September 2010 - Devel - libvirt List Archives

[libvirt] [PATCH] virtualbox: fix a typo in the expected location on mac os x
by Justin Clift 28 Sep '10

28 Sep '10

Mac OS X provides an "/Applications" folder, not an "/Application" folder, so installed VirtualBox wasn't being detected by default. This 1 character patch fixes this. --- Pushed this under the "trivial" rule. It really is fixing someones typo. :) configure.ac | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/configure.ac b/configure.ac index 6100610..0403d1c 100644 --- a/configure.ac +++ b/configure.ac @@ -340,7 +340,7 @@ if test "x$with_vbox" = "xyes" || test "x$with_vbox" = "xcheck"; then /opt/VirtualBox/amd64/VBoxXPCOMC.so \ /usr/local/lib/virtualbox/VBoxXPCOMC.so \ /usr/local/lib/VirtualBox/VBoxXPCOMC.so \ - /Application/VirtualBox.app/Contents/MacOS/VBoxXPCOMC.dylib \ + /Applications/VirtualBox.app/Contents/MacOS/VBoxXPCOMC.dylib \ ; do if test -f "$vbox"; then vbox_xpcomc_dir=`AS_DIRNAME(["$vbox"])` -- 1.7.2.3

1 0

[libvirt] nwfilter: Don't compile nwfilter driver on other systems than Linux
by Stefan Berger 28 Sep '10

28 Sep '10

Don't compile the nwfilter driver (instantiating the rules) on other systems than Linux. Signed-off-by: Stefan Berger <stefanb(a)us.ibm.com> diff --git a/configure.ac b/configure.ac index 23181dd..4cb0f50 100644 --- a/configure.ac +++ b/configure.ac @@ -1361,7 +1361,7 @@ fi AM_CONDITIONAL([WITH_SECRETS], [test "$with_secrets" = "yes"]) with_nwfilter=yes -if test "$with_libvirtd" = "no"; then +if test "$with_libvirtd" = "no" || test `uname -s` != "Linux"; then with_nwfilter=no fi if test "$with_nwfilter" = "yes" ; then

3 2

[libvirt] [PATCH] python: drop unneccesary conn assignment
by Dan Kenigsberg 28 Sep '10

28 Sep '10

Since 554d82a200289938d5639a782a9f12e3e2e968f0, conn is unused. Let's drop it - but keep the signature of the constructor for backward compatibility. --- python/libvirt-override.py | 9 --------- 1 files changed, 0 insertions(+), 9 deletions(-) diff --git a/python/libvirt-override.py b/python/libvirt-override.py index de1af2d..d544a0e 100644 --- a/python/libvirt-override.py +++ b/python/libvirt-override.py @@ -18,15 +18,6 @@ import types class libvirtError(Exception): def __init__(self, defmsg, conn=None, dom=None, net=None, pool=None, vol=None): - if dom is not None: - conn = dom._conn - elif net is not None: - conn = net._conn - elif pool is not None: - conn = pool._conn - elif vol is not None: - conn = vol._conn - # Never call virConnGetLastError(). # virGetLastError() is now thread local err = virGetLastError() -- 1.7.2.1

2 1

[libvirt] [PATCH] nwfilter: add a missing define, so libvirtd builds on macos x
by Justin Clift 28 Sep '10

28 Sep '10

The nwfilter code uses ETH_ALEN, which isn't defined on MacOS X. This is a simple workaround, to add it when missing. --- src/nwfilter/nwfilter_learnipaddr.c | 5 +++++ 1 files changed, 5 insertions(+), 0 deletions(-) diff --git a/src/nwfilter/nwfilter_learnipaddr.c b/src/nwfilter/nwfilter_learnipaddr.c index 7c94fc2..554422b 100644 --- a/src/nwfilter/nwfilter_learnipaddr.c +++ b/src/nwfilter/nwfilter_learnipaddr.c @@ -38,6 +38,11 @@ #include <net/if_arp.h> #include <intprops.h> +// Add Linux define missing from OSX +#ifndef ETH_ALEN +#define ETH_ALEN 6 /* Octets in one ethernet addr */ +#endif + #include "internal.h" #include "buf.h" -- 1.7.2.3

