1. 10 12月, 2012 25 次提交
    • D
      Doug Goldstein gained commit capability · c18efc8e
      Daniel Veillard 提交于
      (cherry picked from commit bf60b6b3)
      c18efc8e
    • E
      build: rerun bootstrap if AUTHORS is missing · 74aaec03
      Eric Blake 提交于
      Ever since commit 7b21981c started generating AUTHORS, we now have
      the situation that if you flip between two branches in the same
      git repository that cross that commit boundary, then 'make' will
      fail due to automake complaining about AUTHORS not existing.  The
      simplest solution is to realize that if AUTHORS does not exist,
      then we flipped branches so we will need to rerun bootstrap
      anyways; and rerunning bootstrap ensures AUTHORS will exist in time.
      
      * cfg.mk (_update_required): Also depend on AUTHORS.
      (cherry picked from commit 71d12562)
      74aaec03
    • D
      Fix uninitialized variable in virLXCControllerSetupDevPTS · caea7122
      Daniel P. Berrange 提交于
      The lack of initialization of 'opts' caused a SEGV in the
      cleanup: path if the root->src directory did not exist
      (cherry picked from commit 3782814d)
      caea7122
    • M
      qemu: Don't force port=0 for SPICE · 3186eb05
      Michal Privoznik 提交于
      If domain uses only TLS port we don't want to add
      'port=0' explicitly to command line.
      (cherry picked from commit 9f872472)
      3186eb05
    • G
      Fix "virsh create" example · d070eee1
      Guido Günther 提交于
      We require a file and don't accept standard input:
      
      http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=692322
      (cherry picked from commit d49adae2)
      d070eee1
    • M
      esx: Yet another connection fix for 5.1 · 245c8135
      Martin Kletzander 提交于
      After the connection to ESX 5.1 being broken since g1e7cd395, the fix
      in bab7752c helped a bit, but still missed a spot, so the connection
      is now successful, but some APIs (for example defineXML) don't work.
      Two cases missing are added in this patch to avoid that.
      (cherry picked from commit 9c294e6f)
      245c8135
    • M
      qemu: Add controllers in specified order · e1cb1c06
      Michal Privoznik 提交于
      qemu is sensitive to the order of arguments passed. Hence, if a
      device requires a controller, the controller cmd string must
      precede device cmd string. The same apply for controllers, when
      for instance ccid controller requires usb controller. So
      controllers create partial ordering in which they should be added
      to qemu cmd line.
      (cherry picked from commit 0f720ab3)
      e1cb1c06
    • M
      qemu: Wrap controllers code into dummy loop · a2e51ac0
      Michal Privoznik 提交于
      which just re-indent code and prepare it for next patch.
      (cherry picked from commit 77b93dbc)
      a2e51ac0
    • V
      spec: replace scriptlets with new systemd macros · 77b780f5
      Václav Pavlín 提交于
      https://bugzilla.redhat.com/850186
      
      I added %with_systemd_macros so it should now work in F17 with old
      scriptlets and in F18+/RHEL7+ with systemd macros
      (see https://fedoraproject.org/wiki/Packaging:ScriptletSnippets#Systemd)
      
      I missed libvirt-guests.service because there is no systemctl call for
      it. So I only added systemd macros calls.
      (cherry picked from commit ec02d49d)
      77b780f5
    • M
      iohelper: Don't report errors on special FDs · b222c47b
      Michal Privoznik 提交于
      Some FDs may not implement fdatasync() functionality,
      e.g.  pipes. In that case EINVAL or EROFS is returned.
      We don't want to fail then nor report any error.
      Reported-by: NChristophe Fergeau <cfergeau@redhat.com>
      (cherry picked from commit 46325e51)
      b222c47b
    • P
      qemu: Fix possible race when pausing guest · beb086f6
      Peter Krempa 提交于
      When pausing the guest while migration is running (to speed up
      convergence) the virDomainSuspend API checks if the migration job is
      active before entering the job. This could cause a possible race if the
      virDomainSuspend is called while the job is active but ends before the
      Suspend API enters the job (this would require that the migration is
      aborted). This would cause a incorrect event to be emitted.
      (cherry picked from commit d0fc6dc8)
      beb086f6
    • P
      net: Remove dnsmasq and radvd files also when destroying transient nets · d3fd6176
      Peter Krempa 提交于
      The network driver didn't care about config files when a network was
      destroyed, just when it was undefined leaving behind files for transient
      networks.
      
