libvirt/src/qemu/qemu_command.h

234 lines
9.6 KiB
C
Raw Normal View History

/*
* qemu_command.h: QEMU command generation
*
build: use correct type for pid and similar types No thanks to 64-bit windows, with 64-bit pid_t, we have to avoid constructs like 'int pid'. Our API in libvirt-qemu cannot be changed without breaking ABI; but then again, libvirt-qemu can only be used on systems that support UNIX sockets, which rules out Windows (even if qemu could be compiled there) - so for all points on the call chain that interact with this API decision, we require a different variable name to make it clear that we audited the use for safety. Adding a syntax-check rule only solves half the battle; anywhere that uses printf on a pid_t still needs to be converted, but that will be a separate patch. * cfg.mk (sc_correct_id_types): New syntax check. * src/libvirt-qemu.c (virDomainQemuAttach): Document why we didn't use pid_t for pid, and validate for overflow. * include/libvirt/libvirt-qemu.h (virDomainQemuAttach): Tweak name for syntax check. * src/vmware/vmware_conf.c (vmwareExtractPid): Likewise. * src/driver.h (virDrvDomainQemuAttach): Likewise. * tools/virsh.c (cmdQemuAttach): Likewise. * src/remote/qemu_protocol.x (qemu_domain_attach_args): Likewise. * src/qemu_protocol-structs (qemu_domain_attach_args): Likewise. * src/util/cgroup.c (virCgroupPidCode, virCgroupKillInternal): Likewise. * src/qemu/qemu_command.c(qemuParseProcFileStrings): Likewise. (qemuParseCommandLinePid): Use pid_t for pid. * daemon/libvirtd.c (daemonForkIntoBackground): Likewise. * src/conf/domain_conf.h (_virDomainObj): Likewise. * src/probes.d (rpc_socket_new): Likewise. * src/qemu/qemu_command.h (qemuParseCommandLinePid): Likewise. * src/qemu/qemu_driver.c (qemudGetProcessInfo, qemuDomainAttach): Likewise. * src/qemu/qemu_process.c (qemuProcessAttach): Likewise. * src/qemu/qemu_process.h (qemuProcessAttach): Likewise. * src/uml/uml_driver.c (umlGetProcessInfo): Likewise. * src/util/virnetdev.h (virNetDevSetNamespace): Likewise. * src/util/virnetdev.c (virNetDevSetNamespace): Likewise. * tests/testutils.c (virtTestCaptureProgramOutput): Likewise. * src/conf/storage_conf.h (_virStoragePerms): Use mode_t, uid_t, and gid_t rather than int. * src/security/security_dac.c (virSecurityDACSetOwnership): Likewise. * src/conf/storage_conf.c (virStorageDefParsePerms): Avoid compiler warning.
2012-02-10 23:08:11 +00:00
* Copyright (C) 2006-2012 Red Hat, Inc.
* Copyright (C) 2006 Daniel P. Berrange
*
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
* License as published by the Free Software Foundation; either
* version 2.1 of the License, or (at your option) any later version.
*
* This library is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public
* License along with this library. If not, see
* <http://www.gnu.org/licenses/>.
*
* Author: Daniel P. Berrange <berrange@redhat.com>
*/
#ifndef __QEMU_COMMAND_H__
# define __QEMU_COMMAND_H__
# include "domain_conf.h"
# include "command.h"
# include "capabilities.h"
# include "qemu_conf.h"
# include "qemu_domain.h"
# include "qemu_capabilities.h"
/* Config type for XML import/export conversions */
# define QEMU_CONFIG_FORMAT_ARGV "qemu-argv"
# define QEMU_DRIVE_HOST_PREFIX "drive-"
# define QEMU_VIRTIO_SERIAL_PREFIX "virtio-serial"
# define QEMU_FSDEV_HOST_PREFIX "fsdev-"
/* These are only defaults, they can be changed now in qemu.conf and
* explicitely specified port is checked against these two (makes
* sense to limit the values).
*
* This limitation is mentioned in qemu.conf, so bear in mind that the
* configuration file should reflect any changes made to these values.
