December 2012 - Devel - libvirt List Archives

[libvirt] RFC: Enable Libvirt to handle OVA installation
by Ata Bohra 07 Dec '12

07 Dec '12

This is a proposal to enhance Libvirt library to handle OVA package installation. OVA: OVA is one of the widely accepted and consortium defined/maintained format for Virtual Machine distros. Technically it is a tar file with three main components: 1. VMX descriptor (XML file defining virtual machine specifics such as: virtual hardware etc. 2. VMDKs in a compressed format. 3. Manifest file. Proposal: 1. Expose a public API method to allow an application to invoke OVA installation with a file pointer to OVA file. 2. OVA util file: This file understands the OVA formats and rips out the given package to extract specific information: 2.1. int get_vmx(char *vmx): method can return VMX descriptor associated with a given OVA file. 2.2. int get_vmdks(struct ova_type *ova): method that seek the OVA file and populate ova_type struct which may look like; typedef struct disk_list_tag { char *file_name; off_t file_size; off_t file_offset; struct disk_list_tag *next; }; typedef struct ova_type { int num_vmdks; ova_list *head; } 2. Hypervisor specific changes: It can be done in more than one way: 2.1: Enhance hypervisor driver function to implement hypervisor specific routines to perform OVA installations. 2.2.: Append a new driver to handle OVA installation such as virOvaDriver, main routines can be: open() : parse OVA using util functions. close() list_disk(): may display disk names install() (Please suggest if there can be more routines to this driver, it can be enhanced later as well). It is possible to design this driver to handle OVA parsing as well, but I think keeping it in 'util' may make that code available for all hypervisors given OVA format does not change per hypervisor. I'm inclined more towards 2.2 design as it is more generic and provides room for furture extensions. Looking forward for comments/suggestions. Thanks!Ata

4 6

[libvirt] [PATCHv2] util: Fix virGet{User, Group}IDByName when the user/group cannot be found
by Christophe Fergeau 06 Dec '12

06 Dec '12

Here is the v2 of this patch series. Changes since v1: - return an error only for documented error values returnef from getpwnam_r/getgrnam_r instead of trying to guess what error values mean 'entry not found' - this addresses the indenting comment raised by Osier

3 6

[libvirt] libvirt current git & F18
by Gene Czarcinski 06 Dec '12

06 Dec '12

Anyone know of problems with the libvirt based on today's git and Fedora 18. Trying to rebuild some rpms which build fine on Fedora 17 fail on Fedora 18. It appears that it may be related to xen-devel. Gene

3 3

[libvirt] [PATCHv3 0/3] IPv6 enhancements; put dnsmasq parameters in conf-file
by Gene Czarcinski 06 Dec '12

