Commit Graph

12844 Commits

Author SHA1 Message Date
Peter Krempa
8ad126e695 rpc: Fix connection close callback race condition and memory corruption/crash
The last Viktor's effort to fix the race and memory corruption unfortunately
wasn't complete in the case the close callback was not registered in an
connection. At that time, the trail of event's that I'll describe later could
still happen and corrupt the memory or cause a crash of the client (including
the daemon in case of a p2p migration).

Consider the following prerequisities and trail of events:
Let's have a remote connection to a hypervisor that doesn't have a close
callback registered and the client is using the event loop. The crash happens in
cooperation of 2 threads. Thread E is the event loop and thread W is the worker
that does some stuff. R denotes the remote client.

1.) W - The client finishes everything and sheds the last reference on the client
2.) W - The virObject stuff invokes virConnectDispose that invokes doRemoteClose
3.) W - the remote close method invokes the REMOTE_PROC_CLOSE RPC method.
4.) W - The thread is preempted at this point.
5.) R - The remote side receives the close and closes the socket.
6.) E - poll() wakes up due to the closed socket and invokes the close callback
7.) E - The event loop is preempted right before remoteClientCloseFunc is called
8.) W - The worker now finishes, and frees the conn object.
9.) E - The remoteClientCloseFunc accesses the now-freed conn object in the
        attempt to retrieve pointer for the real close callback.
10.) Kaboom, corrupted memory/segfault.

This patch tries to fix this by introducing a new object that survives the
freeing of the connection object. We can't increase the reference count on the
connection object itself or the connection would never be closed, as the
connection is closed only when the reference count reaches zero.

The new object - virConnectCloseCallbackData - is a lockable object that keeps
the pointers to the real user registered callback and ensures that the
connection callback is either not called if the connection was already freed or
that the connection isn't freed while this is being called.
2013-04-05 10:36:03 +02:00
Peter Krempa
69ab07560a virsh: Register and unregister the close callback also in cmdConnect
This patch improves the error message after disconnecting from the
hypervisor and adds the close callback operations required not to leak
the callback reference.
2013-04-05 10:36:03 +02:00
Peter Krempa
ca9e73ebb6 virsh: Move cmdConnect from virsh-host.c to virsh.c
The function is used to establish connection so it should be in the main
virsh file. This movement also enables further improvements done in next
patches.

Note that the "connect" command has moved from the host section of virsh to the
main section. It is now listed by 'virsh help virsh' instead of 'virsh help
host'.
2013-04-05 10:36:03 +02:00
Viktor Mihajlovski
e964ba2786 virsh: Unregister the connection close notifier upon termination
Before closing the connection we unregister the close callback
to prevent a reference leak.

Further, the messages on virConnectClose != 0 are a bit more specific
now.

Signed-off-by: Viktor Mihajlovski <mihajlov@linux.vnet.ibm.com>
2013-04-05 10:36:03 +02:00
Viktor Mihajlovski
03a43efa86 libvirt: Increase connection reference count for callbacks
By adjusting the reference count of the connection object we
prevent races between callback function and virConnectClose.

Signed-off-by: Viktor Mihajlovski <mihajlov@linux.vnet.ibm.com>
2013-04-05 10:36:02 +02:00
Peter Krempa
482e5f159c virCaps: get rid of defaultConsoleTargetType callback
This patch refactors various places to allow removing of the
defaultConsoleTargetType callback from the virCaps structure.

A new console character device target type is introduced -
VIR_DOMAIN_CHR_CONSOLE_TARGET_TYPE_NONE - to mark that no type was
specified in the XML. This type is at the end converted to the standard
VIR_DOMAIN_CHR_CONSOLE_TARGET_TYPE_SERIAL. Other types that are
different from this default have to be processed separately in the
device post parse callback.
2013-04-04 22:42:39 +02:00
Peter Krempa
46becc18ba virCaps: get rid of macPrefix field
Use the virDomainXMLConf structure to hold this data and tweak the code
to avoid semantic change.

