Commit Graph

29016 Commits

Author SHA1 Message Date
Collin Walling
c003041034 qemu: check for model-expansion cap before baselining
Hypervisor-cpu-baseline requires the cpu-model-expansion
capability when expanding CPU model features if the
--features flag is provided.

Signed-off-by: Collin Walling <walling@linux.ibm.com>
Reviewed-by: Jiri Denemark <jdenemar@redhat.com>
2020-11-24 21:04:07 +01:00
Laine Stump
b19863640d util: call iptables directly rather than via firewalld
When libvirt added support for firewalld, we were unable to use
firewalld's higher level rules, because they weren't detailed enough
and could not be applied to the iptables FORWARD or OUTPUT chains
(only to the INPUT chain). Instead we changed our code so that rather
than running the iptables/ip6tables/ebtables binaries ourselves, we
would send these commands to firewalld as "passthrough commands", and
firewalld would run the appropriate program on our behalf.

This was done under the assumption that firewalld was somehow tracking
all these rules, and that this tracking was benefitting proper
operation of firewalld and the system in general.

Several years later this came up in a discussion on IRC, and we
learned from the firewalld developers that, in fact, adding iptables
and ebtables rules with firewalld's passthrough commands actually has
*no* advantage; firewalld doesn't keep track of these rules in any
way, and doesn't use them to tailor the construction of its own rules.

Meanwhile, users have been complaining for some time that whenever
firewalld is restarted on a system with libvirt virtual networks
and/or nwfilter rules active, the system logs would be flooded with
warning messages whining that [lots of different rules] could not be
deleted because they didn't exist. For example:

firewalld[3536040]: WARNING: COMMAND_FAILED:
  '/usr/sbin/iptables -w10 -w --table filter --delete LIBVIRT_OUT
  --out-interface virbr4 --protocol udp --destination-port 68
  --jump ACCEPT' failed: iptables: Bad rule
  (does a matching rule exist in that chain?).

(See https://bugzilla.redhat.com/1790837 for many more examples and a
discussion)

Note that these messages are created by iptables, but are logged by
firewalld - when an iptables/ebtables command fails, firewalld grabs
whatever is in stderr of the program, and spits it out to the system
log as a warning. We've requested that firewalld not do this (and
instead leave it up to the calling application to do the appropriate
logging), but this request has been respectfully denied.

But combining the two problems above ( 1) firewalld doesn't do
anything useful when you use it as a proxy to add/remove iptables
rules, 2) firewalld often insists on logging lots of
annoying/misleading/useless "error" messages when you use it as a
proxy to remove iptables rules that don't already exist), leads to a
solution - simply stop using firewalld to add and remove iptables
rules. Instead, exec iptables/ip6tables/ebtables directly in the same
way we do when firewalld isn't active.

We still need to keep track of whether or not firewalld is active, as
there are some things that must be done, e.g. we need to add some
actual firewalld rules in the firewalld "libvirt" zone, and we need to
take notice when firewalld restarts, so that we can reload all our
rules.

This patch doesn't remove the infrastructure that allows having
different firewall backends that perform their functions in different
ways, as that will very possibly come in handy in the future when we
want to have an nftables direct backend, and possibly a "pure"
firewalld backend (now that firewalld supports more complex rules, and
can add those rules to the FORWARD and OUTPUT chains). Instead, it
just changes the action when the selected backend is "firewalld" so
that it adds rules directly rather than through firewalld, while
leaving as much of the existing code intact as possible.

In order for tests to still pass, virfirewalltest also had to be
modified to behave in a different way (i.e. by capturing the generated
commandline as it does for the DIRECT backend, rather than capturing
dbus messages using a mocked dbus API).

Signed-off-by: Laine Stump <laine@redhat.com>
Reviewed-by: Daniel Henrique Barboza <danielhb413@gmail.com>
2020-11-24 14:22:06 -05:00
Laine Stump
070690538a util: synchronize with firewalld before we start calling iptables directly
When it is starting up, firewalld will delete all existing iptables
rules and chains before adding its own rules. If libvirtd were to try
to directly add iptables rules during the time before firewalld has
finished initializing, firewalld would end up deleting the rules that
libvirtd has just added.

Currently this isn't a problem, since libvirtd only adds iptables
rules via the firewalld "passthrough command" API, and so firewalld is
able to properly serialize everything. However, we will soon be
changing libvirtd to add its iptables and ebtables rules by directly
calling iptables/ebtables rather than via firewalld, thus removing the
serialization of libvirtd adding rules vs. firewalld deleting rules.

This will especially apparent (if we don't fix it in advance, as this
patch does) when libvirtd is responding to the dbus NameOwnerChanged
event, which is used to learn when firewalld has been restarted. In
that case, dbus sends the event before firewalld has been able to
complete its initialization, so when libvirt responds to the event by
adding back its iptables rules (with direct calls to
/usr/bin/iptables), some of those rules are added before firewalld has
a chance to do its "remove everything" startup protocol. The usual
result of this is that libvirt will successfully add its private
chains (e.g. LIBVIRT_INP, etc), but then fail when it tries to add a
rule jumping to one of those chains (because in the interim, firewalld
has deleted the new chains).

The solution is for libvirt to preface it's direct calling to iptables
with a iptables command sent via firewalld's passthrough command
API. Since commands sent to firewalld are completed synchronously, and
since firewalld won't service them until it has completed its own
initialization, this will assure that by the time libvirt starts
calling iptables to add rules, that firewalld will not be following up
by deleting any of those rules.

To minimize the amount of extra overhead, we request the simplest
iptables command possible: "iptables -V" (and aside from logging a
debug message, we ignore the result, for good measure).

(This patch is being done *before* the patch that switches to calling
iptables directly, so that everything will function properly with any
fractional part of the series applied).

Signed-off-by: Laine Stump <laine@redhat.com>
Reviewed-by: Daniel Henrique Barboza <danielhb413@gmail.com>
2020-11-24 14:21:58 -05:00
Laine Stump
56dd128bd0 util: always check for ebtables/iptables binaries, even when using firewalld
Even though *we* don't call ebtables/iptables/ip6tables (yet) when the
firewalld backend is selected, firewalld does, so these binaries need
to be there; let's check for them. (Also, the patch after this one is
going to start execing those binaries directly rather than via
firewalld).

