[libvirt] [PATCH] Support script setting for bridge-type interfaces
by john.levon@sun.com
# HG changeset patch
# User john.levon(a)sun.com
# Date 1232562793 28800
# Node ID e0b0295722ecf4645983e3a9a090e0aaabc40da7
# Parent ce10bb67bbcee1a49b900e260a65ccfb1b69588b
Support script setting for bridge-type interfaces
Fix back-compatibility by allowing non-default scripts in interfaces
of bridge type again.
Signed-off-by: John Levon <john.levon(a)sun.com>
diff --git a/src/domain_conf.c b/src/domain_conf.c
--- a/src/domain_conf.c
+++ b/src/domain_conf.c
@@ -288,6 +288,7 @@ void virDomainNetDefFree(virDomainNetDef
case VIR_DOMAIN_NET_TYPE_BRIDGE:
VIR_FREE(def->data.bridge.brname);
+ VIR_FREE(def->data.bridge.script);
break;
}
@@ -897,7 +898,8 @@ virDomainNetDefParseXML(virConnectPtr co
VIR_FREE(ifname);
}
} else if ((script == NULL) &&
- (def->type == VIR_DOMAIN_NET_TYPE_ETHERNET) &&
+ (def->type == VIR_DOMAIN_NET_TYPE_ETHERNET ||
+ def->type == VIR_DOMAIN_NET_TYPE_BRIDGE) &&
xmlStrEqual(cur->name, BAD_CAST "script")) {
script = virXMLPropString(cur, "path");
} else if (xmlStrEqual (cur->name, BAD_CAST "model")) {
@@ -948,6 +950,10 @@ virDomainNetDefParseXML(virConnectPtr co
}
def->data.bridge.brname = bridge;
bridge = NULL;
+ if (script != NULL) {
+ def->data.bridge.script = script;
+ script = NULL;
+ }
break;
case VIR_DOMAIN_NET_TYPE_CLIENT:
@@ -2883,6 +2889,9 @@ virDomainNetDefFormat(virConnectPtr conn
case VIR_DOMAIN_NET_TYPE_BRIDGE:
virBufferEscapeString(buf, " <source bridge='%s'/>\n",
def->data.bridge.brname);
+ if (def->data.bridge.script)
+ virBufferEscapeString(buf, " <script path='%s'/>\n",
+ def->data.bridge.script);
break;
case VIR_DOMAIN_NET_TYPE_SERVER:
diff --git a/src/domain_conf.h b/src/domain_conf.h
--- a/src/domain_conf.h
+++ b/src/domain_conf.h
@@ -154,6 +154,7 @@ struct _virDomainNetDef {
} network;
struct {
char *brname;
+ char *script;
} bridge;
} data;
char *ifname;
diff --git a/src/xend_internal.c b/src/xend_internal.c
--- a/src/xend_internal.c
+++ b/src/xend_internal.c
@@ -60,6 +60,12 @@
#define XEN_SCHED_CRED_NPARAM 2
#endif /* PROXY */
+
+#ifdef __sun
+#define DEFAULT_VIF_SCRIPT "vif-vnic"
+#else
+#define DEFAULT_VIF_SCRIPT "vif-bridge"
+#endif
#ifdef WITH_RHEL5_API
#define XEND_CONFIG_MAX_VERS_NET_TYPE_IOEMU 0
@@ -1739,15 +1745,22 @@ xenDaemonParseSxprNets(virConnectPtr con
if (VIR_ALLOC(net) < 0)
goto no_memory;
- if ((tmp2 && strstr(tmp2, "bridge")) || tmp) {
+ if (tmp != NULL || (STREQ(tmp2, DEFAULT_VIF_SCRIPT))) {
net->type = VIR_DOMAIN_NET_TYPE_BRIDGE;
/* XXX virtual network reverse resolve */
if (tmp &&
!(net->data.bridge.brname = strdup(tmp)))
goto no_memory;
+ if (tmp2 &&
+ net->type == VIR_DOMAIN_NET_TYPE_BRIDGE &&
+ !(net->data.bridge.script = strdup(tmp2)))
+ goto no_memory;
} else {
net->type = VIR_DOMAIN_NET_TYPE_ETHERNET;
+ if (tmp2 &&
+ !(net->data.ethernet.script = strdup(tmp2)))
+ goto no_memory;
}
tmp = sexpr_node(node, "device/vif/vifname");
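Review bot: The rewritten condition on the `if` line dereferences tmp2 unconditionally: `STREQ(tmp2, DEFAULT_VIF_SCRIPT)` is evaluated whenever tmp is NULL, and the old code (as well as the new `tmp2 &&` guards a few lines down) shows tmp2 can be NULL, so a vif with neither a bridge nor a script crashes the parser on xend-supplied data. Guard it: `if (tmp != NULL || (tmp2 != NULL && STREQ(tmp2, DEFAULT_VIF_SCRIPT))) {`. The `net->type == VIR_DOMAIN_NET_TYPE_BRIDGE` test inside that branch is redundant, since the type was just assigned two lines earlier. Note also that the old `strstr(tmp2, "bridge")` accepted any script name containing "bridge", whereas the new test only matches the exact default; if that narrowing is intended it deserves a sentence in the commit message. xenDaemonParseSxprNets continues outside the hunk.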
@@ -1784,11 +1797,6 @@ xenDaemonParseSxprNets(virConnectPtr con
tmp = sexpr_node(node, "device/vif/ip");
if (tmp &&
!(net->data.ethernet.ipaddr = strdup(tmp)))
- goto no_memory;
-
- if (tmp2 &&
- net->type == VIR_DOMAIN_NET_TYPE_ETHERNET &&
- !(net->data.ethernet.script = strdup(tmp2)))
goto no_memory;
if (model &&
@@ -5069,6 +5077,8 @@ xenDaemonFormatSxprNet(virConnectPtr con
int xendConfigVersion,
int isAttach)
{
+ const char *script = DEFAULT_VIF_SCRIPT;
+
if (def->type != VIR_DOMAIN_NET_TYPE_BRIDGE &&
def->type != VIR_DOMAIN_NET_TYPE_NETWORK &&
def->type != VIR_DOMAIN_NET_TYPE_ETHERNET) {
@@ -5090,7 +5100,10 @@ xenDaemonFormatSxprNet(virConnectPtr con
switch (def->type) {
case VIR_DOMAIN_NET_TYPE_BRIDGE:
virBufferVSprintf(buf, "(bridge '%s')", def->data.bridge.brname);
- virBufferAddLit(buf, "(script 'vif-bridge')");
+ if (def->data.bridge.script)
+ script = def->data.bridge.script;
+
+ virBufferVSprintf(buf, "(script '%s')", script);
break;
case VIR_DOMAIN_NET_TYPE_NETWORK:
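Review bot: The user-supplied bridge script now reaches the S-expression through `virBufferVSprintf(buf, "(script '%s')", script)` with no quoting of the value, while the XML side of this patch escapes it with virBufferEscapeString; a path containing a single quote would break the generated sexpr. This presumably mirrors what the ethernet case already does (outside the hunk), but it is worth either validating the script value when it is parsed or adding `/* XXX script is not sexpr-quoted; see ethernet case */` so the limitation is visible. xenDaemonFormatSxprNet continues outside the hunk.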
@@ -5113,7 +5126,7 @@ xenDaemonFormatSxprNet(virConnectPtr con
return -1;
}
virBufferVSprintf(buf, "(bridge '%s')", bridge);
- virBufferAddLit(buf, "(script 'vif-bridge')");
+ virBufferVSprintf(buf, "(script '%s')", script);
VIR_FREE(bridge);
}
break;
diff --git a/src/xm_internal.c b/src/xm_internal.c
--- a/src/xm_internal.c
+++ b/src/xm_internal.c
@@ -1057,14 +1057,19 @@ xenXMDomainConfigParse(virConnectPtr con
net->mac[5] = rawmac[5];
}
- if (bridge[0] || STREQ(script, "vif-bridge"))
+ if (bridge[0] || STREQ(script, "vif-bridge") ||
+ STREQ(script, "vif-vnic")) {
net->type = VIR_DOMAIN_NET_TYPE_BRIDGE;
- else
+ } else {
net->type = VIR_DOMAIN_NET_TYPE_ETHERNET;
+ }
if (net->type == VIR_DOMAIN_NET_TYPE_BRIDGE) {
if (bridge[0] &&
!(net->data.bridge.brname = strdup(bridge)))
+ goto no_memory;
+ if (script[0] &&
+ !(net->data.bridge.script = strdup(script)))
goto no_memory;
} else {
if (script[0] &&
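Review bot: The classification on the changed `if` hard-codes both `"vif-bridge"` and `"vif-vnic"`, while the same patch introduces DEFAULT_VIF_SCRIPT in src/xend_internal.c for exactly this pair of names; keeping the literal in two places invites the lists drifting apart. Either move DEFAULT_VIF_SCRIPT to a shared header and write `STREQ(script, DEFAULT_VIF_SCRIPT)` here too, or add a comment such as `/* keep in sync with DEFAULT_VIF_SCRIPT in xend_internal.c */`. A side effect of the literal list is that a Linux config naming its script "vif-vnic" is now typed as a bridge, which may or may not be wanted. xenXMDomainConfigParse continues outside the hunk.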
diff --git a/tests/sexpr2xmldata/sexpr2xml-curmem.xml b/tests/sexpr2xmldata/sexpr2xml-curmem.xml
--- a/tests/sexpr2xmldata/sexpr2xml-curmem.xml
+++ b/tests/sexpr2xmldata/sexpr2xml-curmem.xml
@@ -24,6 +24,7 @@
<interface type='bridge'>
<mac address='00:16:3e:1d:06:15'/>
<source bridge='xenbr0'/>
+ <script path='vif-bridge'/>
<target dev='vif5.0'/>
</interface>
<console type='pty'>
diff --git a/tests/sexpr2xmldata/sexpr2xml-disk-block-shareable.xml b/tests/sexpr2xmldata/sexpr2xml-disk-block-shareable.xml
--- a/tests/sexpr2xmldata/sexpr2xml-disk-block-shareable.xml
+++ b/tests/sexpr2xmldata/sexpr2xml-disk-block-shareable.xml
@@ -22,6 +22,7 @@
<interface type='bridge'>
<mac address='00:16:3e:23:9e:eb'/>
<source bridge='xenbr0'/>
+ <script path='vif-bridge'/>
<target dev='vif6.0'/>
</interface>
<console type='pty'>
diff --git a/tests/sexpr2xmldata/sexpr2xml-fv-localtime.xml b/tests/sexpr2xmldata/sexpr2xml-fv-localtime.xml
--- a/tests/sexpr2xmldata/sexpr2xml-fv-localtime.xml
+++ b/tests/sexpr2xmldata/sexpr2xml-fv-localtime.xml
@@ -32,6 +32,7 @@
<interface type='bridge'>
<mac address='00:16:3e:1b:b1:47'/>
<source bridge='xenbr0'/>
+ <script path='vif-bridge'/>
<target dev='vif3.0'/>
</interface>
<input type='mouse' bus='ps2'/>
diff --git a/tests/sexpr2xmldata/sexpr2xml-fv-parallel-tcp.xml b/tests/sexpr2xmldata/sexpr2xml-fv-parallel-tcp.xml
--- a/tests/sexpr2xmldata/sexpr2xml-fv-parallel-tcp.xml
+++ b/tests/sexpr2xmldata/sexpr2xml-fv-parallel-tcp.xml
@@ -32,6 +32,7 @@
<interface type='bridge'>
<mac address='00:16:3e:1b:b1:47'/>
<source bridge='xenbr0'/>
+ <script path='vif-bridge'/>
<target dev='vif1.0'/>
</interface>
<parallel type='tcp'>
diff --git a/tests/sexpr2xmldata/sexpr2xml-fv-serial-file.xml b/tests/sexpr2xmldata/sexpr2xml-fv-serial-file.xml
--- a/tests/sexpr2xmldata/sexpr2xml-fv-serial-file.xml
+++ b/tests/sexpr2xmldata/sexpr2xml-fv-serial-file.xml
@@ -32,6 +32,7 @@
<interface type='bridge'>
<mac address='00:16:3e:1b:b1:47'/>
<source bridge='xenbr0'/>
+ <script path='vif-bridge'/>
<target dev='vif1.0'/>
</interface>
<serial type='file'>
diff --git a/tests/sexpr2xmldata/sexpr2xml-fv-serial-null.xml b/tests/sexpr2xmldata/sexpr2xml-fv-serial-null.xml
--- a/tests/sexpr2xmldata/sexpr2xml-fv-serial-null.xml
+++ b/tests/sexpr2xmldata/sexpr2xml-fv-serial-null.xml
@@ -32,6 +32,7 @@
<interface type='bridge'>
<mac address='00:16:3e:1b:b1:47'/>
<source bridge='xenbr0'/>
+ <script path='vif-bridge'/>
<target dev='vif1.0'/>
</interface>
<serial type='null'>
diff --git a/tests/sexpr2xmldata/sexpr2xml-fv-serial-pipe.xml b/tests/sexpr2xmldata/sexpr2xml-fv-serial-pipe.xml
--- a/tests/sexpr2xmldata/sexpr2xml-fv-serial-pipe.xml
+++ b/tests/sexpr2xmldata/sexpr2xml-fv-serial-pipe.xml
@@ -32,6 +32,7 @@
<interface type='bridge'>
<mac address='00:16:3e:1b:b1:47'/>
<source bridge='xenbr0'/>
+ <script path='vif-bridge'/>
<target dev='vif1.0'/>
</interface>
<serial type='pipe'>
diff --git a/tests/sexpr2xmldata/sexpr2xml-fv-serial-pty.xml b/tests/sexpr2xmldata/sexpr2xml-fv-serial-pty.xml
--- a/tests/sexpr2xmldata/sexpr2xml-fv-serial-pty.xml
+++ b/tests/sexpr2xmldata/sexpr2xml-fv-serial-pty.xml
@@ -32,6 +32,7 @@
<interface type='bridge'>
<mac address='00:16:3e:1b:b1:47'/>
<source bridge='xenbr0'/>
+ <script path='vif-bridge'/>
<target dev='vif1.0'/>
</interface>
<serial type='pty'>
diff --git a/tests/sexpr2xmldata/sexpr2xml-fv-serial-stdio.xml b/tests/sexpr2xmldata/sexpr2xml-fv-serial-stdio.xml
--- a/tests/sexpr2xmldata/sexpr2xml-fv-serial-stdio.xml
+++ b/tests/sexpr2xmldata/sexpr2xml-fv-serial-stdio.xml
@@ -32,6 +32,7 @@
<interface type='bridge'>
<mac address='00:16:3e:1b:b1:47'/>
<source bridge='xenbr0'/>
+ <script path='vif-bridge'/>
<target dev='vif1.0'/>
</interface>
<serial type='stdio'>
diff --git a/tests/sexpr2xmldata/sexpr2xml-fv-serial-tcp-telnet.xml b/tests/sexpr2xmldata/sexpr2xml-fv-serial-tcp-telnet.xml
--- a/tests/sexpr2xmldata/sexpr2xml-fv-serial-tcp-telnet.xml
+++ b/tests/sexpr2xmldata/sexpr2xml-fv-serial-tcp-telnet.xml
@@ -32,6 +32,7 @@
<interface type='bridge'>
<mac address='00:16:3e:1b:b1:47'/>
<source bridge='xenbr0'/>
+ <script path='vif-bridge'/>
<target dev='vif1.0'/>
</interface>
<serial type='tcp'>
diff --git a/tests/sexpr2xmldata/sexpr2xml-fv-serial-tcp.xml b/tests/sexpr2xmldata/sexpr2xml-fv-serial-tcp.xml
--- a/tests/sexpr2xmldata/sexpr2xml-fv-serial-tcp.xml
+++ b/tests/sexpr2xmldata/sexpr2xml-fv-serial-tcp.xml
@@ -32,6 +32,7 @@
<interface type='bridge'>
<mac address='00:16:3e:1b:b1:47'/>
<source bridge='xenbr0'/>
+ <script path='vif-bridge'/>
<target dev='vif1.0'/>
</interface>
<serial type='tcp'>
diff --git a/tests/sexpr2xmldata/sexpr2xml-fv-serial-udp.xml b/tests/sexpr2xmldata/sexpr2xml-fv-serial-udp.xml
--- a/tests/sexpr2xmldata/sexpr2xml-fv-serial-udp.xml
+++ b/tests/sexpr2xmldata/sexpr2xml-fv-serial-udp.xml
@@ -32,6 +32,7 @@
<interface type='bridge'>
<mac address='00:16:3e:1b:b1:47'/>
<source bridge='xenbr0'/>
+ <script path='vif-bridge'/>
<target dev='vif1.0'/>
</interface>
<serial type='udp'>
diff --git a/tests/sexpr2xmldata/sexpr2xml-fv-serial-unix.xml b/tests/sexpr2xmldata/sexpr2xml-fv-serial-unix.xml
--- a/tests/sexpr2xmldata/sexpr2xml-fv-serial-unix.xml
+++ b/tests/sexpr2xmldata/sexpr2xml-fv-serial-unix.xml
@@ -32,6 +32,7 @@
<interface type='bridge'>
<mac address='00:16:3e:1b:b1:47'/>
<source bridge='xenbr0'/>
+ <script path='vif-bridge'/>
<target dev='vif1.0'/>
</interface>
<serial type='unix'>
diff --git a/tests/sexpr2xmldata/sexpr2xml-fv-sound-all.xml b/tests/sexpr2xmldata/sexpr2xml-fv-sound-all.xml
--- a/tests/sexpr2xmldata/sexpr2xml-fv-sound-all.xml
+++ b/tests/sexpr2xmldata/sexpr2xml-fv-sound-all.xml
@@ -32,6 +32,7 @@
<interface type='bridge'>
<mac address='00:16:3e:1b:b1:47'/>
<source bridge='xenbr0'/>
+ <script path='vif-bridge'/>
<target dev='vif3.0'/>
</interface>
<input type='mouse' bus='ps2'/>
diff --git a/tests/sexpr2xmldata/sexpr2xml-fv-sound.xml b/tests/sexpr2xmldata/sexpr2xml-fv-sound.xml
--- a/tests/sexpr2xmldata/sexpr2xml-fv-sound.xml
+++ b/tests/sexpr2xmldata/sexpr2xml-fv-sound.xml
@@ -32,6 +32,7 @@
<interface type='bridge'>
<mac address='00:16:3e:1b:b1:47'/>
<source bridge='xenbr0'/>
+ <script path='vif-bridge'/>
<target dev='vif3.0'/>
</interface>
<input type='mouse' bus='ps2'/>
diff --git a/tests/sexpr2xmldata/sexpr2xml-fv-usbmouse.xml b/tests/sexpr2xmldata/sexpr2xml-fv-usbmouse.xml
--- a/tests/sexpr2xmldata/sexpr2xml-fv-usbmouse.xml
+++ b/tests/sexpr2xmldata/sexpr2xml-fv-usbmouse.xml
@@ -32,6 +32,7 @@
<interface type='bridge'>
<mac address='00:16:3e:1b:b1:47'/>
<source bridge='xenbr0'/>
+ <script path='vif-bridge'/>
<target dev='vif3.0'/>
</interface>
<input type='mouse' bus='usb'/>
diff --git a/tests/sexpr2xmldata/sexpr2xml-fv-usbtablet.xml b/tests/sexpr2xmldata/sexpr2xml-fv-usbtablet.xml
--- a/tests/sexpr2xmldata/sexpr2xml-fv-usbtablet.xml
+++ b/tests/sexpr2xmldata/sexpr2xml-fv-usbtablet.xml
@@ -32,6 +32,7 @@
<interface type='bridge'>
<mac address='00:16:3e:1b:b1:47'/>
<source bridge='xenbr0'/>
+ <script path='vif-bridge'/>
<target dev='vif3.0'/>
</interface>
<input type='tablet' bus='usb'/>
diff --git a/tests/sexpr2xmldata/sexpr2xml-fv-utc.xml b/tests/sexpr2xmldata/sexpr2xml-fv-utc.xml
--- a/tests/sexpr2xmldata/sexpr2xml-fv-utc.xml
+++ b/tests/sexpr2xmldata/sexpr2xml-fv-utc.xml
@@ -32,6 +32,7 @@
<interface type='bridge'>
<mac address='00:16:3e:1b:b1:47'/>
<source bridge='xenbr0'/>
+ <script path='vif-bridge'/>
<target dev='vif3.0'/>
</interface>
<input type='mouse' bus='ps2'/>
diff --git a/tests/sexpr2xmldata/sexpr2xml-fv-v2.xml b/tests/sexpr2xmldata/sexpr2xml-fv-v2.xml
--- a/tests/sexpr2xmldata/sexpr2xml-fv-v2.xml
+++ b/tests/sexpr2xmldata/sexpr2xml-fv-v2.xml
@@ -32,6 +32,7 @@
<interface type='bridge'>
<mac address='00:16:3e:1b:b1:47'/>
<source bridge='xenbr0'/>
+ <script path='vif-bridge'/>
<target dev='vif3.0'/>
</interface>
<input type='mouse' bus='ps2'/>
diff --git a/tests/sexpr2xmldata/sexpr2xml-fv.xml b/tests/sexpr2xmldata/sexpr2xml-fv.xml
--- a/tests/sexpr2xmldata/sexpr2xml-fv.xml
+++ b/tests/sexpr2xmldata/sexpr2xml-fv.xml
@@ -32,6 +32,7 @@
<interface type='bridge'>
<mac address='00:16:3e:1b:b1:47'/>
<source bridge='xenbr0'/>
+ <script path='vif-bridge'/>
<target dev='vif3.0'/>
</interface>
<input type='mouse' bus='ps2'/>
diff --git a/tests/sexpr2xmldata/sexpr2xml-net-bridged.xml b/tests/sexpr2xmldata/sexpr2xml-net-bridged.xml
--- a/tests/sexpr2xmldata/sexpr2xml-net-bridged.xml
+++ b/tests/sexpr2xmldata/sexpr2xml-net-bridged.xml
@@ -23,6 +23,7 @@
<interface type='bridge'>
<mac address='00:11:22:33:44:55'/>
<source bridge='xenbr2'/>
+ <script path='vif-bridge'/>
<target dev='vif6.0'/>
</interface>
<console type='pty'>
diff --git a/tests/sexpr2xmldata/sexpr2xml-net-e1000.xml b/tests/sexpr2xmldata/sexpr2xml-net-e1000.xml
--- a/tests/sexpr2xmldata/sexpr2xml-net-e1000.xml
+++ b/tests/sexpr2xmldata/sexpr2xml-net-e1000.xml
@@ -23,6 +23,7 @@
<interface type='bridge'>
<mac address='00:11:22:33:44:55'/>
<source bridge='xenbr2'/>
+ <script path='vif-bridge'/>
<target dev='vif6.0'/>
<model type='e1000'/>
</interface>
[libvirt] [PATCH] Solaris least privilege support
by john.levon@sun.com
# HG changeset patch
# User john.levon(a)sun.com
# Date 1232478815 28800
# Node ID 9c7ef175f3a797ecc3ffa6b1fed5a27d1814838c
# Parent ce76623e857f5bb2cf3af8414335f891fd7902b7
Solaris least privilege support
On Solaris dom0, virtd runs as a privilege barrier: all libvirt
connections are routed through it, and it performs the relevant
privilege checks for any clients.
Signed-off-by: John Levon <john.levon(a)sun.com>
diff --git a/qemud/qemud.c b/qemud/qemud.c
--- a/qemud/qemud.c
+++ b/qemud/qemud.c
@@ -84,6 +84,39 @@
#endif
+#ifdef __sun
+#include <ucred.h>
+#include <priv.h>
+
+#ifndef PRIV_VIRT_MANAGE
+#define PRIV_VIRT_MANAGE ((const char *)"virt_manage")
+#endif
+
+#ifndef PRIV_XVM_CONTROL
+#define PRIV_XVM_CONTROL ((const char *)"xvm_control")
+#endif
+
+#define PU_RESETGROUPS 0x0001 /* Remove supplemental groups */
+#define PU_CLEARLIMITSET 0x0008 /* L=0 */
+
+extern int __init_daemon_priv(int, uid_t, gid_t, ...);
+
+#define SYSTEM_UID 60
+
+static gid_t unix_sock_gid = 60; /* Not used */
+static int unix_sock_rw_mask = 0666;
+static int unix_sock_ro_mask = 0666;
+
+#else
+
+#define SYSTEM_UID 0
+
+static gid_t unix_sock_gid = 0; /* Only root by default */
+static int unix_sock_rw_mask = 0700; /* Allow user only */
+static int unix_sock_ro_mask = 0777; /* Allow world */
+
+#endif /* __sun */
+
static int godaemon = 0; /* -d: Be a daemon */
static int verbose = 0; /* -v: Verbose mode */
static int timeout = -1; /* -t: Shutdown timeout */
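Review bot: On Solaris both unix_sock_rw_mask and unix_sock_ro_mask become 0666, so filesystem permissions no longer restrict who can connect to the read-write socket; the only gate is the per-connection privilege check added later in this patch, and that dependency is not stated anywhere near the masks. A comment would make it explicit for the next reader: `/* world-accessible on purpose: access is enforced per connection via getpeerucred/PRIV_VIRT_MANAGE in qemudDispatchServer */`. The `extern int __init_daemon_priv(...)` prototype declares a double-underscore (implementation-reserved) libc-private interface by hand; a comment naming where it comes from and that it is unstable would help, and `SYSTEM_UID 60` likewise wants a one-line note saying which account that is.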
@@ -101,10 +134,6 @@ static char *listen_addr = (char *) LIB
static char *listen_addr = (char *) LIBVIRTD_LISTEN_ADDR;
static char *tls_port = (char *) LIBVIRTD_TLS_PORT;
static char *tcp_port = (char *) LIBVIRTD_TCP_PORT;
-
-static gid_t unix_sock_gid = 0; /* Only root by default */
-static int unix_sock_rw_mask = 0700; /* Allow user only */
-static int unix_sock_ro_mask = 0777; /* Allow world */
#if HAVE_POLKIT
static int auth_unix_rw = REMOTE_AUTH_POLKIT;
@@ -638,10 +667,11 @@ static int qemudInitPaths(struct qemud_s
static int qemudInitPaths(struct qemud_server *server,
char *sockname,
char *roSockname,
- int maxlen) {
+ int maxlen)
+{
uid_t uid = geteuid();
- if (!uid) {
+ if (uid == SYSTEM_UID) {
if (snprintf (sockname, maxlen, "%s/run/libvirt/libvirt-sock",
LOCAL_STATE_DIR) >= maxlen)
goto snprintf_error;
@@ -1110,6 +1140,29 @@ static int qemudDispatchServer(struct qe
return -1;
}
+#ifdef __sun
+ {
+ ucred_t *ucred = NULL;
+ const priv_set_t *privs;
+
+ if (getpeerucred (fd, &ucred) == -1 ||
+ (privs = ucred_getprivset (ucred, PRIV_EFFECTIVE)) == NULL) {
+ if (ucred != NULL)
+ ucred_free (ucred);
+ close (fd);
+ return -1;
+ }
+
+ if (!priv_ismember (privs, PRIV_VIRT_MANAGE)) {
+ ucred_free (ucred);
+ close (fd);
+ return -1;
+ }
+
+ ucred_free (ucred);
+ }
+#endif /* __sun */
+
/* Disable Nagle. Unix sockets will ignore this. */
setsockopt (fd, IPPROTO_TCP, TCP_NODELAY, (void *)&no_slow_start,
sizeof no_slow_start);
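Review bot: Both rejection branches in the new `#ifdef __sun` block close the descriptor and return -1 without logging anything, so an operator cannot tell a privilege rejection from a transport failure, and repeated rejections leave no trace for detection. Add a message in each branch, e.g. `VIR_ERROR0 (_("rejecting client: getpeerucred failed"));` and `VIR_ERROR0 (_("rejecting client lacking virt_manage privilege"));`, using the same VIR_ERROR0 this file already uses. The block runs for every accepted fd; if TCP/TLS listeners are active on Solaris, please confirm what getpeerucred returns for a non-local peer, since as written such clients are dropped outright. qemudDispatchServer begins outside the hunk.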
@@ -2257,6 +2310,30 @@ version (const char *argv0)
{
printf ("%s (%s) %s\n", argv0, PACKAGE_NAME, PACKAGE_VERSION);
}
+
+#ifdef __sun
+static int
+qemudSetupPrivs (void)
+{
+ chown ("/var/run/libvirt", SYSTEM_UID, SYSTEM_UID);
+
+ if (__init_daemon_priv (PU_RESETGROUPS | PU_CLEARLIMITSET,
+ SYSTEM_UID, SYSTEM_UID, PRIV_XVM_CONTROL, NULL)) {
+ fprintf (stderr, "additional privileges are required\n");
+ return -1;
+ }
+
+ if (priv_set (PRIV_OFF, PRIV_ALLSETS, PRIV_FILE_LINK_ANY, PRIV_PROC_INFO,
+ PRIV_PROC_SESSION, PRIV_PROC_EXEC, PRIV_PROC_FORK, NULL)) {
+ fprintf (stderr, "failed to set reduced privileges\n");
+ return -1;
+ }
+
+ return 0;
+}
+#else
+#define qemudSetupPrivs() 0
+#endif
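Review bot: The `chown ("/var/run/libvirt", SYSTEM_UID, SYSTEM_UID)` return value is ignored, so a failure leaves the directory owned by root while the daemon proceeds to drop to SYSTEM_UID and then cannot create its sockets there, with no message explaining why. The path is also a literal, whereas main() builds the same directory as `LOCAL_STATE_DIR "/run/libvirt"`; if LOCAL_STATE_DIR is not /var the two diverge. Suggested: `if (chown (LOCAL_STATE_DIR "/run/libvirt", SYSTEM_UID, SYSTEM_UID) < 0) {` / `fprintf (stderr, "failed to chown rundir: %s\n", strerror (errno)); return -1; }`. SYSTEM_UID is also passed as the gid argument, which is presumably the intended group on Solaris but deserves a comment.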
/* Print command-line usage. */
static void
@@ -2435,6 +2512,21 @@ int main(int argc, char **argv) {
sig_action.sa_handler = SIG_IGN;
sigaction(SIGPIPE, &sig_action, NULL);
+ /* Ensure the rundir exists (on tmpfs on some systems) */
+ if (geteuid () == 0) {
+ const char *rundir = LOCAL_STATE_DIR "/run/libvirt";
+
+ if (mkdir (rundir, 0755)) {
+ if (errno != EEXIST) {
+ VIR_ERROR0 (_("unable to create rundir"));
+ return -1;
+ }
+ }
+ }
+
+ if (qemudSetupPrivs() < 0)
+ goto error2;
+
if (!(server = qemudInitialize(sigpipe[0]))) {
ret = 2;
goto error2;
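Review bot: The new mkdir failure path does `return -1;` from main(), bypassing the `error2` cleanup that every other failure in this function (including the `qemudSetupPrivs()` and `qemudInitialize` checks right below) reaches via goto, and exiting with status 255 instead of the codes the rest of main uses. Set `ret` and `goto error2` like the neighbouring checks, and include the reason, which the current message drops: `VIR_ERROR0 (_("unable to create rundir"))` could carry `strerror (errno)` through the formatted variant. The `errno` value should be read immediately after mkdir, which the code does correctly. main() begins and ends outside the hunk.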
diff --git a/src/remote_internal.c b/src/remote_internal.c
--- a/src/remote_internal.c
+++ b/src/remote_internal.c
@@ -885,18 +885,21 @@ remoteOpen (virConnectPtr conn,
}
/*
- * If URI is NULL, then do a UNIX connection
- * possibly auto-spawning unprivileged server
- * and probe remote server for URI
+ * If URI is NULL, then do a UNIX connection possibly auto-spawning
+ * unprivileged server and probe remote server for URI. On Solaris,
+ * this isn't supported, but we may be privileged enough to connect
+ * to the UNIX socket anyway.
*/
if (!conn->uri) {
DEBUG0("Auto-probe remote URI");
rflags |= VIR_DRV_OPEN_REMOTE_UNIX;
+#ifndef __sun
if (getuid() > 0) {
DEBUG0("Auto-spawn user daemon instance");
rflags |= VIR_DRV_OPEN_REMOTE_USER;
rflags |= VIR_DRV_OPEN_REMOTE_AUTOSTART;
}
+#endif
}
priv->sock = -1;
diff --git a/src/xen_internal.c b/src/xen_internal.c
--- a/src/xen_internal.c
+++ b/src/xen_internal.c
@@ -26,6 +26,17 @@
#include <errno.h>
#include <sys/utsname.h>
+#ifdef __sun
+#include <sys/systeminfo.h>
+
+#include <priv.h>
+
+#ifndef PRIV_XVM_CONTROL
+#define PRIV_XVM_CONTROL ((const char *)"xvm_control")
+#endif
+
+#endif /* __sun */
+
/* required for dom0_getdomaininfo_t */
#include <xen/dom0_ops.h>
#include <xen/version.h>
@@ -35,10 +46,6 @@
#ifdef HAVE_XEN_SYS_PRIVCMD_H
#include <xen/sys/privcmd.h>
#endif
-#endif
-
-#ifdef __sun
-#include <sys/systeminfo.h>
#endif
/* required for shutdown flags */
@@ -3393,3 +3400,17 @@ xenHypervisorGetVcpuMax(virDomainPtr dom
return maxcpu;
}
+/**
+ * xenHavePrivilege()
+ *
+ * Return true if the current process should be able to connect to Xen.
+ */
+int
+xenHavePrivilege()
+{
+#ifdef __sun
+ return priv_ineffect (PRIV_XVM_CONTROL);
+#else
+ return getuid () == 0;
+#endif
+}
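Review bot: The definition `xenHavePrivilege()` uses an empty parameter list while the header in this same patch declares it as `int xenHavePrivilege(void);`; an empty list in a definition is the old-style unprototyped form, so write `xenHavePrivilege (void)` to match. The doc comment says "Return true" but the function returns int; `Return non-zero if ...` would be exact. Since this is now the single authority for every "is root / is privileged" decision in the Xen drivers, a line noting that the Solaris branch checks the effective set only (`priv_ineffect`) would help future readers.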
diff --git a/src/xen_internal.h b/src/xen_internal.h
--- a/src/xen_internal.h
+++ b/src/xen_internal.h
@@ -104,4 +104,6 @@ int xenHypervisorNodeGetCellsFreeMem
int startCell,
int maxCells);
+int xenHavePrivilege(void);
+
#endif /* __VIR_XEN_INTERNAL_H__ */
diff --git a/src/xen_unified.c b/src/xen_unified.c
--- a/src/xen_unified.c
+++ b/src/xen_unified.c
@@ -65,6 +65,8 @@ static struct xenUnifiedDriver *drivers[
#endif
};
+static int inside_daemon;
+
#define xenUnifiedError(conn, code, fmt...) \
virReportErrorHelper(conn, VIR_FROM_XEN, code, __FILE__, \
__FUNCTION__, __LINE__, fmt)
@@ -195,6 +197,21 @@ done:
return(res);
}
+#ifdef WITH_LIBVIRTD
+
+static int
+xenInitialize (void)
+{
+ inside_daemon = 1;
+ return 0;
+}
+
+static virStateDriver state_driver = {
+ .initialize = xenInitialize,
+};
+
+#endif
+
/*----- Dispatch functions. -----*/
/* These dispatch functions follow the model used historically
@@ -231,6 +248,15 @@ xenUnifiedOpen (virConnectPtr conn, virC
xenUnifiedPrivatePtr priv;
virDomainEventCallbackListPtr cbList;
+#ifdef __sun
+ /*
+ * Only the libvirtd instance can open this driver.
+ * Everything else falls back to the remote driver.
+ */
+ if (!inside_daemon)
+ return VIR_DRV_OPEN_DECLINED;
+#endif
+
if (conn->uri == NULL) {
if (!xenUnifiedProbe())
return VIR_DRV_OPEN_DECLINED;
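Review bot: The new `if (!inside_daemon)` check is compiled under `#ifdef __sun`, but inside_daemon is only ever set by xenInitialize, which this patch defines under `#ifdef WITH_LIBVIRTD`; on a Solaris build without WITH_LIBVIRTD the driver would decline unconditionally and the remote fallback would have nothing to reach. If such a build is not supported, say so where the flag is declared, e.g. `/* set by xenInitialize (WITH_LIBVIRTD only); on Solaris the driver is unusable without it */`, or guard the check with `#if defined(__sun) && defined(WITH_LIBVIRTD)`. xenUnifiedOpen continues outside the hunk.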
@@ -283,8 +309,8 @@ xenUnifiedOpen (virConnectPtr conn, virC
priv->proxy = -1;
- /* Hypervisor is only run as root & required to succeed */
- if (getuid() == 0) {
+ /* Hypervisor is only run with privilege & required to succeed */
+ if (xenHavePrivilege()) {
DEBUG0("Trying hypervisor sub-driver");
if (drivers[XEN_UNIFIED_HYPERVISOR_OFFSET]->open(conn, auth, flags) ==
VIR_DRV_OPEN_SUCCESS) {
@@ -293,7 +319,7 @@ xenUnifiedOpen (virConnectPtr conn, virC
}
}
- /* XenD is required to suceed if root.
+ /* XenD is required to succeed if privileged.
* If it fails as non-root, then the proxy driver may take over
*/
DEBUG0("Trying XenD sub-driver");
@@ -318,12 +344,12 @@ xenUnifiedOpen (virConnectPtr conn, virC
DEBUG0("Activated XS sub-driver");
priv->opened[XEN_UNIFIED_XS_OFFSET] = 1;
} else {
- if (getuid() == 0)
- goto fail; /* XS is mandatory as root */
+ if (xenHavePrivilege())
+ goto fail; /* XS is mandatory when privileged */
}
} else {
- if (getuid() == 0) {
- goto fail; /* XenD is mandatory as root */
+ if (xenHavePrivilege()) {
+ goto fail; /* XenD is mandatory when privileged */
} else {
#if WITH_PROXY
DEBUG0("Trying proxy sub-driver");
@@ -1472,6 +1498,10 @@ xenRegister (void)
(void) xenHypervisorInit ();
(void) xenXMInit ();
+#ifdef WITH_LIBVIRTD
+ if (virRegisterStateDriver (&state_driver) == -1) return -1;
+#endif
+
return virRegisterDriver (&xenUnifiedDriver);
}
diff --git a/src/xend_internal.c b/src/xend_internal.c
--- a/src/xend_internal.c
+++ b/src/xend_internal.c
@@ -42,7 +42,7 @@
#include "buf.h"
#include "uuid.h"
#include "xen_unified.h"
-#include "xen_internal.h" /* for DOM0_INTERFACE_VERSION */
+#include "xen_internal.h"
#include "xs_internal.h" /* To extract VNC port & Serial console TTY */
#include "memory.h"
@@ -159,9 +159,10 @@ do_connect(virConnectPtr xend)
s = -1;
/*
- * Connecting to XenD as root is mandatory, so log this error
+ * Connecting to XenD when privileged is mandatory, so log this
+ * error
*/
- if (getuid() == 0) {
+ if (xenHavePrivilege()) {
virXendError(xend, VIR_ERR_INTERNAL_ERROR,
"%s", _("failed to connect to xend"));
}
diff --git a/src/xs_internal.c b/src/xs_internal.c
--- a/src/xs_internal.c
+++ b/src/xs_internal.c
@@ -35,7 +35,7 @@
#include "uuid.h"
#include "xen_unified.h"
#include "xs_internal.h"
-#include "xen_internal.h" /* for xenHypervisorCheckID */
+#include "xen_internal.h"
#ifdef __linux__
#define XEN_HYPERVISOR_SOCKET "/proc/xen/privcmd"
@@ -299,11 +299,11 @@ xenStoreOpen(virConnectPtr conn,
if (priv->xshandle == NULL) {
/*
- * not being able to connect via the socket as a normal user
- * is rather normal, this should fallback to the proxy (or
+ * not being able to connect via the socket as an unprivileged
+ * user is rather normal, this should fallback to the proxy (or
* remote) mechanism.
*/
- if (getuid() == 0) {
+ if (xenHavePrivilege()) {
virXenStoreError(NULL, VIR_ERR_NO_XEN,
"%s", _("failed to connect to Xen Store"));
}
[libvirt] [PATCH] Add .hgignore entries
by john.levon@sun.com
# HG changeset patch
# User john.levon(a)sun.com
# Date 1232563649 28800
# Node ID 256c8a54b46909dcdd6999d55538e64ec5931e4d
# Parent c109dd0801246b82aed8d5f9b1fa4196432868d0
Add .hgignore entries
Signed-off-by: John Levon <john.levon(a)sun.com>
diff --git a/.hgignore b/.hgignore
--- a/.hgignore
+++ b/.hgignore
@@ -1,6 +1,38 @@
-(^|/)CVS($|/)
-(^|/)\.hg($|/)
-(^|/)\.hgtags($|/)
-^state$
-^state.old$
-^state.journal$
+.*.a
+.*.o
+.*.orig
+.*.rej
+.*~
+.git
+ABOUT-NLS
+COPYING
+INSTALL
+Makefile
+Makefile.in
+aclocal.m4
+autom4te.cache
+config.cache
+config.guess
+config.h
+config.h.in
+config.log
+config.rpath
+config.status
+config.sub
+configure
+coverage
+libtool
+libvirt-.*.tar.gz
+libvirt.pc
+libvirt.spec
+ltconfig
+ltmain.sh
+m4
+mingw32-libvirt.spec
+mkinstalldirs
+results.log
+stamp-h
+stamp-h.in
+stamp-h1
+update.log
+TAGS
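Review bot: Several of the new patterns use an unescaped `.` where a literal dot is meant, and since .hgignore entries are regular expressions by default, `.*.a` matches any path containing a character followed by an "a" (src/hash.c, Makefile.am, ...), and `.*.o`, `.*.orig`, `.*.rej`, `.git`, `libvirt-.*.tar.gz` have the same problem; this can silently hide real source files from `hg status`/`hg add`. Write them as `.*\.a$`, `.*\.o$`, `.*\.orig$`, `.*\.rej$`, `^\.git$`, `^libvirt-.*\.tar\.gz$`, or switch the file to `syntax: glob`. The same patch appears a second time further down this page with identical content.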
[libvirt] [PATCH] Add .hgignore entries
by john.levon@sun.com
# HG changeset patch
# User john.levon(a)sun.com
# Date 1232563649 28800
# Node ID 256c8a54b46909dcdd6999d55538e64ec5931e4d
# Parent c109dd0801246b82aed8d5f9b1fa4196432868d0
Add .hgignore entries
Signed-off-by: John Levon <john.levon(a)sun.com>
diff --git a/.hgignore b/.hgignore
--- a/.hgignore
+++ b/.hgignore
@@ -1,6 +1,38 @@
-(^|/)CVS($|/)
-(^|/)\.hg($|/)
-(^|/)\.hgtags($|/)
-^state$
-^state.old$
-^state.journal$
+.*.a
+.*.o
+.*.orig
+.*.rej
+.*~
+.git
+ABOUT-NLS
+COPYING
+INSTALL
+Makefile
+Makefile.in
+aclocal.m4
+autom4te.cache
+config.cache
+config.guess
+config.h
+config.h.in
+config.log
+config.rpath
+config.status
+config.sub
+configure
+coverage
+libtool
+libvirt-.*.tar.gz
+libvirt.pc
+libvirt.spec
+ltconfig
+ltmain.sh
+m4
+mingw32-libvirt.spec
+mkinstalldirs
+results.log
+stamp-h
+stamp-h.in
+stamp-h1
+update.log
+TAGS
[libvirt] [PATCH] Fix remote driver crash
by john.levon@sun.com
# HG changeset patch
# User john.levon(a)sun.com
# Date 1232501231 28800
# Node ID 12e2e9f6eb99f86c2ab20f1e6a7b7a77418e66db
# Parent 39479c2678f822349169112e31e6061af3289548
Fix remote driver crash
Ensure ->watch is initialized so it's not used before an
updateHandleImpl is registered.
Signed-off-by: John Levon <john.levon(a)sun.com>
diff --git a/src/remote_internal.c b/src/remote_internal.c
--- a/src/remote_internal.c
+++ b/src/remote_internal.c
@@ -902,7 +902,9 @@ remoteOpen (virConnectPtr conn,
#endif
}
+ priv->watch = -1;
priv->sock = -1;
+
ret = doRemoteOpen(conn, priv, auth, rflags);
if (ret != VIR_DRV_OPEN_SUCCESS) {
conn->privateData = NULL;
[libvirt] spec file: don't create networks/default.xml if it already exists
by Mark McLoughlin
If you un-install libvirt and re-install it, you get a warning
from the post-install script:
Installing : libvirt
ln: creating symbolic link `/etc/libvirt/qemu/networks/autostart/default.xml': File exists
See https://bugzilla.redhat.com/462011
Signed-off-by: Mark McLoughlin <markmc(a)redhat.com>
---
libvirt.spec.in | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/libvirt.spec.in b/libvirt.spec.in
index e0ce497..9121c6d 100644
--- a/libvirt.spec.in
+++ b/libvirt.spec.in
@@ -294,7 +294,7 @@ rm -fr %{buildroot}
# or on the first upgrade from a non-network aware libvirt only.
# We check this by looking to see if the daemon is already installed
/sbin/chkconfig --list libvirtd 1>/dev/null 2>&1
-if [ $? != 0 ]
+if [ $? != 0 -a ! -f %{_sysconfdir}/libvirt/qemu/networks/default.xml ]
then
UUID=`/usr/bin/uuidgen`
sed -e "s,</name>,</name>\n <uuid>$UUID</uuid>," \
--
1.6.0.6
[libvirt] [PATCH] Fix openlog() ident usage
by john.levon@sun.com
# HG changeset patch
# User john.levon(a)sun.com
# Date 1232478815 28800
# Node ID 37a6a671e38d7f4449d3b47bc5cf06c19362bc41
# Parent 15bfba92a98744f8c554757ed608c3bf89fa38aa
Fix openlog() ident usage
It cannot be freed, as it's used by reference in the syslog code, at
least on Solaris.
Signed-off-by: John Levon <john.levon(a)sun.com>
diff --git a/src/logging.c b/src/logging.c
--- a/src/logging.c
+++ b/src/logging.c
@@ -705,7 +705,10 @@ int virLogParseOutputs(const char *outpu
return(-1);
if (virLogAddOutputToSyslog(prio, name) == 0)
ret++;
- VIR_FREE(name);
+ /*
+ * Do *NOT* free(name) - openlog() uses this string by
+ * reference, instead of keeping its own copy.
+ */
#endif /* HAVE_SYSLOG_H */
} else if (STREQLEN(cur, "file", 4)) {
cur += 4;
[libvirt] [PATCH] Set syslog logging priority based on LIBVIRT_DEBUG
by john.levon@sun.com
# HG changeset patch
# User john.levon(a)sun.com
# Date 1232478815 28800
# Node ID a9c75296e1d6e09947a231fa9864d67a543979eb
# Parent 37a6a671e38d7f4449d3b47bc5cf06c19362bc41
Set syslog logging priority based on LIBVIRT_DEBUG
Currently, qemud in daemonized mode drops all messages below level 3,
regardless of the LIBVIRT_DEBUG setting.
Signed-off-by: John Levon <john.levon(a)sun.com>
diff --git a/qemud/qemud.c b/qemud/qemud.c
--- a/qemud/qemud.c
+++ b/qemud/qemud.c
@@ -2151,10 +2151,15 @@ qemudSetLogging(virConfPtr conf, const c
*/
GET_CONF_STR (conf, filename, log_outputs);
if (log_outputs == NULL) {
- if (godaemon)
- virLogParseOutputs("3:syslog:libvirtd");
- else
+ if (godaemon) {
+ char *tmp = NULL;
+ if (virAsprintf (&tmp, "%d:syslog:libvirtd", log_level) < 0)
+ goto free_and_fail;
+ virLogParseOutputs (tmp);
+ VIR_FREE (tmp);
+ } else {
virLogParseOutputs("0:stderr:libvirtd");
+ }
} else
virLogParseOutputs(log_outputs);
ret = 0;
[libvirt] [PATCH] maint: update list of error function names and adapt
by Jim Meyering
I updated the list of error function names
in Makefile.maint, and exposed 3 more unmarked diagnostics.
Going through the old/new lists, I also found two
now-unused (#define'd) "functions".
I originally did this on top of Dan's patch series,
but it also applies to the trunk, modulo some offset differences
in xen_unified.c.
>From 8124c5ae693fdad477df6b38dc5b75b4cd8f36cf Mon Sep 17 00:00:00 2001
From: Jim Meyering <meyering(a)redhat.com>
Date: Mon, 19 Jan 2009 09:25:02 +0100
Subject: [PATCH] maint: update list of error function names and adapt
* Makefile.maint (msg_gen_function): Update list.
Remove some now-unused names, add some new ones.
* src/hash.c (virHashError): Remove unused definition.
* src/openvz_conf.h (openvzLog): Likewise.
* src/xen_unified.c: Mark newly-exposed diagnostics for translation.
---
Makefile.maint | 8 ++++----
src/hash.c | 5 -----
src/openvz_conf.h | 8 --------
src/xen_unified.c | 8 ++++----
4 files changed, 8 insertions(+), 21 deletions(-)
diff --git a/Makefile.maint b/Makefile.maint
index 2ac6dd7..35eddd1 100644
--- a/Makefile.maint
+++ b/Makefile.maint
@@ -390,6 +390,7 @@ msg_gen_function += ERROR0
msg_gen_function += REMOTE_DEBUG
msg_gen_function += ReportError
msg_gen_function += VIR_FREE
+msg_gen_function += VIR_INFO
msg_gen_function += VIR_USE_CPU
msg_gen_function += errorf
msg_gen_function += lxcError
@@ -401,9 +402,7 @@ msg_gen_function += qemudDispatchClientFailure
msg_gen_function += qemudLog
msg_gen_function += qemudReportError
msg_gen_function += regerror
-msg_gen_function += remoteDispatchError
msg_gen_function += remoteDispatchFormatError
-msg_gen_function += umlError
msg_gen_function += umlLog
msg_gen_function += umlReportError
msg_gen_function += virConfError
@@ -414,18 +413,19 @@ msg_gen_function += virLibDomainError
msg_gen_function += virLog
msg_gen_function += virNetworkReportError
msg_gen_function += virNodeDeviceReportError
+msg_gen_function += virProxyError
msg_gen_function += virRaiseError
msg_gen_function += virReportErrorHelper
+msg_gen_function += virReportSystemError
msg_gen_function += virSexprError
msg_gen_function += virStorageLog
msg_gen_function += virStorageReportError
-msg_gen_function += virTestError
msg_gen_function += virXMLError
msg_gen_function += virXenInotifyError
msg_gen_function += virXenStoreError
msg_gen_function += virXendError
-msg_gen_function += virxmlRpcError
msg_gen_function += vshCloseLogFile
+msg_gen_function += xenUnifiedError
msg_gen_function += xenXMError
# Uncomment the following and run "make syntax-check" to see diagnostics
diff --git a/src/hash.c b/src/hash.c
index b960640..bde3a0b 100644
--- a/src/hash.c
+++ b/src/hash.c
@@ -32,10 +32,6 @@
/* #define DEBUG_GROW */
-#define virHashError(conn, code, fmt...) \
- virReportErrorHelper(conn, VIR_FROM_NONE, code, __FILE__, \
- __FUNCTION__, __LINE__, fmt)
-
/*
* A single entry in the hash table
*/
@@ -593,4 +589,3 @@ void *virHashSearch(virHashTablePtr table, virHashSearcher iter, const void *dat
}
return (NULL);
}
-
diff --git a/src/openvz_conf.h b/src/openvz_conf.h
index 1030d17..8e02056 100644
--- a/src/openvz_conf.h
+++ b/src/openvz_conf.h
@@ -34,14 +34,6 @@
enum { OPENVZ_WARN, OPENVZ_ERR };
-#define openvzLog(level, msg...) { if(level == OPENVZ_WARN) \
- fprintf(stderr, "\nWARNING: ");\
- else \
- fprintf(stderr, "\nERROR: ");\
- fprintf(stderr, "\n\t");\
- fprintf(stderr, msg);\
- fprintf(stderr, "\n"); }
-
#define openvzError(conn, code, fmt...) \
virReportErrorHelper(conn, VIR_FROM_OPENVZ, code, __FILE__, \
__FUNCTION__, __LINE__, fmt)
diff --git a/src/xen_unified.c b/src/xen_unified.c
index e0a446a..66d5fc2 100644
--- a/src/xen_unified.c
+++ b/src/xen_unified.c
@@ -1,7 +1,7 @@
/*
* xen_unified.c: Unified Xen driver.
*
- * Copyright (C) 2007, 2008 Red Hat, Inc.
+ * Copyright (C) 2007, 2008, 2009 Red Hat, Inc.
*
* See COPYING.LIB for the License of this software
*
@@ -235,7 +235,7 @@ xenUnifiedOpen (virConnectPtr conn, virConnectAuthPtr auth, int flags)
/* Allocate per-connection private data. */
if (VIR_ALLOC(priv) < 0) {
- xenUnifiedError (NULL, VIR_ERR_NO_MEMORY, "allocating private data");
+ xenUnifiedError (NULL, VIR_ERR_NO_MEMORY, _("allocating private data"));
return VIR_DRV_OPEN_ERROR;
}
if (virMutexInit(&priv->lock) < 0) {
@@ -247,7 +247,7 @@ xenUnifiedOpen (virConnectPtr conn, virConnectAuthPtr auth, int flags)
/* Allocate callback list */
if (VIR_ALLOC(cbList) < 0) {
- xenUnifiedError (NULL, VIR_ERR_NO_MEMORY, "allocating callback list");
+ xenUnifiedError (NULL, VIR_ERR_NO_MEMORY, _("allocating callback list"));
virMutexDestroy(&priv->lock);
VIR_FREE(priv);
return VIR_DRV_OPEN_ERROR;
@@ -1533,7 +1533,7 @@ xenUnifiedAddDomainInfo(xenUnifiedDomainInfoListPtr list,
list->count++;
return 0;
memory_error:
- xenUnifiedError (NULL, VIR_ERR_NO_MEMORY, "allocating domain info");
+ xenUnifiedError (NULL, VIR_ERR_NO_MEMORY, _("allocating domain info"));
if (info)
VIR_FREE(info->name);
VIR_FREE(info);
--
1.6.1.258.g7ff14