- 16 10月, 2017 20 次提交
-
-
由 Daniel P. Berrange 提交于
The default_tls_x509_verify (and related) parameters in qemu.conf control whether the QEMU TLS servers request & verify certificates from clients. This works as a simple access control system for servers by requiring the CA to issue certs to permitted clients. This use of client certificates is disabled by default, since it requires extra work to issue client certificates. Unfortunately the code was using this configuration parameter when setting up both TLS clients and servers in QEMU. The result was that TLS clients for character devices and disk devices had verification turned off, meaning they would ignore errors while validating the server certificate. This allows for trivial MITM attacks between client and server, as any certificate returned by the attacker will be accepted by the client. This is assigned CVE-2017-1000256 / LSN-2017-0002 Reviewed-by: NEric Blake <eblake@redhat.com> Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>
-
由 Daniel P. Berrange 提交于
This adds a rule to require https links for the libvirt, qemu and kvm websites. Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>
-
由 Ján Tomko 提交于
Somewhere around commit 9ff9d9f5 reserving entire PCI slots was eliminated, as demonstrated by commit 6cc20142. Reserve the functions required by the implicit devices: 00:01.0 ISA Bridge 00:01.1 IDE Controller 00:01.2 USB Controller (unless USB is disabled) 00:01.3 Bridge https://bugzilla.redhat.com/show_bug.cgi?id=1460143
-
由 Jiri Denemark 提交于
xsaveopt is artificially removed from the host to test disabled feature which is only included in QEMU's version of the CPU model. Signed-off-by: NJiri Denemark <jdenemar@redhat.com> Reviewed-by: NJohn Ferlan <jferlan@redhat.com>
-
由 Jiri Denemark 提交于
arat is now enabled even if the hardware does not support it. Signed-off-by: NJiri Denemark <jdenemar@redhat.com> Reviewed-by: NJohn Ferlan <jferlan@redhat.com>
-
由 Jiri Denemark 提交于
Signed-off-by: NJiri Denemark <jdenemar@redhat.com> Reviewed-by: NJohn Ferlan <jferlan@redhat.com>
-
由 Jiri Denemark 提交于
xsaves is supported by current QEMU/KVM on this CPU. Signed-off-by: NJiri Denemark <jdenemar@redhat.com> Reviewed-by: NJohn Ferlan <jferlan@redhat.com>
-
由 Jiri Denemark 提交于
This CPU was incorrectly detected as SandyBridge before because the number of additional <feature> elements was the same for both SandyBridge and Westmere CPU models, but SandyBridge is newer (the CPU signature does not help here because it doesn't match any signature defined in cpu_map.xml). But since QEMU's version of SandyBridge CPU model contains xsaveopt which needs to be disabled, Westmere becomes the best CPU model when translating CPUID data to virCPUDef. Unfortunately, this doesn't help with translating the data we got from QEMU and the CPU model is still computed as SandyBridge in this case. Signed-off-by: NJiri Denemark <jdenemar@redhat.com> Reviewed-by: NJohn Ferlan <jferlan@redhat.com>
-
由 Jiri Denemark 提交于
Signed-off-by: NJiri Denemark <jdenemar@redhat.com> Reviewed-by: NJohn Ferlan <jferlan@redhat.com>
-
由 Jiri Denemark 提交于
The unavailable features do not make any difference in this case, because this is a SandyBridge CPU which has an empty list of unavailable features. Signed-off-by: NJiri Denemark <jdenemar@redhat.com> Reviewed-by: NJohn Ferlan <jferlan@redhat.com>
-
由 Jiri Denemark 提交于
When testing cpuDecode for computing guest CPU definition from CPUID data (the CPU definition reported by domain capabilities), we need to use CPU models (and their usability blockers) from QEMU if they are available to cpuDecode in the same way it is actually used in the qemu driver. Signed-off-by: NJiri Denemark <jdenemar@redhat.com> Reviewed-by: NJohn Ferlan <jferlan@redhat.com>
-
由 Jiri Denemark 提交于
To make the code reusable by other tests. Signed-off-by: NJiri Denemark <jdenemar@redhat.com> Reviewed-by: NJohn Ferlan <jferlan@redhat.com>
-
由 Jiri Denemark 提交于