Signed-off-by: Laine Stump <laine@redhat.com>
Reviewed-by: Daniel Henrique Barboza <danielhb413@gmail.com>
2020-11-24 14:21:53 -05:00
Laine Stump
c102bbd3ef network: be more verbose about the reason for a firewall reload
Signed-off-by: Laine Stump <laine@redhat.com>
Reviewed-by: Daniel Henrique Barboza <danielhb413@gmail.com>
2020-11-24 14:21:47 -05:00
Laine Stump
0a867cd895 util/tests: enable locking on iptables/ebtables commandlines by default
iptables and ip6tables have had a "-w" commandline option to grab a
systemwide lock that prevents two iptables invocations from modifying
the iptables chains since 2013 (upstream commit 93587a04 in
iptables-1.4.20).  Similarly, ebtables has had a "--concurrent"
commandline option for the same purpose since 2011 (in the upstream
ebtables commit f9b4bcb93, which was present in ebtables-2.0.10.4).

Libvirt added code to conditionally use the commandline option for
iptables/ip6tables in upstream commit ba95426d6f (libvirt-1.2.0,
November 2013), and for ebtables in upstream commit dc33e6e4a5
(libvirt-1.2.11, November 2014) (the latter actually *re*-added the
locking for iptables/ip6tables, as it had accidentally been removed
during a refactor of firewall code in the interim).

I say "conditionally" because a check was made during firewall module
initialization that tried executing a test command with the
-w/--concurrent option, and only continued using it for actual
commands if that test command completed successfully. At the time the
code was added this was a reasonable thing to do, as it had been less
than a year since introduction of -w to iptables, so many distros
supported by libvirt were still using iptables (and possibly even
ebtables) versions too old to have the new commandline options.

It is now 2020, and as far as I can discern from repology.org (and
manually examining a RHEL7.9 system), every version of every distro
that is supported by libvirt now uses new enough versions of both
iptables and ebtables that they all have support for -w/--concurrent.
That means we can finally remove the conditional code and simply
always use them.

Signed-off-by: Laine Stump <laine@redhat.com>
Reviewed-by: Daniel Henrique Barboza <danielhb413@gmail.com>
2020-11-24 14:21:29 -05:00
Laine Stump
e66451f685 util/tests: enable locking on iptables/ebtables commandlines in unit tests
All the unit tests that use iptables/ip6tables/ebtables have been
written to omit the locking/exclusive use primitive on the generated
commandlines. Even though none of the tests actually execute those
commands (and so it doesn't matter for purposes of the test whether or
not the commands support these options), it still made sense when some
systems had these locking options and some didn't.

We are now at a point where every supported Linux distro has supported
the locking options on these commands for quite a long time, and are
going to make their use non-optional. As a first step, this patch uses
the virFirewallSetLockOverride() function, which is called at the
beginning of all firewall-related tests, to set all the bools
controlling whether or not the locking options are used to true. This
means that all the test cases must be updated to include the proper
locking option in their commandlines.

The change to make actual execs of the commands unconditionally use
the locking option will be in an upcoming patch - this one affects
only the unit tests.

Signed-off-by: Laine Stump <laine@redhat.com>
Reviewed-by: Daniel Henrique Barboza <danielhb413@gmail.com>
2020-11-24 14:21:08 -05:00
Jiri Denemark
a32cc82793 cpu_map: Drop 'monitor' from modern x86 CPU models
The feature is never enabled by default on KVM and QEMU dropped it from
the models long ago.

https://bugzilla.redhat.com/show_bug.cgi?id=1798004

Signed-off-by: Jiri Denemark <jdenemar@redhat.com>
Reviewed-by: Tim Wiederhake <twiederh@redhat.com>
2020-11-24 20:13:23 +01:00
Jiri Denemark
7e0a310498 cpu_x86: Make sure removed features are always mentioned in CPU def
For backward compatibility with older versions of libvirt CPU models in
our CPU map are mostly immutable. We only changed them in a few specific
cases after showing it was safe. Sometimes QEMU developers realize a
specific feature should not be part of a particular (or any) CPU model
because it can never be enabled automatically without further
configuration. But we couldn't follow them because doing so would break
migration to older libvirt.

If QEMU drops feature F from CPU model M because F could not be enabled
automatically anyway, asking for M would never enable F. Even with older
QEMU versions. Naively removing F from libvirt's definition of M would
seem to work nicely on a single host. Libvirt would consider M to be
compatible with hosts CPU that do not support F. However, trying to
migrate domains using M without explicitly enabling or disabling F could
fail, because older libvirt would think F was enabled (it is part of M
there), but QEMU reports it as disabled once started.

Thus we can remove such feature from a libvirt's CPU model, but we have
to make sure any CPU definition using the affected model will always
explicitly mention the state of the removed feature.

https://bugzilla.redhat.com/show_bug.cgi?id=1798004

Signed-off-by: Jiri Denemark <jdenemar@redhat.com>
Reviewed-by: Tim Wiederhake <twiederh@redhat.com>
2020-11-24 20:13:23 +01:00
Jiri Denemark
52cbfb2186 cpu_x86: Add support for marking features as removed from a CPU model
The patch adds a new attribute for the 'feature' element in CPU model
specification to indicate that a given feature was removed from a CPU
model. In other words, older versions of libvirt would consider such
feature to be included in the CPU model.

Signed-off-by: Jiri Denemark <jdenemar@redhat.com>
Reviewed-by: Tim Wiederhake <twiederh@redhat.com>
2020-11-24 20:13:23 +01:00
Jiri Denemark
eefc839f0a cpu_x86: Change the flow in virCPUx86Update
This is just a preparation for adding new functionality to
virCPUx86Update.

Signed-off-by: Jiri Denemark <jdenemar@redhat.com>
Reviewed-by: Tim Wiederhake <twiederh@redhat.com>
2020-11-24 20:13:23 +01:00
Jiri Denemark
8a04e76610 cpu: Run arch specific code for virCPUUpdate for all custom CPUs
Until now, the function returned immediately when the guest CPU
definition did not use optional features or minimum match. Clearly,
there's nothing to be updated according to the host CPU in this case,
but the arch specific code may still want to do some compatibility
updates based on the model and features used in the guest CPU
definition.

Signed-off-by: Jiri Denemark <jdenemar@redhat.com>
Reviewed-by: Tim Wiederhake <twiederh@redhat.com>
2020-11-24 20:13:23 +01:00
Jiri Denemark
d7756a67bb conf: Add virCPUDefAddFeatureIfMissing
This new function adds a feature to a CPU definition only if it is not
present there yet.

Signed-off-by: Jiri Denemark <jdenemar@redhat.com>
Reviewed-by: Tim Wiederhake <twiederh@redhat.com>
2020-11-24 20:13:23 +01:00
Jiri Denemark
f5782579aa conf: Use enum in virCPUDefAddFeatureInternal
Replace the 'update' bool parameter with an enum so that we can have
more than two possible values.

