In preparation for storing the domain description with the snapshot,
swap the order of declaration.
Signed-off-by: NPhilipp Hahn <hahn@univention.de>

With gcc 4.5.1:

util/virpidfile.c: In function 'virPidFileAcquirePath':
util/virpidfile.c:308:66: error: nested extern declaration of '_gl_verify_function2' [-Wnested-externs]

Then in tests/commandtest.c, the new virPidFile APIs need to be used.

* src/util/virpidfile.c (virPidFileAcquirePath): Move verify to
top level.
* tests/commandtest.c: Use new pid APIs.

In daemons using pidfiles to protect against concurrent
execution there is a possibility that a crash may leave a stale
pidfile on disk, which then prevents later restart of the daemon.

To avoid this problem, introduce a pair of APIs which make
use of virFileLock to ensure crash-safe & race condition-safe
pidfile acquisition & releae

* src/libvirt_private.syms, src/util/virpidfile.c,
  src/util/virpidfile.h: Add virPidFileAcquire and virPidFileRelease

In some cases the caller of virPidFileRead might like extra checks
to determine whether the pid just read is really the one they are
expecting. This adds virPidFileReadIfAlive which will check whether
the pid is still alive with kill(0, -1), and (on linux only) will
look at /proc/$PID/path

* libvirt_private.syms, util/virpidfile.c, util/virpidfile.h: Add
  virPidFileReadIfValid and virPidFileReadPathIfValid
* network/bridge_driver.c: Use new APIs to check PID validity

The functions for manipulating pidfiles are in util/util.{c,h}.
We will shortly be adding some further pidfile related functions.
To avoid further growing util.c, this moves the pidfile related
functions into a dedicated virpidfile.{c,h}. The functions are
also all renamed to have 'virPidFile' as their name prefix

* util/util.h, util/util.c: Remove all pidfile code
* util/virpidfile.c, util/virpidfile.h: Add new APIs for pidfile
  handling.
* lxc/lxc_controller.c, lxc/lxc_driver.c, network/bridge_driver.c,
  qemu/qemu_process.c: Add virpidfile.h include and adapt for API
  renames

Add some simple wrappers around the fcntl() discretionary file
locking capability.

* src/util/util.c, src/util/util.h, src/libvirt_private.syms: Add
  virFileLock and virFileUnlock APIs

We forgot to add virDomainUndefineFlags for a couple of hypervisors.
This wires up trivial versions (since neither hypervisor supports
managed save yet, they do not need to support any flags).

* src/vbox/vbox_tmpl.c (vboxDomainCreateXML): Update caller.
(vboxDomainUndefine): Move guts...
(vboxDomainUndefineFlags): ...to new function.
* src/xenapi/xenapi_driver.c (xenapiDomainUndefine)
(xenapiDomainUndefineFlags): Likewise.

Fix internals of libvirt for new storage volume type.
Libvirt reported an invalid type of the volume.

BZ #727088

Our logic throws off analyzer tools:

ptr var = NULL;
if (flags == 0) flags = live ? _LIVE : _CONFIG;
if (flags & _LIVE) do stuff
if (flags & _CONFIG) var = non-null;
if (flags & _LIVE) do more stuff
else if (flags & _CONFIG) use var

the tools keep thinking that var can still be NULL in the last
if clause, adding the hint shuts them up.

* src/qemu/qemu_driver.c (qemuDomainSetBlkioParameters): Add a
static analysis hint.

While the first encountered dns host record is being parsed, it's
possible for virNetworkDef::hosts to point to memory that has been
allocated, but virNetworkDef::nhosts to still be 0. If there is a
failure during that time, virNetworkDef::hosts will be leaked.

Although this isn't currently the case for virNetworkDef::txtrecords,
it could become that way through future re-factoring, and it hurts
nothing to restructure the freeing of txtrecord data to match that of
hosts data.

When instantiating a filter, a VM may disappear and remove its tap interfaces. Tolerate this case and don't report an error.

The following XML:

    <serial type='udp'>
      <source mode='connect' service='9999'/>
    </serial>

is accepted by domain_conf.c but maps to the qemu command line:

-chardev udp,host=127.0.0.1,port=2222,localaddr=(null),localport=(null)

qemu can cope with everything omitting except the connection port, which
seems to also be the intent of domain_conf validation, so let's not
generate bogus command lines for that case.
The defaults are empty strings for addresses and 0 for the localport

Additionally, tweak the qemu cli parsing to handle omitted host
parameters
for -serial udp

Transient domains reject attempts to set autostart, and using
virDomainCreate to restart a domain only works on persistent
domains.  Therefore, managed save makes no sense on transient
domains, and should be rejected up front rather than creating
an otherwise unrecoverable managed save file.

