Commit Graph

1271 Commits

Author SHA1 Message Date
John Ferlan
11a1181260 commandtest: Resolve some coverity resource leaks 2013-02-16 07:44:35 -05:00
John Ferlan
e2f1fc5220 drivermodule: Ignore coverity warning about leaked_storage 2013-02-16 07:44:34 -05:00
Eric Blake
a18452d0d2 storage: test backing chain traversal
Testing our backing chain handling will make it much easier to
ensure that we avoid issues in the future.  If only I had written
this test before I first caused several regressions...

* tests/virstoragetest.c: New test.
* tests/Makefile.am (test_programs): Build it.
* .gitignore: Ignore new files.
2013-02-15 16:07:01 -07:00
Eric Blake
ec8a2d0327 regex: gnulib guarantees that we have regex support
No need to use HAVE_REGEX_H - our use of gnulib guarantees that
the header exists and works, regardless of platform.  Similarly,
we can unconditionally assume a compiling <sys/wait.h> (although
the mingw version of this header is not full-featured).

* src/storage/storage_backend.c: Drop useless conditional.
* tests/testutils.c: Likewise.
2013-02-15 13:01:23 -07:00
Eric Blake
c6f1060ca7 util: add virendian.h macros
We have several cases where we need to read endian-dependent
data regardless of host endianness; rather than open-coding
these call sites, it will be nicer to funnel things through
a macro.

The virendian.h file can be expanded to add writer functions,
and/or 16-bit access patterns, if needed.  Also, if we need
to turn things into a function to avoid multiple evaluations
of buf, that can be done later.  But for now, a macro worked.

* src/util/virendian.h: New file.
* src/Makefile.am (UTIL_SOURCES): Ship it.
* tests/virendiantest.c: New test.
* tests/Makefile.am (test_programs, virendiantest_SOURCES): Run
the test.
* .gitignore: Ignore built file.
2013-02-12 09:00:15 -07:00
Eric Blake
ca7cc85245 build: fix VPATH testsuite
'make check' has been failing on VPATH builds since commit
907a39e7.  The tests already had magic for munging path names,
but were munging to the wrong location, thus working only on
an in-tree build.

* tests/securityselinuxlabeltest.c (testSELinuxMungePath): Munge
to correct path.
2013-02-11 15:59:42 -07:00
Daniel P. Berrange
11d926659b Turn virSecurityManager into a virObjectLockable
To enable locking to be introduced to the security manager
objects later, turn virSecurityManager into a virObjectLockable
class

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-02-11 12:33:41 +00:00
Daniel P. Berrange
32803ba409 Rename 'qemuCapsXXX' to 'virQEMUCapsXXX'
To avoid confusion between 'virCapsPtr' and 'qemuCapsPtr'
do some renaming of various fucntions/variables. All
instances of 'qemuCapsPtr' are renamed to 'qemuCaps'. To
avoid that clashing with the 'qemuCaps' typedef though,
rename the latter to virQEMUCaps.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-02-08 11:49:14 +00:00
Daniel P. Berrange
fed92f08db Turn virCapabilities into a virObject
To enable virCapabilities instances to be reference counted,
turn it into a virObject. All cases of virCapabilitiesFree
turn into virObjectUnref

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-02-08 11:34:26 +00:00
Daniel P. Berrange
9cceb0fc35 Fix PKI directory used for QEMU test suite
The data files for testing QEMU command line generation are
hardcoded to use /etc/pki, so we should explicitly set that
in the test case, avoiding the dynamic SYSCONFDIR value.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-02-08 11:34:25 +00:00
John Ferlan
1d8b4f0592 valgrind: Adjust the suppression file 2013-02-07 14:08:14 -05:00
John Ferlan
9442d03c48 qemumonitortestutils: Resolve resource leaks found by Valgrind
When Valgrind runs the 'qemumonitorjsontest' it would claim that the
thread created is leaked. That's because the virThreadJoin won't get
called due to the 'running' flag being cleared.  In order to avoid that,
call virThreadJoin unconditionally at cleanup time.  Also noted that the
qemuMonitorTestWorker() didn't get the test mutex lock on the failure path.

The incoming and outgoing buffers allocated by qemuMonitorTestIO() and
qemuMonitorTestAddReponse() were never VIR_FREE()'d in qemuMonitorTestFree().
2013-02-07 14:08:14 -05:00
John Ferlan
3f5250ff8e qemumonitorjsontest: Resolve resource leaks found by Valgrind
The 'package' string returned by qemuMonitorGetVersion() needs to
be VIR_FREE()'d.

testQemuMonitorJSONGetMachines(), testQemuMonitorJSONGetCPUDefinitions(),
and testQemuMonitorJSONGetCommands() did not VIR_FREE() the array and
array elements allocated by their respective qemuMonitorGet* routines.
2013-02-07 14:08:14 -05:00
John Ferlan
785d6bc58a qemuxml2argvtest: Resolve resource leaks found by Valgrind
Valgrind deterimined that fakeSecretGetValue() was using the secret
value without checking validity.  Returning NULL causes the caller
to emit a message and results in failure.

Additionally commit 'b090aa7d' changes leaked vncSASLdir and vncTLSx509certdir
2013-02-07 14:08:14 -05:00
John Ferlan
0eb62708a7 virnettlscontexttest: Resolve memory leak found by Valgrind
testTLSDerEncode() will allocate memory for der.data, it wasn't VIR_FREE()'d.
also don't initialized der to use static buffer.
2013-02-07 14:08:13 -05:00
Eric Blake
98fc0137f1 bitmap: add way to find next clear bit
We had an easy way to iterate set bits, but not for iterating
cleared bits.

