Add dtrace static probes in libvirtd

Adds initial support for dtrace static probes in libvirtd
daemon, assuming use of systemtap dtrace compat shim on
Linux. The probes are inserted for network client connect,
disconnect, TLS handshake states and authentication protocol
states.

This can be tested by running the xample program and then
attempting to connect with any libvirt client (virsh,
virt-manager, etc).

 # stap examples/systemtap/client.stp
  Client fd=44 connected readonly=0
  Client fd=44 auth polkit deny pid:24997,uid:500
  Client fd=44 disconnected
  Client fd=46 connected readonly=1
  Client fd=46 auth sasl allow test
  Client fd=46 disconnected

The libvirtd.stp file should also really not be required,
since it is duplicated info that is already available in
the main probes.d definition file. A script to autogenerate
the .stp file is needed, either in libvirtd tree, or better
as part of systemtap itself.

* Makefile.am: Add examples/systemtap subdir
* autobuild.sh: Disable dtrace for mingw32
* configure.ac: Add check for dtrace
* daemon/.gitignore: Ignore generated dtrace probe file
* daemon/Makefile.am: Build dtrace probe header & object
  files
* daemon/libvirtd.stp: SystemTAP convenience probeset
* daemon/libvirtd.c: Add connect/disconnect & TLS probes
* daemon/remote.c: Add SASL and PolicyKit auth probes
* daemon/probes.d: Master probe definition
* daemon/libvirtd.h: Add convenience macro for probes
  so that compilation is a no-op when dtrace is not available
* examples/systemtap/Makefile.am, examples/systemtap/client.stp
  Example systemtap script using dtrace probe markers
* libvirt.spec.in: Enable dtrace on F13/RHEL6
* mingw32-libvirt.spec.in: Force disable dtrace

Makefile.am

@@ -6,7 +6,7 @@ GENHTML = genhtml
 SUBDIRS = gnulib/lib include src daemon tools proxy docs gnulib/tests \
   python tests po examples/domain-events/events-c examples/hellolibvirt \
   examples/dominfo examples/domsuspend examples/python examples/apparmor \
-  examples/xml/nwfilter examples/openauth
+  examples/xml/nwfilter examples/openauth examples/systemtap
 
 ACLOCAL_AMFLAGS = -I m4 -I gnulib/m4
 

autobuild.sh

@@ -86,6 +86,7 @@ if [ -x /usr/bin/i686-pc-mingw32-gcc ]; then
     --without-phyp \
     --without-netcf \
     --without-audit \
+    --without-dtrace \
     --without-libvirtd
 
   make

configure.ac

@@ -1107,6 +1107,29 @@ fi
 AM_CONDITIONAL([WITH_SECDRIVER_APPARMOR], [test "$with_secdriver_apparmor" != "no"])
 
 
+dnl DTrace static probes
+AC_ARG_WITH([dtrace],
+  AC_HELP_STRING([--with-dtrace], [use dtrace for static probing @<:@default=check@:>@]),
+  [],
+  [with_dtrace=check])
+
+if test "$with_dtrace" != "no" ; then
+  AC_PATH_PROG([DTRACE], [dtrace], [], [/bin:/usr/bin])
+  if test -z "$DTRACE" ; then
+    if test "$with_dtrace" = "check"; then
+      with_dtrace=no
+    else
+      AC_MSG_ERROR([You must install the 'dtrace' binary to enable libvirt static probes])
+    fi
+  else
+    with_dtrace=yes
+  fi
+  if test "$with_dtrace" = "yes"; then
+    AC_DEFINE_UNQUOTED([WITH_DTRACE], 1, [whether DTrace static probes are available])
+  fi
+fi
+AM_CONDITIONAL([WITH_DTRACE], [test "$with_dtrace" != "no"])
+
 
 dnl NUMA lib
 AC_ARG_WITH([numactl],
@@ -2230,6 +2253,7 @@ AC_OUTPUT(Makefile src/Makefile include/Makefile docs/Makefile \
           examples/openauth/Makefile \
           examples/python/Makefile \
           examples/hellolibvirt/Makefile \
+          examples/systemtap/Makefile \
           examples/xml/nwfilter/Makefile)
 
