[libvirt] vbox save/restore
by Lucian Adrian Grijincu
Hello,
I see that the vbox driver in virDomainSave doesn't use the
destination file path and calls vbox's IConsole::SaveState.
As I see it IConsole::SaveState is more like a "pause" command: you
can save the state you're in and wait for the machine to stop running
and you can resume it later.
This limits the uses of the vbox support of libvirt.
There is another way you can do virDomainSave/virDomainRestore: use snapshots.
This way, you can specify the file in which you want to save the
snapshot, you can continue to use the machine and do some crazy
experiments and then restore the machine to the known good state.
As of the current implementation, I don't think there's a way to do
this in libvirt.
I'd like to know if there's a real reason why virDomainSave is
implemented this way (and virDomainRestore is unimplemented), or it
just got implemented like this and no one cared much about it.
--
.
..: Lucian
15 years, 2 months
[libvirt] [PATCH] Compressed save image format for Qemu.
by Chris Lalancette
Implement a compressed save image format for qemu. While ideally
we would have the choice between compressed/non-compressed
available to the libvirt API, unfortunately there is no "flags"
parameter to the virDomainSave() API. Therefore, implement this
as a qemu.conf option. Both gzip and bzip2 are implemented, and
it should be very easy to implement additional compression
methods.
One open question is if/how we should detect the gzip and bzip2
binaries. One way to do it is to do compile-time setting of the
paths (via configure.in), but that doesn't seem like a great thing
to do. Another solution (my preferred solution) is not to detect
at all; when we go to run the commands that need them, if they
aren't available, or aren't available in one of the standard paths,
then we'll fail. Maybe somebody else has another option or
opinion, though.
In the future, we'll have a more robust (managed) save/restore API,
at which time we can expose this functionality properly in the API.
V2: get rid of redundant dd command and just use >> to append data.
Signed-off-by: Chris Lalancette <clalance(a)redhat.com>
---
src/qemu.conf | 10 +++++++
src/qemu_conf.c | 11 ++++++++
src/qemu_conf.h | 2 +
src/qemu_driver.c | 71 ++++++++++++++++++++++++++++++++++++++++++++++++++---
4 files changed, 90 insertions(+), 4 deletions(-)
diff --git a/src/qemu.conf b/src/qemu.conf
index 653f487..86dcc9d 100644
--- a/src/qemu.conf
+++ b/src/qemu.conf
@@ -129,3 +129,13 @@
# "/dev/ptmx", "/dev/kvm", "/dev/kqemu",
# "/dev/rtc", "/dev/hpet", "/dev/net/tun",
#]
+
+# The default format for Qemu/KVM guest save images is raw; that is, the
+# memory from the domain is dumped out directly to a file. If you have
+# guests with a large amount of memory, however, this can take up quite
+# a bit of space. If you would like to compress the images while they
+# are being saved to disk, you can also set "gzip" or "bzip2" for the
+# save_image_format. Note that this means you slow down the process
+# of saving a domain in order to save disk space.
+#
+# save_image_format = "raw"
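Review bot: the new qemu.conf comment does not say that "gzip" and "bzip2" depend on external binaries of the same name being found at save time and again at restore time. Since the patch deliberately does no detection, state that requirement here so an administrator who selects a compressed format knows a missing binary only shows up when a guest is saved or restored.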
diff --git a/src/qemu_conf.c b/src/qemu_conf.c
index 7ca5a15..ed87e13 100644
--- a/src/qemu_conf.c
+++ b/src/qemu_conf.c
@@ -280,6 +280,17 @@ int qemudLoadDriverConfig(struct qemud_driver *driver,
driver->cgroupDeviceACL[i] = NULL;
}
+ p = virConfGetValue (conf, "save_image_format");
+ CHECK_TYPE ("save_image_format", VIR_CONF_STRING);
+ if (p && p->str) {
+ VIR_FREE(driver->saveImageFormat);
+ if (!(driver->saveImageFormat = strdup(p->str))) {
+ virReportOOMError(NULL);
+ virConfFree(conf);
+ return -1;
+ }
+ }
+
virConfFree (conf);
return 0;
}
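Review bot: the save_image_format string is stored in qemudLoadDriverConfig() without checking that it is one of "raw", "gzip" or "bzip2", so a typo in qemu.conf is only reported later, from qemudDomainSave(), on the first save attempt. Validating the value right after the strdup() and failing the config load would surface the mistake at daemon start instead.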
diff --git a/src/qemu_conf.h b/src/qemu_conf.h
index 8f4ef6a..e34baab 100644
--- a/src/qemu_conf.h
+++ b/src/qemu_conf.h
@@ -111,6 +111,8 @@ struct qemud_driver {
char *securityDriverName;
virSecurityDriverPtr securityDriver;
+
+ char *saveImageFormat;
};
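Review bot: saveImageFormat is a heap string owned by struct qemud_driver, but none of the hunks in this patch releases it when the driver is torn down. Add the matching VIR_FREE(driver->saveImageFormat) next to where the other driver strings such as securityDriverName are freed, and a one-line comment on the field saying which values it may hold.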
diff --git a/src/qemu_driver.c b/src/qemu_driver.c
index 3c92635..b146330 100644
--- a/src/qemu_driver.c
+++ b/src/qemu_driver.c
@@ -3437,11 +3437,26 @@ static int qemudDomainSave(virDomainPtr dom,
struct qemud_save_header header;
int ret = -1;
virDomainEventPtr event = NULL;
+ int internalret;
memset(&header, 0, sizeof(header));
memcpy(header.magic, QEMUD_SAVE_MAGIC, sizeof(header.magic));
header.version = QEMUD_SAVE_VERSION;
+ if (driver->saveImageFormat == NULL)
+ header.compressed = QEMUD_SAVE_FORMAT_RAW;
+ else if (STREQ(driver->saveImageFormat, "raw"))
+ header.compressed = QEMUD_SAVE_FORMAT_RAW;
+ else if (STREQ(driver->saveImageFormat, "gzip"))
+ header.compressed = QEMUD_SAVE_FORMAT_GZIP;
+ else if (STREQ(driver->saveImageFormat, "bzip2"))
+ header.compressed = QEMUD_SAVE_FORMAT_BZIP2;
+ else {
+ qemudReportError(dom->conn, dom, NULL, VIR_ERR_OPERATION_FAILED,
+ "%s", _("Invalid save image format specified in configuration file"));
+ return -1;
+ }
+
qemuDriverLock(driver);
vm = virDomainFindByUUID(&driver->domains, dom->uuid);
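Review bot: driver->saveImageFormat is read, and the function can return -1, before qemuDriverLock(driver) is taken. Move the format selection below the lock (using the existing cleanup path for the error) so the string cannot change under the comparison. The NULL and "raw" branches do the same thing and can be folded into one test.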
@@ -3514,11 +3529,25 @@ static int qemudDomainSave(virDomainPtr dom,
virReportOOMError(dom->conn);
goto cleanup;
}
- if (virAsprintf(&command, "migrate \"exec:"
- "dd of='%s' oflag=append conv=notrunc 2>/dev/null"
- "\"", safe_path) == -1) {
+
+ if (header.compressed == QEMUD_SAVE_FORMAT_RAW)
+ internalret = virAsprintf(&command, "migrate \"exec:"
+ "dd of='%s' oflag=append conv=notrunc 2>/dev/null"
+ "\"", safe_path);
+ else if (header.compressed == QEMUD_SAVE_FORMAT_GZIP)
+ internalret = virAsprintf(&command, "migrate \"exec:"
+ "gzip -c >> '%s' 2>/dev/null\"", safe_path);
+ else if (header.compressed == QEMUD_SAVE_FORMAT_BZIP2)
+ internalret = virAsprintf(&command, "migrate \"exec:"
+ "bzip2 -c >> '%s' 2>/dev/null\"", safe_path);
+ else {
+ qemudReportError(dom->conn, dom, NULL, VIR_ERR_INTERNAL_ERROR,
+ _("Invalid compress format %d"),
+ header.compressed);
+ goto cleanup;
+ }
+ if (internalret < 0) {
virReportOOMError(dom->conn);
- command = NULL;
goto cleanup;
}
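Review bot: the gzip and bzip2 command strings send stderr to /dev/null and nothing here looks at the compressor's exit status, so a missing or failing binary leaves a file that holds the header and XML but little or no memory image, while the save appears to succeed. The commit message relies on "then we'll fail" when the binaries are absent; that needs an explicit check, for example verifying migration status after the command or at least not discarding the error output. The V2 note says the dd command was removed, but the raw branch still uses it; either is fine, but the message and code should agree.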
@@ -4039,6 +4068,9 @@ static int qemudDomainRestore(virConnectPtr conn,
char *xml = NULL;
struct qemud_save_header header;
virDomainEventPtr event = NULL;
+ int intermediatefd = -1;
+ pid_t intermediate_pid = -1;
+ int childstat;
qemuDriverLock(driver);
/* Verify the header and read the XML */
@@ -4128,8 +4160,39 @@ static int qemudDomainRestore(virConnectPtr conn,
}
def = NULL;
+ if (header.version == 2) {
+ const char *intermediate_argv[3] = { NULL, "-dc", NULL };
+ if (header.compressed == QEMUD_SAVE_FORMAT_GZIP)
+ intermediate_argv[0] = "gzip";
+ else if (header.compressed == QEMUD_SAVE_FORMAT_BZIP2)
+ intermediate_argv[0] = "bzip2";
+ else if (header.compressed != QEMUD_SAVE_FORMAT_RAW) {
+ qemudReportError(conn, NULL, NULL, VIR_ERR_OPERATION_FAILED,
+ _("Unknown compressed save format %d"),
+ header.compressed);
+ goto cleanup;
+ }
+ if (intermediate_argv[0] != NULL) {
+ intermediatefd = fd;
+ fd = -1;
+ if (virExec(conn, intermediate_argv, NULL, NULL,
+ &intermediate_pid, intermediatefd, &fd, NULL, 0) < 0) {
+ qemudReportError(conn, NULL, NULL, VIR_ERR_INTERNAL_ERROR,
+ _("Failed to start decompression binary %s"),
+ intermediate_argv[0]);
+ goto cleanup;
+ }
+ }
+ }
/* Set the migration source and start it up. */
ret = qemudStartVMDaemon(conn, driver, vm, "stdio", fd);
+ if (intermediate_pid != -1) {
+ /* Wait for intermediate process to exit */
+ while (waitpid(intermediate_pid, &childstat, 0) == -1 &&
+ errno == EINTR);
+ }
+ if (intermediatefd != -1)
+ close(intermediatefd);
close(fd);
fd = -1;
if (ret < 0) {
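Review bot: childstat is filled in by waitpid() but never examined, so a decompressor that exits non-zero (corrupt image, truncated file) does not make the restore fail. Check WIFEXITED/WEXITSTATUS after the wait and treat a failure as a restore error. Also, `header.version == 2` is a bare literal while the save side writes QEMUD_SAVE_VERSION; compare against the named constant, and confirm that the cleanup path closes intermediatefd when virExec() fails, since fd has already been set to -1 at that point.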
--
1.6.0.6
15 years, 2 months
[libvirt] [PATCH] Remove use of strncpy in qemudExtractMonitorPath.
by Chris Lalancette
qemudExtractMonitorPath() was doing a VIR_ALLOC_N followed by a
strncpy. However, this isn't necessary; we can do the same thing
using virAsprintf(), which is much safer.
Signed-off-by: Chris Lalancette <clalance(a)redhat.com>
---
src/qemu_driver.c | 7 ++++---
1 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/src/qemu_driver.c b/src/qemu_driver.c
index 55a09f5..37fdec2 100644
--- a/src/qemu_driver.c
+++ b/src/qemu_driver.c
@@ -1017,12 +1017,13 @@ qemudExtractMonitorPath(virConnectPtr conn,
*/
while (*tmp) {
if (c_isspace(*tmp)) {
- if (VIR_ALLOC_N(*path, (tmp-dev)+1) < 0) {
+ if (virAsprintf(path, "%s", dev) < 0) {
virReportOOMError(conn);
return -1;
}
- strncpy(*path, dev, (tmp-dev));
- (*path)[(tmp-dev)] = '\0';
+ /* the last character is a \n, so back up one to overwrite */
+ (*path)[tmp-dev] = '\0';
+
/* ... now further update offset till we get EOL */
*offset = tmp - haystack;
return 0;
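Review bot: virAsprintf(path, "%s", dev) copies everything from dev to the end of the buffer and only afterwards cuts the result at tmp-dev, so the allocation is as large as the remaining output rather than the path. The new comment also says the last character is a \n, but tmp stops at the first c_isspace() character, which need not be a newline. Formatting with a precision, "%.*s" with (int)(tmp-dev), would allocate and copy exactly the path and make the manual termination unnecessary.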
--
1.6.0.6
15 years, 2 months
[libvirt] [PATCH] Convert one use of strncpy + strcat to snprintf in test driver.
by Chris Lalancette
Signed-off-by: Chris Lalancette <clalance(a)redhat.com>
---
src/test.c | 5 ++---
1 files changed, 2 insertions(+), 3 deletions(-)
diff --git a/src/test.c b/src/test.c
index 470816b..ab6cfdf 100644
--- a/src/test.c
+++ b/src/test.c
@@ -417,9 +417,8 @@ static char *testBuildFilename(const char *relativeTo,
char *absFile;
if (VIR_ALLOC_N(absFile, baseLen + strlen(filename) + 1) < 0)
return NULL;
- strncpy(absFile, relativeTo, baseLen);
- absFile[baseLen] = '\0';
- strcat(absFile, filename);
+ snprintf(absFile, baseLen + strlen(filename) + 1, "%s%s",
+ relativeTo, filename);
return absFile;
} else {
return strdup(filename);
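Review bot: the removed lines copied only the first baseLen bytes of relativeTo, while the new "%s%s" formats the whole relativeTo string. When relativeTo is longer than baseLen, the output is cut off at the buffer size, so filename is truncated or dropped and the result differs from before. Use "%.*s%s" with (int)baseLen to keep the old behaviour, and check the snprintf() return value.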
--
1.6.0.6
15 years, 2 months
[libvirt] [PATCH] Error path mutex unlock in virGetStorageVol.
by Chris Lalancette
Signed-off-by: Chris Lalancette <clalance(a)redhat.com>
---
src/datatypes.c | 5 +----
1 files changed, 1 insertions(+), 4 deletions(-)
diff --git a/src/datatypes.c b/src/datatypes.c
index 1889dc3..ac61682 100644
--- a/src/datatypes.c
+++ b/src/datatypes.c
@@ -863,19 +863,16 @@ virGetStorageVol(virConnectPtr conn, const char *pool, const char *name, const c
ret = (virStorageVolPtr) virHashLookup(conn->storageVols, key);
if (ret == NULL) {
if (VIR_ALLOC(ret) < 0) {
- virMutexUnlock(&conn->lock);
virReportOOMError(conn);
goto error;
}
ret->pool = strdup(pool);
if (ret->pool == NULL) {
- virMutexUnlock(&conn->lock);
virReportOOMError(conn);
goto error;
}
ret->name = strdup(name);
if (ret->name == NULL) {
- virMutexUnlock(&conn->lock);
virReportOOMError(conn);
goto error;
}
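Review bot: with the per-branch unlocks removed, virReportOOMError(conn) now runs while conn->lock is still held, where before the lock was dropped first. Please confirm that the error-reporting path never takes conn->lock itself, and say so in the commit message, which currently has no body explaining why the unlocks were moved.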
@@ -885,7 +882,6 @@ virGetStorageVol(virConnectPtr conn, const char *pool, const char *name, const c
ret->conn = conn;
if (virHashAddEntry(conn->storageVols, key, ret) < 0) {
- virMutexUnlock(&conn->lock);
virLibConnError(conn, VIR_ERR_INTERNAL_ERROR,
"%s", _("failed to add storage vol to connection hash table"));
goto error;
@@ -897,6 +893,7 @@ virGetStorageVol(virConnectPtr conn, const char *pool, const char *name, const c
return(ret);
error:
+ virMutexUnlock(&conn->lock);
if (ret != NULL) {
VIR_FREE(ret->name);
VIR_FREE(ret->pool);
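Review bot: the error: label now unlocks conn->lock unconditionally, so every `goto error` in virGetStorageVol() must be reached with the lock held. Check the jumps that come before the lookup shown in the first hunk (argument validation, for instance); if any of them runs before the lock is taken, this unlocks a mutex that is not held.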
--
1.6.0.6
15 years, 2 months
[libvirt] Crash while using virConnectRef
by Chris Lalancette
All,
I've been doing some testing of the virConnectRef() function, and as far as
I can tell, it's busted. Here's the simple example program I'm using:
#include <stdio.h>
#include <stdlib.h>
#include <libvirt/libvirt.h>
#include <unistd.h>

int main(int argc, char *argv[])
{
    virConnectPtr conn;

    conn = virConnectOpen(NULL);
    printf("type is %s\n", virConnectGetType(conn));
    virConnectRef(conn);
    virConnectClose(conn);
    virConnectClose(conn);
    return 0;
}
When compiling and running this program, I get a segfault during the *second*
virConnectClose(). The crash comes in the remote_internal driver, because the
first virConnectClose() actually freed up the remote_internal private memory,
and now the second one comes along and accesses a NULL pointer. I think this
actually points to a bug in virConnectClose(); we shouldn't be running the
->close() callbacks on the drivers until we are going to be really closing up
the driver, i.e. we should move all of the ->close() callbacks into
virUnrefConnect(). Is that the right way to fix this?
--
Chris Lalancette
15 years, 2 months
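The close-versus-unref ordering raised in the message above, as an added toy model; it is not libvirt code and not from the original post. Every `toy_*` name is hypothetical, and where a real driver would dereference its freed private data the model only counts the event so the program can run to completion.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-in for a driver's private connection state. */
struct toy_priv { int sock; };

/* Hypothetical stand-in for a reference-counted connection object. */
struct toy_conn {
    int refs;
    struct toy_priv *priv;
};

struct toy_stats {
    int driver_closes;  /* times the driver close callback released state */
    int stale_uses;     /* times the callback found the state already freed */
};

static struct toy_conn *toy_open(void)
{
    struct toy_conn *c = calloc(1, sizeof(*c));
    if (!c)
        return NULL;
    c->priv = calloc(1, sizeof(*c->priv));
    if (!c->priv) {
        free(c);
        return NULL;
    }
    c->priv->sock = 3;  /* constructed value */
    c->refs = 1;
    return c;
}

static void toy_ref(struct toy_conn *c) { c->refs++; }

/* Models a driver ->close() callback. */
static void toy_driver_close(struct toy_conn *c, struct toy_stats *st)
{
    if (c->priv == NULL) {
        /* A real driver would dereference NULL here and crash. */
        st->stale_uses++;
        return;
    }
    st->driver_closes++;
    free(c->priv);
    c->priv = NULL;
}

/* Pattern from the report: the callback runs on every close call. */
static int toy_close_eager(struct toy_conn *c, struct toy_stats *st)
{
    int left;
    toy_driver_close(c, st);
    left = --c->refs;
    if (left == 0)
        free(c);
    return left;
}

/* Proposed ordering: the callback runs only when the last ref is dropped. */
static int toy_close_deferred(struct toy_conn *c, struct toy_stats *st)
{
    int left = --c->refs;
    if (left == 0) {
        toy_driver_close(c, st);
        free(c);
    }
    return left;
}

typedef int (*toy_close_fn)(struct toy_conn *, struct toy_stats *);

/* Replays the sequence from the report: open, ref, close, close. */
static struct toy_stats toy_replay(toy_close_fn close_fn)
{
    struct toy_stats st = {0, 0};
    struct toy_conn *c = toy_open();
    if (!c) {
        st.stale_uses = -1;  /* allocation failure marker */
        return st;
    }
    toy_ref(c);
    close_fn(c, &st);
    close_fn(c, &st);
    return st;
}

int main(void)
{
    struct toy_stats e = toy_replay(toy_close_eager);
    struct toy_stats d = toy_replay(toy_close_deferred);
    printf("eager:    driver_closes=%d stale_uses=%d\n", e.driver_closes, e.stale_uses);
    printf("deferred: driver_closes=%d stale_uses=%d\n", d.driver_closes, d.stale_uses);
    return 0;
}
```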
[libvirt] [PATCH] Handle kernels with no ipv6 support
by Mark McLoughlin
If the ipv6 kernel module is not loaded, then we get this when starting
a virtual network:
libvir: Network Config error :
cannot enable /proc/sys/net/ipv6/conf/virbr0/disable_ipv6:
No such file or directory
If disable_ipv6 is not present, we should just merrily continue on our
way.
* src/network_driver.c: make networkDisableIPV6() not fail if the kernel
has no ipv6 support
---
src/network_driver.c | 6 ++++++
1 files changed, 6 insertions(+), 0 deletions(-)
diff --git a/src/network_driver.c b/src/network_driver.c
index eaea454..84910ab 100644
--- a/src/network_driver.c
+++ b/src/network_driver.c
@@ -801,6 +801,12 @@ static int networkDisableIPV6(virConnectPtr conn,
goto cleanup;
}
+ if (access(field, W_OK) < 0 && errno == ENOENT) {
+ VIR_DEBUG("ipv6 appears to already be disabled on %s", network->def->bridge);
+ ret = 0;
+ goto cleanup;
+ }
+
if (virFileWriteStr(field, "1") < 0) {
virReportSystemError(conn, errno,
_("cannot enable %s"), field);
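Review bot: the access(field, W_OK) test followed by virFileWriteStr() checks the file and then uses it in two separate steps. It is simpler and more robust to attempt the write and treat errno == ENOENT from virFileWriteStr() as the "no ipv6" case. The debug text "ipv6 appears to already be disabled" also does not match the situation in the commit message, where the kernel has no ipv6 support at all; say that instead.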
--
1.6.2.5
15 years, 2 months
[libvirt] does libvirt support qemu-kvm vmchannel option?
by cyliu7
Hi all,
I noticed that qemu-kvm supports an option vmchannel (-net channel ...)
to create a new device to communicate between host and guest.
Does libvirt support this option when creating a KVM based VM? If so,
how to config the VM? Is there any sample to show this feature?
Any suggestions are greatly appreciated.
Regards,
------------------------
Chunyang Liu
15 years, 2 months
[libvirt] PATCH: Support PolicyKit 1.0
by Daniel P. Berrange
In the seriously annoying way of things, the newest PolicyKit in Fedora 12
has been completely re-written from scratch with a totally incompatible
application facing API. Conceptually it is still pretty similar though,
with the exception that client applications no longer need to explicitly
launch an auth dialog - that's done out-of-band by policykit itself.
This patch adjusts libvirtd to the new API, and removes the libvirt client
side code that spawned the auth helper. On the libvirtd side avoid their
APIs and instead spawn an external auth checking program 'pkcheck', which
returns 0 on success, non-0 for denial.
In the final annoying bit, the XML format for the policy has remained with
exactly the same DTD version, except that it has quietly changed the allowed
values for some attributes in an incompatible manner. So I have to add a
new policy file too.
NB, it may not look like we've changed the client side, but we have, since
the #ifdef for the external auth agent is no longer set.
Tested with old policy kit, and new policykit, and with none at all.
b/configure.in | 73 +++++++++++++++++++++++++++--------------
b/qemud/Makefile.am | 11 +++++-
b/qemud/libvirtd.policy-0 | 42 +++++++++++++++++++++++
b/qemud/libvirtd.policy-1 | 42 +++++++++++++++++++++++
b/qemud/qemud.c | 4 +-
b/qemud/qemud.h | 4 +-
b/qemud/remote.c | 81 +++++++++++++++++++++++++++++++++++++++++++---
qemud/libvirtd.policy | 42 -----------------------
8 files changed, 223 insertions(+), 76 deletions(-)
Regards,
Daniel
diff --git a/configure.in b/configure.in
index b905b23..77d6c9e 100644
--- a/configure.in
+++ b/configure.in
@@ -607,40 +607,61 @@ AC_SUBST([SASL_LIBS])
dnl PolicyKit library
POLKIT_CFLAGS=
POLKIT_LIBS=
+PKCHECK_PATH=
AC_ARG_WITH([polkit],
[ --with-polkit use PolicyKit for UNIX socket access checks],
[],
[with_polkit=check])
+with_polkit0=no
+with_polkit1=no
if test "x$with_polkit" = "xyes" -o "x$with_polkit" = "xcheck"; then
- PKG_CHECK_MODULES(POLKIT, polkit-dbus >= $POLKIT_REQUIRED,
- [with_polkit=yes], [
- if test "x$with_polkit" = "xcheck" ; then
- with_polkit=no
- else
- AC_MSG_ERROR(
- [You must install PolicyKit >= $POLKIT_REQUIRED to compile libvirt])
- fi
- ])
- if test "x$with_polkit" = "xyes" ; then
+ dnl Check for new polkit first - just a binary
+ AC_PATH_PROG([PKCHECK_PATH],[pkcheck], [], [/usr/sbin:$PATH])
+ if test "x$PKCHECK_PATH" != "x" ; then
+ AC_DEFINE_UNQUOTED([PKCHECK_PATH],["$PKCHECK_PATH"],[Location of pkcheck program])
AC_DEFINE_UNQUOTED([HAVE_POLKIT], 1,
- [use PolicyKit for UNIX socket access checks])
-
- old_CFLAGS=$CFLAGS
- old_LDFLAGS=$LDFLAGS
- CFLAGS="$CFLAGS $POLKIT_CFLAGS"
- LDFLAGS="$LDFLAGS $POLKIT_LIBS"
- AC_CHECK_FUNCS([polkit_context_is_caller_authorized])
- CFLAGS="$old_CFLAGS"
- LDFLAGS="$old_LDFLAGS"
-
- AC_PATH_PROG([POLKIT_AUTH], [polkit-auth])
- if test "x$POLKIT_AUTH" != "x"; then
- AC_DEFINE_UNQUOTED([POLKIT_AUTH],["$POLKIT_AUTH"],[Location of polkit-auth program])
+ [use PolicyKit for UNIX socket access checks])
+ AC_DEFINE_UNQUOTED([HAVE_POLKIT1], 1,
+ [use PolicyKit for UNIX socket access checks])
+ with_polkit="yes"
+ with_polkit1="yes"
+ else
+ dnl Check for old polkit second - library + binary
+ PKG_CHECK_MODULES(POLKIT, polkit-dbus >= $POLKIT_REQUIRED,
+ [with_polkit=yes], [
+ if test "x$with_polkit" = "xcheck" ; then
+ with_polkit=no
+ else
+ AC_MSG_ERROR(
+ [You must install PolicyKit >= $POLKIT_REQUIRED to compile libvirt])
+ fi
+ ])
+ if test "x$with_polkit" = "xyes" ; then
+ AC_DEFINE_UNQUOTED([HAVE_POLKIT], 1,
+ [use PolicyKit for UNIX socket access checks])
+ AC_DEFINE_UNQUOTED([HAVE_POLKIT0], 1,
+ [use PolicyKit for UNIX socket access checks])
+
+ old_CFLAGS=$CFLAGS
+ old_LDFLAGS=$LDFLAGS
+ CFLAGS="$CFLAGS $POLKIT_CFLAGS"
+ LDFLAGS="$LDFLAGS $POLKIT_LIBS"
+ AC_CHECK_FUNCS([polkit_context_is_caller_authorized])
+ CFLAGS="$old_CFLAGS"
+ LDFLAGS="$old_LDFLAGS"
+
+ AC_PATH_PROG([POLKIT_AUTH], [polkit-auth])
+ if test "x$POLKIT_AUTH" != "x"; then
+ AC_DEFINE_UNQUOTED([POLKIT_AUTH],["$POLKIT_AUTH"],[Location of polkit-auth program])
+ fi
+ with_polkit0="yes"
fi
fi
fi
AM_CONDITIONAL([HAVE_POLKIT], [test "x$with_polkit" = "xyes"])
+AM_CONDITIONAL([HAVE_POLKIT0], [test "x$with_polkit0" = "xyes"])
+AM_CONDITIONAL([HAVE_POLKIT1], [test "x$with_polkit1" = "xyes"])
AC_SUBST([POLKIT_CFLAGS])
AC_SUBST([POLKIT_LIBS])
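Review bot: the pkcheck probe runs first and wins whenever the binary is found in /usr/sbin:$PATH on the build host, so there is no way to ask for the version 0 code path on a machine that has both installed. Consider letting --with-polkit take an explicit version, or at least document the precedence in the help string. HAVE_POLKIT1 and HAVE_POLKIT0 also reuse the HAVE_POLKIT description text; give each its own so config.h says which API it selects.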
@@ -1621,7 +1642,11 @@ else
AC_MSG_NOTICE([ avahi: no])
fi
if test "$with_polkit" = "yes" ; then
-AC_MSG_NOTICE([ polkit: $POLKIT_CFLAGS $POLKIT_LIBS])
+if test "$with_polkit0" = "yes" ; then
+AC_MSG_NOTICE([ polkit: $POLKIT_CFLAGS $POLKIT_LIBS (version 0)])
+else
+AC_MSG_NOTICE([ polkit: $PKCHECK_PATH (version 1)])
+fi
else
AC_MSG_NOTICE([ polkit: no])
fi
diff --git a/qemud/Makefile.am b/qemud/Makefile.am
index 959ff88..3d143da 100644
--- a/qemud/Makefile.am
+++ b/qemud/Makefile.am
@@ -21,7 +21,8 @@ EXTRA_DIST = \
remote_protocol.x \
libvirtd.conf \
libvirtd.init.in \
- libvirtd.policy \
+ libvirtd.policy-0 \
+ libvirtd.policy-1 \
libvirtd.sasl \
libvirtd.sysconf \
libvirtd.aug \
@@ -147,7 +148,13 @@ endif
libvirtd_LDADD += ../src/libvirt.la
if HAVE_POLKIT
+if HAVE_POLKIT0
policydir = $(datadir)/PolicyKit/policy
+policyfile = libvirtd.policy-0
+else
+policydir = $(datadir)/polkit-1/actions
+policyfile = libvirtd.policy-1
+endif
endif
if HAVE_AVAHI
@@ -197,7 +204,7 @@ endif
if HAVE_POLKIT
install-data-polkit:: install-init
mkdir -p $(DESTDIR)$(policydir)
- $(INSTALL_DATA) $(srcdir)/libvirtd.policy $(DESTDIR)$(policydir)/org.libvirt.unix.policy
+ $(INSTALL_DATA) $(srcdir)/$(policyfile) $(DESTDIR)$(policydir)/org.libvirt.unix.policy
uninstall-data-polkit:: install-init
rm -f $(DESTDIR)$(policydir)/org.libvirt.unix.policy
else
diff --git a/qemud/libvirtd.policy b/qemud/libvirtd.policy
deleted file mode 100644
index b6da946..0000000
--- a/qemud/libvirtd.policy
+++ /dev/null
@@ -1,42 +0,0 @@
-<!DOCTYPE policyconfig PUBLIC
- "-//freedesktop//DTD PolicyKit Policy Configuration 1.0//EN"
- "http://www.freedesktop.org/standards/PolicyKit/1.0/policyconfig.dtd">
-
-<!--
-Policy definitions for libvirt daemon
-
-Copyright (c) 2007 Daniel P. Berrange <berrange redhat com>
-
-libvirt is licensed to you under the GNU Lesser General Public License
-version 2. See COPYING for details.
-
-NOTE: If you make changes to this file, make sure to validate the file
-using the polkit-policy-file-validate(1) tool. Changes made to this
-file are instantly applied.
--->
-
-<policyconfig>
- <action id="org.libvirt.unix.monitor">
- <description>Monitor local virtualized systems</description>
- <message>System policy prevents monitoring of local virtualized systems</message>
- <defaults>
- <!-- Any program can use libvirt in read-only mode for monitoring,
- even if not part of a session -->
- <allow_any>yes</allow_any>
- <allow_inactive>yes</allow_inactive>
- <allow_active>yes</allow_active>
- </defaults>
- </action>
-
- <action id="org.libvirt.unix.manage">
- <description>Manage local virtualized systems</description>
- <message>System policy prevents management of local virtualized systems</message>
- <defaults>
- <!-- Only a program in the active host session can use libvirt in
- read-write mode for management, and we require user password -->
- <allow_any>no</allow_any>
- <allow_inactive>no</allow_inactive>
- <allow_active>auth_admin_keep_session</allow_active>
- </defaults>
- </action>
-</policyconfig>
diff --git a/qemud/libvirtd.policy-0 b/qemud/libvirtd.policy-0
new file mode 100644
index 0000000..b6da946
--- /dev/null
+++ b/qemud/libvirtd.policy-0
@@ -0,0 +1,42 @@
+<!DOCTYPE policyconfig PUBLIC
+ "-//freedesktop//DTD PolicyKit Policy Configuration 1.0//EN"
+ "http://www.freedesktop.org/standards/PolicyKit/1.0/policyconfig.dtd">
+
+<!--
+Policy definitions for libvirt daemon
+
+Copyright (c) 2007 Daniel P. Berrange <berrange redhat com>
+
+libvirt is licensed to you under the GNU Lesser General Public License
+version 2. See COPYING for details.
+
+NOTE: If you make changes to this file, make sure to validate the file
+using the polkit-policy-file-validate(1) tool. Changes made to this
+file are instantly applied.
+-->
+
+<policyconfig>
+ <action id="org.libvirt.unix.monitor">
+ <description>Monitor local virtualized systems</description>
+ <message>System policy prevents monitoring of local virtualized systems</message>
+ <defaults>
+ <!-- Any program can use libvirt in read-only mode for monitoring,
+ even if not part of a session -->
+ <allow_any>yes</allow_any>
+ <allow_inactive>yes</allow_inactive>
+ <allow_active>yes</allow_active>
+ </defaults>
+ </action>
+
+ <action id="org.libvirt.unix.manage">
+ <description>Manage local virtualized systems</description>
+ <message>System policy prevents management of local virtualized systems</message>
+ <defaults>
+ <!-- Only a program in the active host session can use libvirt in
+ read-write mode for management, and we require user password -->
+ <allow_any>no</allow_any>
+ <allow_inactive>no</allow_inactive>
+ <allow_active>auth_admin_keep_session</allow_active>
+ </defaults>
+ </action>
+</policyconfig>
diff --git a/qemud/libvirtd.policy-1 b/qemud/libvirtd.policy-1
new file mode 100644
index 0000000..6fa3a5e
--- /dev/null
+++ b/qemud/libvirtd.policy-1
@@ -0,0 +1,42 @@
+<!DOCTYPE policyconfig PUBLIC
+ "-//freedesktop//DTD PolicyKit Policy Configuration 1.0//EN"
+ "http://www.freedesktop.org/standards/PolicyKit/1.0/policyconfig.dtd">
+
+<!--
+Policy definitions for libvirt daemon
+
+Copyright (c) 2007 Daniel P. Berrange <berrange redhat com>
+
+libvirt is licensed to you under the GNU Lesser General Public License
+version 2. See COPYING for details.
+
+NOTE: If you make changes to this file, make sure to validate the file
+using the polkit-policy-file-validate(1) tool. Changes made to this
+file are instantly applied.
+-->
+
+<policyconfig>
+ <action id="org.libvirt.unix.monitor">
+ <description>Monitor local virtualized systems</description>
+ <message>System policy prevents monitoring of local virtualized systems</message>
+ <defaults>
+ <!-- Any program can use libvirt in read-only mode for monitoring,
+ even if not part of a session -->
+ <allow_any>yes</allow_any>
+ <allow_inactive>yes</allow_inactive>
+ <allow_active>yes</allow_active>
+ </defaults>
+ </action>
+
+ <action id="org.libvirt.unix.manage">
+ <description>Manage local virtualized systems</description>
+ <message>System policy prevents management of local virtualized systems</message>
+ <defaults>
+ <!-- Only a program in the active host session can use libvirt in
+ read-write mode for management, and we require user password -->
+ <allow_any>no</allow_any>
+ <allow_inactive>no</allow_inactive>
+ <allow_active>auth_admin_keep</allow_active>
+ </defaults>
+ </action>
+</policyconfig>
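Review bot: libvirtd.policy-1 differs from libvirtd.policy-0 only in the allow_active value for org.libvirt.unix.manage (auth_admin_keep here, auth_admin_keep_session there), which is easy to miss in two 42-line copies. Add a comment at that element saying why the value differs, and update the header NOTE if the validation tool it names does not apply to the new policy format.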
diff --git a/qemud/qemud.c b/qemud/qemud.c
index 3e551ca..50b0cdd 100644
--- a/qemud/qemud.c
+++ b/qemud/qemud.c
@@ -895,7 +895,7 @@ static struct qemud_server *qemudNetworkInit(struct qemud_server *server) {
}
#endif
-#ifdef HAVE_POLKIT
+#if HAVE_POLKIT0
if (auth_unix_rw == REMOTE_AUTH_POLKIT ||
auth_unix_ro == REMOTE_AUTH_POLKIT) {
DBusError derr;
@@ -982,7 +982,7 @@ static struct qemud_server *qemudNetworkInit(struct qemud_server *server) {
sock = sock->next;
}
-#ifdef HAVE_POLKIT
+#if HAVE_POLKIT0
if (server->sysbus)
dbus_connection_unref(server->sysbus);
#endif
diff --git a/qemud/qemud.h b/qemud/qemud.h
index 254db44..e8ce209 100644
--- a/qemud/qemud.h
+++ b/qemud/qemud.h
@@ -34,7 +34,7 @@
#include <sasl/sasl.h>
#endif
-#ifdef HAVE_POLKIT
+#if HAVE_POLKIT0
#include <dbus/dbus.h>
#endif
@@ -253,7 +253,7 @@ struct qemud_server {
#if HAVE_SASL
char **saslUsernameWhitelist;
#endif
-#if HAVE_POLKIT
+#if HAVE_POLKIT0
DBusConnection *sysbus;
#endif
};
diff --git a/qemud/remote.c b/qemud/remote.c
index d32d513..490a807 100644
--- a/qemud/remote.c
+++ b/qemud/remote.c
@@ -43,7 +43,7 @@
#include <fnmatch.h>
#include "virterror_internal.h"
-#ifdef HAVE_POLKIT
+#if HAVE_POLKIT0
#include <polkit/polkit.h>
#include <polkit-dbus/polkit-dbus.h>
#endif
@@ -3106,7 +3106,80 @@ remoteDispatchAuthSaslStep (struct qemud_server *server ATTRIBUTE_UNUSED,
#endif /* HAVE_SASL */
-#if HAVE_POLKIT
+#if HAVE_POLKIT1
+static int
+remoteDispatchAuthPolkit (struct qemud_server *server,
+ struct qemud_client *client,
+ virConnectPtr conn ATTRIBUTE_UNUSED,
+ remote_error *rerr,
+ void *args ATTRIBUTE_UNUSED,
+ remote_auth_polkit_ret *ret)
+{
+ pid_t callerPid;
+ uid_t callerUid;
+ const char *action;
+ int status = -1;
+ char pidbuf[50];
+ int rv;
+
+ virMutexLock(&server->lock);
+ virMutexLock(&client->lock);
+ virMutexUnlock(&server->lock);
+
+ action = client->readonly ?
+ "org.libvirt.unix.monitor" :
+ "org.libvirt.unix.manage";
+
+ const char * const pkcheck [] = {
+ PKCHECK_PATH,
+ "--action-id", action,
+ "--process", pidbuf,
+ "--allow-user-interaction",
+ NULL
+ };
+
+ REMOTE_DEBUG("Start PolicyKit auth %d", client->fd);
+ if (client->auth != REMOTE_AUTH_POLKIT) {
+ VIR_ERROR0(_("client tried invalid PolicyKit init request"));
+ goto authfail;
+ }
+
+ if (qemudGetSocketIdentity(client->fd, &callerUid, &callerPid) < 0) {
+ VIR_ERROR0(_("cannot get peer socket identity"));
+ goto authfail;
+ }
+
+ VIR_INFO(_("Checking PID %d running as %d"), callerPid, callerUid);
+
+ rv = snprintf(pidbuf, sizeof pidbuf, "%d", callerPid);
+ if (rv < 0 || rv >= sizeof pidbuf) {
+ VIR_ERROR(_("Caller PID was too large %d"), callerPid);
+ goto authfail;
+ }
+
+ if (virRun(NULL, pkcheck, &status) < 0) {
+ VIR_ERROR(_("Cannot invoke %s"), PKCHECK_PATH);
+ goto authfail;
+ }
+ if (status != 0) {
+ VIR_ERROR(_("Policy kit denied action %s from pid %d, uid %d, result: %d\n"),
+ action, callerPid, callerUid, status);
+ goto authfail;
+ }
+ VIR_INFO(_("Policy allowed action %s from pid %d, uid %d"),
+ action, callerPid, callerUid);
+ ret->complete = 1;
+ client->auth = REMOTE_AUTH_NONE;
+
+ virMutexUnlock(&client->lock);
+ return 0;
+
+authfail:
+ remoteDispatchAuthError(rerr);
+ virMutexUnlock(&client->lock);
+ return -1;
+}
+#elif HAVE_POLKIT0
static int
remoteDispatchAuthPolkit (struct qemud_server *server,
struct qemud_client *client,
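Review bot: pkcheck is given only the caller's PID ("--process", pidbuf), so the authorization decision is bound to a number that can be reused: the client can exit or exec between qemudGetSocketIdentity() and the pkcheck run, and the check then applies to whatever process holds that PID. If pkcheck accepts a process start time together with the PID, pass it. Smaller points: `rv >= sizeof pidbuf` compares an int against a size_t, the "Policy kit denied action" message ends in "\n" unlike the other log calls, and the pkcheck array is declared after statements.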
@@ -3217,7 +3290,7 @@ authfail:
return -1;
}
-#else /* HAVE_POLKIT */
+#else /* !HAVE_POLKIT0 & !HAVE_POLKIT1*/
static int
remoteDispatchAuthPolkit (struct qemud_server *server ATTRIBUTE_UNUSED,
@@ -3231,7 +3304,7 @@ remoteDispatchAuthPolkit (struct qemud_server *server ATTRIBUTE_UNUSED,
remoteDispatchAuthError(rerr);
return -1;
}
-#endif /* HAVE_POLKIT */
+#endif /* HAVE_POLKIT1 */
/***************************************************************
--
|: Red Hat, Engineering, London -o- http://people.redhat.com/berrange/ :|
|: http://libvirt.org -o- http://virt-manager.org -o- http://ovirt.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: GnuPG: 7D3B9505 -o- F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|
15 years, 2 months
[libvirt] Project announcement: abiCloud
by Diego Mariño
Hi all,
This is a one-time post to announce a project which supports libvirt
for managing virtual machines: abiCloud.
AbiCloud is an open source cloud platform manager which allows you to
easily deploy a private cloud in your datacenter. One of the key
differences of AbiCloud is the web rich interface for managing the
infrastructure. You can deploy a new service just dragging and
dropping a VM.
Currently, we use libvirt for:
- Managing (deployment, configuration, administration...) of Xen & KVM
virtual machines through the java binding
- Events monitoring through a C API for openwsman
We truly believe that V2V will boost the adoption of new hypervisors
from users, and libvirt will have a prominent role in this space. So,
we will continue adding support for more hypervisors through libvirt.
homepage: http://community.abiquo.com/display/AbiCloud
Features:
- Rich interface
- User management through ACL
- Infrastructure management (from datacenters to virtual machines)
- Network management
- Appliance repository
- Design virtual datacenters
Requirements:
- Linux/Windows/MacOSX
- Any hypervisor supported installed in a node
- Sun Java Runtime Environment (JRE) 1.6
Licenses
- CPAL 1.0 for the UI
- MPL 1.1 for the services
Thanks,
PS: We will really appreciate if you could add us on your website as a
"Third Party Libvirt Application"
-
Diego Mariño
Co-founder & Community Manager
+34 636-016-062
+1 408-386-8559
www.abiquo.com
15 years, 2 months