Daemon uses the following pattern when dispatching APIs with typed
parameters:

    VIR_ALLOC_N(params, nparams);
    virDomain*(dom, params, &nparams, flags);
    virTypedParameterArrayClear(params, nparams);

In case nparams was originally set to 0, virDomain* API would fill it
with the number of typed parameters it can provide and we would use this
number (rather than zero) to clear params. Because VIR_ALLOC* returns
non-NULL pointer even if size is 0, the code would end up walking
through random memory. If we were lucky enough and the memory contained
7 (VIR_TYPED_PARAM_STRING) at the right place, we would try to free a
random pointer and crash.

Let's make sure params stays NULL when nparams is 0.

When a domain has a active console connection and is destroyed the
callback is called on private data that no longer exist causing a
segfault.

Commit 6ed5a1b9 adds close callback
functions to the public API but doesn't add python implementation. This
patch sets the function to be written manually (to fix the build), but
doesn't implement them yet.

If an LXC container is using a virtual network and that network
is not active, currently the user gets a rather unhelpful
error message about tap device setup failure. Add an explicit
check for whether the network is active, in exactly the same
way as the QEMU driver

The cfg.mk file rule to check for tab characters was not
applied to perl files. Much of our Perl code is full of
tabs as a result. Kill them, kill them all !

The reboot() syscall is allowed by new kernels for LXC containers.
The LXC controller can detect whether a reboot was requested
(instead of a normal shutdown) by looking at the "init" process
exit status. If a reboot was triggered, the exit status will
record SIGHUP as the kill reason.

The LXC controller has cleared all its capabilities, and the
veth network devices will no longer exist at this time. Thus
it cannot restart the container init process itself. Instead
it emits an event which is picked up by the LXC driver in
libvirtd. This will then re-create the container, using the
same configuration as it was previously running with (ie it
will not activate 'newDef').
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>

Check whether the reboot() system call is virtualized, and if
it is, then allow the container to keep CAP_SYS_REBOOT.

Based on an original patch by Serge Hallyn
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>

This defines a new RPC protocol to be used between the LXC
controller and the libvirtd LXC driver. There is only a
single RPC message defined thus far, an asynchronous "EXIT"
event that is emitted just before the LXC controller process
exits. This provides the LXC driver with details about how
the container shutdown - normally, or abnormally (crashed),
thus allowing the driver to emit better libvirt events.

Emitting the event in the LXC controller requires a few
little tricks with the RPC service. Simply calling the
virNetServiceClientSendMessage does not work, since this
merely queues the message for asynchronous processing.
In addition the main event loop is no longer running at
the point the event is emitted, so no I/O is processed.

Thus after invoking virNetServiceClientSendMessage it is
necessary to mark the client as being in "delayed close"
mode. Then the event loop is run again, until the client
completes its close - this happens only after the queued
message has been fully transmitted. The final complexity
is that it is not safe to run virNetServerQuit() from the
client close callback, since that is invoked from a
context where the server is locked. Thus a zero-second
timer is used to trigger shutdown of the event loop,
causing the controller to finally exit.

* src/Makefile.am: Add rules for generating RPC protocol
  files and dispatch methods
* src/lxc/lxc_controller.c: Emit an RPC event immediately
  before exiting
* src/lxc/lxc_domain.h: Record the shutdown reason
  given by the controller
* src/lxc/lxc_monitor.c, src/lxc/lxc_monitor.h: Register
  RPC program and event handler. Add callback to let
  driver receive EXIT event.
* src/lxc/lxc_process.c: Use monitor exit event to decide
  what kind of domain event to emit
* src/lxc/lxc_protocol.x: Define wire protocol for LXC
  controller monitor.
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>

Update the gendispatch.pl script to get a little closer to
being able to generate code for the LXC monitor, by passing
in the struct prefix separately from the procedure prefix.
Also allow method names using virCapitalLetters instead
of vir_underscore_separator
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>

Move the code that handles the LXC monitor out of the
lxc_process.c file and into lxc_monitor.{c,h}
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>

