The common messaging helpers will be reused in the new impl of the
virt-pki-validate tool.
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
Move the word 'Checking' into the appropriate formatting strings and
mark all outstanding ones for translation.
Resolves: https://gitlab.com/libvirt/libvirt/-/issues/637
Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
Error messages are exempt from the 80 columns rule. Move them
onto one line.
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Pavel Hrdina <phrdina@redhat.com>
Make sure that more users understand that without HW virtualization you cannot
have KVM working.
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2086677
Signed-off-by: Martin Kletzander <mkletzan@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
Historically, we declared pointer type to our types:
typedef struct _virXXX virXXX;
typedef virXXX *virXXXPtr;
But usefulness of such declaration is questionable, at best.
Unfortunately, we can't drop every such declaration - we have to
carry some over, because they are part of public API (e.g.
virDomainPtr). But for internal types - we can do drop them and
use what every other C project uses 'virXXX *'.
This change was generated by a very ugly shell script that
generated sed script which was then called over each file in the
repository. For the shell script refer to the cover letter:
https://listman.redhat.com/archives/libvir-list/2021-March/msg00537.html
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Peter Krempa <pkrempa@redhat.com>
After the split of virsh to multiple files, and the subsequent
split to vsh/virt-admin, there are quite a few leftovers.
Signed-off-by: Ján Tomko <jtomko@redhat.com>
Reviewed-by: Martin Kletzander <mkletzan@redhat.com>
Add checking in virt-host-validate for secure guest support
on s390 for IBM Secure Execution.
Signed-off-by: Boris Fiuczynski <fiuczy@linux.ibm.com>
Tested-by: Viktor Mihajlovski <mihajlov@linux.ibm.com>
Reviewed-by: Paulo de Rezende Pinatti <ppinatti@linux.ibm.com>
Reviewed-by: Bjoern Walk <bwalk@linux.ibm.com>
Reviewed-by: Erik Skultety <eskultet@redhat.com>
POWER hosts does not implement CPU virtualization extensions like
x86 or s390x. Instead, all bare-metal POWER hosts are considered
to be virtualization ready.
For POWER, the validation is done by checking if the virtualization
module kvm_hv is loaded in the host. If not, we should warn the
user about it.
Signed-off-by: Daniel Henrique Barboza <danielhb413@gmail.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
This removes code duplication and simplifies cgroup detection.
As a drawback we will not have separate messages to enable cgroup
controller in kernel or to mount it. On the other side the rewrite
adds support for cgroup v2.
The kernel config support was wrong because it was parsing
'/proc/self/cgroup' instead of '/proc/cgroups/' file.
The mount suggestion is removed as well because it will not work
with cgroup v2.
Signed-off-by: Pavel Hrdina <phrdina@redhat.com>
Cast away enum type in places where we don't wish to cover all cases.
Reviewed-by: John Ferlan <jferlan@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
Building with clang 3.8 triggers the following error:
CC virt_host_validate-virt-host-validate-qemu.o
virt-host-validate-qemu.c:36:11: error: initializing 'char *' with an expression of type 'const char *' discards qualifiers [-Werror,-Wincompatible-pointer-types-discards-qualifiers]
char *kvmhint = _("Check that CPU and firmware supports virtualization "
^ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
virt-host-validate-qemu.c:46:17: error: assigning to 'char *' from 'const char *' discards qualifiers [-Werror,-Wincompatible-pointer-types-discards-qualifiers]
kvmhint = _("Check that the 'kvm-intel' or 'kvm-amd' modules are "
^ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
2 errors generated.
Fix by using 'const' for kvmhint declaration.
ARM/Aarch64 /proc/cpuinfo has no virtualization related flags.
Refactor the Qemu/KVM test a bit:
1) run the "for hardware virtualization" test only on plaforms with known
cpuinfo flags (x86, s390)
2) test for /dev/kvm also on platforms where no cpu flags are set
Finally Add a more generic error hint message for non-x86 plaforms
when /dev/kvm is missing.
Signed-off-by: Riku Voipio <riku.voipio@linaro.org>
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
When virHostValidateCPUFlag returns NULL, that's more an unexpected
error than the sign of missing CPU flags. Let's react to this
appropriately.
Signed-off-by: Bjoern Walk <bwalk@linux.vnet.ibm.com>
Instead of relying on substring search, tokenize the input
and process each CPU flag separately. This ensures CPU flag
detection will continue to work correctly even if we start
looking for CPU flags whose name might appear as part of
other CPU flags' names.
The result of processing is stored in a virBitmap, which
means we don't have to parse /proc/cpuinfo in its entirety
for each single CPU flag we want to check.
Moreover, use of the newly-introduced virHostValidateCPUFlag
enumeration ensures we don't go looking for random CPU flags
which might actually be simple typos.
Since the introduction of virt-host-validate tool the set of
cgroup controllers we use has changed so the tool is checking for
some cgroups that we don't need (e.g. net_cls, although I doubt
we have ever used that one) and is not checking for those we
actually use (e.g. cpuset).
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
This looks for existance of DMAR (Intel) and IVRS (AMD)
files under /sys/firmware/acpi/tables/, as a sign that
the platform has IOMMU present & enabled in the BIOS.
If these are present and /sys/kernel/iommu_groups does
not contain any entries this is taken as a sign that
the kernel has not enabled the IOMMU currently.
If no ACPI tables are found we can't distinguish between
disabled in BIOS and not present in the hardware, so we
have to give the user a generic hint.
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
Extend the virt-host-validate checks to see if the required
cgroups are compiled into the kernel and that they are
mounted on the system. The cgroups are all optional except
for 3 that LXC mandates
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
Currently we just check that various devices are accessible.
This leads to inaccurate errors reported for /dev/kvm and
/dev/vhost-net if they exist but an unprivileged user lacks
access. Switch existing checks to look for file existance,
and add a separate check for accessibility of /dev/kvm
since some distros don't grant users access by default.
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
https://www.gnu.org/licenses/gpl-howto.html recommends that
the 'If not, see <url>.' phrase be a separate sentence.
* tests/securityselinuxhelper.c: Remove doubled line.
* tests/securityselinuxtest.c: Likewise.
* globally: s/; If/. If/
Per the FSF address could be changed from time to time, and GNU
recommends the following now: (http://www.gnu.org/licenses/gpl-howto.html)
You should have received a copy of the GNU General Public License
along with Foobar. If not, see <http://www.gnu.org/licenses/>.
This patch removes the explicit FSF address, and uses above instead
(of course, with inserting 'Lesser' before 'General').
Except a bunch of files for security driver, all others are changed
automatically, the copyright for securify files are not complete,
that's why to do it manually:
src/security/security_selinux.h
src/security/security_driver.h
src/security/security_selinux.c
src/security/security_apparmor.h
src/security/security_apparmor.c
src/security/security_driver.c
To assist people in verifying that their host is operating in an
optimal manner, provide a 'virt-host-validate' command. For each
type of hypervisor, it will check any pre-requisites, or other
good recommendations and report what's working & what is not.
eg
# virt-host-validate
QEMU: Checking for device /dev/kvm : FAIL (Check that the 'kvm-intel' or 'kvm-amd' modules are loaded & the BIOS has enabled virtualization)
QEMU: Checking for device /dev/vhost : WARN (Load the 'vhost_net' module to improve performance of virtio networking)
QEMU: Checking for device /dev/net/tun : PASS
LXC: Checking for Linux >= 2.6.26 : PASS
This warns people if they have vmx/svm, but don't have /dev/kvm. It
also warns about missing /dev/vhost net.