Commit Graph

347 Commits

Author SHA1 Message Date
Peter Krempa
f0803dae93 (log|lock)daemon: Don't spam logs with IO error messages after client disconnects
The log and lock protocol don't have an extra handshake to close the
connection. Instead they just close the socket. Unfortunately that
resulted into a lot of spurious garbage logged to the system log files:

2017-03-17 14:00:09.730+0000: 4714: error : virNetSocketReadWire:1800 : End of file while reading data: Input/output error

or in the journal as:

Mar 13 16:19:33 xxxx virtlogd[32360]: End of file while reading data: Input/output error

Use the new facility in the netserverclient to suppress the IO error
report from the virNetSocket layer.
2017-03-17 17:20:22 +01:00
Daniel P. Berrange
27cd763500 Increase default file handle limits for daemons
Linux still defaults to a 1024 open file handle limit. This causes
scalability problems for libvirtd / virtlockd / virtlogd on large
hosts which might want > 1024 guest to be running. In fact if each
guest needs > 1 FD, we can't even get to 500 guests. This is not
good enough when we see machines with 100's of physical cores and
TBs of RAM.

In comparison to other memory requirements of libvirtd & related
daemons, the resource usage associated with open file handles
is essentially line noise. It is thus reasonable to increase the
limits unconditionally for all installs.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2017-03-16 10:48:09 +00:00
Daniel P. Berrange
aed0850e39 virtlockd: fix systemd unit file dependancies
After deploying virtlogd by default we identified a number of
mistakes in the systemd unit file. virtlockd's relationship
to libvirtd is the same as virtlogd, so we must apply the
same unit file fixes to virtlockd

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2017-02-03 16:40:08 +00:00
Peter Krempa
9ab36bc233 locking: Fix documentation on how automatic sanlock leases are stored
s/MD5 checkout/MD5 hash/
2016-12-19 17:28:41 +01:00
Erik Skultety
94c465d0eb daemon: Hook up the virLog{Get,Set}DefaultOutput to the daemon's init routine
Now that virLog{Get,Set}DefaultOutput routines are introduced we can wire them
up to the daemon's logging initialization code. Also, change the order of
operations a bit so that we still strictly honor our precedence of settings:
cmdline > env > config now that outputs and filters are not appended anymore.

Signed-off-by: Erik Skultety <eskultet@redhat.com>
2016-12-15 10:36:23 +01:00
Erik Skultety
0d6cf32721 admin: Allow passing NULL to virLogSetOutputs
Along with an empty string, it should also be possible for users to pass
NULL to the public APIs which in turn would trigger a routine(future
work) responsible for defining an appropriate default logging output
given the current circumstances.

Signed-off-by: Erik Skultety <eskultet@redhat.com>
2016-12-15 10:36:23 +01:00
Peter Krempa
e98b30909b lock: Fix loading of config file for the lock daemon
'log_outputs' would be read into the variable for log_filters
2016-12-14 07:24:24 +01:00
Michal Privoznik
b7d2d4af2b src: Treat PID as signed
This initially started as a fix of some debug printing in
virCgroupDetect. However it turned out that other places suffer
from the similar problem. While dealing with pids, esp. in cases
where we cannot use pid_t for ABI stability reasons, we often
chose an unsigned integer type. This makes no sense as pid_t is
signed.
Also, new syntax-check rule is introduced so we won't repeat this
mistake.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
2016-10-13 17:58:56 +08:00
Erik Skultety
30b650b2ba daemon: Split filter parsing and filter defining
Similar to outputs, parser should do parsing only, thus the 'define' logic
is going to be stripped from virLogParseAndDefineFilters by replacing calls to
this method to virLogSetFilters instead.

Signed-off-by: Erik Skultety <eskultet@redhat.com>
2016-10-10 08:27:25 +02:00
Erik Skultety
c9279169a1 daemon: Split output parsing and output defining
Since virLogParseAndDefineOutputs is going to be stripped from 'output defining'
logic, replace all relevant occurrences with virLogSetOutputs call to make the
change transparent to all original callers (daemons mostly).

Signed-off-by: Erik Skultety <eskultet@redhat.com>
2016-10-10 08:27:25 +02:00
Erik Skultety
b8c370a96e virlog: Rename virLogParse* to virLogParseAndDefine*
Right now virLogParse* functions are doing both parsing and defining of filters
and outputs which should be two separate operations. Since the naming is
apparently a bit poor this patch renames these functions to
virLogParseAndDefine* which eventually will be replaced by virLogSet*.
Additionally, virLogParse{Filter,Output} will be later (after the split) reused,
so that these functions do exactly what the their name suggests.

Signed-off-by: Erik Skultety <eskultet@redhat.com>
2016-10-10 08:27:24 +02:00
Michal Privoznik
5fe66ea3bf sanlock: Properly init io_timeout
https://bugzilla.redhat.com/show_bug.cgi?id=1292984

Hold on to your hats, because this is gonna be wild.

In bd3e16a3 I've tried to expose sanlock io_timeout. What I had
not realized (because there is like no documentation for sanlock
at all) was very unusual way their APIs work. Basically, what we
do currently is:

    sanlock_add_lockspace_timeout(&ls, io_timeout);

which adds a lockspace to sanlock daemon. One would expect that
io_timeout sets the io_timeout for it. Nah! That's where you are
completely off the tracks. It sets timeout for next lockspace you
will probably add later. Therefore:

   sanlock_add_lockspace_timeout(&ls, io_timeout = 10);
   /* adds new lockspace with default io_timeout */

   sanlock_add_lockspace_timeout(&ls, io_timeout = 20);
   /* adds new lockspace with io_timeout = 10 */

   sanlock_add_lockspace_timeout(&ls, io_timeout = 40);
   /* adds new lockspace with io_timeout = 20 */

And so on. You get the picture.
Fortunately, we don't allow setting io_timeout per domain or per
domain disk. So we just need to set the default used in the very
first step and hope for the best (as all the io_timeout-s used
later will have the same value).

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
2016-09-29 16:59:11 +02:00
Michal Privoznik
2bca7cec0b m4: Check for sanlock_write_lockspace
Currently, we are checking for sanlock_add_lockspace_timeout
which is good for now. But in a subsequent patch we are going to
use sanlock_write_lockspace (which sets an initial value for io
timeout for sanlock). Now, there is no reason to check for both
functions in sanlock library as the sanlock_write_lockspace was
introduced in 2.7 release and the one we are currently checking
for in the 2.5 release. Therefore it is safe to assume presence
of sanlock_add_lockspace_timeout when sanlock_write_lockspace
is detected.

Moreover, the macro for conditional compilation is renamed to
HAVE_SANLOCK_IO_TIMEOUT (as it now encapsulates two functions).

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
2016-09-29 16:59:11 +02:00
Michal Privoznik
78da4296a6 lock_driver_sanlock: Avoid global driver variable whenever possible
Global variables are bad, we should avoid using them.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
2016-09-29 16:59:11 +02:00
Daniel P. Berrange
544f087e41 sanlock: convert to typesafe virConf accessors
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2016-07-12 09:58:22 +01:00
Daniel P. Berrange
b474952eb7 lockd: convert to typesafe virConf accessors
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2016-07-12 09:58:22 +01:00
Daniel P. Berrange
2666b2905f virtlockd: convert to typesafe virConf accessors
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2016-07-12 09:58:21 +01:00
Jaroslav Suchanek
c59b9e1483 logging: fixing log level initialization from cmdline
Reorder code for setting default log level from cmdline prior
initialization of log outputs. Thus the --verbose option is reflected.

This resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1325072
2016-06-28 13:52:34 +02:00
Jovanka Gulicoska
b29e08dbe3 More usage of virGetLastErrorMessage
Convert to virGetLastErrorMessage() in the rest of the code
2016-05-19 15:17:03 -04:00
Erik Skultety
5841d64d25 rpc: virnetserverclient: Identify clients by an integer ID
Admin API needs a way of addressing specific clients. Unlike servers, which we
are happy to address by names both because its name reflects its purpose (to
some extent) and we only have two of them (so far), naming clients doesn't make
any sense, since a) each client is an anonymous, i.e. not recognized after a
disconnect followed by a reconnect, b) we can't predict what kind of requests
it's going to send to daemon, and c) the are loads of them comming and going,
so the only viable option is to use an ID which is of a reasonably wide data
type.

Signed-off-by: Erik Skultety <eskultet@redhat.com>
2016-05-02 22:25:51 +02:00
Andrea Bolognani
92b2c047d6 man: Fix SYNOPSIS section
Format the text properly.
2016-04-25 15:40:44 +02:00
Andrea Bolognani
5b479f3b5b build: Standardize on .pod -> .x.in -> .x
After this commit, all man pages are generated using the same two
steps:

  1. Process a source $command.pod file with pod2man(1) to obtain
     a valid man page in $command.$section.in

  2. Process $command.$section.in with sed(1) to obtain the final
     man page in $command.$section
2016-04-25 15:40:44 +02:00
Cole Robinson
e7db227810 util: Add virGettextInitialize, convert the code
Take setlocale/gettext error handling pattern from tools/virsh-*
and use it for all standalone binaries via a new shared
virGettextInitialize routine. The virsh* pattern differed slightly
from other callers. All users now consistently:

* Ignore setlocale errors. virsh has done this forever, presumably for
  good reason. This has been partially responsible for some bug reports:

  https://bugzilla.redhat.com/show_bug.cgi?id=1312688
  https://bugzilla.redhat.com/show_bug.cgi?id=1026514
  https://bugzilla.redhat.com/show_bug.cgi?id=1016158

* Report the failed function name
* Report strerror
2016-04-14 13:22:40 -04:00
Martin Kletzander
fd4f278e1a daemon: Get server name from the server itself
Since servers know their name, there is no need to supply such
information twice.  Also defeats inconsistencies.

Signed-off-by: Martin Kletzander <mkletzan@redhat.com>
2016-03-11 12:58:41 +01:00
Martin Kletzander
dad3b07814 server: Store server name in server object
At first I did not want to do this, but after trying to implement some
newer feaures in the admin API I realized we need that to make our lives
easier.  On the other hand they are not saved redundantly and the
virNetServer objects are still kept in a hash table.

Signed-off-by: Martin Kletzander <mkletzan@redhat.com>
2016-03-11 12:58:41 +01:00
John Ferlan
0e3e00a183 locking: Use bit shift for flag values not constant values.
So far it hasn't bitten us, but if the next value wasn't 4, then
the logic used to check flag bits would have issues.
2016-03-07 15:48:19 -05:00
Erik Skultety
252610f7dd virnetdaemon: Store servers in a hash table
Since the daemon can manage and add (at fresh start) multiple servers,
we also should be able to add them from a JSON state file in case of a
daemon restart, so post exec restart support for multiple servers is also
provided. Patch also updates virnetdaemontest accordingly.

Signed-off-by: Erik Skultety <eskultet@redhat.com>
Signed-off-by: Martin Kletzander <mkletzan@redhat.com>
2016-02-17 12:46:34 +01:00
Erik Skultety
cc48d3a122 util: Add a return value to void hash iterators
Our existing virHashForEach method iterates through all items disregarding the
fact, that some of the iterators might have actually failed. Errors are usually
dispatched through an error element in opaque data which then causes the
original caller of virHashForEach to return -1. In that case, virHashForEach
could return as soon as one of the iterators fail. This patch changes the
iterator return type and adjusts all of its instances accordingly, so the
actual refactor of virHashForEach method can be dealt with later.

