Currently, we put no strains on the escape sequence, possibly leaving users
with a console that cannot be terminated. However, not all ASCII
characters can be used as an escape sequence. Only those falling in
@ - _ can be; implement and document this constraint.
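The constraint described above, as an added example that is not libvirt's own code: in caret notation "^X" names the control byte X xor 0x40, which is only a control character when X lies in '@' through '_'. The function names are hypothetical, and the "^X" two-character form is taken from the "Escape character is ^]" output quoted further down the page.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper names; this is not libvirt's implementation. */

/* True when c may follow '^': '@' (0x40) through '_' (0x5F). */
static int escape_char_allowed(unsigned char c)
{
    return c >= '@' && c <= '_';
}

/*
 * Parse an escape specification of the form "^X".
 * On success store the control byte in *out and return 0.
 * Return -1 for anything else, so the caller can refuse to open a
 * console whose escape sequence could never be typed.
 */
int parse_console_escape(const char *spec, unsigned char *out)
{
    unsigned char c;

    if (spec == NULL || out == NULL)
        return -1;
    if (strlen(spec) != 2 || spec[0] != '^')
        return -1;

    c = (unsigned char)spec[1];
    if (!escape_char_allowed(c))
        return -1;

    /* '@' -> 0x00, ']' -> 0x1D, '_' -> 0x1F.  Outside the range the
     * same xor yields a printable byte: '1' (0x31) would become 'q'. */
    *out = (unsigned char)(c ^ 0x40);
    return 0;
}

int main(void)
{
    /* Constructed sample inputs. */
    const char *samples[] = { "^]", "^@", "^_", "^1", "^a", "]", "^" };
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        unsigned char ctl;

        if (parse_console_escape(samples[i], &ctl) == 0)
            printf("%-3s accepted, control byte 0x%02X\n", samples[i], ctl);
        else
            printf("%-3s rejected\n", samples[i]);
    }
    return 0;
}
```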
The code is splattered with a mix of
    sizeof foo
    sizeof (foo)
    sizeof(foo)
Standardize on sizeof(foo) and add a syntax check rule to
enforce it.
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
Leaks are introduced in commit 1cf0e3d and fe383bb.
This fixes memory leaks. In addition, the patch also fixes a potential missing
return value issue in the 'if (from)' statement; without the fix, although
the program met an error, the subsequent code would continue to be
executed.
* tools/virsh.c (cmdSnapshotList): fix memory leaks and missing return value.
* How to reproduce?
% virsh snapshot-list <domain> --parent --roots
% virsh snapshot-list <domain> --parent --tree
% virsh snapshot-list <domain> --roots --tree
actual result:
error: --parent and --roots are mutually exclusive
error: Failed to disconnect from the hypervisor, 1 leaked reference(s)
error: --parent and --tree are mutually exclusive
error: Failed to disconnect from the hypervisor, 1 leaked reference(s)
error: --roots and --tree are mutually exclusive
error: Failed to disconnect from the hypervisor, 1 leaked reference(s)
% virsh snapshot-create-as <domain> --name "hello"
% virsh snapshot-create-as <domain> --name "libvirt"
% virsh snapshot-list <domain> --roots --from "hello"
actual result:
error: --roots and --from are mutually exclusive
 Name                 Creation Time             State
------------------------------------------------------------
 libvirt              2012-03-28 13:46:51 +0800 running
Signed-off-by: Alex Jia <ajia@redhat.com>
Found when attempting to build on Fedora 17 alpha with:
./autogen.sh --system --enable-compile-warnings=error
(this same build command works without problem on Fedora 16). All
other struct initializers for this struct have the extra field filled
in (almost always to 0), so the two errant ones were fixed by adding
in the extra 0 field.
Return statements with parameter enclosed in parentheses were modified
and parentheses were removed. The whole change was scripted, here is how:
List of files was obtained using this command:
git grep -l -e '\<return\s*([^()]*\(([^()]*)[^()]*\)*)\s*;' | \
grep -e '\.[ch]$' -e '\.py$'
Found files were modified with this command:
sed -i -e \
's_^\(.*\<return\)\s*(\(\([^()]*([^()]*)[^()]*\)*\))\s*\(;.*$\)_\1 \2\4_' \
-e 's_^\(.*\<return\)\s*(\([^()]*\))\s*\(;.*$\)_\1 \2\3_'
Then checked for nonsense.
The whole command looks like this:
git grep -l -e '\<return\s*([^()]*\(([^()]*)[^()]*\)*)\s*;' | \
grep -e '\.[ch]$' -e '\.py$' | xargs sed -i -e \
's_^\(.*\<return\)\s*(\(\([^()]*([^()]*)[^()]*\)*\))\s*\(;.*$\)_\1 \2\4_' \
-e 's_^\(.*\<return\)\s*(\([^()]*\))\s*\(;.*$\)_\1 \2\3_'
Right now, it is appallingly easy to cause qemu disk snapshots
to alter a domain then fail; for example, by requesting a two-disk
snapshot where the second disk name resides on read-only storage.
In this failure scenario, libvirt reports failure, but modifies
the live domain XML in-place to record that the first disk snapshot
was taken; and places a difficult burden on the management app
to grab the XML and reparse it to see which disks, if any, were
altered by the partial snapshot.
This patch adds a new flag where implementations can request that
the hypervisor make snapshots atomically; either no changes to
XML occur, or all disks were altered as a group. If you request
the flag, you either get outright failure up front, or you take
advantage of hypervisor abilities to make an atomic snapshot. Of
course, drivers should prefer the atomic means even without the
flag explicitly requested.
There's no way to make snapshots 100% bulletproof - even if the
hypervisor does it perfectly atomic, we could run out of memory
during the followup tasks of updating our in-memory XML, and report
a failure. However, these sorts of catastrophic failures are rare
and unlikely, and it is still nicer to know that either all
snapshots happened or none of them, as that is an easier state to
recover from.
* include/libvirt/libvirt.h.in
(VIR_DOMAIN_SNAPSHOT_CREATE_ATOMIC): New flag.
* src/libvirt.c (virDomainSnapshotCreateXML): Document it.
* tools/virsh.c (cmdSnapshotCreate, cmdSnapshotCreateAs): Expose it.
* tools/virsh.pod (snapshot-create, snapshot-create-as): Document
it.
This introduces a new running reason VIR_DOMAIN_RUNNING_WAKEUP,
and new suspend event type VIR_DOMAIN_EVENT_STARTED_WAKEUP.
While a wakeup event is emitted, the domain which entered into
VIR_DOMAIN_PMSUSPENDED will be transferred to "running"
with reason VIR_DOMAIN_RUNNING_WAKEUP, and a new domain lifecycle
event emitted with type VIR_DOMAIN_EVENT_STARTED_WAKEUP.
This introduces a new domain state pmsuspended to represent
the domain which has been suspended by guest power management,
e.g. (entered into s3 state). Because a "running" state could
be confused in this case, one will see the guest is paused
actually while playing. And state "paused" is for the domain
which was paused by virDomainSuspend.
Thanks to cgroups, providing user vs. system time of the overall
guest is easy to add to our existing API.
* include/libvirt/libvirt.h.in (VIR_DOMAIN_CPU_STATS_USERTIME)
(VIR_DOMAIN_CPU_STATS_SYSTEMTIME): New constants.
* src/util/virtypedparam.h (virTypedParameterArrayValidate)
(virTypedParameterAssign): Enforce checking the result.
* src/qemu/qemu_driver.c (qemuDomainGetPercpuStats): Fix offender.
(qemuDomainGetTotalcpuStats): Implement new parameters.
* tools/virsh.c (cmdCPUStats): Tweak output accordingly.
Since VIR_DOMAIN_AFFECT_{LIVE,CONFIG,CURRENT} was created,
all new virsh commands use "--config" to represent the
persistent changing. This patch adds a "--config" option
for the old commands which still use "--persistent",
and "--persistent" is now an alias of "--config".
tools/virsh.c: (use "--config", and "--persistent" is
alias of "--config" now).
cmdDomIfSetLink, cmdDomIfGetLink, cmdAttachDevice,
cmdDetachDevice, cmdUpdateDevice, cmdAttachInterface,
cmdDetachInterface, cmdAttachDisk, cmdDetachDisk
tools/virsh.pod: Update docs of the changed commands, and
add some missed docs for "--config" (detach-interface,
detach-disk, and detach-device).
The last vestige of the inaccurate 'kilobytes' when we meant 1024 is
now gone. And virsh is now useful for setting memory in units other
than KiB.
* tools/virsh.c (cmdSetmem, cmdSetmaxmem): Use new helper routine,
allow passing bogus arguments on to hypervisor to test driver
sanity checking, and fix leak on parse error.
(vshMemtuneGetSize): New helper.
(cmdMemtune): Use it.
* tools/virsh.pod (setmem, setmaxmem, memtune): Document this.
You can now do:
virsh vol-resize $vol 10M
virsh blockresize $dom $vol 10M
to get both interfaces to resize to 10MiB. The remaining wart
is that vol-resize defaults to bytes, but blockresize defaults
to KiB, but we can't break existing scripts; oh well, it's no
worse than the same wart of the underlying virDomainBlockResize.
The API for virStorageVolResize states that capacity must always
be positive, and that the presence of shrink and delta flags is
what implies a negative change.
* tools/virsh.c (vshCommandOptScaledInt): New function.
(cmdVolResize): Don't pass negative size.
(cmdVolSize): Rename...
(vshVolSize): ...and use new helper routine.
(cmdBlockResize): Use new helper routine, and support new bytes
flag.
* tools/virsh.pod (NOTES): Document suffixes.
(blockresize, vol-create-as, vol-resize): Point to notes.
Just because our public API has a typo doesn't mean that virsh
has to keep the typo.
* tools/virsh.c (VSH_CMD_FLAG_ALIAS): New flag.
(nodedevCmds): Use it.
(cmdHelp): Omit alias commands.
(cmdNodeDeviceDettach): Rename...
(cmdNodeDeviceDetach): ...to this.
* tools/virsh.pod (nodedev-detach): Document it.
Command line interfaces should use dash, not underscore, as many
keyboard layouts allow that to be typed with fewer shift key presses.
Also, the US spelling of --tunneled gets more google hits than the
UK spelling of --tunnelled.
* tools/virsh.c (opts_migrate): Allow US variant.
(opts_blkdeviotune): Prefer - over _.
* tools/virsh.pod (blkdeviotune): Fix spelling.
In the past, we have created some virsh options with less-than-stellar
names. For back-compat reasons, those names must continue to parse,
but we don't want to document them in help output. This introduces
a new option type, an alias, which points to a canonical option name
later in the option list.
I'm actually quite impressed that our code has already been factored
to do all option parsing through common entry points, such that I
got this added in relatively few lines of code!
* tools/virsh.c (VSH_OT_ALIAS): New option type.
(opts_echo): Hook up an alias, for easy testing.
(vshCmddefOptParse, vshCmddefHelp, vshCmddefGetOption): Allow for
aliases.
* tools/virsh.pod (NOTES): Document promise of back-compat.
* tests/virshtest.c (mymain): Test new feature.
No thanks to 64-bit windows, with 64-bit pid_t, we have to avoid
constructs like 'int pid'. Our API in libvirt-qemu cannot be
changed without breaking ABI; but then again, libvirt-qemu can
only be used on systems that support UNIX sockets, which rules
out Windows (even if qemu could be compiled there) - so for all
points on the call chain that interact with this API decision,
we require a different variable name to make it clear that we
audited the use for safety.
Adding a syntax-check rule only solves half the battle; anywhere
that uses printf on a pid_t still needs to be converted, but that
will be a separate patch.
* cfg.mk (sc_correct_id_types): New syntax check.
* src/libvirt-qemu.c (virDomainQemuAttach): Document why we didn't
use pid_t for pid, and validate for overflow.
* include/libvirt/libvirt-qemu.h (virDomainQemuAttach): Tweak name
for syntax check.
* src/vmware/vmware_conf.c (vmwareExtractPid): Likewise.
* src/driver.h (virDrvDomainQemuAttach): Likewise.
* tools/virsh.c (cmdQemuAttach): Likewise.
* src/remote/qemu_protocol.x (qemu_domain_attach_args): Likewise.
* src/qemu_protocol-structs (qemu_domain_attach_args): Likewise.
* src/util/cgroup.c (virCgroupPidCode, virCgroupKillInternal):
Likewise.
* src/qemu/qemu_command.c(qemuParseProcFileStrings): Likewise.
(qemuParseCommandLinePid): Use pid_t for pid.
* daemon/libvirtd.c (daemonForkIntoBackground): Likewise.
* src/conf/domain_conf.h (_virDomainObj): Likewise.
* src/probes.d (rpc_socket_new): Likewise.
* src/qemu/qemu_command.h (qemuParseCommandLinePid): Likewise.
* src/qemu/qemu_driver.c (qemudGetProcessInfo, qemuDomainAttach):
Likewise.
* src/qemu/qemu_process.c (qemuProcessAttach): Likewise.
* src/qemu/qemu_process.h (qemuProcessAttach): Likewise.
* src/uml/uml_driver.c (umlGetProcessInfo): Likewise.
* src/util/virnetdev.h (virNetDevSetNamespace): Likewise.
* src/util/virnetdev.c (virNetDevSetNamespace): Likewise.
* tests/testutils.c (virtTestCaptureProgramOutput): Likewise.
* src/conf/storage_conf.h (_virStoragePerms): Use mode_t, uid_t,
and gid_t rather than int.
* src/security/security_dac.c (virSecurityDACSetOwnership): Likewise.
* src/conf/storage_conf.c (virStorageDefParsePerms): Avoid
compiler warning.
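One way to do the kind of overflow validation mentioned above for an API that must keep taking the pid as a plain unsigned integer (added example, not the code in src/libvirt-qemu.c). The function name is hypothetical, and rejecting pid 0 is a choice made for this example.

```c
#include <stdio.h>
#include <limits.h>
#include <sys/types.h>

/*
 * Hypothetical helper: convert a pid received as unsigned int (the type
 * the public ABI is stuck with) into pid_t, refusing values that do not
 * survive the conversion.  Returns 0 and stores the pid on success,
 * -1 on rejection.
 */
int checked_pid_from_uint(unsigned int pid_value, pid_t *out)
{
    pid_t pid = (pid_t)pid_value;

    if (out == NULL)
        return -1;

    /* When pid_t is a signed type of the same width, large inputs wrap
     * negative (UINT_MAX becomes -1).  A plain pid != pid_value test
     * would not notice, because the comparison converts both sides back
     * to unsigned.  Negative pids and 0 address process groups in calls
     * such as kill(), so they are rejected here. */
    if (pid <= 0)
        return -1;

    /* Catches a pid_t narrower than unsigned int, where bits are lost. */
    if ((unsigned long long)pid != (unsigned long long)pid_value)
        return -1;

    *out = pid;
    return 0;
}

int main(void)
{
    /* Constructed sample inputs. */
    unsigned int samples[] = { 4765u, 0u, (unsigned int)INT_MAX + 1u, UINT_MAX };
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        pid_t pid;

        /* pid_t has no portable printf conversion, so widen it first. */
        if (checked_pid_from_uint(samples[i], &pid) == 0)
            printf("%u accepted as pid %lld\n", samples[i], (long long)pid);
        else
            printf("%u rejected\n", samples[i]);
    }
    return 0;
}
```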
Now virsh can call virDomainBlockRebase.
* tools/virsh.c (cmdBlockPull): Add --base parameter.
(blockJobImpl): Use it to expose BlockRebase API.
* tools/virsh.pod (blockpull): Document it.
vshFindDisk is to find the disk node in xml doc with given source
path or target of disk device, and type (indicates disk type,
normal disk or changeable disk).
vshPrepareDiskXML is to make changes on the disk node (e.g. create
and insert the new <source> node for inserting media of CDROM drive).
They are marked as unused temporarily.
This patch adds support for the newly introduced
VIR_DOMAIN_CONSOLE_FORCE and VIR_DOMAIN_CONSOLE_SAFE flags. The console
command now has an optional parameter --force that specifies that the
user wants to forcibly interrupt an ongoing console session and create
a new one. Flag --safe requests that the console should be opened only
if the hypervisor driver supports safe console handling.
The behaviour to this point was that the daemon opened two streams to
the console, that competed for data from the pipe, and the result was
that both of the consoles ended up scrambled.
This patch doesn't modify operation of other commands dealing with
console connections (start, create) as those open connections to newly
started domains making it virtually impossible for another client to race
for the console and steal it.
* tools/console.c:
- add support for flag passthrough
* tools/console.h:
- modify function prototypes to match impl.
* tools/virsh.c:
- add flag --force for the console command
If attempting to run
ssh root@somehost virsh console someguest
You'll get an error
2012-02-15 13:11:47.683+0000: 4765: info : libvirt version: 0.9.10, package: 1.fc18 (Unknown, 2012-02-15-11:48:57, lettuce.camlab.fab.redhat.com)
2012-02-15 13:11:47.683+0000: 4765: error : vshRunConsole:320 : unable to get tty attributes: Invalid argument
Connected to domain f16x86_64
Escape character is ^]
There are several problems here
- The actual error message is bad for users
- We shouldn't rely on VIR_ERROR for this case
- The prompt makes it look like we still connected
because we didn't flush stdout.
* virsh.c: Flush stdout before starting console and check
for a valid tty
This patch adds new options to the "virsh list" command enabling
filtering of persistent and transient domains along with the option to
print only UUIDs or names of domains instead of printing the table.
Option --name prints domain names (one per line) instead of the default
table. Similarly --uuid prints domain's UUID. The option --table is
an alias for the default behavior.
Additionally --persistent and/or --transient may be specified to filter
the output of domains.
Any device XML that doesn't use the same order as libvirt generates, or
uses decimal for attributes like "slot" of "<address>", will cause
device detaching to fail, as virsh compares the XML simply earlier
in strict manner before internal parsing.
This is regression introduced by ea7182c.
Commit fad5cd2108 introduces a new flag
that allows showing a domain's title with domains. This commit introduced
a resource leak while listing inactive domains with titles.
Detected by valgrind. The code is allocating 0 bytes of memory to variable
cpumap by the vshCalloc function, and then the function VIR_USE_CPU will access
it later, so an invalid read error will be hit.
* tools/virsh.c (cmdVcpuPin): fix invalid read error.
* How to reproduce?
% valgrind -v --read-var-info=yes virsh vcpupin <domain> 0 0
* Actual result:
==27271== ERROR SUMMARY: 5 errors from 2 contexts (suppressed: 8 from 6)
==27271==
==27271== 1 errors in context 1 of 2:
==27271== Invalid read of size 1
==27271== at 0x39CF087E2E: __GI_memcpy (in /lib64/libc-2.12.so)
==27271== by 0x39CF114FDC: xdrmem_putbytes (in /lib64/libc-2.12.so)
==27271== by 0x39CF114707: xdr_opaque (in /lib64/libc-2.12.so)
==27271== by 0x4D56194: xdr_remote_domain_pin_vcpu_args (remote_protocol.c:1844)
==27271== by 0x4D6CCE1: virNetMessageEncodePayload (virnetmessage.c:341)
==27271== by 0x4D5A44B: virNetClientProgramCall (virnetclientprogram.c:327)
==27271== by 0x4D36EDB: callWithFD (remote_driver.c:4546)
==27271== by 0x4D36F7B: call (remote_driver.c:4567)
==27271== by 0x4D3B2C1: remoteDomainPinVcpu (remote_client_bodies.h:1566)
==27271== by 0x4D199D3: virDomainPinVcpu (libvirt.c:8585)
==27271== by 0x4241F4: cmdVcpuPin (virsh.c:5262)
==27271== by 0x4150A6: vshCommandRun (virsh.c:17712)
==27271== Address 0x5602b80 is 0 bytes after a block of size 0 alloc'd
==27271== at 0x4A04A28: calloc (vg_replace_malloc.c:467)
==27271== by 0x4C89BDF: virAllocN (memory.c:129)
==27271== by 0x423868: _vshCalloc.clone.2 (virsh.c:454)
==27271== by 0x423EF9: cmdVcpuPin (virsh.c:5190)
==27271== by 0x4150A6: vshCommandRun (virsh.c:17712)
==27271== by 0x426583: main (virsh.c:19289)
==27271==
==27271==
==27271== 4 errors in context 2 of 2:
==27271== Invalid read of size 1
==27271== at 0x424133: cmdVcpuPin (virsh.c:5245)
==27271== by 0x4150A6: vshCommandRun (virsh.c:17712)
==27271== by 0x426583: main (virsh.c:19289)
==27271== Address 0x5602b80 is 0 bytes after a block of size 0 alloc'd
==27271== at 0x4A04A28: calloc (vg_replace_malloc.c:467)
==27271== by 0x4C89BDF: virAllocN (memory.c:129)
==27271== by 0x423868: _vshCalloc.clone.2 (virsh.c:454)
==27271== by 0x423EF9: cmdVcpuPin (virsh.c:5190)
==27271== by 0x4150A6: vshCommandRun (virsh.c:17712)
==27271== by 0x426583: main (virsh.c:19289)
Signed-off-by: Alex Jia <ajia@redhat.com>
Our HACKING discourages use of malloc and free, for at least
a couple of years now. But we weren't enforcing it, until now :)
For now, I've exempted python and tests, and will clean those up
in subsequent patches. Examples should be permanently exempt,
since anyone copying our examples won't have use of our
internal-only memory.h via libvirt_util.la.
* cfg.mk (sc_prohibit_raw_allocation): New rule.
(exclude_file_name_regexp--sc_prohibit_raw_allocation): and
exemptions.
* src/cpu/cpu.c (cpuDataFree): Avoid false positive.
* src/conf/network_conf.c (virNetworkDNSSrvDefParseXML): Fix
offenders.
* src/libxl/libxl_conf.c (libxlMakeDomBuildInfo, libxlMakeVfb)
(libxlMakeDeviceModelInfo): Likewise.
* src/rpc/virnetmessage.c (virNetMessageSaveError): Likewise.
* tools/virsh.c (_vshMalloc, _vshCalloc): Likewise.
Detected by valgrind. Leak is introduced in commit 3bb6bcf.
Free 'vol' memory before allocating memory, the codes will miss one time
free when 'vol_i = nvolumes' in for loop, so plug memory leak.
* tools/virsh.c: fix memory leak on cmdUndefine.
* How to reproduce?
% dd if=/dev/null of=/var/lib/libvirt/images/foo bs=1 count=1 seek=10M
% virsh define foo.xml (disk source file points to '/var/lib/libvirt/images/foo')
% virsh vol-clone foo foo-clone default (the original guest name is 'foo')
% virsh pool-refresh default
% virsh vol-list default (make sure 'foo-clone' volume exists)
% virsh define foo-clone.xml (disk source file points to '/var/lib/libvirt/images/foo-clone')
% valgrind -v --leak-check=full virsh undefine foo-clone --remove-all-storage
* Actual results:
1. virsh output
Domain foo-clone has been undefined
Volume '/var/lib/libvirt/images/foo-clone' removed.
error: Failed to disconnect from the hypervisor, 1 leaked reference(s)
2. valgrind result
==6515== 92 (40 direct, 52 indirect) bytes in 1 blocks are definitely lost in loss record 46 of 69
==6515== at 0x4A04A28: calloc (vg_replace_malloc.c:467)
==6515== by 0x4C89B71: virAlloc (memory.c:101)
==6515== by 0x4CFCACE: virGetStorageVol (datatypes.c:724)
==6515== by 0x4D4A8E0: remoteStorageVolLookupByPath (remote_driver.c:4664)
==6515== by 0x4D07153: virStorageVolLookupByPath (libvirt.c:12508)
==6515== by 0x4270E6: cmdUndefine (virsh.c:2828)
==6515== by 0x4151B6: vshCommandRun (virsh.c:17693)
==6515== by 0x4264D3: main (virsh.c:19270)
==6515==
==6515== LEAK SUMMARY:
==6515== definitely lost: 40 bytes in 1 blocks
RHBZ: https://bugzilla.redhat.com/show_bug.cgi?id=786674
Signed-off-by: Alex Jia <ajia@redhat.com>
This patch adds a new command "desc" to show and modify titles and
description for the domains using the new API.
This patch also adds a new flag for the "list" command to show titles in
the domain list, to allow easy identification of VMs by storing a short
description.
Example:
virsh # list --title
 Id Name                 State      Title
-----------------------------------------------
  0 Domain-0             running    Mailserver 1
  2 fedora               paused
Add a new function to allow changing of capacity of storage volumes.
Plan out several flags, even if not all of them will be implemented
up front.
Expose the new command via 'virsh vol-resize'.
Signed-off-by: Eric Blake <eblake@redhat.com>
Currently, we support only filling a volume with zeroes on wiping.
However, it is not enough as data might still be readable by
an experienced and equipped attacker. Many technical papers have been
written, therefore we should support other wiping algorithms.
Extend the 'shutdown' and 'reboot' methods so that they both
accept a new argument
--mode acpi|agent
* tools/virsh.c: New args for shutdown/reboot
* tools/virsh.pod: Document new args
Other virsh domifXXX commands can accept target name
as a parameter to specify interface. From viewpoint of
consistency, virsh domif-getlink command should accept
target name as a parameter. This patch achieves this.
Signed-off-by: Taku Izumi <izumi.taku@jp.fujitsu.com>