virDomainSetMetadata when operating on the metadata element was
requesting the @key argument to be passed even if @metadata was NULL
used to delete the corresponding metadata element. This is not needed as
the key is only used when adding the element and matching is done via
the XML namespace.

The functionality wasn't originally implemented. This patch adds the
ability to modify domain's XML metadata using the API.

The virDomainGetMetadata function was designed to support also retrieval
of app specific metadata from the <metadata> element. This functionality
was never implemented originally.

The metadata modification functions will support modification of the XML
metadata. Add a virsh command to allow using this approach.

The code to set the metadata in a domain definition is common to live
and inactive domains. Factor it out into a common func.

The function implemented common behavior that can be reused for other
hypervisor drivers that use the virDomainObj data structures. Factor out
the core into a separate helper func.

The function implemented common behavior that can be reused for other
hypervisor drivers that use the virDomainObj data structures. Factor out
the core into a separate helper func.

Line up the array so that the grid is visible.

The "cmd" variable is actually used so remove the attribute.

In the original implementation of external checkpoints I've mistakenly
used the live definition to be stored in the save image. The normal
approach is to use the "migratable" definition. This was discovered when
commit 07966f6a changed the behavior to
use a converted XML from the user to do the compatibility check to fix
problem when using the regular machine saving.

As the previous patch added a compatibility layer, we can now change the
type of the XML in the image.

Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1008340

External checkpoints have a bug in the implementation where they use the
normal definition instead of the "migratable" one. This causes errors
when the snapshot is being reverted using the workaround method via
qemuDomainRestoreFlags() with a custom XML. This issue was introduced
when commit 07966f6a changed the code to
compare "migratable" XMLs from the user as we should have used
migratable in the image too.

This patch adds a compatibility layer, so that fixing the snapshot code
won't make existing snapshots fail to load.

Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1008340

What should be checked here is xmlbuf rather than buf.

CD-ROMs and Floppies are allowed to have no source to imply they are
empty or disconnected. Since the LUN type is used for raw CD-ROM access
with QEMU (and VMWare in the future), it also needs to allow an empty
source when the raw CD-ROM device is disconnected from the domain.

qemuMigrationEatCookie has flags to control if these should
be parsed, but it does not fill mig->flags. These cookies might
get leaked if these flags are not set by qemuMigrationBakeCookie.

42 (32 direct, 10 indirect) bytes in 1 blocks are definitely lost in
loss record 361 of 662
==123== by 0x1BA33FCA: qemuMigrationEatCookie (qemu_migration.c:678)
==123== by 0x1BA34A1E: qemuMigrationRun (qemu_migration.c:3108)
==123== by 0x1BA3622B: doNativeMigrate (qemu_migration.c:3343)
==123== by 0x1BA3B408: qemuMigrationPerform (qemu_migration.c:4138)

https://bugzilla.redhat.com/show_bug.cgi?id=1008619

1,003 bytes in 1 blocks are definitely lost in loss record 599 of 635
==404== by 0x50728A7: virBufferAddChar (virbuffer.c:185)
==404== by 0x50BC466: virSystemdEscapeName (virsystemd.c:67)
==404== by 0x50BC6B2: virSystemdMakeSliceName (virsystemd.c:108)
==404== by 0x50BC870: virSystemdCreateMachine (virsystemd.c:169)
==404== by 0x5078267: virCgroupNewMachine (vircgroup.c:1498)

I spent far too long on a new machine trying to figure out why
./autobuild.sh failed due to an rpm build failure (complaining
that libvirt_parthelper was supposed to be packaged but was not
built), and finally traced it to a missing parted-devel
installation.  I learned that --nodeps is in place for
autobuilder setups, but for developers, removing it would make
rpmbuild error out much sooner for a less cryptic failure.

* autobuild.sh: Conditionally drop --nodeps from rpmbuild lines.
Signed-off-by: NEric Blake <eblake@redhat.com>

Bother those kernel developers.  In the latest rawhide, kernel
and glibc have now been unified so that <netinet/in.h> and
<linux/in6.h> no longer clash; but <linux/if_bridge.h> is still
not self-contained.  Because of the latest header change, the
build is failing with:

checking for linux/param.h... no
configure: error: You must install kernel-headers in order to compile libvirt with QEMU or LXC support

with details:

In file included from conftest.c:561:0:
/usr/include/linux/in6.h:71:18: error: field 'flr_dst' has incomplete type
  struct in6_addr flr_dst;

We need a workaround to avoid our workaround :)

* configure.ac (NETINET_LINUX_WORKAROUND): New test.
* src/util/virnetdevbridge.c (includes): Use it.
Signed-off-by: NEric Blake <eblake@redhat.com>

The function existed in two identical instances in lxc and qemu. Move it
to vircgroup.c and simplify it. Refactor the callers too.

Semantics of the libvirt helper are more clear. This change also allows
to clean up some pieces of code.

Explicitly state that some parts of the code may require virFileExists
to set or preserve a correct errno so that future modifications don't
break.

