Michal Privoznik [Fri, 24 Aug 2012 10:36:03 +0000 (12:36 +0200)]
security: Add DAC to security_drivers
Currently, if users set 'security_driver="dac"' in qemu.conf libvirtd
fails to initialize as DAC driver is not found because it is missing
in our security drivers array.
Laine Stump [Fri, 24 Aug 2012 05:38:19 +0000 (01:38 -0400)]
nwfilter: don't log error if firewalld is disabled, improve diagnostics
The original patch to support firewalld in nwfilter wasn't personally
checking the exit status of firewall-cmd, but was instead sending NULL
in the *exitstatus arg, which meant that virCommandWait would log an
error just for the exit status being non-0 (and a "more scary than
useful" error at that).
We don't want to treat this as an error, though, just as a reason to
use standard (ip|eb)tables commands instead of firewall-cmd.
This patch modifies the virCommandRun in the nwfilter code to request
status back from the caller. This avoids virCommandWait logging an
error message, and allows the caller to do as it likes after examining
the status.
The VIR_DEBUG() logged when firewalld is enabled has also been
reworded and changed to a VIR_INFO, and a similar VIR_INFO has been
added in the case that firewalld is *not* found+enabled.
request an exit status from virCommandRun (thus assuring that
virCommandRun won't log any errors just due to a non-0 exit status),
but then fail to examine that exit status. This could result in the
functions believing that the call to "vzlist" was successful, even
though it may have encountered an error.
Laine Stump [Thu, 23 Aug 2012 15:21:47 +0000 (11:21 -0400)]
network: fix virtual network bridge delay setting
libvirt's network config documents that a bridge's STP "forward delay"
(called "delay" in the XML) should be specified in seconds, but
virNetDevBridgeSetSTPDelay() assumes that it is given a delay in
milliseconds (although the comment at the top of the function
incorrectly says "seconds".
This fixes the comment, and converts the delay to milliseconds before
calling virNetDevBridgeSetSTPDelay().
Michal Privoznik [Thu, 23 Aug 2012 13:26:20 +0000 (15:26 +0200)]
qemu: forbid suspend if already pmsuspended
If a domain is pmsuspended then virsh suspend will succeed. Beside
obvious flaw, virsh resume will report success and change domain
state to running which is another mistake. Therefore we must forbid
any attempts for suspend and resume when pmsuspended.
MATSUDA Daiki [Thu, 23 Aug 2012 03:29:21 +0000 (12:29 +0900)]
agent : add @seconds variable to qemuAgentSend().
Add @seconds variable to qemuAgentSend().
When @timemout is true, @seconds controls how long to wait for a
response (if @seconds is VIR_DOMAIN_QEMU_AGENT_COMMAND_DEFAULT,
default to QEMU_AGENT_WAIT_TIME).
In addition, @seconds must be >= 0 or VIR_DOMAIN_QEMU_AGENT_COMMAND_DEFAULT.
If @timeout is false, @seconds is ignored.
Laine Stump [Wed, 22 Aug 2012 20:00:28 +0000 (16:00 -0400)]
util: eliminate erroneous VIR_WARNs in (eb|ip)tables.c
Several VIR_DEBUG()'s were changed to VIR_WARN() while I was testing
the firewalld support patch, and I neglected to change them back
before I pushed.
In the meantime I've decided that it would be useful to have them be
VIR_INFO(), just so there will be logged evidence of which method is
being used (firewall-cmd vs. (eb|ip)tables) without needing to crank
logging to 11. (at most this adds 2 lines to libvirtd's logs per
libvirtd start).
Gene Czarcinski [Wed, 22 Aug 2012 16:59:24 +0000 (12:59 -0400)]
dnsmasq: avoid forwarding queries without a domain
dnsmasq is forwarding a number of queries upstream that should not
be done. There still remains an MX query for a plain name with no
domain specified that will be forwarded is dnsmasq has --domain=xxx
--local=/xxx/ specified. This does not happen with no domain name
and --local=// ... not a libvirt problem.
