virExec would only resolved the binary to $PATH if no env
variables were being set. Since there is no execvep() API
in POSIX, we use virFindFileInPath to manually resolve
the binary and then use execv() instead of execvp().
Jim Fehlig [Thu, 10 Feb 2011 22:42:34 +0000 (15:42 -0700)]
Add libxenlight driver
Add a new xen driver based on libxenlight [1], which is the primary
toolstack starting with Xen 4.1.0. The driver is stateful and runs
privileged only.
Like the existing xen-unified driver, the libxenlight driver is
accessed with xen:// URI. Driver selection is based on the status
of xend. If xend is running, the libxenlight driver will not load
and xen:// connections are handled by xen-unified. If xend is not
running *and* the libxenlight driver is available, xen://
connections are deferred to the libxenlight driver.
V6:
- Address several code style issues noted by Daniel Veillard
- Make drive work with xen:/// URI
- Hold domain object reference while domain is injected in
libvirt event loop. Race found and fixed by Markus Groß.
V5:
- Ensure events are unregistered when domain private data
is destroyed. Discovered and fixed by Markus Groß.
V4:
- Handle restart of libvirtd, reconnecting to previously
started domains
- Rebased to current master
- Tested against Xen 4.1 RC7-pre (c/s 22961:c5d121fd35c0)
V3:
- Reserve vnc port within driver when autoport=yes
V2:
- Update to Xen 4.1 RC6-pre (c/s 22940:5a4710640f81)
- Rebased to current master
- Plug memory leaks found by Stefano Stabellini and valgrind
- Handle SHUTDOWN_crash domain death event
Jiri Denemark [Mon, 7 Mar 2011 14:07:01 +0000 (15:07 +0100)]
util: Forbid calling hash APIs from iterator callback
Calling most hash APIs is not safe from inside of an iterator callback.
Exceptions are APIs that do not modify the hash table and removing
current hash entry from virHashFroEach callback.
This patch make all APIs which are not safe fail instead of just relying
on the callback being nice not calling any unsafe APIs.
Wen Congyang [Wed, 16 Mar 2011 09:01:23 +0000 (17:01 +0800)]
do not unref obj in qemuDomainObjExitMonitor*
Steps to reproduce this bug:
# cat test.sh
#! /bin/bash -x
virsh start domain
sleep 5
virsh qemu-monitor-command domain 'cpu_set 2 online' --hmp
# while true; do ./test.sh ; done
Then libvirtd will crash.
The reason is that:
we add a reference of obj when we open the monitor. We will reduce this
reference when we free the monitor.
If the reference of monitor is 0, we will free monitor automatically and
the reference of obj is reduced.
But in the function qemuDomainObjExitMonitorWithDriver(), we reduce this
reference again when the reference of monitor is 0.
It will cause the obj be freed in the function qemuDomainObjEndJob().
Then we start the domain again, and libvirtd will crash in the function
virDomainObjListSearchName(), because we pass a null pointer(obj->def->name)
to strcmp().
Wen Congyang [Mon, 7 Mar 2011 06:35:49 +0000 (14:35 +0800)]
qemu: check driver name while attaching disk
This bug was reported by Shi Jin(jinzishuai@gmail.com):
=============
# virsh attach-disk RHEL6RC /var/lib/libvirt/images/test3.img vdb \
--driver file --subdriver qcow2
Disk attached successfully
# virsh save RHEL6RC /var/lib/libvirt/images/memory.save
Domain RHEL6RC saved to /var/lib/libvirt/images/memory.save
# virsh restore /var/lib/libvirt/images/memory.save
error: Failed to restore domain from /var/lib/libvirt/images/memory.save
error: internal error unsupported driver name 'file'
for disk '/var/lib/libvirt/images/test3.img'
=============
We check the driver name when we start or restore VM, but we do
not check it while attaching a disk. This adds the same check on disk
driverName used in qemuBuildCommandLine to qemudDomainAttachDevice.
