If the hostname as returned by "gethostname" resolves
to "localhost" (as it does with the broken Fedora-12
installer), then live migration will fail because the
source will try to migrate to itself.  Detect this
situation up-front and abort the live migration before
we do any real work.

* src/util/util.h src/util/util.c: add a new virGetHostnameLocalhost
  with an optional localhost check, and rewire virGetHostname() to use
  it
* src/libvirt_private.syms: expose the new function
* src/qemu/qemu_driver.c: use it in qemudDomainMigratePrepare2()

For __virExec() this is a semantic NOP except for when fork()
fails. __virExec() would previously forget to restore the signal mask
in this case; virFork() corrects this behavior.

virFileCreate() and virDirCreate() gain the code to reset the logging
and properly deal with the signal handling race condition.

This also removes a log message that had a typo ("cannot fork o create
file '%s'") - this error is now logged in a more generic manner in
virFork() (more generic, but really just as informative, since the
fact that it's forking to create a file is immaterial to the fact that
it simply can't fork)

* src/util/util.c: use the generic virFork() in the 3 functions

virFork() contains bookkeeping that must be done any time a process
forks. Currently this includes:

1) Call virLogLock() prior to fork() and virLogUnlock() just after,
   to avoid a deadlock if some other thread happens to hold that lock
   during the fork.

2) Reset the logging hooks and send all child process log messages to
   stderr.

3) Block all signals prior to fork(), then either a) reset the signal
   mask for the parent process, or b) clear the signal mask for the
   child process.

Note that the signal mask handling in __virExec erroneously fails to
restore the signal mask when fork() fails. virFork() fixes this
problem.

Other than this, it attempts to behave as closely to fork() as
possible (including preserving errno for the caller), with a couple
exceptions:

1) The return value is 0 (success) or -1 (failure), while the pid is
   returned via the pid_t* argument. Like fork(), if pid < 0 there is
   no child process, otherwise both the child and the parent will
   return to the caller, and both should look at the return value,
   which will indicate if some of the extra processing outlined above
   encountered an error.

2) If virFork() returns with pid < 0 or with a return value < 0
   indicating an error condition, the error has already been
   reported. You can log an additional message if you like, but it
   isn't necessary, and may be awkwardly extraneous.

Note that virFork()'s child process will *never* call _exit() - if a
child process is created, it will return to the caller.

* util.c util.h: add virFork() function, based on what is currently
                 done in __virExec().

It was used for error reporting only.

* src/util/util.c (virExecWithHook): Free argv_str string before
returning upon failure to allocate space for environment.

Similar fix as previous one but for fork() usage when creating
a file or directory

* src/util/util.c: virLogLock() and virLogUnlock() around fork()
  in virFileCreate() and virDirCreateSimple()

Ad pointed out by Dan Berrange:
So if some thread in libvirtd is currently executing a logging call,
while another thread calls virExec(), that other thread no longer
exists in the child, but its lock is never released. So when the
child then does virLogReset() it deadlocks.

The only way I see to address this, is for the parent process to call
virLogLock(), immediately before fork(), and then virLogUnlock()
afterwards in both parent & child. This will ensure that no other
thread
can be holding the lock across fork().

* src/util/logging.[ch] src/libvirt_private.syms: export virLogLock() and
  virLogUnlock()
* src/util/util.c: lock just before forking and unlock just after - in
  both parent and child.

* src/util/util.c (virGetUserID, virGetGroupID): In the unlikely event
that sysconf(_SC_GETPW_R_SIZE_MAX) fails, don't use -1 as the size in
the subsequent allocation.

On RHEL-5 the qemu-kvm binary is located in /usr/libexec.
To reduce confusion for people trying to run upstream libvirt
on RHEL-5 machines, make the qemu driver look in /usr/libexec
for the qemu-kvm binary.

To make this work, I modified virFindFileInPath to handle an
absolute path correctly.  I also ran into an issue where
NULL was sometimes being passed for the file parameter
to virFindFileInPath; it didn't crash prior to this patch
since it was building paths like /usr/bin/(null).  This
is non-standard behavior, though, so I added a NULL
check at the beginning.
Signed-off-by: NChris Lalancette <clalance@redhat.com>

* src/util/util.c (virGetUserEnt): In the unlikely event that
sysconf(_SC_GETPW_R_SIZE_MAX) fails, don't use -1 as the size in
the subsequent allocation.

