[libvirt] [TCK] nwfilter: add tests for reject, drop and accept targets
by Stefan Berger
This patch adds test cases for the reject, drop and accept targets.
Signed-off-by: Stefan Berger <stefanb(a)linux.vnet.ibm.com>
---
scripts/nwfilter/nwfilterxml2fwallout/target-test.fwall | 61
++++++++++++++
scripts/nwfilter/nwfilterxml2xmlin/target-test.xml | 66
++++++++++++++++
scripts/nwfilter/nwfilterxml2xmlin/target-test2.xml | 18 ++++
3 files changed, 145 insertions(+)
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/target-test.xml
===================================================================
--- /dev/null
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/target-test.xml
@@ -0,0 +1,66 @@
+<filter name='tck-testcase' chain='root'>
+ <uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid>
+ <rule action='accept' direction='out'>
+ <all srcmacaddr='1:2:3:4:5:6'
+ dstipaddr='10.1.2.3' dstipmask='255.255.255.255'
+ dscp='2' comment='accept rule -- dir out'/>
+ </rule>
+ <rule action='drop' direction='out'>
+ <all srcmacaddr='1:2:3:4:5:6'
+ dstipaddr='10.1.2.3' dstipmask='255.255.255.255'
+ dscp='2' comment='drop rule -- dir out'/>
+ </rule>
+ <rule action='reject' direction='out'>
+ <all srcmacaddr='1:2:3:4:5:6'
+ dstipaddr='10.1.2.3' dstipmask='255.255.255.255'
+ dscp='2' comment='reject rule -- dir out'/>
+ </rule>
+ <rule action='accept' direction='in'>
+ <all srcmacaddr='1:2:3:4:5:6'
+ srcipaddr='10.1.2.3' srcipmask='22'
+ dscp='33' comment='accept rule -- dir in'/>
+ </rule>
+ <rule action='drop' direction='in'>
+ <all srcmacaddr='1:2:3:4:5:6'
+ srcipaddr='10.1.2.3' srcipmask='22'
+ dscp='33' comment='drop rule -- dir in'/>
+ </rule>
+ <rule action='reject' direction='in'>
+ <all srcmacaddr='1:2:3:4:5:6'
+ srcipaddr='10.1.2.3' srcipmask='22'
+ dscp='33' comment='reject rule -- dir in'/>
+ </rule>
+ <rule action='accept' direction='inout'>
+ <all comment='accept rule -- dir inout'/>
+ </rule>
+ <rule action='drop' direction='in'>
+ <all comment='drop rule -- dir inout'/>
+ </rule>
+ <rule action='reject' direction='in'>
+ <all comment='reject rule -- dir inout'/>
+ </rule>
+ <rule action='accept' direction='out'>
+ <mac srcmacaddr='1:2:3:4:5:6' srcmacmask='ff:ff:ff:ff:ff:ff'
+ protocolid='arp'/>
+ </rule>
+ <rule action='drop' direction='out'>
+ <mac srcmacaddr='1:2:3:4:5:6' srcmacmask='ff:ff:ff:ff:ff:ff'
+ protocolid='arp'/>
+ </rule>
+ <rule action='reject' direction='out'>
+ <mac srcmacaddr='1:2:3:4:5:6' srcmacmask='ff:ff:ff:ff:ff:ff'
+ protocolid='arp'/>
+ </rule>
+ <rule action='accept' direction='in'>
+ <mac dstmacaddr='aa:bb:cc:dd:ee:ff' dstmacmask='ff:ff:ff:ff:ff:ff'
+ protocolid='ipv4'/>
+ </rule>
+ <rule action='drop' direction='in'>
+ <mac dstmacaddr='aa:bb:cc:dd:ee:ff' dstmacmask='ff:ff:ff:ff:ff:ff'
+ protocolid='ipv4'/>
+ </rule>
+ <rule action='reject' direction='in'>
+ <mac dstmacaddr='aa:bb:cc:dd:ee:ff' dstmacmask='ff:ff:ff:ff:ff:ff'
+ protocolid='ipv4'/>
+ </rule>
+</filter>
Index:
libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/target-test.fwall
===================================================================
--- /dev/null
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/target-test.fwall
@@ -0,0 +1,61 @@
+#iptables -L FI-vnet0 -n
+Chain FI-vnet0 (1 references)
+target prot opt source destination
+RETURN all -- 0.0.0.0/0 10.1.2.3 MAC
