The virt-login-shell binary is a setuid program that takes
no arguments. When invoked it looks at the invoking uid,
resolves it to a username, and finds an LXC guest with the
same name. It then starts the guest and runs the shell in
side the namespaces of the container.

Given this set of tasks the virt-login-shell binary needs
to connect to libvirtd, make various other libvirt API calls.
This is a problem for setuid binaries as various libraries
that libvirt.so links to are not safe. For example, they have
constructor functions which execute an unknown amount of code
that can be influenced by env variables.

For this reason virt-login-shell doesn't use libvirt.so,
but instead links to a custom, cut down, set of source files
sufficient to be a local client only.

This introduces a problem for integrating glib2 into libvirt
though, as once integrated, there would be no way to build
virt-login-shell without an external dependancy on glib2 and
this is definitely not setuid safe.

To resolve this problem, we split the virt-login-shell binary
into two parts. The first part is setuid and does almost
nothing. It simply records the original uid+gid, and then
invokes the virt-login-shell-helper binary. Crucially when
it does this it completes scrubs all environment variables.
It is thus safe for virt-login-shell-helper to link to the
normal libvirt.so. Any things that constructor functions
do cannot be influenced by user control env vars or cli
args.
Reviewed-by: NMichal Privoznik <mprivozn@redhat.com>
Signed-off-by: NDaniel P. Berrangé <berrange@redhat.com>

We'll shortly be renaming the binary to virt-login-shell-helper
and introducing a new tool as virt-login-shell. Renaming the
source file first gives a much more usefull diff for the next
commit.
Reviewed-by: NMichal Privoznik <mprivozn@redhat.com>
Signed-off-by: NDaniel P. Berrangé <berrange@redhat.com>

The public API entry points will call virDispatchError which
will print to stderr by default. We then jump to a cleanup
path which calls virDispatchError again.

We tried to stop the entry points printing to stderr, but
incorrectly called virSetErrorFunc. It needs a real function
that is a no-op, not a NULL function.

Once we fix virSetErrorFunc, then we need to use fprintf in
the cleanup path instead of virDispatchError.
Reviewed-by: NMichal Privoznik <mprivozn@redhat.com>
Signed-off-by: NDaniel P. Berrangé <berrange@redhat.com>

If the 'allowed_users' config setting in virt-login-shell.conf
does not exist, we dereference a NULL pointer resulting in a
crash. We should check for this case and thus ensure the user
is denied access gracefully.
Reviewed-by: NMichal Privoznik <mprivozn@redhat.com>
Signed-off-by: NDaniel P. Berrangé <berrange@redhat.com>

Currently, the way we format PCI address is using printf-s
precision, e.g. "%.4x". This works if we don't want to print any
value outside of bounds (which is usually the case). However,
turns out, PCI domain can be 0x10000 which doesn't work well with
our format strings. However, if we change the format string to
"%04x" then we still pad small values with zeroes but also we are
able to print values that are larger than four digits. In fact,
this format string used by kernel to print a PCI address:

  "%04x:%02x:%02x.%d"

The other three format strings (for bus, device and function) are
changed too, so that we use the same format string as kernel.
Signed-off-by: NMichal Privoznik <mprivozn@redhat.com>
Reviewed-by: NJán Tomko <jtomko@redhat.com>

"virsh console" on macOS cannot attach to a domain and it doesn't matter if
it's local or remote domain:
  $ ~ virsh console vm
  Connected to domain vm
  Escape character is ^]
  error: internal error: unable to wait on console condition

The error comes from pthread_cond_wait that fails with EINVAL. The mutex
in the parent is not initialized with pthread_mutex_init and it results
in silent failure of pthead_mutex_lock and the attach failure.

Fixes: 98361cc3 ("tools: console: make console virLockableObject")
Signed-off-by: NRoman Bolshakov <r.bolshakov@yadro.com>
Reviewed-by: NMichal Privoznik <mprivozn@redhat.com>

Earlier patches mentioned that the initial implementation will prevent
snapshots and checkpoints from being used on the same domain at once.
However, the actual restriction is done in this separate patch to make
it easier to lift that restriction via a revert, when we are finally
ready to tackle that integration in the future.
Signed-off-by: NEric Blake <eblake@redhat.com>
Reviewed-by: NDaniel P. Berrangé <berrange@redhat.com>

Introduce a bunch of new virsh commands for managing checkpoints in
isolation. More commands are needed for performing incremental
backups, but these commands were easy to implement by modeling heavily
after virsh-snapshot.c. There is no need for checkpoint-revert or
checkpoint-current since those snapshot APIs have no checkpoint
counterpart.  Similarly, it is not necessary to change which
checkpoint is current when redefining from XML, since until we
integrate checkpoints with snapshots, there is only a linear chain
(and you can deduce the current checkpoint by instead using
'checkpoint-list --leaves').  Other aspects of checkpoint-list are
also a bit simpler than the snapshot counterpart, in part because we
don't have to cater to back-compat to older API.