Daniel Veillard [Thu, 17 Mar 2011 07:30:49 +0000 (15:30 +0800)]
Improve logging documentation including the debug buffer
* docs/logging.html.in: document the fact that starting from
0.9.0 the server logs goes to libvirtd.log instead of syslog
by default, describe the debug buffer, restructure the page
and add a couple more examples
Daniel Veillard [Tue, 15 Mar 2011 08:10:03 +0000 (16:10 +0800)]
Avoid taking lock in libvirt debug dump
As pointed out, locking the buffer from the signal handler
cannot been guaranteed to be safe, so to avoid any hazard
we prefer the trade off of dumping logs possibly messed up
by concurrent logging activity rather than risk a daemon
crash.
* src/util/logging.c: change virLogEmergencyDumpAll() to not
take any lock on the log buffer but reset buffer content variables
to an empty set before starting the actual dump.
Wen Congyang [Wed, 16 Mar 2011 06:54:28 +0000 (14:54 +0800)]
unlock the monitor when unwatching the monitor
Steps to reproduce this bug:
# virsh qemu-monitor-command domain 'cpu_set 2 online' --hmp
The domain has 2 cpus, and we try to set the third cpu online.
The qemu crashes, and this command will hang.
The reason is that the refs is not 1 when we unwatch the monitor.
We lock the monitor, but we do not unlock it. So virCondWait()
will be blocked.
virsh: fix memtune's help message for swap_hard_limit
* Correct the documentation for cgroup: the swap_hard_limit indicates
mem+swap_hard_limit.
* Change cgroup private apis to: virCgroupGet/SetMemSwapHardLimit
Signed-off-by: Nikunj A. Dadhania <nikunj@linux.vnet.ibm.com>
Alex Williamson [Thu, 17 Mar 2011 20:26:36 +0000 (14:26 -0600)]
Add PCI sysfs reset access
I'm proposing we make use of $PCIDIR/reset in qemu-kvm to reset
devices on VM reset. We need to add it to libvirt's list of
files that get ownership for device assignment.
Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
Jim Fehlig [Thu, 17 Mar 2011 20:16:47 +0000 (14:16 -0600)]
Support Xen sysctl v8, domctl v7
xen-unstable c/s 21118:28e5409e3fb3 bumped sysctl version to 8.
xen-unstable c/s 21212:de94884a669c introduced CPU pools feature,
adding another member to xen_domctl_getdomaininfo struct. Add a
corresponding domctl v7 struct in xen hypervisor sub-driver and
detect sysctl v8 during initialization.
Matthias Bolte [Thu, 17 Mar 2011 16:51:33 +0000 (17:51 +0100)]
remote: Add missing virCondDestroy calls
The virCond of the remote_thread_call struct was leaked in some
places. This results in leaking the underlying mutex. Which in turn
leaks a handle on Windows.
Reported by Aliaksandr Chabatar and Ihar Smertsin.
Eric Blake [Wed, 16 Mar 2011 17:50:44 +0000 (11:50 -0600)]
build: improve rpm generation for distro backports
When building for an older distro, it's convenient to just
tell rpmbuild to define dist (for example, to .el6_0), rather
than also remembering to define rhel to 6.
* libvirt.spec.in: Guess %{rhel} based on %{dist}.
Based on an idea by Jiri Denemark.
Laine Stump [Tue, 15 Mar 2011 20:22:25 +0000 (16:22 -0400)]
macvtap: log an error if on failure to connect to netlink socket
A bug in libnl (see https://bugzilla.redhat.com/show_bug.cgi?id=677724
and https://bugzilla.redhat.com/show_bug.cgi?id=677725) makes it very
easy to create a failure to connect to the netlink socket when trying
to open a macvtap network device ("type='direct'" in domain interface
XML). When that error occurred (during a call to libnl's nl_connect()
from libvirt's nlComm(), there was no log message, leading virsh (for
example) to report "unknown error".
There were two other cases in nlComm where an error in a libnl
function might return with failure but no error reported. In all three
cases, this patch logs a message which will hopefully be more useful.
Note that more detailed information about the failure might be
available from libnl's nl_geterror() function, but it calls
strerror(), which is not threadsafe, so we can't use it.
Osier Yang [Wed, 16 Mar 2011 08:28:07 +0000 (16:28 +0800)]
storage: Fix a problem which will cause libvirtd crashed
If pool xml has no definition for "port", then "Segmentation fault"
happens when jumping to "cleanup:" to do "VIR_FREE(port)", as "port"
was not initialized in this situation.
