Commit Graph

23718 Commits

Author SHA1 Message Date
Ján Tomko
e322b6f73d api: disallow virConnectGetDomainCapabilities on read-only connections
This API can be used to execute arbitrary emulators.
Forbid it on read-only connections.

Fixes: CVE-2019-10167
Signed-off-by: Ján Tomko <jtomko@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
(cherry picked from commit 8afa68bac0)
Signed-off-by: Ján Tomko <jtomko@redhat.com>
2019-06-24 10:03:12 +02:00
Ján Tomko
dea40b4218 api: disallow virDomainSaveImageGetXMLDesc on read-only connections
The virDomainSaveImageGetXMLDesc API is taking a path parameter,
which can point to any path on the system. This file will then be
read and parsed by libvirtd running with root privileges.

Forbid it on read-only connections.

Fixes: CVE-2019-10161
Reported-by: Matthias Gerstner <mgerstner@suse.de>
Signed-off-by: Ján Tomko <jtomko@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
(cherry picked from commit aed6a032ce)
Signed-off-by: Ján Tomko <jtomko@redhat.com>

Conflicts:
  src/libvirt-domain.c
  src/remote/remote_protocol.x

Upstream commit 12a51f372 which introduced the VIR_DOMAIN_SAVE_IMAGE_XML_SECURE
alias for VIR_DOMAIN_XML_SECURE is not backported.
Just skip the commit since we now disallow the whole API on read-only
connections, regardless of the flag.

Signed-off-by: Ján Tomko <jtomko@redhat.com>
2019-06-24 10:03:12 +02:00
Martin Kletzander
f398d4b423 qemu: Only use memory-backend-file with NUMA if needed
If this reminds you of a commit message from around a year ago, it's
41c2aa729f and yes, we're dealing with
"the same thing" again.  Or f309db1f4d and
it's similar.

There is a logic in place that if there is no real need for
memory-backend-file, qemuBuildMemoryBackendStr() returns 0.  However
that wasn't the case with hugepage backing.  The reason for that was
that we abused the 'pagesize' variable for storing that information, but
we should rather have a separate one that specifies whether we really
need the new object for hugepage backing.  And that variable should be
set only if this particular NUMA cell needs special treatment WRT
hugepages.

Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1372153

Signed-off-by: Martin Kletzander <mkletzan@redhat.com>
(cherry picked from commit 4372a7845acbc6974f6027ef68e7dd3eeb47f425)
2016-10-04 08:38:35 +02:00
Daniel Veillard
1fa8fd1a9b Release of libvirt-2.1.0
* docs/news.html.in: updated for release
* po/*.po*: regenerated
2016-08-02 12:35:06 +02:00
Daniel Veillard
f9243229fd Revert "Fix unbalanced quotation marks"
This reverts commit 6a40801186.
release of 2.1.0 need to go first
2016-08-02 12:34:18 +02:00
Yuri Chornoivan
6a40801186 Fix unbalanced quotation marks 2016-08-02 09:04:39 +02:00
Erik Skultety
5289e21f31 daemon: sasl: Don't forget to save SASL username to client's identity
Once the SASL authentication process has successfully passed, we should also
save the SASL username used to client's identity, so that when a client like
virt-admin tries to obtain it, the server will actually format the username to
the response data.

Signed-off-by: Erik Skultety <eskultet@redhat.com>
2016-08-02 08:25:42 +02:00
Erik Skultety
385ec6280f admin: Retrieve the SASL context for both local and remote connection
When commit 4a0e9108 added a support for client information retrieval, it made
the API return SASL identity info only for clients connected remotely, yet SASL
can be happily used with UNIX sockets as well.

Signed-off-by: Erik Skultety <eskultet@redhat.com>
2016-08-02 08:25:42 +02:00
Martin Kletzander
fa4eea8063 storage: Document wiping formatted volume types
When wiping a volume we just rewrite all the data of the volume, not
only the content.  Since format gets overridden, we need to recreate the
volume.  However we can't do that for every possible format out there.
Since it was only coded for the ploop volume type, let's document what
might be the consequences instead of forbidding it for every other
format out there.

Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=868771

Signed-off-by: Martin Kletzander <mkletzan@redhat.com>
2016-08-02 07:01:57 +02:00
Boris Fiuczynski
230c631917 qemu: remove panic dev models s390 and pseries when migrating
The panic devices with models s390 and pseries are autogenerated.
For backwards compatibility reasons the devices are to be removed
when migrating.

Signed-off-by: Boris Fiuczynski <fiuczy@linux.vnet.ibm.com>
Signed-off-by: Ján Tomko <jtomko@redhat.com>
2016-08-01 14:15:08 +02:00
Michal Privoznik
1045c56c0f wireshark: Drop glib dependency
The only function that we currently use from glib is g_sprintf().
That's a very big gun for such small target. Not only that, but
we've silently relied on wireshark dragging in the glib. Replace
the g_sprintf() with plain sprinf() so that we can drop the glib
dependency.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
2016-08-01 12:02:51 +02:00
Nikolay Shirokovskiy
03c1e0f38f schema: fix resolved interfaces of network type
This patch reflects cases when <interface> element and its <source>
subelement for network type are formated based on actual type resolved
from referenced network instead of original one. networkAllocateActualDevice
and virDomainActualNetDefContentsFormat are taken as reference.
2016-08-01 11:30:51 +02:00
Nikolay Shirokovskiy
0e8083da3b schema: add missed alias element to memory device 2016-08-01 11:30:51 +02:00
Sascha Silbe
a5c420471b qemu: fix domain id after domainCreateWithFlags()
Ever since virDomainCreateWithFlags() was introduced by de3aadaa
[drivers: add virDomainCreateWithFlags if virDomainCreate exists], the
domain ID retrieved with virDomainGetID() was incorrect for several
drivers after virDomainCreateWithFlags() was called. The API consumer
had to look up the domain anew to retrieve the correct ID.

For the ESX driver, this was fixed in 6139b274 [esx: Update ID after
starting a domain]. For the openvz driver, it was fixed in fd81a097
[openvzDomainCreateWithFlags: set domain id to the correct value]. The
test driver, the OpenNebula driver (removed in the meantime) and the
vbox driver were already updating the domain ID correctly in
domainCreate().

Copy over the ID in qemuDomainCreateWithFlags() to fix this for the qemu
driver, too.

Fixes: de3aadaa ("drivers: add virDomainCreateWithFlags if virDomainCreate exists")
Reported-by: Marc Hartmayer <mhartmay@linux.vnet.ibm.com>
Signed-off-by: Sascha Silbe <silbe@linux.vnet.ibm.com>
Tested-by: Marc Hartmayer <mhartmay@linux.vnet.ibm.com>
Reviewed-by: Marc Hartmayer <mhartmay@linux.vnet.ibm.com>
2016-08-01 11:28:20 +02:00
Peter Krempa
71d341e7c6 tests: qemu: Don't leak security manager object
==2064442== 200 (88 direct, 112 indirect) bytes in 1 blocks are definitely lost in loss record 54 of 73
==2064442==    at 0x4C2E0F0: calloc (vg_replace_malloc.c:711)
==2064442==    by 0x18E75B80: virAllocVar (viralloc.c:560)
==2064442==    by 0x18EC43B0: virObjectNew (virobject.c:193)
==2064442==    by 0x18EC476E: virObjectLockableNew (virobject.c:219)
==2064442==    by 0x1906BC73: virSecurityManagerNewDriver (security_manager.c:93)
==2064442==    by 0x1906C076: virSecurityManagerNewStack (security_manager.c:115)
==2064442==    by 0x43CC39: qemuTestDriverInit (testutilsqemu.c:548)
==2064442==    by 0x4337ED: mymain (qemumonitorjsontest.c:2440)
==2064442==    by 0x43BABE: virTestMain (testutils.c:982)
==2064442==    by 0x43A490: main (qemumonitorjsontest.c:2558)
2016-08-01 06:38:52 +02:00
Michal Privoznik
1e05846373 conf: Catch invalid memory model earlier
Consider the following XML snippet:

