Currently we only describe setting the CN field for server certs. This leads
to inevitable pain for users who set it to the fully qualified hostname and
then use a unqualified hostname or IP address to connect in the URI. Describe
the usage of Subject Alt Name extensions, to provide multiple hostnames and
IP addresses. This will help users avoid the classic mistake and is important
future proofing, since at least in browsers, TLS libraries no longer use the
CN field for validation, mandating use of SAN info instead.
Reviewed-by: John Ferlan <jferlan@redhat.com>
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
Various example XML documents for arp/rarp filtering have a protocolid
XML attribute defined. This is never parsed or output by the libvirt XML
handling code, so shouldn't be present in example XML files either
Reviewed-by: John Ferlan <jferlan@redhat.com>
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
The contents of a <rule> are a choice of exactly one union member. The
RNG schema, however, was allowing an arbitrary number of instances of every
union member at once.
Reviewed-by: John Ferlan <jferlan@redhat.com>
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
Adding an IDE controller for a machinetype that has no built-in IDE
controller, libvirt will log an error. Currently the machinetype list
which returns by qemuDomainMachineHasBuiltinIDE only includes 440fx,
malta, sun4u and g3beige.
Signed-off-by: Lin Ma <lma@suse.com>
Signed-off-by: John Ferlan <jferlan@redhat.com>
Adding an IDE controller for a machinetype that has no built-in IDE
controller, libvirt will log an error. Currently the machinetype list
which returns by qemuDomainMachineHasBuiltinIDE only includes 440fx,
malta, sun4u and g3beige.
Remove the disk and the .args file since the expectation is the test
will fail in qemuxml2argvtest because floppy is not supported on pseries
and thus no disk is necessary and no .args file would be created to
compare against.
Signed-off-by: Lin Ma <lma@suse.com>
Signed-off-by: John Ferlan <jferlan@redhat.com>
Separate the logic of creating devices from their gathering.
Use this new function in qemuDomainNamespaceSetupHostdev and
qemuDomainNamespaceSetupDisk.
This patch pass event error up to the place where we can
use it. Error is passed only for sync blockjob event mode
as we can't use the error in async mode. In async mode we
just pass the event details to the client thru event API
but current blockjob event API can not carry extra parameter.
Signed-off-by: Jiri Denemark <jdenemar@redhat.com>
The unprivileged libvirtd does not support nwfilter config, by leaves the
driver active. It is supposed to result in all APIs being an effective
no-op, but several APIs rely on driver->nwfilters being non-NULL, or they
will reference a NULL pointer. Rather than adding checks for NULL in many
places, just make sure driver->nwfilters is always initialized.
Reviewed-by: John Ferlan <jferlan@redhat.com>
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
There's no reason for the files to have generic- prefix
since they all live under genericxml2xmlindata and
genericxml2xmloutdata directories.
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
There's no reason for the files to have qemuxml2xmlout- prefix
since they all live under qemuxml2xmloutdata directory.
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
There's no reason for the files to have qemuargv2xml- prefix
since they all live under qemuargv2xmldata directory.
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
There's no reason for the files to have qemuagent- prefix
since they all live under qemuagentdata directory.
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
SELinux and DAC drivers already have both functions but they were not
exported as public API of security manager.
Signed-off-by: Pavel Hrdina <phrdina@redhat.com>
gettext, gnutls and libgcrypt are already installed on the
system, so we don't need to request their installation.
Signed-off-by: Andrea Bolognani <abologna@redhat.com>
Reviewed-by: Daniel P. Berrange <berrange@redhat.com>
Installed packages might be outdated by the time the build
runs, so we should update them.
Signed-off-by: Andrea Bolognani <abologna@redhat.com>
Reviewed-by: Daniel P. Berrange <berrange@redhat.com>
The manual page clearly states that
gettid() is Linux-specific and should not be used in programs
that are intended to be portable.
Unfortunately, it looks like macOS implemented the functionality
and defined SYS_gettid accordingly, only to deprecate syscall()
altogether with 10.12 (Sierra), released last late year.
To avoid compilation errors, call gettid() on Linux only.
Signed-off-by: Andrea Bolognani <abologna@redhat.com>
Reviewed-by: Daniel P. Berrange <berrange@redhat.com>
Similarly to the previous commit, rename .args files.