*/
# define QEMU_REMOTE_PORT_MIN 5900
# define QEMU_REMOTE_PORT_MAX 65535
virCommandPtr qemuBuildCommandLine(virConnectPtr conn,
struct qemud_driver *driver,
virDomainDefPtr def,
virDomainChrSourceDefPtr monitor_chr,
bool monitor_json,
qemuCapsPtr caps,
const char *migrateFrom,
int migrateFd,
virDomainSnapshotObjPtr current_snapshot,
enum virNetDevVPortProfileOp vmop)
ATTRIBUTE_NONNULL(1);
/* Generate string for arch-specific '-device' parameter */
char *
qemuBuildChrDeviceStr (virDomainChrDefPtr serial,
qemuCapsPtr caps,
char *os_arch,
char *machine);
/* With vlan == -1, use netdev syntax, else old hostnet */
char * qemuBuildHostNetStr(virDomainNetDefPtr net,
struct qemud_driver *driver,
qemuCapsPtr caps,
char type_sep,
int vlan,
const char *tapfd,
const char *vhostfd);
/* Legacy, pre device support */
char * qemuBuildNicStr(virDomainNetDefPtr net,
const char *prefix,
int vlan);
/* Current, best practice */
char * qemuBuildNicDevStr(virDomainNetDefPtr net,
int vlan,
int bootindex,
qemuCapsPtr caps);
char *qemuDeviceDriveHostAlias(virDomainDiskDefPtr disk,
qemuCapsPtr caps);
/* Both legacy & current support */
char *qemuBuildDriveStr(virConnectPtr conn,
virDomainDiskDefPtr disk,
bool bootable,
qemuCapsPtr caps);
char *qemuBuildFSStr(virDomainFSDefPtr fs,
qemuCapsPtr caps);
/* Current, best practice */
char * qemuBuildDriveDevStr(virDomainDefPtr def,
virDomainDiskDefPtr disk,
int bootindex,
qemuCapsPtr caps);
char * qemuBuildFSDevStr(virDomainFSDefPtr fs,
qemuCapsPtr caps);
/* Current, best practice */
char * qemuBuildControllerDevStr(virDomainDefPtr domainDef,
virDomainControllerDefPtr def,
qemuCapsPtr caps,
int *nusbcontroller);
char * qemuBuildWatchdogDevStr(virDomainWatchdogDefPtr dev,
qemuCapsPtr caps);
char * qemuBuildMemballoonDevStr(virDomainMemballoonDefPtr dev,
qemuCapsPtr caps);
char * qemuBuildUSBInputDevStr(virDomainInputDefPtr dev,
qemuCapsPtr caps);
char * qemuBuildSoundDevStr(virDomainSoundDefPtr sound,
qemuCapsPtr caps);
/* Legacy, pre device support */
char * qemuBuildPCIHostdevPCIDevStr(virDomainHostdevDefPtr dev);
/* Current, best practice */
char * qemuBuildPCIHostdevDevStr(virDomainHostdevDefPtr dev,
const char *configfd,
qemuCapsPtr caps);
int qemuOpenPCIConfig(virDomainHostdevDefPtr dev);
/* Legacy, pre device support */
char * qemuBuildUSBHostdevUsbDevStr(virDomainHostdevDefPtr dev);
/* Current, best practice */
char * qemuBuildUSBHostdevDevStr(virDomainHostdevDefPtr dev,
qemuCapsPtr caps);
char * qemuBuildHubDevStr(virDomainHubDefPtr dev, qemuCapsPtr caps);
char * qemuBuildRedirdevDevStr(virDomainDefPtr def,
virDomainRedirdevDefPtr dev,
qemuCapsPtr caps);
audit: audit use of /dev/net/tun, /dev/tapN, /dev/vhost-net Opening raw network devices with the intent of passing those fds to qemu is worth an audit point. This makes a multi-part audit: first, we audit the device(s) that libvirt opens on behalf of the MAC address of a to-be-created interface (which can independently succeed or fail), then we audit whether qemu actually started the network device with the same MAC (so searching backwards for successful audits with the same MAC will show which fd(s) qemu is actually using). Note that it is possible for the fd to be successfully opened but no attempt made to pass the fd to qemu (for example, because intermediate nwfilter operations failed) - no interface start audit will occur in that case; so the audit for a successful opened fd does not imply rights given to qemu unless there is a followup audit about the attempt to start a new interface. Likewise, when a network device is hot-unplugged, there is only one audit message about the MAC being discontinued; again, searching back to the earlier device open audits will show which fds that qemu quits using (and yes, I checked via /proc/<qemu-pid>/fd that qemu _does_ close out the fds associated with an interface on hot-unplug). The code would require much more refactoring to be able to definitively state which device(s) were discontinued at that point, since we currently don't record anywhere in the XML whether /dev/vhost-net was opened for a given interface. * src/qemu/qemu_audit.h (qemuAuditNetDevice): New prototype. * src/qemu/qemu_audit.c (qemuAuditNetDevice): New function. * src/qemu/qemu_command.h (qemuNetworkIfaceConnect) (qemuPhysIfaceConnect, qemuOpenVhostNet): Adjust prototype. * src/qemu/qemu_command.c (qemuNetworkIfaceConnect) (qemuPhysIfaceConnect, qemuOpenVhostNet): Add audit points and adjust parameters. (qemuBuildCommandLine): Adjust caller. * src/qemu/qemu_hotplug.c (qemuDomainAttachNetDevice): Likewise.
