Laine Stump [Tue, 16 Nov 2021 17:19:18 +0000 (12:19 -0500)]
util: eliminate pointless switch in virFirewallApplyRule
Since commit b19863640 both useful cases of the switch statement in
this function have made the same call (and the other/default case is
just an error that can never happen). Eliminate the switch to help
eliminate use of currentBackend.
Signed-off-by: Laine Stump <laine@redhat.com> Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
Laine Stump [Mon, 15 Nov 2021 18:28:12 +0000 (13:28 -0500)]
tests: document why virgdbus must be mocked in networkxml2firewalltest.c
It isn't intuitive (to me) that a test just converting xml text into
iptables commands should need to call dbus, so rather than forcing the
next person to look through the commit logs and/or run the test under
gdb to understand why this is needed, just add a short comment in the
source.
Signed-off-by: Laine Stump <laine@redhat.com> Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
Laine Stump [Sun, 14 Nov 2021 20:50:26 +0000 (15:50 -0500)]
tests: remove firewalld backend tests from virfirewalltest.c
When libvirt added support for firewalld, all iptables/ebtables rules
were added via the firewalld "passthrough" API when firewalld was
enabled (the "firewalld backend"), or run directly by libvirt when
firewalld was disabled (the so-called "direct
backend"). virfirewalltest.c dutifully ran each test twice, once with
the each backend enabled.
But commit b19863640d changed the code to *always* directly run
iptables/ebtables commands, and never use the firewalld passthrough
API, effectively making the direct and firewalld backends identical,
except that when libvirt receives notice that firewalld has restarted
or reloaded its rules, the firewalld backend sends an extra "iptables
-V" command via firewalld's passthrough API (and waits for a response)
prior to running all the rest of the iptables commands directly; this
assures that a newly-restarted firewalld has finished its work on the
filter tables before libvirt starts messing with it. (Because this
code is only executed in response to an event from dbus, it isn't
tested in the unit tests).
In spite of this, we still go through all the virfirewall tests twice
though - once for the direct backend, and once for the firewalld
backend, even though these take the same codepath.
In commit b19863640d I had left this double-testing in thinking that
someday we might go back to actually doing something useful with the
firewalld backend in the course of adding support for native nftables,
but I've now realized that for the case of nftables we will be *even
more* divorced from firewalld, so there is really no point in keeping
this code around any longer. (It's likely/probable that the tests will
be done twice again in the future, but it will be enough different
that it is better to remove this code and re-implement from scratch
when adding the nftables backend, rather than trying to directly
modify the existing code and end up with something even more
confusing).
This patch eliminates all the test duplication in virfirewalltest.c,
including mocking dbus, which is unnecessary since none of the tests
use dbus (for now we ensure that by explicitly setting the virfirewall
backend to DIRECT before any of the tests have run. Eventually the
concept of a "firewalld backend" will disappear completely, but that's
for another patch.)
Signed-off-by: Laine Stump <laine@redhat.com> Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
Laine Stump [Tue, 9 Nov 2021 20:18:42 +0000 (15:18 -0500)]
util: rename iptables operators to something less generic
Rather than calling these "ADD" and "REMOVE", which could be confused
with some other random items with the same names, make them more
specific by prepending "VIR_NETFILTER_" (because they will also be
used by the nftables backend) and rename them to match the
iptables/nftables operators they signify, i.e. INSERT and DELETE, just
to eliminate confusion (in particular, in case someone ever decides
that we need to also use the nftables "add" operator, which appends a
rule to a chain rather than inserting it at the beginning of the
chain).
Signed-off-by: Laine Stump <laine@redhat.com> Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
Laine Stump [Sun, 14 Nov 2021 18:09:47 +0000 (13:09 -0500)]
util: rename/move iptablesFormatNetwork to virSocketAddrFormatWithPrefix
This function formats an address + prefix as, e.g. 192.168.122.0/24,
which is useful in places other than iptables. Move it to
virsocketaddr.c and make it public so that others can use it. While
moving, the bit that masks off the host bits of the address is made
optional, so that the function is more generally useful.