Fix parameter list in virNetlinkEvent{Add,Remove}Client Win32 stubs
The virNetlinkEventAddClient / virNetlinkEventRemoveClient stub
impls had syntax errors in their parameter lists, using a ')'
after the second-to-last parameter instead of a ','
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
Peter Krempa [Tue, 21 Aug 2012 15:54:26 +0000 (17:54 +0200)]
client: Change default location of known_hosts file for libssh2 layer
Unfortunately libssh2 doesn't support all types of host keys that can be
saved in the known_hosts file. Also it does not report that parsing of
the file failed. This results into truncated known_hosts files where the
standard client stores keys also in other formats (eg.
ecdsa-sha2-nistp256).
This patch changes the default location of the known_hosts file into the
libvirt private configuration directory, where it will be only written
by the libssh2 layer itself. This prevents trashing user's known_host
file.
Peter Krempa [Tue, 21 Aug 2012 16:28:11 +0000 (18:28 +0200)]
libssh2_session: Add support for creating known_hosts file
The libssh2 code wasn't supposed to create the known_hosts file, but
recent findings show, that we can't use the default created by OpenSSH
as libssh2 might damage it. We need to create a private known_hosts file
in the config path.
This patch adds support for skipping error if the known_hosts file is
not present and let libssh2 create a new one.
Hu Tao [Tue, 21 Aug 2012 09:18:43 +0000 (17:18 +0800)]
new interface to control emulator_period/emulator_quota
This patch adds two macros: VIR_DOMAIN_SCHEDULER_EMULATOR_PERIOD,
VIR_DOMAIN_SCHEDULER_EMULATOR_QUOTA for controlling cpu bandwidth
for emulator activities not tied to vcpus
Hu Tao [Tue, 21 Aug 2012 09:18:42 +0000 (17:18 +0800)]
qemu: introduce period/quota tuning for emulator
This patch introduces support of setting emulator's period and
quota to limit cpu bandwidth when the vm starts. Also updates
XML Schema for new entries and docs.
Hu Tao [Tue, 21 Aug 2012 09:18:41 +0000 (17:18 +0800)]
limit cpu bandwidth only for vcpus
This patch changes the behaviour of xml element cputune.period
and cputune.quota to limit cpu bandwidth only for vcpus, and no
longer limit cpu bandwidth for the whole guest.
The reasons to do this are:
- This matches docs of cputune.period and cputune.quota.
- The other parts excepting vcpus are treated as "emulator",
and there are separate period/quota settings for emulator
in the subsequent patches
Tang Chen [Tue, 21 Aug 2012 09:18:38 +0000 (17:18 +0800)]
remote: introduce emulator pinning RPCs
Introduce 2 APIs to support emulator threads in remote driver.
1) remoteDomainPinEmulator: call driver api, such as qemudDomainPinEmulator.
2) remoteDomainGetEmulatorPinInfo: call driver api, such as qemudDomainGetEmulatorPinInfo.
They are similar to remoteDomainPinVcpuFlags and remoteDomainGetVcpuPinInfo.
Signed-off-by: Tang Chen <tangchen@cn.fujitsu.com> Signed-off-by: Hu Tao <hutao@cn.fujitsu.com>
Hu Tao [Tue, 21 Aug 2012 09:18:37 +0000 (17:18 +0800)]
qemu: support emulator pinning
Introduce 2 APIs to support emulator threads pin in qemu driver.
1) qemudDomainPinEmulator: setup emulator threads pin info.
2) qemudDomainGetEmulatorPinInfo: get all emulator threads pin info.
They are similar to qemudDomainPinVcpuFlags and qemudDomainGetVcpuPinInfo.
And also, remoteDispatchDomainPinEmulatorFlags and remoteDispatchDomainGetEmulatorPinInfo
functions are introduced.
Signed-off-by: Tang Chen <tangchen@cn.fujitsu.com> Signed-off-by: Hu Tao <hutao@cn.fujitsu.com>
Tang Chen [Tue, 21 Aug 2012 09:18:36 +0000 (17:18 +0800)]
Introduce virDomainEmulatorPinAdd and virDomainEmulatorPinDel functions
Introduce 2 APIs to support emulator threads pin.
1) virDomainEmulatorPinAdd: setup emulator threads pin with a given cpumap string.
2) virDomainEmulatorPinDel: remove all emulator threads pin.
Signed-off-by: Tang Chen <tangchen@cn.fujitsu.com> Signed-off-by: Hu Tao <hutao@cn.fujitsu.com>
Tang Chen [Tue, 21 Aug 2012 09:18:32 +0000 (17:18 +0800)]
Support emulatorpin xml parse.
