Commit Graph

30786 Commits

Author SHA1 Message Date
Christian Ehrhardt
aa9e3354ef
apparmor: allow expected /tmp access patterns
Several cases were found needing /tmp, for example ceph will try to list /tmp
This is a compromise of security and usability:
 - we only allow generally enumerating the base dir
 - enumerating anything deeper in the dir is at least guarded by the
   "owner" restriction, but while that protects files of other services
   it won't protect qemu instances against each other as they usually run
   with the same user.
 - even with the owner restriction we only allow read for the wildcard
   path

Acked-by: Jamie Strandboge <jamie@canonical.com>
Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
2018-08-16 13:07:37 +02:00
Christian Ehrhardt
a2028ae716
apparmor: add mediation rules for unconfined guests
If a guest runs unconfined <seclabel type='none'>, but libvirtd is
confined then the peer for signal can only be detected as
'unconfined'. That triggers issues like:
   apparmor="DENIED" operation="signal"
   profile="/usr/sbin/libvirtd" pid=22395 comm="libvirtd"
   requested_mask="send" denied_mask="send" signal=term peer="unconfined"

To fix this add unconfined as an allowed peer for those operations.

I discussed with the apparmor folks, right now there is no better
separation to be made in this case. But there might be further down the
road with "policy namespaces with scope and view control + stacking"

This is more a use-case addition than a fix to the following two changes:
- 3b1d19e6 AppArmor: add rules needed with additional mediation features
- b482925c apparmor: support ptrace checks

Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
Acked-by: Jamie Strandboge <jamie@canonical.com>
Acked-by: intrigeri <intrigeri+libvirt@boum.org>
2018-08-16 12:58:56 +02:00
Christian Ehrhardt
1262cbf3a0
apparmor: allow openGraphicsFD for virt manager >1.4
virt-manager's UI connection will need socket access for openGraphicsFD
to work - otherwise users will face a failed connection error when
opening the UI view.

Depending on the exact versions of libvirt and qemu involved this needs
either a rule from qemu to libvirt or vice versa.

Acked-by: Jamie Strandboge <jamie@canonical.com>
Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
2018-08-16 12:58:56 +02:00
John Ferlan
f951277716 rpc: Don't overwrite virAuthGet{Username|Password}Path errors
Now that the virAuthGet*Path API's generate all the error messages
we can remove them from the callers.

Signed-off-by: John Ferlan <jferlan@redhat.com>
Reviewed-by: Marcos Paulo de Souza <marcos.souza.org@gmail.com>
2018-08-15 15:42:37 -04:00
John Ferlan
a9a476e3fb test: Don't overwrite virAuthGet{Username|Password} errors
Now that the virAuthGet*Path API's generate all the error messages
we can remove them from the callers.

Signed-off-by: John Ferlan <jferlan@redhat.com>
Reviewed-by: Marcos Paulo de Souza <marcos.souza.org@gmail.com>
2018-08-15 15:42:31 -04:00
John Ferlan
e456575e6f xenapi: Don't overwrite virAuthGet{Username|Password} errors
Now that the virAuthGet*Path API's generate all the error messages
we can remove them from the callers. This means that we will no
longer overwrite the error from the API.

Signed-off-by: John Ferlan <jferlan@redhat.com>
Reviewed-by: Marcos Paulo de Souza <marcos.souza.org@gmail.com>
2018-08-15 15:42:25 -04:00
John Ferlan
62b04f698c phyp: Don't overwrite virAuthGet{Username|Password} errors
Now that the virAuthGet*Path API's generate all the error messages
we can remove them from the callers. This means that we will no
longer overwrite the error from the API.

Signed-off-by: John Ferlan <jferlan@redhat.com>
Reviewed-by: Marcos Paulo de Souza <marcos.souza.org@gmail.com>
2018-08-15 15:42:21 -04:00
John Ferlan
56a06e5089 hyperv: Don't overwrite virAuthGet{Username|Password} errors
Now that the virAuthGet*Path API's generate all the error messages
we can remove them from the callers. This means that we will no
longer overwrite the error from the API.