Update the LXC driver to use the virNetClient APIs for
connecting to the libvirt_lxc monitor, instead of the
low-level socket APIs. This is a step towards running
a full RPC protocol with libvirt_lxc
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>

Update all LXC code to use virReportError instead of the custom
lxcError macro
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>

Rename the lxc_driver_t struct typedef to virLXCDriver to more
closely follow normal libvirt naming conventions
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>

For consistency all the APIs in the lxc_domain.c file should
have a virLXCDomain prefix in their name
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>

For consistency all the APIs in the lxc_process.c file should
have a virLXCProcess prefix in their name
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>

In the socket event handler for the RPC client we must deal
with read/write events, before checking for EOF, otherwise
we might close the socket before we've read & acted upon the
last RPC messages
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>

Use a driver close callback to trigger shutdown of the
events demo program
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>

Update the remote driver to use the virNetClient close callback
to trigger the virConnectPtr close callbacks
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>

Allow detection of socket close in virNetClient via a callback
function, triggered on any condition that causes the socket to
be closed.
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>

Currently if the keepalive timer triggers, the 'markClose'
flag is set on the virNetClient. A controlled shutdown will
then be performed. If an I/O error occurs during read or
write of the connection an error is raised back to the
caller, but the connection isn't marked for close. This
patch ensures that all I/O error scenarios always result
in the connection being marked for close.
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>

Define new virConnect{Register,Unregister}CloseCallback() public APIs
which allows registering/unregistering a callback to be invoked when
the connection to a hypervisor is closed. The callback is provided
with the reason for the close, which may be 'error', 'eof', 'client'
or 'keepalive'.
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>

Print the actual unknown type name instead of <other> for AnyType objects.

If a domain is explicitly configured with <seclabel type="none"/> we
correctly ensure that no labeling will be done by setting
norelabel=true. However, if no seclabel element is present in domain XML
and hypervisor is configured not to confine domains by default, we only
set type to "none" without turning off relabeling. Thus if such a domain
is being started, security driver wants to relabel resources with
default label, which doesn't make any sense.

Moreover, with SELinux security driver, the generated image label lacks
"s0" sensitivity, which causes setfilecon() fail with EINVAL in
enforcing mode.

Commit 3ad13c92 blindly touched all files to have a 3-line
hint for getting LGPL, but bootstrap is synced from gnulib where
it has a 2-line hint.

* bootstrap: Resync from gnulib.

I originally postet this into the Fedora bugzilla
https://bugzilla.redhat.com/show_bug.cgi?id=843836

Currently gracefully shutting down guest vms on host shutdown does not work on
Fedora 17, the guests are killed hard on system shutdown.

The reason is systemd considers libvirt-guests.service to be stopped when the
system is running:

$ systemctl status libvirt-guests.service
libvirt-guests.service - Suspend Active Libvirt Guests
          Loaded: loaded (/usr/lib/systemd/system/libvirt-guests.service;
enabled)
          Active: deactivating (stop) since Fri, 27 Jul 2012 15:47:31 +0200;
2min 48s ago
         Process: 1085 ExecStart=/etc/init.d/libvirt-guests start
(code=exited, status=0/SUCCESS)
         Control: 1150 (libvirt-guests)
          CGroup: name=systemd:/system/libvirt-guests.service
                  └ control
                    ├ 1150 /bin/sh /etc/init.d/libvirt-guests stop
                    └ 2257 sleep 1

libvirt-guests.service is defined as type "simple" in systemd (the default).
That means systemd will shut down the service when the start executable is
terminated after starting is done. Systemd will not call stop again on system
shutdown because it thinks it is already stopped.

The solution is to define it as type "oneshot" and set the flag
"RemainAfterExit". Then systemd will consider the service as active after
startup and will call the stop function on host shutdown.

Those fields are used by the apibuild script to create documentation.
This commit partialy reverts a4bcefbc.

The method was not existing and did not allow to diagnose problems.

Commit f9ce7dad tried to kill uses of a raw street address, but
missed a few instances.  Automate things so we don't introduce
new problems in the future.

