- 14 3月, 2013 14 次提交
-
-
由 Daniel P. Berrange 提交于
The naming used in the RPC protocols for the LXC monitor and lock daemon confused the script used to generate systemtap helper functions. Rename the LXC monitor protocol symbols to reduce confusion. Adapt the gensystemtap.pl script to cope with the LXC monitor / lock daemon naming conversions. This has no functional impact on RPC wire protocol, since names are only used in the C layer Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>
-
由 Daniel P. Berrange 提交于
When converting to virObject, the probes on the 'Free' functions were removed on the basis that there is a probe on virObjectFree that suffices. This puts a burden on people writing probe scripts to identify which object is being dispose. This adds back probes in the 'Dispose' functions and updates the rpc monitor systemtap example to use them Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>
-
由 Daniel P. Berrange 提交于
Normally libvirtd should run with a SELinux label system_u:system_r:virtd_t:s0-s0:c0.c1023 If a user manually runs libvirtd though, it is sometimes possible to get into a situation where it is running system_u:system_r:init_t:s0 The SELinux security driver isn't expecting this and can't parse the security label since it lacks the ':c0.c1023' part causing it to complain internal error Cannot parse sensitivity level in s0 This updates the parser to cope with this, so if no category is present, libvirtd will hardcode the equivalent of c0.c1023. Now this won't work if SELinux is in Enforcing mode, but that's not an issue, because the user can only get into this problem if in Permissive mode. This means they can now start VMs in Permissive mode without hitting that parsing error Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>
-
由 Daniel P. Berrange 提交于
Pull the code which parses the current process MCS range out of virSecuritySELinuxMCSFind and into a new method virSecuritySELinuxMCSGetProcessRange. Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>
-
由 Daniel P. Berrange 提交于
The body of the loop in virSecuritySELinuxMCSFind would directly 'return NULL' on OOM, instead of jumping to the cleanup label. This caused a leak of several local vars. Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>
-
由 Daniel P. Berrange 提交于
If an LXC domain failed to start because of a bogus SELinux label, virLXCProcessStart would call VIR_CLOSE(0) by mistake. This is because the code which initializes the member of the ttyFDs array to -1 got moved too far away from the place where the array is first allocated. Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>
-
由 Daniel P. Berrange 提交于
When opening a stream to a device which is a TTY, that device may become the controlling TTY of libvirtd, if libvirtd was daemonized. This in turn means when the other end of the stream closes, libvirtd gets SIGHUP, causing it to reload its config. Prevent this by forcing O_NOCTTY on all streams that are opened Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>
-
由 Peter Krempa 提交于
Qemu's implementation of virtio RNG supports rate limiting of the entropy used. This patch exposes the option to tune this functionality. This patch is based on qemu commit 904d6f588063fb5ad2b61998acdf1e73fb4 The rate limiting is exported in the XML as: <devices> ... <rng model='virtio'> <rate bytes='123' period='1234'/> <backend model='random'/> </rng> ...
-
由 Guannan Ren 提交于
In debug mode, the bug failed to start vm error: Failed to start domain rhel5u9 error: internal error Out of space while reading console log output: ...
