Commit Graph

208 Commits

Author SHA1 Message Date
Jiri Denemark
4864e377c9 sanlock: Use VIR_ERR_RESOURCE_BUSY if sanlock_acquire fails
When acquiring resource via sanlock fails, we would report it as
VIR_ERR_INTERNAL_ERROR, which is not very friendly to applications using
libvirt. Moreover, the lockd driver would report the same failure as
VIR_ERR_RESOURCE_BUSY, which looks better.

Unfortunately, in sanlock driver we don't really know if acquiring the
resource failed because it was already locked or there was another
reason behind. But the end result is the same and I think using
VIR_ERR_RESOURCE_BUSY reason for all acquire failures is still better
than what we have now.

https://bugzilla.redhat.com/show_bug.cgi?id=1165119
Signed-off-by: Jiri Denemark <jdenemar@redhat.com>
2015-04-15 09:40:42 +02:00
Ján Tomko
a0482396d7 Remove unused macros
In the order of appearance:

* MAX_LISTEN - never used
  added by 23ad665c (qemud) and addec57 (lock daemon)

* NEXT_FREE_CLASS_ID - never used, added by 07d1b6b

* virLockError - never used, added by eb8268a4

* OPENVZ_MAX_ARG, CMDBUF_LEN, CMDOP_LEN
  unused since the removal of ADD_ARG_LIT in d8b31306

* QEMU_NB_PER_CPU_STAT_PARAM - unused since 897808e

* QEMU_CMD_PROMPT, QEMU_PASSWD_PROMPT - unused since 1dc10a7

* TEST_MODEL_WORDSIZE - unused since c25c18f7

* TEMPDIR - never used, added by 714bef5

* NSIG - workaround around old headers
  added by commit 60ed1d2
  unused since virExec was moved by commit 02e8691

* DO_TEST_PARSE - never used, added by 9afa006

* DIFF_MSEC, GETTIMEOFDAY - unused since eee6eb6
2015-04-02 10:27:56 +02:00
Jiri Denemark
667cce7b60 Set thread job for every RPC call
Since all APIs are also RPC calls, we automatically get all APIs covered
with thread jobs.

Signed-off-by: Jiri Denemark <jdenemar@redhat.com>
2015-03-25 10:00:54 +01:00
Jiri Denemark
54972be843 sanlock: Don't spam logs with "target pid not found"
Commit v1.2.4-52-gda879e5 fixed issues with domains started before
sanlock driver was enabled by checking whether a running domain is
registered with sanlock and if it's not, sanlock driver is basically
ignored for the domain.

However, it was checking this even for domain which has just been
started and no sanlock_* API was called for them yet. This results in

    cmd 9 target pid 2135544 not found

error messages to appear in sanlock.log whenever we start a new domain.

This patch avoids this useless check for freshly started domains.

Signed-off-by: Jiri Denemark <jdenemar@redhat.com>
2015-03-09 13:36:40 +01:00
Jiri Denemark
6beb75d96d locking: Fix flags in virLockManagerLockDaemonNew
virLockManager*New APIs are never called with
VIR_LOCK_MANAGER_USES_STATE. Moreover, lockd driver does not maintain
any state that would need to be transferred during migration and thus it
should not mention VIR_LOCK_MANAGER_USES_STATE at all.

Signed-off-by: Jiri Denemark <jdenemar@redhat.com>
2015-03-09 13:36:39 +01:00
Jiri Denemark
bc6e206322 Search for schemas and cpu_map.xml in source tree
Not all files we want to find using virFileFindResource{,Full} are
generated when libvirt is built, some of them (such as RNG schemas) are
distributed with sources. The current API was not able to find source
files if libvirt was built in VPATH.

Both RNG schemas and cpu_map.xml are distributed in source tarball.

Signed-off-by: Jiri Denemark <jdenemar@redhat.com>
2015-02-19 15:25:04 +01:00
Ján Tomko
1390c26847 safezero: fall back to writing zeroes even when resizing
Remove the resize flag and use the same code path for all callers.
This flag was added by commit 18f0316 to allow virStorageFileResize
use 'safezero' while preserving the behavior.

Explicitly return -2 when a fallback to a different method should
be done, to make the code path more obvious.

Fail immediately when ftruncate fails in the mmap method,
as we did before commit 18f0316.
2015-01-09 13:48:23 +01:00
John Ferlan
18f03166fd virstoragefile: Have virStorageFileResize use safezero
Currently virStorageFileResize() function uses build conditionals to
choose either the posix_fallocate() or syscall(SYS_fallocate) with no
fallback in order to preallocate the space in the newly resized file.

Since the safezero code has a similar set of conditionals modify the
resize and safezero code in order to allow the resize logic to make use
of safezero to unify the look/feel of the code paths.

Add a new boolean (resize) to safezero() to make the optional decision
whether to try syscall(SYS_fallocate) if the posix_fallocate fails because
HAVE_POSIX_FALLOCATE is not defined (eg, return -1 and errno == 0).

Create a local safezero_sys_fallocate in order to handle the resize
code paths that support that.  If not present, the set errno = ENOSYS
in order to allow the caller to handle the failure scenarios.

