- 21 Mar, 2019 5 commits
-
-
Committed by Daniel P. Berrangé
The unprivileged libvirtd does not have permission to create firewall rules, or bridge devices, or do anything to the host network in general. Historically we still activate the network driver though and let the network start API call fail. The startup code path which reloads firewall rules on active networks would thus effectively be a no-op when unprivileged as it is impossible for there to be any active networks. With the change to use a global set of firewall chains, however, we now have code that is run unconditionally. Ideally we would not register the network driver at all when unprivileged, but the entanglement with the virt drivers currently makes that impractical. As a temporary hack, we just make the firewall reload into a no-op. Signed-off-by: Daniel P. Berrangé <berrange@redhat.com> (cherry picked from commit 5d010c3d)
-
Committed by Daniel P. Berrangé
During startup libvirtd creates top level chains for both ipv4 and ipv6 protocols. If this fails for any reason then startup of virtual networks is blocked. The default virtual network, however, only requires use of ipv4 and some servers have ipv6 disabled so it is expected that ipv6 chain creation will fail. There could equally be servers with no ipv4, only ipv6. This patch thus makes error reporting a little more fine grained so that it works more sensibly when either ipv4 or ipv6 is disabled on the server. Only the protocols that are actually used by the virtual network have errors reported. Reviewed-by: Andrea Bolognani <abologna@redhat.com> Signed-off-by: Daniel P. Berrangé <berrange@redhat.com> (cherry picked from commit 686803a1)
-
Committed by Daniel P. Berrangé
During startup we create some top level chains in which all virtual network firewall rules will be placed. The upfront creation is done to avoid slowing down creation of individual virtual networks by checking for chain existence every time. There are some factors which can cause this upfront creation to fail and while a message will get into the libvirtd log this won't be seen by users who later try to start a virtual network. Instead they'll just get a message saying that the libvirt top level chain does not exist. This message is accurate, but unhelpful for solving the root cause. This patch thus saves any error during daemon startup and reports it when trying to create a virtual network later. Reviewed-by: Andrea Bolognani <abologna@redhat.com> Signed-off-by: Daniel P. Berrangé <berrange@redhat.com> (cherry picked from commit 9f4e35dc)
-
Committed by Daniel P. Berrangé
The rbd_list method has been deprecated in Ceph >= 14.0.0 in favour of the new rbd_list2 method which populates an array of structs. Reviewed-by: Ján Tomko <jtomko@redhat.com> Signed-off-by: Daniel P. Berrangé <berrange@redhat.com> (cherry picked from commit 3aa190f2)
-
Committed by Daniel P. Berrangé
The rbd_list method has a quite unpleasant signature returning an array of strings in a single buffer instead of an array. It is being deprecated in favour of rbd_list2. To maintain clarity of code when supporting both APIs in parallel, split the rbd_list code out into a separate method. In splitting this we now honour the rbd_list failures. Reviewed-by: Ján Tomko <jtomko@redhat.com> Signed-off-by: Daniel P. Berrangé <berrange@redhat.com> (cherry picked from commit 28c8403e)
-
- 04 Mar, 2019 1 commit
-
-
Committed by Daniel Veillard
* docs/news.xml: updated for release Signed-off-by: Daniel Veillard <veillard@redhat.com>
-
- 01 Mar, 2019 2 commits
-
-
Committed by Eric Blake
Mention my snapshot bug fixes, and the corresponding virsh command-line parse tweak I added while working on the snapshot bug fixes. Signed-off-by: Eric Blake <eblake@redhat.com>
-
Committed by Eric Blake
The existing qemu snapshot code has a slight bug: if the domain is currently pmsuspended, you can't use the _REDEFINE flag even though the current domain state should have no bearing on being able to recreate metadata state; and conversely, you can use the _REDEFINE flag to create snapshot metadata claiming to be pmsuspended as a bypass to the normal restrictions that you can't create an original qemu snapshot in that state (the restriction against pmsuspend is specific to qemu, rather than part of the driver-agnostic snapshot_conf code). Fix this by checking the snapshot state (when redefining) instead of the domain state (which is a subset of snapshot states). Fixes the second problem mentioned in https://bugzilla.redhat.com/1680304 Signed-off-by: Eric Blake <eblake@redhat.com> Reviewed-by: John Ferlan <jferlan@redhat.com>
-
- 28 Feb, 2019 7 commits
-
-
Committed by Jiri Denemark
Both block_size and nb_block are uint32_t and multiplying them overflows at 4GiB. Moreover, the iscsi_*10_* APIs use 32bit number of blocks and thus they can only address images up to 2TiB with 512B blocks. Let's use 64b iscsi_*16_* APIs instead. Signed-off-by: Jiri Denemark <jdenemar@redhat.com>
-
Committed by Michal Privoznik
When fetching LUNs from iscsi server the virISCSIDirectReportLuns() is called. This function does some libiscsi calls and then calls virISCSIDirectRefreshVol() over each LUN found. It's unfortunate that the latter calls virStoragePoolObjClearVols() as we lose all LUNs processed in previous iterations. Signed-off-by: Michal Privoznik <mprivozn@redhat.com> Reviewed-by: Jiri Denemark <jdenemar@redhat.com>