-
由 Viktor Mihajlovski 提交于
This adds and corrects testcases for virtio devices on s390 guests. Signed-off-by: NViktor Mihajlovski <mihajlov@linux.vnet.ibm.com>
-
由 J.B. Joret 提交于
We didn't yet expose the virtio device attach and detach functionality for s390 domains as the device hotplug was very limited with the old virtio-s390 bus. With the CCW bus there's full hotplug support for virtio devices in QEMU, so we are adding this to libvirt too. Since the virtio hotplug isn't limited to PCI anymore, we change the function names from xxxPCIyyy to xxxVirtioyyy, where we handle all three virtio bus types. Signed-off-by: NJ.B. Joret <jb@linux.vnet.ibm.com> Signed-off-by: NViktor Mihajlovski <mihajlov@linux.vnet.ibm.com>
-
由 Viktor Mihajlovski 提交于
This commit adds the QEMU driver support for CCW addresses. The current QEMU only allows virtio devices to be attached to the CCW bus. We named the new capability indicating that support QEMU_CAPS_VIRTIO_CCW accordingly. The fact that CCW devices can only be assigned to domains with a machine type of s390-ccw-virtio requires a few extra checks for machine type in qemu_command.c on top of querying QEMU_CAPS_VIRTIO_{CCW|S390}. The majority of the new functions deals with CCW address generation and management. Signed-off-by: NViktor Mihajlovski <mihajlov@linux.vnet.ibm.com>
-
由 Viktor Mihajlovski 提交于
Add necessary handling code for the new s390 CCW address type to virDomainDeviceInfo. Further, introduce memory management, XML parsing, output formatting and range validation for the new virDomainDeviceCCWAddress type. Signed-off-by: NViktor Mihajlovski <mihajlov@linux.vnet.ibm.com>
-
由 Viktor Mihajlovski 提交于
The native bus for s390 I/O is called CCW (channel command word). As QEMU has added basic support for the CCW bus, i.e. the ability to assign CCW devnos (bus addresses) to devices. Domains with the new machine type s390-ccw-virtio can use the CCW bus. Currently QEMU will only allow to define virtio devices on the CCW bus. Here we add the new machine type and the new device address to the schema definition and add a new paragraph to the domain XML documentation. Signed-off-by: NViktor Mihajlovski <mihajlov@linux.vnet.ibm.com>
-
- 13 3月, 2013 9 次提交
-
-
由 Daniel P. Berrange 提交于
In some startup failure modes, the fuse thread may get itself wedged. This will cause the entire libvirt_lxc process to hang trying to the join the thread. There is no compelling reason to wait for the thread to exit if the whole process is exiting, so just daemonize the fuse thread instead. Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>
-
由 Daniel P. Berrange 提交于
A number of symbols are only present when GNUTLS is enabled. Thus we must use a separate libvirt_gnutls.syms file for them instead of libvirt_private.syms Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>
-
由 Daniel P. Berrange 提交于
The virDomainLxcEnterNamespace method mistakenly uses virCheckFlags, which returns immediately instead of virCheckFlagsGoto which jumps to the error cleanup patch where there is a virDispatchError call
-
由 Daniel P. Berrange 提交于
The virDomainGetSecurityLabel method is currently (mistakenly) showing the label of the libvirt_lxc process: ...snip... Security model: selinux Security DOI: 0 Security label: system_u:system_r:virtd_t:s0-s0:c0.c1023 (permissive) when it should be showing the init process label ...snip... Security model: selinux Security DOI: 0 Security label: system_u:system_r:svirt_t:s0:c724,c995 (permissive)
-
由 Daniel P. Berrange 提交于
Add a new virDomainLxcEnterSecurityLabel() function as a counterpart to virDomainLxcEnterNamespaces(), which can change the current calling process to have a new security context. This call runs client side, not in libvirtd so we can't use the security driver infrastructure. When entering a namespace, the process spawned from virsh will default to running with the security label of virsh. The actual desired behaviour is to run with the security label of the container most of the time. So this changes virsh lxc-enter-namespace command to invoke the virDomainLxcEnterSecurityLabel method. The current behaviour is: LABEL PID TTY TIME CMD system_u:system_r:svirt_lxc_net_t:s0:c0.c1023 1 pts/0 00:00:00 systemd system_u:system_r:svirt_lxc_net_t:s0:c0.c1023 3 pts/1 00:00:00 sh system_u:system_r:svirt_lxc_net_t:s0:c0.c1023 24 ? 