Convert the nwfilter ebtablesApplyBasicRules method to use the
virFirewall object APIs instead of creating shell scripts
using virBuffer APIs. This provides a performance improvement
through allowing direct use of firewalld dbus APIs and will
facilitate automated testing.
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>

Convert the nwfilter ebiptablesTearNewRules method to use the
virFirewall object APIs instead of creating shell scripts
using virBuffer APIs. This provides a performance improvement
through allowing direct use of firewalld dbus APIs and will
facilitate automated testing.
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>

Convert the nwfilter ebtablesRemoveBasicRules method to use the
virFirewall object APIs instead of creating shell scripts
using virBuffer APIs. This provides a performance improvement
through allowing direct use of firewalld dbus APIs and will
facilitate automated testing.
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>

Convert the nwfilter ebiptablesTearOldRules method to use the
virFirewall object APIs instead of creating shell scripts
using virBuffer APIs. This provides a performance improvement
through allowing direct use of firewalld dbus APIs and will
facilitate automated testing.
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>

Convert the nwfilter ebiptablesAllTeardown method to use the
virFirewall object APIs instead of creating shell scripts
using virBuffer APIs. This provides a performance improvement
through allowing direct use of firewalld dbus APIs and will
facilitate automated testing.
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>

Convert the virebtables.{c,h} files to use the new virFirewall
APIs for changing ebtables rules.
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>

Using the virCommand dry run capability, capture iptables rules
created by various network XML documents.
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>

The networkCheckRouteCollision, networkAddFirewallRules and
networkRemoveFirewallRules APIs all take a virNetworkObjPtr
instance, but only ever access the 'def' member. It thus
simplifies testing if the APIs are changed to just take a
virNetworkDefPtr instead
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>

Update the iptablesXXXX methods so that instead of directly
executing iptables commands, they populate rules in an
instance of virFirewallPtr. The bridge driver can thus
construct the ruleset and then invoke it in one operation
having rollback handled automatically.
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>

The network and nwfilter drivers both have a need to update
firewall rules. The currently share no code for interacting
with iptables / firewalld. The nwfilter driver is fairly
tied to the concept of creating shell scripts to execute
which makes it very hard to port to talk to firewalld via
DBus APIs.

This patch introduces a virFirewallPtr object which is able
to represent a complete sequence of rule changes, with the
ability to have multiple transactional checkpoints with
rollbacks. By formally separating the definition of the rules
to be applied from the mechanism used to apply them, it is
also possible to write a firewall engine that uses firewalld
DBus APIs natively instead of via the slow firewalld-cmd.
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>

When a VM fails to launch due to error creating nwfilter
rules, we must avoid overwriting the original error when
tearing down the partially created rules.
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>

The nwfilter ebiptables driver will build up commands to run in
two phases. The first phase contains all of the command, except
for the '-A' part. Instead it has a '%c' placeholder, along with
a '%s' placeholder for a position arg. The second phase than
substitutes these placeholders. The only values ever used for
these substitutions though is '-A' and '', so it is entirely
pointless. Remove the second phase entirely, since it will make
it harder to convert to the new firewall APIs
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>

The current nwfilter tech driver API has a 'createRuleInstance' method
which populates virNWFilterRuleInstPtr with a command line string
containing variable placeholders. The 'applyNewRules' method then
expands the variables and executes the commands. This split of
responsibility won't work when switching to the virFirewallPtr
APIs, since we can't just build up command line strings. This patch
this merges the functionality of 'createRuleInstance' into the
applyNewRules method.

The virNWFilterRuleInstPtr struct is changed from holding an array
of opaque pointers, into holding generic metadata about the rules
to be processed. In essence this is the result of taking a linked
set of virNWFilterDefPtr's and flattening the tree to get a list
of virNWFilterRuleDefPtr's. At the same time we must keep track of
any nested virNWFilterObjPtr instances, so that the locks are held
for the duration of the 'applyNewRules' method.
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>

Later refactoring will change use of the virNWFilterRuleInstPtr struct.
Prepare for this by pushing use of the virNWFilterRuleInstPtr parameter
out of the ebtablesCreateRuleInstance and iptablesCreateRuleInstance
methods. Instead they simply string(s) with the constructed rule data.
The ebiptablesCreateRuleInstance method will make use of the
virNWFilterRuleInstPtr struct instead.
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>

Add virNWFilterRuleIsProtocol{Ethernet,IPv4,IPv6} helper methods
to avoid having to write a giant switch statements with many cases.
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>

The 'displayRuleInstance' callback in the nwfilter tech driver
is never invoked, so can be deleted.
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>

The 'removeRules' callback in the nwfilter tech driver is never
invoked, so can be deleted.
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>

