When running unprivileged, virSetUIDGIDWithCaps will fail because it
tries to add the requested capabilities to the permitted and effective
sets.

Detect this case, and invoke the child with cleared permitted and
effective sets.  If it is a setuid program, it will get them.

Some care is needed also because you cannot drop capabilities from the
bounding set without CAP_SETPCAP.  Because of that, ignore errors from
setting the bounding set.
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>

The need_prctl variable is not really needed.  If it is false,
capng_apply will be called twice with the same set, causing
a little extra work but no problem.  This keeps the code a bit
simpler.

It is also clearer to invoke capng_apply(CAPNG_SELECT_BOUNDS)
separately, to make sure it is done while we have CAP_SETPCAP.
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>

Using of a incorrect value for the --holdtime option was silently
ignored and 0 was used. In case a negative number was used, it
overflowed as the API expects a unsigned int.

Fix the data type and getter function type and report errors on
incorrect values.

Rename the get_integer_keycode helper to vshKeyCodeGetInt and get rid of
a unneeded typecast.

Reusing the result of virArchFromHost instead of calling it multiple times
Signed-off-by: NTal Kain <tal.kain@ravellosystems.com>
Signed-off-by: NEric Blake <eblake@redhat.com>

The rng schema for <controller> had been non-specific about which
types of controllers allowed which models, and also allowed the
num_queues attribute (since that hasn't been released yet, should we
rename it to "numQueues"?) and <master> subelement to be included for
any controller type. In reality, half of the models are allowed only
for type='scsi', and the other half only for type='usb', num_queues is
allowed only for type='scsi', and <master> only for type='usb'.

This patch makes a separate <group> for type='scsi' and type='usb',
with each group allowing only the appropriate model values, and
allowing num_queue and <master> only when appropriate.

<interleave> also hadn't been specified, forcing a specific order of
subelements, which should never be done. (Note that the <interleave>
had to surround the main element attributes that are in the <group>
subelements, due to one of the <group>s containing a subelement).

When turning a started persistent network into a transient one we forgot
to remove the autostart flag that is no longer valid at that point.

To tell libvirt-{qemu,lxc}.h shouldn't be included either.

With this patch, include public headers in "" form is only allowed
for "internal.h". And only the external tools (examples|tools|python
|include/libvirt) can include the public headers in <> form.

Directories python/tools/examples should include them in <> form,
though this patch allows "" form in these directories by excluding
them, a later patch will do the cleanup.

gnulib is excluded.

Commit 2d25fd4f removed the including of "libvirt/libvirt.h",
which breaks the build. Pushed under build-breaker rule.

The recent qemu requires "0x" prefix for the disk wwn, this patch
changes virValidateWWN to allow the prefix, and prepend "0x" if
it's not specified. E.g.

qemu-kvm: -device scsi-hd,bus=scsi0.0,channel=0,scsi-id=0,lun=0,\
drive=drive-scsi0-0-0-0,id=scsi0-0-0-0,wwn=6000c60016ea71ad:
Property 'scsi-hd.wwn' doesn't take value '6000c60016ea71ad'

Though it's a qemu regression, but it's nice to allow the prefix,
and doesn't hurt for us to always output "0x".

Which is already included in "internal.h", later patch will add
syntax-check to avoid it.

Which is already included by "internal.h", later patch will add
syntax-check to avoid it.

Detected by a simple Shell script:

for i in $(git ls-files -- '*.[ch]'); do
    awk 'BEGIN {
        fail=0
    }
    /# *include.*\.h/{
        match($0, /["<][^">]*[">]/)
        arr[substr($0, RSTART+1, RLENGTH-2)]++
    }
    END {
        for (key in arr) {
            if (arr[key] > 1) {
                fail=1
                printf("%d %s\n", arr[key], key)
            }
        }
        if (fail == 1)
            exit 1
    }' $i

    if test $? != 0; then
        echo "Duplicate header(s) in $i"
    fi
done;

A later patch will add the syntax-check to avoid duplicate
headers.

No reason to include it in both "if" and "else" branches.

Fix the error

util/vircgroup.c: In function 'virCgroupNewDomainPartition':
util/vircgroup.c:1299:11: error: declaration of 'dirname' shadows a global declaration [-Werror=shadow]
Signed-off-by: NStefan Berger <stefanb@linux.vnet.ibm.com>

Using "./autogen.sh --system lv_cv_static_analysis=yes" for my daily
Coverity builds resulted in the following error when building:

In file included from util/vircgrouppriv.h:32:0,
                 from util/vircgroup.c:44:
util/vircgroup.h:59:5: error: nonnull argument with out-of-range operand number (argument 1, operand 5)
util/vircgroup.h:74:5: error: nonnull argument references non-pointer operand (argument 1, operand 4)
make[3]: *** [libvirt_util_la-vircgroup.lo] Error 1
make[3]: Leaving directory `/home/jferlan/libvirt.cov.curr/src'
make[2]: *** [all] Error 2
make[2]: Leaving directory `/home/jferlan/libvirt.cov.curr/src'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/home/jferlan/libvirt.cov.curr'
make: *** [all] Error 2

Commit id '1acfc171' resulted in the following valgrind failure:

==25317== 136 (24 direct, 112 indirect) bytes in 1 blocks are definitely lost in loss record 4 of 4
==25317==    at 0x4A06B6F: calloc (vg_replace_malloc.c:593)
==25317==    by 0x4C6F851: virAlloc (viralloc.c:124)
==25317==    by 0x4C71493: virBitmapNew (virbitmap.c:74)
==25317==    by 0x4C71B79: virBitmapNewData (virbitmap.c:434)
==25317==    by 0x402EF2: test8 (virbitmaptest.c:436)
==25317==    by 0x40499F: virtTestRun (testutils.c:157)
==25317==    by 0x402E8D: mymain (virbitmaptest.c:474)
==25317==    by 0x404FDA: virtTestMain (testutils.c:719)
==25317==    by 0x39D0821A04: (below main) (in /usr/lib64/libc-2.16.so)