Without configuration the KVM mac prefix is used by default. I chose it
as it's in the privately administered segment so it should be usable for
any purposes.
2013-04-04 22:42:38 +02:00
Peter Krempa
8960d65674 virCaps: get rid of hasWideScsiBus
Use the virDomainXMLConf structure to hold this data.
2013-04-04 22:42:38 +02:00
Peter Krempa
b299084988 virCaps: get rid of defaultDiskDriverType
Use the qemu specific callback to fill this data in the qemu driver as
it's the only place where it was used and fix tests as the qemu test
capability object didn't configure the defaults for the tests.
2013-04-04 22:42:38 +02:00
Peter Krempa
b5def001cc virCaps: get rid of emulatorRequired
This patch removes the emulatorRequired field and associated
infrastructure from the virCaps object. Instead the driver specific
callbacks are used as this field isn't enforced by all drivers.

This patch implements the appropriate callbacks in the qemu and lxc
driver and moves to check to that location.
2013-04-04 22:42:38 +02:00
Peter Krempa
9ea249e7d9 virCaps: get rid of defaultDiskDriverName
This patch removes the defaultDiskDriverName from the virCaps
structure. This particular default value is used only in the qemu driver
so this patch uses the recently added callback to fill the driver name
if it's needed instead of propagating it through virCaps.
2013-04-04 22:42:38 +02:00
Peter Krempa
4750c848e9 virCaps: get rid of "defaultInitPath" value in the virCaps struct
This gets rid of the parameter in favor of using the new callback
infrastructure to do the same stuff.

This patch implements the domain adjustment callback in the openVZ
driver and moves the check from the parser to a new validation method in
the callback infrastructure.
2013-04-04 22:42:37 +02:00
Peter Krempa
a68d672667 qemu: Record the default NIC model in the domain XML
This patch implements the devices post parse callback and uses it to fill
the default qemu network card model into the XML if none is specified.

Libvirt assumes that the network card model for qemu is the "rtl8139".
Record this in the XML using the new callback to avoid user
confusion.
2013-04-04 22:41:20 +02:00
Peter Krempa
ad0d10b2b1 conf callback: Rearrange function parameters
Move the xmlopt and caps arguments to the end of the argument list.
2013-04-04 22:41:19 +02:00
Peter Krempa
43b99fc4c0 conf: Add post XML parse callbacks and prepare for cleaning of virCaps
This patch adds instrumentation that will allow hypervisor drivers to
fill and validate domain and device definitions after parsed by the XML
parser.

With this patch, after the XML is parsed, a callback to the driver is
issued requesting to fill and validate driver specific details of the
configuration. This allows to use sensible defaults and checks on a per
driver basis at the time the XML is parsed.

Two callback pointers are stored in the new virDomainXMLConf object:
* virDomainDeviceDefPostParseCallback (devicesPostParseCallback)
  - called for a single device parsed and for every single device in a
    domain config. A virDomainDeviceDefPtr is passed along with the
    domain definition and virCaps.

* virDomainDefPostParseCallback, (domainPostParseCallback)
  - A callback that is meant to process the domain config after it's
  parsed.  A virDomainDefPtr is passed along with virCaps.

Both types of callbacks support arbitrary opaque data passed for the
callback functions.

Errors may be reported in those callbacks resulting in a XML parsing
failure.
2013-04-04 22:29:48 +02:00
Peter Krempa
e84b19316a maint: Rename xmlconf to xmlopt and virDomainXMLConfig to virDomainXMLOption
This patch is the result of running:

for i in $(git ls-files | grep -v html | grep -v \.po$ ); do
  sed -i -e "s/virDomainXMLConf/virDomainXMLOption/g" -e "s/xmlconf/xmlopt/g" $i
done

and a few manual tweaks.
2013-04-04 22:18:56 +02:00
Daniel P. Berrange
8d3d05d3c1 Create fake NUMA info if libnuma isn't available
If libnuma is not compiled in, or numa_available() returns an
error, stub out fake NUMA info consisting of one NUMA cell
containing all CPUs and memory.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-04-04 11:07:32 +01:00
Daniel P. Berrange
4a2891510b Cope with missing /sys/devices/system/cpu/cpu0/topology files
Not all kernel builds have any entries under the location
/sys/devices/system/cpu/cpu0/topology. We already cope with
that being missing in some cases, but not all. Update the
code which looks for thread_siblings to cope with the missing
file

