[libvirt] qemu: Remove code instantiating filters on direct interfaces
by Stefan Berger
Remove code that instantiates network filters on direct type
of interfaces. The parser already does not accept filters on
those type of interfaces.
---
src/qemu/qemu_command.c | 26 +-------------------------
src/qemu/qemu_command.h | 1 -
src/qemu/qemu_hotplug.c | 2 +-
3 files changed, 2 insertions(+), 27 deletions(-)
Index: libvirt-acl/src/qemu/qemu_command.c
===================================================================
--- libvirt-acl.orig/src/qemu/qemu_command.c
+++ libvirt-acl/src/qemu/qemu_command.c
@@ -135,7 +135,6 @@ uname_normalize (struct utsname *ut)
*/
int
qemuPhysIfaceConnect(virDomainDefPtr def,
- virConnectPtr conn,
struct qemud_driver *driver,
virDomainNetDefPtr net,
virBitmapPtr qemuCaps,
@@ -145,7 +144,6 @@ qemuPhysIfaceConnect(virDomainDefPtr def
#if WITH_MACVTAP
char *res_ifname = NULL;
int vnet_hdr = 0;
- int err;
if (qemuCapsGet(qemuCaps, QEMU_CAPS_VNET_HDR) &&
net->model && STREQ(net->model, "virtio"))
@@ -165,28 +163,6 @@ qemuPhysIfaceConnect(virDomainDefPtr def
net->ifname = res_ifname;
}
- if (rc >=0 && driver->macFilter) {
- if ((err = networkAllowMacOnPort(driver, net->ifname,
net->mac))) {
- virReportSystemError(err,
- _("failed to add ebtables rule to allow MAC address on
'%s'"),
- net->ifname);
- }
- }
-
- if (rc >= 0) {
- if ((net->filter) && (net->ifname)) {
- err = virDomainConfNWFilterInstantiate(conn, net);
- if (err) {
- VIR_FORCE_CLOSE(rc);
- delMacvtap(net->ifname, net->mac,
- virDomainNetGetActualDirectDev(net),
- virDomainNetGetActualDirectMode(net),
-
virDomainNetGetActualDirectVirtPortProfile(net),
- driver->stateDir);
- VIR_FREE(net->ifname);
- }
- }
- }
#else
(void)def;
(void)conn;
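Review bot: The `#else` branch still ends with `(void)conn;` on the last context line of this hunk, while the first hunk of this file removes the `conn` parameter from qemuPhysIfaceConnect, so a build without WITH_MACVTAP would now fail on an undeclared identifier; that line should go together with the parameter. Separately, the removed block also drops the `driver->macFilter` / networkAllowMacOnPort ebtables rule for direct interfaces, which the commit message (network filters only) does not mention; if that MAC-filter removal is intended, say so in the description, otherwise keep that part of the block. The function continues outside the hunk.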
@@ -4173,7 +4149,7 @@ qemuBuildCommandLine(virConnectPtr conn,
tapfd) >= sizeof(tapfd_name))
goto no_memory;
} else if (actualType == VIR_DOMAIN_NET_TYPE_DIRECT) {
- int tapfd = qemuPhysIfaceConnect(def, conn, driver,
net,
+ int tapfd = qemuPhysIfaceConnect(def, driver, net,
qemuCaps, vmop);
if (tapfd < 0)
goto error;
Index: libvirt-acl/src/qemu/qemu_command.h
===================================================================
--- libvirt-acl.orig/src/qemu/qemu_command.h
+++ libvirt-acl/src/qemu/qemu_command.h
@@ -132,7 +132,6 @@ int qemuNetworkIfaceConnect(virDomainDef
ATTRIBUTE_NONNULL(2);
int qemuPhysIfaceConnect(virDomainDefPtr def,
- virConnectPtr conn,
struct qemud_driver *driver,
virDomainNetDefPtr net,
virBitmapPtr qemuCaps,
Index: libvirt-acl/src/qemu/qemu_hotplug.c
===================================================================
--- libvirt-acl.orig/src/qemu/qemu_hotplug.c
+++ libvirt-acl/src/qemu/qemu_hotplug.c
@@ -676,7 +676,7 @@ int qemuDomainAttachNetDevice(virConnect
if (qemuOpenVhostNet(vm->def, net, priv->qemuCaps, &vhostfd) <
0)
goto cleanup;
} else if (actualType == VIR_DOMAIN_NET_TYPE_DIRECT) {
- if ((tapfd = qemuPhysIfaceConnect(vm->def, conn, driver, net,
+ if ((tapfd = qemuPhysIfaceConnect(vm->def, driver, net,
priv->qemuCaps,
VIR_VM_OP_CREATE)) < 0)
goto cleanup;
[libvirt] [PATCH 0/4] Support macvlan devices for LXC containers
by Daniel P. Berrange
This series does the bare minimum required to support the network
interface type=direct for LXC containers, using macvlan devices
as the implementation. There is a slight complication though...
For bridged container NICs we create a veth pair of devices. One
of the devices lives host side, and is enslaved in a bridge. The
other veth device gets moved to the container namespace to form
the eth0. So we have both a host-side and a container-side device visible.
For direct container NICs we create a macvlan device, which is
moved to the container namespace. There is no host side interface
that is dedicated for the container - only the general ethernet
device the macvlan is bound to. Since there is no host side
interface for the container we are unable to create network
filter rules, or network bandwidth controls. In addition while
we could perform the 802.1Qb{gh} association during container
startup, before moving the macvlan device to the container namespace,
we can't perform any disassociation on container shutdown. By the
time we see the container has shutdown, the macvlan device has
already been killed off.
The inability to setup iptables/tc rules against devices that
are only visible in the container namespace is arguably a flaw
in the Linux kernel's namespace code support for iptables/tc.
There ought to be a syntax for iptables/tc to write rules which
affect NICs in other namespaces
[libvirt] [PATCH] Disable numactl on ARM architectures too
by Daniel P. Berrange
From: "Daniel P. Berrange" <berrange(a)redhat.com>
Pushed under trivial rule - a backport from the Fedora spec
* libvirt.spec.in: Disable numactl on ARM
---
libvirt.spec.in | 4 ++--
1 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/libvirt.spec.in b/libvirt.spec.in
index 10280f0..d4e3e17 100644
--- a/libvirt.spec.in
+++ b/libvirt.spec.in
@@ -92,8 +92,8 @@
%define with_libxl 0
%endif
-# Numactl is not available on s390[x]
-%ifarch s390 s390x
+# Numactl is not available on s390[x] and ARM
+%ifarch s390 s390x %{arm}
%define with_numactl 0
%endif
--
1.7.6.4
[libvirt] [PATCH] Add libvirt confdir to files section in mingw32 spec
by Daniel P. Berrange
From: "Daniel P. Berrange" <berrange(a)redhat.com>
Pushed under the trivial rule - this fix pulled back from Fedora
* mingw32-libvirt.spec.in: Ensure we own the confdir
---
mingw32-libvirt.spec.in | 1 +
1 files changed, 1 insertions(+), 0 deletions(-)
diff --git a/mingw32-libvirt.spec.in b/mingw32-libvirt.spec.in
index c2690f3..89d1d7f 100644
--- a/mingw32-libvirt.spec.in
+++ b/mingw32-libvirt.spec.in
@@ -126,6 +126,7 @@ rm -rf $RPM_BUILD_ROOT
%files
%defattr(-,root,root)
+%dir %{_mingw32_sysconfdir}/libvirt/
%config(noreplace) %{_mingw32_sysconfdir}/libvirt/libvirt.conf
%{_mingw32_bindir}/libvirt-0.dll
--
1.7.6.4
[libvirt] nwfilter - limit VM traffic to specific mac address
by Shahar Havivi
Hi,
I want to limit VM traffic to a specific MAC address, i.e. VMs cannot
send traffic to each other, only to a specific gateway.
I am using custom nwfilter name: isolatedprivatevlan-vdsm.xml
located in /etc/libvirt/nwfilter/:
<filter name='isolatedprivatevlan-vdsm' chain='root'>
<filterref filter='clean-traffic'/>
<rule action='drop' direction='out' priority='500'>
<mac match='no' dstmacaddr='$GATEWAY_MAC'/>
</rule>
</filter>
VM1 domain XML portion:
<interface type="bridge">
<mac address="00:1a:4a:16:01:53"/>
<model type="virtio"/>
<source bridge="red"/>
<filterref filter="isolatedprivatevlan-vdsm">
<parameter name="GATEWAY_MAC" value="00:00:0c:07:ac:00"/>
</filterref>
</interface>
VM2 domain XML portion:
<interface type="bridge">
<mac address="00:1a:4a:16:01:52"/>
<model type="virtio"/>
<source bridge="red"/>
<filterref filter="isolatedprivatevlan-vdsm">
<parameter name="GATEWAY_MAC" value="00:00:0c:07:ac:00"/>
</filterref>
</interface>
In each VM (Fedora 15 LiveCD) I assign an IP:
# ifconfig eth0 10.35.1.240 netmask 255.255.254.0
# route add default gw 10.35.1.1
vm2:
# ifconfig eth0 10.35.1.241 netmask 255.255.254.0
# route add default gw 10.35.1.1
but the filter is not working,
I can ping the VMs from each other,
Am I missing something?
Thanks,
Shahar Havivi.
Re: [libvirt] [PATCH] fix crash when starting network
by lvroyce
tested-by: Wen Ruo Lv<lvroyce(a)linux.vnet.ibm.com>
Tested:
1. net-start command with bridge MAC specified (failed)
2. attach-device command with a hot-plugged NIC (ok)
My network is as below:
<network>
<name>default</name>
<uuid>361441af-e1f0-472d-a503-dfcbbefa03fb</uuid>
<forward mode='nat'/>
<bridge name='virbr0' stp='on' delay='0' />
<mac address='00:16:3E:5D:C7:9E'/>
<ip address='192.168.122.1' netmask='255.255.255.0'>
<dhcp>
<range start='192.168.122.2' end='192.168.122.254' />
</dhcp>
</ip>
</network>
It fails at brSetInterfaceMac-->return ioctl(ctl->fd, SIOCSIFHWADDR, &ifr)
but SIOCGIFHWADDR succeed.
error msg is:
cannot create dummy tap device 'virbr0-nic' to set mac address on bridge
'virbr0':no such device
[libvirt] [test-API][PATCH 1/3] add new "clean" keyword to clean environment after each testcase
by Guannan Ren
testcase1
option1
avalue
option2
bvalue
clean
testcase2
option1
cvalue
option2
dvalue
clean
---
generator.py | 44 ++++++++++++++++++++++++++++++++------------
1 files changed, 32 insertions(+), 12 deletions(-)
diff --git a/generator.py b/generator.py
index 5a3a2ab..2d59353 100644
--- a/generator.py
+++ b/generator.py
@@ -41,6 +41,7 @@ class FuncGen(object):
self.lockfile = lockfile
self.bugstxt = bugstxt
self.loglevel = loglevel
+ self.testcase_number = 0
self.fmt = format.Format(logfile)
self.log_xml_parser = log_xml_parser
@@ -49,19 +50,21 @@ class FuncGen(object):
self.__case_info_save(activity, testrunid)
mapper_obj = mapper.Mapper(activity)
- pkg_tripped_cases = mapper_obj.get_package_tripped()
+ pkg_casename_func = mapper_obj.package_casename_func_map()
- for test_procedure in pkg_tripped_cases:
+ for test_procedure in pkg_casename_func:
log_xml_parser.add_testprocedure_xml(testrunid,
testid,
test_procedure)
self.cases_ref_names = []
- for case in pkg_tripped_cases:
+ for case in pkg_casename_func:
case_ref_name = case.keys()[0]
+ if case_ref_name[-6:] != "_clean":
+ self.testcase_number += 1
self.cases_ref_names.append(case_ref_name)
self.cases_params_list = []
- for case in pkg_tripped_cases:
+ for case in pkg_casename_func:
case_params = case.values()[0]
self.cases_params_list.append(case_params)
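Review bot: The added clean-step detection `if case_ref_name[-6:] != "_clean":` tests a suffix of the whole "pkg:case:func" reference, whereas the later hunk of this file decides the same thing with `cleanoper = 0 if "_clean" not in funcname else 1`, a substring test on the function name only; a function called e.g. `foo_cleanup` would be counted as a test case here but treated as a clean step there, and the Case Count would disagree with what is run. Use one predicate in both places, for example `if not case_ref_name.endswith("_clean"):` here and `cleanoper = funcname.endswith("_clean")` in the later hunk. The enclosing FuncGen method begins and ends outside this hunk.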
@@ -101,7 +104,7 @@ class FuncGen(object):
envlog = log.EnvLog(self.logfile, self.loglevel)
logger = envlog.env_log()
- testcase_number = len(self.cases_ref_names)
+ loop_number = len(self.cases_ref_names)
start_time = time.strftime("%Y-%m-%d %H:%M:%S")
logger.info("Checking Testing Environment... ")
@@ -111,7 +114,7 @@ class FuncGen(object):
sys.exit(1)
else:
logger.info("\nStart Testing:")
- logger.info(" Case Count: %s" % testcase_number)
+ logger.info(" Case Count: %s" % self.testcase_number)
logger.info(" Log File: %s\n" % self.logfile)
del envlog
@@ -119,21 +122,31 @@ class FuncGen(object):
logger = caselog.case_log()
retflag = 0
- for i in range(testcase_number):
+ for i in range(loop_number):
case_ref_name = self.cases_ref_names[i]
- self.fmt.printf('start', case_ref_name)
+ pkg_casename = case_ref_name.rpartition(":")[0]
+ funcname = case_ref_name.rpartition(":")[-1]
+
+ cleanoper = 0 if "_clean" not in funcname else 1
+
+ if not cleanoper:
+ self.fmt.printf('start', pkg_casename)
+ else:
+ self.fmt.printf('string', 12*" " + "Cleaning...")
+
case_params = self.cases_params_list[i]
case_start_time = time.strftime("%Y-%m-%d %H:%M:%S")
ret = -1
+ clean_ret = -1
try:
try:
if case_ref_name != 'sleep':
case_params['logger'] = logger
- existed_bug_list = self.bug_check(case_ref_name)
+ existed_bug_list = self.bug_check(pkg_casename)
if len(existed_bug_list) == 0:
if case_ref_name == 'sleep':
@@ -143,13 +156,16 @@ class FuncGen(object):
ret = 0
else:
ret = self.cases_func_ref_dict[case_ref_name](case_params)
+ if cleanoper:
+ clean_ret = ret
+ ret = 0
else:
logger.info("about the testcase , bug existed:")
for existed_bug in existed_bug_list:
logger.info("%s" % existed_bug)
ret = 100
- self.fmt.printf('end', case_ref_name, ret)
+ self.fmt.printf('end', pkg_casename, ret)
continue
except Exception, e:
logger.error(traceback.format_exc())
@@ -163,7 +179,11 @@ class FuncGen(object):
else:
pass
retflag += ret
- self.fmt.printf('end', case_ref_name, ret)
+
+ if not cleanoper:
+ self.fmt.printf('end', pkg_casename, ret)
+ else:
+ self.fmt.printf('string', 21*" " + "Done" if clean_ret < 1 else 21*" " + "Fail")
end_time = time.strftime("%Y-%m-%d %H:%M:%S")
del caselog
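Review bot: The clean-step result line `self.fmt.printf('string', 21*" " + "Done" if clean_ret < 1 else 21*" " + "Fail")` prints "Done" whenever `clean_ret` is below 1, but `clean_ret` starts at -1 (set in an earlier hunk of this file) and is only assigned when the clean function returns normally, so a clean function that raised, or one that returned a negative status, is reported as Done. An explicit success check, `"Done" if clean_ret == 0 else "Fail"`, would report those cases as failures; splitting the padding out into a local would also keep the line within the file's width. The surrounding loop body continues outside the hunk.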
@@ -172,7 +192,7 @@ class FuncGen(object):
logger = envlog.env_log()
logger.info("\nSummary:")
logger.info(" Total:%s [Pass:%s Fail:%s]" % \
- (testcase_number, (testcase_number - retflag), retflag))
+ (self.testcase_number, (self.testcase_number - retflag), retflag))
del envlog
result = (retflag and "FAIL") or "PASS"
--
1.7.1
[libvirt] [PATCH 0/2] fix nwfilter when /tmp is mounted noexec
by Eric Blake
https://bugzilla.redhat.com/show_bug.cgi?id=752254 points out that
libvirt cannot support nwfilter on a system with /tmp mounted
noexec (which is very common in security-conscious setups),
all because we were trying to directly invoke a temporary script
instead of invoking a shell to read the script.
I've split this patch into 2 parts, on the off-chance that patch
2 would run afoul of command line length limits (if the total
size of the generated nwfilter commands could possibly cause
E2BIG, then we have to go through a temporary file). But my
recollection is that modern Linux kernels support unlimited
command-line length (that is, ARG_MAX is not a concern on Linux),
and that nwfilter_ebiptables_driver only compiles on Linux, so
my preference would be to squash these into a single commit, if
others agree that we don't have to worry about length limits.
At any rate, I'm quite impressed at the number of lines of code
I was able to remove in order to fix a bug!
Eric Blake (2):
nwfilter: avoid failure with noexec /tmp
nwfilter: simplify execution of ebiptables scripts
src/nwfilter/nwfilter_ebiptables_driver.c | 134 ++--------------------------
1 files changed, 10 insertions(+), 124 deletions(-)
--
1.7.4.4
[libvirt] [PATCH] command: handle empty buffer argument correctly
by Eric Blake
virBufferContentAndReset (intentionally) returns NULL for a buffer
with no content, but it is feasible to invoke a command with an
explicit empty string.
* src/util/command.c (virCommandAddEnvBuffer): Reject empty string.
(virCommandAddArgBuffer): Allow explicit empty argument.
* tests/commandtest.c (test9): Test it.
* tests/commanddata/test9.log: Adjust.
---
As pointed out here:
https://www.redhat.com/archives/libvir-list/2011-November/msg00435.html
src/util/command.c | 13 ++++++++++++-
tests/commanddata/test9.log | 4 +++-
tests/commandtest.c | 13 ++++++++++++-
3 files changed, 27 insertions(+), 3 deletions(-)
diff --git a/src/util/command.c b/src/util/command.c
index c3ce361..f5effdf 100644
--- a/src/util/command.c
+++ b/src/util/command.c
@@ -983,6 +983,10 @@ virCommandAddEnvBuffer(virCommandPtr cmd, virBufferPtr buf)
virBufferFreeAndReset(buf);
return;
}
+ if (!virBufferUse(buf)) {
+ cmd->has_error = EINVAL;
+ return;
+ }
cmd->env[cmd->nenv++] = virBufferContentAndReset(buf);
}
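Review bot: The new empty-buffer rejection `if (!virBufferUse(buf)) { cmd->has_error = EINVAL; return; }` returns without resetting the buffer, while the error path directly above it calls `virBufferFreeAndReset(buf)` before returning; if virCommandAddEnvBuffer's contract is that the buffer is always consumed (the preceding path suggests so), an empty buffer that still owns an allocation would be leaked or left for the caller to handle on this one path. Adding `virBufferFreeAndReset(buf);` before the `return;` keeps every error path consistent. The body of virCommandAddEnvBuffer begins outside the hunk.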
@@ -1092,7 +1096,14 @@ virCommandAddArgBuffer(virCommandPtr cmd, virBufferPtr buf)
return;
}
- cmd->args[cmd->nargs++] = virBufferContentAndReset(buf);
+ cmd->args[cmd->nargs] = virBufferContentAndReset(buf);
+ if (!cmd->args[cmd->nargs])
+ cmd->args[cmd->nargs] = strdup("");
+ if (!cmd->args[cmd->nargs]) {
+ cmd->has_error = ENOMEM;
+ return;
+ }
+ cmd->nargs++;
}
diff --git a/tests/commanddata/test9.log b/tests/commanddata/test9.log
index 2607530..3a93c19 100644
--- a/tests/commanddata/test9.log
+++ b/tests/commanddata/test9.log
@@ -2,8 +2,10 @@ ARG:-version
ARG:-log=bar.log
ARG:arg1
ARG:arg2
-ARG:arg3
+ARG:
ARG:arg4
+ARG:arg5
+ARG:arg6
ENV:DISPLAY=:0.0
ENV:HOME=/home/test
ENV:HOSTNAME=test
diff --git a/tests/commandtest.c b/tests/commandtest.c
index dd6c248..efc48fe 100644
--- a/tests/commandtest.c
+++ b/tests/commandtest.c
@@ -352,11 +352,22 @@ static int test9(const void *unused ATTRIBUTE_UNUSED)
{
virCommandPtr cmd = virCommandNew(abs_builddir "/commandhelper");
const char* const args[] = { "arg1", "arg2", NULL };
+ virBuffer buf = VIR_BUFFER_INITIALIZER;
virCommandAddArg(cmd, "-version");
virCommandAddArgPair(cmd, "-log", "bar.log");
virCommandAddArgSet(cmd, args);
- virCommandAddArgList(cmd, "arg3", "arg4", NULL);
+ virCommandAddArgBuffer(cmd, &buf);
+ virBufferAddLit(&buf, "arg4");
+ virCommandAddArgBuffer(cmd, &buf);
+ virCommandAddArgList(cmd, "arg5", "arg6", NULL);
+
+ if (virBufferUse(&buf)) {
+ printf("Buffer not transferred\n");
+ virBufferFreeAndReset(&buf);
+ virCommandFree(cmd);
+ return -1;
+ }
if (virCommandRun(cmd, NULL) < 0) {
virErrorPtr err = virGetLastError();
--
1.7.4.4