Similarly to other error codes that notify the user that the object does
not exist lower the priority of VIR_ERR_NO_DOMAIN_METADATA to
VIR_LOG_DEBUG when writing the log entry.

Extend it to a universal helper used for clearing lists of any objects.
Note that the argument type is specifically void * to allow implicit
typecasting.

Additionally add a helper that works on non-NULL terminated arrays once
we know the length.

Add logrotate config for log files in /var/log/libvirt/libxl.

Many users, who admin their own machines, want to be able to access
system libvirtd via tools like virt-manager without having to enter
a root password. Just google 'virt-manager without password' and
you'll find many hits. I've read at least 5 blog posts over the years
describing slightly different ways of achieving this goal.

Let's finally add official support for this.

Install a polkit-1 rules file granting password-less auth for any user
in the new 'libvirt' group. Create the group on RPM install

https://bugzilla.redhat.com/show_bug.cgi?id=957300

In a lot places we use path like this:

  $(srcdir)/../src/....

when in fact it can be:

  $(top_srcdir)/src/
Signed-off-by: NMichal Privoznik <mprivozn@redhat.com>

Apparently, files in /usr/lib/sysctl.d are usually prefixed with numbers
for easier ordering. Let's be consistent with this. I chose 60 for
libvirtd so that it goes after 50-default.conf.

https://bugzilla.redhat.com/show_bug.cgi?id=1084876Signed-off-by: NJiri Denemark <jdenemar@redhat.com>

The counterpart to VIR_DOMAIN_EVENT_ID_DEVICE_REMOVED.

https://bugzilla.redhat.com/show_bug.cgi?id=1206114

No longer needed after commit dd477238

In the order of appearance:

* MAX_LISTEN - never used
  added by 23ad665c (qemud) and addec57 (lock daemon)

* NEXT_FREE_CLASS_ID - never used, added by 07d1b6b5

* virLockError - never used, added by eb8268a4

* OPENVZ_MAX_ARG, CMDBUF_LEN, CMDOP_LEN
  unused since the removal of ADD_ARG_LIT in d8b31306

* QEMU_NB_PER_CPU_STAT_PARAM - unused since 897808e7

* QEMU_CMD_PROMPT, QEMU_PASSWD_PROMPT - unused since 1dc10a7b

* TEST_MODEL_WORDSIZE - unused since c25c18f7

* TEMPDIR - never used, added by 714bef5b

* NSIG - workaround around old headers
  added by commit 60ed1d2a
  unused since virExec was moved by commit 02e86910

* DO_TEST_PARSE - never used, added by 9afa0060

* DIFF_MSEC, GETTIMEOFDAY - unused since eee6eb66

While it returns info about multiple threads, the version
without the plural is easier to read.

This function only frees the info for one thread.

The fake object is used to pass the domain name and UUID to the ACL code
for events where we don't have the full domain def when dispatching
events. The rest of the entries would be left uninitialized. While this
is not a problem code-wise as the used fields are initialized it looks
ugly in the debugger.

Since all APIs are also RPC calls, we automatically get all APIs covered
with thread jobs.
Signed-off-by: NJiri Denemark <jdenemar@redhat.com>

Not all NICs (esp. the virtual ones like TUN) must have a hardware
address. Teach our RPC that it's possible.
Signed-off-by: NMichal Privoznik <mprivozn@redhat.com>

daemon/remote.c
   * Define remoteSerializeDomainInterface, remoteDispatchDomainInterfaceAddresses

src/remote/remote_driver.c
   * Define remoteDomainInterfaceAddresses

src/remote/remote_protocol.x
   * New RPC procedure: REMOTE_PROC_DOMAIN_INTERFACE_ADDRESSES
   * Define structs remote_domain_ip_addr, remote_domain_interface,
     remote_domain_interfaces_addresse_args, remote_domain_interface_addresses_ret
   * Introduce upper bounds (to handle DoS attacks):
     REMOTE_DOMAIN_INTERFACE_MAX = 2048
     REMOTE_DOMAIN_IP_ADDR_MAX = 2048
     Restrictions on the maximum number of aliases per interface were
     removed after kernel v2.0, and theoretically, at present, there
     are no upper limits on number of interfaces per virtual machine
     and on the number of IP addresses per interface.