This patch adds a new xml element <emulatorpin>, which is a sibling
to the existing <vcpupin> element under the <cputune>, to pin emulator
threads to specified physical CPUs.
Signed-off-by: Tang Chen <tangchen@cn.fujitsu.com> Signed-off-by: Hu Tao <hutao@cn.fujitsu.com>
Wen Congyang [Tue, 21 Aug 2012 09:18:26 +0000 (17:18 +0800)]
create a new cgroup and move all emulator threads to the new cgroup
Create a new cgroup and move all emulator threads to the new cgroup.
And then we can do the other things:
1. limit only vcpu usage rather than the whole qemu
2. limit for emulator threads(include vhost-net threads)
Signed-off-by: Wen Congyang <wency@cn.fujitsu.com> Signed-off-by: Tang Chen <tangchen@cn.fujitsu.com> Signed-off-by: Hu Tao <hutao@cn.fujitsu.com>
Gerd v. Egidy [Tue, 21 Aug 2012 15:03:40 +0000 (17:03 +0200)]
output status information during guest shutdown again
Since the move to systemd libvirt-guests doesn't output this progress
information anymore. This patch brings back this feature.
It is helpful to show the admin what the system is waiting for and what
is left of the timeout (e.g. for calibrating the shutdown timing of a ups).
Rewriting the current line with \r doesn't work anymore in the context
of systemd. So always write new lines, but move to 5 second intervals
to avoid flooding the console.
J.B. Joret [Mon, 20 Aug 2012 13:58:50 +0000 (15:58 +0200)]
Support for Disk Geometry Override
A hypervisor may allow to override the disk geometry of drives.
Qemu, as an example with cyls=,heads=,secs=[,trans=].
This patch extends the domain config to allow the specification of
disk geometry with libvirt.
Signed-off-by: J.B. Joret <jb@linux.vnet.ibm.com> Signed-off-by: Viktor Mihajlovski <mihajlov@linux.vnet.ibm.com>
Eric Blake [Tue, 21 Aug 2012 20:33:03 +0000 (14:33 -0600)]
build: avoid $(builddir) in Makefile
Older automake 1.9.6 (hello there, RHEL 5) did not populate
$(builddir), which meant 'make check' failed with:
make[3]: *** No rule to make target `/.libs/libvirt.la', needed by `check-symfile'. Stop.
For that matter, even newer automake doesn't directly emit rules
to build .libs/libvirt.la; we are better off basing our rules
on the public ./libvirt.la.
Eric Blake [Tue, 21 Aug 2012 20:23:35 +0000 (14:23 -0600)]
build: network requires location of dbus headers
Without this patch, RHEL 5 fails to compile, since the dbus
files lives under /usr/include/dbus-1.0/dbus/dbus.h, and
DBUS_CFLAGS contains -I/usr/include/dbus-1.0.
In file included from network/bridge_driver.c:67:
../src/util/virdbus.h:26:25: error: dbus/dbus.h: No such file or directory
Eric Blake [Tue, 21 Aug 2012 19:51:00 +0000 (13:51 -0600)]
atomic: mark header functions static
When gcc atomic intrinsics are not available (such as on RHEL 5
with gcc 4.1.2), we were getting link errors due to multiple
definitions:
./.libs/libvirt_util.a(libvirt_util_la-virobject.o): In function `virAtomicIntXor':
/home/dummy/l,ibvirt/src/util/viratomoic.h:404: multiple definition of `virAtomicIntXor'
./.libs/libvirt_util.a(libvirt_util_la-viratomic.o):/home/dummy/libvirt/src/util/viratomic.h:404: first defined here
Solve this by conditionally marking the functions static (the
condition avoids falling foul of gcc warnings about unused
static function declarations).
* src/util/viratomic.h: When not using gcc intrinsics, use static
functions to avoid linker errors on duplicate functions.
Eric Blake [Tue, 21 Aug 2012 16:26:18 +0000 (10:26 -0600)]
build: work with older RHEL 5 kernel
We already skip out on building the LXC under RHEL 5, because the
kernel is too old (commits 4c18acf, 2dee896); but commit 9612e4b
moved some LXC-only code into common files, resulting in this
build failure:
util/virfile.c: In function 'virFileLoopDeviceAssociate':
util/virfile.c:580: error: 'LO_FLAGS_AUTOCLEAR' undeclared (first use in this function)
Unfortunately, the kernel folks only made it an enum, rather than
also a #define, so we have to modify configure.ac to record when
it is usable.
