1. 10 4月, 2017 1 次提交
  2. 28 3月, 2017 1 次提交
    • A
      qemu: Remove qemuDomainRequiresMemLock() · 1f7661af
      Andrea Bolognani 提交于
      Instead of having a separate function, we can simply return
      zero from the existing qemuDomainGetMemLockLimitBytes() to
      signal the caller that the memory locking limit doesn't need
      to be set for the guest.
      
      Having a single function instead of two makes it less likely
      that we will use the wrong value, which is exactly what
      happened when we started applying the limit that was meant
      for VFIO-using guests to <memoryBacking><locked>-using
      guests.
      1f7661af
  3. 27 3月, 2017 5 次提交
  4. 25 3月, 2017 1 次提交
    • J
      qemu: Set up the migration TLS objects for target · 1a6b6d9a
      John Ferlan 提交于
      If the migration flags indicate this migration will be using TLS,
      then set up the destination during the prepare phase once the target
      domain has been started to add the TLS objects to perform the migration.
      
      This will create at least an "-object tls-creds-x509,endpoint=server,..."
      for TLS credentials and potentially an "-object secret,..." to handle the
      passphrase response to access the TLS credentials. The alias/id used for
      the TLS objects will contain "libvirt_migrate".
      
      Once the objects are created, the code will set the "tls-creds" and
      "tls-hostname" migration parameters to signify usage of TLS.
      
      During the Finish phase we'll be sure to attempt to clear the
      migration parameters and delete those objects (whether or not they
      were created). We'll also perform the same reset during recovery
      if we've reached FINISH3.
      
      If the migration isn't using TLS, then be sure to check if the
      migration parameters exist and clear them if so.
      1a6b6d9a
  5. 16 3月, 2017 1 次提交
  6. 10 3月, 2017 1 次提交
    • M
      qemuProcessHandleMonitorEOF: Disable namespace for domain · e915942b
      Michal Privoznik 提交于
      https://bugzilla.redhat.com/show_bug.cgi?id=1430634
      
      If a qemu process has died, we get EOF on its monitor. At this
      point, since qemu process was the only one running in the
      namespace kernel has already cleaned the namespace up. Any
      attempt of ours to enter it has to fail.
      
      This really happened in the bug linked above. We've tried to
      attach a disk to qemu and while we were in the monitor talking to
      qemu it just died. Therefore our code tried to do some roll back
      (e.g. deny the device in cgroups again, restore labels, etc.).
      However, during the roll back (esp. when restoring labels) we
      still thought that domain has a namespace. So we used secdriver's
      transactions. This failed as there is no namespace to enter.
      Signed-off-by: NMichal Privoznik <mprivozn@redhat.com>
      e915942b
  7. 09 3月, 2017 1 次提交
  8. 21 2月, 2017 1 次提交
    • M
      qemu: Fix deadlock across fork() in QEMU driver · e22de286
      Marc Hartmayer 提交于
      The functions in virCommand() after fork() must be careful with regard
      to accessing any mutexes that may have been locked by other threads in
      the parent process. It is possible that another thread in the parent
      process holds the lock for the virQEMUDriver while fork() is called.
      This leads to a deadlock in the child process when
      'virQEMUDriverGetConfig(driver)' is called and therefore the handshake
      never completes between the child and the parent process. Ultimately
      the virDomainObjectPtr will never be unlocked.
      
      It gets much worse if the other thread of the parent process, that
      holds the lock for the virQEMUDriver, tries to lock the already locked
      virDomainObject. This leads to a completely unresponsive libvirtd.
      
      It's possible to reproduce this case with calling 'virsh start XXX'
      and 'virsh managedsave XXX' in a tight loop for multiple domains.
      
      This commit fixes the deadlock in the same way as it is described in
      commit 61b52d2e.
      Signed-off-by: NMarc Hartmayer <mhartmay@linux.vnet.ibm.com>
      Reviewed-by: NBoris Fiuczynski <fiuczy@linux.vnet.ibm.com>
      e22de286
  9. 20 2月, 2017 3 次提交
  10. 15 2月, 2017 1 次提交
    • M
      qemu_conf: Check for namespaces availability more wisely · b57bd206
      Michal Privoznik 提交于
      The bare fact that mnt namespace is available is not enough for
      us to allow/enable qemu namespaces feature. There are other
      requirements: we must copy all the ACL & SELinux labels otherwise
      we might grant access that is administratively forbidden or vice
      versa.
      At the same time, the check for namespace prerequisites is moved
      from domain startup time to qemu.conf parser as it doesn't make
      much sense to allow users to start misconfigured libvirt just to
      find out they can't start a single domain.
      Signed-off-by: NMichal Privoznik <mprivozn@redhat.com>
      b57bd206
  11. 08 2月, 2017 1 次提交
  12. 31 1月, 2017 1 次提交
  13. 26 1月, 2017 1 次提交
  14. 10 1月, 2017 1 次提交
  15. 04 1月, 2017 1 次提交
    • J
      qemu: Don't assume secret provided for LUKS encryption · 7f7d9904
      John Ferlan 提交于
      https://bugzilla.redhat.com/show_bug.cgi?id=1405269
      