01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED ctdir REPLY/*
accept rule -- dir out */
+DROP all -- 0.0.0.0/0 10.1.2.3 MAC
01:02:03:04:05:06 DSCP match 0x02/* drop rule -- dir out */
+REJECT all -- 0.0.0.0/0 10.1.2.3 MAC
01:02:03:04:05:06 DSCP match 0x02/* reject rule -- dir out */
reject-with icmp-port-unreachable
+RETURN all -- 0.0.0.0/0 10.1.0.0/22 DSCP match
0x21state ESTABLISHED ctdir ORIGINAL/* accept rule -- dir in */
+DROP all -- 0.0.0.0/0 10.1.0.0/22 DSCP match
0x21/* drop rule -- dir in */
+REJECT all -- 0.0.0.0/0 10.1.0.0/22 DSCP match
0x21/* reject rule -- dir in */ reject-with icmp-port-unreachable
+RETURN all -- 0.0.0.0/0 0.0.0.0/0 /* accept
rule -- dir inout */
+DROP all -- 0.0.0.0/0 0.0.0.0/0 /* drop
rule -- dir inout */
+REJECT all -- 0.0.0.0/0 0.0.0.0/0 /* reject
rule -- dir inout */ reject-with icmp-port-unreachable
+#iptables -L FO-vnet0 -n
+Chain FO-vnet0 (1 references)
+target prot opt source destination
+ACCEPT all -- 10.1.2.3 0.0.0.0/0 DSCP match
0x02state ESTABLISHED ctdir ORIGINAL/* accept rule -- dir out */
+DROP all -- 10.1.2.3 0.0.0.0/0 DSCP match
0x02/* drop rule -- dir out */
+REJECT all -- 10.1.2.3 0.0.0.0/0 DSCP match
0x02/* reject rule -- dir out */ reject-with icmp-port-unreachable
+ACCEPT all -- 10.1.0.0/22 0.0.0.0/0 MAC
01:02:03:04:05:06 DSCP match 0x21state NEW,ESTABLISHED ctdir REPLY/*
accept rule -- dir in */
+DROP all -- 10.1.0.0/22 0.0.0.0/0 MAC
01:02:03:04:05:06 DSCP match 0x21/* drop rule -- dir in */
+REJECT all -- 10.1.0.0/22 0.0.0.0/0 MAC
01:02:03:04:05:06 DSCP match 0x21/* reject rule -- dir in */ reject-with
icmp-port-unreachable
+ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 /* accept
rule -- dir inout */
+DROP all -- 0.0.0.0/0 0.0.0.0/0 /* drop
rule -- dir inout */
+REJECT all -- 0.0.0.0/0 0.0.0.0/0 /* reject
rule -- dir inout */ reject-with icmp-port-unreachable
+#iptables -L HI-vnet0 -n
+Chain HI-vnet0 (1 references)
+target prot opt source destination
+RETURN all -- 0.0.0.0/0 10.1.2.3 MAC
01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED ctdir REPLY/*
accept rule -- dir out */
+DROP all -- 0.0.0.0/0 10.1.2.3 MAC
01:02:03:04:05:06 DSCP match 0x02/* drop rule -- dir out */
+REJECT all -- 0.0.0.0/0 10.1.2.3 MAC
01:02:03:04:05:06 DSCP match 0x02/* reject rule -- dir out */
reject-with icmp-port-unreachable
+RETURN all -- 0.0.0.0/0 10.1.0.0/22 DSCP match
0x21state ESTABLISHED ctdir ORIGINAL/* accept rule -- dir in */
+DROP all -- 0.0.0.0/0 10.1.0.0/22 DSCP match
0x21/* drop rule -- dir in */
+REJECT all -- 0.0.0.0/0 10.1.0.0/22 DSCP match
0x21/* reject rule -- dir in */ reject-with icmp-port-unreachable
+RETURN all -- 0.0.0.0/0 0.0.0.0/0 /* accept
rule -- dir inout */
+DROP all -- 0.0.0.0/0 0.0.0.0/0 /* drop
rule -- dir inout */
+REJECT all -- 0.0.0.0/0 0.0.0.0/0 /* reject
rule -- dir inout */ reject-with icmp-port-unreachable
+#iptables -L libvirt-host-in -n | grep vnet0 | tr -s " "
+HI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in
vnet0
+#iptables -L libvirt-in -n | grep vnet0 | tr -s " "
+FI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in
vnet0
+#iptables -L libvirt-in-post -n | grep vnet0
+ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV
match --physdev-in vnet0
+#iptables -L libvirt-out -n | grep vnet0 | tr -s " "
+FO-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-out
vnet0
+#iptables -L FORWARD --line-number | grep libvirt
