When virLockDriverAcquire is invoked during hotplug the state
parameter will be left as NULL.

* src/locking/lock_driver_nop.c,
  src/locking/lock_driver_sanlock.c: Don't reference NULL state
  parameter

Refactoring of the lock manager hotplug methods lost the
ret = 0 assignment for successful return path

* src/locking/domain_lock.c: Add missing ret = 0 assignments

After successfull virDomainSave/virDomainManagedSave calls
the guest will no longer be active, so the domain ID must
be reset to -1

* daemon/remote_generator.pl: Special case virDomainSave &
  virDomainManagedSave for same reason as virDomainDestroy

Commit 4454a9ef introduced bad
behaviour on the VIR_EVENT_HANDLE_ERROR condition. This condition
is only hit when an invalid FD is used in poll() (typically due
to a double-close bug). The QEMU monitor code was treating this
condition as non-fatal, and thus libvirt would poll() in a fast
loop forever burning 100% CPU. VIR_EVENT_HANDLE_ERROR must be
handled in the same way as VIR_EVENT_HANDLE_HANGUP, killing the
QEMU instance.

* src/qemu/qemu_monitor.c: Treat VIR_EVENT_HANDLE_ERROR as EOF

In between fork and exec, a connection to sanlock is acquired
and the socket file descriptor is intionally leaked to the
child process. sanlock watches this FD for POLL_HANGUP to
detect when QEMU has exited. We don't want a rogus/compromised
QEMU from issuing sanlock RPC calls on the leaked FD though,
since that could be used to DOS other guests. By calling
sanlock_restrict() on the socket before exec() we can lock
it down.

* configure.ac: Check for sanlock_restrict API
* src/locking/domain_lock.c: Restrict lock acquired in
  process startup phase
* src/locking/lock_driver.h: Add VIR_LOCK_MANAGER_ACQUIRE_RESTRICT
* src/locking/lock_driver_sanlock.c: Add call to sanlock_restrict
  when requested by VIR_LOCK_MANAGER_ACQUIRE_RESTRICT flag

Partial revert of commit c3c30d4d.

* docs/Makefile.am (internals/%.html.tmp): Restore MKDIR_P; it is
needed for intermediate file after all.
Reported by Daniel P. Berrange.

* tools/virsh.c: Add screenshot command
* tools/virsh.pod: Document new command
* src/libvirt.c: Fix off-be-one error

Based on the equivalent qemu driver code

* src/libxl/libxl_driver.c: refactor the Start save and restore
  routines of the driver and adds the new entry points for
  managed saves handling

* src/libxl/libxl_driver.c: fix the libxlDomainGetInfo to return the
  maximum memory for running domain

Sanlock is a project that implements a disk-paxos locking
algorithm. This is suitable for cluster deployments with
shared storage.

* src/Makefile.am: Add dlopen plugin for sanlock
* src/locking/lock_driver_sanlock.c: Sanlock driver
* configure.ac: Check for sanlock
* libvirt.spec.in: Add a libvirt-lock-sanlock RPM

* src/conf/domain_conf.c, src/conf/domain_conf.h: APIs for
  inserting/finding/removing virDomainLeaseDefPtr instances
* src/qemu/qemu_driver.c: Wire up hotplug/unplug for leases
* src/qemu/qemu_hotplug.h, src/qemu/qemu_hotplug.c: Support
  for hotplug and unplug of leases

Some lock managers associate state with leases, allowing a process
to temporarily release its leases, and re-acquire them later, safe
in the knowledge that no other process has acquired + released the
leases in between.

This is already used between suspend/resume operations, and must
also be used across migration. This passes the lockstate in the
migration cookie. If the lock manager uses lockstate, then it
becomes compulsory to use the migration v3 protocol to get the
cookie support.

