query-cpu-model-baseline/comparison will accept a list of features
as part of the command. Since CPUs may be defined with CPU feature
policies, let's parse it to the appropriate boolean that the QMP
command expects.

A feature that is set to required, force, or if it is a hypervisor
CPU feature (-1), then set the property value to true. Otherwise
(optional, disabled) set the value to false.
Signed-off-by: NCollin Walling <walling@linux.ibm.com>
Message-Id: <1568924706-2311-5-git-send-email-walling@linux.ibm.com>
Reviewed-by: NJiri Denemark <jdenemar@redhat.com>

When expanding a CPU model via query-cpu-model-expansion, any features
that were a part of the original model are discarded. For exmaple,
when expanding modelA with features f1, f2, a full expansion may reveal
feature f3, but the expanded model will not include f1 or f2.

Let's pass a virCPUDefPtr to the expansion function in preparation for
taking features into consideration.
Signed-off-by: NCollin Walling <walling@linux.ibm.com>
Message-Id: <1568924706-2311-4-git-send-email-walling@linux.ibm.com>
Reviewed-by: NJiri Denemark <jdenemar@redhat.com>

With refactoring most of the expansion function, let's take care of
some additional cleanups.
Signed-off-by: NCollin Walling <walling@linux.ibm.com>
Message-Id: <1568924706-2311-3-git-send-email-walling@linux.ibm.com>
Reviewed-by: NJiri Denemark <jdenemar@redhat.com>

Refactor some code in qemuMonitorJSONGetCPUModelExpansion to be later
used for the comparison and baseline functions.
Signed-off-by: NCollin Walling <walling@linux.ibm.com>
Reviewed-by: NBjoern Walk <bwalk@linux.ibm.com>
Reviewed-by: NDaniel Henrique Barboza <danielhb413@gmail.com>
Message-Id: <1568924706-2311-2-git-send-email-walling@linux.ibm.com>
Reviewed-by: NJiri Denemark <jdenemar@redhat.com>

Signed-off-by: NPeter Krempa <pkrempa@redhat.com>

* docs/news.xml: updated for the release
Signed-off-by: NDaniel Veillard <veillard@redhat.com>

Parseability of disk name is now checked in qemuDomainDeviceDefValidateDisk().
Signed-off-by: NPavel Mores <pmores@redhat.com>
Reviewed-by: NDaniel P. Berrangé <berrange@redhat.com>
Reviewed-by: NMichal Privoznik <mprivozn@redhat.com>

The way in which the qemu driver generates aliases for disks involves
ignoring the partition number part of a target dev name.  This means that
all partitions of a block device and the device itself all end up with the
same alias.  If multiple such disks are specified in XML, the resulting
name clash makes qemu invocation fail.

Since attaching partitions to qemu VMs doesn't seem to make much sense
anyway, disallow partitions in target specifications altogether.

https://bugzilla.redhat.com/show_bug.cgi?id=1346265Signed-off-by: NPavel Mores <pmores@redhat.com>
Reviewed-by: NDaniel P. Berrangé <berrange@redhat.com>
Signed-off-by: NMichal Privoznik <mprivozn@redhat.com>
Reviewed-by: NMichal Privoznik <mprivozn@redhat.com>

The VIR_TYPED_PARAM_* enum fields are defined in libvirt-common.h, not
in the remote protcol, so shouldn't be part of the protocol structs
output check. This avoids similar problems hitting when we add use of
glib, which has other such anonymous enums.
Reviewed-by: NPavel Hrdina <phrdina@redhat.com>
Signed-off-by: NDaniel P. Berrangé <berrange@redhat.com>

There are various ideas / plans floating around for future libvirt work,
some of which is actively in progress. Historically we've never captured
this kind of information anywhere, except in mailing list discussions.
In particular guidelines in hacking.html.in don't appear until a policy
is actively applied.

This patch attempts to fill the documentation gap, by creating a new
"strategy" page which outlines the general vision for some notable
future changes. The key thing to note is that none of the stuff on this
page is guaranteed, plans may change as new information arises. IOW this
is a "best guess" as to the desired future.