 AC_MSG_NOTICE([])
@@ -2396,6 +2420,7 @@ AC_MSG_NOTICE([     Debug: $enable_debug])
 AC_MSG_NOTICE([  Warnings: $enable_compile_warnings])
 AC_MSG_NOTICE([  Readline: $lv_use_readline])
 AC_MSG_NOTICE([    Python: $with_python])
+AC_MSG_NOTICE([    DTrace: $with_dtrace])
 AC_MSG_NOTICE([])
 AC_MSG_NOTICE([Privileges])
 AC_MSG_NOTICE([])

daemon/.gitignore

@@ -10,3 +10,4 @@ libvirtd.init
 libvirtd*.logrotate
 libvirtd.pod
 libvirtd.8
+probes.h

daemon/Makefile.am

 ## Process this file with automake to produce Makefile.in
 
+CLEANFILES =
+
 DAEMON_SOURCES =					\
 		event.c event.h				\
 		libvirtd.c libvirtd.h			\
@@ -36,6 +38,7 @@ EXTRA_DIST =						\
 	test_libvirtd.aug                               \
 	THREADING.txt					\
 	libvirtd.pod.in					\
+	libvirtd.stp					\
 	$(AVAHI_SOURCES)				\
 	$(DAEMON_SOURCES)
 
@@ -161,6 +164,25 @@ libvirtd_CFLAGS += $(AVAHI_CFLAGS)
 libvirtd_LDADD += $(AVAHI_LIBS)
 endif
 
+EXTRA_DIST += probes.d libvirtd.stp
+
+if WITH_DTRACE
+libvirtd_LDADD += probes.o
+libvirtd_SOURCES += probes.h
+
+BUILT_SOURCES += probes.h
+
+tapsetdir = $(datadir)/systemtap/tapsets
+tapset_DATA = libvirtd.stp
+
+probes.h: probes.d
+	$(AM_V_GEN)$(DTRACE) -o $@ -h -s $<
+
+probes.o: probes.d
+	$(AM_V_GEN)$(DTRACE) -o $@ -G -s $<
+
+CLEANFILES += probes.h probes.o
+endif
 
 install-data-local: install-init install-data-sasl install-data-polkit \
                     install-logrotate
@@ -317,5 +339,5 @@ uninstall-data-sasl:
 endif
 
 
-CLEANFILES = $(BUILT_SOURCES) $(man_MANS) libvirtd.pod
+CLEANFILES += $(BUILT_SOURCES) $(man_MANS) libvirtd.pod
 CLEANFILES += *.cov *.gcov .libs/*.gcda .libs/*.gcno *.gcno *.gcda

daemon/libvirtd.c

@@ -1240,12 +1240,15 @@ remoteCheckCertificate(struct qemud_client *client)
         }
     }
 
+    PROBE(CLIENT_TLS_ALLOW, "fd=%d, name=%s", client->fd, name);
     return 0;
 
 authdeny:
+    PROBE(CLIENT_TLS_DENY, "fd=%d, name=%s", client->fd, name);
     return -1;
 
 authfail:
+    PROBE(CLIENT_TLS_FAIL, "fd=%d", client->fd);
     return -1;
 }
 
@@ -1327,6 +1330,8 @@ static int qemudDispatchServer(struct qemud_server *server, struct qemud_socket
         return -1;
     }
 