3 3

[libvirt] [patch 0/5] nwfilter: Support comment attribute in filter rule descriptions
by Stefan Berger 25 Sep '10

25 Sep '10

The following patch series adds support for a comment node to the XML attributes of all protocols. If possible, as for example in case of iptables, the comments are instantiated (iptables ... -m comment --comment ...). The patches do the following: - extend the parser and XML generator to parse and create XML with the comment attribute - instantiate the comment in case of ip(6)tables - extend the nwfilter.rng schema with the comment attribute - add the information to the web docs - add a test case for the XML parser/generator to be run during 'make check' Regards, Stefan

2 9

[libvirt] [PATCH] [TCK] nwfilter: test case for comment attribute
by Stefan Berger 25 Sep '10

25 Sep '10

This patch adds data for a test case for the comment attribute in the nwfilter XML. Signed-off-by: Stefan Berger <stefanb(a)us.ibm.com> --- scripts/nwfilter/nwfilterxml2fwallout/comment-test.fwall | 71 +++++++++++++++ scripts/nwfilter/nwfilterxml2xmlin/comment-test.xml | 68 ++++++++++++++ 2 files changed, 139 insertions(+) Index: libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/comment-test.xml =================================================================== --- /dev/null +++ libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/comment-test.xml @@ -0,0 +1,68 @@ +<filter name='tck-testcase'> + <uuid>0a5288ea-612c-834a-6bbf-82a03a1a3244</uuid> + + <rule action='accept' direction='in'> + <mac protocolid='0x1234' comment='mac rule'/> + </rule> + + <rule action='accept' direction='out'> + <ip srcmacaddr='1:2:3:4:5:6' srcmacmask='ff:ff:ff:ff:ff:ff' + dstmacaddr='aa:bb:cc:dd:ee:ff' dstmacmask='ff:ff:ff:ff:ff:ff' + srcipaddr='10.1.2.3' srcipmask='255.255.255.255' + dstipaddr='10.1.2.3' dstipmask='255.255.255.255' + protocol='udp' + srcportstart='0x123' srcportend='0x234' + dstportstart='0x3456' dstportend='0x4567' + dscp='0x32' comment='ip rule'/> + </rule> + + <rule action='accept' direction='out'> + <ipv6 srcmacaddr='1:2:3:4:5:6' srcmacmask='ff:ff:ff:ff:ff:fe' + dstmacaddr='aa:bb:cc:dd:ee:ff' dstmacmask='ff:ff:ff:ff:ff:80' + srcipaddr='::10.1.2.3' srcipmask='22' + dstipaddr='::10.1.2.3' + dstipmask='ffff:ffff:ffff:ffff:ffff:ffff:ffff:8000' + protocol='tcp' + srcportstart='0x111' srcportend='400' + dstportstart='0x3333' dstportend='65535' comment='ipv6 rule'/> + </rule> + + <rule action='accept' direction='out'> + <arp srcmacaddr='1:2:3:4:5:6' srcmacmask='ff:ff:ff:ff:ff:ff' + dstmacaddr='aa:bb:cc:dd:ee:ff' dstmacmask='ff:ff:ff:ff:ff:ff' + hwtype='0x12' + protocoltype='0x56' + opcode='Request' + arpsrcmacaddr='1:2:3:4:5:6' + arpdstmacaddr='a:b:c:d:e:f' + comment='arp rule'/> + </rule> + + <rule