This doc has focused on three areas, related to the topic of language
usage / consolidation

 - Use of non-C languages for the library, daemons or helper tools
 - Replacement of autotools with meson
 - Use of RST and Sphinx for documentation (website + man pages)
Reviewed-by: NMichal Privoznik <mprivozn@redhat.com>
Reviewed-by: NAndrea Bolognani <abologna@redhat.com>
Signed-off-by: NDaniel P. Berrangé <berrange@redhat.com>

Consider having a nc binary in the path with a space in its name,
for example '/tmp/fo o/nc'

This results in libvirt running SSH with the following arg value

  "'if ''/tmp/fo o/nc'' -q 2>&1 | grep \"requires
    an argument\" >/dev/null 2>&1; then ARG=-q0;
    else ARG=;fi;''/tmp/fo o/nc'' $ARG -U
    /var/run/libvirt/libvirt-sock'"

The use of the single quote escaping was introduced by

  commit 6ac6238d
  Author: Guido Günther <agx@sigxcpu.org>
  Date:   Thu Oct 13 21:49:01 2011 +0200

    Use virBufferEscapeShell in virNetSocketNewConnectSSH

    to escape the netcat command since it's passed to the shell. Adjust
    expected test case output accordingly.

While the intention of this change was good, the result is broken as it
is still underquoted.

On the SSH server side, SSH itself runs the command via the shell.
Our command is then invoking the shell again. Thus we see

$ virsh -c qemu+ssh://root@domokun/system?netcat=%2Ftmp%2Ffo%20o%2Fnc list
error: failed to connect to the hypervisor
error: End of file while reading data: sh: /tmp/fo: No such file or directory: Input/output error

With the second level of escaping added we can now successfully use a nc
binary with a space in the path.

The original test case added was misleading as it illustrated using a
binary path of 'nc -4' which is not a path, it is a command with a
separate argument, which is getting interpreted as a path.
Reviewed-by: NEric Blake <eblake@redhat.com>
Signed-off-by: NDaniel P. Berrangé <berrange@redhat.com>

In the error code path, the temporary parameters are not freed.
Reviewed-by: NDaniel Henrique Barboza <danielhb413@gmail.com>
Signed-off-by: NDaniel P. Berrangé <berrange@redhat.com>

In the domain capabilities XML there are FW image paths printed.
There are two sources for the image paths (in order of
preference):

  1) firmware descriptor files - as returned by
  qemuFirmwareGetSupported()

  2) a compile time list of FW:NRAM pairs which can be overridden
  in qemu.conf

If either of those contains a duplicate FW image path (which is
a valid use case) it is printed twice in the capabilities XML.
While it's technically not a bug, it doesn't look good.
Signed-off-by: NMichal Privoznik <mprivozn@redhat.com>
Tested-by: NKashyap Chamarthy <kchamart@redhat.com>
Reviewed-by: NAndrea Bolognani <abologna@redhat.com>

Similarly to the snapshot code there's no reason to modify current
checkpoint until we are done creating the new one.
Signed-off-by: NPeter Krempa <pkrempa@redhat.com>
Reviewed-by: NMichal Privoznik <mprivozn@redhat.com>

Since commit f1056279 we store whether a snapshot is current globally
rather than locally in the snapshot object.

This means that we don't have to unset the current snapshot prior to
taking/reverting the snapshot and we can do it only when everything is
done successfully.
Signed-off-by: NPeter Krempa <pkrempa@redhat.com>
Reviewed-by: NMichal Privoznik <mprivozn@redhat.com>

The NVDIMM backend file can be a normal file or a real device file,
Current xml example and explainations may mislead users. So add more
info about the NVDIMM related elements and update the xml examples.
Signed-off-by: NLuyao Zhong <luyao.zhong@intel.com>
Reviewed-by: NMichal Privoznik <mprivozn@redhat.com>

The AppArmor profile generated by virt-aa-helper is too strict for swtpm.
This change contains 2 small fixes:
- Relax append access to swtpm's log file to permit write access instead.
Append access is insufficient because the log is opened with O_CREAT.
- Permit swtpm to acquire a lock on its lock file.
Signed-off-by: NChris Coulson <chris.coulson@canonical.com>
Reviewed-by: NMichal Privoznik <mprivozn@redhat.com>

Ensure that the FD we're passing to QEMU is actually open, so we get a
sane error message upfront instead of telling QEMU to use a closed FD.
Reviewed-by: NMichal Privoznik <mprivozn@redhat.com>
Signed-off-by: NDaniel P. Berrangé <berrange@redhat.com>

The video private data was not initializing the vhostuser FD
causing us to attempt to close FD 0 many times over.

