Commit Graph

16444 Commits

Author SHA1 Message Date
Daniel P. Berrange
3ba789ccd5 Add a test suite for nwfilter ebiptables tech driver
Create a nwfilterxml2firewalltest to exercise the
ebiptables_driver.applyNewRules method with a variety of
different XML input files. The XML input files are taken
from the libvirt-tck nwfilter tests. While the nwfilter
tests verify the final state of the iptables chains, this
test verifies the set of commands invoked to create the
chains.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2014-04-25 15:44:10 +01:00
Daniel P. Berrange
4131bff5b7 Remove last trace of direct firewall command exection
Remove all the left over code related to the direct invocation
of firewall-cmd/iptables/ip6tables/ebtables. This is all handled
by the virFirewallPtr APIs now.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2014-04-25 15:44:10 +01:00
Daniel P. Berrange
70571ccc98 Convert ebiptablesDriverProbeStateMatch to virFirewall
Conver the ebiptablesDriverProbeStateMatch initialization
check to use the virFirewall APIs for querying iptables
version.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2014-04-25 15:44:10 +01:00
Daniel P. Berrange
001130c096 Convert nwfilter ebiptablesApplyNewRules to virFirewall
Convert the nwfilter ebtablesApplyNewRules method to use the
virFirewall object APIs instead of creating shell scripts
using virBuffer APIs. This provides a performance improvement
through allowing direct use of firewalld dbus APIs and will
facilitate automated testing.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2014-04-25 15:44:10 +01:00
Daniel P. Berrange
051eb0238a Convert nwfilter ebtablesApplyDropAllRules to virFirewall
Convert the nwfilter ebtablesApplyDropAllRules method to use the
virFirewall object APIs instead of creating shell scripts
using virBuffer APIs. This provides a performance improvement
through allowing direct use of firewalld dbus APIs and will
facilitate automated testing.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2014-04-25 15:44:10 +01:00
Daniel P. Berrange
423735d763 Convert nwfilter ebtablesApplyDHCPOnlyRules to virFirewall
Convert the nwfilter ebtablesApplyDHCPOnlyRules method to use the
virFirewall object APIs instead of creating shell scripts
using virBuffer APIs. This provides a performance improvement
through allowing direct use of firewalld dbus APIs and will
facilitate automated testing.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2014-04-25 15:44:10 +01:00
Daniel P. Berrange
d01eb15303 Convert nwfilter ebtablesApplyBasicRules to virFirewall
Convert the nwfilter ebtablesApplyBasicRules method to use the
virFirewall object APIs instead of creating shell scripts
using virBuffer APIs. This provides a performance improvement
through allowing direct use of firewalld dbus APIs and will
facilitate automated testing.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2014-04-25 15:44:10 +01:00
Daniel P. Berrange
138ef25e99 Convert nwfilter ebiptablesTearNewRules to virFirewall
Convert the nwfilter ebiptablesTearNewRules method to use the
virFirewall object APIs instead of creating shell scripts
using virBuffer APIs. This provides a performance improvement
through allowing direct use of firewalld dbus APIs and will
facilitate automated testing.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2014-04-25 15:44:10 +01:00
Daniel P. Berrange
d7b83ab7c3 Convert nwfilter ebtablesRemoveBasicRules to virFirewall
Convert the nwfilter ebtablesRemoveBasicRules method to use the
virFirewall object APIs instead of creating shell scripts
using virBuffer APIs. This provides a performance improvement
through allowing direct use of firewalld dbus APIs and will
facilitate automated testing.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2014-04-25 15:44:09 +01:00
Daniel P. Berrange
3010fae592 Convert nwfilter ebiptablesTearOldRules to virFirewall
Convert the nwfilter ebiptablesTearOldRules method to use the
virFirewall object APIs instead of creating shell scripts
using virBuffer APIs. This provides a performance improvement
through allowing direct use of firewalld dbus APIs and will
facilitate automated testing.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2014-04-25 15:44:09 +01:00
Daniel P. Berrange
8d55986427 Convert nwfilter ebiptablesAllTeardown to virFirewall
Convert the nwfilter ebiptablesAllTeardown method to use the
virFirewall object APIs instead of creating shell scripts
using virBuffer APIs. This provides a performance improvement
through allowing direct use of firewalld dbus APIs and will
facilitate automated testing.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2014-04-25 15:44:09 +01:00
Daniel P. Berrange
3bf346a124 Convert ebtables code over to use firewall APIs
Convert the virebtables.{c,h} files to use the new virFirewall
APIs for changing ebtables rules.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2014-04-25 15:44:09 +01:00
Daniel P. Berrange
20512b8436 Add test for converting network XML to iptables rules
Using the virCommand dry run capability, capture iptables rules
created by various network XML documents.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2014-04-25 15:44:09 +01:00
Daniel P. Berrange
c13a952f69 Replace virNetworkObjPtr with virNetworkDefPtr in network platform APIs
The networkCheckRouteCollision, networkAddFirewallRules and
networkRemoveFirewallRules APIs all take a virNetworkObjPtr
instance, but only ever access the 'def' member. It thus
simplifies testing if the APIs are changed to just take a
virNetworkDefPtr instead