action='accept' direction='out'> + <udp srcmacaddr='1:2:3:4:5:6' + dstipaddr='10.1.2.3' dstipmask='255.255.255.255' + dscp='0x22' + srcportstart='0x123' srcportend='400' + dstportstart='0x234' dstportend='0x444' + comment='udp rule'/> + </rule> + + <rule action='accept' direction='in'> + <tcp-ipv6 srcmacaddr='1:2:3:4:5:6' + srcipaddr='a:b:c::' srcipmask='128' + dscp='0x40' + srcportstart='0x20' srcportend='0x21' + dstportstart='0x100' dstportend='0x1111' + comment='tcp/ipv6 rule'/> + </rule> + + <rule action='accept' direction='in'> + <udp-ipv6 srcmacaddr='1:2:3:4:5:6' + srcipaddr='a:b:c::' srcipmask='128' + dscp='0x40' + srcportstart='0x20' srcportend='0x21' + dstportstart='0x100' dstportend='0x1111' + comment='`ls`;${COLUMNS};$(ls);"test";&'/> + </rule> + +</filter> Index: libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/comment-test.fwall =================================================================== --- /dev/null +++ libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/comment-test.fwall @@ -0,0 +1,71 @@ +#ebtables -t nat -L PREROUTING | grep vnet0 | grep -v "^Bridge" | grep -v "^$" +-i vnet0 -j libvirt-I-vnet0 +#ebtables -t nat -L POSTROUTING | grep vnet0 | grep -v "^Bridge" | grep -v "^$" +-o vnet0 -j libvirt-O-vnet0 +#ebtables -t nat -L libvirt-I-vnet0 | grep -v "^Bridge" | grep -v "^$" +-p IPv4 -s 1:2:3:4:5:6 -d aa:bb:cc:dd:ee:ff --ip-src 10.1.2.3 --ip-dst 10.1.2.3 --ip-tos 0x32 --ip-proto udp --ip-sport 291:564 --ip-dport 13398:17767 -j ACCEPT +-p IPv6 -s 1:2:3:4:5:6/ff:ff:ff:ff:ff:fe -d aa:bb:cc:dd:ee:80/ff:ff:ff:ff:ff:80 --ip6-src ::/ffff:fc00:: --ip6-dst ::10.1.0.0/ffff:ffff:ffff:ffff:ffff:ffff:ffff:8000 --ip6-proto tcp --ip6-sport 273:400 --ip6-dport 13107:65535 -j ACCEPT +-p ARP -s 1:2:3:4:5:6 -d aa:bb:cc:dd:ee:ff --arp-op Request --arp-htype 18 --arp-ptype 0x56 --arp-mac-src 1:2:3:4:5:6 --arp-mac-dst a:b:c:d:e:f -j ACCEPT +#ebtables -t nat -L libvirt-O-vnet0 | grep -v "^Bridge" | grep -v "^$" +-p 0x1234 -j ACCEPT +#iptables -L FI-vnet0 -n +Chain FI-vnet0 (1 references) +target prot opt source destination +RETURN udp -- 0.0.0.0/0 10.1.2.3 MAC 01:02:03:04:05:06 DSCP match 0x22/* udp rule */ udp spts:291:400 dpts:564:1092 state NEW,ESTABLISHED +#iptables -L FO-vnet0 -n +Chain FO-vnet0 (1 references) +target prot opt source destination +ACCEPT udp -- 10.1.2.3 0.0.0.0/0 DSCP match 0x22/* udp rule */ udp spts:564:1092 dpts:291:400 state ESTABLISHED +#iptables -L HI-vnet0 -n +Chain HI-vnet0 (1 references) +target prot opt source destination +ACCEPT udp -- 0.0.0.0/0 10.1.2.3 MAC 01:02:03:04:05:06 DSCP match 0x22/* udp rule */ udp spts:291:400 dpts:564:1092 +#iptables -L libvirt-host-in -n | grep HI-vnet0 | tr -s " " +HI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in vnet0 +#iptables -L libvirt-in -n | grep FI-vnet0 | tr -s " " +FI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in vnet0 +#iptables -L libvirt-in-post -n | grep vnet0 +ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in vnet0 +#iptables -L libvirt-out -n | grep vnet0 | tr -s " " +FO-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-out vnet0 +#ip6tables -L FI-vnet0 -n +Chain FI-vnet0 (1 references) +target prot opt source destination +RETURN tcp ::/0 a:b:c::/128 /* tcp/ipv6 rule */ tcp spts:256:4369 dpts:32:33 state ESTABLISHED +RETURN udp ::/0 a:b:c::/128 /* `ls`;${COLUMNS};$(ls);"test";& */ udp spts:256:4369 dpts:32:33 state ESTABLISHED +#ip6tables -L FO-vnet0 -n +Chain FO-vnet0 (1 references) +target prot opt source destination +ACCEPT tcp a:b:c::/128 ::/0 MAC 01:02:03:04:05:06 /* tcp/ipv6 rule */ tcp spts:32:33 dpts:256:4369 state NEW,ESTABLISHED +ACCEPT udp a:b:c::/128 ::/0 MAC 01:02:03:04:05:06 /* `ls`;${COLUMNS};$(ls);"test";& */ udp spts:32:33 dpts:256:4369 state NEW,ESTABLISHED +#ip6tables -L HI-vnet0 -n +Chain HI-vnet0 (1 references) +target prot opt source destination +ACCEPT tcp ::/0 a:b:c::/128 /* tcp/ipv6 rule */ tcp spts:256:4369 dpts:32:33 +ACCEPT udp ::/0 a:b:c::/128 /* `ls`;${COLUMNS};$(ls);"test";& */ udp spts:256:4369 dpts:32:33 +#ip6tables -L libvirt-host-in -n | grep vnet0 | tr -s " " +HI-vnet0 all ::/0 ::/0 [goto] PHYSDEV match --physdev-in vnet0 +#ip6tables -L libvirt-in -n | grep vnet0 | tr -s " " +FI-vnet0 all ::/0 ::/0 [goto] PHYSDEV match --physdev-in vnet0 +#ip6tables -L libvirt-in-post -n | grep vnet0 +ACCEPT all ::/0 ::/0 PHYSDEV match --physdev-in vnet0 +#ip6tables -L libvirt-out -n | grep vnet0 | tr -s " " +FO-vnet0 all ::/0 ::/0 [goto] PHYSDEV match --physdev-out vnet0 +#iptables -L libvirt-host-in -n | grep vnet0 | tr -s " " +HI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in vnet0 +#iptables -L libvirt-in -n | grep vnet0 | tr -s " " +FI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in vnet0 +#iptables -L libvirt-in-post -n | grep vnet0 +ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in vnet0 +#iptables -L libvirt-out -n | grep vnet0 | tr -s " " +FO-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-out vnet0 +#ip6tables -L INPUT -n --line-numbers | grep libvirt +1 libvirt-host-in all ::/0 ::/0 +#ip6tables -L libvirt-host-in -n | grep vnet0 | tr -s " " +HI-vnet0 all ::/0 ::/0 [goto] PHYSDEV match --physdev-in vnet0 +#ip6tables -L libvirt-in -n | grep vnet0 | tr -s " " +FI-vnet0 all ::/0 ::/0 [goto] PHYSDEV match --physdev-in vnet0 +#ip6tables -L libvirt-in-post -n | grep vnet0 +ACCEPT all ::/0 ::/0 PHYSDEV match --physdev-in vnet0 +#ip6tables -L libvirt-out -n | grep vnet0 | tr -s " " +FO-vnet0 all ::/0 ::/0 [goto] PHYSDEV match --physdev-out vnet0

