For consistency all the APIs in the lxc_process.c file should
have a virLXCProcess prefix in their name
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>

Any time we have a string with no % passed through gettext, a
translator can inject a % to cause a stack overread.  When there
is nothing to format, it's easier to ask for a string that cannot
be used as a formatter, by using a trivial "%s" format instead.

In the past, we have used --disable-nls to catch some of the
offenders, but that doesn't get run very often, and many more
uses have crept in.  Syntax check to the rescue!

The syntax check can catch uses such as
virReportError(code,
               _("split "
                 "string"));
by using a sed script to fold context lines into one pattern
space before checking for a string without %.

This patch is just mechanical insertion of %s; there are probably
several messages touched by this patch where we would be better
off giving the user more information than a fixed string.

* cfg.mk (sc_prohibit_diagnostic_without_format): New rule.
* src/datatypes.c (virUnrefConnect, virGetDomain)
(virUnrefDomain, virGetNetwork, virUnrefNetwork, virGetInterface)
(virUnrefInterface, virGetStoragePool, virUnrefStoragePool)
(virGetStorageVol, virUnrefStorageVol, virGetNodeDevice)
(virGetSecret, virUnrefSecret, virGetNWFilter, virUnrefNWFilter)
(virGetDomainSnapshot, virUnrefDomainSnapshot): Add %s wrapper.
* src/lxc/lxc_driver.c (lxcDomainSetBlkioParameters)
(lxcDomainGetBlkioParameters): Likewise.
* src/conf/domain_conf.c (virSecurityDeviceLabelDefParseXML)
(virDomainDiskDefParseXML, virDomainGraphicsDefParseXML):
Likewise.
* src/conf/network_conf.c (virNetworkDNSHostsDefParseXML)
(virNetworkDefParseXML): Likewise.
* src/conf/nwfilter_conf.c (virNWFilterIsValidChainName):
Likewise.
* src/conf/nwfilter_params.c (virNWFilterVarValueCreateSimple)
(virNWFilterVarAccessParse): Likewise.
* src/libvirt.c (virDomainSave, virDomainSaveFlags)
(virDomainRestore, virDomainRestoreFlags)
(virDomainSaveImageGetXMLDesc, virDomainSaveImageDefineXML)
(virDomainCoreDump, virDomainGetXMLDesc)
(virDomainMigrateVersion1, virDomainMigrateVersion2)
(virDomainMigrateVersion3, virDomainMigrate, virDomainMigrate2)
(virStreamSendAll, virStreamRecvAll)
(virDomainSnapshotGetXMLDesc): Likewise.
* src/nwfilter/nwfilter_dhcpsnoop.c (virNWFilterSnoopReqLeaseDel)
(virNWFilterDHCPSnoopReq): Likewise.
* src/openvz/openvz_driver.c (openvzUpdateDevice): Likewise.
* src/openvz/openvz_util.c (openvzKBPerPages): Likewise.
* src/qemu/qemu_cgroup.c (qemuSetupCgroup): Likewise.
* src/qemu/qemu_command.c (qemuBuildHubDevStr, qemuBuildChrChardevStr)
(qemuBuildCommandLine): Likewise.
* src/qemu/qemu_driver.c (qemuDomainGetPercpuStats): Likewise.
* src/qemu/qemu_hotplug.c (qemuDomainAttachNetDevice): Likewise.
* src/rpc/virnetsaslcontext.c (virNetSASLSessionGetIdentity):
Likewise.
* src/rpc/virnetsocket.c (virNetSocketNewConnectUNIX)
(virNetSocketSendFD, virNetSocketRecvFD): Likewise.
* src/storage/storage_backend_disk.c
(virStorageBackendDiskBuildPool): Likewise.
* src/storage/storage_backend_fs.c
(virStorageBackendFileSystemProbe)
(virStorageBackendFileSystemBuild): Likewise.
* src/storage/storage_backend_rbd.c
(virStorageBackendRBDOpenRADOSConn): Likewise.
* src/storage/storage_driver.c (storageVolumeResize): Likewise.
* src/test/test_driver.c (testInterfaceChangeBegin)
(testInterfaceChangeCommit, testInterfaceChangeRollback):
Likewise.
* src/vbox/vbox_tmpl.c (vboxListAllDomains): Likewise.
* src/xenxs/xen_sxpr.c (xenFormatSxprDisk, xenFormatSxpr):
Likewise.
* src/xenxs/xen_xm.c (xenXMConfigGetUUID, xenFormatXMDisk)
(xenFormatXM): Likewise.