The files were renamed using the following commands. From
qemuxml2argvdata:
for i in qemuxml2argv-*.args; do mv $i ${i#qemuxml2argv-}; done
and then (to fix broken symlinks) from qemuxml2argvdata and
qemuxml2xmloutdata:
for i in $(find . -xtype l); do \
ln -sf $(readlink $i | sed 's/qemuxml2argv-//') $i;
done
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
These XMLs live in a separate directory, there's no need for them
to have a special prefix in addition. It also doesn't play nicely
with ':e' completion in Vim, finding proper file based on
qemuxml2argvtest.c is also needlessly complicated.
The files were renamed using the following commands. From
qemuxml2argvdata:
for i in qemuxml2argv-*.xml; do mv $i ${i#qemuxml2argv-}; done
and then (to fix broken symlinks) from qemuxml2argvdata and
qemuxml2xmloutdata:
for i in $(find . -xtype l); do \
ln -sf $(readlink $i | sed 's/qemuxml2argv-//') $i;
done
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Noticed the following denial in audit.log when shutting down
an apparmor confined domain
type=AVC msg=audit(1512002299.742:131): apparmor="DENIED"
operation="open" profile="libvirt-66154842-e926-4f92-92f0-1c1bf61dd1ff"
name="/proc/1475/cmdline" pid=2958 comm="qemu-system-x86"
requested_mask="r" denied_mask="r" fsuid=469 ouid=0
Squelch the denial by allowing read access to /proc/<pid>/cmdline.
Clean up the style a bit w/r/t to not using a unary operator on an
integer value that could be zero - compare vs. zero instead.
Set the def->mem_nodes[*].distances to rdist or ldist inside the
if condition - no need to set outside since the value being set
to is what was fetched.
During cleanup, be sure to initialize the ndistances on error and
use the < 0 comparison not the unary one.
==899== 39 bytes in 1 blocks are definitely lost in loss record 732 of 1,003
==899== at 0x4C2AEDF: malloc (vg_replace_malloc.c:299)
==899== by 0x8B68CE7: vasprintf (in /lib64/libc-2.25.so)
==899== by 0x55498D2: virVasprintfInternal (virstring.c:708)
==899== by 0x55499E7: virAsprintfInternal (virstring.c:729)
==899== by 0x2BECFFF0: qemuGetMemoryBackingBasePath (qemu_conf.c:1757)
==899== by 0x2BF23225: qemuStateInitialize (qemu_driver.c:893)
==899== by 0x563073D: virStateInitialize (libvirt.c:770)
==899== by 0x124CC4: daemonRunStateInit (libvirtd.c:834)
==899== by 0x55521CD: virThreadHelper (virthread.c:206)
==899== by 0x88D9686: start_thread (in /lib64/libpthread-2.25.so)
==899== by 0x8BEAEFE: clone (in /lib64/libc-2.25.so)
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
==1277== 8 bytes in 4 blocks are definitely lost in loss record 39 of 131
==1277== at 0x4C2AEDF: malloc (vg_replace_malloc.c:299)
==1277== by 0x68BBBC8: xmlStrndup (in /usr/lib64/libxml2.so.2.9.4)
==1277== by 0x53B1DC2: virXMLPropString (virxml.c:510)
==1277== by 0x53D696A: virDomainDiskBackingStoreParse (domain_conf.c:8639)
==1277== by 0x53DA684: virDomainDiskDefParseXML (domain_conf.c:9590)
==1277== by 0x53F619F: virDomainDefParseXML (domain_conf.c:19233)
==1277== by 0x53F96EE: virDomainDefParseNode (domain_conf.c:20083)
==1277== by 0x53F9540: virDomainDefParse (domain_conf.c:20027)
==1277== by 0x53F95E6: virDomainDefParseFile (domain_conf.c:20053)
==1277== by 0x44D1D4: testCompareDomXML2XMLFiles (testutils.c:1265)
==1277== by 0x42FC7C: testXML2XMLActive (qemuxml2xmltest.c:71)
==1277== by 0x44AD20: virTestRun (testutils.c:180)
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
==861== 3 bytes in 1 blocks are definitely lost in loss record 3 of 168
==861== at 0x4C2AEDF: malloc (vg_replace_malloc.c:299)
==861== by 0x8C7FBC8: xmlStrndup (in /usr/lib64/libxml2.so.2.9.4)
==861== by 0x5DCCDC2: virXMLPropString (virxml.c:510)
==861== by 0x5DF1232: virDomainDiskSourceNetworkParse (domain_conf.c:8445)
==861== by 0x5DF1728: virDomainDiskSourceParse (domain_conf.c:8576)
==861== by 0x5DF41A5: virDomainDiskDefParseXML (domain_conf.c:9238)
==861== by 0x5E1119F: virDomainDefParseXML (domain_conf.c:19233)
==861== by 0x5E146EE: virDomainDefParseNode (domain_conf.c:20083)
==861== by 0x5E14540: virDomainDefParse (domain_conf.c:20027)
==861== by 0x5E145E6: virDomainDefParseFile (domain_conf.c:20053)
==861== by 0x4053CC: testCompareXMLToArgv (qemuxml2argvtest.c:455)
==861== by 0x41F135: virTestRun (testutils.c:180)
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Raw local files do not pass through the backing store detector and thus
the code did not allocate the required backing store terminator for
them. Previously the terminating element would be formatted into the XML
since the default values used for the metadata allowed that. This is a
regression since a693fdba01 which was not detected in the review.
