Commit Graph

364 Commits

Author SHA1 Message Date
Mark McLoughlin
3b3305d859 remove all traces of lokkit support
Long ago we tried to use Fedora's lokkit utility in order to register
our iptables rules so that 'service iptables restart' would
automatically load our rules.

There was one fatal flaw - if the user had configured iptables without
lokkit, then we would clobber that configuration by running lokkit.

We quickly disabled lokkit support, but never removed it. Let's do
that now.

The 'my virtual network stops working when I restart iptables' still
remains. For all the background on this saga, see:

  https://bugzilla.redhat.com/227011

* src/util/iptables.c: remove lokkit support

* configure.in: remove --enable-lokkit

* libvirt.spec.in: remove the dirs used only for saving rules for lokkit

* src/Makefile.am: ditto

* src/libvirt_private.syms, src/network/bridge_driver.c,
  src/util/iptables.h: remove references to iptablesSaveRules
2009-12-10 11:27:17 +00:00
Mark McLoughlin
534664c372 reload iptables rules on libvirtd restart
This is the expected behaviour, I think - reloading libvirtd should
be a subset of restarting it.

Note, we reload the rules after we've determined which networks
are active (because we only add the rules for active networks)
and before we start autostart networks (to avoid re-adding the
rules).

* src/network/bridge_driver.c: reload iptables rules on startup
2009-12-10 11:27:17 +00:00
Mark McLoughlin
98895e9386 reload iptables rules simply by re-adding them
Currently, when we add iptables rules, we keep them on a list so that
we can easily reload them on e.g. 'service libvirtd reload'.

However, we don't save this list to disk, so if libvirtd is restarted
we lose the ability to reload the rules.

The fix is simple - just re-add the damn things on reload.

Note, we delete the rules before re-adding them, just like the current
behaviour of iptRulesReload().

* src/network/bridge_driver.c: re-add the iptables rules on reload.
2009-12-10 11:27:17 +00:00
Guido Günther
91f9157e5b only remove masquerade roles for VIR_NETWORK_FORWARD_NAT
Fixes http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=549949
2009-11-16 13:32:00 +01:00
Daniel P. Berrange
cabc2cc98f Implmentation of new APIs to checking state/persistence of objects
This implements the virConnectIsSecure, virConnectIsEncrypted,
virDomainIsPersistent, virDomainIsActive, virNetworkIsActive,
virNetworkIsPersistent, virStoragePoolIsActive,
virStoragePoolIsPersistent, virInterfaceIsActive APIs in
(nearly) all drivers. Exceptions are:

 phyp: missing domainIsActive/Persistent
 esx: missing domainIsPersistent
 opennebula: missing domainIsActive/Persistent

* src/remote/remote_protocol.x: Define remote wire ABI for newly
  added APIs.
* daemon/remote_dispatch*.h: Re-generated from remote_protocol.x
* src/esx/esx_driver.c, src/lxc/lxc_driver.c, src/network/bridge_driver.c,
  src/opennebula/one_driver.c, src/openvz/openvz_conf.c,
  src/openvz/openvz_driver.c, src/phyp/phyp_driver.c,
  src/remote/remote_driver.c, src/storage/storage_driver.c,
  src/test/test_driver.c, src/uml/uml_driver.c, src/vbox/vbox_tmpl.c,
  src/xen/xen_driver.c, src/xen/xen_driver.h, src/xen/xen_inotify.c,
  src/xen/xen_inotify.h: Implement all the new APIs where possible
2009-11-10 17:00:27 +00:00
Daniel P. Berrange
c04498b305 New APIs for checking some object properties
Introduce a number of new APIs to  expose some boolean properties
of objects, which cannot otherwise reliably determined, nor are
aspects of the XML configuration.

 * virDomainIsActive: Checking virDomainGetID is not reliable
   since it is not possible to distinguish between error condition
   and inactive domain for ID of -1.
 * virDomainIsPersistent: Check whether a persistent config exists
   for the domain

 * virNetworkIsActive: Check whether the network is active
 * virNetworkIsPersistent: Check whether a persistent config exists
   for the network

 * virStoragePoolIsActive: Check whether the storage pool is active
 * virStoragePoolIsPersistent: Check whether a persistent config exists
   for the storage pool

 * virInterfaceIsActive: Check whether the host interface is active

 * virConnectIsSecure: whether the communication channel to the
   hypervisor is secure
 * virConnectIsEncrypted: whether any network based commnunication
   channels are encrypted

NB, a channel can be secure, even if not encrypted, eg if it does
not involve the network, like a UNIX socket, or pipe.

