[libvirt] [PATCH 2/2] nwfilter: Pass the VM operation type into the nwfilter subsystem
by Stefan Berger
Another preparatory patch for DHCP snooping where we want to be able to
differentiate between a VM start/interface attach and other operations
like VM resume and libvirtd restart so that upon VM start we can internally
discard all DHCP leases that may still be active for a VM's interface
identified by its MAC address (and the VM's UUID). This then helps to prevent
installation of filters with IP addresses from a previous run of the VM upon
for example a libvird restart or a 'kill -SIGHUP':
Pass the VM operation into the nwfilter subsystem. Also this parameter
currently is an ATTRIBUTE_UNUSED in 'virNWFilterInstantiate' until the
DHCP snooping patches make use of it.
I am 'abusing' the enum type originally introduced for 802.1Qb{g|h} to
determine what type of operation is being used. Introducing another type
probably doesn't make much sense but maybe renaming this enum type to
something like 'virVMOperation' would?
---
src/conf/domain_nwfilter.c | 3 ++-
src/conf/domain_nwfilter.h | 2 ++
src/lxc/lxc_driver.c | 10 ++++++++--
src/nwfilter/nwfilter_driver.c | 3 ++-
src/nwfilter/nwfilter_gentech_driver.c | 15 +++++++++++----
src/nwfilter/nwfilter_gentech_driver.h | 1 +
src/qemu/qemu_command.c | 8 +++++---
src/qemu/qemu_command.h | 1 +
src/qemu/qemu_hotplug.c | 4 +++-
src/qemu/qemu_process.c | 7 +++++--
src/uml/uml_conf.c | 14 +++++++++-----
src/uml/uml_conf.h | 3 ++-
src/uml/uml_driver.c | 3 ++-
13 files changed, 53 insertions(+), 21 deletions(-)
Index: libvirt-acl/src/conf/domain_nwfilter.c
===================================================================
--- libvirt-acl.orig/src/conf/domain_nwfilter.c
+++ libvirt-acl/src/conf/domain_nwfilter.c
@@ -38,9 +38,10 @@ virDomainConfNWFilterRegister(virDomainC
int
virDomainConfNWFilterInstantiate(virConnectPtr conn,
const unsigned char *vmuuid,
+ enum virNetDevVPortProfileOp vmOp,
virDomainNetDefPtr net) {
if (nwfilterDriver != NULL)
- return nwfilterDriver->instantiateFilter(conn, vmuuid, net);
+ return nwfilterDriver->instantiateFilter(conn, vmuuid, vmOp, net);
/* driver module not available -- don't indicate failure */
return 0;
}
Index: libvirt-acl/src/conf/domain_nwfilter.h
===================================================================
--- libvirt-acl.orig/src/conf/domain_nwfilter.h
+++ libvirt-acl/src/conf/domain_nwfilter.h
@@ -25,6 +25,7 @@
typedef int (*virDomainConfInstantiateNWFilter)(virConnectPtr conn,
const unsigned char *vmuuid,
+ enum virNetDevVPortProfileOp,
virDomainNetDefPtr net);
typedef void (*virDomainConfTeardownNWFilter)(virDomainNetDefPtr net);
@@ -38,6 +39,7 @@ void virDomainConfNWFilterRegister(virDo
int virDomainConfNWFilterInstantiate(virConnectPtr conn,
const unsigned char *vmuuid,
+ enum virNetDevVPortProfileOp vmOp,
virDomainNetDefPtr net);
void virDomainConfNWFilterTeardown(virDomainNetDefPtr net);
void virDomainConfVMNWFilterTeardown(virDomainObjPtr vm);
Index: libvirt-acl/src/nwfilter/nwfilter_driver.c
===================================================================
--- libvirt-acl.orig/src/nwfilter/nwfilter_driver.c
+++ libvirt-acl/src/nwfilter/nwfilter_driver.c
@@ -444,9 +444,10 @@ cleanup:
static int
nwfilterInstantiateFilter(virConnectPtr conn,
const unsigned char *vmuuid,
+ enum virNetDevVPortProfileOp vmOp,
virDomainNetDefPtr net)
{
- return virNWFilterInstantiateFilter(conn, vmuuid, net);
+ return virNWFilterInstantiateFilter(conn, vmuuid, vmOp, net);
}
Index: libvirt-acl/src/nwfilter/nwfilter_gentech_driver.c
===================================================================
--- libvirt-acl.orig/src/nwfilter/nwfilter_gentech_driver.c
+++ libvirt-acl/src/nwfilter/nwfilter_gentech_driver.c
@@ -627,6 +627,7 @@ virNWFilterRuleInstancesToArray(int nEnt
*/
static int
virNWFilterInstantiate(const unsigned char *vmuuid ATTRIBUTE_UNUSED,
+ enum virNetDevVPortProfileOp vmOp ATTRIBUTE_UNUSED,
virNWFilterTechDriverPtr techdriver,
enum virDomainNetType nettype,
virNWFilterDefPtr filter,
@@ -764,6 +765,7 @@ err_unresolvable_vars:
*/
static int
__virNWFilterInstantiateFilter(const unsigned char *vmuuid,
+ enum virNetDevVPortProfileOp vmOp,
bool teardownOld,
const char *ifname,
int ifindex,
@@ -856,7 +858,7 @@ __virNWFilterInstantiateFilter(const uns
break;
}
- rc = virNWFilterInstantiate(vmuuid,
+ rc = virNWFilterInstantiate(vmuuid, vmOp,
techdriver,
nettype,
filter,
@@ -888,6 +890,7 @@ err_exit:
static int
_virNWFilterInstantiateFilter(virConnectPtr conn,
const unsigned char *vmuuid,
+ enum virNetDevVPortProfileOp vmOp,
const virDomainNetDefPtr net,
bool teardownOld,
enum instCase useNewFilter,
