1. 17 Jan, 2014 2 commits
    • maint: don't leave garbage on early API exit · c05aebfd
      Eric Blake committed
      Several APIs clear out a user input buffer before attempting to
      populate it; but in a few cases we missed this memset if we
      detect a reason for an early exit.  Note that these APIs
      check for non-NULL arguments, and exit early with an error
      message when NULL is passed in; which means that we must be
      careful to avoid a NULL deref in order to get to that error
      message.  Also, we were inconsistent on the use of
      sizeof(virType) vs. sizeof(expression); the latter is more
      robust if we ever change the type of the expression (although
      such action is unlikely since these types are part of our
      public API).
      
      * src/libvirt.c (virDomainGetInfo, virDomainGetBlockInfo)
      (virStoragePoolGetInfo, virStorageVolGetInfo)
      (virDomainGetJobInfo, virDomainGetBlockJobInfo): Move memset
      before any returns.
      Signed-off-by: Eric Blake <eblake@redhat.com>
    • qemu: Change the default unix monitor timeout · fe89b687
      Martin Kletzander committed
      There are a number of reported issues when we fail starting a domain.
      Turns out that, in some scenarios like high load, 3 second timeout is
      not enough for qemu to start up to the phase where the socket is
      created.  Since there is no downside of waiting longer, raise the
      timeout right to 30 seconds.
      Signed-off-by: Martin Kletzander <mkletzan@redhat.com>
  2. 16 Jan, 2014 19 commits
    • Add Pavel Hrdina to the committers list · 84f0ddaf
      Pavel Hrdina committed
      Signed-off-by: Pavel Hrdina <phrdina@redhat.com>
    • Fix possible memory leak in virsh-domain-monitor.c in cmdDomblklist · bb22de2e
      Pavel Hrdina committed
      In a "for" loop there are created two new strings and they may not
      be freed if a "target" string cannot be obtained. We have to free
      the two created strings to prevent the memory leak.
      
      This has been found by coverity.
      
      John also pointed out that we should somehow care about the "type"
      and "device" and Osier agreed to exit with error message if one of
      them is set to NULL.
      Signed-off-by: Pavel Hrdina <phrdina@redhat.com>
    • storage: Introduce internal pool support · 362da820
      Peter Krempa committed
      To allow using the storage driver APIs to do operation on generic domain
      disks we will need to introduce internal storage pools that will give us
      a base to support this stuff even on files that weren't originally
      defined as a part of the pool.
      
      This patch introduces the 'internal' flag for a storage pool that will
      prevent it from being listed along with the user defined storage pools.
    • storage: Sheepdog: Separate creating of the volume from building · b3c1a25d
      Peter Krempa committed
      Separate the steps to create libvirt's volume metadata from the actual
      volume building process.
    • storage: RBD: Separate creating of the volume from building · e103acba
      Peter Krempa committed
      Separate the steps to create libvirt's volume metadata from the actual
      volume building process.
    • storage: disk: Separate creating of the volume from building · 67ccf91b
      Peter Krempa committed
      Separate the steps to create libvirt's volume metadata from the actual
      volume building process.
    • storage: lvm: Separate creating of the volume from building · af1fb38f
      Peter Krempa committed
      Separate the steps to create libvirt's volume metadata from the actual
      volume building process. This is already done for regular file based
      pools to allow job support for storage APIs.
    • storage: Support deletion of volumes on gluster pools · 7de04882
      Peter Krempa committed
      Implement the "deleteVol" storage backend function for gluster volumes.
    • conf: Always use VIR_ERR_CONFIG_UNSUPPORTED on enumFromString() failures · 9b73290f
      Christophe Fergeau committed
      Currently, during XML parsing, when a call to a FromString() function to
      get an enum value fails, the error which is reported is either
      VIR_ERR_CONFIG_UNSUPPORTED, VIR_ERR_INTERNAL_ERROR or VIR_ERR_XML_ERROR.
      