Signed-off-by: John Ferlan <jferlan@redhat.com>
Reviewed-by: Marcos Paulo de Souza <marcos.souza.org@gmail.com>
2018-08-15 15:42:17 -04:00
John Ferlan
359c6365b9 esx: Don't overwrite virAuthGet{Username|Password} errors
Now that the virAuthGet*Path API's generate all the error messages
we can remove them from the callers. This means that we will no
longer overwrite the error from the API.

Signed-off-by: John Ferlan <jferlan@redhat.com>
Reviewed-by: Marcos Paulo de Souza <marcos.souza.org@gmail.com>
2018-08-15 15:42:13 -04:00
John Ferlan
39f0f3ae65 util: Alter virAuthGet*Path API to generate auth->cb error
Rather than forcing the caller to generate an error, let's
generate the Username or Password error message failure if
the auth->cb fails. This is the last error path that needs
a specific message for various callers.

Signed-off-by: John Ferlan <jferlan@redhat.com>
Reviewed-by: Marcos Paulo de Souza <marcos.souza.org@gmail.com>
2018-08-15 15:42:08 -04:00
John Ferlan
5f0a9c45b3 util: Alter virAuthGet*Path API return processing
If we never find the valid credtype in the list, then we'd return
NULL without an error signaled forcing the caller to generate one
that will probably be incorrect. Let's be specific.

Signed-off-by: John Ferlan <jferlan@redhat.com>
Reviewed-by: Marcos Paulo de Souza <marcos.souza.org@gmail.com>
2018-08-15 15:42:03 -04:00
John Ferlan
efd8261541 util: Remove invalid parameter checks from virAuthGet{Username|Password}
Now that the virAuthGet*Path helpers make the checks, we can remove
them from here.

Signed-off-by: John Ferlan <jferlan@redhat.com>
Reviewed-by: Marcos Paulo de Souza <marcos.souza.org@gmail.com>
2018-08-15 15:41:55 -04:00
John Ferlan
3dc6b00f0d util: Alter virAuthGet*Path API to check valid callback
Before trying to call @auth->cb, let's ensure it exists.

Signed-off-by: John Ferlan <jferlan@redhat.com>
Reviewed-by: Marcos Paulo de Souza <marcos.souza.org@gmail.com>
2018-08-15 15:41:49 -04:00
John Ferlan
f707935abf util: Alter virAuthGet*Path API to check valid parameters
Before trying to dereference @auth, let's ensure it's valid.

Signed-off-by: John Ferlan <jferlan@redhat.com>
Reviewed-by: Marcos Paulo de Souza <marcos.souza.org@gmail.com>
2018-08-15 15:41:34 -04:00
Michal Privoznik
bfd91dc0c4 storage: Properly terminate secrets
The virSecretGetSecretString() helper looks up a secret for given
pool and returns its value in @secret_value and its length in
@secret_value_size. However, the trailing '\0' is not included in
either of the variables. This is because usually the value of the
secret is passed to some encoder (usually base64 encoder) where
the trailing zero must not be accounted for.

However, in two places we actually want the string as we don't
process it any further.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
2018-08-15 17:11:16 +02:00
Michal Privoznik
e3e48d7cb8 virtestmock: Track action
As advertised in the previous commit, we need the list of
accessed files to also contain action that caused the $path to
appear on the list. Not only this enables us to fine tune our
white list rules it also helps us to see why $path is reported.
For instance:

  /run/user/1000/libvirt/libvirt-sock: connect: qemuxml2argvtest: QEMU XML-2-ARGV net-vhostuser-multiq

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: John Ferlan <jferlan@redhat.com>
2018-08-15 10:16:16 +02:00
Michal Privoznik
7135cee755 check-file-access: Allow specifying action
The check-file-access.pl script is used to match access list
generated by virtestmock against whitelisted rules stored in
file_access_whitelist.txt. So far the rules are in form:

  $path: $progname: $testname

This is not sufficient because the rule does not take into
account 'action' that caused $path to appear in the list of
accessed files. After this commit the rule can be in new form:

  $path: $action: $progname: $testname

where $action is one from ("open", "fopen", "access", "stat",
"lstat", "connect"). This way the white list can be fine tuned to
allow say access() but not connect().