Upcoming patches will test these interfaces once the test driver
supports checkpoints.
Signed-off-by: NEric Blake <eblake@redhat.com>
Reviewed-by: NDaniel P. Berrangé <berrange@redhat.com>

We don't need domain_conf or libvirt-{qemu,lxc} in these generic files.
Signed-off-by: NJán Tomko <jtomko@redhat.com>
Acked-by: NPeter Krempa <pkrempa@redhat.com>

Ever since --parallel-connections option for virsh migrate was
introduced we did not properly check the return value of
vshCommandOptInt. We would set VIR_MIGRATE_PARAM_PARALLEL_CONNECTIONS
parameter even if vshCommandOptInt returned 0 (which means
--parallel-connections was not specified) when another int option which
was checked earlier was specified with a nonzero value.

Specifically, running virsh migrate with either
--auto-converge-increment, --auto-converge-initial, --comp-mt-dthreads,
--comp-mt-threads, or --comp-mt-level would set
VIR_MIGRATE_PARAM_PARALLEL_CONNECTIONS parameter and if --parallel
option was not used, libvirt would complain

    error: invalid argument: Turn parallel migration on to tune it

even though --parallel-connections option was not used at all.

https://bugzilla.redhat.com/show_bug.cgi?id=1726643Signed-off-by: NJiri Denemark <jdenemar@redhat.com>
Reviewed-by: NMichal Privoznik <mprivozn@redhat.com>

This is a very simple completer for completing --cap argument of
nodedev-list command.
Signed-off-by: NMichal Privoznik <mprivozn@redhat.com>
Reviewed-by: NJán Tomko <jtomko@redhat.com>
Reviewed-by: NErik Skultety <eskultet@redhat.com>

There are more arguments than 'shutdown --mode' that accept a
list of strings separated by commas. 'nodedev-list --cap' is one
of them. To avoid duplicating code, let's separate interesting
bits of virshDomainShutdownModeCompleter() into a function that
can then be reused.
Signed-off-by: NMichal Privoznik <mprivozn@redhat.com>
Reviewed-by: NJán Tomko <jtomko@redhat.com>
Reviewed-by: NErik Skultety <eskultet@redhat.com>

Ideally, a software that's translating domain names would iterate
over all addresses the NSS returned, but some software does not
bother (e.g. ping). What happens is that for instance when
installing a guest, it's assigned one IP address but once it's
installed and rebooted it gets a different IP address (because
client ID used for the first DHCP traffic when installing the
guest was generated dynamically and never saved so after reboot
the guest generated new ID which resulted in different IP address
to be assigned). This results in 'ping $domain' not working
properly as it still pings the old IP address. Well, it might -
NSS plugin does not guarantee any order of addresses.

To resolve this problem, we can sort the array just before
returning it to the caller (ping) so that the newer IP addresses
come before older ones.
Reported-by: NAndrea Bolognani <abologna@redhat.com>
Signed-off-by: NMichal Privoznik <mprivozn@redhat.com>
Reviewed-by: NErik Skultety <eskultet@redhat.com>

In the nss plugin we have ERROR() macro which by default does
nothing. However, at compile time it can be made to report errors
(this is useful for debugging because by nature of NSS debugging
is hard). Anyway, the appendAddr() function uses @name (which
contains name the caller wants us to resolve) for error
reporting. But the caller findLeaseInJSON() is not passing it.
Signed-off-by: NMichal Privoznik <mprivozn@redhat.com>
Reviewed-by: NErik Skultety <eskultet@redhat.com>

Signed-off-by: NMichal Privoznik <mprivozn@redhat.com>
Reviewed-by: NErik Skultety <eskultet@redhat.com>

Signed-off-by: NMichal Privoznik <mprivozn@redhat.com>
Reviewed-by: NErik Skultety <eskultet@redhat.com>

