Commit Graph

88 Commits

Author SHA1 Message Date
Guannan Ren
8329c56e3a rpc:fix sasl session relocking intead of unlocking it
When trying to use any SASL authentication for TCP sockets by
setting auth_tls = "sasl" in libvirtd.conf on server side, the
client will hang because of the sasl session relocking other than
dropping the lock when exiting virNetSASLSessionExtKeySize()
* src/rpc/virnetsaslcontext.c: virNetSASLSessionExtKeySize drop the
  lock on exit
2011-08-04 21:27:52 +08:00
Osier Yang
ae0dcbc413 daemon: Unlink unix socket paths on shutdown
This patch introduces a internal RPC API "virNetServerClose", which
is standalone with "virNetServerFree".  it closes all the socket fds,
and unlinks the unix socket paths, regardless of whether the socket
is still referenced or not.

This is to address regression bug:
https://bugzilla.redhat.com/show_bug.cgi?id=725702
2011-08-04 16:54:58 +08:00
Eric Blake
0634b62336 rpc: silence coverity false positives
In virNetServerNew, Coverity didn't realize that srv->mdsnGroupName
can only be non-NULL if mdsnGroupName was non-NULL.

In virNetServerRun, Coverity didn't realize that the array is non-NULL
if the array count is non-zero.

* src/rpc/virnetserver.c (virNetServerNew): Use alternate pointer.
(virNetServerRun): Give coverity a hint.
2011-08-02 16:39:01 -06:00
Eric Blake
8d0be8fd57 rpc: avoid null deref
Detected by Coverity.

* src/rpc/virnetserverclient.c (virNetServerClientDispatchRead):
Avoid null deref on OOM.
2011-08-02 16:39:01 -06:00
Eric Blake
ed246fbb79 rpc: avoid crash on error
Detected by Coverity.  Freeing the wrong variable results in both
a memory leak and the likelihood of the caller dereferencing through
a freed pointer.

* src/rpc/virnettlscontext.c (virNetTLSSessionNew): Free correct
variable.
2011-08-02 15:04:36 -06:00
Eric Blake
94b5dae479 rpc: correctly process sasl whitelist globs
Detected by Coverity.  We want to compare the result of fnmatch 'rv',
not our pre-set return value 'ret'.

* src/rpc/virnetsaslcontext.c (virNetSASLContextCheckIdentity):
Check correct variable.
2011-08-02 15:01:33 -06:00
Eric Blake
3157d78f52 rpc: avoid uninitialized memory use
Spotted by Coverity.  Gnutls documents that buffer must be NULL
if gnutls_x509_crt_get_key_purpose_oid is to be used to determine
the correct size needed for allocating a buffer.

* src/rpc/virnettlscontext.c
(virNetTLSContextCheckCertKeyPurpose): Initialize buffer.
2011-08-02 11:57:06 -06:00
Eric Blake
50ae1de27c rpc: avoid double close on error
Spotted by coverity.  If pipe2 fails, then we attempt to close
uninitialized fds, which may result in a double-close.

* src/rpc/virnetserver.c (virNetServerSignalSetup): Initialize fds.
2011-08-02 11:43:36 -06:00
Eric Blake
4e006b844f rpc: avoid libvirtd crash on unexpected client close
Steps to reproduce this problem (vm1 is not running):
for i in `seq 50`; do virsh managedsave vm1& done; killall virsh

Pre-patch, virNetServerClientClose could end up setting client->sock
to NULL prior to other cleanup functions trying to use client->sock.
This fixes things by checking for NULL in more places, and by deferring
the cleanup until after all queued messages have been served.

* src/rpc/virnetserverclient.c (virNetServerClientRegisterEvent)
(virNetServerClientGetFD, virNetServerClientIsSecure)
(virNetServerClientLocalAddrString)
(virNetServerClientRemoteAddrString): Check for closed socket.
(virNetServerClientClose): Rearrange close sequence.
Analysis from Wen Congyang.
2011-08-02 07:46:37 -06:00
Eric Blake
c5b6537b1f build: fix include path for cygwin
Without this, cygwin failed to compile:

In file included from ../src/rpc/virnetmessage.h:24,
                 from ../src/rpc/virnetclient.h:27,
                 from remote/remote_driver.c:31:
../src/rpc/virnetprotocol.h:9:21: error: rpc/rpc.h: No such file or directory

With that fixed, compilation warned:

rpc/virnetsocket.c: In function 'virNetSocketNewListenUNIX':
rpc/virnetsocket.c:347: warning: format '%d' expects type 'int', but argument 8 has type 'gid_t' [-Wformat]
rpc/virnetsocket.c: In function 'virNetSocketGetLocalIdentity':
rpc/virnetsocket.c:743: warning: pointer targets in passing argument 5 of 'getsockopt' differ in signedness

