Commit Graph

15476 Commits

Author SHA1 Message Date
Eric Blake
27553573f2 maint: clean up error reporting in migration
The choice of error message and category was not consistent
in the migration code; furthermore, the use of virLibConnError
is no longer necessary now that we have a generic virReportError.

* src/qemu/qemu_migration.c (virDomainMigrate*): Prefer
virReportError over virLibConnError.

Signed-off-by: Eric Blake <eblake@redhat.com>
2014-01-16 12:28:17 -07:00
Eric Blake
c8ed177af4 maint: don't lose error on canceled migration
While auditing the error reporting, I noticed that migration
had some issues.  Some of the static helper functions tried
to call virDispatchError(), even though their caller will also
report the error.  Also, if a migration is cancelled early
because a uri was not set, we did not guarantee that the finish
stage would not overwrite the first error message.

* src/qemu/qemu_migration.c (doPeer2PeerMigrate2)
(doPeer2PeerMigrate3): Preserve first error when cancelling.
* src/libvirt.c (virDomainMigrateVersion3Full): Likewise.
(virDomainMigrateVersion1, virDomainMigrateVersion2)
(virDomainMigrateDirect): Avoid redundant error dispatch.
(virDomainMigrateFinish2, virDomainMigrateFinish3)
(virDomainMigrateFinish3Params): Don't report error on cleanup
path.

Signed-off-by: Eric Blake <eblake@redhat.com>
2014-01-16 12:26:54 -07:00
Eric Blake
25221a1b21 maint: avoid nested use of virConnect{Ref,Close}
The public virConnectRef and virConnectClose API are just thin
wrappers around virObjectRef/virObjectRef, with added object
validation and an error reset.  Within our backend drivers, use
of the object validation is just an inefficiency since we always
pass valid objects.  More important to think about is what
happens with the error reset; our uses of virConnectRef happened
to be safe (since we hadn't encountered any earlier errors), but
in several cases the use of virConnectClose could lose a real
error.

Ideally, we should also avoid calling virConnectOpen() from
within backend drivers - but that is a known situation that
needs much more design work.

* src/qemu/qemu_process.c (qemuProcessReconnectHelper)
(qemuProcessReconnect): Avoid nested public API call.
* src/qemu/qemu_driver.c (qemuAutostartDomains)
(qemuStateInitialize, qemuStateStop): Likewise.
* src/qemu/qemu_migration.c (doPeer2PeerMigrate): Likewise.
* src/storage/storage_driver.c (storageDriverAutostart):
Likewise.
* src/uml/uml_driver.c (umlAutostartConfigs): Likewise.
* src/lxc/lxc_process.c (virLXCProcessAutostartAll): Likewise.
(virLXCProcessReboot): Likewise, and avoid leaking conn on error.

Signed-off-by: Eric Blake <eblake@redhat.com>
2014-01-16 12:25:45 -07:00
Eric Blake
c05aebfd65 maint: don't leave garbage on early API exit
Several APIs clear out a user input buffer before attempting to
populate it; but in a few cases we missed this memset if we
detect a reason for an early exit.  Note that these APIs
check for non-NULL arguments, and exit early with an error
message when NULL is passed in; which means that we must be
careful to avoid a NULL deref in order to get to that error
message.  Also, we were inconsistent on the use of
sizeof(virType) vs. sizeof(expression); the latter is more
robust if we ever change the type of the expression (although
such action is unlikely since these types are part of our
public API).

* src/libvirt.c (virDomainGetInfo, virDomainGetBlockInfo)
(virStoragePoolGetInfo, virStorageVolGetInfo)
(virDomainGetJobInfo, virDomainGetBlockJobInfo): Move memset
before any returns.

Signed-off-by: Eric Blake <eblake@redhat.com>
2014-01-16 10:45:15 -07:00
Martin Kletzander
fe89b687a0 qemu: Change the default unix monitor timeout
There is a number of reported issues when we fail starting a domain.
Turns out that, in some scenarios like high load, 3 second timeout is
not enough for qemu to start up to the phase where the socket is
created.  Since there is no downside of waiting longer, raise the
timeout right to 30 seconds.

Signed-off-by: Martin Kletzander <mkletzan@redhat.com>
2014-01-16 17:20:08 +01:00
Pavel Hrdina
84f0ddaf19 Add Pavel Hrdina to the committers list
Signed-off-by: Pavel Hrdina <phrdina@redhat.com>
2014-01-16 14:47:02 +01:00
Pavel Hrdina
bb22de2e3e Fix possible memory leak in virsh-domain-monitor.c in cmdDomblklist
In a "for" loop there are created two new strings and they may not
be freed if a "target" string cannot be obtained. We have to free
the two created strings to prevent the memory leak.

