Commit Graph

27363 Commits

Author SHA1 Message Date
Nikolay Shirokovskiy
3b8a0f6ac2 iohelper: drop unused operation length limit 2017-09-19 11:37:15 +02:00
Guido Günther
3faf3ca60a apparmor: cater for new AAVMF image location
Things moved again, sigh.

Reviewed-By: Jamie Strandboge <jamie@canonical.com>
Michal Privoznik <mprivozn@redhat.com>
2017-09-18 19:06:53 +02:00
Guido Günther
f305d8a191 apparmor: add attach_disconnected
Otherwise we fail to reconnect to /dev/net/tun opened by libvirtd
like

    [ 8144.507756] audit: type=1400 audit(1505488162.386:38069121): apparmor="DENIED" operation="file_perm" info="Failed name lookup - disconnected path" error=-13 profile="libvirt-5dfcc8a7-b79a-4fa9-a41f-f6271651934c" name="dev/net/tun" pid=9607 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=117 ouid=0

Reviewed-By: Jamie Strandboge <jamie@canonical.com>
Acked-By: Michal Privoznik <mprivozn@redhat.com>
2017-09-18 19:06:52 +02:00
Jiri Denemark
848b72421f cpu: Add new Skylake-Server CPU model
Available since QEMU 2.10.0 (specifically commit
v2.9.0-2233-g53f9a6f45f).

Signed-off-by: Jiri Denemark <jdenemar@redhat.com>
Reviewed-by: Pavel Hrdina <phrdina@redhat.com>
2017-09-18 15:10:46 +02:00
Jiri Denemark
78d177df67 cpu: Add clwb/pcommit CPU features
The features were added to QEMU by commit v2.4.0-1690-gf7fda28094 as
Skylake Server features.

Signed-off-by: Jiri Denemark <jdenemar@redhat.com>
Reviewed-by: Pavel Hrdina <phrdina@redhat.com>
2017-09-18 15:10:46 +02:00
Jiri Denemark
1c65bd1402 tests: Add CPUID data for Intel(R) Xeon(R) Gold 6148 CPU
Signed-off-by: Jiri Denemark <jdenemar@redhat.com>
Reviewed-by: Pavel Hrdina <phrdina@redhat.com>
2017-09-18 15:10:46 +02:00
John Ferlan
4b314f9ba5 docs: Update news.xml to describe switchdev offloading 2017-09-18 08:32:24 -04:00
Edan David
8708ca01c0 nodedev: add switchdev to NIC capabilities
Adding functionality to libvirt that will allow querying the interface
for the availability of switchdev Offloading NIC capabilities.

The switchdev mode was introduced in kernel 4.8, the iproute2-devlink
command to retrieve the switchdev NIC feature with command example:

    devlink dev eswitch show pci/0000:03:00.0

This feature is needed for Openstack so we can do a scheduling decision
if the NIC is in Hardware Offload (switchdev) or regular SR-IOV (legacy) mode.
And select the appropriate hypervisors with the requested capability see [1].

[1] - https://specs.openstack.org/openstack/nova-specs/specs/pike/approved/enable-sriov-nic-features.html

Reviewed-by: Laine Stump <laine@laine.org>
Reviewed-by: John Ferlan <jferlan@redhat.com>
2017-09-18 08:32:24 -04:00
Michal Privoznik
8703813aae qemu: Implement usernet address
https://bugzilla.redhat.com/show_bug.cgi?id=1075520

Apart from generic checks, we need to constrain netmask/prefix
length a bit. Thing is, with current implementation QEMU needs to
be able to 'assign' some IP addresses to the virtual network. For
instance, the default gateway is at x.x.x.2, dns is at x.x.x.3,
the default DHCP range is x.x.x.15-x.x.x.30. Since we don't
expose these settings yet, it's safer to require shorter prefix
to have room for the defaults.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: laine@laine.org
2017-09-18 13:54:27 +02:00
Michal Privoznik
d1dbb30782 conf: Allow usernet to have an address
https://bugzilla.redhat.com/show_bug.cgi?id=1075520