* configure.ac (with_lxc): Mark when LO_FLAGS_AUTOCLEAR was found.
* src/util/virfile.c (virFileLoopDeviceAssociate): Avoid
compilation when kernel is too old.
Ján Tomko [Tue, 21 Aug 2012 09:01:44 +0000 (11:01 +0200)]
command: avoid double close in virExecWithHook
Fix possible double close in the child process after the fork in case
infd and outfd are equal, just like they are after being called from
virNetSocketNewConnectCommand.
Thomas Woerner [Tue, 14 Aug 2012 18:59:52 +0000 (20:59 +0200)]
network: use firewalld instead of iptables, when available
* configure.ac, spec file: firewalld defaults to enabled if dbus is
available, otherwise is disabled. If --with_firewalld is explicitly
requested and dbus is not available, configure will fail.
* bridge_driver: add dbus filters to get the FirewallD1.Reloaded
signal and DBus.NameOwnerChanged on org.fedoraproject.FirewallD1.
When these are encountered, reload all the iptables reuls of all
libvirt's virtual networks (similar to what happens when libvirtd is
restarted).
* iptables, ebtables: use firewall-cmd's direct passthrough interface
when available, otherwise use iptables and ebtables commands. This
decision is made once the first time libvirt calls
iptables/ebtables, and that decision is maintained for the life of
libvirtd.
* Note that the nwfilter part of this patch was separated out into
another patch by Stefan in V2, so that needs to be revised and
re-reviewed as well.
================
All the configure.ac and specfile changes are unchanged from Thomas'
V3.
V3 re-ran "firewall-cmd --state" every time a new rule was added,
which was extremely inefficient. V4 uses VIR_ONCE_GLOBAL_INIT to set
up a one-time initialization function.
The VIR_ONCE_GLOBAL_INIT(x) macro references a static function called
vir(Ip|Eb)OnceInit(), which will then be called the first time that
the static function vir(Ip|Eb)TablesInitialize() is called (that
function is defined for you by the macro). This is
thread-safe, so there is no chance of any race.
IMPORTANT NOTE: I've left the VIR_DEBUG messages in these two init
functions (one for iptables, on for ebtables) as VIR_WARN so that I
don't have to turn on all the other debug message just to see
these. Even if this patch doesn't need any other modification, those
messages need to be changed to VIR_DEBUG before pushing.
This one-time initialization works well. However, I've encountered
problems with testing:
1) Whenever I have enabled the firewalld service, *all* attempts to
call firewall-cmd from within libvirtd end with firewall-cmd hanging
internally somewhere. This is *not* the case if firewall-cmd returns
non-0 in response to "firewall-cmd --state" (i.e. *that* command runs
and returns to libvirt successfully.)
2) If I start libvirtd while firewalld is stopped, then start
firewalld later, this triggers libvirtd to reload its iptables rules,
however it also spits out a *ton* of complaints about deletion failing
(I suppose because firewalld has nuked all of libvirt's rules). I
guess we need to suppress those messages (which is a more annoying
problem to fix than you might think, but that's another story).
3) I noticed a few times during this long line of errors that
firewalld made a complaint about "Resource Temporarily
unavailable. Having libvirtd access iptables commands directly at the
same time as firewalld is doing so is apparently problematic.
4) In general, I'm concerned about the "set it once and never change
it" method - if firewalld is disabled at libvirtd startup, causing
libvirtd to always use iptables/ebtables directly, this won't cause
*terrible* problems, but if libvirtd decides to use firewall-cmd and
firewalld is later disabled, libvirtd will not be able to recover.
Jiri Denemark [Tue, 21 Aug 2012 13:27:10 +0000 (15:27 +0200)]
sanlock: Provide better error if lockspace directory is missing
Generating "Unable to add lockspace /lock/space/dir/__LIBVIRT__DISKS__:
No such file or directory" is correct but not exactly clear. This patch
changes the error message to "Unable to create lockspace
/lock/space/dir/__LIBVIRT__DISKS__: parent directory does not exist or
is not a directory".