+1 libvirt-in all -- anywhere anywhere
+2 libvirt-out all -- anywhere anywhere
+3 libvirt-in-post all -- anywhere
anywhere
+#ebtables -t nat -L PREROUTING | grep vnet0 | grep -v "^Bridge" | grep
-v "^$"
+-i vnet0 -j libvirt-I-vnet0
+#ebtables -t nat -L POSTROUTING | grep vnet0 | grep -v "^Bridge" | grep
-v "^$"
+-o vnet0 -j libvirt-O-vnet0
+#ebtables -t nat -L libvirt-I-vnet0 | grep -v "^Bridge" | grep -v "^$"
+-p ARP -s 1:2:3:4:5:6 -j ACCEPT
+-p ARP -s 1:2:3:4:5:6 -j DROP
+-p ARP -s 1:2:3:4:5:6 -j DROP
+#ebtables -t nat -L libvirt-O-vnet0 | grep -v "^Bridge" | grep -v "^$"
+-p IPv4 -d aa:bb:cc:dd:ee:ff -j ACCEPT
+-p IPv4 -d aa:bb:cc:dd:ee:ff -j DROP
+-p IPv4 -d aa:bb:cc:dd:ee:ff -j DROP
+
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/target-test2.xml
===================================================================
--- /dev/null
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/target-test2.xml
@@ -0,0 +1,18 @@
+<filter name='tck-testcase' chain='root'>
+ <uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid>
+ <rule action='accept' direction='in'>
+ <tcp dstportstart='22' state='NONE'/>
+ </rule>
+ <rule action='accept' direction='out'>
+ <tcp srcportstart='22' state='NONE'/>
+ </rule>
+ <rule action='accept' direction='in'>
+ <tcp dstportstart='80'/>
+ </rule>
+ <rule action='reject' direction='inout'>
+ <tcp/>
+ </rule>
+ <rule action='drop' direction='inout'>
+ <all/>
+ </rule>
+</filter>
14 years
[libvirt] [PATCH] qemu: Fix media eject with qemu-0.12.*
by Jiri Denemark
In qemu-0.12.* "device '...' is locked" message was changed to "Device
..." so libvirt was no longer detecting this as an error.
---
bootstrap.conf | 1 +
src/qemu/qemu_monitor_text.c | 2 +-
2 files changed, 2 insertions(+), 1 deletions(-)
diff --git a/bootstrap.conf b/bootstrap.conf
index 6070204..6e10828 100644
--- a/bootstrap.conf
+++ b/bootstrap.conf
@@ -63,6 +63,7 @@ sigpipe
snprintf
socket
stpcpy
+strcasestr
strchrnul
strndup
strerror
diff --git a/src/qemu/qemu_monitor_text.c b/src/qemu/qemu_monitor_text.c
index 75b2995..7ebe62e 100644
--- a/src/qemu/qemu_monitor_text.c
+++ b/src/qemu/qemu_monitor_text.c
@@ -934,7 +934,7 @@ int qemuMonitorTextEjectMedia(qemuMonitorPtr mon,
/* If the command failed qemu prints:
* device not found, device is locked ...
* No message is printed on success it seems */
- if (strstr(reply, "device ")) {
+ if (strcasestr(reply, "device ")) {
qemuReportError(VIR_ERR_OPERATION_FAILED,
_("could not eject media on %s: %s"), devname, reply);
goto cleanup;
--
1.7.4.1
14 years
[libvirt] [PATCH] Add support for DNS TXT records
by Michal Novotny
Hi,
this is the patch to add DNS TXT record support to libvirt networking
driver since this is feature that's supported by DNSMasq that's being
used by the bridge driver.
Maybe you fail to understand the reasons why to implement such a feature
however it's a good thing IMHO since user could provide some information
in the DNS TXT record headers. The headers are, of course, configurable
in the network XML description and the idea got to me when I was reading
an article about DKIM (DomainKeys Identified Mail) since it's using TXT
records in the DNS to provide the public keys. This inspired me to
implement the DNS TXT record support to libvirt bridge driver to allow
users expose some information to the guest if they want to do so etc.
