Michal Privoznik [Fri, 28 Jun 2019 06:17:45 +0000 (08:17 +0200)]
qemu: Don't leak storage perms on failure in qemuDomainAttachDiskGeneric
At the very beginning of the attach function the
qemuDomainStorageSourceChainAccessAllow() is called which
modifies CGroups, locks and seclabels for new disk and its
backing chain. This must be followed by a counterpart which
reverts back all the changes if something goes wrong. This boils
down to calling qemuDomainStorageSourceChainAccessRevoke() which
is done under 'error' label. But not all failure branches jump
there. They just jump onto 'cleanup' label where no revoke is
done. Such mistake is easy to do because 'cleanup' label does
exist. Therefore, dissolve 'error' block in 'cleanup' and have
everything jump onto 'cleanup' label.
Signed-off-by: Michal Privoznik <mprivozn@redhat.com> Reviewed-by: Cole Robinson <crobinso@redhat.com>
Michal Privoznik [Thu, 26 Sep 2019 06:25:50 +0000 (08:25 +0200)]
qemu_monitor_text: Catch IOMMU/VFIO related errors in qemuMonitorTextAddDrive
Because this is a HMP we're dealing with, there is nothing like
class of reply message, so we have to do some string comparison
to guess if the command fails. Well, with NVMe disks whole new
class of errors comes to play because qemu needs to initialize
IOMMU and VFIO for them. You can see all the messages it may
produce in qemu_vfio_init_pci().
Signed-off-by: Michal Privoznik <mprivozn@redhat.com> Reviewed-by: Cole Robinson <crobinso@redhat.com>
This function is currently not called for any type of storage
source that is not considered 'local' (as defined by
virStorageSourceIsLocalStorage()). Well, NVMe disks are not
'local' from that point of view and therefore we will need to
call this function more frequently.
Signed-off-by: Michal Privoznik <mprivozn@redhat.com> Reviewed-by: Cole Robinson <crobinso@redhat.com>
Michal Privoznik [Mon, 24 Jun 2019 10:34:45 +0000 (12:34 +0200)]
qemu: Allow NVMe disk in CGroups
If a domain has an NVMe disk configured, then we need to allow it
on devices CGroup so that qemu can access it. There is one caveat
though - if an NVMe disk is read only we need CGroup to allow
write too. This is because when opening the device, qemu does
couple of ioctl()-s which are considered as write.
Signed-off-by: Michal Privoznik <mprivozn@redhat.com> Reviewed-by: Cole Robinson <crobinso@redhat.com>
Michal Privoznik [Wed, 18 Sep 2019 09:36:18 +0000 (11:36 +0200)]
qemu: Mark NVMe disks as 'need VFIO'
There are couple of places where a domain with a VFIO device gets
special treatment: in CGroups when enabling/disabling access to
/dev/vfio/vfio, and when creating/removing nodes in domain mount
namespace. Well, a NVMe disk is a VFIO device too. Fortunately,
we have this qemuDomainNeedsVFIO() function which is the only
place that needs adjustment.
Signed-off-by: Michal Privoznik <mprivozn@redhat.com> Reviewed-by: Cole Robinson <crobinso@redhat.com>
Michal Privoznik [Tue, 25 Jun 2019 13:36:44 +0000 (15:36 +0200)]
qemu: Take NVMe disks into account when calculating memlock limit
We have this beautiful function that does crystal ball
divination. The function is named
qemuDomainGetMemLockLimitBytes() and it calculates the upper
limit of how much locked memory is given guest going to need. The
function bases its guess on devices defined for a domain. For
instance, if there is a VFIO hostdev defined then it adds 1GiB to
the guessed maximum. Since NVMe disks are pretty much VFIO
hostdevs (but not quite), we have to do the same sorcery.
Signed-off-by: Michal Privoznik <mprivozn@redhat.com> ACKed-by: Peter Krempa <pkrempa@redhat.com> Reviewed-by: Cole Robinson <crobinso@redhat.com>
The qemu driver has its own wrappers around virHostdev module (so
that some arguments are filled in automatically). Extend these to
include NVMe devices too.
Signed-off-by: Michal Privoznik <mprivozn@redhat.com> ACKed-by: Peter Krempa <pkrempa@redhat.com> Reviewed-by: Cole Robinson <crobinso@redhat.com>
Now that we have virNVMeDevice module (introduced in previous
commit), let's use it int virHostdev to track which NVMe devices
are free to be used by a domain and which are taken.
