When cpu hotplug fails without reporting an error, we would fail the
command but update the count of vCPUs anyways.

Commit 761fc481 fixed the case when CPU
hot-unplug failed silently, but forgot to fix up the value in this case.

Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1000357

On IRC, someone complained that a system without xmllint installed
failed a number of tests.

* tests/schematestutils.sh: Probe for xmllint.
Signed-off-by: NEric Blake <eblake@redhat.com>

Consistently use "is" or "is not" to compare variables to None,
because doing so is preferrable, as per PEP 8
(http://www.python.org/dev/peps/pep-0008/#programming-recommendations):

> Comparisons to singletons like None should always be done with is or
> is not, never the equality operators.

In tests/qemuagenttest.c, the Timeout test should always be
called last. Any additional tests should come before this.
Signed-off-by: NEric Blake <eblake@redhat.com>

A readonly GOT and detecting indirect linkage is useful here too.

and use it when available

by adding it to AM_LDFLAGS instead of every linking rule and
by avoiding a forked grep.

Commit a0b6a36f is fixing what commit abfff210 broke, so to avoid having
to deal with this issue again, herec comes "virsh-uriprecedence".

The virDomainOpenGraphics method accepts a UNIX socket FD from
the client app. It must set the label on this FD otherwise QEMU
will be prevented from receiving it with recvmsg.
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>

If user requested multiqueue networking, beside multiple /dev/tap and
/dev/vhost-net openings, we forgot to pass mq=on onto the -device
virtio-net-pci command line. This is advised at:

  http://www.linux-kvm.org/page/Multiqueue#Enable_MQ_feature

Reformat the description to more cleanly delineate the attributes
for a <disk> element.

Re-arrange the code so that the returned bitmap is always initialized to
NULL even on early failures and return an error message as some callers
are already expecting it. Fix up the rest not to shadow the error.

Commit abfff210 changed the order of vshParseArgv() and vshInit() in
order to make fix debugging of parameter parsing.  However, vshInit()
did a vshReconnect() even though ctl->name wasn't set according to the
'-c' parameter yet.  In order to keep both issues fixed, I've split
the vshInit() into vshInitDebug() and vshInit().

One simple memleak of ctl->name is fixed as a part of this patch,
since it is related to the issue it's fixing.

Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=999323

Previously the error message showed the following:

error: internal error: Invalid or not yet handled value 'auto detect'
for VMX entry 'ide0:0.fileName'

This left the user unsure if it was a CD-ROM or a disk device that they
needed to fix. Now the error shows:

error: internal error: Invalid or not yet handled value 'auto detect'
for VMX entry 'ide0:0.fileName' for device type 'cdrom-raw'

Which should hopefully make it easier to see the issue with the VMX
configuration.

Implement networkEnableIpForwarding() using BSD style sysctl.

Provide an implementation of virNetDev(Set|Clear)IPv4Address based on
BSD ifconfig tool in addition to 'ip' from Linux iproute2 package.

More fallout from commit d72ef888.  When reconnecting to running
domains, the libxl_ctx in libxlDomainObjPrivate was used before
initializing it, causing a segfault in libxl and consequently
crashing libvirtd.

Initialize the libxlDomainObjPrivate libxl_ctx in libxlReconnectDomain,
and while at it use this ctx in libxlReconnectDomain instead of the
driver-wide ctx.

https://bugzilla.redhat.com/show_bug.cgi?id=822052

When doing a live migration, if the destination fails for any
reason after the point in which files should be labeled, then
the cleanup of the destination would restore the labels to their
defaults, even though the source is still trying to continue
running with the image open.  Bug 822052 mentioned one source
of live migration failure - a mismatch in SELinux virt_use_nfs
settings (on for source, off for destination); but I found other
situations that would also trigger it (for example, having a
graphics device tied to port 5999 on the source, and a different
domain on the destination already using that port, so that the
destination cannot reuse the port).

In short, just as cleanup of the source on a successful migration
must not relabel files (because the destination would be crippled
by the relabel), cleanup of the destination on a failed migration
must not relabel files (because the source would be crippled).

* src/qemu/qemu_process.c (qemuProcessStart): Set flag to avoid
label restoration when cleaning up on failed migration.
Signed-off-by: NEric Blake <eblake@redhat.com>

Only compile securityselinuxhelper.c if xattr support was detected to
avoid this error:

securityselinuxhelper.c:34:24: fatal error: attr/xattr.h: No such file
or directory compilation terminated.

