qemu: allow turning off QEMU guest RAM dump globally

We already have the ability to turn off dumping of guest
RAM via the domain XML. This is not particularly useful
though, as it is under control of the management application.
What is needed is a way for the sysadmin to turn off guest
RAM defaults globally, regardless of whether the mgmt app
provides its own way to set this in the domain XML.

So this adds a 'dump_guest_core' option in /etc/libvirt/qemu.conf
which defaults to false. ie guest RAM will never be included in
the QEMU core dumps by default. This default is different from
historical practice, but is considered to be more suitable as
a default because

 a) guest RAM can be huge and so inflicts a DoS on the host
    I/O subsystem when dumping core for QEMU crashes

 b) guest RAM can contain a lot of sensitive data belonging
    to the VM owner. This should not generally be copied
    around inside QEMU core dumps submitted to vendors for
    debugging

 c) guest RAM contents are rarely useful in diagnosing
    QEMU crashes

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
Daniel P. Berrange 2016-08-03 16:20:19 +01:00
parent fa1ce97917
commit 90e178f8bf
7 changed files with 35 additions and 9 deletions


@ -76,6 +76,7 @@ module Libvirtd_qemu =
| int_entry "max_processes"
| int_entry "max_files"
| limits_entry "max_core"
| bool_entry "dump_guest_core"
| str_entry "stdio_handler"
let device_entry = bool_entry "mac_filter"


@ -406,10 +406,10 @@
# RAM size is smaller than the limit set.
#
# Be warned that the core dump will include a full copy of the
# guest RAM, unless it has been disabled via the guest XML by
# setting:
# guest RAM, if the 'dump_guest_core' setting has been enabled,
# or if the guest XML contains
#
# <memory dumpcore="off">...guest ram...</memory>
# <memory dumpcore="on">...guest ram...</memory>
#
# If guest RAM is to be included, ensure the max_core limit
# is set to at least the size of the largest expected guest
@ -425,6 +425,16 @@
#
#max_core = "unlimited"
# Determine if guest RAM is included in QEMU core dumps. By
# default guest RAM will be excluded if a new enough QEMU is
# present. Setting this to '1' will force guest RAM to always
# be included in QEMU core dumps.
#
# This setting will be ignored if the guest XML has set the
# dumpcore attribute on the <memory> element.
#
#dump_guest_core = 1
# mac_filter enables MAC addressed based filtering on bridge ports.
# This currently requires ebtables to be installed.
#
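Review bot: The new `dump_guest_core` comment says '1' will "force guest RAM to always be included", but the next paragraph says the setting is ignored whenever the guest XML sets `dumpcore`, so neither value is enforced. An administrator who relies on this option to keep guest memory out of core dumps needs to read that it is only a default: a domain carrying `<memory dumpcore="on">` still gets guest RAM dumped, and the "new enough QEMU" clause implies an older QEMU is not affected by the setting at all. Suggested wording: `# Setting this to '1' includes guest RAM in QEMU core dumps unless the guest XML sets dumpcore="off".`, followed by one sentence stating that the value has no effect on a QEMU without dump-guest-core support, where `max_core` remains the only control.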


@ -6930,6 +6930,7 @@ qemuBuildNameCommandLine(virCommandPtr cmd,
static int
qemuBuildMachineCommandLine(virCommandPtr cmd,
virQEMUDriverConfigPtr cfg,
const virDomainDef *def,
virQEMUCapsPtr qemuCaps)
{
@ -7014,16 +7015,21 @@ qemuBuildMachineCommandLine(virCommandPtr cmd,
virTristateSwitchTypeToString(smm));
}
if (virQEMUCapsGet(qemuCaps, QEMU_CAPS_DUMP_GUEST_CORE)) {
if (def->mem.dump_core) {
virBufferAsprintf(&buf, ",dump-guest-core=%s",
virTristateSwitchTypeToString(def->mem.dump_core));
} else {
virBufferAsprintf(&buf, ",dump-guest-core=%s",
cfg->dumpGuestCore ? "on" : "off");
}
} else {
if (def->mem.dump_core) {
if (!virQEMUCapsGet(qemuCaps, QEMU_CAPS_DUMP_GUEST_CORE)) {
virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
_("dump-guest-core is not available "
"with this QEMU binary"));
goto cleanup;
}
virBufferAsprintf(&buf, ",dump-guest-core=%s",
virTristateSwitchTypeToString(def->mem.dump_core));
}
if (def->mem.nosharepages) {
@ -9396,7 +9402,7 @@ qemuBuildCommandLine(virQEMUDriverPtr driver,
if (enableFips)
virCommandAddArg(cmd, "-enable-fips");
if (qemuBuildMachineCommandLine(cmd, def, qemuCaps) < 0)
if (qemuBuildMachineCommandLine(cmd, cfg, def, qemuCaps) < 0)
goto error;
if (qemuBuildCpuCommandLine(cmd, driver, def, qemuCaps, !!migrateURI) < 0)
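Review bot: In the dump-guest-core branch of qemuBuildMachineCommandLine, when `QEMU_CAPS_DUMP_GUEST_CORE` is absent and the domain XML leaves `def->mem.dump_core` unset, `cfg->dumpGuestCore` is dropped silently and nothing is added to the machine options, so QEMU's built-in behaviour applies. The old qemu.conf text in this commit indicates that behaviour includes guest RAM, which contradicts the commit message's "never be included by default" on hosts with an older QEMU, and an admin who raised `max_core` gets no indication of it. I would add a comment on the `else` arm such as `/* QEMU lacks dump-guest-core: cfg->dumpGuestCore cannot be applied */` and consider logging a warning there when `cfg->dumpGuestCore` is false. The page has lost its +/- markers, so this assumes the capability check is the new outer `if`; the function body starts and ends outside the hunks.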


@ -654,6 +654,9 @@ int virQEMUDriverConfigLoadFile(virQEMUDriverConfigPtr cfg,
goto cleanup;
}
if (virConfGetValueBool(conf, "dump_guest_core", &cfg->dumpGuestCore) < 0)
goto cleanup;
if (virConfGetValueString(conf, "lock_manager", &cfg->lockManagerName) < 0)
goto cleanup;
if (virConfGetValueString(conf, "stdio_handler", &stdioHandler) < 0)


@ -149,6 +149,7 @@ struct _virQEMUDriverConfig {
unsigned int maxProcesses;
unsigned int maxFiles;
unsigned long long maxCore;
bool dumpGuestCore;
unsigned int maxQueuedJobs;


@ -63,6 +63,7 @@ module Test_libvirtd_qemu =
{ "max_processes" = "0" }
{ "max_files" = "0" }
{ "max_core" = "unlimited" }
{ "dump_guest_core" = "1" }
{ "mac_filter" = "1" }
{ "relaxed_acs_check" = "1" }
{ "allow_disk_format_probing" = "1" }


@ -614,8 +614,12 @@ mymain(void)
DO_TEST("machine-aliases2", QEMU_CAPS_KVM);
DO_TEST("machine-core-on", QEMU_CAPS_MACHINE_OPT,
QEMU_CAPS_DUMP_GUEST_CORE);
driver.config->dumpGuestCore = true;
DO_TEST("machine-core-off", QEMU_CAPS_MACHINE_OPT,
QEMU_CAPS_DUMP_GUEST_CORE);
driver.config->dumpGuestCore = false;
DO_TEST("machine-core-cfg-off", QEMU_CAPS_MACHINE_OPT,
QEMU_CAPS_DUMP_GUEST_CORE);
DO_TEST_FAILURE("machine-core-on", NONE);
DO_TEST_FAILURE("machine-core-on", QEMU_CAPS_MACHINE_OPT);
DO_TEST("machine-smm-opt",
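Review bot: The added cases do not appear to cover the config-enabled side of the new fallback: `machine-core-cfg-off` runs with `driver.config->dumpGuestCore = false`, and `machine-core-on` / `machine-core-off` presumably take their value from the domain XML (the test data is not visible here). The enabled side is the one that puts guest RAM into core dumps, so a fourth case that sets `driver.config->dumpGuestCore = true;` before a domain XML without the `dumpcore` attribute would pin it. A short comment above the two assignments, e.g. `/* the XML setting must win over the qemu.conf default */`, would also explain why `machine-core-off` runs with the flag set to true. mymain continues outside the hunk.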