* src/util/virbitmap.h (virBitmapNextClearBit): New prototype.
* src/util/virbitmap.c (virBitmapNextClearBit): Implement it.
* src/libvirt_private.syms (bitmap.h): Export it.
* tests/virbitmaptest.c (test4): Test it.
2013-02-05 16:23:14 -07:00
Eric Blake
3a9382ca2a tests: reserve more fds for commandtest
Commit 39c77fe triggered random failures, depending on the platform
and what other fds leak into the testsuite (for me, it passed on
RHEL 6 but failed on Fedora 18).  The reason was that we were
expecting an fd that fell outside of our reserved range.  By reserving
a larger range, the test once again passes on all platforms.

* tests/commandtest.c (mymain): Reserve enough fds.
2013-02-05 10:47:00 -07:00
Daniel P. Berrange
b090aa7d55 Introduce a virQEMUDriverConfigPtr object
Currently the virQEMUDriverPtr struct contains an wide variety
of data with varying access needs. Move all the static config
data into a dedicated virQEMUDriverConfigPtr object. The only
locking requirement is to hold the driver lock, while obtaining
an instance of virQEMUDriverConfigPtr. Once a reference is held
on the config object, it can be used completely lockless since
it is immutable.

NB, not all APIs correctly hold the driver lock while getting
a reference to the config object in this patch. This is safe
for now since the config is never updated on the fly. Later
patches will address this fully.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-02-05 15:49:25 +00:00
Michal Privoznik
f0154959b3 tests: Create test for virCommandDoAsyncIO
This is just a basic test, so we don't break virCommand in the
future. A "Hello world\n" string is written to commanhelper,
which copies input to stdout and stderr where we read it from.
Then the read strings are compared with expected values.
2013-02-05 15:45:21 +01:00
Michal Privoznik
39c77fe586 Introduce event loop to commandtest
This is just preparing environment for the next patch, which is
going to need an event loop.
2013-02-05 15:45:21 +01:00
Eric Blake
949ebc3022 tests: add a comment about our fake qmp
While testing QMP, I used a simple qemu session of
'qemu-kvm -M none -nodefaults -nographic -qmp stdio'
for some experiments.  But it took me far too long to remember
the magic invocation to unlock QMP into accepting normal commands.
While I was able to grep libvirt sources and easily find where
libvirt expects the normal "QMP" greeting, I could not find the
proper reply to that greeting nearby.

Reading the testsuite didn't help either, since there we don't
emulate the mandatory handshake.  But since my grep hit the
testsuite, adding a bit of documentation will make it much easier
to jog my memory in the future.

* tests/qemumonitortestutils.c (QEMU_JSON_GREETING): Mention that
the normal counterpart reply is skipped.
2013-01-31 10:15:33 -07:00
Jiri Denemark
d6c8597046 tests: Don't build securityselinuxlabeltest without qemu
Sources for securityselinuxlabeltest are only defined if qemu driver is
enabled so we should not try to build the test if qemu driver is
disabled.
2013-01-31 10:32:43 +01:00
John Ferlan
46b1d8cf7a Enforce return check on virAsprintf() calls
Way back when I started making changes for Coverity messages my first set
were to a bunch of CHECKED_RETURN errors.  In particular virAsprintf() had
a few callers that Coverity noted didn't check their return (although some
did check if the buffer being printed to was NULL or not).

It was suggested at the time as a further patch an ATTRIBUTE_RETURN_CHECK
should be added to virAsprintf(), see:

https://www.redhat.com/archives/libvir-list/2013-January/msg00120.html

This patch does that and fixes a few more instances not found by Coverity
that failed the check.
2013-01-30 14:42:22 -07:00
Josh Durgin
c1509ab47e qemu: escape ipv6 for rbd network disk hosts
Hosts for rbd are ceph monitor daemons. These have fixed IP addresses,
so they are often referenced by IP rather than hostname for
convenience, or to avoid relying on DNS. Using IPv4 addresses as the
host name works already, but IPv6 addresses require rbd-specific
escaping because the colon is used as an option separator in the
string passed to qemu.

Escape these colons, and enclose the IPv6 address in square brackets
so it is distinguished from the port, which is currently mandatory.

Acked-by: Osier Yang <jyang@redhat.com>
Signed-off-by: Josh Durgin <josh.durgin@inktank.com>
2013-01-25 11:48:24 +08:00
John Ferlan
9ff3876cc8 virbitmaptest: Resolve Coverity errors
test1: Need to check for bitmap before using as well as free it properly
test2: need to check for bitsString2 before using it.
2013-01-23 15:02:06 +01:00
John Ferlan
31e0de1a85 tests: Remove VIR_FREE() on static/stack buffer (der.data) 2013-01-23 15:02:06 +01:00
Alon Levy
55bfd020d8 qemu: Support ram bar size for qxl devices
Adds a "ram" attribute globally to the video.model element, that changes
the resulting qemu command line only if video.type == "qxl".

<video>
  <model type='qxl' ram='65536' vram='65536' heads='1'/>
</video>

That attribute gets a default value of 64*1024. The schema is unchanged
for other video element types.

The resulting qemu command line change is the addition of

-global qxl-vga.ram_size=<ram>*1024

or

-global qxl.ram_size=<ram>*1024

For the main and secondary qxl devices respectively.

