April 2013 - Devel - libvirt List Archives

[libvirt] (no subject)
by Dan Walsh 03 Apr '13

03 Apr '13

Most of them effect virt-sandbox-service, with the biggest change beeing the addition of InteractiveContainers. We want to be able to support OpenShift, which requres the abiltiy to run a command within a container environement but does not want to use the systemd/unitfiles. These containers will run a setup script and then a user process to actually run the application. >From Dan Walsh <dwalsh(a)redhat.com> # This line is ignored. From: Dan Walsh <dwalsh(a)redhat.com> Subject: In-Reply-To:

4 36

[libvirt] [PATCH 0/2] Fix numeric overflow in qemu block job handling
by Peter Krempa 03 Apr '13

03 Apr '13

The JSON generator and qemu QMP protocol limit numeric values to LLONG_MAX even for unsigned values. A bug in the code caused numeric overflow when passing through speed parameters to qemu block job commands. Background: https://bugzilla.redhat.com/show_bug.cgi?id=927156 Peter Krempa (2): qemu-JSON: Error out if number is out of range instead of overflowing to negative qemu-blockjob: Fix limit of bandwidth for block jobs to supported value src/qemu/qemu_monitor.c | 21 ++++++++++++--------- src/qemu/qemu_monitor_json.c | 10 ++++++++-- 2 files changed, 20 insertions(+), 11 deletions(-) -- 1.8.1.5

2 6

[libvirt] [PATCH 0/2] Improve security hardening of binaries
by Daniel P. Berrange 03 Apr '13

03 Apr '13

Fedora has a "hardened build" option in RPM specfiles: https://fedoraproject.org/wiki/Packaging:Guidelines#PIE While we could enable that in the RPM, this would only apply to Fedora. Thus these patches directly integrate it in libvirt's configure.ac / Makefile.am files. With these 2 patches all executables gain -fPIE and -z relro -z now. Using the checksec.sh script from http://www.trapkit.de/tools/checksec.html We can see the difference, before: $ ~/checksec.sh --file /usr/sbin/libvirtd 'RELRO STACK CANARY NX PIE RPATH RUNPATH FILE Partial RELRO Canary found NX enabled No PIE No RPATH No RUNPATH /usr/sbin/libvirtd After $ ~/checksec.sh --file /usr/sbin/libvirtd 'RELRO STACK CANARY NX PIE RPATH RUNPATH FILE Full RELRO Canary found NX enabled PIE enabled No RPATH No RUNPATH /usr/sbin/libvirtd

2 4

[libvirt] [libvirt-designer 0/3] A few more cleanups
by Christophe Fergeau 03 Apr '13

03 Apr '13

Hey, here are a few small patches for libvirt-designer to fix a few leaks/polish minor things. Christophe

2 7

[libvirt] [PATCH 1/1] Fix the crash when seclable is freed
by Li Zhang 03 Apr '13

03 Apr '13

From: Li Zhang <zhlcindy(a)linux.vnet.ibm.com> When seclabel's type is VIR_DOMAIN_SECLABEL_NONE, virSecurityLabelDefPtr's members are not allocated. So it will cause crash when calling VIR_FREE. This problem is found when running autotest on PPC. Failed to remove cgroup for virt-tests-vm1 *** glibc detected *** /usr/sbin/libvirtd: free(): invalid pointer: 0x00003fff9c187510 *** ======= Backtrace: ========= /lib64/libc.so.6(+0xb89c4)[0x3fffa9bc89c4] /lib64/libvirt.so.0(virFree-0x3e2320)[0x3fffaa82e9c0] /lib64/libvirt.so.0(virSecurityLabelDefFree-0x378984)[0x3fffaa89d69c] /lib64/libvirt.so.0(virDomainDefFree-0x367c98)[0x3fffaa8ae968] /usr/lib64/libvirt/connection-driver/libvirt_driver_qemu.so(qemuProcessStop-0xc85f8)[0x3fffa2899d58] /usr/lib64/libvirt/connection-driver/libvirt_driver_qemu.so(+0xc3668)[0x3fffa28e3668] /lib64/libvirt.so.0(virDomainDestroy-0x309bd0)[0x3fffaa90f6f0] /usr/sbin/libvirtd[0x10035230] /lib64/libvirt.so.0(virNetServerProgramDispatch-0x289b50)[0x3fffaa995930] /lib64/libvirt.so.0(+0x20db18)[0x3fffaa98db18] /lib64/libvirt.so.0(+0xfbd24)[0x3fffaa87bd24] /lib64/libvirt.so.0(+0xfaec8)[0x3fffaa87aec8] /lib64/libpthread.so.0(+0xc604)[0x3fffa9d7c604] /lib64/libc.so.6(clone-0xb8fe4)[0x3fffa9c3f094] Signed-off-by: Li Zhang <zhlcindy(a)linux.vnet.ibm.com> --- src/conf/domain_conf.c | 2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) diff --git a/src/conf/domain_conf.c b/src/conf/domain_conf.c index f3fca7f..2856660 100644 --- a/src/conf/domain_conf.c +++ b/src/conf/domain_conf.c @@ -1006,6 +1006,8 @@ virSecurityLabelDefFree(virSecurityLabelDefPtr def) { if (!def) return; + if (def->type == VIR_DOMAIN_SECLABEL_NONE) + return; VIR_FREE(def->model); VIR_FREE(def->label); VIR_FREE(def->imagelabel); -- 1.7.5.4

