All functions from libnuma must be protected with ifdefs. Avoid this by
using our own wrapper.

aa0f0992 introduced a strict error checking for getsockopt and it
revealed that getting a peer credential of a socket on FreeBSD
didn't work. Libvirtd hits the error:
  error : virNetSocketGetUNIXIdentity:1198 : Failed to get valid
  client socket identity groups

SOL_SOCKET (0xffff) was used as a level of getsockopt for
LOCAL_PEERCRED, however, it was wrong. 0 is correct as well as
Mac OS X.

So for LOCAL_PEERCRED our options are SOL_LOCAL (if defined) or
0 on Mac OS X and FreeBSD. According to the fact, the patch
simplifies the code by removing ifdef __APPLE__.

I tested the patch on FreeBSD 8.4, 9.2 and 10.0-BETA1.
Signed-off-by: NRyota Ozaki <ozaki.ryota@gmail.com>

With Mac OS X 10.9, xdrproc_t is no longer defined as:

typedef bool_t (*xdrproc_t)(XDR *, ...);

but instead as:

typdef bool_t (*xdrproc_t)(XDR *, void *, unsigned int);

For reference, Linux systems typically define it as:

typedef bool_t (*xdrproc_t)(XDR *, void *, ...);

The rationale explained in the header is that using a vararg is
incorrect and has a potential to change the ABI slightly do to compiler
optimizations taken and the undefined behavior. They decided
to specify the exact number of parameters and for compatibility with old
code decided to make the signature require 3 arguments. The third
argument is ignored for cases that its not used and its recommended to
supply a 0.

Rather than casting the virBitmap pointer to uint8_t* and then using
the structure contents as a byte array, use the virBitmap API to determine
the bitmap size and test each bit.
Signed-off-by: NJeremy Fitzhardinge <jeremy@goop.org>

This reverts commit 394d6e0a.
The real problem is accessing the virtBitmap structure as a byte
array, which was correctly identified and fixed by Jeremy Fitzhardinge

https://www.redhat.com/archives/libvir-list/2013-October/msg01257.html

in recently xen commit: 7051d5c8, there is a api changes in
libxl_domain_create_restore.
Author: Andrew Cooper <andrew.cooper3@citrix.com>
Date:   Thu Oct 10 12:23:10 2013 +0100

    tools/migrate: Fix regression when migrating from older version of Xen

use the macro LIBXL_HAVE_DOMAIN_CREATE_RESTORE_PARAMS in libxl.h
in order to make libvirt could compile with old and new xen.

the params checkpointed_stream is useful if libvirt libxl driver
support migration. for new, set it as zero.
Signed-off-by: NBamvor Jian Zhang <bjzhang@suse.com>

When starting a transient VM the first thing done is to check
for duplicates. The check looks if there are any running VMs
with the matching name/uuid. It explicitly allows there to
be inactive VMs, so that a persistent VM can be temporarily
booted with a different config.

There is a race condition, however, where 2 or more clients
try to create the same transient VM. The first client will
cause a virDomainObjPtr to be added to the domain list, and
it is inactive at this stage. The second client may then
come along and see this inactive VM, and mistake it for a
persistent VM.

If the first VM fails to start its transient guest for any
reason, then it'll remove the virDomainObjPtr from the list.
The second client now has a virDomainObjPtr that it can try
to boot, which libvirt no longer has a record of. The result
can be a running QEMU process that is orphaned.

It was also, however, possible for the virDomainObjPtr to be
completely free'd which will cause libvirtd to crash in some
scenarios.