2011-03-08 18:00:59 +00:00
int qemuNetworkIfaceConnect(virDomainDefPtr def,
virConnectPtr conn,
struct qemud_driver *driver,
virDomainNetDefPtr net,
qemuCapsPtr caps)
audit: audit use of /dev/net/tun, /dev/tapN, /dev/vhost-net Opening raw network devices with the intent of passing those fds to qemu is worth an audit point. This makes a multi-part audit: first, we audit the device(s) that libvirt opens on behalf of the MAC address of a to-be-created interface (which can independently succeed or fail), then we audit whether qemu actually started the network device with the same MAC (so searching backwards for successful audits with the same MAC will show which fd(s) qemu is actually using). Note that it is possible for the fd to be successfully opened but no attempt made to pass the fd to qemu (for example, because intermediate nwfilter operations failed) - no interface start audit will occur in that case; so the audit for a successful opened fd does not imply rights given to qemu unless there is a followup audit about the attempt to start a new interface. Likewise, when a network device is hot-unplugged, there is only one audit message about the MAC being discontinued; again, searching back to the earlier device open audits will show which fds that qemu quits using (and yes, I checked via /proc/<qemu-pid>/fd that qemu _does_ close out the fds associated with an interface on hot-unplug). The code would require much more refactoring to be able to definitively state which device(s) were discontinued at that point, since we currently don't record anywhere in the XML whether /dev/vhost-net was opened for a given interface. * src/qemu/qemu_audit.h (qemuAuditNetDevice): New prototype. * src/qemu/qemu_audit.c (qemuAuditNetDevice): New function. * src/qemu/qemu_command.h (qemuNetworkIfaceConnect) (qemuPhysIfaceConnect, qemuOpenVhostNet): Adjust prototype. * src/qemu/qemu_command.c (qemuNetworkIfaceConnect) (qemuPhysIfaceConnect, qemuOpenVhostNet): Add audit points and adjust parameters. (qemuBuildCommandLine): Adjust caller. * src/qemu/qemu_hotplug.c (qemuDomainAttachNetDevice): Likewise.
2011-03-08 18:00:59 +00:00
ATTRIBUTE_NONNULL(2);
audit: audit use of /dev/net/tun, /dev/tapN, /dev/vhost-net Opening raw network devices with the intent of passing those fds to qemu is worth an audit point. This makes a multi-part audit: first, we audit the device(s) that libvirt opens on behalf of the MAC address of a to-be-created interface (which can independently succeed or fail), then we audit whether qemu actually started the network device with the same MAC (so searching backwards for successful audits with the same MAC will show which fd(s) qemu is actually using). Note that it is possible for the fd to be successfully opened but no attempt made to pass the fd to qemu (for example, because intermediate nwfilter operations failed) - no interface start audit will occur in that case; so the audit for a successful opened fd does not imply rights given to qemu unless there is a followup audit about the attempt to start a new interface. Likewise, when a network device is hot-unplugged, there is only one audit message about the MAC being discontinued; again, searching back to the earlier device open audits will show which fds that qemu quits using (and yes, I checked via /proc/<qemu-pid>/fd that qemu _does_ close out the fds associated with an interface on hot-unplug). The code would require much more refactoring to be able to definitively state which device(s) were discontinued at that point, since we currently don't record anywhere in the XML whether /dev/vhost-net was opened for a given interface. * src/qemu/qemu_audit.h (qemuAuditNetDevice): New prototype. * src/qemu/qemu_audit.c (qemuAuditNetDevice): New function. * src/qemu/qemu_command.h (qemuNetworkIfaceConnect) (qemuPhysIfaceConnect, qemuOpenVhostNet): Adjust prototype. * src/qemu/qemu_command.c (qemuNetworkIfaceConnect) (qemuPhysIfaceConnect, qemuOpenVhostNet): Add audit points and adjust parameters. (qemuBuildCommandLine): Adjust caller. * src/qemu/qemu_hotplug.c (qemuDomainAttachNetDevice): Likewise.