-
Committed by Andrea Bolognani
Some of the recent entries deviated from the established style used throughout the file, so let's fix them. Signed-off-by: Andrea Bolognani <abologna@redhat.com>
-
Committed by Michal Privoznik
Not exhaustive list of new features, improvements and bugfixes. Signed-off-by: Michal Privoznik <mprivozn@redhat.com> Reviewed-by: Andrea Bolognani <abologna@redhat.com> Reviewed-by: John Ferlan <jferlan@redhat.com>
-
Committed by Michal Privoznik
Jirka reported a bug that with every 'virsh pool-refresh' an iscsi-direct pool would grow and grow. The problem is that virISCSIDirectRefreshVol() only adds to def->capacity and def->allocation but nothing clears it out to begin with. Signed-off-by: Michal Privoznik <mprivozn@redhat.com> Reviewed-by: Pavel Hrdina <phrdina@redhat.com>
-
Committed by Eric Blake
For consistency with other error messages, and the fact that the object is always called a virDomainSnapshot rather than a mere virSnapshot, include the word "domain" in the error message. Suggested-by: John Ferlan <jferlan@redhat.com> Signed-off-by: Eric Blake <eblake@redhat.com> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
-
Committed by Eric Blake
Commit 28f8dfdc (1.0.0) added a flag to virDomainGetXMLDesc, but failed to document its effects. And considering that the MIGRATABLE flag has been the source of past bugs (CVE-2014-7823, fixed in commit b1674ad5 (1.2.11), or even cf2d4c60 (1.2.13) where flag mismatch broke virsh edit), make the wording wishy-washy enough to discourage using the flag casually, by mentioning that the resulting XML is more for internal use than for validation against the schema. Signed-off-by: Eric Blake <eblake@redhat.com> Reviewed-by: John Ferlan <jferlan@redhat.com>
-
- 27 Feb, 2019 4 commits
-
-
Committed by Eric Blake
Due to historical back-compat, bare 'virsh snapshot-create-as' favors internal snapshots (but can't be used on domains with raw storage), while 'virsh snapshot-create-as --disk-only' favors external snapshots. What's more, snapshots created with --disk-only while the domain was running are marked as snapshot state 'disk-snapshot', while snapshots created while the domain was offline are marked as snapshot state 'shutdown' (a 'disk-snapshot' image might not be quiescent, while a 'shutdown' snapshot always is). But this leads to some interesting problems: if we create a --disk-only snapshot of an offline guest, and then immediately try to 'virsh snapshot-create --redefine' using the resulting XML to overwrite the existing snapshot in place, things silently succeed, but 'virsh snapshot-create --redefine --disk-only' fails with an error message that the snapshot state is not 'disk-only'. Worse, if we delete the snapshot metadata first and then try to recreate things, omitting --disk-only fails because the verification code wants to force the default of an internal snapshot (which doesn't work with raw disks), and using --disk-only still fails because the snapshot XML is not 'disk-only' - making it impossible to recreate the snapshot metadata (or to transfer it from one libvirtd host to another). Ideally, the presence or absence of the --disk-only flag, and the presence or absence of an existing snapshot being overwritten, shouldn't matter; if the XML is valid for one situation, it should always be valid to redefine the metadata for that snapshot. Fix things by uniformly using virDomainSnapshotDefIsExternal() (caching the results up front, and eliminating other 'if' clauses now rendered redundant) when deciding whether the XML being requested for redefinition should permit external or force internal state capture (we got it right in only one out of three places in the function).
See also https://bugzilla.redhat.com/1680304; this fixes the domain-agnostic problems mentioned there, but another patch is needed to fix further oddities with the qemu driver. I did not check for sure when the problems were introduced (git blame puts some affected hunks as far back as 1.0.0), but it has definitely been broken even before when commit 670e86bf (1.1.4) factored redefine prep out of qemu code into the common snapshot_conf code. Signed-off-by: Eric Blake <eblake@redhat.com> Reviewed-by: John Ferlan <jferlan@redhat.com>
-
Committed by Eric Blake
Upcoming patches plan to introduce virDomainCheckpointPtr as a new object for use in incremental backups, along with documentation on how incremental backups differ from snapshots. But first, we need to rename any existing mention of a 'system checkpoint' to instead be a 'full system snapshot', so that we aren't overloading the term checkpoint. Signed-off-by: Eric Blake <eblake@redhat.com> Reviewed-by: John Ferlan <jferlan@redhat.com>
-
Committed by Eric Blake
The previous patch made it possible to split multiple commands by adding newline, but not to split a long single command. The sequence backslash-newline was being used as if it were a quoted newline character, rather than completely elided the way the shell does. Again, add more tests, although this time it seems more like I am suffering from a leaning-toothpick syndrome with all the \. Signed-off-by: Eric Blake <eblake@redhat.com> Reviewed-by: John Ferlan <jferlan@redhat.com>
-
Committed by Eric Blake
I wanted to do a demonstration with virsh batch mode, which takes multiple commands all packed into a single argument:

