rpc: avoid ssh interpreting malicious hostname as arguments
Inspired by the recent GIT / Mercurial security flaws
(http://blog.recurity-labs.com/2017-08-10/scm-vulns),
consider that someone/something manages to feed libvirt a bogus
URI such as:
In this case, the hostname "-oProxyCommand=gnome-calculator"
will get interpreted as an argument to ssh, not a hostname.
Fortunately, due to the set of args we have following the
hostname, SSH will then interpret our bit of shell script
that runs 'nc' on the remote host as a cipher name, which is
clearly invalid. This makes ssh exit during argv parsing and
so it never tries to run gnome-calculator.
We are lucky this time, but let's be more paranoid, by using
'--' to explicitly tell SSH when it has finished seeing
command line options. This forces it to interpret
"-oProxyCommand=gnome-calculator" as a hostname, and thus
fail at hostname lookup.
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
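Added here as an illustration of the fix above, not libvirt's own code: a caller-supplied hostname is validated as a plain DNS-style name, the ssh argv is built with "--" before the host, and a deliberately simplified model of getopt-style option parsing (an assumption for illustration, not OpenSSH's parser) shows why the separator matters. The function names and the "nc"-free argv layout are this example's own.

```c
/* Added example (not libvirt's code): build an ssh argv so that a
 * caller-supplied hostname can never be parsed by ssh as an option. */
#include <stdbool.h>
#include <string.h>
#include <ctype.h>

/* Defence in depth: only plain DNS-style names; a leading '-' is what
 * ssh's option parser would swallow. */
static bool host_is_safe(const char *host)
{
    size_t len = host ? strlen(host) : 0;
    if (len == 0 || len > 253 || host[0] == '-' || host[0] == '.')
        return false;
    for (size_t i = 0; i < len; i++)
        if (!isalnum((unsigned char)host[i]) && host[i] != '-' && host[i] != '.')
            return false;
    return true;
}

/* NULL-terminated argv for "ssh [-p PORT] [--] HOST"; with paranoid=true
 * the "--" ends option parsing so HOST is a hostname whatever it starts with. */
static size_t build_ssh_argv(const char **argv, size_t cap, const char *host,
                             const char *port, bool paranoid)
{
    size_t n = 0;
    if (cap < 6) return 0;            /* worst case: 5 entries + NULL */
    argv[n++] = "ssh";
    if (port) { argv[n++] = "-p"; argv[n++] = port; }
    if (paranoid) argv[n++] = "--";
    argv[n++] = host;
    argv[n] = NULL;
    return n;                         /* entries written, excluding NULL */
}

/* Simplified model of ssh's getopt-style parsing (not OpenSSH's code):
 * '-' tokens are options, -p takes a separate value, -o has its value
 * glued on, "--" ends options; the next token is the hostname. */
static const char *host_as_seen_by_ssh(const char **argv)
{
    size_t i = 1;
    while (argv[i] && argv[i][0] == '-') {
        if (strcmp(argv[i], "--") == 0) { i++; break; }
        i += (strcmp(argv[i], "-p") == 0 && argv[i + 1]) ? 2 : 1;
    }
    return argv[i];
}
```

Without "--" the model returns NULL for the bogus hostname (it was consumed as an option); with "--" the same string is returned as the hostname, which is what then fails lookup.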
qemu: Also treat directories properly when using namespaces
When recreating folders with namespaces, the directory type was not
being handled at all. It's not special, we probably just didn't know
that that can be used as a volume path as well. The code failed
gracefully, but we want to allow that so that we can use <disk
type='dir'> in domains again.
qemu: Don't mangle the storage format for type='dir'
Our backing probing code handles directory file types properly in
virStorageFileGetMetadataRecurse(), by that I mean it leaves them
alone. However, its caller, virStorageFileGetMetadata(), resets the
type to raw before probing, without even checking the type. We need
to special-case TYPE_DIR in order to achieve the desired results.
Also, in order to properly test this, we need to stop resetting format
of volumes in tests for TYPE_DIR (probably the reason why we didn't
catch that and why the test data didn't need to be modified).
lib: Add API to edit domain's managed save state xml configuration
Similar to domainSaveImageDefineXML, this commit adds the domainManagedSaveDefineXML
API, which allows editing a domain's managed save state xml configuration.
Michal Privoznik [Tue, 15 Aug 2017 07:12:43 +0000 (09:12 +0200)]
qemu: Introduce and use qemuDomainRemoveInactiveJob
At some places we either already have a synchronous job or we just
released it. Also, some APIs might want to use this code without
having to release their job. Anyway, the job acquire code is
moved out to qemuDomainRemoveInactiveJob so that
qemuDomainRemoveInactive does just what it promises.
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: John Ferlan <jferlan@redhat.com>
util: Unmark virBufferCheckErrorInternal as ATTRIBUTE_RETURN_CHECK
The function is useful even without using the return value. And if
needed, the return value can be obtained by other calls as well. The
potential for clean-up can be seen in the following patch.
Signed-off-by: Martin Kletzander <mkletzan@redhat.com>
conf: Properly truncate wide character names in virDomainObjGetShortName
We always truncated the name at 20 bytes instead of characters. In
case 20 bytes were in the middle of a multi-byte character, then the
string became invalid and various parts of the code would error
out (e.g. XML parsing of that string). Let's instead properly
truncate it after 20 characters.
We cannot test this in our test suite because we would need to know
what locales are installed on the system where the tests are run and
whether there is a supported one (most probably there will be, but we
cannot be 100% sure). We could initialize gettext in qemuxml2argvtest,
but there would still be a chance of getting two different (both
valid, though) results.
In order to test this it is enough to start a machine with a name for
which trimming it after 20 bytes would create an invalid sequence (e.g.
1234567890123456789č where č is any multi-byte character). Then start
the domain and restart libvirtd. The domain would disappear because
such an illegal sequence will not go through the XML parser. And that's
not a bug of the parser, it should not be in the XML in the first
place, but since we don't use any sophisticated formatter, just
mash some strings together, the formatting succeeds.
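The byte-versus-character distinction described above, as an added example that is not libvirt's code: a locale-independent walk over UTF-8 lead and continuation bytes finds the byte offset after N complete characters, and a structural validity check shows why a plain 20-byte cut of "1234567890123456789č" (č is the two bytes 0xC4 0x8D) is rejected while the character-based cut is not. The helper names are this example's own.

```c
/* Added example (not libvirt's code): truncating a UTF-8 name after N
 * characters rather than N bytes, so the result stays valid UTF-8. */
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Length in bytes of the UTF-8 sequence introduced by lead byte c,
 * or 0 if c is not a valid lead byte (e.g. a stray continuation byte). */
static size_t utf8_seq_len(unsigned char c)
{
    if (c < 0x80) return 1;
    if ((c & 0xE0) == 0xC0) return 2;
    if ((c & 0xF0) == 0xE0) return 3;
    if ((c & 0xF8) == 0xF0) return 4;
    return 0;
}

/* True if the first n bytes of s are structurally well-formed UTF-8:
 * each lead byte is followed by enough 10xxxxxx continuation bytes. */
static bool utf8_valid(const char *s, size_t n)
{
    size_t i = 0;
    while (i < n) {
        size_t len = utf8_seq_len((unsigned char)s[i]);
        if (len == 0 || i + len > n)
            return false;           /* bad lead byte or sequence cut short */
        for (size_t k = 1; k < len; k++)
            if (((unsigned char)s[i + k] & 0xC0) != 0x80)
                return false;
        i += len;
    }
    return true;
}

/* Number of bytes of s holding at most max_chars complete characters.
 * Cutting s at this offset never splits a multi-byte character. */
static size_t utf8_prefix_bytes(const char *s, size_t max_chars)
{
    size_t i = 0, chars = 0;
    while (s[i] && chars < max_chars) {
        size_t len = utf8_seq_len((unsigned char)s[i]);
        i++;                        /* lead byte (or a malformed single byte) */
        for (size_t k = 1; k < len && ((unsigned char)s[i] & 0xC0) == 0x80; k++)
            i++;                    /* continuation bytes, stopping at NUL */
        chars++;
    }
    return i;
}
```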
Pavel Hrdina [Fri, 25 Aug 2017 16:57:15 +0000 (18:57 +0200)]
qemu: implement chardev source reconnect
The reconnect attribute for chardev devices in QEMU is used to
configure the reconnect timeout in seconds. Setting the value '0' disables
the reconnect functionality, so we don't allow setting '0' for QEMU.
To disable reconnect, the user should use <reconnect enabled='no'/>.
More recent reviews/changes don't have the vir*ObjNew APIs
consuming the @def, so remove from Interface as well. Changes
needed to also deal with conflicts from commit id '46f5eca4'.
Eric Blake [Thu, 24 Aug 2017 19:36:36 +0000 (14:36 -0500)]
maint: correct quoting for gl_WARN_ADD
3 out of 4 uses of gl_WARN_ADD() were incorrectly adding "" around
the argument, which in turn resulted in the argument being used
unquoted (configure had gl_positive=""-fstack-protector-all"",
rather than the intended gl_positive="-fstack-protector-all").
Signed-off-by: Eric Blake <eblake@redhat.com>
Reviewed-by: Andrea Bolognani <abologna@redhat.com>
Erik Skultety [Fri, 25 Aug 2017 14:58:51 +0000 (16:58 +0200)]
daemon: logging: Fix --verbose option being ignored by the daemon
Commit 94c465d0 refactored the logging setup phase but introduced an
issue, where the daemon ignores verbose mode when there are no outputs
defined and the default must be used. The problem is that the default
output was determined too early, thus ignoring the potential '--verbose'
option taking effect. This patch postpones the creation of the default
output to the very last moment when nothing else can change. Since the
default output is only created during the init phase, it's safe to leave
the pointer as NULL for a while, but it will be set eventually, thus not
affecting runtime.
Patch also adjusts both the other daemons.
Andrea Bolognani [Thu, 24 Aug 2017 14:33:29 +0000 (16:33 +0200)]
qemu: Handle host devices not being available better
We can't retrieve the isolation group of a device that's not present
in the system. However, it's very common for VFs to be created late
in the boot, so they might not be present yet when libvirtd starts,
which would cause the guests using them to disappear.
Moreover, for other architectures and even ppc64 before isolation
groups were introduced, it's considered perfectly fine to configure a
guest to use a device that's not yet (or no longer) available to the
host, with the obvious caveat that such a guest won't be able to
start before the device is available.
In order to be consistent, when a device's isolation group can't be
determined fall back to not isolating it rather than erroring out or,
worse, making the guest disappear.
Pavel Hrdina [Thu, 24 Aug 2017 14:46:58 +0000 (16:46 +0200)]
conf: don't close the source element inside different function
While formatting disk or chardev elements, they both use the
virDomainDiskSourceDefFormatSeclabel() function, which also closes
the source element. This is not extendable.
Use the new virXMLFormatElement() to properly format the source
element with possible child elements.
As a side effect it fixes a bug in disk source formatting.
Reviewed-by: John Ferlan <jferlan@redhat.com>
Signed-off-by: Pavel Hrdina <phrdina@redhat.com>
Cole Robinson [Sun, 27 Aug 2017 13:29:50 +0000 (09:29 -0400)]
qemu: Remove remnants of xenner support
Both of these are dead code: qemu_command.c explicitly rejects
VIRT_XEN earlier in the call chain, and qemu_parse_command.c
will never set VIRT_XEN anymore.
Reviewed-by: John Ferlan <jferlan@redhat.com>
Signed-off-by: Cole Robinson <crobinso@redhat.com>
Nitesh Konkar [Thu, 17 Aug 2017 13:48:05 +0000 (19:18 +0530)]
virt-host-validate: Fix warning for IOMMU detection on PPC
Fix the warning generated on PPC by virt-host-validate for IOMMU.
On PPC, the host kernel either has IOMMU support compiled in or it
does not. The /sys/kernel/iommu_groups check is good enough to
verify whether it was compiled into the kernel or not.
Modify the error message in the "if (sb.st_nlink <= 2)" case to indicate
what the problem would be, since there would be no @bootarg.
George Dunlap [Thu, 24 Aug 2017 11:34:13 +0000 (12:34 +0100)]
libxl: Avoid a variable named 'stat'
Using a variable named 'stat' clashes with the system function
'stat()' causing compiler warnings on some platforms:
libxl/libxl_driver.c: In function 'libxlDomainBlockStatsVBD':
libxl/libxl_driver.c:5387: error: declaration of 'stat' shadows a global declaration [-Wshadow]
/usr/include/sys/stat.h:455: error: shadowed declaration is here [-Wshadow]
Signed-off-by: George Dunlap <george.dunlap@citrix.com>
Reviewed-by: Andrea Bolognani <abologna@redhat.com>
Ján Tomko [Mon, 21 Aug 2017 14:44:42 +0000 (16:44 +0200)]
vmx: do not treat controllers as implicit devices
When parsing the config, we look for the SCSI controllers one by one,
remembering their models, then let virDomainDefAddImplicitDevices
add them if any SCSI disk is using them.
Since these controllers are not really implicit (they are present
in the source config), add them explicitly.
This patch maintains the behavior of not adding a controller
if it was present in the config, but no disk was using it.
This also resolves the memory leak of virVMXParseConfig overwriting
the video device added by calling virDomainDefAddImplicitDevices
before the parsing is finished.
Reported-by: Michal Privoznik <mprivozn@redhat.com>
At the time the check was written, virtuozzo did not use disabled items in boot
order configuration. Boot items were always enabled. Now they can be disabled
as well. Supporting such items is easy - they should just be ignored.
Andrea Bolognani [Wed, 23 Aug 2017 11:55:01 +0000 (13:55 +0200)]
docs: Define anchors correctly in pci-hotplug
HTML5 obsoletes the 'name' attribute in favor of 'id',
and our TOC generator apparently follows the recommendation
to the letter, resulting in a broken TOC if you use the
old-school attribute.
Signed-off-by: Andrea Bolognani <abologna@redhat.com>
Ján Tomko [Fri, 18 Aug 2017 15:55:54 +0000 (17:55 +0200)]
conf: do not count per-device boot elements when parsing <os><boot>
When parsing bootable devices, we maintain a bitmap of used
<boot order=""> elements. Use it in the post-parse function
to figure out whether the user tried to mix per-device and
per-domain boot elements.
Ján Tomko [Tue, 22 Aug 2017 11:29:24 +0000 (13:29 +0200)]
conf: rename virDomain*PostParseInternal to virDomain*PostParseCommon
These functions contain the post-parse steps common for all drivers.
Rename them to use the 'Common' suffix, instead of the vagueness
of 'Internal', leaving 'Internal' available for other vague uses.
Pavel Hrdina [Fri, 18 Aug 2017 16:12:08 +0000 (18:12 +0200)]
conf: assign parsed strings directly into chardev source definition
Since the source element is parsed only once for these types of
character devices, we don't have to use a temporary variable and
check whether the variable was already set.
Pavel Hrdina [Fri, 18 Aug 2017 17:05:20 +0000 (19:05 +0200)]
conf: move UDP chardev source parsing to separate function
The extra check whether (connect|bind)(Host|Service) was set is
required because for UDP chardev there can be two source elements.
Without the check there could be a memory leak.
That behavior is super wrong and should not be allowed. If you look,
the current parser takes the first found attribute and uses that value,
so for example from "<source mode='bind' host='localhost'/>" only
the "host" attribute is used. It works the same way for all possible
attributes that we are able to parse for the source element.
This patch enforces providing only one source element for all character
devices; only for the UDP type do we allow two source elements,
since you can specify both modes.
Ján Tomko [Fri, 18 Aug 2017 15:05:35 +0000 (17:05 +0200)]
conf: useserial: drop useless check for serial devices
Since its introduction in commit 874e65aa, if someone requests:
<os><bios useserial="yes"/></os>
we report an error if we cannot successfully count the number
of serial devices via an XPath query.
Instead of fixing the check (and moving it to the validation phase,
to prevent existing domains from disappearing), drop it completely.
For QEMU, the number of serials is checked when building the command
line.
Jim Fehlig [Wed, 16 Aug 2017 21:46:55 +0000 (15:46 -0600)]
Don't autogenerate seclabels of type 'none'
When security drivers are active but confinement is not enabled,
there is no need to autogenerate <seclabel> elements when starting
a domain def that contains no <seclabel> elements. In fact,
autogenerating the elements can result in needless save/restore and
migration failures when the security driver is not active on the
restore/migration target.
This patch changes the virSecurityManagerGenLabel function in
src/security_manager.c to only autogenerate a <seclabel> element
if none is already defined for the domain *and* default
confinement is enabled. Otherwise the needless <seclabel>
autogeneration is skipped.
Jim Fehlig [Wed, 16 Aug 2017 21:45:54 +0000 (15:45 -0600)]
Fix building domain def in securityselinuxtest
The virDomainDef created by testBuildDomainDef in securityselinuxtest
adds a seclabel but does not increment nseclabels. Also, it should
populate seclabel->model with 'selinux'.
While at it, use the secdef itself to populate values instead of
the indirection through def->seclabels[0].
Andrea Bolognani [Thu, 17 Aug 2017 14:22:14 +0000 (16:22 +0200)]
conf: Move target index validation
Validation should happen after parsing, so the proper
location for it is virDomainControllerDefValidate()
rather than virDomainControllerDefParseXML().
Signed-off-by: Andrea Bolognani <abologna@redhat.com>
Peter Krempa [Wed, 16 Aug 2017 14:00:25 +0000 (16:00 +0200)]
qemu: Implement postParse callback skipping on config reload
Use the new facility which allows ignoring failures in post parse
callbacks if they are not fatal, so that VM configs are not lost if the
emulator binary is missing.
If qemuCaps can't be populated on daemon restart skip certain portions
of the post parse callbacks during config reload and re-run the callback
during VM startup.
This fixes VMs vanishing if the emulator binary was broken or
uninstalled and libvirtd was restarted.
Peter Krempa [Wed, 16 Aug 2017 13:54:10 +0000 (15:54 +0200)]
qemu: domain: Don't set default USB model if qemuCaps is missing
qemuDomainControllerDefPostParse assigns the default USB controller
model when it was not specified by the user. Skip this step if @qemuCaps
is missing so that we don't fill in wrong data. This will then be fixed by
re-running the post parse callback.
Peter Krempa [Wed, 16 Aug 2017 13:44:35 +0000 (15:44 +0200)]
qemu: capabilities: Tolerate missing @qemuCaps in virQEMUCapsSupportsGICVersion
Report the given GIC version as unsupported if @qemuCaps is NULL. This
will be helpful to run post parse callbacks even if qemu is not
currently installed.
Peter Krempa [Tue, 15 Aug 2017 16:41:59 +0000 (18:41 +0200)]
conf: add infrastructure for tolerating certain post parse callback failures
Some failures of the post parse callback can be tolerated. This is
specifically desired when loading the configs of existing VMs. In such
a case the post parse callback should not really be modifying anything
in the definition.
This patch adds a parse flag VIR_DOMAIN_DEF_PARSE_ALLOW_POST_PARSE_FAIL
which will allow the callbacks to report non-fatal failures by returning
a positive return value. In such a case the field 'postParseFailed' in the
domain definition is set to true, to notify the drivers that the
callback failed and possibly needs to be re-run.
Peter Krempa [Tue, 15 Aug 2017 16:09:32 +0000 (18:09 +0200)]
conf: Return any non-zero value from virDomainDeviceInfoIterateInternal callback
Post parse callbacks will need to be able to signal that they failed
non-fatally. This means that we need to return the value returned by the
callback without modification.
Peter Krempa [Tue, 15 Aug 2017 13:25:23 +0000 (15:25 +0200)]
qemu: domain: Don't re-allocate qemuCaps in post parse callbacks
The domain post parse callback, domain address callback and the domain
device callback (for every single device) would each grab qemuCaps for
the current emulator. This is quite wasteful. Use the new callback to do
this just once.
Peter Krempa [Tue, 15 Aug 2017 13:18:51 +0000 (15:18 +0200)]
conf: Add callbacks that allocate per-def private data
Some drivers use def-specific private data across callbacks (e.g.
qemuCaps in the qemu driver). Currently it's mostly allocated in every
single callback. This is rather wasteful, given that every single call
to the device callback allocates it.
The new callback will allocate the data (if not provided externally) and
then use it for the VM, address and device post parse callbacks.
Peter Krempa [Tue, 15 Aug 2017 13:11:45 +0000 (15:11 +0200)]
conf: Add 'basic' post parse callback
Add yet another post parse callback, which is executed prior to the real
one without @parseOpaque. This is meant to set basics before
@parseOpaque (in case of the qemu driver, qemuCaps) can be allocated.
This callback will allow optimizing the passing of custom parseOpaque
through the callbacks.