March 2010 - Devel - libvirt List Archives

[libvirt] virsh setmaxmem
by Chris Lalancette 30 Mar '10

30 Mar '10

All, My recent patch to remove qemudDomainSetMaxMem() revealed some surprising (to me) behavior of "virsh setmaxmem". In particular, if you run setmaxmem, and the hypervisor doesn't support it, this fact will be reported to you. However, if the amount you were setting for maxmem happens to be lower than "currentMemory", setmaxmem will silently balloon down the domain for you. This is a surprising result exactly because virsh reports error, but did something anyway. What I would expect is that if a hypervisor doesn't support virDomainSetMaxMem(), nothing at all is done. If we agree that this is behavior that needs to be fixed, I would suggest that we move the code to do the auto-ballooning into each of the individual drivers that *do* support virDomainSetMaxMem(). Currently that includes the test driver, the LXC driver, and the Xen driver. This way, we maintain the current behavior for the hypervisors that support this call, and make sure not to do anything at all for the hypervisors that do not. Opinions? -- Chris Lalancette

3 4

[libvirt] [PATCH 0/4] Add timer element to domain clock elements
by Laine Stump 30 Mar '10

30 Mar '10

This patchset implements the XML described in http://www.redhat.com/archives/libvir-list/2010-March/msg00304.html (with one small change - the tickpolicy 'none' was changed to 'delay' after a later discussion). It also implements the qemu backend for those timer types that qemu supports. One thing to point out to 'early adopters': qemu's driftfix option is currently broken, so if you try to specify a tickpolicy=catchup in an rtc timer, the domain will give an error on startup. A patch for that has been posted by Zach Amsden to qemu-devel: http://lists.gnu.org/archive/html/qemu-devel/2010-03/msg02036.html Backends for other hypervisors have not been implemented. That is left as an exercise for later ;-)

2 5

[libvirt] [PATCH 0/2] virsh: honor VISUAL
by Eric Blake 30 Mar '10

30 Mar '10

On IRC yesterday, the comment came up that 'virsh edit' is over-protective, because it prevented me from editing in-terminal using my favorite editor, even after I worked around the fact that sudo sanitizes EDITOR. Besides, historically, VISUAL is used in situations where opening a new window is okay, while EDITOR is used when editing should reuse the current terminal; so we should honor that convention.

3 7

[libvirt] [PATCH] esx: Allow 'lsisas1068' as SCSI controller type
by Matthias Bolte 30 Mar '10

