* src/qemu/qemu_driver.c (qemudDomainAttachSCSIDisk): Handle
the (theoretical) case of an empty controller list, so that
clang does not think the subsequent dereference of "cont"
would dereference an undefined variable (due to preceding
loop not iterating even once).

* src/qemu/qemu_driver.c (qemudDomainRestore): A corrupt save file
(in particular, a too-large header.xml_len value) would cause an
unwarranted out-of-memory error.  Do not trust the just-read
header.xml_len.  Instead, merely use that as a hint, and
read/allocate up to that number of bytes from the file.
Also verify that header.xml_len is positive; if it were negative,
passing it to virFileReadLimFD could cause trouble.

to saferead_lim, which interprets it as a size_t.
* src/util/util.c (virFileReadLimFD): Do not malfunction when
maxlen < -1.  Return -1,EINVAL in that case.  Handle maxlen==0
in the same manner.

* src/xen/proxy_internal.c (xenProxyDomainDumpXML): An invalid packet
could include a too-large "ans.len" value, which would make us allocate
too much memory and then copy data from beyond the end of "ans",
possibly evoking a segfault.  Ensure that the value we use is no
larger than the remaining portion of "ans".
Also, change unnecessary memmove to memcpy (src and dest obviously
do not overlap, so no need to use memmove).
(xenProxyDomainGetOSType): Likewise.
(xenProxyGetCapabilities): Likewise.

The code erroneously searched the entire "reply" for a comma, when
its intent was to search only that portion after "balloon: actual="
* src/qemu/qemu_monitor_text.c (qemuMonitorTextGetMemoryStats):
Search for "," only starting *after* the BALLOON_PREFIX string.
Otherwise, we'd be more prone to false positives.

Changeset

  commit 5073aa99
  Author: Cole Robinson <crobinso@redhat.com>
  Date:   Mon Jan 11 11:40:46 2010 -0500

Added support for product/vendor based passthrough, but it only
worked at the security driver layer. The main guest XML config
was not updated with the resolved bus/device ID. When the QEMU
argv refactoring removed use of product/vendor, this then broke
launching guests.

THe solution is to move the product/vendor resolution up a layer
into the QEMU driver. So the first thing QEMU does is resolve
the product/vendor to a bus/device and updates the XML config
with this info. The rest of the code, including security drivers
and QEMU argv generated can now rely on bus/device always being
set.

* src/util/hostusb.c, src/util/hostusb.h: Split vendor/product
  resolution code out of usbGetDevice and into usbFindDevice.
  Add accessors for bus/device ID
* src/security/virt-aa-helper.c, src/security/security_selinux.c,
  src/qemu/qemu_security_dac.c: Remove vendor/product from the
  usbGetDevice() calls
* src/qemu/qemu_driver.c: Use usbFindDevice to resolve vendor/product
  into a bus/device ID

The pci_del command is not being ported to QMP. Convert all the
QEMU hotplug code over to use device_del whenever it is available
to avoid the pci_del problem

* src/qemu/qemu_driver.c: Convert unplug code to device_del

Previously hot-unplug could not be supported for USB devices
in QEMU, since usb_del required the guest visible address
which libvirt never knows. With 'device_del' command we can
now unplug based on device alias, so support that.

* src/qemu/qemu_driver.c: Use device_del to remove USB devices

Upstart crashes & burns in a heap if $TERM environment variable
is missing. Presumably the kernel always sets this when booting
init on a real machine, so libvirt should set it for containers
too.

To make a typical inittab / mingetty setup happier, we need to
symlink the primary console /dev/pts/0 to /dev/tty1.

Improve logging in certain scenarios to make troubleshooting
easier

* src/lxc/lxc_container.c: Create /dev/tty1 and set $TERM

When using the 'ns' cgroup controller, the moment a process calls
'unshare(CLONE_NEWNS)', it will be given a private cgroup tree
under its current location. This really messages up the LXC
controller process, because it ends up creating the containers'
cgroup in the wrong place. The fix is fairly easy, just move
the cgroup setup before the code which calls unshare(). The
'ns' controller will still create extra undesired cgroups, but
they at least won't break libvirt's setup now.

The patch also adds a missing cgroups allow rule for /dev/tty
device node

When getting the driver/domain cgroup it is possible to specify
whether it should be auto created. If auto-creation was turned
off, libvirt still mistakenly created its own top level cgroup

* src/util/cgroup.c: Honour autocreate flag for top level cgroup

This allows the config to have a setting that means "leave it alone",
eg when building a pool where the directory already exists the user
may want the current uid/gid of the directory left intact. This
actually gets us back to older behavior - before recent changes to the
pool building code, we weren't as insistent about honoring the uid/gid
settings in the XML, and virt-manager was taking advantage of this
behavior.

As a side benefit, removing calls to getuid/getgid from the XML
parsing functions also seems like a good idea. And having a default
that is different from a common/useful value (0 == root) is a good
thing in general, as it removes ambiguity from decisions (at least one
place in the code was checking for (perms.uid == 0) to see if a
special uid was requested).