Signed-off-by: John Ferlan <jferlan@redhat.com>
2014-12-16 13:11:35 -05:00
Daniel P. Berrange
ac1ce21550 fix typo in sanlock driver s/VIR_CONF_UONG/VIR_CONF_ULONG/
fix typo introduced in previous commit
2014-12-15 10:08:06 +00:00
Michal Privoznik
ca4f9518b8 virconf: Introduce VIR_CONF_ULONG
https://bugzilla.redhat.com/show_bug.cgi?id=1160995

In our config files users are expected to pass several integer values
for different configuration knobs. However, majority of them expect a
nonnegative number and only a few of them accept a negative number too
(notably keepalive_interval in libvirtd.conf).
Therefore, a new type to config value is introduced: VIR_CONF_ULONG
that is set whenever an integer is positive or zero. With this
approach knobs accepting VIR_CONF_LONG should accept VIR_CONF_ULONG
too.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
2014-12-15 10:34:18 +01:00
Michal Privoznik
f81a702180 virConfType: switch to VIR_ENUM_{DECL,IMPL}
There's no need to implement ToString() function like we do if we
can use our shiny macros.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
2014-12-15 10:34:18 +01:00
John Ferlan
8fb3aee2f8 Replace virDomainFree with virObjectUnref
Since virDomainFree will call virObjectUnref anyway, let's just use that
directly so as to avoid the possibility that we inadvertently clear out
a pending error message when using the public API.
2014-12-02 11:03:40 -05:00
Martin Kletzander
138c2aee01 Remove unnecessary curly brackets in rest of src/[a-n]*/
Signed-off-by: Martin Kletzander <mkletzan@redhat.com>
2014-11-14 17:13:36 +01:00
Eric Blake
ff99c79195 maint: avoid static zero init in helpers
C guarantees that static variables are zero-initialized.  Some older
compilers (and also gcc -fno-zero-initialized-in-bss) create larger
binaries if you explicitly zero-initialize a static variable.

* src/conf/nwfilter_conf.c: Fix initialization.
* src/cpu/cpu_x86.c: Likewise.
* src/interface/interface_backend_netcf.c: Likewise.
* src/locking/lock_daemon.c: Likewise.
* src/locking/lock_driver_lockd.c: Likewise.
* src/locking/lock_driver_sanlock.c: Likewise.
* src/network/bridge_driver.c: Likewise.
* src/node_device/node_device_udev.c: Likewise.
* src/nwfilter/nwfilter_learnipaddr.c: Likewise.
* src/rpc/virnetserver.c: Likewise.
* src/security/security_selinux.c
(virSecuritySELinuxGenSecurityLabel): Likewise.

Signed-off-by: Eric Blake <eblake@redhat.com>
2014-10-29 09:55:09 -06:00
Martin Kletzander
8035f2e6f2 remove redundant pidfile path constructions
Signed-off-by: Martin Kletzander <mkletzan@redhat.com>
2014-09-15 09:49:34 +02:00
Jiri Denemark
760cf5d30e sanlock: Avoid freeing uninitialized value
https://bugzilla.redhat.com/show_bug.cgi?id=1136788
Signed-off-by: Jiri Denemark <jdenemar@redhat.com>
2014-09-03 15:22:10 +02:00
Michal Privoznik
66eaa887e9 Fix spacing around commas
On some places in the libvirt code we have:

  f(a,z)

instead of

  f(a, z)

This trivial patch fixes couple of such occurrences.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
2014-08-22 15:03:39 +02:00
Martin Kletzander
e1f2ec67c2 rpc: set listen backlog on FDs as well as on other sockets
Signed-off-by: Martin Kletzander <mkletzan@redhat.com>
2014-08-22 09:12:13 +02:00
Martin Kletzander
8989597cd9 util: abstract parsing of passed FDs into virGetListenFDs()
Since not only systemd can do this (we'll be doing it as well few
patches later), change 'systemd' to 'caller' and fix LISTEN_FDS to
LISTEN_PID where applicable.

Signed-off-by: Martin Kletzander <mkletzan@redhat.com>
2014-08-22 09:12:13 +02:00
Michal Privoznik
607806f87f Fix const correctness
In many places we define a variable as a 'const char *' when in fact
we modify it just a few lines below. Or even free it. We should not do
that.

There's one exception though, in xenSessionFree() xenapi_utils.c. We
are freeing the xen_session structure which is defined in
xen/api/xen_common.h public header. The structure contains session_id
which is type of 'const char *' when in fact it should have been just
'char *'. So I'm leaving this unmodified, just noticing the fact in
comment.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
2014-07-16 12:07:24 +02:00
Peter Krempa
68f0deb0dc locking: Add APIs to lock individual image files
Add helper APIs to manage individual image files rather than disks. To
simplify the addition some parts of the code were refactored in this
patch.
2014-07-09 10:38:56 +02:00
Peter Krempa
63834faadb storage: Move readonly and shared flags to disk source from disk def
In the future we might need to track state of individual images. Move
the readonly and shared flags to the virStorageSource struct so that we
can keep them in a per-image basis.
2014-07-08 14:27:19 +02:00
Ján Tomko
f1e192e92e Free the return value of virFileFindResource
Commits e18a80a and 57e5c3c switched from a getenv wrapper which
does not allocate a string to virFileFindResource which does not,
without freeing it.

https://bugzilla.redhat.com/show_bug.cgi?id=1116427
2014-07-07 08:32:11 +02:00
Ján Tomko
92a8e72f9d Use virBufferCheckError everywhere we report OOM error
Replace:
if (virBufferError(&buf)) {
    virBufferFreeAndReset(&buf);
    virReportOOMError();
    ...
}

with:
if (virBufferCheckError(&buf) < 0)
    ...

This should not be a functional change (unless some callers
misused the virBuffer APIs - a different error would be reported
then)
2014-07-03 10:48:14 +02:00
Martin Kletzander
3de462fe9a Remove unnecessary empty first lines
Signed-off-by: Martin Kletzander <mkletzan@redhat.com>
2014-06-06 10:52:05 +02:00
Martin Kletzander
5884adc28a sanlock: avoid leak in acquire()
Signed-off-by: Martin Kletzander <mkletzan@redhat.com>
2014-05-13 13:50:57 +02:00
Martin Kletzander
da879e5921 sanlock: don't fail with unregistered domains
When a domain was started without registration in sanlock, but libvirt
was restarted after that, most of the operations failed due to
contacting sanlock about that process.  E.g. migration could not be
performed because the locks couldn't be released (or inquired before a
release).

Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1088034

Signed-off-by: Martin Kletzander <mkletzan@redhat.com>
2014-05-13 10:51:43 +02:00
Martin Kletzander
d99057423c sanlock: code movement in virLockManagerSanlockAcquire
Just move some code around for future patches to ease the review.
With this patch there is no need for drastic cleanup path later.

Signed-off-by: Martin Kletzander <mkletzan@redhat.com>
2014-05-13 10:51:43 +02:00
Daniel P. Berrange
727efb9696 Make autostart of virtlockd actually work
The virnetsocket.c API is hardcoded to pass --timeout=30 to
any daemon it auto-starts. For inexplicable reasons the virtlockd
daemon did not implement the --timeout option, so it would
immediately exit on autostart with an error.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2014-04-28 13:30:41 +01:00
Daniel P. Berrange
e18a80a3a0 Use virFileFindResource to locate virtlockd daemon
Make the lock plugin use virFileFindResource to find the
virtlockd daemon path, so that it executes the in-builddir
daemon if run from source tree.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2014-04-28 13:30:41 +01:00
Daniel P. Berrange
d3c7684220 Use virFileFindResource to locate lock manager plugins
Replace virLockManagerSetPluginDir with virFileFindResource
usage.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2014-04-25 11:59:46 +01:00
Daniel P. Berrange
391ac4d990 Activate build dir overrides in libvirtd, virtlockd, virsh & tests
Add calls to virFileActivateDirOverride so that the build dir
overrides are activated.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2014-04-25 11:59:32 +01:00
Nehal J Wani
3d5c29a17c Fix typos in src/*
Fix minor typos in source comments

Signed-off-by: Eric Blake <eblake@redhat.com>
2014-04-21 16:49:08 -06:00
Eric Blake
16ac4c9d64 conf: move host disk type to util/
A continuation of the migration of disk details to virstoragefile.
This patch moves a single enum, but converting the name has quite
a bit of fallout.

* src/conf/domain_conf.h (virDomainDiskType): Move...
* src/util/virstoragefile.h (virStorageType): ...and rename.
* src/bhyve/bhyve_command.c (bhyveBuildDiskArgStr)
(virBhyveProcessBuildLoadCmd): Update clients.
* src/conf/domain_conf.c (virDomainDiskSourceDefParse)
(virDomainDiskDefParseXML, virDomainDiskSourceDefFormatInternal)
(virDomainDiskDefFormat, virDomainDiskGetActualType)
(virDomainDiskDefForeachPath, virDomainDiskSourceIsBlockType):
Likewise.
* src/conf/snapshot_conf.h (_virDomainSnapshotDiskDef): Likewise.
* src/conf/snapshot_conf.c (virDomainSnapshotDiskDefParseXML)
(virDomainSnapshotAlignDisks, virDomainSnapshotDiskDefFormat):
Likewise.
* src/esx/esx_driver.c (esxAutodetectSCSIControllerModel)
(esxDomainDefineXML): Likewise.
* src/locking/domain_lock.c (virDomainLockManagerAddDisk):
Likewise.
* src/lxc/lxc_controller.c
(virLXCControllerSetupLoopDeviceDisk)
(virLXCControllerSetupNBDDeviceDisk)
(virLXCControllerSetupLoopDevices, virLXCControllerSetupDisk):
Likewise.
* src/parallels/parallels_driver.c (parallelsGetHddInfo):
Likewise.
* src/phyp/phyp_driver.c (phypDiskType): Likewise.
* src/qemu/qemu_command.c (qemuGetDriveSourceString)
(qemuDomainDiskGetSourceString, qemuBuildDriveStr)
(qemuBuildCommandLine, qemuParseCommandLineDisk)
(qemuParseCommandLine): Likewise.
* src/qemu/qemu_conf.c (qemuCheckSharedDevice)
(qemuTranslateDiskSourcePool)
(qemuTranslateSnapshotDiskSourcePool): Likewise.
* src/qemu/qemu_domain.c (qemuDomainDeviceDefPostParse)
(qemuDomainDetermineDiskChain): Likewise.
* src/qemu/qemu_driver.c (qemuDomainGetBlockInfo)
(qemuDomainSnapshotPrepareDiskExternalBackingInactive)
(qemuDomainSnapshotPrepareDiskExternalBackingActive)
(qemuDomainSnapshotPrepareDiskExternalOverlayActive)
(qemuDomainSnapshotPrepareDiskExternalOverlayInactive)
(qemuDomainSnapshotPrepareDiskInternal)
(qemuDomainSnapshotPrepare)
(qemuDomainSnapshotCreateSingleDiskActive): Likewise.
* src/qemu/qemu_hotplug.c (qemuDomainChangeEjectableMedia):
Likewise.
* src/qemu/qemu_migration.c (qemuMigrationIsSafe): Likewise.
* src/security/security_apparmor.c
(AppArmorRestoreSecurityImageLabel)
(AppArmorSetSecurityImageLabel): Likewise.
* src/security/security_dac.c (virSecurityDACSetSecurityImageLabel)
(virSecurityDACRestoreSecurityImageLabelInt)
(virSecurityDACSetSecurityAllLabel): Likewise.
* src/security/security_selinux.c
(virSecuritySELinuxRestoreSecurityImageLabelInt)
(virSecuritySELinuxSetSecurityImageLabel)
(virSecuritySELinuxSetSecurityAllLabel): Likewise.
* src/storage/storage_backend.c (virStorageFileBackendForType):
Likewise.
* src/storage/storage_backend_fs.c (virStorageFileBackendFile)
(virStorageFileBackendBlock): Likewise.
* src/storage/storage_backend_gluster.c
(virStorageFileBackendGluster): Likewise.
* src/vbox/vbox_tmpl.c (vboxDomainGetXMLDesc, vboxAttachDrives)
(vboxDomainAttachDeviceImpl, vboxDomainDetachDevice): Likewise.
* src/vmware/vmware_conf.c (vmwareVmxPath): Likewise.
* src/vmx/vmx.c (virVMXParseDisk, virVMXFormatDisk)
(virVMXFormatFloppy): Likewise.
* src/xenxs/xen_sxpr.c (xenParseSxprDisks, xenParseSxpr)
(xenFormatSxprDisk): Likewise.
* src/xenxs/xen_xm.c (xenParseXM, xenFormatXMDisk): Likewise.
* tests/securityselinuxlabeltest.c (testSELinuxLoadDef):
Likewise.
* src/libvirt_private.syms (domain_conf.h): Move symbols...
(virstoragefile.h): ...as appropriate.

