1. 03 Sep, 2013 17 commits
    • M
      qemu: Handle huge number of queues correctly · 1dc5dea7
      Michal Privoznik committed
      Currently, kernel supports up to 8 queues for a multiqueue tap device.
      However, if user tries to enter a huge number (e.g. one million) the tap
      allocation fails, as expected. But what is not expected is the log full
      of warnings:
      
          warning : virFileClose:83 : Tried to close invalid fd 0
      
      The problem is, upon error we iterate over an array of FDs (handlers to
      queues) and VIR_FORCE_CLOSE() over each item. However, the array is
      pre-filled with zeros. Hence, we repeatedly close stdin. Ouch.
      But there's more. The queues allocation is done in virNetDevTapCreate()
      which cleans up the FDs in case of error. Then, its caller, the
      virNetDevTapCreateInBridgePort() iterates over the FD array and tries to
      close them too. And so does qemuNetworkIfaceConnect() and
      qemuBuildInterfaceCommandLine().
      1dc5dea7
    • P
      virsh-domain: Avoid killing ssh transport tunnels when cancelling job · b46c4787
      Peter Krempa committed
      The vshWatchJob function registers a SIGINT handler that is used to
      abort the active job and does not terminate virsh. Unfortunately, this
      breaks when using the ssh transport as SIGINT is sent to the foreground
      process group including the ssh transport processes which terminate.
      This breaks the connection and migration is left in an insane state.
      
      With this patch the terminal is modified to ignore key binding that
      sends SIGINT and does the handling manually.
      
      Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=983348
      b46c4787
    • P
      virsh: Remember terminal state when starting and add helpers · ebef6893
      Peter Krempa committed
      This patch adds instrumentation to allow modification of config of the
      terminal in virsh and successful reset of the state afterwards.
      
      The added helpers allow to disable receiving of SIGINT when pressing the
      key sequence (Ctrl+C usually). This normally sends SIGINT to the
      foreground process group which kills ssh processes used for transport of
      the data.
      ebef6893
    • D
      VMX: Add cdrom-raw dev type from VMWare Fusion · f8456e5a
      Doug Goldstein committed
      According to VMWare's documentation 'cdrom-raw' is an acceptable value
      for deviceType for a CD-ROM drive. The documentation states that the VMX
      configuration for a CD-ROM deviceType is as follows:
      
      ide|scsi(n):(n).deviceType = "cdrom-raw|atapi-cdrom|cdrom-image"
      
      From the documentation it appears the following is true:
      - cdrom-image = Provides the ISO to the VM
      - atapi-cdrom = Provides a NEC emulated ATAPI CD-ROM on top of the host
        CD-ROM
      - cdrom-raw = Passthru for a host CD-ROM drive. Allows CD-R burning from
        within the guest.
      
      A CD-ROM prior to this patch would always provide an 'atapi-cdrom' is
      modeled as:
        <disk type='block' device='cdrom'>
          <source dev='/dev/scd0'/>
          <target dev='hda' bus='ide'/>
          <address type='drive' controller='0' bus='0' target='0' unit='0'/>
        </disk>
      
      This patch allows the 'device' attribute to be set to 'lun' for a raw
      access CD-ROM such as:
        <disk type='block' device='lun'>
          <source dev='/dev/scd0'/>
          <target dev='hda' bus='ide'/>
          <address type='drive' controller='0' bus='0' target='0' unit='0'/>
        </disk>
      f8456e5a
    • D
      VMX: Some serial ports are not actually connected · dba04e7f
      Doug Goldstein committed
      Sometimes a serial port might not be actually wired to a device when the
      user does not have the VM powered on and we should not consider this a
      fatal error.
      dba04e7f
    • C
      qemu: Support virtio-mmio transport for virtio on ARM · 4fa17221
      Cole Robinson committed
      Starting with qemu 1.6, the qemu-system-arm vexpress-a9 model has a
      hardcoded virtio-mmio transport which enables attaching all virtio
      devices.
      
      On the command line, we have to use virtio-XXX-device rather than
      virtio-XXX-pci, thankfully s390 already set the precedent here so
      it's fairly straightforward.
      
      At the XML level, this adds a new device address type virtio-mmio.
      The controller and addressing don't have any subelements at the
      moment because they aren't needed for this usecase, but could
      be added later if needed.
      
      Add a test case for an ARM guest with one of every virtio device
      enabled.
      4fa17221
    • C
      qemu: Fix networking for ARM guests · 54a77c6d
      Cole Robinson committed
      Similar to the chardev bit, ARM boards depend on the old style '-net nic'
      for actually instantiating net devices. But we can't block out
      -netdev altogether since it's needed for upcoming virtio support.
      
      And add tests for working ARM XML with console, disk, and networking.
      54a77c6d
    • C
      domain_conf: Add disk bus=sd, wire it up for qemu · 3730353f
      Cole Robinson committed
      This corresponds to '-sd' and '-drive if=sd' on the qemu command line.
      Needed for many ARM boards which don't provide any other way to
      pass in storage.
      3730353f
    • C
      qemu: Don't try to allocate PCI addresses for ARM · 68e5e93e
      Cole Robinson committed
      68e5e93e
    • C
      qemu: Fix specifying char devs for ARM · 3a2beaee
      Cole Robinson committed
      QEMU ARM boards don't give us any way to explicitly wire in
      a -chardev, so use the old style -serial options.
      
      Unfortunately this isn't as simple as just turning off the CHARDEV flag
      for qemu-system-arm, as upcoming virtio support _will_ use device/chardev.
      3a2beaee
    • C
      qemu: Don't add default memballoon device on ARM · 7c961764
      Cole Robinson committed
      And add test cases for a basic working ARM guest.
      7c961764
    • C
      domain_conf: Add default memballoon in PostParse callbacks · d40cde31
      Cole Robinson committed
      This should be a no-op change for now.
      d40cde31
    • C
      qemu: Set QEMU_AUDIO_DRV=none with -nographic · a216e648
      Cole Robinson committed
      On my machine, a guest fails to boot if it has a sound card, but no
      graphical device/display is configured, because pulseaudio fails to
      initialize since it can't access $HOME.
      
      A workaround is removing the audio device, however on ARM boards there
      isn't any option to do that, so -nographic always fails.
      
      Set QEMU_AUDIO_DRV=none if no <graphics> are configured. Unfortunately
      this has massive test suite fallout.
      
      Add a qemu.conf parameter nographics_allow_host_audio, that if enabled
      will pass through QEMU_AUDIO_DRV from sysconfig (similar to
      vnc_allow_host_audio)
      a216e648
    • G
      Pass AM_LDFLAGS to driver modules too · f1f0e53b
      Guido Günther committed
      This gives us a RO got, otherwise Debian's lintian complains:
      
      W: libvirt-bin: hardening-no-relro usr/lib/libvirt/connection-driver/libvirt_driver_qemu.so
      W: libvirt-bin: hardening-no-relro usr/lib/libvirt/connection-driver/libvirt_driver_storage.so
      W: libvirt-bin: hardening-no-relro usr/lib/libvirt/connection-driver/libvirt_driver_uml.so
      W: libvirt-bin: hardening-no-relro usr/lib/libvirt/connection-driver/libvirt_driver_vbox.so
      W: libvirt-bin: hardening-no-relro usr/lib/libvirt/connection-driver/libvirt_driver_xen.so
      W: libvirt-bin: hardening-no-relro usr/lib/libvirt/connection-driver/libvirt_driver_nwfilter.so
      W: libvirt-bin: hardening-no-relro usr/lib/libvirt/connection-driver/libvirt_driver_storage.so
      W: libvirt-bin: hardening-no-relro usr/lib/libvirt/connection-driver/libvirt_driver_uml.so
      W: libvirt-sanlock: hardening-no-relro usr/lib/libvirt/lock-driver/sanlock.so
      f1f0e53b
    • G
      Fix AM_LDFLAGS typo · fe502de3
      Guido Günther committed
      fe502de3
  2. 02 Sep, 2013 5 commits
  3. 01 Sep, 2013 1 commit
  4. 31 Aug, 2013 5 commits
    • E
      build: fix virtlockd file distribution · 902d62f0
      Eric Blake committed
      Since virtlockd is only built when libvirtd is built, we should
      not install its auxiliary files unconditionally.  This solves
      two failures.  1. 'make distcheck' complains:
      
      rm -f Makefile
      ERROR: files left in build directory after distclean:
      ./src/virtlockd.8
      
      2. './autobuild.sh' complains:
      
      Checking for unpackaged file(s): /usr/lib/rpm/check-files
      /home/eblake/rpmbuild/BUILDROOT/mingw-libvirt-1.1.1-1.fc19.eblake1377879911.x86_64
      error: Installed (but unpackaged) file(s) found:
         /usr/i686-w64-mingw32/sys-root/mingw/etc/libvirt/virtlockd.conf
      
      /usr/i686-w64-mingw32/sys-root/mingw/share/augeas/lenses/tests/test_virtlockd.aug
         /usr/i686-w64-mingw32/sys-root/mingw/share/augeas/lenses/virtlockd.aug
         /usr/i686-w64-mingw32/sys-root/mingw/share/man/man8/virtlockd.8
         /usr/x86_64-w64-mingw32/sys-root/mingw/etc/libvirt/virtlockd.conf
      
      /usr/x86_64-w64-mingw32/sys-root/mingw/share/augeas/lenses/tests/test_virtlockd.aug
         /usr/x86_64-w64-mingw32/sys-root/mingw/share/augeas/lenses/virtlockd.aug
         /usr/x86_64-w64-mingw32/sys-root/mingw/share/man/man8/virtlockd.8
      
      * src/Makefile.am (CLEANFILES): Add virtlockd.8.
      (man8_MANS, conf_DATA, augeas_DATA, augeastest_DATA): Only install
      virtlockd files when daemon is built.
      Signed-off-by: Eric Blake <eblake@redhat.com>
      902d62f0
    • E
      build: shipped files must not depend on BUILT_SOURCES · cd3fa762
      Eric Blake committed
      'make distcheck' was failing with:
      make[3]: Entering directory `/home/eblake/libvirt-tmp2/libvirt-1.1.1/_build/docs'
      perl ../../docs/genaclperms.pl ../../src/access/viraccessperm.h > ../../docs/aclperms.htmlinc
      /bin/sh: ../../docs/aclperms.htmlinc: Permission denied
      
      when simulating the case of a user doing a VPATH build from a
      read-only source tree.  The culprit?  BUILT_SOURCES are _always_
      built, and so must NOT be built into srcdir and need not be part
      of the tarball.  On the other hand, shipped files must never
      depend on files in the builddir.  While it would be possible to
      fix the problem by generating aclperms.htmlinc into builddir,
      we then have the problem that we ship acl.html - we'd have to
      rejigger a lot of things to not ship pre-built html.  So this
      patch goes the other direction - we don't need BUILT_SOURCES,
      but instead ensure that we have proper dependencies so that
      all files in srcdir are up-to-date at the time the tarball is
      created.  And because we ship html files in the tarball, that
      implies we don't expect users to be able to rebuild them, so
      we must not clean any files that would trigger a rebuild except
      under the maintainer rules.
      
      * docs/Makefile.am (BUILT_SOURCES): Delete.
      (CLEANFILES): Downgrade aclperms.htmlinc cleanup...
      (maintainer-clean-local): ...and move hvsupport.html.in...
      (MAINTAINERCLEANFILES): ...to a maintainer action.
      (hvsupport.html.in): Write into srcdir.
      (hvsupport.html): Ensure files are built in order.
      (aclperms.htmlinc): Honor silent make.
      (EXTRA_DIST): Ship aclperms.htmlinc.
      Signed-off-by: Eric Blake <eblake@redhat.com>
      cd3fa762
    • E
      build: fix 'make distcheck' out of the box · f06eb52f
      Eric Blake committed
      With the 1.1.1 tarball, if a user does 'make && make distcheck',
      things pass, but if they do 'make distcheck' after 'make clean',
      there is an odd failure:
      
        GEN      ../../docs/devhelp/index.html
      I/O error : Permission denied
      I/O error : Permission denied
      runtime error: file ../../docs/devhelp/devhelp.xsl line 43 element document
      xsltDocumentElem: unable to save to ../../docs/devhelp/libvirt-virterror.html
      I/O error : Permission denied
      I/O error : Permission denied
      
      This implies that the rules for 'make dist' are missing a
      dependency - the generated documentation needs to be up-to-date
      before creating the tarball, or else the tarball will be missing
      files, where the end user will end up trying to rebuild files in
      srcdir, and that fails when srcdir is read-only.
      
      1.1.1 plus this patch now works without issues (other issues have
      crept in to 1.1.2-rc1 that prevent 'make distcheck' from working,
      but those will be cleaned up in later patches).
      
      * docs/Makefile.am (dist-local): New dependency.
      Signed-off-by: Eric Blake <eblake@redhat.com>
      f06eb52f
    • E
      build: only create virt-login-shell for lxc builds · b9189c80
      Eric Blake committed
      I noticed from an ./autobuild.sh run that we were installing a
      virt-login-shell.exe binary when cross-building for mingw,
      even though such a binary is necessarily worthless since the
      code depends on lxc which is a Linux-only concept.
      
      * tools/Makefile.am (conf_DATA, bin_PROGRAMS, dist_man1_MANS):
      Make virt-login-shell installation conditional.
      Signed-off-by: Eric Blake <eblake@redhat.com>
      b9189c80
    • C
      qemu: Only setup vhost if virtType == "kvm" · d962318c
      Cole Robinson committed
      vhost only works in KVM mode at the moment, and is in fact compiled
      out if the emulator is built for non-native architecture. While it
      may work at some point in the future for plain qemu, for now it's
      just noise on the command line (and which contributes to arm cli
      breakage).
      d962318c
  5. 30 Aug, 2013 4 commits
    • G
      Process virtlockd.conf instead of libvirtd.conf · 3e325448
      Guido Günther committed
      3e325448
    • D
      Change way we fake dbus method calls · dbd2bc8c
      Daniel P. Berrange committed
      Ubuntu libdbus.so links with -Bsymbolic-functions, which means
      that we can only LD_PRELOAD functions that we directly call.
      Functions which libdbus.so calls internally can not be replaced.
      Thus we cannot use dbus_message_new_error or dbus_message_new_method_return
      Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
      dbd2bc8c
    • E
      random: don't mix RAND_MAX with random_r · dd3688e4
      Eric Blake committed
      FreeBSD 10 recently changed their definition of RAND_MAX, to try
      and cover the fact that their evenly distributed results of rand()
      really are a smaller range than a full power of 2.  As a result,
      I did some investigation, and learned:
      
      1. POSIX requires random() to be evenly distributed across exactly
      31 bits.  glibc also guarantees this for rand(), but the two are
      unrelated, and POSIX only associates RAND_MAX with rand().
      Avoiding RAND_MAX altogether thus avoids a build failure on
      FreeBSD 10.
      
      2. Concatenating random bits from a PRNG will NOT provide uniform
      coverage over the larger value UNLESS the period of the original
      PRNG is at least as large as the number of bits being concatenated.
      Simple example: suppose that RAND_MAX were 1 with a period of 2**1
      (which means that the PRNG merely alternates between 0 and 1).
      Concatenating two successive rand() calls would then invariably
      result in 01 or 10, which is a rather non-uniform distribution
      (00 and 11 are impossible) and an even worse period (2**0, since
      our second attempt will get the same number as our first attempt).
      But a RAND_MAX of 1 with a period of 2**2 (alternating between
      0, 1, 1, 0) provides sane coverage of all four values, if properly
      tempered.  (Back-to-back calls would still only see half the values
      if we don't do some tempering).  We therefore want to guarantee a
      period of at least 2**64, preferably larger (as a tempering factor);
      POSIX only makes this guarantee for random() with 256 bytes of info.
      
      * src/util/virrandom.c (virRandomBits): Use constants that are
      accurate for the PRNG we are using, not an unrelated PRNG.
      (randomState): Ensure the period of our PRNG exceeds our usage.
      Signed-off-by: Eric Blake <eblake@redhat.com>
      dd3688e4
    • P
      8c725cc1
  6. 29 Aug, 2013 8 commits
    • E
      security: provide supplemental groups even when parsing label (CVE-2013-4291) · 745aa55f
      Eric Blake committed
      Commit 29fe5d74 (released in 1.1.1) introduced a latent problem
      for any caller of virSecurityManagerSetProcessLabel and where
      the domain already had a uid:gid label to be parsed.  Such a
      setup would collect the list of supplementary groups during
      virSecurityManagerPreFork, but then ignores that information,
      and thus fails to call setgroups() to adjust the supplementary
      groups of the process.
      
      Upstream does not use virSecurityManagerSetProcessLabel for
      qemu (it uses virSecurityManagerSetChildProcessLabel instead),
      so this problem remained latent until backporting the initial
      commit into v0.10.2-maint (commit c061ff5e, released in 0.10.2.7),
      where virSecurityManagerSetChildProcessLabel has not been
      backported.  As a result of using a different code path in the
      backport, attempts to start a qemu domain that runs as qemu:qemu
      will end up with supplementary groups unchanged from the libvirtd
      parent process, rather than the desired supplementary groups of
      the qemu user.  This can lead to failure to start a domain
      (typical Fedora setup assigns user 107 'qemu' to both group 107
      'qemu' and group 36 'kvm', so a disk image that is only readable
      under kvm group rights is locked out).  Worse, it is a security
      hole (the qemu process will inherit supplemental group rights
      from the parent libvirtd process, which means it has access
      rights to files owned by group 0 even when such files should
      not normally be visible to user qemu).
      
      LXC does not use the DAC security driver, so it is not vulnerable
      at this time.  Still, it is better to plug the latent hole on
      the master branch first, before cherry-picking it to the only
      vulnerable branch v0.10.2-maint.
      
      * src/security/security_dac.c (virSecurityDACGetIds): Always populate
      groups and ngroups, rather than only when no label is parsed.
      Signed-off-by: Eric Blake <eblake@redhat.com>
      745aa55f
    • D
      Prohibit unbounded arrays in XDR protocols · a4d1cfdc
      Daniel P. Berrange committed
      The use of <> is a security issue for RPC parameters, since a
      malicious client can set a huge array length causing arbitrary
      memory allocation in the daemon.
      
      It is also a robustness issue for RPC return values, because if
      the stream is corrupted, it can cause the client to also allocate
      arbitrary memory.
      
      Use a syntax-check rule to prohibit any use of <>
      Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
      a4d1cfdc
    • D
      Add bounds checking on virConnectListAllSecrets RPC call · 47fb5672
      Daniel P. Berrange committed
      The return values for the virConnectListAllSecrets call were not
      bounds checked. This is a robustness issue for clients if
      something were to cause corruption of the RPC stream data.
      Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
      47fb5672
    • D
      Add bounds checking on virConnectListAllNWFilters RPC call · 12034511
      Daniel P. Berrange committed
      The return values for the virConnectListAllNWFilters call were not
      bounds checked. This is a robustness issue for clients if
      something were to cause corruption of the RPC stream data.
      Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
      12034511
    • D
      Add bounds checking on virConnectListAllNodeDevices RPC call · 1dcff6a7
      Daniel P. Berrange committed
      The return values for the virConnectListAllNodeDevices call were not
      bounds checked. This is a robustness issue for clients if
      something were to cause corruption of the RPC stream data.
      Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
      1dcff6a7
    • D
      Add bounds checking on virConnectListAllInterfaces RPC call · 8be21728
      Daniel P. Berrange committed
      The return values for the virConnectListAllInterfaces call were not
      bounds checked. This is a robustness issue for clients if
      something were to cause corruption of the RPC stream data.
      Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
      8be21728
    • D
      Add bounds checking on virConnectListAllNetworks RPC call · 174f7dd5
      Daniel P. Berrange committed
      The return values for the virConnectListAllNetworks call were not
      bounds checked. This is a robustness issue for clients if
      something were to cause corruption of the RPC stream data.
      Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
      174f7dd5
    • D
      Add bounds checking on virStoragePoolListAllVolumes RPC call · 046acaf3
      Daniel P. Berrange committed
      The return values for the virStoragePoolListAllVolumes call were not
      bounds checked. This is a robustness issue for clients if
      something were to cause corruption of the RPC stream data.
      Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
      046acaf3
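
The risk named in the "Prohibit unbounded arrays in XDR protocols" commit and the bounds-checking commits above, as an added C example that is not libvirt code: a minimal decoder for an XDR variable-length array that checks the wire-supplied count against a declared maximum, and against the bytes actually received, before allocating. `EXAMPLE_LIST_MAX`, the function names and the sample messages are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical limit: the N in an XDR "unsigned int ids<N>;" declaration. */
#define EXAMPLE_LIST_MAX 16384u

/* Constructed sample messages: 4-byte big-endian count, then the elements. */
const unsigned char good_msg[]  = { 0,0,0,2, 0,0,0,7, 0,0,0,9 };
const unsigned char huge_msg[]  = { 0x3f,0xff,0xff,0xff, 0,0,0,1 };
const unsigned char short_msg[] = { 0,0,0,3, 0,0,0,7, 0,0,0,9 };

static uint32_t be32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Bytes a decoder for "ids<>" would request on the sender's word alone. */
size_t unbounded_alloc_request(const unsigned char *buf, size_t len)
{
    return len < 4 ? 0 : (size_t)be32(buf) * sizeof(uint32_t);
}

/* Decode "ids<max>". Returns 0 and a malloc'ed array, or -1 on rejection. */
int decode_u32_array(const unsigned char *buf, size_t len, uint32_t max,
                     uint32_t **out, uint32_t *n_out)
{
    uint32_t n, i, *items;

    *out = NULL;
    *n_out = 0;
    if (len < 4)
        return -1;
    n = be32(buf);
    if (n > max)                /* count exceeds the declared bound */
        return -1;
    if (n > (len - 4) / 4)      /* count exceeds the data actually received */
        return -1;
    items = calloc(n ? n : 1, sizeof(*items));
    if (!items)
        return -1;
    for (i = 0; i < n; i++)
        items[i] = be32(buf + 4 + 4 * (size_t)i);
    *out = items;
    *n_out = n;
    return 0;
}

int main(void)
{
    uint32_t *v, n;

    printf("unbounded decoder would request %zu bytes\n",
           unbounded_alloc_request(huge_msg, sizeof(huge_msg)));
    printf("bounded decode of huge_msg: %d\n",
           decode_u32_array(huge_msg, sizeof(huge_msg), EXAMPLE_LIST_MAX, &v, &n));
    printf("bounded decode of good_msg: %d\n",
           decode_u32_array(good_msg, sizeof(good_msg), EXAMPLE_LIST_MAX, &v, &n));
    free(v);
    return 0;
}
```

The second check matters for the client side too: a corrupted stream can carry a count that is under the bound but larger than the data that follows, as in `short_msg`.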