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: John Ferlan <jferlan@redhat.com>
2018-08-15 10:15:29 +02:00
Michal Privoznik
5c9277b6dd qemuxml2argvtest: Set more fake drivers
So far we are setting only fake secret and storage drivers.
Therefore if the code wants to call a public NWFilter API (like
qemuBuildInterfaceCommandLine() and qemuBuildNetCommandLine() are
doing) the virGetConnectNWFilter() function will try to actually
spawn session daemon because there's no connection object set to
handle NWFilter driver.

Even though I haven't experienced the same problem with the rest
of the drivers (interface, network and node dev), the reasoning
above can be applied to them as well.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: John Ferlan <jferlan@redhat.com>
2018-08-15 10:13:17 +02:00
Peter Krempa
1315be9936 tests: qemucapabilities: Update capability data for qemu 3.0.0
Update for the release of qemu 3.0.

Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
2018-08-15 10:02:24 +02:00
Bing Niu
7c2035ff33 news: Add support for MBA (Memory Bandwidth Allocation)
Signed-off-by: Bing Niu <bing.niu@intel.com>
2018-08-14 17:55:37 -04:00
Marc Hartmayer
7330d0918e rpc: Initialize a worker pool for max_workers=0 as well
Semantically, there is no difference between an uninitialized worker
pool and an initialized worker pool with zero workers. Let's allow the
worker pool to be initialized for max_workers=0 as well then which
makes the API more symmetric and simplifies code. Validity of the
worker pool is delegated to virThreadPoolGetMaxWorkers instead.

This patch fixes segmentation faults in
virNetServerGetThreadPoolParameters and
virNetServerSetThreadPoolParameters for the case when no worker pool
is actually initialized (max_workers=0).

Signed-off-by: Marc Hartmayer <mhartmay@linux.ibm.com>
2018-08-14 12:16:42 -04:00
Marcos Paulo de Souza
97f4a1044c xenapi: Drop check for auth
Since they are done inside virAuthGetPassword and virAuthGetUsername
when needed. Also, only auth is checked, but auth->cb, which that could
lead to a crash if the callback is NULL.

Signed-off-by: Marcos Paulo de Souza <marcos.souza.org@gmail.com>
2018-08-14 16:16:31 +02:00
Marcos Paulo de Souza
93db97ee40 phyp: Drop check for auth and auth->cb
Since they are done inside virAuthGetPassword and virAuthGetUsername
when needed.

Signed-off-by: Marcos Paulo de Souza <marcos.souza.org@gmail.com>
2018-08-14 16:11:15 +02:00
Marcos Paulo de Souza
dd2a6cc80b hyperv: Drop check for auth and auth->cb
Since they are done inside virAuthGetPassword and virAuthGetUsername
when needed.

Signed-off-by: Marcos Paulo de Souza <marcos.souza.org@gmail.com>
2018-08-14 16:11:08 +02:00
Marcos Paulo de Souza
d16f4795ef esx: Drop check for auth and auth->cb
Since they are done inside virAuthGetPassword and virAuthGetUsername
when needed.

Signed-off-by: Marcos Paulo de Souza <marcos.souza.org@gmail.com>
2018-08-14 16:08:45 +02:00
Marcos Paulo de Souza
69f4e093d0 virauth.c: Check for valid auth callback
Instead of adding the same check for every drivers, execute the checks
in virAuthGetUsername and virAuthGetPassword. These funtions are called
when user is not set in the URI.

Signed-off-by: Marcos Paulo de Souza <marcos.souza.org@gmail.com>
2018-08-14 16:03:04 +02:00
xinhua.Cao
b0c3e93180 libvirt_iohelper: record the libvirt_iohelper's error message at virFileWrapperFdFree
Currently iohelper's error log is recorded in virFileWrapperFdClose.
However, if something goes wrong the caller might not even get to
calling virFileWrapperFdClose and call virFileWrapperFdFree
directly. Therefore the error reporting should happen there.