Signed-off-by: Michal Privoznik <mprivozn@redhat.com> Reviewed-by: Cole Robinson <crobinso@redhat.com>
This module will be used by virHostdevManager and it's inspired
by virPCIDevice module. They are very similar except instead of
what makes a NVMe device: PCI address AND namespace ID. This
means that a NVMe device can appear in a domain multiple times,
each time with a different namespace.
Signed-off-by: Michal Privoznik <mprivozn@redhat.com> Reviewed-by: Cole Robinson <crobinso@redhat.com>
To simplify implementation, some restrictions are added. For
instance, an NVMe disk can't go to any bus but virtio and has to
be type of 'disk' and can't have startupPolicy set.
Signed-off-by: Michal Privoznik <mprivozn@redhat.com> Reviewed-by: Cole Robinson <crobinso@redhat.com>
There is this class of PCI devices that act like disks: NVMe.
Therefore, they are both PCI devices and disks. While we already
have <hostdev/> (and can assign a NVMe device to a domain
successfully) we don't have disk representation. There are three
problems with PCI assignment in case of a NVMe device:
1) domains with <hostdev/> can't be migrated
2) NVMe device is assigned whole, there's no way to assign only a
namespace
3) Because hypervisors see <hostdev/> they don't put block layer
on top of it - users don't get all the fancy features like
snapshots
NVMe namespaces are way of splitting one continuous NVDIMM memory
into smaller ones, effectively creating smaller NVMe-s (which can
then be partitioned, LVMed, etc.)
Because of all of this the following XML was chosen to model a
NVMe device:
There are going to be more disk types that are considered unsafe
with respect to migration. Therefore, move the error reporting
call outside of if() body and rework if-else combo to switch().
Signed-off-by: Michal Privoznik <mprivozn@redhat.com> Reviewed-by: Cole Robinson <crobinso@redhat.com>
This helper is cleaner than plain memcpy() because one doesn't
have to look into virPCIDeviceAddress struct to see if it
contains any strings / pointers.
Signed-off-by: Michal Privoznik <mprivozn@redhat.com> ACKed-by: Peter Krempa <pkrempa@redhat.com> Reviewed-by: Cole Robinson <crobinso@redhat.com>
Michal Privoznik [Tue, 11 Jun 2019 08:24:04 +0000 (10:24 +0200)]
virHostdevReAttachPCIDevices: Separate out function body
In near future we will have a list of PCI devices we want to
re-attach to the host (held in virPCIDeviceListPtr) but we don't
have virDomainHostdevDefPtr. That's okay because
virHostdevReAttachPCIDevices() works with virPCIDeviceListPtr
mostly anyway. And in very few places where it needs
virDomainHostdevDefPtr are not interesting for our case.
Signed-off-by: Michal Privoznik <mprivozn@redhat.com> ACKed-by: Peter Krempa <pkrempa@redhat.com> Reviewed-by: Cole Robinson <crobinso@redhat.com>
virHostdevPreparePCIDevices: Separate out function body
In near future we will have a list of PCI devices we want to
detach (held in virPCIDeviceListPtr) but we don't have
virDomainHostdevDefPtr. That's okay because
virHostdevPreparePCIDevices() works with virPCIDeviceListPtr
mostly anyway. And in very few places where it needs
virDomainHostdevDefPtr are not interesting for our case.
Signed-off-by: Michal Privoznik <mprivozn@redhat.com> ACKed-by: Peter Krempa <pkrempa@redhat.com> Reviewed-by: Cole Robinson <crobinso@redhat.com>
Michal Privoznik [Thu, 19 Sep 2019 12:43:13 +0000 (14:43 +0200)]
virpci: Introduce and use virPCIDeviceAddressGetIOMMUGroupDev
Sometimes, we have a PCI address and not fully allocated
virPCIDevice and yet we still want to know its /dev/vfio/N path.
Introduce virPCIDeviceAddressGetIOMMUGroupDev() function exactly
for that.
Signed-off-by: Michal Privoznik <mprivozn@redhat.com> Reviewed-by: Cole Robinson <crobinso@redhat.com>
Michal Privoznik [Tue, 17 Sep 2019 09:47:59 +0000 (11:47 +0200)]
qemuDomainGetHostdevPath: Don't include /dev/vfio/vfio in returned paths
Now that all callers of qemuDomainGetHostdevPath() handle
/dev/vfio/vfio on their own, we can safely drop handling in this
function. In near future the decision whether domain needs VFIO
file is going to include more device types than just
virDomainHostdev.
Signed-off-by: Michal Privoznik <mprivozn@redhat.com> Reviewed-by: Cole Robinson <crobinso@redhat.com>
Michal Privoznik [Tue, 17 Sep 2019 09:31:24 +0000 (11:31 +0200)]
qemuDomainGetHostdevPath: Use more g_autoptr()/g_autofree
There are several variables which could be automatically freed
upon return from the function. I'm not changing @tmpPaths (which
is a string list) because it is going to be removed in next
commit.
