Commit Graph

31017 Commits

Author SHA1 Message Date
Jiri Denemark
602ecdf2ab Drop \n at the end of VIR_DEBUG messages
Signed-off-by: Jiri Denemark <jdenemar@redhat.com>
Reviewed-by: Pavel Hrdina <phrdina@redhat.com>
2018-09-19 14:05:59 +02:00
Michal Privoznik
8e8a9dc3fa virsh: Honour user locale in cmdList
In 2e97450425 we've mistakenly removed gettext macro for
translating static strings. This results in table header being
printed in English regardless of user locale.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: John Ferlan <jferlan@redhat.com>
2018-09-19 10:44:08 +02:00
Michal Privoznik
6d855abc14 security_selinux: Lock metadata when running transaction
Lock all the paths we want to relabel to mutually exclude other
libvirt daemons.

The only hitch here is that directories can't be locked.
Therefore, when relabeling a directory do not lock it (this
happens only when setting up some domain private paths anyway,
e.g. huge pages directory).

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: John Ferlan <jferlan@redhat.com>
2018-09-18 17:12:53 +02:00
Michal Privoznik
62fd05194a security_selinux: Move transaction handling up one level
So far the whole transaction handling is done
virSecuritySELinuxSetFileconHelper(). This needs to change for
the sake of security label remembering and locking. Otherwise we
would be locking a path when only appending it to transaction
list and not when actually relabelling it.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: John Ferlan <jferlan@redhat.com>
2018-09-18 17:12:53 +02:00
Michal Privoznik
4a7a7808dc virSecuritySELinuxRestoreFileLabel: Adjust code pattern
Firstly, the following code pattern is harder to follow:

  if (func() < 0) {
      error();
  } else {
      /* success */
  }

We should put 'goto cleanup' into the error branch and move the
else branch one level up.
Secondly, 'rc' should really be named 'ret' because it holds
return value of the function. Not some intermediate value.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: John Ferlan <jferlan@redhat.com>
2018-09-18 17:12:53 +02:00
Michal Privoznik
c9318499a7 virSecuritySELinuxRestoreFileLabel: Rename 'err' label
This label is used in both successful and error paths. Therefore
it should be named 'cleanup' and not 'err'.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: John Ferlan <jferlan@redhat.com>
2018-09-18 17:12:53 +02:00
Michal Privoznik
7a9ca0fae9 security_dac: Lock metadata when running transaction
Lock all the paths we want to relabel to mutually exclude other
libvirt daemons.

The only hitch here is that directories can't be locked.
Therefore, when relabeling a directory do not lock it (this
happens only when setting up some domain private paths anyway,
e.g. huge pages directory).

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: John Ferlan <jferlan@redhat.com>
2018-09-18 17:12:53 +02:00
Michal Privoznik
6e22ab2701 security_dac: Fix info messages when chown()-ing
Firstly, the message that says we're setting uid:gid shouldn't be
called from virSecurityDACSetOwnershipInternal() because
virSecurityDACRestoreFileLabelInternal() is calling it too.
Secondly, there are places between us reporting label restore and
us actually doing it where we can quit. Don't say we're doing
something until we are actually about to do it.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: John Ferlan <jferlan@redhat.com>
2018-09-18 17:12:53 +02:00
Michal Privoznik
c0b68c6e19 security_dac: Move transaction handling up one level
So far the whole transaction handling is done
virSecurityDACSetOwnershipInternal(). This needs to change for
the sake of security label remembering and locking. Otherwise we
would be locking a path when only appending it to transaction
list and not when actually relabeling it.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: John Ferlan <jferlan@redhat.com>
2018-09-18 17:12:53 +02:00
Michal Privoznik
c34f11998e security_manager: Introduce metadata locking APIs
Two new APIs are added so that security driver can lock and
unlock paths it wishes to touch. These APIs are not for other
drivers to call but security drivers (DAC and SELinux). That is
the reason these APIs are not exposed through our
libvirt_private.syms file.

Three interesting things happen in this commit. The first is the
global @lockManagerMutex. Unfortunately, this has to exist so that
there is only one thread talking to virtlockd at a time. If there
were more threads and one of them closed the connection
prematurely, it would cause virtlockd killing libvirtd. Instead
of complicated code that would handle that, let's have a mutex
and keep the code simple.

The second interesting thing is keeping connection open between
lock and unlock API calls. This is achieved by duplicating client
FD and keeping it open until unlock is called. This trick is used
by regular disk content locking code when the FD is leaked to
qemu.

