We document steps how to fix images if they are rejected for missing
the 'backing file format' field. Document also how to securely probe
the image format if it's unknown.
Signed-off-by: NPeter Krempa <pkrempa@redhat.com>
Reviewed-by: NJán Tomko <jtomko@redhat.com>

The default memlock limit is 64k which is not enough to start a single
VM. The requirements for one VM are 12k, 8k for eBPF map and 4k for eBPF
program, however, it fails to create eBPF map and program with 64k limit.
By testing I figured out that the minimal limit is 80k to start a single
VM with functional eBPF and if I add 12k I can start another one.

This leads into following calculation:

80k as memlock limit worked to start a VM with eBPF which means there
is 68k of lock memory that I was not able to figure out what was using
it.  So to get a number for 4096 VMs:

        68 + 12 * 4096 = 49220

If we round it up we will get 64M of memory lock limit to support 4096
VMs with default map size which can hold 64 entries for devices.

This should be good enough as a sane default and users can change it if
the need to.

Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1807090Signed-off-by: NPavel Hrdina <phrdina@redhat.com>
Reviewed-by: NMichal Privoznik <mprivozn@redhat.com>

Signed-off-by: NLaine Stump <laine@redhat.com>
Reviewed-by: NMichal Privoznik <mprivozn@redhat.com>

We now support setting bandwidth on networks with type bridge.
Signed-off-by: NDaniel P. Berrangé <berrange@redhat.com>

Whenever there is a guest CPU configured in domain XML, we will call
some CPU driver APIs to validate the CPU definition and check its
compatibility with the hypervisor. Thus domains with guest CPU
specification can only be started if the guest architecture is supported
by the CPU driver. But we would add a default CPU to any domain as long
as QEMU reports it causing failures to start any domain on affected
architectures.

https://bugzilla.redhat.com/show_bug.cgi?id=1805755Signed-off-by: NJiri Denemark <jdenemar@redhat.com>
Reviewed-by: NDaniel P. Berrangé <berrange@redhat.com>

Signed-off-by: NPeter Krempa <pkrempa@redhat.com>
Reviewed-by: NDaniel P. Berrangé <berrange@redhat.com>

Allow format probing to work around lazy clients which did not specify
their format in the overlay. Format probing will be allowed only, if we
are able to probe the image, the probing result was successful and the
probed image does not have any backing or data file.

This relaxes the restrictions which were imposed in commit 3615e8b3
in cases when we know that the image probing will not result in security
issues or data corruption.

We perform the image format detection and in the case that we were able
to probe the format and the format does not specify a backing store (or
doesn't support backing store) we can use this format.

With pre-blockdev configurations this will restore the previous
behaviour for the images mentioned above as qemu would probe the format
anyways. It also improves error reporting compared to the old state as
we now report that the backing chain will be broken in case when there
is a backing file.

In blockdev configurations this ensures that libvirt will not cause data
corruption by ending the chain prematurely without notifying the user,
but still allows the old semantics when the users forgot to specify the
format.

Users thus don't have to re-invent when image format detection is safe
to do.

The price for this is that libvirt will need to keep the image format
detector still current and working or replace it by invocation of
qemu-img.
Signed-off-by: NPeter Krempa <pkrempa@redhat.com>
Reviewed-by: NDaniel P. Berrangé <berrange@redhat.com>

While our code can detect ISO as a separate format, qemu does not use it
as such and just passes it through as raw. Add conversion for detected
parts of the backing chain so that the validation code does not reject
it right away.
Signed-off-by: NPeter Krempa <pkrempa@redhat.com>
Reviewed-by: NDaniel P. Berrangé <berrange@redhat.com>

Now that this file no longer transitively includes
domain_conf.h, it can be included here.
Signed-off-by: NJán Tomko <jtomko@redhat.com>
Reviewed-by: NMichal Privoznik <mprivozn@redhat.com>

All the _conf includes are only needed in the C file.
Signed-off-by: NJán Tomko <jtomko@redhat.com>
Reviewed-by: NMichal Privoznik <mprivozn@redhat.com>

This function only uses the domain definition.
Signed-off-by: NJán Tomko <jtomko@redhat.com>
Reviewed-by: NMichal Privoznik <mprivozn@redhat.com>