      This patch splits out the cleanup code to a helper function that handles
      the cleanup if the inactive network object is being removed and re-uses
      this code when getting rid of inactive networks.
      (cherry picked from commit e87af617)
      d3fd6176
    • P
      net: Move creation of dnsmasq hosts file to function starting dnsmasq · b16a4ca9
      Peter Krempa 提交于
      The hosts file was created in the network definition function. This
      patch moves the place the file is being created to the point where
      dnsmasq is being started.
      (cherry picked from commit 23ae3fe4)
      b16a4ca9
    • P
      conf: net: Fix deadlock if assignment of network def fails · 2d49ed5d
      Peter Krempa 提交于
      When the assignment fails, the network object is not unlocked and next
      call that would use it deadlocks.
      (cherry picked from commit f8230891)
      2d49ed5d
    • P
      conf: net: Fix helper for applying new network definition · 43995ddc
      Peter Krempa 提交于
      When there's no new definition the helper overwrote the old one with
      NULL.
      (cherry picked from commit 947230fb)
      43995ddc
    • D
      Linux Containers are not allowed to create device nodes. · 9a543041
      Dan Walsh 提交于
      This needs to be done before the container starts. Turning
      off the mknod capability is noticed by systemd, which will
      no longer attempt to create device nodes.
      
      This eliminates SELinux AVC messages and ugly failure messages in the journal.
      (cherry picked from commit 2e03b08e)
      9a543041
    • M
      net-update docs: s/domain/network/ · d676b742
      Michal Privoznik 提交于
      A leftover from copy paste.
      (cherry picked from commit d1236faa)
      d676b742
    • M
      iohelper: fdatasync() at the end · 8a95078f
      Michal Privoznik 提交于
      Currently, when we are doing (managed) save, we insert the
      iohelper between the qemu and OS. The pipe is created, the
      writing end is passed to qemu and the reading end to the
      iohelper. It reads data and write them into given file. However,
      with write() being asynchronous data may still be in OS
      caches and hence in some (corner) cases, all migration data
      may have been read and written (not physically though). So
      qemu will report success, as well as iohelper. However, with
      some non local filesystems, where ENOSPACE is polled every X
      time units, we may get into situation where all operations
      succeeded but data hasn't reached the disk. And in fact will
      never do. Therefore we ought sync caches to make sure data
      has reached the block device on remote host.
      (cherry picked from commit f32e3a2d)
      8a95078f
    • M
      qemu: Fix EmulatorPinInfo without emulatorpin · ec3f5cad
      Martin Kletzander 提交于
      https://bugzilla.redhat.com/show_bug.cgi?id=871312
      
      Recent fixes made almost all the right steps to make emulator pinned
      to the cpuset of the whole domain in case <emulatorpin> isn't
      specified, but qemudDomainGetEmulatorPinInfo still reports all the
      CPUs even when cpuset is specified.  This patch fixes that.
      (cherry picked from commit 10c5212b)
      ec3f5cad
    • G
      bugfix: ip6tables rule removal · c3cc4c18
      Gene Czarcinski 提交于
      Three FORWARD chain rules are added and two INPUT chain rules
      are added when a network is started but only the FORWARD chain
      rules are removed when the network is destroyed.
      (cherry picked from commit adaa7ab6)
      c3cc4c18
    • G
      0004a118
    • L
      util: do a better job of matching up pids with their binaries · 58320848
      Laine Stump 提交于
      This patch resolves: https://bugzilla.redhat.com/show_bug.cgi?id=871201
      
      If libvirt is restarted after updating the dnsmasq or radvd packages,
      a subsequent "virsh net-destroy" will fail to kill the dnsmasq/radvd
      process.
      