@@ -913,7 +916,7 @@ _virNWFilterInstantiateFilter(virConnect
goto cleanup;
}
- rc = __virNWFilterInstantiateFilter(vmuuid,
+ rc = __virNWFilterInstantiateFilter(vmuuid, vmOp,
teardownOld,
net->ifname,
ifindex,
@@ -951,6 +954,7 @@ virNWFilterInstantiateFilterLate(const u
virNWFilterLockFilterUpdates();
rc = __virNWFilterInstantiateFilter(vmuuid,
+ VIR_NETDEV_VPORT_PROFILE_OP_NO_OP,
true,
ifname,
ifindex,
@@ -982,11 +986,12 @@ virNWFilterInstantiateFilterLate(const u
int
virNWFilterInstantiateFilter(virConnectPtr conn,
const unsigned char *vmuuid,
+ enum virNetDevVPortProfileOp vmOp,
const virDomainNetDefPtr net)
{
bool foundNewFilter = false;
- return _virNWFilterInstantiateFilter(conn, vmuuid, net,
+ return _virNWFilterInstantiateFilter(conn, vmuuid, vmOp, net,
1,
INSTANTIATE_ALWAYS,
&foundNewFilter);
@@ -1001,7 +1006,9 @@ virNWFilterUpdateInstantiateFilter(virCo
{
bool foundNewFilter = false;
- int rc = _virNWFilterInstantiateFilter(conn, vmuuid, net,
+ int rc = _virNWFilterInstantiateFilter(conn, vmuuid,
+ VIR_NETDEV_VPORT_PROFILE_OP_NO_OP,
+ net,
0,
INSTANTIATE_FOLLOW_NEWFILTER,
&foundNewFilter);
Index: libvirt-acl/src/nwfilter/nwfilter_gentech_driver.h
===================================================================
--- libvirt-acl.orig/src/nwfilter/nwfilter_gentech_driver.h
+++ libvirt-acl/src/nwfilter/nwfilter_gentech_driver.h
@@ -39,6 +39,7 @@ enum instCase {
int virNWFilterInstantiateFilter(virConnectPtr conn,
const unsigned char *vmuuid,
+ enum virNetDevVPortProfileOp vmOp,
const virDomainNetDefPtr net);
int virNWFilterUpdateInstantiateFilter(virConnectPtr conn,
const unsigned char *vmuuid,
Index: libvirt-acl/src/qemu/qemu_command.c
===================================================================
--- libvirt-acl.orig/src/qemu/qemu_command.c
+++ libvirt-acl/src/qemu/qemu_command.c
@@ -171,6 +171,7 @@ qemuPhysIfaceConnect(virDomainDefPtr def
int
qemuNetworkIfaceConnect(virDomainDefPtr def,
virConnectPtr conn,
+ enum virNetDevVPortProfileOp vmOp,
struct qemud_driver *driver,
virDomainNetDefPtr net,
virBitmapPtr qemuCaps)
@@ -275,7 +276,8 @@ qemuNetworkIfaceConnect(virDomainDefPtr
if (tapfd >= 0) {
if ((net->filter) && (net->ifname)) {
- if (virDomainConfNWFilterInstantiate(conn, def->uuid, net) < 0)
+ if (virDomainConfNWFilterInstantiate(conn, def->uuid, vmOp,
+ net) < 0)
VIR_FORCE_CLOSE(tapfd);
}
}
@@ -4339,8 +4341,8 @@ qemuBuildCommandLine(virConnectPtr conn,
actualType = virDomainNetGetActualType(net);
if (actualType == VIR_DOMAIN_NET_TYPE_NETWORK ||
actualType == VIR_DOMAIN_NET_TYPE_BRIDGE) {
- int tapfd = qemuNetworkIfaceConnect(def, conn, driver, net,
- qemuCaps);
+ int tapfd = qemuNetworkIfaceConnect(def, conn, vmop, driver,
+ net, qemuCaps);
if (tapfd < 0)
goto error;
Index: libvirt-acl/src/lxc/lxc_driver.c
===================================================================
--- libvirt-acl.orig/src/lxc/lxc_driver.c
+++ libvirt-acl/src/lxc/lxc_driver.c
@@ -1184,6 +1184,7 @@ static void lxcVmCleanup(lxc_driver_t *d
static int lxcSetupInterfaceBridged(virConnectPtr conn,
virDomainDefPtr vm,
+ enum virNetDevVPortProfileOp vmOp,
virDomainNetDefPtr net,
const char *brname,
unsigned int *nveths,
@@ -1228,7 +1229,8 @@ static int lxcSetupInterfaceBridged(virC
}
if (net->filter &&
- virDomainConfNWFilterInstantiate(conn, vm->uuid, net) < 0)
+ virDomainConfNWFilterInstantiate(conn, vm->uuid, vmOp,
+ net) < 0)
goto cleanup;
ret = 0;
@@ -1319,6 +1321,7 @@ cleanup:
*/
static int lxcSetupInterfaces(virConnectPtr conn,
virDomainDefPtr def,
+ enum virNetDevVPortProfileOp vmOp,
unsigned int *nveths,
char ***veths)
{
@@ -1349,6 +1352,7 @@ static int lxcSetupInterfaces(virConnect
if (lxcSetupInterfaceBridged(conn,
def,
+ vmOp,
def->nets[i],
brname,
nveths,
@@ -1368,6 +1372,7 @@ static int lxcSetupInterfaces(virConnect
}
if (lxcSetupInterfaceBridged(conn,
def,
+ vmOp,
def->nets[i],
brname,
nveths,
@@ -1818,7 +1823,8 @@ static int lxcVmStart(virConnectPtr conn
}
}
- if (lxcSetupInterfaces(conn, vm->def, &nveths, &veths) != 0)
+ if (lxcSetupInterfaces(conn, vm->def, VIR_NETDEV_VPORT_PROFILE_OP_CREATE,
+ &nveths, &veths) != 0)
goto cleanup;
/* Save the configuration for the controller */
Index: libvirt-acl/src/qemu/qemu_command.h
===================================================================
--- libvirt-acl.orig/src/qemu/qemu_command.h
+++ libvirt-acl/src/qemu/qemu_command.h
@@ -126,6 +126,7 @@ char * qemuBuildRedirdevDevStr(virDomain
int qemuNetworkIfaceConnect(virDomainDefPtr def,
virConnectPtr conn,
+ enum virNetDevVPortProfileOp vmOp,
struct qemud_driver *driver,
virDomainNetDefPtr net,
virBitmapPtr qemuCaps)
Index: libvirt-acl/src/qemu/qemu_hotplug.c