30 Mar '10

Extend tests to cover all SCSI controller types and document the new type. --- docs/drvesx.html.in | 4 +++ src/esx/esx_vmx.c | 14 +++++++----- tests/vmx2xmldata/vmx2xml-scsi-buslogic.vmx | 7 ------ tests/vmx2xmldata/vmx2xml-scsi-buslogic.xml | 20 ------------------ tests/vmx2xmldata/vmx2xml-scsi-driver.vmx | 17 +++++++++++++++ tests/vmx2xmldata/vmx2xml-scsi-driver.xml | 30 +++++++++++++++++++++++++++ tests/vmx2xmltest.c | 2 +- tests/xml2vmxdata/xml2vmx-scsi-buslogic.vmx | 12 ---------- tests/xml2vmxdata/xml2vmx-scsi-buslogic.xml | 15 ------------- tests/xml2vmxdata/xml2vmx-scsi-driver.vmx | 22 +++++++++++++++++++ tests/xml2vmxdata/xml2vmx-scsi-driver.xml | 25 ++++++++++++++++++++++ tests/xml2vmxtest.c | 2 +- 12 files changed, 108 insertions(+), 62 deletions(-) delete mode 100644 tests/vmx2xmldata/vmx2xml-scsi-buslogic.vmx delete mode 100644 tests/vmx2xmldata/vmx2xml-scsi-buslogic.xml create mode 100644 tests/vmx2xmldata/vmx2xml-scsi-driver.vmx create mode 100644 tests/vmx2xmldata/vmx2xml-scsi-driver.xml delete mode 100644 tests/xml2vmxdata/xml2vmx-scsi-buslogic.vmx delete mode 100644 tests/xml2vmxdata/xml2vmx-scsi-buslogic.xml create mode 100644 tests/xml2vmxdata/xml2vmx-scsi-driver.vmx create mode 100644 tests/xml2vmxdata/xml2vmx-scsi-driver.xml diff --git a/docs/drvesx.html.in b/docs/drvesx.html.in index 44a144f..9b413ab 100644 --- a/docs/drvesx.html.in +++ b/docs/drvesx.html.in @@ -275,6 +275,10 @@ ethernet0.checkMACAddress = "false" <dd> LSI Logic SCSI controller for recent guests. </dd> + <dt><code>lsisas1068</code></dt> + <dd> + LSI Logic SAS 1068 controller. + </dd> </dl> <p> Here a domain XML snippet: diff --git a/src/esx/esx_vmx.c b/src/esx/esx_vmx.c index ba4c608..6c1d56e 100644 --- a/src/esx/esx_vmx.c +++ b/src/esx/esx_vmx.c @@ -557,10 +557,11 @@ esxVMX_GatherSCSIControllers(virDomainDefPtr def, char *virtualDev[4], if (disk->driverName != NULL && STRCASENEQ(disk->driverName, "buslogic") && - STRCASENEQ(disk->driverName, "lsilogic")) { + STRCASENEQ(disk->driverName, "lsilogic") && + STRCASENEQ(disk->driverName, "lsisas1068")) { ESX_ERROR(VIR_ERR_INTERNAL_ERROR, "Expecting domain XML entry 'devices/disk/target' to be " - "'buslogic' or 'lsilogic' but found '%s'", + "'buslogic' or 'lsilogic' or 'lsisas1068' but found '%s'", disk->driverName); return -1; } @@ -1269,10 +1270,11 @@ esxVMX_ParseSCSIController(virConfPtr conf, int controller, int *present, if (*virtualDev != NULL && STRCASENEQ(*virtualDev, "buslogic") && - STRCASENEQ(*virtualDev, "lsilogic")) { + STRCASENEQ(*virtualDev, "lsilogic") && + STRCASENEQ(*virtualDev, "lsisas1068")) { ESX_ERROR(VIR_ERR_INTERNAL_ERROR, - "Expecting