      If a secret was not provided for what was determined to be a LUKS
      encrypted disk (during virStorageFileGetMetadata processing when
      called from qemuDomainDetermineDiskChain as a result of hotplug
      attach qemuDomainAttachDeviceDiskLive), then do not attempt to
      look it up (avoiding a libvirtd crash) and do not alter the format
      to "luks" when adding the disk; otherwise, the device_add would
      fail with a message such as:
      
         "unable to execute QEMU command 'device_add': Property 'scsi-hd.drive'
          can't find value 'drive-scsi0-0-0-0'"
      
      because of assumptions that when the format=luks that libvirt would have
      provided the secret to decrypt the volume.
      
      Access to unlock the volume will thus be left to the application.
      7f7d9904
  16. 15 12月, 2016 5 次提交
    • M
      qemu: Manage /dev entry on RNG hotplug · f95c5c48
      Michal Privoznik 提交于
      When attaching a device to a domain that's using separate mount
      namespace we must maintain /dev entries in order for qemu process
      to see them.
      Signed-off-by: NMichal Privoznik <mprivozn@redhat.com>
      f95c5c48
    • M
      qemu: Manage /dev entry on chardev hotplug · f5fdf23a
      Michal Privoznik 提交于
      When attaching a device to a domain that's using separate mount
      namespace we must maintain /dev entries in order for qemu process
      to see them.
      Signed-off-by: NMichal Privoznik <mprivozn@redhat.com>
      f5fdf23a
    • M
      qemu: Manage /dev entry on hostdev hotplug · 6e574928
      Michal Privoznik 提交于
      When attaching a device to a domain that's using separate mount
      namespace we must maintain /dev entries in order for qemu process
      to see them.
      Signed-off-by: NMichal Privoznik <mprivozn@redhat.com>
      6e574928
    • M
      qemu: Manage /dev entry on disk hotplug · 81df2150
      Michal Privoznik 提交于
      When attaching a device to a domain that's using separate mount
      namespace we must maintain /dev entries in order for qemu process
      to see them.
      Signed-off-by: NMichal Privoznik <mprivozn@redhat.com>
      81df2150
    • M
      qemu: Spawn qemu under mount namespace · bb4e5296
      Michal Privoznik 提交于
      Prime time. When it comes to spawning qemu process and
      relabelling all the devices it's going to touch, there's inherent
      race with other applications in the system (e.g. udev). Instead
      of trying convincing udev to not touch libvirt managed devices,
      we can create a separate mount namespace for the qemu, and mount
      our own /dev there. Of course this puts more work onto us as we
      have to maintain /dev files on each domain start and device
      hot(un-)plug. On the other hand, this enhances security also.
      
      From technical POV, on domain startup process the parent
      (libvirtd) creates:
      
        /var/lib/libvirt/qemu/$domain.dev
        /var/lib/libvirt/qemu/$domain.devpts
      
      The child (which is going to be qemu eventually) calls unshare()
      to create new mount namespace. From now on anything that child
      does is invisible to the parent. Child then mounts tmpfs on
      $domain.dev (so that it still sees original /dev from the host)
      and creates some devices (as explained in one of the previous
      patches). The devices have to be created exactly as they are in
      the host (including perms, seclabels, ACLs, ...). After that it
      moves $domain.dev mount to /dev.
      
      What's the $domain.devpts mount there for then you ask? QEMU can
      create PTYs for some chardevs. And historically we exposed the
      host ends in our domain XML allowing users to connect to them.
      Therefore we must preserve devpts mount to be shared with the
      host's one.
      
      To make this patch as small as possible, creating of devices
      configured for domain in question is implemented in next patches.
      Signed-off-by: NMichal Privoznik <mprivozn@redhat.com>
      bb4e5296
  17. 23 11月, 2016 2 次提交
    • N
      qemu: agent: fix unsafe agent access · aaf2992d
      Nikolay Shirokovskiy 提交于
      qemuDomainObjExitAgent is unsafe.
      
      First it accesses domain object without domain lock.
      Second it uses outdated logic that goes back to commit 79533da1 of
      year 2009 when code was quite different. (unref function
      instead of unreferencing only unlocked and disposed object
      in case of last reference and leaved unlocking to the caller otherwise).
      Nowadays this logic may lead to disposing locked object
      i guess.
      
