Commit Graph

432 Commits

Author SHA1 Message Date
Radostin Stoyanov
e9476e1035 cfg.mk: check ctype_macros only on *.[c|h] files
The functions like isalnum(), isalpha(), isdigit(), etc. are also
available in Python, however `make syntax-check` do not intend to
prohibit them.

Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Signed-off-by: Radostin Stoyanov <rstoyanov1@gmail.com>
2018-03-20 12:13:35 +00:00
Daniel P. Berrangé
a32600f3ce cfg.mak: ignore trailing whitespace in gnulib local patches
The diff files in gnulib/local may well contain trailing whitespace.
They are simply diff's of gnulib code which should not be modified to
follow libvirt style rules.

Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
2018-03-05 18:46:24 +00:00
Daniel P. Berrangé
91fd3dc932 daemon: move libvirtd code into src/remote/ directory
Having a daemon/ directory makes little sense from a code structure
point of view, as 90% of the code that is built into libvirtd already
lives in the src/ directory. The virtlockd and virlogd daemons also live
entirely in src/{locking,logging} directories. This moves the source
code for libvirtd into src/remote/, alongside the client code.

Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
2018-02-22 12:21:08 +00:00
Daniel P. Berrangé
6d394819ab daemon: remove obsolete doc describing daemon threading
The THREADS.txt describes the way threading worked in libvirtd many many
years ago, long before even the RPC code was modularized. Things have
evolved significantly since then, so delete this potentially misleading doc.

Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
2018-02-22 11:31:30 +00:00
Daniel P. Berrangé
c2dc6698c8 log: fix deadlock obtaining hostname (related CVE-2018-6764)
The fix for CVE-2018-6764 introduced a potential deadlock scenario
that gets triggered by the NSS module when virGetHostname() calls
getaddrinfo to resolve the hostname:

 #0  0x00007f6e714b57e7 in futex_wait
 #1  futex_wait_simple
 #2  __pthread_once_slow
 #3  0x00007f6e71d16e7d in virOnce
 #4  0x00007f6e71d0997c in virLogInitialize
 #5  0x00007f6e71d0a09a in virLogVMessage
 #6  0x00007f6e71d09ffd in virLogMessage
 #7  0x00007f6e71d0db22 in virObjectNew
 #8  0x00007f6e71d0dbf1 in virObjectLockableNew
 #9  0x00007f6e71d0d3e5 in virMacMapNew
 #10 0x00007f6e71cdc50a in findLease
 #11 0x00007f6e71cdcc56 in _nss_libvirt_gethostbyname4_r
 #12 0x00007f6e724631fc in gaih_inet
 #13 0x00007f6e72464697 in __GI_getaddrinfo
 #14 0x00007f6e71d19e81 in virGetHostnameImpl
 #15 0x00007f6e71d1a057 in virGetHostnameQuiet
 #16 0x00007f6e71d09936 in virLogOnceInit
 #17 0x00007f6e71d09952 in virLogOnce
 #18 0x00007f6e714b5829 in __pthread_once_slow
 #19 0x00007f6e71d16e7d in virOnce
 #20 0x00007f6e71d0997c in virLogInitialize
 #21 0x00007f6e71d0a09a in virLogVMessage
 #22 0x00007f6e71d09ffd in virLogMessage
 #23 0x00007f6e71d0db22 in virObjectNew
 #24 0x00007f6e71d0dbf1 in virObjectLockableNew
 #25 0x00007f6e71d0d3e5 in virMacMapNew
 #26 0x00007f6e71cdc50a in findLease
 #27 0x00007f6e71cdc839 in _nss_libvirt_gethostbyname3_r
 #28 0x00007f6e71cdc724 in _nss_libvirt_gethostbyname2_r
 #29 0x00007f6e7248f72f in __gethostbyname2_r
 #30 0x00007f6e7248f494 in gethostbyname2
 #31 0x000056348c30c36d in hosts_keys
 #32 0x000056348c30b7d2 in main

Fortunately the extra stuff virGetHostname does is totally irrelevant to
the needs of the logging code, so we can just inline a call to the
native hostname() syscall directly.

Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
2018-02-12 12:29:13 +00:00
Daniel P. Berrangé
5529b057e7 cfg: forbid includes of headers in network and storage drivers again
Loadable drivers must never depend on each other. Over time some usage
mistakenly crept in for the storage and network drivers, but now this is
eliminated the syntax-check rules can enforce this separation once more.

Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
2018-02-09 11:05:10 +00:00
Daniel P. Berrangé
12ba706d6d Check for tabs in augeas files
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
2018-01-31 15:19:26 +00:00
Daniel P. Berrange
ce7ae55ea1 lockd: add support for admin protocol in virtlockd
Add a virtlockd-admin-sock can serves the admin protocol for the virtlockd
daemon and define a virtlockd:///{system,session}  URI scheme for
connecting to it.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2018-01-31 15:18:36 +00:00
Daniel P. Berrange
b1e03dad86 admin: move admins server impl/dispatch into src/admin directory
The admin server functionality is a generic concept that should be wired
up into all libvirt daemons, but is currently integrated with the
libvirtd code. Move it all into the src/admin directory to prepare for
broader reuse.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2018-01-31 15:12:30 +00:00
Andrea Bolognani
f131dacf68 cfg.mk: Simplify backslash alignment check
The use of [[:blank:]] was intended to cover tabs as well, but
it couldn't possibly work in its current form, so the regex was
tweaked in d09429abe8.

With the original reason for using [[:blank:]] now gone, we can
replace its usage with plain spaces. A comment about the purpose
of the check is added as well.

Signed-off-by: Andrea Bolognani <abologna@redhat.com>
2017-12-15 13:38:39 +01:00
Martin Kletzander
d09429abe8 Adjust backslash alignment syntax-check
We have a check for backslash alignment that checks for two blanks preceding a
backslash.  However there can be alignment done using a tabulator and in some
cases one might be enough.  There are none currently, but I found out that was
the case before. at some point.  so let's check for \t preceding the final
backslash as well.

Signed-off-by: Martin Kletzander <mkletzan@redhat.com>
2017-11-23 11:31:52 +01:00
Andrea Bolognani
b5ce8bd034 cfg.mk: Prohibit backspace alignment attempts
Now that our codebase is clean, we can add a syntax-check rule
to ensure it will remain so.

Signed-off-by: Andrea Bolognani <abologna@redhat.com>
2017-11-03 13:24:13 +01:00
Andrea Bolognani
3e7db8d3e8 Remove backslash alignment attempts
Right-aligning backslashes when defining macros or using complex
commands in Makefiles looks cute, but as soon as any changes is
required to the code you end up with either distractingly broken
alignment or unnecessarily big diffs where most of the changes
are just pushing all backslashes a few characters to one side.

Generated using

  $ git grep -El '[[:blank:]][[:blank:]]\\$' | \
    grep -E '*\.([chx]|am|mk)$$' | \
    while read f; do \
      sed -Ei 's/[[:blank:]]*[[:blank:]]\\$/ \\/g' "$f"; \
    done

Signed-off-by: Andrea Bolognani <abologna@redhat.com>
2017-11-03 13:24:12 +01:00
Daniel P. Berrange
e371b3bf41 Use https:// links for most sites
This adds a rule to require https links for the libvirt, qemu
and kvm websites.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2017-10-16 10:22:34 +01:00
Daniel P. Berrange
32d6c7386d Print hex values with '0x' prefix and octal with '0' in debug messages
Seeing a log message saying 'flags=93' is ambiguous & confusing unless
you happen to know that libvirt always prints flags as hex.  Change our
debug messages so that they always add a '0x' prefix when printing flags,
and '0' prefix when printing mode. A few other misc places gain a '0x'
prefix in error messages too.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2017-09-25 13:34:53 +01:00
Daniel P. Berrange
eae746b2d7 Stop linking tests/commandhelper to libvirt code
The commandhelper binary is a helper for commandtest that
validates what file handles were inherited. For this to
work reliably we must not have any libraries that leak
file descriptors into commandhelper. Unfortunately some
versions of gnutls will intentionally open file handles
at library load time via a constructor function.