Signed-off-by: Jiri Denemark <jdenemar@redhat.com>
Reviewed-by: Tim Wiederhake <twiederh@redhat.com>
2020-11-24 20:13:23 +01:00
Jiri Denemark
f06bb04549 conf: Rename virCPUDefUpdateFeatureInternal
The function is supposed to add a feature to a CPU definition, let's
name it virCPUDefAddFeatureInternal. The behavior in case the feature is
already present in the CPU def is configurable and we will soon add a
new option to not do anything in that case, which wouldn't really work
well with the current *Update* name.

Signed-off-by: Jiri Denemark <jdenemar@redhat.com>
Reviewed-by: Tim Wiederhake <twiederh@redhat.com>
2020-11-24 20:13:23 +01:00
Matt Coleman
a7a1d1f59e hyperv: XML parsing of storage volumes
dumpxml can now serialize:
* floppy drives
* file-backed and device-backed disk drives
* images mounted to virtual CD/DVD drives
* IDE and SCSI controllers

Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Co-authored-by: Sri Ramanujam <sramanujam@datto.com>
Signed-off-by: Matt Coleman <matt@datto.com>
2020-11-24 18:45:07 +00:00
Peter Krempa
4a3c80a668 qemu: conf: Introduce "migrate_tls_force" qemu.conf option
Forgetting to use the VIR_MIGRATE_TLS flag with migration can lead to
leak of sensitive information. Add an administrative knob to force use
of the flag.

Note that without VIR_MIGRATE_PEER2PEER, the migration is driven by an
instance of the client library which doesn't necessarily run on either
of the hosts so the flag can't be used to assume VIR_MIGRATE_TLS even
if it wasn't provided by the user instead of rejecting if it's not.

Resolves: https://gitlab.com/libvirt/libvirt/-/issues/67
Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
2020-11-24 17:59:26 +01:00
Peter Krempa
f8867ddb05 qemu: migration: Forbid tunnelled non-shared storage migration with -blockdev
qemu's internals were not prepared for switching to -blockdev for the
legacy storage migration. Add a proper error message since qemu is
unlikely to attempt fixing the old protocol.

Resolves: https://gitlab.com/libvirt/libvirt/-/issues/65
Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
2020-11-24 17:59:26 +01:00
Peter Krempa
b907b90e67 qemu: migration: Aggregate logic depending on tunnelled migration
Move and aggregate all the logic which is switched based on whether the
migration is tunnelled or not before other checks. Further checks will
be added later.

While the code is being moved the error message is put on a single line
per new coding style.

Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
2020-11-24 17:59:26 +01:00
Peter Krempa
45a84971fb qemu: migration: Remove TODO about implementing NBD for TUNNELLED migration
Our streams are not the best transport for migration data and we support
TLS for security now. It's unlikely that there will be enough motivation
to add a new migration protocol to tunnel NBD too.

Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
2020-11-24 17:59:26 +01:00
Peter Krempa
07620a0371 qemu: checkpoint: Write metadata of previously-'current' checkpoint on update
Similarly to previous commit dealing with snapshots we must rewrite the
metadata of the previously-'current' checkpoint when changing which
checkpoint is considered 'current'.

Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
2020-11-24 17:59:26 +01:00
Peter Krempa
5d8acaa8bc qemu: snapshot: Write metadata of previously-'current' snapshot on update
Whether a snapshot definition is considered 'current' or active is
stored in the metadata XML libvirt writes when we create metadata.

This means that if we are changing the 'current' snapshot we must
re-write the metadata of the previously 'current' snapshot to update the
field to prevent having multiple active snapshots.

Unfortunately the snapshot creation code didn't do this properly, which
resulted in the following error:

error : qemuDomainSnapshotLoad:430 : internal error: Too many snapshots claiming to be current for domain snapshot-test

being printed if libvirtd was terminated and restarted.

Introduce qemuSnapshotSetCurrent which writes out the old snapshot's
metadata when updating the current snapshot.

Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
2020-11-24 17:59:26 +01:00
Peter Krempa
926563dc3a qemuDomainSnapshotForEachQcow2: Pass in 'def' rather than selecting it internally
In some cases such as when creating an internal inactive snapshot we
know that the domain definition in the snapshot is equivalent to the
current definition. Additionally we set up the current definition for
the snapshotting but not the one contained in the snapshot. Thus in some
cases the caller knows better which def to use.

Make qemuDomainSnapshotForEachQcow2 take the definition by the caller
and copy the logic for selecting the definition to callers where we
don't know for sure that the above claim applies.

This fixes internal inactive snapshots when <disk type='volume'> is used
as we translate the pool/vol combo only in the current def.

Resolves: https://gitlab.com/libvirt/libvirt/-/issues/97
Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
2020-11-24 17:59:26 +01:00
Peter Krempa
d3c6c80c79 qemuDomainSnapshotForEachQcow2Raw: Lock out operation on unsupported storage
Don't try to manipulate snapshots on network or unresolved volume backed
storage.

Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
2020-11-24 17:59:26 +01:00
Peter Krempa
c15ff50da0 qemuDomainSnapshotForEachQcow2Raw: Avoid a level of indentation
'continue' the loop if the device is not a disk. Saving the level makes
one of the error messages fit on a single line.

Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
2020-11-24 17:59:26 +01:00
Peter Krempa
74ea12da1a virDomainDiskTranslateSourcePool: Don't break error message in half
Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
2020-11-24 17:59:26 +01:00
Peter Krempa
6a252ab4d1 virCommandAddArg: Don't abort on invalid input
Commit 912c6b22fc added abort() when the
'val' parameter is NULL along with setting the error variable for the
command. We don't want to abort in this case, just set the error.

Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
2020-11-24 17:59:26 +01:00
Michal Privoznik
a42b46dd7d virnetdaemon: Wait for "daemon-stop" thread to finish before quitting
When the host is shutting down then we get PrepareForShutdown
signal on DBus to which we react by creating a thread which
runs virStateStop() and thus qemuStateStop(). But if scheduling
the thread is delayed just a but it may happen that we receive
SIGTERM (sent by systemd) to which we respond by quitting our
event loop and cleaning up everything (including drivers). And
only after that the thread gets to run only to find qemu_driver
being NULL.

What we can do is to delay exiting event loop and join the thread
that's executing virStateStop(). If the join doesn't happen in
given timeout (currently 30 seconds) then libvirtd shuts down
forcefully anyways (see virNetDaemonRun()).

Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1895359
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1739564

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
2020-11-24 17:52:54 +01:00
Barrett Schonefeld
b67080b345 util: secret: remove cleanup labels
Signed-off-by: Barrett Schonefeld <bschoney@utexas.edu>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
Signed-off-by: Ján Tomko <jtomko@redhat.com>
2020-11-24 14:17:08 +01:00
Barrett Schonefeld
2ef7602685 util: storageencryption: remove cleanup labels
Signed-off-by: Barrett Schonefeld <bschoney@utexas.edu>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
Signed-off-by: Ján Tomko <jtomko@redhat.com>
2020-11-24 14:17:08 +01:00
Barrett Schonefeld
f3522af454 util: uri: remove cleanup label
Signed-off-by: Barrett Schonefeld <bschoney@utexas.edu>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
Signed-off-by: Ján Tomko <jtomko@redhat.com>
2020-11-24 14:17:08 +01:00
Barrett Schonefeld
32ec462fd9 util: cgroupv1: convert pointers to use g_autofree
Signed-off-by: Barrett Schonefeld <bschoney@utexas.edu>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
Signed-off-by: Ján Tomko <jtomko@redhat.com>
2020-11-24 14:17:08 +01:00
Barrett Schonefeld
20aee6203b util: dnsmasq: convert pointers to use g_autofree
Signed-off-by: Barrett Schonefeld <bschoney@utexas.edu>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
Signed-off-by: Ján Tomko <jtomko@redhat.com>
2020-11-24 14:17:08 +01:00
Barrett Schonefeld
e943f7ddee util: hostcpu: convert pointers to use g_autofree
Signed-off-by: Barrett Schonefeld <bschoney@utexas.edu>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
Signed-off-by: Ján Tomko <jtomko@redhat.com>
2020-11-24 14:17:07 +01:00
Barrett Schonefeld
a93413c4d5 util: lockspace: convert pointers to use g_autofree
Signed-off-by: Barrett Schonefeld <bschoney@utexas.edu>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
Signed-off-by: Ján Tomko <jtomko@redhat.com>
2020-11-24 14:17:07 +01:00
Barrett Schonefeld
8e9598dcad util: log: convert pointers to use g_autofree
Signed-off-by: Barrett Schonefeld <bschoney@utexas.edu>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
Signed-off-by: Ján Tomko <jtomko@redhat.com>
2020-11-24 14:17:07 +01:00
Barrett Schonefeld
cf751a5feb util: macmap: convert pointers to use g_autofree
Signed-off-by: Barrett Schonefeld <bschoney@utexas.edu>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
Signed-off-by: Ján Tomko <jtomko@redhat.com>
2020-11-24 14:17:07 +01:00
Barrett Schonefeld
5290d1000e util: secret: convert pointers to use g_autofree
Signed-off-by: Barrett Schonefeld <bschoney@utexas.edu>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
Signed-off-by: Ján Tomko <jtomko@redhat.com>
2020-11-24 14:17:07 +01:00
Barrett Schonefeld
005aeb3936 util: storageencryption: convert pointers to use g_autofree
Signed-off-by: Barrett Schonefeld <bschoney@utexas.edu>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
Signed-off-by: Ján Tomko <jtomko@redhat.com>
2020-11-24 14:17:07 +01:00
Barrett Schonefeld
266df90f5e util: storagefilebackend: convert pointers to use g_autofree
Signed-off-by: Barrett Schonefeld <bschoney@utexas.edu>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
Signed-off-by: Ján Tomko <jtomko@redhat.com>
2020-11-24 14:17:07 +01:00
Barrett Schonefeld
47cd3d9298 util: uri: convert pointers to use g_autofree
Signed-off-by: Barrett Schonefeld <bschoney@utexas.edu>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
Signed-off-by: Ján Tomko <jtomko@redhat.com>
2020-11-24 14:17:07 +01:00
Barrett Schonefeld
344415a306 util: xml: convert pointers to use g_autofree
Signed-off-by: Barrett Schonefeld <bschoney@utexas.edu>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
Signed-off-by: Ján Tomko <jtomko@redhat.com>
2020-11-24 14:17:07 +01:00
Daniel P. Berrangé
24ce5a6cd2 qemu: fix setting of scsi-id for ESP SCSI controllers
The ESP SCSI controllers (NCR53C90, DC390, AM53C974) have the same
requirement as the LSI Logic controller for each disk to be set via
the scsi-id=NNN property, not the lun=NNN property.

Switching the code to use an enum will force authors to pay attention
to this difference when adding future SCSI controllers.

Reviewed-by: Laine Stump <laine@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
2020-11-23 12:43:23 +00:00
Michal Privoznik
cbf33fbaf6 virDomainAuthorizedSSHKeysSet: Use uint for @nkeys
When introducing the API I've mistakenly used 'int' type for
@nkeys argument which does nothing more than tells the API how
many items there are in @keys array. Obviously, negative values
are not expected and therefore 'unsigned int' should have been
used.

Reported-by: Daniel P. Berrangé <berrange@redhat.com>
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
2020-11-23 13:35:16 +01:00
Daniel P. Berrangé
d2d737551a qemu: enable support for ESP SCSI controller family
The NCR53C90 is the built-in SCSI controller on all sparc machine types,
but not sparc64. Note that it has the fixed alias "scsi", which differs
from our normal naming convention of "scsi0".

The DC390 and AM53C974 are PCI SCSI controllers that can be added to any
PCI machine.

Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
2020-11-20 12:09:51 +00:00
Daniel P. Berrangé
98caef4a55 qemu: add capabilities for the three ESP family SCSI controllers
Probing for the NCR53C90 controller is a little unusual. The
qom-list-types QMP command returns a list of all types known to
the QEMU binary. It does not distinguish devices which are user
creatable from those which are built-in.

Any QEMU target that supports PCI will have the DC390 / AM53C974
devices because they are PCI based. Due to code dependencies
in QEMU though, existence of these two devices will also pull in
the NCR53C90 device (called just 'esp' in QEMU). The NCR53C90 is
not user-creatable and can only be used when built-in to the
machine type.

This is only the case on sparc machines, and certain mips64 and
m68k machines.  IOW, we don't rely on qom-list-types as a guide
for existence of NCR53C90, as it shouldn't really exist in most
QEMU binaries.

Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
2020-11-20 12:09:51 +00:00
Daniel P. Berrangé
19264c706b conf: add support for ESP SCSI controller family
The NCR53C90 is the built-in SCSI controller on all sparc machine types,
and some mips and m68k machine types.