      Another problem is that the callers of qemuDomainObjEnterAgent
      use domain object again (namely priv->agent) without domain lock.
      
      This patch address these two problems.
      
      qemuDomainGetAgent is dropped as unused.
      aaf2992d
    • N
      qemu: drop write-only agentStart · 3c1c5678
      Nikolay Shirokovskiy 提交于
      3c1c5678
  18. 22 11月, 2016 1 次提交
  19. 15 11月, 2016 1 次提交
  20. 11 11月, 2016 1 次提交
    • P
      qemu: process: detect if dimm aliases are broken on reconnect · 93d9ff3d
      Peter Krempa 提交于
      Detect on reconnect to a running qemu VM whether the alias of a
      hotpluggable memory device (dimm) does not match the dimm slot number
      where it's connected to. This is necessary as qemu is actually
      considering the alias as machine ABI used to connect the backend object
      to the dimm device.
      
      This will require us to keep them consistent so that we can reliably
      restore them on migration. In some situations it was currently possible
      to create a mismatched configuration and qemu would refuse to restore
      the migration stream.
      
      To avoid breaking existing VMs we'll need to keep the old algorithm
      though.
      93d9ff3d
  21. 26 10月, 2016 1 次提交
    • J
      qemu: Add a secret object to/for a char source dev · daf5c651
      John Ferlan 提交于
      Add the secret object so the 'passwordid=' can be added if the command line
      if there's a secret defined in/on the host for TCP chardev TLS objects.
      
      Preparation for the secret involves adding the secinfo to the char source
      device prior to command line processing. There are multiple possibilities
      for TCP chardev source backend usage.
      
      Add test for at least a serial chardev as an example.
      daf5c651
  22. 25 10月, 2016 1 次提交
  23. 24 10月, 2016 1 次提交
    • P
      domain: Add optional 'tls' attribute for TCP chardev · 0298531b
      Pavel Hrdina 提交于
      Add an optional "tls='yes|no'" attribute for a TCP chardev.
      
      For QEMU, this will allow for disabling the host config setting of the
      'chardev_tls' for a domain chardev channel by setting the value to "no" or
      to attempt to use a host TLS environment when setting the value to "yes"
      when the host config 'chardev_tls' setting is disabled, but a TLS environment
      is configured via either the host config 'chardev_tls_x509_cert_dir' or
      'default_tls_x509_cert_dir'
      Signed-off-by: NJohn Ferlan <jferlan@redhat.com>
      Signed-off-by: NPavel Hrdina <phrdina@redhat.com>
      0298531b
  24. 22 10月, 2016 1 次提交
    • J
      conf: Move the privateData from virDomainChrDef to virDomainChrSourceDef · 7bd8312e
      John Ferlan 提交于
      Commit id '5f2a1327' should have placed the data in the host source
      def structure since that's also used by smartcard, redirdev, and rng in
      order to provide a backend tcp channel.  The data in the private structure
      will be necessary in order to provide the secret properly.
      
      This also renames the previous names from "Chardev" to "ChrSource" for
      the private data structures and API's
      7bd8312e
  25. 20 10月, 2016 1 次提交
    • J
      qemu: Introduce qemuDomainChardevPrivatePtr · 5f2a1327
      John Ferlan 提交于
      Modeled after the qemuDomainHostdevPrivatePtr (commit id '27726d8c'),
      create a privateData pointer in the _virDomainChardevDef to allow storage
      of private data for a hypervisor in order to at least temporarily store
      secret data for usage during qemuBuildCommandLine.
      
      NB: Since the qemu_parse_command (qemuParseCommandLine) code is not
      expecting to restore the secret data, there's no need to add code
      code to handle this new structure there.
      Signed-off-by: NJohn Ferlan <jferlan@redhat.com>
      5f2a1327
  26. 12 10月, 2016 1 次提交
  27. 21 9月, 2016 1 次提交
  28. 20 9月, 2016 1 次提交
  29. 12 9月, 2016 1 次提交
    • J
      qemu: Don't use query-migrate on destination · 56258a38
      Jiri Denemark 提交于
      When migration fails, we need to poke QEMU monitor to check for a reason
      of the failure. We did this using query-migrate QMP command, which is
      not supposed to return any meaningful result on the destination side.
      Thus if the monitor was still functional when we detected the migration
      failure, parsing the answer from query-migrate always failed with the
      following error message:
      
          "info migration reply was missing return status"
      
      This irrelevant message was then used as the reason for the migration
      failure replacing any message we might have had.
      
      Let's use harmless query-status for poking the monitor to make sure we
      only get an error if the monitor connection is broken.
      
      https://bugzilla.redhat.com/show_bug.cgi?id=1374613Signed-off-by: NJiri Denemark <jdenemar@redhat.com>
      56258a38