06 Dec '12

Rebased 3 December 2012 These three patch files are packaged together because they serially depend on each other. This version includes updates to add the ipv6='yes' for enabling the guest-to-guest communications. The DHCPv6 support checks dnsmasq's version and requires a minimum of 2.64. Also, using dnsmasq for providing the RA service is checked against the dnsmasq version and is currently 2.64. There are separate checks for DHCPv6 and Router Advertising support by dnsmasq. As with IPv4, IPv6 DHCP is only one subnetwork on an interface. Additionally, if other IPv6 addresses are defined, a warning message is issued since the Router Advertisement service will support only state-full (DHCP) or state-less (SLAAC) addressing on a network interface (not both). Thus, the additional subnetworks will need to be manually configured to properly function. If dnsmasq provides the RA service, it also points to itself as a RDNSS (Recursive DNS Server) as part of the information is supplies. If IPv6 DHCP is not being run, then SLAAC addressing is supported for any IPv6 addresses specified. Gene Czarcinski (3): v2.0: allow guest to guest IPv6 without gateway definition v8.2 add support for DHCPv6 v7.9: put dnsmasq parameters into conf-file docs/formatnetwork.html.in | 136 ++++- docs/schemas/network.rng | 22 +- src/conf/network_conf.c | 108 ++-- src/conf/network_conf.h | 5 + src/network/bridge_driver.c | 594 ++++++++++++++------- src/network/bridge_driver.h | 7 +- src/util/dnsmasq.c | 9 +- tests/networkxml2argvdata/dhcp6-nat-network.argv | 14 + tests/networkxml2argvdata/dhcp6-nat-network.xml | 24 + tests/networkxml2argvdata/dhcp6-network.argv | 14 + tests/networkxml2argvdata/dhcp6-network.xml | 14 + .../dhcp6host-routed-network.argv | 12 + .../dhcp6host-routed-network.xml | 19 + tests/networkxml2argvdata/isolated-network.argv | 25 +- .../networkxml2argvdata/nat-network-dns-hosts.argv | 14 +- .../nat-network-dns-srv-record-minimal.argv | 34 +- .../nat-network-dns-srv-record.argv | 24 +- .../nat-network-dns-txt-record.argv | 22 +- tests/networkxml2argvdata/nat-network.argv | 22 +- tests/networkxml2argvdata/netboot-network.argv | 28 +- .../networkxml2argvdata/netboot-proxy-network.argv | 26 +- tests/networkxml2argvdata/routed-network.argv | 11 +- tests/networkxml2argvtest.c | 47 +- 23 files changed, 876 insertions(+), 355 deletions(-) create mode 100644 tests/networkxml2argvdata/dhcp6-nat-network.argv create mode 100644 tests/networkxml2argvdata/dhcp6-nat-network.xml create mode 100644 tests/networkxml2argvdata/dhcp6-network.argv create mode 100644 tests/networkxml2argvdata/dhcp6-network.xml create mode 100644 tests/networkxml2argvdata/dhcp6host-routed-network.argv create mode 100644 tests/networkxml2argvdata/dhcp6host-routed-network.xml -- 1.7.11.7

3 18

[libvirt] [jenkins@libvirt.sigxcpu.org: Build failed in Jenkins: libvirt-tck-debian-wheezy-qemu-session #227]
by Guido Günther 06 Dec '12

06 Dec '12

Hi, this commit ae2163f852448fafce3bfcb2814e823d18e394ea Only let VM drivers block libvirtd timed shutdown broke the libvirt-tck integration build with qemu:///session: http://honk.sigxcpu.org:8001/job/libvirt-tck-debian-wheezy-qemu-session/227… I won't have a chance to look into this in detail the near future but I thought I'd at least send out a notice. Cheers, -- Guido

3 6

[libvirt] [PATCH] dnsmasq: Fix parsing of the version number
by Michal Privoznik 06 Dec '12

06 Dec '12

If the debugging is enabled, the virCommand subsystem catches debug messages in the command output as well. In that case, we can't assume the string corresponding to command's stdout will start with specific prefix. But the prefix can be moved deeper in the string. This bug shows itself when parsing dnsmasq output: 2012-12-06 11:18:11.445+0000: 18491: error : dnsmasqCapsSetFromBuffer:664 : internal error cannot parse /usr/sbin/dnsmasq version number in '2012-12-06 11:11:02.232+0000: 18492: debug : virFileClose:72 : Closed fd 22' We can clearly see that the output of dnsmasq --version doesn't start with expected "Dnsmasq version " string but a libvirt debug output. --- src/util/dnsmasq.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) diff --git a/src/util/dnsmasq.c b/src/util/dnsmasq.c index 4f210d2..de0293a 100644 --- a/src/util/dnsmasq.c +++ b/src/util/dnsmasq.c @@ -641,9 +641,9 @@ dnsmasqCapsSetFromBuffer(dnsmasqCapsPtr caps, const char *buf) caps->noRefresh = true; - p = STRSKIP(buf, DNSMASQ_VERSION_STR); - if (!p) + if (!(p = strstr(buf, DNSMASQ_VERSION_STR))) goto fail; + p += sizeof(DNSMASQ_VERSION_STR) - 1; virSkipSpaces(&p); if (virParseVersionString(p, &caps->version, true) < 0) goto fail; -- 1.7.8.6