Signed-off-by: Eric Blake <eblake@redhat.com>
2014-04-01 10:38:13 -06:00
Ján Tomko
40cc610a9d Indent top-level labels by one space in src/locking/ 2014-03-25 14:58:39 +01:00
Jiri Denemark
2cc27c34be sanlock: Forbid VIR_DOMAIN_LOCK_FAILURE_RESTART
https://bugzilla.redhat.com/show_bug.cgi?id=905282
https://bugzilla.redhat.com/show_bug.cgi?id=967494

When lock failure is detected by sanlock, our sanlock_helper kill script
will try to restart (shutdown followed by start) the affected domain
when RESTART action is configured for it. While shutting down kills QEMU
and removes all its leases (which is what sanlock wants to happen),
trying to start it again just hangs because libvirt tries reacquire the
locks in the failed lock space. Hence, this action cannot be supported
by sanlock driver.

Signed-off-by: Jiri Denemark <jdenemar@redhat.com>
2014-03-25 09:08:39 +01:00
Jiri Denemark
e3dd35e881 sanlock: Forbid VIR_DOMAIN_LOCK_FAILURE_IGNORE
https://bugzilla.redhat.com/show_bug.cgi?id=905280
https://bugzilla.redhat.com/show_bug.cgi?id=967493

Sanlock expects that the configured kill script either kills the PID on
lock failure or removes all locks the PID owns. If none of the two
options happen, sanlock will reboot the host. Although IGNORE action is
supposed to ignore the request to kill the PID or remove all leases,
it's certainly not designed to cause the host to be rebooted. That said,
IGNORE action is incompatible with sanlock and should be forbidden by
libvirt.

Signed-off-by: Jiri Denemark <jdenemar@redhat.com>
2014-03-25 09:08:39 +01:00
Eric Blake
6b44ccf7fe conf: use disk source accessors in locking/
Part of a series of cleanups to use new accessor methods.

* src/locking/domain_lock.c (virDomainLockManagerAddDisk): Use
accessors.

Signed-off-by: Eric Blake <eblake@redhat.com>
2014-03-24 11:59:50 -06:00
Daniel P. Berrange
c0c8c1d7bb Remove global log buffer feature entirely
A earlier commit changed the global log buffer so that it only
records messages that are explicitly requested via the log
filters setting. This removes the performance burden, and
improves the signal/noise ratio for messages in the global
buffer. At the same time though, it is somewhat pointless, since
all the recorded log messages are already going to be sent to an
explicit log output like syslog, stderr or the journal. The
global log buffer is thus just duplicating this data on stderr
upon crash.

The log_buffer_size config parameter is left in the augeas
lens to prevent breakage for users on upgrade. It is however
completely ignored hereafter.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2014-03-18 14:29:22 +00:00
Daniel P. Berrange
2835c1e730 Add virLogSource variables to all source files
Any source file which calls the logging APIs now needs
to have a VIR_LOG_INIT("source.name") declaration at
the start of the file. This provides a static variable
of the virLogSource type.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2014-03-18 14:29:22 +00:00
Martin Kletzander
cc9c62fef9 Require spaces around equality comparisons
Commit a1cbe4b5 added a check for spaces around assignments and this
patch extends it to checks for spaces around '=='.  One exception is
virAssertCmpInt where comma after '==' is acceptable (since it is a
macro and '==' is its argument).

Signed-off-by: Martin Kletzander <mkletzan@redhat.com>
2014-03-18 11:29:44 +01:00
Michal Privoznik
68f60f669c daemon: Introduce max_anonymous_clients
https://bugzilla.redhat.com/show_bug.cgi?id=992980

This config tunable allows users to determine the maximum number of
accepted but yet not authenticated users.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
2014-03-17 17:45:13 +01:00
Nehal J Wani
2250a2b5d2 Add parameter to wait for lock in file locking APIs
Our current pidfile acquire APis (virPidFileAcquire) simply return -1 upon
failure to acquire a lock. This patch adds a parameter 'bool waitForLock'
which instructs the APIs if we want to make it block and wait for the lock
or not.
2014-03-17 10:04:47 -06:00
Daniel P. Berrange
ed839f9aef Convert lock driver plugins to use new crypto APIs
Convert the sanlock and lockd lock driver plugins over to use
the new virCryptoHashString APIs instead of having their own
duplicated code.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2014-03-10 16:44:14 +00:00
Ján Tomko
9b9d7704b5 Change file names in comments to match the files they are in
Some of these are leftovers from renaming the files, others
are just typos.

Also introduce an ugly awk script to enforce this.
2014-03-10 14:26:04 +01:00
Jiri Denemark
8f10c1e77f sanlock: Truncate domain names longer than SANLK_NAME_LEN
Libvirt uses a domain name to fill in owner_name in sanlock_options in
virLockManagerSanlockAcquire. Unfortunately, owner_name is limited to
SANLK_NAME_LEN characters (including trailing '\0'), which means domains
with longer names fail to start when sanlock is enabled. However, we can
truncate the name when setting owner_name as explained by sanlock's
author:

Setting sanlk_options or the owner_name is unnecessary, and has very
little to no benefit.  If you do provide something in owner_name, it can
be anything, sanlock doesn't care or use it.