 * include/libvirt/libvirt.h.in: Define public API
 * src/driver.h: Define internal driver API
 * src/libvirt.c: Implement public API entry point
 * src/libvirt_public.syms: Export API symbols
 * src/esx/esx_driver.c, src/lxc/lxc_driver.c,
   src/interface/netcf_driver.c, src/network/bridge_driver.c,
   src/opennebula/one_driver.c, src/openvz/openvz_driver.c,
   src/phyp/phyp_driver.c, src/qemu/qemu_driver.c,
   src/remote/remote_driver.c, src/test/test_driver.c,
   src/uml/uml_driver.c, src/vbox/vbox_tmpl.c,
   src/xen/xen_driver.c: Stub out driver tables
2009-11-10 17:00:26 +00:00
Daniel Veillard
f0006d9792 524280 pass max lease option to dnsmasq
* src/network/bridge_driver.c: when exec'ing dnsmaq, if there are
  DHCP ranges defined, then compute and pass the --dhcp-lease-max
  deriving the maximum number of leases
2009-11-06 18:07:24 +01:00
Daniel P. Berrange
979218cdd9 Fix return value in virStateInitialize impl for LXC
The LXC driver was mistakenly returning -1 for lxcStartup()
in scenarios that are not an error. This caused the libvirtd
to quit for unprivileged users. This fixes the return code
of LXC driver, and also adds a "name" field to the virStateDriver
struct and logging to make it easier to find these problems
in the future

* src/driver.h: Add a 'name' field to state driver to allow
  easy identification during failures
* src/libvirt.c: Log name of failed driver for virStateInit
  failures
* src/lxc/lxc_driver.c: Don't return a failure code for
  lxcStartup() if LXC is not available on this host, simply
  disable the driver.
* src/network/bridge_driver.c, src/node_device/node_device_devkit.c,
  src/node_device/node_device_hal.c, src/opennebula/one_driver.c,
  src/qemu/qemu_driver.c, src/remote/remote_driver.c,
  src/secret/secret_driver.c, src/storage/storage_driver.c,
  src/uml/uml_driver.c, src/xen/xen_driver.c: Fill in name
  field in virStateDriver struct
2009-11-02 18:20:14 -05:00
Daniel P. Berrange
fc8d199188 Rename internal APis
Rename virDomainIsActive to virDomainObjIsActive, and
virInterfaceIsActive to virInterfaceObjIsActive and finally
virNetworkIsActive to virNetworkObjIsActive.

* src/conf/domain_conf.c, src/conf/domain_conf.h,
  src/conf/interface_conf.h, src/conf/network_conf.c,
  src/conf/network_conf.h, src/lxc/lxc_driver.c,
  src/network/bridge_driver.c, src/opennebula/one_driver.c,
  src/openvz/openvz_driver.c, src/qemu/qemu_driver.c,
  src/test/test_driver.c, src/uml/uml_driver.c: Update for
  renamed APIs.
2009-11-02 11:58:55 -05:00
Daniel P. Berrange
46992453b9 Annotate many methods with ATTRIBUTE_RETURN_CHECK & fix problems
Nearly all of the methods in src/util/util.h have error codes that
must be checked by the caller to correct detect & report failure.
Add ATTRIBUTE_RETURN_CHECK to ensure compile time validation of
this

* daemon/libvirtd.c: Add explicit check on return value of virAsprintf
* src/conf/domain_conf.c: Add missing check on virParseMacAddr return
  value status & report error
* src/network/bridge_driver.c: Add missing OOM check on virAsprintf
  and report error
* src/qemu/qemu_conf.c: Add missing check on virParseMacAddr return
  value status & report error
* src/security/security_selinux.c: Remove call to virRandomInitialize
  that's done in libvirt.c already
* src/storage/storage_backend_logical.c: Add check & log on virRun
  return status
* src/util/util.c: Add missing checks on virAsprintf/Run status
* src/util/util.h: Annotate all methods with ATTRIBUTE_RETURN_CHECK
  if they return an error status code
* src/vbox/vbox_tmpl.c: Add missing check on virParseMacAddr
* src/xen/xm_internal.c: Add missing checks on virAsprintf
* tests/qemuargv2xmltest.c: Remove bogus call to virRandomInitialize()
2009-11-02 11:09:03 -05:00
Paolo Bonzini
936565c701 Add support for an external TFTP boot server
This patch adds an optional attribute to the <bootp> tag, that
allows to specify a TFTP server address other than the address of
the DHCP server itself.