      The problem is that when libvirtd restarts, it re-reads the dnsmasq
      and radvd pidfiles, then does a sanity check on each pid it finds,
      including checking that the symbolic link in /proc/$pid/exe actually
      points to the same file as the path used by libvirt to execute the
      binary in the first place. If this fails, libvirt assumes that the
      process is no longer alive.
      
      But if the original binary has been replaced, the link in /proc is set
      to "$binarypath (deleted)" (it literally has the string " (deleted)"
      appended to the link text stored in the filesystem), so even if a new
      binary exists in the same location, attempts to resolve the link will
      fail.
      
      In the end, not only is the old dnsmasq/radvd not terminated when the
      network is stopped, but a new dnsmasq can't be started when the
      network is later restarted (because the original process is still
      listening on the ports that the new process wants).
      
      The solution is, when the initial "use stat to check for identical
      inodes" check for identity between /proc/$pid/exe and $binpath fails,
      to check /proc/$pid/exe for a link ending with " (deleted)" and if so,
      truncate that part of the link and compare what's left with the
      original binarypath.
      
      A twist to this problem is that on systems with "merged" /sbin and
      /usr/sbin (i.e. /sbin is really just a symlink to /usr/sbin; Fedora
      17+ is an example of this), libvirt may have started the process using
      one path, but /proc/$pid/exe lists a different path (indeed, on F17
      this is the case - libvirtd uses /sbin/dnsmasq, but /proc/$pid/exe
      shows "/usr/sbin/dnsmasq"). The further bit of code to resolve this is
      to call virFileResolveAllLinks() on both the original binarypath and
      on the truncated link we read from /proc/$pid/exe, and compare the
      results.
      
      The resulting code still succeeds in all the same cases it did before,
      but also succeeds if the binary was deleted or replaced after it was
      started.
      (cherry picked from commit 7bafe009)
      58320848
    • V
      qemu: pass -usb and usb hubs earlier, so USB disks with static address are handled properly · d8199361
      Vladislav Bogdanov 提交于
      (cherry picked from commit 81af5336)
      
      Conflicts:
      	tests/qemuxml2argvdata/qemuxml2argv-bios.args
      	tests/qemuxml2argvdata/qemuxml2argv-disk-copy_on_read.args
      	tests/qemuxml2argvdata/qemuxml2argv-disk-ioeventfd.args
      	tests/qemuxml2argvdata/qemuxml2argv-event_idx.args
      	tests/qemuxml2argvdata/qemuxml2argv-hyperv.args
      	tests/qemuxml2argvdata/qemuxml2argv-virtio-lun.args
      d8199361
    • V
      qemu: Do not ignore address for USB disks · 3f3d0944
      Vladislav Bogdanov 提交于
      (cherry picked from commit 8f708761)
      3f3d0944
    • M
      esx: Fix connection to ESX 5.1 · b29534a6
      Martin Kletzander 提交于
      After separating 5.x and 5.1 versions of ESX, we forgot to add 5.1
      into the list of allowed connections, so connections to 5.1 fail since
      v1.0.0-rc1-5-g1e7cd395
      (cherry picked from commit bab7752c)
      b29534a6
  2. 04 12月, 2012 1 次提交
    • L
      conf: fix virDomainNetGetActualDirect*() and BridgeName() · 48aaabd9
      Laine Stump 提交于
      This resolves:
      
         https://bugzilla.redhat.com/show_bug.cgi?id=881480
      
      These three functions:
      
        virDomainNetGetActualBridgeName
        virDomainNetGetActualDirectDev
        virDomainNetGetActualDirectMode
      
      return attributes that are in a union whose contents are interpreted
      differently depending on the actual->type and so they should only
      return non-0 when actual->type is 'bridge' (in the first case) or
      'direct' (in the other two cases, but I had neglected to do that, so
      ...DirectDev() was returning bridge.brname (which happens to share the
      same spot in the union with direct.linkdev) if actual->type was
      'bridge', and ...BridgeName was returning direct.linkdev when
      actual->type was 'direct'.
      
