Commit Graph

961 Commits

Author SHA1 Message Date
Daniel P. Berrange
fc8c1787d8 Enable full RELRO mode
By passing the flags -z relro -z now to the linker, we can force
it to resolve all library symbols at startup, instead of on-demand.
This allows it to then make the global offset table (GOT) read-only,
which makes some security attacks harder.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-04-03 16:19:35 +01:00
Daniel P. Berrange
1150999ca4 Build all binaries with PIE
PIE (position independent executable) adds security to executables
by composing them entirely of position-independent code (PIC). The
.so libraries already build with -fPIC. This adds -fPIE which is
the equivalent to -fPIC, but for executables. This allows Exec
Shield to use address space layout randomization to prevent attackers
from knowing where existing executable code is during a security
attack using exploits that rely on knowing the offset of the
executable code in the binary, such as return-to-libc attacks.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-04-03 16:19:35 +01:00
Peter Krempa
f006f19561 virsh: Fix typo in docs
s/persitent/persistent/
2013-04-03 11:38:57 +02:00
Martin Kletzander
e7cd2844ca Allow multiple parameters for schedinfo
virsh schedinfo was able to set only one parameter at a time (not
counting the deprecated options), but it is useful to set more at
once, so this patch adds the possibility to do stuff like this:

virsh schedinfo <domain> cpu_shares=0 vcpu_period=0 vcpu_quota=0 \
emulator_period=0 emulator_quota=0

Invalid scheduler options are reported as well.  These were previously
reported only if the command hadn't updated any values (when
cmdSchedInfoUpdate returned 0).

Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=810078
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=919372
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=919375
2013-04-03 08:49:30 +02:00
Michal Privoznik
deb86ee912 virsh: Call virDomainFree in cmdDomFSTrim
https://bugzilla.redhat.com/show_bug.cgi?id=928197

The virsh domfstrim command was not freeing allocated domain,
leaving leaked references behind.
2013-04-02 17:36:06 +02:00
Martin Kletzander
11e295705a manual: Fix copy-paste errors
Descriptions for vol-download and vol-upload didn't make much sense.

Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=923613
2013-04-02 17:06:40 +02:00
Martin Kletzander
d1d2acd7f2 manual: Add info about migrateuri in virsh manual
The virsh(1) man page wasn't saying anything about the 'migrateuri'
parameter other than it can be usually omitted.  A patched version of
docs/migrate.html.in is taken in this patch to fix that up in the man
page.
2013-04-02 17:06:40 +02:00
Peter Krempa
b685a73ed9 virsh-domain: Add --live, --config, --current logic to cmdDetachDisk
Use the established approach to improve this function too.
2013-04-02 16:18:38 +02:00
Peter Krempa
d87f721073 virsh-domain: Add --live, --config, --current logic to cmdDetachDevice
Use the established approach to improve this function too.
2013-04-02 16:18:32 +02:00
Peter Krempa
c3d9f399b5 virsh-domain: Add --live, --config, --current logic to cmdDetachInterface
Use the established approach to improve this function too.
2013-04-02 16:18:05 +02:00
Peter Krempa
69ce3ffa8d virsh: Fix semantics of --config for "update-device" command
The man page states that with --config the next boot is affected. This
can be understood as if _only_ the next boot was affected. This isn't
true if the machine is running.

This patch adds the full --live, --config, --current infrastructure and
tweaks stuff to correctly support the obsolete --persistent flag.

Note that this patch changes the behavior of the --config flag to match the
use of this flag in the rest of libvirt. This flag was mistakenly renamed from
--persistent that originally had different semantics.
2013-04-02 16:14:14 +02:00
Peter Krempa
cc0cc6b714 virsh-domain: Fix declarations of flag variables in cmdChangeMedia
The parameter options can be declared directly.

Also use macros for mutual exclusion on some of the incompatible
parameter variables.
2013-04-02 16:02:43 +02:00
Peter Krempa
803e467080 virsh-domain: Simplify usage of --current, --live and --config flags
This patch uses the new helper to avoid the more complex check for
domain state modification flags.
2013-04-02 16:02:43 +02:00
Peter Krempa
1f0cac3543 virsh-domain-monitor: Refactor cmdDomIfGetLink
The domif-getlink command did not terminate successfully when the
interface state was found. As the code used an old and too complex approach
to do the job, this patch refactors it and fixes the bug.
2013-04-02 15:53:43 +02:00
Osier Yang
8893df388e virsh: Add a helper to parse cpulist
The 'virsh vcpupin' and 'virsh emulatorpin' commands use the same
code to parse the cpulist. This patch abstracts the same code as
a helper. Along with various code style fixes, and error improvement
(only error "Physical CPU %d doesn't exist" if the specified CPU
exceed the range, no "cpulist: Invalid format", see the following
for an example of the error prior to this patch).

