1. 23 1月, 2014 4 次提交
    • O
      storage: Add document for possible problem on volume detection · 6b29eb84
      Osier Yang 提交于
      For pool which relies on remote resources, such as a "iscsi" type
      pool, since how long it takes to export the corresponding devices
      to host's sysfs is really depended, it could depend on the network
      connection, it also could depend on the host's udev procedures. So
      it's likely that the volumes are not able to be detected during pool
      starting process, polling the sysfs doesn't work, since we don't
      know how much time is best for the polling, and even worse, the
      volumes could still be not detected or partly not detected even after
      the polling.  So we end up with a documentation to prompt the fact,
      in virsh manual.
      
      And as a small improvement, let's explicitly say no LUNs found in
      the debug log in that case.
      6b29eb84
    • O
      util: Correct the NUMA node range checking · ae2860b4
      Osier Yang 提交于
      There are 2 issues here: First we shouldn't add "1" to the return
      value of numa_max_node(), since the semanteme of the error message
      was changed, it's not saying about the number of total NUMA nodes
      anymore.  Second, the value of "bit" is the position of the first
      bit which exceeds either numa_max_node() or NUMA_NUM_NODES, it can
      be any number in the range, so saying "bigger than $bit" is quite
      confused now. For example, assuming there is a NUMA machine which
      has 10 NUMA nodes, and one specifies the "nodeset" as "0,5,88",
      the error message will be like:
      
      Nodeset is out of range, host cannot support NUMA node bigger than 88
      
      It sounds like all NUMA node number less than 88 is fine, but
      actually the maximum NUMA node number the machine supports is 9.
      
      This patch fixes the issues by removing the addition with "1" and
      simplifies the error message as "NUMA node $bit is out of range".
      Also simplifies the comparision in the while loop by getting the
      smaller one of numa_max_node() and NUMA_NUM_NODES up front.
      ae2860b4
    • E
      api: require write permission for guest agent interaction · 7f2d27d1
      Eric Blake 提交于
      I noticed that we allow virDomainGetVcpusFlags even for read-only
      connections, but that with a flag, it can require guest agent
      interaction.  It is feasible that a malicious guest could
      intentionally abuse the replies it sends over the guest agent
      connection to possibly trigger a bug in libvirt's JSON parser,
      or withhold an answer so as to prevent the use of the agent
      in a later command such as a shutdown request.  Although we
      don't know of any such exploits now (and therefore don't mind
      posting this patch publicly without trying to get a CVE assigned),
      it is better to err on the side of caution and explicitly require
      full access to any domain where the API requires guest interaction
      to operate correctly.
      
      I audited all commands that are marked as conditionally using a
      guest agent.  Note that at least virDomainFSTrim is documented
      as needing a guest agent, but that such use is unconditional
      depending on the hypervisor (so the existing domain:fs_trim ACL
      should be sufficient there, rather than also requirng domain:write).
      But when designing future APIs, such as the plans for obtaining
      a domain's IP addresses, we should copy the approach of this patch
      in making interaction with the guest be specified via a flag, and
      use that flag to also require stricter access checks.
      
      * src/libvirt.c (virDomainGetVcpusFlags): Forbid guest interaction
      on read-only connection.
      (virDomainShutdownFlags, virDomainReboot): Improve docs on agent
      interaction.
      * src/remote/remote_protocol.x
      (REMOTE_PROC_DOMAIN_SNAPSHOT_CREATE_XML)
      (REMOTE_PROC_DOMAIN_SET_VCPUS_FLAGS)
      (REMOTE_PROC_DOMAIN_GET_VCPUS_FLAGS, REMOTE_PROC_DOMAIN_REBOOT)
      (REMOTE_PROC_DOMAIN_SHUTDOWN_FLAGS): Require domain:write for any
      conditional use of a guest agent.
      * src/xen/xen_driver.c: Fix clients.
      * src/libxl/libxl_driver.c: Likewise.
      * src/uml/uml_driver.c: Likewise.
      * src/qemu/qemu_driver.c: Likewise.
      * src/lxc/lxc_driver.c: Likewise.
      Signed-off-by: NEric Blake <eblake@redhat.com>
      7f2d27d1
    • J
      vbox: add support for v4.2.20+ and v4.3.4+ · bb85da2c
      Jean-Baptiste Rouault 提交于
      Bugs have been found in the VirtualBox API C bindings. These bugs have
      been fixed in versions 4.2.20 and 4.3.4. However, the changes in the
      C bindings are incompatible with the vbox_CAPI_v4_2.h and vbox_CAPI_v4_3.h
      files which are bundled in libvirt source code.
      This is why the following patch adds vbox_CAPI_v4_2_20.h and
      vbox_CAPI_v4_3_4.h.
      