virFileMakePath is a recursive function that was creates a buffer
PATH_MAX bytes long for each recursion (one recursion for each element
in the path). This changes it to have no buffers on the stack, and to
allocate just one buffer total, no matter how many elements are in the
path. Because the modified algorithm requires a char* to be passed in
rather than const char *, it is now 2 functions - a toplevel API
function that remains identical in function, and a 2nd helper function
called for the recursions, which 1) doesn't allocate anything, and 2)
takes a char* arg, so it can modify the contents.
* src/util/util.c: rewrite virFileMakePath

These functions create a new file or directory with the given
uid/gid. If the flag VIR_FILE_CREATE_AS_UID is given, they do this by
forking a new process, calling setuid/setgid in the new process, and
then creating the file. This is better than simply calling open then
fchown, because in the latter case, a root-squashing nfs server would
create the new file as user nobody, then refuse to allow fchown.

If VIR_FILE_CREATE_AS_UID is not specified, the simpler tactic of
creating the file/dir, then chowning is is used. This gives better
results in cases where the parent directory isn't on a root-squashing
NFS server, but doesn't give permission for the specified uid/gid to
create files. (Note that if the fork/setuid method fails to create the
file due to access privileges, the parent process will make a second
attempt using this simpler method.)

If the bit VIR_FILE_CREATE_ALLOW_EXIST is set in the flags, an
existing file/directory will not cause an error; in this case, the
function will simply set the permissions of the file/directory to
those requested. If VIR_FILE_CREATE_ALLOW_EXIST is not specified, an
existing file/directory is considered (and reported as) an error.

Return from both of these functions is 0 on success, or the value of
errno if there was a failure.

* src/util/util.[ch]: add the 2 new util functions

* src/util/util.[ch]: similar to virExecWithHook, but waits for child to
  exit. Useful for doing things like setuid after the fork but before the
  exec.

Until recently, some gnulib-generated replacement headers
included *other* headers that were not strictly necessary,
thus masking the need in this file for an explicit <stdlib.h>.
* src/util/util.c: Include <stdlib.h> for declarations of e.g.,
strtol, random_r, getenv, etc.

With the introduction virDispatchError, hook function errors are
never sent through the error callback, so users will never see
these messages.

Fix this by calling virDispatchError after hook failure.

This allows debug statements and raised errors in hook functions to
actually be logged somewhere (stderr). Users can enable debugging in the
daemon and now see more info in /var/log/libvirt/...

The virFileResolveLink utility function relied on the POSIX guarantee
that stat.st_size of a symlink is the length of the value.  However,
on some types of file systems, it is invalid, so do not rely on it.
Use gnulib's areadlink module instead.
* bootstrap (modules): Add areadlink.
* src/util/util.c: Include "areadlink.h".
Let areadlink perform the readlink and malloc.
* configure.in (AC_CHECK_FUNCS): Remove readlink.  No need,
since it's presence is guaranteed by gnulib.

Replace free(virBufferContentAndReset()) with virBufferFreeAndReset().
Update documentation and replace all remaining calls to free() with
calls to VIR_FREE(). Also add missing calls to virBufferFreeAndReset()
and virReportOOMError() in OOM error cases.

esxVMX_IndexToDiskName handles indices up to 701. This limit comes
from a mapping gap in virDiskNameToIndex:

  sdzy -> 700
  sdzz -> 701
  sdaaa -> 728
  sdaab -> 729

This line in virDiskNameToIndex causes this gap:

  idx = (idx + i) * 26;

Fixing it by altering this line to:

  idx = (idx + (i < 1 ? 0 : 1)) * 26;

Also add a new version of virIndexToDiskName that handles the inverse
mapping for arbitrary indices.

* src/esx/esx_vmx.[ch]: remove esxVMX_IndexToDiskName
* src/util/util.[ch]: add virIndexToDiskName and fix mapping gap
* tests/esxutilstest.c: update test to verify that the gap is fixed

* configure.in: add new --with-udev, disabled by default, and requiring
  libudev > 145
* src/node_device/node_device_udev.c src/node_device/node_device_udev.h:
  the new node device backend
* src/node_device/node_device_linux_sysfs.c: moved node_device_hal_linux.c
  to a better file name
* src/conf/node_device_conf.c src/conf/node_device_conf.h: add a couple
  of fields in node device definitions, and an API to look them up,
  remove a couple of unused fields from previous patch.
* src/node_device/node_device_driver.c src/node_device/node_device_driver.h:
  plug the new driver
* po/POTFILES.in src/Makefile.am src/libvirt_private.syms: add the new
  files and symbols
* src/util/util.h src/util/util.c: add a new convenience macro
  virBuildPath and virBuildPathInternal() function

All drivers have copy + pasted inadequate error reporting which wraps
util.c:virGetHostname. Move all error reporting to this function, and improve
what we report.