Finally, the third thing is polling implemented at client side.
Since virtlockd has only one thread that handles locking
requests, all it can do is either acquire lock or error out.
Therefore, the polling has to be implemented in client. The
polling is capped at 60 second timeout, which should be plenty
since the metadata lock is held only for a fraction of a second.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: John Ferlan <jferlan@redhat.com>
2018-09-18 17:12:53 +02:00
Michal Privoznik
3e26b476b5 security_manager: Load lock plugin on init
Now that we know what metadata lock manager user wishes to use we
can load it when initializing security driver. This is achieved
by adding new argument to virSecurityManagerNewDriver() and
subsequently to all functions that end up calling it.

The cfg.mk change is needed in order to allow lock_manager.h
inclusion in security driver without 'syntax-check' complaining.
This is safe thing to do as locking APIs will always exist (it's
only backend implementation that changes). However, instead of
allowing the include for all other drivers (like cpu, network,
and so on) allow it only for security driver. This will still
trigger the error if including from other drivers.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: John Ferlan <jferlan@redhat.com>
2018-09-18 17:12:53 +02:00
Michal Privoznik
8b8aefb3d6 qemu_conf: Introduce metadata_lock_manager
This config option allows users to set and enable lock manager
for domain metadata. The lock manager is going to be used by
security drivers to serialize each other when changing a file
ownership or changing the SELinux label. The only supported lock
manager is 'lockd' for now.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: John Ferlan <jferlan@redhat.com>
2018-09-18 17:12:53 +02:00
Michal Privoznik
35b5b244da lock_manager: Allow disabling configFile for virLockManagerPluginNew
In some cases we might want to not load the lock driver config.
Alter virLockManagerPluginNew() and the lock drivers to cope with
this fact.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: John Ferlan <jferlan@redhat.com>
2018-09-18 17:12:53 +02:00
Michal Privoznik
385eb8399b lock_driver: Introduce VIR_LOCK_MANAGER_ACQUIRE_ROLLBACK
Soon there will be a virtlockd client that wants to either lock
all the resources or none (in order to avoid virtlockd killing
the client on connection close). Because on the RPC layer we can
only acquire one resource at a time, we have to perform a
rollback once we hit a resource that can't be acquired.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: John Ferlan <jferlan@redhat.com>
2018-09-18 17:12:53 +02:00
Michal Privoznik
997283b54b lock_driver: Introduce VIR_LOCK_MANAGER_RESOURCE_TYPE_METADATA
This is a new type of object that lock drivers can handle.
Currently, it is supported by lockd driver only.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: John Ferlan <jferlan@redhat.com>
2018-09-18 17:12:53 +02:00
Michal Privoznik
aaf34cb901 _virLockManagerLockDaemonPrivate: Move @hasRWDisks into dom union
The fact whether domain has or doesn't have RW disks is specific
to VIR_LOCK_MANAGER_OBJECT_TYPE_DOMAIN and therefore should
reside in union specific to it.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: John Ferlan <jferlan@redhat.com>
2018-09-18 17:12:53 +02:00
Michal Privoznik
22baf6e08c lock_driver: Introduce new VIR_LOCK_MANAGER_OBJECT_TYPE_DAEMON
We will want virtlockd to lock files on behalf of libvirtd and
not qemu process, because it is libvirtd that needs an exclusive
access not qemu. This requires new lock context.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: John Ferlan <jferlan@redhat.com>
2018-09-18 17:12:53 +02:00
Michal Privoznik
21c34b86be lock_driver_lockd: Introduce VIR_LOCK_SPACE_PROTOCOL_ACQUIRE_RESOURCE_METADATA flag
This flag causes virtlockd to use different offset when locking
the file.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: John Ferlan <jferlan@redhat.com>
2018-09-18 17:12:53 +02:00
Michal Privoznik
afd5a27575 virlockspace: Allow caller to specify start and length offset in virLockSpaceAcquireResource
So far the virLockSpaceAcquireResource() locks the first byte in
the underlying file. But caller might want to lock other range.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: John Ferlan <jferlan@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
2018-09-18 17:12:53 +02:00
Erik Skultety
b916a25e8a ctags: Generate tags for headers, i.e. function prototypes
From time to time it's handy to jump directly to a function prototype in
a header. However, generating tags for headers is disabled by default in
ctags, let's enable it by using --c-kinds=+p.