Limitations:
- Records names and values containing space (' ') arguments are altered
to change spaces to underscores ('_'). This is because of proper
argument handling when spawning dnsmasq.
Technical details:
The --txt-record argument should be supported by all version of DNSMasq
which allows us to use it in all of the cases for the libvirt bridge
driver. The only thing user has to do is to edit the network XML
description in libvirt and append:
<dns>
<txt_record name='some name' value='some value' />
</dns>
after the DHCP elements of network IP (<ip>) tree. After creating such
a definition user has to restart this virtual network for changes to
take effect, i.e. to spawn DNSMasq with new --txt-record arguments.
User can confirm the proper configuration of DNS TXT records both by
looking to the dnsmasq command-line (i.e. `ps aux | grep dnsmasq`)
where information about --txt-record=some_name,some_value should be
present or test it in the host/guest itself by digging the TXT record
from there, i.e. using `dig TXT some_name @ip` from the host (since
the it's running on the @ip and not the gateway for host) or `dig TXT
some_name` from the guest where the value "some_value" should be output
in both cases.
This has been developed and tested on Fedora i386 box and everything
was working fine.
Michal
Signed-off-by: Michal Novotny <minovotn(a)redhat.com>
---
src/conf/network_conf.c | 64 +++++++++++++++++++++++++++++++++++++++++++
src/conf/network_conf.h | 16 +++++++++++
src/network/bridge_driver.c | 28 +++++++++++++++++++
3 files changed, 108 insertions(+), 0 deletions(-)
diff --git a/src/conf/network_conf.c b/src/conf/network_conf.c
index dcab9de..3e07496 100644
--- a/src/conf/network_conf.c
+++ b/src/conf/network_conf.c
@@ -435,6 +435,53 @@ virNetworkDHCPRangeDefParseXML(const char *networkName,
}
static int
+virNetworkDNSDefParseXML(virNetworkIpDefPtr def,
+ xmlNodePtr node)
+{
+
+ xmlNodePtr cur;
+
+ if (VIR_ALLOC(def->dns)) {
+ virReportOOMError();
+ return -1;
+ }
+
+ cur = node->children;
+ while (cur != NULL) {
+ if (cur->type == XML_ELEMENT_NODE &&
+ xmlStrEqual(cur->name, BAD_CAST "txt_record")) {
+ char *name, *value;
+
+ if (!(name = virXMLPropString(cur, "name"))) {
+ cur = cur->next;
+ continue;
+ }
+ if (!(value = virXMLPropString(cur, "value"))) {
+ VIR_FREE(name);
+ cur = cur->next;
+ continue;
+ }
+
+ if (VIR_REALLOC_N(def->dns->txtrecords, def->dns->ntxtrecords + 1) < 0) {
+ virReportOOMError();
+ return -1;
+ }
+
+ def->dns->txtrecords[def->dns->ntxtrecords].name = strdup(name);
+ def->dns->txtrecords[def->dns->ntxtrecords].value = strdup(value);
+ def->dns->ntxtrecords++;
+
+ VIR_FREE(name);
+ VIR_FREE(value);
+ }
+
+ cur = cur->next;
+ }
+
+ return 0;
+}
+
+static int
virNetworkIPParseXML(const char *networkName,
virNetworkIpDefPtr def,
xmlNodePtr node,
@@ -550,6 +597,12 @@ virNetworkIPParseXML(const char *networkName,
goto error;
} else if (cur->type == XML_ELEMENT_NODE &&
+ xmlStrEqual(cur->name, BAD_CAST "dns")) {
+ result = virNetworkDNSDefParseXML(def, cur);
+ if (result)
+ goto error;
+
+ } else if (cur->type == XML_ELEMENT_NODE &&
xmlStrEqual(cur->name, BAD_CAST "tftp")) {
char *root;