Fixes

  commit ca60ecfa
  Author: Marc-André Lureau <marcandre.lureau@redhat.com>
  Date:   Mon Sep 23 14:44:36 2019 +0400

      qemu: add qemuDomainVideoPrivate

Since the test suite does not invoke qemuExtDevicesStart(), no
vhost_user_fd will be present when generating test XML. To deal
with this we can must a fake FD number. While the current XML
is using FD == 0, we pick a very interesting number that's unlikely
to be a real FD, so that we're more likely to see any mistakes
closing the invalid FD.
Reviewed-by: NMichal Privoznik <mprivozn@redhat.com>
Signed-off-by: NDaniel P. Berrangé <berrange@redhat.com>

Now it's not used outside of qemu_monitor_json.c.
Signed-off-by: NPeter Krempa <pkrempa@redhat.com>
Reviewed-by: NEric Blake <eblake@redhat.com>

Use the generators provided by the monitor code instead.
Signed-off-by: NPeter Krempa <pkrempa@redhat.com>
Reviewed-by: NEric Blake <eblake@redhat.com>

Use the new generator residing in the monitor code rather than directly
using qemuMonitorJSONTransactionAdd.
Signed-off-by: NPeter Krempa <pkrempa@redhat.com>
Reviewed-by: NEric Blake <eblake@redhat.com>

Validate all the commands against the schema.
Signed-off-by: NPeter Krempa <pkrempa@redhat.com>
Reviewed-by: NEric Blake <eblake@redhat.com>

Unify with other code that generates parameters for the 'transaction'
command.
Signed-off-by: NPeter Krempa <pkrempa@redhat.com>
Reviewed-by: NEric Blake <eblake@redhat.com>

Rather than generating the transaction contents in random places add a
unified set of APIs to generate the contents for a 'transaction' for the
dirty bitmap APIs.
Signed-off-by: NPeter Krempa <pkrempa@redhat.com>
Reviewed-by: NEric Blake <eblake@redhat.com>

The QEMU_CAPS_INCREMENTAL_BACKUP will be enabled once all bits of the
incremental backup feature work as expected which means also properly
interacting with blockjobs and snapshots.

Thus we can allow blockjobs and snapshots if QEMU_CAPS_INCREMENTAL_BACKUP
is present even when checkpoints exist.
Signed-off-by: NPeter Krempa <pkrempa@redhat.com>
Reviewed-by: NEric Blake <eblake@redhat.com>

Rather than having to fix 5 places once we support the combination, add
a function called by all the blockjob/snapshot APIs.
Signed-off-by: NPeter Krempa <pkrempa@redhat.com>
Reviewed-by: NEric Blake <eblake@redhat.com>

Checkpoints by themselves are not very useful for anything else than
testing the few bitmap interactions that are currently implemented.

It's very unlikely that anybody used this feature and thus we can
disable it until we have a more complete implementation ready.

Additionally the code for deleting checkpoints has many broken failure
scenarios which should be fixed first. This will require support of
deleting a bitmap in a qemu 'transaction' which was not released yet.