      This commit makes such conversion failures consistently return
      VIR_ERR_CONFIG_UNSUPPORTED.
    • Bump version to 1.2.2 for new dev cycle · f902734b
      Christophe Fergeau committed
    • Release of libvirt-1.2.1 · 7b84b167
      Daniel Veillard committed
      * docs/news.html.in libvirt.spec.in: updated for the release
      * po/*.po*: updated localization from transifex and regenerated
    • event: filter global events by domain:getattr ACL [CVE-2014-0028] · f9f56340
      Eric Blake committed
      Ever since ACL filtering was added in commit 76397360 (v1.1.1), a
      user could still use event registration to obtain access to a
      domain that they could not normally access via virDomainLookup*
      or virConnectListAllDomains and friends.  We already have the
      framework in the RPC generator for creating the filter, and
      previous cleanup patches got us to the point that we can now
      wire the filter through the entire object event stack.
      
      Furthermore, whether or not domain:getattr is honored, use of
      global events is a form of obtaining a list of networks, which
      is covered by connect:search_domains added in a93cd08f (v1.1.0).
      Ideally, we'd have a way to enforce connect:search_domains when
      doing global registrations while omitting that check on a
      per-domain registration.  But this patch just unconditionally
      requires connect:search_domains, even when no list could be
      obtained, based on the following observations:
      1. Administrators are unlikely to grant domain:getattr for one
      or all domains while still denying connect:search_domains - a
      user that is able to manage domains will want to be able to
      manage them efficiently, but efficient management includes being
      able to list the domains they can access.  The idea of denying
      connect:search_domains while still granting access to individual
      domains is therefore not adding any real security, but just
      serves as a layer of obscurity to annoy the end user.
      2. In the current implementation, domain events are filtered
      on the client; the server has no idea if a domain filter was
      requested, and must therefore assume that all domain event
      requests are global.  Even if we fix the RPC protocol to
      allow for server-side filtering for newer client/server combos,
      making the connect:search_domains ACL check conditional on
      whether the domain argument was NULL won't benefit older clients.
      Therefore, we choose to document that connect:search_domains
      is a pre-requisite to any domain event management.
      
      Network events need the same treatment, with the obvious
      change of using connect:search_networks and network:getattr.
      
      * src/access/viraccessperm.h
      (VIR_ACCESS_PERM_CONNECT_SEARCH_DOMAINS)
      (VIR_ACCESS_PERM_CONNECT_SEARCH_NETWORKS): Document additional
      effect of the permission.
      * src/conf/domain_event.h (virDomainEventStateRegister)
      (virDomainEventStateRegisterID): Add new parameter.
      * src/conf/network_event.h (virNetworkEventStateRegisterID):
      Likewise.
      * src/conf/object_event_private.h (virObjectEventStateRegisterID):
      Likewise.
      * src/conf/object_event.c (_virObjectEventCallback): Track a filter.
      (virObjectEventDispatchMatchCallback): Use filter.
      (virObjectEventCallbackListAddID): Register filter.
      * src/conf/domain_event.c (virDomainEventFilter): New function.
      (virDomainEventStateRegister, virDomainEventStateRegisterID):
      Adjust callers.
      * src/conf/network_event.c (virNetworkEventFilter): New function.
      (virNetworkEventStateRegisterID): Adjust caller.
      * src/remote/remote_protocol.x
      (REMOTE_PROC_CONNECT_DOMAIN_EVENT_REGISTER)
      (REMOTE_PROC_CONNECT_DOMAIN_EVENT_REGISTER_ANY)
      (REMOTE_PROC_CONNECT_NETWORK_EVENT_REGISTER_ANY): Generate a
      filter, and require connect:search_domains instead of weaker
      connect:read.
      * src/test/test_driver.c (testConnectDomainEventRegister)
      (testConnectDomainEventRegisterAny)
      (testConnectNetworkEventRegisterAny): Update callers.
      * src/remote/remote_driver.c (remoteConnectDomainEventRegister)
      (remoteConnectDomainEventRegisterAny): Likewise.
      * src/xen/xen_driver.c (xenUnifiedConnectDomainEventRegister)
      (xenUnifiedConnectDomainEventRegisterAny): Likewise.
      * src/vbox/vbox_tmpl.c (vboxDomainGetXMLDesc): Likewise.
      * src/libxl/libxl_driver.c (libxlConnectDomainEventRegister)
      (libxlConnectDomainEventRegisterAny): Likewise.
      * src/qemu/qemu_driver.c (qemuConnectDomainEventRegister)
      (qemuConnectDomainEventRegisterAny): Likewise.
      * src/uml/uml_driver.c (umlConnectDomainEventRegister)
      (umlConnectDomainEventRegisterAny): Likewise.
      * src/network/bridge_driver.c
      (networkConnectNetworkEventRegisterAny): Likewise.
      * src/lxc/lxc_driver.c (lxcConnectDomainEventRegister)
      (lxcConnectDomainEventRegisterAny): Likewise.
      Signed-off-by: Eric Blake <eblake@redhat.com>
    • event: wire up RPC for server-side network event filtering · 8d9d098b
      Eric Blake committed
      We haven't had a release with network events yet, so we are free
      to fix the RPC so that it actually does what we want.  Doing
      client-side filtering of per-network events is inefficient if a
      connection is only interested in events on a single network out
      of hundreds available on the server.  But to do server-side
      per-network filtering, the server needs to know which network
      to filter on - so we need to pass an optional network over on
      registration.  Furthermore, it is possible to have a client with
      both a global and per-network filter; in the existing code, the
      server sends only one event and the client replicates to both
      callbacks.  But with server-side filtering, the server will send
      the event twice, so we need a way for the client to know which
      callbackID is sending an event, to ensure that the client can
      filter out events from a registration that does not match the
      callbackID from the server.  Likewise, the existing style of
      deregistering by eventID alone is fine; but in the new style,
      we have to remember which callbackID to delete.
      
