This eliminates the warning message reported in:

 https://bugzilla.redhat.com/show_bug.cgi?id=624447

It was caused by a failure to open an image file that is not
accessible by root (the uid libvirtd is running as) because it's on a
root-squash NFS share, owned by a different user, with permissions of
660 (or maybe 600).

The solution is to use virFileOpenAs() rather than open(). The
codepath that generates the error is during qemuSetupDiskCGroup(), but
the actual open() is in a lower-level generic function called from
many places (virDomainDiskDefForeachPath), so some other pieces of the
code were touched just to add dummy (or possibly useful) uid and gid
arguments.

Eliminating this warning message has the nice side effect that the
requested operation may even succeed (which in this case isn't
necessary, but shouldn't hurt anything either).

virFileOpenAs previously would only try opening a file as the current
user, or as a different user, but wouldn't try both methods in a
single call. This made it cumbersome to use as a replacement for
open(2). Additionally, it had a lot of historical baggage that led to
it being difficult to understand.

This patch refactors virFileOpenAs in the following ways:

* reorganize the code so that everything dealing with both the parent
  and child sides of the "fork+setuid+setgid+open" method are in a
  separate function. This makes the public function easier to understand.

* Allow a single call to virFileOpenAs() to first attempt the open as
  the current user, and if that fails to automatically re-try after
  doing fork+setuid (if deemed appropriate, i.e. errno indicates it
  would now be successful, and the file is on a networkFS). This makes
  it possible (in many, but possibly not all, cases) to drop-in
  virFileOpenAs() as a replacement for open(2).

  (NB: currently qemuOpenFile() calls virFileOpenAs() twice, once
  without forking, then again with forking. That unfortunately can't
  be changed without at least some discussion of the ramifications,
  because the requested file permissions are different in each case,
  which is something that a single call to virFileOpenAs() can't deal
  with.)

* Add a flag so that any fchown() of the file to a different uid:gid
  is explicitly requested when the function is called, rather than it
  being implied by the presence of the O_CREAT flag. This just makes
  for less subtle surprises to consumers. (Commit
  b1643dc1 added the check for O_CREAT
  before forcing ownership. This patch just makes that restriction
  more explicit.)

* If either the uid or gid is specified as "-1", virFileOpenAs will
  interpret this to mean "the current [gu]id".

All current consumers of virFileOpenAs should retain their present
behavior (after a few minor changes to their setup code and
arguments).

Rename the src/util/netlink files to src/util/virnetlink to
better fit the naming scheme. Also rename nlComm to virNetlinkCommand.
Signed-off-by: ND. Herrendoerfer <d.herrendoerfer@herrendoerfer.name>

When libvirt's virDomainDestroy API is shutting down the qemu process,
it first sends SIGTERM, then waits for 1.6 seconds and, if it sees the
process still there, sends a SIGKILL.

There have been reports that this behavior can lead to data loss
because the guest running in qemu doesn't have time to flush its disk
cache buffers before it's unceremoniously whacked.

This patch maintains that default behavior, but provides a new flag
VIR_DOMAIN_DESTROY_GRACEFUL to alter the behavior. If this flag is set
in the call to virDomainDestroyFlags, SIGKILL will never be sent to
the qemu process; instead, if the timeout is reached and the qemu
process still exists, virDomainDestroy will return an error.

Once this patch is in, the recommended method for applications to call
virDomainDestroyFlags will be with VIR_DOMAIN_DESTROY_GRACEFUL
included. If that fails, then the application can decide if and when
to call virDomainDestroyFlags again without
VIR_DOMAIN_DESTROY_GRACEFUL (to force the issue with SIGKILL).

(Note that this does not address the issue of existing applications
that have not yet been modified to use VIR_DOMAIN_DESTROY_GRACEFUL.
That is a separate patch.)

compat{a->i}bility
erron{->e}ous
nec{c->}essary.
Either "the" or "a".
Signed-off-by: NPhilipp Hahn <hahn@univention.de>

Our HACKING discourages use of malloc and free, for at least
a couple of years now.  But we weren't enforcing it, until now :)

For now, I've exempted python and tests, and will clean those up
in subsequent patches.  Examples should be permanently exempt,
since anyone copying our examples won't have use of our
internal-only memory.h via libvirt_util.la.

