Eric Blake [Wed, 18 Sep 2013 22:11:25 +0000 (16:11 -0600)]
build: ensure 'make check' sees up-to-date config.h
Nehal J. Wani reported on IRC a rather interesting build failure:
In file included from util/virnetdevbridge.c:53:0:
/usr/include/linux/in6.h:30:8: error: redefinition of 'struct in6_addr'
struct in6_addr {
^
I traced it to the fact that he ran 'git pull; make check' across
commit e62e0094. What happened is that the configure changes
result in a new variable that was set to be defined on his system,
but config.h was not regenerated to contain the value of that
variable. Running 'make' instead of 'make check' cleaned up the
problem. A bit more investigation, and I see that in Makefile.am,
automake sticks rules that rebuild config.h as part of 'make all',
and that we also had a dependency 'check-local: all'; BUT the
rule for check-local is run only at the point when the top-level
directory is visited. Automake documents that SUBDIRS should
contain an explicit '.' at the point the top-level should be
visited (defaulting to last, if it doesn't appear). Sure enough,
with this patch, 'make check' now does the top-level 'all' rules,
which regenerates 'config.h' BEFORE compiling any code that might
depend on changed content of that file.
This had a typo which caused the group ID to overwrite the
user ID string. This meant any checks using this would have
the wrong ID value. This only affected the ACL code, not the
initial polkit auth. It also leaked memory.
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
LXC: Check the existence of dir before resolving symlinks
If a dir does not exist, raise an immediate error in logs
rather than letting virFileResolveAllLinks fail, since this
gives better error reporting to the user.
When FUSE is enabled, the LXC container is setup with
a custom /proc/meminfo file. This file uses "KB" as a
suffix, rather than "kB" which is the kernel's style.
Fix this inconsistency to avoid confusing apps.
Since the wait is done during migration (still inside
QEMU_ASYNC_JOB_MIGRATION_OUT), the code should enter the monitor as such
in order to prohibit all other jobs from interfering in the meantime.
This patch fixes bug #1009886 in which qemuDomainGetBlockInfo was
waiting on the monitor condition and after GetSpiceMigrationStatus
mangled its internal data, the daemon crashed.
VMware: Make version parsing testable and add tests
This splits up the version parsing code into a callable API like QEMU
help/version string parsing so that we can test it as we need to add
additional patterns for newer versions/products.
Rather than looking up the path to vmrun each time we call it, look it
up once and save it. This sets up the ability for us to detect where the
path is on Mac OS X and not have to look it up each time we execute it.
The VMware driver supports multiple backends for the VMware Player and
VMware Workstation, convert this logic into enum and use VIR_ENUM_IMPL()
to provide conversions to and from strings.
Laine Stump [Fri, 20 Sep 2013 10:00:48 +0000 (06:00 -0400)]
qemu: use "ide" as device name for implicit SATA controller on Q35
This resolves https://bugzilla.redhat.com/show_bug.cgi?id=1008903
The Q35 machinetype has an implicit SATA controller at 00:1F.2 which
isn't given the "expected" id of ahci0 by qemu when it's created. The
original suggested solution to this problem was to not specify any
controller for the disks that use the default controller and just
specify "unit=n" instead; qemu should then use the first IDE or SATA
controller for the disk.
Unfortunately, this "solution" is ignorant of the fact that in the
case of SATA disks, the "unit" attribute in the disk XML is actually
*not* being used for the unit, but is instead used to specify the
"bus" number; each SATA controller has 6 buses, and each bus only
allows a single unit. This makes it nonsensical to specify unit='n'
where n is anything other than 0. It also means that the only way to
connect more than a single device to the implicit SATA controller is
to explicitly give the bus names, which happen to be "ide.$n", where
$n can be replaced by the disk's "unit" number.
Michal Privoznik [Wed, 18 Sep 2013 15:28:31 +0000 (17:28 +0200)]
qemumonitorjsontest: Introduce DO_TEST_SIMPLE
This macro is there to test the simplest monitor functions we have,
those in the form of: int ( *func) (qemuMonitorPtr). So far, we have
seven such functions.
daemon: Remove more hardcoded paths from help output
A previous patch used existing #define for the various files in /etc/pki
instead of hardcoding them in the help output. However I missed that
remote_driver.h contains #define for more paths that are present
in the daemon help output.
