[libvirt] [PATCH] virtualbox: fix a typo in the expected location on mac os x
by Justin Clift
Mac OS X provides an "/Applications" folder, not an "/Application" folder,
so installed VirtualBox wasn't being detected by default.
This 1 character patch fixes this.
---
Pushed this under the "trivial" rule. It really is fixing someone's typo. :)
configure.ac | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/configure.ac b/configure.ac
index 6100610..0403d1c 100644
--- a/configure.ac
+++ b/configure.ac
@@ -340,7 +340,7 @@ if test "x$with_vbox" = "xyes" || test "x$with_vbox" = "xcheck"; then
/opt/VirtualBox/amd64/VBoxXPCOMC.so \
/usr/local/lib/virtualbox/VBoxXPCOMC.so \
/usr/local/lib/VirtualBox/VBoxXPCOMC.so \
- /Application/VirtualBox.app/Contents/MacOS/VBoxXPCOMC.dylib \
+ /Applications/VirtualBox.app/Contents/MacOS/VBoxXPCOMC.dylib \
; do
if test -f "$vbox"; then
vbox_xpcomc_dir=`AS_DIRNAME(["$vbox"])`
--
1.7.2.3
14 years, 6 months
[libvirt] nwfilter: Don't compile nwfilter driver on other systems than Linux
by Stefan Berger
Don't compile the nwfilter driver (instantiating the rules) on
systems other than Linux.
Signed-off-by: Stefan Berger <stefanb(a)us.ibm.com>
diff --git a/configure.ac b/configure.ac
index 23181dd..4cb0f50 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1361,7 +1361,7 @@ fi
AM_CONDITIONAL([WITH_SECRETS], [test "$with_secrets" = "yes"])
with_nwfilter=yes
-if test "$with_libvirtd" = "no"; then
+if test "$with_libvirtd" = "no" || test `uname -s` != "Linux"; then
with_nwfilter=no
fi
if test "$with_nwfilter" = "yes" ; then
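Review bot: The added `uname -s` clause inspects the machine that runs configure rather than the system the build targets, so a cross-build for Linux from another OS silently ends with `with_nwfilter=no` and no network filter driver. The command substitution is also unquoted, so an empty result makes `test` error out instead of comparing. I would match on the canonical host instead, e.g. `case "$host" in *-*-linux*) ;; *) with_nwfilter=no ;; esac`, which assumes AC_CANONICAL_HOST has already run in this configure.ac (not visible in the hunk). Printing a notice when the driver is switched off would make the reduced build visible to whoever packages it.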
14 years, 6 months
[libvirt] [PATCH] python: drop unneccesary conn assignment
by Dan Kenigsberg
Since 554d82a200289938d5639a782a9f12e3e2e968f0, conn is unused. Let's
drop it - but keep the signature of the constructor for backward
compatibility.
---
python/libvirt-override.py | 9 ---------
1 files changed, 0 insertions(+), 9 deletions(-)
diff --git a/python/libvirt-override.py b/python/libvirt-override.py
index de1af2d..d544a0e 100644
--- a/python/libvirt-override.py
+++ b/python/libvirt-override.py
@@ -18,15 +18,6 @@ import types
class libvirtError(Exception):
def __init__(self, defmsg, conn=None, dom=None, net=None, pool=None, vol=None):
- if dom is not None:
- conn = dom._conn
- elif net is not None:
- conn = net._conn
- elif pool is not None:
- conn = pool._conn
- elif vol is not None:
- conn = vol._conn
-
# Never call virConnGetLastError().
# virGetLastError() is now thread local
err = virGetLastError()
--
1.7.2.1
14 years, 6 months
[libvirt] [PATCH] nwfilter: add a missing define, so libvirtd builds on macos x
by Justin Clift
The nwfilter code uses ETH_ALEN, which isn't defined on MacOS X.
This is a simple workaround, to add it when missing.
---
src/nwfilter/nwfilter_learnipaddr.c | 5 +++++
1 files changed, 5 insertions(+), 0 deletions(-)
diff --git a/src/nwfilter/nwfilter_learnipaddr.c b/src/nwfilter/nwfilter_learnipaddr.c
index 7c94fc2..554422b 100644
--- a/src/nwfilter/nwfilter_learnipaddr.c
+++ b/src/nwfilter/nwfilter_learnipaddr.c
@@ -38,6 +38,11 @@
#include <net/if_arp.h>
#include <intprops.h>
+// Add Linux define missing from OSX
+#ifndef ETH_ALEN
+#define ETH_ALEN 6 /* Octets in one ethernet addr */
+#endif
+
#include "internal.h"
#include "buf.h"
--
1.7.2.3
14 years, 6 months
[libvirt] [patch 0/5] nwfilter: Support comment attribute in filter rule descriptions
by Stefan Berger
The following patch series adds support for a comment node to the XML
attributes of all protocols. If possible, as for example in case of iptables,
the comments are instantiated (iptables ... -m comment --comment ...).
The patches do the following:
- extend the parser and XML generator to parse and create XML with the
comment attribute
- instantiate the comment in case of ip(6)tables
- extend the nwfilter.rng schema with the comment attribute
- add the information to the web docs
- add a test case for the XML parser/generator to be run during 'make check'
Regards,
Stefan
14 years, 6 months
[libvirt] [PATCH] [TCK] nwfilter: test case for comment attribute
by Stefan Berger
This patch adds data for a test case for the comment attribute in the
nwfilter XML.
Signed-off-by: Stefan Berger <stefanb(a)us.ibm.com>
---
scripts/nwfilter/nwfilterxml2fwallout/comment-test.fwall | 71
+++++++++++++++
scripts/nwfilter/nwfilterxml2xmlin/comment-test.xml | 68
++++++++++++++
2 files changed, 139 insertions(+)
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/comment-test.xml
===================================================================
--- /dev/null
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/comment-test.xml
@@ -0,0 +1,68 @@
+<filter name='tck-testcase'>
+ <uuid>0a5288ea-612c-834a-6bbf-82a03a1a3244</uuid>
+
+ <rule action='accept' direction='in'>
+ <mac protocolid='0x1234' comment='mac rule'/>
+ </rule>
+
+ <rule action='accept' direction='out'>
+ <ip srcmacaddr='1:2:3:4:5:6' srcmacmask='ff:ff:ff:ff:ff:ff'
+ dstmacaddr='aa:bb:cc:dd:ee:ff' dstmacmask='ff:ff:ff:ff:ff:ff'
+ srcipaddr='10.1.2.3' srcipmask='255.255.255.255'
+ dstipaddr='10.1.2.3' dstipmask='255.255.255.255'
+ protocol='udp'
+ srcportstart='0x123' srcportend='0x234'
+ dstportstart='0x3456' dstportend='0x4567'
+ dscp='0x32' comment='ip rule'/>
+ </rule>
+
+ <rule action='accept' direction='out'>
+ <ipv6 srcmacaddr='1:2:3:4:5:6' srcmacmask='ff:ff:ff:ff:ff:fe'
+ dstmacaddr='aa:bb:cc:dd:ee:ff' dstmacmask='ff:ff:ff:ff:ff:80'
+ srcipaddr='::10.1.2.3' srcipmask='22'
+ dstipaddr='::10.1.2.3'
+ dstipmask='ffff:ffff:ffff:ffff:ffff:ffff:ffff:8000'
+ protocol='tcp'
+ srcportstart='0x111' srcportend='400'
+ dstportstart='0x3333' dstportend='65535' comment='ipv6 rule'/>
+ </rule>
+
+ <rule action='accept' direction='out'>
+ <arp srcmacaddr='1:2:3:4:5:6' srcmacmask='ff:ff:ff:ff:ff:ff'
+ dstmacaddr='aa:bb:cc:dd:ee:ff' dstmacmask='ff:ff:ff:ff:ff:ff'
+ hwtype='0x12'
+ protocoltype='0x56'
+ opcode='Request'
+ arpsrcmacaddr='1:2:3:4:5:6'
+ arpdstmacaddr='a:b:c:d:e:f'
+ comment='arp rule'/>
+ </rule>
+
+ <rule action='accept' direction='out'>
+ <udp srcmacaddr='1:2:3:4:5:6'
+ dstipaddr='10.1.2.3' dstipmask='255.255.255.255'
+ dscp='0x22'
+ srcportstart='0x123' srcportend='400'
+ dstportstart='0x234' dstportend='0x444'
+ comment='udp rule'/>
+ </rule>
+
+ <rule action='accept' direction='in'>
+ <tcp-ipv6 srcmacaddr='1:2:3:4:5:6'
+ srcipaddr='a:b:c::' srcipmask='128'
+ dscp='0x40'
+ srcportstart='0x20' srcportend='0x21'
+ dstportstart='0x100' dstportend='0x1111'
+ comment='tcp/ipv6 rule'/>
+ </rule>
+
+ <rule action='accept' direction='in'>
+ <udp-ipv6 srcmacaddr='1:2:3:4:5:6'
+ srcipaddr='a:b:c::' srcipmask='128'
+ dscp='0x40'
+ srcportstart='0x20' srcportend='0x21'
+ dstportstart='0x100' dstportend='0x1111'
+ comment='`ls`;${COLUMNS};$(ls);"test";&'/>
+ </rule>
+
+</filter>
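Review bot: Only the last rule (`udp-ipv6`) carries a comment with shell metacharacters, so escaping of the comment text is exercised on the ip6tables path alone; the IPv4 `udp` rule sees nothing but the plain `udp rule`. The comment is user-supplied text that ends up in generated firewall commands, so I would put the same metacharacter string on one IPv4 rule as well and add a case containing a single quote and a backslash, which the current string leaves out. As rendered here the attribute ends in a bare `&`, which is not well-formed XML; presumably the file has `&amp;` and the archive decoded it, but that is worth confirming before applying.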
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/comment-test.fwall
===================================================================
--- /dev/null
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/comment-test.fwall
@@ -0,0 +1,71 @@
+#ebtables -t nat -L PREROUTING | grep vnet0 | grep -v "^Bridge" | grep
-v "^$"
+-i vnet0 -j libvirt-I-vnet0
+#ebtables -t nat -L POSTROUTING | grep vnet0 | grep -v "^Bridge" | grep
-v "^$"
+-o vnet0 -j libvirt-O-vnet0
+#ebtables -t nat -L libvirt-I-vnet0 | grep -v "^Bridge" | grep -v "^$"
+-p IPv4 -s 1:2:3:4:5:6 -d aa:bb:cc:dd:ee:ff --ip-src 10.1.2.3 --ip-dst
10.1.2.3 --ip-tos 0x32 --ip-proto udp --ip-sport 291:564 --ip-dport
13398:17767 -j ACCEPT
+-p IPv6 -s 1:2:3:4:5:6/ff:ff:ff:ff:ff:fe -d
aa:bb:cc:dd:ee:80/ff:ff:ff:ff:ff:80 --ip6-src ::/ffff:fc00:: --ip6-dst
::10.1.0.0/ffff:ffff:ffff:ffff:ffff:ffff:ffff:8000 --ip6-proto tcp
--ip6-sport 273:400 --ip6-dport 13107:65535 -j ACCEPT
+-p ARP -s 1:2:3:4:5:6 -d aa:bb:cc:dd:ee:ff --arp-op Request --arp-htype
18 --arp-ptype 0x56 --arp-mac-src 1:2:3:4:5:6 --arp-mac-dst a:b:c:d:e:f
-j ACCEPT
+#ebtables -t nat -L libvirt-O-vnet0 | grep -v "^Bridge" | grep -v "^$"
+-p 0x1234 -j ACCEPT
+#iptables -L FI-vnet0 -n
+Chain FI-vnet0 (1 references)
+target prot opt source destination
+RETURN udp -- 0.0.0.0/0 10.1.2.3 MAC
01:02:03:04:05:06 DSCP match 0x22/* udp rule */ udp spts:291:400
dpts:564:1092 state NEW,ESTABLISHED
+#iptables -L FO-vnet0 -n
+Chain FO-vnet0 (1 references)
+target prot opt source destination
+ACCEPT udp -- 10.1.2.3 0.0.0.0/0 DSCP match
0x22/* udp rule */ udp spts:564:1092 dpts:291:400 state ESTABLISHED
+#iptables -L HI-vnet0 -n
+Chain HI-vnet0 (1 references)
+target prot opt source destination
+ACCEPT udp -- 0.0.0.0/0 10.1.2.3 MAC
01:02:03:04:05:06 DSCP match 0x22/* udp rule */ udp spts:291:400
dpts:564:1092
+#iptables -L libvirt-host-in -n | grep HI-vnet0 | tr -s " "
+HI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in
vnet0
+#iptables -L libvirt-in -n | grep FI-vnet0 | tr -s " "
+FI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in
vnet0
+#iptables -L libvirt-in-post -n | grep vnet0
+ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV
match --physdev-in vnet0
+#iptables -L libvirt-out -n | grep vnet0 | tr -s " "
+FO-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-out
vnet0
+#ip6tables -L FI-vnet0 -n
+Chain FI-vnet0 (1 references)
+target prot opt source destination
+RETURN tcp ::/0 a:b:c::/128 /*
tcp/ipv6 rule */ tcp spts:256:4369 dpts:32:33 state ESTABLISHED
+RETURN udp ::/0 a:b:c::/128 /*
`ls`;${COLUMNS};$(ls);"test";& */ udp spts:256:4369 dpts:32:33 state
ESTABLISHED
+#ip6tables -L FO-vnet0 -n
+Chain FO-vnet0 (1 references)
+target prot opt source destination
+ACCEPT tcp a:b:c::/128 ::/0 MAC
01:02:03:04:05:06 /* tcp/ipv6 rule */ tcp spts:32:33 dpts:256:4369 state
NEW,ESTABLISHED
+ACCEPT udp a:b:c::/128 ::/0 MAC
01:02:03:04:05:06 /* `ls`;${COLUMNS};$(ls);"test";& */ udp spts:32:33
dpts:256:4369 state NEW,ESTABLISHED
+#ip6tables -L HI-vnet0 -n
+Chain HI-vnet0 (1 references)
+target prot opt source destination
+ACCEPT tcp ::/0 a:b:c::/128 /*
tcp/ipv6 rule */ tcp spts:256:4369 dpts:32:33
+ACCEPT udp ::/0 a:b:c::/128 /*
`ls`;${COLUMNS};$(ls);"test";& */ udp spts:256:4369 dpts:32:33
+#ip6tables -L libvirt-host-in -n | grep vnet0 | tr -s " "
+HI-vnet0 all ::/0 ::/0 [goto] PHYSDEV match --physdev-in vnet0
+#ip6tables -L libvirt-in -n | grep vnet0 | tr -s " "
+FI-vnet0 all ::/0 ::/0 [goto] PHYSDEV match --physdev-in vnet0
+#ip6tables -L libvirt-in-post -n | grep vnet0
+ACCEPT all ::/0 ::/0 PHYSDEV
match --physdev-in vnet0
+#ip6tables -L libvirt-out -n | grep vnet0 | tr -s " "
+FO-vnet0 all ::/0 ::/0 [goto] PHYSDEV match --physdev-out vnet0
+#iptables -L libvirt-host-in -n | grep vnet0 | tr -s " "
+HI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in
vnet0
+#iptables -L libvirt-in -n | grep vnet0 | tr -s " "
+FI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in
vnet0
+#iptables -L libvirt-in-post -n | grep vnet0
+ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV
match --physdev-in vnet0
+#iptables -L libvirt-out -n | grep vnet0 | tr -s " "
+FO-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-out
vnet0
+#ip6tables -L INPUT -n --line-numbers | grep libvirt
+1 libvirt-host-in all ::/0 ::/0
+#ip6tables -L libvirt-host-in -n | grep vnet0 | tr -s " "
+HI-vnet0 all ::/0 ::/0 [goto] PHYSDEV match --physdev-in vnet0
+#ip6tables -L libvirt-in -n | grep vnet0 | tr -s " "
+FI-vnet0 all ::/0 ::/0 [goto] PHYSDEV match --physdev-in vnet0
+#ip6tables -L libvirt-in-post -n | grep vnet0
+ACCEPT all ::/0 ::/0 PHYSDEV
match --physdev-in vnet0
+#ip6tables -L libvirt-out -n | grep vnet0 | tr -s " "
+FO-vnet0 all ::/0 ::/0 [goto] PHYSDEV match --physdev-out vnet0
14 years, 6 months
[libvirt] [PATCH] nwfilter: report if ip(6)tables rules would not be effective
by Stefan Berger
The patch below reports a warning in the log if the generated
ip(6)tables rules would not be effective due to the proc filesystem entries
/proc/sys/net/bridge/bridge-nf-call-iptables
/proc/sys/net/bridge/bridge-nf-call-ip6tables
containing a '0'. The warning tells the user what to do. I am
rate-limiting the warning message to appear only every 10 seconds.
Signed-off-by: Stefan Berger <stefanb(a)us.ibm.com>
---
src/nwfilter/nwfilter_ebiptables_driver.c | 51
++++++++++++++++++++++++++++++
1 file changed, 51 insertions(+)
Index: libvirt-acl/src/nwfilter/nwfilter_ebiptables_driver.c
===================================================================
--- libvirt-acl.orig/src/nwfilter/nwfilter_ebiptables_driver.c
+++ libvirt-acl/src/nwfilter/nwfilter_ebiptables_driver.c
@@ -24,6 +24,7 @@
#include <config.h>
#include <sys/stat.h>
+#include <fcntl.h>
#include "internal.h"
@@ -63,6 +64,13 @@
: ""
+#define PROC_BRIDGE_NF_CALL_IPTABLES \
+ "/proc/sys/net/bridge/bridge-nf-call-iptables"
+#define PROC_BRIDGE_NF_CALL_IP6TABLES \
+ "/proc/sys/net/bridge/bridge-nf-call-ip6tables"
+
+#define BRIDGE_NF_CALL_ALERT_INTERVAL 10 /* seconds */
+
static char *ebtables_cmd_path;
static char *iptables_cmd_path;
static char *ip6tables_cmd_path;
@@ -2986,6 +2994,45 @@ ebiptablesRuleOrderSort(const void *a, c
}
+static void
+iptablesCheckBridgeNFCallEnabled(bool isIPv6)
+{
+ static time_t lastReport, lastReportIPv6;
+ const char *pathname = NULL;
+ char buffer[1];
+ time_t now = time(NULL);
+
+ if (isIPv6 &&
+ (now - lastReportIPv6) > BRIDGE_NF_CALL_ALERT_INTERVAL ) {
+ pathname = PROC_BRIDGE_NF_CALL_IP6TABLES;
+ } else if (now - lastReport > BRIDGE_NF_CALL_ALERT_INTERVAL) {
+ pathname = PROC_BRIDGE_NF_CALL_IPTABLES;
+ }
+
+ if (pathname) {
+ int fd = open(pathname, O_RDONLY);
+ if (fd >= 0) {
+ if (read(fd, buffer, 1) == 1) {
+ if (buffer[0] == '0') {
+ char msg[256];
+ snprintf(msg, sizeof(msg),
+ _("To enable ip%stables filtering for the
VM do "
+ "'echo 1 > %s'\n"),
+ isIPv6 ? "6" : "",
+ pathname);
+ VIR_WARN0(msg);
+ if (isIPv6)
+ lastReportIPv6 = now;
+ else
+ lastReport = now;
+ }
+ }
+ close(fd);
+ }
+ }
+}
+
+
static int
ebiptablesApplyNewRules(virConnectPtr conn ATTRIBUTE_UNUSED,
const char *ifname,
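Review bot: In iptablesCheckBridgeNFCallEnabled the `else if` branch is also taken when `isIPv6` is true but the IPv6 interval has not yet elapsed, so the function then reads the IPv4 proc entry, prints a message saying `ip6tables` together with the iptables path, and updates `lastReportIPv6`. The second condition should be `} else if (!isIPv6 && (now - lastReport) > BRIDGE_NF_CALL_ALERT_INTERVAL) {`. The two `static time_t` stamps are read and written with no lock visible in the hunk; if ebiptablesApplyNewRules can run on several threads that is a data race, so confirm the caller serialises it. A failed `open()` is ignored without a trace, which hides the case where the proc entries are absent; a debug-level log there would help. The new function is complete within this hunk, while ebiptablesApplyNewRules continues outside it.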
@@ -3099,6 +3146,8 @@ ebiptablesApplyNewRules(virConnectPtr co
if (ebiptablesExecCLI(&buf, &cli_status) || cli_status != 0)
goto tear_down_tmpiptchains;
+
+ iptablesCheckBridgeNFCallEnabled(false);
}
if (haveIp6tables) {
@@ -3129,6 +3178,8 @@ ebiptablesApplyNewRules(virConnectPtr co
if (ebiptablesExecCLI(&buf, &cli_status) || cli_status != 0)
goto tear_down_tmpip6tchains;
+
+ iptablesCheckBridgeNFCallEnabled(true);
}
if (chains_in != 0)
14 years, 6 months
[libvirt] [PATCH] qemu: patch to support security model for filesystem type
by Harsh Prateek Bora
This patch introduces a new attribute security_model to <filesystem>
tag, which can have any of the following three values: passthrough,
mapped or none. This patch is based on Daniel's patch to support 9pfs
qemu commandline options.
Usage:
<filesystem type='mount' security_model='passthrough'>
<source dir='/export/to/guest'/>
<target dir='mount_tag'/>
</filesystem>
---
docs/schemas/domain.rng | 7 +++
src/conf/domain_conf.c | 30 +++++++++++++-
src/conf/domain_conf.h | 10 +++++
src/qemu/qemu_conf.c | 103 +++++++++++++++++++++++++++++++++++++++++++++++
src/qemu/qemu_conf.h | 5 ++
5 files changed, 153 insertions(+), 2 deletions(-)
diff --git a/docs/schemas/domain.rng b/docs/schemas/domain.rng
index ccb8cf3..43a292d 100644
--- a/docs/schemas/domain.rng
+++ b/docs/schemas/domain.rng
@@ -761,6 +761,13 @@
</choice>
<optional>
<ref name="address"/>
+ <attribute name="security_model">
+ <choice>
+ <value>passthrough</value>
+ <value>mapped</value>
+ <value>none</value>
+ </choice>
+ </attribute>
</optional>
</element>
</define>
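Review bot: The new `security_model` attribute is placed inside the existing `<optional>` that wraps `<ref name="address"/>`, and in RELAX NG an `<optional>` with several children makes them optional as a group, so the attribute would be accepted only together with an address element. Because virDomainFSDefFormat in this same patch always writes `security_model`, XML produced for a filesystem without an address would then fail validation against this schema. Give the attribute its own `<optional>` wrapper, separate from the address reference. The enclosing `<element>` definition starts above the hunk, so its position relative to the other attributes should be checked there.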
diff --git a/src/conf/domain_conf.c b/src/conf/domain_conf.c
index e05d5d7..a9881d1 100644
--- a/src/conf/domain_conf.c
+++ b/src/conf/domain_conf.c
@@ -161,6 +161,12 @@ VIR_ENUM_IMPL(virDomainFS, VIR_DOMAIN_FS_TYPE_LAST,
"file",
"template")
+VIR_ENUM_IMPL(virDomainFSSecurityModel, VIR_DOMAIN_FS_SECURITY_LAST,
+ "passthrough",
+ "mapped",
+ "none")
+
+
VIR_ENUM_IMPL(virDomainNet, VIR_DOMAIN_NET_TYPE_LAST,
"user",
"ethernet",
@@ -1847,6 +1853,7 @@ virDomainFSDefParseXML(xmlNodePtr node,
char *type = NULL;
char *source = NULL;
char *target = NULL;
+ char *security_model;
if (VIR_ALLOC(def) < 0) {
virReportOOMError();
@@ -1864,6 +1871,17 @@ virDomainFSDefParseXML(xmlNodePtr node,
def->type = VIR_DOMAIN_FS_TYPE_MOUNT;
}
+ security_model = virXMLPropString(node, "security_model");
+ if (security_model) {
+ if ((def->security_model = virDomainFSSecurityModelTypeFromString(security_model)) < 0) {
+ virDomainReportError(VIR_ERR_INTERNAL_ERROR,
+ _("unknown security model '%s'"), security_model);
+ goto error;
+ }
+ } else {
+ def->security_model = VIR_DOMAIN_FS_SECURITY_PASSTHROUGH;
+ }
+
cur = node->children;
while (cur != NULL) {
if (cur->type == XML_ELEMENT_NODE) {
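Review bot: The string returned by `virXMLPropString(node, "security_model")` is never released in the visible lines, neither after the successful conversion nor before `goto error`, so each parse leaks it unless the cleanup code outside this hunk frees it. `security_model` is also declared without the `= NULL` initialiser that `type`, `source` and `target` have, which matters if the cleanup block frees it on a path that jumps there before the assignment. Declare it as `char *security_model = NULL;` and add `VIR_FREE(security_model);` next to the existing frees at the function's exit. Unknown values come from user XML, so an error code for invalid configuration would describe the failure better than `VIR_ERR_INTERNAL_ERROR`. The function's start and its cleanup labels are outside the hunk.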
@@ -5602,6 +5620,7 @@ virDomainFSDefFormat(virBufferPtr buf,
int flags)
{
const char *type = virDomainFSTypeToString(def->type);
+ const char *sec_model = virDomainFSSecurityModelTypeToString(def->security_model);
if (!type) {
virDomainReportError(VIR_ERR_INTERNAL_ERROR,
@@ -5609,9 +5628,16 @@ virDomainFSDefFormat(virBufferPtr buf,
return -1;
}
+ if (!sec_model) {
+ virDomainReportError(VIR_ERR_INTERNAL_ERROR,
+ _("unexpected security model %d"), def->security_model);
+ return -1;
+ }
+
+
virBufferVSprintf(buf,
- " <filesystem type='%s'>\n",
- type);
+ " <filesystem type='%s' security_model='%s'>\n",
+ type, sec_model);
if (def->src) {
switch (def->type) {
diff --git a/src/conf/domain_conf.h b/src/conf/domain_conf.h
index 7195c04..6adf027 100644
--- a/src/conf/domain_conf.h
+++ b/src/conf/domain_conf.h
@@ -236,10 +236,20 @@ enum virDomainFSType {
VIR_DOMAIN_FS_TYPE_LAST
};
+/* Filesystem mount security model */
+enum virDomainFSSecurityModel {
+ VIR_DOMAIN_FS_SECURITY_PASSTHROUGH,
+ VIR_DOMAIN_FS_SECURITY_MAPPED,
+ VIR_DOMAIN_FS_SECURITY_NONE,
+
+ VIR_DOMAIN_FS_SECURITY_LAST
+};
+
typedef struct _virDomainFSDef virDomainFSDef;
typedef virDomainFSDef *virDomainFSDefPtr;
struct _virDomainFSDef {
int type;
+ int security_model;
char *src;
char *dst;
unsigned int readonly : 1;
diff --git a/src/qemu/qemu_conf.c b/src/qemu/qemu_conf.c
index 7a37c70..a637dee 100644
--- a/src/qemu/qemu_conf.c
+++ b/src/qemu/qemu_conf.c
@@ -1212,6 +1212,8 @@ static unsigned long long qemudComputeCmdFlags(const char *help,
flags |= QEMUD_CMD_FLAG_TDF;
if (strstr(help, ",menu=on"))
flags |= QEMUD_CMD_FLAG_BOOT_MENU;
+ if (strstr(help, "-fsdev"))
+ flags |= QEMUD_CMD_FLAG_FSDEV;
/* Keep disabled till we're actually ready to turn on netdev mode
* The plan is todo it in 0.13.0 QEMU, but lets wait & see... */
@@ -2008,6 +2010,11 @@ qemuAssignDeviceAliases(virDomainDefPtr def, unsigned long long qemuCmdFlags)
if (!(qemuCmdFlags & QEMUD_CMD_FLAG_DEVICE))
return 0;
+ for (i=0; i < def->nfss ; i++) {
+ if (virAsprintf(&def->fss[i]->info.alias, "fs%d", i) < 0)
+ goto no_memory;
+ }
+
for (i = 0; i < def->nsounds ; i++) {
if (virAsprintf(&def->sounds[i]->info.alias, "sound%d", i) < 0)
goto no_memory;
@@ -2371,6 +2378,15 @@ qemuAssignDevicePCISlots(virDomainDefPtr def, qemuDomainPCIAddressSetPtr addrs)
goto error;
}
}
+ for (i = 0; i < def->nfss ; i++) {
+ if (def->fss[i]->info.type != VIR_DOMAIN_DEVICE_ADDRESS_TYPE_NONE)
+ continue;
+
+ /* Only support VirtIO-9p-pci so far. If that changes,
+ * we might need to skip devices here */
+ if (qemuDomainPCIAddressSetNextAddr(addrs, &def->fss[i]->info) < 0)
+ goto error;
+ }
/* Network interfaces */
for (i = 0; i < def->nnets ; i++) {
@@ -2761,6 +2777,70 @@ error:
}
+char *qemuBuildFSStr(virDomainFSDefPtr fs,
+ unsigned long long qemuCmdFlags ATTRIBUTE_UNUSED)
+{
+ virBuffer opt = VIR_BUFFER_INITIALIZER;
+
+ if (fs->type != VIR_DOMAIN_FS_TYPE_MOUNT) {
+ qemuReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
+ _("only supports mount filesystem type"));
+ goto error;
+ }
+
+ virBufferAddLit(&opt, "local");
+ if (fs->security_model == VIR_DOMAIN_FS_SECURITY_PASSTHROUGH)
+ virBufferAddLit(&opt, ",security_model=passthrough");
+ else if (fs->security_model == VIR_DOMAIN_FS_SECURITY_MAPPED)
+ virBufferAddLit(&opt, ",security_model=mapped");
+ else if (fs->security_model == VIR_DOMAIN_FS_SECURITY_NONE)
+ virBufferAddLit(&opt, ",security_model=none");
+ virBufferVSprintf(&opt, ",id=%s%s", QEMU_FSDEV_HOST_PREFIX, fs->info.alias);
+ virBufferVSprintf(&opt, ",path=%s", fs->src);
+
+ if (virBufferError(&opt)) {
+ virReportOOMError();
+ goto error;
+ }
+
+ return virBufferContentAndReset(&opt);
+
+error:
+ virBufferFreeAndReset(&opt);
+ return NULL;
+}
+
+
+char *
+qemuBuildFSDevStr(virDomainFSDefPtr fs)
+{
+ virBuffer opt = VIR_BUFFER_INITIALIZER;
+
+ if (fs->type != VIR_DOMAIN_FS_TYPE_MOUNT) {
+ qemuReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
+ _("can only passthrough directories"));
+ goto error;
+ }
+
+ virBufferAddLit(&opt, "virtio-9p-pci");
+ virBufferVSprintf(&opt, ",id=%s", fs->info.alias);
+ virBufferVSprintf(&opt, ",fsdev=%s%s", QEMU_FSDEV_HOST_PREFIX, fs->info.alias);
+ virBufferVSprintf(&opt, ",mount_tag=%s", fs->dst);
+ qemuBuildDeviceAddressStr(&opt, &fs->info);
+
+ if (virBufferError(&opt)) {
+ virReportOOMError();
+ goto error;
+ }
+
+ return virBufferContentAndReset(&opt);
+
+error:
+ virBufferFreeAndReset(&opt);
+ return NULL;
+}
+
+
char *
qemuBuildControllerDevStr(virDomainControllerDefPtr def)
{
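Review bot: `fs->src` and `fs->dst` are appended to the `-fsdev` and `-device` option strings with a plain `%s`, and QEMU splits those strings on commas, so a source directory or mount tag containing a comma is parsed as further options instead of as part of the value. Both values come from the domain XML, so an unescaped comma would let the value alter other options, including the security model set just above it. Commas need to be doubled before the value is appended, in qemuBuildFSStr for `path=` and in qemuBuildFSDevStr for `mount_tag=`; checking `fs->src` for NULL first would also avoid formatting a null pointer. The security-model chain has no final `else`, so an out-of-range value silently yields an option string without `security_model`; reporting an error there is safer.

```c
    const char *p;
    /* … unchanged: type check, "local", security_model selection, id= … */

    /* QEMU treats ',' as an option separator; a literal comma is written as ",," */
    virBufferAddLit(&opt, ",path=");
    for (p = fs->src; *p; p++) {
        if (*p == ',')
            virBufferAddChar(&opt, ',');
        virBufferAddChar(&opt, *p);
    }
```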
@@ -4377,6 +4457,29 @@ int qemudBuildCommandLine(virConnectPtr conn,
}
}
+ if (qemuCmdFlags & QEMUD_CMD_FLAG_FSDEV) {
+ for (i = 0 ; i < def->nfss ; i++) {
+ char *optstr;
+ virDomainFSDefPtr fs = def->fss[i];
+
+ ADD_ARG_LIT("-fsdev");
+ if (!(optstr = qemuBuildFSStr(fs, qemuCmdFlags)))
+ goto error;
+ ADD_ARG(optstr);
+
+ ADD_ARG_LIT("-device");
+ if (!(optstr = qemuBuildFSDevStr(fs)))
+ goto error;
+ ADD_ARG(optstr);
+ }
+ } else {
+ if (def->nfss) {
+ qemuReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
+ _("filesystem passthrough not supported by this QEMU"));
+ goto error;
+ }
+ }
+
if (!def->nnets) {
/* If we have -device, then we set -nodefault already */
if (!(qemuCmdFlags & QEMUD_CMD_FLAG_DEVICE)) {
diff --git a/src/qemu/qemu_conf.h b/src/qemu/qemu_conf.h
index 2c9e608..7005466 100644
--- a/src/qemu/qemu_conf.h
+++ b/src/qemu/qemu_conf.h
@@ -93,6 +93,7 @@ enum qemud_cmd_flags {
QEMUD_CMD_FLAG_NODEFCONFIG = (1LL << 37), /* -nodefconfig */
QEMUD_CMD_FLAG_BOOT_MENU = (1LL << 38), /* -boot menu=on support */
QEMUD_CMD_FLAG_ENABLE_KQEMU = (1LL << 39), /* -enable-kqemu flag */
+ QEMUD_CMD_FLAG_FSDEV = (1LL << 40) /* -fstype filesystem passthrough */
};
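Review bot: The comment on QEMUD_CMD_FLAG_FSDEV says `-fstype`, but qemudComputeCmdFlags in this patch sets the flag when the help text contains `-fsdev`; the comment should read `/* -fsdev filesystem passthrough */`. The new enumerator also lacks the trailing comma the preceding entries have, which would keep the next addition to a one-line diff.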
/* Main driver state */
@@ -188,6 +189,7 @@ struct _qemuDomainCmdlineDef {
# define QEMU_DRIVE_HOST_PREFIX "drive-"
# define QEMU_VIRTIO_SERIAL_PREFIX "virtio-serial"
+# define QEMU_FSDEV_HOST_PREFIX "fsdev-"
# define qemuReportError(code, ...) \
virReportErrorHelper(NULL, VIR_FROM_QEMU, code, __FILE__, \
@@ -248,9 +250,12 @@ char *qemuDeviceDriveHostAlias(virDomainDiskDefPtr disk,
char *qemuBuildDriveStr(virDomainDiskDefPtr disk,
int bootable,
unsigned long long qemuCmdFlags);
+char *qemuBuildFSStr(virDomainFSDefPtr fs,
+ unsigned long long qemuCmdFlags);
/* Current, best practice */
char * qemuBuildDriveDevStr(virDomainDiskDefPtr disk);
+char * qemuBuildFSDevStr(virDomainFSDefPtr fs);
/* Current, best practice */
char * qemuBuildControllerDevStr(virDomainControllerDefPtr def);
--
1.7.1.1
14 years, 6 months
[libvirt] Error starting VM as a root user, but works fine as a normal (non-root) user
by Harsh Bora
[harsh@harshbora libvirt]$ sudo virsh create ~/testVMs/my_vm.xml
error: Failed to create domain from /home/harsh/testVMs/my_vm.xml
error: internal error cannot parse
/home/harsh/local/qemu/bin/qemu-system-x86_64 version number in ''
[harsh@harshbora libvirt]$ virsh create ~/testVMs/my_vm.xml
Domain my_vm created from /home/harsh/testVMs/my_vm.xml
Anyone, help?
14 years, 6 months