Since the maxvcpus command query the maximum number of virtual
CPUs supported for a guest VM on this connection, it should be
in virsh-host.c but not virsh-domain.c.
Signed-off-by: Nyangdongsheng <yangds.fnst@cn.fujitsu.com>

Since virnetsocket conditionally uses selinux we need to link against it
otherwise the build fails with:

CCLD     libvirtd
/usr/bin/ld: ../src/.libs/libvirt-lxc.so: undefined reference to symbol 'freecon'
/lib/i386-linux-gnu/libselinux.so.1: error adding symbols: DSO missing from command line
collect2: error: ld returned 1 exit status
make[3]: *** [libvirtd] Error 1

An off-list bug report mentioned some confusion where the public
documentation of libvirt.c:virConnectGetHostname did not match
the private documentation of util/virutil.c:virGetHostname.

* src/libvirt.c (virConnectGetHostname): Tweak docs.
Signed-off-by: NEric Blake <eblake@redhat.com>

Signed-off-by: NAlex Jia <ajia@redhat.com>

The VIR_ACCESS_PERM_CONNECT_DETECT_STORAGE_POOLS enum
constant had its string format be 'detect_storage_pool',
note the missing trailing 's'. This prevent the ACL
check from ever succeeding. Fix this and add a simple
test script to validate this problem of matching names.
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>

Right now we mount selinuxfs even user namespace is enabled and
ignore the error. But we shouldn't ignore these errors when user
namespace is not enabled.

This patch skips mounting selinuxfs when user namespace enabled.
Signed-off-by: NGao feng <gaofeng@cn.fujitsu.com>

When reverting a live internal snapshot with a live guest the ABI
compatiblity check was comparing a "migratable" definition with a normal
one. This resulted in the check failing with:

revert requires force: Target device address type none does not match source pci

This patch generates a "migratable" definition from the actual one to
check against the definition from the snapshot to avoid this problem.

Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1006886

This resolves: https://bugzilla.redhat.com/show_bug.cgi?id=983026

The netcf interface driver previously had no state driver associated
with it - as a connection was opened, it would create a new netcf
instance just for that connection, and close it when it was
finished. the problem with this is that each connection to libvirt
used up a netlink socket, and there is a per process maximum of ~1000
netlink sockets.

The solution is to create a state driver to go along with the netcf
driver. The state driver will opens a netcf instance, then all
connections share that same netcf instance, thus only a single
netlink socket will be used no matter how many connections are mde to
libvirtd.

This was rather simple to do - a new virObjectLockable class is
created for the single driverState object, which is created in
netcfStateInitialize and contains the single netcf handle; instead of
creating a new object for each client connection, netcfInterfaceOpen
now just increments the driverState object's reference count and puts
a pointer to it into the connection's privateData. Similarly,
netcfInterfaceClose() just un-refs the driverState object (as does
netcfStateCleanup()), and virNetcfInterfaceDriverStateDispose()
handles closing the netcf instance. Since all the functions already
have locking around them, the static lock functions used by all
functions just needed to be changed to call virObjectLock() and
virObjectUnlock() instead of directly calling the virMutex* functions.

This better fits the modern naming scheme in libvirt, and anticipates
an upcoming change where a single instance of this state will be
maintained by a separate state driver, and every instance of the netcf
driver will share the same state.

If the guest is configured with

    <filesystem type='mount'>
      <source dir='/'/>
      <target dir='/'/>
      <readonly/>
    </filesystem>

Then any submounts under / should also end up readonly, except
for those setup as basic mounts. eg if the user has /home on a
separate volume, they'd expect /home to be readonly, but we
should not touch the /sys, /proc, etc dirs we setup ourselves.

Users can selectively make sub-mounts read-write again by
simply listing them as new mounts without the <readonly>
flag set

    <filesystem type='mount'>
      <source dir='/home'/>
      <target dir='/home'/>
    </filesystem>
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>

Move the array of basic mounts out of the lxcContainerMountBasicFS
function, to a global variable. This is to allow it to be referenced
by other methods wanting to know what the basic mount paths are.
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>

Describe some of the issues to be aware of when configuring LXC
guests with security isolation as a goal.
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>

Debian systems may run the 'systemd-logind' daemon, which causes the
/sys/fs/cgroup/systemd  mount to be setup, but no other cgroup
controllers are created. While the LXC driver considers cgroups to
be mandatory, the QEMU driver is supposed to accept them as optional.

We detect whether they are present by looking in /proc/mounts for
any mounts of type 'cgroups', but this is not sufficient. We need to
skip any named mounts (as seen by a name=XXX string in the mount
options), so that we only detect actual resource controllers.

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=721979Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>

The polkit access driver used the wrong permission names for checks
on storage pools, volumes and node devices. This led to them always
being denied access.

The 'dettach' permission was also mis-spelt and should have been
'detach'. While permission names are ABI sensitive, the fact that
the code used the wrong object name for checking node device
permissions, means that no one could have used the mis-spelt
'dettach' permission.
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>

https://bugzilla.redhat.com/show_bug.cgi?id=1006864

Commit 38ab1225 changed the default value of ret from true to false but
forgot to set ret = true when job is NONE. Thus, virsh domjobinfo
returned 1 when there was no job running for a domain but it used to
(and should) return 0 in this case.

First make sure that the input is xhtml as the stylesheets expect
namespaced element, then use a span element instead of a as a
is treated specially, finally adjust the makefile to check for
the new span element and replace it with the PHP code