Peter Krempa [Tue, 13 Mar 2018 17:19:39 +0000 (18:19 +0100)]
qemu: hotplug: Clean up memory backing files after failed memory hotplug
Libvirt provides full path to the backing file since commit fec8f9c49afb479f6. This made qemu create the backend object but did not
delete it. This was fixed for unplug case in 4d83a6722f but not in case
of failure to hotplug the frontend. We'd leave the files behind which
would make memory unusable in case of hugepages.
Jiri Denemark [Tue, 13 Mar 2018 14:50:41 +0000 (15:50 +0100)]
qemu: Switch context for job related private XML parsing
Having to repeat "./job[1]/" XPath prefix for every single element or
attribute we want to parse is suboptimal. And even more so once we
further extract code from qemuDomainObjPrivateXMLParseJob into separate
functions.
Michal Privoznik [Mon, 12 Mar 2018 09:18:05 +0000 (10:18 +0100)]
daemonStreamHandleWriteData: Preserve error when aborting stream
The daemonStreamHandleWriteData() function is called whenever
server side of stream is able to receive some data. Nevertheless,
it calls virStreamSend() (to pass data down to virFDStream) and
depending on its return value it may abort the stream. However,
the functions it called when doing so are public APIs and as such
reset any error set previously. Therefore, if there was any error
in writing data to stream (i.e. repored in virStreamSend) it is
reset before virNetServerProgramSendReplyError() can get to it.
Signed-off-by: Michal Privoznik <mprivozn@redhat.com> Reviewed-by: Andrea Bolognani <abologna@redhat.com>
Michal Privoznik [Tue, 13 Mar 2018 15:03:13 +0000 (16:03 +0100)]
virsysinfo: Use more virSkipSpacesBackwards()
Some fields reported by dmidecode have plenty of useless spaces
(in fact some have nothing but spaces). To deal with this we have
introduced virSkipSpacesBackwards() and use it in
virSysinfoParseX86Processor() and virSysinfoParseX86Memory().
However, other functions (e.g. virSysinfoParseX86Chassis()) don't
use it at all and thus we are reporting nonsense:
Andrea Bolognani [Wed, 14 Mar 2018 14:40:07 +0000 (15:40 +0100)]
m4: Fix xenstore detection
Commit 596fc3e3897e introduced the ability to detect xenstore
using pkg-config for systems with Xen 4.9, but accidentally broke
detection for all other systems. Fix the logic so that it works
in all cases.
Signed-off-by: Andrea Bolognani <abologna@redhat.com>
qemu: avoid denial of service reading from QEMU guest agent (CVE-2018-1064)
We read from the agent until seeing a \r\n pair to indicate a completed
reply or event. To avoid memory denial-of-service though, we must have a
size limit on amount of data we buffer. 10 MB is large enough that it
ought to cope with normal agent replies, and small enough that we're not
consuming unreasonable mem.
This is identical to the flaw we had reading from the QEMU monitor
as CVE-2018-5748, so rather embarrassing that we forgot to fix
the agent code at the same time.
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
Peter Krempa [Thu, 8 Mar 2018 16:32:15 +0000 (17:32 +0100)]
conf: Parse and validate disk source seclabels together with the source
Since seclabels are formatted along with the source element and will
also make sense to be passed for the backing chain we should parse them
in the place where we parse the disk source. Same applies for
validation.
Peter Krempa [Thu, 8 Mar 2018 16:23:46 +0000 (17:23 +0100)]
conf: Validate disk source configuration also for the backing store
Since we already parse the <backingStore> of a disk source, we should
also validate the configuration for the whole backing chain and not only
for the top level image.
Peter Krempa [Mon, 5 Mar 2018 14:13:41 +0000 (15:13 +0100)]
conf: disk: Separate virStorageSource formatting
Move out formatting of 'startuPolicy' which is a property of the disk
out of the <source> element. Extracting the code formating the content
and attributes will also allow reuse in other parts of the code.
Peter Krempa [Wed, 7 Mar 2018 16:42:13 +0000 (17:42 +0100)]
conf: Remove virDomainDiskSourceDefFormatSeclabel
The wrapper functionality can be moved to the only user
virDomainDiskSourceFormatInternal. Also removes comment which does not
reflect the truth any more.
Peter Krempa [Mon, 5 Mar 2018 13:52:38 +0000 (14:52 +0100)]
conf: Remove unnecessary condition from virDomainDiskSourceFormatInternal
Now that the function is using virXMLFormatElement we don't need to
conditionally format anything, since we'll format the element according
to the presence of content.
