* src/qemu/qemu_driver.c (qemudLogReadFD): Don't pass a negative
offset (from a preceding failed attempt to seek to EOF) to this use
of lseek.

* src/qemu/qemu_monitor_text.c (qemuMonitorTextGetAllPCIAddresses):
Use %s.
* src/storage/storage_backend_iscsi.c (virStorageBackendCreateIfaceIQN):
Likewise.
* tools/virsh.c (cmdSecretSetValue): Likewise.

Similar to the race fixed by
be34c3c7, make sure
to wait around for KVM to release the resources from
a hot-detached PCI device before attempting to
rebind that device to the host driver.
Signed-off-by: NChris Lalancette <clalance@redhat.com>

The QEMU driver contained code to generate a -device string for piix4-ide, but
wasn't using it. This change removes this string generation. It also adds a
comment explaining why IDE and FDC controllers don't generate -device strings.

The change also generates an error if a sata controller is specified for a QEMU
domain, as this isn't supported.

* src/qemu/qemu_conf.c: Remove VIR_DOMAIN_CONTROLLER_TYPE_IDE handler in
  qemuBuildControllerDevStr(). Ignore IDE and FDC controllers. Error if
  SATA controller is discovered. Add comments.

On RHEL-5 the qemu-kvm binary is located in /usr/libexec.
To reduce confusion for people trying to run upstream libvirt
on RHEL-5 machines, make the qemu driver look in /usr/libexec
for the qemu-kvm binary.

To make this work, I modified virFindFileInPath to handle an
absolute path correctly.  I also ran into an issue where
NULL was sometimes being passed for the file parameter
to virFindFileInPath; it didn't crash prior to this patch
since it was building paths like /usr/bin/(null).  This
is non-standard behavior, though, so I added a NULL
check at the beginning.
Signed-off-by: NChris Lalancette <clalance@redhat.com>

If you shutdown libvirtd while a domain with PCI
devices is running, then try to restart libvirtd,
libvirtd will crash.

This happens because qemuUpdateActivePciHostdevs() is calling
pciDeviceListSteal() with a dev of 0x0 (NULL), and then trying
to dereference it.  This patch fixes it up so that
qemuUpdateActivePciHostdevs() steals the devices after first
Get()'ting them, avoiding the crash.
Signed-off-by: NChris Lalancette <clalance@redhat.com>

* src/qemu/qemu_monitor_text.c (qemuMonitorTextAttachDrive): Most other
failures in this function would "goto cleanup", but one mistakenly
returned directly, skipping the cleanup and resulting in a leak.
In addition, iterating the "try_command" loop would clobber, and
thus leak, the "cmd" allocated on the first iteration,
so be careful to free it in addition to "reply" beforehand.

The KVM build of QEMU includs the thread ID of each vCPU in the
'query-cpus' output. This is required for pinning guests to
particular host CPUs

* src/qemu/qemu_monitor_json.c: Extract 'thread_id' from CPU info

* src/util/json.c, src/util/json.h: Declare returned strings
  to be const
* src/qemu/qemu_monitor.c: Wire up JSON mode for qemuMonitorGetPtyPaths
* src/qemu/qemu_monitor_json.c, src/qemu/qemu_monitor_json.h: Fix
  const correctness. Add missing error message in the function
  qemuMonitorJSONGetAllPCIAddresses. Add implementation of the
  qemuMonitorGetPtyPaths function calling 'query-chardev'.

* src/qemu/qemu_monitor_text.c (qemuMonitorCommandWithHandler):
Always free *reply, upon failure.

Certain hypervisors (like qemu/kvm) map the PCI bar(s) on
the host when doing device passthrough.  This can lead to a race
condition where the hypervisor is still cleaning up the device while
libvirt is trying to re-attach it to the host device driver.  To avoid
this situation, we look through /proc/iomem, and if the hypervisor is
still holding onto the bar (denoted by the string in the matcher variable),
then we can wait around a bit for that to clear up.

v2: Thanks to review by DV, make sure we wait the full timeout per-device
Signed-off-by: NChris Lalancette <clalance@redhat.com>

Fix a small problem with the qemu memory stats parsing algorithm.  If qemu
reports a stat that libvirt does not recognize, skip past it so parsing can
continue.  This corrects a potential infinite loop in the parsing code that can
only be triggered if new statistics are added to qemu.