The default for the qxl ram bar is 64*1024 kilobytes (the same as the
default qxl vram bar size).
2013-01-22 10:40:45 -07:00
John Ferlan
35c30522a5 tests: Need to initialize 'test' properly on error path
In the error path, the test buffer is free'd, but due to how the free
routine is written the 'test' buffer pointer does not return to the caller
as NULL and then the free'd buffer address is returned to the caller.
2013-01-22 17:29:26 +01:00
John Ferlan
3e8502165f commandtest: Need to initialize 'errbuf'
It was possible to call VIR_FREE in cleanup prior to initialization
2013-01-22 17:29:25 +01:00
John Ferlan
ff4eac595f virnetsockettest: Need to initialize 'path'
It was possible to call VIR_FREE in cleanup prior to initialization
2013-01-22 17:29:25 +01:00
Eric Blake
f403bdc189 build: fix build on BSD
A build on FreeBSD failed with:
util/virportallocator.c:108: error: storage size of 'addr' isn't known
util/virportallocator.c:123: error: 'INADDR_ANY' undeclared (first use in this function)

It turns out that while POSIX allows sockaddr_in to leak in through
<arpa/inet.h> (the way Linux does it), it is not mandatory, and
conforming applications are required to get it through <netinet/in.h>.

* src/util/virportallocator.c: Include header for struct
sockaddr_in.
* tests/virportallocatortest.c: Likewise.
2013-01-17 16:39:10 -07:00
Daniel P. Berrange
da5a8aee2b Avoid integer wrap on remotePortMax in QEMU driver
The QEMU driver default max port is 65535, but it then increments
this by 1 to 65536. This maps to 0 in an unsigned short :-( This
was apparently done so that for() loops could use "< max" instead
of "<= max". Remove this insanity and just make the loop do the
right thing.
2013-01-17 13:52:33 +00:00
Daniel P. Berrange
9c9d4d32d3 Add a port allocator class
Introduce a virPortAllocator for managing TCP port allocations.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-01-16 11:02:58 +00:00
Daniel P. Berrange
325b02b5a3 Convert virDomainObj, qemuAgent, qemuMonitor, lxcMonitor to virObjectLockable
The  virDomainObj, qemuAgent, qemuMonitor, lxcMonitor classes
all require a mutex, so can be switched to use virObjectLockable

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-01-16 11:02:58 +00:00
John Ferlan
7ae3f2d53d securityselinuxhelper.c: Don't try to include xattr.h if not available
Commit 907a39e7 missed adding the WITH_ATTR around #include <attr/xattr.h>
resulting in a build failure:

  CC     libsecurityselinuxhelper_la-securityselinuxhelper.lo
  securityselinuxhelper.c:27:24: fatal error: attr/xattr.h: No such file or directory
  compilation terminated.
  make[2]: *** [libsecurityselinuxhelper_la-securityselinuxhelper.lo] Error 1
  make[2]: Leaving directory `/home/jferlan/libvirt.work/tests'
  make[1]: *** [all-recursive] Error 1
  make[1]: Leaving directory `/home/jferlan/libvirt.work'
  make: *** [all] Error 2
2013-01-14 21:00:51 +01:00
Daniel P. Berrange
7184af1364 Add missing stubs to securityselinuxhelper.c
Make sure we override both the raw and non-raw stubs in
securityselinuxhelper.c. Also add diagnostics if
securityselinuxlabeltest fails a test item
2013-01-14 18:34:49 +00:00
Daniel P. Berrange
907a39e735 Add a test suite for validating SELinux labelling
There are many aspects of the guest XML which result in the
SELinux driver applying file labelling. With the increasing
configuration options it is desirable to test this behaviour.
It is not possible to assume that the test suite has the
ability to set SELinux labels. Most filesystems though will
support extended attributes. Thus for the purpose of testing,
it is possible to extend the existing LD_PRELOAD hack to
override setfilecon() and getfilecon() to simply use the
'user.libvirt.selinux' attribute for the sake of testing.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-01-14 13:40:04 +00:00
Daniel P. Berrange
bccd4a8cbc Rename HAVE_GNUTLS to WITH_GNUTLS 2013-01-14 13:26:47 +00:00
Daniel P. Berrange
321a7d53f3 Convert HAVE_SASL to WITH_SASL
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-01-11 11:03:23 +00:00
Daniel P. Berrange
49a1c16027 Convert HAVE_YAJL into WITH_YAJL
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-01-11 11:03:22 +00:00
Guannan Ren
fc66c1603c qemu: add usb-net caps flag
QEMU_CAPS_DEVICE_USB_NET /* -device usb-net */
2013-01-10 21:56:31 +08:00
Guannan Ren
f8d478b6df qemu: add usb-serial caps flag
QEMU_CAPS_DEVICE_USB_SERIAL /* -device usb-serial */
2013-01-10 21:26:50 +08:00
John Ferlan
5a4af2a7d6 tests: Remove remnants of removing the fake emulator output
Coverity determined that 'emulator' could no longer be set and determined the
code was dead.  Looking through the history, I discovered commit-id ed769e18
removed code originally added by commit-id 9237e955 and further modified by
commit-id 6a7e7c4f.
2013-01-08 17:19:32 -07:00
Daniel P. Berrange
f587c27768 Make TLS support conditional
Add checks for existence of GNUTLS and automatically disable
it if not found.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-01-08 20:57:31 +00:00
John Ferlan
51811e4161 Resolve COPY_PASTE error found by Coverity
Fix copy-paste error doing handshake.

The clientShake was not set to true, thus we'd potentially never leave
the handshake while loop.
2013-01-08 16:21:46 +01:00
J.B. Joret
db2b6861dc S390: Enable SCLP Console in QEMU driver
This is the QEMU backend code for the SCLP console support.
It includes SCLP capability detection, QEMU command line generation
and a test case.