This has been found by coverity.

John also pointed out that we should somehow care about the "type"
and "device" and Osier agreed to exit with error message if one of
them is set to NULL.

Signed-off-by: Pavel Hrdina <phrdina@redhat.com>
2014-01-16 14:47:02 +01:00
Peter Krempa
362da8209d storage: Introduce internal pool support
To allow using the storage driver APIs to do operation on generic domain
disks we will need to introduce internal storage pools that will give is
a base to support this stuff even on files that weren't originally
defined as a part of the pool.

This patch introduces the 'internal' flag for a storage pool that will
prevent it from being listed along with the user defined storage pools.
2014-01-16 11:39:53 +01:00
Peter Krempa
b3c1a25df8 storage: Sheepdog: Separate creating of the volume from building
Separate the steps to create libvirt's volume metadata from the actual
volume building process.
2014-01-16 11:39:53 +01:00
Peter Krempa
e103acba23 storage: RBD: Separate creating of the volume from building
Separate the steps to create libvirt's volume metadata from the actual
volume building process.
2014-01-16 11:39:53 +01:00
Peter Krempa
67ccf91bf2 storage: disk: Separate creating of the volume from building
Separate the steps to create libvirt's volume metadata from the actual
volume building process.
2014-01-16 11:39:53 +01:00
Peter Krempa
af1fb38f55 storage: lvm: Separate creating of the volume from building
Separate the steps to create libvirt's volume metadata from the actual
volume building process. This is already done for regular file based
pools to allow job support for storage APIs.
2014-01-16 11:39:53 +01:00
Peter Krempa
7de048829a storage: Support deletion of volumes on gluster pools
Implement the "deleteVol" storage backend function for gluster volumes.
2014-01-16 11:39:53 +01:00
Christophe Fergeau
9b73290f46 conf: Always use VIR_ERR_CONFIG_UNSUPPORTED on enumFromString() failures
Currently, during XML parsing, when a call to a FromString() function to
get an enum value fails, the error which is reported is either
VIR_ERR_CONFIG_UNSUPPORTED, VIR_ERR_INTERNAL_ERROR or VIR_ERR_XML_ERROR.

This commit makes such conversion failures consistently return
VIR_ERR_CONFIG_UNSUPPORTED.
2014-01-16 11:09:43 +01:00
Christophe Fergeau
f902734bd7 Bump version to 1.2.2 for new dev cycle 2014-01-16 11:09:43 +01:00
Daniel Veillard
7b84b1673a Release of libvirt-1.2.1
* docs/news.html.in libvirt.spec.in: updated for the release
* po/*.po*: updated localization from transifex and regenerated
2014-01-16 17:25:58 +08:00
Eric Blake
f9f5634053 event: filter global events by domain:getattr ACL [CVE-2014-0028]
Ever since ACL filtering was added in commit 7639736 (v1.1.1), a
user could still use event registration to obtain access to a
domain that they could not normally access via virDomainLookup*
or virConnectListAllDomains and friends.  We already have the
framework in the RPC generator for creating the filter, and
previous cleanup patches got us to the point that we can now
wire the filter through the entire object event stack.

Furthermore, whether or not domain:getattr is honored, use of
global events is a form of obtaining a list of networks, which
is covered by connect:search_domains added in a93cd08 (v1.1.0).
Ideally, we'd have a way to enforce connect:search_domains when
doing global registrations while omitting that check on a
per-domain registration.  But this patch just unconditionally
requires connect:search_domains, even when no list could be
obtained, based on the following observations:
1. Administrators are unlikely to grant domain:getattr for one
or all domains while still denying connect:search_domains - a
user that is able to manage domains will want to be able to
manage them efficiently, but efficient management includes being
able to list the domains they can access.  The idea of denying
connect:search_domains while still granting access to individual
domains is therefore not adding any real security, but just
serves as a layer of obscurity to annoy the end user.
2. In the current implementation, domain events are filtered
on the client; the server has no idea if a domain filter was
requested, and must therefore assume that all domain event
requests are global.  Even if we fix the RPC protocol to
allow for server-side filtering for newer client/server combos,
making the connect:serach_domains ACL check conditional on
whether the domain argument was NULL won't benefit older clients.
Therefore, we choose to document that connect:search_domains
is a pre-requisite to any domain event management.

Network events need the same treatment, with the obvious
change of using connect:search_networks and network:getattr.