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2014-04-25 15:44:09 +01:00
Daniel P. Berrange
a66fc27d89 Convert bridge driver over to use new firewall APIs
Update the iptablesXXXX methods so that instead of directly
executing iptables commands, they populate rules in an
instance of virFirewallPtr. The bridge driver can thus
construct the ruleset and then invoke it in one operation
having rollback handled automatically.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2014-04-25 15:44:09 +01:00
Daniel P. Berrange
3a0ca7de51 Introduce an object for managing firewall rulesets
The network and nwfilter drivers both have a need to update
firewall rules. The currently share no code for interacting
with iptables / firewalld. The nwfilter driver is fairly
tied to the concept of creating shell scripts to execute
which makes it very hard to port to talk to firewalld via
DBus APIs.

This patch introduces a virFirewallPtr object which is able
to represent a complete sequence of rule changes, with the
ability to have multiple transactional checkpoints with
rollbacks. By formally separating the definition of the rules
to be applied from the mechanism used to apply them, it is
also possible to write a firewall engine that uses firewalld
DBus APIs natively instead of via the slow firewalld-cmd.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2014-04-25 15:44:09 +01:00
Daniel P. Berrange
89f244ba7c Preserve error when tearing down nwfilter rules
When a VM fails to launch due to error creating nwfilter
rules, we must avoid overwriting the original error when
tearing down the partially created rules.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2014-04-25 15:44:09 +01:00
Daniel P. Berrange
b1c1df05bf Remove two-stage construction of commands in nwfilter
The nwfilter ebiptables driver will build up commands to run in
two phases. The first phase contains all of the command, except
for the '-A' part. Instead it has a '%c' placeholder, along with
a '%s' placeholder for a position arg. The second phase than
substitutes these placeholders. The only values ever used for
these substitutions though is '-A' and '', so it is entirely
pointless. Remove the second phase entirely, since it will make
it harder to convert to the new firewall APIs

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2014-04-25 15:44:09 +01:00
Daniel P. Berrange
3f74b2eb2c Merge nwfilter createRuleInstance driver into applyNewRules
The current nwfilter tech driver API has a 'createRuleInstance' method
which populates virNWFilterRuleInstPtr with a command line string
containing variable placeholders. The 'applyNewRules' method then
expands the variables and executes the commands. This split of
responsibility won't work when switching to the virFirewallPtr
APIs, since we can't just build up command line strings. This patch
this merges the functionality of 'createRuleInstance' into the
applyNewRules method.