Curious users obviously can use the qemu namespace in the XML to enable
this for experiments:

  <domain type='kvm' xmlns:qemu='http://libvirt.org/schemas/domain/qemu/1.0'>
    ...
    <qemu:capabilities>
      <qemu:add capability='incremental-backup'/>
    </qemu:capabilities>
  </domain>
Signed-off-by: NPeter Krempa <pkrempa@redhat.com>
Reviewed-by: NEric Blake <eblake@redhat.com>

Add a new all-covering capability which will be used to interlock
incremental backup support until all bits are ready.
Signed-off-by: NPeter Krempa <pkrempa@redhat.com>
Reviewed-by: NEric Blake <eblake@redhat.com>

Add a 'cleanup' label and use jumps as we do in other places.
Signed-off-by: NPeter Krempa <pkrempa@redhat.com>
Reviewed-by: NEric Blake <eblake@redhat.com>

Once somebody is motivated enough to add the support for the quiesce
flag or offline checkpoint deletion they are welcome to do so but we
don't need to have a reminder.
Signed-off-by: NPeter Krempa <pkrempa@redhat.com>
Reviewed-by: NEric Blake <eblake@redhat.com>

Use VIR_AUTO* helpers and get rid of the 'cleanup' label.
Signed-off-by: NPeter Krempa <pkrempa@redhat.com>
Reviewed-by: NEric Blake <eblake@redhat.com>

There's nothing that uses it directly now. Also not allowing direct use
will promote our layering.
Signed-off-by: NPeter Krempa <pkrempa@redhat.com>
Reviewed-by: NEric Blake <eblake@redhat.com>

Finish the refactor by moving and renaming functions from qemu_domain.c
Signed-off-by: NPeter Krempa <pkrempa@redhat.com>
Reviewed-by: NEric Blake <eblake@redhat.com>

Move all extensive functions to a new file so that we don't just pile
everything in the common files. This obviously isn't possible with
straight code movement as we still need stubs in qemu_driver.c

Additionally some functions e.g. for looking up a checkpoint by name
were so short that moving the impl didn't make sense.

Note that in the move the new file also doesn't use
virQEMUMomentReparent but rather an stripped down copy. As I plan to
split out snapshot code into a separate file the unification doesn't
make sense any more.
Signed-off-by: NPeter Krempa <pkrempa@redhat.com>
Reviewed-by: NEric Blake <eblake@redhat.com>

The interlocking with snapshots is executed prior to the ACL check so if
a VM has snapshots invoking the checkpoint API may leak it's existance.

Introduced with the qemuDomainCheckpointCreateXML API implementation in
commit 5f4e0796.
Signed-off-by: NPeter Krempa <pkrempa@redhat.com>
Reviewed-by: NPavel Hrdina <phrdina@redhat.com>

It is documented that a command to run inside the container can be
passed with the -c arg.

  virt-login-shell -c "ls -l /"

This fixes

  commit 4feeb2d9
  Author: Daniel P. Berrangé <berrange@redhat.com>
  Date:   Thu Aug 1 10:58:31 2019 +0100

    tools: split virt-login-shell into two binaries
Reviewed-by: NMichal Privoznik <mprivozn@redhat.com>
Signed-off-by: NDaniel P. Berrangé <berrange@redhat.com>

We recently forbid the use of --listen with socket activation:

  commit 3a6a725b
  Author: Daniel P. Berrangé <berrange@redhat.com>
  Date:   Thu Aug 22 14:52:16 2019 +0100

      remote: forbid the --listen arg when systemd socket activation

In this change we forgot that virtproxyd doesn't have a --listen
parameter, and instead behaves as if it was always present. Thus
when systemd socket activation is present, we must disable this
built-in default
Reviewed-by: NErik Skultety <eskultet@redhat.com>
Signed-off-by: NDaniel P. Berrangé <berrange@redhat.com>

If a symbol file for either of NSS modules is changed then
subsequent 'make' doesn't regenerate the library, because there
is no implicit dependency between the library and symbols file.
Put an explicit dependency into the Makefile then. Unfortunately,
setting _DEPENDENCIES makes us lose automake's generated
dependencies (see src/Makefile.am:592 for details). But
fortunately, the only dependency we had was _LIBADD variable.
Signed-off-by: NMichal Privoznik <mprivozn@redhat.com>
Reviewed-by: NErik Skultety <eskultet@redhat.com>

I find it more readable that way.
Signed-off-by: NMichal Privoznik <mprivozn@redhat.com>
Reviewed-by: NErik Skultety <eskultet@redhat.com>