===================================================================
--- libvirt-acl.orig/src/qemu/qemu_hotplug.c
+++ libvirt-acl/src/qemu/qemu_hotplug.c
@@ -669,7 +669,9 @@ int qemuDomainAttachNetDevice(virConnect
actualType = virDomainNetGetActualType(net);
if (actualType == VIR_DOMAIN_NET_TYPE_BRIDGE ||
actualType == VIR_DOMAIN_NET_TYPE_NETWORK) {
- if ((tapfd = qemuNetworkIfaceConnect(vm->def, conn, driver, net,
+ if ((tapfd = qemuNetworkIfaceConnect(vm->def, conn,
+ VIR_NETDEV_VPORT_PROFILE_OP_CREATE,
+ driver, net,
priv->qemuCaps)) < 0)
goto cleanup;
iface_connected = true;
Index: libvirt-acl/src/qemu/qemu_process.c
===================================================================
--- libvirt-acl.orig/src/qemu/qemu_process.c
+++ libvirt-acl/src/qemu/qemu_process.c
@@ -2310,6 +2310,7 @@ qemuProcessNotifyNets(virDomainDefPtr de
static int
qemuProcessFiltersInstantiate(virConnectPtr conn,
+ enum virNetDevVPortProfileOp vmOp,
virDomainDefPtr def)
{
int err = 0;
@@ -2321,7 +2322,8 @@ qemuProcessFiltersInstantiate(virConnect
for (i = 0 ; i < def->nnets ; i++) {
virDomainNetDefPtr net = def->nets[i];
if ((net->filter) && (net->ifname)) {
- if (virDomainConfNWFilterInstantiate(conn, def->uuid, net) < 0) {
+ if (virDomainConfNWFilterInstantiate(conn, def->uuid, vmOp,
+ net) < 0) {
err = 1;
break;
}
@@ -2662,7 +2664,8 @@ qemuProcessReconnect(void *opaque)
if (qemuProcessNotifyNets(obj->def) < 0)
goto error;
- if (qemuProcessFiltersInstantiate(conn, obj->def))
+ if (qemuProcessFiltersInstantiate(conn, VIR_NETDEV_VPORT_PROFILE_OP_NO_OP,
+ obj->def))
goto error;
if (qemuDomainCheckEjectableMedia(driver, obj) < 0)
Index: libvirt-acl/src/uml/uml_conf.c
===================================================================
--- libvirt-acl.orig/src/uml/uml_conf.c
+++ libvirt-acl/src/uml/uml_conf.c
@@ -118,6 +118,7 @@ virCapsPtr umlCapsInit(void) {
static int
umlConnectTapDevice(virConnectPtr conn,
virDomainDefPtr vm,
+ enum virNetDevVPortProfileOp vmOp,
virDomainNetDefPtr net,
const char *bridge)
{
@@ -144,7 +145,7 @@ umlConnectTapDevice(virConnectPtr conn,
}
if (net->filter) {
- if (virDomainConfNWFilterInstantiate(conn, vm->uuid, net) < 0) {
+ if (virDomainConfNWFilterInstantiate(conn, vm->uuid, vmOp, net) < 0) {
if (template_ifname)
VIR_FREE(net->ifname);
goto error;
@@ -162,6 +163,7 @@ error:
static char *
umlBuildCommandLineNet(virConnectPtr conn,
virDomainDefPtr vm,
+ enum virNetDevVPortProfileOp vmOp,
virDomainNetDefPtr def,
int idx)
{
@@ -227,7 +229,7 @@ umlBuildCommandLineNet(virConnectPtr con
goto error;
}
- if (umlConnectTapDevice(conn, vm, def, bridge) < 0) {
+ if (umlConnectTapDevice(conn, vm, vmOp, def, bridge) < 0) {
VIR_FREE(bridge);
goto error;
}
@@ -238,7 +240,7 @@ umlBuildCommandLineNet(virConnectPtr con
}
case VIR_DOMAIN_NET_TYPE_BRIDGE:
- if (umlConnectTapDevice(conn, vm, def,
+ if (umlConnectTapDevice(conn, vm, vmOp, def,
def->data.bridge.brname) < 0)
goto error;
@@ -399,7 +401,8 @@ static char *umlNextArg(char *args)
*/
virCommandPtr umlBuildCommandLine(virConnectPtr conn,
struct uml_driver *driver,
- virDomainObjPtr vm)
+ virDomainObjPtr vm,
+ enum virNetDevVPortProfileOp vmOp)
{
int i, j;
struct utsname ut;
@@ -432,7 +435,8 @@ virCommandPtr umlBuildCommandLine(virCon
}
for (i = 0 ; i < vm->def->nnets ; i++) {
- char *ret = umlBuildCommandLineNet(conn, vm->def, vm->def->nets[i], i);
+ char *ret = umlBuildCommandLineNet(conn, vm->def, vmOp,
+ vm->def->nets[i], i);
if (!ret)
goto error;
virCommandAddArg(cmd, ret);
Index: libvirt-acl/src/uml/uml_conf.h
===================================================================
--- libvirt-acl.orig/src/uml/uml_conf.h
+++ libvirt-acl/src/uml/uml_conf.h
@@ -79,6 +79,7 @@ virCapsPtr umlCapsInit (v
virCommandPtr umlBuildCommandLine(virConnectPtr conn,
struct uml_driver *driver,
- virDomainObjPtr dom);
+ virDomainObjPtr dom,
+ enum virNetDevVPortProfileOp vmOp);
#endif /* __UML_CONF_H */
Index: libvirt-acl/src/uml/uml_driver.c
===================================================================
--- libvirt-acl.orig/src/uml/uml_driver.c
+++ libvirt-acl/src/uml/uml_driver.c
@@ -1039,7 +1039,8 @@ static int umlStartVMDaemon(virConnectPt
return -1;
}
- if (!(cmd = umlBuildCommandLine(conn, driver, vm))) {
+ if (!(cmd = umlBuildCommandLine(conn, driver, vm,
+ VIR_NETDEV_VPORT_PROFILE_OP_CREATE))) {
VIR_FORCE_CLOSE(logfd);
virDomainConfVMNWFilterTeardown(vm);
umlCleanupTapDevices(vm);
12 years, 11 months
[libvirt] KVM Call Agenda for 12/6 (Tuesday) @ 10am US/Eastern
by Anthony Liguori
Hi,
I'd like to propose that we discuss guest agent convergence in our next KVM
call. I've CC'd folks from oVirt and libvirt to join the discussion.
