- 06 6月, 2018 18 次提交
-
-
由 Stefan Berger 提交于
In this patch we label the swtpm process with SELinux labels. We give it the same label as the QEMU process has. We label its state directory and files as well. We restore the old security labels once the swtpm has terminated. The file and process labels now look as follows: Directory: /var/lib/libvirt/swtpm [root@localhost swtpm]# ls -lZ total 4 rwx------. 2 tss tss system_u:object_r:svirt_image_t:s0:c254,c932 4096 Apr 5 16:46 testvm [root@localhost testvm]# ls -lZ total 8 -rw-r--r--. 1 tss tss system_u:object_r:svirt_image_t:s0:c254,c932 3648 Apr 5 16:46 tpm-00.permall The log in /var/log/swtpm/libvirt/qemu is labeled as follows: -rw-r--r--. 1 tss tss system_u:object_r:svirt_image_t:s0:c254,c932 2237 Apr 5 16:46 vtpm.log [root@localhost 485d0004-a48f-436a-8457-8a3b73e28567]# ps auxZ | grep swtpm | grep ctrl | grep -v grep system_u:system_r:svirt_t:s0:c254,c932 tss 25664 0.0 0.0 28172 3892 ? Ss 16:57 0:00 /usr/bin/swtpm socket --daemon --ctrl type=unixio,path=/var/run/libvirt/qemu/swtpm/testvm-swtpm.sock,mode=0660 --tpmstate dir=/var/lib/libvirt/swtpm/testvm/tpm1.2 --log file=/var/log/swtpm/libvirt/qemu/testvm-swtpm.log [root@localhost 485d0004-a48f-436a-8457-8a3b73e28567]# ps auxZ | grep qemu | grep tpm | grep -v grep system_u:system_r:svirt_t:s0:c254,c932 qemu 25669 99.0 0.0 3096704 48500 ? Sl 16:57 3:28 /bin/qemu-system-x86_64 [..] Signed-off-by: NStefan Berger <stefanb@linux.vnet.ibm.com> Reviewed-by: NJohn Ferlan <jferlan@redhat.com> Reviewed-by: NJán Tomko <jtomko@redhat.com>
-
由 Stefan Berger 提交于
This patch adds support for an external swtpm TPM emulator. The XML for this type of TPM looks as follows: <tpm model='tpm-tis'> <backend type='emulator'/> </tpm> The XML will currently only start a TPM 1.2. Upon first start, libvirt will run `swtpm_setup`, which will simulate the manufacturing of a TPM and create certificates for it and write them into NVRAM locations of the emulated TPM. After that libvirt starts the swtpm TPM emulator using the `swtpm` executable. Once the VM terminates, libvirt uses the swtpm_ioctl executable to gracefully shut down the `swtpm` in case it is still running (QEMU did not send shutdown) or clean up the socket file. The above mentioned executables must be found in the PATH. The executables can either be run as root or started as root and switch to the tss user. The requirement for the tss user comes through 'tcsd', which is used for the simulation of the manufacturing. Which user is used can be configured through qemu.conf. By default 'tss' is used. The swtpm writes out state into files. The state is kept in /var/lib/libvirt/swtpm: [root@localhost libvirt]# ls -lZ | grep swtpm drwx--x--x. 7 root root unconfined_u:object_r:virt_var_lib_t:s0 4096 Apr 5 16:22 swtpm The directory /var/lib/libvirt/swtpm maintains per-TPM state directories. (Using the uuid of the VM for that since the name can change per VM renaming but we need a stable directory name.) [root@localhost swtpm]# ls -lZ total 4 drwx------. 2 tss tss system_u:object_r:virt_var_lib_t:s0 4096 Apr 5 16:46 485d0004-a48f-436a-8457-8a3b73e28568 [root@localhost 485d0004-a48f-436a-8457-8a3b73e28568]# ls -lZ total 4 drwx------. 2 tss tss system_u:object_r:virt_var_lib_t:s0 4096 Apr 10 21:34 tpm1.2 [root@localhost tpm1.2]# ls -lZ total 8 -rw-r--r--. 1 tss tss system_u:object_r:virt_var_lib_t:s0 3648 Apr 5 16:46 tpm-00.permall The directory /var/run/libvirt/qemu/swtpm/ hosts the swtpm.sock that QEMU uses to communicate with the swtpm: root@localhost domain-1-testvm]# ls -lZ total 0 srw-------. 