* src/Makefile.am (libvirt_driver_remote_la_CFLAGS)
(libvirt_net_rpc_client_la_CFLAGS)
(libvirt_net_rpc_server_la_CFLAGS): Include XDR_CFLAGS, for rpc
headers on cygwin.
* src/rpc/virnetsocket.c (virNetSocketNewListenUNIX)
(virNetSocketGetLocalIdentity): Avoid compiler warnings.
2011-07-29 13:31:53 -06:00
Eric Blake
b240f966d9 build: avoid type-punning compiler warning
On RHEL 5, with gcc 4.1.2:

rpc/virnetsaslcontext.c: In function 'virNetSASLSessionUpdateBufSize':
rpc/virnetsaslcontext.c:396: warning: dereferencing type-punned pointer will break strict-aliasing rules [-Wstrict-aliasing]

* src/rpc/virnetsaslcontext.c (virNetSASLSessionUpdateBufSize):
Use a union to work around gcc warning.
2011-07-28 08:16:07 -06:00
Matthias Bolte
8d2319cb90 rpc: Fix memory leak in remoteDomainSet*Parameters functions
Add a new helper remoteFreeTypedParameters and teach the generator
to add it to the cleanup section.

https://bugzilla.redhat.com/show_bug.cgi?id=725322
2011-07-27 21:09:23 +02:00
Stefan Berger
f63930a7cc Build: fix build if HAVE_AVAHI is not defined
Fix the build if HAVE_AVAHI is not defined.
2011-07-26 11:42:00 -04:00
Daniel P. Berrange
0302391ee6 Fix race in ref counting when handling RPC jobs
When an incoming RPC message is ready for processing,

  virNetServerClientDispatchRead()

will invoke the 'dispatchFunc' callback. This is set to

  virNetServerDispatchNewMessage

This function puts the message + client in a queue for processing by the thread
pool. The thread pool worker function is

  virNetServerHandleJob

The first thing this does is acquire an extra reference on the 'client'.

Unfortunately, between the time the message+client are put on the thread pool
queue, and the time the worker runs, the client object may have had its last
reference removed.

We clearly need to add the reference to the client object before putting the
client on the processing queue

* src/rpc/virnetserverclient.c: Add a reference to the client when
  invoking the dispatch function
* src/rpc/virnetserver.c: Don't acquire a reference to the client
  when in the worker thread
2011-07-26 16:22:32 +01:00
Daniel P. Berrange
4d349ef7be Fix build with gnutls 1.0.x branch 2011-07-26 14:51:03 +01:00
Daniel P. Berrange
5622830c53 Add mutex protection to SASL and TLS modules
The virNetSASLContext, virNetSASLSession, virNetTLSContext and
virNetTLSSession classes previously relied in their owners
(virNetClient / virNetServer / virNetServerClient) to provide
locking protection for concurrent usage. When virNetSocket
gained its own locking code, this invalidated the implicit
safety the SASL/TLS modules relied on. Thus we need to give
them all explicit locking of their own via new mutexes.

* src/rpc/virnetsaslcontext.c, src/rpc/virnettlscontext.c: Add
  a mutex per object
2011-07-26 08:21:32 +08:00
Daniel P. Berrange
a44585972a Report error if unable to bind to any socket
When setting up a server socket, we must skip EADDRINUSE errors
from bind, since the IPv6 socket bind may have already bound to
the IPv4 socket too. If we don't manage to bind to any sockets
at all though, we should then report the EADDRINUSE error as
normal.

This fixes the case where libvirtd would not exit if some other
program was listening on its TCP/TLS ports.

* src/rpc/virnetsocket.c: Report EADDRINUSE
2011-07-26 08:14:02 +08:00
Daniel P. Berrange
4bfd0cf700 Fix leak of mDNS object in virNetServer
* src/rpc/virnetserver.c: Free mDNS object
2011-07-26 08:12:41 +08:00
Daniel P. Berrange
268cc6e9d1 Fix memory leaks in MDNS code
* src/rpc/virnetservermdns.c: Fix leaks
2011-07-26 08:09:18 +08:00
Daniel P. Berrange
07f9b6f019 Allow certificate sanity checking to be disabled
When libvirtd starts it it will sanity check its own certs,
and before libvirt clients connect to a remote server they
will sanity check their own certs. This patch allows such
sanity checking to be skipped. There is no strong reason to
need to do this, other than to bypass possible libvirt bugs
in sanity checking, or for testing purposes.