The DC390 and AM53C974 are PCI SCSI controllers that can be added to any
PCI machine.

These are only interesting for emulating obsolete hardware platforms.

Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
2020-11-20 12:09:51 +00:00
Daniel P. Berrangé
044eed3f94 qemu: add helper method for checking if ESP SCSI is builtin
The NCR53C90 ESP SCSI controller is only usable when built-in to the
machine type. This method will facilitate checking that restriction
across many places.

Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
2020-11-20 12:09:51 +00:00
Daniel P. Berrangé
51a391d879 qemu: fix default devices on sparc machines
The sparc machines have little in common with sparc64 machines.

No sparc machine type includes a PCI bus, so we should not be adding one
to the XML. This further means that we should not be adding a memory
balloon device, nor USB controller as these are both PCI based.

Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
2020-11-20 12:09:51 +00:00
Daniel P. Berrangé
05734471bb util: add ARCH_IS_MIPS64 helper macro
In most cases logic for MIPS64 and MIPS64EL will be identical.

Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
2020-11-20 12:09:51 +00:00
Andrea Bolognani
6e8f28dc25 network: Drop UUID handling for default network
We are generating a fresh UUID and storing it in the XML for the
default network, but this is unnecessary because the network
driver will automatically generate one if it's missing from the
XML; the fact that we only do this if the uuidgen command happens
to be available on the build machine is further proof that we can
safely skip this step.

This patch is best viewed with 'git show -w'.

Signed-off-by: Andrea Bolognani <abologna@redhat.com>
Reviewed-by: Laine Stump <laine@redhat.com>
2020-11-20 11:44:05 +01:00
Andrea Bolognani
f69e5ea9f7 conf: Write network config to disk after generating UUID
While we generally expect libvirt objects to be defined using the
appropriate APIs, there are cases where it's reasonable for an
external entity, usually a package manager, to drop a valid
configuration file under /etc/libvirt and have libvirt take over
from there: notably, this is exactly how the default network is
handled.

For the most part, whether the configuration is saved back to disk
after being parsed by libvirt doesn't matter, because we'll end up
with the same values anyway, but an obvious exception to this is
data that gets randomly generated when not present, namely MAC
address and UUID.

Historically, both were handled by our build system, but commit
a47ae7c004 moved handling of the former inside libvirt proper;
this commit extends such behavior to the latter as well.

Proper error handling for the virNetworkSaveConfig() call, which
was missing until now, is introduced in the process.

Signed-off-by: Andrea Bolognani <abologna@redhat.com>
Reviewed-by: Laine Stump <laine@redhat.com>
2020-11-20 11:43:56 +01:00
Matt Coleman
8ce8d591b0 domain_conf: use g_free() in virDomainPostParseCheckISCSIPath()
Signed-off-by: Matt Coleman <matt@datto.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
Signed-off-by: Ján Tomko <jtomko@redhat.com>
2020-11-19 15:22:31 +01:00
Ján Tomko
e15244a3c1 openvzDomainMigratePrepare3Params: use g_auto
Signed-off-by: Ján Tomko <jtomko@redhat.com>
Reviewed-by: Erik Skultety <eskultet@redhat.com>
2020-11-19 15:21:59 +01:00
Ján Tomko
674b961d77 openvzDomainMigratePrepare3Params: remove else after goto
We jump to the error label if the 'if' condition is true.
Remove the explicit else to make it more obvious that 'hostname'
is filled on both branches of 'if (!uri_in)'.

Signed-off-by: Ján Tomko <jtomko@redhat.com>
Reviewed-by: Erik Skultety <eskultet@redhat.com>
2020-11-19 15:21:59 +01:00
Ján Tomko
f070334425 openvzDomainMigratePrepare3Params: correctly use hostname
In case no uri_in was supplied, we forgot to set the hostname
to the current hostname and formatted a useless uri_out.

src/util/glibcompat.h:57:26: error: ‘%s’ directive argument is null [-Werror=format-overflow=]
  57 | # define g_strdup_printf vir_g_strdup_printf
src/openvz/openvz_driver.c:2136:16: note: in expansion of macro ‘g_strdup_printf’
2136 |     *uri_out = g_strdup_printf("ssh://%s", hostname);

Signed-off-by: Ján Tomko <jtomko@redhat.com>
Reported-by: Jaroslav Suchanek <jsuchane@redhat.com>
Fixes: e3c626a61d
Reviewed-by: Erik Skultety <eskultet@redhat.com>
2020-11-19 15:21:59 +01:00
Pavel Hrdina
3f2b7d3fe2 src: rework static analysis detection
Inspired by QEMU code.

Signed-off-by: Pavel Hrdina <phrdina@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
2020-11-19 14:38:13 +01:00
Michal Privoznik
912421e7b6 domain_capabilities: Assert enums fit into unsigned int bitmask
The way our domain capabilities work currently, is that we have
virDomainCapsEnum struct which contains 'unsigned int values'
member which serves as a bitmask. More complicated structs are
composed from this struct, giving us whole virDomainCaps
eventually.

Whenever we want to report that a certain value is supported, the
'1 << value' bit is set in the corresponding unsigned int member.
This works as long as the resulting value after bitshift does not
overflow unsigned int. There is a check inside
virDomainCapsEnumSet() which ensures exactly this, but no caller
really checks whether virDomainCapsEnumSet() succeeded. Also,
checking at runtime is a bit too late.

Fortunately, we know the largest value we want to store in each
member, because each enum of ours ends with _LAST member.
Therefore, we can check at build time whether an overflow can
occur.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Erik Skultety <eskultet@redhat.com>
2020-11-19 14:31:12 +01:00
Shaojun Yang
1fdbd4047e cpu_map: Add Phytium FT-2000+ and Tengyun-S2500
Signed-off-by: Shaojun Yang <yangshaojun@phytium.com.cn>
Reviewed-by: Andrea Bolognani <abologna@redhat.com>
2020-11-19 11:33:52 +01:00
Ján Tomko
0a8d561433 cgroup: add stub for virCgroupNew
The previous commit exported the function but forgot to add
a non-Linux stub.

Signed-off-by: Ján Tomko <jtomko@redhat.com>
Fixes: 126cb34a20
2020-11-19 11:31:32 +01:00
Pavel Hrdina
126cb34a20 virt-host-validate: fix detection with cgroups v2
Using virtCgroupNewSelf() is not correct with cgroups v2 because the
the virt-host-validate process is executed from from the same cgroup
context as the terminal and usually not all controllers are enabled
by default.