The virNWFilterRuleInstPtr struct is changed from holding an array
of opaque pointers, into holding generic metadata about the rules
to be processed. In essence this is the result of taking a linked
set of virNWFilterDefPtr's and flattening the tree to get a list
of virNWFilterRuleDefPtr's. At the same time we must keep track of
any nested virNWFilterObjPtr instances, so that the locks are held
for the duration of the 'applyNewRules' method.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2014-04-25 15:44:09 +01:00
Daniel P. Berrange
4dd7eaa36f Push virNWFilterRuleInstPtr out of (eb|ip)tablesCreateRuleInstance
Later refactoring will change use of the virNWFilterRuleInstPtr struct.
Prepare for this by pushing use of the virNWFilterRuleInstPtr parameter
out of the ebtablesCreateRuleInstance and iptablesCreateRuleInstance
methods. Instead they simply string(s) with the constructed rule data.
The ebiptablesCreateRuleInstance method will make use of the
virNWFilterRuleInstPtr struct instead.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2014-04-25 15:44:09 +01:00
Daniel P. Berrange
23b1d0c07d Add helper methods for determining what protocol layer is used
Add virNWFilterRuleIsProtocol{Ethernet,IPv4,IPv6} helper methods
to avoid having to write a giant switch statements with many cases.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2014-04-25 15:44:09 +01:00
Daniel P. Berrange
143a8a3038 Remove nwfilter tech driver 'displayRuleInstance' callback
The 'displayRuleInstance' callback in the nwfilter tech driver
is never invoked, so can be deleted.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2014-04-25 15:44:09 +01:00
Daniel P. Berrange
9b8aef1a02 Remove nwfilter tech driver 'removeRules' callback
The 'removeRules' callback in the nwfilter tech driver is never
invoked, so can be deleted.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2014-04-25 15:44:09 +01:00
Daniel P. Berrange
293d4fe2f1 Remove pointless storage of var names in virNWFilterHashTable
The virNWFilterHashTable struct contains a virHashTable and
then a 'char **names' field which keeps a copy of all the
hash keys. Presumably this was intended to record the ordering
of the hash keys. No code ever uses this and the ordering is
mangled whenever a variable is removed from the hash, because
the last element in the list is copied into the middle of the
list when shrinking the array.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2014-04-25 15:44:09 +01:00
Daniel P. Berrange
50859fc1dd Remove virDomainNetType parameter from nwfilter drivers
The 'virDomainNetType' is unused in every impl of the
virNWFilterRuleCreateInstance driver method. Remove it
from the code to avoid the dependancy on the external
enum.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2014-04-25 15:44:09 +01:00
Daniel P. Berrange
bc46c7fb92 Move virNWFilterTechDriver struct out of nwfilter_conf.h
The virNWFilterTechDriver struct is nothing to do with the nwfilter
XML configuration. It stores data specific to the driver implementation
so should be in a header in the driver directory instead.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2014-04-25 15:44:09 +01:00
Daniel P. Berrange
9b095625e4 Fix leak on OOM in virNWFilterVarValueCreateSimpleCopyValue
If virNWFilterVarValueCreateSimple fails with OOM, then
'val' will be leaked by virNWFilterVarValueCreateSimpleCopyValue

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2014-04-25 15:44:09 +01:00
Jiri Denemark
dff3ad004a qemu: Avoid overflow when setting migration speed on inactive domains
Commit c4206d7 fixed the overflow for running domains. However, we need
a similar check when setting migration speed on inactive domains.

At first look, it may seem the check in c4206d7 is now redundant but
qemuDomainMigrateSetMaxSpeed is not the only caller of
qemuMonitorSetMigrationSpeed so we need to check the bandwidth in both
places.