Signed-off-by: Michal Privoznik <mprivozn@redhat.com> Reviewed-by: Cole Robinson <crobinso@redhat.com>
In near future, the decision what to do with /dev/vfio/vfio with
respect to domain namespace and CGroup is going to be moved out
of qemuDomainGetHostdevPath() because there will be some other
types of devices than hostdevs that need access to VFIO.
All functions that I'm changing (except qemuSetupHostdevCgroup())
assume that hostdev we are adding/removing to VM is not in the
definition yet (because of how qemuDomainNeedsVFIO() is written).
Fortunately, this assumption is true.
For qemuSetupHostdevCgroup(), the worst thing that may happen is
that we allow /dev/vfio/vfio which was already allowed.
Signed-off-by: Michal Privoznik <mprivozn@redhat.com> Reviewed-by: Cole Robinson <crobinso@redhat.com>
qemu: command: move sound codec validation to qemu_domain.c
qemuBuildSoundCodecStr() validates if a given QEMU binary
supports the sound codec. This validation can be moved to
qemu_domain.c to be executed in domain define time.
The codec validation was moved to the existing
qemuDomainDeviceDefValidateSound() function.
Reviewed-by: Cole Robinson <crobinso@redhat.com> Signed-off-by: Daniel Henrique Barboza <danielhb413@gmail.com>
qemu: command: move qemuBuildSoundDevStr caps validation to qemu_domain
Move QEMU caps validation of QEMU_CAPS_OBJECT_USB_AUDIO and
QEMU_CAPS_DEVICE_ICH9_INTEL_HDA to a new function in qemu_domain.c,
qemuDomainDeviceDefValidateSound(). This function is called by
qemuDomainDeviceDefValidate() to validate the sound device
in domain define time.
qemuxml2xmltest.c was adjusted to add the now required caps for
domain definition.
Reviewed-by: Cole Robinson <crobinso@redhat.com> Signed-off-by: Daniel Henrique Barboza <danielhb413@gmail.com>
qemu: command: move qemuBuildTPMDevStr TPM validation to qemu_domain.c
qemuBuildTPMDevStr() does TPM model validation that can be moved to
qemu_domain.c, allowing validation in domain define time. This patch
moves it to the existing qemuDomainDeviceDefValidateTPM() function.
Reviewed-by: Cole Robinson <crobinso@redhat.com> Signed-off-by: Daniel Henrique Barboza <danielhb413@gmail.com>
qemu: command: move qemuBuildConsoleCommandLine validation to qemu_domain.c
Console validation is currently being done by qemuBuildConsoleCommandLine().
This patch moves it to a new qemuDomainDefValidateConsole() function. This
new function is then called by qemuDomainDefValidate(), validating the
console in domain define time.
Reviewed-by: Cole Robinson <crobinso@redhat.com> Signed-off-by: Daniel Henrique Barboza <danielhb413@gmail.com>
qemu: command: move qemuBuildGraphicsSPICECommandLine validation to qemu_domain.c
Move the SPICE caps validation from qemuBuildGraphicsSPICECommandLine()
to a new function called qemuDomainDeviceDefValidateSPICEGraphics().
This function is called by qemuDomainDeviceDefValidateGraphics(),
which in turn is called by qemuDomainDefValidate(), validating the graphics
parameters in domain define time.
This validation move exposed a flaw in the 'default-video-type' tests
for PPC64, AARCH64 and s390 archs. The XML was considering 'spice' as
the default video type, which isn't true for those architectures.
This was flying under the radar until now because the SPICE validation
was being made in 'virsh start' time, while the XML validation done in
qemuxml2xmltest.c considers define time.
All other tests were adapted to consider SPICE validation in this
earlier stage.
Reviewed-by: Cole Robinson <crobinso@redhat.com> Signed-off-by: Daniel Henrique Barboza <danielhb413@gmail.com>
qemu: command: move qemuBuildGraphicsVNCCommandLine validation to qemu_domain.c
Move the VNC cap validation from qemuBuildGraphicsVNCCommandLine()
to qemuDomainDeviceDefValidateGraphics(). This function is called by
qemuDomainDefValidate(), validating the graphics parameters in domain
define time.
Tests were adapted to consider SDL validation in this earlier stage.