@@ -828,6 +881,17 @@ virNetworkIpDefFormat(virBufferPtr buf,
virBufferAddLit(buf, " </dhcp>\n");
}
+ if ((def->dns != NULL) && (def->dns->ntxtrecords)) {
+ int ii;
+
+ virBufferAddLit(buf, " <dns>\n");
+ for (ii = 0 ; ii < def->dns->ntxtrecords ; ii++) {
+ virBufferVSprintf(buf, " <txt_record name='%s' value='%s' />\n",
+ def->dns->txtrecords[ii].name,
+ def->dns->txtrecords[ii].value);
+ }
+ virBufferAddLit(buf, " </dns>\n");
+ }
virBufferAddLit(buf, " </ip>\n");
diff --git a/src/conf/network_conf.h b/src/conf/network_conf.h
index 281124b..5f47595 100644
--- a/src/conf/network_conf.h
+++ b/src/conf/network_conf.h
@@ -57,6 +57,20 @@ struct _virNetworkDHCPHostDef {
virSocketAddr ip;
};
+typedef struct _virNetworkDNSTxtRecordsDef virNetworkDNSTxtRecordsDef;
+typedef virNetworkDNSTxtRecordsDef *virNetworkDNSTxtRecordsDefPtr;
+struct _virNetworkDNSTxtRecordsDef {
+ char *name;
+ char *value;
+};
+
+struct virNetworkDNSDef {
+ unsigned int ntxtrecords;
+ virNetworkDNSTxtRecordsDefPtr txtrecords;
+} virNetworkDNSDef;
+
+typedef struct virNetworkDNSDef *virNetworkDNSDefPtr;
+
typedef struct _virNetworkIpDef virNetworkIpDef;
typedef virNetworkIpDef *virNetworkIpDefPtr;
struct _virNetworkIpDef {
@@ -75,6 +89,8 @@ struct _virNetworkIpDef {
unsigned int nranges; /* Zero or more dhcp ranges */
virNetworkDHCPRangeDefPtr ranges;
+ virNetworkDNSDefPtr dns; /* DNS related settings for DNSMasq */
+
unsigned int nhosts; /* Zero or more dhcp hosts */
virNetworkDHCPHostDefPtr hosts;
diff --git a/src/network/bridge_driver.c b/src/network/bridge_driver.c
index c30620a..89c1431 100644
--- a/src/network/bridge_driver.c
+++ b/src/network/bridge_driver.c
@@ -442,6 +442,19 @@ networkSaveDnsmasqHostsfile(virNetworkIpDefPtr ipdef,
return 0;
}
+static char *
+replace_all(char *input, int chr1, int chr2)
+{
+ int pos;
+ char *tmp;
+ char *out;
+
+ out = strdup(input);
+ while ((tmp = strchr(out, chr1)) != NULL)
+ out[ strlen(input) - strlen(tmp) ] = chr2;
+
+ return out;
+}
static int
networkBuildDnsmasqArgv(virNetworkObjPtr network,
@@ -497,6 +510,21 @@ networkBuildDnsmasqArgv(virNetworkObjPtr network,
if (network->def->forwardType == VIR_NETWORK_FORWARD_NONE)
virCommandAddArg(cmd, "--dhcp-option=3");
+ if (ipdef->dns != NULL) {
+ int i;
+
+ for (i = 0; i < ipdef->dns->ntxtrecords; i++) {
+ virBuffer buf = VIR_BUFFER_INITIALIZER;
+
+ virBufferVSprintf(&buf, "%s,%s",
+ replace_all(ipdef->dns->txtrecords[i].name, ' ', '_'),
+ replace_all(ipdef->dns->txtrecords[i].value, ' ', '_'));
+
+ virCommandAddArgPair(cmd, "--txt-record", virBufferContentAndReset(&buf));
+ VIR_FREE(buf);
+ }
+ }
+
/*
* --interface does not actually work with dnsmasq < 2.47,
* due to DAD for ipv6 addresses on the interface.
--
1.7.3.2
14 years
[libvirt] [PATCH] do not send monitor command after monitor met error
by Wen Congyang
If the monitor met a error, and we will call qemuProcessHandleMonitorEOF().
But we may try to send monitor command after qemuProcessHandleMonitorEOF()
returned. Then libvirtd will be blocked in qemuMonitorSend().
Steps to reproduce this bug:
1. use gdb to attach libvirtd, and set a breakpoint in the function
qemuConnectMonitor()
2. start a vm
3. let the libvirtd to run until qemuMonitorOpen() returns.