libvirt.conf gains tls_no_sanity_certificate parameter to
go along with tls_no_verify_certificate. The remote driver
client URIs gain a no_sanity URI parameter

* daemon/test_libvirtd.aug, daemon/libvirtd.conf,
  daemon/libvirtd.c, daemon/libvirtd.aug: Add parameter to
  allow cert sanity checks to be skipped
* src/remote/remote_driver.c: Add no_sanity parameter to
  skip cert checks
* src/rpc/virnettlscontext.c, src/rpc/virnettlscontext.h:
  Add new parameter for skipping sanity checks independantly
  of skipping session cert validation checks
2011-07-22 15:18:32 +01:00
Oskari Saarenmaa
6b01c83a63 remote/ssh: optional "keyfile" parameter.
New optional parameter "keyfile" for ssh transport allows the user to select
the private key to be used to authenticate to the remote host.
2011-07-22 07:49:49 -06:00
Daniel P. Berrange
637711cbdf Refactor the certification validation code
There is some commonality between the code for sanity checking
certs when initializing libvirt and the code for validating
certs during a live TLS session handshake. This patchset splits
up the sanity checking function into several smaller functions
each doing a specific type of check. The cert validation code
is then updated to also call into these functions

* src/rpc/virnettlscontext.c: Refactor cert validation code
2011-07-22 12:04:47 +01:00
Daniel P. Berrange
3b8061c759 Remove call to deprecated gnutls_certificate_type_set_priority (again)
The gnutls_certificate_type_set_priority method is deprecated.
Since we already set the default gnutls priority, it was not
serving any useful purpose and can be removed

* src/rpc/virnettlscontext.c: Remove gnutls_certificate_type_set_priority
  call
2011-07-22 11:39:44 +01:00
Daniel P. Berrange
92509413e2 Ensure that libvirtd shuts down if initialization fails
If the virStateInitialize call fails we must shutdown libvirtd
since drivers will not be available. Just free'ing the virNetServer
is not sufficient, we must send a SIGTERM to ourselves so that
we interrupt the event loop and trigger a orderly shutdown

* daemon/libvirtd.c: Kill ourselves if state init fails
* src/rpc/virnetserver.c: Add some debugging to event loop
2011-07-22 11:39:39 +01:00
Adam Litke
4daeefac60 Add virDomainBlockPull support to the remote driver
The generator can handle everything except virDomainGetBlockJobInfo().

* src/remote/remote_protocol.x: provide defines for the new entry points
* src/remote/remote_driver.c daemon/remote.c: implement the client and
  server side for virDomainGetBlockJobInfo.
* src/remote_protocol-structs: structure definitions for protocol verification
* src/rpc/gendispatch.pl: Permit some unsigned long parameters
2011-07-22 13:31:16 +08:00
Eric Blake
8e22e08935 build: rename files.h to virfile.h
In preparation for a future patch adding new virFile APIs.

* src/util/files.h, src/util/files.c: Move...
* src/util/virfile.h, src/util/virfile.c: ...here, and rename
functions to virFile prefix.  Macro names are intentionally
left alone.
* *.c: All '#include "files.h"' uses changed.
* src/Makefile.am (UTIL_SOURCES): Reflect rename.
* cfg.mk (exclude_file_name_regexp--sc_prohibit_close): Likewise.
* src/libvirt_private.syms: Likewise.
* docs/hacking.html.in: Likewise.
* HACKING: Regenerate.
2011-07-21 10:34:51 -06:00
Matthias Bolte
fbd5465a5b rpc: Make the dispatch generator handle 'void name(void)' style procedures
The only 'void name(void)' style procedure in the protocol is 'close' that
is handled special, but also programming errors like a missing _args or
_ret suffix on the structs in the .x files can create such a situation by
accident. Making the generator aware of this avoids bogus errors from the
generator such as:

  Use of uninitialized value in exists at ./rpc/gendispatch.pl line 967.

Also this allows to get rid of the -c option and the special case code for
the 'close' procedure, as the generator handles it now correctly.