% virsh vcpupin 4 0 0-8
error: Physical CPU 4 doesn't exist.
error: cpulist: Invalid format.
2013-04-02 12:37:24 +08:00
Ján Tomko
bfb4b82257 virsh: don't call virSecretFree on NULL
Since the refactoring in fbe2d49 we call virSecretFree even if
virSecretDefineXML fails, which leads to overwriting the error
message with:
error: Invalid secret: virSecretFree

Bug: https://bugzilla.redhat.com/show_bug.cgi?id=929045
2013-03-29 13:00:49 +01:00
Yanbing Du
4faf435cbd virsh: Correct DESCRIPTION for virsh help blockcopy
Signed-off-by: Yanbing Du <ydu@redhat.com>
2013-03-26 20:23:30 +01:00
Ján Tomko
41db895f9e virsh: error out on non-numeric timeout values
Some block commands and migrate ignored incorrect values.

Bug: https://bugzilla.redhat.com/show_bug.cgi?id=927495
2013-03-26 17:28:36 +01:00
Peter Krempa
6af9c564c0 virsh: Let the compiler check usage of all fields in vshCmdOptType enum
Get rid of the "default" labels to do so.
2013-03-26 09:12:26 +01:00
Yanbing Du
5c925a4d82 Remove the redundant parentheses in migrate help
Signed-off-by: Yanbing Du <ydu@redhat.com>
2013-03-26 11:32:36 +08:00
Eric Blake
7c12055def libvirt-guests: newline between output sentences
Right now, libvirt-guests gives awkward output.  It's possible to
force faster failure by setting /etc/sysconfig/libvirt-guests to use:

ON_SHUTDOWN=shutdown
PARALLEL_SHUTDOWN=0
SHUTDOWN_TIMEOUT=1
ON_BOOT=ignore

at which point, we see:

$ service libvirt-guests restart
Running guests on default URI: a, b, d, c
Shutting down guests on default URI...
Starting shutdown on guest: a
Shutdown of guest a failed to complete in time.Starting shutdown on guest: b
Shutdown of guest b failed to complete in time.Starting shutdown on guest: d
Shutdown of guest d failed to complete in time.Starting shutdown on guest: c
Shutdown of guest c failed to complete in time.libvirt-guests is configured not to start any guests on boot

* tools/libvirt-guests.sh.in (shutdown_guest): Add missing newline.
Reported by Xuesong Zhang.
2013-03-25 08:38:35 -06:00
Osier Yang
652a2ec630 nodedev: Introduce two new flags for listAll API
VIR_CONNECT_LIST_NODE_DEVICES_CAP_FC_HOST to filter the FC HBA,
and VIR_CONNECT_LIST_NODE_DEVICES_CAP_VPORTS to filter the FC HBA
which supports vport.
2013-03-25 20:46:05 +08:00
Peter Krempa
b88831f751 virsh: Fix docs for "virsh setmaxmem"
The docs assumed the command works always for QEMU and other
hypervisors. As this is done using the balloon mechanism live increase
of the maximum memory limit isn't supported. Fix the docs to mention
this limitation.
2013-03-25 12:19:10 +01:00
Ján Tomko
7f913c8254 virsh: don't print --(null) in vol-name and vol-pool
Don't print the pool option name if it's null.

Before:
virsh # vol-name vol
error: failed to get vol 'vol', specifying --(null) might help
error: Storage volume not found: no storage vol with matching path vol

After:

virsh # vol-name vol
error: failed to get vol 'vol'
error: Storage volume not found: no storage vol with matching path vol

