* src/qemu/qemu_driver.c: initialize detach var

Add the virStrncpy function, which takes a dst string, source string,
the number of bytes to copy and the number of bytes available in the
dest string.  If the source string is too large to fit into the
destination string, including the \0 byte, then no data is copied and
the function returns NULL.  Otherwise, this function copies n bytes
from source into dst, including the \0, and returns a pointer to the
dst string.  This function is intended to replace all unsafe uses
of strncpy in the code base, since strncpy does *not* guarantee that
the buffer terminates with a \0.
Signed-off-by: NChris Lalancette <clalance@redhat.com>

This was prevent virDomainSave from working properly by default,
which is a bad thing.
Signed-off-by: NChris Lalancette <clalance@redhat.com>

* src/Makefile.am, src/qemu/qemu_conf.h, src/qemu/qemu_driver.c,
  tests/seclabeltest.c: Adapt for changed paths
* src/security.c: Rename to src/security/security_driver.c
* src/security.h: Rename to src/security/security_driver.h
* src/security_selinux.c, src/security_selinux.h: Move to src/security/

* src/qemu_conf.c, src/qemu_conf.h, src/qemu_driver.c,
  src/qemu_driver.h: Move to src/qemu/
* daemon/qemud.c, src/Makefile.am, tests/qemuargv2xmltest.c,
  tests/qemuhelptest.c, tests/qemuxml2argvtest.c,
  tests/qemuxml2xmltest.c: Adapt for changed paths

* src/Makefile.am, src/proxy_internal.c, src/proxy_internal.h
  src/sexpr.c, src/sexpr.h, src/xen_unified.c, src/xen_unified.h,
  src/xen_internal.c, src/xen_internal.h, src/xen_inotify.c,
  src/xen_inotify.h, src/xend_internal.c, src/xend_internal.h,
  src/xm_internal.c, src/xm_internal.h, src/xs_internal.c,
  src/xs_internal.h: Move to src/xen/ directory
* proxy/Makefile.am, proxy/libvirt_proxy.c, src/Makefile.am,
  src/libvirt.c, tests/sexpr2xmltest.c, tests/statstest.c,
  tests/xencapstest.c, tests/xmconfigtest.c, tests/xml2sexprtest.c:
  Adapt to changed xen location
* src/stats_linux.h, src/stats_linux.c: Remove xen specific block
  stats APIs
* src/qemu_driver.c, src/uml_driver.c: Add missing sys/un.h include
  uncovered after change to stats_linux.h
* src/xen/block_stats.h, src/xen/block_stats.c: Add xen specific
  block stats APIs

* src/qemu_driver.c: sync the hostdev hot-unplug code with the disk/net
  code.

When we hot-unplug the last device, we're currently double-freeing
the device definition.

Reported by Martin Banas here:

  https://bugzilla.redhat.com/523953

* src/qemu_driver.c: fix double free

Convert all the secret/storage encryption APIs / wire format to
handle UUIDs in raw format instead of non-canonical printable
format. Guarentees data format correctness.

* docs/schemas/storageencryption.rng: Make UUID mandatory for a secret
  and validate fully
* docs/schemas/secret.rng: Fully validate UUID
* include/libvirt/libvirt.h, include/libvirt/libvirt.h.in, Add
  virSecretLookupByUUID and virSecretGetUUID. Make
  virSecretGetUUIDString follow normal API design pattern
* python/generator.py: Skip generation of virSecretGetUUID,
  virSecretGetUUIDString and virSecretLookupByUUID
* python/libvir.c, python/libvirt-python-api.xml: Manual impl
  of virSecretGetUUID,virSecretGetUUIDString and virSecretLookupByUUID
* qemud/remote.c: s/virSecretLookupByUUIDString/virSecretLookupByUUID/
  Fix get_nonnull_secret/make_nonnull_secret to use unsigned char
* qemud/remote_protocol.x: Fix remote_nonnull_secret to use a
  remote_uuid instead of remote_nonnull_string for UUID field.
  Rename REMOTE_PROC_SECRET_LOOKUP_BY_UUID_STRING to
  REMOTE_PROC_SECRET_LOOKUP_BY_UUID_STRING and make it take an
  remote_uuid  value
* qemud/remote_dispatch_args.h, qemud/remote_dispatch_prototypes.h,
  qemud/remote_dispatch_ret.h, qemud/remote_dispatch_table.h,
  qemud/remote_protocol.c, qemud/remote_protocol.h: Re-generate
* src/datatypes.h, src/datatypes.c: Store UUID in raw format instead
  of printable. Change virGetSecret to use raw format UUID
* src/driver.h: Rename virDrvSecretLookupByUUIDString to
  virDrvSecretLookupByUUID and use raw format UUID
* src/libvirt.c: Add virSecretLookupByUUID and virSecretGetUUID
  and re-implement virSecretLookupByUUIDString and
  virSecretGetUUIDString in terms of those
* src/libvirt_public.syms: Add virSecretLookupByUUID and
  virSecretGetUUID
* src/remote_internal.c: Rename remoteSecretLookupByUUIDString
  to remoteSecretLookupByUUID. Fix typo in args for
  remoteSecretDefineXML impl. Use raw UUID format for
  get_nonnull_secret and make_nonnull_secret
* src/storage_encryption_conf.c, src/storage_encryption_conf.h:
  Storage UUID in raw format, and require it to be present in
  XML. Use UUID parser to validate.
* secret_conf.h, secret_conf.c: Generate a UUID if none is provided.
  Storage UUID in raw format.
* src/secret_driver.c: Adjust to deal with raw UUIDs. Save secrets
  in a filed with printable UUID, instead of base64 UUID.
* src/virsh.c: Adjust for changed public API contract of
  virSecretGetUUIDString.
* src/storage_Backend.c: DOn't undefine secret we just generated
  upon successful volume creation. Fix to handle raw UUIDs. Generate
  a non-clashing UUID
* src/qemu_driver.c: Change to use lookupByUUID instead of
  lookupByUUIDString