Eric Blake [Wed, 22 Dec 2010 20:48:05 +0000 (13:48 -0700)]
qemu: improve efficiency of dd during snapshots
POSIX states about dd:
If the bs=expr operand is specified and no conversions other than
sync, noerror, or notrunc are requested, the data returned from each
input block shall be written as a separate output block; if the read
returns less than a full block and the sync conversion is not
specified, the resulting output block shall be the same size as the
input block. If the bs=expr operand is not specified, or a conversion
other than sync, noerror, or notrunc is requested, the input shall be
processed and collected into full-sized output blocks until the end of
the input is reached.
Since we aren't using conv=sync, there is no zero-padding, but our
use of bs= means that a short read results in a short write. If
instead we use ibs= and obs=, then short reads are collected and dd
only has to do a single write, which can make dd more efficient.
* src/qemu/qemu_monitor.c (qemuMonitorMigrateToFile):
Avoid 'dd bs=', since it can cause short writes.
Eric Blake [Mon, 14 Mar 2011 16:44:37 +0000 (10:44 -0600)]
virsh: allow empty string arguments
"virsh connect ''" should try to connect to the default connection,
but the previous patch made it issue a warning about an invalid URI.
* tools/virsh.c (VSH_OFLAG_EMPTY_OK): New option flag.
(vshCommandOptString): Per the declaration, value is required to
be non-NULL. Honor new flag.
(opts_connect): Allow empty string connection.
The virCommandNewArgs() method would free the virCommandPtr
if it failed to add the args. This meant errors reported in
virCommandAddArgSet() were lost. Simply removing the check
for errors from the constructor means they can be reported
correctly later
The virCommandAddEnvPassCommon() method failed to check for
errors before reallocating the cmd->env array, causing a
potential SEGV if cmd was NULL
The virCommandAddArgSet() method needs to validate that at
least 1 element in 'val's parameter is non-NULL, otherwise
code like
Add virSetBlocking() to allow O_NONBLOCK to be toggle on or off
The virSetNonBlock() API only allows enabling non-blocking
operations. It doesn't allow turning blocking back on. Add
a new API to allow arbitrary toggling.
Taku Izumi [Tue, 15 Mar 2011 07:49:31 +0000 (16:49 +0900)]
libvirt: fix a simple bug in virDomainSetMemoryFlags()
This patch fix a simple bug in virDomainSetMemoryFlags function.
The patch sent before lacks the consideration of the case
where the driver doesn't support virDomainSetMemoryFlags API.
Make LXC container startup/shutdown/I/O more robust
The current LXC I/O controller looks for HUP to detect
when a guest has quit. This isn't reliable as during
initial bootup it is possible that 'init' will close
the console and let mingetty re-open it. The shutdown
of containers was also flakey because it only killed
the libvirt I/O controller and expected container
processes to gracefully follow.
Change the I/O controller such that when it see HUP
or an I/O error, it uses kill($PID, 0) to see if the
process has really quit.
Change the container shutdown sequence to use the
virCgroupKillPainfully function to ensure every
really goes away
This change makes the use of the 'cpu', 'devices'
and 'memory' cgroups controllers compulsory with
LXC
* docs/drvlxc.html.in: Document that certain cgroups
controllers are now mandatory
* src/lxc/lxc_controller.c: Check if PID is still
alive before quitting on I/O error/HUP
* src/lxc/lxc_driver.c: Use virCgroupKillPainfully
Daniel Veillard [Tue, 8 Mar 2011 10:31:20 +0000 (18:31 +0800)]
Allow to dynamically set the size of the debug buffer
This is the part allowing to dynamically resize the debug log
buffer from it's default 64kB size. The buffer is now dynamically
allocated.
It adds a new API virLogSetBufferSize() which resizes the buffer
If passed a zero size, the buffer is deallocated and we do the small
optimization of not formatting messages which are not output anymore.