* cfg.mk (sc_copyright_address): New rule.
(exclude_file_name_regexp--sc_copyright_address): Add exemption.
* bootstrap.conf: Adjust offenders.
* build-aux/augeas-gentest.pl: Likewise.
* examples/systemtap/events.stp: Likewise.
* examples/systemtap/qemu-monitor.stp: Likewise.
* examples/systemtap/rpc-monitor.stp: Likewise.
* src/dtrace2systemtap.pl: Likewise.
* src/esx/esx_vi_generator.py: Likewise.
* src/hyperv/hyperv_wmi_generator.py: Likewise.
* src/remote/qemu_protocol.x: Likewise.
* src/remote/remote_protocol.x: Likewise.
* src/rpc/gensystemtap.pl: Likewise.
* src/rpc/virnetprotocol.x: Likewise.
* tests/object-locking.ml: Likewise.
* tools/virt-xml-validate.in: Likewise.

This is a follow up patch of commit f9ce7dad, it modifies all
the files which declare the copyright like "See COPYING.LIB for
the License of this software" to use the detailed/consistent one.

And deserts the outdated comments like:

 * libvirt-qemu.h:
 * Summary: qemu specific interfaces
 * Description: Provides the interfaces of the libvirt library to handle
 *              qemu specific methods
 *
 * Copy:  Copyright (C) 2010, 2012 Red Hat, Inc.

Uses the more compact style like:

 * libvirt-qemu.h: Interfaces specific for QEMU/KVM driver
 *
 * Copyright (C) 2010, 2012 Red Hat, Inc.

During refactoring of code, it has proved common to forget to
remove old symbols from the .syms file. While the Win32 linker
will complain about this, the Linux ELF linker does not. The
new test case validates that every symbol listed in the .syms
file actually exists in the built ELF libraries.
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>

The virNetClientSetEOFNotify symbol was accidentally added to
the libvirt_private.syms file due to an out-of-order cherry-pick

virNWFilterGetIpAddrForIfname and virNWFilterDelIpAddrForIfname
do not exist, so remove them from libvirt_nwfilter.syms
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>

On some fallback paths in virsh, error reported by the previously failed
API is cleared by virResetLastError() that doesn't free error stored by
virsh. This patch changes this to clear it using vshResetLibvirtError().

Virsh uses an error handler to save errors from libvirt. On some code
paths it's needed to clear libvirt errors and continue on fallback code
paths without reporting failure.

This patch adds function vshResetLibvirtError() that clears error
returned by libvirt and updates all places where the old two-line method
was used.

Any time we have a string with no % passed through gettext, a
translator can inject a % to cause a stack overread.  When there
is nothing to format, it's easier to ask for a string that cannot
be used as a formatter, by using a trivial "%s" format instead.

In the past, we have used --disable-nls to catch some of the
offenders, but that doesn't get run very often, and many more
uses have crept in.  Syntax check to the rescue!

The syntax check can catch uses such as
virReportError(code,
               _("split "
                 "string"));
by using a sed script to fold context lines into one pattern
space before checking for a string without %.

This patch is just mechanical insertion of %s; there are probably
several messages touched by this patch where we would be better
off giving the user more information than a fixed string.

