Consider having a nc binary in the path with a space in its name,
for example '/tmp/fo o/nc'

This results in libvirt running SSH with the following arg value

  "'if ''/tmp/fo o/nc'' -q 2>&1 | grep \"requires
    an argument\" >/dev/null 2>&1; then ARG=-q0;
    else ARG=;fi;''/tmp/fo o/nc'' $ARG -U
    /var/run/libvirt/libvirt-sock'"

The use of the single quote escaping was introduced by

  commit 6ac6238d
  Author: Guido Günther <agx@sigxcpu.org>
  Date:   Thu Oct 13 21:49:01 2011 +0200

    Use virBufferEscapeShell in virNetSocketNewConnectSSH

    to escape the netcat command since it's passed to the shell. Adjust
    expected test case output accordingly.

While the intention of this change was good, the result is broken as it
is still underquoted.

On the SSH server side, SSH itself runs the command via the shell.
Our command is then invoking the shell again. Thus we see

$ virsh -c qemu+ssh://root@domokun/system?netcat=%2Ftmp%2Ffo%20o%2Fnc list
error: failed to connect to the hypervisor
error: End of file while reading data: sh: /tmp/fo: No such file or directory: Input/output error

With the second level of escaping added we can now successfully use a nc
binary with a space in the path.

The original test case added was misleading as it illustrated using a
binary path of 'nc -4' which is not a path, it is a command with a
separate argument, which is getting interpreted as a path.
Reviewed-by: NEric Blake <eblake@redhat.com>
Signed-off-by: NDaniel P. Berrangé <berrange@redhat.com>

In the error code path, the temporary parameters are not freed.
Reviewed-by: NDaniel Henrique Barboza <danielhb413@gmail.com>
Signed-off-by: NDaniel P. Berrangé <berrange@redhat.com>

In the domain capabilities XML there are FW image paths printed.
There are two sources for the image paths (in order of
preference):

  1) firmware descriptor files - as returned by
  qemuFirmwareGetSupported()

  2) a compile time list of FW:NRAM pairs which can be overridden
  in qemu.conf

If either of those contains a duplicate FW image path (which is
a valid use case) it is printed twice in the capabilities XML.
While it's technically not a bug, it doesn't look good.
Signed-off-by: NMichal Privoznik <mprivozn@redhat.com>
Tested-by: NKashyap Chamarthy <kchamart@redhat.com>
Reviewed-by: NAndrea Bolognani <abologna@redhat.com>

Similarly to the snapshot code there's no reason to modify current
checkpoint until we are done creating the new one.
Signed-off-by: NPeter Krempa <pkrempa@redhat.com>
Reviewed-by: NMichal Privoznik <mprivozn@redhat.com>

Since commit f1056279 we store whether a snapshot is current globally
rather than locally in the snapshot object.

This means that we don't have to unset the current snapshot prior to
taking/reverting the snapshot and we can do it only when everything is
done successfully.
Signed-off-by: NPeter Krempa <pkrempa@redhat.com>
Reviewed-by: NMichal Privoznik <mprivozn@redhat.com>

The NVDIMM backend file can be a normal file or a real device file,
Current xml example and explainations may mislead users. So add more
info about the NVDIMM related elements and update the xml examples.
Signed-off-by: NLuyao Zhong <luyao.zhong@intel.com>
Reviewed-by: NMichal Privoznik <mprivozn@redhat.com>

The AppArmor profile generated by virt-aa-helper is too strict for swtpm.
This change contains 2 small fixes:
- Relax append access to swtpm's log file to permit write access instead.
Append access is insufficient because the log is opened with O_CREAT.
- Permit swtpm to acquire a lock on its lock file.
Signed-off-by: NChris Coulson <chris.coulson@canonical.com>
Reviewed-by: NMichal Privoznik <mprivozn@redhat.com>

Ensure that the FD we're passing to QEMU is actually open, so we get a
sane error message upfront instead of telling QEMU to use a closed FD.
Reviewed-by: NMichal Privoznik <mprivozn@redhat.com>
Signed-off-by: NDaniel P. Berrangé <berrange@redhat.com>

The video private data was not initializing the vhostuser FD
causing us to attempt to close FD 0 many times over.

Fixes

  commit ca60ecfa
  Author: Marc-André Lureau <marcandre.lureau@redhat.com>
  Date:   Mon Sep 23 14:44:36 2019 +0400

      qemu: add qemuDomainVideoPrivate

Since the test suite does not invoke qemuExtDevicesStart(), no
vhost_user_fd will be present when generating test XML. To deal
with this we can must a fake FD number. While the current XML
is using FD == 0, we pick a very interesting number that's unlikely
to be a real FD, so that we're more likely to see any mistakes
closing the invalid FD.
Reviewed-by: NMichal Privoznik <mprivozn@redhat.com>
Signed-off-by: NDaniel P. Berrangé <berrange@redhat.com>

Now it's not used outside of qemu_monitor_json.c.
Signed-off-by: NPeter Krempa <pkrempa@redhat.com>
Reviewed-by: NEric Blake <eblake@redhat.com>