+    PROBE(CLIENT_CONNECT, "fd=%d, readonly=%d", fd, sock->readonly);
+
     if (server->nclients >= max_clients) {
         VIR_ERROR(_("Too many active clients (%d), dropping connection"), max_clients);
         goto error;
@@ -1445,6 +1450,7 @@ static int qemudDispatchServer(struct qemud_server *server, struct qemud_socket
             if (qemudRegisterClientEvent (server, client) < 0)
                 goto error;
         } else {
+            PROBE(CLIENT_TLS_FAIL, "fd=%d", client->fd);
             VIR_ERROR(_("TLS handshake failed: %s"),
                       gnutls_strerror (ret));
             goto error;
@@ -1476,6 +1482,7 @@ error:
         VIR_FREE(client);
     }
     close (fd);
+    PROBE(CLIENT_DISCONNECT, "fd=%d", fd);
     return -1;
 }
 
@@ -1519,6 +1526,7 @@ void qemudDispatchClientFailure(struct qemud_client *client) {
         client->tlssession = NULL;
     }
     if (client->fd != -1) {
+        PROBE(CLIENT_DISCONNECT, "fd=%d", client->fd);
         close(client->fd);
         client->fd = -1;
     }
@@ -2079,6 +2087,7 @@ qemudDispatchClientHandshake(struct qemud_client *client) {
            direction has changed */
         qemudUpdateClientEvent (client);
     } else {
+        PROBE(CLIENT_TLS_FAIL, "fd=%d", client->fd);
         /* Fatal error in handshake */
         VIR_ERROR(_("TLS handshake failed: %s"),
                   gnutls_strerror (ret));

daemon/libvirtd.h

@@ -49,6 +49,23 @@
 # include "logging.h"
 # include "threads.h"
 
+# if WITH_DTRACE
+#  ifndef LIBVIRTD_PROBES_H
+#   define LIBVIRTD_PROBES_H
+#   include "probes.h"
+#  endif /* LIBVIRTD_PROBES_H */
+#  define PROBE(NAME, FMT, ...)                              \
+    VIR_DEBUG_INT("trace." __FILE__ , __func__, __LINE__,    \
+                  #NAME ": " FMT, __VA_ARGS__);              \
+    if (LIBVIRTD_ ## NAME ## _ENABLED()) {                   \
+        LIBVIRTD_ ## NAME(__VA_ARGS__);                      \
+    }
+# else
+#  define PROBE(NAME, FMT, ...)                                 \
+    VIR_DEBUG_INT("trace." __FILE__, __func__, __LINE__,        \
+                  #NAME ": " FMT, __VA_ARGS__);
+# endif
+
 # ifdef __GNUC__
 #  ifdef HAVE_ANSIDECL_H
 #   include <ansidecl.h>

daemon/libvirtd.stp

+probe libvirt.daemon.client.connect = process("libvirtd").mark("client_connect")
+{
+  fd = $arg1;
+  readonly = $arg2;
+}
+
+probe libvirt.daemon.client.disconnect = process("libvirtd").mark("client_disconnect")
+{
+  fd = $arg1;
+}
+
+
+probe libvirt.daemon.client.tls_allow = process("libvirtd").mark("client_tls_allow")
+{
+  fd = $arg1;
+  x509dname = user_string($arg2);
+}
+
+probe libvirt.daemon.client.tls_deny = process("libvirtd").mark("client_tls_deny")
+{
+  fd = $arg1;
+  x509dname = user_string($arg2);
+}
+
+probe libvirt.daemon.client.tls_fail = process("libvirtd").mark("client_tls_fail")
+{
+  fd = $arg1;
+}
+
+
+function authtype_to_string(authtype) {
+  if (authtype == 0)
+    return "none"
+  if (authtype == 1)
+    return "sasl"
+  if (authtype == 2)
+    return "polkit"
+  return "unknown"
+}
+
+
+probe libvirt.daemon.client.auth_allow = process("libvirtd").mark("client_auth_allow")
+{
+  fd = $arg1;
+  authtype = $arg2;
+  authname = authtype_to_string($arg2);
+  identity = user_string($arg3);
+}
+
+probe libvirt.daemon.client.auth_deny = process("libvirtd").mark("client_auth_deny")
+{
+  fd = $arg1;
+  authtype = $arg2;
+  authname = authtype_to_string($arg2);
+  identity = user_string($arg3);
+}
+
+probe libvirt.daemon.client.auth_fail = process("libvirtd").mark("client_auth_fail")
+{
+  fd = $arg1;
+  authtype = $arg2;
+  authname = authtype_to_string($arg2);
+}