* src/access/viraccessperm.h
(VIR_ACCESS_PERM_CONNECT_SEARCH_DOMAINS)
(VIR_ACCESS_PERM_CONNECT_SEARCH_NETWORKS): Document additional
effect of the permission.
* src/conf/domain_event.h (virDomainEventStateRegister)
(virDomainEventStateRegisterID): Add new parameter.
* src/conf/network_event.h (virNetworkEventStateRegisterID):
Likewise.
* src/conf/object_event_private.h (virObjectEventStateRegisterID):
Likewise.
* src/conf/object_event.c (_virObjectEventCallback): Track a filter.
(virObjectEventDispatchMatchCallback): Use filter.
(virObjectEventCallbackListAddID): Register filter.
* src/conf/domain_event.c (virDomainEventFilter): New function.
(virDomainEventStateRegister, virDomainEventStateRegisterID):
Adjust callers.
* src/conf/network_event.c (virNetworkEventFilter): New function.
(virNetworkEventStateRegisterID): Adjust caller.
* src/remote/remote_protocol.x
(REMOTE_PROC_CONNECT_DOMAIN_EVENT_REGISTER)
(REMOTE_PROC_CONNECT_DOMAIN_EVENT_REGISTER_ANY)
(REMOTE_PROC_CONNECT_NETWORK_EVENT_REGISTER_ANY): Generate a
filter, and require connect:search_domains instead of weaker
connect:read.
* src/test/test_driver.c (testConnectDomainEventRegister)
(testConnectDomainEventRegisterAny)
(testConnectNetworkEventRegisterAny): Update callers.
* src/remote/remote_driver.c (remoteConnectDomainEventRegister)
(remoteConnectDomainEventRegisterAny): Likewise.
* src/xen/xen_driver.c (xenUnifiedConnectDomainEventRegister)
(xenUnifiedConnectDomainEventRegisterAny): Likewise.
* src/vbox/vbox_tmpl.c (vboxDomainGetXMLDesc): Likewise.
* src/libxl/libxl_driver.c (libxlConnectDomainEventRegister)
(libxlConnectDomainEventRegisterAny): Likewise.
* src/qemu/qemu_driver.c (qemuConnectDomainEventRegister)
(qemuConnectDomainEventRegisterAny): Likewise.
* src/uml/uml_driver.c (umlConnectDomainEventRegister)
(umlConnectDomainEventRegisterAny): Likewise.
* src/network/bridge_driver.c
(networkConnectNetworkEventRegisterAny): Likewise.
* src/lxc/lxc_driver.c (lxcConnectDomainEventRegister)
(lxcConnectDomainEventRegisterAny): Likewise.

Signed-off-by: Eric Blake <eblake@redhat.com>
2014-01-15 13:55:21 -07:00
Eric Blake
8d9d098b6d event: wire up RPC for server-side network event filtering
We haven't had a release with network events yet, so we are free
to fix the RPC so that it actually does what we want.  Doing
client-side filtering of per-network events is inefficient if a
connection is only interested in events on a single network out
of hundreds available on the server.  But to do server-side
per-network filtering, the server needs to know which network
to filter on - so we need to pass an optional network over on
registration.  Furthermore, it is possible to have a client with
both a global and per-network filter; in the existing code, the
server sends only one event and the client replicates to both
callbacks.  But with server-side filtering, the server will send
the event twice, so we need a way for the client to know which
callbackID is sending an event, to ensure that the client can
filter out events from a registration that does not match the
callbackID from the server.  Likewise, the existing style of
deregistering by eventID alone is fine; but in the new style,
we have to remember which callbackID to delete.

This patch fixes the RPC wire definition to contain all the
needed pieces of information, and hooks into the server and
client side improvements of the previous patches, in order to
switch over to full server-side filtering of network events.
Also, since we fixed this in time, all released versions of
libvirtd that support network events also support per-network
filtering, so we can hard-code that assumption into
network_event.c.

Converting domain events to server-side filtering will require
the introduction of new RPC numbers, as well as a server
feature bit that the client can use to tell whether to use
old-style (server only supports global events) or new-style
(server supports filtered events), so that is deferred to a
later set of patches.

* src/conf/network_event.c (virNetworkEventStateRegisterClient):
Assume server-side filtering.
* src/remote/remote_protocol.x
(remote_connect_network_event_register_any_args): Add network
argument.
(remote_connect_network_event_register_any_ret): Return callbackID
instead of count.
(remote_connect_network_event_deregister_any_args): Pass
callbackID instead of eventID.
(remote_connect_network_event_deregister_any_ret): Drop unused
type.
(remote_network_event_lifecycle_msg): Add callbackID.
* daemon/remote.c
(remoteDispatchConnectNetworkEventDeregisterAny): Drop unused arg,
and deal with callbackID from client.
(remoteRelayNetworkEventLifecycle): Pass callbackID.
(remoteDispatchConnectNetworkEventRegisterAny): Likewise, and
recognize non-NULL network.
* src/remote/remote_driver.c
(remoteConnectNetworkEventRegisterAny): Pass network, and track
server side id.
(remoteConnectNetworkEventDeregisterAny): Deregister by callback id.
(remoteNetworkBuildEventLifecycle): Pass remote id to event queue.
* src/remote_protocol-structs: Regenerate.