I think we should probably attempt to have some structure to the discussion. I
would suggest:
1. A short introduction to each of the guest agents, what guests they support,
and what verbs they support.
2. A short description of key requirements from each party (oVirt, libvirt,
QEMU) for a guest agent
3. An open discussion about possible ways to collaborate/converge.
Regards,
Anthony Liguori
12 years, 11 months
[libvirt] [PATCH v2 0/2] Guest NUMA topology support
by Bharata B Rao
Hi,
This is v2 of the patchset that adds support for specifying NUMA topology
for guests.
<cpu>
...
<topology sockets='2' cores='4' threads='2'/>
<numa>
<cell cpus='0-7' mems='512000'/>
<cell cpus='8-15' mems='512000'/>
</numa>
...
</cpu>
This change allows libvirt to generate -numa options for QEMU/KVM.
This patchset passes all tests except daemon-conf test.
Changes for v2
--------------
- Renamed mems to memory in NUMA cell specification.
- Make both cpus= and memory= mandatory in a NUMA cell.
- Reuse cpuset and memoryKB definitions for cpus and memory.
- Fix a bug in reading memory=.
- Correct error handling for usages of virXMLPropString.
- Support virsh dumpxml.
- Fix XML in domaincommon.rng so that <numa> works correctly for
both <cpu> ... <cpu> as well as <cpu match="..."> ... <cpu>
- Don't use virBufferTruncate.
- Modifiy qemuxml2argv test cases for s/mems/memory change.
- Use virBufferLit wherever possible.
- Now qemuBuildNumaCPUArgStr can't fail, hence doesn't need return val.
- Pass memory in MB to qemu.
v1 - https://www.redhat.com/archives/libvir-list/2011-November/msg00247.html
v0 - https://www.redhat.com/archives/libvir-list/2011-October/msg00025.html
RFC - http://permalink.gmane.org/gmane.comp.emulators.libvirt/44626
Regards,
Bharata.
12 years, 11 months
[libvirt] [PATCH 0/5] Interface pools and passthrough mode
by Shradha Shah
Interface Pools and Passthrough mode:
Current Method:
The passthrough mode uses a macvtap a direct connection to connect each guest to the network. The physical interface to be used is picked from among those listed in <interface> sub elements of the <forward> element.
The current specification for <forward> extends to allow 0 or more <interface> sub-elements:
Example:
<forward mode='passthrough' dev='eth10'/>
<interface dev='eth10'/>
<interface dev='eth12'/>
<interface dev='eth18'/>
<interface dev='eth20'/>
</forward>
However with an ethernet card with 64 VF's or more, the above method gets tedious on the system.
On the other hand, just parameterizing a string (eth%d) is inadequate, eg, when there are multiple non-contiguous ranges.
Proposed Method:
The 5 patches provided along with this introductory e-mail
i) Introduce a structure to store the state of all the virtual functions attached to each physical function
ii) Find a free virtual function given the physical function.
The forward specification will hence only mention the physical function as the interface sub element:
Example:
<forward mode='passthrough' dev='eth2'/>
<interface dev='eth2'/>
</forward>
Shradha Shah (5):
Moving the declaration of _pciDevice and _pciDeviceList to pci.h
Added function pciSysfsFile to enable access to the PCI SYSFS files.
Adding functions virNetDevGetVirtualFunctions and virNetDevGetNetName
virNetDevGetVirtualFunctions: Gets the BDF of all the Virtual
Functions given a physical function virNetDevGetNetName: Gets
the interface name of the PCI Device.
Addition of a new device structure to store the state of a Virtual
Function Modifications to the Physical Device Structure to
store state of its Virtual Functions
If a system has 64 or more VF's, it is quite tedious to mention each
VF in the interface pool. The following modification find a
Free VF given a Physical Function when mode=passthrough. We
also save the state of each VF. Hence modifications to
networkAllocateActualDevice, networkNotifyActualDevice and
networkReleaseActualDevice were required. The following
patch does just that.
src/conf/network_conf.c | 19 ++++-
src/conf/network_conf.h | 10 ++
src/network/bridge_driver.c | 208 +++++++++++++++++++++++++++++++++++++------
src/util/pci.c | 52 ++++-------
src/util/pci.h | 36 ++++++++
src/util/virnetdev.c | 89 ++++++++++++++++++
src/util/virnetdev.h | 10 ++
7 files changed, 359 insertions(+), 65 deletions(-)
--
1.7.4.4
12 years, 11 months
[libvirt] [PATCH 00/14] Add a virtlockd lock manager daemon
by Daniel P. Berrange
The lock manager infrastructure we recently added to QEMU only has
two possible drivers at this time, 'nop' and 'sanlock'. The former
does absolutely nothing, while the latter requires a 3rd party
package installed and is a little heavy on disk I/O and storage
requirements.
