Split out the 'shallow' and 'reuse' flags as booleans rather than passing
in flags and constructing them in irrelevant APIs.
Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
Split out the 'shallow' flag as a boolean argument rather than passing
in flags and constructing them in irrelevant APIs.
Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
The NBD migration code uses drive/blockdev-mirror internally. In those
APIs we pass around flags for the monitor commands which are based on
the flags for the virDomainBlockRebase API. Since there's only one flag
which changes, pass it around explicitly rather than obscuring it in a
bitfield.
Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
At the point when we want to modify the permissions for the 'mirror' we
know whether it is supposed to have a backing chain or no. Given that
mirror->backingStore is populated only when we'd need to touch it ayways
we can use qemuDomainStorageSourceChainAccessAllow even in place of
qemuDomainStorageSourceAccessAllow used for other cases to simplify the
code.
Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
One code path open-coded qemuDomainStorageSourceChainAccessAllow badly
and also did not integrate with the locking code.
Replace the separate calls with qemuDomainStorageSourceChainAccessAllow
which does everything internally.
Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
Since 4e797f1a we parse backingStore of mirror which will later be used
with blockdev. Add some validation for the user passed mirror at the
current point to make sure it's not used improperly.
Validate that it's not used without blockdev and also that it's not
passed when not requesting a shallow copy. Also add a chain terminator
for a deep copy since we know the resulting mirror will not have chain.
Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
Since 3decae00e9 qemuDomainStorageSourceAccessAllow revokes the
permissions it granted if it fails halfway, thus we can remove some
calls to qemuDomainStorageSourceAccessRevoke which tried to undo this
situation.
Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
Since 3decae00e9 qemuDomainStorageSourceAccessRevoke keeps the libvirt
error which was set prior to the call around even after the call, thus
we don't need to do the same when reverting access in the block copy
code.
Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
When aborting or pivoting a block job we record which operation we do
for the mirror in the virDomainDiskDef structure. As everything is
synchronized by a job it's not necessary to modify the state prior to
calling the monitor and resetting the state on failure.
Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
All blockjobs get their status updated by events from qemu, so this code
no longer makes sense.
Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
When used with the new job handler the values will also include some of
the non-public values from qemuBlockjobState. Modify the comment to
clarify this.
Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
The virtlogd daemon's only intended client is the libvirtd daemon. As
such it should never allow clients from other user accounts to connect.
The code already enforces this and drops clients from other UIDs, but
we can get earlier (and thus stronger) protection against DoS by setting
the socket permissions to 0600
Fixes CVE-2019-10132
Reviewed-by: Ján Tomko <jtomko@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
The virtlockd daemon's only intended client is the libvirtd daemon. As
such it should never allow clients from other user accounts to connect.
The code already enforces this and drops clients from other UIDs, but
we can get earlier (and thus stronger) protection against DoS by setting
the socket permissions to 0600
Fixes CVE-2019-10132
Reviewed-by: Ján Tomko <jtomko@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
The admin protocol RPC messages are only intended for use by the user
running the daemon. As such they should not be allowed for any client
UID that does not match the server UID.
Fixes CVE-2019-10132
Reviewed-by: Ján Tomko <jtomko@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
In attempt to getting rid of errN labels let's start with the
most upper one and rename it to 'error'.
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Erik Skultety <eskultet@redhat.com>
This reverts commit dfd70ca1eb.
Pushed by a mistake, sorry. There's still some discussion going
on upstream.
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
The libvirt-daemon-driver-qemu RPM has historically had a hard
dependency on the libvirt-daemon-driver-network and
libvirt-daemon-driver-storage-core packages. This was because the QEMU
driver would directly call into APIs that were part of these drivers.
The dependency to the storage driver was eliminated in
commit 064fec69be
Author: Daniel P. Berrangé <berrange@redhat.com>
Date: Thu Jan 25 09:35:46 2018 +0000
storage: move storage file backend framework into util directory
The dependency to the network driver was eliminated in
commit 5b13570ab8
Author: Daniel P. Berrangé <berrange@redhat.com>
Date: Thu Jan 25 09:35:47 2018 +0000
conf: introduce callback registration for domain net device allocation
commit 1438aea4ee
Author: Daniel P. Berrangé <berrange@redhat.com>
Date: Thu Jan 25 09:35:48 2018 +0000
conf: expand network device callbacks to cover bandwidth updates
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
Qemu added reporting of virtio balloon new statistics stat-htlb-pgalloc and
stat-htlb-pgfail since qemu-3.0 commit b7b12644297. The value of
stat-htlb-pgalloc represents the number of successful hugetlb page allocations
while stat-htlb-pgfail represents the number of failed ones. Add this
statistics reporting to libvirt.
To enable this feature for vm, guest kenel >= 4.17 is required because
the exporting hugetlb page allocation for virtio balloon is introduced
since 6c64fe7f.