1 qemu qemu system_u:object_r:svirt_image_t:s0:c597,c632 0 Apr 6 10:24 1-testvm-swtpm.sock The logfile for the swtpm is in /var/log/swtpm/libvirt/qemu: [root@localhost-3 qemu]# ls -lZ total 4 -rw-------. 1 tss tss unconfined_u:object_r:var_log_t:s0 2199 Apr 6 14:01 testvm-swtpm.log The processes are labeled as follows: [root@localhost 485d0004-a48f-436a-8457-8a3b73e28567]# ps auxZ | grep swtpm | grep socket | grep -v grep system_u:system_r:virtd_t:s0-s0:c0.c1023 tss 18697 0.0 0.0 28172 3892 ? Ss 16:46 0:00 /usr/bin/swtpm socket --daemon --ctrl type=unixio,path=/var/run/libvirt/qemu/swtpm/1-testvm-swtpm.sock,mode=0600 --tpmstate dir=/var/lib/libvirt/swtpm/485d0004-a48f-436a-8457-8a3b73e28568/tpm1.2 --log file=/var/log/swtpm/libvirt/qemu/testvm-swtpm.log [root@localhost 485d0004-a48f-436a-8457-8a3b73e28567]# ps auxZ | grep qemu | grep tpm | grep -v grep system_u:system_r:svirt_t:s0:c413,c430 qemu 18702 2.5 0.0 3036052 48676 ? Sl 16:46 0:08 /bin/qemu-system-x86_64 [...] Signed-off-by: NStefan Berger <stefanb@linux.vnet.ibm.com> Reviewed-by: NJohn Ferlan <jferlan@redhat.com> Reviewed-by: NJán Tomko <jtomko@redhat.com>
-
由 Stefan Berger 提交于
Implement functions for managing the storage of the external swtpm as well as starting and stopping it. Also implement functions to use swtpm_setup, which simulates the manufacturing of a TPM, which includes creation of certificates for the device. Further, the external TPM needs storage on the host that we need to set up before it can be run. We can clean up the host once the domain is undefined. This patch also implements a small layer for external device support that calls into the TPM device layer if a domain has an attached TPM. This is the layer we will wire up later on. Signed-off-by: NStefan Berger <stefanb@linux.vnet.ibm.com> Reviewed-by: NJohn Ferlan <jferlan@redhat.com> Reviewed-by: NJán Tomko <jtomko@redhat.com>
-
由 Stefan Berger 提交于
Extend qemu_conf with user and group for running the tpm-emulator and add directories to the configuration for the locations of the log, state, and socket of the tpm-emulator. Also add these new directories to the QEMU Makefile.inc.am and the RPM spec file libvirt.spec.in. Signed-off-by: NStefan Berger <stefanb@linux.vnet.ibm.com> Reviewed-by: NJohn Ferlan <jferlan@redhat.com> Reviewed-by: NJán Tomko <jtomko@redhat.com>
-
由 Stefan Berger 提交于
Extend the DAC and SELinux modules with support for the tpm-emulator. We label the Unix socket that QEMU connects to after starting swtmp with DAC and SELinux labels. We do not have to restore the labels in this case since the tpm-emulator will remove the Unix socket when it terminates. Signed-off-by: NStefan Berger <stefanb@linux.vnet.ibm.com> Reviewed-by: NJohn Ferlan <jferlan@redhat.com> Reviewed-by: NJán Tomko <jtomko@redhat.com>
-
由 Stefan Berger 提交于
Implement virFileChownFiles() which changes file ownership of all files in a given directory. Signed-off-by: NStefan Berger <stefanb@linux.vnet.ibm.com> Reviewed-by: NJohn Ferlan <jferlan@redhat.com> Reviewed-by: NJán Tomko <jtomko@redhat.com>
-
由 Stefan Berger 提交于
Extend the QEMU capabilities with tpm-emulator support. Signed-off-by: NStefan Berger <stefanb@linux.vnet.ibm.com> Reviewed-by: NJohn Ferlan <jferlan@redhat.com> Reviewed-by: NJán Tomko <jtomko@redhat.com>
-
由 Stefan Berger 提交于