Per the FSF address could be changed from time to time, and GNU
recommends the following now: (http://www.gnu.org/licenses/gpl-howto.html)

  You should have received a copy of the GNU General Public License
  along with Foobar.  If not, see <http://www.gnu.org/licenses/>.

This patch removes the explicit FSF address, and uses above instead
(of course, with inserting 'Lesser' before 'General').

Except a bunch of files for security driver, all others are changed
automatically, the copyright for securify files are not complete,
that's why to do it manually:

  src/security/security_selinux.h
  src/security/security_driver.h
  src/security/security_selinux.c
  src/security/security_apparmor.h
  src/security/security_apparmor.c
  src/security/security_driver.c

The 'lxc_driver' global variable is now used from several of
the LXC sources files. Thus it needs to be non-static to
avoid runtime linkage errors
Signed-off-by: NGao feng <gaofeng@cn.fujitsu.com>

Move all the code that manages stop/start of LXC processes
into separate lxc_process.{c,h} file to make the lxc_driver.c
file smaller
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>

Move the cgroup setup code out of the lxc_controller.c file
and into lxc_cgroup.{c,h}. This reduces the size of the
lxc_controller.c file and paves the way to invoke cgroup
setup from lxc_driver.c instead of lxc_controller.c in the
future
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>

Move the LXC driver code related to the virDomainObjPtr
private data into separate lxc_domain.{c,h} files
to reduce the size of lxc_driver.c
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>

When sending SIGHUP to libvirtd, it will trigger the virStateDriver
reload operation. This is intended to reload the configuration files
for guests. For unknown historical reasons this is also triggering
autostart of all guests. Autostart is generally expected to be
something that happens on OS startup. Starting VMs on SIGHUP will
violate that expectation and potentially cause dangerous scenarios
if the admin has explicitly shutdown a misbehaving VM that has
been marked as autostart
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>

This patch passes down the sec_mount_options to the
lxcContainerMountCGroups function and then mounts the tmpfs with
the correct label.

Basically within a Secure Linux Container (virt-sandbox) we want all content
that the process within the container can write to be labeled the same.  We
are labeling the physical disk correctly but when we create "RAM" based file
systems
libvirt is not labeling them, and they are defaulting to tmpfs_t, which will
will not allow the processes to write.  This patch labels the RAM based file
systems correctly.

Introduce new members in the virMacAddr 'class'
- virMacAddrSet: set virMacAddr from a virMacAddr
- virMacAddrSetRaw: setting virMacAddr from raw 6 byte MAC address buffer
- virMacAddrGetRaw: writing virMacAddr into raw 6 byte MAC address buffer
- virMacAddrCmp: comparing two virMacAddr
- virMacAddrCmpRaw: comparing a virMacAddr with a raw 6 byte MAC address buffer

then replace raw MAC addresses by replacing

- 'unsigned char *' with virMacAddrPtr
- 'unsigned char ... [VIR_MAC_BUFLEN]' with virMacAddr

and introduce usage of above functions where necessary.

Since we are not yet using the virNetServerPtr object for running
the event loop, we can't use virNetServerQuit(). Instead set the
global 'quit' flag in libvirt_lxc

The only useful translation of "%s" as a format string is "%s" (I
suppose you could claim "%1$s" is also valid, but why bother).  So
it is not worth translating; fixing this exposes some instances
where we were failing to translate real error messages.  This makes
the fix of commit 097da1ab more generic, as well as ensuring no
future regressions.

* cfg.mk (sc_prohibit_useless_translation): New rule.
* src/lxc/lxc_driver.c (lxcSetVcpuBWLive): Fix offender.
* src/openvz/openvz_conf.c (openvzReadFSConf): Likewise.
* src/qemu/qemu_cgroup.c (qemuSetupCgroupForVcpu): Likewise.
* src/qemu/qemu_driver.c (qemuSetVcpusBWLive): Likewise.
* src/xenapi/xenapi_utils.c (xenapiSessionErrorHandle): Likewise.