This series adds a new daemon 'virtlockd' which is intended to be
enabled by default on all hosts running 'libvirtd'. This daemon
provides a service for disk locking based on the traditional
fcntl() lock primitives. There is a new libvirt manager plugin
which talks to this daemon over RPC. The reason for doing the
locks in a separate process is that we want the locks to remain
active, even if libvirtd crashes, or is restarted. The virtlockd
daemon has this one single job so should be pretty reliable and
selfcontained. This patch series really benefits from the new RPC
APIs, requiring minimal code for the new daemon / client
At this time, virtlockd does not lock the actual disk files, but
instead creates a lockspace & leases under /var/lib/libvirt/lockd.
The lockspace we use for disks is named org.libvirt.lockd.files,
and lease names are based on a SHA256 checksum of the fully
qualified disk name. eg
/var/lib/libvirt/lockd/org.libvirt.lockd.files/adf94fc33a24da1abff7dd7374a9919bb51efee646da8c3ac464c10cd59750bd
These leases are all zero-bytes long and no I/O is ever performed
on them, only fcntl() is used. So there is material overhead.
Whenever creating or deleting leases, we first acquire a lock on
/var/lib/libvirt/lockd/org.libvirt.lockd.files/org.libvirt.lockd.index
A non-root virtlockd will instead use $HOME/.libvirt/lockd
By default we gain protection out of the box against
- Starting two guests on the same host with the same disk image
not marked with <shareable/>
- libvirtd getting confused and forgetting a guest, allowing it
to be started for a 2nd time
If the admin mounts a shared filesytem (eg NFS) on /var/lib/libvirt/lockd
then this protection is extended across all hosts sharing that
mount volume.
As part of this series, I also introduce support for systemd
services for libvirtd and libvir-guests.
12 years, 11 months
[libvirt] [PATCH 00/10] Console coruption with two or more clients series
by Peter Krempa
This series fixes anoying console corruption if two clients try to connect
at same time to the console. The current state of this is, that two/more
of libvirt iohelpers are spawned on the same time that compete for data
from the pty. This causes that each of the consoles get scrambled and
unusable.
Patches
fdstream: Emit stream abort callback even if poll() doesnt.
virnetclientstream: Propagate stream error messages to callback
daemon: Subscribe the stream event callback for error events.
add the ability to abort a stream from the daemon side.
fdstream: Add internal function to check if a fdstream is open
This patch adds a helper function that checks internally if a fdstream
is open and working.
virsh: fix console stream error reporting
Add flags for virDomainOpenConsole
virsh: add support for VIR_DOMAIN_CONSOLE_FORCE flag
This patches add instrumentation to virsh that supports the new ability to
abort streams from the daemon side and adapts the console callback to handle
this. These patches also add a new flag set for virDomainOpenConsole API
call that allow users to control the if the existing console connection should
be left in place or killed in favor of the new one
qemu: Add ability to abort existing console while creating new one
lxc: Add ability to abort existing console when creating a new one
uml: Add ability to abort existing console when creating a new one
These patches modify the hypervisor drivers so that they are aware of existing
console connections and refuse to create a new one (or kill the old).
The xen driver also supports console in a similar way like the previously
mentioned drivers, but lacks the means to store a stream reference
permanently. I'll look in if it's possible to modify this driver to support
this new functionality.
For convinience, to review these patches:
git checkout -b console_corruption 33b55fd85ae5435bda53c3cfcbe1385074befd01
git pull git://aeon.pipo.sk/libvirt.git console_corruption
Peter
Peter Krempa (10):
fdstream: Emit stream abort callback even if poll() doesnt.
virnetclientstream: Propagate stream error messages to callback
daemon: Subscribe the stream event callback for error events.
fdstream: Add internal function to check if a fdstream is open
virsh: fix console stream error reporting
Add flags for virDomainOpenConsole
virsh: add support for VIR_DOMAIN_CONSOLE_FORCE flag
qemu: Add ability to abort existing console while creating new one
lxc: Add ability to abort existing console when creating a new one
uml: Add ability to abort existing console when creating a new one
daemon/stream.c | 2 +-
include/libvirt/libvirt.h.in | 12 +++++++-
src/fdstream.c | 61 ++++++++++++++++++++++++++++++++++++++---
src/fdstream.h | 2 +
src/libvirt_private.syms | 1 +
src/lxc/lxc_driver.c | 28 ++++++++++++++++++-
src/qemu/qemu_domain.c | 3 ++
src/qemu/qemu_domain.h | 2 +
src/qemu/qemu_driver.c | 23 +++++++++++++++-
src/rpc/virnetclientstream.c | 12 +++++---
src/uml/uml_driver.c | 28 ++++++++++++++++++-
tools/console.c | 27 ++++++++++++------
tools/console.h | 2 +-
tools/virsh.c | 18 +++++++++---
14 files changed, 192 insertions(+), 29 deletions(-)
--
1.7.3.4
12 years, 11 months
[libvirt] [PATCH 0/2] Expose virNodeGetCPUStats and virNodeGetMemoryStats in python
by Peter Krempa
These patches add two API functions to the libvirt python bindings, that
were missing.
The constants denoting a summary stat value instead of a separate per-node
values was declared using a preprocessor macro:
...
#define VIR_NODE_MEMORY_STATS_ALL_CELLS (-1)
#define VIR_NODE_CPU_STATS_ALL_CPUS (-1)
...
