: virSecurityManagerNewDriver (security_manager.c:93)
==2064442== by 0x1906C076: virSecurityManagerNewStack (security_manager.c:115)
==2064442== by 0x43CC39: qemuTestDriverInit (testutilsqemu.c:548)
==2064442== by 0x4337ED: mymain (qemumonitorjsontest.c:2440)
==2064442== by 0x43BABE: virTestMain (testutils.c:982)
==2064442== by 0x43A490: main (qemumonitorjsontest.c:2558)
Whats wrong you ask? The @model attribute. This should result in
an error thrown into users faces during virDomainDefine phase.
Except it doesn't. The XML validation catches this error, but if
users chose to ignore that, they will end up with invalid XML.
Well, they won't be able to start the machine - that's when error
is produced currently. But it would be nice if we could catch the
error like this earlier.
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Erik Skultety [Wed, 27 Jul 2016 11:23:03 +0000 (13:23 +0200)]
admin: Fix default uri config option name s/admin_uri_default/uri_default
The original name 'admin_uri_default' was introduced to our code by commit dbecb87f. However, at that time we already had a separate config file for
admin library but the commit mentioned above didn't properly adjust the
config's option name. The result is that when we're loading the config, we
check a non-existent config option (there's not much to do with the URIs
anyway, since we only allow local connection). Additionally, virt-admin's man
page documents, that the default URI can be altered by setting
admin_uri_default option. So the fix proposed by this patch leaves the
libvirt-admin.conf as is and adjusts the naming in the code as well as in the
virt-admin's man page.
Signed-off-by: Erik Skultety <eskultet@redhat.com>
Michal Privoznik [Thu, 28 Jul 2016 08:21:45 +0000 (10:21 +0200)]
wireshark: Adapt to dissector function header change
In wireshark commit bbdd89b9 (contained in 2.1.0 release) they
have changed prototype of dissector function. Now it returns
number of bytes consumed by the dissector, and can get a pointer
to user specified data (which we don't use).
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
projects / libvirt.git / log