This patch adds support for an external swtpm TPM emulator. The XML for this type of TPM looks as follows: <tpm model='tpm-tis'> <backend type='emulator'/> </tpm> The XML will currently only define a TPM 1.2. Extend the documentation. Add a test case testing the XML parser and formatter. Signed-off-by: NStefan Berger <stefanb@linux.vnet.ibm.com> Reviewed-by: NJohn Ferlan <jferlan@redhat.com> Reviewed-by: NJán Tomko <jtomko@redhat.com>
-
由 John Ferlan 提交于
Commit id 02b031a4 added a secondary path from which the incoming @secinfo would not be free'd until the private data was freed in qemuDomainStorageSourcePrivateDispose. However, by doing this the original intention to free @*secinfo afterwards is lost and thus the pass by value of the secinfo->s.aes (or secinfo->s.plain for its method) results in not keeping the NULL setting in the various secret.{username|iv|ciphertext} fields upon return to qemuDomainSecretInfoClear and eventually will result in a double free at domain destroy: raise () abort () __libc_message () malloc_printerr () _int_free () virFree qemuDomainSecretAESClear qemuDomainSecretInfoClear qemuDomainSecretInfoFree qemuDomainStorageSourcePrivateDispose virObjectUnref virStorageSourceClear virStorageSourceFree virDomainDiskDefFree virDomainDefFree virDomainObjRemoveTransientDef qemuProcessStop qemuDomainDestroyFlags virDomainDestroy Signed-off-by: NJohn Ferlan <jferlan@redhat.com> ACKed-by: NPeter Krempa <pkrempa@redhat.com>
-
由 Michal Privoznik 提交于
Instead of array of pointers to individual buffers it can be array of buffers directly. This also fixes the following memleak: ==22516== 96 bytes in 4 blocks are definitely lost in loss record 166 of 195 ==22516== at 0x4C2EF26: calloc (vg_replace_malloc.c:711) ==22516== by 0x5D2C7D5: virAlloc (viralloc.c:144) ==22516== by 0x56FAABD: qemuBuildNumaArgStr (qemu_command.c:7543) ==22516== by 0x5701835: qemuBuildCommandLine (qemu_command.c:10112) ==22516== by 0x575D794: qemuProcessCreatePretendCmd (qemu_process.c:6568) ==22516== by 0x113338: testCompareXMLToArgv (qemuxml2argvtest.c:549) ==22516== by 0x138CA3: virTestRun (testutils.c:180) ==22516== by 0x136CD1: mymain (qemuxml2argvtest.c:2825) ==22516== by 0x13AD58: virTestMain (testutils.c:1118) ==22516== by 0x137351: main (qemuxml2argvtest.c:2874) Signed-off-by: NMichal Privoznik <mprivozn@redhat.com>
-
由 Michal Privoznik 提交于
This function exists because of 5276ec71. But it is missing initial check just like virQEMUCapsInitHostCPUModel() has. Signed-off-by: NMichal Privoznik <mprivozn@redhat.com> Reviewed-by: NJán Tomko <jtomko@redhat.com>
-
由 ramyelkest 提交于
Replace instances where we previously called virGetLastError just to either get the code or to check if an error exists with virGetLastErrorCode to avoid a validity pre-check. Signed-off-by: NRamy Elkest <ramyelkest@gmail.com> Reviewed-by: NErik Skultety <eskultet@redhat.com>
-
由 ramyelkest 提交于
Many places in the code call virGetLastError() just to check the raised error code, or domain. However virGetLastError() can return NULL, so the code has to check for that first. This patch therefore introduces virGetLasError{Code,Domain} functions which always return a valid error code or domain respectively, thus dropping the need to perform any checks on the error object. Signed-off-by: NRamy Elkest <ramyelkest@gmail.com> Reviewed-by: NErik Skultety <eskultet@redhat.com>
-
由 ramyelkest 提交于
Signed-off-by: NRamy Elkest <ramyelkest@gmail.com> Reviewed-by: NErik Skultety <eskultet@redhat.com>
-
由 Daniel P. Berrangé 提交于