00:00:00 systemd-journal system_u:system_r:svirt_lxc_net_t:s0:c0.c1023 29 ? 00:00:00 dhclient staff_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 47 ? 00:00:00 ps Note the ps command is running as unconfined_t, After this patch, The new behaviour is this: virsh -c lxc:/// lxc-enter-namespace dan -- /bin/ps -eZ LABEL PID TTY TIME CMD system_u:system_r:svirt_lxc_net_t:s0:c0.c1023 1 pts/0 00:00:00 systemd system_u:system_r:svirt_lxc_net_t:s0:c0.c1023 3 pts/1 00:00:00 sh system_u:system_r:svirt_lxc_net_t:s0:c0.c1023 24 ? 00:00:00 systemd-journal system_u:system_r:svirt_lxc_net_t:s0:c0.c1023 32 ? 00:00:00 dhclient system_u:system_r:svirt_lxc_net_t:s0:c0.c1023 38 ? 00:00:00 ps The '--noseclabel' flag can be used to skip security labelling. Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>
-
由 Michal Privoznik 提交于
With our recent patch (1715c83b) we thrive to get the correct number of maximal VCPUs. However, we are using a constant from linux/kvm.h which may be not defined in every distro. Hence, we should guard usage of the constant with ifdef preprocessor directive. This was introduced in kernel: commit 8c3ba334f8588e1d5099f8602cf01897720e0eca Author: Sasha Levin <levinsasha928@gmail.com> Date: Mon Jul 18 17:17:15 2011 +0300 KVM: x86: Raise the hard VCPU count limit The patch raises the hard limit of VCPU count to 254. This will allow developers to easily work on scalability and will allow users to test high VCPU setups easily without patching the kernel. To prevent possible issues with current setups, KVM_CAP_NR_VCPUS now returns the recommended VCPU limit (which is still 64) - this should be a safe value for everybody, while a new KVM_CAP_MAX_VCPUS returns the hard limit which is now 254. $ git desc 8c3ba334f v3.1-rc7-48-g8c3ba33
-
由 Peter Krempa 提交于
The virCaps structure gathered a ton of irrelevant data over time that. The original reason is that it was propagated to the XML parser functions. This patch aims to create a new data structure virDomainXMLConf that will contain immutable data that are used by the XML parser. This will allow two things we need: 1) Get rid of the stuff from virCaps 2) Allow us to add callbacks to check and add driver specific stuff after domain XML is parsed. This first attempt removes pointers to private data allocation functions to this new structure and update all callers and function that require them.
-
由 Daniel P. Berrange 提交于
Currently the server determines whether authentication of clients is complete, by checking whether an identity is set. This patch removes that lame hack and replaces it with an explicit method for changing the client auth code * daemon/remote.c: Update for new APis * src/libvirt_private.syms, src/rpc/virnetserverclient.c, src/rpc/virnetserverclient.h: Remove virNetServerClientGetIdentity and virNetServerClientSetIdentity, adding a new method virNetServerClientSetAuth. Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>
-
由 Daniel P. Berrange 提交于
Add a virThreadCancel function. This functional is inherently dangerous and not something we want to use in general, but integration with SELinux requires that we provide this stub. We leave out any Win32 impl to discourage further use and because obviously SELinux isn't enabled on Win32 Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>
-
- 12 3月, 2013 4 次提交
-
-
由 Daniel P. Berrange 提交于
When setting up disks with loop devices for LXC, one of the switch cases was missing a 'break' causing it to fallthrough to an error condition. Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>
-
由 Jiri Denemark 提交于
At least one caller may call qemuSharedDiskEntryFree with NULL as the first argument. Let's make the function similar to other *Free functions and do nothing in such case.
-
由 Jiri Denemark 提交于
Sparse LVM volumes do not behave in the way one would naively expect. The allocation does not automatically increase (which is different from how sparse files work).