Signed-off-by: Han Han <hhan@redhat.com>
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Snapshot create operation saves the live XML and uses it to replace the
domain definition in case of revert. But the VM config XML is not saved
and the revert operation does not address this issue. This commit
prevents the config XML from being overridden by snapshot definition.
An active domain stores both current and new definitions. The current
definition (vm->def) stores the live XML and the new definition
(vm->newDef) stores the config XML. In an inactive domain, only the
config XML is persistent, and it's saved in vm->def.
The revert operation uses the virDomainObjAssignDef() to set the
snapshot definition in vm->newDef, if domain is active, or in vm->def
otherwise. But before that, it saves the old value to return to
caller. This return is used here to restore the config XML after
all snapshot startup process finish.
Signed-off-by: Maxiwell S. Garcia <maxiwell@linux.ibm.com>
We can't rely on $(noinst_PROGRAMS) retaining its original
value, so let's use a separate $(EXAMPLES) variable instead.
Signed-off-by: Andrea Bolognani <abologna@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
If an FD is passed into a child using:
virCommandPassFD(cmd, fd, VIR_COMMAND_PASS_FD_CLOSE_PARENT);
then the parent should refrain from touching @fd thereafter. This
is even documented in virCommandPassFD() comment. The reason is
that either at virCommandRun()/virCommandRunAsync() or
virCommandFree() time the @fd will be closed. Closing it earlier,
e.g. right after virCommandPassFD() call might result in
undesired results. Another thread might open a file and receive
the same FD which is then unexpectedly closed by virCommandFree()
or virCommandRun().
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
Various binaries are statically linking to libvirt_util.la and
other intermediate libraries we build. These intermediate libs
all get built into the main libvirt.so shared library eventually,
so we can dynamically link to that instead and reduce the on disk
footprint.
In libvirt-daemon RPM:
virtlockd: 1.6 MB -> 153 KB
virtlogd: 1.6 MB -> 157 KB
libvirt_iohelper: 937 KB -> 23 KB
In libvirt-daemon-driver-network RPM:
libvirt_leaseshelper: 940 KB -> 26 KB
In libvirt-daemon-driver-storage-core RPM:
libvirt_parthelper: 926 KB -> 21 KB
IOW, about 5.6 MB total space saving in a build done on Fedora 30
x86_64 architecture.
Reviewed-by: Ján Tomko <jtomko@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
We provide default values for both MODPROBE and RMMOD and thus
there is no way that their paths can be empty strings.
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
https://bugzilla.redhat.com/show_bug.cgi?id=1710575
It may happen that the system where libvirt is built at doesn't
have udevadm binary but the one where it runs does have it.
If we change how udevadm is run in virWaitForDevices() then we
can safely pass a default value in m4 macro.
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
The udevsettle binary is no longer used anywhere as it was
replaced by 'udevadm settle'. There's no reason for us to even
check for it in configure.
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
It's not true that there is a backup loop. There isn't. Drop this
part of the comment to not confuse anybody.
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
Since we know the full list of machine types supported
by the QEMU binary when probing machine type properties,
we can save some work (and eventually test suite churn,
as more architecture-specific machine types need to be
probed) by only probing machines that we know exist.
Signed-off-by: Andrea Bolognani <abologna@redhat.com>
Reviewed-by: Pavel Hrdina <phrdina@redhat.com>
Now that we're probing machine type properties using the
latest machine type rather than the "spapr-machine" parent,
we can finally discover properties that are not available
on all machine types.
This commit refreshes replies for QEMU 4.0.0 as well as
3.1.0 to show not only that we're actually discovering new
machine type properties this way, but also that the number
of available machine type properties increases with each
subsequent QEMU release.
If qom-list-properties had been available in QEMU 2.10.0,
we could now drop the explicit version number checks for
the QEMU_CAPS_MACHINE_PSERIES_MAX_CPU_COMPAT and
QEMU_CAPS_MACHINE_PSERIES_RESIZE_HPT capabilities, but
unfortunately it wasn't, so we have to keep them around
still.
Signed-off-by: Andrea Bolognani <abologna@redhat.com>
Reviewed-by: Pavel Hrdina <phrdina@redhat.com>
Now that we have the list of machine types available when
probing machine type properties, we can list properties for
the canonicalized version of the "pseries" machine type
instead of having to go through "spapr-machine", which we
know to be the parent type for all "pseries-*-machine"
types. By doing this, we'll be able to find even properties
that are only available from a certain versioned machine
type forward, and can't thus be obtained when looking at
the parent type only.
