- 07 Feb, 2014 1 commit
  - Committed by Matthieu Coudron
This commit allows to attach/detach a <filesystem> device in qemu. For this purpose I'm introducing two new functions: virDomainFSInsert() and virDomainFSRemove() and adding necessary code in the qemu driver. It compares filesystems based on their "destination" folder. So if two filesystems share the same destination, they are considered equal and the qemu driver would reject the insertion.

Signed-off-by: Matthieu Coudron <mattator@gmail.com>
- 06 Feb, 2014 1 commit
  - Committed by Peter Krempa
When attempting a blockcommit from the top layer, the base argument passed is NULL. This will be dereferenced when attempting a commit with an empty image chain. Output the real volume path instead:

    virsh blockcommit --verbose --path vda --domain DOMNAME --wait
    error: invalid argument: top '/path/somefile' in chain for 'vda' has no backing file

instead of:

    error: invalid argument: top '(null)' in chain for 'vda' has no backing file
- 05 Feb, 2014 1 commit
  - Committed by Eric Blake
https://bugzilla.redhat.com/show_bug.cgi?id=1058839

Commit f9f56340 for CVE-2014-0028 almost had the right idea - we need to check the ACL rules to filter which events to send. But it overlooked one thing: the event dispatch queue is running in the main loop thread, and therefore does not normally have a current virIdentityPtr. But filter checks can be based on current identity, so when libvirtd.conf contains access_drivers=["polkit"], we ended up rejecting access for EVERY event due to failure to look up the current identity, even if it should have been allowed.

Furthermore, even for events that are triggered by API calls, it is important to remember that the point of events is that they can be copied across multiple connections, which may have separate identities and permissions. So even if events were dispatched from a context where we have an identity, we must change to the correct identity of the connection that will be receiving the event, rather than basing a decision on the context that triggered the event, when deciding whether to filter an event to a particular connection.

If there were an easy way to get from virConnectPtr to the appropriate virIdentityPtr, then object_event.c could adjust the identity prior to checking whether to dispatch an event. But setting up that back-reference is a bit invasive. Instead, it is easier to delay the filtering check until lower down the stack, at the point where we have direct access to the RPC client object that owns an identity. As such, this patch ends up reverting a large portion of the framework of commit f9f56340. We also have to teach 'make check' to special-case the fact that the event registration filtering is done at the point of dispatch, rather than the point of registration. Note that even though we don't actually use virConnectDomainEventRegisterCheckACL (because the RegisterAny variant is sufficient), we still generate the function for the purposes of documenting that the filtering takes place.

Also note that I did not entirely delete the notion of a filter from object_event.c; I still plan on using that for my upcoming patch series for qemu monitor events in libvirt-qemu.so. In other words, while this patch changes ACL filtering to live in remote.c and therefore we have no current client of the filtering in object_event.c, the notion of filtering in object_event.c is still useful down the road.

* src/check-aclrules.pl: Exempt event registration from having to pass checkACL filter down call stack.
* daemon/remote.c (remoteRelayDomainEventCheckACL) (remoteRelayNetworkEventCheckACL): New functions. (remoteRelay*Event*): Use new functions.
* src/conf/domain_event.h (virDomainEventStateRegister) (virDomainEventStateRegisterID): Drop unused parameter.
* src/conf/network_event.h (virNetworkEventStateRegisterID): Likewise.
* src/conf/domain_event.c (virDomainEventFilter): Delete unused function.
* src/conf/network_event.c (virNetworkEventFilter): Likewise.
* src/libxl/libxl_driver.c: Adjust caller.
* src/lxc/lxc_driver.c: Likewise.
* src/network/bridge_driver.c: Likewise.
* src/qemu/qemu_driver.c: Likewise.
* src/remote/remote_driver.c: Likewise.
* src/test/test_driver.c: Likewise.
* src/uml/uml_driver.c: Likewise.
* src/vbox/vbox_tmpl.c: Likewise.
* src/xen/xen_driver.c: Likewise.