To do a proper check we need to use the root cgroup to see what
controllers are actually available. Libvirt or systemd ensures that
all controllers are available for VMs as well.

This still doesn't solve the devices controller with cgroups v2 where
there is no controller as it was replaced by eBPF. Currently libvirt
tries to query eBPF programs which usually works only for root as
regular users will get permission denied for that operation.

Fixes: https://gitlab.com/libvirt/libvirt/-/issues/94

Signed-off-by: Pavel Hrdina <phrdina@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
2020-11-19 01:18:35 +01:00
Michal Privoznik
2500b5ed9d qemu: Implement OpenSSH authorized key file mgmt APIs
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1888537

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Peter Krempa <pkrempa@redhat.com>
2020-11-18 16:18:25 +01:00
Marc-André Lureau
9770578904 qemu_agent: add qemuAgentSSH{Add,Remove,Get}AuthorizedKeys
In QEMU 5.2, the guest agent learned to manipulate a user
~/.ssh/authorized_keys. Bind the JSON API to libvirt.

https://wiki.qemu.org/ChangeLog/5.2#Guest_agent

Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Peter Krempa <pkrempa@redhat.com>
2020-11-18 16:18:25 +01:00
Michal Privoznik
40c35dfa1f remote: Implement OpenSSH authorized key file mgmt APIs
Since both APIs accept/return an array of strings we can't have
client/server dispatch code generated. But implementation is
fairly trivial, although verbose.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Peter Krempa <pkrempa@redhat.com>
2020-11-18 16:18:25 +01:00
Michal Privoznik
de0b6dd63e Introduce OpenSSH authorized key file mgmt APIs
When setting up a new guest or when a management software wants
to allow access to an existing guest the
virDomainSetUserPassword() API can be used, but that might be not
good enough if user want to ssh into the guest. Not only sshd has
to be configured to accept password authentication (which is
usually not the case for root), user have to type in their
password. Using SSH keys is more convenient. Therefore, two new
APIs are introduced:

virDomainAuthorizedSSHKeysGet() which lists authorized keys for
given user, and

virDomainAuthorizedSSHKeysSet() which modifies the authorized
keys file for given user (append, set or remove keys from the
file).

It's worth nothing that while authorized_keys file entries have
some structure (as defined by sshd(8)), expressing that structure
goes beyond libvirt's focus and thus "keys" are nothing but an
opaque string to libvirt.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Peter Krempa <pkrempa@redhat.com>
2020-11-18 16:18:25 +01:00
Ján Tomko
7dc12ac2f8 qemu_conf: fix a typo in comment
Ceci n'est pas un objet.

Signed-off-by: Ján Tomko <jtomko@redhat.com>
Fixes: 7db61843b0
2020-11-18 15:03:11 +01:00
Martin Kletzander
65491a2dfe Do not disable incompatible-pointer-types-discards-qualifiers
This reverts commit b3710e9a2a.

That check is very valuable for our code, but it causes issue with glib >=
2.67.0 when building with clang.

The reason is a combination of two commits in glib, firstly fdda405b6b1b which
adds a g_atomic_pointer_{set,get} variants that enforce stricter type
checking (by removing an extra cast) for compilers that support __typeof__, and
commit dce24dc4492d which effectively enabled the new variant of glib's atomic
code for clang.  This will not be necessary when glib's issue #600 [0] (8 years
old) is fixed.  Thankfully, MR #1719 [1], which is supposed to deal with this
issue was opened 3 weeks ago, so there is a slight sliver of hope.

[0] https://gitlab.gnome.org/GNOME/glib/-/issues/600
[1] https://gitlab.gnome.org/GNOME/glib/-/merge_requests/1719

Signed-off-by: Martin Kletzander <mkletzan@redhat.com>
2020-11-18 11:01:50 +01:00
Michal Privoznik
318658b36b qemu_validate: Deduplicate code for graphics type check
Similarly to previous commits, we can utilize domCaps to check if
graphics type is supported.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Cole Robinson <crobinso@redhat.com>
2020-11-18 09:42:19 +01:00
Michal Privoznik
919ff9debf domcaps: Report egl-headless graphics type
QEMU supports egl-headless if QEMU_CAPS_EGL_HEADLESS capability
is present. There are some additional requirements but those are
checked for in qemuValidateDomainDeviceDefGraphics() and depend
on domain configuration and thus are not representable in domain
capabilities. Let's stick with plain qemuCaps check then.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Cole Robinson <crobinso@redhat.com>
2020-11-18 09:42:16 +01:00
Michal Privoznik
5ea08a33bf qemu_validate: Deduplicate code for RNG model check
In my recent commit of 5216304bfe I've moved RNG model check
from domain capabilities validator into qemu validator. During
that I had to basically duplicate RNG model to qemuCaps checks.
Problem with this approach is that after my commit qemu validator
and domCaps are disconnected and thus domCaps might report (in
general) different set of supported RNG models.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Cole Robinson <crobinso@redhat.com>
2020-11-18 09:42:14 +01:00
Michal Privoznik
d009f5b400 qemu_validate: Deduplicate code for video model check
In my recent commit of a33279daa8 I've moved video model check
from domain capabilities validator into qemu validator. During
that I had to basically duplicate video model to qemuCaps checks.
Problem with this approach is that after my commit qemu validator
and domCaps are disconnected and thus domCaps might report (in
general) different set of supported video models.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Cole Robinson <crobinso@redhat.com>
2020-11-18 09:42:11 +01:00
Michal Privoznik
4f8677cee2 domain_capabilities: Introduce VIR_DOMAIN_CAPS_ENUM_IS_SET
This is a convenient macro for querying whether particular domain
caps enum value is set or not.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Cole Robinson <crobinso@redhat.com>
2020-11-18 09:41:57 +01:00
Daniel P. Berrangé
3fba30fc82 nodedev: report errors about missing integer properties
The helper methods for getting integer properties ignore a missing
property setting its value to zero. This lack of error reporting
resulted in missing the regression handling hotplug of USB devices
with the vendor and model IDs getting set to zero silently.

The few callers which relied on this silent defaulting have been fixed,
so now we can report fatal errors immediately.

Reviewed-by: Laine Stump <laine@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
2020-11-17 16:55:07 +00:00
Daniel P. Berrangé
b3a2395313 nodedev: drop DKD_MEDIA_AVAILABLE property check
The access of DKD_MEDIA_AVAILABLE for floppy disks, is mistakenly
protected by a check for ID_CDROM_MEDIA, introduced in:

  commit 10427db779
  Author: Ján Tomko <jtomko@redhat.com>
  Date:   Fri Jun 3 16:10:21 2016 +0200

    Only return two values in udevGetUintProperty

Thus the check of DKD_MEDIA_AVAILABLE never run. In practice this didn't
matter since this property is set by the DeviceKit-Disks daemon which
was only around for 3 Fedora releases before being killed off around
F13. Thus we can just remove this legacy property.