3 6

[libvirt] [PATCH 1/1] add vnc unix sockets to apparmor policy
by Serge Hallyn 06 Dec '12

06 Dec '12

When using vnc gaphics over a unix socket, virt-aa-helper needs to provide access for the qemu domain to access the sockfile. Signed-off-by: Serge Hallyn <serge.hallyn(a)ubuntu.com> --- src/security/virt-aa-helper.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c index e480b30..c6b9903 100644 --- a/src/security/virt-aa-helper.c +++ b/src/security/virt-aa-helper.c @@ -1003,6 +1003,13 @@ get_files(vahControl * ctl) if (vah_add_file(&buf, ctl->def->os.loader, "r") != 0) goto clean; + for (i = 0; i < ctl->def->ngraphics; i++) { + if (ctl->def->graphics[i]->type == VIR_DOMAIN_GRAPHICS_TYPE_VNC && + ctl->def->graphics[i]->data.vnc.socket && + vah_add_file(&buf, ctl->def->graphics[i]->data.vnc.socket, "rw")) + goto clean; + } + if (ctl->def->ngraphics == 1 && ctl->def->graphics[0]->type == VIR_DOMAIN_GRAPHICS_TYPE_SDL) if (vah_add_file(&buf, ctl->def->graphics[0]->data.sdl.xauth, -- 1.7.10.4

1 0

[libvirt] add security hook for permitting hugetlbfs access (v2)
by Serge Hallyn 06 Dec '12