4. kill the qemu process
5. continue running libvirtd
Signed-off-by: Wen Congyang <wency(a)cn.fujitsu.com>
---
src/qemu/qemu_monitor.c | 13 +++++++++++++
1 files changed, 13 insertions(+), 0 deletions(-)
diff --git a/src/qemu/qemu_monitor.c b/src/qemu/qemu_monitor.c
index 800f744..eed83f4 100644
--- a/src/qemu/qemu_monitor.c
+++ b/src/qemu/qemu_monitor.c
@@ -572,6 +572,13 @@ qemuMonitorIO(int watch, int fd, int events, void *opaque) {
mon->msg->lastErrno = EIO;
virCondSignal(&mon->notify);
}
+ /* If qemu quited unexpectedly, and we may try to send monitor
+ * command later. But we have no chance to wake up it. So set
+ * mon->lastErrno to EIO, and check it before sending monitor
+ * command.
+ */
+ if (!mon->lastErrno)
+ mon->lastErrno = EIO;
quit = 1;
} else if (events) {
VIR_ERROR(_("unhandled fd event %d for monitor fd %d"),
@@ -725,6 +732,12 @@ int qemuMonitorSend(qemuMonitorPtr mon,
{
int ret = -1;
+ /* Check whether qemu quited unexpectedly */
+ if (mon->lastErrno) {
+ msg->lastErrno = mon->lastErrno;
+ return -1;
+ }
+
mon->msg = msg;
qemuMonitorUpdateWatch(mon);
--
1.7.1
14 years
[libvirt] cont command failing via JSON monitor on restore
by Jim Fehlig
libvirt 0.8.7
qemu 0.13
I'm looking into a problem with qemu save/restore via JSON monitor. On
restore, the vm is left in a paused state with following error returned
for 'cont' command
An incoming migration is expected before this command can be executed
I was trying to debug the issue in gdb, but stepping through the code
introduces enough delay between qemudStartVMDaemon() and doStartCPUs()
that the latter succeeds. Any suggestions on how to determine when it
is safe to call doStartCPUs() to prevent the above error? I don't see
this issue with the text monitor btw.
Thanks,
Jim
14 years
[libvirt] [RFC] Add persistent XML for cpu tunables
by Osier Yang
Example of cputune XML:
<cputune>
<shares>2048</shares>
<vcpupin vcpu='0' cpuset='0-4,^1'/>
<vcpupin vcpu='1' cpuset='1,3'/>
<vcpupin vcpu='2' cpuset='0,2'/>
</cputune>
"shares" is to define the the proportional weighted cpu share
for the domain.
"vcpupin" is to define the cpu affinities of vcpus, it will
not be displayed if one doesn't specify it explicitly in
XML or set the cpu affinites for vcpu via "vcpupin", means
there will be no vcpupin element in domain XML by default,
and the constraints are:
- Error if one specify entries more than the count of maxvcpus.
- Error when one specify entries for same vcpu.
- Error if value of attribute "vcpu" is more than count of
"maxvcpus - 1".
Attribute "cpuset" works same as "cpuset" of element "vcpu",
reuse the codes for parsing and formating value of "cpuset"
of element "vcpu".
NB, the idea to add persistent XML for "cpushares" is from
"Nikunj A. Dadhania":
https://www.redhat.com/archives/libvir-list/2011-January/msg01183.html
I rebased it and include it together in this patch series.
[PATCH 1/8] cputune: Add xml schema for cputune xml
[PATCH 2/8] cputune: Add document for cputune xml
[PATCH 3/8] cputune: Add data structures presenting cputune xml
[PATCH 4/8] cputune: implementations of parsing and formating cputune xml
[PATCH 5/8] cputune: support cputune for qemu driver
[PATCH 6/8] cputune: support cputune for lxc driver
[PATCH 7/8] cputune: support cputune for xend driver
[PATCH 8/8] cputune: new tests for testing cputune xml
14 years
[libvirt] [PATCH] qemu: fix regression with fd labeling on migration
by Eric Blake
My earlier testing for commit 34fa0de0 was done while starting
just-built libvirt from an unconfined_t shell, where the fds happened
to work when transferring to qemu. But when installed and run under
virtd_t, failure to label the raw file (with no compression) or the
pipe (with compression) triggers SELinux failures when passing fds
over SCM_RIGHTS to svirt_t qemu.
* src/qemu/qemu_migration.c (qemuMigrationToFile): When passing
FDs, make sure they are labeled.
---
This copies the fd-labeling approach added in commit 34a19dda1.