When the agent code was first introduced back in commit c160ce33 Author: Daniel P. Berrange <berrange@redhat.com> Date: Wed Oct 5 18:31:54 2011 +0100 QEMU guest agent support there was code that would loop and retry the connection when opening the agent socket. At this time, the only thing done in between the opening of the monitor socket & opening of the agent socket was a call to set the monitor capabilities. This was a no-op on non-QMP versions, so in theory there could be a race which let us connect to the monitor while the agent socket was still not created by QEMU. In the modern world, however, we long ago mandated the use of QMP for managing QEMU, so we're guaranteed to have a set capabilities QMP call. Once we've seen a reply to this, we're guaranteed that QEMU has fully initialized all backends and is in its event loop. We can thus be sure the QEMU agent socket is present and don't need to retry connections to it, even without having the chardev FD passing feature. Reviewed-by: NJohn Ferlan <jferlan@redhat.com> Signed-off-by: NDaniel P. Berrangé <berrange@redhat.com>
-
由 Daniel P. Berrangé 提交于
Since libvirt called bind() and listen() on the UNIX socket, it is guaranteed that connect() will immediately succeed, if QEMU is running normally. It will only fail if QEMU has closed the monitor socket by mistake or if QEMU has exited, letting the kernel close it. With this in mind we can remove the retry loop and timeout when connecting to the QEMU monitor if we are doing FD passing. Libvirt can go straight to sending the QMP greeting and will simply block waiting for a reply until QEMU is ready. Reviewed-by: NJohn Ferlan <jferlan@redhat.com> Signed-off-by: NDaniel P. Berrangé <berrange@redhat.com>
-
由 Daniel P. Berrangé 提交于
There is a race condition when spawning QEMU where libvirt has spawned QEMU but the monitor socket is not yet open. Libvirt has to repeatedly try to connect() to QEMU's monitor until eventually it succeeds, or times out. We use kill() to check if QEMU is still alive so we avoid waiting a long time if QEMU exited, but having a timeout at all is still unpleasant. With QEMU 2.12 we can pass in a pre-opened FD for UNIX domain or TCP sockets. If libvirt has called bind() and listen() on this FD, then we have a guarantee that libvirt can immediately call connect() and succeed without any race. Although we only really care about this for the monitor socket and agent socket, this patch does FD passing for all UNIX socket based character devices since there appears to be no downside to it. We don't do FD passing for TCP sockets, however, because it is only possible to pass a single FD, while some hostnames may require listening on multiple FDs to cover IPv4 and IPv6 concurrently. Reviewed-by: NJohn Ferlan <jferlan@redhat.com> Signed-off-by: NDaniel P. Berrangé <berrange@redhat.com>
-
由 Daniel P. Berrangé 提交于
QEMU >= 2.12 will support passing of pre-opened file descriptors for socket based character devices. Reviewed-by: NJohn Ferlan <jferlan@redhat.com> Signed-off-by: NDaniel P. Berrangé <berrange@redhat.com>
-
- 05 6月, 2018 22 次提交
-
-
由 Peter Krempa 提交于
The code that detaches the device from persistent definition copies the persistent definition first so that it can easily be rolled back. The actual detaching is then made in the copy which is assigned back on success (if the live operation succeeded as well). This is not the case in qemuDomainDetachDeviceAliasLiveAndConfig where the definition was copied and put back, but the detaching happened from the other object which was overwritten. Signed-off-by: NPeter Krempa <pkrempa@redhat.com>