Signed-off-by: J.B. Joret <jb@linux.vnet.ibm.com>
Signed-off-by: Viktor Mihajlovski <mihajlov@linux.vnet.ibm.com>
2013-01-08 11:37:52 +01:00
Osier Yang
535aed56a2 conf: Parse and format the new XML
Like "rawio", "sgio" is only allowed for block disk of device
type "lun".

It doesn't default disk->sgio to "filtered" when parsing, as
it won't be able to distinguish explicitly requested "filtered"
and a default "filtered" in driver then. We have to error out for
explicit request when the kernel doesn't support the new sysfs
knob "unpriv_sgio", however, for defaulted "filtered", we can
just ignore it if the kernel doesn't support "unpriv_sgio".
2013-01-07 21:38:43 +08:00
John Ferlan
7ac12d84d0 tests: check and handle error for virAsprintf() calls 2013-01-04 10:57:20 -07:00
John Ferlan
0c6e95fe78 Check return on mkdir for LOCKSPACE_DIR 2013-01-04 10:57:09 -07:00
Daniel P. Berrange
f24404a324 Rename virterror.c virterror_internal.h to virerror.{c,h} 2012-12-21 11:19:50 +00:00
Daniel P. Berrange
556cf5f617 Rename xml.{c,h} to virxml.{c,h} 2012-12-21 11:19:50 +00:00
Daniel P. Berrange
44f6ae27fe Rename util.{c,h} to virutil.{c,h} 2012-12-21 11:19:49 +00:00
Daniel P. Berrange
404174cad3 Rename threads.{c,h} to virthread.{c,h} 2012-12-21 11:19:49 +00:00
Daniel P. Berrange
88ba722c12 Rename sysinfo.{c,h} to virsysinfo.{c,h} 2012-12-21 11:19:48 +00:00
Daniel P. Berrange
fde9df8dcc Rename stats_linux.{c,h} to virstatslinux.{c,h} 2012-12-21 11:19:48 +00:00
Daniel P. Berrange
ab9b7ec2f6 Rename memory.{c,h} to viralloc.{c,h} 2012-12-21 11:17:14 +00:00
Daniel P. Berrange
936d95d347 Rename logging.{c,h} to virlog.{c,h} 2012-12-21 11:17:14 +00:00
Daniel P. Berrange
6a095d0851 Rename json.{c,h} to virjson.{c,h} 2012-12-21 11:17:13 +00:00
Daniel P. Berrange
4d6050a8eb Rename event_poll.{c,h} to vireventpoll.{c,h} 2012-12-21 11:17:13 +00:00
Daniel P. Berrange
4857b9c3a9 Rename event.{c,h} to virevent.{c,h}
Since the event APIs are now in the public header, no internal
code should include virevent.h
2012-12-21 11:17:13 +00:00
Daniel P. Berrange
0f8454101d Rename conf.{c,h} to virconf.{c,h} 2012-12-21 11:17:13 +00:00
Daniel P. Berrange
04d9510f50 Rename command.{c,h} to vircommand.{c,h} 2012-12-21 11:17:13 +00:00
Daniel P. Berrange
2005f7b552 Rename buf.{c,h} to virbuffer.{c,h}
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2012-12-21 11:17:12 +00:00
Daniel P. Berrange
a27e4fbb72 Rename bitmap.{c,h} to virbitmap.{c,h}
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2012-12-21 11:17:12 +00:00
Li Zhang
99c5545693 Add sysinfo data and enable virSysinfoRead test case for POWER
This patch is to enable virSysinfoRead test case for POWER,
and provide sysinfo data on POWER.

Signed-off-by: Li Zhang <zhlcindy@linux.vnet.ibm.com>
Reviewed-by: Viktor Mihajlovski <mihajlov@linux.vnet.ibm.com>
2012-12-20 14:49:20 -07:00
Daniel P. Berrange
32df483f1d Fix SELinux security label test
If securityselinuxtest was run on a system with newer SELinux
policy it would fail, due to using svirt_tcg_t instead of
svirt_t. Fixing the domain type to be KVM avoids this issue.
2012-12-19 10:05:17 +00:00
Daniel P. Berrange
392c192240 Fix test cases for virArch changes 2012-12-18 19:32:23 +00:00
Daniel P. Berrange
aae0fc2a92 Add support for <hostdev mode="capabilities">
The <hostdev> device type has long had a redundant "mode"
attribute, which has always been "subsys". This finally
introduces a new mode "capabilities", which will be used
by the LXC driver for device assignment. Since container
based virtualization uses a single kernel, the idea of
assigning physical PCI devices doesn't make sense. It is
still reasonable to assign USB devices, but for assigning
arbitrary nodes in /dev, the new 'capabilities' mode is
to be used.

The first capability support is 'storage', which is for
assignment of block devices. Functionally this is really
pretty similar to the <disk> support. The only difference
is the device node name is identical in both host and
container namespaces.

    <hostdev mode='capabilities' type='storage'>
      <source>
        <block>/dev/sdf1</block>
      </source>
    </hostdev>

The second capability support is 'misc', which is for
assignment of character devices. There is no existing
parallel to this. Again the device node is the same
inside & outside the container.