Signed-off-by: Erik Skultety <eskultet@redhat.com>
2016-02-17 12:46:34 +01:00
Martin Kletzander
4b47f9b82c Fix make check with gcc version 5
When building with gcc-5 (particularly gcc-5.3.0 now) and having pdwtags
installed (package dwarves) make check fails with the following error:

  $ make lock_protocol-struct
  GEN      lock_protocol-struct
  --- lock_protocol-structs	2016-01-13 15:04:59.318809607 +0100
  +++ lock_protocol-struct-t3	2016-01-13 15:05:17.703501234 +0100
  @@ -26,10 +26,6 @@
           virLockSpaceProtocolNonNullString name;
           u_int                      flags;
   };
  -enum virLockSpaceProtocolAcquireResourceFlags {
  -        VIR_LOCK_SPACE_PROTOCOL_ACQUIRE_RESOURCE_SHARED = 1,
  -        VIR_LOCK_SPACE_PROTOCOL_ACQUIRE_RESOURCE_AUTOCREATE = 2,
  -};
   struct virLockSpaceProtocolAcquireResourceArgs {
           virLockSpaceProtocolNonNullString path;
           virLockSpaceProtocolNonNullString name;
  Makefile:10415: recipe for target 'lock_protocol-struct' failed
  make: *** [lock_protocol-struct] Error 1

That happens because without any specific options gcc doesn't keep enum
information in the resulting binary object.  I managed to isolate the
parameters of gcc that caused this issue to disappear, however I
remember that they influenced the resulting binaries quite a bit and
were definitely not something we would want to add as mandatory to the
build process.

So to deal with this cleanly, let's take that enum and separate it out
to its own header file.  Since it is only used in the lockd driver and
the protocol, lock_driver_lockd.h feels like a suitable name.

Signed-off-by: Martin Kletzander <mkletzan@redhat.com>
2016-01-18 15:19:21 +01:00
Martin Kletzander
6dc0e4f171 Fix LSB requirements in service script and sync them
Commit b22344f328 mistakenly reordered
Default-* lines.  Thanks to that I noticed that we are very inconsistent
with our init scripts, so I took the liberty of synchronizing them,
updating them and making them all look shiny and new.  So apart from
fixing the LSB requirements, I also fixed the ordering, specified
runlevels and fix the link to the reference specification.

Signed-off-by: Martin Kletzander <mkletzan@redhat.com>
2016-01-11 15:49:13 +01:00
Daniel P. Berrange
c32d977e0f virtlockd: fix misc memory leaks and other bugs
Fix memory leaks, failure to restore umask and missing man
page docs.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2015-11-26 14:30:26 +00:00
Michal Privoznik
bd3e16a3cf locking: Add io_timeout to sanlock
https://bugzilla.redhat.com/show_bug.cgi?id=1251190

So, if domain loses access to storage, sanlock tries to kill it
after some timeout. So far, the default is 80 seconds. But for
some scenarios this might not be enough. We should allow users to
adjust the timeout according to their needs.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
2015-11-18 10:56:56 +01:00
Michal Privoznik
4f3d15479a lock_daemon: Switch to wrapper locking functions
Lets use wrapper functions virLockDaemonLock and
virLockDaemonUnlock instead of virMutexLock and virMutexUnlock.
This has no functional impact, but it's easier to read (at least
for me).

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
2015-10-27 09:49:23 +01:00
Michal Privoznik
499e302f96 virtlockd: Don't SIGSEGV on SIGUSR1
So we have this mechanism that on SIGUSR1 the virtlockd dumps its
internal state into a JSON file, reexec itself and the reloads
the internal state back. However, there's a bug in our
implementation:

  (gdb) signal SIGUSR1
  Continuing with signal SIGUSR1.
  [Thread 0x7fd094f7b700 (LWP 10602) exited]
  process 10600 is executing new program: /home/zippy/work/libvirt/libvirt.git/src/virtlockd
  warning: Could not load shared library symbols for linux-vdso.so.1.
  Do you need "set solib-search-path" or "set sysroot"?
  [Thread debugging using libthread_db enabled]
  Using host libthread_db library "/lib64/libthread_db.so.1".
  [New Thread 0x7fb28bc3c700 (LWP 14501)]

  Program received signal SIGSEGV, Segmentation fault.
  0x00007fb29133d530 in virExpandN (ptrptr=0x70, size=8, countptr=0x68, add=1, report=true, domcode=7, filename=0x7fb29138aeab "rpc/virnetserver.c", funcname=0x7fb29138b680 <__FUNCTION__.15821> "virNetServerAddProgram", linenr=661) at util/viralloc.c:288
  288         if (*countptr + add < *countptr) {
  (gdb) bt
  #0  0x00007fb29133d530 in virExpandN (ptrptr=0x70, size=8, countptr=0x68, add=1, report=true, domcode=7, filename=0x7fb29138aeab "rpc/virnetserver.c", funcname=0x7fb29138b680 <__FUNCTION__.15821> "virNetServerAddProgram", linenr=661) at util/viralloc.c:288
  #1  0x00007fb29132a267 in virNetServerAddProgram (srv=0x0, prog=0x7fb2915d08b0) at rpc/virnetserver.c:661
  #2  0x00007fb29131f27f in main (argc=1, argv=0x7fff8f771298) at locking/lock_daemon.c:1445

Notice the NULL @srv passed to frame 2? Usually, the @srv
variable is initialized on fresh start. However, in case of
daemon reload, the code path that is responsible for initializing
the value was not triggered and therefore we crashed immediately.
Fix this by always setting the variable.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
2015-10-16 16:51:41 +02:00
Michal Privoznik
4f77c48cba virJSONValueArraySize: return ssize_t
The internal representation of a JSON array counts the items in
size_t. However, for some reason, when asking for the count it's
reported as int. Firstly, we need the function to return a signed
type as it's returning -1 on an error. But, not every system has
integer the same size as size_t. Therefore, lets return ssize_t.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
2015-10-09 15:25:08 +02:00
Erik Skultety
f08b1c58f3 locking: Remove redundant 'srv' element from virLockDaemon
Now that we have virNetDaemon object holding all the data and being
capable of referencing multiple servers, having a duplicate reference to
a single server stored in virLockDaemon isn't necessary anymore. This
patch removes the above described element.
2015-08-24 10:37:12 +02:00
Martin Kletzander
a8743c3938 rpc: Remove keepalive_required option
Since its introduction in 2011 (particularly in commit f4324e3292),
the option doesn't work.  It just effectively disables all incoming
connections.  That's because the client private data that contain the
'keepalive_supported' boolean, are initialized to zeroes so the bool is
false and the only other place where the bool is used is when checking
whether the client supports keepalive.  Thus, according to the server,
no client supports keepalive.

Removing this instead of fixing it is better because a) apparently
nobody ever tried it since 2011 (4 years without one month) and b) we
cannot know whether the client supports keepalive until we get a ping or
pong keepalive packet.  And that won't happen until after we dispatched
the ConnectOpen call.

Another two reasons would be c) the keepalive_required was tracked on
the server level, but keepalive_supported was in private data of the
client as well as the check that was made in the remote layer, thus
making all other instances of virNetServer miss this feature unless they
all implemented it for themselves and d) we can always add it back in
case there is a request and a use-case for it.

Signed-off-by: Martin Kletzander <mkletzan@redhat.com>
2015-08-10 13:15:56 +02:00
Martin Kletzander
fa14207368 Move daemon-related parts of virNetServer to virNetDaemon
This allows to have more servers in one daemon which helps isolating
some resources.

Signed-off-by: Martin Kletzander <mkletzan@redhat.com>
2015-06-16 13:46:19 +02:00
Jim Fehlig
ee3eddb332 locking: relax PID requirement
Some hypervisors like Xen do not have PIDs associated with domains.
Relax the requirement for PID != 0 in the locking code so it can
be used by hypervisors that do not represent domains as a process
running on the host.

Signed-off-by: Jim Fehlig <jfehlig@suse.com>
2015-04-22 14:16:44 -06:00
Jiri Denemark
4864e377c9 sanlock: Use VIR_ERR_RESOURCE_BUSY if sanlock_acquire fails
When acquiring resource via sanlock fails, we would report it as
VIR_ERR_INTERNAL_ERROR, which is not very friendly to applications using
libvirt. Moreover, the lockd driver would report the same failure as
VIR_ERR_RESOURCE_BUSY, which looks better.

Unfortunately, in sanlock driver we don't really know if acquiring the
resource failed because it was already locked or there was another
reason behind. But the end result is the same and I think using
VIR_ERR_RESOURCE_BUSY reason for all acquire failures is still better
than what we have now.

https://bugzilla.redhat.com/show_bug.cgi?id=1165119
Signed-off-by: Jiri Denemark <jdenemar@redhat.com>
2015-04-15 09:40:42 +02:00
Ján Tomko
a0482396d7 Remove unused macros
In the order of appearance:

* MAX_LISTEN - never used
  added by 23ad665c (qemud) and addec57 (lock daemon)

* NEXT_FREE_CLASS_ID - never used, added by 07d1b6b

* virLockError - never used, added by eb8268a4

* OPENVZ_MAX_ARG, CMDBUF_LEN, CMDOP_LEN
  unused since the removal of ADD_ARG_LIT in d8b31306

* QEMU_NB_PER_CPU_STAT_PARAM - unused since 897808e

* QEMU_CMD_PROMPT, QEMU_PASSWD_PROMPT - unused since 1dc10a7

* TEST_MODEL_WORDSIZE - unused since c25c18f7

* TEMPDIR - never used, added by 714bef5

* NSIG - workaround around old headers
  added by commit 60ed1d2
  unused since virExec was moved by commit 02e8691

* DO_TEST_PARSE - never used, added by 9afa006

* DIFF_MSEC, GETTIMEOFDAY - unused since eee6eb6
2015-04-02 10:27:56 +02:00
Jiri Denemark
667cce7b60 Set thread job for every RPC call
Since all APIs are also RPC calls, we automatically get all APIs covered
with thread jobs.

Signed-off-by: Jiri Denemark <jdenemar@redhat.com>
2015-03-25 10:00:54 +01:00
Jiri Denemark
54972be843 sanlock: Don't spam logs with "target pid not found"
Commit v1.2.4-52-gda879e5 fixed issues with domains started before
sanlock driver was enabled by checking whether a running domain is
registered with sanlock and if it's not, sanlock driver is basically
ignored for the domain.

However, it was checking this even for domain which has just been
started and no sanlock_* API was called for them yet. This results in

    cmd 9 target pid 2135544 not found

error messages to appear in sanlock.log whenever we start a new domain.

This patch avoids this useless check for freshly started domains.

Signed-off-by: Jiri Denemark <jdenemar@redhat.com>
2015-03-09 13:36:40 +01:00
Jiri Denemark
6beb75d96d locking: Fix flags in virLockManagerLockDaemonNew
virLockManager*New APIs are never called with
VIR_LOCK_MANAGER_USES_STATE. Moreover, lockd driver does not maintain
any state that would need to be transferred during migration and thus it
should not mention VIR_LOCK_MANAGER_USES_STATE at all.

Signed-off-by: Jiri Denemark <jdenemar@redhat.com>
2015-03-09 13:36:39 +01:00
Jiri Denemark
bc6e206322 Search for schemas and cpu_map.xml in source tree
Not all files we want to find using virFileFindResource{,Full} are
generated when libvirt is built, some of them (such as RNG schemas) are
distributed with sources. The current API was not able to find source
files if libvirt was built in VPATH.

Both RNG schemas and cpu_map.xml are distributed in source tarball.

Signed-off-by: Jiri Denemark <jdenemar@redhat.com>
2015-02-19 15:25:04 +01:00
Ján Tomko
1390c26847 safezero: fall back to writing zeroes even when resizing
Remove the resize flag and use the same code path for all callers.
This flag was added by commit 18f0316 to allow virStorageFileResize
use 'safezero' while preserving the behavior.

Explicitly return -2 when a fallback to a different method should
be done, to make the code path more obvious.

