- 31 Jan, 2020 1 commit
-
-
Committed by Christian Ehrhardt
Since a3ab6d42 "apparmor: convert libvirtd profile to a named profile" the detection of the subelement for qemu_bridge_helper is wrong. In combination with the older 123cc3e1 "apparmor: allow /usr/lib/qemu/qemu-bridge-helper" it now detects qemu-bridge-helper no more with its path, but instead as a proper subelement of the named profile like:

  label=libvirtd//qemu_bridge_helper

In the same fashion the reverse rule in the qemu_bridge_helper sub-profile still uses the path and not the named profile label.

Triggering denies like:

  apparmor="DENIED" operation="file_inherit" profile="libvirtd//qemu_bridge_helper" pid=5629 comm="qemu-bridge-hel" family="unix" sock_type="stream" protocol=0 requested_mask="send receive" denied_mask="send receive" addr=none peer_addr=none peer="libvirtd"

This patch fixes the unix socket rules for the communication between libvirtd and qemu-bridge-helper to match that.

Fixes: a3ab6d42
Fixes: https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1655111
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
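The denial quoted in this commit message can be triaged mechanically. The following added example (not part of the libvirt patch) parses that audit record, splits the `//` label into parent profile and sub-profile, and derives a candidate `unix` rule for review; the function names are assumptions made for illustration.

```python
import shlex

# Denial record copied from the commit message above.
SAMPLE = ('apparmor="DENIED" operation="file_inherit" '
          'profile="libvirtd//qemu_bridge_helper" pid=5629 '
          'comm="qemu-bridge-hel" family="unix" sock_type="stream" protocol=0 '
          'requested_mask="send receive" denied_mask="send receive" '
          'addr=none peer_addr=none peer="libvirtd"')

def parse_audit(line):
    """Split an AppArmor audit record into a dict of key -> value."""
    fields = {}
    for token in shlex.split(line):  # shlex keeps "send receive" as one value
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields

def split_label(label):
    """'libvirtd//qemu_bridge_helper' -> ('libvirtd', 'qemu_bridge_helper')."""
    parent, _, child = label.partition("//")
    return parent, child or None

def unix_peer_denial(fields):
    """For a denied unix-socket exchange between two labels, return
    (confined profile, peer label, candidate rule); otherwise None."""
    if fields.get("apparmor") != "DENIED" or fields.get("family") != "unix":
        return None
    if "profile" not in fields or "peer" not in fields:
        return None
    perms = ", ".join(fields.get("denied_mask", "").split())
    sock = fields.get("sock_type")
    # Candidate rule only: it names the peer by label, as the named profile
    # requires, and still has to be reviewed before it goes into a profile.
    rule = "unix ({}){} peer=(label={}),".format(
        perms, " type={}".format(sock) if sock else "", fields["peer"])
    return fields["profile"], fields["peer"], rule

if __name__ == "__main__":
    profile, peer, rule = unix_peer_denial(parse_audit(SAMPLE))
    print("denied in:", split_label(profile), "peer:", peer)
    print("candidate rule for that profile:", rule)
```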
-
- 30 Jan, 2020 13 commits
-
-
Committed by Erik Skultety
Our nwfilter code doesn't set any timeout on the pcap packet buffer which means that when DHCP snooping is enabled on a guest interface and libvirt is trying to learn the IP address from guest's DHCP traffic, it takes up to 4x longer to ping a guest successfully compared to a case where nwfilter isn't enabled at all or libvirt uses the cached nwfilter leases to populate the corresponding rules to ebtables.

With the pcap filter and rate limiting already in place, we should be able to afford enabling the immediate packet delivery, FWIW immediate mode was actually the default prior to libpcap-1.5.0 (CentOS 6) regardless of whether a buffer was requested.

The lack of any kind of timeout on the pcap buffer messed with the libvirt TCK test suite which, even with a generous timeout in place, times out every single time simply because it takes a while until guest actually starts producing any kind of traffic to fill up the buffer in place (apart from the DHCP traffic which happens fairly early on).

Signed-off-by: Erik Skultety <eskultet@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
-
Committed by Erik Skultety
libpcap-1.5.0 introduced a function to enforce immediate mode (on all platforms) which the follow-up patches will rely on.

Signed-off-by: Erik Skultety <eskultet@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
-
Committed by Ján Tomko
Also add a space after the start in some of the cases.

Signed-off-by: Ján Tomko <jtomko@redhat.com>
Reviewed-by: Peter Krempa <pkrempa@redhat.com>
-
Committed by Michal Privoznik
At the beginning of each profile we have a comment that says when the profile was last updated. In theory, it makes sense because one can see immediately if they are using an outdated profile. However, we don't do a good job in keeping the comments in sync with reality and also sysadmins should rather use their package manager to find out libvirt version which installed the profiles.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Acked-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
-
Committed by Michal Privoznik
There are two more paths that we are missing in the default domain profile: /usr/share/edk2-ovmf/ and /usr/share/sgabios/. These exist on my Gentoo box and contain UEFI and BIOS images respectively.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Acked-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
-
Committed by Michal Privoznik
Even though we construct a domain specific profile for each domain we start (which should cover domain specific paths), there is also another file that is included from the profile and which contains domain agnostic paths (e.g. to cover libraries that qemu links with). The paths in the file are split into blocks divided by comments. Sort the paths in each block individually (ignoring case sensitivity).

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Acked-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
-
Committed by Dario Faggioli
With Credit2 being Xen default scheduler, it's definitely the case to allow Credit2's scheduling parameters to be get and set via libvirt. This is easy, as Credit and Credit2 have (at least as of now) the very same parameters ('weight' and 'cap'). So we can just let credit2 pass the scheduler-type check and the same code will work for both.

Signed-off-by: Dario Faggioli <dfaggioli@suse.com>
Reviewed-by: Jim Fehlig <jfehlig@suse.com>
-
Committed by Laine Stump
Signed-off-by: Laine Stump <laine@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
-
Committed by Laine Stump
Aside from itinerant error (actually warning) messages due to an unrecognized response from qemu, this isn't even necessary - the migration proceeds successfully to completion anyway. (I'm not sure where to see this status reported in the API though - do we need to add an extra state, or recognition of a new event somewhere?)

Signed-off-by: Laine Stump <laine@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
-
Committed by Laine Stump
Normally a PCI hostdev can't be migrated, so qemuMigrationSrcIsAllowedHostdev() won't permit it. In the case of a hostdev network interface that has <teaming type='transient'/> set, QEMU will automatically unplug the device prior to migration, and re-plug a corresponding device on the destination. This patch modifies qemuMigrationSrcIsAllowedHostdev() to allow domains with those devices to be migrated.

Signed-off-by: Laine Stump <laine@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
-
Committed by Laine Stump
The QEMU driver uses the <teaming type='persistent|transient' persistent='blah'/> element to set up a "failover" pair of devices - the persistent device must be a virtio emulated NIC, with the only extra configuration being the addition of ",failover=on" to the device commandline, and the transient device must be a hostdev NIC (<interface type='hostdev'> or <interface type='network'> with a network that is a pool of SRIOV VFs) where the extra configuration is the addition of ",failover_pair_id=$aliasOfVirtio" to the device commandline. These new options are supported in QEMU 4.2.0 and later.

Extra qemu-specific validation is added to ensure that the device type/model is appropriate and that the qemu binary supports these commandline options.

The result of this will be:

1) The virtio device presented to the guest will have an extra bit set in its PCI capabilities indicating that it can be used as a failover backup device. The virtio guest driver will need to be equipped to do something with this information - this is included in the Linux virtio-net driver in kernel 4.18 and above (and also backported to some older distro kernels). Unfortunately there is no way for libvirt to learn whether or not the guest driver supports failover - if it doesn't then the extra PCI capability will be ignored and the guest OS will just see two independent devices. (NB: the current virtio guest driver also requires that the MAC addresses of the two NICs match in order to pair them into a bond).

2) When a migration is requested, QEMU will automatically unplug the transient/hostdev NIC from the guest on the source host before starting migration, and automatically re-plug a similar device after restarting the guest CPUs on the destination host. While the transient NIC is unplugged, all network traffic will go through the persistent/virtio device, but when the hostdev NIC is plugged in, it will get all the traffic.

This means that in normal circumstances the guest gets the performance advantage of vfio-assigned "real hardware" networking, but it can still be migrated with the only downside being a performance penalty (due to using an emulated NIC) during the migration.

Signed-off-by: Laine Stump <laine@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
-
Committed by Laine Stump
The subelement <teaming> of <interface> devices is used to configure a simple teaming association between two interfaces in a domain. Example:

  <interface type='bridge'>
    <source bridge='br0'/>
    <model type='virtio'/>
    <mac address='00:11:22:33:44:55'/>
    <alias name='ua-backup0'/>
    <teaming type='persistent'/>
  </interface>
  <interface type='hostdev'>
    <source>
      <address type='pci' bus='0x02' slot='0x10' function='0x4'/>
    </source>
    <mac address='00:11:22:33:44:55'/>
    <teaming type='transient' persistent='ua-backup0'/>
  </interface>

The interface with <teaming type='persistent'/> is assumed to always be present, while the interface with type='transient' may be unplugged and later re-plugged; the persistent='blah' attribute (and in the one currently available implementation, also the matching MAC addresses) is what associates the two devices with each other. It is up to the hypervisor and the guest network drivers to determine what to do with this information.

Signed-off-by: Laine Stump <laine@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
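The pairing constraints described in this commit message and in the QEMU driver commit above it (virtio model on the persistent NIC, hostdev or network type on the transient NIC, alias reference, matching MACs) can be checked before a domain is defined. This is an added example, not libvirt's own validation code; `check_teaming` and the `<devices>` wrapper are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# XML from the commit message, wrapped in <devices> so it parses as one document.
GOOD = """<devices>
  <interface type='bridge'>
    <source bridge='br0'/>
    <model type='virtio'/>
    <mac address='00:11:22:33:44:55'/>
    <alias name='ua-backup0'/>
    <teaming type='persistent'/>
  </interface>
  <interface type='hostdev'>
    <source><address type='pci' bus='0x02' slot='0x10' function='0x4'/></source>
    <mac address='00:11:22:33:44:55'/>
    <teaming type='transient' persistent='ua-backup0'/>
  </interface>
</devices>"""
# Constructed broken variant: the transient NIC carries a different MAC.
BAD = GOOD.replace("<mac address='00:11:22:33:44:55'/>\n    <teaming type='transient'",
                   "<mac address='00:11:22:33:44:66'/>\n    <teaming type='transient'")

def _attr(iface, tag, name):
    """Attribute `name` of the child element `tag`, or None if absent."""
    child = iface.find(tag)
    return child.get(name) if child is not None else None

def check_teaming(devices_xml):
    """Return a list of problems with <teaming> pairs; empty when consistent."""
    persistent, problems = {}, []
    ifaces = [i for i in ET.fromstring(devices_xml).iter("interface")
              if i.find("teaming") is not None]
    for iface in ifaces:  # first pass: collect persistent devices by alias
        if _attr(iface, "teaming", "type") == "persistent":
            alias = _attr(iface, "alias", "name")
            if _attr(iface, "model", "type") != "virtio":
                problems.append(f"{alias}: persistent device is not virtio")
            persistent[alias] = (_attr(iface, "mac", "address") or "").lower()
    for iface in ifaces:  # second pass: match each transient device to its pair
        if _attr(iface, "teaming", "type") != "transient":
            continue
        ref = _attr(iface, "teaming", "persistent")
        mac = (_attr(iface, "mac", "address") or "").lower()
        if iface.get("type") not in ("hostdev", "network"):
            problems.append(f"transient device for {ref}: not a hostdev NIC")
        if ref not in persistent:
            problems.append(f"transient device references unknown alias {ref}")
        elif persistent[ref] != mac:
            problems.append(f"{ref}: MAC mismatch {persistent[ref]} vs {mac}")
    return problems

if __name__ == "__main__":
    print(check_teaming(GOOD), check_teaming(BAD))
```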
-
Committed by Laine Stump
Presence of the virtio-net-pci option called "failover" indicates support in a qemu binary of a simplistic bonding of a virtio-net device with another PCI device. This feature allows migration of guests that have a network device assigned to a guest with VFIO, by creating a network bond device in the guest consisting of the VFIO-assigned device and a virtio-net-pci device, then temporarily (and automatically) unplugging the VFIO net device prior to migration (and hotplugging an equivalent device on the migration destination). (The feature is called "failover" because the bond device uses the vfio-pci netdev for normal guest networking, but "fails over" to the virtio-net-pci netdev once the vfio-pci device is unplugged for migration.)

Full functioning of the feature also requires support in the virtio-net driver in the guest OS (since that is where the bond device resides), but if the "failover" commandline option is present for the virtio-net-pci device in qemu, at least the qemu part of the feature is available, and libvirt can add the proper options to both the virtio-net-pci and vfio-pci device commandlines to indicate qemu should attempt doing the failover during migration.

This patch just adds the qemu capabilities flag "virtio-net.failover".

Signed-off-by: Laine Stump <laine@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
-
- 29 Jan, 2020 26 commits
-
-
Committed by Daniel P. Berrangé
* chown: use is conditionally compiled
* configmake: functionality imported to Makefile.am
* getaddrinfo: we have no portability problems with Windows impl
* getpass: simplified impl is imported
* mgetgroups: getgrouplist is used directly
* net_if: header includes are conditionalized
* netdb: header includes are conditionalized
* passfd: simplified impl is imported
* posix-shell: functionality was unused & removed
* sigaction: usage is conditionalized
* sigpipe: usage is conditionalized
* stat-time: struct stat is used directly
* strchrnul: usage is eliminated
* strtok_r: usage is not a portability problem
* sys_stat: usage is conditionalized
* uname: rewritten to use native Win32 function to get host arch
* waitpid: usage is conditionalized
* wcwidth: rewritten using g_unichar APIs

Reviewed-by: Pavel Hrdina <phrdina@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
-
Committed by Daniel P. Berrangé
The EAI_ADDRFAMILY constant has been removed from FreeBSD headers, supposedly because it is deprecated by new RFC drafts. Previously GNULIB was providing a replacement because MinGW lacked it too. The replacement provided for MinGW was thus being used on FreeBSD too, but with a completely bogus integer value.

Reviewed-by: Pavel Hrdina <phrdina@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
-
Committed by Daniel P. Berrangé
SIGPIPE is not available on the Windows platform.

Reviewed-by: Pavel Hrdina <phrdina@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
-
Committed by Daniel P. Berrangé
There are a large number of different header files that are related to the sockets APIs. The virsocket.h header includes all of the relevant headers for Windows and UNIX in one convenient place. If virsocketaddr.h is already included, then there's no need for virsocket.h.

Reviewed-by: Pavel Hrdina <phrdina@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
-
Committed by Daniel P. Berrangé
chown and some stat constants are not available on the Windows platform.

Reviewed-by: Pavel Hrdina <phrdina@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
-
Committed by Daniel P. Berrangé
The O_BINARY flag is not defined on all platforms so we must conditionalize its use once we remove GNULIB.

Reviewed-by: Pavel Hrdina <phrdina@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
-
Committed by Daniel P. Berrangé
The O_DIRECT flag is not available on all platforms, so we must introduce a compat define the same way gnulib does.

Reviewed-by: Pavel Hrdina <phrdina@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
-
Committed by Daniel P. Berrangé
The F_DUPFD_CLOEXEC functionality is not available on some platforms. We must thus explicitly call the virSetCloexec function once we remove GNULIB's equiv fix for this.

Reviewed-by: Pavel Hrdina <phrdina@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
-
Committed by Daniel P. Berrangé
Windows uses _O_NOINHERIT as the name for its O_CLOEXEC equivalent. Define O_CLOEXEC to match this to fix portability when we remove GNULIB.

Reviewed-by: Pavel Hrdina <phrdina@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
-
Committed by Daniel P. Berrangé
The O_DIRECTORY flag causes open() to return an error if the filename is a directory. There's no obvious reason why resctrl needs to use this, while the rest of libvirt code does not. Removing it avoids build issues on platforms where O_DIRECTORY is not defined, once we remove GNULIB.

Reviewed-by: Pavel Hrdina <phrdina@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
-
Committed by Daniel P. Berrangé
The AC_USE_SYSTEM_EXTENSIONS macro causes things like "USE_GNU" to be defined, which enables access to OS specific extensions to POSIX. We currently got this indirectly via GNULIB's 'extensions' module which is a dependency of other GNULIB modules we use.

Reviewed-by: Pavel Hrdina <phrdina@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
-
Committed by Daniel P. Berrangé
The S_ISSOCK macro is not available on Windows platforms.

Reviewed-by: Pavel Hrdina <phrdina@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
-
Committed by Daniel P. Berrangé
We currently get the sys/ioctl.h check indirectly via GNULIB, but this will soon stop happening.

Reviewed-by: Pavel Hrdina <phrdina@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
-
Committed by Daniel P. Berrangé
The net/if.h is not portable so we must check for its existence and avoid using it when missing. Some use of net/if.h was redundant and could be removed.

Reviewed-by: Pavel Hrdina <phrdina@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
-
Committed by Daniel P. Berrangé
Many of the virProcess APIs are relying on GNULIB providing POSIX API stubs. Even with these stubs the APIs don't do anything useful once compiled. We can thus conditionalize the code so that we don't compile anything at all.

Reviewed-by: Pavel Hrdina <phrdina@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
-
Committed by Daniel P. Berrangé
Cygwin is not a supported build platform for libvirt and has no testing coverage in our CI systems. Stop pretending the code is usable and remove it so there is less to port to Meson.

Reviewed-by: Pavel Hrdina <phrdina@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
-
Committed by Daniel P. Berrangé
A large part of the virCommand code is still built on WIN32, despite the fact that the core fork() & execve() functions are not available. So despite successfully building most of the code, at runtime the APIs are nonetheless unusable.

With the elimination of GNULIB many of the APIs being used in this code no longer have portability wrappers/shims for Windows. Rather than try to add portability wrappers, or do tests for each individual function, it is clearer to conditionalize nearly all of the code using #ifdef WIN32.

Reviewed-by: Pavel Hrdina <phrdina@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
-
Committed by Daniel P. Berrangé
polkit is only useful on Linux systems.

Reviewed-by: Pavel Hrdina <phrdina@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
-
Committed by Daniel P. Berrangé
g_mkdir() provides portability to Windows platforms.

Reviewed-by: Pavel Hrdina <phrdina@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
-
Committed by Daniel P. Berrangé
The sys/uio.h header is only needed when building logging code with journald support enabled. Conditionally include it so that we avoid breaking on platforms which lack this header.

Reviewed-by: Pavel Hrdina <phrdina@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
-
Committed by Daniel P. Berrangé
The Windows platform does not have the signal handling support we need, so it must be disabled in several parts of the codebase.

Reviewed-by: Pavel Hrdina <phrdina@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
-
Committed by Daniel P. Berrangé
This is a simplified variant of gnulib's passfd module without the portability code that we do not require.

Reviewed-by: Pavel Hrdina <phrdina@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
-
Committed by Daniel P. Berrangé
The gnulib stat-time.h header provides wrapper functions to hide the differences in 'struct stat' between various platforms. Linux and FreeBSD support the same names, except for birthtime which Linux only provides in the new 'statx()' syscall we're not using. macOS has completely different naming. Since we only rely on this code in one place we just use conditionals at time of need.

Reviewed-by: Pavel Hrdina <phrdina@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
-
Committed by Daniel P. Berrangé
The virProcess code relies on windows.h and is getting it indirectly via some GNULIB header fixes. This dependency needs to be made explicit.

Reviewed-by: Pavel Hrdina <phrdina@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
-
Committed by Daniel P. Berrangé
Reviewed-by: Pavel Hrdina <phrdina@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
-
Committed by Daniel P. Berrangé
The combination of g_unichar_iszerowidth and g_unichar_iswide is sufficient to replicate the logic of wcwidth() for libvirt.

Reviewed-by: Pavel Hrdina <phrdina@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
-