  $ virsh -c test:///default 'echo a; echo b;'
  a
  b

but that produced a really long line, so I tried to make it more legible:

  $ virsh -c test:///default '
    echo a;
    echo b;
  '
  error: unknown command: '
  '

Let's be more like the shell, and treat unquoted newline as a command separator just as we do for semicolon. In fact, with that, I can even now mix styles:

  $ virsh -c test:///default '
    echo a; echo b
    echo c
  '
  a
  b
  c

Signed-off-by: Eric Blake <eblake@redhat.com> Reviewed-by: John Ferlan <jferlan@redhat.com>
-
- 26 Feb, 2019 2 commits
-
-
Committed by Yi Wang
vcpupin will fail when maxvcpus is larger than current vcpu:

  virsh vcpupin win7 --vcpu 0 --cpulist 5-6
  error: Requested operation is not valid: cpu affinity is not supported

win7 xml in the command above is like below:

  ...
  <vcpu current="3" placement="static">8</vcpu>
  ...

The reason is vcpu[3] and vcpu[4] have zero tids and should not be compared as a valid situation in qemuDomainRefreshVcpuInfo(). This issue is introduced by commit 34f77437, which fixes recording of vCPU pids for MTTCG. Signed-off-by: Yi Wang <wang.yi59@zte.com.cn> Reviewed-by: Ján Tomko <jtomko@redhat.com> Signed-off-by: Ján Tomko <jtomko@redhat.com>
-
Committed by Diego Michelotto
Added GPFS as shared file system recognized during live migration security checks. GPFS is 'IBM General Parallel File System' also called 'IBM Spectrum Scale'. BUG: https://bugzilla.redhat.com/show_bug.cgi?id=1679528 Signed-off-by: Diego Michelotto <diego.michelotto@cnaf.infn.it> Signed-off-by: Peter Krempa <pkrempa@redhat.com>
-
- 25 Feb, 2019 13 commits
-
-
Committed by Julio Faracco
The structure used to handle network entries was based on 'if,else' conditions. This commit converts this ugly structure into a switch to clarify each option of the handler. Signed-off-by: Julio Faracco <jcfaracco@gmail.com> Reviewed-by: John Ferlan <jferlan@redhat.com>
-
Committed by Julio Faracco
Extract out the network "type" processing into its own method rather than inline within lxcNetworkParseDataSuffix. Signed-off-by: Julio Faracco <jcfaracco@gmail.com> Reviewed-by: John Ferlan <jferlan@redhat.com>
-
Committed by Julio Faracco
This commit removes the full network entry setting: "lxc.network.X" to type only. Like "type", "name", "flags", etc. This will handle entries regardless of whether they are prefixed by "lxc.network." (today) or "lxc.net.X." (the future). Signed-off-by: Julio Faracco <jcfaracco@gmail.com> Reviewed-by: John Ferlan <jferlan@redhat.com>
-
Committed by Julio Faracco
Refactor lxcNetworkWalkCallback to be a simple method to handle both possible network settings with indexes or the simple one. It is better to decouple the whole algorithm to parse data to only parse which entry type libvirt is handling. The new method is responsible to verify if the settings correspond to a network entry. Right now, it is only verifying "lxc.network.", but in the future, it can be used to verify "lxc.net.X." too. Any other case would be rejected. On the other hand, the idea here is working only with types. If we know that entry is part of network settings, after we just need to know which type it is. It keeps the handler simple. Signed-off-by: Julio Faracco <jcfaracco@gmail.com> Reviewed-by: John Ferlan <jferlan@redhat.com>