Signed-off-by: Eric Blake <eblake@redhat.com>
- 31 Jan, 2014 1 commit
  - Committed by Daniel P. Berrange
The NWFilter code has a deadlock race condition between the virNWFilter{Define,Undefine} APIs and starting of guest VMs due to mis-matched lock ordering.

In the virNWFilter{Define,Undefine} codepaths the lock ordering is

  1. nwfilter driver lock
  2. virt driver lock
  3. nwfilter update lock
  4. domain object lock

In the VM guest startup paths the lock ordering is

  1. virt driver lock
  2. domain object lock
  3. nwfilter update lock

As can be seen the domain object and nwfilter update locks are not acquired in a consistent order.

The fix used is to push the nwfilter update lock up to the top level resulting in a lock ordering for virNWFilter{Define,Undefine} of

  1. nwfilter driver lock
  2. nwfilter update lock
  3. virt driver lock
  4. domain object lock

and VM start using

  1. nwfilter update lock
  2. virt driver lock
  3. domain object lock

This has the effect of serializing VM startup once again, even if no nwfilters are applied to the guest. There is also the possibility of deadlock due to a call graph loop via virNWFilterInstantiate and virNWFilterInstantiateFilterLate.

These two problems mean the lock must be turned into a read/write lock instead of a plain mutex at the same time. The lock is used to serialize changes to the "driver->nwfilters" hash, so the write lock only needs to be held by the define/undefine methods. All other methods can rely on a read lock which allows good concurrency.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
- 29 Jan, 2014 1 commit
  - Committed by Peter Krempa
Add support for specifying various types when doing snapshots. This will later allow to do snapshots on network backed volumes. Disks of type 'volume' are not supported by snapshots (yet). Also amend the test suite to check parsing of the various new disk types that can now be specified.
- 25 Jan, 2014 1 commit
  - Committed by John Ferlan
Currently the qemuDomainGetBlockInfo will return allocation == physical for most backing stores. For a qcow2 block backed device it's possible to return the highest lv extent allocated from qemu for an active guest. That is a value where allocation != physical and one would hope be less. However, if the guest is not running, then the code falls back to returning allocation == physical. This turns out to be problematic for rhev which monitors the size of the backing store. During a migration, before the VM has been started on the target and while it is deemed inactive on the source, there's a small window of time where the allocation is returned as physical, triggering the code to extend the file unnecessarily.

Since rhev uses transient domains and this is an edge condition for a transient domain, rather than returning good status and allocation == physical when this "window of opportunity" exists, this patch will check for a transient (or non-persistent) domain and return a failure to the caller rather than returning the defaults. For a persistent domain, the defaults will be returned. The description for the virDomainGetBlockInfo has been updated to describe the phenomena.
- 24 Jan, 2014 1 commit
  - Committed by Gao feng
The array params is allocated by VIR_ALLOC_N in remoteDispatchDomainGetCPUStats. It had been set to zero. No need to reset it to zero again, and this reset here is incorrect too: nparams * ncpus is the array length, not the size of the params array.

Signed-off-by: Gao feng <gaofeng@cn.fujitsu.com>
- 23 Jan, 2014 1 commit
  - Committed by Eric Blake
I noticed that we allow virDomainGetVcpusFlags even for read-only connections, but that with a flag, it can require guest agent interaction. It is feasible that a malicious guest could intentionally abuse the replies it sends over the guest agent connection to possibly trigger a bug in libvirt's JSON parser, or withhold an answer so as to prevent the use of the agent in a later command such as a shutdown request. Although we don't know of any such exploits now (and therefore don't mind posting this patch publicly without trying to get a CVE assigned), it is better to err on the side of caution and explicitly require full access to any domain where the API requires guest interaction to operate correctly.

I audited all commands that are marked as conditionally using a guest agent. Note that at least virDomainFSTrim is documented as needing a guest agent, but that such use is unconditional depending on the hypervisor (so the existing domain:fs_trim ACL should be sufficient there, rather than also requiring domain:write). But when designing future APIs, such as the plans for obtaining a domain's IP addresses, we should copy the approach of this patch in making interaction with the guest be specified via a flag, and use that flag to also require stricter access checks.