We previously hacked around this in

  commit 4cbc15d037
  Author: Martin Kletzander <mkletzan@redhat.com>
  Date:   Fri May 2 09:55:52 2014 +0200

    tests: don't fail with newer gnutls

    gnutls-3.3.0 and newer leaves 2 FDs open in order to be backwards
    compatible when it comes to chrooted binaries [1].  Linking
    commandhelper with gnutls then leaves these two FDs open and
    commandtest fails thanks to that.  This patch does not link
    commandhelper with libvirt.la, but rather only the utilities making
    the test pass.

    Based on suggestion from Daniel [2].

    [1] http://lists.gnutls.org/pipermail/gnutls-help/2014-April/003429.html
    [2] https://www.redhat.com/archives/libvir-list/2014-April/msg01119.html

That fix relied on fact that while libvirt.so linked with
gnutls, libvirt_util.la did not link to it.  With the
introduction of the util/vircrypto.c file that assumption
is no longer valid. We must not link to libvirt_util.la
at all - only gnulib and libc can (hopefully) be relied
on not to open random file descriptors in constructors.

Reviewed-by: Martin Kletzander <mkletzan@redhat.com>
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2017-09-20 14:32:12 +01:00
Andrea Bolognani
d672551816 HACKING: Drop from the git repository
Despite being a generated file, HACKING has been tracked in
the git repository along with actual source files. As far as
I'm aware, it's the only generated file for which that happens.

Times and times again, people[1] have committed changes to
the source file without refreshing the generated copy at the
same time.

The rationale for tracking the generated file is to help out
people who just cloned the git repository looking to contribue;
however, README-hacking already contains enough information to
get perspective contributors to a place where they can simply
look at docs/hacking.html instead.

[1] Mostly me, to be honest

Signed-off-by: Andrea Bolognani <abologna@redhat.com>
2017-06-26 14:25:54 +02:00
Martin Kletzander
ae60ea48bc tests: Add virfilewrapper -- the new super "mock"
This mock (which is actually not mock at all, see later) can redirect
all accesses to a path into another path.  There is no need to
create mocks for particular directories, you just create a directory
with all the data a redirect the test there.

In the future, this should also be able to register callbacks for
calls/paths, e.g. when the test is going to write into anything under
"/sys/devices", call function fce();  Then in the open() call we would
add information about the fd into some structure and in write() we
would call fce() with parameters like @path to write to, @data to
be written and pointer to optional return value, so that fce() itself
could stop the call from happening or change its behaviour.  But
that's an idea for a latter day.

This is not a mock because it will not be preloaded, but compiled in
the test itself.  See future patches for usage.

Signed-off-by: Martin Kletzander <mkletzan@redhat.com>
2017-05-09 13:12:40 +02:00
Wim ten Have
8659e7ffe3 xenconfig: add conversions for xen-xl
Per xen-xl conversions from and to native under host-passthrough
mode we take care for Xen (nestedhvm = mode) applied and inherited
settings generating or processing correct feature policy:

[On Intel (VT-x) architectures]
<feature policy='disable' name='vmx'/>

or

[On AMD (AMD-V) architectures]
<feature policy='disable' name='svm'/>

It will then generate (or parse) for nestedhvm=1 in/from xl format.

Signed-off-by: Joao Martins <joao.m.martins@oracle.com>
Signed-off-by: Wim ten Have <wim.ten.have@oracle.com>
2017-04-27 15:05:44 -06:00
Andrea Bolognani
6d53255377 autogen.sh: Improve and generalize
The goal is twofold: firstly, we want to extend the script so
that it can deal with more than a single git submodule, and
secondly we'd like to reduce the amount of duplicated code.
Moreover, since we're making heavy changes to the code anyway,
we might as well make sure it follows a somewhat consistent
coding style too.