Bug: https://bugzilla.redhat.com/show_bug.cgi?id=924571
2013-03-22 13:05:46 +01:00
Peter Krempa
03122d7baf virsh-snapshot: Simplify cleanup path in cmdSnapshotEdit
2013-03-21 12:32:04 +01:00
Peter Krempa
29882a054e virsh-snapshot: Use the mutually exclusive params macro in cmdSnapshotEdit
2013-03-21 12:32:03 +01:00
Peter Krempa
4baf00fc30 virsh-snapshot: Refactor cmdSnapshotCurrent
Use the exclusive parameter checker and touch up some parts to simplify
code.
2013-03-21 12:32:03 +01:00
Peter Krempa
020e210387 virsh-domain: Fix flag name in error message to match the check
The check is done on the "--paused" flag but the error message stated
"--saved"
2013-03-21 12:32:03 +01:00
Peter Krempa
ccb692102a virsh-host: Refactor cmdFreecell
Use the new helpers to determine mutually exclusive options and touch up
some parts to simplify the code.
2013-03-21 12:32:03 +01:00
Peter Krempa
55b3b15cd0 virsh-snapshot: Refactor virsh snapshot-list
Simplify error handling and mutually exclusive option checking.
2013-03-21 12:32:03 +01:00
Peter Krempa
7e437ee78f virsh: Introduce macros to reject mutually exclusive arguments
This patch adds three macros to the virsh source tree that help to
easily check for mutually exclusive parameters.

VSH_EXCLUSIVE_OPTIONS_EXPR has four arguments, two expressions to check
and two names of the parameters to print in the message.

VSH_EXCLUSIVE_OPTIONS is more specific and checks the command structure
for the parameters using vshCommandOptBool.

VSH_EXCLUSIVE_OPTIONS_VAR is meant to check boolean variables with the
same name as the parameters.
2013-03-21 12:32:03 +01:00
Gene Czarcinski
2e1cd8900f clarify virsh net commands
Clarify that net-create deals with a transient virtual
network whereas net-define defines a persistent virtual
network definition and will create the network (xml)
definition file.

Clarify that net-destroy works with both transient and
persistent virtual networks.

Signed-off-by: Gene Czarcinski <gene@czarc.net>
2013-03-20 13:55:17 -06:00
Martin Kletzander
73cc87d161 Cleanup useless flags specifications
After we switched to C99 initialization, I noticed there were many
places where the specification of .flags parameter differed.  After
going through many options and deciding whether to unify the
initialization to be '.flags = 0' or '.flags = VSH_OFLAG_NONE', I
realized both can be removed and it makes the code easier to go
through.
2013-03-15 15:05:45 +01:00
Martin Kletzander
66f1bbc350 Fix snapshot-create-as syntax in help output
According to the man page, the memspec parameter should have the
'--memspec' option mandatory and this is as close as we can get to
that.  What this change does is explained below.

man virsh:

snapshot-create-as ... [[--live] [--memspec memspec]]

virsh help snapshot-create-as before this patch:

  SYNOPSIS
    snapshot-create-as ... [<memspec>] ...
...
  OPTIONS
    [--memspec] <string> ...

virsh help snapshot-create-as after this patch:

  SYNOPSIS
    snapshot-create-as ... [--memspec <string>] ...
...
  OPTIONS
    --memspec <string> ...
2013-03-15 15:05:44 +01:00
Martin Kletzander
abfff21006 Make vshDebug work when parsing parameters
The vshInit initializes ctl->debug by which vshDebug (which is also
called in vshParseArgv) decides whether to print out the message or
not.
2013-03-15 15:05:44 +01:00
Yanbing Du
8bf8a89ac1 Fix a copy & paste error for virsh dump help
Signed-off-by: Yanbing Du <ydu@redhat.com>
2013-03-15 16:22:49 +08:00
Daniel P. Berrange
e4e69e899e Apply security label when entering LXC namespaces
Add a new virDomainLxcEnterSecurityLabel() function as a
counterpart to virDomainLxcEnterNamespaces(), which can
change the current calling process to have a new security
context. This call runs client side, not in libvirtd
so we can't use the security driver infrastructure.

When entering a namespace, the process spawned from virsh
will default to running with the security label of virsh.
The actual desired behaviour is to run with the security
label of the container most of the time. So this changes
virsh lxc-enter-namespace command to invoke the
virDomainLxcEnterSecurityLabel method.

The current behaviour is:

LABEL                             PID TTY          TIME CMD
system_u:system_r:svirt_lxc_net_t:s0:c0.c1023 1 pts/0 00:00:00 systemd
system_u:system_r:svirt_lxc_net_t:s0:c0.c1023 3 pts/1 00:00:00 sh
system_u:system_r:svirt_lxc_net_t:s0:c0.c1023 24 ? 00:00:00 systemd-journal
system_u:system_r:svirt_lxc_net_t:s0:c0.c1023 29 ? 00:00:00 dhclient
staff_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 47 ? 00:00:00 ps

Note the ps command is running as unconfined_t.