VMX entry '%s' to be 'buslogic' or 'lsilogic' " - "but found '%s'", virtualDev_name, *virtualDev); + "Expecting VMX entry '%s' to be 'buslogic' or 'lsilogic' or " + "'lsisas1068' but found '%s'", virtualDev_name, *virtualDev); goto failure; } @@ -1312,7 +1314,7 @@ esxVMX_ParseDisk(esxVI_Context *ctx, virConfPtr conf, int device, int bus, * bus = VIR_DOMAIN_DISK_BUS_SCSI * controller = [0..3] * id = [0..6,8..15] - * virtualDev = {'buslogic', 'lsilogic'} + * virtualDev = {'buslogic', 'lsilogic', 'lsisas1068'} * * device = {VIR_DOMAIN_DISK_DEVICE_DISK, VIR_DOMAIN_DISK_DEVICE_CDROM} * bus = VIR_DOMAIN_DISK_BUS_IDE diff --git a/tests/vmx2xmldata/vmx2xml-scsi-buslogic.vmx b/tests/vmx2xmldata/vmx2xml-scsi-buslogic.vmx deleted file mode 100644 index 1725051..0000000 --- a/tests/vmx2xmldata/vmx2xml-scsi-buslogic.vmx +++ /dev/null @@ -1,7 +0,0 @@ -config.version = "8" -virtualHW.version = "4" -scsi0.present = "true" -scsi0.virtualDev = "buslogic" -scsi0:0.present = "true" -scsi0:0.deviceType = "scsi-hardDisk" -scsi0:0.fileName = "harddisk.vmdk" diff --git a/tests/vmx2xmldata/vmx2xml-scsi-buslogic.xml b/tests/vmx2xmldata/vmx2xml-scsi-buslogic.xml deleted file mode 100644 index 2ffb866..0000000 --- a/tests/vmx2xmldata/vmx2xml-scsi-buslogic.xml +++ /dev/null @@ -1,20 +0,0 @@ -<domain type='vmware'> - <uuid>00000000-0000-0000-0000-000000000000</uuid> - <memory>32768</memory> - <currentMemory>32768</currentMemory> - <vcpu>1</vcpu> - <os> - <type arch='i686'>hvm</type> - </os> - <clock offset='utc'/> - <on_poweroff>destroy</on_poweroff> - <on_reboot>restart</on_reboot> - <on_crash>destroy</on_crash> - <devices> - <disk type='file' device='disk'> - <driver name='buslogic'/> - <source file='[datastore] directory/harddisk.vmdk'/> - <target dev='sda' bus='scsi'/> - </disk> - </devices> -</domain> diff --git a/tests/vmx2xmldata/vmx2xml-scsi-driver.vmx b/tests/vmx2xmldata/vmx2xml-scsi-driver.vmx new file mode 100644 index 0000000..cb055f6 --- /dev/null +++ b/tests/vmx2xmldata/vmx2xml-scsi-driver.vmx @@ -0,0 +1,17 @@ +config.version = "8" +virtualHW.version = "4" +scsi0.present = "true" +scsi0.virtualDev = "buslogic" +scsi1.present = "true" +scsi1.virtualDev = "lsilogic" +scsi2.present = "true" +scsi2.virtualDev = "lsisas1068" +scsi0:0.present = "true" +scsi0:0.deviceType = "scsi-hardDisk" +scsi0:0.fileName = "harddisk1.vmdk" +scsi1:0.present = "true" +scsi1:0.deviceType = "scsi-hardDisk" +scsi1:0.fileName = "harddisk2.vmdk" +scsi2:0.present = "true" +scsi2:0.deviceType = "scsi-hardDisk" +scsi2:0.fileName = "harddisk3.vmdk" diff --git