Broken by 759b4d1b.
Signed-off-by: NAndrea Bolognani <abologna@redhat.com>
(cherry picked from commit 6ce3acc1)

At later point it might not be possible or even safe to use getaddrinfo(). It
can in turn result in a load of NSS module.

Notably, on a LXC container startup we may find ourselves with the guest
filesystem already having replaced the host one. Loading a NSS module
from the guest tree would allow a malicous guest to escape the
confinement of its container environment because libvirt will not yet
have locked it down.
Signed-off-by: NLubomir Rintel <lkundrak@v3.sk>
(cherry picked from commit 759b4d1b)

The PROBE macro used in qemuMonitorIOProcess and the VIR_DEBUG message
in qemuMonitorJSONIOProcess create a lot of logging churn when debug
logging is enabled during monitor communication.

The messages logged from the PROBE macro are rather useless since they
are reporting the partial state of receiving the reply from qemu. The
actual full reply is still logged in qemuMonitorJSONIOProcessLine once
the full message is received.
Signed-off-by: NPeter Krempa <pkrempa@redhat.com>
(cherry picked from commit f10bb334)

PROBE macro adds a logging entry, when used in places seeing a lot of
traffic this can cause a significant slowdown.
Signed-off-by: NPeter Krempa <pkrempa@redhat.com>
(cherry picked from commit f06e488d)

TPM 2 does not implement sysfs files for cancellation of commands.
We therefore use /dev/null for the cancel path passed to QEMU.
Signed-off-by: NStefan Berger <stefanb@linux.vnet.ibm.com>
Tested-by: NJavier Martinez Canillas <javierm@redhat.com>
Reviewed-by: NMarc-André Lureau <marcandre.lureau@redhat.com>
Signed-off-by: NJiri Denemark <jdenemar@redhat.com>
(cherry picked from commit dfbb15b7)

The default_tls_x509_verify (and related) parameters in qemu.conf
control whether the QEMU TLS servers request & verify certificates
from clients. This works as a simple access control system for
servers by requiring the CA to issue certs to permitted clients.
This use of client certificates is disabled by default, since it
requires extra work to issue client certificates.

Unfortunately the code was using this configuration parameter when
setting up both TLS clients and servers in QEMU. The result was that
TLS clients for character devices and disk devices had verification
turned off, meaning they would ignore errors while validating the
server certificate.

This allows for trivial MITM attacks between client and server,
as any certificate returned by the attacker will be accepted by
the client.

This is assigned CVE-2017-1000256  / LSN-2017-0002
Reviewed-by: NEric Blake <eblake@redhat.com>
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>
(cherry picked from commit 441d3eb6)

* docs/news.xml: update for release
* po/*.po*: regenerated

If you use the VDDK library to access virtual machines remotely, you
really need to know the Managed Object Reference ("moref") of the VM.
This must be passed each time you connect to the API.

For example nbdkit's VDDK plugin requires a moref to be passed to
mount up a VM's disk remotely:

 nbdkit vddk user=root password=+/tmp/rootpw \
             server=esxi.example.com thumbprint=xx:xx:xx:... \
             vm=moref=2 \
             file="[datastore1] Fedora/Fedora.vmdk"

Getting the moref is a huge pain.  To get some idea of what it is, why
it is needed, and how much trouble it is to get it, see:
https://blogs.vmware.com/vsphere/2012/02/uniquely-identifying-virtual-machines-in-vsphere-and-vcloud-part-1-overview.html
https://blogs.vmware.com/vsphere/2012/02/uniquely-identifying-virtual-machines-in-vsphere-and-vcloud-part-2-technical.html

However the moref is available conveniently in the internals of the
libvirt VMX driver.  This patch exposes it as a custom XML element
using the same "vmware:" namespace which was previously used for the
datacenterpath (see libvirt commit 636a9905).

It appears in the XML like this:

<domain type='vmware' xmlns:vmware='http://libvirt.org/schemas/domain/vmware/1.0'>
  <name>Fedora</name>
...
  <vmware:datacenterpath>ha-datacenter</vmware:datacenterpath>
  <vmware:moref>2</vmware:moref>
</domain>

Note that the moref can appear as either a simple ID (for esx://
connections) or as a "vm-<ID>" (for vpx:// connections).  It should be
treated by users as an opaque string.
Signed-off-by: NRichard W.M. Jones <rjones@redhat.com>

commit '96e55048' caused make check failure for virschematest:

1929) Checking ../docs/news.xml against ../news.rng                     ... libvirt: XML Util error : XML document failed to validate against schema: Unable to validate doc against /home/jferlan/git/libvirt.work/docs/schemas/../news.rng
Datatype element summary has child elements
Element summary failed to validate content
Datatype element summary has child elements
Element summary failed to validate content
^[[31m^[[1mFAILED^[[0m

That's because <code> elements don't appear to be allowed in the schema.
Rather than attempt to fix the schema, figured it was simpler to just
remove them and let the schema fix happen later.