Fail immediately when ftruncate fails in the mmap method,
as we did before commit 18f0316.
2015-01-09 13:48:23 +01:00
John Ferlan
18f03166fd virstoragefile: Have virStorageFileResize use safezero
Currently virStorageFileResize() function uses build conditionals to
choose either the posix_fallocate() or syscall(SYS_fallocate) with no
fallback in order to preallocate the space in the newly resized file.

Since the safezero code has a similar set of conditionals modify the
resize and safezero code in order to allow the resize logic to make use
of safezero to unify the look/feel of the code paths.

Add a new boolean (resize) to safezero() to make the optional decision
whether to try syscall(SYS_fallocate) if the posix_fallocate fails because
HAVE_POSIX_FALLOCATE is not defined (eg, return -1 and errno == 0).

Create a local safezero_sys_fallocate in order to handle the resize
code paths that support that.  If not present, the set errno = ENOSYS
in order to allow the caller to handle the failure scenarios.

Signed-off-by: John Ferlan <jferlan@redhat.com>
2014-12-16 13:11:35 -05:00
Daniel P. Berrange
ac1ce21550 fix typo in sanlock driver s/VIR_CONF_UONG/VIR_CONF_ULONG/
fix typo introduced in previous commit
2014-12-15 10:08:06 +00:00
Michal Privoznik
ca4f9518b8 virconf: Introduce VIR_CONF_ULONG
https://bugzilla.redhat.com/show_bug.cgi?id=1160995

In our config files users are expected to pass several integer values
for different configuration knobs. However, majority of them expect a
nonnegative number and only a few of them accept a negative number too
(notably keepalive_interval in libvirtd.conf).
Therefore, a new type to config value is introduced: VIR_CONF_ULONG
that is set whenever an integer is positive or zero. With this
approach knobs accepting VIR_CONF_LONG should accept VIR_CONF_ULONG
too.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
2014-12-15 10:34:18 +01:00
Michal Privoznik
f81a702180 virConfType: switch to VIR_ENUM_{DECL,IMPL}
There's no need to implement ToString() function like we do if we
can use our shiny macros.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
2014-12-15 10:34:18 +01:00
John Ferlan
8fb3aee2f8 Replace virDomainFree with virObjectUnref
Since virDomainFree will call virObjectUnref anyway, let's just use that
directly so as to avoid the possibility that we inadvertently clear out
a pending error message when using the public API.
2014-12-02 11:03:40 -05:00
Martin Kletzander
138c2aee01 Remove unnecessary curly brackets in rest of src/[a-n]*/
Signed-off-by: Martin Kletzander <mkletzan@redhat.com>
2014-11-14 17:13:36 +01:00
Eric Blake
ff99c79195 maint: avoid static zero init in helpers
C guarantees that static variables are zero-initialized.  Some older
compilers (and also gcc -fno-zero-initialized-in-bss) create larger
binaries if you explicitly zero-initialize a static variable.

* src/conf/nwfilter_conf.c: Fix initialization.
* src/cpu/cpu_x86.c: Likewise.
* src/interface/interface_backend_netcf.c: Likewise.
* src/locking/lock_daemon.c: Likewise.
* src/locking/lock_driver_lockd.c: Likewise.
* src/locking/lock_driver_sanlock.c: Likewise.
* src/network/bridge_driver.c: Likewise.
* src/node_device/node_device_udev.c: Likewise.
* src/nwfilter/nwfilter_learnipaddr.c: Likewise.
* src/rpc/virnetserver.c: Likewise.
* src/security/security_selinux.c
(virSecuritySELinuxGenSecurityLabel): Likewise.

Signed-off-by: Eric Blake <eblake@redhat.com>
2014-10-29 09:55:09 -06:00
Martin Kletzander
8035f2e6f2 remove redundant pidfile path constructions
Signed-off-by: Martin Kletzander <mkletzan@redhat.com>
2014-09-15 09:49:34 +02:00
Jiri Denemark
760cf5d30e sanlock: Avoid freeing uninitialized value
https://bugzilla.redhat.com/show_bug.cgi?id=1136788
Signed-off-by: Jiri Denemark <jdenemar@redhat.com>
2014-09-03 15:22:10 +02:00
Michal Privoznik
66eaa887e9 Fix spacing around commas
On some places in the libvirt code we have:

  f(a,z)

instead of

  f(a, z)

This trivial patch fixes couple of such occurrences.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
2014-08-22 15:03:39 +02:00
Martin Kletzander
e1f2ec67c2 rpc: set listen backlog on FDs as well as on other sockets
Signed-off-by: Martin Kletzander <mkletzan@redhat.com>
2014-08-22 09:12:13 +02:00
Martin Kletzander
8989597cd9 util: abstract parsing of passed FDs into virGetListenFDs()
Since not only systemd can do this (we'll be doing it as well few
patches later), change 'systemd' to 'caller' and fix LISTEN_FDS to
LISTEN_PID where applicable.

Signed-off-by: Martin Kletzander <mkletzan@redhat.com>
2014-08-22 09:12:13 +02:00
Michal Privoznik
607806f87f Fix const correctness
In many places we define a variable as a 'const char *' when in fact
we modify it just a few lines below. Or even free it. We should not do
that.

There's one exception though, in xenSessionFree() xenapi_utils.c. We
are freeing the xen_session structure which is defined in
xen/api/xen_common.h public header. The structure contains session_id
which is type of 'const char *' when in fact it should have been just
'char *'. So I'm leaving this unmodified, just noticing the fact in
comment.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
2014-07-16 12:07:24 +02:00
Peter Krempa
68f0deb0dc locking: Add APIs to lock individual image files
Add helper APIs to manage individual image files rather than disks. To
simplify the addition some parts of the code were refactored in this
patch.
2014-07-09 10:38:56 +02:00
Peter Krempa
63834faadb storage: Move readonly and shared flags to disk source from disk def
In the future we might need to track state of individual images. Move
the readonly and shared flags to the virStorageSource struct so that we
can keep them in a per-image basis.
2014-07-08 14:27:19 +02:00
Ján Tomko
f1e192e92e Free the return value of virFileFindResource
Commits e18a80a and 57e5c3c switched from a getenv wrapper which
does not allocate a string to virFileFindResource which does not,
without freeing it.

https://bugzilla.redhat.com/show_bug.cgi?id=1116427
2014-07-07 08:32:11 +02:00
Ján Tomko
92a8e72f9d Use virBufferCheckError everywhere we report OOM error
Replace:
if (virBufferError(&buf)) {
    virBufferFreeAndReset(&buf);
    virReportOOMError();
    ...
}

with:
if (virBufferCheckError(&buf) < 0)
    ...

This should not be a functional change (unless some callers
misused the virBuffer APIs - a different error would be reported
then)
2014-07-03 10:48:14 +02:00
Martin Kletzander
3de462fe9a Remove unnecessary empty first lines
Signed-off-by: Martin Kletzander <mkletzan@redhat.com>
2014-06-06 10:52:05 +02:00
Martin Kletzander
5884adc28a sanlock: avoid leak in acquire()
Signed-off-by: Martin Kletzander <mkletzan@redhat.com>
2014-05-13 13:50:57 +02:00
Martin Kletzander
da879e5921 sanlock: don't fail with unregistered domains
When a domain was started without registration in sanlock, but libvirt
was restarted after that, most of the operations failed due to
contacting sanlock about that process.  E.g. migration could not be
performed because the locks couldn't be released (or inquired before a
release).

Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1088034

Signed-off-by: Martin Kletzander <mkletzan@redhat.com>
2014-05-13 10:51:43 +02:00
Martin Kletzander
d99057423c sanlock: code movement in virLockManagerSanlockAcquire
Just move some code around for future patches to ease the review.
With this patch there is no need for drastic cleanup path later.

Signed-off-by: Martin Kletzander <mkletzan@redhat.com>
2014-05-13 10:51:43 +02:00
Daniel P. Berrange
727efb9696 Make autostart of virtlockd actually work
The virnetsocket.c API is hardcoded to pass --timeout=30 to
any daemon it auto-starts. For inexplicable reasons the virtlockd
daemon did not implement the --timeout option, so it would
immediately exit on autostart with an error.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2014-04-28 13:30:41 +01:00
Daniel P. Berrange
e18a80a3a0 Use virFileFindResource to locate virtlockd daemon
Make the lock plugin use virFileFindResource to find the
virtlockd daemon path, so that it executes the in-builddir
daemon if run from source tree.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2014-04-28 13:30:41 +01:00
Daniel P. Berrange
d3c7684220 Use virFileFindResource to locate lock manager plugins
Replace virLockManagerSetPluginDir with virFileFindResource
usage.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2014-04-25 11:59:46 +01:00
Daniel P. Berrange
391ac4d990 Activate build dir overrides in libvirtd, virtlockd, virsh & tests
Add calls to virFileActivateDirOverride so that the build dir
overrides are activated.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2014-04-25 11:59:32 +01:00
Nehal J Wani
3d5c29a17c Fix typos in src/*
Fix minor typos in source comments

Signed-off-by: Eric Blake <eblake@redhat.com>
2014-04-21 16:49:08 -06:00
Eric Blake
16ac4c9d64 conf: move host disk type to util/
A continuation of the migration of disk details to virstoragefile.
This patch moves a single enum, but converting the name has quite
a bit of fallout.

* src/conf/domain_conf.h (virDomainDiskType): Move...
* src/util/virstoragefile.h (virStorageType): ...and rename.
* src/bhyve/bhyve_command.c (bhyveBuildDiskArgStr)
(virBhyveProcessBuildLoadCmd): Update clients.
* src/conf/domain_conf.c (virDomainDiskSourceDefParse)
(virDomainDiskDefParseXML, virDomainDiskSourceDefFormatInternal)
(virDomainDiskDefFormat, virDomainDiskGetActualType)
(virDomainDiskDefForeachPath, virDomainDiskSourceIsBlockType):
Likewise.
* src/conf/snapshot_conf.h (_virDomainSnapshotDiskDef): Likewise.
* src/conf/snapshot_conf.c (virDomainSnapshotDiskDefParseXML)
(virDomainSnapshotAlignDisks, virDomainSnapshotDiskDefFormat):
Likewise.
* src/esx/esx_driver.c (esxAutodetectSCSIControllerModel)
(esxDomainDefineXML): Likewise.
* src/locking/domain_lock.c (virDomainLockManagerAddDisk):
Likewise.
* src/lxc/lxc_controller.c
(virLXCControllerSetupLoopDeviceDisk)
(virLXCControllerSetupNBDDeviceDisk)
(virLXCControllerSetupLoopDevices, virLXCControllerSetupDisk):
Likewise.
* src/parallels/parallels_driver.c (parallelsGetHddInfo):
Likewise.
* src/phyp/phyp_driver.c (phypDiskType): Likewise.
* src/qemu/qemu_command.c (qemuGetDriveSourceString)
(qemuDomainDiskGetSourceString, qemuBuildDriveStr)
(qemuBuildCommandLine, qemuParseCommandLineDisk)
(qemuParseCommandLine): Likewise.
* src/qemu/qemu_conf.c (qemuCheckSharedDevice)
(qemuTranslateDiskSourcePool)
(qemuTranslateSnapshotDiskSourcePool): Likewise.
* src/qemu/qemu_domain.c (qemuDomainDeviceDefPostParse)
(qemuDomainDetermineDiskChain): Likewise.
* src/qemu/qemu_driver.c (qemuDomainGetBlockInfo)
(qemuDomainSnapshotPrepareDiskExternalBackingInactive)
(qemuDomainSnapshotPrepareDiskExternalBackingActive)
(qemuDomainSnapshotPrepareDiskExternalOverlayActive)
(qemuDomainSnapshotPrepareDiskExternalOverlayInactive)
(qemuDomainSnapshotPrepareDiskInternal)
(qemuDomainSnapshotPrepare)
(qemuDomainSnapshotCreateSingleDiskActive): Likewise.
* src/qemu/qemu_hotplug.c (qemuDomainChangeEjectableMedia):
Likewise.
* src/qemu/qemu_migration.c (qemuMigrationIsSafe): Likewise.
* src/security/security_apparmor.c
(AppArmorRestoreSecurityImageLabel)
(AppArmorSetSecurityImageLabel): Likewise.
* src/security/security_dac.c (virSecurityDACSetSecurityImageLabel)
(virSecurityDACRestoreSecurityImageLabelInt)
(virSecurityDACSetSecurityAllLabel): Likewise.
* src/security/security_selinux.c
(virSecuritySELinuxRestoreSecurityImageLabelInt)
(virSecuritySELinuxSetSecurityImageLabel)
(virSecuritySELinuxSetSecurityAllLabel): Likewise.
* src/storage/storage_backend.c (virStorageFileBackendForType):
Likewise.
* src/storage/storage_backend_fs.c (virStorageFileBackendFile)
(virStorageFileBackendBlock): Likewise.
* src/storage/storage_backend_gluster.c
(virStorageFileBackendGluster): Likewise.
* src/vbox/vbox_tmpl.c (vboxDomainGetXMLDesc, vboxAttachDrives)
(vboxDomainAttachDeviceImpl, vboxDomainDetachDevice): Likewise.
* src/vmware/vmware_conf.c (vmwareVmxPath): Likewise.
* src/vmx/vmx.c (virVMXParseDisk, virVMXFormatDisk)
(virVMXFormatFloppy): Likewise.
* src/xenxs/xen_sxpr.c (xenParseSxprDisks, xenParseSxpr)
(xenFormatSxprDisk): Likewise.
* src/xenxs/xen_xm.c (xenParseXM, xenFormatXMDisk): Likewise.
* tests/securityselinuxlabeltest.c (testSELinuxLoadDef):
Likewise.
* src/libvirt_private.syms (domain_conf.h): Move symbols...
(virstoragefile.h): ...as appropriate.