This commit uses the existing constants for the path to the
configuration file and to the libvirt sockets.
Jonathan Lebon [Wed, 18 Sep 2013 18:56:01 +0000 (14:56 -0400)]
docs: fix virEventAddHandle return details
In commit 6d41cb8, the interface for virEventAddHandleFunc was changed.
This patch updates the documentation for virEventAddHandle to reflect
the new significance of the return value. Also, both functions now
mention -1 for failure.
Fix crash in remoteDispatchDomainMemoryStats (CVE-2013-4296)
The 'stats' variable was not initialized to NULL, so if some
early validation of the RPC call fails, it is possible to jump
to the 'cleanup' label and VIR_FREE an uninitialized pointer.
This is a security flaw, since the API can be called from a
readonly connection which can trigger the validation checks.
Add support for using 3-arg pkcheck syntax for process (CVE-2013-4311)
With the existing pkcheck (pid, start time) tuple for identifying
the process, there is a race condition, where a process can make
a libvirt RPC call and in another thread exec a setuid application,
causing it to change to effective UID 0. This in turn causes polkit
to do its permission check based on the wrong UID.
To address this, libvirt must get the UID the caller had at time
of connect() (from SO_PEERCRED) and pass a (pid, start time, uid)
triple to the pkcheck program.
This fix requires that libvirt is re-built against a version of
polkit that has the fix for its CVE-2013-4288, so that libvirt
can see 'pkg-config --variable pkcheck_supports_uid polkit-gobject-1'
Signed-off-by: Colin Walters <walters@redhat.com> Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
qemu: Avoid dangling job in qemuDomainSetBlockIoTune
virDomainSetBlockIoTuneEnsureACL was incorrectly called after we already
started a job. As a result of this, the job was not cleaned up when an
access driver had forbidden the action.
Tomas Meszaros [Tue, 10 Sep 2013 15:54:26 +0000 (17:54 +0200)]
virsh: Add vshCompleter to each option
completer and completer_flags added to the _vshCmdOptDef
structure so it will be possible for completion generators to
conveniently call option completer functions with desired flags.
Diego Woitasen [Fri, 13 Sep 2013 16:31:07 +0000 (13:31 -0300)]
Add forwarder attribute to <dns/> element
Useful to set custom forwarders instead of using the contents of
/etc/resolv.conf. It helps me to setup dnsmasq as local nameserver to
resolve VM domain names from domain 0, when domain option is used.
Signed-off-by: Diego Woitasen <diego.woitasen@vhgroup.net> Signed-off-by: Eric Blake <eblake@redhat.com>
Doug Goldstein [Tue, 13 Aug 2013 15:56:56 +0000 (10:56 -0500)]
VMX: Add a VMWare Fusion 5 configuration for tests
A user was having an issue with this specific VMWare Fusion config and
he gave me permission to add it as part of our test suite to further
expand our VMX test coverage. Unfortunately our VMX parser and
generator does not support many features contained within and just
silently ignores fields it does not understand so they had to
be removed out in the xml2vmx test. The original unmodified version
exists in the vmx2xml test.
Doug Goldstein [Tue, 13 Aug 2013 15:56:01 +0000 (10:56 -0500)]
VMX: Add support for 'auto detect' fileNames
VMWare Fusion 5 can set the CD-ROM's device name to be 'auto detect' when
using the physical drive via 'cdrom-raw' device type. VMWare will then
connect to first available host CD-ROM to the virtual machine upon start
up according to VMWare documentation. If no device is available, it
appears that the device will remain disconnected.
To better model this a CD-ROM that is marked as "auto detect" when in
the off state would be modeled as the following with this patch:
<disk type='block' device='lun'>
<source startupPolicy='optional'/>
<target dev='hda' bus='ide'/>
<address type='drive' controller='0' bus='0' target='0' unit='0'/>
</disk>
Once the domain transitions to the powered on state, libvirt can
populate the remaining source data with what is connected, if anything.
However future power cycles, the domain may not always start with that
device attached.