-
Committed by Julio Faracco
The new method called lxcNetworkParseDataIPs() is responsible to handle IPv{4,6} settings now. The idea is to let the lxcNetworkWalkCallback() method handle all entries related to network definition only. Signed-off-by: Julio Faracco <jcfaracco@gmail.com> Reviewed-by: John Ferlan <jferlan@redhat.com>
-
Committed by Andrea Bolognani
libvirt_iohelper is used internally by the virFileWrapperFd APIs; more specifically, in the QEMU driver we have the doCoreDump() and qemuDomainSaveMemory() helper functions as users, and those in turn end up being called by the implementation of several driver APIs. By calling virReportError() if libvirt_iohelper has failed, we overwrite whatever generic error message QEMU might have raised with the more useful one generated by the helper program. After this commit, the user will be able to see the error directly instead of having to dig in the journal or libvirtd log. https://bugzilla.redhat.com/show_bug.cgi?id=1578741 Signed-off-by: Andrea Bolognani <abologna@redhat.com> Reviewed-by: Ján Tomko <jtomko@redhat.com>
-
Committed by Andrea Bolognani
virFileWrapperFdFree(), like all free functions, is supposed to only release allocated resources, so error reporting is better suited for virFileWrapperFdClose(). This reverts commit b0c3e931. Signed-off-by: Andrea Bolognani <abologna@redhat.com> Reviewed-by: Ján Tomko <jtomko@redhat.com>
-
Committed by Andrea Bolognani
Right now we're reporting errors in virFileWrapperFdFree(), but that's hardly the appropriate place to do so, as free functions are supposed to do nothing more than release allocated resources. We want to move that code back into virFileWrapperFdClose(), but before we can do that we need to make sure the function is actually called every time we're done processing the wrapped file. The cleanup path is the obvious candidate. In a couple of cases we can just move the call, but for the remaining ones we need to duplicate it instead in order not to alter the existing behavior. We do, however, make sure that in all cases a failure to properly close the wrapper results in the overall operation being reported as failed. Signed-off-by: Andrea Bolognani <abologna@redhat.com> Reviewed-by: Ján Tomko <jtomko@redhat.com>
-
Committed by Andrea Bolognani
We'll want to use this function in the cleanup path soon, and in order to be able to do that we need to make sure we can call it multiple times on the same virFileWrapperFd without side effects. Signed-off-by: Andrea Bolognani <abologna@redhat.com> Reviewed-by: Ján Tomko <jtomko@redhat.com>
-
Committed by Marc Hartmayer
Replace virDomainChrSourceDefFree with virObjectUnref. Signed-off-by: Marc Hartmayer <mhartmay@linux.ibm.com> Reviewed-by: Boris Fiuczynski <fiuczy@linux.ibm.com> Reviewed-by: Ján Tomko <jtomko@redhat.com> Signed-off-by: Ján Tomko <jtomko@redhat.com>
-
Committed by Marc Hartmayer
Use refcounting for priv->monConfig instead of asymmetric freeing. Signed-off-by: Marc Hartmayer <mhartmay@linux.ibm.com> Reviewed-by: Boris Fiuczynski <fiuczy@linux.ibm.com> Reviewed-by: Ján Tomko <jtomko@redhat.com> Signed-off-by: Ján Tomko <jtomko@redhat.com>
-
Committed by Christian Ehrhardt
