1. 09 5月, 2013 7 次提交
  2. 08 5月, 2013 14 次提交
    • J
      lxc: Coverity false positive USE_AFTER_FREE · 649ecb70
      John Ferlan 提交于
      649ecb70
    • D
      Unmerge attach/update/modify device APIs in drivers · a605b7e0
      Daniel P. Berrange 提交于
      The LXC, QEMU, and LibXL drivers have all merged their handling of
      the attach/update/modify device APIs into one large
      
        'xxxxDomainModifyDeviceFlags'
      
      which then does a 'switch()' based on the actual API being invoked.
      While this saves some lines of code, it is not really all that
      significant in the context of the driver API impls as a whole.
      
      This merger of the handling of different APIs creates pain when
      wanting to automated analysis of the code and do things which
      are specific to individual APIs. The slight duplication of code
      from unmerged the API impls, is preferrable to allow for easier
      automated analysis.
      Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>
      a605b7e0
    • D
      Pull parsing of migration xml up into QEMU driver APIs · 449e6b1b
      Daniel P. Berrange 提交于
      Currently the parsing of XML is pushed down into the various
      migration helper APIs. This makes it difficult to insert the
      correct access control checks, since one helper API services
      many public APIs. Pull the parsing of XML up to the top level
      of the QEMU driver APIs
      449e6b1b
    • D
      Don't allow renaming of domains by the backdoor · 03a60036
      Daniel P. Berrange 提交于
      Several APIs allow for custom XML to be passed in. This is
      checked for ABI stability, which will ensure the UUID is
      not being changed. There isn't validation that the name
      did not change though. This could allow renaming of guests
      via the backdoor, which in turn could allow for bypassing
      access control restrictions based on names.
      Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>
      03a60036
    • D
      Fix naming of some node device APIs · 142e6e27
      Daniel P. Berrange 提交于
      In renaming driver API implementations to match the
      public API naming scheme, a few cases in the node
      device driver were missed.
      Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>
      142e6e27
    • D
      Separate internal node suspend APIs from public API · 4a044d02
      Daniel P. Berrange 提交于
      The individual hypervisor drivers were directly referencing
      APIs in virnodesuspend.c in their virDriverPtr struct. Separate
      these methods, so there is always a wrapper in the hypervisor
      driver. This allows the unused virConnectPtr args to be removed
      from the virnodesuspend.c file. Again this will ensure that
      ACL checks will only be performed on invocations that are
      directly associated with public API usage.
      Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>
      4a044d02
    • D
      Separate internal node device APIs from public API · 1c6d4ca5
      Daniel P. Berrange 提交于
      The individual hypervisor drivers were directly referencing
      APIs in src/nodeinfo.c in their virDriverPtr struct. Separate
      these methods, so there is always a wrapper in the hypervisor
      driver. This allows the unused virConnectPtr args to be
      removed from the nodeinfo.c file. Again this will ensure that
      ACL checks will only be performed on invocations that are
      directly associated with public API usage.
      Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>
      1c6d4ca5
    • D
      Separate virGetHostname() API contract from driver APIs · ead63031
      Daniel P. Berrange 提交于
      Currently the virGetHostname() API has a bogus virConnectPtr
      parameter. This is because virtualization drivers directly
      reference this API in their virDriverPtr tables, tieing its
      API design to the public virConnectGetHostname API design.
      
      This also causes problems for access control checks since
      these must only be done for invocations from the public
      API, not internal invocation.
      
      Remove the bogus virConnectPtr parameter, and make each
      hypervisor driver provide a dedicated function for the
      driver API impl. This will allow access control checks
      to be easily inserted later.
      Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>
      ead63031
    • D
      Include process start time when doing polkit checks · 979e9c56
      Daniel P. Berrange 提交于
      Since PIDs can be reused, polkit prefers to be given
      a (PID,start time) pair. If given a PID on its own,
      it will attempt to lookup the start time in /proc/pid/stat,
      though this is subject to races.
      