06 Dec '12

When a qemu domain is backed by huge pages, apparmor needs to grant the domain rw access to files under the hugetlbfs mount point. Add a hook, called in qemu_process.c, which ends up adding the read-write access through virt-aa-helper. Qemu will be creating a randomly named file under the mountpoint and unlinking it as soon as it has mmap()d it, therefore we cannot predict the full pathname, but for the same reason it is generally safe to provide access to $path/**. Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/646468 Changelog: (v2) use virBuffer in place of snprintf. Index: libvirt/src/qemu/qemu_process.c =================================================================== --- libvirt.orig/src/qemu/qemu_process.c 2012-12-06 11:50:48.354763986 -0600 +++ libvirt/src/qemu/qemu_process.c 2012-12-06 11:57:58.234773649 -0600 @@ -3475,6 +3475,15 @@ } virDomainAuditSecurityLabel(vm, true); + if (driver->hugepage_path && vm->def->mem.hugepage_backed) { + if (virSecurityManagerSetHugepages(driver->securityManager, + vm->def, driver->hugepage_path) < 0) { + virReportError(VIR_ERR_INTERNAL_ERROR, + "%s", _("Unable to set huge path in security driver")); + goto cleanup; + } + } + /* Ensure no historical cgroup for this VM is lying around bogus * settings */ VIR_DEBUG("Ensuring no historical cgroup is lying around"); Index: libvirt/src/security/security_apparmor.c =================================================================== --- libvirt.orig/src/security/security_apparmor.c 2012-12-06 11:50:48.354763986 -0600 +++ libvirt/src/security/security_apparmor.c 2012-12-06 11:58:23.286774213 -0600 @@ -840,6 +840,31 @@ } static int +ApparmorSetHugepages(virSecurityManagerPtr mgr, + virDomainDefPtr def, + const char *path) +{ + const virSecurityLabelDefPtr secdef = + virDomainDefGetSecurityLabelDef(def, SECURITY_APPARMOR_NAME); + int ret = -1; + virBuffer buf = VIR_BUFFER_INITIALIZER; + char *newpath; + + if (!secdef) + return -1; + + if (secdef->imagelabel == NULL) + return 0; + + virBufferAsprintf(&buf, "%s/**", path); + newpath = virBufferCurrentContent(&buf); + if (newpath) + ret = reload_profile(mgr, def, newpath, true); + virBufferFreeAndReset(&buf); + return ret; +} + +static int AppArmorSetFDLabel(virSecurityManagerPtr mgr, virDomainDefPtr def, int fd) @@ -908,4 +933,6 @@ .domainSetSecurityImageFDLabel = AppArmorSetFDLabel, .domainSetSecurityTapFDLabel = AppArmorSetFDLabel, + + .domainSetSecurityHugepages = ApparmorSetHugepages, }; Index: libvirt/src/security/security_manager.c =================================================================== --- libvirt.orig/src/security/security_manager.c 2012-12-06 11:50:48.354763986 -0600 +++ libvirt/src/security/security_manager.c 2012-12-06 11:57:58.238773649 -0600 @@ -511,3 +511,13 @@ list[1] = NULL; return list; } + +int virSecurityManagerSetHugepages(virSecurityManagerPtr mgr, + virDomainDefPtr vm, + const char *path) +{ + if (mgr->drv->domainSetSecurityHugepages) + return mgr->drv->domainSetSecurityHugepages(mgr, vm, path); + + return 0; +} Index: libvirt/src/security/security_manager.h =================================================================== --- libvirt.orig/src/security/security_manager.h 2012-12-06 11:50:48.354763986 -0600 +++ libvirt/src/security/security_manager.h 2012-12-06 11:57:58.238773649 -0600 @@ -112,5 +112,8 @@ virDomainDefPtr vm); virSecurityManagerPtr* virSecurityManagerGetNested(virSecurityManagerPtr mgr); +int virSecurityManagerSetHugepages(virSecurityManagerPtr mgr, + virDomainDefPtr sec, + const char *hugepages_path); #endif /* VIR_SECURITY_MANAGER_H__ */ Index: libvirt/src/security/security_driver.h =================================================================== --- libvirt.orig/src/security/security_driver.h 2012-12-06 11:50:48.354763986 -0600 +++ libvirt/src/security/security_driver.h 2012-12-06 11:57:58.238773649 -0600 @@ -100,6 +100,9 @@ int fd); typedef char *(*virSecurityDomainGetMountOptions) (virSecurityManagerPtr mgr, virDomainDefPtr def); +typedef int (*virSecurityDomainSetHugepages) (virSecurityManagerPtr mgr, + virDomainDefPtr def, + const char *path); struct _virSecurityDriver { size_t privateDataLen; @@ -140,6 +143,7 @@ virSecurityDomainSetTapFDLabel domainSetSecurityTapFDLabel; virSecurityDomainGetMountOptions domainGetSecurityMountOptions; + virSecurityDomainSetHugepages domainSetSecurityHugepages; }; virSecurityDriverPtr virSecurityDriverLookup(const char *name, Index: libvirt/src/libvirt_private.syms =================================================================== --- libvirt.orig/src/libvirt_private.syms 2012-12-06 11:50:48.354763986 -0600 +++ libvirt/src/libvirt_private.syms 2012-12-06 11:57:58.238773649 -0600 @@ -1052,6 +1052,7 @@ virSecurityManagerStackAddNested; virSecurityManagerVerify; virSecurityManagerGetMountOptions; +virSecurityManagerSetHugepages; # sexpr.h sexpr_append; Index: libvirt/src/security/security_stack.c =================================================================== --- libvirt.orig/src/security/security_stack.c 2012-12-06 11:50:48.354763986 -0600 +++ libvirt/src/security/security_stack.c 2012-12-06 11:57:58.238773649 -0600 @@ -462,6 +462,23 @@ return rc; } +static int +virSecurityStackSetHugepages(virSecurityManagerPtr mgr, + virDomainDefPtr vm, + const char *path) +{ + virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr); + virSecurityStackItemPtr item = priv->itemsHead; + int rc = 0; + + for (; item; item = item->next) { + if (virSecurityManagerSetHugepages(item->securityManager, vm, path) < 0) + rc = -1; + } + + return rc; +} + static char *virSecurityStackGetMountOptions(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, virDomainDefPtr vm ATTRIBUTE_UNUSED) { return NULL; @@ -529,4 +546,6 @@ .domainSetSecurityTapFDLabel = virSecurityStackSetTapFDLabel, .domainGetSecurityMountOptions = virSecurityStackGetMountOptions, + + .domainSetSecurityHugepages = virSecurityStackSetHugepages, };