* src/qemu/qemu_monitor_text.c: qemuMonitorParseExtraBalloonInfo add a
  skip for extra ','

* src/qemu/qemu_conf.c (qemuBuildDriveStr): Use "%s".
* src/qemu/qemu_monitor_json.c (qemuMonitorJSONGetGuestPCIAddress):
(qemuMonitorJSONGetGuestDriveAddress): Likewise.

The loop looking for the controller associated with a SCI drive had
an off by one, causing it to miss the last controller.

* src/qemu/qemu_driver.c: Fix off-by-1 in searching for SCSI
  drive hotplug

The hotplug code in QEMU was leaking memory because although the
inner device object was being moved into the main virDomainDefPtr
config object, the outer container virDomainDeviceDefPtr was not.

 * src/qemu/qemu_driver.c: Clarify code to show that the inner
   device object is owned by the main domain config upon
   successfull attach.

Add the ability to turn off dynamic management of file permissions
for libvirt guests.

* qemu/libvirtd_qemu.aug: Support 'dynamic_ownership' flag
* qemu/qemu.conf: Document 'dynamic_ownership' flag.
* qemu/qemu_conf.c: Load 'dynamic_ownership' flag
* qemu/test_libvirtd_qemu.aug: Test 'dynamic_ownership' flag

The hotplug code was not correctly invoking the security driver
in error paths. If a hotplug attempt failed, the device would
be left with VM permissions applied, rather than restored to the
original permissions. Also, a CDROM media that is ejected was
not restored to original permissions. Finally there was a bogus
call to set hostdev permissions in the hostdev unplug code

* qemu/qemu_driver.c: Fix security driver usage in hotplug/unplug

If there is a problem with VM startup, PCI devices may be left
assigned to pci-stub / pci-back. Adding a call to reattach
host devices in the cleanup path is required.

* qemu/qemu_driver.c: qemuDomainReAttachHostDevices() when
  VM startup fails

Remove all the QEMU driver calls for setting file ownership and
process uid/gid. Instead wire in the QEMU DAC security driver,
stacking it ontop of the primary SELinux/AppArmour driver.

* qemu/qemu_driver.c: Switch over to new DAC security driver

This new security driver is responsible for managing UID/GID changes
to the QEMU process, and any files/disks/devices assigned to it.

* qemu/qemu_conf.h: Add flag for disabling automatic file permission
  changes
* qemu/qemu_security_dac.h, qemu/qemu_security_dac.c: New DAC driver
  for QEMU guests
* Makefile.am: Add new files

* qemu/qemu_conf.h: Add securityPrimaryDriver and
  securitySecondaryDriver fields to 'struct qemud_driver'
* Makefile.am: Add new files
* qemu/qemu_security_stacked.c, qemu/qemu_security_stacked.h: A
  simple stacked security driver

Pulling the disk labelling code out of the exec hook, and into
libvirtd will allow it to access shared state in the daemon. It
will also make debugging & error reporting easier / more reliable.

* qemu/qemu_driver.c: Move initial disk labelling calls up into
  libvirtd. Add cleanup of disk labels upon failure

If a VM fails to start, we can't simply free the security label
strings, we must call the domainReleaseSecurityLabel() method
otherwise the reserved 'mcs' level will be leaked in SElinux

* src/qemu/qemu_driver.c: Invoke domainReleaseSecurityLabel()
  when domain fails to start

The current security driver architecture has the following
split of logic

 * domainGenSecurityLabel

    Allocate the unique label for the domain about to be started

 * domainGetSecurityLabel

    Retrieve the current live security label for a process

 * domainSetSecurityLabel

    Apply the previously allocated label to the current process
    Setup all disk image / device labelling

 * domainRestoreSecurityLabel

    Restore the original disk image / device labelling.
    Release the unique label for the domain

The 'domainSetSecurityLabel' method is special because it runs
in the context of the child process between the fork + exec.