This can be used to forward the BOOTP settings of the host down to the
guest.  This is something that configurations such as Xen's default
network achieve naturally, but must be done manually for NAT.

* docs/formatnetwork.html.in: Document new attribute.
* docs/schemas/network.rng: Add it to schema.
* src/conf/network_conf.h: Add it to struct.
* src/conf/network_conf.c: Add it to parser and pretty printer.
* src/network/bridge_driver.c: Put it in the dnsmasq command line.
* tests/networkxml2xmlin/netboot-proxy-network.xml
  tests/networkxml2xmlout/netboot-proxy-network.xml
  tests/networkxml2xmltest.c: add new tests
2009-10-28 15:57:49 +01:00
Paolo Bonzini
738ee810b4 network: add 'bootp' and 'tftp' config
Currently, libvirtd will start a dnsmasq process for the virtual
network, but (aside from killing the dnsmasq process and replacing it),
there's no way to define tftp boot options.

This change introduces the appropriate tags to the dhcp configuration:

 <network>
   <name>default</name>
   <bridge name="virbr%d" />
   <forward/>
   <ip address="192.168.122.1" netmask="255.255.255.0">
     <tftp root="/var/lib/tftproot" />
     <dhcp>
       <range start="192.168.122.2" end="192.168.122.254" />
       <bootp file="pxeboot.img"/>
     </dhcp>
   </ip>
 </network>

When the attributes are present, these are passed to the
arguments to dnsmasq:

 dnsmasq [...] --enable-tftp --tftp-root /srv/tftp --dhcp-boot pxeboot.img
               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ ^^^^^^^^^^^^^^^^^^^^^^^
                      from <tftp />                     from <bootp />

At present, only local tftp servers are supported (ie, dnsmasq runs as
the tftp server), but we could improve this in future by adding a
server= attribute.

Signed-off-by: Jeremy Kerr <jk@ozlabs.org>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

2009-09-21  Paolo Bonzini  <pbonzini@redhat.com>
            Jeremy Kerr  <jk@ozlabs.org>

	* docs/formatnetwork.html.in: Document new tags.
	* docs/formatnetwork.html: Regenerate.
	* docs/schemas/network.rng: Update.
	* src/network_conf.c (virNetworkDefFree): Free new fields.
	(virNetworkDHCPRangeDefParseXML): Parse <bootp>.
	(virNetworkIPParseXML): New, parsing <dhcp> and <tftp>.
	(virNetworkDefParseXML): Use virNetworkIPParseXML instead of
	virNetworkDHCPRangeDefParseXML.
	(virNetworkDefFormat): Pretty print new fields.
	* src/network_conf.h (struct _virNetworkDef): Add netboot fields.
	* src/network_driver.c (networkBuildDnsmasqArgv): Add
	TFTP and BOOTP arguments.

	* tests/Makefile.am (EXTRA_DIST): Add networkschemadata.
	* tests/networkschematest: Look in networkschemadata.
	* tests/networkschemadata/netboot-network.xml: New.
2009-09-23 09:47:10 +02:00
Daniel P. Berrange
ec171c529a Move config files to align with driver sources
* daemon/default-network.xml: Move to src/network/default.xml
* daemon/libvirtd_qemu.aug, daemon/test_libvirtd_qemu.aug: Move
  to src/qemu/
* src/qemu.conf: Move to src/qemu/qemu.conf
* daemon/Makefile.am: Remove rules for default-nmetwork.xml and
  libvirtd_qemu.aug and test_libvirtd_qemu.aug. Fix typo in
  uninstall-local that would install polkit again.
* src/Makefile.am: Add rules for installing network/default.xml
  and the qemu/*.aug files. Add test case for QEMU augeas files.
  Add uninstall-local rule for files/directories created during
  install. Rename install-exec-local to install-data-local.
  Only install qemu.conf if WITH_QEMU is set.
* tests/networkschematest: Update for XML location move
2009-09-21 14:41:45 +01:00
Daniel P. Berrange
acfe3f2664 Move network driver into src/network
* daemon/qemud.c, src/Makefile.am: Adapt for changed paths
* src/network_driver.c: Rename to src/network/bridge_driver.c
* src/network_driver.h: Rename to src/network/bridge_driver.h
2009-09-21 14:41:44 +01:00