Reviewed-by: Cole Robinson <crobinso@redhat.com> Signed-off-by: Daniel Henrique Barboza <danielhb413@gmail.com>
qemu: command: move qemuBuildGraphicsSDLCommandLine validation to qemu_domain.c
There are validations for SDL, VNC, SPICE and EGL_HEADLESS
around several BuildGraphics*CommandLine in qemu_command.c. This
patch starts to move all of them to qemu_domain.c, inside the
existent qemuDomainDeviceDefValidateGraphics() function. This
function is called by qemuDomainDefValidate(), validating the
graphics parameters in domain define time.
In this patch we'll move the SDL validation code from
qemuBuildGraphicsSDLCommandLine(). Tests were adapted to consider
SDL validation in this earlier stage.
Reviewed-by: Cole Robinson <crobinso@redhat.com> Signed-off-by: Daniel Henrique Barboza <danielhb413@gmail.com>
qemu: command: move pcihole64 validation to qemu_domain.c
Move the pcihole64 validation being done by
qemuBuildGlobalControllerCommandLine() to the existing function
qemuDomainDeviceDefValidateControllerPCI(), which provides
domain define time validation.
The existing pcihole64 validations in qemu_domain.c were replaced
by the ones moved from qemu_command.c. The reason is that they
are more specific, allowing VIR_DOMAIN_CONTROLLER_MODEL_PCI_ROOT
and VIR_DOMAIN_CONTROLLER_MODEL_PCIE_ROOT to have distinct validation,
with exclusive QEMU caps and machine types.
Tests were adapted to consider the new caps being needed in
this earlier stage.
Reviewed-by: Cole Robinson <crobinso@redhat.com> Signed-off-by: Daniel Henrique Barboza <danielhb413@gmail.com>
qemu: command: move qemuBuildBootCommandLine validation to qemu_domain.c
Move the boot validation being done by qemuBuildBootCommandLine()
to to a new qemuDomainDefValidateBoot() function. This new function
is called by qemuDomainDefValidate(), allowing boot validation in
domain define time.
Tests were adapted to consider the new caps being needed in
this earlier stage.
Reviewed-by: Cole Robinson <crobinso@redhat.com> Signed-off-by: Daniel Henrique Barboza <danielhb413@gmail.com>
qemu: command: move qemuBuildPMCommandLine validation to qemu_domain.c
Move the PM validation being done by qemuBuildPMCommandLine() to
to a new qemuDomainDefValidatePM() function. This new function
is called by qemuDomainDefValidate(), promoting PM validation in
domain define time.
Tests were adapted to consider the new caps being needed in
this earlier stage.
Reviewed-by: Cole Robinson <crobinso@redhat.com> Signed-off-by: Daniel Henrique Barboza <danielhb413@gmail.com>
qemu: command: move virDomainClockDef validation to qemu_domain.c
@def->clock validation is done by qemuBuildClockCommandLine() and
qemuBuildClockArgStr(). This patch centralize the validation done
in both these functions to a new qemuDomainDefValidateClockTimers()
function. This new function is then called by qemuDomainDefValidate(),
promoting clock validation in domain define time.
Tests were adapted to consider the new caps being needed in
this earlier stage.
Reviewed-by: Cole Robinson <crobinso@redhat.com> Signed-off-by: Daniel Henrique Barboza <danielhb413@gmail.com>
qemu: command: move qemuBuildHostdevCommandLine caps validation to qemu_domain
Move QEMU caps validation of qemuBuildHostdevCommandLine() to
qemuDomainDeviceDefValidateHostdev() and qemuDomainMdevDefValidate(),
allowing them to be validated at domain define time.
Tests were adapted to consider the new caps being needed in
this earlier stage.
Reviewed-by: Cole Robinson <crobinso@redhat.com> Signed-off-by: Daniel Henrique Barboza <danielhb413@gmail.com>
qemu: command: move qemuBuildHubDevStr caps validation to qemu_domain
Move QEMU caps validation of QEMU_CAPS_USB_HUB to a new function in
qemu_domain.c, qemuDomainDeviceDefValidateHub(). This function is
called by qemuDomainDeviceDefValidate() to validate the sound device
in domain define time.
qemuxml2xmltest.c was adjusted to add the now required caps for
domain definition.
Reviewed-by: Cole Robinson <crobinso@redhat.com> Signed-off-by: Daniel Henrique Barboza <danielhb413@gmail.com>
qemu: command: move NVRAM validation to qemu_domain.c
A new function qemuDomainDeviceDefValidateNVRAM() was created
to validate the NVRAM in domain define time. Unit test was
adjusted to account for the extra QEMU_CAPS_DEVICE_NVRAM required
during domain define.