Since all SELinux tests depend upon the securityselinuxhelper library,
these test programs are now only build when xattr support is
available.

In commit f905cc99 a use of
uninitialized data was fixed based on a coverity report. It
turns out it was possible to trigger this issue by pointing
libvirt at non-existent certificate files, typically causing
a crash.

This adds a test case for that scenario. With the above
commit reverted, this new test case will crash with a SEGV.
With the fix applied, it passes, reporting a normal libvirt
error to the caller.
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>

Introduced by commit e0139e30. virStorageVolDefFree free'ed the
pointers that are still used by the added volume object, this changes
it back to VIR_FREE.

Introduced by commit e0139e30:

1777 	    /* Updating pool metadata */

(40) Event var_deref_op: Dereferencing null pointer "newvol".
     Also see events: [assign_zero]

1778 	    pool->def->allocation += newvol->allocation;
1779 	    pool->def->available -= newvol->allocation;

Update the iSCSI storage pool example to include the secret

Update formatsecret docs to describe the various options and provide examples
in order to set up secrets for each type of secret.

Add more iSCSI examples including having a secret attached. There are 4 new
examples; one for each way to have an iSCSI - a network disk using virtio,
a passthrough network lun using scsi, a volume disk using "mode='host'",
and a volume disk using "mode='direct'"

Each of the modules handled reporting error messages from the secret fetching
slightly differently with respect to the error. Provide a similar message
for each error case and provide as much data as possible.

Following XML would fail :

    <disk type='network' device='lun'>
      <driver name='qemu' type='raw'/>
      <source protocol='iscsi' name='iqn.2013-07.com.example:iscsi/1'>
        <host name='example.com' port='3260'/>
      </source>
      <target dev='sda' bus='scsi'/>
    </disk>

With the message:

error: Failed to start domain iscsilun
error: Unable to get device ID 'iqn.2013-07.com.example:iscsi/1': No such fi

Cause was commit id '1f49b05a' which added 'virDomainDiskSourceIsBlockType'

When using virsh secret-list - if the secret types are cephx or iscsi,
then allow fetch/print of the usage information. Prior to the change
the following would print:

UUID                                 Usage
-----------------------------------------------------------
1b40a534-8301-45d5-b1aa-11894ebb1735 Unused
a5ba3efe-6adf-4a6a-b243-f010a043e314 Unused

Afterwards:

UUID                                 Usage
-----------------------------------------------------------
1b40a534-8301-45d5-b1aa-11894ebb1735 ceph ceph_example
a5ba3efe-6adf-4a6a-b243-f010a043e314 iscsi libvirtiscsi

If we reached cleanup: prior to allocating cpus, it was possible that
'nr_nodes' had a value, but cpus was NULL leading to a possible NULL
deref. Add a 'cpus' as an end condition to for loop

Daniel Berrange (correctly) pointed out that we should do a better
job of testing selinux labeling fallbacks on NFS disks that lack
labeling support.

* tests/securityselinuxhelper.c (includes): Makefile already
guaranteed xattr support.  Add additional headers.
(init_syms): New function, borrowing from vircgroupmock.c.
(setfilecon_raw, getfilecon_raw): Fake NFS failure.
(statfs): Fake an NFS mount point.
(security_getenforce, security_get_boolean_active): Don't let host
environment affect test.
* tests/securityselinuxlabeldata/nfs.data: New file.
* tests/securityselinuxlabeldata/nfs.xml: New file.
* tests/securityselinuxlabeltest.c (testSELinuxCreateDisks)
(testSELinuxDeleteDisks): Setup and cleanup for fake NFS mount.
(testSELinuxCheckLabels): Test handling of SELinux NFS denial.
Fix memory leak.
(testSELinuxLabeling): Avoid infinite loop on dirty tree.
(mymain): Add new test.

https://bugzilla.redhat.com/show_bug.cgi?id=924153

Commit 904e05a2 (v0.9.9) added a per-<disk> seclabel element with
an attribute relabel='no' in order to try and minimize the
impact of shutdown delays when an NFS server disappears.  The idea
was that if a disk is on NFS and can't be labeled in the first
place, there is no need to attempt the (no-op) relabel on domain
shutdown.  Unfortunately, the way this was implemented was by
modifying the domain XML so that the optimization would survive
libvirtd restart, but in a way that is indistinguishable from an
explicit user setting.  Furthermore, once the setting is turned
on, libvirt avoids attempts at labeling, even for operations like
snapshot or blockcopy where the chain is being extended or pivoted
onto non-NFS, where SELinux labeling is once again possible.  As
a result, it was impossible to do a blockcopy to pivot from an
NFS image file onto a local file.