Signed-off-by: NMichal Privoznik <mprivozn@redhat.com>
Reviewed-by: NErik Skultety <eskultet@redhat.com>

Add pool list type flag VIR_CONNECT_LIST_STORAGE_POOLS_ISCSI_DIRECT,
which was forgotten when introducing iscsi-direct pool at f0bf1be3.

https://bugzilla.redhat.com/show_bug.cgi?id=1726609Signed-off-by: NHan Han <hhan@redhat.com>
Reviewed-by: NMichal Privoznik <mprivozn@redhat.com>

Signed-off-by: NHan Han <hhan@redhat.com>
Reviewed-by: NMichal Privoznik <mprivozn@redhat.com>

We've been doing a terrible job of performing XML validation in our
various API that parse XML with a corresponding schema (we started
with domains back in commit dd69a14f, v1.2.12, but didn't catch all
domain-related APIs, didn't document the use of the flag, and didn't
cover other XML). New APIs (like checkpoints) should do the validation
unconditionally, but it doesn't hurt to continue retrofitting existing
APIs to at least allow the option.

While there are many APIs that could be improved, this patch focuses
on wiring up a new snapshot XML creation flag through all the
hypervisors that support snapshots, as well as exposing it in 'virsh
snapshot-create'.  For 'virsh snapshot-create-as', we blindly set the
flag without a command-line option, since the XML we create from the
command line should generally always comply (note that validation
might cause failures where it used to succeed, such as if we tighten
the RNG to reject a name of '../\n'); but blindly passing the flag
means we also have to add in fallback code to disable validation if
the server is too old to understand the flag.
Signed-off-by: NEric Blake <eblake@redhat.com>
Acked-by: NPeter Krempa <pkrempa@redhat.com>

virsh snapshot-create-as supports 'file' storage type in --diskspec by default.
But it doesn't support 'block' storage type in the virshParseSnapshotDiskspec().
So if a snapshot on a block device (e.g. LV) was created, the type of
current running storage source in dumpxml is inconsistent with the actual
backend storage source. It will check file-system type mismatch failed
and return an error message of 'Migration without shared storage is unsafe'
when VM performs a live migration after this snapshot.

Considering virsh has to be able to work remotely that recognizing a block device
by prefix /dev/ or by stat() may be not suitable, so adding a "stype" field
for the --diskspec string which will be either "file" or "block".
e.g. --diskspec vda,snapshot=external,driver=qcow2,stype=block,file=/dev/xxx.
Signed-off-by: NLiu Dayu <liu.dayu@zte.com.cn>
Signed-off-by: NPeter Krempa <pkrempa@redhat.com>

Firstly, there's no reason to enumerate all XATTRs since they
differ only in the prefix and we can construct them in a loop.

Secondly, and more importantly, the script was still looking for
just one prefix "trusted.libvirt.security" even on FreeBSD.
Signed-off-by: NMichal Privoznik <mprivozn@redhat.com>
Reviewed-by: NCole Robinson <crobinso@redhat.com>
Reviewed-by: NDaniel P. Berrangé <berrange@redhat.com>

While the script ultimately needs to be executable, the
source file really shouldn't be.
Signed-off-by: NAndrea Bolognani <abologna@redhat.com>

When testing stuff you might want to print the XML. Interlocking it with
no metadata adds exactly 0 value to the user.
Signed-off-by: NPeter Krempa <pkrempa@redhat.com>
Reviewed-by: NJán Tomko <jtomko@redhat.com>

Signed-off-by: NJonathon Jongsma <jjongsma@redhat.com>
Reviewed-by: NJán Tomko <jtomko@redhat.com>
Signed-off-by: NJán Tomko <jtomko@redhat.com>

Reviewed-by: NLaine Stump <laine@laine.org>
Signed-off-by: NDaniel P. Berrangé <berrange@redhat.com>

Signed-off-by: NJohannes Holmberg <johannes.holmberg@dataductus.se>
Reviewed-by: NMartin Kletzander <mkletzan@redhat.com>

The flag causes undefine to fail if trying to remove a non-RBD disk. Add
a warning about that.
Signed-off-by: NPeter Krempa <pkrempa@redhat.com>
Reviewed-by: NFabiano Fidêncio <fidencio@redhat.com>
ACKed-by: NEric Blake <eblake@redhat.com>

The old flag name confused some users into thinking it's the correct way
to undefine a VM with libvirt (not storage volume) snapshots.

