Commit Graph

43246 Commits

Author SHA1 Message Date
Peng Liang
c4f3c955d5 qemu: don't change ownership of cache directory
Commit 6bcf25017b ("virDomainMemoryPeek API") introduced memory peek
and commit 9936aecfd1 ("qemu: Implement the driver methods")
introduced screenshot.  Both of them will put temporary files in
/var/cache/libvirt/qemu, and the temporary files are created by QEMU.
Therefore, the ownership of /var/cache/libvirt/qemu should be changed to
user and group configured in qemu.conf to make sure that QEMU process
can create and write files in the cache directory.

Libvirt will only put the temporary files in /var/cache/libvirt/qemu
until commit cbde35899b ("Cache result of QEMU capabilities
extraction"), which will put the cache of QEMU capabilities in
'capabilities' subdir of the cache directory.  Because the capabilities
is used by libvirt, the ownership of both 'capabilities' subdir and
capabilities files are root.  However, when QEMU process runs as a
regular user (e.g. qemu user), the ownership of /var/cache/libvirt/qemu
will be changed to qemu:qemu while that of
/var/cache/libvirt/qemu/capabilities will be still root:root.  Then the
regular user could spoof different capabilities, which maybe lead to
denial of service.

Since the previous patch has move the temp files of screenshot and
memory peek to per-domain directory, no one except domain capabilities
uses cacheDir currently.  And since domain capabilities are used by
libvirtd instead of QEMU, no need to change the ownership of cacheDir to
qemu:qemu explicitly.

Signed-off-by: Peng Liang <liangpeng10@huawei.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
2021-09-23 12:42:26 +02:00
Peng Liang
a50c473ad6 qemu: move temp file of screenshot and memorypeek to per-domain dir
The temp files of screenshot and memory peek, which are created by QEMU,
are put in the cache directory.  However, the caches of domain
capabilities, which are created and used by libvirtd, are also put in
the cache directory.  In order to make the cache directory more secure,
move the temp files of screenshot and memory peek to per-domain
directory.

Since the temp files are just temporary files and are only used by
libvirtd (libvirtd will delete them after use), the use of screenshot
and memory peek will be affected.

Signed-off-by: Peng Liang <liangpeng10@huawei.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
2021-09-23 12:42:26 +02:00
Tim Wiederhake
ddbbbcd969 virDomainDefParseXML: Use automatic memory management
Signed-off-by: Tim Wiederhake <twiederh@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
2021-09-23 11:09:22 +02:00
Peter Krempa
f147634a38 qemu: command: Remove qemuBuildRBDSecinfoURI
Merge the code into the only caller.

Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
2021-09-22 14:53:56 +02:00
Peter Krempa
0151c092fb qemu: domain: Rename secrets setup function
Since there's just one type left, we can change the name to a more
generic one.

Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
2021-09-22 14:53:56 +02:00
Peter Krempa
db66d0247a qemu: Simplify qemuDomainSecretInfo
Now that we've removed support for plaintext secrets qemuDomainSecretInfo
can be simplified by removing the 'type' field and merging in all the
fields from 'qemuDomainSecretAES'.

Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
2021-09-22 14:53:56 +02:00
Peter Krempa
c4d4b10826 qemuBuildSCSIiSCSIHostdevDrvStr: Don't call qemuDiskSourceNeedsProps
It always returns true for iSCSI, so we can remove the fallback logic.

Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
2021-09-22 14:53:56 +02:00
Peter Krempa
928bc19399 qemu: command: Remove qemuBuildGeneralSecinfoURI
After removal of plaintext secrets this function is a noop.

Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
2021-09-22 14:53:56 +02:00
Peter Krempa
ed98e8ec99 qemu: Remove VIR_DOMAIN_SECRET_INFO_TYPE_PLAIN and associated code
There's no code which could set it any more so we can remove the
generators.

Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
2021-09-22 14:53:56 +02:00
Peter Krempa
09466e1f62 qemu: capabilities: Retire QEMU_CAPS_ISCSI_PASSWORD_SECRET
Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
2021-09-22 14:53:56 +02:00
Peter Krempa
900270a24f qemu: domain: Always assume QEMU_CAPS_ISCSI_PASSWORD_SECRET
QEMU supports the 'password-secret' parameter to pass a QCryptoSecret
since 2.9. Remove the alternate plaintext logic.