a/tests/vmx2xmldata/vmx2xml-scsi-driver.xml b/tests/vmx2xmldata/vmx2xml-scsi-driver.xml new file mode 100644 index 0000000..1fa9ac4 --- /dev/null +++ b/tests/vmx2xmldata/vmx2xml-scsi-driver.xml @@ -0,0 +1,30 @@ +<domain type='vmware'> + <uuid>00000000-0000-0000-0000-000000000000</uuid> + <memory>32768</memory> + <currentMemory>32768</currentMemory> + <vcpu>1</vcpu> + <os> + <type arch='i686'>hvm</type> + </os> + <clock offset='utc'/> + <on_poweroff>destroy</on_poweroff> + <on_reboot>restart</on_reboot> + <on_crash>destroy</on_crash> + <devices> + <disk type='file' device='disk'> + <driver name='buslogic'/> + <source file='[datastore] directory/harddisk1.vmdk'/> + <target dev='sda' bus='scsi'/> + </disk> + <disk type='file' device='disk'> + <driver name='lsilogic'/> + <source file='[datastore] directory/harddisk2.vmdk'/> + <target dev='sdp' bus='scsi'/> + </disk> + <disk type='file' device='disk'> + <driver name='lsisas1068'/> + <source file='[datastore] directory/harddisk3.vmdk'/> + <target dev='sdae' bus='scsi'/> + </disk> + </devices> +</domain> diff --git a/tests/vmx2xmltest.c b/tests/vmx2xmltest.c index b4eb5d5..e75def4 100644 --- a/tests/vmx2xmltest.c +++ b/tests/vmx2xmltest.c @@ -122,7 +122,7 @@ mymain(int argc, char **argv) DO_TEST("graphics-vnc", "graphics-vnc", esxVI_APIVersion_25); - DO_TEST("scsi-buslogic", "scsi-buslogic", esxVI_APIVersion_25); + DO_TEST("scsi-driver", "scsi-driver", esxVI_APIVersion_25); DO_TEST("scsi-writethrough", "scsi-writethrough", esxVI_APIVersion_25); DO_TEST("harddisk-scsi-file", "harddisk-scsi-file", esxVI_APIVersion_25); diff --git a/tests/xml2vmxdata/xml2vmx-scsi-buslogic.vmx b/tests/xml2vmxdata/xml2vmx-scsi-buslogic.vmx deleted file mode 100644 index 2f98da3..0000000 --- a/tests/xml2vmxdata/xml2vmx-scsi-buslogic.vmx +++ /dev/null @@ -1,12 +0,0 @@ -config.version = "8" -virtualHW.version = "4" -guestOS = "other" -uuid.bios = "56 4d 9b ef ac d9 b4 e0-c8 f0 ae a8 b9 10 35 15" -displayName = "scsi-buslogic" -memsize = "4" -numvcpus = "1" -scsi0.present = "true" -scsi0.virtualDev = "buslogic" -scsi0:0.present = "true" -scsi0:0.deviceType = "scsi-hardDisk" -scsi0:0.fileName = "/vmfs/volumes/datastore/directory/harddisk.vmdk" diff --git a/tests/xml2vmxdata/xml2vmx-scsi-buslogic.xml b/tests/xml2vmxdata/xml2vmx-scsi-buslogic.xml deleted file mode 100644 index 5d52c54..0000000 --- a/tests/xml2vmxdata/xml2vmx-scsi-buslogic.xml +++ /dev/null @@ -1,15 +0,0 @@ -<domain type='vmware'> - <name>scsi-buslogic</name> - <uuid>564d9bef-acd9-b4e0-c8f0-aea8b9103515</uuid> - <memory>4096</memory> - <os> - <type>hvm</type> - </os> - <devices> - <disk