Use the generators provided by the monitor code instead.
Signed-off-by: NPeter Krempa <pkrempa@redhat.com>
Reviewed-by: NEric Blake <eblake@redhat.com>

Use the new generator residing in the monitor code rather than directly
using qemuMonitorJSONTransactionAdd.
Signed-off-by: NPeter Krempa <pkrempa@redhat.com>
Reviewed-by: NEric Blake <eblake@redhat.com>

Validate all the commands against the schema.
Signed-off-by: NPeter Krempa <pkrempa@redhat.com>
Reviewed-by: NEric Blake <eblake@redhat.com>

Unify with other code that generates parameters for the 'transaction'
command.
Signed-off-by: NPeter Krempa <pkrempa@redhat.com>
Reviewed-by: NEric Blake <eblake@redhat.com>

Rather than generating the transaction contents in random places add a
unified set of APIs to generate the contents for a 'transaction' for the
dirty bitmap APIs.
Signed-off-by: NPeter Krempa <pkrempa@redhat.com>
Reviewed-by: NEric Blake <eblake@redhat.com>

The QEMU_CAPS_INCREMENTAL_BACKUP will be enabled once all bits of the
incremental backup feature work as expected which means also properly
interacting with blockjobs and snapshots.

Thus we can allow blockjobs and snapshots if QEMU_CAPS_INCREMENTAL_BACKUP
is present even when checkpoints exist.
Signed-off-by: NPeter Krempa <pkrempa@redhat.com>
Reviewed-by: NEric Blake <eblake@redhat.com>

Rather than having to fix 5 places once we support the combination, add
a function called by all the blockjob/snapshot APIs.
Signed-off-by: NPeter Krempa <pkrempa@redhat.com>
Reviewed-by: NEric Blake <eblake@redhat.com>

Checkpoints by themselves are not very useful for anything else than
testing the few bitmap interactions that are currently implemented.

It's very unlikely that anybody used this feature and thus we can
disable it until we have a more complete implementation ready.

Additionally the code for deleting checkpoints has many broken failure
scenarios which should be fixed first. This will require support of
deleting a bitmap in a qemu 'transaction' which was not released yet.

Curious users obviously can use the qemu namespace in the XML to enable
this for experiments:

  <domain type='kvm' xmlns:qemu='http://libvirt.org/schemas/domain/qemu/1.0'>
    ...
    <qemu:capabilities>
      <qemu:add capability='incremental-backup'/>
    </qemu:capabilities>
  </domain>
Signed-off-by: NPeter Krempa <pkrempa@redhat.com>
Reviewed-by: NEric Blake <eblake@redhat.com>

Add a new all-covering capability which will be used to interlock
incremental backup support until all bits are ready.
Signed-off-by: NPeter Krempa <pkrempa@redhat.com>
Reviewed-by: NEric Blake <eblake@redhat.com>

Add a 'cleanup' label and use jumps as we do in other places.
Signed-off-by: NPeter Krempa <pkrempa@redhat.com>
Reviewed-by: NEric Blake <eblake@redhat.com>

Once somebody is motivated enough to add the support for the quiesce
flag or offline checkpoint deletion they are welcome to do so but we
don't need to have a reminder.
Signed-off-by: NPeter Krempa <pkrempa@redhat.com>
Reviewed-by: NEric Blake <eblake@redhat.com>

Use VIR_AUTO* helpers and get rid of the 'cleanup' label.
Signed-off-by: NPeter Krempa <pkrempa@redhat.com>
Reviewed-by: NEric Blake <eblake@redhat.com>

There's nothing that uses it directly now. Also not allowing direct use
will promote our layering.
Signed-off-by: NPeter Krempa <pkrempa@redhat.com>
Reviewed-by: NEric Blake <eblake@redhat.com>

Finish the refactor by moving and renaming functions from qemu_domain.c
Signed-off-by: NPeter Krempa <pkrempa@redhat.com>
Reviewed-by: NEric Blake <eblake@redhat.com>

Move all extensive functions to a new file so that we don't just pile
everything in the common files. This obviously isn't possible with
straight code movement as we still need stubs in qemu_driver.c

Additionally some functions e.g. for looking up a checkpoint by name
were so short that moving the impl didn't make sense.

Note that in the move the new file also doesn't use
virQEMUMomentReparent but rather an stripped down copy. As I plan to
split out snapshot code into a separate file the unification doesn't
make sense any more.
Signed-off-by: NPeter Krempa <pkrempa@redhat.com>
Reviewed-by: NEric Blake <eblake@redhat.com>

The interlocking with snapshots is executed prior to the ACL check so if
a VM has snapshots invoking the checkpoint API may leak it's existance.

