Commit Graph

20322 Commits

Author SHA1 Message Date
Cole Robinson
53347378e6 Prep for release 1.2.18.4 2016-07-18 18:35:23 -04:00
Jiri Denemark
caa4c280cd qemu: Let empty default VNC password work as documented
CVE-2016-5008

Setting an empty graphics password is documented as a way to disable
VNC/SPICE access, but QEMU does not always behaves like that. VNC would
happily accept the empty password. Let's enforce the behavior by setting
password expiration to "now".

https://bugzilla.redhat.com/show_bug.cgi?id=1180092

Signed-off-by: Jiri Denemark <jdenemar@redhat.com>
(cherry picked from commit bb848feec0)
2016-06-30 12:11:07 +01:00
Cole Robinson
ff4c47a9f4 spec: Fix error in last backport 2016-06-23 16:23:11 -04:00
Cole Robinson
ea02b58400 spec: Advertise nvram paths of official fedora edk2 builds
Fedora now ships edk2 firmware in its official repos, so adapt
the nvram path list to match. Eventually we can remove the nightly
links as well once some integration kinks have been worked out,
and documentation updated.

Move the macro building into the %build target, which lets us
build up a shell variable and make things a bit more readable

https://bugzilla.redhat.com/show_bug.cgi?id=1335395
(cherry picked from commit e9ef4dfac8)
2016-06-23 16:20:00 -04:00
Cole Robinson
99f80c55e1 Prep for release 1.2.18.3 2016-05-04 19:50:48 -04:00
Andrea Bolognani
7b2ebecb6b spec: Use proper indentation
Commit 1d4400082a added some code that was not indented properly
and broke syntax-check. Fix it.

(cherry picked from commit a528ae7fb7)
2016-05-04 19:31:46 -04:00
Cole Robinson
4df52fea7e spec: If installing default network, restart libvirtd
If libvirt-daemon-config-network is installed while libvirtd is already
running, the daemon doesn't notice the network. Users then have to
manually restart libvirtd (or reboot) to pick up the network.

Instead let's trigger a daemon restart when the package is first installed.
Then the default network is available immediately if libvirtd was already
running.

https://bugzilla.redhat.com/show_bug.cgi?id=867546
(cherry picked from commit 1d4400082a)
2016-05-04 18:38:46 -04:00
Ben Gray
5c3be42813 rpc: Don't leak fd via CreateXMLWithFiles
FD passing APIs like CreateXMLWithFiles or OpenGraphicsFD will leak
file descriptors. The user passes in an fd, which is dup()'d in
virNetClientProgramCall. The new fd is what is transfered to the
server virNetClientIOWriteMessage.

Once all the fds have been written though, the parent msg->fds list
is immediately free'd, so the individual fds are never closed.

This closes each FD as its send to the server, so all fds have been
closed by the time msg->fds is free'd.

https://bugzilla.redhat.com/show_bug.cgi?id=1159766
(cherry picked from commit 5ba48584fb)
2016-05-04 18:37:38 -04:00
Daniel P. Berrange
99edd11a00 libvirt.spec: remove duplicate files from -docs package
Previous commit moved some lists out of the -devel package
and into the -docs package

  commit feffcc03a0
  Author: Cole Robinson <crobinso@redhat.com>
  Date:   Wed Apr 13 10:37:42 2016 -0400

    spec: Only pull in API docs with -devel package

What was not realized is that the rule 'libvirt-docs/*'
and ' docs/*.html docs/html docs/*.gif' actually point
to the exact same content. ie, we had previously included
the website HTML in *both* the -docs and -devel packages.

So this change ended up listing the files twice, which
caused RPM to print a load of warnings:

warning: File listed twice: /usr/share/doc/libvirt-docs/html
warning: File listed twice: /usr/share/doc/libvirt-docs/html/32favicon.png
warning: File listed twice: /usr/share/doc/libvirt-docs/html/404.html
warning: File listed twice: /usr/share/doc/libvirt-docs/html/acl.html
warning: File listed twice: /usr/share/doc/libvirt-docs/html/aclpolkit.html