* src/qemu_driver.c: Don't trust monitor for vcpu PID info on
  restart
* src/domain_conf.c: Save and load vCPU PID info from domain
  status file

Integrate with QEMU monitor to provide encryption passphrase when
starting a guest using encrypted qcow volumes

* src/qemu_driver.c (findDomainDiskEncryption,
  findVolumeQcowPassphrase,
  qemudMonitorSendVolumePassphrase, qemudMonitorSendCont): Send a volume
  passphrase if qemu asks for it.

The interface allows qemudMonitorSendCont() to report errors that are
not overridden by its callers.

Also fix a potential infinite loop in qemuDomainCoreDump() if sending
cont repeatedly fails.

* src/qemu_driver.c (qemudMonitorSendCont): New function.
  (qemudAutostartConfigs): Reset error before each call to
  qemudStartVMDaemon().
  (qemudInitCpus, qemudDomainResume, qemudDomainCoreDump,
  qemudDomainRestore, qemudDomainMigratePerform,
  qemudDomainMigrateFinish2): Use qemudMonitorSendCont().

* src/security_selinux.c: Use virReportSystemError whereever an
  errno is involved
* src/qemu_driver.c: Don't overwrite error message from the
  security driver

* src/security.h: Driver API for relabelling host devices
* src/security_selinux.c: Implement relabelling of PCI and USB
  devices
* src/qemu_driver.c: Relabel USB/PCI devices before hotplug

* src/qemu_driver.c: Remove usbfs/sysfs iterator code and call
  into generic helper APIs instead when setting device permissions

Fix all thread locking bugs reported by object-locking test
case.

NB, some of the driver locking is getting too coarse. Driver
mutexes really need to be turned into RW locks instead to
significantly increase concurrency.

* src/lxc_driver.c: Fix useof driver when unlocked in the methods
  lxcDomainGetInfo, lxcSetSchedulerParameters, and
  lxcGetSchedulerParameters
* src/opennebula/one_driver.c: Fix missing unlock in oneDomainUndefine.
  Fix use of driver when unlocked in oneDomainGetInfo,
  oneGetOSType, oneDomainShutdown
* src/qemu_driver.c: Fix use of driver when unlocked in
  qemudDomainSavem, qemuGetSchedulerType, qemuSetSchedulerParameters
  and qemuGetSchedulerParameters
* src/storage_driver.c: Re-work storagePoolCreate to avoid bogus
  lock checking warning. Re-work storageVolumeCreateXMLFrom to
  remove a potential NULL de-reference & avoid bogus lock check
  warnings
* src/test.c: Remove testDomainAssignDef since it break lock chekc
  warnings.
* tests/object-locking.ml: Add oneDriverLock, oneDriverUnlock
  and one_driver_t methods/types to allow lock checking on the
   OpenNebula drivers

The algorithm is quite simple:

  If the emulator matches a guest's domain:
    if domain has machine type info:
      check the domain's machine type info
    else
      check the guest's default machine type info
  else if the emulator matches the guest's default emulator:
     check the guest's default machine type info

The previous implementation was incorrectly falling back to the default
machine type info if the domain's machine type info didn't have an
alias.

* src/qemu_driver.c: simplify and fix qemudCanonicalizeMachine()

This doesn't have any affect on the current tests because we don't have
any machine aliases in the current test data.