Previous commits added code to unmount the existing /proc,
/sys and /dev hierarchies on the root filesystem of the
container. This should only have been done if the container's
root filesystem was the same as the host's root. ie if
the root source is '/'.   As it is, this causes LXC containersr
to fail to start if their root source is not '/'
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>

In preparation for introducing a full RPC protocol for
libvirt_lxc, switch over to using the virNetServer APIs
for the monitor connection
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>

While it is not currently used elsewhere in libvirt, the code
for finding a free loop device & associating a file with it
is not LXC specific. Move it into the viffile.{c,h} file where
potentially shared code is more commonly kept.
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>

Move the cgroup object into virLXCControllerPtr and rename
all the setup methods to include 'Cgroup' in their name
if appropriate
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>

Move the monitor FDs into the virLXCControllerPtr object
removing the need for the 'struct lxcMonitor' object
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>

The virLXCControllerRun method is getting a little too large,
and about 50% of its code is related to setting up a /dev/pts
mount. Move the latter out into a dedicated method
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>

Move the security manager object into the virLXCControllerPtr
object. Also simplify the code creating it in the first place
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>

Move the list of loop device FDs into the virLXCControllerPtr
object and make sure that virLXCControllerStopInit will
close them all
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>

Keep the FD used to handshake with the libvirtd daemon in the
virLXCControllerPtr object.
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>

Turn 'struct lxc_console' into virLXCControllerConsolePtr and make it
a part of virLXCControllerPtr
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>

Keep a record of the init PID in the virLXCController object
and create a virLXCControllerStopInit method for killing this
process
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>

Move the veth device name state into the virLXCControllerPtr
object and stop passing it around. Also use size_t instead
of unsigned int for the array length parameters.
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>

The LXC controller code is having to pass around an ever increasing
number of parameters between methods. To make the code more managable
introduce a virLXCControllerPtr to hold all this state, starting with
the container name and virDomainDefPtr object
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>

Since we are mounting a new /dev in the container, we must
remove any sub-mounts like /dev/shm, /dev/mqueue, etc,
otherwise they'll be recorded in /proc/mounts, but not be
accessible to applications.

Currently libvirt-lxc checks to see if the destination exists and is a
directory.  If it is not a directory then the mount fails.  Since
libvirt-lxc can bind mount files on an inode, this patch is needed to
allow us to bind mount files on files.  Currently we want to bind mount
on top of /etc/machine-id, and /etc/adjtime

If the destination of the mount point does not exists, it checks if the
src is a directory and then attempts to create a directory, otherwise it
creates an empty file for the destination.  The code will then bind mount
over the destination.
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>

Currently you can configure LXC to bind a host directory to
a guest directory, but not to bind a guest directory to a
guest directory. While the guest container init could do
this itself, allowing it in the libvirt XML means a stricter
SELinux policy can be written

Introduce a new syntax for filesystems to allow use of a RAM
filesystem

   <filesystem type='ram'>
      <source usage='10' units='MiB'/>
      <target dir='/mnt'/>
   </filesystem>

The usage units default to KiB to limit consumption of host memory.

* docs/formatdomain.html.in: Document new syntax
* docs/schemas/domaincommon.rng: Add new attributes
* src/conf/domain_conf.c: Parsing/formatting of RAM filesystems
* src/lxc/lxc_container.c: Mounting of RAM filesystems
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>

The lxc contoller eventually makes use of virRandomBits(), which was
segfaulting since virRandomInitialize() is never invoked.

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff554d560 in random_r () from /lib64/libc.so.6
(gdb) bt
0  0x00007ffff554d560 in random_r () from /lib64/libc.so.6
1  0x0000000000469eaa in virRandomBits (nbits=32) at util/virrandom.c:80
2  0x000000000045bf69 in virHashCreateFull (size=256,
    dataFree=0x4aa2a2 <hashDataFree>, keyCode=0x45bd40 <virHashStrCode>,
    keyEqual=0x45bdad <virHashStrEqual>, keyCopy=0x45bdfa <virHashStrCopy>,
    keyFree=0x45be37 <virHashStrFree>) at util/virhash.c:134
3  0x000000000045c069 in virHashCreate (size=0, dataFree=0x4aa2a2 <hashDataFree>)
    at util/virhash.c:164
4  0x00000000004aa562 in virNWFilterHashTableCreate (n=0)
    at conf/nwfilter_params.c:686
5  0x00000000004aa95b in virNWFilterParseParamAttributes (cur=0x711d30)
    at conf/nwfilter_params.c:793
6  0x0000000000481a7f in virDomainNetDefParseXML (caps=0x702c90, node=0x7116b0,
    ctxt=0x7101b0, bootMap=0x0, flags=0) at conf/domain_conf.c:4589
7  0x000000000048cc36 in virDomainDefParseXML (caps=0x702c90, xml=0x710040,
    root=0x7103b0, ctxt=0x7101b0, expectedVirtTypes=16, flags=0)
    at conf/domain_conf.c:8658
8  0x000000000048f011 in virDomainDefParseNode (caps=0x702c90, xml=0x710040,
    root=0x7103b0, expectedVirtTypes=16, flags=0) at conf/domain_conf.c:9360
9  0x000000000048ee30 in virDomainDefParse (xmlStr=0x0,
    filename=0x702ae0 "/var/run/libvirt/lxc/x.xml", caps=0x702c90,
    expectedVirtTypes=16, flags=0) at conf/domain_conf.c:9310
10 0x000000000048ef00 in virDomainDefParseFile (caps=0x702c90,
    filename=0x702ae0 "/var/run/libvirt/lxc/x.xml", expectedVirtTypes=16, flags=0)
    at conf/domain_conf.c:9332
11 0x0000000000425053 in main (argc=5, argv=0x7fffffffe2b8)
    at lxc/lxc_controller.c:1773