* src/libvirt.c (virDomainGetVcpusFlags): Forbid guest interaction on read-only connection. (virDomainShutdownFlags, virDomainReboot): Improve docs on agent interaction.
* src/remote/remote_protocol.x (REMOTE_PROC_DOMAIN_SNAPSHOT_CREATE_XML) (REMOTE_PROC_DOMAIN_SET_VCPUS_FLAGS) (REMOTE_PROC_DOMAIN_GET_VCPUS_FLAGS, REMOTE_PROC_DOMAIN_REBOOT) (REMOTE_PROC_DOMAIN_SHUTDOWN_FLAGS): Require domain:write for any conditional use of a guest agent.
* src/xen/xen_driver.c: Fix clients.
* src/libxl/libxl_driver.c: Likewise.
* src/uml/uml_driver.c: Likewise.
* src/qemu/qemu_driver.c: Likewise.
* src/lxc/lxc_driver.c: Likewise.

Signed-off-by: Eric Blake <eblake@redhat.com>
- 22 Jan, 2014 1 commit
  - Committed by Peter Krempa
https://bugzilla.redhat.com/show_bug.cgi?id=1034993

SCSI passthrough disks (<disk .. device="lun">) can't be used as backing for snapshots. Currently with upstream qemu the vm crashes on such an attempt. This patch adds an early check to catch an attempt to do such a snapshot and rejects it right away. qemu will fix the issue but this will let us control the error message.
- 21 Jan, 2014 1 commit
  - Committed by Peter Krempa
We shouldn't access the domain definition while we are in the monitor section as the domain is unlocked. Additionally after we exit from the monitor we need to check if the VM is still alive. Not doing so resulted in a crash if qemu exits while attempting to do an external VM snapshot.
- 20 Jan, 2014 2 commits
  - Committed by Jincheng Miao
https://bugzilla.redhat.com/show_bug.cgi?id=1046919

If none (KVM, VFIO) of the supported PCI passthrough methods is known to work on a host, it's better to fail right away with a nice error message rather than letting attachment fail with a more cryptic message such as

    Failed to bind PCI device '0000:07:05.0' to vfio-pci: No such device

Signed-off-by: Jiri Denemark <jdenemar@redhat.com>
  - Committed by Gao feng
With this patch, user can setup throttle blkio cgroup through virsh for qemu domain.

Signed-off-by: Guan Qiang <hzguanqiang@corp.netease.com>
Signed-off-by: Gao feng <gaofeng@cn.fujitsu.com>
- 17 Jan, 2014 1 commit
  - Committed by Eric Blake
The public virConnectRef and virConnectClose API are just thin wrappers around virObjectRef/virObjectRef, with added object validation and an error reset. Within our backend drivers, use of the object validation is just an inefficiency since we always pass valid objects. More important to think about is what happens with the error reset; our uses of virConnectRef happened to be safe (since we hadn't encountered any earlier errors), but in several cases the use of virConnectClose could lose a real error.

Ideally, we should also avoid calling virConnectOpen() from within backend drivers - but that is a known situation that needs much more design work.

* src/qemu/qemu_process.c (qemuProcessReconnectHelper) (qemuProcessReconnect): Avoid nested public API call.
* src/qemu/qemu_driver.c (qemuAutostartDomains) (qemuStateInitialize, qemuStateStop): Likewise.
* src/qemu/qemu_migration.c (doPeer2PeerMigrate): Likewise.
* src/storage/storage_driver.c (storageDriverAutostart): Likewise.
* src/uml/uml_driver.c (umlAutostartConfigs): Likewise.
* src/lxc/lxc_process.c (virLXCProcessAutostartAll): Likewise. (virLXCProcessReboot): Likewise, and avoid leaking conn on error.

Signed-off-by: Eric Blake <eblake@redhat.com>
- 16 Jan, 2014 1 commit
  - Committed by Eric Blake
Ever since ACL filtering was added in commit 76397360 (v1.1.1), a user could still use event registration to obtain access to a domain that they could not normally access via virDomainLookup* or virConnectListAllDomains and friends. We already have the framework in the RPC generator for creating the filter, and previous cleanup patches got us to the point that we can now wire the filter through the entire object event stack.