Documents some changes that have slipped through the cracks
during the development cycle.
Signed-off-by: NAndrea Bolognani <abologna@redhat.com>
Reviewed-by: NJohn Ferlan <jferlan@redhat.com>

This patch documents support for managedsave-dumpxml,
managedsave-define and managedsave-edit commands.
Signed-off-by: NKothapally Madhu Pavan <kmp@linux.vnet.ibm.com>
Reviewed-by: NAndrea Bolognani <abologna@redhat.com>

https://bugzilla.redhat.com/show_bug.cgi?id=1487322

In ace45e67 I tried to fix a problem that we get the reply to
a D-Bus call while we were sleeping. In that case the callback
was never set. So I changed the code that the callback is called
directly in this case. However, I hadn't realized that since the
callback is called out of order it locks the virNetDaemon.
Exactly the very same virNetDaemon object that we are dealing
with right now and that we have locked already (in
virNetDaemonAddShutdownInhibition())
Signed-off-by: NMichal Privoznik <mprivozn@redhat.com>

We call qemuDomainGetMachineName on domain start. On first
start (after daemon start) pid is 0 and virSystemdGetMachineNameByPID
don't get called. But after domain shutting down pid became -1 so
on next start virSystemdGetMachineNameByPID is called and returned an error.
Error is ignored so it is not critical. But at least on my system
(systemd-219 with extra patches) systemd-machined is crashed on
this request.

This behaviour is triggered by eaf2c9f8.
Reviewed-by: NDaniel P. Berrange <berrange@redhat.com>

https://bugzilla.redhat.com/show_bug.cgi?id=1484230

When updating a virtio enabled vNIC and trying to change either
of rx_queue_size or tx_queue_size success is reported although no
operation is actually performed. Moreover, there's no way how to
change these on the fly. This is due to way we check for changes:
explicitly for each struct member. Therefore it's easy to miss
one.
Signed-off-by: NMichal Privoznik <mprivozn@redhat.com>

Signed-off-by: NShuang He <shuang.he@zstack.io>
Signed-off-by: NErik Skultety <eskultet@redhat.com>

Signed-off-by: NPavel Hrdina <phrdina@redhat.com>

https://bugzilla.redhat.com/show_bug.cgi?id=1437797

Rather than using refreshVol which essentially only updates the
allocation, capacity, and permissions for the volume, but not
the format which does get updated in a pool refresh - let's use
the same helper that pool refresh uses in order to update the
volume target.

Create a separate function to handle the volume target update
via probe processing.

Currently while parsing domain XML we clear the UNIX path if it matches
one of the auto-generated paths by libvirt.  After that when the guest
is started new path is generated but the mode is also changed to "bind".

In the real-world use-case the mode should not change, it only happens
if a user provides a mode='connect' and path that matches one of the
auto-generated path or not provides a path at all.

Before *reconnect* feature was introduced there was no issue, but with
the new feature we need to make sure that it's used only with "connect"
mode, therefore we need to move the mode change into parsing in order
to have a proper error reported by validation code.
Signed-off-by: NPavel Hrdina <phrdina@redhat.com>

The test was introduced by 60135b22.

The auto-generated path is removed by post-parse callback which
also changes the mode from "connect" to "bind" since the auto-generated
path makes sense only for "bind" mode.
Signed-off-by: NPavel Hrdina <phrdina@redhat.com>

Missed by 9aa72a6d.
Signed-off-by: NPavel Hrdina <phrdina@redhat.com>

Introduced by 95fd63b1.
Signed-off-by: NPavel Hrdina <phrdina@redhat.com>

With gnutls 3.6.0, SHA1 is no longer accepted for certificate
signatures. We must usw SHA256 instead.
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>