On the daemon side, it just adds a new option log_buffer_size to
libvirtd.conf and call virLogSetBufferSize() if needed
* src/util/logging.h src/util/logging.c src/libvirt_private.syms:
make buffer dynamic and add virLogSetBufferSize() internal API
* daemon/libvirtd.conf: document the new log_buffer_size option
* daemon/libvirtd.c: read and use the new log_buffer_size option
Eric Blake [Mon, 14 Mar 2011 14:36:26 +0000 (08:36 -0600)]
maint: make spacing in .sh files easier
Commit 7f193757 renamed libvirt-guests.init from .in to .sh, which
made it slip past sc_TAB_in_indentation. I nearly reintroduced a
tab, so I'm pushing this to prevent that from happening.
* cfg.mk (sc_TAB_in_indentation): Update rule to include .sh files.
* .dir-locals.el: List spacing preference for .sh files.
Philipp Hahn [Wed, 9 Mar 2011 08:54:57 +0000 (09:54 +0100)]
libvirt-guest.init: quoting variables
At least protect the $uri variable against further expansion by properly
quoting it. While doing that, also quote all other variables to protect
against shell meta characters.
Laine Stump [Mon, 14 Mar 2011 15:15:19 +0000 (11:15 -0400)]
audit: eliminate potential null pointer deref when auditing macvtap devices
The newly added call to qemuAuditNetDevice in qemuPhysIfaceConnect was
assuming that res_ifname (the name of the macvtap device) was always
valid, but this isn't the case. If openMacvtapTap fails, it always
returns NULL, which would result in a segv.
Since the audit log only needs a record of devices that are actually
sent to qemu, and a failure to open the macvtap device means that no
device will be sent to qemu, we can solve this problem by only doing
the audit if openMacvtapTap is successful (in which case res_ifname is
guaranteed valid).
Laine Stump [Sun, 13 Mar 2011 08:42:58 +0000 (04:42 -0400)]
network driver: don't send default route to clients on isolated networks
Normally dnsmasq will send a default route (the address of the host in
the network definition) to any client requesting an address via
DHCP. On an isolated network this makes no sense, as we have iptables
to prevent any traffic going out via that interface, so anything sent
that way would be dropped anyway.
This extra/unusable default route becomes problematic if you have
setup a guest with multiple network interfaces, with one connected to
an isolated network and another that provides connectivity to the
outside (example - one interface directly connecting to a physical
interface via macvtap, with a second connected to an isolated network
so that the host and guest can communicate (macvtap doesn't support
guest<->host communication without an external switch that supports
vepa, or reflecting all traffic back)). In this case, if the guest
chooses the default route of the isolated network, the guest will not
be able to get network traffic beyond the host.
To prevent dnsmasq from sending a default route, you can tell it to
send 0 bytes of data for the default route option (option number 3)
with --dhcp-option=3 (normally the data to send for the option would
follow the option number; no extra data means "don't send this option").
I have checked on RHEL5 (a good representative of the oldest supported
libvirt platforms) and its version of dnsmasq (2.45) does support
--dhcp-option, so this shouldn't create any compatibility problems.
Jiri Denemark [Fri, 11 Mar 2011 12:44:20 +0000 (13:44 +0100)]
python: Use hardcoded python path in libvirt.py
This partially reverts (and fixes that part in a different way) commit e4384459c93e3e786aa483c7f077d1d22148f689, which replaced
``/usr/bin/python'' with ``/usr/bin/env python'' in all examples or
scripts used during build to generate other files.
However, python bindings module is compiled and linked against a
specific python discovered or explicitly provided in configure phase.
Thus libvirt.py, which is generated and installed into the system,
should use the same python binary for which the module has been built.
The hunk in Makefile.am replaces $(srcdir) with $(PYTHON), which might
seem wrong but it is not. generator.py didn't use any of its command
line arguments so passing $(srcdir) to it was redundant.
Guido Günther [Mon, 14 Mar 2011 02:56:28 +0000 (10:56 +0800)]
Add missing checks for read only connections
As pointed on CVE-2011-1146, some API forgot to check the read-only
status of the connection for entry point which modify the state
of the system or may lead to a remote execution using user data.