Furthermore, whether or not domain:getattr is honored, use of global events is a form of obtaining a list of networks, which is covered by connect:search_domains added in a93cd08f (v1.1.0). Ideally, we'd have a way to enforce connect:search_domains when doing global registrations while omitting that check on a per-domain registration. But this patch just unconditionally requires connect:search_domains, even when no list could be obtained, based on the following observations:

1. Administrators are unlikely to grant domain:getattr for one or all domains while still denying connect:search_domains - a user that is able to manage domains will want to be able to manage them efficiently, but efficient management includes being able to list the domains they can access. The idea of denying connect:search_domains while still granting access to individual domains is therefore not adding any real security, but just serves as a layer of obscurity to annoy the end user.

2. In the current implementation, domain events are filtered on the client; the server has no idea if a domain filter was requested, and must therefore assume that all domain event requests are global. Even if we fix the RPC protocol to allow for server-side filtering for newer client/server combos, making the connect:search_domains ACL check conditional on whether the domain argument was NULL won't benefit older clients. Therefore, we choose to document that connect:search_domains is a pre-requisite to any domain event management.

Network events need the same treatment, with the obvious change of using connect:search_networks and network:getattr.

* src/access/viraccessperm.h (VIR_ACCESS_PERM_CONNECT_SEARCH_DOMAINS) (VIR_ACCESS_PERM_CONNECT_SEARCH_NETWORKS): Document additional effect of the permission.
* src/conf/domain_event.h (virDomainEventStateRegister) (virDomainEventStateRegisterID): Add new parameter.
* src/conf/network_event.h (virNetworkEventStateRegisterID): Likewise.
* src/conf/object_event_private.h (virObjectEventStateRegisterID): Likewise.
* src/conf/object_event.c (_virObjectEventCallback): Track a filter. (virObjectEventDispatchMatchCallback): Use filter. (virObjectEventCallbackListAddID): Register filter.
* src/conf/domain_event.c (virDomainEventFilter): New function. (virDomainEventStateRegister, virDomainEventStateRegisterID): Adjust callers.
* src/conf/network_event.c (virNetworkEventFilter): New function. (virNetworkEventStateRegisterID): Adjust caller.
* src/remote/remote_protocol.x (REMOTE_PROC_CONNECT_DOMAIN_EVENT_REGISTER) (REMOTE_PROC_CONNECT_DOMAIN_EVENT_REGISTER_ANY) (REMOTE_PROC_CONNECT_NETWORK_EVENT_REGISTER_ANY): Generate a filter, and require connect:search_domains instead of weaker connect:read.
* src/test/test_driver.c (testConnectDomainEventRegister) (testConnectDomainEventRegisterAny) (testConnectNetworkEventRegisterAny): Update callers.
* src/remote/remote_driver.c (remoteConnectDomainEventRegister) (remoteConnectDomainEventRegisterAny): Likewise.
* src/xen/xen_driver.c (xenUnifiedConnectDomainEventRegister) (xenUnifiedConnectDomainEventRegisterAny): Likewise.
* src/vbox/vbox_tmpl.c (vboxDomainGetXMLDesc): Likewise.
* src/libxl/libxl_driver.c (libxlConnectDomainEventRegister) (libxlConnectDomainEventRegisterAny): Likewise.
* src/qemu/qemu_driver.c (qemuConnectDomainEventRegister) (qemuConnectDomainEventRegisterAny): Likewise.
* src/uml/uml_driver.c (umlConnectDomainEventRegister) (umlConnectDomainEventRegisterAny): Likewise.
* src/network/bridge_driver.c (networkConnectNetworkEventRegisterAny): Likewise.
* src/lxc/lxc_driver.c (lxcConnectDomainEventRegister) (lxcConnectDomainEventRegisterAny): Likewise.