Reviewed-by: Cole Robinson <crobinso@redhat.com> Signed-off-by: Daniel Henrique Barboza <danielhb413@gmail.com>
qemu: command: move NUMA validation to qemu_domain.c
A new qemuDomainDefValidateNuma() function was created to host
all the QEMU caps validation being done inside qemuBuildNumaArgStr().
This new function is called by qemuDomainValidateCpuCount()
to allow NUMA validation in domain define time.
Tests were changed to account for the QEMU capabilities
that need to be present at domain define time.
Reviewed-by: Cole Robinson <crobinso@redhat.com> Signed-off-by: Daniel Henrique Barboza <danielhb413@gmail.com>
Next patch will validate QEMU_CAPS_NUMA_DIST in a new qemu_domain.c
function. The code to verify if a NUMA node distance is being
set will still be needed in qemuBuildNumaArgStr() though.
To avoid code repetition, let's put this logic in a helper to be
used in qemuBuildNumaArgStr() and in the new function.
Reviewed-by: Cole Robinson <crobinso@redhat.com> Signed-off-by: Daniel Henrique Barboza <danielhb413@gmail.com>
qemu: command: move PSeries features validation to qemu_domain.c
Introduce a new function called qemuDomainDefValidatePSeriesFeature()
that will center all the PSeries validation done in qemu_command.c.
qemuDomainDefValidatePSeriesFeature() is then called during domain
define time, in qemuDomainDefValidateFeatures().
qemuxml2argvtest.c is also changed to include all the caps that now
are being validated in define time.
Reviewed-by: Cole Robinson <crobinso@redhat.com> Signed-off-by: Daniel Henrique Barboza <danielhb413@gmail.com>
Ani Sinha [Tue, 3 Dec 2019 11:09:12 +0000 (03:09 -0800)]
cpu: add CLZERO CPUID support for AMD platforms
Qemu commit e900135dcfb67 ("i386: Add CPUID bit for CLZERO and XSAVEERPTR")
adds support for CLZERO CPUID bit.
This commit extends support for this CPUID bit into libvirt.
Signed-off-by: Ani Sinha <ani.sinha@nutanix.com>
Message-Id: <1575371352-99055-1-git-send-email-ani.sinha@nutanix.com> Reviewed-by: Jiri Denemark <jdenemar@redhat.com>
These days libvirt is pretty reliable and even remote connections
(not the default for libvirt-guests anyway) either work or fail but are
uncommon to be flaky.
On the other hand users might have disabled the service and while we are
After=libvirtd for ordering we are not Requiring it. Adding that or any
harder dependency might break our ordering. But if people have disabled
libvirt they will do a full retry loop until timeout.
Lets drop the loop to be much faster if a remote is not reachable.
Fixes: https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1854653
This reverts
The race described in that commit no longer exists using systemd as
we now have socket activation. If not using systemd, then it is also
safe if using the libvirtd --daemon flag, since the parent process
won't return to the caller until the child is accepting connections.
Reported-by: Doug Smythies <dsmythies@telus.net> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com> Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
Michal Privoznik [Thu, 31 Oct 2019 17:59:19 +0000 (18:59 +0100)]
configure: Provide OpenRC scripts for sub-daemons
There is plenty of distributions that haven't switched to
systemd nor they force their users to (Gentoo, Alpine Linux to
name a few). With the daemon split merged their only option is to
still use the monolithic daemon which will go away eventually.
Provide init scripts for these distros too.
For now, I'm not introducing config files which would correspond
to the init files except for libvirtd and virtproxyd init scripts
where it might be desirable to tweak the command line of
corresponding daemons.
Signed-off-by: Michal Privoznik <mprivozn@redhat.com> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Marc Hartmayer [Thu, 14 Nov 2019 17:44:23 +0000 (18:44 +0100)]
rpc: Introduce virNetServerGetProgramLocked helper function
This patch introduces virNetServerGetProgramLocked. It's a function to
determine which program has to be used for a given @msg. This function
will be reused in the next patch.
Signed-off-by: Marc Hartmayer <mhartmay@linux.ibm.com> Reviewed-by: Pavel Hrdina <phrdina@redhat.com>
Marc Hartmayer [Thu, 14 Nov 2019 17:44:21 +0000 (18:44 +0100)]
remote: Save reference to program in daemonClientEventCallback
As a result, you can later determine during the callback which program
was used. This makes it easier to refactor the code in the future and
is less prone to error.
Signed-off-by: Marc Hartmayer <mhartmay@linux.ibm.com> Reviewed-by: Pavel Hrdina <phrdina@redhat.com>
Marc Hartmayer [Thu, 14 Nov 2019 17:44:19 +0000 (18:44 +0100)]
rpc: use the return value of virObjectRef directly
Use the return value of virObjectRef directly. This way, it's easier
for another reader to identify the reason why the additional reference
is required.