The entry points concerned are:
- virConnectDomainXMLToNative
- virNodeDeviceDettach
- virNodeDeviceReAttach
- virNodeDeviceReset
- virDomainRevertToSnapshot
- virDomainSnapshotDelete
* src/libvirt.c: fix the above set of entry points to error on read-only
connections
Laine Stump [Fri, 11 Mar 2011 18:20:48 +0000 (13:20 -0500)]
network driver: Use a separate dhcp leases file for each network
By default, all dnsmasq processes share the same leases file. libvirt
also uses the --dhcp-lease-max option to control the maximum number of
leases allowed. The problem is that libvirt puts in a number equal to
the number of addresses in the range for the one network handled by a
single instance of dnsmasq, but dnsmasq checks the total number of
leases in the file (which could potentially contain many more).
The solution is to tell each instance of dnsmasq to create and use its
own leases file. (/var/lib/libvirt/network/<net-name>.leases).
This file is created by dnsmasq when it starts, but not deleted when
it exists. This is fine when the network is just being stopped, but if
the leases file was left around when a network was undefined, we could
end up with an ever-increasing number of dead files - instead, we
explicitly unlink the leases file when a network is undefined.
Note that Ubuntu carries a patch against an older version of libvirt for this:
The problem in that commit was that we began searching a list of ip
address definitions (rather than just having one) to look for a dhcp
range or static host; when we didn't find any, our pointer (ipdef) was
left at NULL, and when ipdef was NULL, we returned without starting up
dnsmasq.
Previously dnsmasq was started even without any dhcp ranges or static
entries, because it's still useful for DNS services.
Another problem I noticed while investigating was that, if there are
IPv6 addresses, but no IPv4 addresses of any kind, we would jump out
at an ever higher level in the call chain.
This patch does the following:
1) networkBuildDnsmasqArgv() = all uses of ipdef are protected from
NULL dereference. (this patch doesn't change indentation, to make
review easier. The next patch will change just the
indentation). ipdef is intended to point to the first IPv4 address
with DHCP info (or the first IPv4 address if none of them have any
dhcp info).
2) networkStartDhcpDaemon() = if the loop looking for an ipdef with
DHCP info comes up empty, we then grab the first IPv4 def from the
list. Also, instead of returning if there are no IPv4 defs, we just
return if there are no IP defs at all (either v4 or v6). This way a
network that is IPv6-only will still get dnsmasq listening for DNS
queries.
3) in networkStartNetworkDaemon() - we will startup dhcp not just if there
are any IPv4 addresses, but also if there are any IPv6 addresses.
Philipp Hahn [Tue, 1 Mar 2011 17:57:01 +0000 (18:57 +0100)]
libvirt-guest.init: handle domain name with spaces
awk splits the line on consecutive spaces, which breaks getting the name
of a domain whose name contains spaces. Use sed instead to strip the
"Name:" prefix from the line
Philipp Hahn [Tue, 1 Mar 2011 10:23:20 +0000 (11:23 +0100)]
domain.rng vs. formatdomain.html#elementsUSB
The Relax-NG schema for domains regarding <hostdev> doesn't match what's
implemented in src/conf/domain_conf.c#virDomainHostdevDefFormat(): The
implementation only requires @type, but the schema currently either
required none or all three attributes (@mode, @type, and @managed) to be
defined together, because they are declared in the same
<optional)-section. (@managed is currently even undocumented on
<http://libvirt.org/formatdomain.html#elementsUSB>).
Thus the following minimal <hostdev>-example fails to validate:
<domain type='test'>
<name>N</name>
<memory>4096</memory>
<bootloader>/bin/false</bootloader>
<os>
<type arch='x86_64' machine='xenpv'>linux</type>
</os>
<devices>
<hostdev type='pci'>
<source>
<address bus='0x06' slot='0x00' function='0x0'/>
</source>
</hostdev>
</devices>
</domain>
The schema is changed to match the current implementation:
1. @mode is optional (which defaults to 'subsystem')
2. @type is required
3. @managed is optional (which defaults to 'no')
Philipp Hahn [Tue, 1 Mar 2011 15:48:20 +0000 (16:48 +0100)]
Ignore backing file errors in FS storage pool
Currently a single storage volume with a broken backing file will disable the
whole storage pool. This can happen when the backing file is on some
unavailable network storage or if the backing volume is deleted, while the
storage volumes using it remain.
