- 03 Feb, 2012 1 commit
-
-
Committed by Daniel P. Berrange
Currently security labels can be of type 'dynamic' or 'static'. If no security label is given, then 'dynamic' is assumed. The current code takes advantage of this default, and avoids even saving <seclabel> elements with type='dynamic' to disk. This means if you temporarily change security driver, the guests can all still start.

With the introduction of sVirt to LXC though, there needs to be a new default of 'none' to allow unconfined LXC containers.

This patch introduces two new security label types

  - default: the host configuration decides whether to run the guest with type 'none' or 'dynamic' at guest start
  - none: the guest will run unconfined by security policy

The 'none' label type will obviously be undesirable for some deployments, so a new qemu.conf option allows a host admin to mandate confined guests. It is also possible to turn off default confinement

    security_default_confined = 1|0 (default == 1)
    security_require_confined = 1|0 (default == 0)

* src/conf/domain_conf.c, src/conf/domain_conf.h: Add new seclabel types
* src/security/security_manager.c, src/security/security_manager.h: Set default sec label types
* src/security/security_selinux.c: Handle 'none' seclabel type
* src/qemu/qemu.conf, src/qemu/qemu_conf.c, src/qemu/qemu_conf.h, src/qemu/libvirtd_qemu.aug: New security config options
* src/qemu/qemu_driver.c: Tell security driver about default config
-
- 02 Feb, 2012 1 commit
-
-
Committed by Peter Krempa
This patch adds a new element <title> to the domain XML. This attribute can hold a short title defined by the user to ease the identification of domains. The title may not contain newlines and should be reasonably short.

*docs/formatdomain.html.in
*docs/schemas/domaincommon.rng
    - add schema grammar for the new element and documentation

*src/conf/domain_conf.c
*src/conf/domain_conf.h
    - add field to hold the new attribute
    - add code to parse and create XML with the new attribute
-
- 01 Feb, 2012 2 commits
-
-
Committed by Eric Blake
Commit 8a09ee41 tickles a bug in libxml2-2.7.6 on RHEL 6.2, where libxml2 treats the pattern [^\n] as excluding literal backslash and n, instead of the intended newline, thus failing to validate any domain name containing 'n'.

* docs/schemas/domaincommon.rng: Use literal newline instead.
-
Committed by Taku Izumi
This patch adds a new attribute "rawio" to the "disk" element of domain XML. Valid values of "rawio" attribute are "yes" and "no". rawio='yes' indicates the disk is desirous of CAP_SYS_RAWIO.

If you specify the following XML:

    <disk type='block' device='lun' rawio='yes'>
      ...
    </disk>

the domain will be granted CAP_SYS_RAWIO. (of course, the domain has to be executed with root privilege)

NOTE:
  - "rawio" attribute is only valid when device='lun'
  - At the moment, any other disks you won't use rawio can use rawio.

Signed-off-by: Taku Izumi <izumi.taku@jp.fujitsu.com>
-
- 31 Jan, 2012 2 commits
-
-
Committed by Laine Stump
This patch addresses: https://bugzilla.redhat.com/show_bug.cgi?id=781562

Along with the "rombar" option that controls whether or not a boot rom is made visible to the guest, qemu also has a "romfile" option that allows specifying a binary file to present as the ROM BIOS of any emulated or passthrough PCI device. This patch adds support for specifying romfile to both passthrough PCI devices, and emulated network devices that attach to the guest's PCI bus (just about everything other than ne2k_isa).

One example of the usefulness of this option is described in the bugzilla report: 82576 sriov network adapters don't provide a ROM BIOS for the card's virtual functions (VF), but an image of such a ROM is available, and with this ROM visible to the guest, it can PXE boot.

In libvirt's xml, the new option is configured like this:

    <hostdev>
      ...
      <rom file='/etc/fake/boot.bin'/>
      ...
    </hostdev>

(similarly for <interface>).
-
Committed by Laine Stump
When support for the rombar option was added, it was only added for PCI passthrough devices, configured with <hostdev>. The same option is available for any network device that is attached to the guest's PCI bus. This patch allows setting rombar for any PCI network device type. After adding cases to test this to qemuxml2argv-hostdev-pci-rombar.*, I decided to rename those files (to qemuxml2argv-pci-rom.*) to more accurately reflect the additional tests, and also noticed that up to now we've only been performing a domainschematest for that case, so I added the "pci-rom" test to both qemuxml2argv and qemuxml2xml (and in the process found some bugs whose fixes I squashed into previous commits of this series).
-
- 27 Jan, 2012 1 commit
-
-
Committed by Paolo Bonzini
Add kvmclock timer to documentation, schema and parsers. Keep the platform timer first since it is kind of special, and alphabetize the others when possible (i.e. when it does not change the ABI).

Reviewed-by: Jiri Denemark <jdenemar@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-
- 26 Jan, 2012 2 commits
-
-
Committed by Daniel P. Berrange
-
Committed by Peter Krempa
The domain schema enforced restrictions on the domain name string that the code doesn't. This patch relaxes the check, leaving the restrictions on the driver or hypervisor. The only invalid character is a newline.
-
- 25 Jan, 2012 1 commit
-
-
Committed by Zeeshan Ali (Khattak)
Applications can now insert custom nodes and hierarchies into domain configuration XML. Although currently not enforced, applications are required to use their own namespaces on every custom node they insert, with only one top-level element per namespace.
-
- 18 Jan, 2012 1 commit
-
-
Committed by Deepak C Shetty
This introduces new attribute wrpolicy with only supported value as immediate. This will be an optional attribute with no defaults. This helps specify whether to skip the host page cache.

When wrpolicy is specified, meaning when wrpolicy=immediate a writeback is explicitly initiated for the dirty pages in the host page cache as part of the guest file write operation.

Usage:

    <filesystem type='mount' accessmode='passthrough'>
      <driver type='path' wrpolicy='immediate'/>
      <source dir='/export/to/guest'/>
      <target dir='mount_tag'/>
    </filesystem>

Currently this only works with type='mount' for the QEMU/KVM driver.

Signed-off-by: Deepak C Shetty <deepakcs@linux.vnet.ibm.com>
-
- 17 Jan, 2012 3 commits
-
-
Committed by Jiri Denemark
The mode can be either of "custom" (default), "host-model", "host-passthrough". The semantics of each mode is described in the following examples:

  - guest CPU is a default model with specified topology:

      <cpu>
        <topology sockets='1' cores='2' threads='1'/>
      </cpu>

  - guest CPU matches selected model:

      <cpu mode='custom' match='exact'>
        <model>core2duo</model>
      </cpu>

  - guest CPU should be a copy of host CPU as advertised by capabilities XML (this is a short cut for manually copying host CPU specification from capabilities to domain XML):

      <cpu mode='host-model'/>

    In case a hypervisor does not support the exact host model, libvirt automatically falls back to a closest supported CPU model and removes/adds features to match host. This behavior can be disabled by

      <cpu mode='host-model'>
        <model fallback='forbid'/>
      </cpu>

  - the same as previous returned by virDomainGetXMLDesc with VIR_DOMAIN_XML_UPDATE_CPU flag:

      <cpu mode='host-model' match='exact'>
        <model fallback='allow'>Penryn</model>       --+
        <vendor>Intel</vendor>                         |
        <topology sockets='2' cores='4' threads='1'/>  + copied from
        <feature policy='require' name='dca'/>         | capabilities XML
        <feature policy='require' name='xtpr'/>        |
        ...                                          --+
      </cpu>

  - guest CPU should be exactly the same as host CPU even in the aspects libvirt doesn't model (such domain cannot be migrated unless both hosts contain exactly the same CPUs):

      <cpu mode='host-passthrough'/>

  - the same as previous returned by virDomainGetXMLDesc with VIR_DOMAIN_XML_UPDATE_CPU flag:

      <cpu mode='host-passthrough' match='minimal'>
        <model>Penryn</model>                        --+ copied from caps
        <vendor>Intel</vendor>                         | XML but doesn't
        <topology sockets='2' cores='4' threads='1'/>  | describe all
        <feature policy='require' name='dca'/>         | aspects of the
        <feature policy='require' name='xtpr'/>        | actual guest CPU
        ...                                          --+
      </cpu>
-
Committed by Jiri Denemark
In case a hypervisor doesn't support the exact CPU model requested by a domain XML, we automatically fall back to a closest CPU model the hypervisor supports (and make sure we add/remove any additional features if needed). This patch adds 'fallback' attribute to model element, which can be used to disable this automatic fallback.
-
Committed by Osier Yang
We support <interface> of type "mcast", "server", and "client", but the RNG schema for them is missing. Attribute "address" is optional for "server" type. And these 3 types support <mac address='MAC'/>, too.
-
- 16 Jan, 2012 2 commits
-
-
Committed by Osier Yang
Though <alias> is ignored when defining a domain, it can cause failure if one validates (e.g. virt-xml-validate) the XML dumped from a running domain. This patch exposes it in domain RNG schema for all the devices which support it.
-
Committed by Osier Yang
"<readonly/>" is supported by filesystem XML, and also documented.
-
- 14 Jan, 2012 3 commits
-
-
Committed by Michael Ellerman
The "unit" attribute of a drive address is optional in the code, so should also be in the XML schema.

Signed-off-by: Michael Ellerman <michael@ellerman.id.au>
-
Committed by Paolo Bonzini
Adding a new model for virtio-scsi roughly follows the same scheme as the previous patch.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-
Committed by Paolo Bonzini
KVM will be able to use a PCI SCSI controller even on POWER. Let the user specify the vSCSI controller by other means than a default. After this patch, the QEMU driver will actually look at the model and reject anything but auto, lsilogic and ibmvscsi.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-
- 13 Jan, 2012 1 commit
-
-
Committed by Osier Yang
The newly introduced optional attribute "copy_on_read" controls whether to copy read backing file into the image file. The value can be either "on" or "off". Copy-on-read avoids accessing the same backing file sectors repeatedly and is useful when the backing file is over a slow network. By default copy-on-read is off.
-
- 12 Jan, 2012 1 commit
-
-
Committed by Shradha Shah
This element will help the user to just specify the SR-IOV physical function in order to access all the Virtual functions attached to it.
-
- 11 Jan, 2012 1 commit
-
-
Committed by Stefan Berger
This patch introduces the capability to use a different iterator per variable.

The currently supported notation of variables in a filtering rule like

    <rule action='accept' direction='out'>
      <tcp srcipaddr='$A' srcportstart='$B'/>
    </rule>

processes the two lists 'A' and 'B' in parallel. This means that A and B must have the same number of 'N' elements and that 'N' rules will be instantiated (assuming all tuples from A and B are unique).

In this patch we now introduce the assignment of variables to different iterators. Therefore a rule like

    <rule action='accept' direction='out'>
      <tcp srcipaddr='$A[@1]' srcportstart='$B[@2]'/>
    </rule>

will now create every combination of elements in A with elements in B since A has been assigned to an iterator with Id '1' and B has been assigned to an iterator with Id '2', thus processing their value independently.

The first rule has an equivalent notation of

    <rule action='accept' direction='out'>
      <tcp srcipaddr='$A[@0]' srcportstart='$B[@0]'/>
    </rule>
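
The iterator semantics described in the commit message above, modelled as an added Python example. It is not part of the commit and not libvirt code; `parse_ref`, `expand_rule` and the sample values are hypothetical names and constructed data used only to show how many rules a given notation instantiates.

```python
import re
from itertools import product

# "$A" (implicit iterator 0) or "$A[@2]" (explicit iterator id), as in the message.
VAR_REF = re.compile(r"^\$([A-Za-z_][A-Za-z0-9_]*)(?:\[@(\d+)\])?$")

# Constructed sample variable lists, not taken from any real filter.
SAMPLE_VARS = {"A": ["10.0.0.1", "10.0.0.2"], "B": ["80", "443"]}


def parse_ref(text):
    """Return (variable name, iterator id) for '$A' or '$A[@1]'."""
    m = VAR_REF.match(text)
    if m is None:
        raise ValueError(f"not a variable reference: {text!r}")
    return m.group(1), int(m.group(2) or 0)


def expand_rule(attrs, variables):
    """Expand one rule's attributes into the concrete rules it instantiates.

    attrs:     {attribute name: literal value or variable reference}
    variables: {variable name: list of values}
    """
    refs = {}     # attribute -> (variable name, iterator id)
    by_iter = {}  # iterator id -> set of variable names bound to it
    for attr, value in attrs.items():
        if value.startswith("$"):
            name, it = parse_ref(value)
            if name not in variables:
                raise KeyError(f"undefined variable {name}")
            refs[attr] = (name, it)
            by_iter.setdefault(it, set()).add(name)

    # Variables sharing an iterator advance in lockstep, so their
    # lists must have the same number of elements.
    iter_ids = sorted(by_iter)
    ranges = []
    for it in iter_ids:
        lengths = {len(variables[n]) for n in by_iter[it]}
        if len(lengths) != 1:
            raise ValueError(f"iterator {it}: lists differ in length")
        ranges.append(range(lengths.pop()))

    # Distinct iterators are independent: walk every combination of
    # positions. Identical tuples collapse into one rule, matching the
    # "assuming all tuples are unique" remark in the message.
    rules, seen = [], set()
    for positions in product(*ranges):
        pos = dict(zip(iter_ids, positions))
        rule = {}
        for attr, value in attrs.items():
            if attr in refs:
                name, it = refs[attr]
                value = variables[name][pos[it]]
            rule[attr] = value
        key = tuple(sorted(rule.items()))
        if key not in seen:
            seen.add(key)
            rules.append(rule)
    return rules


if __name__ == "__main__":
    for notation in (("$A", "$B"), ("$A[@1]", "$B[@2]")):
        attrs = {"srcipaddr": notation[0], "srcportstart": notation[1]}
        print(notation, len(expand_rule(attrs, SAMPLE_VARS)), "rules")
```

When auditing a filter, the rule count is the thing to check: moving a variable to its own iterator multiplies the number of accepted address/port combinations rather than pairing them one to one.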
-
- 09 Jan, 2012 1 commit
-
-
Committed by Laine Stump
In the past, generic SCSI commands issued from a guest to a virtio disk were always passed through to the underlying disk by qemu, and the kernel would also pass them on.

As a result of CVE-2011-4127 (see: http://seclists.org/oss-sec/2011/q4/536), qemu now honors its scsi=on|off device option for virtio-blk-pci (which enables/disables passthrough of generic SCSI commands), and the kernel will only allow the commands for physical devices (not for partitions or logical volumes). The default behavior of qemu is still to allow sending generic SCSI commands to physical disks that are presented to a guest as virtio-blk-pci devices, but libvirt prefers to disable those commands in the standard virtio block devices, enabling it only when specifically requested (hopefully indicating that the requester understands what they're asking for). For this purpose, a new libvirt disk device type (device='lun') has been created.

device='lun' is identical to the default device='disk', except that:

1) It is only allowed if bus='virtio', type='block', and the qemu version is "new enough" to support it ("new enough" == qemu 0.11 or better), otherwise the domain will fail to start and a CONFIG_UNSUPPORTED error will be logged.

2) The option "scsi=on" will be added to the -device arg to allow SG_IO commands (if device !='lun', "scsi=off" will be added to the -device arg so that SG_IO commands are specifically forbidden).

Guests which continue to use disk device='disk' (the default) will no longer be able to use SG_IO commands on the disk; those that have their disk device changed to device='lun' will still be able to use SG_IO commands.

*docs/formatdomain.html.in - document the new device attribute value.
*docs/schemas/domaincommon.rng - allow it in the RNG
*tests/* - update the args of several existing tests to add scsi=off, and add one new test that will test scsi=on.
*src/conf/domain_conf.c - update domain XML parser and formatter
*src/qemu/qemu_(command|driver|hotplug).c - treat VIR_DOMAIN_DISK_DEVICE_LUN *almost* identically to VIR_DOMAIN_DISK_DEVICE_DISK, except as indicated above.

Note that no support for this new device value was added to any hypervisor drivers other than qemu, because it's unclear what it might mean (if anything) to those drivers.
-
- 04 Jan, 2012 1 commit
-
-
Committed by Jiri Denemark
We already support CPU features with '.' in their name (e.g., sse4.1) so we should not forbid that in the schema.
-
- 02 Jan, 2012 1 commit
-
-
Committed by Michal Novotny
Hi, this is the fifth version of my SRV record for DNSMasq patch rebased for the current codebase to the bridge driver and libvirt XML file to include support for the SRV records in the DNS. The syntax is based on DNSMasq man page and tests for both xml2xml and xml2argv were added as well. There are some things written a better way in comparison with version 4, mainly there's no hack in tests/networkxml2argvtest.c and also the xPath context is changed to use a simpler query using the virXPathInt() function relative to the current node.

Also, the patch is also fixing the networkxml2argv test to pass both checks, i.e. both unit tests and also syntax check.

Please review,
Michal

Signed-off-by: Michal Novotny <minovotn@redhat.com>
-
- 30 Dec, 2011 2 commits
-
-
Committed by Eric Blake
When doing security relabeling, there are cases where a per-file override might be appropriate. For example, with a static label and relabeling, it might be appropriate to skip relabeling on a particular disk, where the backing file lives on NFS that lacks the ability to track labeling. Or with dynamic labeling, it might be appropriate to use a custom (non-dynamic) label for a disk specifically intended to be shared across domains.

The new XML resembles the top-level <seclabel>, but with fewer options (basically relabel='no', or <label>text</label>):

    <domain ...>
      ...
      <devices>
        <disk type='file' device='disk'>
          <source file='/path/to/image1'>
            <seclabel relabel='no'/> <!-- override for just this disk -->
          </source>
          ...
        </disk>
        <disk type='file' device='disk'>
          <source file='/path/to/image1'>
            <seclabel relabel='yes'> <!-- override for just this disk -->
              <label>system_u:object_r:shared_content_t:s0</label>
            </seclabel>
          </source>
          ...
        </disk>
        ...
      </devices>
      <seclabel type='dynamic' model='selinux'>
        <baselabel>text</baselabel> <!-- used for all devices without override -->
      </seclabel>
    </domain>

This patch only introduces the XML and documentation; future patches will actually parse and make use of it. The intent is that we can further extend things as needed, adding a per-device <seclabel> in more places (such as the source of a console device), and possibly allowing a <baselabel> instead of <label> for labeling where we want to reuse the cNNN,cNNN pair of a dynamically labeled domain but a different base label.

First suggested by Daniel P. Berrange here: https://www.redhat.com/archives/libvir-list/2011-December/msg00258.html

* docs/schemas/domaincommon.rng (devSeclabel): New define. (disk): Use it.
* docs/formatdomain.html.in (elementsDisks, seclabel): Document the new XML.
* tests/qemuxml2argvdata/qemuxml2argv-seclabel-dynamic-override.xml: New test, to validate RNG.
-
Committed by Eric Blake
The RNG for <seclabel> was too strict - if it was present, then it had to have sub-elements, even if those didn't make sense for the given attributes. Also, we didn't have any tests of <seclabel> parsing or XML output. In this patch, I added more parsing tests than output tests (since the output populates and/or reorders fields not present in certain inputs). Making the RNG reliable is a precursor to using <seclabel> variants in more places in the XML in later patches.

See also: http://berrange.com/posts/2011/09/29/two-small-improvements-to-svirt-guest-configuration-flexibility-with-kvmlibvirt/

* docs/schemas/domaincommon.rng (seclabel): Tighten rules.
* tests/qemuxml2argvtest.c (mymain): New tests.
* tests/qemuxml2xmltest.c (mymain): Likewise.
* tests/qemuxml2argvdata/qemuxml2argv-seclabel-*.*: New files.
-
- 21 Dec, 2011 1 commit
-
-
Committed by Bharata B Rao
Original patch by Bharata. Updated to use {1,16} in spaprvioReg based on example from Eric Blake.

Signed-off-by: Bharata B Rao <bharata@linux.vnet.ibm.com>
Signed-off-by: Prerna Saxena <prerna@linux.vnet.ibm.com>
Signed-off-by: Michael Ellerman <michael@ellerman.id.au>
-
- 10 Dec, 2011 1 commit
-
-
Committed by Eric Blake
In QEMU PPC64 we have a network device called "spapr-vlan". We can specify this using the existing syntax for network devices, however libvirt currently rejects "spapr-vlan" in virDomainNetDefParseXML() because of the "-". Fix the code to accept "-".

* src/conf/domain_conf.c (virDomainNetDefParseXML): Allow '-' in model name, and be more efficient.
* docs/schemas/domaincommon.rng: Limit valid model names to match code.

Based on a patch by Michael Ellerman.
-
- 08 Dec, 2011 1 commit
-
-
Committed by Bharata B Rao
ppc64 as new arch type and pseries as new machine type are added under <os> ... </os>.

Signed-off-by: Bharata B Rao <bharata@linux.vnet.ibm.com>
Signed-off-by: Prerna Saxena <prerna@linux.vnet.ibm.com>
-
- 07 Dec, 2011 1 commit
-
-
Committed by Osier Yang
This patch is to expose the fabric_name of fc_host class, which might be useful for users who want to know which fabric the (v)HBA connects to. The patch also adds the missed capabilities' XML schema of scsi_host, (of course, with fabric_wwn added), and update the documents (docs/formatnode.html.in)
-
- 01 Dec, 2011 1 commit
-
-
Committed by Lei Li
Enable block I/O throttle for per-disk in XML, as the first per-disk IO tuning parameter.

Signed-off-by: Lei Li <lilei@linux.vnet.ibm.com>
Signed-off-by: Zhi Yong Wu <wuzhy@linux.vnet.ibm.com>
Signed-off-by: Eric Blake <eblake@redhat.com>
-
- 30 Nov, 2011 2 commits
-
-
Committed by Daniel P. Berrange
The capabilities XML uses the x86 specific terms 'S3', 'S4' and 'Hybrid-Suspend'. Switch it to use the same terminology as the API constants and virsh options, eg 'suspend_mem' 'suspend_disk' and 'suspend_hybrid'

* docs/formatcaps.html.in, docs/schemas/capability.rng, src/conf/capabilities.c: Rename suspend constants
-
Committed by Hu Tao
This adds per-device weights to <blkiotune>. Note that the cgroups implementation only supports weights per block device, and not per-file within the device; hence this option must be global to the domain definition rather than tied to individual <devices>/<disk> entries:

    <domain ...>
      <blkiotune>
        <device>
          <path>/path/to/block</path>
          <weight>1000</weight>
        </device>
      </blkiotune>
    ..

This patch also adds a parameter --device-weights to virsh command blkiotune for setting/getting blkiotune.weight_device for any hypervisor that supports it. All <device> entries under <blkiotune> are concatenated into a single string attribute under virDomain{Get,Set}BlkioParameters, named "device_weight".

Signed-off-by: Hu Tao <hutao@cn.fujitsu.com>
Signed-off-by: Eric Blake <eblake@redhat.com>
-
- 29 Nov, 2011 2 commits
-
-
Committed by Srivatsa S. Bhat
Some systems support a feature known as 'Hybrid-Suspend', apart from the usual system-wide sleep states such as Suspend-to-RAM (S3) or Suspend-to-Disk (S4). Add the functionality to discover this power management feature and export it in the capabilities XML under the <power_management> tag.
-
Committed by Lorin Hochstein
virt-xml-validate fails when run on a domain XML file of type 'vbox'. For failing test case, see https://bugzilla.redhat.com/show_bug.cgi?id=757097

This patch updates the XML schema to accept all valid hypervisor types, as well as dropping hypervisor types that are not in use by the current code base.

Signed-off-by: Eric Blake <eblake@redhat.com>
-
- 23 Nov, 2011 2 commits
-
-
Committed by Stefan Berger
This patch adds support for filtering of STP (spanning tree protocol) traffic to the parser and makes use of the ebtables support for STP filtering. This code now enables the filtering of traffic in chains with prefix 'stp'.

Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
-
Committed by Stefan Berger
With hunks borrowed from one of David Stevens' previous patches, we now add the capability of having a 'mac' chain which is useful to filter for multiple valid MAC addresses.

Signed-off-by: David L Stevens <dlstevens@us.ibm.com>
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
-
- 22 Nov, 2011 1 commit
-
-
Committed by Srivatsa S. Bhat
This patch exports KVM Host Power Management capabilities as XML so that higher-level systems management software can make use of these features available in the host.

The script "pm-is-supported" (from pm-utils package) is run to discover if Suspend-to-RAM (S3) or Suspend-to-Disk (S4) is supported by the host. If either of them are supported, then a new tag "<power_management>" is introduced in the XML under the <host> tag.

However in case the query to check for power management features succeeded, but the host does not support any such feature, then the XML will contain an empty <power_management/> tag. In the event that the PM query itself failed, the XML will not contain any "power_management" tag.

To use this, new APIs could be implemented in libvirt to exploit power management features such as S3/S4.
-
- 19 Nov, 2011 1 commit
-
-
Committed by Stefan Berger
This patch adds support for filtering of VLAN (802.1Q) traffic to the parser and makes use of the ebtables support for VLAN filtering. This code now enables the filtering of traffic in chains with prefix 'vlan'.

Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
-