1 0

[libvirt] [PATCH] nwfilter: report if ip(6)tables rules would not be effective
by Stefan Berger 25 Sep '10

25 Sep '10

The patch below reports a warning in the log if the generated ip(6)tables rules would not be effective due to the proc filesystem entries /proc/sys/net/bridge/bridge-nf-call-iptables /proc/sys/net/bridge/bridge-nf-call-ip6tables containing a '0'. The warning tells the user what to do. I am rate-limiting the warning message to appear only every 10 seconds. Signed-off-by: Stefan Berger <stefanb(a)us.ibm.com> --- src/nwfilter/nwfilter_ebiptables_driver.c | 51 ++++++++++++++++++++++++++++++ 1 file changed, 51 insertions(+) Index: libvirt-acl/src/nwfilter/nwfilter_ebiptables_driver.c =================================================================== --- libvirt-acl.orig/src/nwfilter/nwfilter_ebiptables_driver.c +++ libvirt-acl/src/nwfilter/nwfilter_ebiptables_driver.c @@ -24,6 +24,7 @@ #include <config.h> #include <sys/stat.h> +#include <fcntl.h> #include "internal.h" @@ -63,6 +64,13 @@ : "" +#define PROC_BRIDGE_NF_CALL_IPTABLES \ + "/proc/sys/net/bridge/bridge-nf-call-iptables" +#define PROC_BRIDGE_NF_CALL_IP6TABLES \ + "/proc/sys/net/bridge/bridge-nf-call-ip6tables" + +#define BRIDGE_NF_CALL_ALERT_INTERVAL 10 /* seconds */ + static char *ebtables_cmd_path; static char *iptables_cmd_path; static char *ip6tables_cmd_path; @@ -2986,6 +2994,45 @@ ebiptablesRuleOrderSort(const void *a, c } +static void +iptablesCheckBridgeNFCallEnabled(bool isIPv6) +{ + static time_t lastReport, lastReportIPv6; + const char *pathname = NULL; + char buffer[1]; + time_t now = time(NULL); + + if (isIPv6 && + (now - lastReportIPv6) > BRIDGE_NF_CALL_ALERT_INTERVAL ) { + pathname = PROC_BRIDGE_NF_CALL_IP6TABLES; + } else if (now - lastReport > BRIDGE_NF_CALL_ALERT_INTERVAL) { + pathname = PROC_BRIDGE_NF_CALL_IPTABLES; + } + + if (pathname) { + int fd = open(pathname, O_RDONLY); + if (fd >= 0) { + if (read(fd, buffer, 1) == 1) { + if (buffer[0] == '0') { + char msg[256]; + snprintf(msg, sizeof(msg), + _("To enable ip%stables filtering for the VM do " + "'echo 1 > %s'\n"), + isIPv6 ? "6" : "", + pathname); + VIR_WARN0(msg); + if (isIPv6) + lastReportIPv6 = now; + else + lastReport = now; + } + } + close(fd); + } + } +} + + static int ebiptablesApplyNewRules(virConnectPtr conn ATTRIBUTE_UNUSED, const char *ifname, @@ -3099,6 +3146,8 @@ ebiptablesApplyNewRules(virConnectPtr co if (ebiptablesExecCLI(&buf, &cli_status) || cli_status != 0) goto tear_down_tmpiptchains; + + iptablesCheckBridgeNFCallEnabled(false); } if (haveIp6tables) { @@ -3129,6 +3178,8 @@ ebiptablesApplyNewRules(virConnectPtr co if (ebiptablesExecCLI(&buf, &cli_status) || cli_status != 0) goto tear_down_tmpip6tchains; + + iptablesCheckBridgeNFCallEnabled(true); } if (chains_in != 0)

2 2

[libvirt] [PATCH] qemu: patch to support security model for filesystem type
by Harsh Prateek Bora 25 Sep '10