    <memory model=''>
      <target>
        <size unit='KiB'>523264</size>
        <node>0</node>
      </target>
    </memory>

Whats wrong you ask? The @model attribute. This should result in
an error thrown into users faces during virDomainDefine phase.
Except it doesn't. The XML validation catches this error, but if
users chose to ignore that, they will end up with invalid XML.
Well, they won't be able to start the machine - that's when error
is produced currently. But it would be nice if we could catch the
error like this earlier.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
2016-07-29 11:03:24 +02:00
Erik Skultety
f5f32bcd1b admin: Fix default uri config option name s/admin_uri_default/uri_default
The original name 'admin_uri_default' was introduced to our code by commit
dbecb87f. However, at that time we already had a separate config file for
admin library but the commit mentioned above didn't properly adjust the
config's option name. The result is that when we're loading the config, we
check a non-existent config option (there's not much to do with the URIs
anyway, since we only allow local connection). Additionally, virt-admin's man
page documents, that the default URI can be altered by setting
admin_uri_default option. So the fix proposed by this patch leaves the
libvirt-admin.conf as is and adjusts the naming in the code as well as in the
virt-admin's man page.

Signed-off-by: Erik Skultety <eskultet@redhat.com>
2016-07-29 09:21:09 +02:00
Michal Privoznik
98aefa813d wireshark: Adapt to dissector function header change
In wireshark commit bbdd89b9 (contained in 2.1.0 release) they
have changed prototype of dissector function. Now it returns
number of bytes consumed by the dissector, and can get a pointer
to user specified data (which we don't use).

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
2016-07-28 17:39:03 +02:00
John Ferlan
8ad7eceb20 qemu: Need to free fileprops in error path
The virJSONValueObjectCreate only consumes the object on success, so on
failure we must free - from commit id 'f4441017' (found by Coverity).
2016-07-28 09:25:40 -04:00
John Ferlan
5d8c31c6b2 iscsi: Establish connection to target via static target login
https://bugzilla.redhat.com/show_bug.cgi?id=1356436

Commit id '56057900' altered the discovery of iSCSI node targets by
using the "--op nonpersistent". This caused issues for clean environments
or if by chance a "-m node -o delete" was executed.

Since each iSCSI Storage Pool has the required iSCSI target path, use
that and the virISCSINodeNew API in order to generate the iSCSI node record.
2016-07-28 08:27:13 -04:00
John Ferlan
ae65c908b7 util: Introduce virISCSINodeNew
https://bugzilla.redhat.com/show_bug.cgi?id=1356436

According to RFC 3721 (https://www.ietf.org/rfc/rfc3721.txt), there are
two ways to "discover" targets in/for the iSCSI environment. Discovery
is the process which allows the initiator to find the targets to which
it has access and at least one address at which each target may be
accessed.

The method currently implemented in libvirt using the virISCSIScanTargets
API is known as "SendTargets" discovery. This method is more useful when
the target IP Address and TCP port information are available, e.g. in
libvirt terms the "portal". It returns a list of targets for the portal.
From that list, the target can be found. This operation can also fill an
iSCSI node table into which iSCSI logins may occur. Commit id '56057900'
altered that filling by adding the "--op nonpersistent" since it was
not necessarily desired to perform that for non libvirt related targets.

The second method is "Static Configuration". This method not only needs
the IP Address and TCP port (e.g. portal), but also the iSCSI target name.
In libvirt terms this would be the device path field from the iSCSI pool
<source> XML. This patch implements the second methodology using that
required device path as the targetname.
2016-07-28 08:27:13 -04:00
Erik Skultety
d02ef33451 tools: Make use of the correct environment variables
Since commit 834c5720 which extracted the generic functionality out of virsh
and made it available for other clients like virt-admin to make use of it, it
also introduced a bug when it renamed the original VIRSH_ environment variables
to VSH_ variables. Virt-admin of course suffers from the same bug, so this
patch modifies the generic module vsh.c to construct the correct name for
environment variables of each client from information it has.

Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1357363

Signed-off-by: Erik Skultety <eskultet@redhat.com>
2016-07-28 13:54:06 +02:00
Erik Skultety
0ef07e19c7 vsh: Make vshInitDebug return int instead of void
Well, the reason behind this change is that if the function is extended in some
way that e.g. would involve allocation we do not have a way of telling it to
the caller. More specifically, vshInitDebug only relies on some hardcoded
environment variables (by a mistake) that aren't documented anywhere so neither
virsh's nor virt-admin's documented environment variables take effect. One
possible solution would be duplicate the code for each CLI client or leave the
method be generic and provide means that it could figure out, which client
called it, thus initializing the proper environment variables but that could
involve operations that might as well fail in certain circumstances and the
caller should know that an error occurred.

Signed-off-by: Erik Skultety <eskultet@redhat.com>
2016-07-28 13:54:06 +02:00
Daniel P. Berrange
1db6908a1c Refresh translations from zanata
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2016-07-28 12:25:21 +01:00
Michal Privoznik
ea2ad17112 vshReadlineParse: Drop some unused variables
My compiler identified some variables that were set, but never
actually used. For instance, opts_required, and data_acomplete.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
2016-07-28 13:01:54 +02:00
Michal Privoznik
2bc97f2708 vshCmddefGetOption: Change type of opt_index
This function tries to look up desired option for a given parsed
command. Upon successful return it also stores option position
into passed *opt_index. Now, this variable is type of int, even
though it is never ever used to store negative value. Moreover,
the variable is set from a local variable which is type of
size_t.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
2016-07-28 13:01:54 +02:00
Daniel P. Berrange
dcd5f59c5f libvirt.spec.in: fix indentation in previous commit
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2016-07-28 11:48:00 +01:00
Daniel P. Berrange
8035bf718a Fix RPM spec for wireshark on Fedora < 24
This previous commit

  commit cd9fcc8be7
  Author: Michal Privoznik <mprivozn@redhat.com>
  Date:   Wed Jul 27 16:58:32 2016 +0200

    libvirt.spec.in: Adapt to newest wireshark plugindir

Adapted the libvirt spec for wireshark >= 2.1.0 but
this ignored the fact that we enable wireshark from
Fedora 21 and 2.1.0 was only added in Fedora 24

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2016-07-28 11:02:02 +01:00
Daniel P. Berrange
a48c714115 storage: remove "luks" storage volume type
The current LUKS support has a "luks" volume type which has
a "luks" encryption format.

This partially makes sense if you consider the QEMU shorthand
syntax only requires you to specify a format=luks, and it'll
automagically uses "raw" as the next level driver. QEMU will
however let you override the "raw" with any other driver it
supports (vmdk, qcow, rbd, iscsi, etc, etc)

IOW the intention though is that the "luks" encryption format
is applied to all disk formats (whether raw, qcow2, rbd, gluster
or whatever). As such it doesn't make much sense for libvirt
to say the volume type is "luks" - we should be saying that it
is a "raw" file, but with "luks" encryption applied.

IOW, when creating a storage volume we should use this XML

  <volume>
    <name>demo.raw</name>
    <capacity>5368709120</capacity>
    <target>
      <format type='raw'/>
      <encryption format='luks'>
        <secret type='passphrase' uuid='0a81f5b2-8403-7b23-c8d6-21ccd2f80d6f'/>
      </encryption>
    </target>
  </volume>

and when configuring a guest disk we should use

  <disk type='file' device='disk'>
    <driver name='qemu' type='raw'/>
    <source file='/home/berrange/VirtualMachines/demo.raw'/>
    <target dev='sda' bus='scsi'/>
    <encryption format='luks'>
      <secret type='passphrase' uuid='0a81f5b2-8403-7b23-c8d6-21ccd2f80d6f'/>
    </encryption>
  </disk>