      It is safer if the client app resolves the PID start
      time itself, because as long as the app has the client
      socket open, the client PID won't be reused.
      Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>
      979e9c56
    • D
      Rename "security context" to "selinux context" · b1d753fe
      Daniel P. Berrange 提交于
      There are various methods named "virXXXXSecurityContext",
      which are specific to SELinux. Rename them all to
      "virXXXXSELinuxContext". They will still raise errors at
      runtime if SELinux is not compiled in
      Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>
      b1d753fe
    • D
      Fix possible undefined value in check-symsorting.pl · 8f7a1ac8
      Daniel P. Berrange 提交于
      It is possible for $line to be undefined at first used, if
      the symfile doesn't have a section prefix (which is the case
      for auto-generated symfiles).
      Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>
      8f7a1ac8
    • O
      storage: Skip inactive lv volumes · 59750ed6
      Osier Yang 提交于
      If the volume is of a clustered volume group, and not active, the
      related pool APIs fails on opening /dev/vg/lv. If the volume is
      suspended, it hangs on open(2) the volume.
      
      Though the best solution is to expose the volume status in volume
      XML, and even better to provide API to activate/deactivate the volume,
      but it's not the work I want to touch currently. Volume status in
      other status is just fine to skip.
      
      About the 5th field of lv_attr (from man lvs[8])
      <quote>
       5 State: (a)ctive, (s)uspended, (I)nvalid snapshot, invalid
         (S)uspended snapshot, snapshot (m)erge failed,suspended
         snapshot (M)erge failed, mapped (d)evice present without
         tables,  mapped device present with (i)nactive table
      </quote>
      59750ed6
    • E
      string: make VIR_STRDUP easier to use · 6b74a9f5
      Eric Blake 提交于
      While reviewing proposed VIR_STRDUP conversions, I've already noticed
      several places that do:
      
      if (str && VIR_STRDUP(dest, str) < 0)
      
      which can be simplified by allowing str to be NULL (something that
      strdup() doesn't allow).  Meanwhile, code that wants to ensure a
      non-NULL dest regardless of the source can check for <= 0.
      
      Also, make it part of the VIR_STRDUP contract that macro arguments
      are evaluated exactly once.
      
      * src/util/virstring.h (VIR_STRDUP, VIR_STRDUP_QUIET, VIR_STRNDUP)
      (VIR_STRNDUP_QUIET): Improve contract.
      * src/util/virstring.c (virStrdup, virStrndup): Change return
      conventions.
      * docs/hacking.html.in: Document this.
      * HACKING: Regenerate.
      Signed-off-by: NEric Blake <eblake@redhat.com>
      6b74a9f5
    • E
      alloc: make VIR_APPEND_ELEMENT safer · ddcfc549
      Eric Blake 提交于
      VIR_APPEND_ELEMENT(array, size, elem) was not safe if the expression
      for 'size' had side effects.  While no one in the current code base
      was trying to pass side effects, we might as well be robust and
      explicitly document our intentions.
      
      * src/util/viralloc.c (virInsertElementsN): Add special case.
      * src/util/viralloc.h (VIR_APPEND_ELEMENT): Use it.
      (VIR_ALLOC, VIR_ALLOC_N, VIR_REALLOC_N, VIR_EXPAND_N)
      (VIR_RESIZE_N, VIR_SHRINK_N, VIR_INSERT_ELEMENT)
      (VIR_DELETE_ELEMENT, VIR_ALLOC_VAR, VIR_FREE): Document
      which macros are safe in the presence of side effects.
      * docs/hacking.html.in: Document this.
      * HACKING: Regenerate.
      Signed-off-by: NEric Blake <eblake@redhat.com>
      ddcfc549
  3. 07 5月, 2013 6 次提交
    • J
      get rid of virBufferAsprintf where possible · dcea5a49
      Ján Tomko 提交于
      Use virBufferAddLit or virBufferAddChar instead.
      dcea5a49
    • L
      qemu: allocate network connections sooner during domain startup · 8cd40e7e
      Laine Stump 提交于
      VFIO device assignment requires a cgroup ACL to be setup for access to
      the /dev/vfio/nn "group" device for any devices that will be assigned
      to a guest. In the case of a host device that is allocated from a
      pool, it was being allocated during qemuBuildCommandLine(), which is
      called by qemuProcessStart() *after* the all-encompassing
      qemuSetupCgroup() was called, meaning that the standard Cgroup ACL
      setup wasn't creating ACLs for these devices allocated from pools.
      