The correct flag in that case is way less obvious: --snapshots-metadata.

Rename the flag (by adding an alias) to something which will promote
looking up the actual purpose of the flag.
Signed-off-by: NPeter Krempa <pkrempa@redhat.com>
Reviewed-by: NFabiano Fidêncio <fidencio@redhat.com>
ACKed-by: NEric Blake <eblake@redhat.com>

Reword the end of the help string to make it more obvious that the VM
must be inactive.
Signed-off-by: NPeter Krempa <pkrempa@redhat.com>
Reviewed-by: NFabiano Fidêncio <fidencio@redhat.com>
ACKed-by: NEric Blake <eblake@redhat.com>

Qemu added reporting of virtio balloon new statistics stat-htlb-pgalloc and
stat-htlb-pgfail since qemu-3.0 commit b7b12644297. The value of
stat-htlb-pgalloc represents the number of successful hugetlb page allocations
while stat-htlb-pgfail represents the number of failed ones. Add this
statistics reporting to libvirt.

To enable this feature for vm, guest kenel >= 4.17 is required because
the exporting hugetlb page allocation for virtio balloon is introduced
since 6c64fe7f.
Signed-off-by: NHan Han <hhan@redhat.com>
Signed-off-by: NMichal Privoznik <mprivozn@redhat.com>

The virDomainGetDiskErrors() API copies disk targets into @disks
array that we allocate. But we forgot to free it:

==140828== 16 bytes in 4 blocks are definitely lost in loss record 41 of 242
==140828==    at 0x4C2F08F: malloc (vg_replace_malloc.c:299)
==140828==    by 0x8C406D9: strdup (in /lib64/libc-2.28.so)
==140828==    by 0x5377DD3: virStrdup (virstring.c:966)
==140828==    by 0x54C112F: testDomainGetDiskErrors (test_driver.c:3068)
==140828==    by 0x55C863D: virDomainGetDiskErrors (libvirt-domain.c:10988)
==140828==    by 0x15D1FA: cmdDomBlkError (virsh-domain-monitor.c:1215)
==140828==    by 0x17F1A8: vshCommandRun (vsh.c:1335)
==140828==    by 0x13489E: main (virsh.c:920)
Signed-off-by: NMichal Privoznik <mprivozn@redhat.com>

Commit a3dbaa36 neglected to add the source-protocol-ver to the
pool-define-as command.
Signed-off-by: NJohn Ferlan <jferlan@redhat.com>
ACKed-by: NMichal Privoznik <mprivozn@redhat.com>

Each attribute is on its own line. We forgot to add new line
character for <alias/>
Signed-off-by: NMichal Privoznik <mprivozn@redhat.com>

The table included in the sample output for 'list --title' is
unnecessarily wide, which causes man to complain:

  warning [p 8, 0.5i]: can't break line

Make the table narrower.

Spotted by Lintian (manpage-has-errors-from-man tag).
Signed-off-by: NAndrea Bolognani <abologna@redhat.com>
Acked-by: NMichal Privoznik <mprivozn@redhat.com>

Apparently "allow(s) to frobnicate" is not correct English, and
either "allow(s) one to frobnicate" or "allow(s) frobnicating"
should be used instead.

Spotted by Lintian (spelling-error-in-{binary,manpage} tags).
Signed-off-by: NAndrea Bolognani <abologna@redhat.com>
Reviewed-by: NEric Blake <eblake@redhat.com>

Though it used to be called "Mac OS X" and "OS X" in the past,
it was never "MacOS X" nor "OS-X", and it's just "macOS" now.
Signed-off-by: NAndrea Bolognani <abologna@redhat.com>

This code is needed to use readline older than 4.1, but all
our target platforms ship with at least 6.0 these days so we
can safely get rid of it.
Signed-off-by: NAndrea Bolognani <abologna@redhat.com>
Reviewed-by: NDaniel P. Berrangé <berrange@redhat.com>

Standardize on putting the _LAST enum value on the second line
of VIR_ENUM_IMPL invocations. Later patches that add string labels
to VIR_ENUM_IMPL will push most of these to the second line anyways,
so this saves some noise.
Signed-off-by: NCole Robinson <crobinso@redhat.com>

This completer is used to offer shutdown/reboot modes.
Signed-off-by: NMichal Privoznik <mprivozn@redhat.com>
Reviewed-by: NCole Robinson <crobinso@redhat.com>