Reported by Michal Privoznik
2011-07-21 17:00:59 +02:00
Cole Robinson
e0a21dfef4 rpc: Pass through DISPLAY so ssh can launch askpass
Though we prefer users to have SSH keys setup, virt-manager users still
depend on remote SSH connections to launch a password dialog. This fixes
launch ssh-askpass

Fix suggested by danpb
2011-07-20 14:14:23 -04:00
Guannan Ren
b14800af14 Don't try to close a NULL virNetClientPtr
* src/rpc/virnetclient.c: Skip close attempt if virNetClientPtr
  is NULL
2011-07-20 15:24:31 +01:00
Daniel P. Berrange
14800d49cb Honour key usage/purpose criticality flag
If a key purpose or usage field is marked as non-critical in the
certificate, then a data mismatch is not (ordinarily) a cause for
rejecting the connection

* src/rpc/virnettlscontext.c: Honour key usage/purpose criticality
2011-07-20 15:23:33 +01:00
Daniel P. Berrange
f53cc36fe8 Fix checking of key usage/purpose data
If key usage or purpose data is not present in the cert, the
RFC recommends that access be allowed. Also fix checking of
key usage to include requirements for client/server certs,
and fix key purpose checking to treat data as a list of bits
2011-07-20 15:19:35 +01:00
Daniel P. Berrange
3ea043254c Fix mixed up error messages when reporting TLS certificate problems
* src/rpc/virnettlscontext.c: Fix mixed up error messages
2011-07-20 15:19:35 +01:00
Daniel P. Berrange
79591d4fbf Add sanity checking of basic constraints, key purpose & key usage
Gnutls requires that certificates have basic constraints present
to be used as a CA certificate. OpenSSL doesn't add this data
by default, so add a sanity check to catch this situation. Also
validate that the key usage and key purpose constraints contain
correct data

* src/rpc/virnettlscontext.c: Add sanity checking of certificate
  constraints
2011-07-19 16:25:01 +01:00
Daniel P. Berrange
543c266d2d Add some basic sanity checking of certificates before use
If the libvirt daemon or libvirt client is configured with bogus
certificates, it is very unhelpful to only find out about this
when a TLS connection is actually attempted. Not least because
the error messages you get back for failures are incredibly
obscure.

This adds some basic sanity checking of certificates at the
time the virNetTLSContext object is created. This is at libvirt
startup, or when creating a virNetClient instance.

This checks that the certificate expiry/start dates are valid
and that the certificate is actually signed by the CA that is
loaded.

* src/rpc/virnettlscontext.c: Add certificate sanity checks
2011-07-19 16:24:57 +01:00
Daniel P. Berrange
e06c8ede42 Add an explicit virNetClientClose method
Since the I/O callback registered against virNetSocket will
hold a reference on the virNetClient, we can't rely on the
virNetClientFree to be able to close the network connection.
The last reference will only go away when the event callback
fires (likely due to EOF from the server).

This is sub-optimal and can potentially cause a leak of the
virNetClient object if the server were to not explicitly
close the socket itself

* src/remote/remote_driver.c: Explicitly close the client
  object when disconnecting
* src/rpc/virnetclient.c, src/rpc/virnetclient.h: Add a
  virNetClientClose method
2011-07-19 11:20:34 -04:00
Daniel P. Berrange
7ea2ef4ce8 Use a virFreeCallback on virNetSocket to ensure safe release
When unregistering an I/O callback from a virNetSocket object,
there is still a chance that an event may come in on the callback.
In this case it is possible that the virNetSocket might have been
freed already. Make use of a virFreeCallback when registering
the I/O callbacks and hold a reference for the entire time the
callback is set.

* src/rpc/virnetsocket.c: Register a free function for the
  file handle watch
* src/rpc/virnetsocket.h, src/rpc/virnetserverservice.c,
  src/rpc/virnetserverclient.c, src/rpc/virnetclient.c: Add
  a free function for the socket I/O watches
2011-07-19 11:20:27 -04:00
Daniel P. Berrange
6198f3a1d7 Add mutex locking and reference counting to virNetSocket
Remove the need for a virNetSocket object to be protected by
locks from the object using it, by introducing its own native
locking and reference counting

* src/rpc/virnetsocket.c: Add locking & reference counting
2011-07-19 11:19:34 -04:00
Daniel P. Berrange
06c0d1841c Add some debugging for virNetClient reference counting
* src/rpc/virnetclient.c: Add debugging of ref counts
2011-07-19 11:18:50 -04:00
Daniel P. Berrange
07b39a9418 Unregister event callback if a fatal error occurs during dispatch
If we get an I/O error in the async event callback for an RPC
client, we might not have consumed all pending data off the
wire. This could result in the callback being immediately
invoked again. At which point the same I/O might occur. And
we're invoked again. And again...And again...