Signed-off-by: Eric Blake <eblake@redhat.com>
- 07 Jan, 2014 6 commits
  - Committed by Jiri Denemark
CVE-2013-6458 Every API that is going to begin a job should do that before fetching data from vm->def.
  - Committed by Jiri Denemark
Every API that is going to begin a job should do that before fetching data from vm->def.
  - Committed by Jiri Denemark
CVE-2013-6458 Every API that is going to begin a job should do that before fetching data from vm->def.
  - Committed by Jiri Denemark
CVE-2013-6458 Generally, every API that is going to begin a job should do that before fetching data from vm->def. However, qemuDomainGetBlockInfo does not know whether it will have to start a job or not before checking vm->def. To avoid using disk alias that might have been freed while we were waiting for a job, we use its copy. In case the disk was removed in the meantime, we will fail with "cannot find statistics for device '...'" error message.
  - Committed by Jiri Denemark
CVE-2013-6458
https://bugzilla.redhat.com/show_bug.cgi?id=1043069

When virDomainDetachDeviceFlags is called concurrently to virDomainBlockStats, libvirtd may crash because qemuDomainBlockStats finds a disk in vm->def before getting a job on a domain and uses the disk pointer after getting the job. However, the domain is unlocked while waiting on a job condition and thus data behind the disk pointer may disappear. This happens when thread 1 runs virDomainDetachDeviceFlags and enters monitor to actually remove the disk. Then another thread starts running virDomainBlockStats, finds the disk in vm->def, and while it's waiting on the job condition (owned by the first thread), the first thread finishes the disk removal. When the second thread gets the job, the memory pointed to by the disk pointer is already gone.

That said, every API that is going to begin a job should do that before fetching data from vm->def.
  - Committed by Eric Blake
Introduced in commit 81fae6b9.

* src/qemu/qemu_driver.c (qemuDomainSetNumaParamsLive): Fix typos.

Signed-off-by: Eric Blake <eblake@redhat.com>
- 06 Jan, 2014 2 commits
  - Committed by Peter Krempa
https://bugzilla.redhat.com/show_bug.cgi?id=1047234

Add a range check for supported numa memory placement modes provided by the user before setting them in the domain definition. Without the check the user is able to provide a (yet) unknown mode which is then stored in the domain definition. This potentially causes a NULL dereference when the definition is formatted into the XML.

To reproduce run:

    virsh numatune DOMNAME --mode 6 --nodeset 0

The XML will then contain:

    <numatune>
      <memory mode='(null)' nodeset='0'/>
    </numatune>

With this fix, the command fails:

    error: Unable to change numa parameters
    error: invalid argument: unsupported numa_mode: '6'
  - Committed by Peter Krempa
Add whitespace to separate logical code blocks, reformat error messages and clean up code flow. This patch changes error handling in some cases where the loop would be continued to jump to cleanup instead and error out rather than modify the domain any further.
- 12 Dec, 2013 2 commits
  - Committed by Gao feng
The throttle blkio cgroup will reuse this struct.

Signed-off-by: Gao feng <gaofeng@cn.fujitsu.com>
  - Committed by Gao feng
Signed-off-by: Gao feng <gaofeng@cn.fujitsu.com>
- 10 Dec, 2013 6 commits
  - Committed by Cédric Bosdonnat
The virDomainEvent class is kept as it indicates what meta informations are valid for the children classes. This may be useful in the future.
  - Committed by Cédric Bosdonnat
This aims at providing some consistency with other domain events
  - Committed by Cédric Bosdonnat
Added a parent class virObjectEvent for future event types
  - Committed by Cédric Bosdonnat
Leave virDomainEventRegister and its Deregister brother as these are legacy functions only for domain lifecycle events.
  - Committed by Martin Kletzander
Signed-off-by: Martin Kletzander <mkletzan@redhat.com>
  - Committed by Martin Kletzander
For dead domains that have no memtune limits, we return 0 instead of "unlimited", this patch fixes it to return PARAM_UNLIMITED.