      This patch fixes the RPC wire definition to contain all the
      needed pieces of information, and hooks into the server and
      client side improvements of the previous patches, in order to
      switch over to full server-side filtering of network events.
      Also, since we fixed this in time, all released versions of
      libvirtd that support network events also support per-network
      filtering, so we can hard-code that assumption into
      network_event.c.
      
      Converting domain events to server-side filtering will require
      the introduction of new RPC numbers, as well as a server
      feature bit that the client can use to tell whether to use
      old-style (server only supports global events) or new-style
      (server supports filtered events), so that is deferred to a
      later set of patches.
      
      * src/conf/network_event.c (virNetworkEventStateRegisterClient):
      Assume server-side filtering.
      * src/remote/remote_protocol.x
      (remote_connect_network_event_register_any_args): Add network
      argument.
      (remote_connect_network_event_register_any_ret): Return callbackID
      instead of count.
      (remote_connect_network_event_deregister_any_args): Pass
      callbackID instead of eventID.
      (remote_connect_network_event_deregister_any_ret): Drop unused
      type.
      (remote_network_event_lifecycle_msg): Add callbackID.
      * daemon/remote.c
      (remoteDispatchConnectNetworkEventDeregisterAny): Drop unused arg,
      and deal with callbackID from client.
      (remoteRelayNetworkEventLifecycle): Pass callbackID.
      (remoteDispatchConnectNetworkEventRegisterAny): Likewise, and
      recognize non-NULL network.
      * src/remote/remote_driver.c
      (remoteConnectNetworkEventRegisterAny): Pass network, and track
      server side id.
      (remoteConnectNetworkEventDeregisterAny): Deregister by callback id.
      (remoteNetworkBuildEventLifecycle): Pass remote id to event queue.
      * src/remote_protocol-structs: Regenerate.
      Signed-off-by: Eric Blake <eblake@redhat.com>
    • event: add notion of remoteID for filtering client network events · a59097e5
      Eric Blake committed
      In order to mirror a server with per-object filtering, the client
      needs to track which server callbackID is servicing the client
      callback.  This patch introduces the notion of a serverID, as
      well as the plumbing to use it for network events, although the
      actual complexity of using per-object filtering in the remote
      driver is deferred to a later patch.
      