Signed-off-by: Eric Blake <eblake@redhat.com>
2014-01-15 13:55:21 -07:00
Eric Blake
a59097e569 event: add notion of remoteID for filtering client network events
In order to mirror a server with per-object filtering, the client
needs to track which server callbackID is servicing the client
callback.  This patch introduces the notion of a serverID, as
well as the plumbing to use it for network events, although the
actual complexity of using per-object filtering in the remote
driver is deferred to a later patch.

* src/conf/object_event.h (virObjectEventStateEventID): Add parameter.
(virObjectEventStateQueueRemote, virObjectEventStateSetRemote):
New prototypes.
(virObjectEventStateRegisterID): Move...
* src/conf/object_event_private.h: ...here, and add parameter.
(_virObjectEvent): Add field.
* src/conf/network_event.h (virNetworkEventStateRegisterClient): New
prototype.
* src/conf/object_event.c (_virObjectEventCallback): Add field.
(virObjectEventStateSetRemote): New function.
(virObjectEventStateQueue): Make wrapper around...
(virObjectEventStateQueueRemote): New function.
(virObjectEventCallbackListCount): Tweak return count when remote
id matching is used.
(virObjectEventCallbackLookup, virObjectEventStateRegisterID):
Tweak registration when remote id matching will be used.
(virObjectEventNew): Default to no remote id.
(virObjectEventCallbackListAddID): Likewise, but set remote id
when one is available.
(virObjectEventCallbackListRemoveID)
(virObjectEventCallbackListMarkDeleteID): Adjust return value when
remote id was set.
(virObjectEventStateEventID): Query existing id.
(virObjectEventDispatchMatchCallback): Require matching event id.
(virObjectEventStateCallbackID): Adjust caller.
* src/conf/network_event.c (virNetworkEventStateRegisterClient): New
function.
(virNetworkEventStateRegisterID): Update caller.
* src/conf/domain_event.c (virDomainEventStateRegister)
(virDomainEventStateRegisterID): Update callers.
* src/remote/remote_driver.c
(remoteConnectNetworkEventRegisterAny)
(remoteConnectNetworkEventDeregisterAny)
(remoteConnectDomainEventDeregisterAny): Likewise.
(remoteEventQueue): Hoist earlier to avoid forward declaration,
and add parameter.  Adjust all callers.
* src/libvirt_private.syms (conf/object_event.h): Drop function.

Signed-off-by: Eric Blake <eblake@redhat.com>
2014-01-15 13:55:21 -07:00
Eric Blake
b9d14ef03b event: track callbackID on daemon side of RPC
Right now, the daemon side of RPC events is hard-coded to at most
one callback per eventID.  But when there are hundreds of domains
or networks coupled and multiple conections, then sending every
event to every connection that wants an event, even for the
connections that only care about events for a particular object,
is inefficient.  In order to track more than one callback in the
server, we need to store callbacks by more than just their
eventID.  This patch rearranges the daemon side to store network
callbacks in a dynamic array, which can eventually be used for
multiple callbacks of the same eventID, although actual behavior
is unchanged without further patches to the RPC protocol.  For
ease of review, domain events are saved for a later patch, as
they touch more code.

While at it, fix a bug where a malicious client could send a
negative eventID to cause network event registration to access
outside of array bounds (thankfully not a CVE, since domain
events were already doing the bounds check, and since network
events have not been released).

* daemon/libvirtd.h (daemonClientPrivate): Alter the tracking of
network events.
* daemon/remote.c (daemonClientEventCallback): New struct.
(remoteEventCallbackFree): New function.
(remoteClientInitHook, remoteRelayNetworkEventLifecycle)
(remoteClientFreeFunc)
(remoteDispatchConnectNetworkEventRegisterAny): Track network
callbacks differently.
(remoteDispatchConnectNetworkEventDeregisterAny): Enforce bounds.

Signed-off-by: Eric Blake <eblake@redhat.com>
2014-01-15 13:55:20 -07:00
Peter Krempa
b952cbbcca qemu: Avoid operations on NULL monitor if VM fails early
https://bugzilla.redhat.com/show_bug.cgi?id=1047659

If a VM dies very early during an attempted connect to the guest agent
while the locks are down the domain monitor object will be freed. The
object is then accessed later as any failure during guest agent startup
isn't considered fatal.