-
由 Peter Krempa 提交于
The detection of the maximum number of cpus used incorrect ioctl argument value. This flaw caused that on kvm hosts this returns always "160" as the maximum. This is just a recommended maximum value. The real value is higher than that. This patch tweaks the detection function to behave as described by the kernel docs: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/tree/Documentation/virtual/kvm/api.txt?id=refs/tags/v3.9-rc2#n199
-
- 11 3月, 2013 5 次提交
-
-
由 Hu Tao 提交于
Signed-off-by: NHu Tao <hutao@cn.fujitsu.com>
-
由 Ján Tomko 提交于
Properly check the return value of vshCommandOptStringReq for xmlfile: * error out on incorrect input (--xmlfile '') * use default XML <domainsnapshot/> with no --xmlfile specified (Broken by commit b2e85855) Bug: https://bugzilla.redhat.com/show_bug.cgi?id=919826
-
由 Guido Günther 提交于
these were missed by 63f18f37
-
由 Guido Günther 提交于
otherwise we crash with #0 virUSBDeviceListFind (list=0x0, dev=dev@entry=0x8193d70) at util/virusb.c:526 #1 0xb1a4995b in virLXCPrepareHostdevUSBDevices (driver=driver@entry=0x815d9a0, name=0x815dbf8 "debian-700267", list=list@entry=0x81d8f08) at lxc/lxc_hostdev.c:88 #2 0xb1a49fce in virLXCPrepareHostUSBDevices (def=0x8193af8, driver=0x815d9a0) at lxc/lxc_hostdev.c:261 #3 virLXCPrepareHostDevices (driver=driver@entry=0x815d9a0, def=0x8193af8) at lxc/lxc_hostdev.c:328 #4 0xb1a4c5b1 in virLXCProcessStart (conn=0x817d3f8, driver=driver@entry=0x815d9a0, vm=vm@entry=0x8190908, autoDestroy=autoDestroy@entry=false, reason=reason@entry=VIR_DOMAIN_RUNNING_BOOTED) at lxc/lxc_process.c:1068 #5 0xb1a57e00 in lxcDomainStartWithFlags (dom=dom@entry=0x815e460, flags=flags@entry=0) at lxc/lxc_driver.c:1014 #6 0xb1a57fc3 in lxcDomainStart (dom=0x815e460) at lxc/lxc_driver.c:1046 #7 0xb79c8375 in virDomainCreate (domain=domain@entry=0x815e460) at libvirt.c:8450 #8 0x08078959 in remoteDispatchDomainCreate (args=0x81920a0, rerr=0xb65c21d0, client=0xb0d00490, server=<optimized out>, msg=<optimized out>) at remote_dispatch.h:1066 #9 remoteDispatchDomainCreateHelper (server=0x80c4928, client=0xb0d00490, msg=0xb0d005b0, rerr=0xb65c21d0, args=0x81920a0, ret=0x815d208) at remote_dispatch.h:1044 #10 0xb7a36901 in virNetServerProgramDispatchCall (msg=0xb0d005b0, client=0xb0d00490, server=0x80c4928, prog=0x80c6438) at rpc/virnetserverprogram.c:432 #11 virNetServerProgramDispatch (prog=0x80c6438, server=server@entry=0x80c4928, client=0xb0d00490, msg=0xb0d005b0) at rpc/virnetserverprogram.c:305 #12 0xb7a300a7 in virNetServerProcessMsg (msg=<optimized out>, prog=<optimized out>, client=<optimized out>, srv=0x80c4928) at rpc/virnetserver.c:162 #13 virNetServerHandleJob (jobOpaque=0xb0d00510, opaque=0x80c4928) at rpc/virnetserver.c:183 #14 0xb7924f98 in virThreadPoolWorker (opaque=opaque@entry=0x80a94b0) at util/virthreadpool.c:144 #15 0xb7924515 in virThreadHelper (data=0x80a9440) at util/virthreadpthread.c:161 #16 0xb7887c39 in start_thread (arg=0xb65c2b70) at pthread_create.c:304 #17 0xb77eb78e in clone () at ../sysdeps/unix/sysv/linux/i386/clone.S:130 when adding a domain with a usb device. This is Debian bug http://bugs.debian.org/700267
-
由 Michal Privoznik 提交于
By current implementation, network inbound is required in order to use 'floor' for guaranteeing minimal throughput. This is so, because we want user to tell us the maximal throughput of the network instead of finding out ourselves (and detect bogus values in case of virtual interfaces). However, we are nowadays requiring this only on documentation level. So if user starts a domain with 'floor' set on one its interfaces, we silently ignore the setting. We should error out instead.