Currently, all that users can specify for an interface type of
'user' is the common attributes: PCI address, NIC model (and
that's basically it). However, some need to configure other
address range than the default one.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: laine@laine.org
2017-09-18 13:54:27 +02:00
Jiri Denemark
ea9741f600 cpu_x86: Implement virCPUValidateFeatures
The function checks whether all CPU features used in a CPU definition
are specified in cpu_map.xml.

https://bugzilla.redhat.com/show_bug.cgi?id=1460086

Signed-off-by: Jiri Denemark <jdenemar@redhat.com>
2017-09-18 10:40:12 +02:00
Jiri Denemark
20edbad776 cpu_s390: Implement virCPUValidateFeatures
Only feature policy is checked on s390, which was previously done in
virCPUUpdate, but that's not the correct place for the check once we
have virCPUValidateFeatures.

Signed-off-by: Jiri Denemark <jdenemar@redhat.com>
2017-09-18 10:40:12 +02:00
Jiri Denemark
3f0193f7e5 qemu: Validate guest CPU features before starting a domain
Signed-off-by: Jiri Denemark <jdenemar@redhat.com>
2017-09-18 10:40:12 +02:00
Jiri Denemark
6ef9c202f2 cpu: Introduce virCPUValidateFeatures
This new API may be used to check whether all features used in a CPU
definition are valid (e.g., libvirt knows their name, their policy is
supported, etc.). Leaving this API unimplemented in an arch subdriver
means libvirt does not restrict CPU features usable on the associated
architectures.

Signed-off-by: Jiri Denemark <jdenemar@redhat.com>
2017-09-18 10:40:12 +02:00
Jiri Denemark
2ba32a86dd qemu: Filter CPU features returned by qemuConnectBaselineCPU
The host CPU definitions reported in the capabilities XML may contain
CPU features unknown to QEMU, but the result of virConnectBaselineCPU is
supposed to be directly usable as a guest CPU definition and thus it
should only contain features QEMU knows about.

https://bugzilla.redhat.com/show_bug.cgi?id=1450317

Signed-off-by: Jiri Denemark <jdenemar@redhat.com>
2017-09-18 10:40:12 +02:00
Jiri Denemark
399f91694f qemu: Publish virQEMUCapsCPUFilterFeatures
Signed-off-by: Jiri Denemark <jdenemar@redhat.com>
2017-09-18 10:40:12 +02:00
Jiri Denemark
b0b5c9c620 qemu: Pass virArch * to virQEMUCapsCPUFilterFeatures
The filter only needs to know the CPU architecture. Passing
virQEMUCapsPtr as opaque is a bit overkill.

Signed-off-by: Jiri Denemark <jdenemar@redhat.com>
2017-09-18 10:40:12 +02:00
Jiri Denemark
abec725ab1 cpu: Drop cpuBaselineXML
The implementation of virConnectBaselineCPU may be different for each
hypervisor. Thus it shouldn't really be implmented in the cpu code.

Signed-off-by: Jiri Denemark <jdenemar@redhat.com>
2017-09-18 10:40:12 +02:00
Jiri Denemark
7816de498b cpu: Don't log CPU models in cpuBaselineXML
They are logged in cpuBaseline anyway.

Signed-off-by: Jiri Denemark <jdenemar@redhat.com>
2017-09-18 10:40:12 +02:00
Jiri Denemark
50234e4eaf cpu: Use virCPUDefListParse in cpuBaselineXML
Signed-off-by: Jiri Denemark <jdenemar@redhat.com>
2017-09-18 10:40:12 +02:00
Jiri Denemark
57f3999d72 cpu_conf: Introduce virCPUDefList{Parse,Free}
For parsing a list of CPU XMLs into a NULL-terminated list of CPU defs.