      * src/conf/object_event.h (virObjectEventStateEventID): Add parameter.
      (virObjectEventStateQueueRemote, virObjectEventStateSetRemote):
      New prototypes.
      (virObjectEventStateRegisterID): Move...
      * src/conf/object_event_private.h: ...here, and add parameter.
      (_virObjectEvent): Add field.
      * src/conf/network_event.h (virNetworkEventStateRegisterClient): New
      prototype.
      * src/conf/object_event.c (_virObjectEventCallback): Add field.
      (virObjectEventStateSetRemote): New function.
      (virObjectEventStateQueue): Make wrapper around...
      (virObjectEventStateQueueRemote): New function.
      (virObjectEventCallbackListCount): Tweak return count when remote
      id matching is used.
      (virObjectEventCallbackLookup, virObjectEventStateRegisterID):
      Tweak registration when remote id matching will be used.
      (virObjectEventNew): Default to no remote id.
      (virObjectEventCallbackListAddID): Likewise, but set remote id
      when one is available.
      (virObjectEventCallbackListRemoveID)
      (virObjectEventCallbackListMarkDeleteID): Adjust return value when
      remote id was set.
      (virObjectEventStateEventID): Query existing id.
      (virObjectEventDispatchMatchCallback): Require matching event id.
      (virObjectEventStateCallbackID): Adjust caller.
      * src/conf/network_event.c (virNetworkEventStateRegisterClient): New
      function.
      (virNetworkEventStateRegisterID): Update caller.
      * src/conf/domain_event.c (virDomainEventStateRegister)
      (virDomainEventStateRegisterID): Update callers.
      * src/remote/remote_driver.c
      (remoteConnectNetworkEventRegisterAny)
      (remoteConnectNetworkEventDeregisterAny)
      (remoteConnectDomainEventDeregisterAny): Likewise.
      (remoteEventQueue): Hoist earlier to avoid forward declaration,
      and add parameter.  Adjust all callers.
      * src/libvirt_private.syms (conf/object_event.h): Drop function.
      Signed-off-by: Eric Blake <eblake@redhat.com>
    • event: track callbackID on daemon side of RPC · b9d14ef0
      Eric Blake committed
      Right now, the daemon side of RPC events is hard-coded to at most
      one callback per eventID.  But when there are hundreds of domains
      or networks coupled and multiple connections, then sending every
      event to every connection that wants an event, even for the
      connections that only care about events for a particular object,
      is inefficient.  In order to track more than one callback in the
      server, we need to store callbacks by more than just their
      eventID.  This patch rearranges the daemon side to store network
      callbacks in a dynamic array, which can eventually be used for
      multiple callbacks of the same eventID, although actual behavior
      is unchanged without further patches to the RPC protocol.  For
      ease of review, domain events are saved for a later patch, as
      they touch more code.
      
      While at it, fix a bug where a malicious client could send a
      negative eventID to cause network event registration to access
      outside of array bounds (thankfully not a CVE, since domain
      events were already doing the bounds check, and since network
      events have not been released).
      
      * daemon/libvirtd.h (daemonClientPrivate): Alter the tracking of
      network events.
      * daemon/remote.c (daemonClientEventCallback): New struct.
      (remoteEventCallbackFree): New function.
      (remoteClientInitHook, remoteRelayNetworkEventLifecycle)
      (remoteClientFreeFunc)
      (remoteDispatchConnectNetworkEventRegisterAny): Track network
      callbacks differently.
      (remoteDispatchConnectNetworkEventDeregisterAny): Enforce bounds.
      Signed-off-by: Eric Blake <eblake@redhat.com>
    • qemu: Avoid operations on NULL monitor if VM fails early · b952cbbc
      Peter Krempa committed
      https://bugzilla.redhat.com/show_bug.cgi?id=1047659
      
      If a VM dies very early during an attempted connect to the guest agent
      while the locks are down the domain monitor object will be freed. The
      object is then accessed later as any failure during guest agent startup
      isn't considered fatal.
      