This commit thus removes the "luks" storage volume type added
in

  commit 318ebb36f1
  Author: John Ferlan <jferlan@redhat.com>
  Date:   Tue Jun 21 12:59:54 2016 -0400

    util: Add 'luks' to the FileTypeInfo

The storage file probing code is modified so that it can probe
the actual encryption formats explicitly, rather than merely
probing existance of encryption and letting the storage driver
guess the format.

The rest of the code is then adapted to deal with
VIR_STORAGE_FILE_RAW w/ VIR_STORAGE_ENCRYPTION_FORMAT_LUKS
instead of just VIR_STORAGE_FILE_LUKS.

The commit mentioned above was included in libvirt v2.0.0.
So when querying volume XML this will be a change in behaviour
vs the 2.0.0 release - it'll report 'raw' instead of 'luks'
for the volume format, but still report 'luks' for encryption
format.  I think this change is OK because the storage driver
did not include any support for creating volumes, nor starting
guets with luks volumes in v2.0.0 - that only since then.
Clearly if we change this we must do it before v2.1.0 though.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2016-07-27 18:59:15 +01:00
Daniel P. Berrange
970f42ab42 virstoragefile: refactor virStorageFileMatchesNNN methods
Refactor the virStorageFileMatchesNNN methods so that
they don't take a struct FileFormatInfo parameter, but
instead get the actual raw dat items they needs. This
will facilitate reuse in other contexts.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2016-07-27 18:55:33 +01:00
Michal Privoznik
cd9fcc8be7 libvirt.spec.in: Adapt to newest wireshark plugindir
In the old days, when wireshark plugin was introduced it was
installed under /usr/lib64/wireshark/plugins/$VERSION/ while with
wireshark-2.1.0 this path has changed just to
/usr/lib64/wireshark/plugins. We should teach our spec file about
this change.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
2016-07-27 17:01:18 +02:00
Michal Privoznik
5c2bc001a2 virt-wireshark: Properly substract wireshark prefix
So, when building wireshark plugin, we get the plugindir variable
from the wireshark.pc as well as prefix. Then we replace the
prefix in the plugindir with our own prefix where libvirt is
building to:

  plugindir="${prefix}${plugindir#ws_prefix}"

However, as you can see, there's '$' missing in front of the
ws_prefix variable. This results in the mangled plugindir, for
instance like this:

  plugindir='/usr/usr/lib64/wireshark/plugins'

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
2016-07-27 17:01:18 +02:00
Derbyshev Dmitry
438c204763 qemu: return balloon statistics when all domain statistics reported
To collect all balloon statistics for all guests it was necessary to make
several libvirt requests. Now it's possible to get all balloon statiscs via
single connectGetAllDomainStats call.

Signed-off-by: Derbyshev Dmitry <dderbyshev@virtuozzo.com>
2016-07-27 15:39:47 +02:00
Derbyshev Dmitry
c3e3227ac8 qemu: split qemuDomainMemoryStats into internal and external functions
Is necessary to call it from other contexts, such as qemuDomainGetStatsBalloon.

Signed-off-by: Derbyshev Dmitry <dderbyshev@virtuozzo.com>
2016-07-27 15:39:47 +02:00
Pavel Hrdina
f57fbd6c4a qemu: fix domain memory 'last-update' timestamp
This fixes commit 200a40f9 which introduced 'last-update' timestamp.

Signed-off-by: Derbyshev Dmitry <dderbyshev@virtuozzo.com>
Signed-off-by: Pavel Hrdina <phrdina@redhat.com>
2016-07-27 15:39:47 +02:00
Pavel Hrdina
29fca3994b qemu: fix domain memory 'usable' stat
This fixes commit 65bf0446 which introduced 'usable' stat.