* cfg.mk (sc_prohibit_raw_allocation): New rule.
(exclude_file_name_regexp--sc_prohibit_raw_allocation): and
exemptions.
* src/cpu/cpu.c (cpuDataFree): Avoid false positive.
* src/conf/network_conf.c (virNetworkDNSSrvDefParseXML): Fix
offenders.
* src/libxl/libxl_conf.c (libxlMakeDomBuildInfo, libxlMakeVfb)
(libxlMakeDeviceModelInfo): Likewise.
* src/rpc/virnetmessage.c (virNetMessageSaveError): Likewise.
* tools/virsh.c (_vshMalloc, _vshCalloc): Likewise.

Our syntax checker missed all-lower-case variables (this will
be fixed by the next .gnulib update).  Additionally, anywhere
that we mix in-tree files with generated files, automake recommends
listing builddir prior to srcdir for VPATH builds.

* src/Makefile.am (*_la_CFLAGS): Favor $(top_srcdir).
(INCLUDES): Likewise, and follow automake recommendations on
builddir before srcdir.
* python/Makefile.am (INCLUDES): Swap directory order.
* tests/Makefile.am (INCLUDES): Likewise.
* tools/Makefile.am (INCLUDES): Likewise.
* daemon/Makefile.am (INCLUDES): Likewise.
(libvirtd.init, libvirtd.service): Favor $().
* examples/hellolibvirt/Makefile.am (hellolibvirt_LDADD):
Likewise.
* examples/openauth/Makefile.am (openauth_LDADD): Likewise.
* examples/dominfo/Makefile.am (INCLUDES): Drop dead include.
* examples/domsuspend/Makefile.am (INCLUDES): Likewise.

Sometimes, its easier to run children with 2>&1 in shell notation,
and just deal with stdout and stderr interleaved.  This was already
possible for fd handling; extend it to also work when doing string
capture of a child process.

* docs/internals/command.html.in: Document this.
* src/util/command.c (virCommandSetErrorBuffer): Likewise.
(virCommandRun, virExecWithHook): Implement it.
* tests/commandtest.c (test14): Test it.
* daemon/remote.c (remoteDispatchAuthPolkit): Use new command
feature.

This patch fixes the access of variable "con" in two files where the
variable was declared only on SELinux builds and thus the build failed
without SELinux. It's a rather nasty fix but helps fix the build
quickly and without any major changes to the code.

Added RSS information gathering into qemuMemoryStats into qemu driver
and the reporting into virsh dommemstat.

One more parameter added into the function parsing /proc/<pid>/stat
and the call of the function is fixed as well.

Detected by valgrind. Leak is introduced in commit 397e6a70.

* src/conf/domain_conf.c(virDomainDiskDefParseXML): fix memory leak.

How to reproduce?
% make -C tests check TESTS=qemuxml2argvtest
% cd tests && valgrind -v --leak-check=full ./qemuxml2argvtest

* Actual result:

==16352== 4 bytes in 1 blocks are definitely lost in loss record 12 of 147
==16352==    at 0x4A05FDE: malloc (vg_replace_malloc.c:236)
==16352==    by 0x39D90A67DD: xmlStrndup (xmlstring.c:45)
==16352==    by 0x4E83D5: virDomainDiskDefParseXML (domain_conf.c:2894)
==16352==    by 0x4F542D: virDomainDefParseXML (domain_conf.c:7626)
==16352==    by 0x4F8683: virDomainDefParseNode (domain_conf.c:8390)
==16352==    by 0x4F904E: virDomainDefParse (domain_conf.c:8340)
==16352==    by 0x41C626: testCompareXMLToArgvHelper (qemuxml2argvtest.c:105)
==16352==    by 0x41DED1: virtTestRun (testutils.c:142)
==16352==    by 0x418172: mymain (qemuxml2argvtest.c:486)
==16352==    by 0x41D5C7: virtTestMain (testutils.c:697)
==16352==    by 0x39CF01ECDC: (below main) (in /lib64/libc-2.12.so)
Signed-off-by: NAlex Jia <ajia@redhat.com>