Signed-off-by: Eric Blake <eblake@redhat.com>
2014-04-01 10:38:13 -06:00
Ján Tomko
40cc610a9d Indent top-level labels by one space in src/locking/ 2014-03-25 14:58:39 +01:00
Jiri Denemark
2cc27c34be sanlock: Forbid VIR_DOMAIN_LOCK_FAILURE_RESTART
https://bugzilla.redhat.com/show_bug.cgi?id=905282
https://bugzilla.redhat.com/show_bug.cgi?id=967494

When lock failure is detected by sanlock, our sanlock_helper kill script
will try to restart (shutdown followed by start) the affected domain
when RESTART action is configured for it. While shutting down kills QEMU
and removes all its leases (which is what sanlock wants to happen),
trying to start it again just hangs because libvirt tries reacquire the
locks in the failed lock space. Hence, this action cannot be supported
by sanlock driver.

Signed-off-by: Jiri Denemark <jdenemar@redhat.com>
2014-03-25 09:08:39 +01:00
Jiri Denemark
e3dd35e881 sanlock: Forbid VIR_DOMAIN_LOCK_FAILURE_IGNORE
https://bugzilla.redhat.com/show_bug.cgi?id=905280
https://bugzilla.redhat.com/show_bug.cgi?id=967493

Sanlock expects that the configured kill script either kills the PID on
lock failure or removes all locks the PID owns. If none of the two
options happen, sanlock will reboot the host. Although IGNORE action is
supposed to ignore the request to kill the PID or remove all leases,
it's certainly not designed to cause the host to be rebooted. That said,
IGNORE action is incompatible with sanlock and should be forbidden by
libvirt.

Signed-off-by: Jiri Denemark <jdenemar@redhat.com>
2014-03-25 09:08:39 +01:00
Eric Blake
6b44ccf7fe conf: use disk source accessors in locking/
Part of a series of cleanups to use new accessor methods.

* src/locking/domain_lock.c (virDomainLockManagerAddDisk): Use
accessors.

Signed-off-by: Eric Blake <eblake@redhat.com>
2014-03-24 11:59:50 -06:00
Daniel P. Berrange
c0c8c1d7bb Remove global log buffer feature entirely
A earlier commit changed the global log buffer so that it only
records messages that are explicitly requested via the log
filters setting. This removes the performance burden, and
improves the signal/noise ratio for messages in the global
buffer. At the same time though, it is somewhat pointless, since
all the recorded log messages are already going to be sent to an
explicit log output like syslog, stderr or the journal. The
global log buffer is thus just duplicating this data on stderr
upon crash.

The log_buffer_size config parameter is left in the augeas
lens to prevent breakage for users on upgrade. It is however
completely ignored hereafter.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2014-03-18 14:29:22 +00:00
Daniel P. Berrange
2835c1e730 Add virLogSource variables to all source files
Any source file which calls the logging APIs now needs
to have a VIR_LOG_INIT("source.name") declaration at
the start of the file. This provides a static variable
of the virLogSource type.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2014-03-18 14:29:22 +00:00
Martin Kletzander
cc9c62fef9 Require spaces around equality comparisons
Commit a1cbe4b5 added a check for spaces around assignments and this
patch extends it to checks for spaces around '=='.  One exception is
virAssertCmpInt where comma after '==' is acceptable (since it is a
macro and '==' is its argument).

Signed-off-by: Martin Kletzander <mkletzan@redhat.com>
2014-03-18 11:29:44 +01:00
Michal Privoznik
68f60f669c daemon: Introduce max_anonymous_clients
https://bugzilla.redhat.com/show_bug.cgi?id=992980

This config tunable allows users to determine the maximum number of
accepted but yet not authenticated users.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
2014-03-17 17:45:13 +01:00
Nehal J Wani
2250a2b5d2 Add parameter to wait for lock in file locking APIs
Our current pidfile acquire APis (virPidFileAcquire) simply return -1 upon
failure to acquire a lock. This patch adds a parameter 'bool waitForLock'
which instructs the APIs if we want to make it block and wait for the lock
or not.
2014-03-17 10:04:47 -06:00
Daniel P. Berrange
ed839f9aef Convert lock driver plugins to use new crypto APIs
Convert the sanlock and lockd lock driver plugins over to use
the new virCryptoHashString APIs instead of having their own
duplicated code.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2014-03-10 16:44:14 +00:00
Ján Tomko
9b9d7704b5 Change file names in comments to match the files they are in
Some of these are leftovers from renaming the files, others
are just typos.

Also introduce an ugly awk script to enforce this.
2014-03-10 14:26:04 +01:00
Jiri Denemark
8f10c1e77f sanlock: Truncate domain names longer than SANLK_NAME_LEN
Libvirt uses a domain name to fill in owner_name in sanlock_options in
virLockManagerSanlockAcquire. Unfortunately, owner_name is limited to
SANLK_NAME_LEN characters (including trailing '\0'), which means domains
with longer names fail to start when sanlock is enabled. However, we can
truncate the name when setting owner_name as explained by sanlock's
author:

Setting sanlk_options or the owner_name is unnecessary, and has very
little to no benefit.  If you do provide something in owner_name, it can
be anything, sanlock doesn't care or use it.

If you run the command "sanlock status", the output will display a list
of clients connected to the sanlock daemon.  This client list is
displayed as "pid owner_name" if the client has provided an owner_name
via sanlk_options. This debugging output is the only usage of
owner_name, so its only benefit is to potentially provide a more human
friendly output for debugging purposes.
2014-02-27 09:32:41 +01:00
Michael Chapman
881a2cff0d virtlockd: make re-exec more robust
- Use $XDG_RUNTIME_DIR for re-exec state file when running unprivileged.

- argv[0] may not contain a full path to the binary, however it should
  contain something that can be looked up in the PATH. Use execvp() to
  do path lookup on re-exec.

- As per list discussion [1], ignore --daemon on re-exec.

[1] https://www.redhat.com/archives/libvir-list/2013-December/msg00514.html

Signed-off-by: Michael Chapman <mike@very.puzzling.org>
2014-01-22 10:44:41 +01:00
Guido Günther
1b9f5aa7fe Add Documentation fields to systemd service files
We point to the manpages where available and redirect to libvirt's
homepage as a last resort.
2014-01-09 09:32:55 +01:00
Eric Blake
d219826c65 maint: improve VIR_ERR_OPERATION_DENIED usage
Some of our operation denied messages are outright stupid; for
example, if virIdentitySetAttr fails:

error: operation Identity attribute is already set forbidden for read only access

This patch fixes things to a saner:

error: operation forbidden: Identity attribute is already set

It also consolidates the most common usage pattern for operation
denied errors: read-only connections preventing a public API.  In
this case, 'virsh -r -c test:///default destroy test' changes from:

error: operation virDomainDestroy forbidden for read only access

to:

error: operation forbidden: read only access prevents virDomainDestroy

Note that we were previously inconsistent on which APIs used
VIR_FROM_DOM (such as virDomainDestroy) vs. VIR_FROM_NONE (such as
virDomainPMSuspendForDuration).  After this patch, all uses
consistently use VIR_FROM_NONE, on the grounds that it is unlikely
that a caller learning that a call is denied can do anything in
particular with extra knowledge which error domain the call belongs
to (similar to what we did in commit baa7244).

* src/util/virerror.c (virErrorMsg): Rework OPERATION_DENIED error
message.
* src/internal.h (virCheckReadOnlyGoto): New macro.
* src/util/virerror.h (virReportRestrictedError): New macro.
* src/libvirt-lxc.c: Use new macros.
* src/libvirt-qemu.c: Likewise.
* src/libvirt.c: Likewise.
* src/locking/lock_daemon.c (virLockDaemonClientNew): Likewise.

Signed-off-by: Eric Blake <eblake@redhat.com>
2014-01-06 08:29:29 -07:00
Michal Privoznik
d10a6506b0 Revert "virtlockd: treat SIGHUP like SIGUSR1"
This reverts commit 8355d42dd3.

After some discussion upstream [1] this patch turns out to be spurious.
It better gets reverted prior to a release.

1: https://www.redhat.com/archives/libvir-list/2013-December/msg00563.html

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
2013-12-10 15:49:06 +01:00
Michael Chapman
f1b1752537 virtlockd: use common exit path when out-of-memory
Also use a distinct, valid exit status for daemon re-execution failure.

Signed-off-by: Michael Chapman <mike@very.puzzling.org>
2013-12-10 12:02:37 +01:00
Michael Chapman
8355d42dd3 virtlockd: treat SIGHUP like SIGUSR1
SIGHUP is commonly used to instruct a daemon to reload its config. For
now we should handle it in virtlockd just like SIGUSR1, rather than
having it kill the process.

Signed-off-by: Michael Chapman <mike@very.puzzling.org>
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
2013-12-10 12:02:37 +01:00
Michael Chapman
59d6e65d6c virtlockd: improve initscripts
- Use SIGUSR1, not SIGHUP, on reload. At present, virtlockd only
  responds to the former.

- Fix PID file for virtlockd.

- Do not start virtlockd in any runlevels by default. It needs to be
  explicitly selected in libvirt's qemu.conf anyway, so there is no
  need to have it running on all systems regardless.

- Fix chkconfig priorities to ensure virtlockd is started before
  libvirtd is started, and stopped after libvirtd is stopped.

- Add "Should-Start: virtlockd" to the libvirtd initscript's LSB header,
  for the same reason.

- Add "Default-Stop" to both libvirtd and virtlockd initscripts. LSB
  does not guarantee that this defaults to the inverse of
  "Default-Start".

Signed-off-by: Michael Chapman <mike@very.puzzling.org>
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
2013-12-10 12:02:37 +01:00
Michael Chapman
1163fa36b7 virtlockd: improve systemd units
- Pass VIRTLOCKD_ARGS through to virtlockd.