Changes from v1:
  Drop the driver wrappers around virGetHostname. This means we still need
  to keep the new conn argument to virGetHostname, but I think it's worth
  it.

Nearly all of the methods in src/util/util.h have error codes that
must be checked by the caller to correct detect & report failure.
Add ATTRIBUTE_RETURN_CHECK to ensure compile time validation of
this

* daemon/libvirtd.c: Add explicit check on return value of virAsprintf
* src/conf/domain_conf.c: Add missing check on virParseMacAddr return
  value status & report error
* src/network/bridge_driver.c: Add missing OOM check on virAsprintf
  and report error
* src/qemu/qemu_conf.c: Add missing check on virParseMacAddr return
  value status & report error
* src/security/security_selinux.c: Remove call to virRandomInitialize
  that's done in libvirt.c already
* src/storage/storage_backend_logical.c: Add check & log on virRun
  return status
* src/util/util.c: Add missing checks on virAsprintf/Run status
* src/util/util.h: Annotate all methods with ATTRIBUTE_RETURN_CHECK
  if they return an error status code
* src/vbox/vbox_tmpl.c: Add missing check on virParseMacAddr
* src/xen/xm_internal.c: Add missing checks on virAsprintf
* tests/qemuargv2xmltest.c: Remove bogus call to virRandomInitialize()

The fread_file_lim() function uses fread() but never handles
EINTR results, causing unexpected failures when reading QEMU
help arg info. It was unneccessarily using FILE * instead
of plain UNIX file handles, which prevented use of saferead()

* src/util/util.c: Switch fread_file_lim over to use saferead
  instead of fread, remove FILE * use, and rename

* src/util/util.c: output some debug if caller of virExecWithHook have
  set envp[]

* src/util/util.[ch]: Add virFileAbsPath() function to ensure an
  absolute path for a potentially realtive path.
* src/libvirt_private.syms: add it in libvirt private symbols

Signed-off-by: NChris Lalancette <clalance@redhat.com>

Add the virStrncpy function, which takes a dst string, source string,
the number of bytes to copy and the number of bytes available in the
dest string.  If the source string is too large to fit into the
destination string, including the \0 byte, then no data is copied and
the function returns NULL.  Otherwise, this function copies n bytes
from source into dst, including the \0, and returns a pointer to the
dst string.  This function is intended to replace all unsafe uses
of strncpy in the code base, since strncpy does *not* guarantee that
the buffer terminates with a \0.
Signed-off-by: NChris Lalancette <clalance@redhat.com>

* src/bridge.c, src/bridge.h, src/buf.c, src/buf.h, src/cgroup.c,
  src/cgroup.h, src/conf.c, src/conf.h, src/event.c, src/event.h,
  src/hash.c, src/hash.h, src/hostusb.c, src/hostusb.h,
  src/iptables.c, src/iptables.h, src/logging.c, src/logging.h,
  src/memory.c, src/memory.h, src/pci.c, src/pci.h, src/qparams.c,
  src/qparams.h, src/stats_linux.c, src/stats_linux.h,
  src/threads-pthread.c, src/threads-pthread.h, src/threads-win32.c,
  src/threads-win32.h, src/threads.c, src/threads.h, src/util.c,
  src/util.h, src/uuid.c, src/uuid.h, src/virterror.c,
  src/virterror_internal.h, src/xml.c, src/xml.h: Move all files
  into src/util/
* daemon/Makefile.am: Add -Isrc/util/ to build flags
* src/Makefile.am: Add -Isrc/util/ to build flags and update for
  moved files
* src/libvirt_private.syms: Export cgroup APIs since they're now
  in util rather than linking directly to drivers
* src/xen/xs_internal.c: Disable bogus virEventRemoveHandle call
  when built under PROXY
* proxy/Makefile.am: Update for changed file locations. Remove
  bogus build of event.c
* tools/Makefile.am, tests/Makefile.am: Add -Isrc/util/ to build flags

Remove the bogus dependancy between node_device.c & storage_backend.c
by moving the virWaitForDevices into util.h where it can be shared
safely

* src/storage_backend_disk.c, src/storage_backend_logical.c,
  src/storage_backend_mpath.c, src/storage_backend_scsi.c: Replace
  virStorageBackendWaitForDevices with virFileWaitForDevices
* src/storage_backend.c, src/storage_backend.h: Remove
  virStorageBackendWaitForDevices, virWaitForDevices
* src/util.h, src/util.c: Add virFileWaitForDevices
* configure.in: Move xmlrpc check further down after pkgconfig
  is detected
* src/Makefile.am: Add missing XMLRPC_CFLAGS/LIBS to opennebula
* src/libvirt_private.syms: Add many missing exports

* src/util.c (virExecDaemonize): Change flag |= VAR to "flag | VAR".