Signed-off-by: Marc Hartmayer <mhartmay@linux.ibm.com> Reviewed-by: John Ferlan <jferlan@redhat.com> Reviewed-by: Pavel Hrdina <phrdina@redhat.com>
Huaqiang [Fri, 13 Dec 2019 15:34:10 +0000 (15:34 +0000)]
conf: create memory bandwidth monitor.
Following domain configuration changes create two memory bandwidth
monitors: one is monitoring the bandwidth consumed by vCPU 0,
another is for vCPU 5.
Huaqiang [Wed, 13 Nov 2019 17:08:21 +0000 (01:08 +0800)]
cachetune schema: a looser check for the order of <cache> and <monitor> element
Originally, inside <cputune/cachetune>, it requires the <cache> element to
be in the position before <monitor>, and following configuration is not
permitted by schema, but it is better to let it be valid.
<cputune>
<cachetune vcpus='0-1'>
<monitor level='3' vcpus='0-1'/>
^
|__ Not permitted originally because it is in the place
before <cache> element.
And, let schema do more strict check by identifying following configuration to
be invalid, due to <cachetune> should contain at least one <cache> or <monitor>
element.
<cputune>
<cachetune vcpus='0-1'>
^
|__ a <cachetune> SHOULD contain at least one <cache> or <monitor>
</cachetune>
...
</cputune>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com> Signed-off-by: Huaqiang <huaqiang.wang@intel.com>
Huaqiang [Wed, 13 Nov 2019 17:08:20 +0000 (01:08 +0800)]
conf: showing cache/memoryBW monitor features in capabilities
We learned that the hardware features of CAT, CMT, MBA and MBM
are orthogonal ones, if CAT or MBA is not supported in system,
but CMT or MBM are supported, then the cache monitor or
memoryBW monitor features may not be correctly displayed in
host capabilities through command 'virsh capabilites'.
Showing the cache/memoryBW monitor capabilities even there is
no support of cache allocation or memoryBW allocation features.
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com> Signed-off-by: Huaqiang <huaqiang.wang@intel.com>
docs: remove link to virsh cmd ref & app dev guide
Both the application developer guide and virsh command
reference are unmaintained for best part of 8 years, and
so horrifically out of date. This does not give a good
impression to people reading the docs. Now that we are
publishing the man pages online, those are a better
doc to read for virsh. We can also highlight the API
reference instead of the app dev guide.
The virsh command reference & app dev guide will
still exist on the web root, but will not be linked
to.
Reviewed-by: Ján Tomko <jtomko@redhat.com> Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
Yingle Hou [Thu, 12 Dec 2019 02:58:18 +0000 (10:58 +0800)]
cpu: Remove the verification conditions of the model in the x86 signatures
The x86ModelParseSignatures function makes an assumption that CPU signature
model equals 0 as an invalid case. While in Hygon processor definition, A1
version (model 0, stepping 1) is mass production version, to support Hygon
Dhyana A1 version, we have removed CPU signature model zero checking condition.
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com> Signed-off-by: Yingle Hou <houyingle@hygon.cn>
Jiri Denemark [Thu, 12 Dec 2019 14:12:05 +0000 (15:12 +0100)]
cpu_map: Add TAA_NO bit for IA32_ARCH_CAPABILITIES MSR
CVE-2019-11135
CPUs with TAA_NO bit of IA32_ARCH_CAPABILITIES MSR set to 1 are not
vulnerable to TSX Asynchronous Abort and passing this bit to a guest
may avoid unnecessary mitigations.
Signed-off-by: Jiri Denemark <jdenemar@redhat.com> Reviewed-by: Ján Tomko <jtomko@redhat.com>
Peter Krempa [Wed, 4 Dec 2019 16:39:16 +0000 (17:39 +0100)]
qemu: backup: Merge bitmaps accross the backing chain
To allow backups work across external snapshots we need to improve the
algorithm which calculates which bitmaps to merge.
The algorithm must look for appropriately named bitmaps in the image and
possibly descend into a backing image if the current image does not have
the bitmap.
Signed-off-by: Peter Krempa <pkrempa@redhat.com> Reviewed-by: Eric Blake <eblake@redhat.com>
Peter Krempa [Thu, 12 Dec 2019 15:01:22 +0000 (16:01 +0100)]
tests: qemublock: Add testing of bitmap merging for incremental backups
Add test code which will crawl a fake internal list of checkpoints and
generate the list of bitmaps for merging to gather the final bitmap for
the backup.