This inhibits automatic generation of these constants in the automaticaly
generated python library code.
If this change is too controversial, there's another option: Including these
constants in the python library (using libvirt-override.py). Please let me know
which of those options you prefer.
Thanks
Peter
Peter Krempa (2):
python: Expose binding for virNodeGetCPUStats()
python: Expose binding for virNodeGetMemoryStats()
include/libvirt/libvirt.h.in | 12 +++--
- change macro definitions to enums
python/libvirt-override-api.xml | 14 ++++++
- add doc's about newly added functions
python/libvirt-override.c | 95 +++++++++++++++++++++++++++++++++++++++
- add code for calling those functions and reclaiming return values.
3 files changed, 117 insertions(+), 4 deletions(-)
--
1.7.3.4
12 years, 11 months
[libvirt] [RFC v3 PATCH 0/5] PowerPC : Extend libvirt for the PowerPC-KVM platform
by Prerna Saxena
Recent development in KVM for 64-bit Power ISA Book3S machines, allows
users to run multiple KVM guest instances on POWER7 and PPC970
processor based systems. Also qemu-system-ppc64 has been enhanced to
support a new machine type "pseries" suitable for Power Book3S machines.
This addition effectively brings the KVM+qemu combination to run
multiple guest instances on a Power Book3S machine.
Libvirt continues to be the key interface to configure and manage the
KVM guest instances on x86. This patch set is an effort to enable
libvirt to support KVM guest configuration and management on Power Book3S
machines.
Based on community discussion around the earlier version, this patch
series augments the present 'kvm' driver to support PowerPC-KVM based
guests.Since some of the supported devices vary between architectures,
libvirt must be capable of choosing supported device backends and
defaults for each architecture in qemu.
To check if qemu supports a certain feature, libvirt at present parses
the -help string which is generated by running the qemu binary with the
'-h' argument. This approach is gated by QEMU's inherent limitation.
When generating the list of allowed options with the '-h' flags, qemu
today blindly lists all options defined for any architecture/platform
instead of doing any arch-specific checking. This tricks libvirt into
assuming a much bigger set of host capabilities than is actually
available.
Ideally, it would be good to have qemu specify a list of devices for a
given architecture and platform which libvirt can parse to understand
supported capabilities for that guest.
As a part of this patchset, there is an attempt to cleanly bifurcate
libvirt code and to remove x86-specific assumptions from generic qemu
commandline code.
Series Description:
-------------------
This patch series consists of 5 patches :
Patch 1/5 : Use sysfs to gather host topology in place of /proc/cpuinfo.
Patch 2/5 : Add PowerPC CPU Driver
Patch 3/5 : Add support for qemu-system-ppc64
Patch 4/5 : Clean up x86-specific assumptions from generic qemu code.
Patch 5/5 : Add address family "spapr-vio"
Changelog:
---------
** v1->v2 :
* Patches 1,2,3 unchanged ; The hacks in Patch 4 of v1 replaced by a
new patch to neatly select arch-specific features.
** v2->v3 :
* Patches 1,2,3 have minor cleanups ; Patch 4 no longer has an
arch-specific handler routine. It is now replaced by a much simpler
patch that merely removes x86/pc-specific assumptions from libvirt.
** v3->v4 :
* Patches 1,2,3,4 unchanged ; patch 5 is a new addition from Michael Ellerman
that adds a new device-tree based addressing mechanism for the 'pseries'
guest.
--
Prerna Saxena
Linux Technology Centre,
IBM Systems and Technology Lab,
Bangalore, India
12 years, 12 months
[libvirt] [PATCH] nwfilter: Update of filters to handle multiple IP addresses
by Stefan Berger
With fragments borrowed from David Steven's previous submission and some
further modifications:
A set of modifications to existing filters to handle multiple IP addresses
(and MAC addresses) per interface.
Also:
- enable DHCP traffic from VM to any DHCP server
- will require an update to a libvirt-tck data file
Signed-off-by: David L Stevens <dlstevens(a)us.ibm.com>
Signed-off-by: Stefan Berger <stefanb(a)linux.vnet.ibm.com>
---
examples/xml/nwfilter/Makefile.am | 2 +
examples/xml/nwfilter/clean-traffic.xml | 12 +++++++-
examples/xml/nwfilter/no-arp-ip-spoofing.xml | 9 ++++++
examples/xml/nwfilter/no-arp-mac-spoofing.xml | 7 ++++
examples/xml/nwfilter/no-arp-spoofing.xml | 38
++------------------------
examples/xml/nwfilter/no-ip-spoofing.xml | 17 ++++++++---
examples/xml/nwfilter/no-mac-spoofing.xml | 11 +++++--
7 files changed, 52 insertions(+), 44 deletions(-)
Index: libvirt-acl/examples/xml/nwfilter/Makefile.am
===================================================================
--- libvirt-acl.orig/examples/xml/nwfilter/Makefile.am
+++ libvirt-acl/examples/xml/nwfilter/Makefile.am
@@ -9,6 +9,8 @@ FILTERS = \
allow-ipv4.xml \
clean-traffic.xml \
no-arp-spoofing.xml \
+ no-arp-ip-spoofing.xml \
+ no-arp-mac-spoofing.xml \
no-ip-multicast.xml \
no-ip-spoofing.xml \
no-mac-broadcast.xml \
Index: libvirt-acl/examples/xml/nwfilter/no-arp-ip-spoofing.xml
===================================================================
--- /dev/null
+++ libvirt-acl/examples/xml/nwfilter/no-arp-ip-spoofing.xml
@@ -0,0 +1,9 @@
+<filter name='no-arp-ip-spoofing' chain='arp-ip' priority='-510'>