To allow the container to access /dev and /dev/pts when under
sVirt, set an explicit mount option. Also set a max size on
the /dev mount to prevent DOS on memory usage

* src/lxc/lxc_container.c: Set /dev mount context
* src/lxc/lxc_controller.c: Set /dev/pts mount context

For the sake of backwards compat, LXC guests are *not*
confined by default. This is because it is not practical
to dynamically relabel containers using large filesystem
trees. Applications can create confined containers though,
by giving suitable XML configs

* src/Makefile.am: Link libvirt_lxc to security drivers
* src/lxc/libvirtd_lxc.aug, src/lxc/lxc_conf.h,
  src/lxc/lxc_conf.c, src/lxc/lxc.conf,
  src/lxc/test_libvirtd_lxc.aug: Config file handling for
  security driver
* src/lxc/lxc_driver.c: Wire up security driver functions
* src/lxc/lxc_controller.c: Add a '--security' flag to
  specify which security driver to activate
* src/lxc/lxc_container.c, src/lxc/lxc_container.h: Set
  the process label just before exec'ing init.

Curently security labels can be of type 'dynamic' or 'static'.
If no security label is given, then 'dynamic' is assumed. The
current code takes advantage of this default, and avoids even
saving <seclabel> elements with type='dynamic' to disk. This
means if you temporarily change security driver, the guests
can all still start.

With the introduction of sVirt to LXC though, there needs to be
a new default of 'none' to allow unconfined LXC containers.

This patch introduces two new security label types

 - default:  the host configuration decides whether to run the
             guest with type 'none' or 'dynamic' at guest start
 - none:     the guest will run unconfined by security policy

The 'none' label type will obviously be undesirable for some
deployments, so a new qemu.conf option allows a host admin to
mandate confined guests. It is also possible to turn off default
confinement

  security_default_confined = 1|0  (default == 1)
  security_require_confined = 1|0  (default == 0)

* src/conf/domain_conf.c, src/conf/domain_conf.h: Add new
  seclabel types
* src/security/security_manager.c, src/security/security_manager.h:
  Set default sec label types
* src/security/security_selinux.c: Handle 'none' seclabel type
* src/qemu/qemu.conf, src/qemu/qemu_conf.c, src/qemu/qemu_conf.h,
  src/qemu/libvirtd_qemu.aug: New security config options
* src/qemu/qemu_driver.c: Tell security driver about default
  config

This re-introduces parsing & formatting for per device seclabels.
There is a new virDomainDeviceSeclabelPtr struct and corresponding
APIs for parsing/formatting.

Revert parsing changes:

  commit 302fe95f
  Author: Eric Blake <eblake@redhat.com>
  Date:   Wed Jan 4 16:01:24 2012 -0700

    seclabel: fix regression in libvirtd restart

  commit b4343293
  Author: Eric Blake <eblake@redhat.com>
  Date:   Thu Dec 22 17:47:50 2011 -0700

    seclabel: allow a seclabel override on a disk src

These two commits changed the sec label parsing code so that
the same code dealt with both the VM level sec label, and the
per device label. Unfortunately, as we add more options to the
VM level sec label, the logic required to use the same parsing
code for the per device label becomes unintelligible.

* src/conf/domain_conf.c: Remove support for parsing per
  device sec labels

I slightly botched commit be9fb5af - I converted '--arg=value' to
'--arg value', which has no semantic change, but did trip up the
testsuite.

* src/network/bridge_driver.c (networkBuildDnsmasqArgv): Restore
expected output.

libvirt supports 4 different versions of the user-land XenD daemon. When
queried the daemon just returns its generation number, which is hard to
match to the version of the Xen tools.

Replace the magic generation numbers by named enum definitions to
improve code readability.
Signed-off-by: NPhilipp Hahn <hahn@univention.de>

Detected by valgrind. Leaks introduced in commit 973af236.

* src/network/bridge_driver.c: fix memory leaks on failure and successful path.