Change fb01e1a4 "virt-aa-helper: generate rules for gl enabled graphics devices" implemented the detection for gl enabled devices in virt-aa-helper. But further testing showed that it will need much more access for the full gl stack to work. Upstream apparmor just recently split those things out and now has two related abstractions at https://gitlab.com/apparmor/apparmor/blob/master: - dri-common at /profiles/apparmor.d/abstractions/dri-common - mesa: at /profiles/apparmor.d/abstractions/mesa It would be great to just include that for the majority of rules, but they are not yet in any distribution so we need to add rules inspired by them based on the testing that we can do. Furthermore qemu with opengl will also probe the backing device of the rendernode for attributes which should be safe as read-only wildcard rules. Fixes: https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1815452 Acked-by: Jamie Strandboge <jamie@canonical.com> Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
-
Committed by Christian Ehrhardt
Change fb01e1a4 "virt-aa-helper: generate rules for gl enabled graphics devices" implemented the detection for gl enabled devices in virt-aa-helper. But it will in certain cases, e.g. if no rendernode was explicitly specified, need to read /dev/dri which it currently isn't allowed. Add a rule to the apparmor profile of virt-aa-helper itself to be able to do that. Acked-by: Jamie Strandboge <jamie@canonical.com> Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
-
- 24 Feb, 2019 4 commits
-
-
Committed by Roman Bogorodskiy
Add a bhyveDomainDefNeedsISAController() helper function which by domain configuration determines whether LPC controller is required or not. Signed-off-by: Roman Bogorodskiy <bogorodskiy@gmail.com> Reviewed-by: Ján Tomko <jtomko@redhat.com>
-
Committed by Roman Bogorodskiy
Describe bhyve's ignoring unknown MSRs access feature introduced by commit e9528f41. Signed-off-by: Roman Bogorodskiy <bogorodskiy@gmail.com> Reviewed-by: Cole Robinson <crobinso@redhat.com>
-
Committed by Roman Bogorodskiy
Implement the MSRs ignore unknown reads and writes feature that's specified using: <features> ... <msrs unknown='ignore'> ... </features> in the domain XML. In bhyve, it's just passing '-w' command line argument to the bhyve(8) executable. Signed-off-by: Roman Bogorodskiy <bogorodskiy@gmail.com> Reviewed-by: Cole Robinson <crobinso@redhat.com>
-
Committed by Roman Bogorodskiy
Introduce the 'msrs' feature element that controls Model Specific Registers related behaviour. At this moment it allows only single tunable attribute "unknown": <msrs unknown='ignore|fault'/> Which tells hypervisor to ignore accesses to unimplemented Model Specific Registers. The only user of that for now is going to be the bhyve driver. Signed-off-by: Roman Bogorodskiy <bogorodskiy@gmail.com> Reviewed-by: Cole Robinson <crobinso@redhat.com>
-
- 23 Feb, 2019 2 commits
-
-
Committed by Jiri Denemark
Signed-off-by: Jiri Denemark <jdenemar@redhat.com> Reviewed-by: Ján Tomko <jtomko@redhat.com>
-
Committed by Jiri Denemark
The tests/cputestdata/cpu-parse.sh script has been broken since the cpu_map.xml file was split into several XMLs. Signed-off-by: Jiri Denemark <jdenemar@redhat.com> Reviewed-by: Ján Tomko <jtomko@redhat.com>
-