In the current upstream version this doesn't lead to a crash as
virObjectLock called when entering the monitor in
qemuProcessDetectVcpuPIDs checks the pointer before attempting to
dereference (lock) it. The NULL pointer is then caught in the monitor
helper code.

Before the introduction of virObjectLockable - observed on 0.10.2 - the
pointer is locked directly via virMutexLock leading to a crash.

To avoid this problem we need to differentiate between the guest agent
not being present and the VM quitting when the locks were down. The fix
reorganizes the code in qemuConnectAgent to add the check and then adds
special handling to the callers.
2014-01-15 18:04:25 +01:00
Eric Blake
974e591452 tests: be more explicit on qcow2 versions in virstoragetest
While working on v1.0.5-maint (the branch in use on Fedora 19)
with the host at Fedora 20, I got a failure in virstoragetest.
I traced it to the fact that we were using qemu-img to create a
qcow2 file, but qemu-img changed from creating v2 files by
default in F19 to creating v3 files in F20.  Rather than leaving
it up to qemu-img, it is better to write the test to force
testing of BOTH file formats (better code coverage and all).

This patch alone does not fix all the failures in v1.0.5-maint;
for that, we must decide to either teach the older branch to
understand v3 files, or to reject them outright as unsupported.
But for upstream, making the test less dependent on changing
qemu-img defaults is always a good thing.

* tests/virstoragetest.c (testPrepImages): Simplify creation of
raw file; check if qemu supports compat and if so use it.

Signed-off-by: Eric Blake <eblake@redhat.com>
2014-01-15 09:19:14 -07:00
Eric Blake
908903b317 docs: mention maintenance branches
Mitre tried to assign us two separate CVEs for the fix for
https://bugzilla.redhat.com/show_bug.cgi?id=1047577, on the
grounds that the fixes were separated by more than an hour
and thus triggered different hourly snapshots.  But we
explicitly do NOT want to treat transient security bugs as
CVEs if they can only be triggered by patches in libvirt.git
but where the problem is cleaned up before a formal release.

Meanwhile, I noticed that while our wiki mentioned maintenance
branches and releases, our formal documentation did not.

* docs/downloads.html.in: Contrast hourly snapshots with
maintenance branches.

Signed-off-by: Eric Blake <eblake@redhat.com>
2014-01-15 09:12:25 -07:00
Claudio Bley
e8eb8d8497 Fix docs for PMWakeup/PMSuspend callback types
s/is waken up/is woken up/

A registered PMSuspendCallback is called when the domain is suspended, not
when it is woken up.
2014-01-15 17:00:18 +01:00
Pavel Hrdina
ab8692b639 Fix coverity complain in commandtest.c
For a "newfd1" the coverity tools thinks that the fd is closed in
a "virCommandPassFD", but with "flags == 0" it cannot be closed.

The code itself is ok, but coverity tool thinks that there is
"double_close" of the "newfd1" and to prevent showing this error
we simply add a comment before the proper close.

This has been found by coverity.

Signed-off-by: Pavel Hrdina <phrdina@redhat.com>
2014-01-15 11:18:23 +01:00
Pavel Hrdina
7a0e744399 Fix memory leak in securityselinuxlabeltest.c
Strings "file" and "context" may not be freed if "VIR_EXPAND_N" fails
and it leads into memory leak.

This has been found by coverity.

Signed-off-by: Pavel Hrdina <phrdina@redhat.com>
2014-01-15 11:18:23 +01:00
Pavel Hrdina
67fbf129fc Fix possible memory leak in util/virxml.c
A "xmlstr" string may not be assigned into a "doc" pointer and it
could cause memory leak. To fix it if the "doc" pointer is NULL and
the "xmlstr" string is not assigned we should free it.

This has been found by coverity.

Signed-off-by: Pavel Hrdina <phrdina@redhat.com>
2014-01-15 11:11:34 +01:00
Pavel Hrdina
788e6cb25b Fix possible memory leak in phyp_driver.c
There could be a memory leak caused by "managed_system" string, if any
error occurs before "managed_system" is assigned into
"phyp_driver->managed_system". The "managed_system" string wouldn't be
freed at all. The better way is to free the "managed_system" instead
of the one assigned in the "phyp_driver".

This has been found by coverity.

Pointed out by John, that the "phyp_driver->xmlopt" needs to be
unreferenced as well.

Signed-off-by: Pavel Hrdina <phrdina@redhat.com>
Signed-off-by: John Ferlan <jferlan@redhat.com>
2014-01-15 11:11:34 +01:00
Pavel Hrdina
7ed02a0003 Fix memory leak in openvz_conf.c
If there is no error while executing a function "openvzParseBarrierLimit"
a "str" string where is duplicate of a "value" string isn't freed and it
leads into memory leak.