To reduce code duplication, we introduce a new --dry-run
option, which can be used by third parties to figure out
whether calling autogen.sh is necessary or not: this allows
us to get rid of the reimplementation of part of the logic
in cfg.mk and guarantee they'll never get out of sync.

Other changes include: making dirty submodules checking and
cleaning entirely independent of other operations; removing
the use of 'set -e' and handling errors explicitly instead;
better parsing of command line arguments.
2017-04-25 09:52:37 +02:00
Daniel P. Berrange
728cacc8ab annotate all mocked functions with noinline
CLang's optimizer is more aggressive at inlining functions than
gcc and so will often inline functions that our tests want to
mock-override. This causes the test to fail in bizarre ways.

We don't want to disable inlining completely, but we must at
least prevent inlining of mocked functions. Fortunately there
is a 'noinline' attribute that lets us control this per function.

A syntax check rule is added that parses tests/*mock.c to extract
the list of functions that are mocked (restricted to names starting
with 'vir' prefix). It then checks that src/*.h header file to
ensure it has a 'ATTRIBUTE_NOINLINE' annotation. This should prevent
use from bit-rotting in future.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2017-04-19 10:51:51 +01:00
Peter Krempa
010c8f0f26 virsh: Add wrapper for virDomainSnapshotFree
Similarly to virshDomainFree add a wrapper for the snapshot object
freeing function.
2017-04-12 14:11:39 +02:00
Peter Krempa
3a344d55d9 virsh-util: Add wrapper for virDomainFree
virDomainFree has it's quirks (does not like NULL pointers, resets
libvirt errors). Replace it by a virsh helper which will allow us to
centrally fix issues with it.

The syntax-check rule will prohibit new uses of virDomainFree.
2017-04-12 14:08:37 +02:00
Boris Fiuczynski
ff483133fe qemu: Fix VPATH syntax-check for qemuSecurity wrappers enforcment
Fixing make syntax-check broken by commit 4da534c0b9.

Signed-off-by: Boris Fiuczynski <fiuczy@linux.vnet.ibm.com>
Reviewed-by: Marc Hartmayer <mhartmay@linux.vnet.ibm.com>
Reviewed-by: Bjoern Walk <bwalk@linux.vnet.ibm.com>
2017-04-05 18:30:55 +02:00
Jiri Denemark
eeeaaa0b73 build: Fix syntax check in VPATH
Matching the beginning of a path in syntax check does not work because
each path is enriched with a prefix of the source tree.

Signed-off-by: Jiri Denemark <jdenemar@redhat.com>
2017-03-27 16:53:18 +02:00
Jiri Denemark
88a185960d build: Fix sc_prohibit_exit_in_tests syntax check
This check makes sense only in *.c files.

Signed-off-by: Jiri Denemark <jdenemar@redhat.com>
2017-03-27 16:52:29 +02:00
Martin Kletzander
bdcb199532 Move src/fdstream to src/util/virfdstream
There is no reason for it not to be in the utils, all global symbols
under that file already have prefix vir* and there is no reason for it
to be part of DRIVER_SOURCES because that is just a leftover from
older days (pre-driver modules era, I believe).

Signed-off-by: Martin Kletzander <mkletzan@redhat.com>
2017-03-27 13:13:29 +02:00
Michal Privoznik
4da534c0b9 qemu: Enforce qemuSecurity wrappers
Now that we have some qemuSecurity wrappers over
virSecurityManager APIs, lets make sure everybody sticks with
them. We have them for a reason and calling virSecurityManager
API directly instead of wrapper may lead into accidentally
labelling a file on the host instead of namespace.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
2017-03-06 08:54:28 +01:00
Peter Krempa
b4c7310633 Disallow inclusion of files from src/conf into src/utils
The utils code should stay separated from other code (except for very
well justified cases). Unfortunately commit 272769becc
made it trivial to break the separation (and not get slapped by the
syntax-check rule) by adding -I src/conf to the CFLAGS for utils.

