[Libvir] netcat "-U" option
by Richard W.M. Jones
Debian ship a completely different version of netcat from Fedora. Not
just a different version, but it appears to be a different codebase.
Debian's netcat doesn't support the (very useful) -U option, so this
code fails in src/remote_internal.c:
cmd_argv[j++] = strdup (command);
//.....
cmd_argv[j++] = strdup (server);
cmd_argv[j++] = strdup (netcat ? netcat : "nc");
cmd_argv[j++] = strdup ("-U");
cmd_argv[j++] = strdup (sockname ? sockname :
LIBVIRTD_PRIV_UNIX_SOCKET);
cmd_argv[j++] = 0;
As a result of this remote-over-ssh fails on Debian. I'm not completely
sure how to solve this at the moment. If anyone has any ideas ...
Rich.
--
Emerging Technologies, Red Hat - http://et.redhat.com/~rjones/
Registered Address: Red Hat UK Ltd, Amberley Place, 107-111 Peascod
Street, Windsor, Berkshire, SL4 1TE, United Kingdom. Registered in
England and Wales under Company Registration No. 03798903
17 years
[Libvir] [PATCH] fixes when running as user or in tree tests
by Daniel Veillard
The following patches does 3 things which correct annoyances when
running as an user or when running from a tree built with --prefix=/usr
- avoid error message when non-root cannot open xenstore
- avoid error message when non-root cannot directly access xend
in those two cases the proxy (or remote code) should implement the access
so there is no need to raise the error there.
- when configuring with --prefix=/usr i.e. the same prefix as the
installed libvirt, use the same localstatedir /var (instead of
/usr/var) and sysconfdir /etc (instead of /usr/etc) to be able to
connect to the system daemon, and use the system local options
Daniel
--
Red Hat Virtualization group http://redhat.com/virtualization/
Daniel Veillard | virtualization library http://libvirt.org/
veillard(a)redhat.com | libxml GNOME XML XSLT toolkit http://xmlsoft.org/
http://veillard.com/ | Rpmfind RPM search engine http://rpmfind.net/
17 years
[Libvir] (remoteInitializeGnuTLS): Fix a typo in a variable name.
by Jim Meyering
2007-11-21 Jim Meyering <meyering(a)redhat.com>
Fix a typo in a variable name.
* qemud/qemud.c: Check crl_file, not ca_file, for revocation list,
in remoteInitializeGnuTLS.
diff --git a/qemud/qemud.c b/qemud/qemud.c
index 55bd805..f6cd026 100644
--- a/qemud/qemud.c
+++ b/qemud/qemud.c
@@ -165,7 +165,7 @@ remoteInitializeGnuTLS (void)
}
if (crl_file && crl_file[0] != '\0') {
- if (remoteCheckCertFile("CA revocation list", ca_file) < 0)
+ if (remoteCheckCertFile("CA revocation list", crl_file) < 0)
return -1;
qemudDebug ("loading CRL from %s", crl_file);
--
1.5.3.6.736.gb7f30
17 years
[Libvir] <disk> <shareable/> has no effect
by Markus Armbruster
Looks like <shareable/> within <disk> has no effect. I ran virsh
dumpxml, inserted the <shareable/>, redefined the domain, and ran
virsh dumpxml again. No shareable. I even ran virsh undefine and
virsh define again, same thing.
XML and output of xm list --long for this guest attached.
17 years
[Libvir] brSetForwardDelay / brSetEnableSTP
by Richard W.M. Jones
This code in qemu_driver.c doesn't look right to me. I think the second
should be a call to brSetEnableSTP?
Rich.
if (network->def->forwardDelay &&
(err = brSetForwardDelay(driver->brctl, network->bridge,
network->def->forwardDelay))) {
qemudReportError(conn, NULL, NULL, VIR_ERR_INTERNAL_ERROR,
"failed to set bridge forward delay to %d\n",
network->def->forwardDelay);
goto err_delbr;
}
if ((err = brSetForwardDelay(driver->brctl, network->bridge,
network->def->disableSTP ? 0 : 1))) {
qemudReportError(conn, NULL, NULL, VIR_ERR_INTERNAL_ERROR,
"failed to set bridge STP to %s\n",
network->def->disableSTP ? "off" : "on");
goto err_delbr;
}
--
Emerging Technologies, Red Hat - http://et.redhat.com/~rjones/
Registered Address: Red Hat UK Ltd, Amberley Place, 107-111 Peascod
Street, Windsor, Berkshire, SL4 1TE, United Kingdom. Registered in
England and Wales under Company Registration No. 03798903
17 years
[Libvir] [PATCH] virterror Cleanups
by Saori Fukuta
Hi,
The virsh command sometimes says wrong message that indicating where
the error is coming from. So I have some fixes for libvirt error.
