Commit Graph

43617 Commits

Author SHA1 Message Date
Michal Privoznik
c63955ab0f qemu_monitor_json: Use g_autoptr() for virCPUData
We have g_autoptr() for virCPUData struct defined already. Let's
use it in qemu_monitor_json.c and drop explicit free calls.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Tim Wiederhake <twiederh@redhat.com>
2021-10-25 13:42:32 +02:00
Michal Privoznik
3dfc47c1fd qemu_monitor: Declare and use g_autoptr for qemuMonitorEventPanicInfo
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Tim Wiederhake <twiederh@redhat.com>
2021-10-25 13:42:27 +02:00
Michal Privoznik
4b1b14170a qemuMonitorJSONQueryRxFilterParse: Set *filter only on success
The qemuMonitorJSONQueryRxFilterParse() function is called to
parse the output of 'query-rx-filter' and store results into
passed virNetDevRxFilter structure. However, it is doing so in a
bit clumsy way - the return pointer is set in all cases (i.e.
even in case of error) and thus the cleanup label is more
complicated than it needs to be. With a help of g_autoptr() and
g_steal_pointer() the return pointer can be set only in case of
success - which is what callers expect anyway.

The same applies to qemuMonitorJSONQueryRxFilter().

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Tim Wiederhake <twiederh@redhat.com>
2021-10-25 13:42:22 +02:00
Michal Privoznik
4e8bb57859 qemuMonitorJSONGetMigrationStats: Don't clear @stats on failure
In the qemuMonitorJSONGetMigrationStats() there's a code under
cleanup label that's clearing returned @stats if the function
returns with an error. However, transitively there's just one
caller - qemuMigrationAnyFetchStats() - and it doesn't care for
this behaviour. Drop the code to simplify the cleanup label.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Tim Wiederhake <twiederh@redhat.com>
2021-10-25 13:42:19 +02:00
Michal Privoznik
a70ae22cfd qemuMonitorJSONHumanCommand: Require @reply_str
All callers of qemuMonitorJSONHumanCommand() pass a non-NULL pointer
as @reply_str therefore there's no need to check whether it is NULL.
NB, the sister function (qemuMonitorJSONArbitraryCommand()) doesn't
check for NULL either.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Tim Wiederhake <twiederh@redhat.com>
2021-10-25 13:42:14 +02:00
Michal Privoznik
2d7257d528 qemu_monitor_json: Don't transfer ownership to @msg
In qemuMonitorJSONCommandWithFd() given command (represented by
virJSONValue struct) is translated to string (represented by
virBuffer). The ownership of the string is then transferred to
the message which is then sent. The downside of this approach is
we have to have an explicit call to free the string from the
message. But if the message just "borrowed" the string (which it
can safely do because it is just reading from the string) then
automatic free of the buffer takes care of freeing the string.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Tim Wiederhake <twiederh@redhat.com>
2021-10-25 13:42:00 +02:00
Michal Privoznik
139338ab33 qemu_monitor_json: Don't check for qemuMonitorNextCommandID() retval
The qemuMonitorNextCommandID() function can never fail. There's
no need to check for its retval then. Moreover, the temporary
variable used to hold the retval can be declared in the inner
most block.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Tim Wiederhake <twiederh@redhat.com>
2021-10-25 13:41:25 +02:00
Michal Privoznik
857df2fe50 lib: Drop intermediary return variables
In a few places we declare a variable (which is optionally
followed by a code not touching it) then set the variable to a
value and return the variable immediately. It's obvious that the
variable is needless and the value can be returned directly
instead.