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
(cherry picked from commit d6c25c34ef)
2016-05-04 18:36:52 -04:00
Michal Privoznik
44681b7ae6 wireshark: Fix header of get_message_len()
In wireshark commit ceb8d954 (v1.99.2) they have changed the
signature of a function that determines how long a libvirt packet
is. Now it accepts a void pointer for passing data into the
function. Well, this is nice, but we don't need it right now.
Anyway, we have to change our code.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
(cherry picked from commit 4f47778591)
2016-04-20 10:55:25 -04:00
Michal Privoznik
81367d3642 wireshark: Replace WIRESHARK_COMPAT with actual version comparison
In the upcoming patch we will need yet another #ifdef code block
depending on wireshark version. Instead of defining
WIRESHARK_COMPAT2 or something lets just compare the version
right at the place so that we can clearly see what version broke
API.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
(cherry picked from commit 7bcbcd1d93)
2016-04-20 10:55:18 -04:00
Michal Privoznik
662b9afee9 wireshark: s/tvb_length/tvb_captured_length/
In wireshak commit 22149c55 (v.1.11.3) the API was renamed.
Follow the change in our code too. Since the wireshark change was
made in the very same version that we require at least we are
good to go.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
(cherry picked from commit fcbae1017a)
2016-04-20 10:55:13 -04:00
Michal Privoznik
f8f58f32f6 wireshark: s/ep_alloc/wmem_alloc/
In wireshark, they have introduced their own memory allocator
wmem. This means that we need to adapt our code to that change
too. Notably 0ad15f88ccf434e8210ca is the wireshark commit you
want to look at. It's the one where they dropped the old API. The
new allocator has been introduced in 84cc3daa (v1.10.0), however,
was not exposed until 5c05c9e0 (v1.10.0). Since we already are
requiring 1.11.3 or higher no other change is needed.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
(cherry picked from commit 0bfdb9cb24)
2016-04-20 10:55:06 -04:00
Michal Privoznik
6744541e97 wireshark: s/proto_tree_add_text/proto_tree_add_item/
In the wireshark commit e2735ecfdd7a96c they dropped
proto_tree_add_text in favor of proto_tree_add_item. Adapt to
this change.

Moreover, the proto_tree_add_item API is around for ages and we
are already using it anyway. Therefore we don't need to change
required version of wireshark.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
(cherry picked from commit d3ede96d6f)
2016-04-20 10:55:01 -04:00
Cole Robinson
68ef4ec5c1 spec: Only pull in API docs with -devel package
Move some API specific documentation out of -docs package and into
-devel, and some end user docs out of -devel and into -docs, then
drop the -devel dep on -docs. This is more in line with the suggested
Fedora guidelines.

https://bugzilla.redhat.com/show_bug.cgi?id=1310155
(cherry picked from commit feffcc03a0)
2016-04-20 09:05:47 -04:00
Eric Blake
f4067eef11 build: accomodate selinux 2.5 header API change
Yet again, selinux has been adding const-correctness; this change
is ABI-compatible, but breaks API, which affects us when we try to
override things in our testsuite:

../../tests/securityselinuxhelper.c:307:24: error: conflicting types for 'selabel_open'
 struct selabel_handle *selabel_open(unsigned int backend,
                        ^~~~~~~~~~~~
In file included from ../../tests/securityselinuxhelper.c:32:0:
/usr/include/selinux/label.h:73:24: note: previous declaration of 'selabel_open' was here

The problem is a new 'const' prior to the second parameter.

Fix it the same way we did in commit 292d3f2d: check for the new
const at configure time.

Signed-off-by: Eric Blake <eblake@redhat.com>
(cherry picked from commit 5ea3a690a2)
2016-04-13 19:09:58 -04:00
Pavel Hrdina
2cd6df52da build: add GCC 6.0 -Wlogical-op workaround
fdstream.c: In function 'virFDStreamWrite':
fdstream.c:390:29: error: logical 'or' of equal expressions [-Werror=logical-op]
        if (errno == EAGAIN || errno == EWOULDBLOCK) {
                            ^~

Fedora rawhide now uses gcc 6.0 and there is a bug with -Wlogical-op
producing false warnings.

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=69602

Use GCC pragma push/pop and ignore -Wlogical-op for GCC that supports
push/pop pragma and also has this bug.

