1. 24 June 2013, 14 commits
    • Add ACL checks into the storage driver · c930410b
      Daniel P. Berrange committed
      Insert calls to the ACL checking APIs in all storage driver
      entrypoints.
      Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
      c930410b
    • Add ACL checks into the libxl driver · f5e007c3
      Daniel P. Berrange committed
      Insert calls to the ACL checking APIs in all libxl driver
      entrypoints.
      Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
      f5e007c3
    • Add ACL checks into the Xen driver · cffe870c
      Daniel P. Berrange committed
      Insert calls to the ACL checking APIs in all Xen driver
      entrypoints.
      Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
      cffe870c
    • Add ACL checks into the UML driver · d78277f9
      Daniel P. Berrange committed
      Insert calls to the ACL checking APIs in all UML driver
      entrypoints.
      Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
      d78277f9
    • Add ACL checks into the LXC driver · 279866d5
      Daniel P. Berrange committed
      Insert calls to the ACL checking APIs in all LXC driver
      entrypoints.
      Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
      279866d5
    • Add ACL checks into the QEMU driver · abf75aea
      Daniel P. Berrange committed
      Insert calls to the ACL checking APIs in all QEMU driver
      entrypoints.
      Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
      abf75aea
    • Auto-generate helpers for checking access control rules · 68602622
      Daniel P. Berrange committed
      Extend the 'gendispatch.pl' script to be able to generate
      three new types of file.
      
      - 'aclheader' - defines signatures of helper APIs for
        doing authorization checks. There is one helper API
        for each API requiring an auth check. Any @acl
        annotations result in a method being generated with
        a suffix of 'EnsureACL'. If the ACL check requires
        examination of flags, an extra 'flags' param will be
        present. Some examples
      
        extern int virConnectBaselineCPUEnsureACL(void);
        extern int virConnectDomainEventDeregisterEnsureACL(virDomainDefPtr domain);
        extern int virDomainAttachDeviceFlagsEnsureACL(virDomainDefPtr domain, unsigned int flags);
      
        Any @aclfilter annotations result in a method being
        generated with a suffix of 'CheckACL'.
      
        extern int virConnectListAllDomainsCheckACL(virDomainDefPtr domain);
      
        These are used for filtering individual objects from APIs
        which return a list of objects
      
      - 'aclbody' - defines the actual implementation of the
        methods described above. This calls into the access
        manager APIs. A complex example:
      
          /* Returns: -1 on error (denied==error), 0 on allowed */
          int virDomainAttachDeviceFlagsEnsureACL(virConnectPtr conn,
                                                  virDomainDefPtr domain,
                                                  unsigned int flags)
          {
              virAccessManagerPtr mgr;
              int rv;
      
              if (!(mgr = virAccessManagerGetDefault()))
                  return -1;
      
              if ((rv = virAccessManagerCheckDomain(mgr,
                                                    conn->driver->name,
                                                    domain,
                                                    VIR_ACCESS_PERM_DOMAIN_WRITE)) <= 0) {
                  virObjectUnref(mgr);
                  if (rv == 0)
                      virReportError(VIR_ERR_ACCESS_DENIED, NULL);
                  return -1;
              }
              if (((flags & (VIR_DOMAIN_AFFECT_CONFIG|VIR_DOMAIN_AFFECT_LIVE)) == 0) &&
                  (rv = virAccessManagerCheckDomain(mgr,
                                                    conn->driver->name,
                                                    domain,
                                                    VIR_ACCESS_PERM_DOMAIN_SAVE)) <= 0) {
                  virObjectUnref(mgr);
                  if (rv == 0)
                      virReportError(VIR_ERR_ACCESS_DENIED, NULL);
                  return -1;
              }
              if (((flags & (VIR_DOMAIN_AFFECT_CONFIG)) == (VIR_DOMAIN_AFFECT_CONFIG)) &&
                  (rv = virAccessManagerCheckDomain(mgr,
                                                    conn->driver->name,
                                                    domain,
                                                    VIR_ACCESS_PERM_DOMAIN_SAVE)) <= 0) {
                  virObjectUnref(mgr);
                  if (rv == 0)
                      virReportError(VIR_ERR_ACCESS_DENIED, NULL);
                  return -1;
              }
              virObjectUnref(mgr);
              return 0;
          }
      
      - 'aclsyms' - generates a linker script to export the
         APIs to drivers. Some examples
      
        virConnectBaselineCPUEnsureACL;
        virConnectCompareCPUEnsureACL;
      Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
      68602622
    • Add ACL annotations to all RPC messages · e341435e
      Daniel P. Berrange committed
      Introduce annotations to all RPC messages to declare what
      access control checks are required. There are two new
      annotations defined:
      
       @acl: <object>:<permission>
       @acl: <object>:<permission>:<flagname>
      
        Declare the access control requirements for the API. May be repeated
        multiple times, if multiple rules are required.
      
          <object> is one of 'connect', 'domain', 'network', 'storagepool',
                   'interface', 'nodedev', 'secret'.
          <permission> is one of the permissions in access/viraccessperm.h
          <flagname> indicates the rule only applies if the named flag
          is set in the API call
      
       @aclfilter: <object>:<permission>
      
        Declare an access control filter that will be applied to a list
        of objects being returned by an API. This allows the returned
        list to be filtered to only show those the user has permissions
        against
      Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
      e341435e
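As an added illustration of the two commits above (the @acl/@aclfilter annotation syntax of e341435e and the generated 'aclbody' helpers of 68602622), not part of libvirt or its gendispatch.pl: a small Python re-implementation that parses the annotations of one RPC message and emits the EnsureACL helper in the shape shown in 68602622, including the conditional 'flags' parameter and the fail-closed handling of both a denial (rv == 0) and a driver error (rv < 0). The virAccessManagerCheck<Object>() naming for objects other than 'domain' and the VIR_ACCESS_PERM_<OBJECT>_<PERMISSION> enum pattern are assumptions generalized from the domain example; the sample annotation block is constructed.

```python
import re
from dataclasses import dataclass

ACL_RE = re.compile(r"@acl:\s*(\w+):(\w+)(?::(\w+))?")
ACLFILTER_RE = re.compile(r"@aclfilter:\s*(\w+):(\w+)")

# Constructed sample: the annotation block of one RPC message, in the
# <object>:<permission>[:<flagname>] form the commit describes.
SAMPLE = """
 * @acl: domain:write
 * @acl: domain:save:VIR_DOMAIN_AFFECT_CONFIG
"""

@dataclass(frozen=True)
class AclRule:
    obj: str        # 'connect', 'domain', 'network', ...
    perm: str       # permission name from access/viraccessperm.h
    flag: str = ""  # non-empty: rule applies only when this flag is set

def parse_annotations(comment):
    """Return (@acl rules, @aclfilter rules) found in a message comment."""
    acl = [AclRule(o, p, f) for o, p, f in ACL_RE.findall(comment)]
    filt = [AclRule(o, p) for o, p in ACLFILTER_RE.findall(comment)]
    return acl, filt

def _check_call(r):
    # Assumed naming virAccessManagerCheck<Object>(); the commit shows the
    # 'domain' instance, virAccessManagerCheckDomain().
    obj_arg = "" if r.obj == "connect" else f"{r.obj}, "
    perm = f"VIR_ACCESS_PERM_{r.obj.upper()}_{r.perm.upper()}"
    return (f"virAccessManagerCheck{r.obj.capitalize()}"
            f"(mgr, conn->driver->name, {obj_arg}{perm})")

def gen_ensure_acl(api, rules):
    """Emit the 'aclbody'-style <api>EnsureACL() helper as C source text."""
    obj = rules[0].obj
    params = ["virConnectPtr conn"]
    if obj != "connect":
        params.append(f"vir{obj.capitalize()}DefPtr {obj}")
    if any(r.flag for r in rules):  # 'flags' param only when a rule needs it
        params.append("unsigned int flags")
    out = ["/* Returns: -1 on error (denied==error), 0 on allowed */",
           f"int {api}EnsureACL({', '.join(params)})", "{",
           "    virAccessManagerPtr mgr;", "    int rv;", "",
           "    if (!(mgr = virAccessManagerGetDefault()))",
           "        return -1;", ""]
    for r in rules:
        cond = f"((flags & ({r.flag})) == ({r.flag})) && " if r.flag else ""
        out += [f"    if ({cond}(rv = {_check_call(r)}) <= 0) {{",
                "        virObjectUnref(mgr);",
                "        if (rv == 0)  /* 0 = denied, <0 = driver error */",
                "            virReportError(VIR_ERR_ACCESS_DENIED, NULL);",
                "        return -1;    /* fail closed either way */",
                "    }"]
    out += ["    virObjectUnref(mgr);", "    return 0;", "}"]
    return "\n".join(out)
```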
    • Add a policy kit access control driver · b904bba7
      Daniel P. Berrange committed
      Add an access control driver that uses the pkcheck command
      to check authorization requests. This is fairly inefficient,
      particularly for cases where an API returns a list of objects
      and needs to check permission for each object.
      
      It would be desirable to use the polkit API but this links
      to glib with abort-on-OOM behaviour, so can't be used. The
      other alternative is to speak to dbus directly
      Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
      b904bba7
    • Setup default access control manager in libvirtd · ed3bac71
      Daniel P. Berrange committed
      Add a new 'access_drivers' config parameter to the libvirtd.conf
      configuration file. This allows admins to setup the default
      access control drivers to use for API authorization. The same
      driver is to be used by all internal drivers & APIs
      Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
      ed3bac71
    • Set conn->driver before running driver connectOpen method · ba7b867b
      Daniel P. Berrange committed
      The access control checks in the 'connectOpen' driver method
      will require 'conn->driver' to be non-NULL. Set this before
      running the 'connectOpen' method and NULL-ify it again on
      failure.
      Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
      ba7b867b
    • Define basic internal API for access control · a93cd08f
      Daniel P. Berrange committed
      This patch introduces the virAccessManagerPtr class as the
      interface between virtualization drivers and the access
      control drivers. The viraccessperm.h file defines the
      various permissions that will be used for each type of object
      libvirt manages
      Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
      a93cd08f
    • qemu: check if block I/O limits fit into long long · d3c87884
      Ján Tomko committed
      We can only pass values up to LLONG_MAX through JSON
      and QEMU checks if the int64_t number is not negative
      at startup since 1.5.0.
      
      https://bugzilla.redhat.com/show_bug.cgi?id=974010
      d3c87884
    • Get rid of useless VIR_STORAGE_FILE_FEATURE_NONE · 7a99eb91
      Ján Tomko committed
      It's not used anywhere except for the switch in
      virStorageBackendCreateQemuImgOpts, where leaving it in causes
      a dead code coverity warning and omitting it breaks compilation
      because of unhandled enum value.
      
      Introduced by 6298f74d.
      7a99eb91
  2. 22 June 2013, 4 commits
    • netdev: accept NULL in virNetDevSetupControl · 695593fe
      Ján Tomko committed
      Commit b9c6b073 dropped the version of virNetDevSetupControl
      that didn't check for NULL arguments, but we call it like that
      in virNetDevBridgeDelete.
      695593fe
    • xen: Implement virConnectGetSysinfo · 3a3b8f69
      Jim Fehlig committed
      virConnectGetSysinfo was never implemented in the legacy xen driver.
      This patch provides an implementation based on the qemu driver.
      3a3b8f69
    • libxl: Implement virConnectGetSysinfo · fdc10e8d
      Jim Fehlig committed
      virConnectGetSysinfo was never implemented in the libxl driver.
      This patch provides an implementation based on the qemu driver.
      fdc10e8d
    • libxl: Allow libxl to set NIC devid · ba64b971
      Jim Fehlig committed
      libxl contains logic to determine an appropriate devid for new devices
      that do not specify one in their configuration.  For all device types
      except NICs, the libxl driver allows libxl to determine devid.  Do the
      same for NICs.
      ba64b971
  3. 21 June 2013, 15 commits
    • storage: add support for creating qcow2 images with extensions · 6298f74d
      Ján Tomko committed
      Add -o compat= and -o lazy_refcounts options for qemu-img.
      6298f74d
    • conf: add features to volume target XML · 31d42506
      Ján Tomko committed
      Add <features> and <compat> elements to volume target XML.
      
      <compat> is a string which for qcow2 represents the QEMU version
      it should be compatible with. Valid values are 0.10 and 1.1.
      1.1 is implicit if the <features> element is present, otherwise
      qemu-img default is used. 0.10 can be specified to explicitly
      create older images after the qemu-img default changes.
      
      <features> contains optional features, so far
      <lazy_refcounts/> is available, which enables caching of reference
      counters, improving performance for snapshots.
      31d42506
    • util: add support for qcow2v3 image detection · a1ee8e18
      Ján Tomko committed
      Detect qcow2 images with version 3 in the image header as
      VIR_STORAGE_FILE_QCOW2.
      
      These images have a feature bitfield, with just one feature supported
      so far: lazy_refcounts.
      
      The header length changed too, moving the location of the backing
      format name.
      a1ee8e18
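An added example, not libvirt's code, of the detection a1ee8e18 describes: a parser that recognises qcow2 version 3 alongside version 2, reads the lazy_refcounts bit from the v3 feature bitfield, and looks for the backing format name header extension at the v3 header_length instead of the fixed 72-byte v2 offset. The header layout, the feature bit and the extension type value are taken from the qcow2 specification; the image headers are constructed inline and are not real disk images.

```python
import struct

QCOW_MAGIC = b"QFI\xfb"
QCOW2_V2_HEADER_LEN = 72               # v2: extensions start right after the header
QCOW2_EXT_BACKING_FORMAT = 0xE2792ACA  # header extension naming the backing format
COMPAT_LAZY_REFCOUNTS = 1 << 0         # bit 0 of compatible_features (v3 only)

def parse_qcow2_header(buf):
    """Return {version, lazy_refcounts, backing_format} for a v2/v3 header, else None."""
    if len(buf) < QCOW2_V2_HEADER_LEN or buf[:4] != QCOW_MAGIC:
        return None
    version = struct.unpack_from(">I", buf, 4)[0]
    if version not in (2, 3):          # unknown version: refuse to guess
        return None
    info = {"version": version, "lazy_refcounts": False, "backing_format": None}
    if version == 3:
        if len(buf) < 104:             # v3 fixed header is 104 bytes
            return None
        # offsets 72..103: incompatible, compatible, autoclear features,
        # refcount_order, header_length (all big-endian)
        _incompat, compat, _auto, _order, ext_off = struct.unpack_from(">QQQII", buf, 72)
        info["lazy_refcounts"] = bool(compat & COMPAT_LAZY_REFCOUNTS)
    else:
        ext_off = QCOW2_V2_HEADER_LEN
    # Header extensions: u32 type, u32 length, data padded to 8 bytes; type 0 ends them.
    while ext_off + 8 <= len(buf):
        etype, elen = struct.unpack_from(">II", buf, ext_off)
        if etype == 0 or ext_off + 8 + elen > len(buf):   # end marker or truncated
            break
        if etype == QCOW2_EXT_BACKING_FORMAT:
            info["backing_format"] = buf[ext_off + 8:ext_off + 8 + elen].decode("ascii", "replace")
        ext_off += 8 + ((elen + 7) & ~7)
    return info

def build_sample(version, lazy=False, backing_fmt=b"qcow2"):
    """Constructed minimal header (not a real image) plus a backing-format extension."""
    hdr = bytearray(104 if version == 3 else QCOW2_V2_HEADER_LEN)
    hdr[:4] = QCOW_MAGIC
    struct.pack_into(">I", hdr, 4, version)
    struct.pack_into(">I", hdr, 20, 16)         # cluster_bits
    struct.pack_into(">Q", hdr, 24, 1 << 30)    # virtual size
    if version == 3:
        compat = COMPAT_LAZY_REFCOUNTS if lazy else 0
        struct.pack_into(">QQQII", hdr, 72, 0, compat, 0, 4, len(hdr))
    ext = struct.pack(">II", QCOW2_EXT_BACKING_FORMAT, len(backing_fmt)) + backing_fmt
    ext += b"\0" * ((-len(backing_fmt)) % 8)     # pad data to an 8-byte boundary
    return bytes(hdr) + ext + struct.pack(">II", 0, 0)
```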
    • qemu: add hv_vapic and hv_spinlocks support · 19f75d5e
      Ján Tomko committed
      XML:
      <features>
        <hyperv>
          <vapic state='on'/>
          <spinlocks state='on' retries='4096'/>
        </hyperv>
      </features>
      
      results in the following QEMU command line:
      qemu -cpu <cpu_model>,hv_vapic,hv_spinlocks=0x1000
      
      https://bugzilla.redhat.com/show_bug.cgi?id=784836
      19f75d5e
    • conf: add vapic and spinlocks to hyperv features · 800b51d7
      Ján Tomko committed
      Add new CPU features for HyperV:
      vapic for virtual APIC support
      spinlocks for setting spinlock support
      
      <features>
        <hyperv>
          <vapic state='on'/>
          <spinlocks state='on' retries='4096'/>
        </hyperv>
      </features>
      
      https://bugzilla.redhat.com/show_bug.cgi?id=784836
      800b51d7
    • ce240067
    • BSD: implement virNetDevBridgeCreate() and virNetDevBridgeDelete() · b9c6b073
      Roman Bogorodskiy committed
      Implementation uses SIOCIFCREATE2 and SIOCIFDESTROY ioctls.
      Also, drop static virNetDevSetupControl() as we have
      public one available now.
      b9c6b073
    • conf: Requires either uuid or usage of secret · 9b8ee6d0
      Osier Yang committed
      As the RNG schema for disk auth secret implies, it requires either
      "uuid" or "usage":
      
        <define name='diskAuthSecret'>
          <element name='secret'>
            <attribute name='type'>
              <choice>
                <value>ceph</value>
                <value>iscsi</value>
              </choice>
            </attribute>
            <choice>
              <attribute name='uuid'>
                <ref name="UUID"/>
              </attribute>
              <attribute name='usage'>
                <ref name='genericName'/>
              </attribute>
            </choice>
          </element>
        </define>
      9b8ee6d0
    • qemu: Make probing for commands declarative · adb7b0b5
      Jiri Denemark committed
      adb7b0b5
    • qemu: Make probing for events declarative · 61a28414
      Jiri Denemark committed
      61a28414
    • build: Fix build with -Werror · 24d0e67a
      Jim Fehlig committed
      Commit 752596b5 broke the build with -Werror
      
      qemu/qemu_hotplug.c: In function 'qemuDomainChangeGraphics':
      qemu/qemu_hotplug.c:1980:39: error: declaration of 'listen' shadows a
        global declaration [-Werror=shadow]
      
      Fix with s/listen/newlisten/
      24d0e67a
    • network: increase max number of routes · 2bdf548f
      Laine Stump committed
      This fixes the problem reported in:
      
         https://bugzilla.redhat.com/show_bug.cgi?id=972690
      
      When checking for a collision of a new libvirt network's subnet with
      any existing routes, we read all of /proc/net/route into memory, then
      parse all the entries. The function that we use to read this file
      requires a "maximum length" parameter, which had previously been set
      to 64*1024. As each line in /proc/net/route is 128 bytes, this would
      allow for a maximum of 512 entries in the routing table.
      
      This patch increases that number to 128 * 100000, which allows for
      100,000 routing table entries. This means that it's possible that 12MB
      would be allocated, but that would only happen if there really were
      100,000 route table entries on the system, it's only held for a very
      short time.
      
      Since there is no method of specifying an unlimited max (and that
      would create a potential denial of service anyway) hopefully this
      limit is large enough to accommodate everyone.
      2bdf548f
    • qemuDomainChangeGraphics: Check listen address change by listen type · 752596b5
      Michal Privoznik committed
      Currently, we have a bug when updating a graphics device. A graphics device can
      have a listen address set. This address is either defined by user (in which case
      its type is VIR_DOMAIN_GRAPHICS_LISTEN_TYPE_ADDRESS) or it can be inherited
      from a network (in which case its type is
      VIR_DOMAIN_GRAPHICS_LISTEN_TYPE_NETWORK). However, in both cases we have a
      listen address to process (e.g. during migration, as I've tried to fix in
      7f15ebc7).
      Later, when a user tries to update the graphics device (e.g. set a password),
      we check if listen addresses match the original as qemu doesn't know how to
      change listen address yet. Hence, users are required to not change the listen
      address. The implementation then just dumps listen addresses and compare them.
      Previously, while dumping the listen addresses, NULL was returned for NETWORK.
      After my patch, this is no longer true, and we get a listen address for olddev
      even if it is a type of NETWORK. So we have a real string on one side, the NULL
      from user's XML on the other side and hence we think user wants to change the
      listen address and we refuse it.
      
      Therefore, we must take the type of listen address into account as well.
      752596b5
    • libxl: initialize device structures · c3358d14
      Marek Marczykowski-Górecki committed
      Do not leave uninitialized variables, not all parameters are set in
      libxlMake*.
      Signed-off-by: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
      c3358d14
  4. 20 June 2013, 3 commits
    • libxl: populate xenstore memory entries at startup, handle dom0_mem · 7ed47d16
      Marek Marczykowski-Górecki committed
      libxl uses some xenstore entries for hints in memory management
      (especially when starting new domain). This includes dom0 memory limit
      and Xen free memory margin, based on current system state. Entries are
      created at first function usage, so force such call at daemon startup,
      which most likely will be before any domain startup.
      Also prevent automatic memory management if dom0_mem= option passed to
      xen hypervisor - it is known to be incompatible with autoballoon.
      Signed-off-by: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
      7ed47d16
    • lxc: Resolve issue with GetScheduler APIs for non running domain · 38ada092
      John Ferlan committed
      As a consequence of the cgroup layout changes from commit 'cfed9ad4', the
      lxcDomainGetSchedulerParameters[Flags]()' and lxcGetSchedulerType() APIs
      failed to return data for a non running domain.  This can be seen through
      a 'virsh schedinfo <domain>' command which returns:
      
      Scheduler      : Unknown
      error: Requested operation is not valid: cgroup CPU controller is not mounted
      
      Prior to that change a non running domain would return:
      
      Scheduler      : posix
      cpu_shares     : 0
      vcpu_period    : 0
      vcpu_quota     : 0
      emulator_period: 0
      emulator_quota : 0
      
      This patch will restore the capability to return configuration only data
      for a non running domain regardless of whether cgroups are available.
      38ada092
    • qemu: Resolve issue with GetScheduler APIs for non running domain · b2375453
      John Ferlan committed
      As a consequence of the cgroup layout changes from commit '632f78ca', the
      qemuDomainGetSchedulerParameters[Flags]()' and qemuGetSchedulerType() APIs
      failed to return data for a non running domain.  This can be seen through
      a 'virsh schedinfo <domain>' command which returns:
      
      Scheduler      : Unknown
      error: Requested operation is not valid: cgroup CPU controller is not mounted
      
      Prior to that change a non running domain would return:
      
      Scheduler      : posix
      cpu_shares     : 0
      vcpu_period    : 0
      vcpu_quota     : 0
      emulator_period: 0
      emulator_quota : 0
      
      This patch will restore the capability to return configuration only data
      for a non running domain regardless of whether cgroups are available.
      b2375453
  5. 19 June 2013, 3 commits
  6. 18 June 2013, 1 commit