      The actual underlying problem here is that until now,
      libvirt assumed that VirtualBox API can only change between minor
      versions (4.2 -> 4.3), but we have a case here where it changed
      (or got fixed) between patch versions (4.2.18 -> 4.2.20).
      
      This patch makes the VBOX_API_VERSION represent the full API
      version number (i.e 4002 => 4002000) so there are specific version
      numbers for Vbox 4.2.20 (4002020) and 4.3.4 (4003004)
      bb85da2c
  2. 22 1月, 2014 9 次提交
  3. 21 1月, 2014 10 次提交
    • L
      build: add $(prefix) to SYSTEMD_UNIT_DIR · 00e9d607
      Laine Stump 提交于
      I noticed this problem when adding systemd support to netcf, because I
      setup the configure.ac to automatically prefer using systemd over
      initscripts when possible - although I had copied the
      install-data-local target from the example of libvirt's
      "libvirt-guests" service more or less verbatim, "make distcheck" would
      fail because it was trying to install the service file directly into
      /lib/systemd/system rather than into
      /home/user/some/unimportant/name/lib/systemd/system.
      
      This is caused by the install/uninstall rules for the systemd unit
      files relying on $(DESTDIR) pointing the installed files to the right
      place, but in reality $(DESTDIR) is empty during this part of make
      distcheck - it instead sets $(prefix) with the toplevel directory used
      for its test build/install/uninstall cycle.
      
      (This problem hasn't been seen when running "make distcheck" in
      libvirt because libvirt will never build/install systemd support
      unless explicitly told to do so on the configure commandline, and
      "make distcheck" doesn't put the "--with-initscript=..." option on the
      configure commandline.)
      
      I verified that the same problem does exist in libvirt by modifying
      libvirt's configure.ac to set:
      
        init_systemd=yes
        with_init_script=systemd+redhat
      
      This forces a build/install of the systemd unit files during
      distcheck, which yields an error like this:
      
      /usr/bin/install -c -m 644 virtlockd.service \
        /lib/systemd/system/
      libtool: install: warning: relinking `libvirt-qemu.la'
      /usr/bin/install: cannot remove '/lib/systemd/system/virtlockd.service': Permission denied
      make[4]: *** [install-systemd] Error 1
      
      After adding $(prefix) to all the definitions of SYSTEMD_UNIT_DIR,
      make distcheck now completes successfully with the modified
      configure.ac, and the above lines change to something like this:
      
      /usr/bin/install -c -m 644 virtlockd.service \
        /home/laine/devel/libvirt/libvirt-1.2.1/_inst/lib/systemd/system/
      00e9d607
    • P
      qemu: snapshot: Avoid libvirtd crash when qemu crashes while snapshotting · 55bbb011
      Peter Krempa 提交于
      We shouldn't access the domain definition while we are in the monitor
      section as the domain is unlocked. Additionally after we exit from the
      monitor we need to check if the VM is still alive. Not doing so resulted
      in a crash if qemu exits while attempting to do an external VM snapshot.
      55bbb011
    • F
      spice: expose the QEMU disable file transfer option · 08d07e5f
      Francesco Romani 提交于
      spice-server offers an API to disable file transfer messages
      on the agent channel between the client and the guest.
      This is supported in qemu through the disable-agent-file-xfer option.
      
      This patch exposes this option to libvirt.
      Adds a new element 'filetransfer', with one property,
      'enable', which accepts a boolean.
      Default is enabled, for backward compatibility.
      