Signed-off-by: NKothapally Madhu Pavan <kmp@linux.vnet.ibm.com>

Commit e4cb8500 changed the way ssh command line is created by
adding '--' before the hostname in order to fix a potential security
flaw.  However it failed to modify the tests, so let's do that.
Signed-off-by: NMartin Kletzander <mkletzan@redhat.com>

https://bugzilla.redhat.com/show_bug.cgi?id=1484234

Turns out, only vhostuser type of interfaces are supported
currently.
Signed-off-by: NMichal Privoznik <mprivozn@redhat.com>

Inspired by the recent GIT / Mercurial security flaws
(http://blog.recurity-labs.com/2017-08-10/scm-vulns),
consider someone/something manages to feed libvirt a bogus
URI such as:

  virsh -c qemu+ssh://-oProxyCommand=gnome-calculator/system

In this case, the hosname "-oProxyCommand=gnome-calculator"
will get interpreted as an argument to ssh, not a hostname.
Fortunately, due to the set of args we have following the
hostname, SSH will then interpret our bit of shell script
that runs 'nc' on the remote host as a cipher name, which is
clearly invalid. This makes ssh exit during argv parsing and
so it never tries to run gnome-calculator.

We are lucky this time, but lets be more paranoid, by using
'--' to explicitly tell SSH when it has finished seeing
command line options. This forces it to interpret
"-oProxyCommand=gnome-calculator" as a hostname, and thus
see a fail from hostname lookup.
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>

When recreating folders with namespaces, the directory type was not
being handled at all.  It's not special, we probably just didn't know
that that can be used as a volume path as well.  The code failed
gracefully, but we want to allow that so that we can use <disk
type='dir'> in domains again.

Partially-resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1443434Signed-off-by: NMartin Kletzander <mkletzan@redhat.com>

Our backing probing code handles directory file types properly in
virStorageFileGetMetadataRecurse(), by that I mean it leaves them
alone.  However its caller, the virStorageFileGetMetadata() resets the
type to raw before probing, without even checking the type.  We need
to special-case TYPE_DIR in order to achieve desired results.

Also, in order to properly test this, we need to stop resetting format
of volumes in tests for TYPE_DIR (probably the reason why we didn't
catch that and why the test data didn't need to be modified).

Partially-resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1443434Signed-off-by: NMartin Kletzander <mkletzan@redhat.com>

Add a simple virsh command handler which makes use of the new API.
Signed-off-by: NKothapally Madhu Pavan <kmp@linux.vnet.ibm.com>

Add a simple virsh command handler which makes use of the new API.
Signed-off-by: NKothapally Madhu Pavan <kmp@linux.vnet.ibm.com>

Add a simple virsh command handler which makes use of the new API.
Signed-off-by: NKothapally Madhu Pavan <kmp@linux.vnet.ibm.com>

This commit adds qemu driver implementation to edit xml
configuration of managed save state file of a domain.
Signed-off-by: NKothapally Madhu Pavan <kmp@linux.vnet.ibm.com>

This commit adds qemu driver implementation to get xml description
for managed save state domain.
Signed-off-by: NKothapally Madhu Pavan <kmp@linux.vnet.ibm.com>

Similar to domainSaveImageDefineXML this commit adds domainManagedSaveDefineXML
API which allows to edit domain's managed save state xml configuration.
Signed-off-by: NKothapally Madhu Pavan <kmp@linux.vnet.ibm.com>

Similar to domainSaveImageGetXMLDesc this commit adds domainManagedSaveGetXMLDesc
API which allows to get the xml of managed save state domain.
Signed-off-by: NKothapally Madhu Pavan <kmp@linux.vnet.ibm.com>

https://bugzilla.redhat.com/show_bug.cgi?id=1476866

For some reason, we completely ignore <on_reboot/> setting for
domains. The implementation is simply not there. It never was.
Signed-off-by: NMichal Privoznik <mprivozn@redhat.com>

This API is definitely modifying state of @vm. Therefore it
should grab a job.
Signed-off-by: NMichal Privoznik <mprivozn@redhat.com>
Reviewed-by: NJohn Ferlan <jferlan@redhat.com>

At some places we either already have synchronous job or we just
released it. Also, some APIs might want to use this code without
having to release their job. Anyway, the job acquire code is
moved out to qemuDomainRemoveInactiveJob so that
qemuDomainRemoveInactive does just what it promises.
Signed-off-by: NMichal Privoznik <mprivozn@redhat.com>
Reviewed-by: NJohn Ferlan <jferlan@redhat.com>