Commit Graph

5189 Commits

Author SHA1 Message Date
Daniel P. Berrange
021251bd7d Remove inappropriate use of VIR_ERR_NO_SUPPORT
The VIR_ERR_NO_SUPPORT refers to an API which is not implemented.
There is a separate VIR_ERR_CONFIG_UNSUPPORTED for XML config
options that are not available with the current hypervisor.

* src/qemu/qemu_conf.c, src/qemu/qemu_driver.c: Remove
  many VIR_ERR_NO_SUPPORT replace with VIR_ERR_CONFIG_UNSUPPORTED
2010-07-21 11:30:26 +01:00
Chris Lalancette
cd35e8927f Fix a NULL dereference in the case that the arg in question
didn't exist.

Signed-off-by: Chris Lalancette <clalance@redhat.com>
2010-07-20 12:51:12 -04:00
Daniel P. Berrange
4d13418890 Remove bogus free of static strings
Remove bogus free of statically allocated strings introduced
in 03ca42046a

* src/conf/capabilities.c: Don't free static strings for
  default disk driver type/name
2010-07-20 17:09:41 +01:00
Chris Lalancette
f0c8e1cb37 Fix a deadlock in bi-directional p2p concurrent migration.
If you try to execute two concurrent migrations p2p
from A->B and B->A, the two libvirtd's will deadlock
trying to perform the migrations.  The reason for this is
that in p2p migration, the libvirtd's are responsible for
making the RPC Prepare, Migrate, and Finish calls.  However,
they are currently holding the driver lock while doing so,
which basically guarantees deadlock in this scenario.

This patch fixes the situation by adding
qemuDomainObjEnterRemoteWithDriver and
qemuDomainObjExitRemoteWithDriver helper methods.  The Enter
takes an additional object reference, then drops both the
domain object lock and the driver lock.  The Exit takes
both the driver and domain object lock, then drops the
reference.  Adding calls to these Enter and Exit helpers
around remote calls in the various migration methods
seems to fix the problem for me in testing.

This should make the situation safe. The additional domain
object reference ensures that the domain object won't disappear
while this operation is happening.  The BeginJob that is called
inside of qemudDomainMigratePerform ensures that we can't execute a
second migrate (or shutdown, or save, etc) job while the
migration is active.  Finally, the additional check on the state
of the vm after we reacquire the locks ensures that we can't
be surprised by an external event (domain crash, etc).

Signed-off-by: Chris Lalancette <clalance@redhat.com>
2010-07-20 09:52:52 -04:00
Chris Lalancette
963a5b7a08 Make virsh setmaxmem balloon only when successful.
After playing around with virsh setmaxmem for a bit,
I ran into some surprising behavior; if a hypervisor does
not support the virDomainSetMaxMemory() API, but the value
specified for setmaxmem is less than the current amount
of memory in the domain, the domain would be ballooned
down *before* an error was reported.

To make this more consistent, run virDomainSetMaxMemory()
before trying to shrink; that way, if an error is thrown,
no changes to the running domain are made.

Signed-off-by: Chris Lalancette <clalance@redhat.com>
2010-07-20 09:44:14 -04:00
Chris Lalancette
4af1817d1d Use unsigned long in cmdSetmem.
The virsh command "setmem" takes as input a number that
should represent an unsigned long number of kilobytes.  Fix
cmdSetmem to properly parse this as an unsigned long instead
of an int.

Signed-off-by: Chris Lalancette <clalance@redhat.com>
2010-07-20 09:35:29 -04:00
Laine Stump
e0f26c46ae fsync new storage volumes even if new volume was copied.
Originally the storage volume files were opened with O_DSYNC to make
sure they were flushed to disk immediately. It turned out that this
was extremely slow in some cases, so the O_DSYNC was removed in favor
of just calling fsync() after all the data had been written. However,
this call to fsync was inside the block that is executed to zero-fill
the end of the volume file. In cases where the new volume is copied
from an old volume, and they are the same length, this fsync would
never take place.

Now the fsync is *always* done, unless there is an error (in which
case it isn't important, and is most likely inappropriate).
2010-07-19 21:01:28 -04:00
Laine Stump
35bebb5782 Don't skip zero'ing end of volume file when inputvol is shorter than newvol
A missing set of braces around an error condition caused us to skip
zero'ing out the remainder of a new volume file if the new volume was
longer than the original (the goto was supposed to be taken only in
the case of error, but was always being taken).
2010-07-19 21:01:12 -04:00
Chris Lalancette
4487d33f67 Always clear out the last_error in virshReportError.
Otherwise you can get bogus "unknown error" printouts on
subsequent commands.

Signed-off-by: Chris Lalancette <clalance@redhat.com>
2010-07-19 14:56:29 -04:00
Chris Lalancette
0cdff7b5e7 Fix up inconsistent virsh option error reporting.
The virsh option error reporting was not being used
consistently; some commands would spit out errors on
missing required options while others would just silently fail.
However, vshCommandOptString knows which ones are required
and which ones aren't, so make it spit out an error where
appropriate.  The rest of the patch is just cleaning up
the uses of vshCommandOptString to deal with the new error
reporting.

Signed-off-by: Chris Lalancette <clalance@redhat.com>
2010-07-19 14:51:00 -04:00
Daniel P. Berrange
187da82fea Use the extract backing store format in storage volume lookup
The storage volume lookup code was probing for the backing store
format, instead of using the format extracted from the file
itself. This meant it could report inaccurate information. If
a format is included in the file, then use that in preference,
with probing as a fallback.

* src/storage/storage_backend_fs.c: Use extracted backing store
  format
2010-07-19 18:25:14 +01:00
Daniel P. Berrange
27f45438c8 Rewrite qemu-img backing store format handling
When creating qcow2 files with a backing store, it is important
to set an explicit format to prevent QEMU probing. The storage
backend was only doing this if it found a 'kvm-img' binary. This
is wrong because plenty of kvm-img binaries don't support an
explicit format, and plenty of 'qemu-img' binaries do support
a format. The result was that most qcow2 files were not getting
a backing store format.

This patch runs 'qemu-img -h' to check for the two supported
argument formats

  '-o backing_format=raw'
  '-F raw'

and uses whichever option it finds

* src/storage/storage_backend.c: Query binary to determine
  how to set the backing store format
2010-07-19 18:25:14 +01:00
Daniel P. Berrange
03ca42046a Add ability to set a default driver name/type when parsing disks
Record a default driver name/type in capabilities struct. Use this
when parsing disks if value is not set in XML config.

* src/conf/capabilities.h: Record default driver name/type for disks
* src/conf/domain_conf.c: Fallback to default driver name/type
  when parsing disks
* src/qemu/qemu_driver.c: Set default driver name/type to raw
2010-07-19 18:25:14 +01:00
Daniel P. Berrange
68719c4bdd Disable all disk probing in QEMU driver & add config option to re-enable
Disk format probing is now disabled by default. A new config
option in /etc/qemu/qemu.conf will re-enable it for existing
deployments where this causes trouble
2010-07-19 18:25:13 +01:00
Daniel P. Berrange
f70e080962 Pass security driver object into all security driver callbacks
The implementation of security driver callbacks often needs
to access the security driver object. Currently only a handful
of callbacks include the driver object as a parameter. Later
patches require this in many more places.

* src/qemu/qemu_driver.c: Pass in the security driver object
  to all callbacks
* src/qemu/qemu_security_dac.c, src/qemu/qemu_security_stacked.c,
  src/security/security_apparmor.c, src/security/security_driver.h,
  src/security/security_selinux.c: Add a virSecurityDriverPtr
  param to all security callbacks
2010-07-19 18:25:13 +01:00
Daniel P. Berrange
a885334499 Convert all disk backing store loops to shared helper API
Update the QEMU cgroups code, QEMU DAC security driver, SELinux
and AppArmor security drivers over to use the shared helper API
virDomainDiskDefForeachPath().

* src/qemu/qemu_driver.c, src/qemu/qemu_security_dac.c,
  src/security/security_selinux.c, src/security/virt-aa-helper.c:
  Convert over to use virDomainDiskDefForeachPath()
2010-07-19 18:25:13 +01:00
Daniel P. Berrange
9d0a630f51 Add an API for iterating over disk paths
There is duplicated code which iterates over disk backing stores
performing some action. Provide a convenient helper for doing
this to eliminate duplication & risk of mistakes with disk format
probing

* src/conf/domain_conf.c, src/conf/domain_conf.h,
  src/libvirt_private.syms: Add virDomainDiskDefForeachPath()
2010-07-19 18:25:13 +01:00
Daniel P. Berrange
bf80fc68ca Require format to be passed into virStorageFileGetMetadata
Require the disk image to be passed into virStorageFileGetMetadata.
If this is set to VIR_STORAGE_FILE_AUTO, then the format will be
resolved using probing. This makes it easier to control when
probing will be used

* src/qemu/qemu_driver.c, src/qemu/qemu_security_dac.c,
  src/security/security_selinux.c, src/security/virt-aa-helper.c:
  Set VIR_STORAGE_FILE_AUTO when calling virStorageFileGetMetadata.
* src/storage/storage_backend_fs.c: Probe for disk format before
  calling virStorageFileGetMetadata.
* src/util/storage_file.h, src/util/storage_file.c: Remove format
  from virStorageFileMeta struct & require it to be passed into
  method.
2010-07-19 18:25:04 +01:00
Daniel P. Berrange
c70cb0f49b Refactor virStorageFileGetMetadataFromFD to separate functionality
The virStorageFileGetMetadataFromFD did two jobs in one. First
it probed for storage type, then it extracted metadata for the
type. It is desirable to be able to separate these jobs, allowing
probing without querying metadata, and querying metadata without
probing.

To prepare for this, split out probing code into a new pair of
methods

  virStorageFileProbeFormatFromFD
  virStorageFileProbeFormat

* src/util/storage_file.c, src/util/storage_file.h,
  src/libvirt_private.syms: Introduce virStorageFileProbeFormat
  and virStorageFileProbeFormatFromFD
2010-07-19 16:29:07 +01:00
Daniel P. Berrange
779b6ea7c4 Remove 'type' field from FileTypeInfo struct
Instead of including a field in FileTypeInfo struct for the
disk format, rely on the array index matching the format.
Use verify() to assert the correct number of elements in the
array.

* src/util/storage_file.c: remove type field from FileTypeInfo
2010-07-19 15:51:02 +01:00
Daniel P. Berrange
a93402d48b Extract the backing store format as well as name, if available
When QEMU opens a backing store for a QCow2 file, it will
normally auto-probe for the format of the backing store,
rather than assuming it has the same format as the referencing
file. There is a QCow2 extension that allows an explicit format
for the backing store to be embedded in the referencing file.
This closes the auto-probing security hole in QEMU.

This backing store format can be useful for libvirt users
of virStorageFileGetMetadata, so extract this data and report
it.

QEMU does not require disk image backing store files to be in
the same format the file linkee. It will auto-probe the disk
format for the backing store when opening it. If the backing
store was intended to be a raw file this could be a security
hole, because a guest may have written data into its disk that
then makes the backing store look like a qcow2 file. If it can
trick QEMU into thinking the raw file is a qcow2 file, it can
access arbitrary files on the host by adding further backing
store links.

To address this, callers of virStorageFileGetMeta need to be
told of the backing store format. If no format is declared,
they can make a decision whether to allow format probing or
not.
2010-07-19 15:51:02 +01:00
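Added example, not libvirt's code: a minimal C reader for the qcow2 header that looks for the backing-format header extension the commit above describes, so a caller can tell a declared backing format from one that would have to be probed. The field offsets and the extension type 0xE2792ACA follow the qcow2 specification; the function names and the sample header are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define QCOW2_MAGIC        0x514649fbU  /* "QFI\xfb" */
#define EXT_BACKING_FORMAT 0xE2792ACAU  /* header extension: backing file format name */

static uint32_t be32(const unsigned char *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}
static void put32(unsigned char *p, uint32_t v) {
    p[0] = (unsigned char)(v >> 24); p[1] = (unsigned char)(v >> 16);
    p[2] = (unsigned char)(v >> 8);  p[3] = (unsigned char)v;
}

/* Returns 1 and fills fmt when the header declares a backing format, 0 when it
 * declares none (the caller must then decide whether probing is allowed), and
 * -1 when buf is not a well-formed qcow2 v2/v3 header. (Hypothetical helper.) */
int qcow2_backing_format(const unsigned char *buf, size_t len, char *fmt, size_t fmtlen)
{
    if (len < 72 || be32(buf) != QCOW2_MAGIC) return -1;
    uint32_t version = be32(buf + 4);
    uint64_t backing_off = ((uint64_t)be32(buf + 8) << 32) | be32(buf + 12);
    size_t off = 72, end = len;            /* v2: fixed 72-byte header */
    if (version == 3) {
        if (len < 104) return -1;
        off = be32(buf + 100);             /* v3: header_length field */
        if (off < 104 || off > len) return -1;
    } else if (version != 2) {
        return -1;
    }
    if (backing_off != 0) {                /* extensions stop at the backing file name */
        if (backing_off < off) return -1;
        if (backing_off < len) end = (size_t)backing_off;
    }
    while (off <= end && end - off >= 8) {
        uint32_t type = be32(buf + off), elen = be32(buf + off + 4);
        off += 8;
        if (type == 0) break;              /* end-of-extensions marker */
        if (elen > end - off) return -1;   /* extension overruns its area */
        if (type == EXT_BACKING_FORMAT) {
            if (elen == 0 || elen >= fmtlen) return -1;
            memcpy(fmt, buf + off, elen);
            fmt[elen] = '\0';
            return 1;
        }
        off += ((size_t)elen + 7) & ~(size_t)7;  /* data is padded to 8 bytes */
    }
    return 0;
}

/* Constructed sample: v2 header with backing file "base.img", optionally with
 * the backing-format extension set to "raw". buf must hold 128 bytes. */
size_t build_sample(unsigned char *buf, int with_format)
{
    static const char name[] = "base.img";
    size_t off = 72;
    memset(buf, 0, 128);
    put32(buf, QCOW2_MAGIC);
    put32(buf + 4, 2);
    if (with_format) {
        put32(buf + off, EXT_BACKING_FORMAT);
        put32(buf + off + 4, 3);
        memcpy(buf + off + 8, "raw", 3);
        off += 16;                         /* 8-byte ext header + 3 bytes padded to 8 */
    }
    off += 8;                              /* zeroed end-of-extensions marker */
    put32(buf + 12, (uint32_t)off);        /* low half of backing_file_offset */
    put32(buf + 16, (uint32_t)strlen(name));
    memcpy(buf + off, name, strlen(name));
    return off + strlen(name);
}
```

A return of 0 is the case the commit message is about: the image names a backing file but not its format, so the consumer has to choose between probing and refusing.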
Daniel P. Berrange
c567853089 CVE-2010-2242 Apply a source port mapping to virtual network masquerading
IPtables will seek to preserve the source port unchanged when
doing masquerading, if possible. NFS has a pseudo-security
option where it checks for the source port <= 1023 before
allowing a mount request. If an admin has used this to make the
host OS trusted for mounts, the default iptables behaviour will
potentially allow NAT'd guests access too. This needs to be
stopped.

With this change, the iptables -t nat -L -n -v rules for the
default network will be

Chain POSTROUTING (policy ACCEPT 95 packets, 9163 bytes)
 pkts bytes target     prot opt in     out     source               destination
   14   840 MASQUERADE  tcp  --  *      *       192.168.122.0/24    !192.168.122.0/24    masq ports: 1024-65535
   75  5752 MASQUERADE  udp  --  *      *       192.168.122.0/24    !192.168.122.0/24    masq ports: 1024-65535
    0     0 MASQUERADE  all  --  *      *       192.168.122.0/24    !192.168.122.0/24

* src/network/bridge_driver.c: Add masquerade rules for TCP
  and UDP protocols
* src/util/iptables.c, src/util/iptables.c: Add source port
  mappings for TCP & UDP protocols when masquerading.
2010-07-19 15:50:27 +01:00
Justin Clift
de7d4c6ae7 man pages: update authors and copyright notice for libvirtd and virsh
This patch removes the individual author names from the libvirtd and virsh
man pages, instead referring to the main AUTHORS file distributed with
libvirt.  This approach is needed, as we can't guarantee unicode support
across all versions of pod2man used with libvirt.

Additionally, this patch includes the libvirtd man page in the spec file
used with "make rpm".  Without this patch "make rpm" is broken.
2010-07-17 04:51:01 +10:00
Chris Lalancette
ee41ba665b Fix compile on i686.
When printing out size_t, we need to use %zu to make sure it
will continue to compile on both 32-bit and 64-bit platforms.

Signed-off-by: Chris Lalancette <clalance@redhat.com>
2010-07-16 09:14:53 -04:00
Chris Lalancette
ac475b9f83 Remove unused and bitrotting vshCommandOptStringList
Signed-off-by: Chris Lalancette <clalance@redhat.com>
2010-07-16 09:07:21 -04:00
Chris Lalancette
9aa236e19f Remove error checking after using vshMalloc.
vshMalloc and friends always exit() on allocation failure,
so there is no reason to do checking for NULL in the code
that uses it.

Signed-off-by: Chris Lalancette <clalance@redhat.com>
2010-07-16 09:07:00 -04:00
Chris Lalancette
de6380726b Remove the "showerror" parameter from vshConnectionUsability.
Nobody was using it anyway.

Signed-off-by: Chris Lalancette <clalance@redhat.com>
2010-07-16 09:06:43 -04:00
David Allan
ae3275c0bb RFC: Canonicalize block device paths
There are many naming conventions for partitions associated with a
block device.  Some of the major ones are:

/dev/foo -> /dev/foo1
/dev/foo1 -> /dev/foo1p1
/dev/mapper/foo -> /dev/mapper/foop1
/dev/disk/by-path/foo -> /dev/disk/by-path/foo-part1

The universe of possible conventions isn't clear.  Rather than trying
to understand all possible conventions, this patch divides devices
into two groups, device mapper devices and everything else.  Device
mapper devices seem always to follow the convention of device ->
devicep1; everything else is canonicalized.
2010-07-15 12:57:01 -04:00
Ryota Ozaki
a3fc67a12c daemon: dispatch.c should include stdio.h (and stdarg.h)
dispatch.c requires stdio.h (and stdarg.h), however, currently
dispatch.c implicitly relies on rpc/xdr.h to include stdio.h.
If rpc/xdr.h unexpectedly does not include stdio.h, the compilation
of dispatch.c fails.

This can happen, for example, when portablexdr is installed
under /usr/local; because portablexdr's rpc/xdr.h does not
include stdio.h and gcc looks it up, not /usr/include/rpc/xdr.h.

Note that stdarg.h is also included according to man va_start,
although stdio.h seems to include it anyway.
2010-07-15 09:27:47 +02:00
Jim Meyering
60ef6d6322 uml_driver: correct logic error in umlMonitorCommand
* src/uml/uml_driver.c (umlMonitorCommand): Correct flaw that would
cause unconditional "incomplete reply ..." failure, since "nbytes"
was always 0 or 1.
2010-07-14 12:42:59 -05:00
Jim Meyering
c1fd7d7b3e qemuConnectMonitor: fix a bug that would have masked SELinux failure
* src/qemu/qemu_driver.c (qemuConnectMonitor): Correct erroneous
parenthesization in two expressions.  Without this fix, failure
to set or clear SELinux security context in the monitor would go
undiagnosed.  Also correct a diagnostic and split some long lines.
2010-07-14 12:42:59 -05:00
Cole Robinson
f9abc44ad5 python: Fix IOErrorReasonCallback bindings
A copy and paste error was causing us to dispatch the incorrect
routine. Spotted by Dan Kenigsberg.
2010-07-14 10:52:18 -04:00
Cole Robinson
f1f8bec486 .gitignore: Ignore generated libvirtd docs
2010-07-13 18:10:49 -04:00
Matthias Bolte
8aa08ea873 esx: Make esxVI_*_Deserialize dynamically dispatched
This will be used to deserialize the response from a call
to esxVI_SearchDatastore_Task properly.
2010-07-13 18:44:14 +02:00
Matthias Bolte
9af989fabc Add openauth example to demonstrate a custom auth callback
2010-07-13 13:50:27 +02:00
Laine Stump
73b9dfeb31 Eliminate compiler warning due to gettext string with no format args
2010-07-12 23:35:43 -04:00
Justin Clift
7327604177 docs: fix so generated .html files are removed with make clean
2010-07-13 05:34:25 +10:00
Jiri Denemark
f5055f2310 cpuCompare: Fix crash on unexpected CPU XML
When comparing a CPU without <model> element, such as

    <cpu>
        <topology sockets='1' cores='1' threads='1'/>
    </cpu>

libvirt would happily crash without warning.
2010-07-12 19:45:22 +02:00
Jiri Denemark
517aba9fac cpu: Fail when CPU type cannot be detected from XML
When autodetecting whether XML describes guest or host CPU, the presence
of <arch> element is checked. If it's present, we treat the XML as host
CPU definition. Which is right, since guest CPU definitions do not
contain <arch> element. However, if at the same time the root <cpu>
element contains `match' attribute, we would silently ignore it and
still treat the XML as host CPU. We should rather refuse such invalid
XML.
2010-07-12 19:45:22 +02:00
Jiri Denemark
ac3daf0899 cpuCompare: Fix comparison of two host CPUs
When a CPU to be compared with host CPU describes a host CPU instead of
a guest CPU, the result is incorrect. This is because instead of
treating additional features in host CPU description as required, they
were treated as if they were mentioned with all possible policies at the
same time.
2010-07-12 19:45:22 +02:00
Jiri Denemark
4677b06428 qemu: Use -nodefconfig when probing for CPU models
In case qemu supports -nodefconfig, libvirt uses it when launching
new guests. Since this option may affect CPU models supported by qemu,
we need to use it when probing for available models.
2010-07-12 19:45:22 +02:00
Jiri Denemark
2d14615a75 virsh: Fix man page syntax
pod2man prints the following warning when generating virsh.1:

    tools/virsh.pod:890: Unmatched =back
2010-07-12 19:45:22 +02:00
Daniel P. Berrange
8fa58ab348 Fix potential crash in QEMU monitor JSON impl
An indentation mistake meant that a check for return status
was not properly performed in all cases. This could result
in a crash on NULL pointer in a following line.

* src/qemu/qemu_monitor_json.c: Fix check for return status
  when processing JSON for blockstats
2010-07-12 18:34:18 +01:00
Daniel P. Berrange
69bf3535a7 Fix build by removing unknown pod2man flag
Some versions of pod2man do not support the -u flag, so this
can't be used

* daemon/Makefile.am: Remove -u flag from pod2man
2010-07-12 14:09:30 +01:00
Daniel P. Berrange
a6c539445e Ensure we return the callback ID in python events binding
A missing return statement in the python binding meant that
the callers could not get the callback ID, and thus not be
able to unregister event callbacks

* python/libvirt-override-virConnect.py: Add missing return
  statement
2010-07-12 13:41:52 +01:00
Justin Clift
8cc02e8627 html docs: added firewall explanation page by daniel berrange
2010-07-10 22:47:00 +10:00
Justin Clift
c6a6dc1d2d libvirtd: add man page for libvirtd
With gracious thanks to Chris Lalancette for helping knock the
description section into shape.

This addresses BZ #595350

  https://bugzilla.redhat.com/show_bug.cgi?id=595350
2010-07-10 00:10:55 +10:00
Justin Clift
f5271fc166 virsh: add new --details option to vol-list
This patch adds a new --details option to the virsh vol-list
command, making its output more useful when many luns are
present.

Addresses BZ # 605543

  https://bugzilla.redhat.com/show_bug.cgi?id=605543
2010-07-09 23:35:28 +10:00
Justin Clift
b3db32610d authors: update my authors details
2010-07-09 23:21:00 +10:00
Chris Lalancette
bfe2bef106 Fix a compile error in the previous commit.
Signed-off-by: Chris Lalancette <clalance@redhat.com>
2010-07-08 08:49:01 -04:00