Signed-off-by: xinhua.Cao <caoxinhua@huawei.com>
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
2018-08-14 16:00:25 +02:00
Andrea Bolognani
1df3fb7ccb tests: Add linux-high-ids test
This proves libvirt can now handle high socket_id and
core_id values correctly and ensures we won't introduce
regressions in this area.

Signed-off-by: Andrea Bolognani <abologna@redhat.com>
2018-08-14 15:52:35 +02:00
Andrea Bolognani
ba35ac2ebb utils: Remove arbitrary limit on socket_id/core_id
While in most cases the values are going to be much
smaller than our arbitrary 4096 limit, there is really
no guarantee that would be the case: in fact, a few
aarch64 servers have been spotted in the wild with
core_id as high as 6216.

Take advantage of virBitmap's ability to automatically
alter its size at runtime to accomodate such values.

Signed-off-by: Andrea Bolognani <abologna@redhat.com>
2018-08-14 15:52:34 +02:00
Andrea Bolognani
089849d3c4 tests: Drop core_siblings/thread_siblings files
The latter are no longer used by libvirt, and the former
never were; moreover, both have a corresponding *_list
file which we can manipulate very conveniently using our
bitmap APIs, so dropping them makes sure in the future
developers will look into that rather than trying to
parse the kernel binary bitmaps.

Signed-off-by: Andrea Bolognani <abologna@redhat.com>
2018-08-14 15:52:33 +02:00
Andrea Bolognani
794513e89d util: Rewrite virHostCPUCountThreadSiblings()
We already have a function which parses
thread_siblings_list for a CPU and returns the
corresponding bitmap, and a bunch of utility functions
that perform operations on bitmaps such as counting
the number of set bits: use those to implement the
function instead of having an additional ad-hoc parser
for thread_siblings.

Signed-off-by: Andrea Bolognani <abologna@redhat.com>
2018-08-14 15:52:32 +02:00
Andrea Bolognani
37e64f6508 tests: Add missing thread_siblings_list files
Some of the data dumps didn't include them; luckily,
we're not actually missing any information since we
can recreate them by looking at the corresponding
thread_sibilings files.

Signed-off-by: Andrea Bolognani <abologna@redhat.com>
2018-08-14 15:52:31 +02:00
Andrea Bolognani
22461d6427 tests: Drop unused data
Added by mistake with commit a0fdd2f6f9.

Signed-off-by: Andrea Bolognani <abologna@redhat.com>
2018-08-14 15:52:27 +02:00
Andrea Bolognani
95431c963e util: Drop VIR_HOST_CPU_MASK_LEN
Unused since commit c67e04e25f.

Signed-off-by: Andrea Bolognani <abologna@redhat.com>
2018-08-14 15:52:25 +02:00
Andrea Bolognani
fe5b35c6b2 spec: Enable the iscsi-direct storage driver conditionally
Most distributions we build RPMs on don't ship a
recent enough version of libiscsi, so we can't enable
the driver unconditionally. Add an explicit dependency
on the runtime package while at it.

Signed-off-by: Andrea Bolognani <abologna@redhat.com>
Reviewed-by: Pavel Hrdina <phrdina@redhat.com>
2018-08-14 15:01:40 +02:00
Andrea Bolognani
27bb9c944d spec: Require libiscsi-devel instead of libiscsi
Commit 34a6962c41 added a BuildRequires for the
iscsi-direct backend, but we need the headers rather
than the runtime package to be available in order to
link against the library.

Signed-off-by: Andrea Bolognani <abologna@redhat.com>
Reviewed-by: Erik Skultety <eskultet@redhat.com>
2018-08-14 14:33:10 +02:00
John Ferlan
b0451117b3 virsh: Add missed fields to pool-define-as item entry
https://bugzilla.redhat.com/show_bug.cgi?id=1615680

Commit id d45bee449 updated the pool-define-as qualifier descriptions
to add some new fields, but neglected to modify the command item list
in order to add those fields as well.