Signed-off-by: Laine Stump <laine@redhat.com> Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
Laine Stump [Mon, 8 Nov 2021 17:15:29 +0000 (12:15 -0500)]
network: eliminate code that uses default iptables chains
The network driver has put all its rules into private chains (created
by libvirt) since commit 7431b3eb9a, which was included in
libvirt-5.1.0. When the conversion was made, code was included that
would attempt to delete existing rules in the default chains, to make
it possible to upgrade libvirt without restarting the host OS.
Almost 3 years has passed, and it is doubtful that anyone will be
attempting to upgrade directly from a pre-5.1.0 libvirt to something
as new as 8.0.0 (possibly with the exception of upgrading the entire
OS to a new release, which would include also rebooting), so it is now
safe to remove this code.
Signed-off-by: Laine Stump <laine@redhat.com> Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
Michal Privoznik [Tue, 30 Nov 2021 12:37:54 +0000 (13:37 +0100)]
qemu: Validate TCG feature is enabled only for TCG domains
After previous commit it's possible for domains to fine tune TCG
features (well, just one - tb-cache). Check that domain has TCG
enabled, otherwise the feature makes no sense.
Signed-off-by: Michal Privoznik <mprivozn@redhat.com> Reviewed-by: Peter Krempa <pkrempa@redhat.com>
It may come handy to be able to tweak TCG options, in this
specific case the size of translation block cache size (tb-size).
Since we can expect more knobs to tweak let's put them under
common element, like this:
When using the monolithic daemon the driver for virStream is
always virFDStreamDrv and thus calling virStreamInData() results
in calling virFDStreamInData().
But things are different with split daemon, especially when a
client connects to one of hypervisor daemons (e.g. virtqemud) and
then lets the daemon connect to the storage daemon for
vol-upload/vol-download. Here, the hypervisor daemon acts like
both client and server. This is reflected by stream->driver
pointing to remoteStreamDrv, which doesn't have streamInData
callback implemented and thus vol-upload/vol-download with sparse
flag fails.
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2026537 Signed-off-by: Michal Privoznik <mprivozn@redhat.com> Reviewed-by: Martin Kletzander <mkletzan@redhat.com>
The aim of this function is to look at a virNetClientStream and
tell whether the incoming packet (if there's one) contains data
(type VIR_NET_STREAM) or a hole (type VIR_NET_STREAM_HOLE) and
how big the section is. This function will be called from the
remote driver in one of future commits.
Signed-off-by: Michal Privoznik <mprivozn@redhat.com> Reviewed-by: Martin Kletzander <mkletzan@redhat.com>
virStreamInData: Allow callback to not rewind the stream
So far, virStreamInData() is effectively a wrapper over
virFDStreamInData() which means it deals with files which can be
rewound (lseek()-ed) to whatever position we need. And in fact,
that's what virFDStreamInData() does - it makes sure that the FD
is left unchanged in terms of position in the file. Skipping the
hole happens soon after - in daemonStreamHandleRead() when
virStreamSendHole() is called.
But this is about to change. Soon we will have another implementation
where we won't be dealing with FDs but virNetMessage queue and it will
be handy to pop message at the beginning of the queue. Implement and
document this new behavior.
Signed-off-by: Michal Privoznik <mprivozn@redhat.com> Reviewed-by: Martin Kletzander <mkletzan@redhat.com>
Andrea Bolognani [Sat, 11 Dec 2021 00:10:40 +0000 (01:10 +0100)]
nss: Use shared_library() for nss_libvirt_lib
shared_module() is intended for shared objects that are
loaded at runtime using dlopen() whereas NSS plugins need to
be full-fledged shared libraries with, among other things, a
proper SONAME.
Meson seems to have become more strict about this recently,
because libnss_libvirt.so.2 gets a SONAME when I build it with
Meson 0.59.4 on Fedora 34 but doesn't when I use Meson 0.60.2
on Debian testing instead.
Either way, shared_library() was always the right function
to use for NSS plugins.