* Add two number for virErrorDomain (virterror.h)
* Add six message indicating where it's coming from (virterror.c)
* Fix virErrorDomain number specified with __virRaiseError
(openvz_conf.c/openvz_driver.c/stats_linux.c/xm_internal.c)
Regards,
Saori Fukuta
17 years
[Libvir] [PATCH]: Add virNodeGetInfo to ruby bindings
by Chris Lalancette
All,
Attached is a patch to add the virNodeGetInfo() call to the Libvirt Ruby
bindings. Although it is not technically a virConn* function, it acts like one
since it uses the virConnectPtr structure, so I put it with those functions.
Let me know if I am doing anything completely crazy in here; this is my first
stab at Ruby binding code.
It works like so:
require 'libvirt'
conn = Libvirt::open("qemu:///system")
ni = c.nodeGetInfo
print ni
Signed-off-by: Chris Lalancette <clalance(a)redhat.com>
17 years
[Libvir] [Suggestion] The "ISP scenario"
by Richard W.M. Jones
This pattern has come up a few times now:
ISP provides a Xen hosting service to customers. ISP wants to provide
some basic statistics to their customers. The statistics could be
provided to a customer through the libvirt remote protocol, eg:
customer$ virsh -c xen://dom0/ dominfo mydom
But the problem with this is that (as libvirt is currently architected)
_any_ access to dom0, if it authenticates, gives access to information
from all domains.
We've previously discussed adding access control using something like
SELinux (see for example:
https://www.redhat.com/archives/libvir-list/2007-August/msg00030.html)
but nothing much has come of it so far.
But can we solve the single common case above directly, without
thwarting our ability to solve the bigger picture later?
My suggestion is that we add an option to /etc/libvirt/libvirtd.conf,
something like:
tls_restrict_dn: [
"DN1", "name:customer1",
"DN2", "uuid:12345678",
"DN3", "*"
]
with the meaning that (presumably a customer) connecting with
certificate DN1 could only find out information about the domain
"customer1", DN2 similarly, DN3 is a privileged client, and any other DN
would be rejected.
(Compare and contrast to tls_allowed_dn_list:
http://libvirt.org/remote.html#Remote_libvirtd_configuration)
An implementation of this would modify the call to virConnectOpen to add
an additional flag (or call?) allowing the access control to be passed,
and this would have to be checked in the relevant virDomain* calls.
This is not dissimilar to how read-only connections are implemented in
libvirtd currently.
I would also suggest as a matter of course that we modify all public API
calls in src/libvirt.c to add a call to a generic permission checking
routine, for example:
int
virDomainSuspend(virDomainPtr domain)
{
virConnectPtr conn;
DEBUG("domain=%p", domain);
if (!VIR_IS_CONNECTED_DOMAIN(domain)) {
virLibDomainError(NULL, VIR_ERR_INVALID_DOMAIN, __FUNCTION__);
return (-1);
}
- if (domain->conn->flags & VIR_CONNECT_RO) {
- virLibDomainError(domain, VIR_ERR_OPERATION_DENIED, __FUNCTION__);
- return (-1);
- }
+ if (!check_permission (domain, OP_SUSPEND)) return -1;
With the initial implementation of check_permission just doing the
VIR_CONNECT_RO check to start with, but able to do other checks in future.
Also relevant to this is SASL support, see:
https://www.redhat.com/archives/libvir-list/2007-November/msg00005.html
since AIUI this changes the possible formats for Distinguished Names, or
could even make DNs irrelevant.
Rich.
--
Emerging Technologies, Red Hat - http://et.redhat.com/~rjones/
Registered Address: Red Hat UK Ltd, Amberley Place, 107-111 Peascod
Street, Windsor, Berkshire, SL4 1TE, United Kingdom. Registered in
England and Wales under Company Registration No. 03798903
17 years