-
由 Michal Privoznik 提交于
Now that GnuTLS is a requirement, we can drop a lot of conditionally built code. However, not all ifdef-s can go because we still want libvirt_setuid to build without gnutls. Signed-off-by: NMichal Privoznik <mprivozn@redhat.com> Reviewed-by: NDaniel P. Berrangé <berrange@redhat.com>
-
由 Michal Privoznik 提交于
Now that GnuTLS is required these symbols are going to be present all the time. Signed-off-by: NMichal Privoznik <mprivozn@redhat.com> Reviewed-by: NDaniel P. Berrangé <berrange@redhat.com>
-
由 Michal Privoznik 提交于
Since GnuTLS is required there is no way to go with !WITH_GNUTLS branch and just distribute these files. Signed-off-by: NMichal Privoznik <mprivozn@redhat.com> Reviewed-by: NDaniel P. Berrangé <berrange@redhat.com>
-
由 John Ferlan 提交于
Modify virStorageBackendLogicalLVCreate to ensure if encryption is requested that only type LUKS is supported; otherwise, error. Signed-off-by: NJohn Ferlan <jferlan@redhat.com> Reviewed-by: NErik Skultety <eskultet@redhat.com>
-
由 Michal Privoznik 提交于
Now that virCryptoGenerateRandom() is plain wrapper over virRandomBytes() we can drop it in favour of the latter. Signed-off-by: NMichal Privoznik <mprivozn@redhat.com>
-
由 Michal Privoznik 提交于
If virRandomBytes() fails there is no point calling virRandomBits() because it uses virRandomBytes() internally again. Signed-off-by: NMichal Privoznik <mprivozn@redhat.com>
-
由 Michal Privoznik 提交于
Now that we have strong PRNG generator implemented in virRandomBytes() let's use that instead of gnulib's random_r. Problem with the latter is in way we seed it: current UNIX time and libvirtd's PID are not that random as one might think. Imagine two hosts booting at the same time. There's a fair chance that those hosts spawn libvirtds at the same time and with the same PID. This will result in both daemons generating the same sequence of say MAC addresses [1]. 1: https://www.redhat.com/archives/libvirt-users/2018-May/msg00097.htmlSigned-off-by: NMichal Privoznik <mprivozn@redhat.com>
-
由 Michal Privoznik 提交于
While /dev/urandom is not terrible source of random data gnutls_rnd is better. Prefer that one. Also, since nearly every platform we build on already has gnutls (if not all of them) this is going to be used by default. Signed-off-by: NMichal Privoznik <mprivozn@redhat.com>
-
由 Michal Privoznik 提交于
Instead of having each caller report error move it into the function. This way we can produce more accurate error messages too. Signed-off-by: NMichal Privoznik <mprivozn@redhat.com>
-
由 Michal Privoznik 提交于
Signed-off-by: NMichal Privoznik <mprivozn@redhat.com>
-
由 Michal Privoznik 提交于
To unify our vir*Random() functions we need to make virCryptoGenerateRandom NOT allocate return buffer. It should just fill given buffer with random data. Signed-off-by: NMichal Privoznik <mprivozn@redhat.com>
-
由 Michal Privoznik 提交于
When generating random stream using gnults fails an error is reported. However, the error is not helpful as it contains only an integer error code (a negative number). Use gnutls_strerror() to turn the error code into a string explaining what went wrong. Signed-off-by: NMichal Privoznik <mprivozn@redhat.com>
-
由 Michal Privoznik 提交于
This function allocates a buffer, fills it in with random bytes and then returns it. However, the buffer is held in @buf variable, therefore having @ret variable which does not hold return value of the function is misleading. Signed-off-by: NMichal Privoznik <mprivozn@redhat.com> Reviewed-by: NEric Blake <eblake@redhat.com>