Besides, transient domains imply that a lot more management is
being done by the upper layer; this includes the assumption
that the upper layer is okay managing the saved state file
created by virDomainSave, and does not need to use managed save.

* src/libvirt.c: Document that transient domains are incompatible
with managed save.
* src/qemu/qemu_driver.c (qemuDomainManagedSave): Enforce it.
* src/libxl/libxl_driver.c (libxlDomainManagedSave): Likewise.

I noticed some inconsistent use of 'else'.

* src/qemu/qemu_driver.c (qemuCPUCompare)
(qemuDomainSnapshotCreateXML, qemuDomainRevertToSnapshot)
(qemuDomainSnapshotDiscard): Match coding conventions.

If a snapshot with the name already exists, virDomainSnapshotAssignDef()
just returns NULL, in which case the snapshot definition is leaked.
Currently this leak is not a big problem, since qemuDomainSnapshotLoad()
is only called once during initial startup of libvirtd.
Signed-off-by: NPhilipp Hahn <hahn@univention.de>

A previous commit gave the LXC driver the ability to mount
block devices for the container filesystem. Through use of
the loopback device functionality, we can build on this to
support use of plain file images for LXC filesytems.

By setting the LO_FLAGS_AUTOCLEAR flag we can ensure that
the loop device automatically disappears when the container
dies / shuts down

* src/lxc/lxc_container.c: Raise error if we see a file
  based filesystem, since it should have been turned into
  a loopback device already
* src/lxc/lxc_controller.c: Rewrite any filesystems of
  type=file, into type=block, by binding the file image
  to a free loop device

* src/lxc/lxc_controller.c: s/PYT/PTY/

Currently the LXC driver can only populate filesystems from
host filesystems, using bind mounts. This patch allows host
block devices to be mounted. It autodetects the filesystem
format at mount time, and adds the block device to the cgroups
ACL. Example usage is

    <filesystem type='block' accessmode='passthrough'>
      <source dev='/dev/sda1'/>
      <target dir='/home'/>
    </filesystem>

* src/lxc/lxc_container.c: Mount block device filesystems
* src/lxc/lxc_controller.c: Add block device filesystems
  to cgroups ACL

An application container shouldn't get a private /dev. Fix
the regression from 6d37888e

* src/lxc/lxc_container.c: Don't mount /dev for app containers

Detected by ccc-analyzer, reported by Alex Jia.

qemuProcessStart always calls qemuProcessWaitForMonitor with a
non-negative position, but qemuProcessAttach always calls with -1.
In the latter case, there is no log file we can scrape, so we
also should not be trying to scrape the logs if the qemu process
died at the very end.

* src/qemu/qemu_process.c (qemuProcessWaitForMonitor): Don't try
to read from log in qemuProcessAttach case.

This addresses https://bugzilla.redhat.com/show_bug.cgi?id=713728

When "defining" a new network (or one that exists but isn't currently
active) the new definition is stored in network->def, but for a
network that already exists and is active, the new definition is
stored in network->newDef, and then moved over to network->def as soon
as the network is destroyed.

However, the code that writes the dhcp and dns hosts files used by
dnsmasq was always using network->def for its information, even when
the new data was actually in network->newDef, so the hosts files
always lagged one edit behind the definition.

This patch changes the code to keep the pointer to the new definition
after it's been assigned into the network, and use it directly
(regardless of whether it's stored in network->newDef or network->def)
to construct the hosts files.

Value stored to 'ret' is never read, so remove this dead assignment.

* src/qemu/qemu_monitor_text.c: kill dead assignment.
Signed-off-by: NAlex Jia <ajia@redhat.com>

Value stored to 'ret' is never read, in fact, 'cleanup' section will
directly return -1 when function is fail, so remove this dead assignment.

* src/qemu/qemu_process.c: kill dead assignment.
Signed-off-by: NAlex Jia <ajia@redhat.com>

When trying to use any SASL authentication for TCP sockets by
setting auth_tls = "sasl" in libvirtd.conf on server side, the
client will hang because of the sasl session relocking other than
dropping the lock when exiting virNetSASLSessionExtKeySize()
* src/rpc/virnetsaslcontext.c: virNetSASLSessionExtKeySize drop the
  lock on exit

This patch introduces a internal RPC API "virNetServerClose", which
is standalone with "virNetServerFree".  it closes all the socket fds,
and unlinks the unix socket paths, regardless of whether the socket
is still referenced or not.