Reviewed-by: Laine Stump <laine@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
2020-11-17 16:55:04 +00:00
Daniel P. Berrangé
032394856b nodedev: dont rely on ignoring errors on missing properties
The udevProcessStorage method relies on udevGetIntProperty ignoring
errors about non-existant properties and instead setting the value to
zero. In theory when seeing ID_CDROM=1, you might expect that devices
which are not CDs will get ID_CDROM=0, but that's not what happens in
practice. Instead the property simply won't get set at all.

IOW, the code does not need to care about the value of the property,
merely whether it exists or not.

Reviewed-by: Laine Stump <laine@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
2020-11-17 16:54:57 +00:00
Daniel P. Berrangé
f4b4bfdf41 nodedev: improve debugging logs from udev device/event processing
Reviewed-by: Laine Stump <laine@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
2020-11-17 16:54:45 +00:00
Christian Ehrhardt
1441ce83fe
apparmor: allow kvm-spice compat wrapper
'kvm-spice' is a binary name used to call 'kvm' which actually is a wrapper
around qemu-system-x86_64 enabling kvm acceleration. This isn't in use
for quite a while anymore, but required to work for compatibility e.g.
when migrating in old guests.

For years this was a symlink kvm-spice->kvm and therefore covered
apparmor-wise by the existing entry:
   /usr/bin/kvm rmix,
But due to a recent change [1] in qemu packaging this now is no symlink,
but a wrapper on its own and therefore needs an own entry that allows it
to be executed.

[1]: https://salsa.debian.org/qemu-team/qemu/-/commit/9944836d3

Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
Reviewed-by: Michal Privoznik <mprivozn redhat com>
2020-11-17 15:56:43 +01:00
Tim Wiederhake
3fc4412c6f qemu: support kvm-poll-control performance hint
QEMU version 4.2 introduced a performance feature under commit
d645e13287 ("kvm: i386: halt poll control MSR support").

This patch adds a new KVM feature 'poll-control' to set this performance
hint for KVM guests. The feature is off by default.

To enable this hint and have libvirt add "-cpu host,kvm-poll-control=on"
to the QEMU command line, the following XML code needs to be added to the
guest's domain description:

  <features>
    <kvm>
      <poll-control state='on'/>
    </kvm>
  </features>

Signed-off-by: Tim Wiederhake <twiederh@redhat.com>
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
2020-11-17 14:40:46 +01:00
Michal Privoznik
7e67a136da node_device: Use "udev" monitor source
In v6.3.0-rc1~67 I've made a switch: instead of listening on udev
events the nodedev driver started listening for kernel events.
This was because when a device changes its name (e.g. NICs) we
will get "move" event with DEVPATH_OLD property set, which we can
then use to remove the old device and thus keep our internal list
up to date. The switch to "kernel" source was made because if the
old NICs naming (eth0, eth1, ...) is enabled (e.g. via
net.ifnames=0 on the kernel cmd line) then udev overwrites the
property with the new name making our internal list go out of
sync. Interestingly, when the od NICs naming is not enabled then
the DEVPATH_OLD contains the correct value.

But as it turns out, "kernel" source might be missing some other
important properties, e.g. USB vendor/product IDs. Therefore,
switch back to "udev" source and wish the best of luck to users
using the old NICs naming.

Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1897625
Fixes: 9a13704818
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
2020-11-17 14:28:47 +01:00
Michal Privoznik
19c4c6f8fd qemu: Remove virQEMUDomainCapsCache code
Now that the domCaps cache is history, this code is no longer
used and thus can be removed.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Daniel Henrique Barboza <danielhb413@gmail.com>
2020-11-16 18:27:00 +01:00
Michal Privoznik
7db61843b0 qemu: Don't cache domCaps in virQEMUDriverGetDomainCapabilities()
Currently, whenever a domain capabilities is needed (fortunately,
after cleanup done by previous commits it is now only in
virConnectGetDomainCapabilities()), the object is stored in a
cache. But there is no invalidation mechanism for the cache
(except the implicit one - the cache is part of qemuCaps and thus
share its lifetime, but that is not enough). Therefore, if
something changes - for instance new firmware files are
installed, or old are removed these changes are not reflected in
the virConnectGetDomainCapabilities() output.

Originally, the caching was there because domCaps were used
during device XML validation and they were used a lot from our
test suite. But this is no longer the case. And therefore, we
don't need the cache and can construct fresh domCaps on each
virConnectGetDomainCapabilities() call.

Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1807198

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Daniel Henrique Barboza <danielhb413@gmail.com>
2020-11-16 18:26:50 +01:00
Michal Privoznik
4b487e1052 conf: Drop virDomainCapsDeviceDefValidate()
Now that nothing uses virDomainCapsDeviceDefValidate() it can be
removed.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Daniel Henrique Barboza <danielhb413@gmail.com>
2020-11-16 18:26:49 +01:00
Michal Privoznik
a33279daa8 qemu: Validate video model
The aim is to eliminate virDomainCapsDeviceDefValidate(). And in
order to do so, the domain video model has to be validated in
qemuValidateDomainDeviceDefVideo().

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Daniel Henrique Barboza <danielhb413@gmail.com>
2020-11-16 18:26:46 +01:00
Michal Privoznik
5216304bfe qemu: Validate RNG model
The aim is to eliminate virDomainCapsDeviceDefValidate(). And in
order to do so, the domain RNG model has to be validated in
qemuValidateDomainRNGDef().

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Daniel Henrique Barboza <danielhb413@gmail.com>
2020-11-16 18:26:41 +01:00
Daniel Henrique Barboza
904e59f43a qemu_tpm.c: fix 'shortName' leak
This is a Coverity fix pointed out by John in IRC. This code
was introduced in 19d74fdf0e, when the TPM Proxy device for
for ppc64 was introduced.

This will leak in case we have 2 TPMs in the same domain, a
possible scenario with the protected Ultravisor execution in
PowerPC guests.