Gather query-cpu-definitions results and use them for testing CPU model usability blockers in CPUID to virCPUDef translation. Signed-off-by: NJiri Denemark <jdenemar@redhat.com> Reviewed-by: NJohn Ferlan <jferlan@redhat.com>
-
由 Jiri Denemark 提交于
If the actual result does not match our expectation, the tests would not correctly show the difference if a CPU feature is disabled in the expected result and the actual result does not mention it at all. The test could complain about an unrelated CPU feature or it could even crash in case the actual result contains no more features to go through. Signed-off-by: NJiri Denemark <jdenemar@redhat.com> Reviewed-by: NJohn Ferlan <jferlan@redhat.com>
-
由 Jiri Denemark 提交于
Various version of json_reformat use different number of spaces for indenting. Let's use a simple python reformatter to gain full control over the formatting for consistent results. Signed-off-by: NJiri Denemark <jdenemar@redhat.com> Reviewed-by: NJohn Ferlan <jferlan@redhat.com>
-
由 Jiri Denemark 提交于
We will soon need to handle more than two values. Signed-off-by: NJiri Denemark <jdenemar@redhat.com> Reviewed-by: NJohn Ferlan <jferlan@redhat.com>
-
由 Jiri Denemark 提交于
The "preferred" parameter is not used by any caller of cpuDecode anymore. It's only used internally in cpu_x86 to implement cpuBaseline. Signed-off-by: NJiri Denemark <jdenemar@redhat.com> Reviewed-by: NJohn Ferlan <jferlan@redhat.com>
-
由 Jiri Denemark 提交于
All APIs which expect a list of CPU models supported by hypervisors were switched from char **models and int models to just accept a pointer to virDomainCapsCPUModels object stored in domain capabilities. This avoids the need to transform virDomainCapsCPUModelsPtr into a NULL-terminated list of model names and also allows the various cpu driver APIs to access additional details (such as its usability) about each CPU model. Signed-off-by: NJiri Denemark <jdenemar@redhat.com> Reviewed-by: NJohn Ferlan <jferlan@redhat.com>
-
由 Jiri Denemark 提交于
query-cpu-definitions QMP command returns a list of unavailable features which prevent CPU models from being usable on the current host. So far we only checked whether the list was empty to mark CPU models as (un)usable. This patch parses all unavailable features for each CPU model and stores them in virDomainCapsCPUModel as a list of usability blockers. Signed-off-by: NJiri Denemark <jdenemar@redhat.com> Reviewed-by: NJohn Ferlan <jferlan@redhat.com>
-
由 Jiri Denemark 提交于
When a hypervisor marks a CPU model as unusable on the current host, it may also give us a list of features which prevent the model from being usable. Storing this list in virDomainCapsCPUModel will help the CPU driver with creating a host-model CPU configuration. Signed-off-by: NJiri Denemark <jdenemar@redhat.com> Reviewed-by: NJohn Ferlan <jferlan@redhat.com>
-
- 11 10月, 2017 1 次提交
-
-
由 Andrea Bolognani 提交于
Parse the -M (or -machine) command line option before starting processing in earnest and have a fallback ready in case it's not present, so that while parsing other options we can rely on def->os.machine being initialized. Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1379218Signed-off-by: NAndrea Bolognani <abologna@redhat.com> Reviewed-by: NDaniel P. Berrange <berrange@redhat.com>
-
- 10 10月, 2017 1 次提交
-
-
由 Marc Hartmayer 提交于
This commit fixes the deadlock introduced by commit 0980764d. The call getgrouplist() of the glibc library isn't safe to be called in between fork and exec (see commit 75c12564). Signed-off-by: NMarc Hartmayer <mhartmay@linux.vnet.ibm.com> Fixes: 0980764d ("util: share code between virExec and virCommandExec") Reviewed-by: NBjoern Walk <bwalk@linux.vnet.ibm.com> Reviewed-by: NBoris Fiuczynski <fiuczy@linux.vnet.ibm.com>
-
- 06 10月, 2017 2 次提交
-
-
由 John Ferlan 提交于
-
由 Peter Krempa 提交于
Note when no blockjobs are running in the status XML so that we know that the backing chain will not change until we reconnect.