This patch was generated using this semantic patch:

  @@
  type T;
  identifier ret;
  expression E;
  @@
  - T ret;
  ... when != ret
      when strict
  - ret = E;
  - return ret;
  + return E;

After that I fixed couple of formatting issues because coccinelle
formatted some lines differently than our coding style.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
2021-10-25 12:48:46 +02:00
Michal Privoznik
945942ebba qemuMonitorJSONGetMigrationCapabilities: Don't return early on CommandNotFound
The qemuMonitorJSONGetMigrationCapabilities() command executes
'query-migrate-capabilities' command and returns early if QEMU
doesn't know the command. Well, the command was introduced in
QEMU release 1.2 (specifically in commit v1.2.0-rc0~29^2~11) and
since the minimum required version is 2.11.0 we can be sure that
command will always exist.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
2021-10-22 07:00:44 +02:00
Michal Privoznik
4c1d40915a qemuMonitorJSONGetMemoryDeviceInfo: Don't return early on CommandNotFound
The qemuMonitorJSONGetMemoryDeviceInfo() command executes
'query-memory-devices' command and returns early if QEMU
doesn't know the command. Well, the command was introduced in
QEMU release 2.1 (specifically in commit v2.1.0-rc0~41^2~9) and
since the minimum required version is 2.11.0 we can be sure that
command will always exist.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
2021-10-22 07:00:44 +02:00
Michal Privoznik
dea2dcea72 qemuMonitorJSONGetKVMState: Don't return early on CommandNotFound
The qemuMonitorJSONGetKVMState() command executes 'query-kvm'
command and returns early if QEMU doesn't know the command. Well,
the command was introduced in QEMU release 0.14 and since the
minimum required version is 2.11.0 we can be sure that command
will always exist.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
2021-10-22 07:00:44 +02:00
Michal Privoznik
432ff3166e qemuMonitorJSONGetDumpGuestMemoryCapability: Don't return early on CommandNotFound
The qemuMonitorJSONGetDumpGuestMemoryCapability() command
executes 'query-dump-guest-memory-capability' command and returns
early if QEMU doesn't know the command. Well, the command was
introduced in QEMU release 2.0 (specifically in commit
v2.0.0-rc0~43^2~16) and since the minimum required version is
2.11.0 we can be sure that command will always exist.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
2021-10-22 07:00:44 +02:00
Michal Privoznik
8534008c36 qemuMonitorJSONGetMigrationParams: Don't return early on CommandNotFound
The qemuMonitorJSONGetMigrationParams() function executes
'query-migrate-parameters' command and returns early if QEMU
doesn't know the command. Well, the command was introduced in
QEMU release 2.4 (specifically in commit v2.4.0-rc0~147^2~3) and
since the minimum required version is 2.11.0 we can be sure that
the command will always exist.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
2021-10-22 07:00:44 +02:00
Michal Privoznik
7ce6a2f30e qemumigparamstest: Drop "unsupported" test case
The aim of "unsupported" test case is to check whether our code
handles 'CommandNotFound' error returned for
'query-migrate-parameters' monitor command. Well, the command is
pretty old and every QEMU that we are dealing with supports it.
Thus this test case is useless. Drop it.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
2021-10-22 07:00:44 +02:00
Dmitrii Shcherbakov
a2c40900ed news: Add PCI VPD parser & capability notes
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Signed-off-by: Dmitrii Shcherbakov <dmitrii.shcherbakov@canonical.com>
2021-10-21 17:34:15 +01:00
Dmitrii Shcherbakov
fab3513bf0 Add PCI VPD Capability Documentation
Describes the format of the newly added VPD capability and gives and
example for a real-world device.

Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Signed-off-by: Dmitrii Shcherbakov <dmitrii.shcherbakov@canonical.com>
2021-10-21 17:34:04 +01:00
Dmitrii Shcherbakov
3954378d06 Add PCI VPD Capability Support
* XML serialization and deserialization of PCI VPD;
* PCI VPD capability flags added and used in relevant places;
* XML to XML tests for the added capability.

Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Signed-off-by: Dmitrii Shcherbakov <dmitrii.shcherbakov@canonical.com>
2021-10-21 17:34:04 +01:00
Dmitrii Shcherbakov
38003e7551 Add PCI VPD-related helper functions to virpci
Add helper functions to virpci to provide means of checking for a VPD
file presence and for VPD resource retrieval using the PCI VPD parser.

The added test assesses the basic functionality of VPD retrieval while
the full parser is tested by virpcivpdtest.

Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Signed-off-by: Dmitrii Shcherbakov <dmitrii.shcherbakov@canonical.com>
2021-10-21 17:34:04 +01:00
Dmitrii Shcherbakov
59c1bc3a0e Add a PCI/PCIe device VPD Parser
Add support for deserializing the binary PCI/PCIe VPD format and storing
results in memory.

The VPD format is specified in "I.3. VPD Definitions" in PCI specs
(2.2+) and "6.28.1 VPD Format" PCIe 4.0. As section 6.28 in PCIe 4.0
notes, the PCI Local Bus and PCIe VPD formats are binary compatible
and PCIe 4.0 merely started incorporating what was already present in
PCI specs.

Linux kernel exposes a binary blob in the VPD format via sysfs since
v2.6.26 (commit 94e6108803469a37ee1e3c92dafdd1d59298602f) which requires
a parser to interpret.

Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Signed-off-by: Dmitrii Shcherbakov <dmitrii.shcherbakov@canonical.com>
2021-10-21 17:34:04 +01:00
Ján Tomko
deb4971e96 NEWS: document virtiofs hotplug
Signed-off-by: Ján Tomko <jtomko@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
2021-10-21 18:15:20 +02:00
Andrea Bolognani
2772162316 conf: Add new/free functions for virDomainIOMMUDef
This will make it possible to limit changes to a single spot
later on, and is also just an overall nicer way to create and
destroy objects.

Signed-off-by: Andrea Bolognani <abologna@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
2021-10-20 16:53:09 +02:00
Andrea Bolognani
1fb84247b6 conf: Add IOMMU support to virDomainDeviceDefCopy()
There doesn't seem to be a reason for IOMMUs not to be handled
by this function.

Signed-off-by: Andrea Bolognani <abologna@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
2021-10-20 16:53:07 +02:00
Andrea Bolognani
1cb48b00b5 qemu: Make qemuBuildVirtioDevProps() const correct
This involves a bit of a hack, but is overall preferable to
forcing callers to pass non-const devdata as argument.

Signed-off-by: Andrea Bolognani <abologna@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
2021-10-20 16:53:05 +02:00
Andrea Bolognani
8e3d58f245 qemu: Make qemuBuildDeviceAddressProps() const correct
Signed-off-by: Andrea Bolognani <abologna@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
2021-10-20 16:53:04 +02:00
Andrea Bolognani
ea1a436cb5 conf: Make virDomainDeviceInfoFormat() const correct
Signed-off-by: Andrea Bolognani <abologna@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
2021-10-20 16:53:01 +02:00
Andrea Bolognani
d2872fc47f tests: Add replies for QEMU 6.2.0 on aarch64
These were generated using a QEMU binary built from commit
v6.1.0-1552-g362534a643

Notably, this causes the arguments of -device to be generated
in JSON format.

Signed-off-by: Andrea Bolognani <abologna@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
2021-10-20 16:52:45 +02:00
Michal Privoznik
f3ab818984 rpc: Temporarily stop accept()-ing new clients on EMFILE
This commit is related to 5de203f879 which I pushed a few days
ago. While that commit prioritized closing clients socket over
the rest of I/O process, this one goes one step further and
temporarily suspends processing new connection requests.

A brief recapitulation of the problem:

1) assume that libvirt is at the top of RLIMIT_NOFILE (that is no
   new FDs can be opened).

2) we have a client trying to connect to a UNIX/TCP socket

Because of 2) our event loop sees POLLIN on the socket and thus
calls virNetServerServiceAccept(). But since no new FDs can be
opened (because of 1)) the request is not handled and we will get
the same event on next iteration. The poll() will exit
immediately because there is an event on the socket.  Thus we end
up in an endless loop.

To break the loop and stop burning CPU cycles we can stop
listening for events on the socket and set up a timer tho enable
listening again after some time (I chose 5 seconds because of no
obvious reason).