Since the storage pool can not be re-activated, re-creating the missing
or deleting the now useless volumes using libvirt only is not possible.
Fixing this is a little bit tricky:
1. virStorageBackendProbeTarget() only detects the missing backing file,
if the backing file format is not explicitly specified. If the
backing file is created using
kvm-img create -f qcow2 -o backing_fmt=qcow2,backing_file=... ...
no error is detected at this stage.
The new return code -3 signals that the backing file could not be
opened.
2. The backingStore.format must be >= 0, since values < 0 would break
virStorageVolTargetDefFormat() when dumping the XML data such as
<format type='...'/>
Because of this the format is faked as VIR_STORAGE_FILE_RAW.
3. virStorageBackendUpdateVolTargetInfo() always opens the backing file
and thus always detects a missing backing file.
Since it "only" updates the capacity, allocation, owner, group, mode
and SELinux label, just ignore errors at this stage, print an error
message and continue.
4. Using vol-dump on a broken volume still doesn't work, but at least
vol-destroy and pool-refresh do work now.
To reproduce:
dir=$(mktemp -d)
virsh pool-create-as tmp dir '' '' '' '' "$dir"
virsh vol-create-as --format qcow2 tmp back 1G
virsh vol-create-as --format qcow2 --backing-vol-format qcow2 --backing-vol back tmp cow 1G
virsh vol-delete --pool tmp back
virsh pool-refresh tmp
After the last step, the pool will be gone (because it was not persistent). As
long as the now broken image stays in the directory, you will not be able to
re-create or re-start the pool.
Taku Izumi [Wed, 2 Mar 2011 08:13:39 +0000 (17:13 +0900)]
setmem: add the new options to "virsh setmem" command
This patch adds the new options (--live and --config) to "virsh setmem" command.
The behavior of above options is the same as that of "virsh setvcpus" and so on.
That is, when the --config option is specified, a modification is effective for
the persistent domain. Moreover we can modify the memory size of inactive domains
as well as that of active domains.
Eric Blake [Tue, 8 Mar 2011 18:00:59 +0000 (11:00 -0700)]
audit: audit use of /dev/net/tun, /dev/tapN, /dev/vhost-net
Opening raw network devices with the intent of passing those fds to
qemu is worth an audit point. This makes a multi-part audit: first,
we audit the device(s) that libvirt opens on behalf of the MAC address
of a to-be-created interface (which can independently succeed or
fail), then we audit whether qemu actually started the network device
with the same MAC (so searching backwards for successful audits with
the same MAC will show which fd(s) qemu is actually using). Note that
it is possible for the fd to be successfully opened but no attempt
made to pass the fd to qemu (for example, because intermediate
nwfilter operations failed) - no interface start audit will occur in
that case; so the audit for a successful opened fd does not imply
rights given to qemu unless there is a followup audit about the
attempt to start a new interface.
Likewise, when a network device is hot-unplugged, there is only one
audit message about the MAC being discontinued; again, searching back
to the earlier device open audits will show which fds that qemu quits
using (and yes, I checked via /proc/<qemu-pid>/fd that qemu _does_
close out the fds associated with an interface on hot-unplug). The
code would require much more refactoring to be able to definitively
state which device(s) were discontinued at that point, since we
currently don't record anywhere in the XML whether /dev/vhost-net was
opened for a given interface.
Eric Blake [Wed, 9 Mar 2011 22:05:00 +0000 (15:05 -0700)]
qemu: don't request cgroup ACL access for /dev/net/tun
Since libvirt always passes /dev/net/tun to qemu via fd, we should
never trigger the cases where qemu tries to directly open the
device. Therefore, it is safer to deny the cgroup device ACL.
Jiri Denemark [Wed, 23 Feb 2011 11:12:11 +0000 (12:12 +0100)]
qemu: Fallback to HMP for snapshot commands
qemu driver in libvirt gained support for creating domain snapshots
almost a year ago in libvirt 0.8.0. Since then we enabled QMP support
for qemu >= 0.13.0 but QMP equivalents of {save,load,del}vm commands are
not implemented in current qemu (0.14.0) so the domain snapshot support
is not very useful.