This has been found by coverity.

Signed-off-by: Pavel Hrdina <phrdina@redhat.com>
2014-01-15 11:11:34 +01:00
Gao feng
ba906a3d58 Add Gao feng to the committers list
Signed-off-by: Gao feng <gaofeng@cn.fujitsu.com>
2014-01-15 08:49:44 +08:00
Eric Blake
31d43dc578 maint: ignore transient files during tests
I ran 'git add .' for a patch in progress, while in the middle
of running 'make check' to test my work, and was surprised when
it picked up some files I wasn't expecting.

* .gitignore: Ignore *.pem.

Signed-off-by: Eric Blake <eblake@redhat.com>
2014-01-14 14:31:13 -07:00
Nehal J Wani
b22f772610 Fix memory leak in testDomainCreateXMLMixed()
While running objecteventtest, it was found that valgrind pointed out the
following memory leak:

==125== 538 (56 direct, 482 indirect) bytes in 1 blocks are definitely lost in loss record 216 of 226
==125==    at 0x4A06B6F: calloc (vg_replace_malloc.c:593)
==125==    by 0x4C65D8D: virAllocVar (viralloc.c:558)
==125==    by 0x4C9F055: virObjectNew (virobject.c:190)
==125==    by 0x4D2B2E8: virGetDomain (datatypes.c:220)
==125==    by 0x4D79180: testDomainDefineXML (test_driver.c:2962)
==125==    by 0x4D4977D: virDomainDefineXML (libvirt.c:8512)
==125==    by 0x4029C2: testDomainCreateXMLMixed (objecteventtest.c:226)
==125==    by 0x403A21: virtTestRun (testutils.c:138)
==125==    by 0x4021C2: mymain (objecteventtest.c:549)
==125==    by 0x4040C2: virtTestMain (testutils.c:593)
==125==    by 0x341F421A04: (below main) (libc-start.c:225)

Signed-off-by: Ján Tomko <jtomko@redhat.com>
2014-01-14 14:49:07 +01:00
Jiri Denemark
066c8ef6c1 Really don't crash if a connection closes early
https://bugzilla.redhat.com/show_bug.cgi?id=1047577

When writing commit 173c291, I missed the fact virNetServerClientClose
unlocks the client object before actually clearing client->sock and thus
it is possible to hit a window when client->keepalive is NULL while
client->sock is not NULL. I was thinking client->sock == NULL was a
better check for a closed connection but apparently we have to go with
client->keepalive == NULL to actually fix the crash.

Signed-off-by: Jiri Denemark <jdenemar@redhat.com>
2014-01-13 21:45:48 +01:00
Peter Krempa
fbe472d583 storage: FS: Tweak some comments and fix typos 2014-01-13 21:24:03 +01:00
Eric Blake
c91d13bd0f build: fix build on mingw with winpthreads
On my Fedora 20 box with mingw cross-compiler, the build failed with:

../../src/rpc/virnetclient.c: In function 'virNetClientSetTLSSession':
../../src/rpc/virnetclient.c:745:14: error: unused variable 'oldmask' [-Werror=unused-variable]
     sigset_t oldmask, blockedsigs;
              ^

I traced it to the fact that mingw64-winpthreads installs a header
that does #define pthread_sigmask(...) 0, which means any argument
only ever passed to pthread_sigmask is reported as unused.  This
patch works around the compilation failure, with behavior no worse
than what mingw already gives us regarding the function being a
no-op.

* configure.ac (pthread_sigmask): Probe for broken mingw macro.
* src/util/virutil.h (pthread_sigmask): Rewrite to something that
avoids unused variables.

Signed-off-by: Eric Blake <eblake@redhat.com>
2014-01-13 09:14:11 -07:00
Peter Krempa
d952619894 storage: Break long lines and clean up spaces in storage backend header 2014-01-13 11:21:33 +01:00
Jiri Denemark
173c291473 Don't crash if a connection closes early
https://bugzilla.redhat.com/show_bug.cgi?id=1047577

When a client closes its connection to libvirtd early during
virConnectOpen, more specifically just after making
REMOTE_PROC_CONNECT_SUPPORTS_FEATURE call to check if
VIR_DRV_FEATURE_PROGRAM_KEEPALIVE is supported without even waiting for
the result, libvirtd may crash due to a race in keep-alive
initialization. Once receiving the REMOTE_PROC_CONNECT_SUPPORTS_FEATURE
call, the daemon's event loop delegates it to a worker thread. In case
the event loop detects EOF on the connection and calls
virNetServerClientClose before the worker thread starts to handle
REMOTE_PROC_CONNECT_SUPPORTS_FEATURE call, client->keepalive will be
disposed by the time virNetServerClientStartKeepAlive gets called from
remoteDispatchConnectSupportsFeature. Because the flow is common for
both authenticated and read-only connections, even unprivileged clients
may cause the daemon to crash.