There's another area where we play with temporarily suspending
accept() of new clients - when a client disconnects and we check
max_clients against number of current clients. Problem here is
that max_clients can be orders of magnitude larger than
RLIMIT_NOFILE but more importantly, what this code considers
client disconnect is not equal to closing client's FD.
A client disconnecting means that the corresponding client
structure is removed from the internal list of clients. Closing
of the client's FD is done from event loop - asynchronously.

To avoid this part stepping on the toes of my fix, let's make the
code NOP if socket timer (as described above) is active.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
2021-10-20 16:25:22 +02:00
Daniel P. Berrangé
0d9097afe5 Switch to new GitHub repo-lockdown configuration
The repo-lockdown service used to run as a bot outside GitHub, but has
now switched to using the GitHub Actions workflow framework. This
requires use of a new configuration file.

Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
2021-10-20 14:27:20 +01:00
Daniel P. Berrangé
f18592adb1 qemu: remove use of implicit boolean syntax for guest features
Some guest features that map to the -cpu arg are still added using
implicit syntax "feature" which is a deprecated shorthand for
"feature=on".

Reviewed-by: Jiri Denemark <jdenemar@redhat.com>
Reviewed-by: Peter Krempa <pkrempa@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
2021-10-20 13:19:49 +01:00
Daniel P. Berrangé
e28ce3885d qemu: inline the qemuBuildCpuFeature code
With the previous refactorings, there's no real benefit from the
qemuBuildCpuFeature helper method. Only one of the callers really
needs the CPU feature name re-writing logic, the others can just
use the right name directly.

Reviewed-by: Jiri Denemark <jdenemar@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
2021-10-20 13:19:37 +01:00
Daniel P. Berrangé
ff3e93a26b qemu: remove use of (+|-)name syntax for -cpu featres
The -cpu arg gained support for feature=on|off syntax for the x86
emulator in 2.4.0

  commit 38e5c119c2925812bd441450ab9e5e00fc79e662
  Author: Eduardo Habkost <ehabkost@redhat.com>
  Date:   Mon Mar 23 17:29:32 2015 -0300

    target-i386: Register QOM properties for feature flags

Most other targets gained this syntax even earlier in 1.4.1

  commit 1590bbcb02921dfe8e3cf66e3a3aafd31193babf
  Author: Andreas Färber <afaerber@suse.de>
  Date:   Mon Mar 3 23:33:51 2014 +0100

    cpu: Implement CPUClass::parse_features() for the rest of CPUs

    CPUs who do not provide their own implementation of feature parsing
    will treat each option as a QOM property and set it to the supplied
    value.

There appears no reason to keep supporting "+|-feature" syntax,
given the current minimum QEMU version.

Reviewed-by: Jiri Denemark <jdenemar@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
2021-10-20 13:01:41 +01:00
Daniel P. Berrangé
a81784ea3a qemu: always use hyphens in hyperv feature names
QEMU switched from using underscores in x86 CPU features to hyphens
in the 2.8.0 series with two commits

  commit fc7dfd205f3287893c436d932a167bffa30579c8 (HEAD, refs/bisect/bad)
  Author: Eduardo Habkost <ehabkost@redhat.com>
  Date:   Fri Sep 30 15:49:40 2016 -0300

    target-i386: Remove underscores from feat_names arrays

  commit 54b8dc7c19cd781e96f1e9b001ca6001d804eb19
  Author: Eduardo Habkost <ehabkost@redhat.com>
  Date:   Fri Sep 30 15:49:38 2016 -0300

    target-i386: Register aliases for feature names with underscores

Libvirt names use underscores so we conditionally tranlate the
names when talking to new QEMU. Since the min QEMU was raised to
version 2.11.0, all QEMU versions we talk to expect hypens, so
the translation can be done unconditionally.