25 Sep '10

This patch introduces a new attribute security_model to <filesystem> tag, which can have any of the following three values: passthrough, mapped or none. This patch is based on Daniel's patch to support 9pfs qemu commandline options. Usage: <filesystem type='mount' security_model='passthrough'> <source dir='/export/to/guest'/> <target dir='mount_tag'/> </filesystem> --- docs/schemas/domain.rng | 7 +++ src/conf/domain_conf.c | 30 +++++++++++++- src/conf/domain_conf.h | 10 +++++ src/qemu/qemu_conf.c | 103 +++++++++++++++++++++++++++++++++++++++++++++++ src/qemu/qemu_conf.h | 5 ++ 5 files changed, 153 insertions(+), 2 deletions(-) diff --git a/docs/schemas/domain.rng b/docs/schemas/domain.rng index ccb8cf3..43a292d 100644 --- a/docs/schemas/domain.rng +++ b/docs/schemas/domain.rng @@ -761,6 +761,13 @@ </choice> <optional> <ref name="address"/> + <attribute name="security_model"> + <choice> + <value>passthrough</value> + <value>mapped</value> + <value>none</value> + </choice> + </attribute> </optional> </element> </define> diff --git a/src/conf/domain_conf.c b/src/conf/domain_conf.c index e05d5d7..a9881d1 100644 --- a/src/conf/domain_conf.c +++ b/src/conf/domain_conf.c @@ -161,6 +161,12 @@ VIR_ENUM_IMPL(virDomainFS, VIR_DOMAIN_FS_TYPE_LAST, "file", "template") +VIR_ENUM_IMPL(virDomainFSSecurityModel, VIR_DOMAIN_FS_SECURITY_LAST, + "passthrough", + "mapped", + "none") + + VIR_ENUM_IMPL(virDomainNet, VIR_DOMAIN_NET_TYPE_LAST, "user", "ethernet", @@ -1847,6 +1853,7 @@ virDomainFSDefParseXML(xmlNodePtr node, char *type = NULL; char *source = NULL; char *target = NULL; + char *security_model; if (VIR_ALLOC(def) < 0) { virReportOOMError(); @@ -1864,6 +1871,17 @@ virDomainFSDefParseXML(xmlNodePtr node, def->type = VIR_DOMAIN_FS_TYPE_MOUNT; } + security_model = virXMLPropString(node, "security_model"); + if (security_model) { + if ((def->security_model = virDomainFSSecurityModelTypeFromString(security_model)) < 0) { + virDomainReportError(VIR_ERR_INTERNAL_ERROR, + _("unknown security model '%s'"), security_model); + goto error; + } + } else { + def->security_model = VIR_DOMAIN_FS_SECURITY_PASSTHROUGH; + } + cur = node->children; while (cur != NULL) { if (cur->type == XML_ELEMENT_NODE) { @@ -5602,6 +5620,7 @@ virDomainFSDefFormat(virBufferPtr buf, int flags) { const char *type = virDomainFSTypeToString(def->type); + const char *sec_model = virDomainFSSecurityModelTypeToString(def->security_model); if (!type) { virDomainReportError(VIR_ERR_INTERNAL_ERROR, @@ -5609,9 +5628,16 @@ virDomainFSDefFormat(virBufferPtr buf, return -1; } + if (!sec_model) { + virDomainReportError(VIR_ERR_INTERNAL_ERROR, + _("unexpected security model %d"), def->security_model); + return -1; + } + + virBufferVSprintf(buf, - " <filesystem type='%s'>\n", - type); + " <filesystem type='%s' security_model='%s'>\n", + type, sec_model); if (def->src) { switch (def->type) { diff --git a/src/conf/domain_conf.h b/src/conf/domain_conf.h index 7195c04..6adf027 100644 --- a/src/conf/domain_conf.h +++ b/src/conf/domain_conf.h @@ -236,10 +236,20 @@ enum virDomainFSType { VIR_DOMAIN_FS_TYPE_LAST }; +/* Filesystem mount