Jiri Denemark [Tue, 21 Aug 2012 13:21:47 +0000 (15:21 +0200)]
daemon: Autodetect lock driver directory
When running libvirtd from a build directory, libvirtd would load lock
drivers from system directory unless explicitly overridden by setting
LIBVIRT_LOCK_MANAGER_PLUGIN_DIR environment variable. Since we already
autodetect driver directory if libvirt is build with driver modules, we
can use the same trick to automagically set lock driver directory.
Eric Blake [Tue, 21 Aug 2012 12:50:28 +0000 (06:50 -0600)]
build: split driver_storage into convenience library
Commit 1d22ba95 was complete at the time, but we have since
reintroduced a warning that is fixed in the same manner:
CCLD storagebackendsheepdogtest
*** Warning: Linking the executable storagebackendsheepdogtest against the loadable module
*** libvirt_driver_storage.so is not portable!
* src/Makefile.am (libvirt_driver_storage.la): Factor into new
convenience library libvirt_driver_storage_impl.la.
* tests/Makefile.am (storagebackendsheepdogtest_LDADD): Link to
convenience library, not shared library.
Eric Blake [Mon, 20 Aug 2012 19:05:31 +0000 (13:05 -0600)]
build: silence stupid gcc warning on STREQ_NULLABLE
Our existing STRNEQ_NULLABLE() triggered a warning in gcc 4.7 when
used with a literal NULL argument:
qemumonitorjsontest.c: In function 'testQemuMonitorJSONGetMachines':
qemumonitorjsontest.c:289:5: error: null argument where non-null required (argument 1) [-Werror=nonnull]
even though the strcmp is provably dead when a null argument is
present. Squelch the warning by refactoring things so that gcc
never sees strcmp() called with NULL arguments (we still compare
NULL as not equal to "", this rewrite merely aids gcc).
Next, gcc has a valid warning about a literal NULLSTR(NULL):
qemumonitorjsontest.c:289:5: error: invalid application of 'sizeof' to a void type [-Werror=pointer-arith]
Of course, you'd never write NULLSTR(NULL) directly, but it is
handy to use through macros. But the entire part about verify_true()
is unnecessary - gcc already warns about type mismatch with ?:,
without needing to make it more complex.
The DAC security driver uses the virStrToLong_ui function to
parse the uid/gid out of the seclabel string. This works on
Linux where 'uid_t' is an unsigned int, but on Mingw32 it is
just an 'int'. This causes compiler warnings about signed/
unsigned int pointer mis-match.
To avoid this, use explicit 'unsigned int ouruid' local
vars to pass into virStrToLong_ui, and then simply assign
to the 'uid_t' type after parsing
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
Peter Krempa [Tue, 17 Jul 2012 13:48:04 +0000 (15:48 +0200)]
libssh2_transport: Use libssh2 driver code in remote driver
This patch adds URI options to support libssh2 transport in the remote
driver.
A new transport sceme is introduced eg. "qemu+libssh2://..." that
utilizes the libssh2 code added in previous patches.
The libssh2 code requires the authentication callback to be able to
perform keyboard-interactive authentication or to ask t passprhases or
add host keys to known hosts database.
Added URI components:
- known_hosts - path to a knownHosts file in OpenSSH format to check
for known ssh host keys
- known_hosts_verify - how to deal with server key verification:
* "normal" (default) - ask to add new keys
* "auto" - automaticaly add new keys
* "ignore" - don't validate host keys
- sshauth - authentication methods to use. Default is
"agent,privkey,keyboard-interactive". It's a comma separated
string of methods to try while authenticating. The order is
preserved. Some of the methods may require additional
parameters.
Locations of the known_hosts file and private keys are set to default
values if they're present. (~/.ssh/known_hosts, ~/.ssh/id_rsa,
~/.ssh/id_dsa)
Peter Krempa [Mon, 14 Nov 2011 14:50:02 +0000 (15:50 +0100)]
libssh2_transport: add ssh context support to virNetSocket
This patch enables virNetSocket to be used as an ssh client when
properly configured.
This patch adds function virNetSocketNewConnectLibSSH2() that takes all
needed parameters and creates a libssh2 session and performs steps
needed to open the connection and then create a virNetSocket that
seamlesly encapsulates the communication.
Peter Krempa [Mon, 14 Nov 2011 14:30:23 +0000 (15:30 +0100)]
libssh2_transport: add main libssh2 transport implementation
This patch adds helper functions that enable us to use libssh2 in
conjunction with libvirt's virNetSockets for ssh transport instead of
spawning "ssh" client process.