-
由 Michal Privoznik 提交于
In libvirt when a function wants to return an error code it should be a negative value. Returning a positive value (or zero) means success. But virRandomBytes() does not follow this rule. Signed-off-by: NMichal Privoznik <mprivozn@redhat.com> Reviewed-by: NEric Blake <eblake@redhat.com>
-
由 Jiri Denemark 提交于
The files are not scripts and should not be executable. Broken by v4.0.0-294-g5f998681. Signed-off-by: NJiri Denemark <jdenemar@redhat.com>
-
由 Jiri Denemark 提交于
Libvirt relies on being able to kill the destination domain and resume the source one during migration until we called "cont" on the destination. Unfortunately, QEMU automatically activates block devices at the end of migration even when it's called with -S. This wasn't a big issue in the past since the guest is not running and thus no data are written to the block devices. However, when QEMU introduced its internal block device locks, we can no longer resume the source domain once the destination domain already activated the block devices (and thus acquired all locks) unless the destination domain is killed first. Since it's impossible to synchronize the destination and the source libvirt daemons after a failed migration, QEMU introduced a new migration capability called "late-block-activate" which ensures QEMU won't activate block devices until it gets "cont". The only thing we need to do is to enable this capability whenever QEMU supports it. https://bugzilla.redhat.com/show_bug.cgi?id=1568407 QEMU commit implementing the capability: v2.12.0-952-g0f073f44df Signed-off-by: NJiri Denemark <jdenemar@redhat.com> Reviewed-by: NJán Tomko <jtomko@redhat.com>
-
由 Michal Privoznik 提交于
When parsing domain XML the virCapsDomainData lookup is performed in order to fill in missing def->os.arch and def->os.machine strings. Well, when doing copy of already existing virDomainDef we don't want any automagic fill in of defaults (and those two strings are going to be provided at this point anyway by first parse of the domain XML). What is even worse is that we do not look up capabilities for parsed emulator path rather some generic capabilities for parsed arch. Therefore, if emulator points to qemu under non-default path (say $HOME/qemu-system-arm) but there's no such qemu under the default path (say /usr/bin/qemu-system-arm) the capabilities lookup fails and creating the copy is denied. Signed-off-by: NMichal Privoznik <mprivozn@redhat.com> Reviewed-by: NJán Tomko <jtomko@redhat.com>
-
由 Radostin Stoyanov 提交于
The variable forkRet is not used after commit 25f87817Signed-off-by: NRadostin Stoyanov <rstoyanov1@gmail.com> Reviewed-by: NJán Tomko <jtomko@redhat.com> Signed-off-by: NJán Tomko <jtomko@redhat.com>
-
由 Filip Alac 提交于
Signed-off-by: NFilip Alac <filipalac@gmail.com> Signed-off-by: NMichal Privoznik <mprivozn@redhat.com>
-
由 Filip Alac 提交于
Signed-off-by: NFilip Alac <filipalac@gmail.com> Signed-off-by: NMichal Privoznik <mprivozn@redhat.com>
-
由 Peter Krempa 提交于
Now that we have one place that sets up all disk-related objects to qemuBlockStorageSourceAttachDataPtr we can easily reuse the data in the command-line formatter by implementing a worker which will convert the data. A huge advantage is that it will be way easier to integrate this with -blockdev later on. Signed-off-by: NPeter Krempa <pkrempa@redhat.com> Reviewed-by: NJán Tomko <jtomko@redhat.com>
-