security model */ +enum virDomainFSSecurityModel { + VIR_DOMAIN_FS_SECURITY_PASSTHROUGH, + VIR_DOMAIN_FS_SECURITY_MAPPED, + VIR_DOMAIN_FS_SECURITY_NONE, + + VIR_DOMAIN_FS_SECURITY_LAST +}; + typedef struct _virDomainFSDef virDomainFSDef; typedef virDomainFSDef *virDomainFSDefPtr; struct _virDomainFSDef { int type; + int security_model; char *src; char *dst; unsigned int readonly : 1; diff --git a/src/qemu/qemu_conf.c b/src/qemu/qemu_conf.c index 7a37c70..a637dee 100644 --- a/src/qemu/qemu_conf.c +++ b/src/qemu/qemu_conf.c @@ -1212,6 +1212,8 @@ static unsigned long long qemudComputeCmdFlags(const char *help, flags |= QEMUD_CMD_FLAG_TDF; if (strstr(help, ",menu=on")) flags |= QEMUD_CMD_FLAG_BOOT_MENU; + if (strstr(help, "-fsdev")) + flags |= QEMUD_CMD_FLAG_FSDEV; /* Keep disabled till we're actually ready to turn on netdev mode * The plan is todo it in 0.13.0 QEMU, but lets wait & see... */ @@ -2008,6 +2010,11 @@ qemuAssignDeviceAliases(virDomainDefPtr def, unsigned long long qemuCmdFlags) if (!(qemuCmdFlags & QEMUD_CMD_FLAG_DEVICE)) return 0; + for (i=0; i < def->nfss ; i++) { + if (virAsprintf(&def->fss[i]->info.alias, "fs%d", i) < 0) + goto no_memory; + } + for (i = 0; i < def->nsounds ; i++) { if (virAsprintf(&def->sounds[i]->info.alias, "sound%d", i) < 0) goto no_memory; @@ -2371,6 +2378,15 @@ qemuAssignDevicePCISlots(virDomainDefPtr def, qemuDomainPCIAddressSetPtr addrs) goto error; } } + for (i = 0; i < def->nfss ; i++) { + if (def->fss[i]->info.type != VIR_DOMAIN_DEVICE_ADDRESS_TYPE_NONE) + continue; + + /* Only support VirtIO-9p-pci so far. If that changes, + * we might need to skip devices here */ + if (qemuDomainPCIAddressSetNextAddr(addrs, &def->fss[i]->info) < 0) + goto error; + } /* Network interfaces */ for (i = 0; i < def->nnets ; i++) { @@ -2761,6 +2777,70 @@ error: } +char *qemuBuildFSStr(virDomainFSDefPtr fs, + unsigned long long qemuCmdFlags ATTRIBUTE_UNUSED) +{ + virBuffer opt = VIR_BUFFER_INITIALIZER; + + if (fs->type != VIR_DOMAIN_FS_TYPE_MOUNT) { + qemuReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s", + _("only supports mount filesystem type")); + goto error; + } + + virBufferAddLit(&opt, "local"); + if (fs->security_model == VIR_DOMAIN_FS_SECURITY_PASSTHROUGH) + virBufferAddLit(&opt, ",security_model=passthrough"); + else if (fs->security_model == VIR_DOMAIN_FS_SECURITY_MAPPED) + virBufferAddLit(&opt, ",security_model=mapped"); + else if (fs->security_model == VIR_DOMAIN_FS_SECURITY_NONE) + virBufferAddLit(&opt, ",security_model=none"); + virBufferVSprintf(&opt, ",id=%s%s", QEMU_FSDEV_HOST_PREFIX, fs->info.alias); + virBufferVSprintf(&opt, ",path=%s", fs->src); + + if (virBufferError(&opt)) { + virReportOOMError(); + goto error; + } + + return virBufferContentAndReset(&opt); + +error: + virBufferFreeAndReset(&opt); + return NULL; +} + + +char * +qemuBuildFSDevStr(virDomainFSDefPtr fs) +{ + virBuffer opt = VIR_BUFFER_INITIALIZER; + + if (fs->type != VIR_DOMAIN_FS_TYPE_MOUNT) { + qemuReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s", + _("can only passthrough directories")); + goto