Signed-off-by: Pavel Hrdina <phrdina@redhat.com>
(cherry picked from commit d713a6b120)
2016-04-13 19:00:22 -04:00
Pavel Hrdina
9fb6aff0f0 build: cleanup GCC < 4.6 -Wlogical-op workaround
Signed-off-by: Pavel Hrdina <phrdina@redhat.com>
(cherry picked from commit 7fb81831fc)
2016-04-13 19:00:16 -04:00
Daniel P. Berrange
b4a32e5103 lxc: don't try to hide parent cgroups inside container
On the host when we start a container, it will be
placed in a cgroup path of

   /machine.slice/machine-lxc\x2ddemo.scope

under /sys/fs/cgroup/*

Inside the containers' namespace we need to setup
/sys/fs/cgroup mounts, and currently will bind
mount /machine.slice/machine-lxc\x2ddemo.scope on
the host to appear as / in the container.

While this may sound nice, it confuses applications
dealing with cgroups, because /proc/$PID/cgroup
now does not match the directory in /sys/fs/cgroup

This particularly causes problems for systems and
will make it create repeated path components in
the cgroup for apps run in the container eg

  /machine.slice/machine-lxc\x2ddemo.scope/machine.slice/machine-lxc\x2ddemo.scope/user.slice/user-0.slice/session-61.scope

This also causes any systemd service that uses
sd-notify to fail to start, because when systemd
receives the notification it won't be able to
identify the corresponding unit it came from.
In particular this break rabbitmq-server startup

Future kernels will provide proper cgroup namespacing
which will handle this problem, but until that time
we should not try to play games with hiding parent
cgroups.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
(cherry picked from commit dc576025c3)
2016-04-07 16:52:49 +01:00
Jovanka Gulicoska
586eeca178 driver: log missing modules as INFO, not WARN
Missing modules is a common expected scenario for most libvirt usage on
RPM distributions like Fedora, so it doesn't really warrant logging at
WARN level. Use INFO instead

https://bugzilla.redhat.com/show_bug.cgi?id=1274849
(cherry picked from commit 9a0c7f5f83)
2016-03-17 17:09:34 -04:00
Cole Robinson
f945ae0efe rpc: wait longer for session daemon to start up
https://bugzilla.redhat.com/show_bug.cgi?id=1271183

We only wait 0.5 seconds for the session daemon to start up and present
its socket, which isn't sufficient for many users. Bump up the sleep
interval and retry amount so we wait for a total of 5.0 seconds.

(cherry picked from commit ca0c06f400)
2016-03-17 16:25:09 -04:00
Cole Robinson
6c3c5c099c util: virfile: Only setuid for virFileRemove if on NFS
NFS with root-squash is the only reason we need to do setuid/setgid
crazyness in virFileRemove, so limit that behavior to the NFS case.

(cherry picked from commit adefc561cc)
2016-03-17 16:23:10 -04:00
Cole Robinson
cb3de69f0d util: virfile: Clarify setuid usage for virFileRemove
Break these checks out into their own function, and clearly document
each one. This shouldn't change behavior

(cherry picked from commit 7cf5343709)
2016-03-17 16:22:01 -04:00
Cole Robinson
34a7476f00 lxc: fuse: Stub out Slab bits in /proc/meminfo
'free' on fedora23 wants to use the Slab field for calculated used
memory. The equation is:

used = MemTotal - MemFree - (Cached + Slab) - Buffers

We already set Cached and Buffers to 0, do the same for Slab and its
related values

https://bugzilla.redhat.com/show_bug.cgi?id=1300781
(cherry picked from commit 81da8bc73b)
2016-03-17 15:58:54 -04:00
Cole Robinson
cd199c9bf7 lxc: fuse: Fill in MemAvailable for /proc/meminfo
'free' on Fedora 23 will use MemAvailable to calculate its 'available'
field, but we are passing through the host's value. Set it to match
MemFree, which is what 'free' will do for older linux that don't have
MemAvailable

https://bugzilla.redhat.com/show_bug.cgi?id=1300781
(cherry picked from commit c7be484d11)
2016-03-17 15:58:49 -04:00
Cole Robinson
a6e4fe019f lxc: fuse: Fix /proc/meminfo size calculation
We virtualize bits of /proc/meminfo by replacing host values with
values specific to the container.