Make the header easier to read and let the compiler inline
what it wants.
Signed-off-by: NJán Tomko <jtomko@redhat.com>
Reviewed-by: NMichal Privoznik <mprivozn@redhat.com>

Signed-off-by: NJán Tomko <jtomko@redhat.com>
Reviewed-by: NPavel Mores <pmores@redhat.com>
Reviewed-by: NMichal Privoznik <mprivozn@redhat.com>

This is pulled in via domain_conf.h somehow, but it is directly used.
Signed-off-by: NJán Tomko <jtomko@redhat.com>
Reviewed-by: NMichal Privoznik <mprivozn@redhat.com>

This file uses the virNetDevBandwidth*Floor helpers
without including the correct include,
relying on virnetworkportdef.h to include it.
Signed-off-by: NJán Tomko <jtomko@redhat.com>
Fixes: 17f430ebReviewed-by: NMichal Privoznik <mprivozn@redhat.com>

The ParseNode function takes arguments with types
from libxml.
Signed-off-by: NJán Tomko <jtomko@redhat.com>
Reviewed-by: NMichal Privoznik <mprivozn@redhat.com>

The network port XML files were not including any usage of vlan
tags or port options, and one of the files was not even processed.
Signed-off-by: NDaniel P. Berrangé <berrange@redhat.com>

There are a lots of strings being handled inside some LXC functions.
They can be moved to g_autofree to avoid declaring a return value to get
proper code cleanups. This commit is changing functions from
lxc_{controller,cgroup,fuse} only.
Reviewed-by: NDaniel P. Berrangé <berrange@redhat.com>
Signed-off-by: NJulio Faracco <jcfaracco@gmail.com>

Ever since commit c5a00350 the libxl parser invokes the emulator
to probe which device model to use.

Commit b90c4b5f introduced a workaround that used a stable path
which was very likely to result in the answer matching the default.
However the test is still affected by the host state and the binary
gets invoked if present.

Mock the libxlDomainGetEmulatorType function to stop wasting CPU
cycles every time a 'make check' is run on a system with xen installed.

For example xlconfigtest gets faster by 90 %
Signed-off-by: NJán Tomko <jtomko@redhat.com>
Fixes: b90c4b5fReviewed-by: NJim Fehlig <jfehlig@suse.com>

This lets us mock functions from the libxl driver.
Signed-off-by: NJán Tomko <jtomko@redhat.com>
Reviewed-by: NJim Fehlig <jfehlig@suse.com>

Point the logDir to abs_builddir instead.
Signed-off-by: NJán Tomko <jtomko@redhat.com>
Reviewed-by: NJim Fehlig <jfehlig@suse.com>

Take the parts affected by the host state out of DriverConfigNew
and put them into a separate function.

Adjust all the callers to call both functions.
Signed-off-by: NJán Tomko <jtomko@redhat.com>
Reviewed-by: NJim Fehlig <jfehlig@suse.com>

Use g_autofree to free the driver config file path.
Signed-off-by: NJán Tomko <jtomko@redhat.com>
Reviewed-by: NJim Fehlig <jfehlig@suse.com>

These hardcoded defaults do not need to be read from
the file. Move them out of libxlDriverConfigLoadFile.
Signed-off-by: NJán Tomko <jtomko@redhat.com>
Reviewed-by: NJim Fehlig <jfehlig@suse.com>

libxlDriverConfigNew can possibly fail on wrong
firmware values (unlikely) or on failure to create
the log directory (possible if you're debugging
tests with VIR_FILE_ACCESS)
Signed-off-by: NJán Tomko <jtomko@redhat.com>
Fixes: 4a4132b4Reviewed-by: NJim Fehlig <jfehlig@suse.com>

The way that our file locking works is that we open() the file we
want to lock and then use fcntl(fd, F_SETLKW, ...) to lock it.
The problem is, we are doing all of these as root which doesn't
work if the file lives on root squashed NFS, because if it does
then the open() fails. The way to resolve this is to make this a
non fatal error and leave callers deal with this (i.e. disable
remembering) - implemented in the previous commit.