- Use SIGUSR1, not SIGHUP, in ExecReload. At present, virtlockd only
  responds to the former.

- Have "systemctl enable virtlockd.service" enable virtlockd.socket,
  rather than throw an error.

- Make virtlockd.socket wanted by sockets.target, rather than
  multi-user.target. This is consistent with other socket units in
  Fedora, and it ensures that the socket is available before libvirtd is
  started.

Signed-off-by: Michael Chapman <mike@very.puzzling.org>
2013-12-10 12:02:37 +01:00
Guido Günther
3c9e40a1e8 Don't depend on syslog.service
Syslog is socket activated since at least systemd v35 so we can drop
this dependency. Debian's linitian otherwise complains about it.

References:

    http://www.freedesktop.org/wiki/Software/systemd/syslog/
    http://lintian.debian.org/tags/systemd-service-file-refers-to-obsolete-target.html
2013-11-19 21:49:53 +01:00
Daniel P. Berrange
9b0af09240 Remove (nearly) all use of getuid()/getgid()
Most of the usage of getuid()/getgid() is in cases where we are
considering what privileges we have. As such the code should be
using the effective IDs, not real IDs.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-10-21 14:03:52 +01:00
Daniel P. Berrange
1e4a02bdfe Remove all direct use of getenv
Unconditional use of getenv is not secure in setuid env.
While not all libvirt code runs in a setuid env (since
much of it only exists inside libvirtd) this is not always
clear to developers. So make all the code paranoid, even
if it only ever runs inside libvirtd.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-10-21 14:03:52 +01:00
Michal Privoznik
4471ecf669 test_virtlockd.aug.in: Use the correct file
The test should refer to Virtlockd.lns, which is the name of
the module + lens in virtlockd.aug.
2013-09-03 17:03:30 +02:00
Guido Günther
3e32544854 Process virtlockd.conf instead of libvirtd.conf 2013-08-30 17:37:12 +02:00
David Weber
9f5b4b1f62 Make max_clients in virtlockd configurable
Each new VM requires a new connection from libvirtd to virtlockd.
The default max clients limit in virtlockd of 20 is thus woefully
insufficient. virtlockd sockets are only accessible to matching
users, so there is no security need for such a tight limit. Make
it configurable and default to 1024.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-08-19 12:40:26 +01:00
Daniel P. Berrange
63ba687f2b Properly handle -h / -V for --help/--version aliases in virtlockd/libvirtd
The virtlockd/libvirtd daemons had listed '?' as the short option
for --help. getopt_long uses '?' for any unknown option. We want
to be able to distinguish unknown options (which use EXIT_FAILURE)
from correct usage of help (which should use EXIT_SUCCESS). Thus
we should use 'h' as a short option for --help. Also add this to
the man page docs

The virtlockd/libvirtd daemons did not list any short option
for the --version arg. Add -V as a valid short option, since
-v is already used for --verbose.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-08-13 14:06:01 +01:00
Daniel P. Berrange
38550ae809 Add an example config file for virtlockd
The virtlockd daemon supports an /etc/libvirt/virtlockd.conf
config file, but we never installed a default config, nor
created any augeas scripts. This change addresses that omission.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-08-09 15:03:04 +01:00
Daniel P. Berrange
6ff0cffd55 Add a man page for virtlockd daemon
Create a virtlockd.pod.in file containing the man page
content for virtlockd.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-08-09 11:56:34 +01:00
Michal Privoznik
1199edb1d4 Introduce max_queued_clients
This configuration knob lets user to set the length of queue of
connection requests waiting to be accept()-ed by the daemon. IOW, it
just controls the @backlog passed to listen:

  int listen(int sockfd, int backlog);
2013-08-05 11:03:01 +02:00
Daniel P. Berrange
88e4e9c6b2 Convert 'int i' to 'size_t i' in src/locking/ files
Convert the type of loop iterators named 'i', 'j', k',
'ii', 'jj', 'kk', to be 'size_t' instead of 'int' or
'unsigned int', also santizing 'ii', 'jj', 'kk' to use
the normal 'i', 'j', 'k' naming

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-07-10 17:55:16 +01:00
Michal Privoznik
35048f314a Adapt to VIR_ALLOC and virAsprintf in src/locking/* 2013-07-10 11:07:32 +02:00
Daniel P. Berrange
e341435e50 Add ACL annotations to all RPC messages
Introduce annotations to all RPC messages to declare what
access control checks are required. There are two new
annotations defined:

 @acl: <object>:<permission>
 @acl: <object>:<permission>:<flagname>

  Declare the access control requirements for the API. May be repeated
  multiple times, if multiple rules are required.

    <object> is one of 'connect', 'domain', 'network', 'storagepool',
             'interface', 'nodedev', 'secret'.
    <permission> is one of the permissions in access/viraccessperm.h
    <flagname> indicates the rule only applies if the named flag
    is set in the API call

 @aclfilter: <object>:<permission>

  Declare an access control filter that will be applied to a list
  of objects being returned by an API. This allows the returned
  list to be filtered to only show those the user has permissions
  against

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-06-24 15:24:36 +01:00
Ján Tomko
70fe129546 virtlockd: fix socket path
Change the socket path to match the one used by lockd driver.

https://bugzilla.redhat.com/show_bug.cgi?id=968128
2013-06-05 10:17:28 +02:00
Osier Yang
45ca0b8785 src/locking: Remove the whitespace before ";" 2013-05-21 23:41:45 +08:00
Michal Privoznik
f75ed996e7 Adapt to VIR_STRDUP and VIR_STRNDUP in src/locking/* 2013-05-09 14:00:45 +02:00
Daniel P. Berrange
979e9c56a7 Include process start time when doing polkit checks
Since PIDs can be reused, polkit prefers to be given
a (PID,start time) pair. If given a PID on its own,
it will attempt to lookup the start time in /proc/pid/stat,
though this is subject to races.

It is safer if the client app resolves the PID start
time itself, because as long as the app has the client
socket open, the client PID won't be reused.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-05-08 10:47:45 +01:00
Daniel P. Berrange
d80b5b7f86 Ignore 'uri' parameter in lockd driver
A 'uri' parameter was added for the benefit of sanlock. This
causes a warning in the lockd driver though

2013-05-03 13:20:35.347+0000: 28403: error : virLockManagerLockDaemonNew:482 : internal error Unexpected parameter uri for object

Ignore this parameter, since lockd does not require it and it
is harmless if not used.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-05-03 15:36:15 +01:00
Daniel P. Berrange
8dc93ffadc Fix release of resources with lockd plugin
The lockd plugin for the lock manager was not correctly
handling the release of resource locks. This meant that
during migration, or when pausing a VM, the locks would
not get released. This in turn made it impossible to
resume the domain, or finish migration
2013-05-03 14:06:15 +01:00
Laine Stump
cc8f9e677c util: fix compile errors caused by moving string functions
commit 7c9a2d8 missed adding in a few #include "virstring.h"s, causing
builds to fail.
2013-05-02 13:27:19 -04:00
Michal Privoznik
7c9a2d88cd virutil: Move string related functions to virstring.c
The source code base needs to be adapted as well. Some files
include virutil.h just for the string related functions (here,
the include is substituted to match the new file), some include
virutil.h without any need (here, the include is removed), and
some require both.
2013-05-02 16:56:55 +02:00
Daniel P. Berrange
a98541bfb4 Switch to a more extensible annotation system for RPC protocols
Currently the RPC protocol files can contain annotations after
the protocol enum eg

   REMOTE_PROC_DOMAIN_SNAPSHOT_LIST_CHILDREN_NAMES = 247, /* autogen autogen priority:high */

This is not very extensible as the number of annotations grows.
Change it to use

    /**
     * @generate: both
     * @priority: high
     */
   REMOTE_PROC_DOMAIN_SNAPSHOT_LIST_CHILDREN_NAMES = 247,

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-04-23 11:24:17 +01:00
Martin Kletzander
901f4b6b86 docs: aesthetical cleanups
Adding dots inside "exempli gratia" where missing.  While on that, I
took the liberty of changing it where found with simple grep.
2013-01-30 09:37:03 +01:00
John Ferlan
678e891380 locking: use virStrcpyStatic instead of memcpy 2013-01-24 22:45:54 +01:00
Peter Krempa
0e620e6669 lock_daemon: Simplify error handling
No need to check the run_dir variable twice for NULL.
2013-01-17 16:39:29 +01:00
John Ferlan
687554cd50 locking: Resolve resource leaks on non error path
Both 'dir' and 'path' were not free'd on successful return
2013-01-16 17:51:30 +01:00
John Ferlan
e8cd571b2c locking: Remove unnecessary setting of lockspace
In virLockSpaceProtocolDispatchNew() the returned value of lockspace from
virLockDaemonFindLockSpace() is overwritten by the virLockSpaceNew() return.
Coverity complains that it's unused.

In virLockSpaceProtocolDispatchCreateLockSpace() lockspace is also overwritten
in a similar manner resulting in the same Coverity message.
2013-01-15 23:43:10 +01:00
Daniel P. Berrange
bccd4a8cbc Rename HAVE_GNUTLS to WITH_GNUTLS 2013-01-14 13:26:47 +00:00
Daniel P. Berrange
f587c27768 Make TLS support conditional
Add checks for existence of GNUTLS and automatically disable
it if not found.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-01-08 20:57:31 +00:00
Eric Blake
798ff66790 maint: avoid potential promotion issues with [ug]id_t
POSIX does not guarantee whether uid_t and gid_t are signed or
unsigned, nor does it guarantee whether they are smaller, same
size, or larger than int (or even the same size as one another).
Therefore, it is possible to have platforms where '(uid_t)-1==-1'
is false or where 'uid = gid = -1' sets uid to the wrong value,
thanks to integer promotion rules.  The only portable way to use
the placeholder value of these two types is to always use a cast.
Thankfully, the issue is mostly theoretical - sanlock only
compiles on Linux for now, and on Linux, these types do not
suffer from strange promotion problems.

* src/locking/lock_driver_sanlock.c
(virLockManagerSanlockSetupLockspace, virLockManagerSanlockInit)
(virLockManagerSanlockCreateLease): Cast -1 to proper type before
comparing with uid_t or gid_t.
2013-01-08 08:45:39 -07:00
Eric Blake
cb854b8f61 build: properly substitute virtlockd.socket
virtlockd.service could be installed to a configurable root,
but virtlockd.socket was hardcoded to installation into a
distro.

* src/Makefile.am (virtlockd.service, virtlockd.socket): Drop
unused substitutions.
* src/locking/virtlockd.socket.in (ListenStream): Don't hard-code
/var.
2013-01-07 08:56:36 -07:00
Eric Blake
462a69621e build: use common .in replacement mechanism
We had several different styles of .in conversion in our Makefiles:
ALLCAPS, @ALLCAPS@, @lower@, ::lower::
Canonicalize on one form, to make it easier to copy and paste
between .in files.

Also, we were using some non-portable sed constructs: \@ is an
undefined escape sequence (it happens to be @ itself in GNU sed,
but POSIX allows it to mean something else), as well as risky
behavior (failure to consistently quote things means a space
in $(sysconfdir) could throw things off; also, Autoconf recommends
using | rather than , or ! in the s||| operator, because | has to
be quoted in shell and is therefore less likely to appear in file
names than , or !).

Fix all of these uses to follow the same syntax.