This is require in order to set the process label. It is not
required in order to label disks/devices though. Having the
disk labelling code run in the child process limits what it
can do.

In particularly libvirtd would like to remember the current
disk image label, and only change shared image labels for the
first VM to start. This requires use & update of global state
in the libvirtd daemon, and thus cannot run in the child
process context.

The solution is to split domainSetSecurityLabel into two parts,
one applies process label, and the other handles disk image
labelling. At the same time domainRestoreSecurityLabel is
similarly split, just so that it matches the style. Thus the
previous 4 methods are replaced by the following 6 new methods

 * domainGenSecurityLabel

    Allocate the unique label for the domain about to be started
    No actual change here.

 * domainReleaseSecurityLabel

   Release the unique label for the domain

 * domainGetSecurityProcessLabel

   Retrieve the current live security label for a process
   Merely renamed for clarity.

 * domainSetSecurityProcessLabel

   Apply the previously allocated label to the current process

 * domainRestoreSecurityAllLabel

    Restore the original disk image / device labelling.

 * domainSetSecurityAllLabel

    Setup all disk image / device labelling

The SELinux and AppArmour drivers are then updated to comply with
this new spec. Notice that the AppArmour driver was actually a
little different. It was creating its profile for the disk image
and device labels in the 'domainGenSecurityLabel' method, where as
the SELinux driver did it in 'domainSetSecurityLabel'. With the
new method split, we can have consistency, with both drivers doing
that in the domainSetSecurityAllLabel method.

NB, the AppArmour changes here haven't been compiled so may not
build.

The QEMU driver is doing 90% of the calls to check for static vs
dynamic labelling. Except it is forgetting todo so in many places,
in particular hotplug is mistakenly assigning disk labels. Move
all this logic into the security drivers themselves, so the HV
drivers don't have to think about it.

* src/security/security_driver.h: Add virDomainObjPtr parameter
  to virSecurityDomainRestoreHostdevLabel and to
  virSecurityDomainRestoreSavedStateLabel
* src/security/security_selinux.c, src/security/security_apparmor.c:
  Add explicit checks for VIR_DOMAIN_SECLABEL_STATIC and skip all
  chcon() code in those cases
* src/qemu/qemu_driver.c: Remove all checks for VIR_DOMAIN_SECLABEL_STATIC
  or VIR_DOMAIN_SECLABEL_DYNAMIC. Add missing checks for possibly NULL
  driver entry points.

* src/lxc/lxc_container.c src/lxc/lxc_controller.c src/lxc/lxc_driver.c
  src/network/bridge_driver.c src/qemu/qemu_driver.c
  src/uml/uml_driver.c: virFileMakePath returns 0 for success, or the
  value of errno on failure, so error checking should be to test
  if non-zero, not if lower than 0

The test expected all environment variables copied in qemudBuildCommandLine
to have known values. So all of them have to be either set to a known value
or be unset. SDL_VIDEODRIVER and QEMU_AUDIO_DRV are not handled at all but
should be handled. Unset both, otherwise the test will fail if they are set
in the testing environment.

* src/qemu/qemu_conf.c: add a comment about copied environment variables
  and qemuxml2argvtest
* tests/qemuxml2argvtest.c: unset SDL_VIDEODRIVER and QEMU_AUDIO_DRV

Invoking the virConnectGetCapabilities() method causes the QEMU
driver to rebuild its internal capabilities object. Unfortunately
it was forgetting to register the custom domain status XML hooks
again.

To avoid this kind of error in the future, the code which builds
capabilities is refactored into one single method, which can be
called from all locations, ensuring reliable rebuilds.

* src/qemu/qemu_driver.c: Fix rebuilding of capabilities XML and
  guarentee it is always consistent

I noticed some debug messages are printed with an empty lines after
them. This patch removes these empty lines from all invocations of the
following macros:
    VIR_DEBUG
    VIR_DEBUG0
    VIR_ERROR
    VIR_ERROR0
    VIR_INFO
    VIR_WARN
    VIR_WARN0
Signed-off-by: NJiri Denemark <jdenemar@redhat.com>

Signed-off-by: NJiri Denemark <jdenemar@redhat.com>

QEMU's command line equivalent for the following domain XML fragment
    <vcpus>2</vcpus>
    <cpu ...>
        ...
        <topology sockets='1' cores='2', threads='1'/>
    </cpu>

is

    -smp 2,sockets=1,cores=2,threads=1

This syntax was introduced in QEMU-0.12.