type='file' device='disk'> - <driver name='buslogic'/> - <source file='[datastore] directory/harddisk.vmdk'/> - <target dev='sda' bus='scsi'/> - </disk> - </devices> -</domain> diff --git a/tests/xml2vmxdata/xml2vmx-scsi-driver.vmx b/tests/xml2vmxdata/xml2vmx-scsi-driver.vmx new file mode 100644 index 0000000..7cceca0 --- /dev/null +++ b/tests/xml2vmxdata/xml2vmx-scsi-driver.vmx @@ -0,0 +1,22 @@ +config.version = "8" +virtualHW.version = "4" +guestOS = "other" +uuid.bios = "56 4d 9b ef ac d9 b4 e0-c8 f0 ae a8 b9 10 35 15" +displayName = "scsi-buslogic" +memsize = "4" +numvcpus = "1" +scsi0.present = "true" +scsi0.virtualDev = "buslogic" +scsi1.present = "true" +scsi1.virtualDev = "lsilogic" +scsi2.present = "true" +scsi2.virtualDev = "lsisas1068" +scsi0:0.present = "true" +scsi0:0.deviceType = "scsi-hardDisk" +scsi0:0.fileName = "/vmfs/volumes/datastore/directory/harddisk1.vmdk" +scsi1:0.present = "true" +scsi1:0.deviceType = "scsi-hardDisk" +scsi1:0.fileName = "/vmfs/volumes/datastore/directory/harddisk2.vmdk" +scsi2:0.present = "true" +scsi2:0.deviceType = "scsi-hardDisk" +scsi2:0.fileName = "/vmfs/volumes/datastore/directory/harddisk3.vmdk" diff --git a/tests/xml2vmxdata/xml2vmx-scsi-driver.xml b/tests/xml2vmxdata/xml2vmx-scsi-driver.xml new file mode 100644 index 0000000..797a26e --- /dev/null +++ b/tests/xml2vmxdata/xml2vmx-scsi-driver.xml @@ -0,0 +1,25 @@ +<domain type='vmware'> + <name>scsi-buslogic</name> + <uuid>564d9bef-acd9-b4e0-c8f0-aea8b9103515</uuid> + <memory>4096</memory> + <os> + <type>hvm</type> + </os> + <devices> + <disk type='file' device='disk'> + <driver name='buslogic'/> + <source file='[datastore] directory/harddisk1.vmdk'/> + <target dev='sda' bus='scsi'/> + </disk> + <disk type='file' device='disk'> + <driver name='lsilogic'/> + <source file='[datastore] directory/harddisk2.vmdk'/> + <target dev='sdp' bus='scsi'/> + </disk> + <disk type='file' device='disk'> + <driver name='lsisas1068'/> + <source file='[datastore] directory/harddisk3.vmdk'/> + <target dev='sdae' bus='scsi'/> + </disk> + </devices> +</domain> diff --git a/tests/xml2vmxtest.c b/tests/xml2vmxtest.c index b8b9d6f..f9c4730 100644 --- a/tests/xml2vmxtest.c +++ b/tests/xml2vmxtest.c @@ -175,7 +175,7 @@ mymain(int argc, char **argv) DO_TEST("graphics-vnc", "graphics-vnc", esxVI_APIVersion_25); - DO_TEST("scsi-buslogic", "scsi-buslogic", esxVI_APIVersion_25); + DO_TEST("scsi-driver", "scsi-driver", esxVI_APIVersion_25); DO_TEST("scsi-writethrough", "scsi-writethrough", esxVI_APIVersion_25); DO_TEST("harddisk-scsi-file", "harddisk-scsi-file", esxVI_APIVersion_25); -- 1.6.3.3