      How does this involve Bug 881480 (which was about the inability to
      switch between two networks that both have "<forward mode='bridge'/>
      <bridge name='xxx'/>"? Whenever the return value of
      virDomainNetGetActualDirectDev() for the new and old network
      definitions doesn't match, qemuDomainChangeNet() requires a "complete
      reconnect" of the device, which qemu currently doesn't
      support. ...DirectDev() *should* have been returning NULL for old and
      new, but was instead returning the old and new bridge names, which
      differ.
      
      (The other two functions weren't causing any behavioral problems in
      virDomainChangeNet(), but their problem and fix was identical, so I
      included them in this same patch).
      (cherry picked from commit 3738cf41)
      48aaabd9
  3. 30 11月, 2012 3 次提交
    • L
      network: use dnsmasq --bind-dynamic when available · 3fbab08a
      Laine Stump 提交于
      This bug resolves CVE-2012-3411, which is described in the following
      bugzilla report:
      
        https://bugzilla.redhat.com/show_bug.cgi?id=833033
      
      The following report is specifically for libvirt on Fedora:
      
        https://bugzilla.redhat.com/show_bug.cgi?id=874702
      
      In short, a dnsmasq instance run with the intention of listening for
      DHCP/DNS requests only on a libvirt virtual network (which is
      constructed using a Linux host bridge) would also answer queries sent
      from outside the virtualization host.
      
      This patch takes advantage of a new dnsmasq option "--bind-dynamic",
      which will cause the listening socket to be setup such that it will
      only receive those requests that actually come in via the bridge
      interface. In order for this behavior to actually occur, not only must
      "--bind-interfaces" be replaced with "--bind-dynamic", but also all
      "--listen-address" options must be replaced with a single
      "--interface" option. Fully:
      
         --bind-interfaces --except-interface lo --listen-address x.x.x.x ...
      
      (with --listen-address possibly repeated) is replaced with:
      
         --bind-dynamic --interface virbrX
      
      Of course libvirt can't use this new option if the host's dnsmasq
      doesn't have it, but we still want libvirt to function (because the
      great majority of libvirt installations, which only have mode='nat'
      networks using RFC1918 private address ranges (e.g. 192.168.122.0/24),
      are immune to this vulnerability from anywhere beyond the local subnet
      of the host), so we use the new dnsmasqCaps API to check if dnsmasq
      supports the new option and, if not, we use the "old" option style
      instead. In order to assure that this permissiveness doesn't lead to a
      vulnerable system, we do check for non-private addresses in this case,
      and refuse to start the network if both a) we are using the old-style
      options, and b) the network has a publicly routable IP
      address. Hopefully this will provide the proper balance of not being
      disruptive to those not practically affected, and making sure that
      those who *are* affected get their dnsmasq upgraded.
      
      (--bind-dynamic was added to dnsmasq in upstream commit
      54dd393f3938fc0c19088fbd319b95e37d81a2b0, which was included in
      dnsmasq-2.63)
      3fbab08a
    • L
      util: new virSocketAddrIsPrivate function · 337efad9
      Laine Stump 提交于
      This new function returns true if the given address is in the range of
      any "private" or "local" networks as defined in RFC1918 (IPv4) or
      RFC3484/RFC4193 (IPv6), otherwise they return false.
      
      These ranges are:
      
         192.168.0.0/16
         172.16.0.0/16
         10.0.0.0/24
         FC00::/7
         FEC0::/10
      337efad9
    • L
      util: capabilities detection for dnsmasq · c1bbfabd
      Laine Stump 提交于
      In order to optionally take advantage of new features in dnsmasq when
      the host's version of dnsmasq supports them, but still be able to run
      on hosts that don't support the new features, we need to be able to
      detect the version of dnsmasq running on the host, and possibly
      determine from the help output what options are in this dnsmasq.
      