The fix is to only allow an existing inactive VM if it is
marked as persistent.
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>

Instead of using a port from the remote display range.

https://bugzilla.redhat.com/show_bug.cgi?id=1025699

Thie patch fixes the segfault:
    error : nodeStateInitialize:658 : DBus not available,
      disabling HAL driver: internal error: Unable to get DBus
      system bus connection: Failed to connect to socket
      /var/run/dbus/system_bus_socket: No such file or directory
    error : nodeStateInitialize:719 :  ?:
    Caught Segmentation violation dumping internal log buffer:

This segfault occurs at the below VIR_ERROR:
  failure:
      if (dbus_error_is_set(&err)) {
          VIR_ERROR(_("%s: %s"), err.name, err.message);

When virDBusGetSystemBus fails, the code jumps to the above failure
path. However, the err variable is not correctly initialized
before calling virDBusGetSystemBus. As a result, dbus_error_is_set
may pass over the uninitialized err variable whose name or
message may point to somewhere unknown memory region, which
causes a segfault on VIR_ERROR.

The new code initializes the err variable before calling
virDBusGetSystemBus.
Signed-off-by: NRyota Ozaki <ozaki.ryota@gmail.com>

Include reference of the VM object pointer and name in debug
logs for QEMU start/stop functions. Also make sure we log the
PID that we started, since it isn't available elsewhere in the
logs.
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>

In debugging a recent oVirt/libvirt race condition, I was very
frustrated by lack of logging in the job enter/exit code. This
patch adds some key data which would have been useful in by
debugging attempts.
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>

Fix the if statement coding style.
Signed-off-by: NHongwei Bi <hwbi2008@gmail.com>

Using size_t counts will let us use VIR_APPEND_ELEMENT and friends.

* src/conf/storage_conf.h (_virStoragePoolObjList)
(_virStorageVolDefList): Track list sizes with size_t.
* src/storage/storage_backend_rbd.c
(virStorageBackendRBDRefreshPool): Fix type fallout.
Signed-off-by: NEric Blake <eblake@redhat.com>

To make it easier to forbid future attempts at a confusing typedef
name ending in Ptr that isn't actually a pointer, insist that we
follow our preferred style of 'typedef foo *fooPtr'.

* cfg.mk (sc_forbid_const_pointer_typedef): Enforce consistent
style, to prevent issue fixed in previous storage patch.
* src/conf/capabilities.h (virCapsPtr): Fix offender.
* src/security/security_stack.c (virSecurityStackItemPtr):
Likewise.
* tests/qemucapabilitiestest.c (testQemuDataPtr): Likewise.
Signed-off-by: NEric Blake <eblake@redhat.com>

By indenting code inside of comments, it gets recognized as a
code block when generating the HTML documentation.

See libvirt-libvirt.html#virStreamSend for the effect.

The following sequence

 1. Define a persistent QMEU guest
 2. Start the QEMU guest
 3. Stop libvirtd
 4. Kill the QEMU process
 5. Start libvirtd
 6. List persistent guests

At the last step, the previously running persistent guest
will be missing. This is because of a race condition in the
QEMU driver startup code. It does

 1. Load all VM state files
 2. Spawn thread to reconnect to each VM
 3. Load all VM config files

Only at the end of step 3, does the 'virDomainObjPtr' get
marked as "persistent". There is therefore a window where
the thread reconnecting to the VM will remove the persistent
VM from the list.

The easy fix is to simply switch the order of steps 2 & 3.

In addition to this though, we must only attempt to reconnect
to a VM which had a non-zero PID loaded from its state file.
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>

The 'error' cleanup block in qemuProcessReconnect() had a
'return' statement in the middle of it. This caused a leak
of virConnectPtr & virQEMUDriverConfigPtr instances. This
was identified because netcf recently started checking its
refcount in libvirtd shutdown:

netcfStateCleanup:109 : internal error: Attempt to close netcf state driver with open connections
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>

virDomainObjListLoadAllConfigs sets dom->persistent after
having released its lock on the domain object. This exposes
a possible race condition.
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>

To ensure proper processing by virGetUserID() and virGetGroupID()
of a uid/gid add a "+" prior to the uid/gid to denote it's really
a uid/gid for the label.

The rbd code had a confusing typedef ending in Ptr that was not
actually a pointer, which made the rest of the code harder to
read.  This fixes things to actually pass by pointer rather than
by copy.