Fixes: 36780c931900555706fd6db9fc2ce2b4cabf9045 Signed-off-by: Andrea Bolognani <abologna@redhat.com> Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
Michal Privoznik [Mon, 13 Dec 2021 11:17:14 +0000 (12:17 +0100)]
qemuProcessPrepareHost: Create domain private dirs as early as possible
As of ff024b60cc3 we are opening chardevs before starting QEMU.
However, we are also doing that before domain private directories
are created. This leaves us unable to create guest agent socket
which lives under priv->channelTargetDir.
While creating the dirs can be moved just before
qemuProcessPrepareHostBackendChardev() it's better to do it as
the very first step so that this kind of error is prevented in
future.
Fixes: ff024b60cc39d5d41b1e68728a00a47e103ec4dd Signed-off-by: Michal Privoznik <mprivozn@redhat.com> Reviewed-by: Ján Tomko <jtomko@redhat.com> Reviewed-by: Martin Kletzander <mkletzan@redhat.com>
Andrea Bolognani [Fri, 10 Dec 2021 10:05:54 +0000 (11:05 +0100)]
virt-qemu-run: Improve manual page
Specifically:
* use the correct notation and markup for commands, options
and arguments;
* rename arguments meta-variables to be more descriptive;
* sort options so that the most common ones come first;
* use consistent vertical spacing;
* fix a typo.
Signed-off-by: Andrea Bolognani <abologna@redhat.com> Reviewed-by: Ján Tomko <jtomko@redhat.com>
Andrea Bolognani [Fri, 10 Dec 2021 10:59:33 +0000 (11:59 +0100)]
virt-ssh-helper: Improve usage information
Specifically:
* include non-option argument 'URI' in usage summary;
* mention that it's an internal tool not meant to be
called directly;
* exit earlier if required arguments are absent.
Signed-off-by: Andrea Bolognani <abologna@redhat.com> Reviewed-by: Ján Tomko <jtomko@redhat.com>
Andrea Bolognani [Fri, 10 Dec 2021 13:53:31 +0000 (14:53 +0100)]
virt-ssh-helper: Don't use optind
It's a getopt interface and we're not using getopt, at least
directly, so even though it works relying on it feels wrong.
GOption takes care of removing any trace of the arguments it
consumes from argc and argv, leaving behind only non-option
arguments, so we can just use those standard variables.
Signed-off-by: Andrea Bolognani <abologna@redhat.com> Reviewed-by: Ján Tomko <jtomko@redhat.com>
Jiri Denemark [Thu, 2 Dec 2021 14:43:27 +0000 (15:43 +0100)]
qemu: Enable unprivileged userfaultfd for post-copy migration
Userfaultfd is by default allowed only for privileged processes. Since
libvirt runs QEMU unprivileged, we need to enable unprivileged access to
userfaultfd to enable post-copy migration.
Peter Krempa [Wed, 8 Dec 2021 09:07:44 +0000 (10:07 +0100)]
qemu: Implement chardev source setup for disk
Add handling to qemuDomainDeviceBackendChardevForeachOne and callbacks
so that we can later use 'qemuBuildChardevCommand' for vhost-user disks
instead of a custom formatter.
Since we don't pass the FD for the vhost-user connection to qemu all of
the setup can be skipped.
Signed-off-by: Peter Krempa <pkrempa@redhat.com> Reviewed-by: Ján Tomko <jtomko@redhat.com>
Peter Krempa [Mon, 22 Nov 2021 13:41:23 +0000 (14:41 +0100)]
qemu: Store TLS config options for chardevs in qemuDomainChrSourcePrivate
When setting up TLS options from config in qemuDomainPrepareChardevSourceOne
we can also extract the x509 certificate path and default tlsVerify
setting so that 'qemuBuildChardevCommand' doesn't need to access the
config object any more.
Signed-off-by: Peter Krempa <pkrempa@redhat.com> Reviewed-by: Ján Tomko <jtomko@redhat.com>
Peter Krempa [Fri, 19 Nov 2021 16:35:21 +0000 (17:35 +0100)]
qemuBuildChardevCommand: Split creation of the command and setup of other objects
Completely seprate the creation of the commandline string from the setup
of other objects instantiated on the commandline.