2 5

[libvirt] 0.7.8 schedule
by Daniel Veillard 30 Mar '10

30 Mar '10

So clearly we are a bit late we didn't freezed this week-end, hopefully we can push the last bits for the release tomorrow. I would be tempted to actually name the release 0.8.0 if we get the snapshot API in (which I expect), then start freeze on Wed, and make the official release early next week. There is still a few things to clean up left and right, some patches for bug fixes need ACKs, so I still expect some work before being able to declare the new release ready ! Daniel -- Daniel Veillard | libxml Gnome XML XSLT toolkit http://xmlsoft.org/ daniel(a)veillard.com | Rpmfind RPM search engine http://rpmfind.net/ http://veillard.com/ | virtualization library http://libvirt.org/

1 0

[libvirt] [PATCH] nwfilter_ebiptables_driver.c: avoid NULL dereference
by Jim Meyering 30 Mar '10

30 Mar '10

Another one caught by clang: Note the first test to see if "inst" may be NULL. Then, in the following loop, "inst" is unconditionally dereferenced via "inst[i]". There are other unprotected used of "inst[i]" below, too. Rather than trying to protect all uses, one by one, I chose to return "success" when given an empty list of rules. In addition, not only does it appear to be possible to call this function with a NULL "inst" pointer, but it may even be undefined. At least one caller is virNWFilterInstantiate, where "inst" maps to the caller's "ptrs" variable. There, ptrs is initialized (or not, in some cases) by virNWFilterRuleInstancesToArray. Fortunately, at least this one caller (virNWFilterRuleInstancesToArray) does initialize "ptrs" to NULL, so in actuality, it cannot currently be used undefined. But the fact that a function like virNWFilterRuleInstancesToArray can return "successfully" without defining that output parameter is a little risky. >From f2d1a49095ed6f7caa3d5ee67409ac561c55ba77 Mon Sep 17 00:00:00 2001 From: Jim Meyering <meyering(a)redhat.com> Date: Mon, 29 Mar 2010 18:27:26 +0200 Subject: [PATCH] nwfilter_ebiptables_driver.c: avoid NULL dereference * src/nwfilter/nwfilter_ebiptables_driver.c (ebiptablesApplyNewRules): Don't dereference a NULL or uninitialized pointer when given an empty list of rules --- src/nwfilter/nwfilter_ebiptables_driver.c | 7 ++++--- 1 files changed, 4 insertions(+), 3 deletions(-) diff --git a/src/nwfilter/nwfilter_ebiptables_driver.c b/src/nwfilter/nwfilter_ebiptables_driver.c index 7871926..3932b44 100644 --- a/src/nwfilter/nwfilter_ebiptables_driver.c +++ b/src/nwfilter/nwfilter_ebiptables_driver.c @@ -2378,31 +2378,32 @@ ebiptablesRuleOrderSort(const void *a, const void *b) static int ebiptablesApplyNewRules(virConnectPtr conn, const char *ifname, int nruleInstances, void **_inst) { int i; int cli_status; ebiptablesRuleInstPtr *inst = (ebiptablesRuleInstPtr *)_inst; int chains_in = 0, chains_out = 0; virBuffer buf = VIR_BUFFER_INITIALIZER; int haveIptables = 0; - if (inst) - qsort(inst, nruleInstances, sizeof(inst[0]), - ebiptablesRuleOrderSort); + if (nruleInstances == 0 || inst == NULL) + return 0; + + qsort(inst, nruleInstances, sizeof(inst[0]), ebiptablesRuleOrderSort); for (i = 0; i < nruleInstances; i++) { if (inst[i]->ruleType == RT_EBTABLES) { if (inst[i]->chainprefix == CHAINPREFIX_HOST_IN_TEMP) chains_in |= (1 << inst[i]->neededProtocolChain); else chains_out |= (1 << inst[i]->neededProtocolChain); } } ebtablesUnlinkTmpRootChain(conn, &buf, 1, ifname); ebtablesUnlinkTmpRootChain(conn, &buf, 0, ifname); ebtablesRemoveTmpSubChains(conn, &buf, ifname); ebtablesRemoveTmpRootChain(conn, &buf, 1, ifname); -- 1.7.0.3.448.g82eeb