Andrea Bolognani [Wed, 14 Mar 2018 11:00:27 +0000 (12:00 +0100)]
docs: Call reformat-news.py with $(PYTHON)
This is the only Python script which we invoke directly, which
works pretty fine in general but becomes a problem if the user
has explicitly overridden Python binary detection at configure
time.
Signed-off-by: Andrea Bolognani <abologna@redhat.com> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
We're freeing individual items in it but not the array itself.
==19200== 40 bytes in 1 blocks are definitely lost in loss record 847 of 1,059
==19200== at 0x4C2D12F: realloc (vg_replace_malloc.c:785)
==19200== by 0x52C5532: virReallocN (viralloc.c:245)
==19200== by 0x52C5628: virExpandN (viralloc.c:294)
==19200== by 0x52C58FC: virInsertElementsN (viralloc.c:436)
==19200== by 0x542856B: virSecurityDACChownListAppend (security_dac.c:115)
==19200== by 0x54286B4: virSecurityDACTransactionAppend (security_dac.c:167)
==19200== by 0x542902F: virSecurityDACSetOwnershipInternal (security_dac.c:560)
==19200== by 0x54295D6: virSecurityDACSetOwnership (security_dac.c:650)
==19200== by 0x542AEE0: virSecurityDACSetInputLabel (security_dac.c:1472)
==19200== by 0x542B61D: virSecurityDACSetAllLabel (security_dac.c:1693)
==19200== by 0x542DD67: virSecurityManagerSetAllLabel (security_manager.c:869)
==19200== by 0x54279C2: virSecurityStackSetAllLabel (security_stack.c:361)
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Michal Privoznik [Tue, 13 Mar 2018 11:48:28 +0000 (12:48 +0100)]
virSysinfoParseX86Chassis: Store asset tag into correct pointer
Probably due to copy-paste error we're storing asset tag into
def->sku which we even use in the next step to store SKU number
and thus the asset tag leaks.
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Peter Krempa [Thu, 1 Mar 2018 17:01:08 +0000 (18:01 +0100)]
qemu: domain: Don't overwrite job type in private data
The code overwrote the internal job type and then fixed it back. Since
the job type is not accessed in the code this does not make much sense.
Use the temporary value instead.
Peter Krempa [Fri, 2 Mar 2018 15:47:32 +0000 (16:47 +0100)]
tests: qemuxml2xml: Add proper domain status XML testing
Add new approach to properly test status XML files by supplying a full
XML file rather than generating synthetic test cases by prepending the
status header. The two tests introduced here are copies of existing
cases using the synthetic header so that current level of testing is
kept. The files are chosen to excercising the vcpu and blockjob quirks
present in the current testing.
Peter Krempa [Wed, 7 Mar 2018 09:44:55 +0000 (10:44 +0100)]
tests: domainsnapshotxml2xml: Remove testing with allowed format detection
We have a test of the domain XML that allows format detection, so
there's no need to do it for snapshot XMLs where the parameter would
influence the domain XML portion.
Peter Krempa [Fri, 2 Mar 2018 14:43:55 +0000 (15:43 +0100)]
tests: qemuxml2xml: Remove testing with allowed format detection
Nobody should use format detection due to security implications. The
result of the change is that 'raw' format will be printed unless
specified explicitly.
Ján Tomko [Tue, 13 Mar 2018 09:38:48 +0000 (10:38 +0100)]
qemuDomainUSBAddressAddHubs: use numeric comparison
Since data.count is not a pointer, but an integer,
compare it against an integer value instead of using
the implicit "boolean" conversion that is customarily
used for pointers.