Reviewed-by: Jiri Denemark <jdenemar@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
2021-10-20 13:01:33 +01:00
Daniel P. Berrangé
7bf6292fb3 qemu: always translate underscores to hyphens in CPU features
QEMU switched from using underscores in x86 CPU features to hyphens
in the 2.8.0 series with two commits

  commit fc7dfd205f3287893c436d932a167bffa30579c8 (HEAD, refs/bisect/bad)
  Author: Eduardo Habkost <ehabkost@redhat.com>
  Date:   Fri Sep 30 15:49:40 2016 -0300

    target-i386: Remove underscores from feat_names arrays

  commit 54b8dc7c19cd781e96f1e9b001ca6001d804eb19
  Author: Eduardo Habkost <ehabkost@redhat.com>
  Date:   Fri Sep 30 15:49:38 2016 -0300

    target-i386: Register aliases for feature names with underscores

Libvirt names use underscores so we conditionally tranlate the
names when talking to new QEMU. Since the min QEMU was raised to
version 2.11.0, all QEMU versions we talk to expect hypens, so
the translation can be done unconditionally.

Reviewed-by: Jiri Denemark <jdenemar@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
2021-10-20 13:01:22 +01:00
Daniel P. Berrangé
28a1059ddd ci: switch all non-released distros to be non-gating
The non-released distros have reasonably frequent package installation
failures that can last for days at a time. This makes them unsuitable
for use as gating CI jobs.

This ensures all of the jobs in Debian Sid, Fedora Rawhide, openSUSE
Tumbleweed and FreeBSD Current are marked "allow-failure: true".

This means the jobs still run, but any failure will not be considered
fatal to the pipeline.

Reviewed-by: Ján Tomko <jtomko@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
2021-10-20 12:57:56 +01:00
Daniel P. Berrangé
13eab52429 ci: refresh configuration from manifest
The layering of the cross containers is fixed to move arch specific
ccache setup out of the common base layer.

A missing Cirrus CI variable substitution is added, though this is
irrelevant given libvirt's package list.

Reviewed-by: Ján Tomko <jtomko@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
2021-10-20 12:57:16 +01:00
Peter Krempa
ab8d520eb5 qemuMonitorBlockStatsUpdateCapacity: Remove 'backingChain' argument
Always fetch the stats for all backing chain members. Callers from
qemu_driver.c already always passed 'true' and the caller from the
migration code won't mind when we fetch all stats.

Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
2021-10-20 13:43:37 +02:00
Peter Krempa
5f5631707f qemuMonitorGetAllBlockStatsInfo: Remove 'backingChain' argument
All (proper) callers pass true so we can remove the argument.

Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
2021-10-20 13:43:37 +02:00
Peter Krempa
4e950ba4b4 qemuMonitorJSONQueryBlockstats: Refactor cleanup
Use automatic memory clearing and remove the cleanup label.

Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
2021-10-20 13:43:37 +02:00
Peter Krempa
d7050b0d08 qemuDomainGetStatsBlock: Refactor cleanup
Use automatic memory clearing for the temporary variables and remove the
cleanup section.

Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
2021-10-20 13:43:37 +02:00
Peter Krempa
c93bf61647 qemuMonitorJSONBlockStatsUpdateCapacityOne: Refactor cleanup
Use automatic memory clearing for the temporary variable and remove the
cleanup section.

Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
2021-10-20 13:43:37 +02:00
Peter Krempa
3beb56f3e8 qemuMonitorJSONBlockStatsUpdateCapacity: Refactor cleanup
Use automatic memory clearing for the temporary variable and remove the
cleanup section.

Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
2021-10-20 13:43:37 +02:00
Peter Krempa
65ff87c51c qemuDomainGetStatsBlock: Always fetch stats for the full backing chain
Similarly to the fix to 'qemuDomainBlocksStatsGather' we should be
always fetching the full backing chain so that we can avoid any
automatic filter notes which would prevent us from fetching the stats
for the correct nodename.

Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
2021-10-20 13:43:37 +02:00
Peter Krempa
579e05536b qemuDomainBlocksStatsGather: Always fetch stats for the full backing chain
In certain cases such as when running a backup blockjob qemu installs a
filter node between the frontend and the top node of the backend of the
disk. The stats gathering code didn't instruct the monitor code to fetch
the stats for all the layers, so since the top layer now doesn't have
stats we were reporting wrong stats such as allocation.

Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2015281
Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
2021-10-20 13:43:37 +02:00
Stefan Berger
c66115b6e8 qemu: tpm: Run swtpm_setup --create-config-files in session mode
Using swtpm v0.7.0 we can run swtpm_setup to create default config files
for swtpm_setup and swtpm-localca in session mode. Now a user can start
a VM with an attached TPM without having to run this program on the
command line before. This program needs to run once.

This patch addresses the issue raised in
https://bugzilla.redhat.com/show_bug.cgi?id=2010649

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
2021-10-20 13:31:26 +02:00
Peng Liang
e8b5c09a03 qemu: Move pid file of virtiofsd to stateDir
Libvirt will put the pid file of virtiofsd to per-domain directory.
However, the ownership of the per-domain directory is the user to run
the QEMU process and the user has the write permission of the directory.
If VM escape occurs, the attacker can
1. write arbitrary content to the pid file (if running QEMU using root),
   then the attacker can kill any process by writing appropriate pid to
   the pid file;
2. spoof the pid file (if running QEMU using a regular user), then the
   virtiofsd process will never be cleared even if the VM is destroyed.

So, move the pid file of virtiofsd from per-domain directory to
stateDir.

Signed-off-by: Peng Liang <liangpeng10@huawei.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
2021-10-19 09:12:31 +02:00
Peng Liang
74e1ebee7f qemu: Move pid file of pr-helper to stateDir
Libvirt will put the pid file of pr-helper to per-domain directory.
However, the ownership of the per-domain directory is the user to run
the QEMU process and the user has the write permission of the directory.
If VM escape occurs, the attacker can
1. write arbitrary content to the pid file (if running QEMU using root),
   then the attacker can kill any process by writing appropriate pid to
   the pid file;
2. spoof the pid file (if running QEMU using a regular user), then the
   pr-helper process will never be cleared even if the VM is destroyed.

So, move the pid file of pr-helper from per-domain directory to
stateDir.

Signed-off-by: Peng Liang <liangpeng10@huawei.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
2021-10-19 09:12:26 +02:00
Peter Krempa
8eb08e0fc5 virNodeDeviceDefParse: Don't call post-parse callbacks with NULL def
When parsing of the node device XML fails we'd still call the post-parse
and validation callbacks which makes no sense. Additionally the
callbacks were expecting a non-NULL pointer which leads to a crash.

Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2014139
Fixes: d5ae634ba2
Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Erik Skultety <eskultet@redhat.com>
2021-10-18 17:40:46 +02:00
Peter Krempa
289aa4bc5b virsh: Add QMP command wrapping for 'qemu-monitor-command'
Issuing simple QMP commands is pain as they need to be wrapped by the
JSON wrapper:

 { "execute": "COMMAND" }

and optionally also:

 { "execute": "COMMAND", "arguments":...}

For simple commands without arguments we can add syntax sugar to virsh
which allows simple usage of QMP and additionally prepares also for
passing through of the 'arguments' section:

 virsh qemu-monitor-command $VM query-status

is equivalent to

 virsh qemu-monitor-command $VM '{"execute":"query-status"}'

and

 virsh qemu-monitor-command $VM query-named-block-nodes '{"flat":true}'
 or
 virsh qemu-monitor-command $VM query-named-block-nodes '"flat":true'

is equivalent to

 virsh qemu-monitor-command $VM '{"execute":"query-named-block-nodes", "arguments":{"flat":true}}'

Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
2021-10-18 16:04:17 +02:00
Peter Krempa
82c2196840 NEWS: Mention conversion of '-device' to JSON starting with QEMU-6.2
Normally this would be considered an internal detail which we don't
document in the news, but in this case I'd like to make people aware of
the change so that they preferrably report them ASAP.

Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
2021-10-18 14:00:59 +02:00
Peter Krempa
6f34a991c7 testCompareXMLToArgvValidateSchemaCommand: Add validation for '-device'
Now that we use JSON with -device we can validate it at least partially
(since the schema for 'device_add' is for now incomplete) against the
QMP schema.

Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
2021-10-18 14:00:59 +02:00