The initial tests cover the basic case of all bitmaps being present in
the top layer of the backing chain.
Signed-off-by: Peter Krempa <pkrempa@redhat.com> Reviewed-by: Eric Blake <eblake@redhat.com>
Peter Krempa [Thu, 12 Dec 2019 14:46:19 +0000 (15:46 +0100)]
qemu: backup: Propagate bitmap metadata into qemuBackupDiskPrepareOneBitmapsChain
The function will require the bitmap topology for the full
implementation. To facilitate testing, add the propagation of the
necessary data beforehand so that the test code can stay unchanged
during the changes.
Signed-off-by: Peter Krempa <pkrempa@redhat.com> Reviewed-by: Eric Blake <eblake@redhat.com>
Peter Krempa [Thu, 12 Dec 2019 14:20:48 +0000 (15:20 +0100)]
qemu: backup: Extract calculations of bitmaps to merge for incremental backup
Separate the for now incomplete code that collects the bitmaps to be
merged for an incremental backup into a separate function. This will
allow adding testing prior to the improvement of the algorithm to
include snapshots.
Signed-off-by: Peter Krempa <pkrempa@redhat.com> Reviewed-by: Eric Blake <eblake@redhat.com>
Peter Krempa [Thu, 12 Dec 2019 12:50:55 +0000 (13:50 +0100)]
tests: qemublock: Add test case for detecting bitmaps as we create snapshots
Add test data gathered from a run of qemu after creating bitmaps and
snapshots together in various combinations.
The following sequence of commands was used to achieve the
configuration:
virsh checkpoint-create-as VM --name a
virsh snapshot-create-as VM --disk-only
virsh snapshot-create-as VM --disk-only
virsh checkpoint-create-as VM --name b
virsh checkpoint-create-as VM --name c
virsh snapshot-create-as VM --disk-only
virsh checkpoint-create-as VM --name d
virsh snapshot-create-as VM --disk-only
virsh checkpoint-create-as VM --name current
Note that VM was restarted after these operations to allow renumbering
of the bitmaps in a more human-readable way.
Signed-off-by: Peter Krempa <pkrempa@redhat.com> Reviewed-by: Eric Blake <eblake@redhat.com>
Peter Krempa [Thu, 28 Nov 2019 15:06:31 +0000 (16:06 +0100)]
qemu: snapshot: Propagate active bitmaps through external snapshots
Re-create any active persistent bitmap in the snapshot overlay image so
that tracking for a checkpoint is persisted. While this basically
duplicates data in the allocation map it's currently the only possible
way as qemu can't mirror the allocation map into a dirty bitmap if we'd
ever want to do a backup.
Signed-off-by: Peter Krempa <pkrempa@redhat.com> Reviewed-by: Eric Blake <eblake@redhat.com>
Peter Krempa [Thu, 28 Nov 2019 14:01:14 +0000 (15:01 +0100)]
qemu: snapshot: Fold formatting of snapshot transaction into prepare func
qemuDomainSnapshotDiskPrepareOne is already called for each disk which
is member of the snapshot so we don't need to iterate through the
snapshot list again to generate members of the 'transaction' command for
each snapshot.
Signed-off-by: Peter Krempa <pkrempa@redhat.com> Reviewed-by: Eric Blake <eblake@redhat.com>
Peter Krempa [Thu, 12 Dec 2019 12:37:01 +0000 (13:37 +0100)]
tests: qemublock: Add test for bitmap detection
Test the extraction of data about changed block tracking bitmaps. The
first test case adds a simple scenario of multiple bitmaps in one layer.
The test data will be also later reused for testing the code that
determines which bitmaps to merge for an incremental backup.
The sequence of bitmaps was created by the libvirt checkpoint API with
the following sequence of commands:
virsh checkpoint-create-as VM --name a
virsh checkpoint-create-as VM --name b
virsh checkpoint-create-as VM --name c
virsh checkpoint-create-as VM --name d
virsh checkpoint-create-as VM --name current
Signed-off-by: Peter Krempa <pkrempa@redhat.com> Reviewed-by: Eric Blake <eblake@redhat.com>
Peter Krempa [Mon, 9 Dec 2019 06:46:53 +0000 (07:46 +0100)]
qemu: monitor: Extract internals of qemuMonitorJSONBlockGetNamedNodeData
For testing purposes it will be beneficial to be able to parse the data
from JSON directly rather than trying to simulate the monitor. Extract
the worker bits and export them.