* src/qemu_conf.h, src/qemu_driver.c: expose qemudCanonicalizeMachine()
  for the tests

* tests/qemuxml2argvtest.c: canonicalize the machine type

After the mentioned patch was applied, I noticed that
shutting down a kvm guest from inside (i.e. poweroff) caused
the guest to shutdown, but not removed from the list of
active guests.  DanB pointed out that the problem is that
the virEventAddHandle() call in the qemu driver was asking
to watch for 0 events, not HANGUP | ERROR as it should.  Add
these events so that shutdown works again.
Signed-off-by: NChris Lalancette <clalance@redhat.com>

* src/qemu_driver.c (qemudDomainRestore): Use the new ...TypeToString
function here, too.

* src/qemu_driver.c: avoid a leak of file descriptor when exec'ing qemu

lzop was removed due to some confusion over whether it provided functional
advantages distinct from xz. This has been addressed in the mailing list post
archived at http://permalink.gmane.org/gmane.comp.emulators.libvirt/16487, and
support for lzop is re-added here.

* libvirt.spec.in: add dependancy on lzop
* src/qemu.conf: update documentation of save_image_format
* src/qemu_driver.c: re-add lzop compression option

* src/qemu_driver.c: drop lzma and lzop images compression options
  as they are deprecated by xz
* libvirt.spec.in: add requires for xz/bzip2/gzip as they are needed
  to implement the compression options

* src/qemu_driver.c (QEMUD_SAVE_FORMAT_LAST): Define.
(qemudSaveCompressionTypeFromString): Declare.
(qemudSaveCompressionTypeToString): Declare.
(qemudDomainSave): Use those functions rather than open-coding them.
Use "cat >> '%s' ..." in place of equivalent
"dd of='%s' oflag=append conv=notrunc ...".

* src/qemu_driver.c (enum qemud_save_formats) [QEMUD_SAVE_FORMAT_XZ]:
New member.
[QEMUD_SAVE_FORMAT_LZMA]: Mark as deprecated.
Use an explicit value for each member.
(qemudDomainSave, qemudDomainRestore): Handle the new member.
* src/qemu.conf: Mention xz, too.

* src/openvz_conf.c src/qemu_driver.c src/storage_backend_scsi.c
  src/xen_inotify.c: closes various file descriptors leaks

* src/qemu_driver.c: Free the vm->monitor_chr field at VM shutdown.
  Unlink the UNIX domain socket at VM shutdown to avoid littering
  FS with old sockets

* src/qemu_driver.c: Change ownership of /var/{lib,cache}/libvirt/qemu
  to match user/group that QEMU VMs are configured to run as.

Separate the guest created QEMU monitor socket location
from the libvirtd create XML / PID data files, to improve
security separation when running QEMU non-root

* libvirt.spec.in: Leave /var/run/libvirt/qemu as root:root
* src/qemu_conf.h: Add libDir and cacheDir directory paths
* src/qemu_driver.c: Move QEMU monitor socket from
  stateDir to libDir to avoid making security critical directory
  accessible to QEMU guests.
* src/util.c: Delay running hook till after damonizing to
  ensure pidfile is still written before changing UID/GID

Add option to domain XML for

     <memoryBacking>
        <hugepages/>
     </memoryBacking>

* configure.in: Add check for mntent.h
* qemud/libvirtd_qemu.aug, qemud/test_libvirtd_qemu.aug, src/qemu.conf
  Add 'hugetlbfs_mount' config parameter
* src/qemu_conf.c, src/qemu_conf.h: Check for -mem-path flag in QEMU,
  and pass it when hugepages are requested.
  Load hugetlbfs_mount config parameter, search for mount if not given.
* src/qemu_driver.c: Free hugetlbfs_mount/path parameter in driver shutdown.
  Create directory for QEMU hugepage usage, chowning if required.
* docs/formatdomain.html.in: Document memoryBacking/hugepages elements
* docs/schemas/domain.rng: Add memoryBacking/hugepages elements to schema
* src/util.c, src/util.h, src/libvirt_private.syms: Add virFileFindMountPoint
  helper API
* tests/qemuhelptest.c: Add -mem-path constants
* tests/qemuxml2argvtest.c, tests/qemuxml2xmltest.c: Add tests for hugepage
  handling
* tests/qemuxml2argvdata/qemuxml2argv-hugepages.xml,
  tests/qemuxml2argvdata/qemuxml2argv-hugepages.args: Data files for
  hugepage tests

Paolo Bonzini points out that in my refactoring of the code for
virDomainMigrate(), I added a check for the return value from
virDomainMigratePerform().  The problem is that we don't want to
exit if we fail, we actually want to go on and do
virDomainMigrateFinish2() with a non-0 return code to clean things
up.  Remove the check.