However for calculating the final size of the returned data, we are
using the size of the original file and not the altered copy, which
could give garbelled output.

(cherry picked from commit 8418245a7e)
2016-03-17 15:58:42 -04:00
Cole Robinson
4dc06610fc lxc: fuse: Unindent meminfo logic
Reverse the conditional at the start so we aren't stuffing all the logic
in an 'if' block

(cherry picked from commit f65dcfcd14)
2016-03-17 15:58:28 -04:00
John Ferlan
58e916ffaf virfile: Fix error path for forked virFileRemove
As it turns out the caller in this case expects a return < 0 for failure
and to get/use "errno" rather than using the negative of returned status.
Again different than the create path.

If someone "deleted" a file from the pool without using virsh vol-delete,
then the unlink/rmdir would return an error (-1) and set errno to ENOENT.
The caller checks errno for ENOENT when determining whether to throw an
error message indicating the failure.  Without the change, the error
message is:

error: Failed to delete vol $vol
error: cannot unlink file '/$pathto/$vol': Success

This patch thus allows the fork path to follow the non-fork path
where unlink/rmdir return -1 and errno.

(cherry picked from commit cb19cff468)
2016-02-11 14:37:28 -05:00
Jiri Denemark
74909e9648 security: Do not restore kernel and initrd labels
Kernel/initrd files are essentially read-only shareable images and thus
should be handled in the same way. We already use the appropriate label
for kernel/initrd files when starting a domain, but when a domain gets
destroyed we would remove the labels which would make other running
domains using the same files very unhappy.

https://bugzilla.redhat.com/show_bug.cgi?id=921135

Signed-off-by: Jiri Denemark <jdenemar@redhat.com>
(cherry picked from commit 68acc701bd)
2016-01-20 19:14:06 -05:00
Cole Robinson
40df40f35a rpc: socket: Don't repeatedly attempt to launch daemon
On every socket connect(2) attempt we were re-launching session
libvirtd, up to 100 times in 5 seconds.

This understandably caused some weird load races and intermittent
qemu:///session startup failures

https://bugzilla.redhat.com/show_bug.cgi?id=1271183
(cherry picked from commit 2eb7a97575)
2016-01-20 19:13:32 -05:00
Cole Robinson
2e4d173b49 rpc: socket: Explicitly error if we exceed retry count
When we autolaunch libvirtd for session URIs, we spin in a retry
loop waiting for the daemon to start and the connect(2) to succeed.

However if we exceed the retry count, we don't explicitly raise an
error, which can yield a slew of different error messages elsewhere
in the code.

Explicitly raise the last connect(2) failure if we run out of retries.

(cherry picked from commit 8da02d5280)
2016-01-20 19:13:25 -05:00
Cole Robinson
4a4c73d217 rpc: socket: Minor cleanups
- Add some debugging
- Make the loop dependent only on retries
- Make it explicit that connect(2) success exits the loop
- Invert the error checking logic

(cherry picked from commit f102c7146e)
2016-01-20 19:13:21 -05:00
Cole Robinson
39953c18d1 build: predictably generate systemtap tapsets (bz 1173641)
The generated output is dependent on perl hashtable ordering, which
gives different results for i686 and x86_64. Fix this by sorting
the hash keys before iterating over them

https://bugzilla.redhat.com/show_bug.cgi?id=1173641
(cherry picked from commit a1edb05c60)
2016-01-20 19:12:18 -05:00
Ján Tomko
d5ef3cbb2c leaseshelper: fix crash when no mac is specified
If dnsmasq specified DNSMASQ_IAID (so we're dealing with an IPv6
lease) but no DNSMASQ_MAC, we skip creation of the new lease object.