The virNWFilterHashTable struct contains a virHashTable and
then a 'char **names' field which keeps a copy of all the
hash keys. Presumably this was intended to record the ordering
of the hash keys. No code ever uses this and the ordering is
mangled whenever a variable is removed from the hash, because
the last element in the list is copied into the middle of the
list when shrinking the array.
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>

The 'virDomainNetType' is unused in every impl of the
virNWFilterRuleCreateInstance driver method. Remove it
from the code to avoid the dependancy on the external
enum.
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>

The virNWFilterTechDriver struct is nothing to do with the nwfilter
XML configuration. It stores data specific to the driver implementation
so should be in a header in the driver directory instead.
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>

If virNWFilterVarValueCreateSimple fails with OOM, then
'val' will be leaked by virNWFilterVarValueCreateSimpleCopyValue
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>

Commit c4206d7c fixed the overflow for running domains. However, we need
a similar check when setting migration speed on inactive domains.

At first look, it may seem the check in c4206d7c is now redundant but
qemuDomainMigrateSetMaxSpeed is not the only caller of
qemuMonitorSetMigrationSpeed so we need to check the bandwidth in both
places.

https://bugzilla.redhat.com/show_bug.cgi?id=1083483Signed-off-by: NJiri Denemark <jdenemar@redhat.com>

Replace use of cpuMapOverride with virFileFindResource
to locate CPU map from build dir.
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>

Replace virDriverModuleInitialize with virFileFindResource
usage.
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>

Replace virLockManagerSetPluginDir with virFileFindResource
usage.
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>

Instead of hardcoding LIBEXECDIR as the location of the libvirt_iohelper
binary, use virFileFindResource to optionally find it in the current
build directory.
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>

Instead of hardcoding LIBEXECDIR as the location of the libvirt_parthelper
binary, use virFileFindResource to optionally find it in the current
build directory.
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>

Instead of hardcoding LIBEXECDIR as the location of the libvirt_lxc
binary set in the LXC driver capabilities, use virFileFindResource
to optionally find it in the current build directory.
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>

Instead of hardcoding LIBEXECDIR as the location of the libvirt_iohelper
binary, use virFileFindResource to optionally find it in the current
build directory.
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>

Add calls to virFileActivateDirOverride so that the build dir
overrides are activated.
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>

Add virFileFindResource which will try to locate files
in the local build tree if the calling binary (eg libvirtd or
test suite) is being run from the build tree. The corresponding
virFileActivateDirOverride should be called at startup passing
in argv[0]. This will be examined for evidence of libtool magic
binary prefix / sub-directory in order to activate the override.
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>

In debugging a crash on OOM, I thought that the virInsert APIs
might be at fault, but couldn't isolate them as a cause. While
the viralloc APIs are used in many test suites, this is as a
side-effect, they are not directly tested :-)
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>

Each backing store of a given disk is associated with a unique index
(which is also formatted in domain XML) for easier addressing of any
particular backing store. With this patch, any backing store can be
addressed by its disk target and the index. For example, "vdc[4]"
addresses the backing store with index equal to 4 of the disk identified
by "vdc" target. Such shorthand can be used in any API in place for a
backing file path:

    virsh blockcommit domain vda --base vda[3] --top vda[2]
Signed-off-by: NJiri Denemark <jdenemar@redhat.com>

Returning both virStorageSourcePtr and its path member does not make a
lot of sense.
Signed-off-by: NJiri Denemark <jdenemar@redhat.com>

virStorageFileChainLookup is able to give use virStorageSourcePtr which
contains the pointer to its canonical path. Let's use a more general
virStorageSourcePtr instead of just canonical path.

Former base_canon maps to baseSource->path.
Signed-off-by: NJiri Denemark <jdenemar@redhat.com>

virStorageFileChainLookup is able to give use virStorageSourcePtr which
contains the pointer to its canonical path. There's no need for the
caller to store both of them.

Former top_meta maps to topSource and top_canon maps to topSource->path.
Signed-off-by: NJiri Denemark <jdenemar@redhat.com>

Once again, gcc 4.4.7 (hello RHEL) rears its ugly head:

conf/domain_conf.c: In function 'virDomainDiskBackingStoreFormat':
conf/domain_conf.c:14940: error: declaration of 'index' shadows a global declaration [-Wshadow]
/usr/include/string.h:489: error: shadowed declaration is here [-Wshadow]

* src/conf/domain_conf.c (virDomainDiskBackingStoreFormat): Pacify
older gcc.
Signed-off-by: NEric Blake <eblake@redhat.com>

* Add nmdm type device to domain format documnetation
* Add a section about nmdm console usage to the bhyve driver
  documentation

Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1019926
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=868673Signed-off-by: NMartin Kletzander <mkletzan@redhat.com>

Signed-off-by: NJiri Denemark <jdenemar@redhat.com>