* How to reproduce?
% make -C tests check TESTS=networkxml2argvtest
% cd tests && valgrind -v --leak-check=full ./networkxml2argvtest

* Actual result:

==2226== 3 bytes in 1 blocks are definitely lost in loss record 1 of 24
==2226==    at 0x4A05FDE: malloc (vg_replace_malloc.c:236)
==2226==    by 0x39CF0FEDE7: __vasprintf_chk (in /lib64/libc-2.12.so)
==2226==    by 0x41DFF7: virVasprintf (stdio2.h:199)
==2226==    by 0x41E0B7: virAsprintf (util.c:1695)
==2226==    by 0x41A2D9: networkBuildDhcpDaemonCommandLine (bridge_driver.c:545)
==2226==    by 0x4145C8: testCompareXMLToArgvHelper (networkxml2argvtest.c:47)
==2226==    by 0x4156A1: virtTestRun (testutils.c:141)
==2226==    by 0x414332: mymain (networkxml2argvtest.c:123)
==2226==    by 0x414D97: virtTestMain (testutils.c:696)
==2226==    by 0x39CF01ECDC: (below main) (in /lib64/libc-2.12.so)
==2226==
==2226== 3 bytes in 1 blocks are definitely lost in loss record 2 of 24
==2226==    at 0x4A05FDE: malloc (vg_replace_malloc.c:236)
==2226==    by 0x39CF0FEDE7: __vasprintf_chk (in /lib64/libc-2.12.so)
==2226==    by 0x41DFF7: virVasprintf (stdio2.h:199)
==2226==    by 0x41E0B7: virAsprintf (util.c:1695)
==2226==    by 0x41A307: networkBuildDhcpDaemonCommandLine (bridge_driver.c:551)
==2226==    by 0x4145C8: testCompareXMLToArgvHelper (networkxml2argvtest.c:47)
==2226==    by 0x4156A1: virtTestRun (testutils.c:141)
==2226==    by 0x414332: mymain (networkxml2argvtest.c:123)
==2226==    by 0x414D97: virtTestMain (testutils.c:696)
==2226==    by 0x39CF01ECDC: (below main) (in /lib64/libc-2.12.so)
==2226==
==2226== 5 bytes in 1 blocks are definitely lost in loss record 4 of 24
==2226==    at 0x4A05FDE: malloc (vg_replace_malloc.c:236)
==2226==    by 0x39CF0FEDE7: __vasprintf_chk (in /lib64/libc-2.12.so)
==2226==    by 0x41DFF7: virVasprintf (stdio2.h:199)
==2226==    by 0x41E0B7: virAsprintf (util.c:1695)
==2226==    by 0x41A2AB: networkBuildDhcpDaemonCommandLine (bridge_driver.c:539)
==2226==    by 0x4145C8: testCompareXMLToArgvHelper (networkxml2argvtest.c:47)
==2226==    by 0x4156A1: virtTestRun (testutils.c:141)
==2226==    by 0x414332: mymain (networkxml2argvtest.c:123)
==2226==    by 0x414D97: virtTestMain (testutils.c:696)
==2226==    by 0x39CF01ECDC: (below main) (in /lib64/libc-2.12.so)
==2226==
==2226== LEAK SUMMARY:
==2226==    definitely lost: 11 bytes in 3 blocks
Signed-off-by: NAlex Jia <ajia@redhat.com>
Signed-off-by: NEric Blake <eblake@redhat.com>

This is a trivial implementation, which works with the current
released qemu 1.0 with backports of preliminary block pull but
no partial rebase.  Future patches will update the monitor handling
to support an optional parameter for partial rebase; but as qemu
1.1 is unreleased, it can be in later patches, designed to be
backported on top of the supported API.

* src/qemu/qemu_driver.c (qemuDomainBlockJobImpl): Add parameter,
and adjust callers.  Drop redundant check.
(qemuDomainBlockPull): Move guts...
(qemuDomainBlockRebase): ...to new function.

Nice and simple.

* src/remote/remote_protocol.x (REMOTE_PROC_DOMAIN_BLOCK_REBASE):
New RPC.
* src/remote/remote_driver.c (remote_driver): Wire it up.
* src/remote_protocol-structs: Regenerate.

Qemu is adding the ability to do a partial rebase.  That is, given:

base <- intermediate <- current

virDomainBlockPull will produce:

current

but qemu now has the ability to leave base in the chain, to produce:

base <- current

Note that current qemu can only do a forward merge, and only with
the current image as the destination, which is fully described by
this API without flags.  But in the future, it may be possible to
enhance this API for additional scenarios by using flags:

Merging the current image back into a previous image (that is,
undoing a live snapshot), could be done by passing base as the
destination and flags with a bit requesting a backward merge.