* daemon/libvirtd.8.in: Switch to @var@.
* tools/virt-xml-validate.in: Likewise.
* tools/virt-pki-validate.in: Likewise.
* src/locking/virtlockd.init.in: Likewise.
* daemon/Makefile.am: Prefer | over ! in sed.
(libvirtd.8): Prefer consistent substitution.
(libvirtd.init, libvirtd.service): Avoid non-portable sed.
* tools/Makefile.am (libvirt-guests.sh, libvirt-guests.init)
(libvirt-guests.service): Likewise.
(virt-xml-validate, virt-pki-validate, virt-sanlock-cleanup):
Prefer consistent capitalization.
* src/Makefile.am (virtlockd.init, virtlockd.service)
(virtlockd.socket): Prefer consistent substitution.
2013-01-07 08:56:36 -07:00
Michal Privoznik
ce753ec5d6 sanlock: Chown lease files as well
Since sanlock doesn't run under root:root, we have chown()'ed the
__LIBVIRT__DISKS__ lease file to the user:group defined in the
sanlock config. However, when writing the patch I've forgot about
lease files for each disk (this is the
/var/lib/libvirt/sanlock/<md5>) file.
2012-12-28 16:42:38 +01:00
Daniel P. Berrange
f24404a324 Rename virterror.c virterror_internal.h to virerror.{c,h} 2012-12-21 11:19:50 +00:00
Daniel P. Berrange
e861b31275 Rename uuid.{c,h} to viruuid.{c,h} 2012-12-21 11:19:49 +00:00
Daniel P. Berrange
44f6ae27fe Rename util.{c,h} to virutil.{c,h} 2012-12-21 11:19:49 +00:00
Daniel P. Berrange
404174cad3 Rename threads.{c,h} to virthread.{c,h} 2012-12-21 11:19:49 +00:00
Daniel P. Berrange
ab9b7ec2f6 Rename memory.{c,h} to viralloc.{c,h} 2012-12-21 11:17:14 +00:00
Daniel P. Berrange
936d95d347 Rename logging.{c,h} to virlog.{c,h} 2012-12-21 11:17:14 +00:00
Daniel P. Berrange
0f8454101d Rename conf.{c,h} to virconf.{c,h} 2012-12-21 11:17:13 +00:00
Michal Privoznik
11cfa28850 sanlock: Re-add lockspace unconditionally
Currently, if sanlock is already registering a lockspace other
libvirtd instances (from other hosts) obtain -EINPROGRESS. On
sufficiently new sanlock, sanlock_inq_lockspace() is called,
which suspend execution until lockspace state is changed. With
current libvirt implementation, we fail to retry adding the
lockspace again but continue in error path. Therefore we produce
meaningless error message:

virLockManagerSanlockSetupLockspace:363 : Unable to add lockspace
/var/lib/libvirt/sanlock/__LIBVIRT__DISKS__: Success
qemudLoadDriverConfig:558 : Failed to load lock manager sanlock

We should try to re-add the lockspace after its state change to
be sure it was added successfully. In fact, with sufficiently new
sanlock we can just avoid dummy usleep() which is used if there's
no inquire API.
2012-12-14 15:01:03 +01:00
Daniel P. Berrange
64f0e145c1 Add support for locking based on SCSI volume ID 2012-12-13 15:26:58 +00:00
Daniel P. Berrange
565d040f43 Add support for locking based on LVM volume uuid 2012-12-13 15:26:58 +00:00
Daniel P. Berrange
f14fdae368 Add ability to maintain disk leases indirectly
The default lockd driver behavour is to acquire leases
directly on the disk files. This introduces an alternative
mode, where leases are acquire indirectly on a file that
is based on a SHA256 hash of the disk filename.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2012-12-13 15:26:57 +00:00
Daniel P. Berrange
eb8268a4f6 Add a virtlockd client as a lock driver impl
This adds a 'lockd' lock driver which is just a client which
talks to the lockd daemon to perform all locking. This will
be the default lock driver for any hypervisor which needs one.

* src/Makefile.am: Add lockd.so plugin
* src/locking/lock_driver_lockd.c: Lockd driver impl

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2012-12-13 15:26:57 +00:00
Daniel P. Berrange
f234dc9366 Add support for re-exec() of virtlockd upon SIGUSR1
The virtlockd daemon maintains file locks on behalf of libvirtd
and any VMs it is running. These file locks must be held for as
long as any VM is running. If virtlockd itself ever quits, then
it is expected that a node would be fenced/rebooted. Thus to
allow for software upgrads on live systemd, virtlockd needs the
ability to re-exec() itself.

Upon receipt of SIGUSR1, virtlockd will save its current live
state out to a file /var/run/virtlockd-restart-exec.json
It then re-exec()'s itself with exactly the same argv as it
originally had, and loads the state file, reconstructing any
objects as appropriate.

The state file contains information about all locks held and
all network services and clients currently active. An example
state document is

 {
    "server": {
        "min_workers": 1,
        "max_workers": 20,
        "priority_workers": 0,
        "max_clients": 20,
        "keepaliveInterval": 4294967295,
        "keepaliveCount": 0,
        "keepaliveRequired": false,
        "services": [
            {
                "auth": 0,
                "readonly": false,
                "nrequests_client_max": 1,
                "socks": [
                    {
                        "fd": 6,
                        "errfd": -1,
                        "pid": 0,
                        "isClient": false
                    }
                ]
            }
        ],
        "clients": [
            {
                "auth": 0,
                "readonly": false,
                "nrequests_max": 1,
                "sock": {
                    "fd": 9,
                    "errfd": -1,
                    "pid": 0,
                    "isClient": true
                },
                "privateData": {
                    "restricted": true,
                    "ownerPid": 1722,
                    "ownerId": 6,
                    "ownerName": "f18x86_64",
                    "ownerUUID": "97586ba9-df27-9459-c806-f016c8bbd224"
                }
            },
            {
                "auth": 0,
                "readonly": false,
                "nrequests_max": 1,
                "sock": {
                    "fd": 10,
                    "errfd": -1,
                    "pid": 0,
                    "isClient": true
                },
                "privateData": {
                    "restricted": true,
                    "ownerPid": 1784,
                    "ownerId": 7,
                    "ownerName": "f16x86_64",
                    "ownerUUID": "7b8e5e42-b875-61e9-b981-91ad8fa46979"
                }
            }
        ]
    },
    "defaultLockspace": {
        "resources": [
            {
                "name": "/var/lib/libvirt/images/f16x86_64.raw",
                "path": "/var/lib/libvirt/images/f16x86_64.raw",
                "fd": 14,
                "lockHeld": true,
                "flags": 0,
                "owners": [
                    1784
                ]
            },
            {
                "name": "/var/lib/libvirt/images/shared.img",
                "path": "/var/lib/libvirt/images/shared.img",
                "fd": 12,
                "lockHeld": true,
                "flags": 1,
                "owners": [
                    1722,
                    1784
                ]
            },
            {
                "name": "/var/lib/libvirt/images/f18x86_64.img",
                "path": "/var/lib/libvirt/images/f18x86_64.img",
                "fd": 11,
                "lockHeld": true,
                "flags": 0,
                "owners": [
                    1722
                ]
            }
        ]
    },
    "lockspaces": [

    ],
    "magic": "30199"
 }

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2012-12-13 15:26:57 +00:00
Daniel P. Berrange
74c0353e4f Enable systemd socket activation with virtlockd
This enhancement virtlockd so that it can receive a pre-opened
UNIX domain socket from systemd at launch time, and adds the
systemd service/socket unit files

* daemon/libvirtd.service.in: Require virtlockd to be running
* libvirt.spec.in: Add virtlockd systemd files
* src/Makefile.am: Install systemd files
* src/locking/lock_daemon.c: Support socket activation
* src/locking/virtlockd.service.in, src/locking/virtlockd.socket.in:
  systemd unit files
* src/rpc/virnetserverservice.c, src/rpc/virnetserverservice.h:
  Add virNetServerServiceNewFD() method
* src/rpc/virnetsocket.c, src/rpc/virnetsocket.h: Add virNetSocketNewListenFD
  method

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2012-12-13 15:26:57 +00:00
Daniel P. Berrange
0e49b83912 Implement dispatch functions for lock protocol in virtlockd
Introduce a lock_daemon_dispatch.c file which implements the
server side dispatcher the RPC APIs previously defined in the
lock protocol.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2012-12-13 15:26:57 +00:00
Daniel P. Berrange
ad39fd83a8 Define a wire protocol for talking to the virtlockd daemon
The virtlockd daemon will be responsible for managing locks
on virtual machines. Communication will be via the standard
RPC infrastructure. This provides the XDR protocol definition

* src/locking/lock_protocol.x: Wire protocol for virtlockd
* src/Makefile.am: Include lock_protocol.[ch] in virtlockd

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2012-12-13 15:26:57 +00:00
Daniel P. Berrange
c57e3d8994 Introduce basic infrastructure for virtlockd daemon
The virtlockd daemon will maintain locks on behalf of libvirtd.
There are two reasons for it to be separate

 - Avoid risk of other libvirtd threads accidentally
   releasing fcntl() locks by opening + closing a file
   that is locked
 - Ensure locks can be preserved across libvirtd restarts.
   virtlockd will need to be able to re-exec itself while
   maintaining locks. This is simpler to achieve if its
   sole job is maintaining locks

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2012-12-13 15:26:57 +00:00
Daniel P. Berrange
f199f75e9b Refactor creation of lock manager plugins
Refactor virLockManagerPluginNew() so that the caller does
not need to pass in the config file path itself - just the
config directory and driver name.

Fix QEMU to actually pass in a config file when creating the
default lock manager plugin, rather than NULL.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2012-12-13 15:26:57 +00:00
Michal Privoznik
96a02703da sanlock: Retry after EINPROGRESS
It may take some time for sanlock to add a lockspace. And if user
restart libvirtd service meanwhile, the fresh daemon can fail adding
the same lockspace with EINPROGRESS. Recent sanlock has
sanlock_inq_lockspace() function which should block until lockspace
changes state. If we are building against older sanlock we should
retry a few times before claiming an error. This issue can be easily
reproduced:

for i in {1..1000} ; do echo $i; service libvirtd restart; sleep 2; done
20
Stopping libvirtd daemon:                                  [FAILED]
Starting libvirtd daemon:                                  [  OK  ]
21
Stopping libvirtd daemon:                                  [  OK  ]
Starting libvirtd daemon:                                  [  OK  ]
22
Stopping libvirtd daemon:                                  [  OK  ]
Starting libvirtd daemon:                                  [  OK  ]

 error : virLockManagerSanlockSetupLockspace:334 : Unable to add
 lockspace /var/lib/libvirt/sanlock/__LIBVIRT__DISKS__: Operation now in
 progress
2012-11-16 08:00:11 +01:00
Daniel P. Berrange
1c04f99970 Remove spurious whitespace between function name & open brackets
The libvirt coding standard is to use 'function(...args...)'
instead of 'function (...args...)'. A non-trivial number of
places did not follow this rule and are fixed in this patch.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2012-11-02 13:36:49 +00:00
Michal Privoznik
9af1b30da3 sanlock: Introduce 'user' and 'group' conf variables
through which user set under what permissions does sanlock
daemon run so libvirt will set the same permissions for
files exposed to it.
2012-10-30 10:12:10 +01:00
Jiri Denemark
5ce6d95eed locking: Fix build with sanlock < 2.4
libvirt started using sanlock_killpath to implement on_lockfailure
action. Since sanlock_killpath was introduced in sanlock 2.4, libvirt
fails to build with older sanlock.
2012-10-16 21:32:05 +02:00
Jiri Denemark
893647671b locking: Implement lock failure action in sanlock driver
While the changes to sanlock driver should be stable, the actual
implementation of sanlock_helper is supposed to be replaced in the
future. However, before we can implement a better sanlock_helper, we
need an administrative interface to libvirtd so that the helper can just
pass a "leases lost" event to the particular libvirt driver and
everything else will be taken care of internally. This approach will
also allow libvirt to pass such event to applications and use
appropriate reasons when changing domain states.

