With Eric Blake's suggestions applied.
The following rule for direction 'in'
<rule direction='in' action='drop'>
<mac srcmacaddr='1:2:3:4:5:6'/>
</rule>
drops all traffic from the given mac address.
The following rule for direction 'out'
<rule direction='out' action='drop'>
<mac dstmacaddr='1:2:3:4:5:6'/>
</rule>
drops all traffic to the given mac address.
The following rule in direction 'inout'
<rule direction='inout' action='drop'>
<mac srcmacaddr='1:2:3:4:5:6'/>
</rule>
now drops all traffic from and to the given MAC address.
So far it would have dropped traffic from the given MAC address
and outgoing traffic with the given source MAC address, which is not useful
since the packets will always have the VM's MAC address as source
MAC address. The attached patch fixes this.
This is the last bug I currently know of and want to fix.
When starting up qemu VNC autoport guests, we were
only looking through ports 5900 to 6000, meaning we
were limited to 100 total clients. Increase that
limit to 65535 (the last available port), so we can
have up to 59635 VNC autoport guests.
Signed-off-by: Chris Lalancette <clalance@redhat.com>
While playing around with def/newDef with the qemu code,
I noticed that newDef was *always* getting set to a value,
even when I didn't redefine the domain. I think the problem
is the virDomainLoadConfig is always doing virDomainAssignDef
regardless of whether the domain already exists in the hashtable.
In turn, virDomainAssignDef is assigning the definition (which
is actually a duplicate) to newDef. Fix this so that newDef stays
NULL until we actually have a new def.
Signed-off-by: Chris Lalancette <clalance@redhat.com>
values. Rather use the strspn() function. Along with this cleanup the
initialization function for the code that used the regular expression
can also be removed.
The images are saved in /var/lib/libvirt/qemu/save/
and named $domainname.save . The directory is created appropriately
at daemon startup. When a domain is started while a saved image is
available, libvirt will try to load this saved image, and start the
domain as usual in case of failure. In any case the saved image is
discarded once the domain is created.
* src/qemu/qemu_conf.h: adds an extra save path to the driver config
* src/qemu/qemu_driver.c: implement the 3 new operations and handling
of the image directory
* src/remote/remote_protocol.x src/remote/remote_protocol.h
src/remote/remote_protocol.c src/remote/remote_driver.c: add the entry
points in the remote driver
* daemon/remote.c daemon/remote_dispatch_args.h
daemon/remote_dispatch_prototypes.h daemon/remote_dispatch_table.h:
and implement the daemon counterpart
virDomainManagedSave() is to be run on a running domain. Once the call
complete, as in virDomainSave() the domain is stopped upon completion,
but there is no restore counterpart as any order to start the domain
from the API would load the state from the managed file, similary if
the domain is autostarted when libvirtd starts.
Once a domain has restarted his managed save image is destroyed,
basically managed save image can only exist for a stopped domain,
for a running domain that would be by definition outdated data.
* include/libvirt/libvirt.h.in src/libvirt.c src/libvirt_public.syms:
adds the new entry points virDomainManagedSave(),
virDomainHasManagedSaveImage() and virDomainManagedSaveRemove()
* src/driver.h src/esx/esx_driver.c src/lxc/lxc_driver.c
src/opennebula/one_driver.c src/openvz/openvz_driver.c
src/phyp/phyp_driver.c src/qemu/qemu_driver.c src/vbox/vbox_tmpl.c
src/remote/remote_driver.c src/test/test_driver.c src/uml/uml_driver.c
src/xen/xen_driver.c: add corresponding new internal drivers entry
points
- ebtables requires that some of the command line parameters are passed as hex numbers; so have those attributes call a function that prints 16 and 8 bit integers as hex nunbers.