* src/storage/storage_backend_rbd.c (virStorageBackendStatePtr):
Fix typedef.
(virStorageBackendRBDOpenRADOSConn)
(virStorageBackendRBDCloseRADOSConn)
(volStorageBackendRBDRefreshVolInfo)
(virStorageBackendRBDRefreshPool, virStorageBackendRBDDeleteVol)
(virStorageBackendRBDCreateVol, virStorageBackendRBDRefreshVol)
(virStorageBackendRBDResizeVol): Fix fallout.
Signed-off-by: NEric Blake <eblake@redhat.com>

Commit 64a68a4a introduced a typo in the initialization of the apparmor
driver structure breaking the build with apparmor enabled.

When adding an automatically allocated port to a well-formed migration
URI, keep it well-formed:

  tcp://1.2.3.4/  ->  tcp://1.2.3.4/:12345   # wrong
  tcp://1.2.3.4/  ->  tcp://1.2.3.4:12345/   # fixed
  tcp://1.2.3.4   ->  tcp://1.2.3.4:12345    # still works
  tcp:1.2.3.4     ->  tcp:1.2.3.4:12345      # still works (old syntax)
Signed-off-by: NMichael Chapman <mike@very.puzzling.org>

Introduced by commit 0f31f7b7.
Signed-off-by: NGao feng <gaofeng@cn.fujitsu.com>
Signed-off-by: NJán Tomko <jtomko@redhat.com>

Expand the "secmodel" XML fragment of "host" with a sequence of
baselabel's which describe the default security context used by
libvirt with a specific security model and virtualization type:

<secmodel>
  <model>selinux</model>
  <doi>0</doi>
  <baselabel type='kvm'>system_u:system_r:svirt_t:s0</baselabel>
  <baselabel type='qemu'>system_u:system_r:svirt_tcg_t:s0</baselabel>
</secmodel>
<secmodel>
  <model>dac</model>
  <doi>0</doi>
  <baselabel type='kvm'>107:107</baselabel>
  <baselabel type='qemu'>107:107</baselabel>
</secmodel>

"baselabel" is driver-specific information, e.g. in the DAC security
model, it indicates USER_ID:GROUP_ID.
Signed-off-by: NGiuseppe Scrivano <gscrivan@redhat.com>
Signed-off-by: NEric Blake <eblake@redhat.com>

virSecurityManagerGetBaseLabel queries the default settings used by
a security model.
Signed-off-by: NGiuseppe Scrivano <gscrivan@redhat.com>

Merge the functions 'virSecurityDACSetUser' and
'virSecurityDACSetGroup' into 'virSecurityDACSetUserAndGroup'.
Signed-off-by: NGiuseppe Scrivano <gscrivan@redhat.com>

The lxcContainerSetID() method prints a misleading log
message about setting the uid/gid when no ID map is
present in the XML config. Skip the debug message in
this case.
Signed-off-by: NChen Hanxiao <chenhanxiao@cn.fujitsu.com>

Commit '922b7fda' resulted in two DEADCODE warnings from Coverity in
remoteDispatchAuthPolkit and virAccessDriverPolkitFormatProcess.
Commit '604ae657' modified the daemon.c code to remove the deadcode
issue, but did not do so for viracessdriverpolkit.c. This just mimics
the same changes

According to the following valgrind output, there seems to be a
invalid limit for the iterator (captured on Fedora 19):