Separate the guest created QEMU monitor socket location
from the libvirtd create XML / PID data files, to improve
security separation when running QEMU non-root

* libvirt.spec.in: Leave /var/run/libvirt/qemu as root:root
* src/qemu_conf.h: Add libDir and cacheDir directory paths
* src/qemu_driver.c: Move QEMU monitor socket from
  stateDir to libDir to avoid making security critical directory
  accessible to QEMU guests.
* src/util.c: Delay running hook till after damonizing to
  ensure pidfile is still written before changing UID/GID

Add option to domain XML for

     <memoryBacking>
        <hugepages/>
     </memoryBacking>

* configure.in: Add check for mntent.h
* qemud/libvirtd_qemu.aug, qemud/test_libvirtd_qemu.aug, src/qemu.conf
  Add 'hugetlbfs_mount' config parameter
* src/qemu_conf.c, src/qemu_conf.h: Check for -mem-path flag in QEMU,
  and pass it when hugepages are requested.
  Load hugetlbfs_mount config parameter, search for mount if not given.
* src/qemu_driver.c: Free hugetlbfs_mount/path parameter in driver shutdown.
  Create directory for QEMU hugepage usage, chowning if required.
* docs/formatdomain.html.in: Document memoryBacking/hugepages elements
* docs/schemas/domain.rng: Add memoryBacking/hugepages elements to schema
* src/util.c, src/util.h, src/libvirt_private.syms: Add virFileFindMountPoint
  helper API
* tests/qemuhelptest.c: Add -mem-path constants
* tests/qemuxml2argvtest.c, tests/qemuxml2xmltest.c: Add tests for hugepage
  handling
* tests/qemuxml2argvdata/qemuxml2argv-hugepages.xml,
  tests/qemuxml2argvdata/qemuxml2argv-hugepages.args: Data files for
  hugepage tests

* src/util.c: Include path & pid when logging pidfile failure

* src/util.c: Don't drop capabilities until after the PID file has
  been written. Kill off child if writing the PID file fails
* src/qemu_driver.c: Remove bogus trailing '/' in state dir

* src/qemu_driver.c:  Add driver methods qemuGetSchedulerType,
  qemuGetSchedulerParameters, qemuSetSchedulerParameters
* src/lxc_driver.c: Fix to use unsigned long long consistently
  for schedular parameters
* src/cgroup.h, src/cgroup.c: Fix cpu_shares to take unsigned
  long long
* src/util.c, src/util.h, src/libvirt_private.syms: Add a
  virStrToDouble helper
* src/virsh.c: Fix handling of --set arg to schedinfo command
  to honour the designated data type of each schedular tunable
  as declared by the driver

Allow the driver level cgroup to be managed explicitly by the
hypervisor drivers, in order to detect whether to enable or
disable cgroup support for domains. Provides better error
reporting of failures. Also allow for creation of cgroups for
unprivileged drivers if controller is accessible by the user.

* src/cgroup.c, src/cgroup.h: Add an API to obtain a driver cgroup
* src/lxc_conf.h, src/lxc_controller.c, src/lxc_driver.c:
  Obtain a driver cgroup at startup and use that instead of
  re-creating everytime.
* src/util.c, src/util.h, src/libvirt_private.syms: Add a
  virGetUserName() helper

* configure.in: Add --with-qemu-user and --with-qemu-group args
* libvirt.spec.in: use 'qemu' for user/group for Fedora >= 12
* qemud/libvirtd_qemu.arg, qemud/test_libvirtd_qemu.aug,
  src/qemu.conf: Add 'user' and 'group' args for configuration
* src/Makefile.am: Create %localstatedir/cache/libvirt/qemu
* src/qemu_conf.c, src/qemu_conf.h: Load user/group from config
* src/qemu_driver.c: Change user ID/group ID when launching QEMU
  guests. Change user/group ownership on disks/usb/pci devs.
  Put memory dumps in %localstatedir/cache/libvirt/qemu
* src/util.c, src/util.h: Add convenient APIs for converting
  username/groupname to user ID / group ID