Signed-off-by: Jiri Denemark <jdenemar@redhat.com>
2017-09-18 10:40:12 +02:00
Jiri Denemark
440838472d virsh: Enhance documentation of --rdma-pin-all option
https://bugzilla.redhat.com/show_bug.cgi?id=1373783

Signed-off-by: Jiri Denemark <jdenemar@redhat.com>
Reviewed-by: Pavel Hrdina <phrdina@redhat.com>
2017-09-18 10:30:47 +02:00
Cole Robinson
11b0e889b5 spec: Fix %license compat on RHEL6
The macro needs to be defined closer to its usage
2017-09-15 13:04:18 -04:00
Cole Robinson
6cf1475a1c spec: Use %license when available
This is required by the fedora packaging guidelines:

https://fedoraproject.org/wiki/Packaging:LicensingGuidelines

This macro isn't available on stock RHEL6 so provide a backcompat
definition

https://bugzilla.redhat.com/show_bug.cgi?id=1483293

Reported-by: Ville Skyttä <ville.skytta@iki.fi>
2017-09-15 08:43:54 -04:00
Ville Skyttä
6966a8cd18 spec: Own %{_libdir}/libvirt{,/connection-driver} dirs
Owning all created directories is a requirement of the Fedora
packaging guidelines

https://bugzilla.redhat.com/show_bug.cgi?id=1483293
Signed-off-by: Cole Robinson <crobinso@redhat.com>
2017-09-15 08:43:54 -04:00
John Ferlan
1f8528c2b8 qemu: Fix return check on virHashAddEntry call
Luckily it only returns 0 or -1
2017-09-15 08:34:57 -04:00
John Ferlan
304e0f6d16 conf: Use virXMLFormatElement to format disk source network
Commit id 'e02ff020cac' neglected to use the attrBuf and childBuf
in the virDomainDiskSourceFormatNetwork call.

So make the necessary alterations to allow usage.
2017-09-15 08:17:32 -04:00
John Ferlan
fae7a7354c conf: Move <disk> encryption validation
Rather than checking during XML processing, move the check for
valid <encryption> into virDomainDiskDefParseValidate and alter
the text of the message slightly to be a bit more correct.
2017-09-15 08:12:26 -04:00
John Ferlan
411cdb6150 conf: Add invalid domain disk encryption test
Add a test to prove checking for invalid luks disk formatting check.
The error message will indicate supplying the <cipher> element is
unnecessary.
2017-09-15 08:07:42 -04:00
John Ferlan
c09c93cf57 conf: Move <disk> authdef validation
Rather than checking during XML processing, move the checks for correct
and valid auth into virDomainDiskDefParseValidate. This will introduce
virDomainDiskSourceDefParseAuthValidate to validate that the authdef
stored for the virStorageSource is valid. This can then be expanded
to service backingStore sources as well.

Alter the message text slightly as well to distinguish between an
unknown name and an incorrectly used name.  Since type is not a
mandatory field, add the NULLSTR() around the output of the unknown
error. NB, a config using unknown formatting would fail virschematest
since it only accepts 'iscsi' and 'ceph' as "valid" types.
2017-09-15 07:52:04 -04:00
John Ferlan
fbad3ed0fa conf: Add invalid secrettype checks
Add a couple of tests to "validate" checks in domain_conf that either
a missing secrettype (CONFIG_UNSUPPORTED) or an mismatched secrettype
of ceph for an iSCSI disk (INTERNAL_ERROR) will cause a parsing error.
2017-09-15 07:37:50 -04:00
John Ferlan
4775ca27e9 docs: Remove unnecessary <auth> example for iscsi disk type='volume'
Alter the example to remove the <auth> from:

  <disk type='volume' device='disk'>
    <driver name='qemu' type='raw'/>
    <source pool='iscsi-pool' volume='unit:0:0:1' mode='host'/>
    <auth username='myuser'>
      <secret type='iscsi' usage='libvirtiscsi'/>
    </auth>
    <target dev='vdb' bus='virtio'/>
  </disk>

and

  <disk type='volume' device='disk'>
    <driver name='qemu' type='raw'/>
    <source pool='iscsi-pool' volume='unit:0:0:2' mode='direct'/>
    <auth username='myuser'>
      <secret type='iscsi' usage='libvirtiscsi'/>
    </auth>
    <target dev='vdc' bus='virtio'/>
  </disk>

The reality is, it's not even used. For a <source pool> the authdef
from the storage source pool will supercede whatever is in the <disk>
definition during virStorageTranslateDiskSourcePool processing. In fact,
if the pool doesn't have/need authentication, then the authdef would
be removed anyway as the storage pool would be handling things.