src/remote_protocol-structs
   * New structs added
Signed-off-by: NNehal J Wani <nehaljw.kkd1@gmail.com>

Commit 4f25146b (v1.2.8) managed to silence Coverity, but at the
cost of a memory leak detected by valgrind:
==24129== 40 bytes in 5 blocks are definitely lost in loss record 355 of 637
==24129==    at 0x4A08B1C: realloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==24129==    by 0x5084B8E: virReallocN (viralloc.c:245)
==24129==    by 0x514D5AA: virDomainObjListExport (domain_conf.c:22200)
==24129==    by 0x201227DB: qemuConnectListAllDomains (qemu_driver.c:18042)
==24129==    by 0x51CC1B6: virConnectListAllDomains (libvirt-domain.c:6797)
==24129==    by 0x14173D: remoteDispatchConnectListAllDomains (remote.c:1580)
==24129==    by 0x121BE1: remoteDispatchConnectListAllDomainsHelper (remote_dispatch.h:1072)

In short, every time a client calls a ListAll variant and asks
for the resulting list, but there are 0 elements to return, we
end up leaking the 1-entry array that holds the NULL terminator.

What's worse, a read-only client can access these functions in a
tight loop to cause libvirtd to eventually run out of memory; and
this can be considered a denial of service attack against more
privileged clients.  Thankfully, the leak is so small (8 bytes per
call) that you would already have some other denial of service with
any guest calling the API that frequently, so an out-of-memory
crash is unlikely enough that this did not warrant a CVE.

* daemon/remote.c (remoteDispatchConnectListAllDomains)
(remoteDispatchDomainListAllSnapshots)
(remoteDispatchDomainSnapshotListAllChildren)
(remoteDispatchConnectListAllStoragePools)
(remoteDispatchStoragePoolListAllVolumes)
(remoteDispatchConnectListAllNetworks)
(remoteDispatchConnectListAllInterfaces)
(remoteDispatchConnectListAllNodeDevices)
(remoteDispatchConnectListAllNWFilters)
(remoteDispatchConnectListAllSecrets)
(remoteDispatchNetworkGetDHCPLeases): Plug leak.
Signed-off-by: NEric Blake <eblake@redhat.com>

Implement the remote plumbing for virDomainGetIOThreadsInfo
Signed-off-by: NJohn Ferlan <jferlan@redhat.com>

Libvirt could crash with segfault if user issue "service reload" right
after "service start". One possible way to crash libvirt is to run reload
during initialization of QEMU driver.

It could happen when qemu driver will initialize qemu_driver_lock but
don't have a time to set it's "config" and the SIGHUP arrives. The
reload handler tries to get qemu_drv->config during "virStorageAutostart"
and dereference it which ends with segfault.

Let's ignore all reload requests until all drivers are initialized. In
addition set driversInitialized before we enter virStateCleanup to
ignore reload request while we are shutting down.

Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1179981Signed-off-by: NPavel Hrdina <phrdina@redhat.com>

not yet not -> not yet.
Signed-off-by: NZhang Bo <oscar.zhangbo@huawei.com>

libvirtd.c: In function 'daemonSetupAccessManager':
libvirtd.c:730:18: error: declaration of 'driver' shadows
  a global declaration [-Werror=shadow]
     const char **driver = (const char **)config->access_drivers;
                  ^
In file included from libvirtd.c:95:0:
../src/node_device/node_device_driver.h:43:36: error: shadowed
  declaration is here [-Werror=shadow]
 extern virNodeDeviceDriverStatePtr driver;
                                    ^

For stateless, client side drivers, it is never correct to
probe for secondary drivers. It is only ever appropriate to
use the secondary driver that is associated with the
hypervisor in question. As a result the ESX & HyperV drivers
have both been forced to do hacks where they register no-op
drivers for the ones they don't implement.

For stateful, server side drivers, we always just want to
use the same built-in shared driver. The exception is
virtualbox which is really a stateless driver and so wants
to use its own server side secondary drivers. To deal with
this virtualbox has to be built as 3 separate loadable
modules to allow registration to work in the right order.