-
- 10 3月, 2013 2 次提交
-
-
由 Peter Krempa 提交于
The function is marked as unused and breaks compilation on RHEL4. Remove it from the tree until a new use case can be found.
-
由 Peter Krempa 提交于
The commit originally fixed code that isn't being used. Revert it and remove the unused code as a real fix. This reverts commit a66b32d9.
-
- 09 3月, 2013 2 次提交
-
-
由 Dusty Mabe 提交于
'virsh capabilities' will now include a new <memory> element per <cell> of the topology, as in: <topology> <cells num='2'> <cell id='0'> <memory unit='KiB'>12572412</memory> <cpus num='12'> ... </cell> Signed-off-by: NEric Blake <eblake@redhat.com>
-
由 Guido Günther 提交于
This fixes the build on Debian Wheezy which otherwise fails with: CC libvirt_driver_lxc_impl_la-lxc_process.lo lxc/lxc_process.c: In function 'virLXCProcessGetNsInode': lxc/lxc_process.c:648:5: error: implicit declaration of function 'stat' [-Werror=implicit-function-declaration] lxc/lxc_process.c:648:5: error: nested extern declaration of 'stat' [-Werror=nested-externs] cc1: all warnings being treated as errors
-
- 08 3月, 2013 4 次提交
-
-
由 Michal Privoznik 提交于
When there are two concurrent threads, we may dereference a NULL pointer, even though it has been checked before: 1. Thread1: starts executing qemuDomainBlockStatsFlags() with nparams != 0. It finds given disk and successfully pass check for disk->info.alias not being NULL. 2. Thread2: starts executing qemuDomainDetachDeviceFlags() on the very same disk as Thread1 is working on. 3. Thread1: gets to qemuDomainObjBeginJob() where it sets a job on a domain. 4. Thread2: also tries to set a job. However, we are not guaranteed which thread wins. So assume it's Thread2 who can continue. 5. Thread2: does the actual detach and frees disk->info.alias 6. Thread2: quits the job 7. Thread1: now successfully acquires the job, and accesses a NULL pointer.
-
由 Guannan Ren 提交于
Rename AppArmorSetImageFDLabel to AppArmorSetFDLabel which could be used as a common function for *ALL* fd relabelling in Linux. In apparmor profile for specific vm with uuid cdbebdfa-1d6d-65c3-be0f-fd74b978a773 Path: /etc/apparmor.d/libvirt/libvirt-cdbebdfa-1d6d-65c3-be0f-fd74b978a773.files The last line is for the tapfd relabelling. # DO NOT EDIT THIS FILE DIRECTLY. IT IS MANAGED BY LIBVIRT. "/var/log/libvirt/**/rhel6qcow2.log" w, "/var/lib/libvirt/**/rhel6qcow2.monitor" rw, "/var/run/libvirt/**/rhel6qcow2.pid" rwk, "/run/libvirt/**/rhel6qcow2.pid" rwk, "/var/run/libvirt/**/*.tunnelmigrate.dest.rhel6qcow2" rw, "/run/libvirt/**/*.tunnelmigrate.dest.rhel6qcow2" rw, "/var/lib/libvirt/images/rhel6u3qcow2.img" rw, "/dev/tap45" rw,
-
由 Daniel P. Berrange 提交于
To allow the efficient correlation of container audit messages with host hosts, include the pid namespace inode in audit messages.
-
由 Daniel P. Berrange 提交于
By using a loopback device, disks backed by plain files can be made available to LXC containers. We make no attempt to auto-detect format if <driver type="raw"/> is not set, instead we unconditionally treat that as meaning raw. This is to avoid the security issues inherent with format auto-detection Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>
-