Unregistering the async event callback if an error occurs is
a good safety net. The real error will be seen when the next
RPC method is invoked

* src/rpc/virnetclient.c: Unregister event callback on error
2011-07-19 14:01:19 +01:00
Osier Yang
92f0a7f5af rpc: Fix typos in rpc generator scripts
These typos are introduced by file renaming in commit b17b4afaf.

src/remote/qemu_protocol.x \
src/remote/remote_protocol.x \
src/rpc/gendispatch.pl:
    s/remote_generator/gendispatch/

src/rpc/genprotocol.pl:
    s/remote\/remote_protocol/remote_protocol/
2011-07-17 12:41:39 +08:00
Daniel P. Berrange
c8771867b8 Fix error message for missing TLS write function
* src/rpc/virnettlscontext.c: s/read/write/
2011-07-15 16:26:11 +01:00
Daniel P. Berrange
f2845177e2 Fix reporting of cert validation failures
If the server succesfully validates the client cert, it will send
back a single byte, under TLS. If it fails, it will close the
connection. In this case, we were just reporting the standard
I/O error. The original RPC code had a special case hack for the
GNUTLS_E_UNEXPECTED_PACKET_LENGTH error code to make us report
a more useful error message

* src/rpc/virnetclient.c: Return ENOMSG if we get
  GNUTLS_E_UNEXPECTED_PACKET_LENGTH
* src/rpc/virnettlscontext.c: Report cert failure if we
  see ENOMSG
2011-07-15 16:26:07 +01:00
Eric Blake
a59a99f218 virnetsocket: use new API for uniform child cleanup
Rather than trying to clean up the ssh child ourselves, and risk
subtle differences from the socket creation error path, we can
just use the new APIs.

* src/rpc/virnetsocket.c (virNetSocketFree): Use new function.
2011-07-14 12:02:25 -06:00
Eric Blake
06dbfa6d21 maint: print flags in hex during debug
Continuation of commit 313ac7fd, and enforce things with a syntax
check.

Technically, virNetServerClientCalculateHandleMode is not printing
a mode_t, but rather a collection of VIR_EVENT_HANDLE_* bits;
however, these bits are < 8, so there is no different in the
output, and that was the easiest way to silence the new syntax check.

* cfg.mk (sc_flags_debug): New syntax check.
(exclude_file_name_regexp--sc_flags_debug): Add exemptions.
* src/fdstream.c (virFDStreamOpenFileInternal): Print flags in
hex, mode_t in octal.
* src/libvirt-qemu.c (virDomainQemuMonitorCommand)
(virDomainQemuAttach): Likewise.
* src/locking/lock_driver_nop.c (virLockManagerNopInit): Likewise.
* src/locking/lock_driver_sanlock.c (virLockManagerSanlockInit):
Likewise.
* src/locking/lock_manager.c: Likewise.
* src/qemu/qemu_migration.c: Likewise.
* src/qemu/qemu_monitor.c: Likewise.
* src/rpc/virnetserverclient.c
(virNetServerClientCalculateHandleMode): Print mode with %o.
2011-07-13 07:47:45 -06:00
Daniel P. Berrange
83d768fab8 Ensure signal handler propagates fatal signals to default handler
When replacing the default SEGV/ABORT/BUS signal handlers you
can't rely on the process being terminated after your custom
handler runs. It is neccessary to manually restore the default
handler and then re-raise the signal

* src/rpc/virnetserver.c: Restore default handler and raise
  signal
2011-07-13 11:47:12 +01:00
Daniel P. Berrange
1a81687ad2 Remove unused virNetServerProgramErrorHander typedef
* src/rpc/virnetserverprogram.h: Remove unused typedef for
  virNetServerProgramErrorHander function callback
* daemon/remote.h: Remove decl for non-existant variables
2011-07-13 11:47:01 +01:00
Matthias Bolte
b253452942 rpc: Fix compile error due to potentially unused parameter
connectDBus is only used if HAVE_DBUS is set. Therefore mark
it as potentially unused.
2011-07-12 17:06:16 +02:00
Jim Fehlig
b8adfcc60c Fix build when using polkit0
V2: Remove policy kit references from virNetServer and use DBus APIs
    directly, if available.
2011-07-12 08:44:55 -06:00
Daniel P. Berrange
4403646001 Define remote wire protocol & impls for virDomainQemuAttach
This tweaks the RPC generator to cope with some naming
conventions used for the QEMU specific APIs

* daemon/remote.c: Server side dispatcher
* src/remote/remote_driver.c: Client side dispatcher
* src/remote/qemu_protocol.x: Wire protocol definition
* src/rpc/gendispatch.pl: Use '$structprefix' in method
  names, fix QEMU flags and fix dispatcher method names
2011-07-12 15:39:03 +01:00
Oskari Saarenmaa
9a0e6a8fae remote/ssh: support for no_verify.
Set StrictHostKeyChecking=no to auto-accept new ssh host keys if the
no_verify extra parameter was specified.  This won't disable host key
checking for already known hosts.  Includes a test and documentation.
2011-07-12 15:09:05 +02:00