Jim Fehlig [Thu, 8 Mar 2018 22:04:48 +0000 (15:04 -0700)]
libvirtd: fix potential deadlock when reloading
It is possible to deadlock libvirtd when concurrently starting a domain
and restarting the daemon. Threads involved in the deadlock are
Thread 4 (Thread 0x7fc13b53e700 (LWP 64084)):
/lib64/libpthread.so.0
at util/virthread.c:154
at qemu/qemu_monitor.c:1083
cmd=0x7fc110017700, scm_fd=-1, reply=0x7fc13b53d318) at
qemu/qemu_monitor_json.c:305
cmd=0x7fc110017700,
reply=0x7fc13b53d318) at qemu/qemu_monitor_json.c:335
at qemu/qemu_monitor_json.c:1298
at qemu/qemu_monitor.c:1697
vm=0x7fc110003d00, asyncJob=QEMU_ASYNC_JOB_START) at qemu/qemu_process.c:1763
vm=0x7fc110003d00,
asyncJob=6, logCtxt=0x7fc1100089c0) at qemu/qemu_process.c:1835
vm=0x7fc110003d00, asyncJob=6, logCtxt=0x7fc1100089c0) at
qemu/qemu_process.c:2180
driver=0x7fc12004e1e0,
vm=0x7fc110003d00, asyncJob=QEMU_ASYNC_JOB_START, incoming=0x0, snapshot=0x0,
vmop=VIR_NETDEV_VPORT_PROFILE_OP_CREATE, flags=17) at qemu/qemu_process.c:6111
driver=0x7fc12004e1e0,
vm=0x7fc110003d00, updatedCPU=0x0, asyncJob=QEMU_ASYNC_JOB_START,
migrateFrom=0x0,
migrateFd=-1, migratePath=0x0, snapshot=0x0,
vmop=VIR_NETDEV_VPORT_PROFILE_OP_CREATE,
flags=17) at qemu/qemu_process.c:6334
xml=0x7fc110000ed0 "<!--\nWARNING: THIS IS AN AUTO-GENERATED FILE.
CHANGES TO IT ARE LIKELY TO BE\nOVERWRITTEN AND LOST. Changes to this xml
configuration should be made using:\n virsh edit testvv\nor other
applicati"..., flags=0) at qemu/qemu_driver.c:1776
...
Reloading of the nwfilter driver is stuck waiting for a write lock, which
already has a reader (from qemuDomainCreateXML) in the critical section.
Since the reload occurs in the context of the main event loop thread,
libvirtd becomes deadlocked. The deadlock can be avoided by offloading
the reload work to a thread.
Signed-off-by: Jim Fehlig <jfehlig@suse.com> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
The bhyve driver crashes in bhyveBuildNetArgStr() when
network interface model is not defined. As it has to be provided
explicitly, add a check to report an error if it's missing.
Signed-off-by: Roman Bogorodskiy <bogorodskiy@gmail.com> Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
Andrea Bolognani [Mon, 12 Mar 2018 11:10:47 +0000 (12:10 +0100)]
keycodemapdb: Update submodule
This time around it's not enough to just pick the latest commit,
because with aed87bb2aa6ed83b49574eb982e3bdd4c36acf17 keycodemapdb
renamed the 'rfb' keycode to 'qnum' and we need to accept the new
name while maintaining backwards compatibility.
Signed-off-by: Andrea Bolognani <abologna@redhat.com> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
John Ferlan [Thu, 8 Mar 2018 23:17:10 +0000 (18:17 -0500)]
tools: Add support for additional adapter parent options
Add the ability to provide the adapter parent_wwnn and parent_wwpn
or the parent_fabric_wwn on the virsh command line for the pool
define/create as commands. Update the virsh.pod description.
John Ferlan [Thu, 8 Mar 2018 23:03:00 +0000 (18:03 -0500)]
tools: Add the wwnn/wwpn to the man page for storage pool fields
The description was missing the wwnn and wwpn names for the
--adapter-wwnn and --adapter-wwpn switches. Just add it to be
clear that the fields cannot be empty (IOW they are not boolean).
When validating a device XML config we check if user provided
alias is unique. We do this by maintaining a hash table of device
aliases as we iterated over all devices defined for the domain.
However, it may happen that what appears as two devices in domain
XML is in fact just one interface in hypervisor. We can assume
libvirt generated aliases to be unique and thus really check user
provided ones only.
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
For some weird reason this function is getting live and
persistent def for domain but then accesses vm->def and
vm->newDef directly. This is rather unsafe as we can be
accessing NULL pointer.
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
GnuLib has now fixed the incompatibility with latest GLibC
that was affecting builds on Fedora rawhide. We can thus
update and drop our local workaround.
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
Julio Faracco [Fri, 9 Mar 2018 03:24:15 +0000 (00:24 -0300)]
qemu: different declarations for the same method
Recently, this warning is appearing while libvirt is being compiled:
Function 'qemuAssignDeviceDiskAlias' argument order different:
declaration 'vmdef, def' definition 'def, disk'
This commit change the default declaration for qemuAssignDeviceDiskAlias
specified at src/qemu/qemu_alias.c.