The "proof" for this is in the adjustment to the test to add an
<auth> for a disk. The resulting .args file won't add what normally
would be added "myname:encodedpassword@" prior to the hostname in
the IQN (e.g. iscsi://myname:encodedpassword@iscsi.example.org:3260/...
2017-09-15 07:37:50 -04:00
Peter Krempa
a823d0a62e qemu: Restore errors when rolling back disk image state
Some operations done to rollback disk image labelling and locking might
overwrite (or clear) the actual error. Remember the original error when
tearing down disk access so that it's not obscured.

Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1461301
2017-09-15 05:28:21 +02:00
Peter Krempa
6f18150f7b qemu: hotplug: Use new helpers for storing libvirt errors
The helpers allow to simplify restoring original errors in most cases.
2017-09-15 05:28:21 +02:00
Peter Krempa
8333e7455e util: error: Add helpers for saving and restoring of last error
Some cleanup paths overwrite a usefull error message with a less useful
one and we then try to preserve the original message. The handlers added
in this patch will simplify the operations since they are designed right
for the purpose.
2017-09-15 05:28:21 +02:00
Cole Robinson
1f085acb81 news: document spice rendernode DAC changes
Reviewed-by: Andrea Bolognani <abologna@redhat.com>
2017-09-14 16:20:32 -04:00
Andrea Bolognani
8d56815ef1 travis: Shuffle sections around
Order them more logically and make sure that stuff that doesn't
need to be modified frequently if at all, such as the notification
settings, are out of the way.

Perform other very minor tweaks as well.

Signed-off-by: Andrea Bolognani <abologna@redhat.com>
Reviewed-by: Martin Kletzander <mkletzan@redhat.com>
2017-09-14 17:34:08 +02:00
Andrea Bolognani
05ff29a7fd travis: Install more build dependencies
Since configure automatically picks up as many optional dependencies
as possible, installing more packages allows us to improve our test
coverage.

Signed-off-by: Andrea Bolognani <abologna@redhat.com>
Reviewed-by: Daniel P. Berrange <berrange@redhat.com>
2017-09-14 16:59:24 +02:00
Andrea Bolognani
e5ae4fe929 travis: Improve test matrix
The default distribution is apparently ignored if an explicit test
matrix is provided, so we haven't actually been testing the precise
plus gcc combo.

Signed-off-by: Andrea Bolognani <abologna@redhat.com>
Reviewed-by: Daniel P. Berrange <berrange@redhat.com>
2017-09-14 16:59:24 +02:00
Andrea Bolognani
fa6eea60f0 travis: Don't have a separate script definition for macOS
Make parts of the build command OS-dependent instead.

Signed-off-by: Andrea Bolognani <abologna@redhat.com>
Reviewed-by: Daniel P. Berrange <berrange@redhat.com>
2017-09-14 16:59:24 +02:00
Andrea Bolognani
73b760c75a travis: Don't abort build due to -Wvariadic-macros
The openwsman header files are at fault here, but precise is entirely
unmaintained at this point so the issue will never be fixed.

Better to ignore the error and have coverage over the Hyper-V driver
than disabling it: if code that would trigger the warning will be
added to libvirt, the CentOS CI will catch it.

Signed-off-by: Andrea Bolognani <abologna@redhat.com>
Reviewed-by: Daniel P. Berrange <berrange@redhat.com>
2017-09-14 16:59:24 +02:00
Andrea Bolognani
2e2e44b6ac travis: Move variables to 'env' section
Signed-off-by: Andrea Bolognani <abologna@redhat.com>
Reviewed-by: Daniel P. Berrange <berrange@redhat.com>
2017-09-14 16:59:24 +02:00
Andrea Bolognani
2e975abdc9 travis: Limit git depth to 5 commits
We don't need 50 commits for our purposes, so might as well save some
bandwidth and possibly some time by making the clone shallower.