If you run the command "sanlock status", the output will display a list
of clients connected to the sanlock daemon.  This client list is
displayed as "pid owner_name" if the client has provided an owner_name
via sanlk_options. This debugging output is the only usage of
owner_name, so its only benefit is to potentially provide a more human
friendly output for debugging purposes.
2014-02-27 09:32:41 +01:00
Michael Chapman
881a2cff0d virtlockd: make re-exec more robust
- Use $XDG_RUNTIME_DIR for re-exec state file when running unprivileged.

- argv[0] may not contain a full path to the binary, however it should
  contain something that can be looked up in the PATH. Use execvp() to
  do path lookup on re-exec.

- As per list discussion [1], ignore --daemon on re-exec.

[1] https://www.redhat.com/archives/libvir-list/2013-December/msg00514.html

Signed-off-by: Michael Chapman <mike@very.puzzling.org>
2014-01-22 10:44:41 +01:00
Guido Günther
1b9f5aa7fe Add Documentation fields to systemd service files
We point to the manpages where available and redirect to libvirt's
homepage as a last resort.
2014-01-09 09:32:55 +01:00
Eric Blake
d219826c65 maint: improve VIR_ERR_OPERATION_DENIED usage
Some of our operation denied messages are outright stupid; for
example, if virIdentitySetAttr fails:

error: operation Identity attribute is already set forbidden for read only access

This patch fixes things to a saner:

error: operation forbidden: Identity attribute is already set

It also consolidates the most common usage pattern for operation
denied errors: read-only connections preventing a public API.  In
this case, 'virsh -r -c test:///default destroy test' changes from:

error: operation virDomainDestroy forbidden for read only access

to:

error: operation forbidden: read only access prevents virDomainDestroy

Note that we were previously inconsistent on which APIs used
VIR_FROM_DOM (such as virDomainDestroy) vs. VIR_FROM_NONE (such as
virDomainPMSuspendForDuration).  After this patch, all uses
consistently use VIR_FROM_NONE, on the grounds that it is unlikely
that a caller learning that a call is denied can do anything in
particular with extra knowledge which error domain the call belongs
to (similar to what we did in commit baa7244).

* src/util/virerror.c (virErrorMsg): Rework OPERATION_DENIED error
message.
* src/internal.h (virCheckReadOnlyGoto): New macro.
* src/util/virerror.h (virReportRestrictedError): New macro.
* src/libvirt-lxc.c: Use new macros.
* src/libvirt-qemu.c: Likewise.
* src/libvirt.c: Likewise.
* src/locking/lock_daemon.c (virLockDaemonClientNew): Likewise.

Signed-off-by: Eric Blake <eblake@redhat.com>
2014-01-06 08:29:29 -07:00
Michal Privoznik
d10a6506b0 Revert "virtlockd: treat SIGHUP like SIGUSR1"
This reverts commit 8355d42dd3.

After some discussion upstream [1] this patch turns out to be spurious.
It better gets reverted prior to a release.

1: https://www.redhat.com/archives/libvir-list/2013-December/msg00563.html

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
2013-12-10 15:49:06 +01:00
Michael Chapman
f1b1752537 virtlockd: use common exit path when out-of-memory
Also use a distinct, valid exit status for daemon re-execution failure.

Signed-off-by: Michael Chapman <mike@very.puzzling.org>
2013-12-10 12:02:37 +01:00
Michael Chapman
8355d42dd3 virtlockd: treat SIGHUP like SIGUSR1
SIGHUP is commonly used to instruct a daemon to reload its config. For
now we should handle it in virtlockd just like SIGUSR1, rather than
having it kill the process.

Signed-off-by: Michael Chapman <mike@very.puzzling.org>
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
2013-12-10 12:02:37 +01:00
Michael Chapman
59d6e65d6c virtlockd: improve initscripts
- Use SIGUSR1, not SIGHUP, on reload. At present, virtlockd only
  responds to the former.

- Fix PID file for virtlockd.

- Do not start virtlockd in any runlevels by default. It needs to be
  explicitly selected in libvirt's qemu.conf anyway, so there is no
  need to have it running on all systems regardless.

- Fix chkconfig priorities to ensure virtlockd is started before
  libvirtd is started, and stopped after libvirtd is stopped.

- Add "Should-Start: virtlockd" to the libvirtd initscript's LSB header,
  for the same reason.

- Add "Default-Stop" to both libvirtd and virtlockd initscripts. LSB
  does not guarantee that this defaults to the inverse of
  "Default-Start".

Signed-off-by: Michael Chapman <mike@very.puzzling.org>
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
2013-12-10 12:02:37 +01:00
Michael Chapman
1163fa36b7 virtlockd: improve systemd units
- Pass VIRTLOCKD_ARGS through to virtlockd.

- Use SIGUSR1, not SIGHUP, in ExecReload. At present, virtlockd only
  responds to the former.

- Have "systemctl enable virtlockd.service" enable virtlockd.socket,
  rather than throw an error.

- Make virtlockd.socket wanted by sockets.target, rather than
  multi-user.target. This is consistent with other socket units in
  Fedora, and it ensures that the socket is available before libvirtd is
  started.

Signed-off-by: Michael Chapman <mike@very.puzzling.org>
2013-12-10 12:02:37 +01:00
Guido Günther
3c9e40a1e8 Don't depend on syslog.service
Syslog is socket activated since at least systemd v35 so we can drop
this dependency. Debian's linitian otherwise complains about it.