      One possible solution was to manually add a single ACL down inside
      qemuBuildCommandLine() when networkAllocateActualDevice() is called,
      but that has two problems: 1) the function that adds the cgroup ACL
      requires a virDomainObjPtr, which isn't available in
      qemuBuildCommandLine(), and 2) we really shouldn't be doing network
      device setup inside qemuBuildCommandLine() anyway.
      
      Instead, I've created a new function called
      qemuNetworkPrepareDevices() which is called just before
      qemuPrepareHostDevices() during qemuProcessStart() (explanation of
      ordering in the comments), i.e. well before the call to
      qemuSetupCgroup(). To minimize code churn in a patch that will be
      backported to 1.0.5-maint, qemuNetworkPrepareDevices only does
      networkAllocateActualDevice() and the bare amount of setup required
      for type='hostdev network devices, but it eventually should do *all*
      device setup for guest network devices.
      
      Note that some of the code that was previously needed in
      qemuBuildCommandLine() is no longer required when
      networkAllocateActualDevice() is called earlier:
      
       * qemuAssignDeviceHostdevAlias() is already done further down in
         qemuProcessStart().
      
       * qemuPrepareHostdevPCIDevices() is called by
         qemuPrepareHostDevices() which is called after
         qemuNetworkPrepareDevices() in qemuProcessStart().
      
      As hinted above, this new function should be moved into a separate
      qemu_network.c (or similarly named) file along with
      qemuPhysIfaceConnect(), qemuNetworkIfaceConnect(), and
      qemuOpenVhostNet(), and expanded to call those functions as well, then
      the nnets loop in qemuBuildCommandLine() should be reduced to only
      build the commandline string (which itself can be in a separate
      qemuInterfaceBuilldCommandLine() function as suggested by
      Michal). However, this will require storing away an array of tapfd and
      vhostfd that are needed for the commandline, so I would rather do that
      in a separate patch and leave this patch at the minimum to fix the
      bug.
      8cd40e7e
    • B
      qemu: Enable the capability bit for -no-kvm-pit-reinjection on x86 only · bde17316
      Boris Fiuczynski 提交于
      On architectures not supporting the Intel specific programmable interval
      timer, like e.g. S390, starting a domain with a clock definition containing
      a pit timer results in the error "Option no-kvm-pit-reinjection not supported
      for this target".
      
      By moving the capability enablement for -no-kvm-pit-reinjection from the
      InitQMPBasic section into the x86_64 and i686 only enablement section all
      other architectures are no longer automatically enabled. In addition
      architecture related capabilities enablements have refactored into a new
      architecture bound capabilities initialization function.
      Signed-off-by: NBoris Fiuczynski <fiuczy@linux.vnet.ibm.com>
      Signed-off-by: NViktor Mihajlovski <mihajlov@linux.vnet.ibm.com>
      bde17316
    • D
      rpc: message related sizes enlarged · e914dcfd
      Daniel Hansel 提交于
      We have seen an issue on s390x platform where domain XMLs larger than 1MB
      were used. The define command was finished successfully. The dumpxml command
      was not successful (i.e. could not encode message payload).
      
      Enlarged message related sizes (e.g. maximum string size, message size, etc.)
      to handle larger system configurations used on s390x platform.
      