4 10

[libvirt] Networking options in libvirt_lxc
by Purcareata Bogdan-B43198 03 Apr '13

03 Apr '13

Hello, I am doing some research on [subject] and I would like to find out some information regarding various scenarios. I've studied the official documentation at [1] and some of the mailing list archives. The configurations I have in mind are somewhat inspired by what the sf LXC package offers in terms of networking. What I've tested so far and works: - Shared networking - all host interfaces are present in the container if no <interface> tag has been specified in the domain configuration. I'm assuming this is because the container is started in the same network namespace like the host. Is it possible to make only a subset of these interfaces visible inside the container? - Bridge to LAN - connecting a domain interface to a host bridge; - Direct attachment through a Macvtap device - all 3 modes (vepa, bridge and private) work as expected, "passthrough" requires some capabilities in the physical device (SRIOV), which I don't have - assuming I have a device with this capability, is this configuration supported by (implemented in) the libvirt_lxc driver? What other scenarios I would be interested in: - host network interface private to the container - much like what lxc.network.phys is offering: "dedicated NIC from host passed through". I've read some documentation about <hostdev> and how to assign PCI devices to virtual machine, but I understand this is only possible with KVM - it's assigned from the kernel, it makes more sense, etc. However, I've also read a thread on the mailing list regarding <hostdev mode="capabilities">, which offers access from a container to a device, but it's currenly only applicable to block and character devices. Is there currently any way to make a host interface private to a container? Thank you very much! Best regards, Bogdan P. [1] http://libvirt.org

2 2

[libvirt] [PATCH] virsh: Fix typo in docs
by Peter Krempa 03 Apr '13

03 Apr '13

s/persitent/persistent/ --- Pushed under trivial rule. tools/virsh.pod | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/virsh.pod b/tools/virsh.pod index 9ca4435..1c8f9ee 100644 --- a/tools/virsh.pod +++ b/tools/virsh.pod @@ -2152,7 +2152,7 @@ Returns basic information about the I<network> object. Returns the list of active networks, if I<--all> is specified this will also include defined but inactive networks, if I<--inactive> is specified only the inactive ones will be listed. You may also want to filter the returned networks -by I<--persistent> to list the persitent ones, I<--transient> to list the +by I<--persistent> to list the persistent ones, I<--transient> to list the transient ones, I<--autostart> to list the ones with autostart enabled, and I<--no-autostart> to list the ones with autostart disabled. -- 1.8.1.5

1 0

[libvirt] [PATCH] sec_manager: Refuse to start domain with unsupported seclabel
by Michal Privoznik 03 Apr '13

03 Apr '13

https://bugzilla.redhat.com/show_bug.cgi?id=947387 If a user configures a domain to use a seclabel of a specific type, but the appropriate driver is not accessible, we should refuse to start the domain. For instance, if user requires selinux, but it is either non present in the system, or is just disabled, we should not start the domain. Moreover, since we are touching only those labels we have a security driver for, the other labels may confuse libvirt when reconnecting to a domain on libvirtd restart. In our selinux example, when starting up a domain, missing security label is okay, as we auto-generate one. But later, when libvirt is re-connecting to a live qemu instance, we parse a state XML, where security label is required and it is an error if missing: error : virSecurityLabelDefParseXML:3228 : XML error: security label is missing This results in a qemu process left behind without any libvirt control. --- src/security/security_manager.c | 15 ++++++++++++++- 1 file changed, 14 insertions(+), 1 deletion(-) diff --git a/src/security/security_manager.c b/src/security/security_manager.c index b671a91..757fe28 100644 --- a/src/security/security_manager.c +++ b/src/security/security_manager.c @@ -425,7 +425,7 @@ int virSecurityManagerGenLabel(virSecurityManagerPtr mgr, virDomainDefPtr vm) { int ret = -1; - size_t i; + size_t i, j; virSecurityManagerPtr* sec_managers = NULL; virSecurityLabelDefPtr seclabel; bool generated = false; @@ -437,6 +437,19 @@ int virSecurityManagerGenLabel(virSecurityManagerPtr mgr, return ret; virObjectLock(mgr); + for (i = 0; vm->nseclabels; i++) { + for (j = 0; sec_managers[j]; j++) + if (STREQ(vm->seclabels[i]->model, sec_managers[j]->drv->name)) + break; + + if (!sec_managers[j]) { + virReportError(VIR_ERR_CONFIG_UNSUPPORTED, + _("Unable to find security driver for label %s"), + vm->seclabels[i]->model); + goto cleanup; + } + } + for (i = 0; sec_managers[i]; i++) { generated = false; seclabel = virDomainDefGetSecurityLabelDef(vm, sec_managers[i]->drv->name); -- 1.8.1.5