1 0

[libvirt] [PATCH] network: prevent a few invalid configuration combinations
by Laine Stump 06 Dec '12

06 Dec '12

This resolves: https://bugzilla.redhat.com/show_bug.cgi?id=767057 It was possible to define a network with <forward mode='bridge'> that had both a bridge device and a forward device defined. These two are mutually exclusive by definition (if you are using a bridge device, then this is a host bridge, and if you have a forward dev defined, this is using macvtap). It was also possible to put <ip>, <dns>, and <domain> elements in this definition, although those aren't supported by the current driver (although it's conceivable that some other driver might support that). The items that are invalid by definition, are now checked in the XML parser (since they will definitely *always* be wrong), and the others are checked in networkValidate() in the network driver (since, as mentioned, it's possible that some other network driver, or even this one, could some day support setting those). --- src/conf/network_conf.c | 9 +++++++++ src/libvirt_private.syms | 1 + src/network/bridge_driver.c | 29 +++++++++++++++++++++++++++++ 3 files changed, 39 insertions(+) diff --git a/src/conf/network_conf.c b/src/conf/network_conf.c index 6ce2e63..06932d8 100644 --- a/src/conf/network_conf.c +++ b/src/conf/network_conf.c @@ -1577,6 +1577,15 @@ virNetworkDefParseXML(xmlXPathContextPtr ctxt) def->name); goto error; } + if (def->bridge && (def->nForwardIfs || nForwardPfs)) { + virReportError(VIR_ERR_XML_ERROR, + _("A network with forward mode='%s' can specify " + "a bridge name or a forward dev, but not " + "both (network '%s')"), + virNetworkForwardTypeToString(def->forwardType), + def->name); + goto error; + } break; } } diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms index 946bb20..bc01fe5 100644 --- a/src/libvirt_private.syms +++ b/src/libvirt_private.syms @@ -857,6 +857,7 @@ virNetworkDefParseString; virNetworkDeleteConfig; virNetworkFindByName; virNetworkFindByUUID; +virNetworkForwardTypeToString; virNetworkIpDefNetmask; virNetworkIpDefPrefix; virNetworkList; diff --git a/src/network/bridge_driver.c b/src/network/bridge_driver.c index e8be00a..0893e9b 100644 --- a/src/network/bridge_driver.c +++ b/src/network/bridge_driver.c @@ -2733,6 +2733,35 @@ networkValidate(struct network_driver *driver, return -1; virNetworkSetBridgeMacAddr(def); + } else { + /* They are also the only types that currently support setting + * an IP address for the host-side device (bridge) + */ + if (virNetworkDefGetIpByIndex(def, AF_UNSPEC, 0)) { + virReportError(VIR_ERR_CONFIG_UNSUPPORTED, + _("Unsupported <ip> element in network %s " + "with forward mode='%s'"), + def->name, + virNetworkForwardTypeToString(def->forwardType)); + return -1; + } + if (def->dns && + (def->dns->ntxtrecords || def->dns->nhosts || def->dns->nsrvrecords)) { + virReportError(VIR_ERR_CONFIG_UNSUPPORTED, + _("Unsupported <dns> element in network %s " + "with forward mode='%s'"), + def->name, + virNetworkForwardTypeToString(def->forwardType)); + return -1; + } + if (def->domain) { + virReportError(VIR_ERR_CONFIG_UNSUPPORTED, + _("Unsupported <domain> element in network %s " + "with forward mode='%s'"), + def->name, + virNetworkForwardTypeToString(def->forwardType)); + return -1; + } } /* We only support dhcp on one IPv4 address per defined network */ -- 1.7.11.7