Fixes: 19d74fdf0e
Reported-by: John Ferlan <jferlan@redhat.com>
Reviewed-by: Peter Krempa <pkrempa@redhat.com>
Signed-off-by: Daniel Henrique Barboza <danielhb413@gmail.com>
2020-11-16 13:55:06 -03:00
Pavel Hrdina
b04908319b vboxGetDriverConnection: unlock vbox_driver_lock before return
Signed-off-by: Pavel Hrdina <phrdina@redhat.com>
Reviewed-by: Peter Krempa <pkrempa@redhat.com>
2020-11-16 17:25:41 +01:00
Pavel Hrdina
f711fa9ad0 virdevmapper: fix stat comparison in virDMSanitizepath
Introduced by commit <22494556542c676d1b9e7f1c1f2ea13ac17e1e3e> which
fixed a CVE.

If the @path passed to virDMSanitizepath() is not a DM name or not a
path to DM name this function could return incorrect sanitized path as
it would always be the first device under /dev/mapper/.

Signed-off-by: Pavel Hrdina <phrdina@redhat.com>
Reviewed-by: Peter Krempa <pkrempa@redhat.com>
2020-11-16 17:25:41 +01:00
Pavel Hrdina
caaf792eed remoteDomainGetFSInfo: remove unreachable cleanup code
Signed-off-by: Pavel Hrdina <phrdina@redhat.com>
Reviewed-by: Peter Krempa <pkrempa@redhat.com>
2020-11-16 17:25:41 +01:00
Pavel Hrdina
5ca76b9fbf remoteDomainGetIOThreadInfo: remove unreachable cleanup code
Signed-off-by: Pavel Hrdina <phrdina@redhat.com>
Reviewed-by: Peter Krempa <pkrempa@redhat.com>
2020-11-16 17:25:41 +01:00
Pavel Hrdina
82bda55e2f qemuProcessHandleGraphics: no need to check for NULL
Signed-off-by: Pavel Hrdina <phrdina@redhat.com>
Reviewed-by: Peter Krempa <pkrempa@redhat.com>
2020-11-16 17:25:41 +01:00
Pavel Hrdina
0e7549fe47 interface_backend_udev: refactor udevListInterfacesByStatus
Commit <2f3b7a5555c4cf4127ff3f8e00746eafcc91432c> replaced VIR_STRDUP
by g_strdup which made the error: path mostly useless.

Signed-off-by: Pavel Hrdina <phrdina@redhat.com>
Reviewed-by: Peter Krempa <pkrempa@redhat.com>
2020-11-16 17:14:17 +01:00
Pavel Hrdina
2b58ce9155 hyperv_wmi: remove unreachable cleanup code
In the cleanup section @data will always be NULL.

Signed-off-by: Pavel Hrdina <phrdina@redhat.com>
Reviewed-by: Peter Krempa <pkrempa@redhat.com>
2020-11-16 17:14:04 +01:00
Pavel Hrdina
b96174d9f2 domain_conf: fix NULL dereference on error in virDomainObjCopyPersistentDef
The issue was introduced together with the function itself by commit
<da1eba6bc8f58bfce34136710d1979a3a44adb17>.  Calling
`virDomainObjGetPersistentDef` may return NULL which is later passed
to `virDomainDefFormat` where the `def` attribute is marked as NONNULL
and later in `virDomainDefFormatInternalSetRootName` it is actually
defererenced without any other check.

Signed-off-by: Pavel Hrdina <phrdina@redhat.com>
Reviewed-by: Peter Krempa <pkrempa@redhat.com>
2020-11-16 17:13:42 +01:00
Pavel Hrdina
ba6385c952 domain_conf: remove unused rc variable
Leftover after commit <479a8c1fa1e0f58d3165c0446cd1abd72160256e>.

Signed-off-by: Pavel Hrdina <phrdina@redhat.com>
Reviewed-by: Peter Krempa <pkrempa@redhat.com>
2020-11-16 17:12:09 +01:00
Peter Krempa
0316c28a45 qemu: backup: Install bitmap for incremental backup to appropriate node only
Libvirt's backup code has two modes:

1) push - where qemu actively writes the difference since the checkpoint
          into the output file

2) pull - where we instruct qemu to expose a frozen disk state along
          with a bitmap of blocks which changed since the checkpoint

For push mode qemu needs the temporary bitmap we use where we calculate
the actual changes to be present on the block node backing the disk.

For pull mode where we expose the bitmap via NBD qemu actually wants the
bitmap to be present for the exported block node which is the scratch
file.

Until now we've calculated the bitmap twice and installed it both to the
scratch file and to the disk node, but we don't need to since we know
when it's needed.

Pass in the 'pull' flag and decide where to install the bitmap according
to it and also when to register the bitmap name with the blockjob.

Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
2020-11-16 14:12:38 +01:00
Peter Krempa
0200fe42a0 qemu: conf: Enable 'backup_tls_x509_verify' by default
The NBD server used to export pull-mode backups doesn't have any other
form of client authentication on top of the TLS transport, so the only
way to authenticate clients is to verify their certificate.

Enable this option by defauilt when both 'backup_tls_x509_verify' and
'default_tls_x509_verify' were not configured.

Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1879477
Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
2020-11-16 14:11:56 +01:00
Peter Krempa
930583149c qemu: conf: Enable 'migrate_tls_x509_verify' by default
The migration stream connection and also the NBD server for non-shared
storage migration don't have any other form of client authentication on
top of the TLS transport, so the only way to authenticate clients is to
verify their certificate.

Enable this option by defauilt when both 'migrate_tls_x509_verify' and
'default_tls_x509_verify' were not configured.

Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1879477
Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
2020-11-16 14:11:56 +01:00
Peter Krempa
019f962c86 qemu: conf: Enable 'chardev_tls_x509_verify' by default
Chardevs don't have any other form of client authentication on top of
the TLS transport, so the only way to authenticate clients is to verify
their certificate.

Enable this option by defauilt when both 'chardev_tls_x509_verify' and
'default_tls_x509_verify' were not configured.

Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1879477
Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
2020-11-16 14:11:56 +01:00
Peter Krempa
940ef34443 qemu: conf: Clarify default of "vnc_tls_x509_verify"
If both "vnc_tls_x509_verify" and "default_tls_x509_verify" are missing
from the config file the client certificate validation is disabled. VNC
provides a layer of authentication so client certificate validation is
not strictly required.

Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
2020-11-16 14:11:56 +01:00
Peter Krempa
9ba2a06e47 qemu: conf: Allow individual control of default value for *_tls_x509_verify
Store whether "default_tls_x509_verify" was provided and enhance the
SET_TLS_VERIFY_DEFAULT macro so that indiviual users can provide their
own default if "default_tls_x509_verify" config option was not provided.

For now we keep setting it to 'false'.

Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
2020-11-16 14:11:56 +01:00