Commit Graph

35806 Commits

Author SHA1 Message Date
Huaqiang
1d0c3c3a62 cachetune schema: a looser check for the order of <cache> and <monitor> element
Originally, inside <cputune/cachetune>, it requires the <cache> element to
be in the position before <monitor>, and following configuration is not
permitted by schema, but it is better to let it be valid.

  <cputune>
    <cachetune vcpus='0-1'>
      <monitor level='3' vcpus='0-1'/>
            ^
            |__ Not permitted originally because it is in the place
                before <cache> element.

      <cache id='0' level='3' type='both' size='3' unit='MiB'/>
      <cache id='1' level='3' type='both' size='3' unit='MiB'/>
    </cachetune>
    ...
  </cputune>

And, let schema do more strict check by identifying following configuration to
be invalid, due to <cachetune> should contain at least one <cache> or <monitor>
element.

  <cputune>
    <cachetune vcpus='0-1'>
        ^
        |__ a <cachetune> SHOULD contain at least one <cache> or <monitor>

    </cachetune>
    ...
  </cputune>

Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Signed-off-by: Huaqiang <huaqiang.wang@intel.com>
2019-12-13 15:31:26 +00:00
Huaqiang
d0431255aa conf: showing cache/memoryBW monitor features in capabilities
We learned that the hardware features of CAT, CMT, MBA and MBM
are orthogonal ones, if CAT or MBA is not supported in system,
but CMT or MBM are supported, then the cache monitor or
memoryBW monitor features may not be correctly displayed in
host capabilities through command 'virsh capabilites'.

Showing the cache/memoryBW monitor capabilities even there is
no support of cache allocation or memoryBW allocation features.

Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Signed-off-by: Huaqiang <huaqiang.wang@intel.com>
2019-12-13 15:27:07 +00:00
Ján Tomko
20071c9f99 Remove redundant usage of WITH_YAJL
As of commit 2a00ef6e71 which
was released in v5.2.0, we require YAJL to build the QEMU driver.

Remove the checks from code that requires the QEMU driver
or checks that also check for WITH_QEMU.

Signed-off-by: Ján Tomko <jtomko@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
2019-12-13 14:57:32 +01:00
Daniel P. Berrangé
1100931f8d docs: remove link to virsh cmd ref & app dev guide
Both the application developer guide and virsh command
reference are unmaintained for best part of 8 years, and
so horrifically out of date. This does not give a good
impression to people reading the docs. Now that we are
publishing the man pages online, those are a better
doc to read for virsh.  We can also highlight the API
reference instead of the app dev guide.

The virsh command reference & app dev guide will
still exist on the web root, but will not be linked
to.

Reviewed-by: Ján Tomko <jtomko@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
2019-12-13 13:55:35 +00:00
Yingle Hou
153fcfd8d7 cputest: Add CPUID data for Hygon Dhyana 7185 32-core Processor
Add Hygon Dhyana CPU data test case related files.

Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Signed-off-by: Yingle Hou <houyingle@hygon.cn>
2019-12-13 13:05:01 +00:00
Yingle Hou
7a53afcd10 cpu: Add new Dhyana CPU model
Add Hygon Dhyana CPU model to the processor model.

Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Signed-off-by: Yingle Hou <houyingle@hygon.cn>
2019-12-13 13:05:00 +00:00
Yingle Hou
528356f46b cpu: Remove the verification conditions of the model in the x86 signatures
The x86ModelParseSignatures function makes an assumption that CPU signature
model equals 0 as an invalid case. While in Hygon processor definition, A1
version (model 0, stepping 1) is mass production version, to support Hygon
Dhyana A1 version, we have removed CPU signature model zero checking condition.

Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Signed-off-by: Yingle Hou <houyingle@hygon.cn>
2019-12-13 13:05:00 +00:00
Jiri Denemark
f411b7ef68 cpu_map: Add TSX_CTRL bit for IA32_ARCH_CAPABILITIES MSR
CVE-2019-11135

When TSX_CTRL bit of IA32_ARCH_CAPABILITIES MSR is set to 1, the CPU
supports IA32_TSX_CTRL MSR which can be used to disable and/or mask TSX.

Signed-off-by: Jiri Denemark <jdenemar@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
2019-12-13 13:25:27 +01:00
Jiri Denemark
07aaced4e6 cpu_map: Add TAA_NO bit for IA32_ARCH_CAPABILITIES MSR
CVE-2019-11135

CPUs with TAA_NO bit of IA32_ARCH_CAPABILITIES MSR set to 1 are not
vulnerable to TSX Asynchronous Abort and passing this bit to a guest
may avoid unnecessary mitigations.