Currently the XML parser already allows the following syntax:
<disk type='block' device='cdrom'>
<source startupPolicy='optional'/>
<target dev='hda' bus='ide'/>
<address type='drive' controller='0' bus='0' target='0' unit='0'/>
</disk>
But it if the dev value is NULL then it would not have the leading
"<source ", resulting in invalid XML.
Eric Blake [Tue, 17 Sep 2013 17:11:25 +0000 (11:11 -0600)]
build: skip ld_preload tests on non-Linux systems
A cross build to mingw fails with:
CC virsystemdtest-virsystemdtest.o
../../tests/virsystemdtest.c: In function 'testCreateNoSystemd':
../../tests/virsystemdtest.c:97:9: error: implicit declaration of function 'unsetenv' [-Werror=implicit-function-declaration]
unsetenv("FAIL_NO_SERVICE");
^
../../tests/virsystemdtest.c:97:9: error: nested extern declaration of 'unsetenv' [-Werror=nested-externs]
We could cop out and pull in the gnulib unsetenv module. But when
you stop and think about it, this test requires LD_PRELOAD to work,
and systemd is a Linux-only concept anyways, both of which mean
the test could never work on mingw in the first place. Simpler is
to just fix the test to behave like our other LD_PRELOAD tests.
* tests/virsystemdtest.c: Provide non-Linux implementation.
Eric Blake [Tue, 17 Sep 2013 16:25:42 +0000 (10:25 -0600)]
build: hoist system-specific checks before library checks
Commit f92c7e3 fixed a regression for native builds, but introduced
a regression for cross-compilation builds; in particular,
./autobuild.sh on a Fedora system with mingw cross-compiler fails
with:
checking for qemu-kvm... /usr/bin/qemu-kvm
checking for yajl_parse_complete in -lyajl... no
checking for yajl_tree_parse in -lyajl... no
configure: error: You must install the libyajl library & headers to compile libvirt
Since we default $with_qemu to 'yes' rather than 'check', and then
flip that default based on platform-specific checks, those platform
specifics need to come prior to any library checks that depend on
the value of $with_qemu.
* configure.ac: Ensure system defaults are sane before checking
for things that make decisions based on system default.
Peter Krempa [Tue, 17 Sep 2013 13:20:24 +0000 (15:20 +0200)]
test: Refactor setting of dummy error handlers
Multiple tests need to register a function to quiesce errors from
libvirt when using a connection and doing negative tests. Each of those
tests had a static function to do so. This can be replaced by a utility
function that enables the errors when debug is enabled.
This patch adds virtTestQuiesceLibvirtErrors() and refactors test that
use private handlers.
Peter Krempa [Tue, 17 Sep 2013 11:27:58 +0000 (13:27 +0200)]
conf: Avoid false positive of uninitialized variable use
GCC 4.8.0+ whines about variable "new" being uninitialized since
commit 73bfac0e7182a3abd. This is a false positive as the
xmlFreeNode(new) statement can be only reached if new was actually
allocated successfully.
CC conf/libvirt_conf_la-domain_conf.lo
conf/domain_conf.c: In function 'virDomainDefSetMetadata':
conf/domain_conf.c:18650:24: error: 'new' may be used uninitialized in this function [-Werror=maybe-uninitialized]
xmlFreeNode(new);
Reported independently by John Ferlan and Michal Privoznik.
Eric Blake [Tue, 17 Sep 2013 11:29:23 +0000 (05:29 -0600)]
build: fix VPATH build of remote driver
Commit 073e1575 tried to set things up so that 1) generated files
to be shipped in the tarball always live in srcdir, and 2) we have
no files in SOURCES that depend on any other files with a literal
$(srcdir) in the name, because that situation can cause confusing
results for the make expansion of $@ depending on whether the file
is found locally or via VPATH. But all my testing for that patch
was done incrementally, where all the protocol.[ch] files had
already been generated prior to the patch and were up-to-date in
the srcdir, and thus I missed one case where $@ causes grief in a
VPATH build from a fresh checkout:
We have a pattern rule for generating remote_protocol.[ch], and
what's more, the rule for protocol.c depends on protocol.h AND
on the protocol.x file. The pattern for protocol.c is only
satisfied via the VPATH lookup for protocol.x, and if protocol.h
doesn't yet exist, the VPATH rule kicks in and we end up with a
dependency on a file with $(srcdir) in the name. Based on make's
rules for $@, this resulted in make building remote_protocol.h
into srcdir (where we want it), then remote_protocol.c into
builddir (oops, not so good for the tarball), and also causes
the build to fail (the compiler can't find the .h if it lives
in a different directory than the .c):
CC remote/libvirt_driver_remote_la-remote_protocol.lo
remote/remote_protocol.c:7:29: fatal error: remote_protocol.h: No such file or directory
#include "remote_protocol.h"
^
compilation terminated.