    <hostdev mode='capabilities' type='misc'>
      <source>
        <char>/dev/input/event3</char>
      </source>
    </hostdev>

The reason for keeping the char & storage devices
separate in the domain XML, is to mirror the split
in the node device XML. NB the node device XML does
not yet report character devices, but that's another
new patch to come

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2012-12-17 17:50:50 +00:00
Viktor Mihajlovski
347a712ab1 tests: Add tests for sysinfo
Test cases for virSysinfoRead. Initially, there are tests for
x86 (DMI based) and s390 (/proc/... based).
In lack of PPC data, I have stubbed out the test for it, but it
can be added with a minimal effort.

Signed-off-by: Viktor Mihajlovski <mihajlov@linux.vnet.ibm.com>
2012-12-17 17:37:17 +00:00
Guannan Ren
ed6fc41b9c tests: add one -device video device testcase
The testcase is for testing non-fixed PCI address for primary
video device and using video args to -deivce qemu option.
2012-12-17 14:02:58 +08:00
Guannan Ren
aa51202b72 qemu: use newer -device video device in qemu commandline
'-device VGA' maps to '-vga std'
'-device cirrus-vga' maps to '-vga cirrus'
'-device qxl-vga' maps to '-vga qxl'
             (there is also '-device qxl' for secondary devices)
'-device vmware-svga' maps to '-vga vmware'

For qemu(>=1.2), we can use -device to replace -vga for video
device. For the primary video device, the patch tries to use 0x2
slot for matching old qemu. If the 0x2 slot is allocated already,
the addr property could help for using any available slot.
For qemu(< 1.2), we keep using -vga for primary device.
2012-12-17 14:02:50 +08:00
Guannan Ren
4c993d8ab5 qemu: add qemu vga devices caps and one cap to mark them usable
QEMU_CAPS_DEVICE_QXL          -device qxl
QEMU_CAPS_DEVICE_VGA          -device VGA
QEMU_CAPS_DEVICE_CIRRUS_VGA   -device cirrus-vga
QEMU_CAPS_DEVICE_VMWARE_SVGA  -device vmware-svga

QEMU_CAPS_DEVICE_VIDEO_PRIMARY  /* safe to use -device XXX
                                 for primary video device */

Fix a typo in qemuCapsObjectTypes, the string 'qxl' here
should be -device qxl rather than -vga [...|qxl|..]
2012-12-17 13:55:50 +08:00
Laine Stump
d66eb78667 network: prevent dnsmasq from listening on localhost
This patch resolves the problem reported in:

   https://bugzilla.redhat.com/show_bug.cgi?id=886663

The source of the problem was the fix for CVE 2011-3411:

   https://bugzilla.redhat.com/show_bug.cgi?id=833033

which was originally committed upstream in commit
753ff83a50. That commit improperly
removed the "--except-interface lo" from dnsmasq commandlines when
--bind-dynamic was used (based on comments in the latter bug).

It turns out that the problem reported in the CVE could be eliminated
without removing "--except-interface lo", and removing it actually
caused each instance of dnsmasq to listen on localhost on port 53,
which created a new problem:

If another instance of dnsmasq using "bind-interfaces" (instead of
"bind-dynamic") had already been started (or if another instance
started later used "bind-dynamic"), this wouldn't have any immediately
visible ill effects, but if you tried to start another dnsmasq
instance using "bind-interfaces" *after* starting any libvirt
networks, the new dnsmasq would fail to start, because there was
already another process listening on port 53.

(Subsequent to the CVE fix, another patch changed the network driver
to put dnsmasq options in a conf file rather than directly on the
dnsmasq commandline, but preserved the same options.)

This patch changes the network driver to *always* add
"except-interface=lo" to dnsmasq conf files, regardless of whether we use
bind-dynamic or bind-interfaces. This way no libvirt dnsmasq instances
are listening on localhost (and the CVE is still fixed).

The actual code change is miniscule, but must be propogated through all
of the test files as well.
2012-12-13 12:15:03 -05:00
Eric Blake
7339bc4ced network: match xml warning message
I noticed that /var/lib/libvirt/dnsmasq/*.conf used the wrong word;
it was intended to match the wording in src/util/xml.c.

* src/network/bridge_driver.c (networkDnsmasqConfContents): Fix typo.
* tests/networkxml2confdata/*.conf: Update accordingly.
2012-12-12 15:12:58 -07:00
Serge Hallyn
a4e44e674e add vnc unix sockets to apparmor policy
When using vnc gaphics over a unix socket, virt-aa-helper needs to provide
access for the qemu domain to access the sockfile.

Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
2012-12-11 14:32:39 -07:00
Serge Hallyn
88bd1a644b add security hook for permitting hugetlbfs access
When a qemu domain is backed by huge pages, apparmor needs to grant the domain
rw access to files under the hugetlbfs mount point.  Add a hook, called in
qemu_process.c, which ends up adding the read-write access through
virt-aa-helper.  Qemu will be creating a randomly named file under the
mountpoint and unlinking it as soon as it has mmap()d it, therefore we
cannot predict the full pathname, but for the same reason it is generally
safe to provide access to $path/**.

Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
2012-12-11 14:27:20 -07:00
Gene Czarcinski
8b32c80df0 network: put dnsmasq parameters in conf-file instead of command line
This patch changes how parameters are passed to dnsmasq.  Instead of
being on the command line, the parameters are put into a file (one
parameter per line) and a commandline --conf-file= specifies the
location of the file.  The file is located in the same directory as
the leases file.

Putting the dnsmasq parameters into a configuration file
allows them to be examined and more easily understood than
examining the command lines displayed by "ps ax".  This is
especially true when a number of networks have been started.

When the use of dnsmasq was originally done, the required command line
was simple, but it has gotten more complicated over time and will
likely become even more complicated in the future.