Signed-off-by: Jiri Denemark <jdenemar@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
2019-12-13 13:25:27 +01:00
Peter Krempa
9851a0f390 tests: qemublock: Add tests for cross-snapshot incremental backups
Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
2019-12-13 13:22:55 +01:00
Peter Krempa
450888d96b qemu: backup: Merge bitmaps accross the backing chain
To allow backups work across external snapshots we need to improve the
algorithm which calculates which bitmaps to merge.

The algorithm must look for appropriately named bitmaps in the image and
possibly descend into a backing image if the current image does not have
the bitmap.

Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
2019-12-13 13:22:55 +01:00
Peter Krempa
b7f2cd4652 qemu: block: Introduce qemuBlockNamedNodeDataGetBitmapByName
This function looks up a named bitmap for a virStorageSource in the data
returned from query-named-block-nodes.

Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
2019-12-13 13:22:55 +01:00
Peter Krempa
7dfd5d8d81 tests: qemublock: Add testing of bitmap merging for incremental backups
Add test code which will crawl a fake internal list of checkpoints and
generate the list of bitmaps for merging to gather the final bitmap for
the backup.

The initial tests cover the basic case of all bitmaps being present in
the top layer of the backing chain.

Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
2019-12-13 13:22:55 +01:00
Peter Krempa
59999670f2 qemu: backup: Export qemuBackupDiskPrepareOneBitmapsChain for tests
Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
2019-12-13 13:22:55 +01:00
Peter Krempa
775228dccf qemu: backup: Propagate bitmap metadata into qemuBackupDiskPrepareOneBitmapsChain
The function will require the bitmap topology for the full
implementation. To facilitate testing, add the propagation of the
necessary data beforehand so that the test code can stay unchanged
during the changes.

Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
2019-12-13 13:22:55 +01:00
Peter Krempa
3323e85bf6 qemu: backup: Extract calculations of bitmaps to merge for incremental backup
Separate the for now incomplete code that collects the bitmaps to be
merged for an incremental backup into a separate function. This will
allow adding testing prior to the improvement of the algorithm to
include snapshots.

Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
2019-12-13 13:22:55 +01:00
Peter Krempa
d0e829e232 qemu: backup: Return 'def' instead of 'obj' from qemuBackupBeginCollectIncrementalCheckpoints
The object itself has no extra value and it would make testing the code
harder. Refactor it to remove just the definition pointer.

Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
2019-12-13 13:22:55 +01:00
Peter Krempa
0b27b655b1 tests: qemublock: Add test case for detecting bitmaps as we create snapshots
Add test data gathered from a run of qemu after creating bitmaps and
snapshots together in various combinations.

The following sequence of commands was used to achieve the
configuration:

virsh checkpoint-create-as VM --name a
virsh snapshot-create-as VM --disk-only
virsh snapshot-create-as VM --disk-only
virsh checkpoint-create-as VM --name b
virsh checkpoint-create-as VM --name c
virsh snapshot-create-as VM --disk-only
virsh checkpoint-create-as VM --name d
virsh snapshot-create-as VM --disk-only
virsh checkpoint-create-as VM --name current

Note that VM was restarted after these operations to allow renumbering
of the bitmaps in a more human-readable way.

Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
2019-12-13 13:22:55 +01:00
Peter Krempa
3283445212 qemu: snapshot: Propagate active bitmaps through external snapshots
Re-create any active persistent bitmap in the snapshot overlay image so
that tracking for a checkpoint is persisted. While this basically
duplicates data in the allocation map it's currently the only possible
way as qemu can't mirror the allocation map into a dirty bitmap if we'd
ever want to do a backup.

Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
2019-12-13 13:22:55 +01:00
Peter Krempa
f1bc1f0fe5 qemu: monitor: Add 'granularity' parameter for block-dirty-bitmap-add
Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
2019-12-13 13:22:55 +01:00
Peter Krempa
1946485207 qemu: snapshot: Fold formatting of snapshot transaction into prepare func
qemuDomainSnapshotDiskPrepareOne is already called for each disk which
is member of the snapshot so we don't need to iterate through the
snapshot list again to generate members of the 'transaction' command for
each snapshot.

Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
2019-12-13 13:22:55 +01:00
Peter Krempa
4258eba6ed qemu: Check for explicit failure of qemuBlockSnapshotAddBlockdev
Check that the value is less than 0.

Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
2019-12-13 13:22:55 +01:00
Peter Krempa
1326fd1ce6 tests: qemublocktest: Add a synthetic test case for bitmap detection
The real data gathered for the 'basic' test case don't exercise some
fields. Add a copy with a few values modified manually.

Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
2019-12-13 13:22:55 +01:00
Peter Krempa
9aac9d5bda tests: qemublock: Add test for bitmap detection
Test the extraction of data about changed block tracking bitmaps. The
first test case adds a simple scenario of multiple bitmaps in one layer.

The test data will be also later reused for testing the code that
determines which bitmaps to merge for an incremental backup.

The sequence of bitmaps was created by the libvirt checkpoint API with
the following sequence of commands:

virsh checkpoint-create-as VM --name a
virsh checkpoint-create-as VM --name b
virsh checkpoint-create-as VM --name c
virsh checkpoint-create-as VM --name d
virsh checkpoint-create-as VM --name current

Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
2019-12-13 13:22:55 +01:00
Peter Krempa
7a185d2f6e qemu: monitor: Extract internals of qemuMonitorJSONBlockGetNamedNodeData
For testing purposes it will be beneficial to be able to parse the data
from JSON directly rather than trying to simulate the monitor. Extract
the worker bits and export them.

Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
2019-12-13 13:22:55 +01:00
Peter Krempa
fdb22e4e43 qemu: monitor: Extract data about dirty-bimaps in qemuMonitorBlockGetNamedNodeData
We will need to inspect the presence and attributes for dirty bitmaps.
Extract them when processing reply of query-named-block-nodes.

Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
2019-12-13 13:22:55 +01:00
Andrea Bolognani
2ecb855b83 gitlab: Move mips job to Debian 9
Support for the mips architecture has been dropped from Debian
sid. Move the mipsel job from Debian 9 to Debian sid at the same
time to keep things balanced.

Signed-off-by: Andrea Bolognani <abologna@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
2019-12-13 13:12:13 +01:00
Daniel P. Berrangé
8d157c13cc qemu: honour parseOpaque instead of refetching caps
The use of the parseOpaque parameter was mistakenly removed in

  commit 4a4132b462
  Author: Daniel P. Berrangé <berrange@redhat.com>
  Date:   Tue Dec 3 10:49:49 2019 +0000

    conf: don't use passed in caps in post parse method

causing the method to re-fetch qemuCaps that were already just
fetched and put into parseOpaque.

This is inefficient when parsing incoming XML, but for live
XML this is more serious as it means we use the capabilities
for the current QEMU binary on disk, rather than the running
QEMU.

That commit, however, did have a useful side effect of fixing
a crasher bug in the qemu post parse callback introduced by

  commit 5e939cea89
  Author: Jiri Denemark <jdenemar@redhat.com>
  Date:   Thu Sep 26 18:42:02 2019 +0200

    qemu: Store default CPU in domain XML

The qemuDomainDefSetDefaultCPU() method in that patch did not
allow for the possibility that qemuCaps would be NULL and thus
resulted in a SEGV.

This shows a risk in letting each check in the post parse
callback look for qemuCaps == NULL. The safer option is to
check once upfront and immediately stop (postpone) further
validation.

Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
2019-12-12 16:30:02 +00:00
Daniel P. Berrangé
87a8b81d40 qemu: check os type / virt type / arch in validate callback
Don't check os type / virt type / arch in the post-parse callback
because we can't assume qemuCaps is non-NULL at this point. It
also conceptually belongs to the validation callback.

Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
2019-12-12 16:30:02 +00:00
Daniel P. Berrangé
62e4a75ef4 tests: add a domain ID to live status XML doc
The status XML represents a running VM, so we should always have an
ID present for the domain.

Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
2019-12-12 16:30:02 +00:00
Jonathon Jongsma
ffa5066a49 qemu: remove use of qemuDomainObjBeginJobWithAgent()
This function will be removed in a future commit because it allows the
caller to acquire both monitor and agent jobs at the same time. Holding
both job types creates a vulnerability to denial of service from a
malicious guest agent.

qemuDomainSetVcpusFlags() always passes NONE for either the monitor job
or the agent job (and thus is not vulnerable to the DoS), so we can
simply replace this function with the functions for acquiring the
appropriate type of job.