https://bugzilla.redhat.com/show_bug.cgi?id=1083483

Signed-off-by: Jiri Denemark <jdenemar@redhat.com>
2014-04-25 16:13:25 +02:00
Daniel P. Berrange
dd477238bc Use virFileFindResource to locate CPU map XML
Replace use of cpuMapOverride with virFileFindResource
to locate CPU map from build dir.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2014-04-25 11:59:46 +01:00
Daniel P. Berrange
bc2f42a094 Use virFileFindResource to locate driver plugins
Replace virDriverModuleInitialize with virFileFindResource
usage.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2014-04-25 11:59:46 +01:00
Daniel P. Berrange
d3c7684220 Use virFileFindResource to locate lock manager plugins
Replace virLockManagerSetPluginDir with virFileFindResource
usage.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2014-04-25 11:59:46 +01:00
Nehal J Wani
c8e22a4c77 Use virFileFindResource to locate iohelper for fdstream
Instead of hardcoding LIBEXECDIR as the location of the libvirt_iohelper
binary, use virFileFindResource to optionally find it in the current
build directory.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2014-04-25 11:59:46 +01:00
Nehal J Wani
12b8290fa5 Use virFileFindResource to locate parthelper for storage backend
Instead of hardcoding LIBEXECDIR as the location of the libvirt_parthelper
binary, use virFileFindResource to optionally find it in the current
build directory.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2014-04-25 11:59:46 +01:00
Nehal J Wani
89de838f1b Use virFileFindResource to locate libvirt_lxc for capabilities
Instead of hardcoding LIBEXECDIR as the location of the libvirt_lxc
binary set in the LXC driver capabilities, use virFileFindResource
to optionally find it in the current build directory.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2014-04-25 11:59:46 +01:00
Nehal J Wani
7d84ca4649 Use virFileFindResource to locate iohelper for virFileWrapperFdNew
Instead of hardcoding LIBEXECDIR as the location of the libvirt_iohelper
binary, use virFileFindResource to optionally find it in the current
build directory.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2014-04-25 11:59:46 +01:00
Daniel P. Berrange
391ac4d990 Activate build dir overrides in libvirtd, virtlockd, virsh & tests
Add calls to virFileActivateDirOverride so that the build dir
overrides are activated.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2014-04-25 11:59:32 +01:00
Daniel P. Berrange
63a92e7220 Add helpers for resolving path to resources in build tree
Add virFileFindResource which will try to locate files
in the local build tree if the calling binary (eg libvirtd or
test suite) is being run from the build tree. The corresponding
virFileActivateDirOverride should be called at startup passing
in argv[0]. This will be examined for evidence of libtool magic
binary prefix / sub-directory in order to activate the override.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2014-04-25 11:42:28 +01:00
Daniel P. Berrange
18dc77d3b5 Add test suite for viralloc APIs
In debugging a crash on OOM, I thought that the virInsert APIs
might be at fault, but couldn't isolate them as a cause. While
the viralloc APIs are used in many test suites, this is as a
side-effect, they are not directly tested :-)

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2014-04-25 11:29:55 +01:00
Jiri Denemark
f22b7899a8 Add support for addressing backing stores by index
Each backing store of a given disk is associated with a unique index
(which is also formatted in domain XML) for easier addressing of any
particular backing store. With this patch, any backing store can be
addressed by its disk target and the index. For example, "vdc[4]"
addresses the backing store with index equal to 4 of the disk identified
by "vdc" target. Such shorthand can be used in any API in place for a
backing file path:

    virsh blockcommit domain vda --base vda[3] --top vda[2]

Signed-off-by: Jiri Denemark <jdenemar@redhat.com>
2014-04-25 11:11:03 +02:00
Jiri Denemark
f5869657c8 virStorageFileChainLookup: Return virStorageSourcePtr
Returning both virStorageSourcePtr and its path member does not make a
lot of sense.

Signed-off-by: Jiri Denemark <jdenemar@redhat.com>
2014-04-25 09:48:00 +02:00
Jiri Denemark
f33eb9c115 qemuDomainBlockCommit: Track virStorageSourcePtr for base
virStorageFileChainLookup is able to give use virStorageSourcePtr which
contains the pointer to its canonical path. Let's use a more general
virStorageSourcePtr instead of just canonical path.

Former base_canon maps to baseSource->path.

Signed-off-by: Jiri Denemark <jdenemar@redhat.com>
2014-04-25 09:46:11 +02:00
Jiri Denemark
ca979b0680 qemuDomainBlockCommit: Don't track top_canon path separately
virStorageFileChainLookup is able to give use virStorageSourcePtr which
contains the pointer to its canonical path. There's no need for the
caller to store both of them.

Former top_meta maps to topSource and top_canon maps to topSource->path.

Signed-off-by: Jiri Denemark <jdenemar@redhat.com>
2014-04-25 09:43:20 +02:00
Eric Blake
fe19043485 build: avoid 'index' as variable name
Once again, gcc 4.4.7 (hello RHEL) rears its ugly head:

conf/domain_conf.c: In function 'virDomainDiskBackingStoreFormat':
conf/domain_conf.c:14940: error: declaration of 'index' shadows a global declaration [-Wshadow]
/usr/include/string.h:489: error: shadowed declaration is here [-Wshadow]

* src/conf/domain_conf.c (virDomainDiskBackingStoreFormat): Pacify
older gcc.