Remove this shortcut and except the two offenders from the syntax check
so that the codebase can be kept separated.
2017-02-20 15:12:07 +01:00
Michal Privoznik
1ef3ac82a3 nssmock: Prefer free() over VIR_FREE()
Problem with VIR_FREE() is that we are not linking
libvirt-utils.so to our mock libs therefore there will be an
unresolved symbol. Fortunately, nsstest that eventually links
with the nssmock links also with libvirt-utils.so and thus the
symbol is resolved after all. However, if one wants to run the
test binary under valgrind it is impossible to do so. Because of
the unresolved symbol.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
2016-12-06 13:33:18 +01:00
Daniel P. Berrange
b17a97f223 docs: rewrite content on front page to be more useful
The front page contains a bunch of content that is either
outdated (eg links to libvirt qpid) or not particularly
useful (links to vendor hypervisor sites).

This rewrites it to be more directly useful to visitors,
providing a updated intro to libvirt project, direct
links to key pieces of website content (new contributors
guide, security process, bug reporting, XML formats), and
feed showing recent 5 blog posts on the virt tools planet.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2016-11-11 12:15:05 +00:00
Daniel P. Berrange
fb2236f9f7 Revert "syntax-check: Enforce <code> inside <dt> elements"
This reverts commit 1f29f3da06.

Assuming <dt> is always used to document symbols is way too
broad, requiring far too many exemptions to be marked to
avoid syntax check rules.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2016-11-11 12:15:05 +00:00
Daniel P. Berrange
628e343e79 docs: use overpass font for website
The original libvirt logo was built using what appears to be
either Overpass font, or one stylistically very similar (the
slanted top of letters like 'l', 't', etc). The newly recreated
libvirt logo will use Overpass. Use this font for the website
text too, to provide a consistent style.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2016-11-11 09:31:10 +00:00
Daniel P. Berrange
ac9bf93941 docs: remove obsolete library.xen file
The library.xen file contains a braindump of thoughts dating
from the very first days of libvirt, when it was briefly
called libxen. This is not useful and potentially misleading
or confusing for people.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2016-11-01 11:49:56 +00:00
Michal Privoznik
b7d2d4af2b src: Treat PID as signed
This initially started as a fix of some debug printing in
virCgroupDetect. However it turned out that other places suffer
from the similar problem. While dealing with pids, esp. in cases
where we cannot use pid_t for ABI stability reasons, we often
chose an unsigned integer type. This makes no sense as pid_t is
signed.
Also, new syntax-check rule is introduced so we won't repeat this
mistake.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
2016-10-13 17:58:56 +08:00
Martin Kletzander
1827f2ac5d Change virDomainEventState to virObjectLockable
This way we get reference counting and we can get rid of locking
function.

Signed-off-by: Martin Kletzander <mkletzan@redhat.com>
2016-10-12 12:54:47 +02:00
Ján Tomko
f9785569de cfg.mk: join not_streq and not_strneq tests
The marginally nicer error message is not worth the extra lines in
cfg.mk.

Also drop the excludes since there was only one offender in the tests.
2016-08-18 13:37:08 +02:00
Ján Tomko
b3e3fc3257 cfg.mk: drop redundant sc_prohibit_gethostby
Both gethostbyaddr and gethostbyname* are already checked
by sc_prohibit_nonreentrant.
2016-08-18 13:37:08 +02:00
Ján Tomko
1fe77f9f7f cfg.mk: use subst instead of tr
GNU make is able to replace characters, no need to call tr.
2016-08-18 13:37:08 +02:00
Erik Skultety
fbb8205de3 examples: admin: Add some examples for the new admin APIs
Some of the examples make use of asprintf and strtol functions (to keep
things simple) which are prohibited to use within our code (enforced by
syntax-check). Therefore besides adding some examples, this patch also updates
cfg.mk to exclude examples directory from asprintf and strtol rules, as well as
updates .gitignore to exclude all the new admin binaries created in the
'examples' dir.