Signed-off-by: Jonathon Jongsma <jjongsma@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
2019-12-12 15:43:58 +01:00
Jonathon Jongsma
e005c95f56 qemu: don't hold monitor and agent job when setting time
We have to assume that the guest agent may be malicious so we don't want
to allow any agent queries to block any other libvirt API. By holding
a monitor job while we're querying the agent, we open ourselves up to a
DoS.

Split the function so that the portion issuing the agent command only
holds an agent job and the portion issuing the monitor command holds
only a monitor job.

Signed-off-by: Jonathon Jongsma <jjongsma@redhat.com>
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
2019-12-12 15:43:58 +01:00
Jonathon Jongsma
a663a86081 qemu: don't hold both jobs for suspend
We have to assume that the guest agent may be malicious so we don't want
to allow any agent queries to block any other libvirt API. By holding a
monitor job while we're querying the agent, we open ourselves up to a
DoS.

So split the function up a bit to only hold the monitor job while
querying qemu for whether the domain supports suspend. Then acquire only
an agent job while issuing the agent suspend command.

Signed-off-by: Jonathon Jongsma <jjongsma@redhat.com>
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
2019-12-12 15:43:58 +01:00
Jonathon Jongsma
0a98931211 qemu: don't hold a monitor and agent job for reboot
We have to assume that the guest agent may be malicious so we don't want
to allow any agent queries to block any other libvirt API. By holding
a monitor job while we're querying the agent, we open ourselves up to a
DoS.

Split the function so that we only hold the appropriate type of job
while rebooting.

Signed-off-by: Jonathon Jongsma <jjongsma@redhat.com>
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
2019-12-12 15:43:58 +01:00
Jonathon Jongsma
1cb8bc52c1 qemu: don't take agent and monitor job for shutdown
We have to assume that the guest agent may be malicious so we don't want
to allow any agent queries to block any other libvirt API. By holding
a monitor job while we're querying the agent, we open ourselves up to a
DoS.  So split the function into separate parts: one that does the agent
shutdown and one that does the monitor shutdown. Each part holds only a
job of the appropriate type.

Signed-off-by: Jonathon Jongsma <jjongsma@redhat.com>
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
2019-12-12 15:43:58 +01:00
Ján Tomko
cae955eba2 docs: hacking: document removal of VIR_STR(N)DUP
Signed-off-by: Ján Tomko <jtomko@redhat.com>
Reviewed-by: Daniel Henrique Barboza <danielhb413@gmail.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
2019-12-12 14:24:35 +01:00
Ján Tomko
610963cd04 util: remove VIR_STRDUP and VIR_STRNDUP
Signed-off-by: Ján Tomko <jtomko@redhat.com>
Reviewed-by: Daniel Henrique Barboza <danielhb413@gmail.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
2019-12-12 14:24:35 +01:00
Ján Tomko
ca4c90b435 tests: delete tests for VIR_STR(N)DUP
Signed-off-by: Ján Tomko <jtomko@redhat.com>
Reviewed-by: Daniel Henrique Barboza <danielhb413@gmail.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
2019-12-12 14:24:35 +01:00
Ján Tomko
93de3025b4 Remove the rest of VIR_STRNDUP
Replace all the uses passing a single parameter as the length.

Signed-off-by: Ján Tomko <jtomko@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
2019-12-12 14:24:35 +01:00
Ján Tomko
b315a2873b Remove all the uses that use subtraction in their length argument
Signed-off-by: Ján Tomko <jtomko@redhat.com>
Reviewed-by: Daniel Henrique Barboza <danielhb413@gmail.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
2019-12-12 14:24:35 +01:00
Ján Tomko
7318bff551 Remove VIR_STRNDUP usage with checked pointers
Remove the usage where sanity of the length argument is verified
by other conditions not matching the previous patches.

Signed-off-by: Ján Tomko <jtomko@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
2019-12-12 14:24:34 +01:00
Ján Tomko
997340588b vsh: remove vshErrorOOM
We abort on allocation errors now so there is no need to
have a function for it.

Replace the only use by return -1, chosen by fair dice roll.

Signed-off-by: Ján Tomko <jtomko@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
2019-12-12 14:24:34 +01:00
Ján Tomko
99114a6259 Remove VIR_STRDUP usage that sneaked in in the meantime
My hesitation to remove VIR_STRDUP without VIR_STRNDUP resulted
in these being able to sneak in.