The solution is to separate the semantics of a chain that must
not be labeled (which the user can set even on persistent domains)
vs. the optimization of not attempting a relabel on cleanup (a
live-only annotation), and using only the user's explicit notation
rather than the optimization as the decision on whether to skip
a label attempt in the first place.  When upgrading an older
libvirtd to a newer, an NFS volume will still attempt the relabel;
but as the avoidance of a relabel was only an optimization, this
shouldn't cause any problems.

In the ideal future, libvirt will eventually have XML describing
EVERY file in the backing chain, with each file having a separate
<seclabel> element.  At that point, libvirt will be able to track
more closely which files need a relabel attempt at shutdown.  But
until we reach that point, the single <seclabel> for the entire
<disk> chain is treated as a hint - when a chain has only one
file, then we know it is accurate; but if the chain has more than
one file, we have to attempt relabel in spite of the attribute,
in case part of the chain is local and SELinux mattered for that
portion of the chain.

* src/conf/domain_conf.h (_virSecurityDeviceLabelDef): Add new
member.
* src/conf/domain_conf.c (virSecurityDeviceLabelDefParseXML):
Parse it, for live images only.
(virSecurityDeviceLabelDefFormat): Output it.
(virDomainDiskDefParseXML, virDomainChrSourceDefParseXML)
(virDomainDiskSourceDefFormat, virDomainChrDefFormat)
(virDomainDiskDefFormat): Pass flags on through.
* src/security/security_selinux.c
(virSecuritySELinuxRestoreSecurityImageLabelInt): Honor labelskip
when possible.
(virSecuritySELinuxSetSecurityFileLabel): Set labelskip, not
norelabel, if labeling fails.
(virSecuritySELinuxSetFileconHelper): Fix indentation.
* docs/formatdomain.html.in (seclabel): Document new xml.
* docs/schemas/domaincommon.rng (devSeclabel): Allow it in RNG.
* tests/qemuxml2argvdata/qemuxml2argv-seclabel-*-labelskip.xml:
* tests/qemuxml2argvdata/qemuxml2argv-seclabel-*-labelskip.args:
* tests/qemuxml2xmloutdata/qemuxml2xmlout-seclabel-*-labelskip.xml:
New test files.
* tests/qemuxml2argvtest.c (mymain): Run the new tests.
* tests/qemuxml2xmltest.c (mymain): Likewise.
Signed-off-by: NEric Blake <eblake@redhat.com>

Use the new semantics of vshStringToArray to avoid leaking the array of
volumes to be deleted. The array would be leaked in case the first
volume was found in the domain definition. Also refactor the code a bit
to sanitize naming of variables hoding arrays and dimensions of the
arrays.

Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=996050

Explicitly let the user know about the unknown pool type.

At a slightly larger memory expense allow stealing of items from the
string array returned from vshStringToArray and turn the result into a
string list compatible with virStringSplit. This will allow to use the
common dealloc function.

This patch also fixes a few forgotten checks of return from
vshStringToArray and one memory leak.

If there's no hard_limit set and domain uses VFIO we still must lock the
guest memory (prerequisite from qemu). Hence, we should compute the
amount to be locked from max_balloon.

Since 16bcb3 we have a regression. The hard_limit is set
unconditionally. By default the limit is zero. Hence, if user hasn't
configured any, we set the zero in cgroup subsystem making the kernel
kill the corresponding qemu process immediately. The proper fix is to
set hard_limit iff user has configured any.

Another program gains --help/--version :)

* tools/virt-pki-validate.in: Add option parsing.  Update
documentation to match.
* tools/Makefile.am (virt-pki-validate): Substitute version.
Signed-off-by: NEric Blake <eblake@redhat.com>

We were failing to autoprobe which schema to use for several
top-level XML elements.

* tools/virt-xml-validate.in (TYPE): Recognize <domainsnapshot>,
<filter>, and <secret>.
Signed-off-by: NEric Blake <eblake@redhat.com>