This can all be simplified by introducing a new struct
recording the precise set of secondary drivers each
hypervisor driver wants

struct _virConnectDriver {
    virHypervisorDriverPtr hypervisorDriver;
    virInterfaceDriverPtr interfaceDriver;
    virNetworkDriverPtr networkDriver;
    virNodeDeviceDriverPtr nodeDeviceDriver;
    virNWFilterDriverPtr nwfilterDriver;
    virSecretDriverPtr secretDriver;
    virStorageDriverPtr storageDriver;
};

Instead of registering the hypervisor driver, we now
just register a virConnectDriver instead. This allows
us to remove all probing of secondary drivers. Once we
have chosen the primary driver, we immediately know the
correct secondary drivers to use.
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>

https://bugzilla.redhat.com/show_bug.cgi?id=1160995

In our config files users are expected to pass several integer values
for different configuration knobs. However, majority of them expect a
nonnegative number and only a few of them accept a negative number too
(notably keepalive_interval in libvirtd.conf).
Therefore, a new type to config value is introduced: VIR_CONF_ULONG
that is set whenever an integer is positive or zero. With this
approach knobs accepting VIR_CONF_LONG should accept VIR_CONF_ULONG
too.
Signed-off-by: NMichal Privoznik <mprivozn@redhat.com>

There's no need to implement ToString() function like we do if we
can use our shiny macros.
Signed-off-by: NMichal Privoznik <mprivozn@redhat.com>

Since virDomainSnapshotFree will call virObjectUnref anyway, let's just use
that directly so as to avoid the possibility that we inadvertently clear out
a pending error message when using the public API.

Since virInterfaceFree will call virObjectUnref anyway, let's just use that
directly so as to avoid the possibility that we inadvertently clear out
a pending error message when using the public API.

Since virNWFilterFree will call virObjectUnref anyway, let's just use that
directly so as to avoid the possibility that we inadvertently clear out
a pending error message when using the public API.

Since virSecretFree will call virObjectUnref anyway, let's just use that
directly so as to avoid the possibility that we inadvertently clear out
a pending error message when using the public API.

Since virStreamFree will call virObjectUnref anyway, let's just use that
directly so as to avoid the possibility that we inadvertently clear out
a pending error message when using the public API.

Since virStoragePoolFree will call virObjectUnref anyway, let's just use that
directly so as to avoid the possibility that we inadvertently clear out
a pending error message when using the public API.

Since virStorageVolFree will call virObjectUnref anyway, let's just use that
directly so as to avoid the possibility that we inadvertently clear out
a pending error message when using the public API.

Since virNodeDeviceFree will call virObjectUnref anyway, let's just use that
directly so as to avoid the possibility that we inadvertently clear out
a pending error message when using the public API.

Since virNetworkFree will call virObjectUnref anyway, let's just use that
directly so as to avoid the possibility that we inadvertently clear out
a pending error message when using the public API.

Since virDomainFree will call virObjectUnref anyway, let's just use that
directly so as to avoid the possibility that we inadvertently clear out
a pending error message when using the public API.

Add daemon and driver code to (de-)serialize virDomainFSInfo.
Signed-off-by: NTomoki Sekiyama <tomoki.sekiyama@hds.com>

As qemu is now able to notify us about change of the channel state used
for communication with the guest agent we now can more precisely track
the state of the guest agent.

To allow notifying management apps this patch implements a new event
that will be triggered on changes of the guest agent state.

Signed-off-by: NMartin Kletzander <mkletzan@redhat.com>

We weren't ever using the value for anything other than being non-zero.

* src/util/viraudit.h (virAuditLog): Change signature.
* src/util/viraudit.c (virAuditLog): Update user.
* daemon/libvirtd.c (main): Likewise.
Signed-off-by: NEric Blake <eblake@redhat.com>

It would be nice to also print a params pointer and number of params in
the debug message and the previous limit for number of params in the rpc
message was too large. The 2048 params will be enough for future events.
Signed-off-by: NPavel Hrdina <phrdina@redhat.com>

A long time ago in a galaxy far, far away it has been decided
that libvirt will manage not only domains but host as well. And
with my latest work on qemu driver supporting huge pages, we miss
the cherry on top: an API to allocate huge pages on the run.
Currently users are forced to log into the host and adjust the
huge pages pool themselves.  However, with this API the problem
is gone - they can both size up and size down the pool.
Signed-off-by: NMichal Privoznik <mprivozn@redhat.com>

Convert the remote daemon auth check and the access control
code to use the common polkit API for checking auth.
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>