4 7

[libvirt] [PATCH] Make int-overflow test case pass
by Stefan Berger 30 Mar '10

30 Mar '10

This fix makes the int-overflow test case pass. Signed-off-by: Stefan Berger <stefanb(a)us.ibm.com> Index: libvirt/tests/int-overflow =================================================================== --- libvirt.orig/tests/int-overflow +++ libvirt/tests/int-overflow @@ -14,6 +14,7 @@ fi . "$srcdir/test-lib.sh" echo "error: failed to get domain '4294967298'" > exp || fail=1 +echo "error: Failed to start the nwfilter driver: Is the daemon running ?" >> exp || fail=1 echo domname 4294967298 | $abs_top_builddir/tools/virsh --quiet \ --connect test://$abs_top_srcdir/examples/xml/test/testnode.xml \ > /dev/null 2> err || fail=1

3 4

[libvirt] [PATCH v4 00/15] Network filtering (ACL) extensions for libvirt
by Stefan Berger 30 Mar '10

30 Mar '10

Hi! This is a repost of this set of patches with some of the suggested fixes applied and ipv6 support on the ebtables layer added. Between V3 and V4 of this patch series the following changes were made: - occurrences of typo 'scp' were changed to 'sctp' - the root ebtables chain for each interface now has the previx of 'libvirt-' - additional calls into tear-down functions in case something goes wrong while starting the qemu/kvm VM in 2nd level error paths - additional functions in the driver interface to split up the application of firewall rules into - creation of new firewall rules 'tree' - switch-over to new firewall rules 'tree', tear down of old one and renaming of new firewall 'tree' - tear down of new firewall rules 'tree' in case an error happend during update of several VMs. - additional patch with example filters The following set of patches add network filtering (ACL) extensions to libvirt and enable network traffic filtering for VMs using ebtables and, depending on the networking technology being used (tap, but not macvtap), also iptables. Usage of either is optional and controlled through filters that a VM is referencing. The ebtables-level filtering is based on the XML derived from the CIM network slide 10 (filtering) from the DMTF website (http://www.dmtf.org/standards/cim/cim_schema_v2230/CIM_Network.pdf) The XML we derived from this was discussed on the list before. On the ebtables level we currently handle filtering of IPv4 and ARP traffic. The iptables-level filtering is based on similar XML where XML nodes described the particular protocol to filter for. Its extensions enable the filtering of traffic using iptables for tcp, udp, icmp, igmp, sctp and 'all' types of traffic. This list of protocols maps to the features supported by iptables and only excludes protocols like 'esp', 'ah' and 'udplite'. Currently only bridging mode is supported and based on availability of the physdev match. The filtering framework adds new libvirt virsh commands for managing the filters. The 5 new commands are: - virsh nwfilter-list - virsh nwfilter-dumpxml <name of filter> - virsh nwfilter-define <name of file containing filter desc.> - virsh nwfilter-undefine <name of filter> - virsh nwfilter-edit <name of filter> Above commands are similar to commands for already existing pools and as such much of the code directly related to the above commands could be borrowed from other drivers. The network filters can either contain rules using the above mentioned XML or contain references to other filters in order to build more complex filters that form some sort of filter tree or can contain both. An example for a filter referencing other filters would be this one here: <filter name='demofilter4' chain='root'> <uuid>66f62d1d-34c1-1421-824f-c62d5ee5e8b6</uuid> <filterref filter='no-mac-spoofing'/> <filterref filter='no-mac-broadcast'/> <filterref filter='no-arp-spoofing'/> <filterref filter='allow-dhcp'> <parameter name='DHCPSERVER' value='10.0.0.1'/> </filterref> <filterref filter='no-other-l2-traffic'/> <filterref filter='recv-only-vm-ipaddress'/> <filterref filter='recv-only-vm-macaddress'/> <filterref filter='l3-test'/> <filterref filter='ipv6test'/> </filter> A filter containing actual rules would look like this: <filter name='no-mac-broadcast' chain='ipv4'> <uuid>ffe2ccd6-edec-7360-1852-6b5ccb553234</uuid> <rule action='drop' direction='out' priority='500'> <mac dstmacaddr='ff:ff:ff:ff:ff:ff'/> </rule> </filter> The filter XML now also holds a priority attribute in the rule. This provides control over the ordering of the applied ebtables/iptables rules beyond their appearance in the XML. The domain XML has been extended to reference a top level filter from within each <interface> XML node. A valid reference to such a top level filter looks like this: <interface type='bridge'> <source bridge='static'/> <filterref filter='demofilter4'> <parameter name='IP' value='9.59.241.151'/> </filterref> </interface> In this XML a parameter IP is passed for instantiation of the referenced filters, that may require the availability of this parameter. In the above case the IP parameter's value describes the value of the IP address of the VM and allows to enable those filters to be instantiated that require this 'IP' variable. If a filter requires a parameter that is not provided, the VM will not start or the interface will not attach to a running VM. Any names of parameters can be provided for instantiation of filters and their names and values only need to pass a regular expression test. In a subsequent patch we will be adding capability to allow users to omit the IP parameter (only) and enable libvirt to learn the IP address of the VM and have it instantiate the filter once it knows it. While virtual machines are running, it is possible to update their filters. For that all running VMs' filter 'trees' are traversed to detect whether the updated filter is referenced by the VM. If so, its ebtables/iptable rules are applied. If one of the VMs' update fails allupdates are rolled back and the filter XML update is rejected. One comment about the instantiation of the rules: Since the XML allows to create nearly any possible combination of parameters to ebtables or iptables commands, I haven't used the ebtables or iptables wrappers. Instead, I am writing ebtables/iptables command into a buffer, add command line options to each one of them as described in the rule's XML, write the buffer into a file and run it as a script. For those commands that are not allowed to fail I am using the following format to run them: cmd="ebtables <some options>" r=`${cmd}` if [ $? -ne 0 ]; then echo "Failure in command ${cmd}." exit 1 fi cmd="..." [...] If one of the command fails in such a batch, the libvirt code is going pick up the error code '1', tear down anything previously established and report an error back. The actual error message shown above is currently not reported back, but can be later on with some changes to the commands running external programs that need to read the script's stdout. One comment to patch 14: It currently #include's a .c file into a .c file only for the reason so I don't have to change too much code once I change code in the underlying patch. So this has to be changed. The patch series works without patch 13, but then only supports ebtables. The patches apply to the current tip. They pass 'make syntax-check' and have been frequently run in valgrind for memory leak checks. Looking forward to your feedback on the patches. Thanks and regards, Stefan and Gerhard

3 21

[libvirt] [PATCH] nwfilter_conf.c: don't test an uninitialized local variable
by Jim Meyering 30 Mar '10