Signed-off-by: Derbyshev Dmitry <dderbyshev@virtuozzo.com>
Signed-off-by: Pavel Hrdina <phrdina@redhat.com>
2016-07-27 15:39:34 +02:00
Derbyshev Dmitry
d04bc2979e virsh: Add balloon stats description to .pod
Description for existing balloon stats was missing for dommemstat.

Signed-off-by: Derbyshev Dmitry <dderbyshev@virtuozzo.com>
2016-07-27 15:27:02 +02:00
Erik Skultety
4e930bb8be virt-admin.pod: Remove a statement about remote access to the daemon
There's been a forgotten fragment (copy-paste error probably) in the
virt-admin's man page referring the reader to our web page on how to construct
URIs in case of remote access, which sort of implies that we support it which
we don't at the moment, so better remove that.

Signed-off-by: Erik Skultety <eskultet@redhat.com>
2016-07-27 13:52:37 +02:00
Prasanna Kumar Kalever
7b7da9e283 qemu: command: Add support for multi-host gluster disks
To allow using failover with gluster it's necessary to specify multiple
volume hosts. Add support for starting qemu with such configurations.

Signed-off-by: Peter Krempa <pkrempa@redhat.com>
2016-07-27 13:38:53 +02:00
Peter Krempa
f444101729 qemu: command: Add infrastructure for object specified disk sources
To allow richer definitions of disk sources add infrastructure that will
allow to register functionst generating a JSON object based definition.

This infrastructure will then convert the definition to the proper
command line syntax and use it in cases where it's necessary. This will
allow to keep legacy definitions for back-compat when possible and use
the new definitions for the configurations requiring them.
2016-07-27 13:33:10 +02:00
Peter Krempa
74df83a9eb util: qemu: Add support for numbered array members
Add support for converting objects nested in arrays with a numbering
discriminator on the command line. This syntax is used for the
object-based specification of disk source properties.
2016-07-27 13:33:10 +02:00
Peter Krempa
f1bbc7df4a storage: gluster: Support multiple hosts in backend functions
As gluster natively supports multiple hosts for failover reasons we can
easily add the support to the storage driver code in libvirt.

Extract the code setting an individual host into a separate function and
call them in a loop. The new code also tries to keep the debug log
entries sane.
2016-07-27 13:33:10 +02:00
Peter Krempa
1575f3e8d3 qemu: command: Refactor code extracted to qemuBuildDriveSourceStr
Avoid a large block by tweaking the condition skipping empty drives and
split up the switch containing two branches having different purpose.
2016-07-27 13:33:10 +02:00
Peter Krempa
3678d42705 qemu: command: Extract drive source command line formatter
The disk source formatting code grew rather ugly and complex and it will
get worse. Extract it into a separated function to contain the mess.
2016-07-27 13:33:10 +02:00
Peter Krempa
ccaaad62a8 qemu: command: Split out network disk URI building
Extract the code so that it can be called from multiple places. This
also removes a tricky fallthrough in the large switch in
qemuBuildNetworkDriveStr.
2016-07-27 13:33:10 +02:00
Peter Krempa
b8dc04a774 qemu: command: Rename qemuBuildNetworkDriveURI to qemuBuildNetworkDriveStr
The function builds also non-uri strings for the various protocols.
2016-07-27 13:33:10 +02:00
Peter Krempa
bc225b1b5f util: storage: Add JSON backing volume parser for 'ssh' protocol 2016-07-27 13:24:20 +02:00
Peter Krempa
29f06ff548 util: storage: Add 'ssh' network storage protocol
Allow using 'ssh' protocol in backing chains and later for disks
themselves.
2016-07-27 13:24:20 +02:00
Peter Krempa
ba8806c8cc util: storage: Add JSON backing store parser for 'sheepdog' protocol 2016-07-27 13:24:20 +02:00
Peter Krempa
a1674fd9d9 util: storage: Add JSON backing volume parser for 'nbd' protocol 2016-07-27 13:24:20 +02:00