2 2

[libvirt] [PATCH v2] Allow multiple parameters for schedinfo
by Martin Kletzander 03 Apr '13

03 Apr '13

virsh schedinfo was able to set only one parameter at a time (not counting the deprecated options), but it is useful to set more at once, so this patch adds the possibility to do stuff like this: virsh schedinfo <domain> cpu_shares=0 vcpu_period=0 vcpu_quota=0 \ emulator_period=0 emulator_quota=0 Invalid scheduler options are reported as well. These were previously reported only if the command hadn't updated any values (when cmdSchedInfoUpdate returned 0). Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=810078 Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=919372 Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=919375 Signed-off-by: Martin Kletzander <mkletzan(a)redhat.com> --- v2: - correctly report unsupported options - man page updated tests/virsh-schedinfo | 4 +- tools/virsh-domain.c | 119 ++++++++++++++++++++++++++++---------------------- tools/virsh.pod | 4 +- 3 files changed, 72 insertions(+), 55 deletions(-) diff --git a/tests/virsh-schedinfo b/tests/virsh-schedinfo index 4f462f8..37f7bd3 100755 --- a/tests/virsh-schedinfo +++ b/tests/virsh-schedinfo @@ -1,7 +1,7 @@ #!/bin/sh # Ensure that virsh schedinfo --set invalid=val fails -# Copyright (C) 2010-2011 Red Hat, Inc. +# Copyright (C) 2010-2011, 2013 Red Hat, Inc. # This program is free software: you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by @@ -37,7 +37,7 @@ fi . "$srcdir/test-lib.sh" printf 'Scheduler : fair\n\n' > exp-out || framework_failure -printf 'error: invalid scheduler option: j=k\n' > exp-err || framework_failure +printf 'error: invalid scheduler option: j\n' > exp-err || framework_failure fail=0 diff --git a/tools/virsh-domain.c b/tools/virsh-domain.c index 128e516..cc2eddc 100644 --- a/tools/virsh-domain.c +++ b/tools/virsh-domain.c @@ -3918,16 +3918,14 @@ static const vshCmdOptDef opts_schedinfo[] = { .flags = VSH_OFLAG_REQ, .help = N_("domain name, id or uuid") }, - {.name = "set", - .type = VSH_OT_STRING, - .help = N_("parameter=value") - }, {.name = "weight", .type = VSH_OT_INT, + .flags = VSH_OFLAG_REQ_OPT, .help = N_("weight for XEN_CREDIT") }, {.name = "cap", .type = VSH_OT_INT, + .flags = VSH_OFLAG_REQ_OPT, .help = N_("cap for XEN_CREDIT") }, {.name = "current", @@ -3942,72 +3940,100 @@ static const vshCmdOptDef opts_schedinfo[] = { .type = VSH_OT_BOOL, .help = N_("get/set value from running domain") }, + {.name = "set", + .type = VSH_OT_ARGV, + .flags = VSH_OFLAG_NONE, + .help = N_("parameter=value") + }, {.name = NULL} }; static int +cmdSchedInfoUpdateOne(vshControl *ctl, + virTypedParameterPtr src_params, int nsrc_params, + virTypedParameterPtr *params, + int *nparams, int *maxparams, + const char *field, const char *value) +{ + virTypedParameterPtr param; + int ret = -1; + int i; + + for (i = 0; i < nsrc_params; i++) { + param = &(src_params[i]); + + if (STRNEQ(field, param->field)) + continue; + + if (virTypedParamsAddFromString(params, nparams, maxparams, + field, param->type, + value) < 0) { + vshSaveLibvirtError(); + goto cleanup; + } + ret = 0; + break; + } + + if (ret < 0) + vshError(ctl, _("invalid scheduler option: %s"), field); + + cleanup: + return ret; +} + +static int cmdSchedInfoUpdate(vshControl *ctl, const vshCmd *cmd, virTypedParameterPtr src_params, int nsrc_params, virTypedParameterPtr *update_params) { - const char *set_arg; char *set_field = NULL; char *set_val = NULL; - virTypedParameterPtr param; + const char *val = NULL; + const vshCmdOpt *opt = NULL; virTypedParameterPtr params = NULL; int nparams = 0; int maxparams = 0; int ret = -1; int rv; - int val; - int i; - if (vshCommandOptString(cmd, "set", &set_arg) > 0) { - set_field = vshStrdup(ctl, set_arg); + while ((opt = vshCommandOptArgv(cmd, opt))) { + set_field = vshStrdup(ctl, opt->data); if (!