-
- 05 10月, 2017 5 次提交
-
-
由 Michal Privoznik 提交于
https://bugzilla.redhat.com/show_bug.cgi?id=1447169Signed-off-by: NMichal Privoznik <mprivozn@redhat.com> Reviewed-by: NJohn Ferlan <jferlan@redhat.com>
-
由 Michal Privoznik 提交于
https://bugzilla.redhat.com/show_bug.cgi?id=1447169 Since domain can have at most one watchdog it simplifies things a bit. However, since we must be able to set the watchdog action as well, new monitor command needs to be used. Signed-off-by: NMichal Privoznik <mprivozn@redhat.com> Reviewed-by: NJohn Ferlan <jferlan@redhat.com>
-
由 Peter Krempa 提交于
Unindent the static XML block and move around the autoindent calls so that further additions don't have to add more of them. Also rename the string holding the static XML section.
-
由 Michal Privoznik 提交于
Similarly to previous patch, for some types of interface domain and host are on the same side of RX/TX barrier. In that case, we need to set up the QoS differently. Well, swapped. Signed-off-by: NMichal Privoznik <mprivozn@redhat.com> Reviewed-by: NJohn Ferlan <jferlan@redhat.com>
-
由 Jiri Denemark 提交于
clang doesn't like mode_t type as an argument to va_arg(): error: second argument to 'va_arg' is of promotable type 'mode_t' (aka 'unsigned short'); this va_arg has undefined behavior because arguments will be promoted to 'int' mode = va_arg(ap, mode_t); ^~~~~~ Signed-off-by: NJiri Denemark <jdenemar@redhat.com>
-
- 04 10月, 2017 4 次提交
-
-
由 Lin Ma 提交于
qemu 2.7.0 introduces multiqueue virtio-blk(commit 2f27059). This patch introduces a new attribute "queues". An example of the XML: <disk type='file' device='disk'> <driver name='qemu' type='qcow2' queues='4'/> The corresponding QEMU command line: -device virtio-blk-pci,scsi=off,num-queues=4,id=virtio-disk0 Signed-off-by: NLin Ma <lma@suse.com> Signed-off-by: NJán Tomko <jtomko@redhat.com>
-
由 Lin Ma 提交于
Signed-off-by: NLin Ma <lma@suse.com>
-
由 Michal Privoznik 提交于
It will come handy to know if the MAC address was generated (e.g. during XML parse) or if it was parsed since provided by user in the XML. Signed-off-by: NMichal Privoznik <mprivozn@redhat.com> Reviewed-by: NErik Skultety <eskultet@redhat.com>
-
由 Luyao Huang 提交于
This is normally not an issue since the tests which use mocked open() do not create files. But once coverage build is enabled, gcov_open will use O_CREATE and real_open will read random data rather than the actual mode argument. Signed-off-by: NJiri Denemark <jdenemar@redhat.com>
-
- 29 9月, 2017 1 次提交
-
-
由 Daniel P. Berrange 提交于
The test suite has hardcoded /etc/pki/qemu as the cert dir, but this only works if configure has --sysconfdir=/etc passed. We must set the vxhs cert dir to a stable path in the test suite. Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>
-
- 28 9月, 2017 2 次提交
-
-
由 Ashish Mittal 提交于