Signed-off-by: Martin Kletzander <mkletzan@redhat.com>
- 06 Dec, 2013 1 commit
  - Committed by Peter Krempa
https://bugzilla.redhat.com/show_bug.cgi?id=1035108

When attempting to enable more vCPUs in the guest than is currently enabled in the guest but less than the maximum count for the VM we currently reported an unhelpful message:

    error: internal error: guest agent reports less cpu than requested

This patch changes it to:

    error: invalid argument: requested vcpu count is greater than the count of enabled vcpus in the domain: 3 > 2
- 04 Dec, 2013 1 commit
  - Committed by Shivaprasad G Bhat
Ever since the subcpusets(vcpu,emulator) were introduced, the parent cpuset cannot be modified to remove the nodes that are in use by the subcpusets. The fix is to break the memory node modification into three steps:

1. assign new nodes into the parent,
2. change the nodes in the child nodes,
3. remove the old nodes on the parent node.

Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1009880

Signed-off-by: Shivaprasad G Bhat <sbhat@linux.vnet.ibm.com>
Signed-off-by: Martin Kletzander <mkletzan@redhat.com>
- 03 Dec, 2013 2 commits
  - Committed by Laine Stump
This patch resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1035188 Commit f094aaac changed the PCI device assignment in qemu domains to default to using VFIO rather than legacy KVM device assignment (when VFIO is available). It didn't change which driver was used by default for virNodeDeviceDetachFlags(), though, so that API (and the virsh nodedev-detach command) was still binding to the pci-stub driver, used by legacy KVM assignment, by default. This patch publicizes (only within the qemu module, though, so no additions to the symbol exports are needed) the functions that check for presence of KVM and VFIO device assignment, then uses those functions to decide what to do when no driver is specified for virNodeDeviceDetachFlags(); if the vfio driver is loaded, the device will be bound to vfio-pci, or if legacy KVM assignment is supported on this system, the device will be bound to pci-stub; if neither method is available, the detach will fail.
  - Committed by Peter Krempa
Currently the snapshot code did not check if it actually supports snapshots on various disk backends for domains. To avoid future problems add checkers that whitelist the supported configurations.
- 02 Dec, 2013 2 commits
  - Committed by Peter Krempa
  - Committed by Peter Krempa
When doing an internal snapshot on a VM with sheepdog or RBD disks we would not set a flag to mark the domain is using internal snapshots and might end up creating a mixed snapshot. Move the setting of the variable to avoid this problem.
- 27 Nov, 2013 1 commit
  - Committed by Bing Bu Cao
The virsh command 'domxml-to-native' (virConnectDomainXMLToNative()) converts all network devices to "type='ethernet'" in order to make it more likely that the generated command could be run directly from a shell (other libvirt network device types end up referencing file descriptors for tap devices assumed to have been created by libvirt, which can't be done in this case).

During this conversion, all of the netdev parameters are cleared out, then specific items are filled in after changing the type. The MAC address was not one of these preserved items, and the result was that mac addresses in the generated commandlines were always 00:00:00:00:00:00.

This patch saves the mac address before the conversion, then repopulates it afterwards, so the proper mac addresses show up in the commandline.

Signed-off-by: Bing Bu Cao <mars@linux.vnet.ibm.com>
Signed-off-by: Laine Stump <laine@laine.org>
- 21 Nov, 2013 2 commits
  - Committed by Eric Farman
For attach/detach of controller devices, we rename the functions to remove 'PCI' from their title. The actual separation of PCI-specific operations will be handled in the next patch.

Signed-off-by: Eric Farman <farman@linux.vnet.ibm.com>
  - Committed by Eric Blake
Most of our code base uses space after comma but not before; fix the remaining uses before adding a syntax check.

* src/qemu/qemu_cgroup.c: Consistently use commas.
* src/qemu/qemu_command.c: Likewise.
* src/qemu/qemu_conf.c: Likewise.
* src/qemu/qemu_driver.c: Likewise.
* src/qemu/qemu_monitor.c: Likewise.

Signed-off-by: Eric Blake <eblake@redhat.com>
- 18 Nov, 2013 1 commit
  - Committed by Ján Tomko
This allows its error messages to be more specific.