With this patch, I tested both unconfined_t and virtd_t SELinux
process labels for libvirtd (shell start vs. init start).
virsh managedsave dom/virsh start dom
works for both raw and compressed save_image_format, both contexts
virsh save dom file/virsh restore file
works for raw save_image_format, both contexts
works for compressed with virtd_t context
save fails for compressed with unconfined_t context, with the failure
looking identical to the previously-reported failure for restore
in the same settings (https://bugzilla.redhat.com/show_bug.cgi?id=691499)
So I'm reasonably confident that this is a good patch.
src/qemu/qemu_migration.c | 8 ++++++--
1 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/src/qemu/qemu_migration.c b/src/qemu/qemu_migration.c
index 98b9d01..43741e1 100644
--- a/src/qemu/qemu_migration.c
+++ b/src/qemu/qemu_migration.c
@@ -1304,8 +1304,12 @@ qemuMigrationToFile(struct qemud_driver *driver, virDomainObjPtr vm,
if (qemuCaps && qemuCapsGet(qemuCaps, QEMU_CAPS_MIGRATE_QEMU_FD) &&
(!compressor || pipe(pipeFD) == 0)) {
/* All right! We can use fd migration, which means that qemu
- * doesn't have to open() the file, so we don't have to futz
- * around with granting access or revoking it later. */
+ * doesn't have to open() the file, so while we still have to
+ * grant SELinux access, we can do it on fd and avoid cleanup
+ * later, as well as skip futzing with cgroup. */
+ if (virSecurityManagerSetFDLabel(driver->securityManager, vm,
+ compressor ? pipeFD[1] : fd) < 0)
+ goto cleanup;
is_reg = true;
bypassSecurityDriver = true;
} else {
--
1.7.4
14 years
[libvirt] [PATCH] qemu: improve error message on failed fd transfer
by Eric Blake
First fallout of fd: migration - it looks like SELinux enforcing
_does_ require fd labeling (running uninstalled libvirtd from an
unconstrained shell had no problems, but once faked out by doing
chcon `stat -c %C /usr/sbin/libvirtd` daemon/libvirtd
run_init $PWD/daemon/libvirtd
to run it with the same context as an init script service, and with
SELinux enforcing, I got a rather confusing failure:
error: Failed to save domain fedora_12 to fed12.img
error: internal error unable to send TAP file handle: No file descriptor supplied via SCM_RIGHTS
This fixes the error message, then I need to figure out a subsequent
patch that does the fsetfilecon() necessary to keep things happy.
It also appears that libvirtd hangs on a failed fd transfer; I don't
know if that needs an independent fix.
* src/qemu/qemu_monitor_text.c (qemuMonitorTextSendFileHandle):
Improve message, since TAP is no longer only client.
---
src/qemu/qemu_monitor_text.c | 4 ++--
1 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/qemu/qemu_monitor_text.c b/src/qemu/qemu_monitor_text.c
index 75b2995..5b1290b 100644
--- a/src/qemu/qemu_monitor_text.c
+++ b/src/qemu/qemu_monitor_text.c
@@ -1679,0 +1679,0 @@ int qemuMonitorTextSendFileHandle(qemuMonitorPtr mon,
if (STRNEQ(reply, "")) {
qemuReportError(VIR_ERR_INTERNAL_ERROR,
- _("unable to send TAP file handle: %s"),
- reply);
+ _("unable to send file handle '%s': %s"),
+ fdname, reply);
goto cleanup;
}
--
1.7.4
14 years
[libvirt] [PATCHv2 0/8] Additional functionality for libxl driver
by Markus Groß
This series of patches adds new functionality to the libxl driver.
V2:
- Incorporated review from Jim Fehlig
- Allow domainGetSchedulerType only on active domains
- Fix warnings about virDomainObjUnref
Markus Groß (8):
Ignore return value of virDomainObjUnref
Add event callbacks to libxl driver
List authors in copyright headers
Add vcpu functions to libxl driver
Add domainXMLFromNative/domainXMLToNative to libxl driver
Add domainGetSchedulerType to libxl driver
Add domainGetOSType to libxl driver
Add domainSuspend/Resume to libxl driver
configure.ac | 2 +
daemon/Makefile.am | 3 +
src/Makefile.am | 8 +-
src/libxl/libxl_conf.c | 3 +
src/libxl/libxl_conf.h | 11 +-
src/libxl/libxl_driver.c | 823 +++++++++++++++++++++++++++++++++++++++++++++-
src/libxl/libxl_driver.h | 3 +
7 files changed, 832 insertions(+), 21 deletions(-)
--
1.7.4.1
14 years