Signed-off-by: Eric Blake <eblake@redhat.com>
2014-04-24 15:46:56 -06:00
Roman Bogorodskiy
6d0a617568 docs: document nmdm type console
* Add nmdm type device to domain format documnetation
* Add a section about nmdm console usage to the bhyve driver
  documentation
2014-04-24 19:57:11 +04:00
Martin Kletzander
9556681388 qemu: don't check for backing chains for formats w/o snapshot support
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1019926
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=868673

Signed-off-by: Martin Kletzander <mkletzan@redhat.com>
2014-04-24 16:48:23 +02:00
Jiri Denemark
1445f34b62 tests: Test backing store XML formatting and parsing
Signed-off-by: Jiri Denemark <jdenemar@redhat.com>
2014-04-24 16:07:56 +02:00
Jiri Denemark
022ccd3d62 tests: More output options for xml2xml tests
So far, qemuxml2xml test was only able to check if the result matches
the original or the appropriate XML in qemuxml2xmloutdata regardless on
flags used to format the XML. Since the result can be different
depending on VIR_DOMAIN_XML_INACTIVE flag being used or not, this patch
adds support for qemuxml2xmlout-%s-active.xml and
qemuxml2xmlout-%s-inactive.xml output files. If the file specific to the
flag used exists, it is used in preference to the generic
qemuxml2xmlout-%s.xml file when reading the expected output.

Signed-off-by: Jiri Denemark <jdenemar@redhat.com>
2014-04-24 16:07:17 +02:00
Jiri Denemark
546154e3d4 conf: Format and parse backing chains in domain XML
This patch implements formating and parsing code for the backing store
schema defined and documented by the previous patch.

This patch does not aim at providing full persistent storage of disk
backing chains yet. The formatter is supposed to provide the backing
chain detected when starting a domain and thus it is not formatted into
an inactive domain XML. The parser is implemented mainly for the purpose
of testing the XML generated by the formatter and thus it does not
distinguish between no backingStore element and an empty backingStore
element. This will have to change once we fully implement support for
user-supplied backing chains.

Signed-off-by: Jiri Denemark <jdenemar@redhat.com>
2014-04-24 16:06:18 +02:00
Jiri Denemark
a2e369bc00 conf: Output disk backing store details in domain XML
The XML for quite a longish backing chain is shown below:

  <disk type='network' device='disk'>
    <driver name='qemu' type='qcow2'/>
    <source protocol='nbd' name='bar'>
      <host transport='unix' socket='/var/run/nbdsock'/>
    </source>
    <backingStore type='block' index='1'>
      <format type='qcow2'/>
      <source dev='/dev/HostVG/QEMUGuest1'/>
      <backingStore type='file' index='2'>
        <format type='qcow2'/>
        <source file='/tmp/image2.qcow'/>
        <backingStore type='file' index='3'>
          <format type='qcow2'/>
          <source file='/tmp/image3.qcow'/>
          <backingStore type='file' index='4'>
            <format type='qcow2'/>
            <source file='/tmp/image4.qcow'/>
            <backingStore type='file' index='5'>
              <format type='qcow2'/>
              <source file='/tmp/image5.qcow'/>
              <backingStore type='file' index='6'>
                <format type='raw'/>
                <source file='/tmp/Fedora-17-x86_64-Live-KDE.iso'/>
                <backingStore/>
              </backingStore>
            </backingStore>
          </backingStore>
        </backingStore>
      </backingStore>
    </backingStore>
    <target dev='vdb' bus='virtio'/>
  </disk>

Various disk types and formats can be mixed in one chain. The
<backingStore/> empty element marks the end of the backing chain and it
is there mostly for future support of parsing the chain provided by a
user. If it's missing, we are supposed to probe for the rest of the
chain ourselves, otherwise complete chain was provided by the user. The
index attributes of backingStore elements can be used to unambiguously
identify a specific part of the image chain.

Signed-off-by: Jiri Denemark <jdenemar@redhat.com>
2014-04-24 16:06:13 +02:00
Daniel P. Berrange
27b2b987bf Fix pci bus naming for PPC
Recent discussions around naming of 'pci' vs 'pci.0' for PPC
made me go back and look at the PPC emulator in every historical
version of QEMU since 1.0. The results were worse than I imagined.
This patch adds the logic required to make libvirt work with PPC
correctly with naming variations across all versions & machine
types.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2014-04-24 14:21:39 +01:00