Signed-off-by: Peter Krempa <pkrempa@redhat.com> Reviewed-by: Eric Blake <eblake@redhat.com>
Andrea Bolognani [Fri, 13 Dec 2019 11:56:24 +0000 (12:56 +0100)]
gitlab: Move mips job to Debian 9
Support for the mips architecture has been dropped from Debian
sid. Move the mipsel job from Debian 9 to Debian sid at the same
time to keep things balanced.
Signed-off-by: Andrea Bolognani <abologna@redhat.com> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
conf: don't use passed in caps in post parse method
causing the method to re-fetch qemuCaps that were already just
fetched and put into parseOpaque.
This is inefficient when parsing incoming XML, but for live
XML this is more serious as it means we use the capabilities
for the current QEMU binary on disk, rather than the running
QEMU.
That commit, however, did have a useful side effect of fixing
a crasher bug in the qemu post parse callback introduced by
The qemuDomainDefSetDefaultCPU() method in that patch did not
allow for the possibility that qemuCaps would be NULL and thus
resulted in a SEGV.
This shows a risk in letting each check in the post parse
callback look for qemuCaps == NULL. The safer option is to
check once upfront and immediately stop (postpone) further
validation.
Reviewed-by: Michal Privoznik <mprivozn@redhat.com> Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
qemu: check os type / virt type / arch in validate callback
Don't check os type / virt type / arch in the post-parse callback
because we can't assume qemuCaps is non-NULL at this point. It
also conceptually belongs to the validation callback.
Reviewed-by: Michal Privoznik <mprivozn@redhat.com> Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
qemu: remove use of qemuDomainObjBeginJobWithAgent()
This function will be removed in a future commit because it allows the
caller to acquire both monitor and agent jobs at the same time. Holding
both job types creates a vulnerability to denial of service from a
malicious guest agent.
qemuDomainSetVcpusFlags() always passes NONE for either the monitor job
or the agent job (and thus is not vulnerable to the DoS), so we can
simply replace this function with the functions for acquiring the
appropriate type of job.
Signed-off-by: Jonathon Jongsma <jjongsma@redhat.com> Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
qemu: don't hold monitor and agent job when setting time
We have to assume that the guest agent may be malicious so we don't want
to allow any agent queries to block any other libvirt API. By holding
a monitor job while we're querying the agent, we open ourselves up to a
DoS.
Split the function so that the portion issuing the agent command only
holds an agent job and the portion issuing the monitor command holds
only a monitor job.
Signed-off-by: Jonathon Jongsma <jjongsma@redhat.com> Signed-off-by: Michal Privoznik <mprivozn@redhat.com> Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
We have to assume that the guest agent may be malicious so we don't want
to allow any agent queries to block any other libvirt API. By holding a
monitor job while we're querying the agent, we open ourselves up to a
DoS.
So split the function up a bit to only hold the monitor job while
querying qemu for whether the domain supports suspend. Then acquire only
an agent job while issuing the agent suspend command.
Signed-off-by: Jonathon Jongsma <jjongsma@redhat.com> Signed-off-by: Michal Privoznik <mprivozn@redhat.com> Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
qemu: don't hold a monitor and agent job for reboot
We have to assume that the guest agent may be malicious so we don't want
to allow any agent queries to block any other libvirt API. By holding
a monitor job while we're querying the agent, we open ourselves up to a
DoS.
Split the function so that we only hold the appropriate type of job
while rebooting.
Signed-off-by: Jonathon Jongsma <jjongsma@redhat.com> Signed-off-by: Michal Privoznik <mprivozn@redhat.com> Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
qemu: don't take agent and monitor job for shutdown
We have to assume that the guest agent may be malicious so we don't want
to allow any agent queries to block any other libvirt API. By holding
a monitor job while we're querying the agent, we open ourselves up to a
DoS. So split the function into separate parts: one that does the agent
shutdown and one that does the monitor shutdown. Each part holds only a
job of the appropriate type.
Signed-off-by: Jonathon Jongsma <jjongsma@redhat.com> Signed-off-by: Michal Privoznik <mprivozn@redhat.com> Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
Ján Tomko [Thu, 24 Oct 2019 22:26:06 +0000 (00:26 +0200)]
docs: hacking: document removal of VIR_STR(N)DUP
Signed-off-by: Ján Tomko <jtomko@redhat.com> Reviewed-by: Daniel Henrique Barboza <danielhb413@gmail.com> Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
Ján Tomko [Thu, 24 Oct 2019 22:25:03 +0000 (00:25 +0200)]
util: remove VIR_STRDUP and VIR_STRNDUP
Signed-off-by: Ján Tomko <jtomko@redhat.com> Reviewed-by: Daniel Henrique Barboza <danielhb413@gmail.com> Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
projects / libvirt.git / log