Signed-off-by: Erik Skultety <eskultet@redhat.com>
2018-09-18 14:21:33 +02:00
Andrea Bolognani
d52dd5911b tests: Follow up on qemucaps2xmldata rename
The directory has been renamed in 562990849a, but a
reference to it was not updated at the same time, causing
'make dist' to fail ever since. Fix it.

Signed-off-by: Andrea Bolognani <abologna@redhat.com>
2018-09-17 17:03:56 +02:00
Andrea Bolognani
2f8b91ee74 qemu: Don't check for /dev/kvm presence
The file being present doesn't necessarily mean anything these
days, as it's created independently of whether the kvm module
has been loaded[1]; moreover, we're already gathering all the
information we need through QMP, so poking the filesystem at
all is entirely unnecessary.

[1] https://github.com/systemd/systemd/commit/d35d6249d5a7ed3228

Signed-off-by: Andrea Bolognani <abologna@redhat.com>
Reviewed-by: Jiri Denemark <jdenemar@redhat.com>
2018-09-17 15:08:48 +02:00
Andrea Bolognani
c3be8bb423 qemu: Clarify QEMU_CAPS_KVM
This capability is documented as having one meaning (whether
KVM is enabled by default) but is actually assigned two other
meanings over its life: whether the query-kvm QMP command is
available at first, and later on whether KVM is usable / was
used during probing.

Since the query-kvm QMP command was available in 1.5.0, we
can avoid probing for it; additionally, we can simplify the
logic by setting the flag when it applies instead of initially
setting it and then clearing it when it doesn't.

The flag's description is also updated to reflect reality.

Signed-off-by: Andrea Bolognani <abologna@redhat.com>
Reviewed-by: Jiri Denemark <jdenemar@redhat.com>
2018-09-17 14:52:41 +02:00
Andrea Bolognani
55e5eb9478 qemu: Avoid probing non-native binaries all the time
A side effect of recent changes is that we would always try
to regenerate the capabilities cache for non-native QEMU
binaries based on /dev/kvm availability, which is of course
complete nonsense. Make sure that doesn't happen.

Signed-off-by: Andrea Bolognani <abologna@redhat.com>
Reviewed-by: Jiri Denemark <jdenemar@redhat.com>
2018-09-17 14:52:38 +02:00
Andrea Bolognani
88983855d5 qemu: Drop QEMU_CAPS_ENABLE_KVM
It was already available in 1.5.0.

Moreover, we're not even formatting it on the QEMU command
line, ever: we just use it as part of some logic that decides
whether KVM support should be advertised, and as it turns out
that logic is actually buggy and dropping this capability
fixes it.

https://bugzilla.redhat.com/show_bug.cgi?id=1628469

Signed-off-by: Andrea Bolognani <abologna@redhat.com>
Reviewed-by: Jiri Denemark <jdenemar@redhat.com>
2018-09-17 14:52:34 +02:00
Andrea Bolognani
a3676f3763 tests: Add more tests to qemucaps2xml
More specifically, everything that's tested by qemucapabilities
now goes through qemucaps2xml as well.

Ideally we'll rewrite both so that listing all test cases is
unnecessary and they get picked up automatically by listing the
contents of the input directory instead, but that's a refactor
for another day :)

Signed-off-by: Andrea Bolognani <abologna@redhat.com>
Reviewed-by: Jiri Denemark <jdenemar@redhat.com>
2018-09-17 14:52:31 +02:00
Andrea Bolognani
562990849a tests: Reuse qemucapabilities data for qemucaps2xml
While qemucaps2xml has a meager two test cases to its name, we
have plenty of data from qemucapabilities which is taken from
actual QEMU binaries, covers pretty much all supported QEMU
versions and architectures and is even in the right format already!

Rewrite qemucaps2xml so that it uses qemucapabilities data as
input. Right now we have a single test case, but we're going to
add a lot more next.

Signed-off-by: Andrea Bolognani <abologna@redhat.com>
Reviewed-by: Jiri Denemark <jdenemar@redhat.com>
2018-09-17 14:52:12 +02:00
Shi Lei
11e1f11dd3 syntax-check: Check for incorrect indentation in function body
This patch add syntax-check rule for incorrect indentation and blank
first line in function body by changing check-spacing.pl.
For efficiency, it only checks the first line of function body.
But it's enough for most cases.