Signed-off-by: Andrea Bolognani <abologna@redhat.com>
Reviewed-by: Daniel P. Berrange <berrange@redhat.com>
2017-09-14 16:59:18 +02:00
John Ferlan
3358bfb286 qemu: Add QEMU 2.10 x86_64 the generated capabilities
For reference, these were generated by updating a local qemu git
repository to the latest upstream, making sure the latest dependencies
were met via "dnf builddep qemu" from my sufficiently privileged root
account, checking out the v2.10.0 tag, and building in order to generate
an "x86_64-softmmu/qemu-system-x86_64" image.

Then using a clean libvirt tree updated to master and built, the image
was then provided as input:

    tests/qemucapsprobe /path/to/x86_64-softmmu/qemu-system-x86_64 > \
       tests/qemucapabilitiesdata/caps_2.10.0.x86_64.replies

With the .replies file in place and the DO_TEST line added and build,
then running the following commands:

    touch tests/qemucapabilitiesdata/caps_2.10.0.x86_64.xml
    VIR_TEST_REGENERATE_OUTPUT=1 ./tests/qemucapabilitiestest

to generate tests/qemucapabilitiesdata/caps_2.10.0.x86_64.xml and both
were added to the commit.

Signed-off-by: John Ferlan <jferlan@redhat.com>
Reviewed-by: Pavel Hrdina <phrdina@redhat.com>
2017-09-14 08:39:25 -04:00
Peter Krempa
1666d10793 qemu: caps: Deprecate QEMU_CAPS_BLOCKJOB_SYNC
Interestingly, none of the qemus we have caps for supported it ...

Reviewed-by: Eric Blake <eblake@redhat.com>
2017-09-14 10:03:47 +02:00
Peter Krempa
771a38609d qemu: monitor: Remove support for "legacy" block jobs
Drop all the monitor code necessary to do the downstream block jobs.

Reviewed-by: Eric Blake <eblake@redhat.com>
2017-09-14 10:03:38 +02:00
Peter Krempa
2350d10149 qemu: Remove support for legacy block jobs
Block job QMP commands with underscores rather than dashes were never
released in upstream qemu, (they were added, but modified in the same
release [1]), but a certain distro managed to backport the version in the
middle.

The change also slightly modified semantics for the abort command, which
made us have a lot of code which was only ever present in certain
downstream distros.

Clean the upstream code from the legacy cruft and support only the
upstream implementations.

[1] See qemu commit v1.0-2176-gdb58f9c060

Reviewed-by: Eric Blake <eblake@redhat.com>
2017-09-14 10:03:25 +02:00
John Ferlan
23706c1708 qemu: Clean up qemuDomainSecretPrepare
No need to pass a @driver parameter since all that's done is deref
the @cfg especially since the only caller can just pass an already
referenced @cfg.

Also, looks like commit id '0298531b' at one time had a different
name for the API, so I took the liberty of fixing the comments too
since I would already be updating them for the @cfg variable.
2017-09-13 06:22:52 -04:00
Michal Privoznik
13264dfd23 virsh.pod: Fix units for dommemstat and domstats
The documentation mistakenly states that the unit for returned
values is kB (multiple of 1000), while in fact we are returning
KiB (multiple of 1024).

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
2017-09-13 09:29:53 +02:00
Cole Robinson
98931187ee security: dac: relabel spice rendernode
For a logged in user this a path like /dev/dri/renderD128 will have
default ownership root:video which won't work for the qemu:qemu user,
so we need to chown it.

We only do this when mount namespaces are enabled in the qemu driver,
so the chown'ing doesn't interfere with other users of the shared
render node path

https://bugzilla.redhat.com/show_bug.cgi?id=1460804
2017-09-12 12:27:42 -04:00