[libvirt] How to get the host network stats
by Zhang, Yijing
Hello there,
I want to find out how to get the host's network stats by using libvirt. I found one in the PHP API reference which is called libvirt_domain_interface_stats; I'm guessing it's for the guest since it's 'domain'. However, I'm not really sure.
Looking forward to hearing the answers from you guys.
Thank you,
Tracey
11 years, 4 months
[libvirt] [PATCH v3 00/12] Add user namespace support for libvirt lxc
by Gao feng
This patchset tries to add userns support for libvirt lxc.
Since userns is nearly completed in linux-3.9, the old
kernel doesn't support userns, I add some new XML elements
to let people decide whether to enable userns. The userns is enabled
only when the user configures the XML.
The format of the user namespace related XML file is like below:
<idmap>
  <uid start='0' target='1000' count='10'/>
  <gid start='0' target='1000' count='10'/>
</idmap>
It means the user in the container (whose uid:gid is 0:0) will
be mapped to the user on the host (uid:gid is 1000:1000). count
is used to form a u/gid range: the users in the container whose
uid is in [start, start + count - 1] will be mapped.
You can have multiple lines to map different id ranges.
Caution: you must make sure the root user of the container has
been mapped.
This patchset also does the below jobs.
1, Because the uninit userns has no right to create devices,
we should create devices for container on host.
2, Changes the owner of fuse and tty device.
Change from v2:
1, Mount tmpfs on /stateDir/domain.dev
2, Create devices under /stateDir/domain.dev/
3, Mount Move the /.oldroot/stateDir/domain.dev/ on the /dev/ of container
4, Enhance the configuration, disallow the semi configuration
Gao feng (12):
LXC: Introduce New XML element for user namespace
LXC: enable user namespace only when user set the uidmap
LXC: sort the uidmap/gidmap of domain
LXC: introduce virLXCControllerSetupUserns and lxcContainerSetID
LXC: Creating devices for container on host side
LXC: Move creating /dev/ptmx to virLXCControllerSetupDevPTS
LXC: fuse: Change files owner to the root user of container
LXC: controller: change the owner of tty devices to the root user of
container
LXC: controller: change the owner of /dev to the root user of
container
LXC: controller: change the owner of devices created on host
LXC: controller: change the owner of /dev/pts and ptmx to the root of
container
LXC: introduce virLXCControllerChown
docs/formatdomain.html.in | 23 ++++
docs/schemas/domaincommon.rng | 31 +++++
src/conf/domain_conf.c | 115 ++++++++++++++++++
src/conf/domain_conf.h | 22 ++++
src/lxc/lxc_container.c | 183 ++++++++++++++--------------
src/lxc/lxc_controller.c | 271 +++++++++++++++++++++++++++++++++++++++++-
src/lxc/lxc_fuse.c | 6 +
7 files changed, 557 insertions(+), 94 deletions(-)
--
1.8.1.4
11 years, 4 months
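The range rule from the cover letter above (container IDs in [start, start + count - 1] map to host IDs starting at target, and container root must be mapped), as an added C example that is not part of the patch series or of libvirt's code. The struct and function names are hypothetical, and rejecting overlapping container ranges is an extra strictness assumed here.

```c
#include <limits.h>
#include <stdio.h>

/* One <uid> or <gid> line of <idmap>: container IDs
 * [start, start + count - 1] map to host IDs beginning at target. */
struct idmap_entry { unsigned int start, target, count; };

/* Container ID -> host ID. Returns 0 and fills *host, -1 if unmapped. */
int idmap_to_host(const struct idmap_entry *map, size_t n,
                  unsigned int id, unsigned int *host)
{
    for (size_t i = 0; i < n; i++) {
        /* id - start < count: overflow-safe "id <= start + count - 1" */
        if (id >= map[i].start && id - map[i].start < map[i].count) {
            *host = map[i].target + (id - map[i].start);
            return 0;
        }
    }
    return -1;
}

/* Returns 0 if valid, -1 for an empty range, a range that wraps past UINT_MAX,
 * overlapping container ranges, or an unmapped container root (ID 0). */
int idmap_validate(const struct idmap_entry *map, size_t n)
{
    unsigned int host;
    for (size_t i = 0; i < n; i++) {
        const struct idmap_entry *a = &map[i];
        if (a->count == 0 || a->count - 1 > UINT_MAX - a->start ||
            a->count - 1 > UINT_MAX - a->target)
            return -1;
        for (size_t j = i + 1; j < n; j++) {
            const struct idmap_entry *b = &map[j];
            if ((b->start >= a->start && b->start - a->start < a->count) ||
                (a->start >= b->start && a->start - b->start < b->count))
                return -1;
        }
    }
    return idmap_to_host(map, n, 0, &host);
}

int main(void)
{
    struct idmap_entry uid[] = { { 0, 1000, 10 } };  /* constructed sample */
    unsigned int host = 0;
    int rc = idmap_to_host(uid, 1, 9, &host);
    printf("valid=%d, uid 9: rc=%d host=%u\n", idmap_validate(uid, 1), rc, host);
    return 0;
}
```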
[libvirt] [PATCH] LXC: blkio: allow to setup weight_device
by Gao feng
libvirt lxc can only set generic weight for container,
This patch allows user to setup per device blkio
weight for container.
Signed-off-by: Gao feng <gaofeng(a)cn.fujitsu.com>
---
src/lxc/lxc_cgroup.c | 26 ++++++++++++++++++++------
1 file changed, 20 insertions(+), 6 deletions(-)
diff --git a/src/lxc/lxc_cgroup.c b/src/lxc/lxc_cgroup.c
index 5c8acb3..4443b83 100644
--- a/src/lxc/lxc_cgroup.c
+++ b/src/lxc/lxc_cgroup.c
@@ -123,21 +123,35 @@ cleanup:
static int virLXCCgroupSetupBlkioTune(virDomainDefPtr def,
virCgroupPtr cgroup)
{
- int ret = -1;
+ int i, rc;
if (def->blkio.weight) {
- int rc = virCgroupSetBlkioWeight(cgroup, def->blkio.weight);
+ rc = virCgroupSetBlkioWeight(cgroup, def->blkio.weight);
if (rc != 0) {
virReportSystemError(-rc,
_("Unable to set Blkio weight for domain %s"),
def->name);
- goto cleanup;
+ return -1;
}
}
- ret = 0;
-cleanup:
- return ret;
+ if (def->blkio.ndevices) {
+ for (i = 0; i < def->blkio.ndevices; i++) {
+ virBlkioDeviceWeightPtr dw = &def->blkio.devices[i];
+ if (!dw->weight)
+ continue;
+ rc = virCgroupSetBlkioDeviceWeight(cgroup, dw->path, dw->weight);
+ if (rc != 0) {
+ virReportSystemError(-rc,
+ _("Unable to set io device weight "
+ "for domain %s"),
+ def->name);
+ return -1;
+ }
+ }
+ }
+
+ return 0;
}
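Review bot: the error reported when virCgroupSetBlkioDeviceWeight() fails names only def->name, so with several entries in def->blkio.devices the log does not say which device was rejected; include dw->path in the message, for example "Unable to set io device weight for %s in domain %s". The outer if (def->blkio.ndevices) is also redundant, because the for loop already does nothing when ndevices is 0. Entries whose weight is 0 are skipped silently by the continue; a short comment stating that 0 means "not set" would make that intent clear.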
--
1.8.1.4
11 years, 4 months
[libvirt] Memory access API
by Marek Marczykowski-Górecki
Hi,
Is there any zero-copy VM memory access API in libvirt? I see only the
virDomainMemoryPeek function, which copies some memory from the VM and does not permit
VM memory modifications.
What I'm looking for is xen xc_map_foreign_pages or
xc_gnttab_map_domain_grant_refs equivalent/wrapper. IOW map memory pages to
dom0 address space, without copy. I know that not every hypervisor supports
it, but it is useful to build a high-performance communication channel on top
of it.
--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
11 years, 4 months
[libvirt] [PATCH 0/8] Filtering of object lists via ACLs
by Daniel P. Berrange
From: "Daniel P. Berrange" <berrange(a)redhat.com>
The current ACL checks validate access to the object being
passed in to the API calls.
There are a few APIs (all the virConnectList* / virConnectNum*
ones) which are used to get lists of objects in the first
place. Currently you could find out that there is a VM called
"foo", but you can't then do virDomainLookupByName since the
ACL check may block it.
This series introduces filtering in the object list APIs,
so you can't even see the existence of an object called
"foo", if you don't have permission over it.
This is not yet filtering the legacy Xen driver.
Daniel P. Berrange (8):
Add access control filtering of domain objects
Add access control filtering of network objects
Add access control filtering of node device objects
Add access control filtering of storage objects
Add access control filtering of secret objects
Add access control filtering of nwfilter objects
Add access control filtering of interface objects
Extend the ACL test case to validate filter rule checks
src/Makefile.am | 1 +
src/check-aclrules.pl | 97 ++++++++++++
src/conf/domain_conf.c | 91 +++++++----
src/conf/domain_conf.h | 17 ++-
src/conf/interface_conf.h | 3 +
src/conf/network_conf.c | 12 +-
src/conf/network_conf.h | 13 +-
src/conf/node_device_conf.c | 12 +-
src/conf/node_device_conf.h | 12 +-
src/conf/storage_conf.c | 12 +-
src/conf/storage_conf.h | 11 +-
src/interface/interface_backend_netcf.c | 262 +++++++++++++++++++++++++++-----
src/interface/interface_backend_udev.c | 56 +++++--
src/libvirt_private.syms | 6 +-
src/libxl/libxl_driver.c | 15 +-
src/lxc/lxc_driver.c | 15 +-
src/network/bridge_driver.c | 44 +++---
src/node_device/node_device_driver.c | 28 ++--
src/nwfilter/nwfilter_driver.c | 39 +++--
src/openvz/openvz_driver.c | 7 +-
src/parallels/parallels_driver.c | 14 +-
src/parallels/parallels_network.c | 2 +-
src/qemu/qemu_driver.c | 24 +--
src/rpc/gendispatch.pl | 42 +++--
src/secret/secret_driver.c | 14 +-
src/storage/storage_driver.c | 62 +++++---
src/test/test_driver.c | 18 ++-
src/uml/uml_driver.c | 15 +-
src/vmware/vmware_driver.c | 12 +-
29 files changed, 716 insertions(+), 240 deletions(-)
--
1.8.1.4
11 years, 4 months
[libvirt] [PATCH 1/2] virCgroupNewPartition: Don't leak @newpath
by Michal Privoznik
The @newpath variable is allocated in virCgroupSetPartitionSuffix(). But
it's never freed.
---
src/util/vircgroup.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/util/vircgroup.c b/src/util/vircgroup.c
index ae71859..e0b25ed 100644
--- a/src/util/vircgroup.c
+++ b/src/util/vircgroup.c
@@ -1249,7 +1249,7 @@ int virCgroupNewPartition(const char *path,
int rc;
char *parentPath = NULL;
virCgroupPtr parent = NULL;
- char *newpath;
+ char *newpath = NULL;
VIR_DEBUG("path=%s create=%d controllers=%x",
path, create, controllers);
@@ -1295,6 +1295,7 @@ cleanup:
virCgroupFree(group);
virCgroupFree(&parent);
VIR_FREE(parentPath);
+ VIR_FREE(newpath);
return rc;
}
#else
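Review bot: the VIR_FREE(newpath) added to cleanup is only safe together with the NULL initialisation in the first hunk, so the two changes must stay in one commit when this is backported; any goto cleanup taken before virCgroupSetPartitionSuffix() runs would otherwise free an uninitialised pointer. Please also confirm in the commit message that nothing between the allocation and cleanup keeps a reference to newpath, since the visible lines do not show its other uses and a retained pointer would turn this free into a use-after-free.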
--
1.8.1.5
11 years, 4 months
[libvirt] [libvirt-perl][PATCH] Add missing bracket to Sys::Virt::Domain man page
by Ján Tomko
https://bugzilla.redhat.com/show_bug.cgi?id=954254
---
Pushed as trivial.
lib/Sys/Virt/Domain.pm | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/Sys/Virt/Domain.pm b/lib/Sys/Virt/Domain.pm
index 053f127..3630cf0 100644
--- a/lib/Sys/Virt/Domain.pm
+++ b/lib/Sys/Virt/Domain.pm
@@ -540,7 +540,7 @@ Update the configuration of an existing device. The new configuration
is given by C<$xml>. The optional <$flags> parameter defaults to
0 but can accept one of the device hotplug flags described later.
-=item $data = $dom->block_peek($path, $offset, $size[, $flags)
+=item $data = $dom->block_peek($path, $offset, $size[, $flags])
Peek into the guest disk C<$path>, at byte C<$offset> capturing
C<$size> bytes of data. The returned scalar may contain embedded
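Review bot: the context line just above the changed =item still reads "The optional <$flags> parameter", which is missing the C formatting code that C<$xml> has on the same line. Since this patch is already correcting markup in this man page, change it to C<$flags> here or in a follow-up.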
--
1.8.1.5
11 years, 4 months
[libvirt] [PATCH] doc: blkio: add some notification
by Gao feng
If the I/O elevator of disk is not cfq, the setting
of blkio.weight is ineffective. And the setting up
blkio.weight_device will fail.
Add notification for this situation.
Signed-off-by: Gao feng <gaofeng(a)cn.fujitsu.com>
---
docs/formatdomain.html.in | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/docs/formatdomain.html.in b/docs/formatdomain.html.in
index 47d91ab..8d048be 100644
--- a/docs/formatdomain.html.in
+++ b/docs/formatdomain.html.in
@@ -740,7 +740,8 @@
<dd> The optional <code>blkiotune</code> element provides the ability
to tune Blkio cgroup tunable parameters for the domain. If this is
omitted, it defaults to the OS provided
- defaults. <span class="since">Since 0.8.8</span></dd>
+ defaults. Notice: blkiotune is effective only when the I/O elevator
+ of disk is cfq. <span class="since">Since 0.8.8</span></dd>
<dt><code>weight</code></dt>
<dd> The optional <code>weight</code> element is the overall I/O
weight of the guest. The value should be in the range [100,
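Review bot: the added "Notice: blkiotune is effective only when the I/O elevator of disk is cfq" sits between the description and the "Since 0.8.8" span, so the version marker now reads as if it belonged to the notice; move the sentence after the span or into its own paragraph. The names blkiotune and cfq should be wrapped in <code> like the other element names in this block, and "of disk" needs an article ("of the disk").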
@@ -761,7 +762,8 @@
mandatory sub-elements, <code>path</code> describing the
absolute path of the device, and <code>weight</code> giving
the relative weight of that device, in the range [100,
- 1000]. <span class="since">Since 0.9.8</span></dd>
+ 1000]. The setting up device.weight will fail if the I/O elevator
+ of this disk device is not cfq. <span class="since">Since 0.9.8</span></dd>
</dl>
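Review bot: "The setting up device.weight will fail" is ungrammatical and uses the name device.weight, which the surrounding text never introduces (it describes a weight sub-element of device); suggest "Setting a device weight fails if the I/O elevator of that disk is not cfq". As in the first hunk, the sentence is inserted before the "Since 0.9.8" span and would read better after it.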
--
1.8.1.4
11 years, 4 months
[libvirt] [PATCH] Crash of libvirtd by unprivileged user in virConnectListAllInterfaces
by Eric Blake
From: "Daniel P. Berrange" <berrange(a)redhat.com>
On Thu, Jun 27, 2013 at 03:56:42PM +0100, Daniel P. Berrange wrote:
> Hi Security Team,
>
> I've discovered a way for an unprivileged user with a readonly connection
> to libvirtd, to crash the daemon.
Ok, the final patch for this issue will be the simpler variant that
Eric suggested.
The embargo can be considered to be lifted on Monday July 1st, at
0900 UTC
The following is the GIT change that DV or myself will apply to libvirt
GIT master immediately before the 1.1.0 release:
From 177b4165c531a4b3ba7f6ab6aa41dca9ceb0b8cf Mon Sep 17 00:00:00 2001
From: "Daniel P. Berrange" <berrange(a)redhat.com>
Date: Fri, 28 Jun 2013 10:48:37 +0100
Subject: [PATCH] CVE-2013-2218: Fix crash listing network interfaces with
filters
The virConnectListAllInterfaces method has a double-free of the
'struct netcf_if' object when any of the filtering flags cause
an interface to be skipped over. For example when running the
command 'virsh iface-list --inactive'
This is a regression introduced in release 1.0.6 by
commit 7ac2c4fe624f30f2c8270116513fa2ddab07631f
Author: Guannan Ren <gren(a)redhat.com>
Date: Tue May 21 21:29:38 2013 +0800
interface: list all interfaces with flags == 0
Signed-off-by: Daniel P. Berrange <berrange(a)redhat.com>
---
Posting as a courtesy FYI for anyone reading this list but who does
not have access to the security list and doesn't want to crawl
through git. This commit has been included in 1.1.0 and has been
applied to all affected stable branches (just v1.0.6-maint).
The rule in determining that a CVE was necessary is the
"escalation of privilege" test - any time a read-only client can
cause a denial-of-service against a more-privileged read-write
client (by crashing libvirtd), there is an escalation.
src/interface/interface_backend_netcf.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/interface/interface_backend_netcf.c b/src/interface/interface_backend_netcf.c
index a995816..9aa673d 100644
--- a/src/interface/interface_backend_netcf.c
+++ b/src/interface/interface_backend_netcf.c
@@ -412,6 +412,7 @@ netcfConnectListAllInterfaces(virConnectPtr conn,
(MATCH(VIR_CONNECT_LIST_INTERFACES_INACTIVE) &&
(status & NETCF_IFACE_INACTIVE)))) {
ncf_if_free(iface);
+ iface = NULL;
continue;
}
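Review bot: the iface = NULL added after ncf_if_free(iface) in the skip branch has no comment, and nothing in the visible lines shows which later release it guards against; add a one-line comment so the reset is not dropped as dead code in a later cleanup. A regression test for the filtered path, for example the 'virsh iface-list --inactive' case named in the commit message, would keep the 1.0.6 regression from coming back.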
--
1.8.1.4
11 years, 4 months
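A small model of the free-then-skip pattern that the CVE-2013-2218 commit message describes, added here as an illustration; it is not libvirt or netcf code. The loop shape, struct fake_if and list_active() are assumptions, and releases are counted rather than performed so that the double release can be observed safely.

```c
#include <stdio.h>

/* Constructed stand-in for 'struct netcf_if'. 'frees' counts release calls,
 * so a double release shows up as a number instead of heap corruption. */
struct fake_if { int inactive; int frees; };

static void fake_if_free(struct fake_if *iface)
{
    if (iface)                  /* releasing NULL is a no-op */
        iface->frees++;
}

/* Model of a filtered listing loop (assumed shape, not libvirt's code).
 * reset_after_skip = 0: the skip branch frees but keeps the stale pointer.
 * reset_after_skip = 1: the skip branch also sets the pointer to NULL.
 * Returns the largest number of times any one object was released. */
int list_active(struct fake_if *pool, size_t n, int reset_after_skip)
{
    struct fake_if *iface = NULL;
    int worst = 0;
    size_t i;
    for (i = 0; i < n; i++) {
        iface = &pool[i];
        iface->frees = 0;
        if (iface->inactive) {      /* filtered out: release and skip */
            fake_if_free(iface);
            if (reset_after_skip)
                iface = NULL;
            continue;
        }
        /* a matching interface would be copied into the result here */
        fake_if_free(iface);
        iface = NULL;
    }
    fake_if_free(iface);            /* shared cleanup path */
    for (i = 0; i < n; i++)
        if (pool[i].frees > worst)
            worst = pool[i].frees;
    return worst;
}

int main(void)
{
    struct fake_if pool[] = { { 0, 0 }, { 1, 0 } };  /* last entry is filtered out */
    int before = list_active(pool, 2, 0), after = list_active(pool, 2, 1);
    printf("max releases without reset: %d, with reset: %d\n", before, after);
    return 0;
}
```

In this model the stale pointer is only released twice when the skipped entry is the last one the loop touches before cleanup, which is why a test that ends on a filtered-out interface is the one that catches it.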