This patch detects when the appropriate QMP command is not implemented
and tries to use human-monitor-command (aka HMP passthrough) to run
it's HMP equivalent.
Jiri Denemark [Wed, 9 Mar 2011 20:24:04 +0000 (21:24 +0100)]
qemu: Setup infrastructure for HMP passthrough
JSON monitor command implementation can now just directly call text
monitor implementation and it will be automatically encapsulated into
QMP's human-monitor-command.
Jiri Denemark [Tue, 8 Mar 2011 13:42:05 +0000 (14:42 +0100)]
qemu: Fix warnings in event handlers
Some qemu monitor event handlers were issuing inadequate warning when
virDomainSaveStatus() failed. They copied the message from I/O error
handler without customizing it to provide better information on why
virDomainSaveStatus() was called.
Eric Blake [Wed, 9 Mar 2011 03:13:18 +0000 (20:13 -0700)]
cgroup: allow fine-tuning of device ACL permissions
Adding audit points showed that we were granting too much privilege
to qemu; it should not need any mknod rights to recreate any
devices. On the other hand, lxc should have all device privileges.
The solution is adding a flag parameter.
This also lets us restrict write access to read-only disks.
Eric Blake [Mon, 7 Mar 2011 23:41:40 +0000 (16:41 -0700)]
audit: also audit cgroup controller path
Although the cgroup device ACL controller path can be worked out
by researching the code, it is more efficient to include that
information directly in the audit message.
* src/util/cgroup.h (virCgroupPathOfController): New prototype.
* src/util/cgroup.c (virCgroupPathOfController): Export.
* src/libvirt_private.syms: Likewise.
* src/qemu/qemu_audit.c (qemuAuditCgroup): Use it.
Eric Blake [Mon, 7 Mar 2011 23:17:26 +0000 (16:17 -0700)]
audit: split cgroup audit types to allow more information
Device names can be manipulated, so it is better to also log
the major/minor device number corresponding to the cgroup ACL
changes that libvirt made. This required some refactoring
of the relatively new qemu cgroup audit code.
Also, qemuSetupChardevCgroup was only auditing on failure, not success.
* src/qemu/qemu_audit.h (qemuDomainCgroupAudit): Delete.
(qemuAuditCgroup, qemuAuditCgroupMajor, qemuAuditCgroupPath): New
prototypes.
* src/qemu/qemu_audit.c (qemuDomainCgroupAudit): Rename...
(qemuAuditCgroup): ...and drop a parameter.
(qemuAuditCgroupMajor, qemuAuditCgroupPath): New functions, to
allow listing device major/minor in audit.
(qemuAuditGetRdev): New helper function.
* src/qemu/qemu_driver.c (qemudDomainSaveFlag): Adjust callers.
* src/qemu/qemu_cgroup.c (qemuSetupDiskPathAllow)
(qemuSetupHostUsbDeviceCgroup, qemuSetupCgroup)
(qemuTeardownDiskPathDeny): Likewise.
(qemuSetupChardevCgroup): Likewise, fixing missing audit.
Eric Blake [Sat, 26 Feb 2011 00:28:21 +0000 (17:28 -0700)]
audit: tweak audit messages to match conventions
* src/qemu/qemu_audit.c (qemuDomainHostdevAudit): Avoid use of
"type", which has a pre-defined meaning.
(qemuDomainCgroupAudit): Likewise, as well as "item".
Eric Blake [Wed, 9 Mar 2011 03:42:19 +0000 (20:42 -0700)]
docs: silence warnings about generated API docs
I noticed these while testing 'make dist'.
Parsing ./../src/util/event.c
Function comment for virEventRegisterDefaultImpl lacks description of return value
Function comment for virEventRunDefaultImpl lacks description of return value
Parsing ./../src/util/virterror.c
Missing comment for function virSetErrorLogPriorityFunc
Cole Robinson [Tue, 8 Mar 2011 18:46:29 +0000 (13:46 -0500)]
Don't overwrite virRun error messages
virRun gives pretty useful error output, let's not overwrite it unless there
is a good reason. Some places were providing more information about what
the commands were _attempting_ to do, however that's usually less useful from
a debugging POV than what actually happened.