daemon/probes.d

+provider libvirtd {
+	 probe client_connect(int fd, int readonly);
+	 probe client_disconnect(int fd);
+
+	 probe client_auth_allow(int fd, int authtype, const char *identity);
+	 probe client_auth_deny(int fd, int authtype, const char *identity);
+	 probe client_auth_fail(int fd, int authtype);
+
+	 probe client_tls_allow(int fd, const char *x509dname);
+	 probe client_tls_deny(int fd, const char *x509dname);
+	 probe client_tls_fail(int fd);
+};

daemon/remote.c

@@ -3791,6 +3791,7 @@ remoteDispatchAuthSaslInit (struct qemud_server *server,
 authfail:
     remoteDispatchAuthError(rerr);
 error:
+    PROBE(CLIENT_AUTH_FAIL, "fd=%d, auth=%d", client->fd, REMOTE_AUTH_SASL);
     virMutexUnlock(&client->lock);
     return -1;
 }
@@ -3977,6 +3978,8 @@ remoteDispatchAuthSaslStart (struct qemud_server *server,
         }
 
         REMOTE_DEBUG("Authentication successful %d", client->fd);
+        PROBE(CLIENT_AUTH_ALLOW, "fd=%d, auth=%d, username=%s",
+              client->fd, REMOTE_AUTH_SASL, client->saslUsername);
         ret->complete = 1;
         client->auth = REMOTE_AUTH_NONE;
     }
@@ -3985,10 +3988,13 @@ remoteDispatchAuthSaslStart (struct qemud_server *server,
     return 0;
 
 authfail:
+    PROBE(CLIENT_AUTH_FAIL, "fd=%d, auth=%d", client->fd, REMOTE_AUTH_SASL);
     remoteDispatchAuthError(rerr);
     goto error;
 
 authdeny:
+    PROBE(CLIENT_AUTH_DENY, "fd=%d, auth=%d, username=%s",
+          client->fd, REMOTE_AUTH_SASL, client->saslUsername);
     goto error;
 
 error:
@@ -4073,6 +4079,8 @@ remoteDispatchAuthSaslStep (struct qemud_server *server,
         }
 
         REMOTE_DEBUG("Authentication successful %d", client->fd);
+        PROBE(CLIENT_AUTH_ALLOW, "fd=%d, auth=%d, username=%s",
+              client->fd, REMOTE_AUTH_SASL, client->saslUsername);
         ret->complete = 1;
         client->auth = REMOTE_AUTH_NONE;
     }
@@ -4081,10 +4089,13 @@ remoteDispatchAuthSaslStep (struct qemud_server *server,
     return 0;
 
 authfail:
+    PROBE(CLIENT_AUTH_FAIL, "fd=%d, auth=%d", client->fd, REMOTE_AUTH_SASL);
     remoteDispatchAuthError(rerr);
     goto error;
 
 authdeny:
+    PROBE(CLIENT_AUTH_DENY, "fd=%d, auth=%d, username=%s",
+          client->fd, REMOTE_AUTH_SASL, client->saslUsername);
     goto error;
 