Note: The test conf files have all been renamed .conf instead of
.argv, and tests/networkxml2xmlargvdata was moved to
tests/networkxml2xmlconfdata.
2012-12-11 05:49:45 -05:00
Gene Czarcinski
2d5cd1d724 network: add support for DHCPv6
The DHCPv6 support includes IPV6 dhcp-range and dhcp-host for one
IPv6 subnetwork on one interface.  This support will only work
if dnsmasq version >= 2.64; otherwise an error occurs if
dhcp-range or dhcp-host is specified for an IPv6 address.

Essentially, this change provides the same DHCP support for IPv6
that has been available for IPv4.

With dnsmasq >= 2.64, support for the RA service is also now provided
by dnsmasq (radvd is no longer used/started). (Although at least one
version of dnsmasq prior to 2.64 "supported" IPv6 Router
Advertisement, there were bugs (fixed in 2.64) that rendered it
unusable.)

Documentation and the network schema has been updated
to reflect the new support.
2012-12-11 05:49:45 -05:00
Osier Yang
b718ded39a qemu: Allow the user to specify vendor and product for disk
QEMU supports setting vendor and product strings for disk since
1.2.0 (only scsi-disk, scsi-hd, scsi-cd support it), this patch
exposes it with new XML elements <vendor> and <product> of disk
device.
2012-12-07 16:53:27 +08:00
Gene Czarcinski
705e67d40b network: allow guest to guest IPv6 without gateway definition
This patch adds the capability for virtual guests to do IPv6
communication via a virtual network interface with no IPv6 (gateway)
addresses specified.  This capability has always been enabled by
default for IPv4, but disabled for IPv6 for security concerns, and
because it requires the ip6tables command to be operational (which
isn't the case on a system with the ipv6 module completely disabled).

This patch adds a new attribute "ipv6" at the toplevel of a <network>
object.  If ipv6='yes', the extra ip6tables rules required to permite
inter-guest communications are added when the network is started. If
it is 'no', or not present, those rules will not be added; thus the
default behavior doesn't change, so there should be no compatibility
issues with any existing installations.

Note that virtual guests cannot communication with the virtualization
host via this interface, because the following kernel tunable has
been set:

   net.ipv6.conf.<bridge_interface_name>.disable_ipv6 = 1

This assures that the bridge interface will not have an IPv6
link-local (fe80::) address.

To control this behavior so that it is not enabled by default, the parameter
ipv6='yes' on the <network> statement has been added.

Documentation related to this patch has been updated.
The network schema has also been updated.
2012-12-05 14:58:32 -05:00
Daniel P. Berrange
76c1fd33c8 Introduce APIs for splitting/joining strings
This introduces a few new APIs for dealing with strings.
One to split a char * into a char **, another to join a
char ** into a char *, and finally one to free a char **

There is a simple test suite to validate the edge cases
too. No more need to use the horrible strtok_r() API,
or hand-written code for splitting strings.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2012-11-30 20:05:43 +00:00
Laine Stump
753ff83a50 network: use dnsmasq --bind-dynamic when available
This bug resolves CVE-2012-3411, which is described in the following
bugzilla report:

  https://bugzilla.redhat.com/show_bug.cgi?id=833033

The following report is specifically for libvirt on Fedora:

  https://bugzilla.redhat.com/show_bug.cgi?id=874702

In short, a dnsmasq instance run with the intention of listening for
DHCP/DNS requests only on a libvirt virtual network (which is
constructed using a Linux host bridge) would also answer queries sent
from outside the virtualization host.

This patch takes advantage of a new dnsmasq option "--bind-dynamic",
which will cause the listening socket to be setup such that it will
only receive those requests that actually come in via the bridge
interface. In order for this behavior to actually occur, not only must
"--bind-interfaces" be replaced with "--bind-dynamic", but also all
"--listen-address" options must be replaced with a single
"--interface" option. Fully:

   --bind-interfaces --except-interface lo --listen-address x.x.x.x ...

(with --listen-address possibly repeated) is replaced with:

   --bind-dynamic --interface virbrX

Of course libvirt can't use this new option if the host's dnsmasq
doesn't have it, but we still want libvirt to function (because the
great majority of libvirt installations, which only have mode='nat'
networks using RFC1918 private address ranges (e.g. 192.168.122.0/24),
are immune to this vulnerability from anywhere beyond the local subnet
of the host), so we use the new dnsmasqCaps API to check if dnsmasq
supports the new option and, if not, we use the "old" option style
instead. In order to assure that this permissiveness doesn't lead to a
vulnerable system, we do check for non-private addresses in this case,
and refuse to start the network if both a) we are using the old-style
options, and b) the network has a publicly routable IP
address. Hopefully this will provide the proper balance of not being
disruptive to those not practically affected, and making sure that
those who *are* affected get their dnsmasq upgraded.

(--bind-dynamic was added to dnsmasq in upstream commit
54dd393f3938fc0c19088fbd319b95e37d81a2b0, which was included in
dnsmasq-2.63)
2012-11-29 15:02:39 -05:00
Laine Stump
719c2c7665 util: capabilities detection for dnsmasq
In order to optionally take advantage of new features in dnsmasq when
the host's version of dnsmasq supports them, but still be able to run
on hosts that don't support the new features, we need to be able to
detect the version of dnsmasq running on the host, and possibly
determine from the help output what options are in this dnsmasq.