* src/qemu/qemu_driver.c: Validate that migration v2 protocol is
  not used if lock manager needs state transfer
* src/qemu/qemu_migration.c: Transfer lock state in migration
  cookie XML

The QEMU integrates with the lock manager instructure in a number
of key places

 * During startup, a lock is acquired in between the fork & exec
 * During startup, the libvirtd process acquires a lock before
   setting file labelling
 * During shutdown, the libvirtd process acquires a lock
   before restoring file labelling
 * During hotplug, unplug & media change the libvirtd process
   holds a lock while setting/restoring labels

The main content lock is only ever held by the QEMU child process,
or libvirtd during VM shutdown. The rest of the operations only
require libvirtd to hold the metadata locks, relying on the active
QEMU still holding the content lock.

* src/qemu/qemu_conf.c, src/qemu/qemu_conf.h,
  src/qemu/libvirtd_qemu.aug, src/qemu/test_libvirtd_qemu.aug:
  Add config parameter for configuring lock managers
* src/qemu/qemu_driver.c: Add calls to the lock manager

To facilitate use of the locking plugins from hypervisor drivers,
introduce a higher level API for locking virDomainObjPtr instances.
In includes APIs targetted to VM startup, and hotplug/unplug

* src/Makefile.am: Add domain lock API
* src/locking/domain_lock.c, src/locking/domain_lock.h: High
  level API for domain locking

To allow hypervisor drivers to assume that a lock driver impl
will be guaranteed to exist, provide a 'nop' impl that is
compiled into the library

* src/Makefile.am: Add nop driver
* src/locking/lock_driver_nop.c, src/locking/lock_driver_nop.h:
  Nop lock driver implementation
* src/locking/lock_manager.c: Enable direct access of 'nop'
  driver, instead of dlopen()ing it.

Define the basic framework lock manager plugins. The
basic plugin API for 3rd parties to implemented is
defined in

  src/locking/lock_driver.h

This allows dlopen()able modules for alternative locking
schemes, however, we do not install the header. This
requires lock plugins to be in-tree allowing changing of
the lock manager plugin API in future.

The libvirt code for loading & calling into plugins
is in

  src/locking/lock_manager.{c,h}

* include/libvirt/virterror.h, src/util/virterror.c: Add
  VIR_FROM_LOCKING
* src/locking/lock_driver.h: API for lock driver plugins
  to implement
* src/locking/lock_manager.c, src/locking/lock_manager.h:
  Internal API for managing locking
* src/Makefile.am: Add locking code

A lock manager may operate in various modes. The direct mode of
operation is to obtain locks based on the resources associated
with devices in the XML. The indirect mode is where the app
creating the domain provides explicit leases for each resource
that needs to be locked. This XML extension allows for listing
resources in the XML

  <devices>
     ...
     <lease>
       <lockspace>somearea</lockspace>
       <key>thequickbrownfoxjumpsoverthelazydog</key>
       <target path='/some/lease/path' offset='23432'/>
     </lease>
     ...
  </devices>

The 'lockspace' is a unique identifier for the lockspace which
the lease is associated

The 'key' is a unique identifier for the resource associated
with the lease.

The 'target' is the file on disk where the leases are held.

* docs/schemas/domain.rng: Add lease schema
* src/conf/domain_conf.c, src/conf/domain_conf.h: parsing and
  formatting for leases
* tests/qemuxml2argvdata/qemuxml2argv-lease.args,
  tests/qemuxml2argvdata/qemuxml2argv-lease.xml,
  tests/qemuxml2xmltest.c: Test XML handling for leases

Allow the parent process to perform a bi-directional handshake
with the child process during fork/exec. The child process
will fork and do its initial setup. Immediately prior to the
exec(), it will stop & wait for a handshake from the parent
process. The parent process will spawn the child and wait
until the child reaches the handshake point. It will do
whatever extra setup work is required, before signalling the
child to continue.

The implementation of this is done using two pairs of blocking
pipes. The first pair is used to block the parent, until the
child writes a single byte. Then the second pair pair is used
to block the child, until the parent confirms with another
single byte.