Signed-off-by: Julio Faracco <jcfaracco@gmail.com> Reviewed-by: Andrea Bolognani <abologna@redhat.com>
According to latest discussion on fedora devel list [1] gcc will
be removed from default buildroot and packages requiring it must
have explicit build dependency,
Andrea Bolognani [Tue, 20 Feb 2018 13:26:01 +0000 (14:26 +0100)]
qemu: Create new qemuDomainDeviceDefValidateControllerPCI()
The existing function is renamed and called from the new one, so
that even while we're in the process of implementing new checks
all the existing ones will be performed.
Signed-off-by: Andrea Bolognani <abologna@redhat.com> Reviewed-by: Laine Stump <laine@laine.org>
apparmor: add ro rule for sasl GSSAPI plugin on /etc/gss/mech.d/
If a system has sasl GSSAPI plugin available qemu with sasl support will
try to read /etc/gss/mech.d/.
It is required to allow that to let the modules fully work and it should
be safe to do so as it only registers/configures plugins but has no secrets.
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com> Acked-by: Jamie Strandboge <jamie@canonical.com> Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
rpc: switch virtlockd and virtlogd to use single-threaded dispatch
Currently both virtlogd and virtlockd use a single worker thread for
dispatching RPC messages. Even this is overkill and their RPC message
handling callbacks all run in short, finite time and so blocking the
main loop is not an issue like you'd see in libvirtd with long running
QEMU commands.
By setting max_workers==0, we can turn off the worker thread and run
these daemons single threaded. This in turn fixes a serious problem in
the virtlockd daemon whereby it loses all fcntl() locks at re-exec due
to multiple threads existing. fcntl() locks only get preserved if the
process is single threaded at time of exec().
Reviewed-by: John Ferlan <jferlan@redhat.com> Reviewed-by: Jim Fehlig <jfehlig@suse.com> Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
rpc: avoid crashing in pre-exec if no workers are present
If max_workers is set to zero, then the worker thread pool won't be
created, so when serializing state for pre-exec we must set various
parameters to zero.
Reviewed-by: John Ferlan <jferlan@redhat.com> Reviewed-by: Jim Fehlig <jfehlig@suse.com> Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
rpc: invoke the message dispatch callback with client unlocked
Currently if the virNetServer instance is created with max_workers==0 to
request a non-threaded dispatch process, we deadlock during dispatch
#0 0x00007fb845f6f42d in __lll_lock_wait () from /lib64/libpthread.so.0
#1 0x00007fb845f681d3 in pthread_mutex_lock () from /lib64/libpthread.so.0
#2 0x000055a6628bb305 in virMutexLock (m=<optimized out>) at util/virthread.c:89
#3 0x000055a6628a984b in virObjectLock (anyobj=<optimized out>) at util/virobject.c:435
#4 0x000055a66286fcde in virNetServerClientIsAuthenticated (client=client@entry=0x55a663a7b960)
at rpc/virnetserverclient.c:1565
#5 0x000055a66286cc17 in virNetServerProgramDispatchCall (msg=0x55a663a7bc50, client=0x55a663a7b960,
server=0x55a663a77550, prog=0x55a663a78020) at rpc/virnetserverprogram.c:407
#6 virNetServerProgramDispatch (prog=prog@entry=0x55a663a78020, server=server@entry=0x55a663a77550,
client=client@entry=0x55a663a7b960, msg=msg@entry=0x55a663a7bc50) at rpc/virnetserverprogram.c:307
#7 0x000055a662871d56 in virNetServerProcessMsg (msg=0x55a663a7bc50, prog=0x55a663a78020, client=0x55a663a7b960,
srv=0x55a663a77550) at rpc/virnetserver.c:148
#8 virNetServerDispatchNewMessage (client=0x55a663a7b960, msg=0x55a663a7bc50, opaque=0x55a663a77550)
at rpc/virnetserver.c:227
#9 0x000055a66286e4c0 in virNetServerClientDispatchRead (client=client@entry=0x55a663a7b960)
at rpc/virnetserverclient.c:1322
#10 0x000055a66286e813 in virNetServerClientDispatchEvent (sock=<optimized out>, events=1, opaque=0x55a663a7b960)
at rpc/virnetserverclient.c:1507
#11 0x000055a662899be0 in virEventPollDispatchHandles (fds=0x55a663a7bdc0, nfds=<optimized out>)
at util/vireventpoll.c:508
#12 virEventPollRunOnce () at util/vireventpoll.c:657
#13 0x000055a6628982f1 in virEventRunDefaultImpl () at util/virevent.c:327
#14 0x000055a6628716d5 in virNetDaemonRun (dmn=0x55a663a771b0) at rpc/virnetdaemon.c:858
#15 0x000055a662864c1d in main (argc=<optimized out>,
#argv=0x7ffd105b4838) at logging/log_daemon.c:1235
Reviewed-by: John Ferlan <jferlan@redhat.com> Reviewed-by: Jim Fehlig <jfehlig@suse.com> Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
rpc: simplify calling convention of virNetServerClientDispatchFunc
Currently virNetServerClientDispatchFunc implementations are only
responsible for free'ing the "msg" parameter upon success. Simplify the
calling convention by making it their unconditional responsibility to
free the "msg", and close the client if desired.