Check for an unsupported QMP command when using the query-tpm-models
and query-tpm-types commands before checking for general errors
in order to avoid error messages in the log.
Signed-off-by: NStefan Berger <stefanb@linux.vnet.ibm.com>

Revert the patch checking for the QMP query-tpm-models
command.
Signed-off-by: NStefan Berger <stefanb@linux.vnet.ibm.com>

Add support for array elements for agent commands just like 64d5e815 did for
monitor commands

The return value description stated that 0 is returned in case of success
instead of the count of vCPUs.

Check for QMP query-tpm-models and set a capability flag. Do not use
this QMP command if it is not supported.
Signed-off-by: NStefan Berger <stefanb@linux.vnet.ibm.com>

Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>

The LXC driver currently has code to detect cgroups mounts
and then re-mount them inside the new root filesystem. Replace
this fragile code with a call to virCgroupIsolateMount.
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>

Add a virCgroupIsolateMount method which looks at where the
current process is place in the cgroups (eg /system/demo.lxc.libvirt)
and then remounts the cgroups such that this sub-directory
becomes the root directory from the current process' POV.
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>

If a cgroup controller is co-mounted with another, eg

   /sys/fs/cgroup/cpu,cpuacct

Then it is a requirement that there exist symlinks at

   /sys/fs/cgroup/cpu
   /sys/fs/cgroup/cpuacct

pointing to the real mount point. Add support to virCgroupPtr
to detect and track these symlinks
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>

The virCgroupNewDriver method had a 'bool privileged' param.
If a false value was ever passed in, it would simply not
work, since non-root users don't have any privileges to create
new cgroups. Just delete this broken code entirely and make
the QEMU driver skip cgroup setup in non-privileged mode
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>

Historically QEMU/LXC guests have been placed in a cgroup layout
that is

   $LOCATION-OF-LIBVIRTD/libvirt/{qemu,lxc}/$VMNAME

This is bad for a number of reasons

 - The cgroup hierarchy gets very deep which seriously
   impacts kernel performance due to cgroups scalability
   limitations.

 - It is hard to setup cgroup policies which apply across
   services and virtual machines, since all VMs are underneath
   the libvirtd service.

To address this the default cgroup location is changed to
be

    /system/$VMNAME.{lxc,qemu}.libvirt

This puts virtual machines at the same level in the hierarchy
as system services, allowing consistent policy to be setup
across all of them.

This also honours the new resource partition location from the
XML configuration, for example

  <resource>
    <partition>/virtualmachines/production</partitions>
  </resource>

will result in the VM being placed at

    /virtualmachines/production/$VMNAME.{lxc,qemu}.libvirt

NB, with the exception of the default, /system, path which
is intended to always exist, libvirt will not attempt to
auto-create the partitions in the XML. It is the responsibility
of the admin/app to configure the partitions. Later libvirt
APIs will provide a way todo this.
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>

Allow VMs to be placed into resource groups using the
following syntax

  <resource>
    <partition>/virtualmachines/production</partition>
  </resource>

A resource cgroup will be backed by some hypervisor specific
functionality, such as cgroups with KVM/LXC.
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>

A resource partition is an absolute cgroup path, ignoring the
current process placement. Expose a virCgroupNewPartition API
for constructing such cgroups
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>

Currently if virCgroupMakeGroup fails, we can get in a situation
where some controllers have been setup, but others not. Ensure
we call virCgroupRemove to remove what we've done upon failure
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>

Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>

Currently the virCgroupPtr struct contains 3 pieces of
information

 - path - path of the cgroup, relative to current process'
   cgroup placement
 - placement - current process' placement in each controller
 - mounts - mount point of each controller

When reading/writing cgroup settings, the path & placement
strings are combined to form the file path. This approach
only works if we assume all cgroups will be relative to
the current process' cgroup placement.

To allow support for managing cgroups at any place in the
heirarchy a change is needed. The 'placement' data should
reflect the absolute path to the cgroup, and the 'path'
value should no longer be used to form the paths to the
cgroup attribute files.
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>

Some aspects of the cgroups setup / detection code are quite subtle
and easy to break. It would greatly benefit from unit testing, but
this is difficult because the test suite won't have privileges to
play around with cgroups. The solution is to use monkey patching
via LD_PRELOAD to override the fopen, open, mkdir, access functions
to redirect access of cgroups files to some magic stubs in the
test suite.

Using this we provide custom content for the /proc/cgroup and
/proc/self/mounts files which report a fixed cgroup setup. We
then override open/mkdir/access so that access to the cgroups
filesystem gets redirected into files in a temporary directory
tree in the test suite build dir.
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>

Rename all the virCgroupForXXX methods to use the form
virCgroupNewXXX since they are all constructors. Also
make sure the output parameter is the last one in the
list, and annotate all pointers as non-null. Fix up
all callers, and make sure they use true/false not 0/1
for the boolean parameters
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>

The definition of structs for cgroups are kept in vircgroup.c since
they are intended to be private from users of the API. To enable
effective testing, however, they need to be accessible. To address
the latter issue, without compronmising the former, this introduces
a new vircgrouppriv.h file to hold the struct definitions.

To prevent other files including this private header, it requires
that __VIR_CGROUP_ALLOW_INCLUDE_PRIV_H__ be defined before inclusion
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>