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-04-04 11:07:32 +01:00
Daniel P. Berrange
9c29c52c5a Add armv6l architecture to list of valid arches
The Raspberry Pi runs the armv6l architecture and apparently
people are trying to run libvirt LXC on it. So we should allow
that as a valid arch

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-04-04 11:07:32 +01:00
Daniel P. Berrange
347081effa Implement minimal sysinfo for ARM platforms
Implement the bare minimal sysinfo for ARM platforms by
reading the CPU models from /proc/cpuinfo

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-04-04 11:07:31 +01:00
Daniel P. Berrange
0464ab183d Disable of unused sysinfotest functions
Certain functions in the sysinfotest.c are not used unless
a whitelisted architecture is being built. Disable those
functions unless required to avoid warnings about unused
functions.

sysinfotest.c:93:1: warning: 'sysinfotest_run' defined but not used [-Wunused-function]
 sysinfotest_run(const char *test,

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-04-04 11:07:00 +01:00
Daniel P. Berrange
6263fc5a5b Wire up sysinfo for LXC driver
The sysinfo code used by QEMU is trivially portable to the
LXC driver
2013-04-04 11:07:00 +01:00
Daniel P. Berrange
e2b373e6d6 Add support for SD cards in nodedev driver
The nodedev driver currently only detects harddisk, cdrom
and floppy devices. This adds support for SD cards, which
are common storage for ARM devices, eg the Google ChromeBook

<device>
  <name>block_mmcblk0_0xb1c7c08b</name>
  <parent>computer</parent>
  <capability type='storage'>
    <block>/dev/mmcblk0</block>
    <drive_type>sd</drive_type>
    <serial>0xb1c7c08b</serial>
    <size>15758000128</size>
    <logical_block_size>512</logical_block_size>
    <num_blocks>30777344</num_blocks>
  </capability>
</device>

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-04-04 11:07:00 +01:00
Daniel P. Berrange
edd87fa2ea Revert "lxc: Prevent shutting down the host"
This reverts commit c9c87376f2.

Now that we force all containers to have a root filesystem,
there is no way the host's /dev is ever exposed

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-04-04 10:51:59 +01:00
Daniel P. Berrange
c131525bec Auto-add a root <filesystem> element to LXC containers on startup
Currently the LXC container code has two codepaths, depending on
whether there is a <filesystem> element with a target path of '/'.
If we automatically add a <filesystem> device with src=/ and dst=/,
for any container which has not specified a root filesystem, then
we only need one codepath for setting up the filesystem.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-04-04 10:51:59 +01:00
Daniel P. Berrange
f7e8653f7e Remove support for old kernels lacking private devpts
Early on kernel support for private devpts was not widespread,
so we had compatibiltiy codepaths. Such old kernels are not
seriously used for LXC these days, so the compat code can go
away

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-04-04 10:51:59 +01:00
Atsushi Kumagai
d369e50825 storage: Fix volume cloning for logical volume.
When creating a logical volume with virStorageVolCreateXMLFrom,
"qemu-img convert" is called internally if clonevol is a file volume.
Then, vol->target.format is used as output_fmt parameter but the
target.format of logical volumes is always 0 because logical volumes
haven't the volume format type element.

Fortunately, 0 was treated as RAW file format before commit f772b3d9,
so there was no problem. But now, 0 is treated as the type of none,
qemu-img fails with "Unknown file format 'none'".

This patch fixes this issue by treating output block devices as RAW
file format like for input block devices.