Reviewed-by: John Ferlan <jferlan@redhat.com> Reviewed-by: Jim Fehlig <jfehlig@suse.com> Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
rpc: push ref acquisition into RPC dispatch function
There's no reason why the virNetServerClientDispatchRead method needs to
acquire an extra reference on the "client" object. An extra reference is
only needed if the registered dispatch callback is going to keep hold of
the "client" for work in the background. Thus we can push reference
acquisition into virNetServerDispatchNewMessage.
Reviewed-by: John Ferlan <jferlan@redhat.com> Reviewed-by: Jim Fehlig <jfehlig@suse.com> Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
Andrea Bolognani [Wed, 28 Feb 2018 13:40:45 +0000 (14:40 +0100)]
travis: Sync packages with libvirt-jenkins-ci
Make sure we install the same packages lcitool would install on
the CentOS CI so that we have consistent results. The package
list is current as of libvirt-jenkins-ci commit ad84090b6f96.
Signed-off-by: Andrea Bolognani <abologna@redhat.com> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
This function was introduced in commit 41f5c2ca2776 as a way
to probe the same property for multiple devices at once.
Although the resulting representation is very compact, it
doesn't provide any extra features compared to the existing
virQEMUCapsProcessStringFlags() mechanism, which is already
used for pretty much all device properties.
Drop the custom function and datatypes and start using the
standard ones instead.
Note that, in theory, the end result is not identical
because we're no longer probing properties for
qemu: Ignore subsequent attempts to probe device properties
In some cases, we are probing multiple devices for the same
property and setting the corresponding capability if it's
found on any of the devices: when that happens, we can quit
early after finding the first property and avoiding a bunch
of string comparisons.
Signed-off-by: Andrea Bolognani <abologna@redhat.com>
qemu: Take full advantage of conditional device property probing
Commit 4ae59411fa3f introduced the ability to make probing for
device properties conditional on a capability being set, but
didn't extend the use of this feature to existing devices.
This commit does the last bit of work, which results in a lot
of pointless QMP chatter no longer happening and our test suite
shrinking a fair bit.
Signed-off-by: Andrea Bolognani <abologna@redhat.com>
Peter Krempa [Tue, 6 Mar 2018 13:57:17 +0000 (14:57 +0100)]
util: storageencryption: Refactor cleanup section in virStorageEncryptionParseXML
The function used the 'cleanup' label only in error cases. This patch
makes the code pass the cleanup label in every case and removes few
unnecessary VIR_FREEs.
In certain cases a xml contains paths that do not yet exist, but
are valid as qemu will create them later on - for example
vhostuser mode=server sockets.
In any such cases so far the check to virFileExists failed and due to
that the paths stayed non-resolved in regard to symlinks.
But for apparmor those non-resolved rules are non functional as they
are evaluated after resolving any symlinks.
Therefore for non-existent files and partially non-existent paths
resolve as much as possible to get valid rules.
Erik Skultety [Mon, 5 Mar 2018 14:43:45 +0000 (15:43 +0100)]
util: mdev: Treat the 'name' sysfs attribute as optional
When commit 3545cbef moved the sysfs attribute reading logic from
_udev.c module to virmdev.c, it had to replace our udev read wrappers
with the ones available from virfile.c. The problem is that the original
logic worked correctly with udev read wrappers which don't return an
error code for a missing attribute, virfile.c readers however - not so
much. Therefore add another parameter to the macro, so we can again
accept the fact that optional attributes may be missing.
Signed-off-by: Erik Skultety <eskultet@redhat.com> Reviewed-by: John Ferlan <jferlan@redhat.com>
projects / libvirt.git / log