      To improve handling of the RPC message size the allocation during encode process
      is changed to a dynamic one (i.e. starting with 64kB initial size and increasing
      that size in steps up to 16MB if the payload data is larger).
      Signed-off-by: NDaniel Hansel <daniel.hansel@linux.vnet.ibm.com>
      Signed-off-by: NViktor Mihajlovski <mihajlov@linux.vnet.ibm.com>
      e914dcfd
    • P
      qemu: Do fake auto-allocation of ports when generating native command · 246d0068
      Peter Krempa 提交于
      When attempting to generate the native command line from an XML file
      that uses graphics port auto allocation, the generated commandline
      wouldn't be valid.
      
      This patch adds fake autoallocation of ports as done when starting the
      actual machine.
      246d0068
    • E
      build: always include libvirt_lxc.syms in tarball · ed11ab93
      Eric Blake 提交于
      On a mingw build, 'make distcheck' fails with:
      
        GEN      libvirt_qemu.def
      make[3]: *** No rule to make target `../../src/libvirt_lxc.syms', needed by `libvirt_lxc.def'.  Stop.
      
      I traced it to a missing entry in EXTRA_DIST.  But rather than keep
      the entire list in sync, it is easier to list the three syms files
      that drive .so files directly, and then reuse existing makefile
      variables for the remaining files (that is, I validated that all
      remaining files are added to SYM_FILES, possibly via USED_SYM_FILES,
      according to makefile conditionals).
      
      Problem introduced in commit 3d1596b0 (v1.0.2).
      
      * src/Makefile.am (EXTRA_DIST): Ensure all syms files are shipped.
      Signed-off-by: NEric Blake <eblake@redhat.com>
      ed11ab93
  4. 05 5月, 2013 1 次提交
    • M
      virstring: Introduce VIR_STRDUP and VIR_STRNDUP · c3abb5c4
      Michal Privoznik 提交于
      The code adaptation is not done right now, but in subsequent patches.
      Hence I am not implementing syntax-check rule as it would break
      compilation. Developers are strongly advised to use these new macros.
      They are similar to VIR_ALLOC() logic: VIR_STRDUP(dst, src) returns zero
      on success, -1 otherwise. In case you don't want to report OOM error,
      use the _QUIET variant of a macro.
      c3abb5c4
  5. 04 5月, 2013 1 次提交
  6. 03 5月, 2013 11 次提交
    • G
      Make detect_scsi_host_caps a function on all architectures · 58662f44
      Guido Günther 提交于
      In the non linux case some callers like gather_scsi_host_caps needed the
      return code of -1 while others like update_caps needed an empty
      statement (to avoid a "statement without effect" warning). This is much
      simpler solved by using a function instead of a define.
      58662f44
    • G
      Fixup rpcgen code on kFreeBSD too · b562d7b7
      Guido Günther 提交于
      since it uses glibc's rpcgen.
      b562d7b7
    • D
      Ignore 'uri' parameter in lockd driver · d80b5b7f
      Daniel P. Berrange 提交于
      A 'uri' parameter was added for the benefit of sanlock. This
      causes a warning in the lockd driver though
      
      2013-05-03 13:20:35.347+0000: 28403: error : virLockManagerLockDaemonNew:482 : internal error Unexpected parameter uri for object
      
      Ignore this parameter, since lockd does not require it and it
      is harmless if not used.
      Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>
      d80b5b7f
    • L
      network: fix network driver startup for qemu:///session · 2ffd87d8
      Laine Stump 提交于
      This should resolve https://bugzilla.redhat.com/show_bug.cgi?id=958907
      
      Recent new addition of code to read/write active network state to the
      NETWORK_STATE_DIR in the network driver broke startup for
      qemu:///session. The network driver had several state file paths
      hardcoded to /var, which could never possibly work in session mode.
      
      This patch modifies *all* state files to use a variable string that is
      set differently according to whether or not we're running
      privileged. (It turns out that logDir was never used, so it's been
      completely eliminated.)
      
      There are very definitely other problems preventing dnsmasq and radvd
      from running in non-privileged mode, but it's more consistent to have
      the directories used by them be determined in the same fashion.
      