References:

    http://www.freedesktop.org/wiki/Software/systemd/syslog/
    http://lintian.debian.org/tags/systemd-service-file-refers-to-obsolete-target.html
2013-11-19 21:49:53 +01:00
Daniel P. Berrange
9b0af09240 Remove (nearly) all use of getuid()/getgid()
Most of the usage of getuid()/getgid() is in cases where we are
considering what privileges we have. As such the code should be
using the effective IDs, not real IDs.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-10-21 14:03:52 +01:00
Daniel P. Berrange
1e4a02bdfe Remove all direct use of getenv
Unconditional use of getenv is not secure in setuid env.
While not all libvirt code runs in a setuid env (since
much of it only exists inside libvirtd) this is not always
clear to developers. So make all the code paranoid, even
if it only ever runs inside libvirtd.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-10-21 14:03:52 +01:00
Michal Privoznik
4471ecf669 test_virtlockd.aug.in: Use the correct file
The test should refer to Virtlockd.lns, which is the name of
the module + lens in virtlockd.aug.
2013-09-03 17:03:30 +02:00
Guido Günther
3e32544854 Process virtlockd.conf instead of libvirtd.conf 2013-08-30 17:37:12 +02:00
David Weber
9f5b4b1f62 Make max_clients in virtlockd configurable
Each new VM requires a new connection from libvirtd to virtlockd.
The default max clients limit in virtlockd of 20 is thus woefully
insufficient. virtlockd sockets are only accessible to matching
users, so there is no security need for such a tight limit. Make
it configurable and default to 1024.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-08-19 12:40:26 +01:00
Daniel P. Berrange
63ba687f2b Properly handle -h / -V for --help/--version aliases in virtlockd/libvirtd
The virtlockd/libvirtd daemons had listed '?' as the short option
for --help. getopt_long uses '?' for any unknown option. We want
to be able to distinguish unknown options (which use EXIT_FAILURE)
from correct usage of help (which should use EXIT_SUCCESS). Thus
we should use 'h' as a short option for --help. Also add this to
the man page docs

The virtlockd/libvirtd daemons did not list any short option
for the --version arg. Add -V as a valid short option, since
-v is already used for --verbose.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-08-13 14:06:01 +01:00
Daniel P. Berrange
38550ae809 Add an example config file for virtlockd
The virtlockd daemon supports an /etc/libvirt/virtlockd.conf
config file, but we never installed a default config, nor
created any augeas scripts. This change addresses that omission.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-08-09 15:03:04 +01:00
Daniel P. Berrange
6ff0cffd55 Add a man page for virtlockd daemon
Create a virtlockd.pod.in file containing the man page
content for virtlockd.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-08-09 11:56:34 +01:00
Michal Privoznik
1199edb1d4 Introduce max_queued_clients
This configuration knob lets user to set the length of queue of
connection requests waiting to be accept()-ed by the daemon. IOW, it
just controls the @backlog passed to listen:

  int listen(int sockfd, int backlog);
2013-08-05 11:03:01 +02:00
Daniel P. Berrange
88e4e9c6b2 Convert 'int i' to 'size_t i' in src/locking/ files
Convert the type of loop iterators named 'i', 'j', k',
'ii', 'jj', 'kk', to be 'size_t' instead of 'int' or
'unsigned int', also santizing 'ii', 'jj', 'kk' to use
the normal 'i', 'j', 'k' naming

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-07-10 17:55:16 +01:00
Michal Privoznik
35048f314a Adapt to VIR_ALLOC and virAsprintf in src/locking/* 2013-07-10 11:07:32 +02:00
Daniel P. Berrange
e341435e50 Add ACL annotations to all RPC messages
Introduce annotations to all RPC messages to declare what
access control checks are required. There are two new
annotations defined:

 @acl: <object>:<permission>
 @acl: <object>:<permission>:<flagname>

  Declare the access control requirements for the API. May be repeated
  multiple times, if multiple rules are required.

    <object> is one of 'connect', 'domain', 'network', 'storagepool',
             'interface', 'nodedev', 'secret'.
    <permission> is one of the permissions in access/viraccessperm.h
    <flagname> indicates the rule only applies if the named flag
    is set in the API call

 @aclfilter: <object>:<permission>

  Declare an access control filter that will be applied to a list
  of objects being returned by an API. This allows the returned
  list to be filtered to only show those the user has permissions
  against

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-06-24 15:24:36 +01:00
Ján Tomko
70fe129546 virtlockd: fix socket path
Change the socket path to match the one used by lockd driver.

https://bugzilla.redhat.com/show_bug.cgi?id=968128
2013-06-05 10:17:28 +02:00
Osier Yang
45ca0b8785 src/locking: Remove the whitespace before ";" 2013-05-21 23:41:45 +08:00
Michal Privoznik
f75ed996e7 Adapt to VIR_STRDUP and VIR_STRNDUP in src/locking/* 2013-05-09 14:00:45 +02:00
Daniel P. Berrange
979e9c56a7 Include process start time when doing polkit checks
Since PIDs can be reused, polkit prefers to be given
a (PID,start time) pair. If given a PID on its own,
it will attempt to lookup the start time in /proc/pid/stat,
though this is subject to races.

It is safer if the client app resolves the PID start
time itself, because as long as the app has the client
socket open, the client PID won't be reused.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-05-08 10:47:45 +01:00
Daniel P. Berrange
d80b5b7f86 Ignore 'uri' parameter in lockd driver
A 'uri' parameter was added for the benefit of sanlock. This
causes a warning in the lockd driver though

2013-05-03 13:20:35.347+0000: 28403: error : virLockManagerLockDaemonNew:482 : internal error Unexpected parameter uri for object

Ignore this parameter, since lockd does not require it and it
is harmless if not used.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-05-03 15:36:15 +01:00
Daniel P. Berrange
8dc93ffadc Fix release of resources with lockd plugin
The lockd plugin for the lock manager was not correctly
handling the release of resource locks. This meant that
during migration, or when pausing a VM, the locks would
not get released. This in turn made it impossible to
resume the domain, or finish migration
2013-05-03 14:06:15 +01:00
Laine Stump
cc8f9e677c util: fix compile errors caused by moving string functions
commit 7c9a2d8 missed adding in a few #include "virstring.h"s, causing
builds to fail.
2013-05-02 13:27:19 -04:00
Michal Privoznik
7c9a2d88cd virutil: Move string related functions to virstring.c
The source code base needs to be adapted as well. Some files
include virutil.h just for the string related functions (here,
the include is substituted to match the new file), some include
virutil.h without any need (here, the include is removed), and
some require both.
2013-05-02 16:56:55 +02:00
Daniel P. Berrange
a98541bfb4 Switch to a more extensible annotation system for RPC protocols
Currently the RPC protocol files can contain annotations after
the protocol enum eg