2011-03-08 18:00:59 +00:00
int qemuPhysIfaceConnect(virDomainDefPtr def,
struct qemud_driver *driver,
virDomainNetDefPtr net,
qemuCapsPtr caps,
enum virNetDevVPortProfileOp vmop);
audit: audit use of /dev/net/tun, /dev/tapN, /dev/vhost-net Opening raw network devices with the intent of passing those fds to qemu is worth an audit point. This makes a multi-part audit: first, we audit the device(s) that libvirt opens on behalf of the MAC address of a to-be-created interface (which can independently succeed or fail), then we audit whether qemu actually started the network device with the same MAC (so searching backwards for successful audits with the same MAC will show which fd(s) qemu is actually using). Note that it is possible for the fd to be successfully opened but no attempt made to pass the fd to qemu (for example, because intermediate nwfilter operations failed) - no interface start audit will occur in that case; so the audit for a successful opened fd does not imply rights given to qemu unless there is a followup audit about the attempt to start a new interface. Likewise, when a network device is hot-unplugged, there is only one audit message about the MAC being discontinued; again, searching back to the earlier device open audits will show which fds that qemu quits using (and yes, I checked via /proc/<qemu-pid>/fd that qemu _does_ close out the fds associated with an interface on hot-unplug). The code would require much more refactoring to be able to definitively state which device(s) were discontinued at that point, since we currently don't record anywhere in the XML whether /dev/vhost-net was opened for a given interface. * src/qemu/qemu_audit.h (qemuAuditNetDevice): New prototype. * src/qemu/qemu_audit.c (qemuAuditNetDevice): New function. * src/qemu/qemu_command.h (qemuNetworkIfaceConnect) (qemuPhysIfaceConnect, qemuOpenVhostNet): Adjust prototype. * src/qemu/qemu_command.c (qemuNetworkIfaceConnect) (qemuPhysIfaceConnect, qemuOpenVhostNet): Add audit points and adjust parameters. (qemuBuildCommandLine): Adjust caller. * src/qemu/qemu_hotplug.c (qemuDomainAttachNetDevice): Likewise.
2011-03-08 18:00:59 +00:00
int qemuOpenVhostNet(virDomainDefPtr def,
virDomainNetDefPtr net,
qemuCapsPtr caps,
int *vhostfd);
/*
* NB: def->name can be NULL upon return and the caller
* *must* decide how to fill in a name in this case
*/
virDomainDefPtr qemuParseCommandLine(virCapsPtr caps,
const char **progenv,
const char **progargv,
char **pidfile,
virDomainChrSourceDefPtr *monConfig,
bool *monJSON);
virDomainDefPtr qemuParseCommandLineString(virCapsPtr caps,
const char *args,
char **pidfile,
virDomainChrSourceDefPtr *monConfig,
bool *monJSON);
virDomainDefPtr qemuParseCommandLinePid(virCapsPtr caps,
build: use correct type for pid and similar types No thanks to 64-bit windows, with 64-bit pid_t, we have to avoid constructs like 'int pid'. Our API in libvirt-qemu cannot be changed without breaking ABI; but then again, libvirt-qemu can only be used on systems that support UNIX sockets, which rules out Windows (even if qemu could be compiled there) - so for all points on the call chain that interact with this API decision, we require a different variable name to make it clear that we audited the use for safety. Adding a syntax-check rule only solves half the battle; anywhere that uses printf on a pid_t still needs to be converted, but that will be a separate patch. * cfg.mk (sc_correct_id_types): New syntax check. * src/libvirt-qemu.c (virDomainQemuAttach): Document why we didn't use pid_t for