Signed-off-by: John Ferlan <jferlan@redhat.com>
2018-08-14 07:28:56 -04:00
Erik Skultety
ff7bd6a245 Fix build on non-linux platforms after another VIR_AUTOPTR patches
Caused by commit f7d0663d49. The problem is missing libnl library on
these platforms, so the VIR_DEFINE_AUTOPTR_FUNC has to be compiled in
conditionally.

Signed-off-by: Erik Skultety <eskultet@redhat.com>
2018-08-14 13:02:24 +02:00
Anya Harter
794080b486 conf: rename Match functions
name match functions to be the vir prefix and interface name followed by ObjMatch

    ex. for virNetworkObjListExport, the match function is named
        virNetworkObjMatch

Signed-off-by: Anya Harter <aharter@redhat.com>
Reviewed-by: Andrea Bolognani <abologna@redhat.com>
2018-08-14 12:41:43 +02:00
Anya Harter
1d8721c480 conf: rename Export Callback functions
name functions to be the name of the export function followed by Callback

    ex. for virInterfaceObjListExport, the callback function is named
        virInterfaceObjListExportCallback

Signed-off-by: Anya Harter <aharter@redhat.com>
Reviewed-by: Andrea Bolognani <abologna@redhat.com>
2018-08-14 12:41:40 +02:00
Anya Harter
5efc8d0caa conf: rename structs used by Export function
name structs to be the name of the Export function followed by Data
also tweak definitions to follow standard struct definition pattern

    ex. for virInterfaceObjListExport, the struct is defined as follows:

        typedef struct _virInterfaceObjListExportData virInterfaceObjListExportData;
        typedef virInterfaceObjListExportData *virInterfaceObjListExportDataPtr;
        struct _virInterfaceObjListExportData {...};

Signed-off-by: Anya Harter <aharter@redhat.com>
Reviewed-by: Andrea Bolognani <abologna@redhat.com>
2018-08-14 12:41:26 +02:00
Marcos Paulo de Souza
d8826129fd esx: Fix build when libcurl debug is enabled
When building libvirt with libcurl debug enabled (with
ESX_VI__CURL__ENABLE_DEBUG_OUTPUT set), the message bellow pops up:

make[3]: Entering directory '/mnt/data/gitroot/libvirt/src'
  CC       esx/libvirt_driver_esx_la-esx_vi.lo
esx/esx_vi.c: In function 'esxVI_CURL_Debug':
esx/esx_vi.c:191:5: error: enumeration value 'CURLINFO_SSL_DATA_IN' not handled in switch [-Werror=switch-enum]
     switch (type) {
     ^~~~~~
esx/esx_vi.c:191:5: error: enumeration value 'CURLINFO_SSL_DATA_OUT' not handled in switch [-Werror=switch-enum]
esx/esx_vi.c:191:5: error: enumeration value 'CURLINFO_END' not handled in switch [-Werror=switch-enum]

Our build requires at least libcurl 7.18.0, which is pretty stable since
it was release in 2008. Fix this problem by handling the mentioned enums
in the code.

Signed-off-by: Marcos Paulo de Souza <marcos.souza.org@gmail.com>
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
2018-08-13 21:44:33 +02:00
Bing Niu
7995fecc25 conf: Add memory bandwidth allocation capability of host
Add new XML section to report host's memory bandwidth allocation
capability. The format as below example:

 <host>
 .....
   <memory_bandwidth>
     <node id='0' cpus='0-19'>
       <control granularity='10' min ='10' maxAllocs='8'/>
     </node>
   </memory_bandwidth>
</host>

granularity   ---- granularity of memory bandwidth, unit percentage.
min           ---- minimum memory bandwidth allowed, unit percentage.
maxAllocs     ---- maximum memory bandwidth allocation group supported.