* cfg.mk (sc_prohibit_diagnostic_without_format): New rule.
* src/datatypes.c (virUnrefConnect, virGetDomain)
(virUnrefDomain, virGetNetwork, virUnrefNetwork, virGetInterface)
(virUnrefInterface, virGetStoragePool, virUnrefStoragePool)
(virGetStorageVol, virUnrefStorageVol, virGetNodeDevice)
(virGetSecret, virUnrefSecret, virGetNWFilter, virUnrefNWFilter)
(virGetDomainSnapshot, virUnrefDomainSnapshot): Add %s wrapper.
* src/lxc/lxc_driver.c (lxcDomainSetBlkioParameters)
(lxcDomainGetBlkioParameters): Likewise.
* src/conf/domain_conf.c (virSecurityDeviceLabelDefParseXML)
(virDomainDiskDefParseXML, virDomainGraphicsDefParseXML):
Likewise.
* src/conf/network_conf.c (virNetworkDNSHostsDefParseXML)
(virNetworkDefParseXML): Likewise.
* src/conf/nwfilter_conf.c (virNWFilterIsValidChainName):
Likewise.
* src/conf/nwfilter_params.c (virNWFilterVarValueCreateSimple)
(virNWFilterVarAccessParse): Likewise.
* src/libvirt.c (virDomainSave, virDomainSaveFlags)
(virDomainRestore, virDomainRestoreFlags)
(virDomainSaveImageGetXMLDesc, virDomainSaveImageDefineXML)
(virDomainCoreDump, virDomainGetXMLDesc)
(virDomainMigrateVersion1, virDomainMigrateVersion2)
(virDomainMigrateVersion3, virDomainMigrate, virDomainMigrate2)
(virStreamSendAll, virStreamRecvAll)
(virDomainSnapshotGetXMLDesc): Likewise.
* src/nwfilter/nwfilter_dhcpsnoop.c (virNWFilterSnoopReqLeaseDel)
(virNWFilterDHCPSnoopReq): Likewise.
* src/openvz/openvz_driver.c (openvzUpdateDevice): Likewise.
* src/openvz/openvz_util.c (openvzKBPerPages): Likewise.
* src/qemu/qemu_cgroup.c (qemuSetupCgroup): Likewise.
* src/qemu/qemu_command.c (qemuBuildHubDevStr, qemuBuildChrChardevStr)
(qemuBuildCommandLine): Likewise.
* src/qemu/qemu_driver.c (qemuDomainGetPercpuStats): Likewise.
* src/qemu/qemu_hotplug.c (qemuDomainAttachNetDevice): Likewise.
* src/rpc/virnetsaslcontext.c (virNetSASLSessionGetIdentity):
Likewise.
* src/rpc/virnetsocket.c (virNetSocketNewConnectUNIX)
(virNetSocketSendFD, virNetSocketRecvFD): Likewise.
* src/storage/storage_backend_disk.c
(virStorageBackendDiskBuildPool): Likewise.
* src/storage/storage_backend_fs.c
(virStorageBackendFileSystemProbe)
(virStorageBackendFileSystemBuild): Likewise.
* src/storage/storage_backend_rbd.c
(virStorageBackendRBDOpenRADOSConn): Likewise.
* src/storage/storage_driver.c (storageVolumeResize): Likewise.
* src/test/test_driver.c (testInterfaceChangeBegin)
(testInterfaceChangeCommit, testInterfaceChangeRollback):
Likewise.
* src/vbox/vbox_tmpl.c (vboxListAllDomains): Likewise.
* src/xenxs/xen_sxpr.c (xenFormatSxprDisk, xenFormatSxpr):
Likewise.
* src/xenxs/xen_xm.c (xenXMConfigGetUUID, xenFormatXMDisk)
(xenFormatXM): Likewise.

We were defining 'func_or' as '|VIR_ERROR|...', which when put
inside 'func_re' resulted in a regex that matches everything in
isolation.  Thankfully, we always used func_re with a leading
anchor \<, and since the empty regex does not start a word, we
happened to get the result we wanted; but it's better to define
func_or without a leading space converted into a leading empty
alternation.

* cfg.mk (func_or): Strip leading space.

Pick up some build fixes in the latest gnulib.  In particular,
we want to ensure that official tarballs are secure, but don't
want to penalize people who don't run 'make dist', since fixed
automake still hasn't hit common platforms like Fedora 17.

* .gnulib: Update to latest, for Automake CVE-2012-3386 detection.
* bootstrap: Resync from gnulib.
* bootstrap.conf (gnulib_extra_files): Drop missing, since gnulib
has dropped it in favor of Automake's version.
* cfg.mk (local-checks-to-skip): Conditionally skip the security
check in cases where it doesn't matter.

When undefining a domain and removing associated storage using "virsh
undefine --storage" the domain was at first undefined and after that the
storage removal proces was started. If the user specified an invalid
disk to remove, the error could not be corrected.

This patch moves enumeration and filtering of volumes that should be
removed before the domain is undefined, but the removal process is still
kept after the domain has been undefined.