pid, and validate for overflow. * include/libvirt/libvirt-qemu.h (virDomainQemuAttach): Tweak name for syntax check. * src/vmware/vmware_conf.c (vmwareExtractPid): Likewise. * src/driver.h (virDrvDomainQemuAttach): Likewise. * tools/virsh.c (cmdQemuAttach): Likewise. * src/remote/qemu_protocol.x (qemu_domain_attach_args): Likewise. * src/qemu_protocol-structs (qemu_domain_attach_args): Likewise. * src/util/cgroup.c (virCgroupPidCode, virCgroupKillInternal): Likewise. * src/qemu/qemu_command.c(qemuParseProcFileStrings): Likewise. (qemuParseCommandLinePid): Use pid_t for pid. * daemon/libvirtd.c (daemonForkIntoBackground): Likewise. * src/conf/domain_conf.h (_virDomainObj): Likewise. * src/probes.d (rpc_socket_new): Likewise. * src/qemu/qemu_command.h (qemuParseCommandLinePid): Likewise. * src/qemu/qemu_driver.c (qemudGetProcessInfo, qemuDomainAttach): Likewise. * src/qemu/qemu_process.c (qemuProcessAttach): Likewise. * src/qemu/qemu_process.h (qemuProcessAttach): Likewise. * src/uml/uml_driver.c (umlGetProcessInfo): Likewise. * src/util/virnetdev.h (virNetDevSetNamespace): Likewise. * src/util/virnetdev.c (virNetDevSetNamespace): Likewise. * tests/testutils.c (virtTestCaptureProgramOutput): Likewise. * src/conf/storage_conf.h (_virStoragePerms): Use mode_t, uid_t, and gid_t rather than int. * src/security/security_dac.c (virSecurityDACSetOwnership): Likewise. * src/conf/storage_conf.c (virStorageDefParsePerms): Avoid compiler warning.
2012-02-10 23:08:11 +00:00
pid_t pid,
char **pidfile,
virDomainChrSourceDefPtr *monConfig,
bool *monJSON);
int qemuDomainAssignAddresses(virDomainDefPtr def,
qemuCapsPtr caps,
virDomainObjPtr obj)
ATTRIBUTE_NONNULL(1) ATTRIBUTE_NONNULL(2);
int qemuDomainAssignSpaprVIOAddresses(virDomainDefPtr def,
qemuCapsPtr caps);
int qemuDomainAssignPCIAddresses(virDomainDefPtr def,
qemuCapsPtr caps,
virDomainObjPtr obj);
qemuDomainPCIAddressSetPtr qemuDomainPCIAddressSetCreate(virDomainDefPtr def);
int qemuDomainPCIAddressReserveFunction(qemuDomainPCIAddressSetPtr addrs,
int slot, int function);
int qemuDomainPCIAddressReserveSlot(qemuDomainPCIAddressSetPtr addrs,
int slot);
int qemuDomainPCIAddressReserveAddr(qemuDomainPCIAddressSetPtr addrs,
virDomainDeviceInfoPtr dev);
int qemuDomainPCIAddressSetNextAddr(qemuDomainPCIAddressSetPtr addrs,
virDomainDeviceInfoPtr dev);
int qemuDomainPCIAddressEnsureAddr(qemuDomainPCIAddressSetPtr addrs,
virDomainDeviceInfoPtr dev);
int qemuDomainPCIAddressReleaseAddr(qemuDomainPCIAddressSetPtr addrs,
virDomainDeviceInfoPtr dev);
int qemuDomainPCIAddressReleaseFunction(qemuDomainPCIAddressSetPtr addrs,
int slot, int function);
int qemuDomainPCIAddressReleaseSlot(qemuDomainPCIAddressSetPtr addrs, int slot);
void qemuDomainPCIAddressSetFree(qemuDomainPCIAddressSetPtr addrs);
int qemuAssignDevicePCISlots(virDomainDefPtr def, qemuDomainPCIAddressSetPtr addrs);
int qemuAssignDeviceAliases(virDomainDefPtr def, qemuCapsPtr caps);
int qemuDomainNetVLAN(virDomainNetDefPtr def);
int qemuAssignDeviceNetAlias(virDomainDefPtr def, virDomainNetDefPtr net, int idx);
int qemuAssignDeviceDiskAlias(virDomainDefPtr vmdef,
virDomainDiskDefPtr def,
qemuCapsPtr caps);
int qemuAssignDeviceHostdevAlias(virDomainDefPtr def, virDomainHostdevDefPtr hostdev, int idx);
int qemuAssignDeviceControllerAlias(virDomainControllerDefPtr controller);
int qemuAssignDeviceRedirdevAlias(virDomainDefPtr def, virDomainRedirdevDefPtr redirdev, int idx);
int
qemuParseKeywords(const char *str,
char ***retkeywords,
char ***retvalues,
int allowEmptyValue);
#endif /* __QEMU_COMMAND_H__*/