+ <!-- no arp spoofing -->
+ <!-- drop if ipaddr does not belong to guest -->
+ <rule action='return' direction='out' priority='400' >
+ <arp match='yes' arpsrcipaddr='$IP' />
+ </rule>
+ <!-- drop everything else -->
+ <rule action='drop' direction='out' priority='1000' />
+</filter>
Index: libvirt-acl/examples/xml/nwfilter/no-arp-mac-spoofing.xml
===================================================================
--- /dev/null
+++ libvirt-acl/examples/xml/nwfilter/no-arp-mac-spoofing.xml
@@ -0,0 +1,7 @@
+<filter name='no-arp-mac-spoofing' chain='arp-mac' priority='-520'>
+ <rule action='return' direction='out' priority='350' >
+ <arp match='yes' arpsrcmacaddr='$MAC'/>
+ </rule>
+ <!-- drop everything else -->
+ <rule action='drop' direction='out' priority='1000' />
+</filter>
Index: libvirt-acl/examples/xml/nwfilter/clean-traffic.xml
===================================================================
--- libvirt-acl.orig/examples/xml/nwfilter/clean-traffic.xml
+++ libvirt-acl/examples/xml/nwfilter/clean-traffic.xml
@@ -1,4 +1,4 @@
-<filter name='clean-traffic'>
+<filter name='clean-traffic' chain='root'>
<!-- An example of a traffic filter enforcing clean traffic
from a VM by
- preventing MAC spoofing -->
@@ -6,11 +6,21 @@
<!-- preventing IP spoofing on outgoing, allow all IPv4 in incoming -->
<filterref filter='no-ip-spoofing'/>
+
+ <rule direction='out' action='accept' priority='-650'>
+ <mac protocolid='ipv4'/>
+ </rule>
+
<filterref filter='allow-incoming-ipv4'/>
<!-- preventing ARP spoofing/poisoning -->
<filterref filter='no-arp-spoofing'/>
+ <!-- accept all other incoming and outgoing ARP traffic -->
+ <rule action='accept' direction='inout' priority='-500'>
+ <mac protocolid='arp'/>
+ </rule>
+
<!-- preventing any other traffic than IPv4 and ARP -->
<filterref filter='no-other-l2-traffic'/>
Index: libvirt-acl/examples/xml/nwfilter/no-mac-spoofing.xml
===================================================================
--- libvirt-acl.orig/examples/xml/nwfilter/no-mac-spoofing.xml
+++ libvirt-acl/examples/xml/nwfilter/no-mac-spoofing.xml
@@ -1,5 +1,10 @@
-<filter name='no-mac-spoofing' chain='ipv4'>
- <rule action='drop' direction='out' priority='10'>
- <mac match='no' srcmacaddr='$MAC' />
+<filter name='no-mac-spoofing' chain='mac' priority='-800'>
+ <!-- return packets with VM's MAC address as source address -->
+ <rule direction='out' action='return'>
+ <mac srcmacaddr='$MAC'/>
+ </rule>
+ <!-- drop everything else -->
+ <rule direction='out' action='drop'>
+ <mac/>
</rule>
</filter>
Index: libvirt-acl/examples/xml/nwfilter/no-arp-spoofing.xml
===================================================================
--- libvirt-acl.orig/examples/xml/nwfilter/no-arp-spoofing.xml
+++ libvirt-acl/examples/xml/nwfilter/no-arp-spoofing.xml
@@ -1,36 +1,4 @@
-<filter name='no-arp-spoofing' chain='arp'>
- <uuid>f88f1932-debf-4aa1-9fbe-f10d3aa4bc95</uuid>
- <rule action='drop' direction='out' priority='300' >
- <mac match='no' srcmacaddr='$MAC'/>
- </rule>
-
- <!-- no arp spoofing -->
- <!-- drop if ipaddr or macaddr does not belong to guest -->
- <rule action='drop' direction='out' priority='350' >
- <arp match='no' arpsrcmacaddr='$MAC'/>
- </rule>
- <rule action='drop' direction='out' priority='400' >
- <arp match='no' arpsrcipaddr='$IP' />
- </rule>
- <!-- allow gratuitous arp -->
- <rule action='accept' direction='in' priority='425'>
- <arp gratuitous='true'/>
- </rule>
- <!-- drop if ipaddr or macaddr does not belong to guest -->
- <rule action='drop' direction='in' priority='450' >
- <arp match='no' arpdstmacaddr='$MAC'/>
- <arp opcode='reply'/>
- </rule>
- <rule action='drop' direction='in' priority='500' >
- <arp match='no' arpdstipaddr='$IP' />
- </rule>
- <!-- accept only request or reply packets -->
- <rule action='accept' direction='inout' priority='600' >
- <arp opcode='request'/>
- </rule>
- <rule action='accept' direction='inout' priority='650' >
- <arp opcode='reply'/>
- </rule>
- <!-- drop everything else -->
- <rule action='drop' direction='inout' priority='1000' />
+<filter name='no-arp-spoofing' chain='root'>
+ <filterref filter='no-arp-mac-spoofing'/>
+ <filterref filter='no-arp-ip-spoofing'/>
</filter>
Index: libvirt-acl/examples/xml/nwfilter/no-ip-spoofing.xml
===================================================================
--- libvirt-acl.orig/examples/xml/nwfilter/no-ip-spoofing.xml
+++ libvirt-acl/examples/xml/nwfilter/no-ip-spoofing.xml
@@ -1,7 +1,14 @@
-<filter name='no-ip-spoofing' chain='ipv4'>
+<filter name='no-ip-spoofing' chain='ipv4-ip' priority='-710'>
+ <!-- allow DHCP requests -->
+ <rule action='accept' direction='out' priority='100'>
+ <ip srcipaddr='0.0.0.0' protocol='udp' srcportstart='68' srcportend='68'/>
+ </rule>
- <!-- drop if srcipaddr is not the IP address of the guest -->
- <rule action='drop' direction='out'>
- <ip match='no' srcipaddr='$IP' />
- </rule>
+ <!-- allow all known IP addresses -->
+ <rule direction='out' action='return' priority='500'>
+ <ip srcipaddr='$IP'/>
+ </rule>
+
+ <!-- drop everything else -->
+ <rule direction='out' action='drop' priority='1000'/>
</filter>
12 years, 12 months
[libvirt] [PATCH] conf: Improve incorrect root element error messages
by Michal Privoznik
When user pass wrong root element, it is not 'internal error' and
we can give him hint what we are expecting.