Introduced with the qemuDomainCheckpointCreateXML API implementation in
commit 5f4e0796.
Signed-off-by: NPeter Krempa <pkrempa@redhat.com>
Reviewed-by: NPavel Hrdina <phrdina@redhat.com>

It is documented that a command to run inside the container can be
passed with the -c arg.

  virt-login-shell -c "ls -l /"

This fixes

  commit 4feeb2d9
  Author: Daniel P. Berrangé <berrange@redhat.com>
  Date:   Thu Aug 1 10:58:31 2019 +0100

    tools: split virt-login-shell into two binaries
Reviewed-by: NMichal Privoznik <mprivozn@redhat.com>
Signed-off-by: NDaniel P. Berrangé <berrange@redhat.com>

We recently forbid the use of --listen with socket activation:

  commit 3a6a725b
  Author: Daniel P. Berrangé <berrange@redhat.com>
  Date:   Thu Aug 22 14:52:16 2019 +0100

      remote: forbid the --listen arg when systemd socket activation

In this change we forgot that virtproxyd doesn't have a --listen
parameter, and instead behaves as if it was always present. Thus
when systemd socket activation is present, we must disable this
built-in default
Reviewed-by: NErik Skultety <eskultet@redhat.com>
Signed-off-by: NDaniel P. Berrangé <berrange@redhat.com>

If a symbol file for either of NSS modules is changed then
subsequent 'make' doesn't regenerate the library, because there
is no implicit dependency between the library and symbols file.
Put an explicit dependency into the Makefile then. Unfortunately,
setting _DEPENDENCIES makes us lose automake's generated
dependencies (see src/Makefile.am:592 for details). But
fortunately, the only dependency we had was _LIBADD variable.
Signed-off-by: NMichal Privoznik <mprivozn@redhat.com>
Reviewed-by: NErik Skultety <eskultet@redhat.com>

I find it more readable that way.
Signed-off-by: NMichal Privoznik <mprivozn@redhat.com>
Reviewed-by: NErik Skultety <eskultet@redhat.com>

Similarly to gethostbyname3(), the @addr must be freed on return
from the function.
Signed-off-by: NMichal Privoznik <mprivozn@redhat.com>
Reviewed-by: NErik Skultety <eskultet@redhat.com>

The findLease() function allocates @addr array iff no error
occurred and at least one satisfactory record was found.
Therefore, there is no need to call free() if findLease() failed,
or did not find any records as addr == NULL.
Signed-off-by: NMichal Privoznik <mprivozn@redhat.com>
Reviewed-by: NErik Skultety <eskultet@redhat.com>

When parsing leases file, appendAddr() is called to append parsed
tuple (address, expiry time, family) into an array. Whilst doing
so, the array is searched for possible duplicate. This is done by
comparing each item of the array by passed @family: if @family is
AF_INET then the item is viewed as IPv4 address. Similarly, if
@family is AF_INET6 then the item is viewed as IPv6 address. This
is not exactly right - the array can contain addresses of both
families and thus the address family of each item of the array
must be considered.
Signed-off-by: NMichal Privoznik <mprivozn@redhat.com>
Reviewed-by: NErik Skultety <eskultet@redhat.com>

These helped with debugging
https://bugzilla.redhat.com/show_bug.cgi?id=1612383Reviewed-by: NPavel Hrdina <phrdina@redhat.com>
Signed-off-by: NCole Robinson <crobinso@redhat.com>

On Fedora 31, starting a 'mock' build alters /proc/$pid/cgroup,
probably due to usage of systemd-nspawn.

Before:
$ cat /proc/self/cgroup
0::/user.slice/user-1000.slice/...

After:
$ cat /proc/self/cgroup
1:name=systemd:/
0::/user.slice/user-1000.slice/...

The cgroupv2 code mishandles that first line in the second case, which
causes VM startup to fail with: Unable to read from
'/sys/fs/cgroup/machine/cgroup.controllers': No such file or directory

The kernel docs[1] say that the cgroupv2 path will always start with
'0::', which in the code here controllers="". Only set the v2 placement
path when we see that cgroup file entry.

[1] https://www.kernel.org/doc/html/v5.3/admin-guide/cgroup-v2.html#processes

https://bugzilla.redhat.com/show_bug.cgi?id=1751120Reviewed-by: NPavel Hrdina <phrdina@redhat.com>
Signed-off-by: NCole Robinson <crobinso@redhat.com>

The code that gets the job to refresh disk sizes was not merged yet so
remove this artifact.
Signed-off-by: NPeter Krempa <pkrempa@redhat.com>
Reviewed-by: NEric Blake <eblake@redhat.com>

'vm' is passed in which contains the definition which contains the UUID
so we don't need another parameter for this.
Signed-off-by: NPeter Krempa <pkrempa@redhat.com>
Reviewed-by: NJán Tomko <jtomko@redhat.com>

'vm' is passed in which contains the definition which contains the UUID
so we don't need another parameter for this.
Signed-off-by: NPeter Krempa <pkrempa@redhat.com>
Reviewed-by: NJán Tomko <jtomko@redhat.com>

Move it to qemu_domain.c and rename it to qemuDomainObjFromDomain. This
will allow reusing it after splitting out checkpoint code from
qemu_driver.c.
Signed-off-by: NPeter Krempa <pkrempa@redhat.com>
Reviewed-by: NJán Tomko <jtomko@redhat.com>

Blacklist Perl and Shell code in favour of Python for
sake of readability and portability.
Reviewed-by: NJán Tomko <jtomko@redhat.com>
Signed-off-by: NDaniel P. Berrangé <berrange@redhat.com>