'qemuBuildChardevCommand' will aggregate the setup of individual
parameters such as -add-fd and setup of TLS and the -chardev parameter
itself while the code formatting the commandline will be moved into
qemuBuildChardevStr.
'fdset' names are then stored in qemuDomainChrSourcePrivate.
Signed-off-by: Peter Krempa <pkrempa@redhat.com> Reviewed-by: Ján Tomko <jtomko@redhat.com>
Peter Krempa [Thu, 4 Nov 2021 12:59:47 +0000 (13:59 +0100)]
qemuBuildChrChardevStr: Directly generate command line
'qemuBuildChrChardevStr' used a hybrid approach where some arguments
were directly added to '@cmd' while the commandline itself was returned
as a string.
This patch renames qemuBuildChrChardevStr to qemuBuildChardevCommand
and adds the argument directly to @cmd inside the function.
Signed-off-by: Peter Krempa <pkrempa@redhat.com> Reviewed-by: Ján Tomko <jtomko@redhat.com>
Peter Krempa [Mon, 15 Nov 2021 16:00:56 +0000 (17:00 +0100)]
qemuxml2argvtest: Add _LATEST version for 'name-escape' case
It was impossible to use _LATEST when commit d7c814f7f75 was modernizing
the cases as improper separation in the code caused that files were
created in the host during the testsuite run.
Now that the host manipulation when instantiating chardevs is separated
we can add the missing version.
Signed-off-by: Peter Krempa <pkrempa@redhat.com> Reviewed-by: Ján Tomko <jtomko@redhat.com>
Peter Krempa [Wed, 3 Nov 2021 13:12:16 +0000 (14:12 +0100)]
qemu: Store chardev 'wait' flag in chardev source private data
We have just one case when we wish to wait for incomming connections for
a listening socket and that is for vhost-user network devices.
Passing this via a flag to qemuBuildChrChardevStr is unwieldy. Add a
field to qemuDomainChrSourcePrivate and populate it for our special
case inside of qemuDomainPrepareChardevSourceOne.
Since we wait for incomming connections only on startup of a new VM we
also need to pass in a flag whether qemuDomainPrepareChardevSourceOne
is called on a new start or on hotplug.
Signed-off-by: Peter Krempa <pkrempa@redhat.com> Reviewed-by: Ján Tomko <jtomko@redhat.com>
Peter Krempa [Mon, 25 Oct 2021 10:42:16 +0000 (12:42 +0200)]
qemu: Move creation and opening of chardev backend FDs to host prepare step
The opening of files for FD passing for a chardev backend was
historically done in the function which is formatting the commandline.
This has multiple problems. Firstly the function takes a lot of
parameters which need to be passed through the commandline formatters.
This made the 'qemuBuildChrChardevStr' extremely unappealing to the
extent that we have multiple other custom formatters in places which
didn't really want to use the function.
Additionally the function is also creating files in the host in certain
configurations which is wrong for a commandline formatter to do. This
meant that e.g. not all chardev test cases can be converted to use
DO_TEST_CAPS_LATEST as we attempt to use such code path and attempt to
create files outside of the test directory.
This patch moves the opening of the filedescriptors from
'qemuBuildChrChardevFileStr' into a new helper
'qemuProcessPrepareHostBackendChardevOne' which is called using
'qemuDomainDeviceBackendChardevForeach'.
To preserve test behaviour we also have another instance
'testPrepareHostBackendChardevOne' which is populating mock
filedescriptors.
Signed-off-by: Peter Krempa <pkrempa@redhat.com> Reviewed-by: Ján Tomko <jtomko@redhat.com>
Peter Krempa [Tue, 2 Nov 2021 13:15:58 +0000 (14:15 +0100)]
qemu: domain: Introduce helpers for initializing chardev backend of devices
Introduce qemuDomainDeviceBackendChardevForeach(One) which calls the
callback if either given device has a chardev backend or for all chardev
backends of all devices.
Signed-off-by: Peter Krempa <pkrempa@redhat.com> Reviewed-by: Ján Tomko <jtomko@redhat.com>
projects / libvirt.git / log