3 3

[libvirt] [PATCH] maint: Sort util source file definitions in makefile
by Peter Krempa 06 Dec '12

06 Dec '12

--- src/Makefile.am | 32 ++++++++++++++++---------------- 1 file changed, 16 insertions(+), 16 deletions(-) diff --git a/src/Makefile.am b/src/Makefile.am index 1a2f94f..9aff77a 100644 --- a/src/Makefile.am +++ b/src/Makefile.am @@ -54,44 +54,37 @@ augeastest_DATA = UTIL_SOURCES = \ util/bitmap.c util/bitmap.h \ util/buf.c util/buf.h \ + util/cgroup.c util/cgroup.h \ util/command.c util/command.h \ util/conf.c util/conf.h \ - util/cgroup.c util/cgroup.h \ + util/dnsmasq.c util/dnsmasq.h \ + util/ebtables.c util/ebtables.h \ util/event.c util/event.h \ util/event_poll.c util/event_poll.h \ util/hooks.c util/hooks.h \ + util/hostusb.c util/hostusb.h \ util/iptables.c util/iptables.h \ - util/ebtables.c util/ebtables.h \ - util/dnsmasq.c util/dnsmasq.h \ util/json.c util/json.h \ util/logging.c util/logging.h \ util/memory.c util/memory.h \ util/pci.c util/pci.h \ util/processinfo.c util/processinfo.h \ - util/hostusb.c util/hostusb.h \ util/sexpr.c util/sexpr.h \ util/stats_linux.c util/stats_linux.h \ util/storage_file.c util/storage_file.h \ util/sysinfo.c util/sysinfo.h \ - util/threads.c util/threads.h \ + util/threadpool.c util/threadpool.h \ util/threads-pthread.h \ util/threads-win32.h \ - util/threadpool.c util/threadpool.h \ - util/uuid.c util/uuid.h \ + util/threads.c util/threads.h \ util/util.c util/util.h \ + util/uuid.c util/uuid.h \ util/viratomic.h util/viratomic.c \ util/viraudit.c util/viraudit.h \ util/virauth.c util/virauth.h \ util/virauthconfig.c util/virauthconfig.h \ - util/virfile.c util/virfile.h \ - util/virnodesuspend.c util/virnodesuspend.h \ - util/virobject.c util/virobject.h \ - util/virpidfile.c util/virpidfile.h \ - util/virprocess.c util/virprocess.h \ - util/virtypedparam.c util/virtypedparam.h \ - util/xml.c util/xml.h \ - util/virterror.c util/virterror_internal.h \ util/virdbus.c util/virdbus.h \ + util/virfile.c util/virfile.h \ util/virhash.c util/virhash.h \ util/virhashcode.c util/virhashcode.h \ util/virinitctl.c util/virinitctl.h \ @@ -110,11 +103,18 @@ UTIL_SOURCES = \ util/virnetdevvlan.h util/virnetdevvlan.c \ util/virnetdevvportprofile.h util/virnetdevvportprofile.c \ util/virnetlink.c util/virnetlink.h \ + util/virnodesuspend.c util/virnodesuspend.h \ + util/virobject.c util/virobject.h \ + util/virpidfile.c util/virpidfile.h \ + util/virprocess.c util/virprocess.h \ util/virrandom.h util/virrandom.c \ util/virsocketaddr.h util/virsocketaddr.c \ util/virstring.h util/virstring.c \ + util/virterror.c util/virterror_internal.h \ util/virtime.h util/virtime.c \ - util/viruri.h util/viruri.c + util/virtypedparam.c util/virtypedparam.h \ + util/viruri.h util/viruri.c \ + util/xml.c util/xml.h EXTRA_DIST += $(srcdir)/util/virkeymaps.h $(srcdir)/util/keymaps.csv \ $(srcdir)/util/virkeycode-mapgen.py -- 1.8.0

2 2