Signed-off-by: Erik Skultety <eskultet@redhat.com>
2016-06-26 00:21:06 +02:00
Ján Tomko
32d0a57812 Prohibit opendir in syntax-check
Prefer virDirOpen.
2016-06-24 14:20:57 +02:00
Ján Tomko
a4e6f1eb9c Introduce VIR_DIR_CLOSE
Introduce a helper that only calls closedir if DIR* is non-NULL
and sets it to NULL afterwards.
2016-06-23 21:58:33 +02:00
Ján Tomko
a9179d78bf syntax-check: rewrite prohibit-duplicate-header in perl
Invoke the script only once instead of once for every file.
2016-06-23 12:48:40 +02:00
Ján Tomko
c9c03ea24d test-wrap-argv: add --check parameter
This script can already operate on a list of files.
Add a --check parameter to check if multiple files are wrapped
correctly with a single invocation of the script.
2016-06-21 18:13:07 +02:00
Ján Tomko
3a9d1f3701 syntax-check: drop prohibit_undesirable_word_seq
This checks forbids using "can not" and checks the placement
of some texinfo tags.

Drop it since we do not use texinfo and the check takes almost
twice as much as the rest of the checks.
2016-06-16 07:57:53 +02:00
Ján Tomko
4e1a7dbb31 Rename bracket-spacing.pl to check-spacing.pl
We test whitespace with lots of other characters now.
2016-06-15 15:07:47 +02:00
Ján Tomko
e26098a1f4 cfg.mk: use a single regex for all non-reentrant functions
The prohibit_nonreentrant syntax-check rule spawns a new shell
for every non-reentrant function we know, to make it easier
to mention the function name in the error message, with the _r
appended.

Since the line with the offending function is already printed
and some of the functions on our list do not have a _r counterpart,
compile them into one big regex and use a more generic error message
to save time.
2016-06-15 15:00:56 +02:00
Daniel P. Berrange
eaf18f4c2b nodeinfo: move host CPU APIs out into virhostcpu.c file
Move all APIs with a virHostCPU name prefix out into new
util/virhostcpu.h & util/virhostcpu.c files

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2016-06-09 18:31:11 +01:00
Pavel Hrdina
a94efa50e2 maint: fix syntax-check sc_prohibit_int_ijk exclude rule
Fix the regex for excluding files for this syntax-rule.  The rule "include/"
will not work, because we are matching the whole line like this
"^(...|include/|...)$ so we need to use "include/libvirt/libvirt.+".  The second
issue is that we are using only one '$' but there should be two of those at the
end.  The last small adjustment is to escape dots '.' so it match only dot.

Signed-off-by: Pavel Hrdina <phrdina@redhat.com>
2016-05-24 13:36:11 +02:00
Michal Privoznik
49c1a078c2 virtestmock: Mock stat() properly
There is a lot to explain, but I try to make it as short as
possible. I'd start by pasting some parts of sys/stat.h:

extern int stat (const char *__restrict __file,
		 struct stat *__restrict __buf) __THROW __nonnull ((1, 2));

extern int __REDIRECT_NTH (stat, (const char *__restrict __file,
				  struct stat *__restrict __buf), stat64)
     __nonnull ((1, 2));

__extern_inline int
__NTH (stat (const char *__path, struct stat *__statbuf))
{
  return __xstat (_STAT_VER, __path, __statbuf);
}

Only one of these is effective at once, due to some usage of
the mess we are dealing with in here. So, basically, while
compiling or linking stat() in our code can be transformed into
some other func. Or a dragon.
Now, if you read stat(2) manpage, esp. "C library/kernel
differences" section, you'll learn that glibc uses some tricks
for older applications to work. I haven't gotten around actual
code that does this, but based on my observations, if 'stat'
symbol is found, glibc assumes it's dealing with ancient
application. Unfortunately, it can be just ours stat coming from
our mock. Therefore, calling stat() from a test will end up in
our mock. But since glibc is not exposing the symbol anymore, our
call of real_stat() will SIGSEGV immediately as the pointer to
function is NULL. Therefore, we should expose only those symbols
we know glibc has.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
2016-05-20 17:16:21 +02:00