Signed-off-by: Atsushi Kumagai <kumagai-atsushi@mxc.nes.nec.co.jp>
2013-04-04 10:52:07 +02:00
Guido Günther
ea151935bb security_manager: fix comparison
otherwise we crash later on if we don't find a match like:

 #0  0xb72c2b4f in virSecurityManagerGenLabel (mgr=0xb8e42d20, vm=0xb8ef40c0) at security/security_manager.c:424
 #1  0xb18811f3 in qemuProcessStart (conn=conn@entry=0xb8eed880, driver=driver@entry=0xb8e3b1e0, vm=vm@entry=0xb8ef58f0,
     migrateFrom=migrateFrom@entry=0xb18f6088 "stdio", stdin_fd=18,
     stdin_path=stdin_path@entry=0xb8ea7798 "/var/lib/jenkins/jobs/libvirt-tck-build/workspace/tck.img", snapshot=snapshot@entry=0x0,
     vmop=vmop@entry=VIR_NETDEV_VPORT_PROFILE_OP_RESTORE, flags=flags@entry=2) at qemu/qemu_process.c:3364
 #2  0xb18d6cb2 in qemuDomainSaveImageStartVM (conn=conn@entry=0xb8eed880, driver=driver@entry=0xb8e3b1e0, vm=0xb8ef58f0, fd=fd@entry=0xb6bf3f98,
     header=header@entry=0xb6bf3fa0, path=path@entry=0xb8ea7798 "/var/lib/jenkins/jobs/libvirt-tck-build/workspace/tck.img",
     start_paused=start_paused@entry=false) at qemu/qemu_driver.c:4843
 #3  0xb18d7eeb in qemuDomainRestoreFlags (conn=conn@entry=0xb8eed880,
     path=path@entry=0xb8ea7798 "/var/lib/jenkins/jobs/libvirt-tck-build/workspace/tck.img", dxml=dxml@entry=0x0, flags=flags@entry=0)
     at qemu/qemu_driver.c:4962
 #4  0xb18d8123 in qemuDomainRestore (conn=0xb8eed880, path=0xb8ea7798 "/var/lib/jenkins/jobs/libvirt-tck-build/workspace/tck.img")
     at qemu/qemu_driver.c:4987
 #5  0xb718d186 in virDomainRestore (conn=0xb8eed880, from=0xb8ea87d8 "/var/lib/jenkins/jobs/libvirt-tck-build/workspace/tck.img") at libvirt.c:2768
 #6  0xb7736363 in remoteDispatchDomainRestore (args=<optimized out>, rerr=0xb6bf41f0, client=0xb8eedaf0, server=<optimized out>, msg=<optimized out>)
     at remote_dispatch.h:4679
 #7  remoteDispatchDomainRestoreHelper (server=0xb8e1a3e0, client=0xb8eedaf0, msg=0xb8ee72c8, rerr=0xb6bf41f0, args=0xb8ea8968, ret=0xb8ef5330)
     at remote_dispatch.h:4661
 #8  0xb720db01 in virNetServerProgramDispatchCall (msg=0xb8ee72c8, client=0xb8eedaf0, server=0xb8e1a3e0, prog=0xb8e216b0)
     at rpc/virnetserverprogram.c:439
 #9  virNetServerProgramDispatch (prog=0xb8e216b0, server=server@entry=0xb8e1a3e0, client=0xb8eedaf0, msg=0xb8ee72c8) at rpc/virnetserverprogram.c:305
 #10 0xb7206e97 in virNetServerProcessMsg (msg=<optimized out>, prog=<optimized out>, client=<optimized out>, srv=0xb8e1a3e0) at rpc/virnetserver.c:162
 #11 virNetServerHandleJob (jobOpaque=0xb8ea7720, opaque=0xb8e1a3e0) at rpc/virnetserver.c:183
 #12 0xb70f9f78 in virThreadPoolWorker (opaque=opaque@entry=0xb8e1a540) at util/virthreadpool.c:144
 #13 0xb70f94a5 in virThreadHelper (data=0xb8e0e558) at util/virthreadpthread.c:161
 #14 0xb705d954 in start_thread (arg=0xb6bf4b70) at pthread_create.c:304
 #15 0xb6fd595e in clone () at ../sysdeps/unix/sysv/linux/i386/clone.S:130

This unbreaks libvirt-tck's domain/100-transient-save-restore.t with
qemu:///session and selinux compiled in but disabled.