This patch implements a greatly simplified version of the capabilities
code we already have for qemu. A dnsmasqCaps device can be created and
populated either from running a program on disk, reading a file with
the concatenated output of "dnsmasq --version; dnsmasq --help", or
examining a buffer in memory that contains the concatenated output of
those two commands. Simple functions to retrieve capabilities flags,
the version number, and the path of the binary are also included.

bridge_driver.c creates a single dnsmasqCaps object at driver startup,
and disposes of it at driver shutdown. Any time it must be used, the
dnsmasqCapsRefresh method is called - it checks the mtime of the
binary, and re-runs the checks if the binary has changed.

networkxml2argvtest.c creates 2 "artificial" dnsmasqCaps objects at
startup - one "restricted" (doesn't support --bind-dynamic) and one
"full" (does support --bind-dynamic). Some of the test cases use one
and some the other, to make sure both code pathes are tested.
2012-11-29 15:02:39 -05:00
Daniel P. Berrange
4738c2a7e7 Replace 'struct qemud_driver *' with virQEMUDriverPtr
Remove the obsolete 'qemud' naming prefix and underscore
based type name. Introduce virQEMUDriverPtr as the replacement,
in common with LXC driver naming style
2012-11-28 18:17:25 +00:00
Guannan Ren
237629d204 bitmap: fix typo to use UL type of integer constant in virBitmapIsAllSet
This bug leads to getting incorrect vcpupin information via
qemudDomainGetVcpuPinInfo() API when the number of maximum
cpu on a host falls into a range such as 31 < ncpus < 64.

gcc warning:
left shift count >= width of type

The following bug is such the case
https://bugzilla.redhat.com/show_bug.cgi?id=876415
2012-11-28 18:30:28 +08:00
Harsh Prateek Bora
f97a569944 tests: Add tests for gluster protocol based network disks support
Signed-off-by: Harsh Prateek Bora <harsh@linux.vnet.ibm.com>
2012-11-27 10:19:22 +01:00
Ján Tomko
5efacd7813 build: fix build --without-network
bridge_driver.h: silence gcc warnings:
statement with no effect [-Wunused-value]
unused variable 'net' [-Wunused-variable]

virdrivermoduletest.c: don't require network driver module
if it hasn't been built.
2012-11-26 14:01:23 +01:00
Michal Privoznik
a154f5f313 qemuhelpdata: Revert my 'fix'
I was convicted that space at EOL should no be there
even for qemu help data. Hence, I've removed one in
commit bb2f621611. However, it turns out we want
it exactly the way qemu produces it. So I should undo
my premature fix. A patch against qemu has been posted
as well.
2012-11-23 09:25:20 +01:00
Ján Tomko
bb2f621611 tests: update qemuhelptest data
Both generated with
qemu-system-x86_64 --help > qemu-1.2.0

qemu-system-x86_64 \
-device ? \
-device pci-assign,? \
-device virtio-blk-pci,? \
-device virtio-net-pci,? \
-device scsi-disk,? \
-device PIIX4_PM,? \
-device usb-redir,? \
-device ide-drive,? \
-device usb-host,? 2> qemu-1.2.0-device

It seems I missed a few -device flags when doing this last time and I
mixed up qemu and qemu-kvm.
2012-11-21 18:43:18 +01:00
Ján Tomko
c5834ec148 tests: add boot order for host and redirected USB to qemu argv test 2012-11-21 18:43:15 +01:00
Miloslav Trmač
37f7a1faf1 Add metadata to virLogOutputFunc
... and update all users.  No change in functionality, the parameter
will be used in the next patch.

Signed-off-by: Miloslav Trmač <mitr@redhat.com>
2012-11-14 19:14:07 -07:00
Peter Krempa
e5aab47ab3 tests: Remove temporary directories in qemumonitorjsontest
qemumonitorjsontest creates a temporary directory to hold the socket
that is simulating the monitor socket. The directory containing the
socket wasn't disposed properly at the end of the test leaving garbage
in the temporary folder.
2012-11-13 09:32:15 +01:00
Peter Krempa
e25a32f3da tests: Fix qemumonitorjsontest deadlock when the machine is under load
When doing the qemumonitorjsontest on a machine under heavy load the
test tends to deadlock from time to time. This patch adds the hack to
break the event loop that is used in virsh.
2012-11-13 09:32:14 +01:00
Peter Krempa
7a791677b0 nodeinfotest: Add test data from a AMD bulldozer machine.
The AMD Bulldozer architecture uses so called "Clustered integer core
modules" that count both as threads and cores. This patch expects the
cpu to be detected using the new fallback condition otherwise twice the
number of processors would be detected.
2012-11-13 00:35:36 +01:00
Peter Krempa
86748976f1 nodeinfotest: Add test data for 2 processor host with broken NUMA
This test data was gathered on an AMD MagnyCours machine that reports it
has only one NUMA node although the hardware is consisting of 4. As
duplicate core id's are ignored the reported topology was bogous. This
should be fixed by the previous patch.

Reported and data provided by George-Cristian Bîrzan.
2012-11-13 00:35:36 +01:00
Viktor Mihajlovski
b1c88c1476 capabilities: defaultConsoleTargetType can depend on architecture
For S390, the default console target type cannot be of type 'serial'.
It is necessary to at least interpret the 'arch' attribute
value of the os/type element to produce the correct default type.

Therefore we need to extend the signature of defaultConsoleTargetType
to account for architecture. As a consequence all the drivers
supporting this capability function must be updated.

Despite the amount of changed files, the only change in behavior is
that for S390 the default console target type will be 'virtio'.

N.B.: A more future-proof approach could be to to use hypervisor
specific capabilities to determine the best possible console type.
For instance one could add an opaque private data pointer to the
virCaps structure (in case of QEMU to hold capsCache) which could
then be passed to the defaultConsoleTargetType callback to determine
the console target type.
Seems to be however a bit overengineered for the use case...