Unfortunately this had a ripple effect of removing qemuCaps from a lot
of functions.

Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
2021-09-22 14:53:55 +02:00
Peter Krempa
3d13acc3bc qemu: domain: Remove qemuDomainSupportsEncryptedSecret
The answer is now always 'true', so we can remove the function and
simplify the logic in places where it's called.

Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
2021-09-22 14:53:55 +02:00
Peter Krempa
b5411ce535 qemu: capabilities: Retire QEMU_CAPS_OBJECT_SECRET
Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
2021-09-22 14:53:55 +02:00
Peter Krempa
0ae3e1313f qemu: Always assume presence of QEMU_CAPS_OBJECT_SECRET
The secret object is supported since qemu-2.6 and can't be compiled out.
Assume the presence to simplify the code.

This enables the use of the secret key for most tests not using real
caps.

Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
2021-09-22 14:53:55 +02:00
Peter Krempa
acfce77201 util: Remove use of virCryptoHaveCipher(VIR_CRYPTO_CIPHER_AES256CBC)
It always returns true. Make the logic a bit simpler to see through.

This completely removes 'virCryptoHaveCipher' as it's pointless in the
current form.

Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
2021-09-22 14:53:55 +02:00
Ján Tomko
c066cb6dc1 scripts: apibuild: fix spacing
Syntax check reports:
E226 missing whitespace around arithmetic operator

Signed-off-by: Ján Tomko <jtomko@redhat.com>
2021-09-21 18:04:00 +02:00
Daniel P. Berrangé
81b63c3d78 scripts: fix API parsing of *** pointers
The currrent generated API contains *** pointer types with bogus
whitespace in the middle:

  <arg name='keys' type='char ** *' info='pointer to a variable to store authorized keys'/>

because the tokenizer only tries to merge 2 distinct '*' together.
This refactors the code to merge an arbitrary number, resulting
in

  <arg name='keys' type='char ***' info='pointer to a variable to store authorized keys'/>

Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
2021-09-21 16:22:30 +01:00
Peter Krempa
675c222a58 virDevMapperGetTargets: Fix non-linux implementation
s/GSlist/GSList/

Fixes: 6c49c2ee9f
Signed-off-by: Peter Krempa <pkrempa@redhat.com>
2021-09-21 14:30:19 +02:00
Michal Privoznik
7bfb102ce4 schemas: Allow <unique_id/> to be zero
The value of zero is valid <unique_id/> (see
virNodeDeviceGetSCSIHostCaps()) but our RNG does not think so.
Switching the type to 'unsignedInt' does allow value of zero.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
2021-09-21 14:12:34 +02:00
Michal Privoznik
0ef02498ee schemas: Provide grammar for scsi_generic capabilities
A nodedev can have 'scsi_generic' capabilities but corresponding
RNG is missing. Fortunately, it's very simple - there's only one
mandatory child element <char/>.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
2021-09-21 14:12:30 +02:00
Michal Privoznik
3134555955 schemas: Make <type/> for capscsi type optional
The <type/> element for <capability type='scsi'> part of nodedev
XML is optional (see udevProcessSCSIDevice()) and as such might
not be formatted into nodedev XML (see
virNodeDeviceCapSCSIDefFormat()). Reflect this in our RNG.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
2021-09-21 14:12:17 +02:00
Michal Privoznik
73a2ff3616 meson: Enable ZFS storage backend more often
Currently, the ZFS storage backend is enabled only if both zfs
and zpool binaries were found during configure phase. This is not
consistent with our attempts to move dependencies on binaries
from compile to runtime. And also it is inconsistent with other
backends, e.g. vstorage.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
2021-09-21 14:10:03 +02:00
Michal Privoznik
4775613527 meson: Don't set $PROG_PATH macros
Now, that there is no user of $PROG_PATH macros the meson script
can be changed so that it doesn't set those macros. It's
redundant as $PROG macro contains the same value.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
2021-09-21 14:09:56 +02:00
Michal Privoznik
2731717a73 lib: Use $PROG instead of $PROG_PATH
Due to the way we detect programs at runtime there's no
difference between $PROG and $PROG_PATH macros that come from
meson-config.h. Either both are set to the path found during
configure or both are set to just "$prog", e.g.:

  #define EBTABLES "/sbin/ebtables"
  #define EBTABLES_PATH "/sbin/ebtables"
  #define FLAKE8 "flake8"
  #define FLAKE8_PATH "flake8"

Change those few places which use _PATH.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
2021-09-21 14:09:44 +02:00
Peter Krempa
4bf603a52c qemu: capabilities: Retire QEMU_CAPS_FW_CFG
The code assumes that all supported qemu versions have this capability
so we can retire it.

Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
2021-09-21 12:26:08 +02:00
Peter Krempa
22c681256b qemu: Assume QEMU_CAPS_FW_CFG
qemu supports this since 81b2b81062 ("fw_cfg: insert fw_cfg file blobs
via qemu cmdline") released in qemu-v2.4.0 and it can't be compiled out.

Assume that the option always works and remove the corresponding check.

Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
2021-09-21 12:26:08 +02:00
Peter Krempa
04e5b3134f qemu: capabilities: Assume QEMU_CAPS_LOADPARM for s390 only
Added to 'query-command-line-options' in qemu commit 5559716c98
("util/qemu-config: Add loadparm to qemu machine_opts") released in
qemu-v2.10.0 but makes sense for s390 only. Treat it the same as the
keywrap capabilities in previous commit.

Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
2021-09-21 12:26:08 +02:00
Peter Krempa
da20199762 qemu: capabilities: Assume QEMU_CAPS_AES_KEY_WRAP and QEMU_CAPS_DEA_KEY_WRAP for s390 only
qemu introduced these options in 2eb1cd0768 ("s390x: CPACF: Handle key
wrap machine options") released in qemu-v2.3.0 but was exposed in
query-command-line-options only in 5bcfa0c543 ("util/qemu-config: fix
missing machine command line options").

The problem is that they are exposed even for architectures which don't
actually in fact support those.

Make the two capabilities a bit more useful by assuming them only on
s390 and thus removing them from other arches.

Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
2021-09-21 12:26:08 +02:00
Peter Krempa
e9badd8ac2 qemu: capabilities: QEMU_CAPS_MEM_MERGE
The code assumes that the feature tracked by this capability always
exists.

Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
2021-09-21 12:26:08 +02:00
Peter Krempa
db817385e8 qemu: Always assume QEMU_CAPS_MEM_MERGE
Supported since qemu commit 8490fc78e7 ("add -machine mem-merge=on|off
option") released in qemu-v1.3.0 and can't be compiled out.

Assume that it's present and remove the validation code.

Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
2021-09-21 12:26:08 +02:00
Peter Krempa
0d41080701 qemu: capabilities: Retire QEMU_CAPS_SPLASH_TIMEOUT
The code assumes that the feature tracked by this capability always
exists.

Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
2021-09-21 12:26:08 +02:00
Peter Krempa
9216090cf1 qemu: Always assume QEMU_CAPS_SPLASH_TIMEOUT
Supported since qemu commit 3d3b8303c6 ("showing a splash picture when
start") released in qemu-v1.0 and can't be compiled out.

Assume that it's present and remove the validation code.

Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
2021-09-21 12:26:07 +02:00
Peter Krempa
c561268806 qemuxml2argvtest: Remove negative case for 'boot-menu-enable-with-timeout'
The feature is now always present. Remove the negative test case as the
upcomming commit will remove the checks.

Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
2021-09-21 12:26:07 +02:00
Peter Krempa
81469b3d51 qemu: capabilities: Retire QEMU_CAPS_REBOOT_TIMEOUT
The code assumes that the feature tracked by this capability always
exists.

Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
2021-09-21 12:26:07 +02:00
Peter Krempa
2b928f1c2d qemu: Always assume QEMU_CAPS_REBOOT_TIMEOUT
Supported since ac05f34924 ("add a boot parameter to set reboot
timeout") released in qemu-v1.3.0 and can't be compiled out.

Assume that it's present and remove the validation code.

Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
2021-09-21 12:26:07 +02:00
Peter Krempa
2b0b0800bf tests: qemuxml2argv: Remove negative case for 'reboot-timeout-enabled'
All supported qemu versions now support this feature so this test is
pointless.

Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
2021-09-21 12:26:07 +02:00
Peter Krempa
0a9052e03e qemu: capabilities: Retire QEMU_CAPS_BOOT_STRICT
It's not used since last commit.

Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
2021-09-21 12:26:07 +02:00
Peter Krempa
e2aa0c3b5a qemu: command: Always assume 'QEMU_CAPS_BOOT_STRICT'
Added by c8a6ae8bb9 in qemu-v1.5.0 and can't be compiled out. Assume
that it's present and fix all fake-caps tests.

Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
2021-09-21 12:26:06 +02:00
Peter Krempa
021015148b qemuMonitorJSONGetStatus: Refactor cleanup
Use g_autofree for the JSON values to remove cleanup label and ret
variable.

Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
2021-09-21 12:25:42 +02:00
Peter Krempa
9d34136a52 util: virstring: Remove unused 'virStringListMerge'
Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
2021-09-21 12:25:42 +02:00
Peter Krempa
6c49c2ee9f virDevMapperGetTargets: Use a linked list as return type
Of the two callers one simply iterates over the returned paths and the
second one appends the returned paths to another linked list. Simplify
all of this by directly returning a linked list.

Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
2021-09-21 12:25:42 +02:00
Peter Krempa
45ea6a9fcf util: virdevmapper: Sanitize use of macros for buffer size
There are two distinct uses of an arbitrary buffers size when querying
the device mapper. One is related to loading the /proc/devices file,
while the other is used as buffer for ioctls to the devmapper.

Split up the macros used here so that it's clear that they are not meant
for the same thing.

Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
2021-09-21 12:25:41 +02:00
Hiroki Narukawa
2d6d67e154 qemu: Implement virtio-blk queue-size option
The option "queue-size" in virtio-blk was added in qemu-2.12.0, and
default value increased from qemu-5.0.0.

However, increasing this value may lead to drop of random access
performance.

Signed-off-by: Hiroki Narukawa <hnarukaw@yahoo-corp.jp>
Reviewed-by: Peter Krempa <pkrempa@redhat.com>
2021-09-21 12:22:49 +02:00
Hiroki Narukawa
ad209e7dbc qemu: add QEMU_CAPS_VIRTIO_BLK_QUEUE_SIZE capability
To support virtio-blk queue-size option, this commit adds capability
detection to the option.

Signed-off-by: Hiroki Narukawa <hnarukaw@yahoo-corp.jp>
Reviewed-by: Peter Krempa <pkrempa@redhat.com>
2021-09-21 12:22:49 +02:00
Hiroki Narukawa
36560f3551 conf: add queue_size option to disk
The option "queue-size" for virtio-blk was added in qemu-2.12.0, and
default value increased from qemu-5.0.0.

However, increasing this value may lead to drop of random access
performance.

Signed-off-by: Hiroki Narukawa <hnarukaw@yahoo-corp.jp>
Reviewed-by: Peter Krempa <pkrempa@redhat.com>
2021-09-21 12:22:48 +02:00
Hiroki Narukawa
240bdcbc93 virDomainDiskDefCheckABIStability: add disk queue count ABI stability check
virtio-blk num-queue is visible to guest OS, so this must be kept while
live migration.

Signed-off-by: Hiroki Narukawa <hnarukaw@yahoo-corp.jp>
Reviewed-by: Peter Krempa <pkrempa@redhat.com>
2021-09-21 12:22:48 +02:00
Hiroki Narukawa
32967b891e qemuxml2*test: Make disk-virtio-queues tests use DO_TEST_CAPS_LATEST
Currently disk-virtio-queues test is now using specifying a fake
capability.

By this commit this test will make use of DO_TEST_CAPS_LATEST.

Signed-off-by: Hiroki Narukawa <hnarukaw@yahoo-corp.jp>
Reviewed-by: Peter Krempa <pkrempa@redhat.com>
2021-09-21 12:22:48 +02:00
Michal Privoznik
b480a5cb5c vsh: Ensure that bool --options don't have completer
Let's check whether a boolean --option doesn't have completer or
completer_flags set. These options are just flags and don't
accept any value, thus they can't have any completer.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
2021-09-21 10:20:41 +02:00
Michal Privoznik
a1a22b0b1c vsh: Extend checks for aliased commands
If a command is an alias, then it can only have .name, .flags and
.alias set and .flags should contain just VSH_CMD_FLAG_ALIAS.
Check if that's the case in self-test.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
2021-09-21 10:20:41 +02:00
Michal Privoznik
520e858a8d virsh: Provide local path completer for vol-download --file
The vol-download command takes mandatory --file argument which
points to a local (possibly non-existent) path. If the file
exists then it's overwritten. Set the argument's completer so
that self-test doesn't report it as missing.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
2021-09-21 10:20:41 +02:00