Signed-off-by: Bing Niu <bing.niu@intel.com>
Reviewed-by: John Ferlan <jferlan@redhat.com>
2018-08-13 14:19:41 -04:00
Bing Niu
8d6f508e64 conf: Add return value check to virResctrlAllocForeachCache
Add return value check to virResctrlAllocForeachCache in
virDomainCachetuneDefFormat. The virResctrlAllocForeachCache does have
return value, so need check return value to make sure function executed
without error.

Signed-off-by: Bing Niu <bing.niu@intel.com>
Reviewed-by: John Ferlan <jferlan@redhat.com>
2018-08-13 14:19:41 -04:00
Bing Niu
6956b7eedc conf: Add support for memorytune XML processing for resctrl MBA
Introduce a new section memorytune to support memory bandwidth allocation.
This is consistent with existing cachetune. As the example:
below:
  <cputune>
    ......
    <memorytune vcpus='0'>
      <node id='0' bandwidth='30'/>
    </memorytune>
  </cputune>

vpus      --- vpus subjected to this memory bandwidth.
id        --- on which node memory bandwidth to be set.
bandwidth --- the memory bandwidth percent to set.

Signed-off-by: Bing Niu <bing.niu@intel.com>
Reviewed-by: John Ferlan <jferlan@redhat.com>
2018-08-13 14:19:41 -04:00
Bing Niu
72824f67cd conf: Factor out virDomainResctrlDef update from virDomainCachetuneDefParse
Factor out vcpus virDomainResctrlDef update from
virDomainCachetuneDefParse and introduce virDomainResctrlAppend.
virDomainResctrlAppend will format vcpus string and append a new
virDomainResctrlDef to virDomainDefPtr. So that this logic can
be reusable.

Signed-off-by: Bing Niu <bing.niu@intel.com>
Reviewed-by: John Ferlan <jferlan@redhat.com>
2018-08-13 14:19:41 -04:00
Bing Niu
e5cc7c0a02 conf: Factor out vcpus overlapping from virDomainCachetuneDefParse
Factor out vcpus overlapping detecting part from
virDomainCachetuneDefParse and introduce virDomainResctrlVcpuMatch.
Instead of allocating virResctrlAllocPtr by default, allocating
virResctrlAllocPtr after confirm vcpus not overlap with existing ones.
And virDomainResctrlVcpuMatch can be reused by other resource control
technologies. virDomainResctrlVcpuMatch can clarify old vcpus overlap
error whether an overlap or a redefinition.

Signed-off-by: Bing Niu <bing.niu@intel.com>
Reviewed-by: John Ferlan <jferlan@redhat.com>
2018-08-13 14:19:41 -04:00
Bing Niu
6021c3926b conf: Factor out vcpus parsing part from virDomainCachetuneDefParse
Extract vcpus parsing part from virDomainCachetuneDefParse into one
function called virDomainResctrlParseVcpus. So that vcpus parsing logic
can be reused by other resource control technologies. Adjust error
message and use node->name so that the error message can fit to all
technologies.

Signed-off-by: Bing Niu <bing.niu@intel.com>
Reviewed-by: John Ferlan <jferlan@redhat.com>
2018-08-13 14:19:41 -04:00
Bing Niu
acc288d655 conf: Rename cachetune to resctrl
Resctrl not only supports cache tuning, but also memory bandwidth
tuning. Renaming cachetune to resctrl to reflect that. With resctrl,
all allocation for different resources (cache, memory bandwidth) are
aggregated and represented by a virResctrlAllocPtr inside
virDomainResctrlDef.

Signed-off-by: Bing Niu <bing.niu@intel.com>
Reviewed-by: John Ferlan <jferlan@redhat.com>
2018-08-13 14:19:41 -04:00
Bing Niu
5b66c6cc85 util: Introduce virResctrlAllocSetMemoryBandwidth
Introduce an API to allow setting of the MBA from domain XML.

Signed-off-by: Bing Niu <bing.niu@intel.com>
Reviewed-by: John Ferlan <jferlan@redhat.com>
2018-08-13 14:19:41 -04:00