To avoid the crash, virNetServerClientStartKeepAlive needs to check if
the connection is still open before starting keep-alive protocol.

Every libvirt release since 0.9.8 is affected by this bug.
2014-01-13 11:09:59 +01:00
Daniel P. Berrange
53a699a07b Exercise the ABI stability check code in test suite
Any test suite which involves a virDomainDefPtr should
call virDomainDefCheckABIStability with itself just as
a basic sanity check that the identity-comparison always
succeeds. This would have caught the recent NULL pointer
access crash.

Make sure we cope with def->name being NULL since the
VMWare config parser produces NULL names.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2014-01-10 20:32:48 +00:00
Eric Blake
dd0dda2e4a schema: fix idmap validation
When idmap was added to LXC, we forgot to cover it in the testsuite.
The schema was missing an <element> layer, and as a result,
virt-xml-validate was failing on valid dumpxml output.

Reported by Eduard - Gabriel Munteanu on IRC.

* docs/schemas/domaincommon.rng (idmap): Include <idmap> element,
and support interleaves.
* tests/lxcxml2xmldata/lxc-idmap.xml: New file.
* tests/lxcxml2xmltest.c (mymain): Test it.

Signed-off-by: Eric Blake <eblake@redhat.com>
2014-01-10 10:54:14 -07:00
Peter Krempa
558ffad55e storage: Improve error message when a storage backend is missing
Include the name of the storage backend in the error message instead of
just the number.
2014-01-10 09:39:57 +01:00
Peter Krempa
af38f83074 storage: lvm: Avoid forward decl of virStorageBackendLogicalDeleteVol
Change code ordering to avoid the need for a forward declaration.
2014-01-10 09:39:57 +01:00
Peter Krempa
1c0e2b6099 storage: fs: Fix comment for virStorageBackendFileSystemDelete
The comment was talking about creating the pool while the function is
deleting it. Fix the mismatch.
2014-01-10 09:35:30 +01:00
Claudio Bley
c4dadf2393 Clarify documentation on possible return values in case of errors 2014-01-10 09:30:57 +01:00
Eric Blake
f86e463040 event: don't queue NULL event on OOM
Ever since commit 61ac8ce, Coverity complained about
remoteNetworkBuildEventLifecycle not checking for NULL failure
to build an event, compared to other calls in the code base.
But the problem is latent from copy and paste; all 17 of our
remote*BuildEvent* functions in remote_driver.c have the same
issue - if an OOM causes an event to not be built, we happily
pass NULL to remoteEventQueue(), but that function has marked
event as a nonnull parameter.  We were getting lucky (the
event queue's first use of the event happened to be a call to
virIsObjectClass(), which acts gracefully on NULL, so there
was no way to crash); but this is a latent bug waiting to bite
us due to the disregard for the nonnull attribute, as well as
a waste of resources in the event queue.  Better is to just
refuse to queue NULL.  The discard is silent, since the problem
only happens on OOM, and since events are already best effort -
if we fail to get an event, it's not like we have any memory
left to report the issue, nor any idea of who would benefit
from knowing we couldn't create or queue the event.

* src/remote/remote_driver.c (remoteEventQueue): Ignore NULL event.

Signed-off-by: Eric Blake <eblake@redhat.com>
2014-01-09 20:21:38 -07:00
Eric Blake
3d007cb5f8 virt-login-shell: fix regressions in behavior
Our fixes for CVE-2013-4400 were so effective at "fixing" bugs
in virt-login-shell that we ended up fixing it into a useless
do-nothing program.

Commit 3e2f27e1 picked the name LIBVIRT_SETUID_RPC_CLIENT for
the witness macro when we are doing secure compilation.  But
commit 9cd6a57d checked whether the name IN_VIRT_LOGIN_SHELL,
from an earlier version of the patch series, was defined; with
the net result that virt-login-shell invariably detected that
it was setuid and failed virInitialize.

Commit b7fcc799 closed all fds larger than stderr, but in the
wrong place.  Looking at the larger context, we mistakenly did
the close in between obtaining the set of namespace fds, then
actually using those fds to switch namespace, which means that
virt-login-shell will ALWAYS fail.

This is the minimal patch to fix the regressions, although
further patches are also worth having to clean up poor
semantics of the resulting program (for example, it is rude to
not pass on the exit status of the wrapped program back to the
invoking shell).