      NB: I've noted before that the network driver is storing its state
      (including dnsmasq and radvd state) in /var/lib, while qemu stores its
      state in /var/run. It would probably have been better if the two
      matched, but it's been this way for a long time, and changing it would
      break running installations during an upgrade, so it's best to just
      leave it as it is.
      2ffd87d8
    • D
      Fix warning about unsupported cookie flags in QEMU driver · 848a08bc
      Daniel P. Berrange 提交于
      The QEMU migration code unconditionally sets the 'persistent'
      cookie flag on the source host. The dest host, however, only
      allows it during parsing if VIR_MIGRATE_PERSIST_DEST was
      set. Make the source host only set it if this flag is
      present.
      Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>
      848a08bc
    • D
      Fix release of resources with lockd plugin · 8dc93ffa
      Daniel P. Berrange 提交于
      The lockd plugin for the lock manager was not correctly
      handling the release of resource locks. This meant that
      during migration, or when pausing a VM, the locks would
      not get released. This in turn made it impossible to
      resume the domain, or finish migration
      8dc93ffa
    • D
      Fix F_DUPFD_CLOEXEC operation args · d6670a64
      Daniel P. Berrange 提交于
      The F_DUPFD_CLOEXEC operation with fcntl() expects a single
      int argument, specifying the minimum FD number for the newly
      dup'd file descriptor. We were not specifying that causing
      random stack data to be accessed as the FD number. Sometimes
      that worked, sometimes it didn't.
      Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>
      d6670a64
    • E
      build: avoid non-portable cast of pthread_t · 22d12905
      Eric Blake 提交于
      POSIX says pthread_t is opaque.  We can't guarantee if it is scaler
      or a pointer, nor what size it is; and BSD differs from Linux.
      We've also had reports of gcc complaining on attempts to cast it,
      if we use a cast to the wrong type (for example, pointers have to be
      cast to void* or intptr_t before being narrowed; while casting a
      function return of scalar pthread_t to void* triggers a different
      warning).
      
      Give up on casts, and use unions to get at decent bits instead.  And
      rather than futz around with figuring which 32 bits of a potentially
      64-bit pointer are most likely to be unique, convert the rest of
      the code base to use 64-bit values when using a debug id.
      
      Based on a report by Guido Günther against kFreeBSD, but with a
      fix that doesn't regress commit 4d970fd2 for FreeBSD.
      
      * src/util/virthreadpthread.c (virThreadSelfID, virThreadID): Use
      union to get at a decent bit representation of thread_t bits.
      * src/util/virthread.h (virThreadSelfID, virThreadID): Alter
      signature.
      * src/util/virthreadwin32.c (virThreadSelfID, virThreadID):
      Likewise.
      * src/qemu/qemu_domain.h (qemuDomainJobObj): Alter type of owner.
      * src/qemu/qemu_domain.c (qemuDomainObjTransferJob)
      (qemuDomainObjSetJobPhase, qemuDomainObjReleaseAsyncJob)
      (qemuDomainObjBeginNestedJob, qemuDomainObjBeginJobInternal): Fix
      clients.
      * src/util/virlog.c (virLogFormatString): Likewise.
      * src/util/vireventpoll.c (virEventPollInterruptLocked):
      Likewise.
      Signed-off-by: NEric Blake <eblake@redhat.com>
      22d12905
    • D
      Fix potential use of undefined variable in remote dispatch code · 31dbbb66
      Daniel P. Berrange 提交于
      If an early dispatch check caused a jump to the 'cleanup' branch
      then virTypeParamsFree() would be called with an uninitialized
      'nparams' variable. Fortunately 'params' is initialized to NULL,
      so the uninitialized 'nparams' variable would not be used.
      Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>
      31dbbb66
    • D
      Remove redundant () in expression · 377ac10c
      Daniel P. Berrange 提交于
      The use of () in a simple boolean comparison was not
      required
      Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>
      377ac10c
    • D
      Fix format string handling in network driver · 5c1678ab
      Daniel P. Berrange 提交于
      The call to virReportError conditionally switched between
      two format strings, with different numbers of placeholders.
      This meant the format string with no placeholders was not
      protected by a "%s".
      Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>
      5c1678ab