      In the current upstream version this doesn't lead to a crash as
      virObjectLock called when entering the monitor in
      qemuProcessDetectVcpuPIDs checks the pointer before attempting to
      dereference (lock) it. The NULL pointer is then caught in the monitor
      helper code.
      
      Before the introduction of virObjectLockable - observed on 0.10.2 - the
      pointer is locked directly via virMutexLock leading to a crash.
      
      To avoid this problem we need to differentiate between the guest agent
      not being present and the VM quitting when the locks were down. The fix
      reorganizes the code in qemuConnectAgent to add the check and then adds
      special handling to the callers.
    • tests: be more explicit on qcow2 versions in virstoragetest · 974e5914
      Eric Blake committed
      While working on v1.0.5-maint (the branch in use on Fedora 19)
      with the host at Fedora 20, I got a failure in virstoragetest.
      I traced it to the fact that we were using qemu-img to create a
      qcow2 file, but qemu-img changed from creating v2 files by
      default in F19 to creating v3 files in F20.  Rather than leaving
      it up to qemu-img, it is better to write the test to force
      testing of BOTH file formats (better code coverage and all).
      
      This patch alone does not fix all the failures in v1.0.5-maint;
      for that, we must decide to either teach the older branch to
      understand v3 files, or to reject them outright as unsupported.
      But for upstream, making the test less dependent on changing
      qemu-img defaults is always a good thing.
      
      * tests/virstoragetest.c (testPrepImages): Simplify creation of
      raw file; check if qemu supports compat and if so use it.
      Signed-off-by: Eric Blake <eblake@redhat.com>
    • docs: mention maintenance branches · 908903b3
      Eric Blake committed
      Mitre tried to assign us two separate CVEs for the fix for
      https://bugzilla.redhat.com/show_bug.cgi?id=1047577, on the
      grounds that the fixes were separated by more than an hour
      and thus triggered different hourly snapshots.  But we
      explicitly do NOT want to treat transient security bugs as
      CVEs if they can only be triggered by patches in libvirt.git
      but where the problem is cleaned up before a formal release.
      
      Meanwhile, I noticed that while our wiki mentioned maintenance
      branches and releases, our formal documentation did not.
      
      * docs/downloads.html.in: Contrast hourly snapshots with
      maintenance branches.
      Signed-off-by: Eric Blake <eblake@redhat.com>
    • Fix docs for PMWakeup/PMSuspend callback types · e8eb8d84
      Claudio Bley committed
      s/is waken up/is woken up/
      
      A registered PMSuspendCallback is called when the domain is suspended, not
      when it is woken up.
  3. 15 Jan, 2014 7 commits
  4. 14 Jan, 2014 4 commits
    • Fix memory leak in testDomainCreateXMLMixed() · b22f7726
      Nehal J Wani committed
      While running objecteventtest, it was found that valgrind pointed out the
      following memory leak:
      
      ==125== 538 (56 direct, 482 indirect) bytes in 1 blocks are definitely lost in loss record 216 of 226
      ==125==    at 0x4A06B6F: calloc (vg_replace_malloc.c:593)
      ==125==    by 0x4C65D8D: virAllocVar (viralloc.c:558)
      ==125==    by 0x4C9F055: virObjectNew (virobject.c:190)
      ==125==    by 0x4D2B2E8: virGetDomain (datatypes.c:220)
      ==125==    by 0x4D79180: testDomainDefineXML (test_driver.c:2962)
      ==125==    by 0x4D4977D: virDomainDefineXML (libvirt.c:8512)
      ==125==    by 0x4029C2: testDomainCreateXMLMixed (objecteventtest.c:226)
      ==125==    by 0x403A21: virtTestRun (testutils.c:138)
      ==125==    by 0x4021C2: mymain (objecteventtest.c:549)
      ==125==    by 0x4040C2: virtTestMain (testutils.c:593)
      ==125==    by 0x341F421A04: (below main) (libc-start.c:225)
      Signed-off-by: Ján Tomko <jtomko@redhat.com>
    • Really don't crash if a connection closes early · 066c8ef6
      Jiri Denemark committed
      https://bugzilla.redhat.com/show_bug.cgi?id=1047577
      