While reproducing this issue, I also noticed that we wouldn't
always properly propagate an error message.  In particular, I
found that if you blocked off the migration ports (with iptables)
and then tried the migration, it would actually fail but we would
get no failure output from Qemu.  Therefore, we would think we
succeeded, and leave a huge mess behind us.  Execute the monitor
command "info migrate", and look for a failure string in there
as well.
Signed-off-by: NChris Lalancette <clalance@redhat.com>

Calling qsort() on the disks array causes disk to be
unneccessarily re-ordered, potentially breaking the
ability to boot if the boot disk gets moved later in
the list. The new algorithm will insert a new disk as
far to the end of the list as possible, while being
ordered correctly wrt other disks on the same bus.

* src/domain_conf.c, src/domain_conf.h: Remove disk sorting
  routines. Add API to insert a disk into existing list at
  the optimal position, without resorting disks
* src/libvirt_private.syms: Export virDomainDiskInsert
* src/xend_internal.c, src/xm_internal.c: Remove calls to
  qsort, use virDomainDiskInsert instead.
* src/qemu_driver.c: Remove calls to qsort, use virDoaminDiskInsert
  instead. Fix reordering bugs when hotunplugging disks and
  networks. Fix memory leak in disk/net unplug

* src/qemu_driver.c: Support arbitrary callbacks for "secondary
  prompts".  Reimplement qemudMonitorCommandExtra using such a
  callback.

The if ((nlptr...)) implicitly assumes commptr != NULL (and that "buf"
starts with "cmd").  Make the assumption explicit, it will be broken in
a future patch.

* src/qemu_driver.c: Don't assume buffered monitor output echoes the
  command.

Per prior discussion -- this was, indeed, trivial.

I'm a little disappointed to be breaking the ordering characteristics of
the enum (as it had been ordered by increasing time requirements and
decreasing output size), but breaking any save files with the old
constants in the headers would of course be worse.

>From 2a9cdcfc88de091a8d34aa3fc3b1208d7681790e Mon Sep 17 00:00:00 2001
From: Charles Duffy <Charles_Duffy@dell.com>
Date: Fri, 28 Aug 2009 11:49:54 -0500
Subject: [PATCH] support lzop save compression for qemu

One of the larger disincentives towards use of compression for migrated-out save
files is performance impact. This patch adds support for lzop; CPU time for
compression is about 5x faster than gzip (the next most performant algorithm)
and decompression is about 3x faster.
Signed-off-by: NCharles Duffy <Charles_Duffy@dell.com>
Signed-off-by: NChris Lalancette <clalance@redhat.com>

qemudExtractMonitorPath() was doing a VIR_ALLOC_N followed by a
strncpy.  However, this isn't necessary; we can do the same thing
using strndup, which is much safer.
Signed-off-by: NChris Lalancette <clalance@redhat.com>

Fix up a small memory leak pointed out by DanB; I was forgetting
to release memory allocated to driver->saveImageFormat.
Also add the "save_image_format" and "security" entries to
the augeas lens.
Signed-off-by: NChris Lalancette <clalance@redhat.com>

As we start/shutdown guests, or hotplug/hot-unplug devices, we can add
or delete devices as appropriate from a list of active devices.

Then, in pciReset(), we can use this to determine whether its safe to
reset a device as a side effect of resetting another device.

* src/qemu_conf.h: add activePciHostdevs to qemud_driver

* src/qemu_driver.c: maintain the activePciHostdevs list, and pass it
  to pciResetDevice()

* src/pci.[ch]: pass the activeDevs list to pciResetDevice() and use
  it to determine whether a Secondary Bus Reset is safe

The qemuPrepareHostDevices() and qemuDomainReAttachHostDevices()
functions are clutter with a bunch of calls to pciGetDevice() and
pciFreeDevice() obscuring the basic logic.

Add a pciDeviceList type and add a qemuGetPciHostDeviceList() function
to build a list from a domain definition. Use this in prepare/re-attach
fto simplify things and eliminate the multiple pciGetDevice calls.

This is especially useful because in the next patch we need to iterate
the hostdevs list a third time and we also need a list type for keeping
track of active devices.

* src/pci.[ch]: add pciDeviceList type and also a per-device 'managed'
  property

* src/libvirt_private.syms: export the new functions

* src/qemu_driver.c: add qemuGetPciHostDeviceList() and re-write
  qemuPrepareHostDevices() and qemuDomainReAttachHostDevices() to use it

Newer versions of QEMU accept 'pci_add auto', but older versions require
'pci_add pci_addr=auto'

* src/qemu_driver.c: use pci_addr= in qemudDomainAttachHostPciDevice()
  for older versions of QEMU