Also skip adding it to the leases array.

https://bugzilla.redhat.com/show_bug.cgi?id=1202350
(cherry picked from commit df9fe124d6)
Signed-off-by: Ján Tomko <jtomko@redhat.com>
2016-01-20 11:12:36 +01:00
Ján Tomko
fa3eb97fdc schema: interleave domain name and uuid with other elements
Allow <name> and <uuid> anywhere under <domain>, not just at the top:

error:XML document failed to validate against schema: Unable to validate
doc against /usr/share/libvirt/schemas/domain.rng
Expecting an element name, got nothing
Invalid sequence in interleave
Element domain failed to validate content

Introduced with the first RelaxNG schema in commit c642103.

https://bugzilla.redhat.com/show_bug.cgi?id=1292131
(cherry picked from commit b4e0549feb)
Signed-off-by: Ján Tomko <jtomko@redhat.com>
2016-01-05 13:54:28 +01:00
Cole Robinson
1ab886e4fa Prep for release 1.2.18.2 2015-12-23 19:14:59 -05:00
Daniel Veillard
9528a72494 Fix a trailing space in spec file
(cherry picked from commit bd311d3a8a)
2015-12-23 18:34:25 -05:00
Ján Tomko
3e6e96f09a virsh: report errors for empty strings
Several callers were using vshCommandOptString without setting an error.
Use vshCommandOptStringReq which sets the error.

https://bugzilla.redhat.com/show_bug.cgi?id=1281707
(cherry picked from commit 45138725cf)
2015-12-23 18:31:03 -05:00
Ján Tomko
7b977a87a7 bridge: check for invalid MAC in networkGetDHCPLeases
Instead of comparing garbage strings against real MAC addresses,
introduce an error mesage for unparsable ones:

$ virsh net-dhcp-leases default  --mac t12
error: Failed to get leases info for default
error: invalid MAC address: t12

https://bugzilla.redhat.com/show_bug.cgi?id=1261432
(cherry picked from commit 1e6d87bdfc)
2015-12-23 18:31:03 -05:00
Jiri Denemark
c0063662e2 Enhance documentation of virDomainDetachDevice
Link it to virDomainDetachDeviceFlags.

https://bugzilla.redhat.com/show_bug.cgi?id=1257280

Signed-off-by: Jiri Denemark <jdenemar@redhat.com>
(cherry picked from commit 63fd27cfa3)
2015-12-23 18:31:03 -05:00
Guido Günther
1ba74670cb apparmor: add missing qemu binaries
This adds the qemu binaries as of 1.2.4 in Debian. It also removes a
duplicate sparc64 entry.

(cherry picked from commit d8ca0cbd4b)
2015-12-23 18:31:03 -05:00
Luyao Huang
d1f13a90a5 qemu: Use live autoNodeset when numatune placement is auto
https://bugzilla.redhat.com/show_bug.cgi?id=1270715

Commit id '9deb96f' removed the code to fetch the nodeset from the
CpusetMems cgroup for a running vm in favor of using the return from
virDomainNumatuneFormatNodeset introduced by commit id '43b67f2e7'.
However, that API will return the value of the passed 'auto_nodeset'
when placement is VIR_DOMAIN_NUMATUNE_PLACEMENT_AUTO, which happens
to be NULL.

Since commit id 'c74d58ad' started using priv->autoNodeset in order
to manage the auto placement value during qemuProcessStart, it should
be passed along in order to return the correct value if the domain
requests the auto placement.

Signed-off-by: Luyao Huang <lhuang@redhat.com>
(cherry picked from commit 4eac55238f)
2015-12-23 18:31:03 -05:00
Shivaprasad G Bhat
76e51193e3 Close the source fd if the destination qemu exits during tunnelled migration
Tunnelled migration can hang if the destination qemu exits despite all the
ABI checks. This happens whenever the destination qemu exits before the
complete transfer is noticed by source qemu. The savevm state checks at
runtime can fail at destination and cause qemu to error out.
The source qemu cant notice it as the EPIPE is not propogated to it.
The qemuMigrationIOFunc() notices the stream being broken from virStreamSend()
and it cleans up the stream alone. The qemuMigrationWaitForCompletion() would
never get to 100% transfer completion.
The qemuMigrationWaitForCompletion() never breaks out as well since
the ssh connection to destination is healthy, and the source qemu also thinks
the migration is ongoing as the Fd to which it transfers, is never
closed or broken. So, the migration will hang forever. Even Ctrl-C on the
virsh migrate wouldn't be honoured. Close the source side FD when there is
an error in the stream. That way, the source qemu updates itself and
qemuMigrationWaitForCompletion() notices the failure.

Close the FD for all kinds of errors to be sure. The error message is not
copied for EPIPE so that the destination error is copied instead later.