Alter qemu command line generation in order to possibly add TLS for a suitably configured domain. Sample TLS args generated by libvirt - -object tls-creds-x509,id=objvirtio-disk0_tls0,dir=/etc/pki/qemu,\ endpoint=client,verify-peer=yes \ -drive file.driver=vxhs,file.tls-creds=objvirtio-disk0_tls0,\ file.vdisk-id=eb90327c-8302-4725-9e1b-4e85ed4dc251,\ file.server.type=tcp,file.server.host=192.168.0.1,\ file.server.port=9999,format=raw,if=none,\ id=drive-virtio-disk0,cache=none \ -device virtio-blk-pci,bus=pci.0,addr=0x4,drive=drive-virtio-disk0,\ id=virtio-disk0 Update the qemuxml2argvtest with a couple of examples. One for a simple case and the other a bit more complex where multiple VxHS disks are added where at least one uses a VxHS that doesn't require TLS credentials and thus sets the domain disk source attribute "tls = 'no'". Update the hotplug to be able to handle processing the tlsAlias whether it's to add the TLS object when hotplugging a disk or to remove the TLS object when hot unplugging a disk. The hot plug/unplug code is largely generic, but the addition code does make the VXHS specific checks only because it needs to grab the correct config directory and generate the object as the command line would do. Signed-off-by: NAshish Mittal <Ashish.Mittal@veritas.com> Signed-off-by: NJohn Ferlan <jferlan@redhat.com>
-
由 Ashish Mittal 提交于
Add an optional virTristateBool haveTLS to virStorageSource to manage whether a storage source will be using TLS. Sample XML for a VxHS disk: <disk type='network' device='disk'> <driver name='qemu' type='raw' cache='none'/> <source protocol='vxhs' name='eb90327c-8302-4725-9e1b-4e85ed4dc251' tls='yes'> <host name='192.168.0.1' port='9999'/> </source> <target dev='vda' bus='virtio'/> </disk> Additionally add a tlsFromConfig boolean to control whether the TLS setting was due to domain configuration or qemu.conf global setting in order to decide whether to Format the haveTLS setting for either a live or saved domain configuration file. Update the qemuxml2xmltest in order to add a test to show the proper parsing. Also update the docs to describe the tls attribute. Signed-off-by: NAshish Mittal <Ashish.Mittal@veritas.com> Signed-off-by: NJohn Ferlan <jferlan@redhat.com>
-
- 27 9月, 2017 1 次提交
-
-
由 Pavel Hrdina 提交于
This reverts commit edaf4ebe. This uses "reconnect" as attribute for <source> element, but we already have a <reconnect> element for <source> element for chardev devices. Since this is the same feature for different device it should be presented in XML the same way. Signed-off-by: NPavel Hrdina <phrdina@redhat.com>
-
- 26 9月, 2017 1 次提交
-
-
由 Ján Tomko 提交于
It is possible (although possibly not very useful) to leave out the service attribute when using <source mode='bind'/> Fix the formatter bug introduced by commit 4a0da345 and format the host when its present (checked for non-NULL inside virBufferEscapeString) instead of basing it on the presence of the service attribute. https://bugzilla.redhat.com/show_bug.cgi?id=1455825
-
- 22 9月, 2017 1 次提交
-
-
由 Boris Fiuczynski 提交于
Adding s390x qemu caps test for qemu version 2.10.0. Signed-off-by: NBoris Fiuczynski <fiuczy@linux.vnet.ibm.com>
-
- 21 9月, 2017 1 次提交
-
-
由 Jiri Denemark 提交于
In the past we updated host-model CPUs with host CPU data by adding a model and features, but keeping the host-model mode. And since the CPU model is not normally formatted for host-model CPU defs, we had to pass the updateCPU flag to the formatting code to be able to properly output updated host-model CPUs. Libvirt doesn't do this anymore, host-model CPUs are turned into custom mode CPUs once updated with host CPU data and thus there's no reason for keeping the hacks inside CPU XML formatters. Signed-off-by: NJiri Denemark <jdenemar@redhat.com>
-