==3945== Invalid read of size 1
==3945==    at 0x1E1FA410: libxlVmStart (libxl_driver.c:475)
==3945==    by 0x1E1FAD9A: libxlDomainCreateWithFlags (libxl_driver.c:2633)
==3945==    by 0x5187D46: virDomainCreate (libvirt.c:9439)
==3945==    by 0x13BAA6: remoteDispatchDomainCreateHelper (remote_dispatch.h:2910)
==3945==    by 0x51DE5B9: virNetServerProgramDispatch (virnetserverprogram.c:435)
==3945==    by 0x51D93E7: virNetServerHandleJob (virnetserver.c:165)
==3945==    by 0x50F5BF4: virThreadPoolWorker (virthreadpool.c:144)
==3945==    by 0x50F5670: virThreadHelper (virthreadpthread.c:161)
==3945==    by 0x8046C52: start_thread (pthread_create.c:308)
==3945==    by 0x8758E1C: clone (clone.S:113)
==3945==  Address 0x23424d81 is 0 bytes after a block of size 1 alloc'd
==3945==    at 0x4A08121: calloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==3945==    by 0x50B1F8C: virAllocN (viralloc.c:189)
==3945==    by 0x1E1FA3CA: libxlVmStart (libxl_driver.c:468)
==3945==    by 0x1E1FAD9A: libxlDomainCreateWithFlags (libxl_driver.c:2633)
==3945==    by 0x5187D46: virDomainCreate (libvirt.c:9439)
==3945==    by 0x13BAA6: remoteDispatchDomainCreateHelper (remote_dispatch.h:2910)
==3945==    by 0x51DE5B9: virNetServerProgramDispatch (virnetserverprogram.c:435)
==3945==    by 0x51D93E7: virNetServerHandleJob (virnetserver.c:165)
==3945==    by 0x50F5BF4: virThreadPoolWorker (virthreadpool.c:144)
==3945==    by 0x50F5670: virThreadHelper (virthreadpthread.c:161)
==3945==    by 0x8046C52: start_thread (pthread_create.c:308)
==3945==    by 0x8758E1C: clone (clone.S:113)
==3945==

Related: https://bugzilla.redhat.com/show_bug.cgi?id=1013045Signed-off-by: NMartin Kletzander <mkletzan@redhat.com>

Currently, we ignore whether dnsmasqCapsRefresh succeeds or fails. We
shouldn't do that as we may generate wrong dnsmasq command line (what
is done just a few lines below).
Signed-off-by: NHongwei Bi <hwbi2008@gmail.com>
Signed-off-by: NMichal Privoznik <mprivozn@redhat.com>

While LOCAL_PEERCRED on the BSDs does not return the pid information of
the peer, Mac OS X 10.8 added LOCAL_PEERPID to retrieve the pid so we
should use that when its available to get that information.

There are still two places where we are using 1bit width unsigned
integer to store a boolean. There's no real need for this and these
occurrences can be replaced with 'bool'.
Signed-off-by: NMichal Privoznik <mprivozn@redhat.com>

After commit 3e2f27e1, I've noticed build failures of virt-login-shell
when libapparmor-devel is installed on the build host

CCLD     virt-login-shell
../src/.libs/libvirt-setuid-rpc-client.a(libvirt_setuid_rpc_client_la-vircommand.o):
In function `virExec':
/home/jfehlig/virt/upstream/libvirt/src/util/vircommand.c:653: undefined
reference to `aa_change_profile'
collect2: error: ld returned 1 exit status

I was about to commit an easy fix under the build-breaker rule
(build-fix-1.patch), but thought to extend the notion of SECDRIVER_LIBS
to SECDRIVER_CFLAGS, and use both throughout src/Makefile.am where it
makes sense (build-fix-2.patch).

Should I just stick with the simple fix, or is something along the lines
of patch 2 preferred?

Regards,
Jim

>From a0f35945f3127ab70d051101037e821b1759b4bb Mon Sep 17 00:00:00 2001
From: Jim Fehlig <jfehlig@suse.com>
Date: Mon, 21 Oct 2013 15:30:02 -0600
Subject: [PATCH] build: fix virt-login-shell build with apparmor

With libapparmor-devel installed, virt-login-shell fails to link

CCLD     virt-login-shell
../src/.libs/libvirt-setuid-rpc-client.a(libvirt_setuid_rpc_client_la-vircommand.o): In function `virExec':
/home/jfehlig/virt/upstream/libvirt/src/util/vircommand.c:653: undefined reference to `aa_change_profile'
collect2: error: ld returned 1 exit status

Fix by linking libvirt_setuid_rpc_client with previously determined
SECDRIVER_LIBS in src/Makefile.am.  While at it, introduce SECDRIVER_CFLAGS
and use both throughout src/Makefile.am where it makes sense.
Signed-off-by: NJim Fehlig <jfehlig@suse.com>

HW_PHYSMEM is available on Mac OS X as well as FreeBSD, however,
its resulting value for Mac OS X is 32 bits. Mac OS X provides
HW_MEMSIZE that is 64 bits version of HW_PHYSMEM. We have to use it.