This patch also reverts all the changes in the test files.
Until now we would skip loading of the backing chain for files which
don't support backing chains only when starting up the VM. Move the
check from qemuProcessPrepareHostStorage with some adaptations so that's
always applied.
The graphics code is complex and there are a lot of exceptions and
backward compatible combinations. One of them is the possibility
to configure "spice_auto_unix_socket" in qemu.conf which will convert
all spice graphics with listen type "address" without any address
specified to listen type "socket" when the guest is started.
We don't format this generated socket into migratable XML to make
migration work with older libvirt. However, spice has another
exception that if autoport='no' and there is no port configured
it is converted to listen type "none". Because of this we need
to format autoport='yes' to make sure that the listen type will
be the same as the offline XML.
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1511407
Reviewed-by: Jiri Denemark <jdenemar@redhat.com>
Signed-off-by: Pavel Hrdina <phrdina@redhat.com>
In status XML, we do not store the QEMU version information, we only
format all the capabilities. We dropped QEMU_CAPS_PCI_MULTIBUS
in commit 5b783379 which was released in libvirt 3.2.0.
Therefore the only way of telling if the already running domain
at the time of daemon restart has been started with a QEMU that does
use 'pci.0' or not on PPC is to look at the pci-root controller's
alias. This is not an option if the domain has a user-specified alias
for the pci-root.
Instead of reintroducing the capability, assume 'pci.0' when we have
no version information. That way the only left broken use case would
be the combination of user aliases and very old QEMU.
Partially reverts commit 3a37af1e4.
https://bugzilla.redhat.com/show_bug.cgi?id=1518148
We do not fill out qemuCaps->arch when parsing status XML.
Use def->os.arch like we do for PPC.
This fixes hotplug after daemon restart for domains that use
a user alias for the implicit pci-root on x86.
https://bugzilla.redhat.com/show_bug.cgi?id=1518148
For some corner cases, virQEMUCapsHasPCIMultiBus depends on the QEMU
version, which is by design not stored in the status XML and therefore
it cannot be fixed for all existing running domains.
Prefer the controller alias read from the status XML when formatting
PCI addresses and only fall back to using virQEMUCapsHasPCIMultiBus
if the alias is a user alias.
This fixes hotplug after daemon restart for domains not using user
aliases.
Partially reverts commit 937f3195.
https://bugzilla.redhat.com/show_bug.cgi?id=1518148
The 'wiremode' attribute exists in a couple of Xen XML files, but no code has
ever parsed that value. It was later added to the RNG schema too, again despite
there not being any code which parses it.
Reviewed-by: Jim Fehlig <jfehlig@suse.com>
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
The libxlxml2domconfigdata directory was not covered in the RNG schema
tests. This hid a few bugs in both the libxl XML files and the RNG
schema itself.
Reviewed-by: Jim Fehlig <jfehlig@suse.com>
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
Adjust function descriptions of virQEMUCapsInitCPUModelS390 and
virQEMUCapsInitCPUModel to the changes introduced with
commitID 74fc32a955.
Signed-off-by: Boris Fiuczynski <fiuczy@linux.vnet.ibm.com>
Reviewed-by: Marc Hartmayer <mhartmay@linux.vnet.ibm.com>
Signed-off-by: Jiri Denemark <jdenemar@redhat.com>
If the spec file applies a patch which touches any file in the API XMLs
dependency tree, we need to regenerate the XMLs and consequently
recreate hvsupport.html. The file will contain a time stamp in a comment
which means it will be different every time the package is built. The
commit a54c962286 which added the time stamp also added support for
SOURCE_DATE_EPOCH environment variable. Let's set it to the time stamp
of the spec file itself to make the build reproducible.
Signed-off-by: Jiri Denemark <jdenemar@redhat.com>
Reviewed-by: Pino Toscano <ptoscano@redhat.com>