Version 2 changes:
- -smp argument build split into a separate function
- always add ",sockets=S,cores=C,threads=T" to -smp if qemu supports it
- use qemuParseCommandLineKeywords for command line parsing

Version 3 changes:
- ADD_ARG_LIT => ADD_ARG and line reordering in qemudBuildCommandLine
- rebased
Signed-off-by: NJiri Denemark <jdenemar@redhat.com>

Current version expects name=value,... list and when an incorrect string
such as "a,b,c=d" would be parsed as "a,b,c" keyword with "d" value
without reporting any error, which is probably not the expected
behavior.

This patch adds an extra argument called allowEmptyValue, which if
non-zero will permit keywords with no value; "a,b=c,,d=" will be parsed
as follows:
    keyword value
    "a"     NULL
    "b"     "c"
    ""      NULL
    "d"     ""

In case allowEmptyValue is zero, the string is required to contain
name=value pairs only; retvalues is guaranteed to contain non-NULL
pointers. Now, "a,b,c=d" will result in an error.
Signed-off-by: NJiri Denemark <jdenemar@redhat.com>

Replace

   -balloon virtio

With

   -device virtio-balloon-pci,id=balloon0,bus=pci.0,addr=0x3

This allows it to get correct assigned PCI address as declared in
previous patch

 * src/qemu/qemu_conf.c: Convert Virtio ballon to -device and
   give it an explicit PCI address
 * tests/qemuxml2argvdata/qemuxml2argv-*args: Add in virtio balloon
   where appropriate

Instead of relying on QEMU to assign PCI addresses and then querying
them with 'info pci', manually assign all PCI addresses before starting
the guest.  These addresses are not stable across reboots. That will
come in a later patch

NB, the PIIX3 (IDE, FDC, ISA-Bridge) will always have slot 1 and
VGA will always have slot 2. We declare the Virtio Balloon gets
slot 3, and then all remaining slots are for configured devices.

* src/qemu/qemu_conf.c: If -device is supported, then assign all PCI
  addresses when building the command line
* src/qemu/qemu_driver.c: Don't query monitor for PCI addresses if
  they have already been assigned
* tests/qemuxml2argvdata/qemuxml2argv-hostdev-pci-address-device.args,
  tests/qemuxml2argvdata/qemuxml2argv-net-virtio-device.args,
  tests/qemuxml2argvdata/qemuxml2argv-sound-device.args,
  tests/qemuxml2argvdata/qemuxml2argv-watchdog-device.args: Update
  to include PCI slot/bus information

QEMU always configures a VGA card. If no video card is included in
the libvirt XML, it is neccessary to explicitly turn off the default
using -vga none

* src/qemu/qemu_conf.c: Pass -vga none if no video card is configured
* tests/qemuargv2xmltest.c, tests/qemuxml2argvtest.c: Test for
  handling -vga none.
* tests/qemuxml2argvdata/qemuxml2argv-nographics-vga.args,
  tests/qemuxml2argvdata/qemuxml2argv-nographics-vga.xml: Test
  data files

Not all QEMU builds default to SDL graphics for their display.
Newer QEMU now has an explicit -sdl flag, which we can use to
explicitly request SDL intead of relying on the default. This
protects libvirt against unexpected changes in graphics default

* src/qemu/qemu_conf.c, src/qemu/qemu_conf.h: Probe for -sdl
  flag and use it if it is found
* tests/qemuhelptest.c: Add SDL flag to tests

The old syntax was

   -chardev SOMECONFIG
   -nic user,guestfwd=tcp:IP:PORT-chardev:CHARDEV

The new syntax is

   -chardev SOMECONFIG
   -netdev user,guestfwd=tcp:IP:PORT,chardev=ID,id=user-ID