Merging any other part of the image chain, whether forwards (the
backing image contents are pulled into the newer file) or backwards
(the deltas recorded in the newer file are merged back into the
backing file), could also be done by passing a new flag that says
that base should be treated as an XML snippet rather than an
absolute path name, where the XML could then supply the additional
instructions of which part of the image chain is being merged into
any other part.

* include/libvirt/libvirt.h.in (virDomainBlockRebase): New
declaration.
* src/libvirt.c (virDomainBlockRebase): Implement it.
* src/libvirt_public.syms (LIBVIRT_0.9.10): Export it.
* src/driver.h (virDrvDomainBlockRebase): New driver callback.
* src/rpc/gendispatch.pl (long_legacy): Add exemption.
* docs/apibuild.py (long_legacy_functions): Likewise.

This patch adds support for the new api into the qemu driver to support
modification and retrieval of domain description and title. This patch
does not add support for modifying the <metadata> element.

This patch adds API to modify domain metadata for running and stopped
domains. The api supports changing description, title as well as the
newly added <metadata> element. The API has support for storing data in
the metadata element using xml namespaces.

* include/libvirt/libvirt.h.in
* src/libvirt_public.syms
        - add function headers
        - add enum to select metadata to operate on
        - export functions
* src/libvirt.c
        - add public api implementation
* src/driver.h
        - add driver support
* src/remote/remote_driver.c
* src/remote/remote_protocol.x
        - wire up the remote protocol
* include/libvirt/virterror.h
* src/util/virterror.c
        - add a new error message note that metadata for domain are
        missing

This patch adds a new element <title> to the domain XML. This attribute
can hold a short title defined by the user to ease the identification of
domains. The title may not contain newlines and should be reasonably short.

 *docs/formatdomain.html.in
 *docs/schemas/domaincommon.rng
        - add schema grammar for the new element and documentation
  *src/conf/domain_conf.c
  *src/conf/domain_conf.h
        - add field to hold the new attribute
        - add code to parse and create XML with the new attribute

This was forgotten when the function was originally written (not
noticed because it wasn't used at the time). It's required for
proper compilation with modules enabled after applying the recent
virStorageVolResize patches.

This was forgotten when the function was initially written (not
noticed because it wasn't used at the time). It's required for proper
compilation with modules enabled after applying the recent rawio
patches.

We already provide ways to detect when a domain has been paused as a
result of I/O error, but there was no way of getting the exact error or
even the device that experienced it.  This new API may be used for both.

If we are building not on a WIN32 architecture and without HAVE_CAPNG
virSetCapabilities has unused argument and virClearCapabilities
is unused as well.

which contained some useless lines, copied code, NULL
dereference.

In qemuDomainShutdownFlags if we try to use guest agent,
which has error or is not configured, we jump go endjob
label even if we haven't started any job yet. This may
lead to the daemon crash:
1) virsh shutdown --mode agent on a domain without agent configured
2) wait until domain quits
3) virsh edit

Fix my typo at
  commit 74e03496

"disk->rawio == -1" indicates that this value is not
specified. So in case of this, domain must not
be tainted.
Signed-off-by: NTaku Izumi <izumi.taku@jp.fujitsu.com>

Using new function 'virTypedParameterArrayClear' to simplify block of codes.

* daemon/remote.c, src/remote/remote_driver.c: simplify codes.
Signed-off-by: NAlex Jia <ajia@redhat.com>

This patch revises qemuProcessStart() function for qemu
processes to retain CAP_SYS_RAWIO if needed.
And in case of that, add taint flag to domain.
Signed-off-by: NTaku Izumi <izumi.taku@jp.fujitsu.com>
Signed-off-by: NShota Hirae <m11g1401@hibikino.ne.jp>

This patch extends virExecWithHook() to receive
capability information.
Signed-off-by: NTaku Izumi <izumi.taku@jp.fujitsu.com>
Signed-off-by: NShota Hirae <m11g1401@hibikino.ne.jp>