      Depends on the capability exported in the first patch of the series.
      Signed-off-by: NFrancesco Romani <fromani@redhat.com>
      08d07e5f
    • F
      spice: detect if qemu can disable file transfer · 19bbc812
      Francesco Romani 提交于
      spice-server offers an API to disable file transfer messages
      on the agent channel between the client and the guest.
      This is supported in qemu through the disable-agent-file-xfer option.
      
      This patch detects if QEMU supports this option, and add
      a capability if does.
      Signed-off-by: NFrancesco Romani <fromani@redhat.com>
      19bbc812
    • M
      lxc: Fix coverity · 5ce90b3f
      Martin Kletzander 提交于
      Commit 399394ab removed some coverity
      comments which skipped the dead code, so add them back.
      Signed-off-by: NMartin Kletzander <mkletzan@redhat.com>
      5ce90b3f
    • G
      lxc: allow to setup throttle blkio cgroup through virsh · 399394ab
      Gao feng 提交于
      With this patch,user can set throttle blkio cgroup for
      lxc domain through virsh tool.
      Signed-off-by: NGuan Qiang <hzguanqiang@corp.netease.com>
      Signed-off-by: NGao feng <gaofeng@cn.fujitsu.com>
      399394ab
    • W
      Add test for transient disk support in VMX files · 4fbfac85
      Wout Mertens 提交于
      --001a11c3e84c4130bc04f03cda95
      Content-Type: text/plain; charset=ISO-8859-1
      
      From: Wout Mertens <Wout.Mertens@gmail.com>
      
      Adds test for transient disk translation in vmx files
      4fbfac85
    • R
      Use AC_PATH_PROG to search for dmidecode · 881c6c00
      Roman Bogorodskiy 提交于
      This is useful in certain circumstances, for example when
      libvirtd is being executed by FreeBSD rc script, it cannot find
      dmidecode installed from FreeBSD ports because it doesn't have
      /usr/local (default prefix for ports) in PATH.
      881c6c00
    • Y
      Add sample output of Wireshark dissector · bad1cbe1
      Yuto KAWAMURA(kawamuray) 提交于
      Add directory tools/wireshark/samples/ and
      libvirt-sample.pdml which is sample output of dissector.
      bad1cbe1
    • Y
      Introduce Libvirt Wireshark dissector · 4f32c5f7
      Yuto KAWAMURA(kawamuray) 提交于
      Introduce Wireshark dissector plugin which adds support to Wireshark
      for dissecting libvirt RPC protocol.
      Added following files to build Wireshark dissector from libvirt source
      tree.
      * tools/wireshark/*: Source tree of Wireshark dissector plugin.
      
      Added followings to configure.ac or Makefile.am.
      configure.ac
      * --with-wireshark-dissector: Enable support for building Wireshark
        dissector.
      * --with-ws-plugindir: Specify wireshark plugin directory that dissector
        will installed.
      * Added tools/wireshark/{Makefile,src/Makefile} to  AC_CONFIG_FILES.
      Makefile.am
      * Added tools/wireshark/ to SUBDIR.
      4f32c5f7
  4. 20 1月, 2014 15 次提交
  5. 18 1月, 2014 1 次提交
  6. 17 1月, 2014 1 次提交
    • M
      virSecuritySELinuxSetFileconHelper: Don't fail on read-only NFS · d1fdecb6
      Michal Privoznik 提交于
      https://bugzilla.redhat.com/show_bug.cgi?id=996543
      
      When starting up a domain, the SELinux labeling is done depending on
      current configuration. If the labeling fails we check for possible
      causes, as not all labeling failures are fatal. For example, if the
      labeled file is on NFS which lacks SELinux support, the file can still
      be readable to qemu process. These cases are distinguished by the errno
      code: NFS without SELinux support returns EOPNOTSUPP. However, we were
      missing one scenario. In case there's a read-only disk on a read-only
      NFS (and possibly any FS) and the labeling is just optional (not
      explicitly requested in the XML) there's no need to make the labeling
      error fatal. In other words, read-only file on read-only NFS can fail to
      be labeled, but be readable at the same time.
      Signed-off-by: NMichal Privoznik <mprivozn@redhat.com>
      d1fdecb6