Signed-off-by: Ján Tomko <jtomko@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
2019-12-12 14:24:34 +01:00
Daniel P. Berrangé
572ce352da docs: stop using syntax highlighting for man page code blocks
Some versions of the rst2man convertor are buggy failing to
cope with syntax highlighting in code blocks.

This isn't something we really need for the man page code
blocks, so we can just delete the highlighting directive.

Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
2019-12-12 11:16:47 +00:00
Daniel P. Berrangé
766c8ae963 Revert "qemu: directly create virResctrlInfo ignoring capabilities"
This reverts commit 7be5fe66cd.

This commit broke resctrl, because it missed the fact that the
virResctrlInfoGetCache() has side-effects causing it to actually
change the virResctrlInfo parameter, not merely get data from
it.

This code will need some refactoring before we can try separating
it from virCapabilities again.

Reviewed-by: Cole Robinson <crobinso@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
2019-12-12 11:16:44 +00:00
Andrea Bolognani
4af076f163 ci: Fix VPATH builds
The CI build machinery is intentionally not handled by autotools,
so for VPATH builds - which are mandatory now - we need to make
sure we're looking into $(srcdir).

Signed-off-by: Andrea Bolognani <abologna@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
2019-12-12 11:42:34 +01:00
Pavel Mores
d75f865fb9 qemu: fix concurrency crash bug in snapshot revert
This commit aims to fix

https://bugzilla.redhat.com/show_bug.cgi?id=1610207

The cause was apparently incorrect handling of jobs in snapshot
revert code which allowed a thread executing snapshot delete to
begin job while snapshot revert was still running on another
thread. The snapshot delete thread then waited on a condition
variable in qemuMonitorSend() while the revert thread finished,
changing (and effectively corrupting) the qemuMonitor structure
under the delete thread which led to its crash.

The incorrect handling of jobs in revert code was due to the fact
that although qemuDomainRevertToSnapshot() correctly begins a job
at the start, the job was implicitly ended when qemuProcessStop()
was called because the job lives in the QEMU driver's private
data (qemuDomainObjPrivate) that was purged during
qemuProcessStop().

This fix prevents qemuProcessStop() from clearing jobs as the
idea of qemuProcessStop() clearing jobs seems wrong in the first
place. It was (inadvertently) introduced in commit
888aa4b6b9, which is effectively reverted by
the second hunk of this commit. To preserve the desired effects
of the faulty commit, the first hunk is included as suggested by
Michal.

Signed-off-by: Pavel Mores <pmores@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
2019-12-12 11:26:19 +01:00
Marc-André Lureau
4bccb9965d doc: vtpm only support secrets by UUID at this point
Support by usage name can be considered separately (with a 'usage'
attribute?).

Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
Reviewed-by: Christophe de Dinechin <dinechin@redhat.com>
Cc: Stefan Berger <stefanb@linux.ibm.com>
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
2019-12-11 11:34:12 -05:00
Andrea Bolognani
5aab9413e2 travis: Update name for Ubuntu 18.04 image
The corresponding libvirt-jenkins-ci commit is f289e64a5fd9.

Signed-off-by: Andrea Bolognani <abologna@redhat.com>
2019-12-11 17:17:21 +01:00
Daniel P. Berrangé
1902356231 qemu: keep capabilities when running QEMU as root
When QEMU uid/gid is set to non-root this is pointless as if we just
used a regular setuid/setgid call, the process will have all its
capabilities cleared anyway by the kernel.

When QEMU uid/gid is set to root, this is almost (always?) never
what people actually want. People make QEMU run as root in order
to access some privileged resource that libvirt doesn't support
yet and this often requires capabilities. As a result they have
to go find the qemu.conf param to turn this off. This is not
viable for libguestfs - they want to control everything via the
XML security label to request running as root regardless of the
qemu.conf settings for user/group.

Clearing capabilities was implemented originally because there
was a proposal in Fedora to change permissions such that root,
with no capabilities would not be able to compromise the system.
ie a locked down root account. This never went anywhere though,
and as a result clearing capabilities when running as root does
not really get us any security benefit AFAICT. The root user
can easily do something like create a cronjob, which will then
faithfully be run with full capabilities, trivially bypassing
the restriction we place.

IOW, our clearing of capabilities is both useless from a security
POV, and breaks valid use cases when people need to run as root.

This removes the clear_emulator_capabilities configuration
option from qemu.conf, and always runs QEMU with capabilities
when root.  The behaviour when non-root is unchanged.

Reviewed-by: Cole Robinson <crobinso@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
2019-12-11 16:01:20 +00:00