The temporary implementation handles all actions directly by calling
appropriate libvirt APIs (which among other things means that it needs
to know the credentials required to connect to libvirtd).
2012-10-11 14:41:42 +02:00
Jiri Denemark
297c704a1c locking: Add support for lock failure action 2012-10-11 14:41:42 +02:00
Jiri Denemark
d236f3fc38 locking: Pass hypervisor driver name when acquiring locks
This is required in case a lock manager needs to contact libvirtd in
case of an unexpected event.
2012-10-11 14:41:42 +02:00
Jiri Denemark
e55ff49cbc locking: Add const char * parameter to avoid ugly typecasts 2012-10-11 14:41:41 +02:00
Jiri Denemark
98be861b4d locking: Remove README file in favor of internals/locking.html
The README file seems to be a leftover from some previous version of
locking driver. It is not consistent with what the code does nor is it
consistent with existing documentation in internals/locking.html.
2012-09-21 12:23:01 +02:00
Eric Blake
4ecb723b9e maint: fix up copyright notice inconsistencies
https://www.gnu.org/licenses/gpl-howto.html recommends that
the 'If not, see <url>.' phrase be a separate sentence.

* tests/securityselinuxhelper.c: Remove doubled line.
* tests/securityselinuxtest.c: Likewise.
* globally: s/;  If/.  If/
2012-09-20 16:30:55 -06:00
Jiri Denemark
2560a51ef3 sanlock: Provide better error if lockspace directory is missing
Generating "Unable to add lockspace /lock/space/dir/__LIBVIRT__DISKS__:
No such file or directory" is correct but not exactly clear. This patch
changes the error message to "Unable to create lockspace
/lock/space/dir/__LIBVIRT__DISKS__: parent directory does not exist or
is not a directory".
2012-08-21 18:09:09 +02:00
Jiri Denemark
15f5e16f4e daemon: Autodetect lock driver directory
When running libvirtd from a build directory, libvirtd would load lock
drivers from system directory unless explicitly overridden by setting
LIBVIRT_LOCK_MANAGER_PLUGIN_DIR environment variable. Since we already
autodetect driver directory if libvirt is build with driver modules, we
can use the same trick to automagically set lock driver directory.
2012-08-21 18:05:19 +02:00
Daniel P. Berrange
07143d84ba Add further debugging lines to domain lock manager
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2012-08-15 10:58:45 +01:00
Daniel P. Berrange
4ee8672146 Change function signature for creating new lock manager instances
To allow a virLockManagerPtr to be created directly from a
driver table struct, replace the virLockManagerPluginPtr parameter
with a virLockDriverPtr parameter.

* src/locking/domain_lock.c, src/locking/lock_manager.c,
  src/locking/lock_manager.h: Replace plugin param with
  a driver in virLockManagerNew

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2012-08-15 10:55:50 +01:00
Asad Saeed
ff73c6d3bc sanlock: don't unlink lockspace if registration fails
This is a patch for bug 847848
If registering an existing lockspace with the sanlock daemon
returns an error, libvirt should not proceed to unlink the lockspace.

Signed-off-by: Asad Saeed <asad.saeed@acidseed.com>
2012-08-13 17:11:30 -06:00
Frido Roose
a58cb1ac40 Release only specific sanlock resource
This is a patch for bug 826704
All sanlock resources get released when hot-dettaching a disk from the domain
because virLockManagerSanlockRelease uses the wrong function parameters/flags.
With the patch only the resources that should be released are cleaned up.

Signed-off-by: Frido Roose <frido.roose@gmail.com>
2012-08-13 10:29:12 -06:00
Osier Yang
f9ce7dad60 Desert the FSF address in copyright
Per the FSF address could be changed from time to time, and GNU
recommends the following now: (http://www.gnu.org/licenses/gpl-howto.html)

  You should have received a copy of the GNU General Public License
  along with Foobar.  If not, see <http://www.gnu.org/licenses/>.

This patch removes the explicit FSF address, and uses above instead
(of course, with inserting 'Lesser' before 'General').

Except a bunch of files for security driver, all others are changed
automatically, the copyright for securify files are not complete,
that's why to do it manually:

  src/security/security_selinux.h
  src/security/security_driver.h
  src/security/security_selinux.c
  src/security/security_apparmor.h
  src/security/security_apparmor.c
  src/security/security_driver.c
2012-07-23 10:50:50 +08:00
Daniel P. Berrange
7f4ed3ec99 Replace use of virLockError with virReportError
Update the lock manager drivers to use virReportError instead
of the virLockError custom macro

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2012-07-20 13:18:49 +01:00
Jiri Denemark
73a5c94e50 Add missing "%s" format string to constant error messages in lock manager
Updates the lock manager code so that it passes "%s" as the format
string whenever raising an error message with a const string.
2012-07-20 13:18:47 +01:00
Daniel P. Berrange
db582fa25f Fix parameter passed with VIR_ERR_INVALID_ARG in sanlock driver
The VIR_ERR_INVALID_ARG is typically given the function name
via __FUNCTION__

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2012-07-18 16:37:48 +01:00
Michal Privoznik
85ce98250e sanlock: Properly indent
One of latest patches (0fce94fe) didn't properly indented #define
making syntax-check fail.
2012-06-25 12:46:21 +02:00
Daniel Veillard
0fce94fe1b Fix compilation on older sanlock
Temporary fix since compilation broke with older version of
sanlock following acbd4965c4
2012-06-25 18:36:28 +08:00
Daniel P. Berrange
acbd4965c4 Add support for shared sanlock leases
A sanlock lease can be marked as shared (rather
than exclusive)  using SANLK_RES_SHARED flag. This
adds support for that flag and ensures that in auto
disk mode, any shared disks use shared leases. This
also makes any read-only disks be completely
ignored.

These changes remove the need for the option

  ignore_readonly_and_shared_disks

so that is removed

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2012-06-25 10:17:56 +01:00
Daniel P. Berrange
de9758ae9b Autogenerate augeas test case from default config files
When adding new config file parameters, the corresponding
additions to the augeas lens' are constantly forgotten.
Also there are augeas test cases, these don't catch the
error, since they too are never updated.

To address this, the augeas test cases need to be auto-generated
from the example config files.

* build-aux/augeas-gentest.pl: Helper to generate an
  augeas test file, substituting in elements from the
  example config files
* src/Makefile.am, daemon/Makefile.am: Switch to
  auto-generated augeas test cases
* daemon/test_libvirtd.aug, daemon/test_libvirtd.aug.in,
  src/locking/test_libvirt_sanlock.aug,
  src/locking/test_libvirt_sanlock.aug.in,
  src/lxc/test_libvirtd_lxc.aug,
  src/lxc/test_libvirtd_lxc.aug.in,
  src/qemu/test_libvirtd_qemu.aug,
  src/qemu/test_libvirtd_qemu.aug.in: Remove example
  config file data, replacing with a ::CONFIG:: placeholder

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2012-05-28 11:07:12 +01:00
David Weber
b8012ce931 sanlock: fix locking for readonly devices
Add ignore param for readonly and shared disk in sanlock
2012-05-14 16:44:09 -06:00
Peter Krempa
96b41f639d sanlock: Use STREQ_NULLABLE instead of STREQ on strings that may be null
The function sanlock_inquire can return NULL in the state string if the
message consists only of a header. The return value is arbitrary and
sent by the server. We should proceed carefully while touching such
pointers.
2012-03-08 11:49:32 +01:00
Peter Krempa
3bf5f0427a sanlock: Fix condition left crippled while debugging 2012-03-08 11:49:32 +01:00
Michal Privoznik
62cb8ad7ff virLockManagerNopInit: Rename flags to unused_flags
As these might be not used and make syntax-check complains about checking
them via virCheckFlags.
2011-09-27 11:11:14 +02:00
Michal Privoznik
45ad3d6962 debug: Annotate some variables as unused
as they are not used with debugging turned off.
2011-09-27 10:16:46 +02:00
Eric Blake
a55f18929b sanlock: fix memory leak
Detected by Coverity.  The only way to get to error_unlink is if
path was successfully assigned, so the if was useless.  Meanwhile,
there was a return statement that did not free path.

* src/locking/lock_driver_sanlock.c
(virLockManagerSanlockSetupLockspace): Fix mem-leak, and drop
useless if.
2011-09-22 13:32:20 +08:00
Daniel P. Berrange
19ff0ddfbb Update to require sanlock 1.8 for license compliance
Inexplicably the sanlock code all got placed under the GPLv2-only,
so libvirt's use of sanlock introduces a license incompatibility.
The sanlock developers have now rearranged the code such that there
is a 'sanlock_client.so' which is LGPLv2+ while their daemon remains
GPLv2-only. To use the new client library we need to call the new
sanlock_init and sanlock_align APIs instead of sanlock_direct_init
and sanlock_direct_align. These APIs calls are now routed via the
sanlock daemon, instead of doing direct I/O calls to disk.

For all this we require sanlock >= 1.8

* configure.ac: Check for sanlock_client.so instead of sanlock.so
  and fix various comments
* libvirt.spec.in: Mandate sanlock >= 1.8
* src/Makefile.am: Link to -lsanlock_client
* src/locking/lock_driver_sanlock.c: Use sanlock_init and
  sanlock_align
2011-09-20 11:18:54 +08:00
Daniel P. Berrange
2223b1f71f Fix incorrect path length check in sanlock lockspace setup
The code for creating a sanlock lockspace accidentally used
SANLK_NAME_LEN instead of SANLK_PATH_LEN for a size check.
This meant disk paths were limited to 48 bytes !

* src/locking/lock_driver_sanlock.c: Fix disk path length
  check
2011-08-31 11:07:31 +01:00
Eric Blake
8e22e08935 build: rename files.h to virfile.h
In preparation for a future patch adding new virFile APIs.

* src/util/files.h, src/util/files.c: Move...
* src/util/virfile.h, src/util/virfile.c: ...here, and rename
functions to virFile prefix.  Macro names are intentionally
left alone.
* *.c: All '#include "files.h"' uses changed.
* src/Makefile.am (UTIL_SOURCES): Reflect rename.
* cfg.mk (exclude_file_name_regexp--sc_prohibit_close): Likewise.
* src/libvirt_private.syms: Likewise.
* docs/hacking.html.in: Likewise.
* HACKING: Regenerate.
2011-07-21 10:34:51 -06:00
Eric Blake
761bbb17c7 build: add syntax check for proper flags use
Enforce the recent flags cleanups - we want to use 'unsigned int flags'
in any of our APIs (except where backwards compatibility is important,
in the public migration APIs), and that all flags are checked for
validity (except when there are stub functions that completely
ignore the flags argument).

There are a few minor tweaks done here to avoid false positives:
signed arguments passed to open() are renamed oflags, and flags
arguments that are legitimately ignored are renamed flags_unused.

* cfg.mk (sc_flags_usage): New rule.
(exclude_file_name_regexp--sc_flags_usage): And a few exemptions.
(sc_flags_debug): Tweak wording.
* src/util/iohelper.c (runIO, main): Rename variable.
* src/util/util.c (virSetInherit): Likewise.
* src/fdstream.h (virFDStreamOpenFile, virFDStreamCreateFile):
Likewise.
* src/fdstream.c (virFDStreamOpenFileInternal)
(virFDStreamOpenFile, virFDStreamCreateFile): Likewise.
* src/util/command.c (virExecWithHook) [WIN32]: Likewise.
* src/util/util.c (virFileOpenAs, virDirCreate) [WIN32]: Likewise.
* src/locking/lock_manager.c (virLockManagerPluginNew)
[!HAVE_DLFCN_H]: Likewise.
* src/locking/lock_driver_nop.c (virLockManagerNopNew)
(virLockManagerNopAddResource, virLockManagerNopAcquire)
(virLockManagerNopRelease, virLockManagerNopInquire): Likewise.
2011-07-15 16:37:30 -06:00
Eric Blake
37754a74bb maint: fix typos
Our XML prefers "shareable" over "sharable".