As before, the fix is to hard-code the output file to go into
srcdir in spite of $@; but since this is in a pattern rule, we
are forced to use $@ in the recipe, so the patch is a bit
trickier than what was done in commit 073e1575.
* src/Makefile.am (%protocol.c, %protocol.h): Force output to srcdir.
Peter Krempa [Tue, 17 Sep 2013 09:16:30 +0000 (11:16 +0200)]
conf: Don't corrupt metadata on OOM
Eric Blake suggested that we could do a little better in case copying of
the metadata to be set fails. With this patch, the old metadata is
discarded after the new string is copied successfuly.
If the ABI compatibility check with the "migratable" user XML is
successful, we would leak the originally parsed XML from the user that
would not be used in this case.
Peter Krempa [Tue, 10 Sep 2013 09:25:55 +0000 (11:25 +0200)]
lib: Don't force the key argument when deleting metadata
virDomainSetMetadata when operating on the metadata element was
requesting the @key argument to be passed even if @metadata was NULL
used to delete the corresponding metadata element. This is not needed as
the key is only used when adding the element and matching is done via
the XML namespace.
Peter Krempa [Fri, 6 Sep 2013 15:34:43 +0000 (17:34 +0200)]
conf: Add support for requesting of XML metadata via the API
The virDomainGetMetadata function was designed to support also retrieval
of app specific metadata from the <metadata> element. This functionality
was never implemented originally.
Peter Krempa [Tue, 11 Jun 2013 13:45:05 +0000 (15:45 +0200)]
qemu: Factor out body of qemuDomainSetMetadata for universal use
The function implemented common behavior that can be reused for other
hypervisor drivers that use the virDomainObj data structures. Factor out
the core into a separate helper func.
Peter Krempa [Tue, 11 Jun 2013 13:45:05 +0000 (15:45 +0200)]
qemu: Factor out body of qemuDomainGetMetadata for universal use
The function implemented common behavior that can be reused for other
hypervisor drivers that use the virDomainObj data structures. Factor out
the core into a separate helper func.
Peter Krempa [Mon, 16 Sep 2013 11:40:42 +0000 (13:40 +0200)]
qemu: Use "migratable" XML definition when doing external checkpoints
In the original implementation of external checkpoints I've mistakenly
used the live definition to be stored in the save image. The normal
approach is to use the "migratable" definition. This was discovered when
commit 07966f6a8b5ccb5bb4c716b25deb8ba2e572cc67 changed the behavior to
use a converted XML from the user to do the compatibility check to fix
problem when using the regular machine saving.
As the previous patch added a compatibility layer, we can now change the
type of the XML in the image.
Peter Krempa [Mon, 16 Sep 2013 11:37:34 +0000 (13:37 +0200)]
qemu: Fix checking of ABI stability when restoring external checkpoints
External checkpoints have a bug in the implementation where they use the
normal definition instead of the "migratable" one. This causes errors
when the snapshot is being reverted using the workaround method via
qemuDomainRestoreFlags() with a custom XML. This issue was introduced
when commit 07966f6a8b5ccb5bb4c716b25deb8ba2e572cc67 changed the code to
compare "migratable" XMLs from the user as we should have used
migratable in the image too.
This patch adds a compatibility layer, so that fixing the snapshot code
won't make existing snapshots fail to load.
CD-ROMs and Floppies are allowed to have no source to imply they are
empty or disconnected. Since the LUN type is used for raw CD-ROM access
with QEMU (and VMWare in the future), it also needs to allow an empty
source when the raw CD-ROM device is disconnected from the domain.