Note:
Reproducible with repeated migrations between Power hosts running in different
subcores-per-core modes.

Signed-off-by: Shivaprasad G Bhat <sbhat@linux.vnet.ibm.com>
(cherry picked from commit b39a1fe165)
2015-12-23 18:21:54 -05:00
John Ferlan
5c5ec4ca9e storage: Fix incorrect format for <disk> <auth> XML
https://bugzilla.redhat.com/show_bug.cgi?id=1256999

After creating a copy of the 'authdef' in a pool -> disk translation,
unconditionally clear the 'authType' in the resulting disk auth def
structure since that's used for a storage pool and not a disk.  This
ensures virStorageAuthDefFormat will properly format the <auth> XML
for a <disk> (e.g. it won't have a <auth type='%s'.../>).

(cherry picked from commit 5275c0f4a1)
2015-12-23 18:20:45 -05:00
Daniel P. Berrange
07518f77bd virt-host-validate: distinguish exists vs accessible for devices
Currently we just check that various devices are accessible.
This leads to inaccurate errors reported for /dev/kvm and
/dev/vhost-net if they exist but an unprivileged user lacks
access. Switch existing checks to look for file existance,
and add a separate check for accessibility of /dev/kvm
since some distros don't grant users access by default.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
(cherry picked from commit fd6d506c50)
2015-12-23 18:20:31 -05:00
Cole Robinson
26295a0ea7 spec: Delete .git after applying patches
I'm hitting this little annoyance in fedora's package repo:

$ fedpkg prep
Downloading libvirt-1.2.20.tar.gz
...
+ /usr/bin/gzip -dc /home/crobinso/src/fedora/libvirt/libvirt-1.2.20.tar.gz
$ git clean -xdf
Removing libvirt-1.2.20.tar.gz
Skipping repository libvirt-1.2.20/

We git-ify the libvirt directory as part of applying patches in the spec
file, but 'git clean' will ignore subfolders that appear to be standalone
git repos.

Let's just delete the .git directory after we're done with it.

(cherry picked from commit 62ff210e5d)
2015-12-23 18:19:15 -05:00
Cédric Bosdonnat
079a8dc4e6 apparmor: differentiate between error and unconfined profiles
profile_status function was not making any difference between error
cases and unconfined profiles. The problem with this approach is that
dominfo was throwing an error on unconfined domains.

(cherry picked from commit a1bdf04b27)
2015-12-23 18:18:25 -05:00
John Ferlan
eb9aaa26a8 storage: Adjust calculation of alloc/capacity for disk
https://bugzilla.redhat.com/show_bug.cgi?id=1247987

Calculation of the extended and logical partition values for the disk
pool is complex. As the bz points out an extended partition should have
it's allocation initialized to 0 (zero) and keep the capacity as the size
dictated by the extents read.  Then for each logical partition found,
adjust the allocation of the extended partition.

Finally, previous logic tried to avoid recalculating things if a logical
partition was deleted; however, since we now have special logic to handle
the allocation of the extended partition, just make life easier by reading
the partition table again - rather than doing the reverse adjustment.

(cherry picked from commit 1895b42114)
2015-12-23 18:17:49 -05:00
Andrea Bolognani
770ffbf857 qemu: Add conditions for qemu-kvm use on ppc64
qemu-kvm can be used to run ppc64 guests on ppc64le hosts and vice
versa, since the hardware is actually the same and the endianness
is chosen by the guest kernel.

Up until now, however, libvirt didn't allow the use of qemu-kvm
to run guests if their endianness didn't match the host's.

Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1267882
(cherry picked from commit 938368f838)
2015-12-23 18:17:06 -05:00
Peter Krempa
f3ac5d6a6c rpc: libssh2: Fix regression in ssh host key verification
Commit 792f81a40e caused a regression in the libssh2 host key
verification code by changing the variable type of 'i' to unsigned.
Since one of the loops used -1 as a special value if the asking
callback was found the conversion made a subsequent test always fail.

The bug was stealth enough to pass review, compilers and coverity.

Refactor the condition to avoid problems.

Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1047861
(cherry picked from commit 9869f24d08)
2015-12-23 18:16:55 -05:00