This patch adds support for listing all domains into drivers that use
the common virDomainObj implementation: libxl, lxc, openvz, qemu, test,
uml, vmware.

For drivers that don't support managed save images the guests are
treated as if they had none, so filtering guests that do have such an
image on this driver succeeds and produces 0 results.

when lxcContainerIdentifyCGroups failed, the memory it allocated
has been freed, so we should not free this memory again in
lxcContainerSetupPivortRoot and lxcContainerSetupExtraMounts.
Signed-off-by: NGao feng <gaofeng@cn.fujitsu.com>

print debug info "container support is enabled"
when host support the user or net namespace.
Signed-off-by: NGao feng <gaofeng@cn.fujitsu.com>

kill the "return 0;" code, it will cause memory leak.
Signed-off-by: NGao feng <gaofeng@cn.fujitsu.com>

Introduced in commit 1f8c33b6.

* src/lxc/lxc_container.c (lxcContainerGetSubtree): Avoid TAB.

when libvirt_lxc trigger oom error in lxcContainerGetSubtree
we should free the alloced memory for mounts.

so when lxcContainerGetSubtree failed,we should do some
memory cleanup in lxcContainerUnmountSubtree.
Signed-off-by: NGao feng <gaofeng@cn.fujitsu.com>

we alloc the memory for format in lxcContainerMountDetectFilesystem
but without free it in lxcContainerMountFSBlockHelper.

this patch just call VIR_FREE to free it.
Signed-off-by: NGao feng <gaofeng@cn.fujitsu.com>

This reverts

  commit c16b4c43
  Author: Daniel P. Berrange <berrange@redhat.com>
  Date:   Fri May 11 15:09:27 2012 +0100

    Avoid LXC pivot root in the root source is still /

This commit broke setup of /dev, because the code which
deals with setting up a private /dev and /dev/pts only
works if you do a pivotroot.

The original intent of avoiding the pivot root was to
try and ensure the new root has a minimumal mount
tree. The better way todo this is to just unmount the
bits we don't want (ie old /proc & /sys subtrees.
So apply the logic from

  commit c529b47a
  Author: Daniel P. Berrange <berrange@redhat.com>
  Date:   Fri May 11 11:35:28 2012 +0100

    Trim /proc & /sys subtrees before mounting new instances

to the pivot_root codepath as well

A core use case of the hook scripts is to be able to do things
to a guest's network configuration. It is possible to hook into
the 'start' operation for a QEMU guest which runs just before
the guest is started. The TAP devices will exist at this point,
but the QEMU process will not. It can be desirable to have a
'started' hook too, which runs once QEMU has started.

If libvirtd is restarted it will re-populate firewall rules,
but there is no QEMU hook to trigger for existing domains.
This is solved with a 'reconnect' hook.

Finally, if attaching to an external QEMU process there needs
to be an 'attach' hook script.

This all also applies to the LXC driver

* docs/hooks.html.in: Document new operations
* src/util/hooks.c, src/util/hooks.c: Add 'started', 'reconnect'
  and 'attach' operations for QEMU. Add 'prepare', 'started',
  'release' and 'reconnect' operations for LXC
* src/lxc/lxc_driver.c: Add hooks for 'prepare', 'started',
  'release' and 'reconnect' operations
* src/qemu/qemu_process.c: Add hooks for 'started', 'reconnect'
  and 'reconnect' operations