Note that this will only affect newly created pools and volumes. Due
to the way that the XML is parsed, then formatted for newly created
volumes, all existing pools/volumes already have an explicit uid and
gid set.

src/conf/storage_conf.c: Remove calls to setuid/setgid for default values
                         of uid/gid, and set them to -1 instead

src/storage/storage_backend.c:
src/storage/storage_backend_fs.c:
        Make account for the new default values of perms.uid
        and perms.gid.

With the recent changes to the linking defaults in Fedora 13 (namely
enabling --no-add-needed behaviour by default), we have to pass the
dlopen()-providing libraries directly at the link of the module; use the
same AC_SEARCH_LIBS function as used before to look for it and add it to
the Makefile.

QEMU has a monitor command 'set_cpu' which allows a specific
CPU to be toggled between online& offline state. libvirt CPU
hotplug does not work in terms of individual indexes CPUs.
Thus to support this, we iteratively toggle the online state
when the total number of vCPUs is adjusted via libvirt

NB, currently untested since QEMU segvs when running this!

* src/qemu/qemu_driver.c: Toggle online state for CPUs when
  doing hotplug
* src/qemu/qemu_monitor.c, src/qemu/qemu_monitor.h,
  src/qemu/qemu_monitor_json.c, src/qemu/qemu_monitor_json.h,
  src/qemu/qemu_monitor_text.c, src/qemu/qemu_monitor_text.h: Add
  monitor API for toggling a CPU's online status via 'set_cpu

The storage backend implementations all presume that the XML parser
is validating correctness of the source specification. The check for
a source device was lost at some point. This allowed for a potential
crash in the disk backend. Re-introduce the sanity check

* src/conf/storage_conf.c: Re-add check for source device

When trying to delete a pool the error message claimed the volume
could not be deleted.

* src/storage/storage_driver.c: Error message referred to
  volumes instead of pools

The QMP code was running query-migration instead of query-migrate.
This doesn't work so well

* src/qemu/qemu_monitor_json.c: s/query-migration/query-migrate/

The code to remove the cgroup after QEMU failed to startup could
be obscuring a real error from earlier on. It is not neccessary
to raise an error in this case, so tell cgroups to keep quiet

* src/qemu/qemu_driver.c: Don't raise cgroups error in QEMU start
  cleanup code.

The QEMU hotunplug code for PCI devices was looking at host
devices in the guest config without first filtering non
PCI devices. This means it was reading garbage

* src/qemu/qemu_driver.c: Filter out non-PCI devices

Commit 3c12a67b added
a dependency on the NFS_SUPER_MAGIC macro, which is
defined in linux/magic.h.  Unfortunately linux/magic.h
is not available in RHEL-5, and causes a compile error.
Just define it locally, since this is something that
can't change.
Signed-off-by: NChris Lalancette <clalance@redhat.com>

Move *all* file operations related to creation and writing of libvirt
header to the domain save file into a hook function that is called by
virFileOperation. First try to call virFileOperation as root. If that
fails with EACCESS, and (in the case of Linux) statfs says that we're
trying to save the file on an NFS share, rerun virFileOperation,
telling it to fork a child process and setuid to the qemu user. This
is the only way we can successfully create a file on a root-squashed
NFS server.

This patch (along with setting dynamic_ownership=0 in qemu.conf)
makes qemudDomainSave work on root-squashed NFS.

* src/qemu/qemu_driver.c: provide new qemudDomainSaveFileOpHook()
  utility, use it in qemudDomainSave() if normal creation of the
  file as root failed, and after checking the filesystem type for
  the storage is NFS. In that case we also bypass the security
  driver, as this would fail on NFS.

If qemudDomainRestore fails to open the domain save file, create a
pipe, then fork a process that does setuid(qemu_user) and opens the
file, then reads this file and stuffs it into the pipe. the parent
libvirtd process will use the other end of the pipe as its fd, then
reap the child process after it's done reading.

This makes domain restore work on a root-squash NFS share that is only
visible to the qemu user.

* src/qemu/qemu_driver.c: add new qemudOpenAsUID() helper function,
  and use it in qemudDomainRestore() if reading as root directly failed.

The USB/PCI device hotplug code for the QEMU driver was forgetting
to allocate a unique device alias.

* src/qemu/qemu_driver.c: Fill in device alias for USB/PCI devices

The code assumed that 'device_add' returned an empty string upon
success. This is not true, it sometimes prints random debug info.
THus we need to check for an explicit fail string

* src/qemu/qemu_monitor_text.c: Fix error checking of the device_add
  monitor command

Another warning caught by coverity.  Continue to perform best-effort
closing and resource release, but warn the caller about the failure.

* src/esx/esx_driver.c (esxClose): Return an error on failure to close.

Coverity detected a potential dereference of uninitialized memory
if recvfrom got cut short.

* src/uml/uml_driver.c (umlMonitorCommand): Validate complete read
prior to dereferencing res.

Various safezero() implementations used either -1, errno or -errno
return values. This patch fixes them all to return -1 and set errno
appropriately.