https://bugzilla.redhat.com/show_bug.cgi?id=1804672Signed-off-by: NMichal Privoznik <mprivozn@redhat.com>
Reviewed-by: NPeter Krempa <pkrempa@redhat.com>

There are some cases where we want to remember the original owner
of a file but we fail to lock it for XATTR change (e.g. root
squashed NFS). If that is the case we error out and refuse to
start a domain. Well, we can do better if we disable remembering
for paths we haven't locked successfully.
Signed-off-by: NMichal Privoznik <mprivozn@redhat.com>
Reviewed-by: NPeter Krempa <pkrempa@redhat.com>

So far, in the lock state we are storing only the file
descriptors of the files we've locked. Therefore, when unlocking
them and something does wrong the only thing we can report is FD
number, which is not user friendly at all. But if we store paths
among with FDs we can do better error reporting.
Signed-off-by: NMichal Privoznik <mprivozn@redhat.com>
Reviewed-by: NPeter Krempa <pkrempa@redhat.com>

The virutil.h header defines a geteuid() macro for Windows platforms.
This fixes a few missed cases from:

  commit b11e8ccc
  Author: Ján Tomko <jtomko@redhat.com>
  Date:   Sun Feb 16 23:09:15 2020 +0100

    Remove virutil.h from all header files
Signed-off-by: NDaniel P. Berrangé <berrange@redhat.com>

The autoreconf script will already run aclocal for us,
so there's no need to do that ahead of time.
Reviewed-by: NJán Tomko <jtomko@redhat.com>
Signed-off-by: NDaniel P. Berrangé <berrange@redhat.com>

Signed-off-by: NJán Tomko <jtomko@redhat.com>
Fixes: b11e8ccc

Commit fb01e1a4 missed including virutil.h, causing the following
compilation error

../../src/security/virt-aa-helper.c:1055:43: error: implicit declaration of
function 'virHostGetDRMRenderNode' [-Werror=implicit-function-declaration]
1055 |                 char *defaultRenderNode = virHostGetDRMRenderNode();
Signed-off-by: NJim Fehlig <jfehlig@suse.com>

After the split of enum functions into virenum.h,
this function does not contain anything worth including
in another header file.
Signed-off-by: NJán Tomko <jtomko@redhat.com>
Reviewed-by: NDaniel Henrique Barboza <danielhb413@gmail.com>

Include virutil.h in all files that use it,
instead of relying on it being pulled in somehow.
Signed-off-by: NJán Tomko <jtomko@redhat.com>
Reviewed-by: NDaniel Henrique Barboza <danielhb413@gmail.com>

Include unistd.h in all files that use it, instead
of relying on it being pulled in via virutil.h
Signed-off-by: NJán Tomko <jtomko@redhat.com>
Reviewed-by: NDaniel Henrique Barboza <danielhb413@gmail.com>

After the introduction of virenum.h in commit 285c5f28,
it is only needed in the C file.
Signed-off-by: NJán Tomko <jtomko@redhat.com>
Reviewed-by: NDaniel Henrique Barboza <danielhb413@gmail.com>

Include both virutil.h and unistd.h.
Signed-off-by: NJán Tomko <jtomko@redhat.com>
Reviewed-by: NDaniel Henrique Barboza <danielhb413@gmail.com>

There is nothing in the vircgroup.h header file
requiring virutil.h.

Remove it and include unistd.h in the C files.
Signed-off-by: NJán Tomko <jtomko@redhat.com>
Reviewed-by: NDaniel Henrique Barboza <danielhb413@gmail.com>

These tests do not use anything from virutil.h
apart from the transitive include.
Signed-off-by: NJán Tomko <jtomko@redhat.com>
Reviewed-by: NDaniel Henrique Barboza <danielhb413@gmail.com>

Historically, this file was a dump for most of our helper
functions and needed almost everywhere.
With the introduction of virfile.h and virstring.h,
and more importantly, virenum.h and the introduction
of GLib, that is no longer true.

Remove its include from C files that don't even use it.
Signed-off-by: NJán Tomko <jtomko@redhat.com>
Reviewed-by: NDaniel Henrique Barboza <danielhb413@gmail.com>