      When writing commit 173c2914, I missed the fact virNetServerClientClose
      unlocks the client object before actually clearing client->sock and thus
      it is possible to hit a window when client->keepalive is NULL while
      client->sock is not NULL. I was thinking client->sock == NULL was a
      better check for a closed connection but apparently we have to go with
      client->keepalive == NULL to actually fix the crash.
      Signed-off-by: Jiri Denemark <jdenemar@redhat.com>
    • storage: FS: Tweak some comments and fix typos · fbe472d5
      Peter Krempa committed
    • build: fix build on mingw with winpthreads · c91d13bd
      Eric Blake committed
      On my Fedora 20 box with mingw cross-compiler, the build failed with:
      
      ../../src/rpc/virnetclient.c: In function 'virNetClientSetTLSSession':
      ../../src/rpc/virnetclient.c:745:14: error: unused variable 'oldmask' [-Werror=unused-variable]
           sigset_t oldmask, blockedsigs;
                    ^
      
      I traced it to the fact that mingw64-winpthreads installs a header
      that does #define pthread_sigmask(...) 0, which means any argument
      only ever passed to pthread_sigmask is reported as unused.  This
      patch works around the compilation failure, with behavior no worse
      than what mingw already gives us regarding the function being a
      no-op.
      
      * configure.ac (pthread_sigmask): Probe for broken mingw macro.
      * src/util/virutil.h (pthread_sigmask): Rewrite to something that
      avoids unused variables.
      Signed-off-by: Eric Blake <eblake@redhat.com>
  5. 13 Jan, 2014 2 commits
    • P
    • Don't crash if a connection closes early · 173c2914
      Jiri Denemark committed
      https://bugzilla.redhat.com/show_bug.cgi?id=1047577
      
      When a client closes its connection to libvirtd early during
      virConnectOpen, more specifically just after making
      REMOTE_PROC_CONNECT_SUPPORTS_FEATURE call to check if
      VIR_DRV_FEATURE_PROGRAM_KEEPALIVE is supported without even waiting for
      the result, libvirtd may crash due to a race in keep-alive
      initialization. Once receiving the REMOTE_PROC_CONNECT_SUPPORTS_FEATURE
      call, the daemon's event loop delegates it to a worker thread. In case
      the event loop detects EOF on the connection and calls
      virNetServerClientClose before the worker thread starts to handle
      REMOTE_PROC_CONNECT_SUPPORTS_FEATURE call, client->keepalive will be
      disposed by the time virNetServerClientStartKeepAlive gets called from
      remoteDispatchConnectSupportsFeature. Because the flow is common for
      both authenticated and read-only connections, even unprivileged clients
      may cause the daemon to crash.
      
      To avoid the crash, virNetServerClientStartKeepAlive needs to check if
      the connection is still open before starting keep-alive protocol.
      
      Every libvirt release since 0.9.8 is affected by this bug.
  6. 11 Jan, 2014 2 commits
    • Exercise the ABI stability check code in test suite · 53a699a0
      Daniel P. Berrange committed
      Any test suite which involves a virDomainDefPtr should
      call virDomainDefCheckABIStability with itself just as
      a basic sanity check that the identity-comparison always
      succeeds. This would have caught the recent NULL pointer
      access crash.
      
      Make sure we cope with def->name being NULL since the
      VMWare config parser produces NULL names.
      Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
    • schema: fix idmap validation · dd0dda2e
      Eric Blake committed
      When idmap was added to LXC, we forgot to cover it in the testsuite.
      The schema was missing an <element> layer, and as a result,
      virt-xml-validate was failing on valid dumpxml output.
      
      Reported by Eduard - Gabriel Munteanu on IRC.
      
      * docs/schemas/domaincommon.rng (idmap): Include <idmap> element,
      and support interleaves.
      * tests/lxcxml2xmldata/lxc-idmap.xml: New file.
      * tests/lxcxml2xmltest.c (mymain): Test it.
      Signed-off-by: Eric Blake <eblake@redhat.com>
  7. 10 Jan, 2014 4 commits