Introduced by 8d68cbeaa8
2013-04-03 22:57:31 +02:00
Eric Blake
e52a31d166 qemu: fix memory leak on -machine usage error
Commit f84b92ea introduced a memory leak on error; John Ferlan reported
that valgrind caught it during 'make check'.

* src/qemu/qemu_command.c (qemuBuildMachineArgStr): Plug leak.
2013-04-03 11:55:18 -06:00
Daniel P. Berrange
fc8c1787d8 Enable full RELRO mode
By passing the flags -z relro -z now to the linker, we can force
it to resolve all library symbols at startup, instead of on-demand.
This allows it to then make the global offset table (GOT) read-only,
which makes some security attacks harder.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-04-03 16:19:35 +01:00
Daniel P. Berrange
1150999ca4 Build all binaries with PIE
PIE (position independent executable) adds security to executables
by composing them entirely of position-independent code (PIC. The
.so libraries already build with -fPIC. This adds -fPIE which is
the equivalent to -fPIC, but for executables. This for allows Exec
Shield to use address space layout randomization to prevent attackers
from knowing where existing executable code is during a security
attack using exploits that rely on knowing the offset of the
executable code in the binary, such as return-to-libc attacks.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-04-03 16:19:35 +01:00
Peter Krempa
24ca8fae64 qemu-blockjob: Fix limit of bandwidth for block jobs to supported value
The JSON generator is able to represent only values less than LLONG_MAX, fix the
bandwidth limit checks when converting to value to catch overflows before they
reach the generator.
2013-04-03 16:38:51 +02:00
Osier Yang
ad5298e177 rng: Add definition for network disk source
It's long enough to have a independant definition.
2013-04-03 20:14:05 +08:00
Daniel P. Berrange
ad42b34b1b Disable static libraries by default
Every source file is currently built twice by libtool, once for
the shared library and once for the static library. Static libs
are not commonly packaged by distros and slow down compilation
time by more than 50% compared to a shared-only build time.

Time for 'make -j 4':

      shared only: 2 mins  9 secs
  shared + static: 3 mins 26 secs

Time for non-parallel make

      shared only: 3 mins 32 secs
  shared + static: 5 mins 41 secs

Those few people who really want them, can pass --enable-static
to configure

Disabling them by default requires use of LT_INIT, but for
compat with RHEL5 we can't rely on that. So we conditionally
use LT_INIT, but fallback to AM_PROG_LIBTOOL if not present.
2013-04-03 11:02:27 +01:00
Peter Krempa
f006f19561 virsh: Fix typo in docs
s/persitent/persistent/
2013-04-03 11:38:57 +02:00
Michal Privoznik
8d68cbeaa8 sec_manager: Refuse to start domain with unsupported seclabel
https://bugzilla.redhat.com/show_bug.cgi?id=947387

If a user configures a domain to use a seclabel of a specific type,
but the appropriate driver is not accessible, we should refuse to
start the domain. For instance, if user requires selinux, but it is
either non present in the system, or is just disabled, we should not
start the domain. Moreover, since we are touching only those labels we
have a security driver for, the other labels may confuse libvirt when
reconnecting to a domain on libvirtd restart. In our selinux example,
when starting up a domain, missing security label is okay, as we
auto-generate one. But later, when libvirt is re-connecting to a live
qemu instance, we parse a state XML, where security label is required
and it is an error if missing:

  error : virSecurityLabelDefParseXML:3228 : XML error: security label
  is missing

This results in a qemu process left behind without any libvirt control.
2013-04-03 10:19:46 +02:00
Martin Kletzander
e7cd2844ca Allow multiple parameters for schedinfo
virsh schedinfo was able to set only one parameter at a time (not
counting the deprecated options), but it is useful to set more at
once, so this patch adds the possibility to do stuff like this:

virsh schedinfo <domain> cpu_shares=0 vcpu_period=0 vcpu_quota=0 \
emulator_period=0 emulator_quota=0

Invalid scheduler options are reported as well.  These were previously
reported only if the command hadn't updated any values (when
cmdSchedInfoUpdate returned 0).

Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=810078
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=919372
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=919375
2013-04-03 08:49:30 +02:00
Peter Krempa
43b6f304bc qemu: Fix crash when updating media with shared device
Mimic the fix done in 02b9097274 to fix crash by
accessing an already freed structure. Also copy the explaining comment why the
pointer can't be accessed any more.
2013-04-02 23:15:00 +02:00
Michal Privoznik
deb86ee912 virsh: Call virDomainFree in cmdDomFSTrim
https://bugzilla.redhat.com/show_bug.cgi?id=928197

The virsh domfstrim command was not freeing allocated domain,
leaving leaked references behind.
2013-04-02 17:36:06 +02:00
Martin Kletzander
11e295705a manual: Fix copy-paste errors
Descriptions for vol-download and vol-upload didn't make much sense.

Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=923613
2013-04-02 17:06:40 +02:00
Martin Kletzander
d1d2acd7f2 manual: Add info about migrateuri in virsh manual
The virsh(1) man page wasn't saying anything about the 'migrateuri'
parameter other than it can be usually omitted.  A patched version of
docs/migrate.html.in is taken in this patch to fix that up in the man
page.
2013-04-02 17:06:40 +02:00
Peter Krempa
b685a73ed9 virsh-domain: Add --live, --config, --current logic to cmdDetachDisk
Use the established approach to improve this function too.
2013-04-02 16:18:38 +02:00
Peter Krempa
d87f721073 virsh-domain: Add --live, --config, --current logic to cmdDetachDevice
Use the established approach to improve this function too.
2013-04-02 16:18:32 +02:00
Peter Krempa
c3d9f399b5 virsh-domain: Add --live, --config, --current logic to cmdDetachInterface
Use the established approach to improve this function too.
2013-04-02 16:18:05 +02:00
Peter Krempa
69ce3ffa8d virsh: Fix semantics of --config for "update-device" command
The man page states that with --config the next boot is affected. This
can be understood as if _only_ the next boot was affected. This isn't
true if the machine is running.

This patch adds the full --live, --config, --current infrastructure and
tweaks stuff to correctly support the obsolete --persistent flag.

Note that this patch changes the the behavior of the --config flag to match the
use of this flag in rest of libvirt. This flag was mistakenly renamed from
--persistent that originaly had different semantics.
2013-04-02 16:14:14 +02:00
Peter Krempa
cc0cc6b714 virsh-domain: Fix declarations of flag variables in cmdChangeMedia
The parameter options can be declared directly.

Also use macros for mutual exclusion on some of the incompatible
parameter variables.
2013-04-02 16:02:43 +02:00
Peter Krempa
803e467080 virsh-domain: Simplify usage of --current, --live and --config flags
This patch uses the new helper to avoid the more complex check for
domain state modification flags.
2013-04-02 16:02:43 +02:00
Peter Krempa
1f0cac3543 virsh-domain-monitor: Refactor cmdDomIfGetLink
The domif-getlink command did not terminate successfully when the
interface state was found. As the code used old and too complex approach
to do the job, this patch refactors it and fixes the bug.
2013-04-02 15:53:43 +02:00
Peter Krempa
6bd94a1b59 Use virMacAddrFormat instead of manual mac address formatting
Format the address using the helper instead of having similar code in
multiple places.

This patch also fixes leak of the MAC address string in
ebtablesRemoveForwardAllowIn() and ebtablesAddForwardAllowIn() in
src/util/virebtables.c
2013-04-02 15:53:43 +02:00
Peter Krempa
ab4bf20ead util: Change virMacAddrFormat to lowercase hex characters
The domain XML generator creates the mac addres strings with lowercase
strings with a separate piece of code. This patch changes the formating
helper to do the same stuff to allow using it to normalize a string
provided by the user. After this change some of the tests that are
outputing the mac address will need to be changed.
2013-04-02 15:53:43 +02:00