Signed-off-by: Shi Lei <shi_lei@massclouds.com>
2018-09-17 13:29:01 +02:00
Shi Lei
eaa765ef6b tools: remove blank first line in function body
Signed-off-by: Shi Lei <shi_lei@massclouds.com>
2018-09-17 13:29:01 +02:00
Shi Lei
311a8097f9 tests: remove blank first line in function body
Signed-off-by: Shi Lei <shi_lei@massclouds.com>
2018-09-17 13:29:01 +02:00
Shi Lei
c9ed87a610 src: remove blank first line in function body
Signed-off-by: Shi Lei <shi_lei@massclouds.com>
2018-09-17 13:29:01 +02:00
Shi Lei
a618b06493 tests: fix incorrect indentation in function body by checking first line
Signed-off-by: Shi Lei <shi_lei@massclouds.com>
2018-09-17 13:29:01 +02:00
Shi Lei
ab9a145926 src: fix incorrect indentation in function body by checking first line
Signed-off-by: Shi Lei <shi_lei@massclouds.com>
2018-09-17 13:29:00 +02:00
Michal Privoznik
37131adada qemu_security: Run transactions more frequently
Now that committing transactions using pid == -1 means that we're
not fork()-ing to run the transaction in a specific namespace, we
can utilize the transaction processing semantics in order to
start, run a or multiple commands, and then commit the
transaction without being concerned with other interactions or
transactions interrupting the processing.  This will eventually
allow us to have a single place where all the paths can be
locked, followed by relabeling and unlocking again.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: John Ferlan <jferlan@redhat.com>
2018-09-17 10:58:17 +02:00
Michal Privoznik
d41c162177 virSecurityManagerTransactionCommit: Accept pid == -1
It will be desirable to run transactions more often than we
currently do. Even if the domain we're relabeling the paths for
does not run in a namespace. If that's the case, there is no need
to fork() as we are already running in the right namespace. To
differentiate whether transaction code should fork() or not the
@pid argument now accepts -1 (which means do not fork).

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: John Ferlan <jferlan@redhat.com>
2018-09-17 10:58:17 +02:00
Michal Privoznik
ccafaacd61 qemu_security: Require full wrappers for APIs that might touch a file
In the future, the transactions are not going to be optional and
they will be run regardless of domain using namespace to collect
list of paths to be relabeled.

To make sure there won't be an API that goes behind transaction
code back update the comment that serves as decision manual
whether an API must be fully implemented or plain #define is
sufficient.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: John Ferlan <jferlan@redhat.com>
2018-09-17 10:58:17 +02:00
Michal Privoznik
e2c23982dd qemu_security: Fully implement qemuSecurity{Set,Restore}SavedStateLabel
Even though the current use of the functions does not require full
implementation with transactions (none of the callers passes a path
somewhere under /dev), it doesn't hurt either. Moreover, in
future patches the paradigm is going to shift so that any API
that touches a file is required to use transactions.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: John Ferlan <jferlan@redhat.com>
2018-09-17 10:58:17 +02:00
Michal Privoznik
da24db2d30 qemu_security: Fully implement qemuSecurityDomainSetPathLabel
Even though the current use of the function does not require full
implementation with transactions (none of the callers pass a path
somewhere under /dev), it doesn't hurt either. Moreover, in
future patches the paradigm is going to shift so that any API
that touches a file is required to use transactions.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: John Ferlan <jferlan@redhat.com>
2018-09-17 10:58:17 +02:00
Andrea Bolognani
679895eb5d conf: Move more PCI functions out of device_conf
Functions that deal with virPCIDeviceAddress exclusively
belong to util/virpci.

Signed-off-by: Andrea Bolognani <abologna@redhat.com>
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
2018-09-17 09:23:04 +02:00
Jim Fehlig
16858439de news: Announce dropping support for Xen 4.4 and 4.5
Signed-off-by: Jim Fehlig <jfehlig@suse.com>
ACKed-by: Michal Privoznik <mprivozn@redhat.com>
2018-09-14 11:47:08 -06:00
Jim Fehlig
5bdcef13d1 libxl: drop support for Xen < 4.6
Currently the libxl driver claims support for Xen >= 4.4, but
Xen 4.4 and 4.5 are no longer supported upstream. Let's increase
the minimum supported Xen version to 4.6 and change the defined
LIBXL_API_VERSION to 0x040500, which is the API version defined
when Xen 4.6 was released.

Since Xen 4.6 contains a pkgconfig file, drop the now unused code
that falls back to using LIBVIRT_CHECK_LIB in the absence of
pkgconfig file. In addition, bumping the LIBXL_API_VERSION
required adjusting the calls to libxl_set_vcpuaffinity to account
for the extra parameter in the 0x040500 version of the API.