This is to address regression bug:
https://bugzilla.redhat.com/show_bug.cgi?id=725702

Detection based on gnutls_session doesn't work because GnuTLS 2.x.y
comes with a compat.h that defines gnutls_session to gnutls_session_t.

Instead detect this based on LIBGNUTLS_VERSION_MAJOR. Move this from
configure/config.h to gnutls_1_0_compat.h and make sure that all users
include gnutls_1_0_compat.h properly.

Also fix header guard in gnutls_1_0_compat.h.

Coverity gets confused by our logic.  Add some hints to silence
false positives.

* src/qemu/qemu_driver.c (qemudDomainGetVcpuPinInfo): Add hint.
(qemuDomainGetMemoryParameters): Likewise.

Leak detected by Coverity; only possible on unlikely ptsname_r
failure.  Additionally, the man page for ptsname_r states that
failure is merely non-zero, not necessarily -1.

* src/util/util.c (virFileOpenTtyAt): Avoid leak on ptsname_r
failure.

Coverity detected that ifaceGetNthParent had already dereferenced
'nth' prior to the conditional; all callers already complied with
passing a non-NULL pointer so make this part of the contract.

* src/util/interface.h (ifaceGetNthParent): Add annotations.
* src/util/interface.c (ifaceGetNthParent): Drop useless null check.

In virNetServerNew, Coverity didn't realize that srv->mdsnGroupName
can only be non-NULL if mdsnGroupName was non-NULL.

In virNetServerRun, Coverity didn't realize that the array is non-NULL
if the array count is non-zero.

* src/rpc/virnetserver.c (virNetServerNew): Use alternate pointer.
(virNetServerRun): Give coverity a hint.

Detected by Coverity.

* src/rpc/virnetserverclient.c (virNetServerClientDispatchRead):
Avoid null deref on OOM.

Coverity complained that 395 out of 409 virAsprintf calls are
checked, and therefore assumed that the remaining cases are bugs
waiting to happen.  But in each of these cases, a failed virAsprintf
will properly set the target string to NULL, and pass on that
failure to the caller, without wasting efforts to check the call.
Adding the ignore_value silences Coverity.

* src/conf/domain_audit.c (virDomainAuditGetRdev): Ignore
virAsprintf return value, when it behaves like we need.
* src/network/bridge_driver.c (networkDnsmasqLeaseFileNameDefault)
(networkRadvdConfigFileName, networkBridgeDummyNicName)
(networkRadvdPidfileBasename): Likewise.
* src/util/storage_file.c (absolutePathFromBaseFile): Likewise.
* src/openvz/openvz_driver.c (openvzGenerateContainerVethName):
Likewise.
* src/util/command.c (virCommandTranslateStatus): Likewise.

Quite a few leaks detected by coverity.  For chr, the leaks were
close enough to the allocations to plug in place; for disk, the
leaks were separated from the allocation by enough other lines with
intermediate failure cases that I refactored the cleanup instead.

* src/qemu/qemu_command.c (qemuParseCommandLine): Plug leaks.

Detected by Coverity.  Leak introduced by typo in commit 58e668d2.

* src/qemu/qemu_driver.c (doCoreDump): Use correct function.

Warning detected by Coverity.  No need for the NULL check, and
removing it silences the warning without any semantic change.

* src/qemu/qemu_migration.c (qemuMigrationFinish): All entries to
endjob had non-NULL vm.

Detected by Coverity.  Leak on meta introduced in commit 85aa40e2.

* src/conf/domain_conf.c (virDomainDiskDefForeachPath): Plug leak.

Detected by Coverity.  Freeing the wrong variable results in both
a memory leak and the likelihood of the caller dereferencing through
a freed pointer.

* src/rpc/virnettlscontext.c (virNetTLSSessionNew): Free correct
variable.

Coverity detected that 5 of 6 callers of virJSONValueArrayGet checked
for a NULL return; and that by not checking we risk a null deref
during an error.  The error is unlikely since the prior call to
virJSONValueArraySize would probably have already caught any botched
JSON array parse, but better safe than sorry.

* src/qemu/qemu_monitor_json.c (qemuMonitorJSONGetBlockJobInfo):
Check for NULL.
(qemuMonitorJSONExtractPtyPaths): Fix typo.

Detected by Coverity.  We want to compare the result of fnmatch 'rv',
not our pre-set return value 'ret'.

* src/rpc/virnetsaslcontext.c (virNetSASLContextCheckIdentity):
Check correct variable.