(set_val = strchr(set_field, '='))) { - vshError(ctl, "%s", _("Invalid syntax for --set, expecting name=value")); + vshError(ctl, "%s", _("Invalid syntax for --set, " + "expecting name=value")); goto cleanup; } *set_val = '\0'; set_val++; - } - for (i = 0; i < nsrc_params; i++) { - param = &(src_params[i]); - - /* Legacy 'weight' and 'cap' parameter */ - if (param->type == VIR_TYPED_PARAM_UINT && - (STREQ(param->field, "weight") || STREQ(param->field, "cap")) && - (rv = vshCommandOptInt(cmd, param->field, &val)) != 0) { - if (rv < 0) { - vshError(ctl, _("Invalid value of %s"), param->field); - goto cleanup; - } - - if (virTypedParamsAddUInt(&params, &nparams, &maxparams, - param->field, val) < 0) { - vshSaveLibvirtError(); - goto cleanup; - } + if (cmdSchedInfoUpdateOne(ctl, src_params, nsrc_params, + &params, &nparams, &maxparams, + set_field, set_val) < 0) + goto cleanup; - continue; - } + VIR_FREE(set_field); + } - if (set_field && STREQ(set_field, param->field)) { - if (virTypedParamsAddFromString(&params, &nparams, &maxparams, - set_field, param->type, - set_val) < 0) { - vshSaveLibvirtError(); - goto cleanup; - } + rv = vshCommandOptStringReq(ctl, cmd, "cap", &val); + if (rv < 0 || + (val && + cmdSchedInfoUpdateOne(ctl, src_params, nsrc_params, + &params, &nparams, &maxparams, + "cap", val) < 0)) + goto cleanup; - continue; - } - } + rv = vshCommandOptStringReq(ctl, cmd, "weight", &val); + if (rv < 0 || + (val && + cmdSchedInfoUpdateOne(ctl, src_params, nsrc_params, + &params, &nparams, &maxparams, + "weight", val) < 0)) + goto cleanup; - *update_params = params; ret = nparams; + *update_params = params; params = NULL; cleanup: @@ -4102,15 +4128,6 @@ cmdSchedinfo(vshControl *ctl, const vshCmd *cmd) if (ret == -1) goto cleanup; } else { - /* See if we've tried to --set var=val. If so, the fact that - we reach this point (with update == 0) means that "var" did - not match any of the settable parameters. Report the error. */ - const char *var_value_pair = NULL; - if (vshCommandOptString(cmd, "set", &var_value_pair) > 0) { - vshError(ctl, _("invalid scheduler option: %s"), - var_value_pair); - goto cleanup; - } /* When not doing --set, --live and --config do not mix. */ if (live && config) { vshError(ctl, "%s", diff --git a/tools/virsh.pod b/tools/virsh.pod index b5e632e..6111e58 100644 --- a/tools/virsh.pod +++ b/tools/virsh.pod @@ -1281,8 +1281,8 @@ except that it does some error checking. The editor used can be supplied by the C<$VISUAL> or C<$EDITOR> environment variables, and defaults to C<vi>. -=item B<schedinfo> [I<--set> B<parameter=value>] I<domain> [[I<--config>] -[I<--live>] | [I<--current>]] +=item B<schedinfo> I<domain> [[I<--config>] [I<--live>] | [I<--current>]] +[[I<--set>] B<parameter=value>]... =item B<schedinfo> [I<--weight> B<number>] [I<--cap> B<number>] I<domain> -- 1.8.1.5

2 3

[libvirt] mistake in libvirt-php document
by mahdi faryabi 03 Apr '13

03 Apr '13

hi, in libvirt-php you have a little mistake here : http://libvirt.org/php/api-reference.html#libvirt_image_remove "Function is used to create the image of desired name, size and format. The image will be created in the image path"

1 0