Ján Tomko [Mon, 16 Sep 2013 11:26:46 +0000 (13:26 +0200)]
Always free network and graphics cookies
qemuMigrationEatCookie has flags to control if these should
be parsed, but it does not fill mig->flags. These cookies might
get leaked if these flags are not set by qemuMigrationBakeCookie.
42 (32 direct, 10 indirect) bytes in 1 blocks are definitely lost in
loss record 361 of 662
==123== by 0x1BA33FCA: qemuMigrationEatCookie (qemu_migration.c:678)
==123== by 0x1BA34A1E: qemuMigrationRun (qemu_migration.c:3108)
==123== by 0x1BA3622B: doNativeMigrate (qemu_migration.c:3343)
==123== by 0x1BA3B408: qemuMigrationPerform (qemu_migration.c:4138)
1,003 bytes in 1 blocks are definitely lost in loss record 599 of 635
==404== by 0x50728A7: virBufferAddChar (virbuffer.c:185)
==404== by 0x50BC466: virSystemdEscapeName (virsystemd.c:67)
==404== by 0x50BC6B2: virSystemdMakeSliceName (virsystemd.c:108)
==404== by 0x50BC870: virSystemdCreateMachine (virsystemd.c:169)
==404== by 0x5078267: virCgroupNewMachine (vircgroup.c:1498)
Eric Blake [Sat, 14 Sep 2013 11:29:42 +0000 (05:29 -0600)]
build: make autobuild require rpm build deps
I spent far too long on a new machine trying to figure out why
./autobuild.sh failed due to an rpm build failure (complaining
that libvirt_parthelper was supposed to be packaged but was not
built), and finally traced it to a missing parted-devel
installation. I learned that --nodeps is in place for
autobuilder setups, but for developers, removing it would make
rpmbuild error out much sooner for a less cryptic failure.
* autobuild.sh: Conditionally drop --nodeps from rpmbuild lines.
Eric Blake [Fri, 13 Sep 2013 16:11:26 +0000 (10:11 -0600)]
build: fix build with latest rawhide kernel headers
Bother those kernel developers. In the latest rawhide, kernel
and glibc have now been unified so that <netinet/in.h> and
<linux/in6.h> no longer clash; but <linux/if_bridge.h> is still
not self-contained. Because of the latest header change, the
build is failing with:
checking for linux/param.h... no
configure: error: You must install kernel-headers in order to compile libvirt with QEMU or LXC support
with details:
In file included from conftest.c:561:0:
/usr/include/linux/in6.h:71:18: error: field 'flr_dst' has incomplete type
struct in6_addr flr_dst;
We need a workaround to avoid our workaround :)
* configure.ac (NETINET_LINUX_WORKAROUND): New test.
* src/util/virnetdevbridge.c (includes): Use it.
virsh: move command maxvcpus from domain group to host group.
Since the maxvcpus command query the maximum number of virtual
CPUs supported for a guest VM on this connection, it should be
in virsh-host.c but not virsh-domain.c.
Explicitly link libvirt_net_rpc against SELINUX_LIBS
Since virnetsocket conditionally uses selinux we need to link against it
otherwise the build fails with:
CCLD libvirtd
/usr/bin/ld: ../src/.libs/libvirt-lxc.so: undefined reference to symbol 'freecon'
/lib/i386-linux-gnu/libselinux.so.1: error adding symbols: DSO missing from command line
collect2: error: ld returned 1 exit status
make[3]: *** [libvirtd] Error 1
Eric Blake [Thu, 12 Sep 2013 19:19:23 +0000 (13:19 -0600)]
docs: mention hostname subtlety
An off-list bug report mentioned some confusion where the public
documentation of libvirt.c:virConnectGetHostname did not match
the private documentation of util/virutil.c:virGetHostname.
Fix naming of permission for detecting storage pools
The VIR_ACCESS_PERM_CONNECT_DETECT_STORAGE_POOLS enum
constant had its string format be 'detect_storage_pool',
note the missing trailing 's'. This prevent the ACL
check from ever succeeding. Fix this and add a simple
test script to validate this problem of matching names.
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
LXC: don't try to mount selinux filesystem when user namespace enabled
Right now we mount selinuxfs even user namespace is enabled and
ignore the error. But we shouldn't ignore these errors when user
namespace is not enabled.
This patch skips mounting selinuxfs when user namespace enabled.