* src/util/command.c, src/util/command.h,
  src/libvirt_private.syms: Add APIs to perform a handshake

Regression introduced in commit d6623003 (v0.8.8) - using the
wrong sizeof operand meant that security manager private data
was overlaying the allowDiskFormatProbing member of struct
_virSecurityManager.  This reopens disk probing, which was
supposed to be prevented by the solution to CVE-2010-2238.

* src/security/security_manager.c
(virSecurityManagerGetPrivateData): Use correct offset.

Alas, /usr/bin/kvm is also not directly supported by testutilsqemu.c.

In fact, _any_ test that uses <cpu match=...> has to use our faked
qemu.sh in order to properly answer the 'qemu -cpu ?' probe done
during qemu command line building.

* tests/qemuxml2argvdata/*graphics-spice-timeout*: Switch emulator, again.

I noticed this while building from libvirt.git on RHEL 5.6:

Generating internals/command.html.tmp
mkdir: cannot create directory `/internals': Permission denied

If I had been building as root instead, this pollutes /.

Older autoconf lacks $(builddir), but it is rigorously equal to '.'
in newer autoconf, so we could use '$(MKDIR_P) internals' instead.

However, since internals/command.html is part of the tarball, we
_already_ build it in $(srcdir), not $(builddir) during VPATH
builds, so the mkdir is wasted effort!

* docs/Makefile.am (internals/%.html.tmp): Drop unused mkdir.

Commit 2d6adabd replaced qsorting disk
and controller devices with inserting them at the right position. That
was to fix unnecessary reordering of devices. However, when parsing
domain XML devices are just taken in the order in which they appear in
the XML since. Use the correct insertion algorithm to honor device
target.

The test used an emulator that is not supported in testutilsqemu.c.
Switch from qemu-kvm to kvm to fix this.

This doesn't cover the getters that allow to query nparams yet.

New APIs have to use long long instead of long.

Also make apibuild errors fatal.

Remove some special case code that took care of mapping hyper to the
correct C types.

As the list of procedures that is allowed to map hyper to long is fixed
put it in the generator instead annotations in the .x files. This
results in simpler .x file parsing code.

Use macros for hyper to long assignments that perform overflow checks
when long is smaller than hyper. Map hyper to long long by default.

Suggested by Eric Blake.

The gnutls_certificate_type_set_priority method is deprecated.
Since we already set the default gnutls priority, and do not
support OpenGPG credentials in any case, it was not serving
any useful purpose and can be removed

* src/remote/remote_driver.c: Remove src/remote/remote_driver.c
  call

We commonly use "value, length" order, let's stick to this.

Convert openvzLocateConfFile to a replaceable function pointer to
allow testing the config file parsing without rewriting the whole
OpenVZ config parsing to a more testable structure.

Otherwise virsh dumpxml will report <domain type='qemu'> instead
of the expected <domain type='openvz'>.

Substitute VIR_ERR_NO_SUPPORT with VIR_ERR_INTERNAL_ERROR. Error
like following is not what user want to see.

error : pciDeviceIsAssignable:1487 : this function is not supported
by the connection driver: Device 0000:07:10.0 is behind a switch
lacking ACS and cannot be assigned

* daemon/THREADING.txt: Rename...
* daemon/THREADS.txt: ...to match qemu thread notes.
* daemon/Makefile.am (EXTRA_DIST): Reflect rename.

This function is also affected by getline conversion. But this
didn't result in a regression in general, because the difference
would only affect the behavior of the function when the line in
/proc/vz/vestat for the given vpsid wasn't found. Under normal
conditions this should not happen.

The regression fix in 3aab7f2d altered the error handling.
getline returns -1 on failure to read a line (including EOF). The
original openvzReadConfigParam function using openvz_readline only
treated EOF as not-found. The current getline version treats all
getline failures as not-found.

This patch fixes this and distinguishes EOF from other getline
failures.

Since directories can be used for <filesystem> passthrough, they are
basically storage volumes.

v2:
    Skip ., .., lost+found dirs

v3:
    Use gnulib last_component

v4:
    Use gnulib "dirname.h", not system <dirname.h>
    Don't skip lost+found