 error:
@@ -4104,6 +4115,7 @@ remoteDispatchAuthSaslInit (struct qemud_server *server ATTRIBUTE_UNUSED,
                             remote_auth_sasl_init_ret *ret ATTRIBUTE_UNUSED)
 {
     VIR_ERROR0(_("client tried unsupported SASL init request"));
+    PROBE(CLIENT_AUTH_FAIL, "fd=%d, auth=%d", client->fd, REMOTE_AUTH_SASL);
     remoteDispatchAuthError(rerr);
     return -1;
 }
@@ -4118,6 +4130,7 @@ remoteDispatchAuthSaslStart (struct qemud_server *server ATTRIBUTE_UNUSED,
                              remote_auth_sasl_start_ret *ret ATTRIBUTE_UNUSED)
 {
     VIR_ERROR0(_("client tried unsupported SASL start request"));
+    PROBE(CLIENT_AUTH_FAIL, "fd=%d, auth=%d", client->fd, REMOTE_AUTH_SASL);
     remoteDispatchAuthError(rerr);
     return -1;
 }
@@ -4132,6 +4145,7 @@ remoteDispatchAuthSaslStep (struct qemud_server *server ATTRIBUTE_UNUSED,
                             remote_auth_sasl_step_ret *ret ATTRIBUTE_UNUSED)
 {
     VIR_ERROR0(_("client tried unsupported SASL step request"));
+    PROBE(CLIENT_AUTH_FAIL, "fd=%d, auth=%d", client->fd, REMOTE_AUTH_SASL);
     remoteDispatchAuthError(rerr);
     return -1;
 }
@@ -4208,6 +4222,8 @@ remoteDispatchAuthPolkit (struct qemud_server *server,
                   action, callerPid, callerUid, status);
         goto authdeny;
     }
+    PROBE(CLIENT_AUTH_ALLOW, "fd=%d, auth=%d, username=%s",
+          client->fd, REMOTE_AUTH_POLKIT, ident);
     VIR_INFO(_("Policy allowed action %s from pid %d, uid %d"),
              action, callerPid, callerUid);
     ret->complete = 1;
@@ -4217,9 +4233,12 @@ remoteDispatchAuthPolkit (struct qemud_server *server,
     return 0;
 
 authfail:
+    PROBE(CLIENT_AUTH_FAIL, "fd=%d, auth=%d", client->fd, REMOTE_AUTH_POLKIT);
     goto error;
 
 authdeny:
+    PROBE(CLIENT_AUTH_DENY, "fd=%d, auth=%d, username=%s",
+          client->fd, REMOTE_AUTH_POLKIT, ident);
     goto error;
 
 error:
@@ -4333,6 +4352,8 @@ remoteDispatchAuthPolkit (struct qemud_server *server,
                   polkit_result_to_string_representation(pkresult));
         goto authdeny;
     }
+    PROBE(CLIENT_AUTH_ALLOW, "fd=%d, auth=%d, username=%s",
+          client->fd, REMOTE_AUTH_POLKIT, ident);
     VIR_INFO(_("Policy allowed action %s from pid %d, uid %d, result %s"),
              action, callerPid, callerUid,
              polkit_result_to_string_representation(pkresult));
@@ -4343,9 +4364,12 @@ remoteDispatchAuthPolkit (struct qemud_server *server,
     return 0;
 
 authfail:
+    PROBE(CLIENT_AUTH_FAIL, "fd=%d, auth=%d", client->fd, REMOTE_AUTH_POLKIT);
     goto error;
 
 authdeny:
+    PROBE(CLIENT_AUTH_DENY, "fd=%d, auth=%d, username=%s",
+          client->fd, REMOTE_AUTH_POLKIT, ident);
     goto error;
 
 error:

examples/systemtap/Makefile.am

+
+EXTRA_DIST = client.stp

examples/systemtap/client.stp

+#!/usr/bin/stap
+
+probe libvirt.daemon.client.connect {
+      printf("Client fd=%d connected readonly=%d\n", fd, readonly);
+}
+probe libvirt.daemon.client.disconnect {
+      printf("Client fd=%d disconnected\n", fd);
+}
+
+probe libvirt.daemon.client.tls_allow {
+      printf("Client fd=%d tls allow %s\n", fd, x509dname);
+}
+probe libvirt.daemon.client.tls_deny {
+      printf("Client fd=%d tls deny %s\n", fd, x509dname);
+}
+probe libvirt.daemon.client.tls_fail {
+      printf("Client fd=%d tls fail\n", fd);
+}
+
+probe libvirt.daemon.client.auth_allow {
+      printf("Client fd=%d auth %s allow %s\n", fd, authname, identity);
+}
+probe libvirt.daemon.client.auth_deny {
+      printf("Client fd=%d auth %s deny %s\n", fd, authname, identity);
+}
+probe libvirt.daemon.client.auth_fail {
+      printf("Client fd=%d auth %s fail\n", fd, authname);
+}

libvirt.spec.in

@@ -67,6 +67,7 @@
 %define with_macvtap       0%{!?_without_macvtap:0}
 %define with_libnl         0%{!?_without_libnl:0}
 %define with_audit         0%{!?_without_audit:0}
+%define with_dtrace        0%{!?_without_dtrace:0}
 
 # Non-server/HV driver defaults which are always enabled
 %define with_python        0%{!?_without_python:1}
@@ -170,6 +171,10 @@
 %define with_audit    0%{!?_without_audit:1}
 %endif
 
+%if 0%{?fedora} >= 13 || 0%{?rhel} >= 6
+%define with_dtrace 1
+%endif
+
 # Force QEMU to run as non-root
 %if 0%{?fedora} >= 12 || 0%{?rhel} >= 6
 %define qemu_user  qemu
@@ -564,6 +569,10 @@ of recent versions of Linux (and other OSes).
 %define _without_audit --without-audit
 %endif
 
+%if ! %{with_dtrace}
+%define _without_dtrace --without-dtrace
+%endif
+
 %configure %{?_without_xen} \
            %{?_without_qemu} \
            %{?_without_openvz} \
@@ -596,6 +605,7 @@ of recent versions of Linux (and other OSes).
            %{?_without_libpcap} \
            %{?_without_macvtap} \
            %{?_without_audit} \
+           %{?_without_dtrace} \
            --with-qemu-user=%{qemu_user} \
            --with-qemu-group=%{qemu_group} \
            --with-init-script=redhat \
@@ -607,7 +617,7 @@ gzip -9 ChangeLog
 rm -fr %{buildroot}
 
 %makeinstall
-for i in domain-events/events-c dominfo domsuspend hellolibvirt openauth python xml/nwfilter
+for i in domain-events/events-c dominfo domsuspend hellolibvirt openauth python xml/nwfilter systemtap
 do
   (cd examples/$i ; make clean ; rm -rf .deps .libs Makefile Makefile.in)
 done
@@ -763,6 +773,9 @@ fi
 %{_sysconfdir}/rc.d/init.d/libvirtd
 %config(noreplace) %{_sysconfdir}/sysconfig/libvirtd
 %config(noreplace) %{_sysconfdir}/libvirt/libvirtd.conf
+%if %{with_dtrace}
+%{_datadir}/systemtap/tapsets/libvirtd.stp
+%endif
 %dir %attr(0700, root, root) %{_localstatedir}/log/libvirt/qemu/
 %dir %attr(0700, root, root) %{_localstatedir}/log/libvirt/lxc/
 %dir %attr(0700, root, root) %{_localstatedir}/log/libvirt/uml/
@@ -909,6 +922,7 @@ fi
 %doc examples/domsuspend
 %doc examples/openauth
 %doc examples/xml
+%doc examples/systemtap
 
 %if %{with_python}
 %files python

mingw32-libvirt.spec.in

@@ -58,6 +58,7 @@ MinGW Windows libvirt virtualization library.
   --without-phyp \
   --without-netcf \
   --without-audit \
+  --without-dtrace \
   --without-libvirtd
 make