Peter Krempa [Thu, 12 Sep 2013 09:37:57 +0000 (11:37 +0200)]
qemu: Fix checking of guest ABI compatibility when reverting snapshots
When reverting a live internal snapshot with a live guest the ABI
compatiblity check was comparing a "migratable" definition with a normal
one. This resulted in the check failing with:
revert requires force: Target device address type none does not match source pci
This patch generates a "migratable" definition from the actual one to
check against the definition from the snapshot to avoid this problem.
Laine Stump [Wed, 28 Aug 2013 16:56:21 +0000 (12:56 -0400)]
netcf driver: use a single netcf handle for all connections
This resolves: https://bugzilla.redhat.com/show_bug.cgi?id=983026
The netcf interface driver previously had no state driver associated
with it - as a connection was opened, it would create a new netcf
instance just for that connection, and close it when it was
finished. the problem with this is that each connection to libvirt
used up a netlink socket, and there is a per process maximum of ~1000
netlink sockets.
The solution is to create a state driver to go along with the netcf
driver. The state driver will opens a netcf instance, then all
connections share that same netcf instance, thus only a single
netlink socket will be used no matter how many connections are mde to
libvirtd.
This was rather simple to do - a new virObjectLockable class is
created for the single driverState object, which is created in
netcfStateInitialize and contains the single netcf handle; instead of
creating a new object for each client connection, netcfInterfaceOpen
now just increments the driverState object's reference count and puts
a pointer to it into the connection's privateData. Similarly,
netcfInterfaceClose() just un-refs the driverState object (as does
netcfStateCleanup()), and virNetcfInterfaceDriverStateDispose()
handles closing the netcf instance. Since all the functions already
have locking around them, the static lock functions used by all
functions just needed to be changed to call virObjectLock() and
virObjectUnlock() instead of directly calling the virMutex* functions.
Laine Stump [Tue, 27 Aug 2013 16:26:48 +0000 (12:26 -0400)]
rename "struct interface_driver" to virNetcfDriverState
This better fits the modern naming scheme in libvirt, and anticipates
an upcoming change where a single instance of this state will be
maintained by a separate state driver, and every instance of the netcf
driver will share the same state.
Then any submounts under / should also end up readonly, except
for those setup as basic mounts. eg if the user has /home on a
separate volume, they'd expect /home to be readonly, but we
should not touch the /sys, /proc, etc dirs we setup ourselves.
Users can selectively make sub-mounts read-write again by
simply listing them as new mounts without the <readonly>
flag set
Move array of mounts out of lxcContainerMountBasicFS
Move the array of basic mounts out of the lxcContainerMountBasicFS
function, to a global variable. This is to allow it to be referenced
by other methods wanting to know what the basic mount paths are.
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
Fix launching of VMs on when only logind part of systemd is present
Debian systems may run the 'systemd-logind' daemon, which causes the
/sys/fs/cgroup/systemd mount to be setup, but no other cgroup
controllers are created. While the LXC driver considers cgroups to
be mandatory, the QEMU driver is supposed to accept them as optional.
We detect whether they are present by looking in /proc/mounts for
any mounts of type 'cgroups', but this is not sufficient. We need to
skip any named mounts (as seen by a name=XXX string in the mount
options), so that we only detect actual resource controllers.
The polkit access driver used the wrong permission names for checks
on storage pools, volumes and node devices. This led to them always
being denied access.
The 'dettach' permission was also mis-spelt and should have been
'detach'. While permission names are ABI sensitive, the fact that
the code used the wrong object name for checking node device
permissions, means that no one could have used the mis-spelt
'dettach' permission.
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
Commit 38ab1225 changed the default value of ret from true to false but
forgot to set ret = true when job is NONE. Thus, virsh domjobinfo
returned 1 when there was no job running for a domain but it used to
(and should) return 0 in this case.
Daniel Veillard [Thu, 12 Sep 2013 09:18:32 +0000 (17:18 +0800)]
Repair the search on libvirt.org
First make sure that the input is xhtml as the stylesheets expect
namespaced element, then use a span element instead of a as a
is treated specially, finally adjust the makefile to check for
the new span element and replace it with the PHP code
projects / people / liuw / libxenctrl-split / libvirt.git / log