There was also a bug in size parameter passed to safewrite() which could
result in an attempt to write gigabytes out of a megabyte buffer.
Signed-off-by: NJiri Denemark <jdenemar@redhat.com>

When a VM save attempt failed, the VM would be left in a paused
state. It is neccessary to resume CPU execution upon failure
if it was running originally

* src/qemu/qemu_driver.c: Resume CPUs upon save failure

This supports cancellation of jobs for the QEMU driver against
the virDomainMigrate, virDomainSave and virDomainCoreDump APIs.
It is not yet supported for the virDomainRestore API, although
it is desirable.

* src/qemu/qemu_driver.c: Issue 'migrate_cancel' command if
  virDomainAbortJob is issued during a migration operation
* tools/virsh.c: Add a domjobabort command

This defines the wire protocol for the new API

* src/remote/remote_protocol.x: Wire protocol definition
* src/remote/remote_driver.c,daemon/remote.c: Client and server
  side implementation
* daemon/remote_dispatch_args.h, daemon/remote_dispatch_prototypes.h,
  daemon/remote_dispatch_table.h, src/remote/remote_protocol.c,
  src/remote/remote_protocol.h: Re-generate from remote_protocol.x

This provides the internal glue for the driver API

* src/driver.h: Internal API contract
* src/libvirt.c, src/libvirt_public.syms: Connect public API
  to driver API
* src/esx/esx_driver.c, src/lxc/lxc_driver.c, src/opennebula/one_driver.c,
  src/openvz/openvz_driver.c, src/phyp/phyp_driver.c,
  src/qemu/qemu_driver.c, src/remote/remote_driver.c,
  src/test/test_driver.c src/uml/uml_driver.c, src/vbox/vbox_tmpl.c,
  src/xen/xen_driver.c: Stub out entry points

Introduce support for  virDomainGetJobInfo in the QEMU driver. This
allows for monitoring of any API that uses the 'info migrate' monitor
command. ie virDomainMigrate, virDomainSave and virDomainCoreDump

Unfortunately QEMU does not provide a way to monitor incoming migration
so we can't wire up virDomainRestore yet.

The virsh tool gets a new command 'domjobinfo' to query status

* src/qemu/qemu_driver.c: Record virDomainJobInfo and start time
  in qemuDomainObjPrivatePtr objects. Add generic shared handler
  for calling 'info migrate' with all migration based APIs.
* src/qemu/qemu_monitor_text.c: Fix parsing of 'info migration' reply
* tools/virsh.c: add new 'domjobinfo' command to query progress

* src/remote/remote_protocol.x: Define wire protocol format
  for virDomainGetJobInfo API
* src/remote/remote_driver.c, daemon/remote.c: Implement client
  and server marshalling code for virDomainGetJobInfo()
* daemon/remote_dispatch_args.h, daemon/remote_dispatch_prototypes.h
  daemon/remote_dispatch_ret.h, daemon/remote_dispatch_table.h,
  src/remote/remote_protocol.c, src/remote/remote_protocol.h: Rebuild
  files from src/remote/remote_protocol.x

The internal glue layer for the new pubic API

* src/driver.h: Define internal driver API contract
* src/libvirt.c, src/libvirt_public.syms: Wire up public
  API to internal driver API
* src/esx/esx_driver.c, src/lxc/lxc_driver.c, src/opennebula/one_driver.c,
  src/openvz/openvz_driver.c, src/phyp/phyp_driver.c,
  src/qemu/qemu_driver.c, src/remote/remote_driver.c,
  src/test/test_driver.c, src/uml/uml_driver.c, src/vbox/vbox_tmpl.c,
  src/xen/xen_driver.c: Stub new entry point

All other uses of get_str_prop in this file that ignored
failure explicitly cast to void.

* src/node_device/node_device_hal.c (dev_create): Silence coverity
warning.

A number of the error messages raised when parsing USB devices
refered to PCI devices by mistake

* src/qemu/qemu_conf.c: s/PCI/USB/ in qemuParseCommandLineUSB()

The USB hotplug method was mistakenly generating a PCI address
string

* src/qemu/qemu_driver.c: Fix USB hotplug device string

when the underlying qemu supports the drive/device model and the
controller has been added this way.
* src/qemu/qemu_driver.c: use qemuMonitorDelDevice() when detaching
  PCI controller and if supported
* src/qemu/qemu_monitor.[ch]: add new qemuMonitorDelDevice() function
* src/qemu/qemu_monitor_json.[ch]: JSON backend for DelDevice command
* src/qemu/qemu_monitor_text.[ch]: Text backend for DelDevice command

* src/qemu/qemu_driver.c: in qemudDomainDetachPciControllerDevice()
  when a controller is not present in the system anymore, the PCI
  address must be deleted from libvirt's hashtable because it can
  be re-used for other purposes.

* src/qemu/qemu_driver.c: in qemudDomainAttachDevice(), one must not
  delete the data part when the operation succeeds because it is
  required later on. The correct pattern to handlethe parsed
  representation of the device information on success
  is dev->data.controller = NULL; virDomainDeviceDefFree(dev);,
  which leaves the structure pointed at by data in memory.