Signed-off-by: Jim Fehlig <jfehlig@suse.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
2018-09-14 11:47:08 -06:00
Lin Ma
317e3b2865 util: Return a virArpTablePtr when the nlmsghdr for loop is over
commit b00c9c39 removed the label end_of_netlink_messages and 'return
table' statement, It causes the function virArpTableGet doesn't return
a proper virArpTable pointer.

How to reproduce:
 # virsh domiflist sles12sp3
Interface  Type       Source     Model       MAC
-------------------------------------------------------
vnet0      network    default    virtio      52:54:00💿02:e6

 # virsh domifaddr sles12sp3 --source arp
error: Failed to query for interfaces addresses
error: An error occurred, but the cause is unknown

It seems that the "if (nh->nlmsg_type == NLMSG_DONE)" statement won't be
meted. So this patch adds 'return table' when the iterations of nlmsghdr
for loop is over.

Signed-off-by: Lin Ma <lma@suse.com>
Reviewed-by: Chen Hanxiao <chenhanxiao@gmail.com>
Reviewed-by: John Ferlan <jferlan@redhat.com>
2018-09-14 11:18:28 -04:00
Martin Kletzander
b49a3ad799 util: Add stubs for virDoes{User,Group}Exist() without getpwuid_r
Signed-off-by: Martin Kletzander <mkletzan@redhat.com>
2018-09-14 09:14:18 +02:00
Martin Kletzander
b907fd75fa qemu: Report less errors on driver startup
It is not a problem at all if the `tss` user/group does not exist, the code
fallbacks to the `root` user/group.  However we report a warning for no reason
on every start-up.  Fix this by checking if the user/group actually exists.

Signed-off-by: Martin Kletzander <mkletzan@redhat.com>
2018-09-13 16:19:25 +02:00
Martin Kletzander
b984bbcc0d Add functions for checking if user or group exists
Instead of duplicating the code from virGet{User,Group}IDByName(), which are
static anyway, extend those functions to accept NULL pointers for the result and
a boolean for controlling the error reporting.

Signed-off-by: Martin Kletzander <mkletzan@redhat.com>
2018-09-13 16:19:25 +02:00
Nikolay Shirokovskiy
d7bc6af648 qemu: keep websocketGenerated on libvirtd restarts
Otherwise after libvirtd restart we come back to issues fixed by
introducing this flag in [1].

[1] 61a0026a : qemu: Fix xml dump of autogenerated websocket

Signed-off-by: Nikolay Shirokovskiy <nshirokovskiy@virtuozzo.com>
Reviewed-by: John Ferlan <jferlan@redhat.com>
2018-09-13 14:06:04 +03:00
Nikolay Shirokovskiy
30f9a64cbd qemu: fix typo in vnc port releasing
Signed-off-by: Nikolay Shirokovskiy <nshirokovskiy@virtuozzo.com>
Reviewed-by: John Ferlan <jferlan@redhat.com>
2018-09-13 14:05:17 +03:00
Ján Tomko
51c02bd4f9 qemu: remove unnecessary virQEMUCapsFreeHostCPUModel
After removing the host CPU model re-computation,
this function is no longer necessary.

This reverts commits:
commit d0498881a0
  virQEMUCapsFreeHostCPUModel: Don't always free host cpuData
commit 5276ec712a
  testUpdateQEMUCaps: Don't leak host cpuData

Signed-off-by: Ján Tomko <jtomko@redhat.com>
2018-09-12 21:12:22 +02:00
Ján Tomko
4ed727a015 tests: turn skipLegacyCPUs into a flag
Make it obvious when it is used intentionally and error
out when used in combination with real capabilities.

Signed-off-by: Ján Tomko <jtomko@redhat.com>
2018-09-12 21:12:22 +02:00
Ján Tomko
c9e5be4e9c tests: do not mangle real qemu caps in xml2argvtest
None of the things testUpdateQEMUCaps adjusts are applicable
for tests that use the DO_TEST_CAPS macros, i.e.
real QEMU capabilities parsed from the XML files:

The architecture must be chosen before we even open the caps
file, CPU models are already present and the expensive HostModel
computation was already done in virQEMUCapsLoadCache.

Introduce FLAG_REAL_CAPS and skip the whole testUpdateQEMUCaps
function for DO_TEST_CAPS.

This speeds up the test by 25 %

Signed-off-by: Ján Tomko <jtomko@redhat.com>
2018-09-12 21:12:22 +02:00