After this patch, the new behaviour is this:

virsh -c lxc:/// lxc-enter-namespace dan -- /bin/ps -eZ
LABEL                             PID TTY          TIME CMD
system_u:system_r:svirt_lxc_net_t:s0:c0.c1023 1 pts/0 00:00:00 systemd
system_u:system_r:svirt_lxc_net_t:s0:c0.c1023 3 pts/1 00:00:00 sh
system_u:system_r:svirt_lxc_net_t:s0:c0.c1023 24 ? 00:00:00 systemd-journal
system_u:system_r:svirt_lxc_net_t:s0:c0.c1023 32 ? 00:00:00 dhclient
system_u:system_r:svirt_lxc_net_t:s0:c0.c1023 38 ? 00:00:00 ps

The '--noseclabel' flag can be used to skip security labelling.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-03-13 15:16:37 +00:00
Ján Tomko
2fc5ff11ab virsh: fix snapshot-create with no xmlfile
Properly check the return value of vshCommandOptStringReq for xmlfile:
* error out on incorrect input (--xmlfile '')
* use default XML <domainsnapshot/> with no --xmlfile specified

(Broken by commit b2e8585)

Bug: https://bugzilla.redhat.com/show_bug.cgi?id=919826
2013-03-11 13:39:11 +01:00
Peter Krempa
38cc07b7bc virsh-domain: Remove unused vshCompleteXMLFromDomain
The function is marked as unused and breaks compilation on RHEL4. Remove
it from the tree until a new use case can be found.
2013-03-10 10:18:23 +01:00
Peter Krempa
406dc47757 Revert "Ensure xmlSaveToBuffer is always defined"
The commit originally fixed code that isn't being used. Revert
it and remove the unused code as a real fix.

This reverts commit a66b32d929.
2013-03-10 10:18:23 +01:00
Daniel P. Berrange
a66b32d929 Ensure xmlSaveToBuffer is always defined
RHEL4 vintage libxml2 header files are missing xmlSaveToBuffer
despite the symbol existing in the binary

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-03-07 18:10:35 +00:00
Peter Krempa
0d00c7a3bd virsh-snapshot: Add ability to print only snapshot names
Help script creators by not having to parse the names from the table.
2013-03-05 08:34:48 +01:00
Jiri Denemark
e94aeb1428 virsh: Add migrate-compcache command
This is a command wrapping virDomainMigrateGetCompressionCache and
virDomainMigrateSetCompressionCache.
2013-02-22 17:35:59 +01:00
Jiri Denemark
38ab12251e virsh: Use virDomainGetJobStats in domjobinfo if available
2013-02-22 17:35:58 +01:00
Jiri Denemark
ecfff1dab3 Introduce VIR_MIGRATE_COMPRESSED flag
This flag may be used with migration APIs to request compression of
migration data.
2013-02-22 17:35:58 +01:00
Guannan Ren
dd71fa110a virsh: distinguish errors between missing argument and wrong option
Specifying ':' to suppress the error messages printed by getopt().
Then, distinguish the two types of errors.

Before:
 # virsh -c
   virsh: option requires an argument -- 'c'
   error: unsupported option '-?'. See --help.

After:
 # virsh -c
   error: option '-c' requires an argument

 # virsh -x
   error: unsupported option '-x'. See --help.
2013-02-20 10:14:25 +08:00
Jiri Denemark
ada9e157a2 virsh: Always print capacity unit
It doesn't make sense to print the unit (B) only with Ki, Mi, ...
prefixes. Even those poor bytes under 1 KiB are still bytes :-)
2013-02-19 10:52:37 +01:00
John Ferlan
1d816219eb virsh: Resolve possible NULL dereference
Coverity found that commit '41b5e845' had a possible NULL dereference on
arg->data processing
2013-02-16 07:44:35 -05:00
Michal Privoznik
bbd09adbe2 virsh-volume.c: Switch to c99 initialization of vshCmdInfo
2013-02-12 17:50:22 +01:00
Michal Privoznik
53b574812b virsh-snapshot.c: Switch to c99 initialization of vshCmdInfo
2013-02-12 17:50:22 +01:00