This implemetation supports tunneled plaintext, keyboard-interactive,
private key, ssh agent based and null authentication. Libvirt's Auth
callback is used for interaction with the user. (Keyboard interactive
authentication, adding of host keys, private key passphrases). This
enables seamless integration into the application using libvirt. No
helpers as "ssh-askpass" are needed.
Reading and writing of OpenSSH style "known_hosts" files is supported.
Communication is done using SSH exec channel, where the user may specify
arbitrary command to be executed on the remote side and reads and writes
to/from stdin/out are sent through the ssh channel. Usage of stderr is
not (yet) supported.
This test case validates the correct generation of SELinux labels
for VMs, wrt the current process label. Since we can't actually
change the label of the test program process, we create a shared
library libsecurityselinuxhelper.so which overrides the getcon()
and setcon() libselinux.so functions. When started the test case
will check to see if LD_PRELOAD is set, and if not, it will
re-exec() itself setting LD_PRELOAD=libsecurityselinuxhelper.so
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
Honour current sensitivity and category ranges in SELinux label generation
Currently the dynamic label generation code will create labels
with a sensitivity of s0, and a category pair in the range
0-1023. This is fine when running a standard MCS policy because
libvirtd will run with a label
system_u:system_r:virtd_t:s0-s0:c0.c1023
With custom policies though, it is possible for libvirtd to have
a different sensitivity, or category range. For example
system_u:system_r:virtd_t:s2-s3:c512.c1023
In this case we must assign the VM a sensitivity matching the
current lower sensitivity value, and categories in the range
512-1023
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
The code to refactor sec label handling accidentally changed the
SELinux driver to use the 'domain_context' when generating the
image label instead of the 'file_context'
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
After the cleanup of remote display port allocation, I noticed some
messages that didn't make a lot of sense the way they were written. So
I rephrased them.
The defines QEMU_REMOTE_PORT_MIN and QEMU_REMOTE_PORT_MAX were used to
find free port when starting domains. As this was hard-coded to the
same ports as default VNC servers, there were races with these other
programs. This patch includes the possibility to change the default
starting port as well as the maximum port (mostly for completeness) in
qemu config file.
Support for two new config options in qemu.conf is added:
- remote_port_min (defaults to QEMU_REMOTE_PORT_MIN and
must be >= than this value)
- remote_port_max (defaults to QEMU_REMOTE_PORT_MAX and
must be <= than this value)
Port allocations for SPICE and VNC behave almost the same (with
default ports), but there is some mess in the code. This patch clears
these inconsistencies and makes sure the same behavior will be used
when ports for remote displays are changed.
Changes:
- hard-coded number 5900 removed (handled elsewhere like with VNC)
- reservedVNCPorts renamed to reservedRemotePorts (it's not just for
VNC anymore)
- QEMU_VNC_PORT_{MIN,MAX} renamed to QEMU_REMOTE_PORT_{MIN,MAX}
- port allocation unified for VNC and SPICE
Eric Blake [Tue, 21 Aug 2012 06:29:49 +0000 (00:29 -0600)]
build: fix build with autoconf 2.59
Commit 350583c8 broke development on a RHEL 5 box, where the
ancient Autoconf 2.59 lacks AS_VERSION_STRING. Rather than
backport the complex awk script that newer autoconf uses for
true strverscmp comparisons from the shell, it was easier to
just open-code a shell case statement.
* configure.ac (qemu_version): Open-code a replacement for
AS_VERSION_CHECK.
Eric Blake [Mon, 20 Aug 2012 23:41:24 +0000 (17:41 -0600)]
virsh: split out virsh-volume.c
Last of the file splits.
* tools/virsh-volume.h: New file.
* tools/Makefile.am (virsh_SOURCES): Build it.
* tools/virsh.c: Use new header.
* tools/virsh-volume.c: Likewise.
(vshCommandOptVolBy): Fix flag usage.
Eric Blake [Mon, 20 Aug 2012 23:29:03 +0000 (17:29 -0600)]
virsh: split out virsh-snapshot.c
Almost done with the splits.
* tools/virsh-snapshot.h: New file.
* tools/Makefile.am (virsh_SOURCES): Build it.
* tools/virsh.c: Use new header.