Signed-off-by: Viktor Mihajlovski <mihajlov@linux.vnet.ibm.com>
2012-11-09 09:20:59 -07:00
Eric Blake
2cd4d8e506 virsh: add snapshot-create-as memspec support
External checkpoints could be created with snapshot-create, but
without libvirt supplying a default name for the memory file,
it is essential to add a new argument to snapshot-create-as to
allow the user to choose the memory file name.  This adds the
option --memspec [file=]name[,snapshot=type], where type can
be none, internal, or external.  For an example,

virsh snapshot-create-as $dom --memspec /path/to/file

is the shortest possible command line for creating an external
checkpoint, named after the current timestamp.

* tools/virsh-snapshot.c (vshParseSnapshotMemspec): New function.
(cmdSnapshotCreateAs): Use it.
* tests/virsh-optparse (test_url): Test it.
* tools/virsh.pod (snapshot-create-as): Document it.
2012-11-07 09:04:18 -07:00
Michal Privoznik
a95c9406a2 tests: Add test for controller order 2012-11-06 10:11:35 +01:00
Eric Blake
4201a7ea1c snapshot: new XML for external system checkpoint
Each <domainsnapshot> can now contain an optional <memory>
element that describes how the VM state was handled, similar
to disk snapshots.  The new element will always appear in
output; for back-compat, an input that lacks the element will
assume 'no' or 'internal' according to the domain state.

Along with this change, it is now possible to pass <disks> in
the XML for an offline snapshot; this also needs to be wired up
in a future patch, to make it possible to choose internal vs.
external on a per-disk basis for each disk in an offline domain.
At that point, using the --disk-only flag for an offline domain
will be able to work.

For some examples below, remember that qemu supports the
following snapshot actions:

qemu-img: offline external and internal disk
savevm: online internal VM and disk
migrate: online external VM
transaction: online external disk

=====
<domainsnapshot>
  <memory snapshot='no'/>
  ...
</domainsnapshot>

implies that there is no VM state saved (mandatory for
offline and disk-only snapshots, not possible otherwise);
using qemu-img for offline domains and transaction for online.

=====
<domainsnapshot>
  <memory snapshot='internal'/>
  ...
</domainsnapshot>

state is saved inside one of the disks (as in qemu's 'savevm'
system checkpoint implementation).  If needed in the future,
we can also add an attribute pointing out _which_ disk saved
the internal state; maybe disk='vda'.

=====
<domainsnapshot>
  <memory snapshot='external' file='/path/to/state'/>
  ...
</domainsnapshot>

This is not wired up yet, but future patches will allow this to
control a combination of 'virsh save /path/to/state' plus disk
snapshots from the same point in time.

=====

So for 1.0.1 (and later, as needed), I plan to implement this table
of combinations, with '*' designating new code and '+' designating
existing code reached through new combinations of xml and/or the
existing DISK_ONLY flag:

domain  memory  disk   disk-only | result
-----------------------------------------
offline omit    omit   any       | memory=no disk=int, via qemu-img
offline no      omit   any       |+memory=no disk=int, via qemu-img
offline omit/no no     any       | invalid combination (nothing to snapshot)
offline omit/no int    any       |+memory=no disk=int, via qemu-img
offline omit/no ext    any       |*memory=no disk=ext, via qemu-img
offline int/ext any    any       | invalid combination (no memory to save)
online  omit    omit   off       | memory=int disk=int, via savevm
online  omit    omit   on        | memory=no disk=default, via transaction
online  omit    no/ext off       | unsupported for now
online  omit    no     on        | invalid combination (nothing to snapshot)
online  omit    ext    on        | memory=no disk=ext, via transaction
online  omit    int    off       |+memory=int disk=int, via savevm
online  omit    int    on        | unsupported for now
online  no      omit   any       |+memory=no disk=default, via transaction
online  no      no     any       | invalid combination (nothing to snapshot)
online  no      int    any       | unsupported for now
online  no      ext    any       |+memory=no disk=ext, via transaction
online  int/ext any    on        | invalid combination (disk-only vs. memory)
online  int     omit   off       |+memory=int disk=int, via savevm
online  int     no/ext off       | unsupported for now
online  int     int    off       |+memory=int disk=int, via savevm
online  ext     omit   off       |*memory=ext disk=default, via migrate+trans
online  ext     no     off       |+memory=ext disk=no, via migrate
online  ext     int    off       | unsupported for now
online  ext     ext    off       |*memory=ext disk=ext, via migrate+transaction

* docs/schemas/domainsnapshot.rng (memory): New RNG element.
* docs/formatsnapshot.html.in: Document it.
* src/conf/snapshot_conf.h (virDomainSnapshotDef): New fields.
* src/conf/domain_conf.c (virDomainSnapshotDefFree)
(virDomainSnapshotDefParseString, virDomainSnapshotDefFormat):
Manage new fields.
* tests/domainsnapshotxml2xmltest.c: New test.
* tests/domainsnapshotxml2xmlin/*.xml: Update existing tests.
* tests/domainsnapshotxml2xmlout/*.xml: Likewise.
2012-11-02 09:56:23 -06:00
Daniel P. Berrange
1c04f99970 Remove spurious whitespace between function name & open brackets
The libvirt coding standard is to use 'function(...args...)'
instead of 'function (...args...)'. A non-trivial number of
places did not follow this rule and are fixed in this patch.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2012-11-02 13:36:49 +00:00