I tested the patch on Mac OS X 10.6.8, 10.7.4, 10.8.5 and FreeBSD 9.2.
Signed-off-by: NRyota Ozaki <ozaki.ryota@gmail.com>

This patch (and the two patches that precede it) resolve:

  https://bugzilla.redhat.com/show_bug.cgi?id=1005682

When libvirt was changed to delay the final cleanup of device removal
until the qemu process had signaled it with a DEVICE_DELETED event for
that device, the hostdev removal function
(qemuDomainRemoveHostDevice()) was written to properly handle the
removal of a hostdev that was actually an SRIOV virtual function
(defined with <interface type='hostdev'>). However, the function used
to search for a device matching the alias name provided in the
DEVICE_DELETED message (virDomainDefFindDevice()) would search through
the list of netdevs before hostdevs, so qemuDomainRemoveHostDevice()
was never called; instead the netdev function,
qemuDomainRemoveNetDevice() (which *doesn't* properly cleanup after
removal of <interface type='hostdev'>), was called.

(As a reminder - each <interface type='hostdev'> results in a
virDomainNetDef which contains a virDomainHostdevDef having a parent
type of VIR_DOMAIN_DEVICE_NET, and parent.data.net pointing back to
the virDomainNetDef; both Defs point to the same device info object
(and the info contains the device's "alias", which is used by qemu to
identify the device). The virDomainHostdevDef is added to the domain's
hostdevs list *and* the virDomainNetDef is added to the domain's nets
list, so searching either list for a particular alias will yield a
positive result.)

This function modifies the qemuDomainRemoveNetDevice() to short
circuit itself and call qemu DomainRemoveHostDevice() instead when the
actual device is a VIR_DOMAIN_NET_TYPE_HOSTDEV (similar logic to what
is done in the higher level qemuDomainDetachNetDevice())

Note that even if virDomainDefFindDevice() changes in the future so
that it finds the hostdev entry first, the current code will continue
to work properly.

pure code movement to setup for next patch.

This function was called in three places, and in each the call was
qualified by a slightly different conditional. In reality, this
function should only be called for a hostdev if all of the following
are true:

  1) mode='subsystem'
  2) type='pci'
  3) there is a parent device definition which is an <interface>
     (VIR_DOMAIN_DEVICE_NET)

We can simplify the callers and make them more consistent by checking
these conditions at the top ov qemuDomainHostdevNetConfigRestore and
returning 0 if one of them isn't satisfied.

The location of the call to qemuDomainHostdevNetConfigRestore() has
also been changed in the hot-plug case - it is moved into the caller
of its previous location (i.e. from qemuDomainRemovePCIHostDevice() to
qemuDomainRemoveHostDevice()). This was done to be more consistent
about which functions pay attention to whether or not this is one of
the special <interface> hostdevs or just a normal hostdev -
qemuDomainRemoveHostDevice() already contained a call to
networkReleaseActualDevice() and virDomainNetDefFree(), so it makes
sense for it to also handle the resetting of the device's MAC address
and vlan tag (which is what's done by
qemuDomainHostdevNetConfigRestore()).

Avoid people introducing security flaws in their apps by
forbidding the use of libvirt.so in setuid programs, with
a check in virInitialize.
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>

Most of the usage of getuid()/getgid() is in cases where we are
considering what privileges we have. As such the code should be
using the effective IDs, not real IDs.
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>