30 Mar '10

I've just run the code through clang, and it spotted a few new problems. Here's one: >From 4c848787c8268e37db9a1d0754b8fcd8e5774f73 Mon Sep 17 00:00:00 2001 From: Jim Meyering <meyering(a)redhat.com> Date: Mon, 29 Mar 2010 17:34:32 +0200 Subject: [PATCH] nwfilter_conf.c: don't test an uninitialized local variable * src/conf/nwfilter_conf.c (virNWIPAddressFormat): Do not use "i" uninitialized. --- src/conf/nwfilter_conf.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/src/conf/nwfilter_conf.c b/src/conf/nwfilter_conf.c index e82aae6..f673e69 100644 --- a/src/conf/nwfilter_conf.c +++ b/src/conf/nwfilter_conf.c @@ -2423,7 +2423,7 @@ virNWIPAddressFormat(virBufferPtr buf, nwIPAddressPtr ipaddr) ipaddr->addr.ipv4Addr[2], ipaddr->addr.ipv4Addr[3]); } else { - int i; + unsigned int i = 0; int dcshown = 0, in_dc = 0; unsigned short n; while (i < 8) { -- 1.7.0.3.448.g82eeb

3 2

[libvirt] [PATCH] Fix 'make check' runs due to usage of conn parameter in error reporting
by Stefan Berger 30 Mar '10

30 Mar '10

This patch fixes the 'make check' runs for me which, under certain circumstances and login configurations, did invoke popups requesting authentication. I removed the parameter conn from being passed into the error reporting function. Signed-off-by; Stefan Berger <stefanb(a)us.ibm.com> --- src/conf/nwfilter_conf.c | 15 ++++++--------- src/conf/nwfilter_conf.h | 3 ++- 2 files changed, 8 insertions(+), 10 deletions(-) Index: libvirt/src/conf/nwfilter_conf.c =================================================================== --- libvirt.orig/src/conf/nwfilter_conf.c +++ libvirt/src/conf/nwfilter_conf.c @@ -44,9 +44,6 @@ #define VIR_FROM_THIS VIR_FROM_NWFILTER -#define virNWFilterError(conn, code, fmt...) \ - virReportErrorHelper(conn, VIR_FROM_NWFILTER, code, __FILE__,\ - __FUNCTION__, __LINE__, fmt) VIR_ENUM_IMPL(virNWFilterRuleAction, VIR_NWFILTER_RULE_ACTION_LAST, "drop", @@ -2248,9 +2245,9 @@ virNWFilterPoolObjLoad(virConnectPtr con } if (!virFileMatchesNameSuffix(file, def->name, ".xml")) { - virNWFilterError(conn, VIR_ERR_INVALID_NWFILTER, - "NWFilter pool config filename '%s' does not match pool name '%s'", - path, def->name); + virNWFilterReportError(conn, VIR_ERR_INVALID_NWFILTER, + _("network filter pool config filename '%s' does not match pool name '%s'"), + path, def->name); virNWFilterDefFree(def); return NULL; } @@ -2300,9 +2297,9 @@ virNWFilterPoolLoadAllConfigs(virConnect if (virFileBuildPath(configDir, entry->d_name, NULL, path, PATH_MAX) < 0) { - virNWFilterError(conn, VIR_ERR_INTERNAL_ERROR, - "Config filename '%s/%s' is too long", - configDir, entry->d_name); + virNWFilterReportError(conn, VIR_ERR_INTERNAL_ERROR, + _("config filename '%s/%s' is too long"), + configDir, entry->d_name); continue; } Index: libvirt/src/conf/nwfilter_conf.h =================================================================== --- libvirt.orig/src/conf/nwfilter_conf.h +++ libvirt/src/conf/nwfilter_conf.h @@ -523,7 +523,8 @@ int virNWFilterParamConfLayerInit(void); void virNWFilterParamConfLayerShutdown(void); # define virNWFilterReportError(conn, code, fmt...) \ - virReportErrorHelper(conn, VIR_FROM_NWFILTER, code, __FILE__, \ + (void)conn; \ + virReportErrorHelper(NULL, VIR_FROM_NWFILTER, code, __FILE__, \ __FUNCTION__, __LINE__, fmt)

1 0