Guido Günther [Tue, 8 Mar 2011 20:44:14 +0000 (21:44 +0100)]
libvirtd: Remove indirect linking
as described at
http://wiki.debian.org/ToolChain/DSOLinking
https://fedoraproject.org/wiki/UnderstandingDSOLinkChange
otherwise the build fails on current Debian unstable with:
CCLD libvirtd
/usr/bin/ld: ../src/.libs/libvirt_driver_lxc.a(libvirt_driver_lxc_la-lxc_container.o): undefined reference to symbol 'capng_apply'
/usr/bin/ld: note: 'capng_apply' is defined in DSO //usr/lib/libcap-ng.so.0 so try adding it to the linker command line
CCLD libvirtd
/usr/bin/ld: ../src/.libs/libvirt_driver_storage.a(libvirt_driver_storage_la-storage_backend.o): undefined reference to symbol 'fgetfilecon'
/usr/bin/ld: note: 'fgetfilecon' is defined in DSO //lib/libselinux.so.1 so try adding it to the linker command line
//lib/libselinux.so.1: could not read symbols: Invalid operation
Eric Blake [Wed, 9 Mar 2011 04:47:49 +0000 (21:47 -0700)]
build: avoid compiler warning on cygwin
On cygwin:
CC libvirt_driver_security_la-security_dac.lo
security/security_dac.c: In function 'virSecurityDACSetProcessLabel':
security/security_dac.c:618: warning: format '%d' expects type 'int', but argument 7 has type 'uid_t' [-Wformat]
We've done this before (see src/util/util.c).
* src/security/security_dac.c (virSecurityDACSetProcessLabel): On
cygwin, uid_t is a 32-bit long.
Eric Blake [Wed, 9 Mar 2011 04:43:26 +0000 (21:43 -0700)]
build: fix build on cygwin
On cygwin:
CC libvirt_util_la-cgroup.lo
util/cgroup.c: In function 'virCgroupKillRecursiveInternal':
util/cgroup.c:1458: warning: implicit declaration of function 'virCgroupNew' [-Wimplicit-function-declaration]
* src/util/cgroup.c (virCgroupKill): Don't build on platforms
where virCgroupNew is unsupported.
Wen Congyang [Wed, 9 Mar 2011 03:18:36 +0000 (11:18 +0800)]
build: fix building error when building without libvirtd
When building libvirt without libvirtd, I receive the following errors:
make[1]: Leaving directory `/home/wency/source/test/libvirt/src'
(cd daemon && make top_distdir=../libvirt-0.8.8 distdir=../libvirt-0.8.8/daemon \
am__remove_distdir=: am__skip_length_check=: am__skip_mode_fix=: distdir)
make[1]: Entering directory `/home/wency/source/test/libvirt/daemon'
make[1]: *** No rule to make target `libvirtd.8.in', needed by `distdir'. Stop.
Guido Günther [Tue, 8 Mar 2011 18:24:28 +0000 (19:24 +0100)]
virsh: Remove indirect link against libxml2
as described at
http://wiki.debian.org/ToolChain/DSOLinking
https://fedoraproject.org/wiki/UnderstandingDSOLinkChange
otherwise the build fails on current Debian unstable with:
CCLD virsh
/usr/bin/ld: virsh-virsh.o: undefined reference to symbol 'xmlSaveTree@@LIBXML2_2.6.8'
/usr/bin/ld: note: 'xmlSaveTree@@LIBXML2_2.6.8' is defined in DSO //usr/lib/libxml2.so.2 so try adding it to the linker command line
//usr/lib/libxml2.so.2: could not read symbols: Invalid operation
virsh: Change option parsing functions to return tri-state information
This is needed to detect situations when optional argument was
specified with non-integer value: '--int-opt foo'. To keep functions
uniform vshCommandOptString function was also changed, because it
returns tri-state value as well. Given result pointer is updated only
in case of success. If parsing fails, result is not updated at all.
Daniel Veillard [Tue, 8 Mar 2011 08:01:25 +0000 (16:01 +0800)]
Fix build on cygwin
Apparently some signals found on Unix are not exposed, this led
to a compilation failure
* src/util/logging.c: make code related to each signal dependant
upon the definition of that signal
projects / libvirt.git / log