      This patch implements a greatly simplified version of the capabilities
      code we already have for qemu. A dnsmasqCaps device can be created and
      populated either from running a program on disk, reading a file with
      the concatenated output of "dnsmasq --version; dnsmasq --help", or
      examining a buffer in memory that contains the concatenated output of
      those two commands. Simple functions to retrieve capabilities flags,
      the version number, and the path of the binary are also included.
      
      bridge_driver.c creates a single dnsmasqCaps object at driver startup,
      and disposes of it at driver shutdown. Any time it must be used, the
      dnsmasqCapsRefresh method is called - it checks the mtime of the
      binary, and re-runs the checks if the binary has changed.
      
      networkxml2argvtest.c creates 2 "artificial" dnsmasqCaps objects at
      startup - one "restricted" (doesn't support --bind-dynamic) and one
      "full" (does support --bind-dynamic). Some of the test cases use one
      and some the other, to make sure both code pathes are tested.
      c1bbfabd
  4. 17 11月, 2012 1 次提交
  5. 13 11月, 2012 1 次提交
    • J
      qemu: Always format CPU topology · 165518d5
      Jiri Denemark 提交于
      When libvirt cannot find a suitable CPU model for host CPU (easily
      reproducible by running libvirt in a guest), it would not provide CPU
      topology in capabilities XML either. Even though CPU topology is known
      and can be queried by virNodeGetInfo. With this patch, CPU topology will
      always be provided in capabilities XML regardless on the presence of CPU
      model.
      (cherry picked from commit f1c70100)
      
      Conflicts:
      
          src/qemu/qemu_capabilities.c
          src/qemu/qemu_command.c
      
          The new code uses capabilities caching.
      165518d5
  6. 06 11月, 2012 1 次提交
  7. 02 11月, 2012 2 次提交
  8. 28 10月, 2012 6 次提交
    • C
      Prep for release 0.10.2.1 · 3feed5c1
      Cole Robinson 提交于
      3feed5c1
    • C
      d564e0a8
    • L
      parallels: fix build for some older compilers · 93ac917c
      Laine Stump 提交于
      Found this when building on RHEL5:
      
      parallels/parallels_storage.c: In function 'parallelsStorageOpen':
      parallels/parallels_storage.c:180: error: 'for' loop initial declaration used outside C99 mode
      
      (and similar error in parallels_driver.c). This was in spite of
      configuring with "-Wno-error".
      (cherry picked from commit 73ebd86d)
      93ac917c
    • P
      documentation: HTML tag fix · 9a9527d2
      Philipp Hahn 提交于
      Replace '%' by '&' for correct escaping of '>' in Domain specification.
      Signed-off-by: NPhilipp Hahn <hahn@univention.de>
      (cherry picked from commit 7083cdc7)
      9a9527d2
    • L
      network: fix networkValidate check for default portgroup and vlan · e9f16f25
      Laine Stump 提交于
      This was found during testing of the fix for:
      
         https://bugzilla.redhat.com/show_bug.cgi?id=868483
      
      networkValidate was supposed to check for the existence of multiple
      portgroups and report an error if this was encountered. It did, but
      there were two problems:
      
      1) even though it logged an error, it still returned success, allowing
      the operation to continue.
      
      2) It could exit the portgroup checking loop early (or possibly not
      even do it once) if a vlan tag was supplied in the base network config
      or one of the portgroups.
      
      This patch fixes networkValidate to return failure in addition to
      logging the error, and also changes it to not exit the portgroup
      checking loop early. The logic was a bit off in the checking for vlan
      anyway, and it's intertwined with fixing the early loop exit, so I
      fixed that as well. Now it correctly checks for combinations where a
      <virtualport> is specified in the base network def and <vlan> is given
      in a portgroup, as well as the opposite (<vlan> in base network def
      and <virtualport> in portgroup), and ignores the case of a disallowed
      vlan when using *no* portgroup if there is a default portgroup (since
      in that case there is no way to not use any portgroup).
      (cherry picked from commit d8aae15a)
      e9f16f25
    • M
      esx: Update version checks for vSphere 5.1 · addce0a7
      Matthias Bolte 提交于
      Also remove warnings for upcoming versions. There hadn't been any
      compatibility problems with new ESX version over the whole lifetime
      of the ESX driver, so I don't expect any in the future.
      
      Update documentation to mention vSphere 5.x support.
      (cherry picked from commit 1e7cd395)
      addce0a7