error; + } + + virBufferAddLit(&opt, "virtio-9p-pci"); + virBufferVSprintf(&opt, ",id=%s", fs->info.alias); + virBufferVSprintf(&opt, ",fsdev=%s%s", QEMU_FSDEV_HOST_PREFIX, fs->info.alias); + virBufferVSprintf(&opt, ",mount_tag=%s", fs->dst); + qemuBuildDeviceAddressStr(&opt, &fs->info); + + if (virBufferError(&opt)) { + virReportOOMError(); + goto error; + } + + return virBufferContentAndReset(&opt); + +error: + virBufferFreeAndReset(&opt); + return NULL; +} + + char * qemuBuildControllerDevStr(virDomainControllerDefPtr def) { @@ -4377,6 +4457,29 @@ int qemudBuildCommandLine(virConnectPtr conn, } } + if (qemuCmdFlags & QEMUD_CMD_FLAG_FSDEV) { + for (i = 0 ; i < def->nfss ; i++) { + char *optstr; + virDomainFSDefPtr fs = def->fss[i]; + + ADD_ARG_LIT("-fsdev"); + if (!(optstr = qemuBuildFSStr(fs, qemuCmdFlags))) + goto error; + ADD_ARG(optstr); + + ADD_ARG_LIT("-device"); + if (!(optstr = qemuBuildFSDevStr(fs))) + goto error; + ADD_ARG(optstr); + } + } else { + if (def->nfss) { + qemuReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s", + _("filesystem passthrough not supported by this QEMU")); + goto error; + } + } + if (!def->nnets) { /* If we have -device, then we set -nodefault already */ if (!(qemuCmdFlags & QEMUD_CMD_FLAG_DEVICE)) { diff --git a/src/qemu/qemu_conf.h b/src/qemu/qemu_conf.h index 2c9e608..7005466 100644 --- a/src/qemu/qemu_conf.h +++ b/src/qemu/qemu_conf.h @@ -93,6 +93,7 @@ enum qemud_cmd_flags { QEMUD_CMD_FLAG_NODEFCONFIG = (1LL << 37), /* -nodefconfig */ QEMUD_CMD_FLAG_BOOT_MENU = (1LL << 38), /* -boot menu=on support */ QEMUD_CMD_FLAG_ENABLE_KQEMU = (1LL << 39), /* -enable-kqemu flag */ + QEMUD_CMD_FLAG_FSDEV = (1LL << 40) /* -fstype filesystem passthrough */ }; /* Main driver state */ @@ -188,6 +189,7 @@ struct _qemuDomainCmdlineDef { # define QEMU_DRIVE_HOST_PREFIX "drive-" # define QEMU_VIRTIO_SERIAL_PREFIX "virtio-serial" +# define QEMU_FSDEV_HOST_PREFIX "fsdev-" # define qemuReportError(code, ...) \ virReportErrorHelper(NULL, VIR_FROM_QEMU, code, __FILE__, \ @@ -248,9 +250,12 @@ char *qemuDeviceDriveHostAlias(virDomainDiskDefPtr disk, char *qemuBuildDriveStr(virDomainDiskDefPtr disk, int bootable, unsigned long long qemuCmdFlags); +char *qemuBuildFSStr(virDomainFSDefPtr fs, + unsigned long long qemuCmdFlags); /* Current, best practice */ char * qemuBuildDriveDevStr(virDomainDiskDefPtr disk); +char * qemuBuildFSDevStr(virDomainFSDefPtr fs); /* Current, best practice */ char * qemuBuildControllerDevStr(virDomainControllerDefPtr def); -- 1.7.1.1

3 2

[libvirt] PATCH 3/4: AppArmor updates
by Jamie Strandboge 24 Sep '10

24 Sep '10

Attached is 0003-apparmor-examples.patch -- Jamie Strandboge | http://www.canonical.com

2 7

[libvirt] Error starting VM as a root user, but works fine as a normal (non-root) user
by Harsh Bora 24 Sep '10

24 Sep '10

[harsh@harshbora libvirt]$ sudo virsh create ~/testVMs/my_vm.xml error: Failed to create domain from /home/harsh/testVMs/my_vm.xml error: internal error cannot parse /home/harsh/local/qemu/bin/qemu-system-x86_64 version number in '' [harsh@harshbora libvirt]$ virsh create ~/testVMs/my_vm.xml Domain my_vm created from /home/harsh/testVMs/my_vm.xml Anyone, help?

3 2