* tools/virsh-snapshot.c: Likewise.
Eric Blake [Mon, 20 Aug 2012 22:56:53 +0000 (16:56 -0600)]
virsh: split out virsh-pool.c
More in a series of file splits.
* tools/virsh-pool.h: New file.
* tools/Makefile.am (virsh_SOURCES): Build it.
* tools/virsh.c: Use new header.
* tools/virsh-pool.c: Likewise.
(virCommandOptPoolBy): Fix flag usage.
Eric Blake [Mon, 20 Aug 2012 22:56:03 +0000 (16:56 -0600)]
virsh: split out virsh-nwfilter.c
Yet another split file.
* tools/virsh-nwfilter.h: New file.
* tools/Makefile.am (virsh_SOURCES): Build it.
* tools/virsh.c: Use new header.
* tools/virsh-nwfilter.c: Likewise.
Eric Blake [Mon, 20 Aug 2012 21:43:25 +0000 (15:43 -0600)]
virsh: split out virsh-network.c
Another relatively easy file split.
* tools/virsh-network.h: New file.
* tools/Makefile.am (virsh_SOURCES): Build it.
* tools/virsh.c: Use new header.
* tools/virsh-network.c: Likewise.
(vshCommandOptNetworkBy): Update signature.
Eric Blake [Mon, 20 Aug 2012 20:30:53 +0000 (14:30 -0600)]
virsh: split out virsh-interface.c
Another relatively easy split, since helper functions were fixed
in the previous patch.
* tools/virsh-interface.h: New file.
* tools/Makefile.am (virsh_SOURCES): Build it.
* tools/virsh.c: Use new header.
* tools/virsh-interface.c: Likewise.
(vshCommandOptInterfaceBy): Check flags.
Eric Blake [Mon, 20 Aug 2012 20:29:27 +0000 (14:29 -0600)]
virsh: declare more common functions
In preparation for splitting virsh-interface.c, I found these
functions need to be declared in virsh.h, as well as one that
belongs more properly in virsh-domain.h. Also, since we
use the VSH_BY* flags in more than one function, I improved
how they are used.
Marcelo Cerri [Wed, 15 Aug 2012 22:10:38 +0000 (19:10 -0300)]
Support for multiple default security drivers in QEMU config
This patch updates the key "security_driver" in QEMU config to suport
both a sigle default driver or a list of default drivers. This ensures
that it will remain compatible with older versions of the config file.
Marcelo Cerri [Wed, 15 Aug 2012 22:10:37 +0000 (19:10 -0300)]
Update security layer to handle many security labels
These changes make the security drivers able to find and handle the
correct security label information when more than one label is
available. They also update the DAC driver to be used as an usual
security driver.
Marcelo Cerri [Wed, 15 Aug 2012 22:10:36 +0000 (19:10 -0300)]
Multiple security drivers in XML data
This patch updates the domain and capability XML parser and formatter to
support more than one "seclabel" element for each domain and device. The
RNG schema and the tests related to this are also updated by this patch.
Marcelo Cerri [Wed, 15 Aug 2012 22:10:35 +0000 (19:10 -0300)]
Internal refactory of data structures
This patch updates the structures that store information about each
domain and each hypervisor to support multiple security labels and
drivers. It also updates all the remaining code to use the new fields.
This is a fix for the object label generation. It uses a new flag for
virSecuritySELinuxGenNewContext that specifies whether the context is
for an object. If so the context role remains unchanged.
Without this fix it is not possible to start domains with image file or
block device backed storage when selinux is enabled.
Signed-off-by: Viktor Mihajlovski <mihajlov@linux.vnet.ibm.com>
Eric Blake [Mon, 20 Aug 2012 14:26:58 +0000 (08:26 -0600)]
maint: prohibit translations in testsuite
Nothing in the testsuite or examples directory should be translated,
as it is not part of the normally installed binary. We already
meet this rule, but enforcing it will make it easier to remember.
Add support for creating sockets & RPC servers from a pre-opened fd
In order to support systemd socket based activation, it needs to
be possible to create virNetSocketPtr and virNetServerServicePtr
instance from a pre-opened file descriptor
In preparation for adding further constructors, refactor
the virNetServerClientNew method to move most of the code
into a common virNetServerClientNewInternal helper API.
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
projects / people / liuw / libxenctrl-split / libvirt.git / log