   REMOTE_PROC_DOMAIN_SNAPSHOT_LIST_CHILDREN_NAMES = 247, /* autogen autogen priority:high */

This is not very extensible as the number of annotations grows.
Change it to use

    /**
     * @generate: both
     * @priority: high
     */
   REMOTE_PROC_DOMAIN_SNAPSHOT_LIST_CHILDREN_NAMES = 247,

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-04-23 11:24:17 +01:00
Martin Kletzander
901f4b6b86 docs: aesthetical cleanups
Adding dots inside "exempli gratia" where missing.  While on that, I
took the liberty of changing it where found with simple grep.
2013-01-30 09:37:03 +01:00
John Ferlan
678e891380 locking: use virStrcpyStatic instead of memcpy 2013-01-24 22:45:54 +01:00
Peter Krempa
0e620e6669 lock_daemon: Simplify error handling
No need to check the run_dir variable twice for NULL.
2013-01-17 16:39:29 +01:00
John Ferlan
687554cd50 locking: Resolve resource leaks on non error path
Both 'dir' and 'path' were not free'd on successful return
2013-01-16 17:51:30 +01:00
John Ferlan
e8cd571b2c locking: Remove unnecessary setting of lockspace
In virLockSpaceProtocolDispatchNew() the returned value of lockspace from
virLockDaemonFindLockSpace() is overwritten by the virLockSpaceNew() return.
Coverity complains that it's unused.

In virLockSpaceProtocolDispatchCreateLockSpace() lockspace is also overwritten
in a similar manner resulting in the same Coverity message.
2013-01-15 23:43:10 +01:00
Daniel P. Berrange
bccd4a8cbc Rename HAVE_GNUTLS to WITH_GNUTLS 2013-01-14 13:26:47 +00:00
Daniel P. Berrange
f587c27768 Make TLS support conditional
Add checks for existence of GNUTLS and automatically disable
it if not found.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-01-08 20:57:31 +00:00
Eric Blake
798ff66790 maint: avoid potential promotion issues with [ug]id_t
POSIX does not guarantee whether uid_t and gid_t are signed or
unsigned, nor does it guarantee whether they are smaller, same
size, or larger than int (or even the same size as one another).
Therefore, it is possible to have platforms where '(uid_t)-1==-1'
is false or where 'uid = gid = -1' sets uid to the wrong value,
thanks to integer promotion rules.  The only portable way to use
the placeholder value of these two types is to always use a cast.
Thankfully, the issue is mostly theoretical - sanlock only
compiles on Linux for now, and on Linux, these types do not
suffer from strange promotion problems.

* src/locking/lock_driver_sanlock.c
(virLockManagerSanlockSetupLockspace, virLockManagerSanlockInit)
(virLockManagerSanlockCreateLease): Cast -1 to proper type before
comparing with uid_t or gid_t.
2013-01-08 08:45:39 -07:00
Eric Blake
cb854b8f61 build: properly substitute virtlockd.socket
virtlockd.service could be installed to a configurable root,
but virtlockd.socket was hardcoded to installation into a
distro.

* src/Makefile.am (virtlockd.service, virtlockd.socket): Drop
unused substitutions.
* src/locking/virtlockd.socket.in (ListenStream): Don't hard-code
/var.
2013-01-07 08:56:36 -07:00
Eric Blake
462a69621e build: use common .in replacement mechanism
We had several different styles of .in conversion in our Makefiles:
ALLCAPS, @ALLCAPS@, @lower@, ::lower::
Canonicalize on one form, to make it easier to copy and paste
between .in files.

Also, we were using some non-portable sed constructs: \@ is an
undefined escape sequence (it happens to be @ itself in GNU sed,
but POSIX allows it to mean something else), as well as risky
behavior (failure to consistently quote things means a space
in $(sysconfdir) could throw things off; also, Autoconf recommends
using | rather than , or ! in the s||| operator, because | has to
be quoted in shell and is therefore less likely to appear in file
names than , or !).

Fix all of these uses to follow the same syntax.

* daemon/libvirtd.8.in: Switch to @var@.
* tools/virt-xml-validate.in: Likewise.
* tools/virt-pki-validate.in: Likewise.
* src/locking/virtlockd.init.in: Likewise.
* daemon/Makefile.am: Prefer | over ! in sed.
(libvirtd.8): Prefer consistent substitution.
(libvirtd.init, libvirtd.service): Avoid non-portable sed.
* tools/Makefile.am (libvirt-guests.sh, libvirt-guests.init)
(libvirt-guests.service): Likewise.
(virt-xml-validate, virt-pki-validate, virt-sanlock-cleanup):
Prefer consistent capitalization.
* src/Makefile.am (virtlockd.init, virtlockd.service)
(virtlockd.socket): Prefer consistent substitution.
2013-01-07 08:56:36 -07:00
Michal Privoznik
ce753ec5d6 sanlock: Chown lease files as well
Since sanlock doesn't run under root:root, we have chown()'ed the
__LIBVIRT__DISKS__ lease file to the user:group defined in the
sanlock config. However, when writing the patch I've forgot about
lease files for each disk (this is the
/var/lib/libvirt/sanlock/<md5>) file.
2012-12-28 16:42:38 +01:00
Daniel P. Berrange
f24404a324 Rename virterror.c virterror_internal.h to virerror.{c,h} 2012-12-21 11:19:50 +00:00
Daniel P. Berrange
e861b31275 Rename uuid.{c,h} to viruuid.{c,h} 2012-12-21 11:19:49 +00:00
Daniel P. Berrange
44f6ae27fe Rename util.{c,h} to virutil.{c,h} 2012-12-21 11:19:49 +00:00
Daniel P. Berrange
404174cad3 Rename threads.{c,h} to virthread.{c,h} 2012-12-21 11:19:49 +00:00
Daniel P. Berrange
ab9b7ec2f6 Rename memory.{c,h} to viralloc.{c,h} 2012-12-21 11:17:14 +00:00
Daniel P. Berrange
936d95d347 Rename logging.{c,h} to virlog.{c,h} 2012-12-21 11:17:14 +00:00
Daniel P. Berrange
0f8454101d Rename conf.{c,h} to virconf.{c,h} 2012-12-21 11:17:13 +00:00
Michal Privoznik
11cfa28850 sanlock: Re-add lockspace unconditionally
Currently, if sanlock is already registering a lockspace other
libvirtd instances (from other hosts) obtain -EINPROGRESS. On
sufficiently new sanlock, sanlock_inq_lockspace() is called,
which suspend execution until lockspace state is changed. With
current libvirt implementation, we fail to retry adding the
lockspace again but continue in error path. Therefore we produce
meaningless error message:

virLockManagerSanlockSetupLockspace:363 : Unable to add lockspace
/var/lib/libvirt/sanlock/__LIBVIRT__DISKS__: Success
qemudLoadDriverConfig:558 : Failed to load lock manager sanlock

We should try to re-add the lockspace after its state change to
be sure it was added successfully. In fact, with sufficiently new
sanlock we can just avoid dummy usleep() which is used if there's
no inquire API.
2012-12-14 15:01:03 +01:00
Daniel P. Berrange
64f0e145c1 Add support for locking based on SCSI volume ID 2012-12-13 15:26:58 +00:00
Daniel P. Berrange
565d040f43 Add support for locking based on LVM volume uuid 2012-12-13 15:26:58 +00:00
Daniel P. Berrange
f14fdae368 Add ability to maintain disk leases indirectly
The default lockd driver behavour is to acquire leases
directly on the disk files. This introduces an alternative
mode, where leases are acquire indirectly on a file that
is based on a SHA256 hash of the disk filename.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2012-12-13 15:26:57 +00:00
Daniel P. Berrange
eb8268a4f6 Add a virtlockd client as a lock driver impl
This adds a 'lockd' lock driver which is just a client which
talks to the lockd daemon to perform all locking. This will
be the default lock driver for any hypervisor which needs one.

* src/Makefile.am: Add lockd.so plugin
* src/locking/lock_driver_lockd.c: Lockd driver impl

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2012-12-13 15:26:57 +00:00
Daniel P. Berrange
f234dc9366 Add support for re-exec() of virtlockd upon SIGUSR1
The virtlockd daemon maintains file locks on behalf of libvirtd
and any VMs it is running. These file locks must be held for as
long as any VM is running. If virtlockd itself ever quits, then
it is expected that a node would be fenced/rebooted. Thus to
allow for software upgrads on live systemd, virtlockd needs the
ability to re-exec() itself.

Upon receipt of SIGUSR1, virtlockd will save its current live
state out to a file /var/run/virtlockd-restart-exec.json
It then re-exec()'s itself with exactly the same argv as it
originally had, and loads the state file, reconstructing any
objects as appropriate.

The state file contains information about all locks held and
all network services and clients currently active. An example
state document is

 {
    "server": {
        "min_workers": 1,
        "max_workers": 20,
        "priority_workers": 0,
        "max_clients": 20,
        "keepaliveInterval": 4294967295,
        "keepaliveCount": 0,
        "keepaliveRequired": false,
        "services": [
            {
                "auth": 0,
                "readonly": false,
                "nrequests_client_max": 1,
                "socks": [
                    {
                        "fd": 6,
                        "errfd": -1,
                        "pid": 0,
                        "isClient": false
                    }
                ]
            }
        ],
        "clients": [
            {
                "auth": 0,
                "readonly": false,
                "nrequests_max": 1,
                "sock": {
                    "fd": 9,
                    "errfd": -1,
                    "pid": 0,
                    "isClient": true
                },
                "privateData": {
                    "restricted": true,
                    "ownerPid": 1722,
                    "ownerId": 6,
                    "ownerName": "f18x86_64",
                    "ownerUUID": "97586ba9-df27-9459-c806-f016c8bbd224"
                }
            },
            {
                "auth": 0,
                "readonly": false,
                "nrequests_max": 1,
                "sock": {
                    "fd": 10,
                    "errfd": -1,
                    "pid": 0,
                    "isClient": true
                },
                "privateData": {
                    "restricted": true,
                    "ownerPid": 1784,
                    "ownerId": 7,
                    "ownerName": "f16x86_64",
                    "ownerUUID": "7b8e5e42-b875-61e9-b981-91ad8fa46979"
                }
            }
        ]
    },
    "defaultLockspace": {
        "resources": [
            {
                "name": "/var/lib/libvirt/images/f16x86_64.raw",
                "path": "/var/lib/libvirt/images/f16x86_64.raw",
                "fd": 14,
                "lockHeld": true,
                "flags": 0,
                "owners": [
                    1784
                ]
            },
            {
                "name": "/var/lib/libvirt/images/shared.img",
                "path": "/var/lib/libvirt/images/shared.img",
                "fd": 12,
                "lockHeld": true,
                "flags": 1,
                "owners": [
                    1722,
                    1784
                ]
            },
            {
                "name": "/var/lib/libvirt/images/f18x86_64.img",
                "path": "/var/lib/libvirt/images/f18x86_64.img",
                "fd": 11,
                "lockHeld": true,
                "flags": 0,
                "owners": [
                    1722
                ]
            }
        ]
    },
    "lockspaces": [

    ],
    "magic": "30199"
 }

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2012-12-13 15:26:57 +00:00