* tools/virt-login-shell.c (main): Don't close fds until after
namespace swap.
* src/libvirt.c (virGlobalInit): Use correct macro.

Signed-off-by: Eric Blake <eblake@redhat.com>
2014-01-09 15:05:04 -07:00
Eric Blake
dd0e04d9d0 maint: improve VIR_ERR_INVALID_DOMAIN_SNAPSHOT usage
The existing check of domain snapshots validated that they
point to a domain, but did not validate that the domain
points to a connection, even though any errors blindly assume
the connection is valid.  On the other hand, as mentioned in
commit 6e130ddc, any valid domain is already tied to a valid
connection, and VIR_IS_SNAPSHOT vs. VIR_IS_DOMAIN_SNAPSHOT
makes no real difference; it's best to just validate the chain
of all three.  For consistency with previous patches, continue
the trend of using a common macro.  For now, we don't need
virCheckDomainSnapshotGoto().

* src/datatypes.h (virCheckDomainSnapshotReturn): New macro.
(VIR_IS_SNAPSHOT, VIR_IS_DOMAIN_SNAPSHOT):
Drop unused macros.
* src/libvirt.c: Use macro throughout.
(virLibDomainSnapshotError): Drop unused macro.

Signed-off-by: Eric Blake <eblake@redhat.com>
2014-01-09 14:47:02 -07:00
Eric Blake
7d0a0ab7dd maint: improve VIR_ERR_INVALID_NWFILTER usage
While all errors related to invalid nwfilters appeared to be
consistent, we might as well continue the trend of using a
common macro.  As in commit 6e130ddc, the difference between
VIR_IS_NWFILTER and VIR_IS_CONNECTED_NWFILTER is moot, since
reference counting means any valid nwfilter is also tied to
a valid connection.  For now, we don't need virCheckNWFilterGoto().

* src/datatypes.h (virCheckNWFilterReturn): New macro.
(VIR_IS_NWFILTER, VIR_IS_CONNECTED_NWFILTER): Drop unused macros.
* src/libvirt.c: Use macro throughout.
(virLibNWFilterError): Drop unused macro.

Signed-off-by: Eric Blake <eblake@redhat.com>
2014-01-09 14:35:08 -07:00
Eric Blake
101f176ae4 maint: improve VIR_ERR_INVALID_STREAM usage
For streams validation, we weren't consistent on whether to
use VIR_FROM_NONE or VIR_FROM_STREAMS.  Furthermore, in many
API, we want to ensure that a stream is tied to the same
connection as the other object we are operating on; while
other API failed to validate the stream at all.  And the
difference between VIR_IS_STREAM and VIR_IS_CONNECTED_STREAM
is moot; as in commit 6e130ddc, we know that reference
counting means a valid stream will always be tied to a valid
connection.  Similar to previous patches, use a common macro
to make it nicer.

* src/datatypes.h (virCheckStreamReturn, virCheckStreamGoto):
New macros.
(VIR_IS_STREAM, VIR_IS_CONNECTED_STREAM): Drop unused macros.
* src/libvirt.c: Use macro throughout.
(virLibStreamError): Drop unused macro.

Signed-off-by: Eric Blake <eblake@redhat.com>
2014-01-09 14:13:01 -07:00
Eric Blake
916273eb94 maint: improve VIR_ERR_INVALID_SECRET usage
While all errors related to invalid secrets appeared to be
consistent, we might as well continue the trend of using a
common macro.  Just as in commit 6e130ddc, the difference
between VIR_IS_SECRET and VIR_IS_CONNECTED_SECRET is moot
(due to reference counting, any valid secret must be tied to
a valid domain).  For now, we don't need virCheckSecretGoto().

* src/datatypes.h (virCheckSecretReturn): New macro.
(VIR_IS_SECRET, VIR_IS_CONNECTED_SECRET): Drop unused macros.
* src/libvirt.c: Use macro throughout.
(virLibSecretError): Drop unused macro.

Signed-off-by: Eric Blake <eblake@redhat.com>
2014-01-09 13:55:20 -07:00
Eric Blake
9ec935d565 maint: improve VIR_ERR_INVALID_NODE_DEVICE usage
While all errors related to invalid node device appeared to be
consistent, we might as well continue the trend of using a
common macro.  For now, we don't need virCheckNodeDeviceGoto().

* src/datatypes.h (virCheckNodeDeviceReturn): New macro.
(VIR_IS_NODE_DEVICE, VIR_IS_CONNECTED_NODE_DEVICE): Drop
unused macros.
* src/libvirt.c: Use macro throughout.
(virLibNodeDeviceError): Drop unused macro.

Signed-off-by: Eric Blake <eblake@redhat.com>
2014-01-09 11:29:45 -07:00