Signed-off-by: Andrea Bolognani <abologna@redhat.com>
Reviewed-by: Pavel Hrdina <phrdina@redhat.com>
The QOM type for machine types is the machine type name
followed by the -machine suffix. Since this is always the
case, we can make virQEMUCapsMachineProps more readable
and avoid repetition by not including the suffix there and
adding it automatically while processing the data; moreover,
when later on we will start figuring out which specific
versioned machine type to probe at runtime instead of doing
so statically, adding the suffix dynamically will become
necessary.
Signed-off-by: Andrea Bolognani <abologna@redhat.com>
Reviewed-by: Pavel Hrdina <phrdina@redhat.com>
We're going to need information about available machine types
when probing machine type properties soon, and that means we
have to change the order we call QMP commands.
Signed-off-by: Andrea Bolognani <abologna@redhat.com>
Reviewed-by: Pavel Hrdina <phrdina@redhat.com>
Up until now we've probed machine type properties, along with
properties for other types, in virQEMUCapsProbeQMPDevices(), but
soon we're going to need some logic that is specific to machine
types and as such wouldn't quite fit into that function.
Signed-off-by: Andrea Bolognani <abologna@redhat.com>
Reviewed-by: Pavel Hrdina <phrdina@redhat.com>
Commit c257352797 introduced a logic bug where we will never save the
inactive XML after a blockjob as the variable which was determining
whether to do so is cleared right before. Thus even if we correctly
modify the inactive state it will be rolled back when libvirtd is
restarted.
Reported-by: Thomas Stein <hello@himbee.re>
Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
It has been exported by systemd commit
commit a571c23e954cb88cdd5faa28593b19bd7c340130
libudev: export udev_monitor_set_receive_buffer_size()
released in v183.
Signed-off-by: Ján Tomko <jtomko@redhat.com>
Reviewed-by: Pavel Hrdina <phrdina@redhat.com>
This is the version of systemd RHEL/CentOS 7 uses:
https://repology.org/project/systemd/versions
Oldest tracked openSUSE distros have 228,
Ubuntu 16.04 has 229 and Gentoo's alternative eudev
has bumped the version to 219 back in 2015.
Signed-off-by: Ján Tomko <jtomko@redhat.com>
Reviewed-by: Pavel Hrdina <phrdina@redhat.com>
When a vhost scsi device is hotplugged virt-aa-helper is called to
add the respective path.
For example the config:
<hostdev mode='subsystem' type='scsi_host' managed='no'>
<source protocol='vhost' wwpn='naa.50014059de6fba4f'/>
</hostdev>
Will call it to add:
/sys/kernel/config/target/vhost//naa.50014059de6fba4f
But in general /sys paths are filtered in virt-aa-helper.c:valid_path
To allow the path used for vhost-scsi we need to add it to the list of
known and accepted overrides.
Fixes: https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1829223
Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
The function was deprecated in udev 219 and all the supported OSes
don't have older version of udev or systemd.
Signed-off-by: Pavel Hrdina <phrdina@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
CPU features that always were a no-op in qemu got removed there.
We no more specify them as that would trigger errors and fail to start
qemu. This test ensures that those features really are not rendered into
qemu command line.
Without the related fix this test will trigger and fail like:
In 'tests/qemuxml2argvdata/cpu-no-removed-features.args':
Offset 371
Expect [ ]
Actual [,-osxsave,-ospke ]
Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
Reviewed-by: Daniel Henrique Barboza <danielhb413@gmail.com>
Tested-by: Daniel Henrique Barboza <danielhb413@gmail.com>
Qemu dropped cpu features for osxsave and ospke [1][2].
The reason for the instant removal is that those features were never
configurable as discussed in [3].
Fortunately the use cases adding those flags in the past are rare, but
they exist. One that I identified are e.g. older virt-install when used
with --cpu=host-model and there always could be the case of a user
adding it to the guest xml.
This triggers an issue like:
qemu-system-x86_64: can't apply global Broadwell-noTSX-x86_64-
cpu.osxsave=on: Property '.osxsave' not found
Ensure that this does no more break spawning newer qemu versions by
not rendering those features into the qemu command line.
Fixes: https://bugs.launchpad.net/fedora/+source/qemu/+bug/1825195
Resolves: https://bugzilla.redhat.com/1644848
[1]: https://git.qemu.org/?p=qemu.git;a=commit;h=f1a2352
[2]: https://git.qemu.org/?p=qemu.git;a=commit;h=9ccb978
[3]: https://www.mail-archive.com/qemu-devel@nongnu.org/msg561877.html
Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
Reviewed-by: Daniel Henrique Barboza <danielhb413@gmail.com>
Tested-by: Daniel Henrique Barboza <danielhb413@gmail.com>
CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, CVE-2019-11091
The bit is set when microcode provides the mechanism to invoke a flush
of various exploitable CPU buffers by invoking the VERW instruction.
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Jiri Denemark <jdenemar@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