---
src/conf/domain_conf.c | 12 ++++++++----
src/conf/interface_conf.c | 6 ++++--
src/conf/network_conf.c | 6 ++++--
src/conf/node_device_conf.c | 6 ++++--
src/conf/secret_conf.c | 6 ++++--
src/security/virt-aa-helper.c | 2 +-
6 files changed, 25 insertions(+), 13 deletions(-)
diff --git a/src/conf/domain_conf.c b/src/conf/domain_conf.c
index f04e477..bb504f9 100644
--- a/src/conf/domain_conf.c
+++ b/src/conf/domain_conf.c
@@ -7932,8 +7932,10 @@ virDomainDefPtr virDomainDefParseNode(virCapsPtr caps,
virDomainDefPtr def = NULL;
if (!xmlStrEqual(root->name, BAD_CAST "domain")) {
- virDomainReportError(VIR_ERR_INTERNAL_ERROR,
- "%s", _("incorrect root element"));
+ virDomainReportError(VIR_ERR_XML_ERROR,
+ _("unexpected root element <%s>, "
+ "expecting <domain>"),
+ root->name);
goto cleanup;
}
@@ -7963,8 +7965,10 @@ virDomainObjParseNode(virCapsPtr caps,
virDomainObjPtr obj = NULL;
if (!xmlStrEqual(root->name, BAD_CAST "domstatus")) {
- virDomainReportError(VIR_ERR_INTERNAL_ERROR,
- "%s", _("incorrect root element"));
+ virDomainReportError(VIR_ERR_XML_ERROR,
+ _("unexpected root element <%s>, "
+ "expecting <domstatus>"),
+ root->name);
goto cleanup;
}
diff --git a/src/conf/interface_conf.c b/src/conf/interface_conf.c
index fd8d1ae..59f74a1 100644
--- a/src/conf/interface_conf.c
+++ b/src/conf/interface_conf.c
@@ -838,8 +838,10 @@ virInterfaceDefPtr virInterfaceDefParseNode(xmlDocPtr xml,
virInterfaceDefPtr def = NULL;
if (!xmlStrEqual(root->name, BAD_CAST "interface")) {
- virInterfaceReportError(VIR_ERR_INTERNAL_ERROR,
- "%s", _("incorrect root element"));
+ virInterfaceReportError(VIR_ERR_XML_ERROR,
+ _("unexpected root element <%s>, "
+ "expecting <interface>"),
+ root->name);
return NULL;
}
diff --git a/src/conf/network_conf.c b/src/conf/network_conf.c
index 10afcde..1058b07 100644
--- a/src/conf/network_conf.c
+++ b/src/conf/network_conf.c
@@ -1107,8 +1107,10 @@ virNetworkDefPtr virNetworkDefParseNode(xmlDocPtr xml,
virNetworkDefPtr def = NULL;
if (!xmlStrEqual(root->name, BAD_CAST "network")) {
- virNetworkReportError(VIR_ERR_INTERNAL_ERROR,
- "%s", _("incorrect root element"));
+ virNetworkReportError(VIR_ERR_XML_ERROR,
+ _("unexpected root element <%s>, "
+ "expecting <network>"),
+ root->name);
return NULL;
}
diff --git a/src/conf/node_device_conf.c b/src/conf/node_device_conf.c
index fc284e0..084121f 100644
--- a/src/conf/node_device_conf.c
+++ b/src/conf/node_device_conf.c
@@ -1204,8 +1204,10 @@ virNodeDeviceDefParseNode(xmlDocPtr xml,
virNodeDeviceDefPtr def = NULL;
if (!xmlStrEqual(root->name, BAD_CAST "device")) {
- virNodeDeviceReportError(VIR_ERR_INTERNAL_ERROR,
- "%s", _("incorrect root element"));
+ virNodeDeviceReportError(VIR_ERR_XML_ERROR,
+ _("unexpected root element <%s> "
+ "expecting <device>"),
+ root->name);
return NULL;
}
diff --git a/src/conf/secret_conf.c b/src/conf/secret_conf.c
index a51fc69..6e80733 100644
--- a/src/conf/secret_conf.c
+++ b/src/conf/secret_conf.c
@@ -126,8 +126,10 @@ secretXMLParseNode(xmlDocPtr xml, xmlNodePtr root)
char *uuidstr = NULL;
if (!xmlStrEqual(root->name, BAD_CAST "secret")) {
- virSecretReportError(VIR_ERR_XML_ERROR, "%s",
- _("incorrect root element"));
+ virSecretReportError(VIR_ERR_XML_ERROR,
+ _("unexpected root element <%s>, "
+ "expecting <secret>"),
+ root->name);
goto cleanup;
}
diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c
index ad06974..14399cc 100644
--- a/src/security/virt-aa-helper.c
+++ b/src/security/virt-aa-helper.c
@@ -644,7 +644,7 @@ caps_mockup(vahControl * ctl, const char *xmlStr)
}
if (!xmlStrEqual(ctxt->node->name, BAD_CAST "domain")) {
- vah_error(NULL, 0, _("incorrect root element"));
+ vah_error(NULL, 0, _("unexpected root element, expecting <domain>"));
goto cleanup;
}
--
1.7.3.4
12 years, 12 months