* docs/internals/locking.html.in: s/sharable/shareable/
* src/locking/lock_driver_sanlock.c
(virLockManagerSanlockAddResource): Likewise.
2011-07-15 12:15:04 -06:00
Eric Blake
06dbfa6d21 maint: print flags in hex during debug
Continuation of commit 313ac7fd, and enforce things with a syntax
check.

Technically, virNetServerClientCalculateHandleMode is not printing
a mode_t, but rather a collection of VIR_EVENT_HANDLE_* bits;
however, these bits are < 8, so there is no different in the
output, and that was the easiest way to silence the new syntax check.

* cfg.mk (sc_flags_debug): New syntax check.
(exclude_file_name_regexp--sc_flags_debug): Add exemptions.
* src/fdstream.c (virFDStreamOpenFileInternal): Print flags in
hex, mode_t in octal.
* src/libvirt-qemu.c (virDomainQemuMonitorCommand)
(virDomainQemuAttach): Likewise.
* src/locking/lock_driver_nop.c (virLockManagerNopInit): Likewise.
* src/locking/lock_driver_sanlock.c (virLockManagerSanlockInit):
Likewise.
* src/locking/lock_manager.c: Likewise.
* src/qemu/qemu_migration.c: Likewise.
* src/qemu/qemu_monitor.c: Likewise.
* src/rpc/virnetserverclient.c
(virNetServerClientCalculateHandleMode): Print mode with %o.
2011-07-13 07:47:45 -06:00
Federico Simoncelli
de2aa6cfc7 sanlock: avoid lockspace setup when auto_disk_lease is off
When auto_disk_lease is off we should avoid the automatic lockspace
creation.

Signed-off-by: Federico Simoncelli <fsimonce@redhat.com>
2011-07-08 14:49:10 -06:00
Eric Blake
17da0669e0 util: drop unused safezero argument
No caller was using the flags argument, and this function is internal
only, so we might as well skip it.

* src/util/util.h (safezero): Update signature.
* src/util/util.c (safezero): Update function.
* src/locking/lock_driver_sanlock.c
(virLockManagerSanlockSetupLockspace)
(virLockManagerSanlockCreateLease): Update all callers.
* src/storage/storage_backend.c (createRawFile): Likewise.
2011-07-07 14:15:38 -06:00
Daniel P. Berrange
97e4f21782 Support automatic creation of leases for disks in sanlock
The current sanlock plugin requires a central management
application to manually add <lease> elements to each guest,
to protect resources that are assigned to it (eg writable
disks). This makes the sanlock plugin useless for usage
in more ad hoc deployment environments where there is no
central authority to associate disks with leases.

This patch adds a mode where the sanlock plugin will
automatically create leases for each assigned read-write
disk, using a md5 checksum of the fully qualified disk
path. This can work pretty well if guests are using
stable disk paths for block devices eg /dev/disk/by-path/XXXX
symlinks, or if all hosts have NFS volumes mounted in
a consistent pattern.

The plugin will create one lockspace for managing disks
with filename /var/lib/libvirt/sanlock/__LIBVIRT__DISKS__.
For each VM disks, there will be another file to hold
a lease /var/lib/libvirt/sanlock/5903e5d25e087e60a20fe4566fab41fd
Each VM disk lease is usually 1 MB in size. The script
virt-sanlock-cleanup should be run periodically to remove
unused lease files from the lockspace directory.

To make use of this capability the admin will need to do
several tasks:

 - Mount an NFS volume (or other shared filesystem)
   on /var/lib/libvirt/sanlock
 - Configure 'host_id' in /etc/libvirt/qemu-sanlock.conf
   with a unique value for each host with the same NFS
   mount
 - Toggle the 'auto_disk_leases' parameter in qemu-sanlock.conf

Technically the first step can be skipped, in which case
sanlock will only protect against 2 vms on the same host
using the same disk (or the same VM being started twice
due to error by libvirt).

* src/locking/libvirt_sanlock.aug,
  src/locking/sanlock.conf,
  src/locking/test_libvirt_sanlock.aug: Add config params
  for configuring auto lease setup
* libvirt.spec.in: Add virt-sanlock-cleanup program, man
  page
* tools/virt-sanlock-cleanup.in: Script to purge unused
  disk resource lease files
2011-06-28 18:18:06 +01:00
Daniel P. Berrange
58eb4f2cbb Support loading a configuration file for sanlock plugin
Introduce a configuration file with a single parameter
'require_lease_for_disks', which is used to decide whether
it is allowed to start a guest which has read/write disks,
but without any leases.

* libvirt.spec.in: Add sanlock config file and augeas
  lens
* src/Makefile.am: Install sanlock config file and
  augeas lens
* src/locking/libvirt_sanlock.aug: Augeas master lens
* src/locking/test_libvirt_sanlock.aug: Augeas test file
* src/locking/sanlock.conf: Example sanlock config
* src/locking/lock_driver_sanlock.c: Wire up loading
  of configuration file
2011-06-28 18:07:06 +01:00
Daniel P. Berrange
5df29ebc25 Allow per-driver config file for lock manager plugins
Allow a 'configFile' parameter to be passed into the lock
drivers to provide configuration. Wire up the QEMU driver
to pass in file names '/etc/libvirt/qemu-$NAME.conf
eg qemu-sanlock.conf

* src/locking/lock_driver.h, src/locking/lock_driver_nop.c,
  src/locking/lock_driver_sanlock.c, src/locking/lock_manager.c,
  src/locking/lock_manager.h: Add configFile parameter
* src/qemu/qemu_conf.c: Pass in configuration file path to
  lock driver plugins
2011-06-28 18:07:06 +01:00
Daniel P. Berrange
5247b0695a Ensure sanlock socket is labelled with the VM process label
The libvirt sanlock plugin is intentionally leaking a file
descriptor to QEMU. To enable QEMU to use this FD under
SELinux, it must be labelled correctly. We dont want to use
the svirt_image_t for this, since QEMU must not be allowed
to actually use the FD. So instead we label it with svirt_t
using virSecurityManagerSetProcessFDLabel

* src/locking/domain_lock.c, src/locking/domain_lock.h,
  src/locking/lock_driver.h, src/locking/lock_driver_nop.c,
  src/locking/lock_driver_sanlock.c, src/locking/lock_manager.c,
  src/locking/lock_manager.h: Optionally pass an FD back to
  the hypervisor for security driver labelling
* src/qemu/qemu_process.c: label the lock manager plugin
  FD with the process label
2011-06-28 16:41:46 +01:00
Eric Blake
89d994ad6b build: update gnulib for intprops
Done as a separate commit to make backporting the next patch easier.
We are already using "intprops.h", but this makes it explicit.

* .gnulib: Update, for syntax-check fix.
* bootstrap.conf (gnulib_modules): Make intprops use explicit.
* src/locking/domain_lock.c (includes): Drop unused header.
* src/nwfilter/nwfilter_learnipaddr.c (includes): Use "", not <>,
for gnulib.
2011-06-24 15:52:52 -06:00
Daniel P. Berrange
cc743e2314 Add missing checks for NULL in domain lock manager
The domain lock manager forgot to include a bunch of checks
for NULL which could occur on OOM

* src/locking/domain_lock.c: Add checks for NULL
2011-06-17 11:02:23 +01:00
Matthias Bolte
6b5c589d84 Make dlopen usage in lock manager conditional
This fixes a build failure on MinGW, due to MinGW not supporting dlopen.
2011-06-03 16:46:09 +02:00
Eric Blake
0a41733c13 lock: avoid leak on failure
Detected by Coverity.  Only possible on OOM situations.

* src/locking/lock_manager.c (virLockManagerPluginNew): Plug leak.
2011-06-03 08:11:43 -06:00
Daniel P. Berrange
eb661ce3ee Avoid crash on NULL pointer in lock driver impls during hotplug
When virLockDriverAcquire is invoked during hotplug the state
parameter will be left as NULL.

* src/locking/lock_driver_nop.c,
  src/locking/lock_driver_sanlock.c: Don't reference NULL state
  parameter
2011-06-02 17:23:45 +01:00
Daniel P. Berrange
09240ef13b Fix return value in lock manager hotplug methods
Refactoring of the lock manager hotplug methods lost the
ret = 0 assignment for successful return path

* src/locking/domain_lock.c: Add missing ret = 0 assignments
2011-06-02 17:23:44 +01:00
Daniel P. Berrange
ebfb8c4243 Add call to sanlock_restrict() in QEMU lock driver
In between fork and exec, a connection to sanlock is acquired
and the socket file descriptor is intionally leaked to the
child process. sanlock watches this FD for POLL_HANGUP to
detect when QEMU has exited. We don't want a rogus/compromised
QEMU from issuing sanlock RPC calls on the leaked FD though,
since that could be used to DOS other guests. By calling
sanlock_restrict() on the socket before exec() we can lock
it down.

* configure.ac: Check for sanlock_restrict API
* src/locking/domain_lock.c: Restrict lock acquired in
  process startup phase
* src/locking/lock_driver.h: Add VIR_LOCK_MANAGER_ACQUIRE_RESTRICT
* src/locking/lock_driver_sanlock.c: Add call to sanlock_restrict
  when requested by VIR_LOCK_MANAGER_ACQUIRE_RESTRICT flag
2011-06-02 17:23:44 +01:00
Daniel P. Berrange
9f135031ff Add a plugin for the 'sanlock' project
Sanlock is a project that implements a disk-paxos locking
algorithm. This is suitable for cluster deployments with
shared storage.

* src/Makefile.am: Add dlopen plugin for sanlock
* src/locking/lock_driver_sanlock.c: Sanlock driver
* configure.ac: Check for sanlock
* libvirt.spec.in: Add a libvirt-lock-sanlock RPM
2011-06-02 10:54:01 +01:00
Daniel P. Berrange
ad73a937ff Add higher level lock API for domain objects
To facilitate use of the locking plugins from hypervisor drivers,
introduce a higher level API for locking virDomainObjPtr instances.
In includes APIs targetted to VM startup, and hotplug/unplug

* src/Makefile.am: Add domain lock API
* src/locking/domain_lock.c, src/locking/domain_lock.h: High
  level API for domain locking
2011-06-02 10:54:01 +01:00
Daniel P. Berrange
db98851c24 Add a 'nop' lock driver implementation.
To allow hypervisor drivers to assume that a lock driver impl
will be guaranteed to exist, provide a 'nop' impl that is
compiled into the library

* src/Makefile.am: Add nop driver
* src/locking/lock_driver_nop.c, src/locking/lock_driver_nop.h:
  Nop lock driver implementation
* src/locking/lock_manager.c: Enable direct access of 'nop'
  driver, instead of dlopen()ing it.
2011-06-02 10:54:00 +01:00
Daniel P. Berrange
6a943419c5 Basic framework for lock manager plugins
Define the basic framework lock manager plugins. The
basic plugin API for 3rd parties to implemented is
defined in

  src/locking/lock_driver.h

This allows dlopen()able modules for alternative locking
schemes, however, we do not install the header. This
requires lock plugins to be in-tree allowing changing of
the lock manager plugin API in future.

The libvirt code for loading & calling into plugins
is in

  src/locking/lock_manager.{c,h}

* include/libvirt/virterror.h, src/util/virterror.c: Add
  VIR_FROM_LOCKING
* src/locking/lock_driver.h: API for lock driver plugins
  to implement
* src/locking/lock_manager.c, src/locking/lock_manager.h:
  Internal API for managing locking
* src/Makefile.am: Add locking code
2011-06-02 10:54:00 +01:00