- ip6tables requires '--icmpv6-type' rather than '--icmp-type'
- ebtables complains about protocol identifiers lower than 0x600, so already discard anything lower than 0x600 in the parser
- make the protocol entry types more readable using a #define for its entries
- continue parsing a filtering rule even if a faulty entry is encountered; return an error value at the end and let the caller decide what to do with the rule's object
- fix an error message
The clock timer XML is being updated in the following ways (based on
further off-list discussion that was missed during the initial
implementation):
1) 'wallclock' is changed to 'track', and the possible values are 'boot'
(corresponds to old 'host'), 'guest', and 'wall'.
2) 'mode' has an additional value 'smpsafe'
3) when tickpolicy='catchup', there can be an optional sub-element of
timer called 'catchup':
<catchup threshold=123 slew=120 limit=10000/>
Those three values are all longs, always optional, and if they are present,
they are positive. Internally, 0 indicates "unspecified".
* docs/schemas/domain.rng: updated RNG definition to account for changes
* src/conf/domain_conf.h: change the C struct and enums to match changes.
* src/conf/domain_conf.c: timer parse and format functions changed to
handle the new selections and new element.
* src/libvirt_private.syms: *TimerWallclock* changes to *TimerTrack*
* src/qemu/qemu_conf.c: again, account for Wallclock --> Track change.
(suggested by Daniel Berrange, tested by Dan Kenigsberg)
virStorageFileGetMetadata will fail for disk images that are stored on
a root-squash NFS share that isn't world-readable.
SELinuxSetSecurityImageLabel is called during the startup of every
domain (as long as security_driver != "none"), and it will propogate
the error from virStorageFileGetMetadata, causing the domain startup
to fail. This is, however, a common scenario when qemu is run as a
non-root user and the disk image is stored on NFS.
Ignoring this failure (which doesn't matter in this case, since the
next thing done by SELinuxSetSecurityImageLabel - setting the file
context - will also fail (and that function already ignores failures
due to root-squash NFS) will allow us to continue bringing up the
domain. The result is that we don't need to disable the entire
security driver just because a domain's disk image is stored on
root-squashed NFS.
virFileReadLimFD is a poor fit for reading the header
of the restore file. The problem is that virFileReadLimFD
returns an error when there is more data after the amount
you ask to read, but that is *expected* in this case.
This patch is essentially a revert of
1a4d5c9543, but I don't think
that commit does what it says anyway. It purports to prevent
an unwarranted OOM error, but since virFileReadLimFD will
allocate memory up to the maximum anyway, the upper limit
on the total amount of memory allocated is the same for either
the old version or the new version. Since the old saferead
actually works and virFileReadLimFD does not, revert to
using saferead.
Signed-off-by: Chris Lalancette <clalance@redhat.com>
Received report of user crashing libvirtd with
virsh capabilities > capabilities.xml
virsh cpu-compare capabilities.xml
While user has been informed about proper usage of cpu-compare,
segfaulting libvirt should be avoided.
Do not parse CPU definition in virCPUDefParseXML() if XML is not
a 'cpu' node.
When a watchdog/IO error occurs, one of the possible actions that
QEMU might take is to pause the guest. In this scenario libvirt
needs to update its internal state for the VM, and emit a
lifecycle event:
VIR_DOMAIN_EVENT_SUSPENDED
with a detail being one of:
VIR_DOMAIN_EVENT_SUSPENDED_IOERROR
VIR_DOMAIN_EVENT_SUSPENDED_WATCHDOG
To future proof against possible QEMU support for multiple monitor
consoles, this patch also hooks into the 'STOPPED' event in QEMU
and emits a generic VIR_DOMAIN_EVENT_SUSPENDED_PAUSED event
* include/libvirt/libvirt.h.in: Add VIR_DOMAIN_EVENT_SUSPENDED_IOERROR
* src/qemu/qemu_driver.c: Update VM state to paused when IO error
or watchdog events occurrs
* src/qemu/qemu_monitor_json.c: Fix typo in disk IO event name
