[libvirt] [PATCH] doc: Update help for virsh_desc command
by Yanbing Du
Signed-off-by: Yanbing Du <ydu(a)redhat.com>
---
tools/virsh-domain.c | 8 ++++----
1 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/tools/virsh-domain.c b/tools/virsh-domain.c
index ccb6080..47fd6cb 100644
--- a/tools/virsh-domain.c
+++ b/tools/virsh-domain.c
@@ -6657,19 +6657,19 @@ static const vshCmdOptDef opts_desc[] = {
},
{.name = "live",
.type = VSH_OT_BOOL,
- .help = N_("modify/get running state")
+ .help = N_("get/set description of running state domain")
},
{.name = "config",
.type = VSH_OT_BOOL,
- .help = N_("modify/get persistent configuration")
+ .help = N_("get/set description of persistent definition domain")
},
{.name = "current",
.type = VSH_OT_BOOL,
- .help = N_("modify/get current state configuration")
+ .help = N_("get/set description of current state domain")
},
{.name = "title",
.type = VSH_OT_BOOL,
- .help = N_("modify/get the title instead of description")
+ .help = N_("get/set the title instead of description")
},
{.name = "edit",
.type = VSH_OT_BOOL,
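Review bot: The new help strings for "live", "config" and "current" are ungrammatical ("get/set description of running state domain", "get/set description of persistent definition domain", "get/set description of current state domain"), which makes them harder to read than the text they replace. Something like "get/set description of the running domain", "get/set description in the persistent domain definition" and "get/set description according to the current domain state" keeps the intent and reads cleanly. The "title" string is fine as changed.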
--
1.7.1
11 years, 2 months
[libvirt] [PATCH] Add documentation for access control system
by Daniel P. Berrange
From: "Daniel P. Berrange" <berrange(a)redhat.com>
This adds two new pages to the website, acl.html describing
the general access control framework and permissions models,
and aclpolkit.html describing the use of polkit as an
access control driver.
page.xsl is modified to support a new syntax
<div id="include" filename="somefile.htmlinc"/>
which will cause the XSL transform to replace that <div>
with the contents of 'somefile.htmlinc'. We use this in
the acl.html.in file, to pull the table of permissions
for each libvirt object. This table is autogenerated
from the enums in src/access/viraccessperms.h by the
genaclperms.pl script.
newapi.xsl is modified so that the list of permissions
checks shown against each API will link to the description
of the permissions in acl.html
Signed-off-by: Daniel P. Berrange <berrange(a)redhat.com>
---
.gitignore | 1 +
docs/Makefile.am | 12 +-
docs/acl.html.in | 100 ++++++++++++
docs/aclpolkit.html.in | 414 +++++++++++++++++++++++++++++++++++++++++++++++++
docs/auth.html.in | 6 +-
docs/genaclperms.pl | 124 +++++++++++++++
docs/newapi.xsl | 4 +-
docs/page.xsl | 11 ++
docs/sitemap.html.in | 10 ++
9 files changed, 677 insertions(+), 5 deletions(-)
create mode 100644 docs/acl.html.in
create mode 100644 docs/aclpolkit.html.in
create mode 100644 docs/genaclperms.pl
diff --git a/.gitignore b/.gitignore
index ae9de0b..4216bf1 100644
--- a/.gitignore
+++ b/.gitignore
@@ -58,6 +58,7 @@
/daemon/libvirtd.policy
/daemon/libvirtd.service
/daemon/test_libvirtd.aug
+/docs/aclperms.htmlinc
/docs/apibuild.py.stamp
/docs/devhelp/libvirt.devhelp
/docs/hvsupport.html.in
diff --git a/docs/Makefile.am b/docs/Makefile.am
index aabee44..9057432 100644
--- a/docs/Makefile.am
+++ b/docs/Makefile.am
@@ -128,7 +128,7 @@ fig = \
migration-unmanaged-direct.fig
EXTRA_DIST= \
- apibuild.py \
+ apibuild.py genaclperms.pl \
site.xsl newapi.xsl news.xsl page.xsl \
hacking1.xsl hacking2.xsl wrapstring.xsl \
$(dot_html) $(dot_html_in) $(gif) $(apihtml) $(apipng) \
@@ -139,6 +139,16 @@ EXTRA_DIST= \
sitemap.html.in \
todo.pl hvsupport.pl todo.cfg-example
+BUILT_SOURCES += aclperms.htmlinc
+
+CLEANFILES = aclperms.htmlinc
+
+acl.html:: aclperms.htmlinc
+
+aclperms.htmlinc: $(top_srcdir)/src/access/viraccessperm.h \
+ genaclperms.pl Makefile.am
+ $(PERL) genaclperms.pl $< > $@
+
MAINTAINERCLEANFILES = \
$(addprefix $(srcdir)/,$(dot_html)) \
$(addprefix $(srcdir)/,$(apihtml)) \
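Review bot: The aclperms.htmlinc recipe invokes "$(PERL) genaclperms.pl $< > $@" with the script path relative to the build directory, so an out-of-tree (VPATH) build will not find it; the command should use $(srcdir)/genaclperms.pl. Redirecting straight into $@ also leaves a truncated file with a fresh timestamp when the script dies (it does so on a missing description), so writing to a temporary name and renaming on success would be safer. "CLEANFILES =" is a plain assignment sitting next to "BUILT_SOURCES +=", so check that it does not clobber an earlier definition and that BUILT_SOURCES is already defined above this point.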
diff --git a/docs/acl.html.in b/docs/acl.html.in
new file mode 100644
index 0000000..5fb633d
--- /dev/null
+++ b/docs/acl.html.in
@@ -0,0 +1,100 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+ <body>
+ <h1>Client access control</h1>
+ <p>
+ Libvirt's client access control framework allows administrators
+ to setup fine grained permission rules across client users,
+ managed objects and API operations. This allows client connections
+ to be locked down to a minimal set of privileges.
+ </p>
+
+ <ul id="toc"></ul>
+
+ <h2><a name="intro">Access control introduction</a></h2>
+
+ <p>
+ In a default configuration, the libvirtd daemon have three levels
+ of access control. All connections start off in an unauthenticated
+ state, where the only API operations allowed are those required
+ to complete authentication. After successful authentication, a
+ connection either has full, unrestricted access to all libvirt
+ API calls, or is locked down to only "read only" operations,
+ according to what socket a client connection originated on.
+ </p>
+
+ <p>
+ The access control framework allows authenticated connections to
+ have fine grained permission rules to be defined by the administrator.
+ Every API call in libvirt has a set of permissions that will
+ be validated against the object being used. For example, the
+ <code>virDomainSetSchedulerParametersFlags</code> method will
+ check whether the client user has the <code>write</code>
+ permission on the <code>domain</code> object instance passed
+ in as a parameter. Further permissions will also be checked
+ if certain flags are set in the API call. In addition to
+ checks on the object passed into an API call, some methods
+ will filter their results. For example the <code>virConnectListAllDomains</code>
+ method will check the <code>search_domains</code> on the <code>connect</code>
+ object, but will also filter the returned <code>domain</code>
+ objects to only those on which the client user has the
+ <code>getattr</code> permission.
+ </p>
+
+ <h2><a name="drivers">Access control drivers</a></h2>
+
+ <p>
+ The access control framework is designed as a pluggable
+ system to enable future integration with arbitrary access
+ control technologies. By default, the <code>none</code>
+ driver is used, which does not access controll checks at
+ all. At this time, libvirt ships with support for using
+ <a href="http://www.freedesktop.org/wiki/Software/polkit/">polkit</a> as a real access
+ control driver. To learn how to use the polkit access
+ driver consult <a href="aclpolkit.html">the configuration
+ docs</a>.
+ </p>
+
+ <p>
+ The access driver is configured in the <code>libvirtd.conf</code>
+ configuration file, using the <code>access_drivers</code>
+ parameter. This parameter accepts an array of access control
+ driver names. If more than one access driver is requested,
+ then all must succeed in order for access to be granted.
+ To enable 'polkit' as the driver
+ </p>
+
+ <pre>
+# augtool -s set '/files/etc/libvirt/libvirtd.conf/access_drivers[1]' polkit
+ </pre>
+
+ <p>
+ And to reset back to the default (no-op) driver
+ </p>
+
+
+ <pre>
+# augtool -s rm /files/etc/libvirt/libvirtd.conf/access_drivers
+ </pre>
+
+ <p>
+ <strong>Note:</strong> changes to libvirtd.conf require that
+ the libvirtd daemon be restarted.
+ </p>
+
+ <h2><a name="perms">Objects and permissions</a></h2>
+
+ <p>
+ Libvirt applies access control to all the main object
+ types in its API. Each object type, in turn, has a set
+ of permissions defined. To determine what permissions
+ are checked for specific API call, consult the
+ <a href="html/libvirt-libvirt.html">API reference manual</a>
+ documentation for the API in question.
+ </p>
+
+ <div id="include" filename="aclperms.htmlinc"/>
+
+ </body>
+</html>
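Review bot: In the "Access control drivers" section, the sentence "the none driver is used, which does not access controll checks at all" is missing its verb and misspells "control"; this is the one sentence that tells an administrator the default configuration performs no checks, so it should be unambiguous, for example "which performs no access control checks at all". Also in this file: "the libvirtd daemon have three levels" should be "has", and "will check the search_domains on the connect object" is missing the word "permission".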
diff --git a/docs/aclpolkit.html.in b/docs/aclpolkit.html.in
new file mode 100644
index 0000000..d7be0bd
--- /dev/null
+++ b/docs/aclpolkit.html.in
@@ -0,0 +1,414 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+ <body>
+ <h1>Polkit access control</h1>
+
+ <p>
+ Libvirt's client <a href="acl.html">access control framework</a> allows
+ administrators to setup fine grained permission rules across client users,
+ managed objects and API operations. This allows client connections
+ to be locked down to a minimal set of privileges. The polkit driver
+ provides a simple implementation of the access control framework
+ </p>
+
+ <ul id="toc"></ul>
+
+ <h2><a name="intro">Introduction</a></h2>
+
+ <p>
+ A default install of libvirt will typically use
+ <a href="http://www.freedesktop.org/wiki/Software/polkit/">polkit</a>
+ to authenticate the initial user connection to libvirtd. This is a
+ very coarse grained check though either allowing full read-write
+ access to all APIs, or just read-only access. The polkit access
+ control driver in libvirt builds on this capability to allow for
+ fine grained control over the operations a user may perform on an
+ object.
+ </p>
+
+ <h2><a name="perms">Permission names</a></h2>
+
+ <p>
+ The libvirt <a href="acl.html#perms">object names and permission names</a>
+ are mapped onto polkit action names using the simple pattern:
+ </p>
+
+ <pre>org.libvirt.api.$object.$permission
+</pre>
+
+ <p>
+ The only caveat is that any underscore characters in the
+ object or permission names are converted to hyphens. So,
+ for example, the <code>search_storage_vols</code> permission
+ on the <code>storage_pool</code> object maps to the polkit
+ action:
+ </p>
+ <pre>org.libvirt.api.storage-pool.search-storage-vols
+</pre>
+
+ <p>
+ The default policy for any permission which corresponds to
+ an "read only" operation, is to allow access. All other
+ permissions default to deny access.
+ </p>
+
+ <h2><a name="attrs">Object identity attributes</a></h2>
+
+ <p>
+ To allow polkit authorization rules to be written to match
+ against individual object instances, libvirt provides a number
+ of authorization detail attributes when performing a permission
+ check. The set of attributes varies according to the type
+ of object being checked
+ </p>
+
+ <h3><a name="object_connect">virConnectPtr</a></h3>
+ <table class="acl">
+ <thead>
+ <tr>
+ <th>Attribute</th>
+ <th>Description</th>
+ </tr>
+ </thead>
+ <tbody>
+ <tr>
+ <td>connect_driver</td>
+ <td>Name of the libvirt connection driver</td>
+ </tr>
+ </tbody>
+ </table>
+
+ <h3><a name="object_domain">virDomainPtr</a></h3>
+ <table class="acl">
+ <thead>
+ <tr>
+ <th>Attribute</th>
+ <th>Description</th>
+ </tr>
+ </thead>
+ <tbody>
+ <tr>
+ <td>connect_driver</td>
+ <td>Name of the libvirt connection driver</td>
+ </tr>
+ <tr>
+ <td>domain_name</td>
+ <td>Name of the domain, unique to the local host</td>
+ </tr>
+ <tr>
+ <td>domain_uuid</td>
+ <td>UUID of the domain, globally unique</td>
+ </tr>
+ </tbody>
+ </table>
+
+ <h3><a name="object_interface">virInterfacePtr</a></h3>
+ <table class="acl">
+ <thead>
+ <tr>
+ <th>Attribute</th>
+ <th>Description</th>
+ </tr>
+ </thead>
+ <tbody>
+ <tr>
+ <td>connect_driver</td>
+ <td>Name of the libvirt connection driver</td>
+ </tr>
+ <tr>
+ <td>interface_name</td>
+ <td>Name of the network interface, unique to the local host</td>
+ </tr>
+ <tr>
+ <td>interface_mac</td>
+ <td>MAC address of the network interface, not unique</td>
+ </tr>
+ </tbody>
+ </table>
+
+ <h3><a name="object_network">virNetworkPtr</a></h3>
+ <table class="acl">
+ <thead>
+ <tr>
+ <th>Attribute</th>
+ <th>Description</th>
+ </tr>
+ </thead>
+ <tbody>
+ <tr>
+ <td>connect_driver</td>
+ <td>Name of the libvirt connection driver</td>
+ </tr>
+ <tr>
+ <td>network_name</td>
+ <td>Name of the network, unique to the local host</td>
+ </tr>
+ <tr>
+ <td>network_uuid</td>
+ <td>UUID of the network, globally unique</td>
+ </tr>
+ </tbody>
+ </table>
+
+ <h3><a name="object_node_device">virNodeDevicePtr</a></h3>
+ <table class="acl">
+ <thead>
+ <tr>
+ <th>Attribute</th>
+ <th>Description</th>
+ </tr>
+ </thead>
+ <tbody>
+ <tr>
+ <td>connect_driver</td>
+ <td>Name of the libvirt connection driver</td>
+ </tr>
+ <tr>
+ <td>node_device_name</td>
+ <td>Name of the node device, unique to the local host</td>
+ </tr>
+ </tbody>
+ </table>
+
+ <h3><a name="object_nwfilter">virNWFilterPtr</a></h3>
+ <table class="acl">
+ <thead>
+ <tr>
+ <th>Attribute</th>
+ <th>Description</th>
+ </tr>
+ </thead>
+ <tbody>
+ <tr>
+ <td>connect_driver</td>
+ <td>Name of the libvirt connection driver</td>
+ </tr>
+ <tr>
+ <td>nwfilter_name</td>
+ <td>Name of the network filter, unique to the local host</td>
+ </tr>
+ <tr>
+ <td>nwfilter_uuid</td>
+ <td>UUID of the network filter, globally unique</td>
+ </tr>
+ </tbody>
+ </table>
+
+ <h3><a name="object_secret">virSecretPtr</a></h3>
+ <table class="acl">
+ <thead>
+ <tr>
+ <th>Attribute</th>
+ <th>Description</th>
+ </tr>
+ </thead>
+ <tbody>
+ <tr>
+ <td>connect_driver</td>
+ <td>Name of the libvirt connection driver</td>
+ </tr>
+ <tr>
+ <td>secret_uuid</td>
+ <td>UUID of the secret, globally unique</td>
+ </tr>
+ <tr>
+ <td>secret_usage_volume</td>
+ <td>Name of the associated volume, if any</td>
+ </tr>
+ <tr>
+ <td>secret_usage_ceph</td>
+ <td>Name of the associated Ceph server, if any</td>
+ </tr>
+ <tr>
+ <td>secret_usage_target</td>
+ <td>Name of the associated iSCSI target, if any</td>
+ </tr>
+ <tr>
+ <td></td>
+ <td></td>
+ </tr>
+ </tbody>
+ </table>
+
+ <h3><a name="object_storage_pool">virStoragePoolPtr</a></h3>
+ <table class="acl">
+ <thead>
+ <tr>
+ <th>Attribute</th>
+ <th>Description</th>
+ </tr>
+ </thead>
+ <tbody>
+ <tr>
+ <td>connect_driver</td>
+ <td>Name of the libvirt connection driver</td>
+ </tr>
+ <tr>
+ <td>pool_name</td>
+ <td>Name of the storage pool, unique to the local host</td>
+ </tr>
+ <tr>
+ <td>pool_uuid</td>
+ <td>UUID of the storage pool, globally unique</td>
+ </tr>
+ </tbody>
+ </table>
+
+ <h3><a name="object_storage_vol">virStorageVolPtr</a></h3>
+ <table class="acl">
+ <thead>
+ <tr>
+ <th>Attribute</th>
+ <th>Description</th>
+ </tr>
+ </thead>
+ <tbody>
+ <tr>
+ <td>connect_driver</td>
+ <td>Name of the libvirt connection driver</td>
+ </tr>
+ <tr>
+ <td>pool_name</td>
+ <td>Name of the storage pool, unique to the local host</td>
+ </tr>
+ <tr>
+ <td>pool_uuid</td>
+ <td>UUID of the storage pool, globally unique</td>
+ </tr>
+ <tr>
+ <td>vol_name</td>
+ <td>Name of the storage volume, unique to the pool</td>
+ </tr>
+ <tr>
+ <td>vol_key</td>
+ <td>Key of the storage volume, globally unique</td>
+ </tr>
+ </tbody>
+ </table>
+
+
+ <h2><a name="user">User identity attributes</a></h2>
+
+ <p>
+ At this point in time, the only attribute provided by
+ libvirt to identify the user invoking the operation
+ is the PID of the client program. This means that the
+ polkit access control driver is only useful if connections
+ to libvirt are restricted to its UNIX domain socket. If
+ connections are being made to a TCP socket, no identifying
+ information is available & access will be denied.
+ Also note that if the client is connecting via an SSH
+ tunnel, it is the local SSH user that will be identified.
+ In future versions, it is expected that more information
+ about the client user will be provided, including the
+ SASAL / Kerberos username and/or x509 distinguished
+ name obtained from the authentication provider in use.
+ </p>
+
+
+ <h2><a name="checks">Writing acces control policies</a></h2>
+
+ <p>
+ If using versions of polkit prior to 0.106 then it is only
+ possible to validate (user, permission) pairs via the <code>.pkla</code>
+ files. Fully validation of the (user, permission, object) triple
+ requires the new JavaScript <code>.rules</code> support that
+ was introduced in version 0.106. That latter is what will be
+ described here.
+ </p>
+
+ <p>
+ Libvirt does not ship any rules files by default. It merely
+ provides a definition of the default behaviour for each
+ action (permission). As noted earlier, permissions which
+ correspond to read-only operations in libvirt will be allowed
+ to all users by default; everything else is denied by default.
+ Defining custom rules requires creation of a file in the
+ <code>/etc/polkit-1/rules.d</code> directory with a name
+ chosen by the administrator (<code>100-libvirt-acl.rules</code>
+ would be a reasonable choice). See the <code>polkit(8)</code>
+ manual page for a description of how to write these files
+ in general. The key idea is to create a file containing
+ something like
+ </p>
+
+ <pre>
+ polkit.addRule(function(action, subject) {
+ ....logic to check 'action' and 'subject'...
+ });
+ </pre>
+
+ <p>
+ In this code snippet above, the <code>action</code> object
+ instance will represent the libvirt permission being checked
+ along with identifying attributes for the object it is being
+ applied to. The <code>subject</code> meanwhile will identify
+ the libvirt client app (with the caveat above about it only
+ dealing with local clients connected via the UNIX socket).
+ On the <code>action</code> object, the permission name is
+ accessible via the <code>id</code> attribute, while the
+ object identifying attributes are exposed via a set of
+ attributes with the naming convention <code>_detail_[attrname]</code>.
+ For example, the 'domain_name' attribute would be exposed via
+ a property <code>_detail_domain_name</code>.
+ </p>
+
+ <h3><a name="exconnect">Example: restricting ability to connect to drivers</a></h3>
+
+ <p>
+ Consider a local user <code>berrange</code>
+ who has been granted permission to connect to libvirt in
+ full read-write mode. The goal is to only allow them to
+ use the <code>QEMU</code> driver and not the Xen or LXC
+ drivers which are also available in libvirtd.
+ To achieve this we need to write a rule which checks
+ whether the <code>_detail_connect_driver</code> attribute
+ is <code>QEMU</code>, and match on a action
+ name of <code>org.libvirt.api.connect.getattr</code>. Using
+ the javascript rules format, this ends up written as
+ </p>
+
+ <pre>
+polkit.addRule(function(action, subject) {
+ if (action.id == "org.libvirt.api.connect.getattr" &&
+ subject.user == "berrange") {
+ if (action._detail_connect_driver == 'QEMU') {
+ return polkit.Result.YES;
+ } else {
+ return polkit.Result.NO;
+ }
+ }
+});
+ </pre>
+
+ <h3><a name="exdomain">Example: restricting access to a single domain</a></h3>
+
+ <p>
+ Consider a local user <code>berrange</code>
+ who has been granted permission to connect to libvirt in
+ full read-write mode. The goal is to only allow them to
+ see the domain called <code>demo</code> on the LXC driver.
+ To achieve this we need to write a rule which checks
+ whether the <code>_detail_connect_driver</code> attribute
+ is <code>LXC</code> and the <code>_detail_domain_name</code>
+ attribute is <code>demo</code>, and match on a action
+ name of <code>org.libvirt.api.domain.getattr</code>. Using
+ the javascript rules format, this ends up written as
+ </p>
+
+ <pre>
+polkit.addRule(function(action, subject) {
+ if (action.id == "org.libvirt.api.domain.getattr" &&
+ subject.user == "berrange") {
+ if (action._detail_connect_driver == 'LXC' &&
+ action._detail_domain_name == 'busy') {
+ return polkit.Result.YES;
+ } else {
+ return polkit.Result.NO;
+ }
+ }
+});
+ </pre>
+ </body>
+</html>
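Review bot: In the "restricting access to a single domain" example the text says the domain is called "demo", but the rule tests action._detail_domain_name == 'busy'; one of the two needs to change, otherwise a reader who copies the rule restricts the user to a different domain than the one the paragraph describes. Smaller points: the virSecretPtr table ends with an empty <tr> row, the heading "Writing acces control policies" and "SASAL" are misspelled, "Fully validation" should be "Full validation", and "an "read only" operation" should be "a".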
diff --git a/docs/auth.html.in b/docs/auth.html.in
index e5703c7..37f2978 100644
--- a/docs/auth.html.in
+++ b/docs/auth.html.in
@@ -2,12 +2,14 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<body>
- <h1 >Authentication & access control</h1>
+ <h1>Connection authentication</h1>
<p>
When connecting to libvirt, some connections may require client
authentication before allowing use of the APIs. The set of possible
authentication mechanisms is administrator controlled, independent
- of applications using libvirt.
+ of applications using libvirt. Once authenticated, libvirt can apply
+ fine grained <a href="acl.html">access control</a> to the operations
+ performed by a client.
</p>
<ul id="toc"></ul>
diff --git a/docs/genaclperms.pl b/docs/genaclperms.pl
new file mode 100644
index 0000000..244a68e
--- /dev/null
+++ b/docs/genaclperms.pl
@@ -0,0 +1,124 @@
+#!/usr/bin/perl
+#
+# Copyright (C) 2013 Red Hat, Inc.
+#
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
+#
+# This library is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public
+# License along with this library. If not, see
+# <http://www.gnu.org/licenses/>.
+#
+
+use strict;
+use warnings;
+
+my @objects = (
+ "CONNECT", "DOMAIN", "INTERFACE",
+ "NETWORK","NODE_DEVICE", "NWFILTER",
+ "SECRET", "STORAGE_POOL", "STORAGE_VOL",
+ );
+
+my %class;
+
+foreach my $object (@objects) {
+ my $class = lc $object;
+
+ $class =~ s/(^\w|_\w)/uc $1/eg;
+ $class =~ s/_//g;
+ $class =~ s/Nwfilter/NWFilter/;
+ $class = "vir" . $class . "Ptr";
+
+ $class{$object} = $class;
+}
+
+my $objects = join ("|", @objects);
+
+my %opts;
+my $in_opts = 0;
+
+my %perms;
+
+while (<>) {
+ if ($in_opts) {
+ if (m,\*/,) {
+ $in_opts = 0;
+ } elsif (/\*\s*\@(\w+):\s*(.*?)\s*$/) {
+ $opts{$1} = $2;
+ }
+ } elsif (m,/\*\*,) {
+ $in_opts = 1;
+ } elsif (/VIR_ACCESS_PERM_($objects)_((?:\w|_)+),/) {
+ my $object = $1;
+ my $perm = lc $2;
+ next if $perm eq "last";
+
+ $perm =~ s/_/-/g;
+
+ $perms{$object} = {} unless exists $perms{$object};
+ $perms{$object}->{$perm} = {
+ desc => $opts{desc},
+ message => $opts{message},
+ anonymous => $opts{anonymous}
+ };
+ %opts = ();
+ }
+}
+
+print <<EOF;
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+ <body>
+EOF
+
+foreach my $object (sort { $a cmp $b } keys %perms) {
+ my $class = $class{$object};
+ my $olink = lc "object_" . $object;
+ print <<EOF;
+<h3><a name="$olink">$class</a></h3>
+<table class="acl">
+ <thead>
+ <tr>
+ <th>Permission</th>
+ <th>Description</th>
+ </tr>
+ </thead>
+ <tbody>
+EOF
+
+ foreach my $perm (sort { $a cmp $b } keys %{$perms{$object}}) {
+ my $description = $perms{$object}->{$perm}->{desc};
+
+ die "missing description for $object.$perm" unless
+ defined $description;
+
+ my $plink = lc "perm_" . $object . "_" . $perm;
+ $plink =~ s/-/_/g;
+
+ print <<EOF;
+ <tr>
+ <td><a name="$plink">$perm</a></td>
+ <td>$description</td>
+ </tr>
+EOF
+
+ }
+
+ print <<EOF;
+ </tbody>
+</table>
+EOF
+}
+
+print <<EOF;
+ </body>
+</html>
+EOF
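Review bot: $perm is rewritten with s/_/-/g before it is stored, so the generated table prints the polkit spelling of each permission while acl.html.in refers to the same permission as search_domains, and the anchor name is then converted back with s/-/_/g; printing the underscore form on acl.html and leaving the hyphen conversion to the polkit page would keep the names consistent with the prose. The "message" and "anonymous" fields are collected into %perms but never used, and $description is interpolated into the XHTML without escaping, so a '<' or '&' in a header comment would produce an include file that is not well-formed.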
diff --git a/docs/newapi.xsl b/docs/newapi.xsl
index 58f12eb..606d244 100644
--- a/docs/newapi.xsl
+++ b/docs/newapi.xsl
@@ -71,8 +71,8 @@
<xsl:template match="check" mode="acl">
<tr>
- <td><xsl:value-of select="@object"/></td>
- <td><xsl:value-of select="@perm"/></td>
+ <td><a href="../acl.html#object_{@object}"><xsl:value-of select="@object"/></a></td>
+ <td><a href="../acl.html#perm_{@object}_{@perm}"><xsl:value-of select="@perm"/></a></td>
<xsl:choose>
<xsl:when test="@flags">
<td><xsl:value-of select="@flags"/></td>
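Review bot: The new hrefs use @object and @perm verbatim, but genaclperms.pl lowercases its anchor names and replaces '-' with '_', so these links only resolve when the attribute values are already in that form; either document that as an invariant of the API XML or normalise the values here with translate(). The "../acl.html" prefix also assumes every page rendered through this template sits exactly one directory below acl.html.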
diff --git a/docs/page.xsl b/docs/page.xsl
index 7da34ff..a2da854 100644
--- a/docs/page.xsl
+++ b/docs/page.xsl
@@ -26,6 +26,10 @@
<xsl:call-template name="toc"/>
</xsl:template>
+ <xsl:template match="html:div[@id='include']" mode="content">
+ <xsl:call-template name="include"/>
+ </xsl:template>
+
<!-- This processes the sitemap to form a context sensitive
navigation menu for the current page -->
<xsl:template match="html:ul" mode="menu">
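Review bot: Matching on html:div[@id='include'] uses the id attribute as a type marker, and ids must be unique within a document, so a page can carry only one include and still be valid; the filename attribute is also not part of the XHTML 1.0 Strict doctype that the .html.in files declare. A class value, or a dedicated element in a separate namespace, would avoid both problems.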
@@ -174,4 +178,11 @@
</html>
</xsl:template>
+ <xsl:template name="include">
+ <xsl:variable name="inchtml">
+ <xsl:copy-of select="document(@filename)"/>
+ </xsl:variable>
+
+ <xsl:apply-templates select="exsl:node-set($inchtml)/html:html/html:body/*" mode="content"/>
+ </xsl:template>
</xsl:stylesheet>
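Review bot: The "include" template has no handling for a missing or unparsable file: when document(@filename) yields nothing, apply-templates runs over an empty set and the permissions table silently disappears from the generated page. An xsl:message with terminate="yes" when the loaded document has no html:body would turn that into a build failure. The copy into $inchtml followed by exsl:node-set() is also unnecessary, since apply-templates can select document(@filename)/html:html/html:body/* directly, which removes the dependency on the exsl namespace being declared in this stylesheet.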
diff --git a/docs/sitemap.html.in b/docs/sitemap.html.in
index fd10caf..a8d2177 100644
--- a/docs/sitemap.html.in
+++ b/docs/sitemap.html.in
@@ -69,6 +69,16 @@
<span>Configure authentication for the libvirt daemon</span>
</li>
<li>
+ <a href="acl.html">Access control</a>
+ <span>Configure access control libvirt APIs</span>
+ <ul>
+ <li>
+ <a href="aclpolkit.html">Polkit access control</a>
+ <span>Using polkit for API access control</span>
+ </li>
+ </ul>
+ </li>
+ <li>
<a href="migration.html">Migration</a>
<span>Migrating guests between machines</span>
</li>
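Review bot: The span text "Configure access control libvirt APIs" is missing a preposition; "Configure access control for libvirt APIs" would match the phrasing of the neighbouring entries.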
--
1.8.1.4
11 years, 2 months
[libvirt] [PATCH v2 0/9] Support qemu-system-arm vexpress-a9
by Cole Robinson
This series adds the bits needed to kick off a qemu-system-arm -machine
vexpress-a9 guest. vexpress-a15 likely works as well but is untested.
Patches 1-3 are related bugfixes/improvements.
Patch 7 adds disk bus=sd, which is often the only way to specify storage
for ARM boards.
Patch 9 adds virtio-mmio address support, which enables virtio
for ARM vexpress machine types.
The rest are mostly about fixing CLI generations. Unfortunately
qemu ARM boards don't quite work like x86 where we can mix and match
devices, so -device is out of the picture (for non-virtio), meaning
we have to fall back to CLI infrastructure like -net nic and -serial.
v2:
Rebased series
Drop patches applied with Laine's series
Add patch 1 and 3
Clarify caveats in a few patch descriptions
Cole Robinson (9):
qemu: Set QEMU_AUDIO_DRV=none with -nographic
qemu: Only setup vhost if virtType == "kvm"
domain_conf: Add default memballon in PostParse callbacks
qemu: Don't add default memballoon device on ARM
qemu: Fix adding specifying char devs for ARM
qemu: Don't try to allocate PCI addresses for ARM
domain_conf: Add disk bus=sd, wire it up for qemu
qemu: Fix networking for ARM guests
qemu: Support virtio-mmio transport for virtio on ARM
docs/formatdomain.html.in | 3 +-
docs/schemas/domaincommon.rng | 20 ++++
src/conf/domain_conf.c | 30 +++--
src/conf/domain_conf.h | 2 +
src/qemu/qemu_capabilities.c | 22 ++++
src/qemu/qemu_capabilities.h | 5 +
src/qemu/qemu_command.c | 131 +++++++++++++++++----
src/qemu/qemu_domain.c | 32 ++++-
src/qemu/qemu_process.c | 37 +++---
src/xen/xen_driver.c | 9 ++
.../qemuxml2argv-arm-vexpressa9-basic.args | 8 ++
.../qemuxml2argv-arm-vexpressa9-basic.xml | 34 ++++++
.../qemuxml2argv-arm-vexpressa9-nodevs.args | 5 +
.../qemuxml2argv-arm-vexpressa9-nodevs.xml | 26 ++++
.../qemuxml2argv-arm-vexpressa9-virtio.args | 14 +++
.../qemuxml2argv-arm-vexpressa9-virtio.xml | 45 +++++++
.../qemuxml2argv-balloon-device-auto.args | 3 +-
.../qemuxml2argv-balloon-device-period.args | 3 +-
.../qemuxml2argv-balloon-device.args | 3 +-
tests/qemuxml2argvdata/qemuxml2argv-bios.args | 2 +-
.../qemuxml2argv-blkdeviotune.args | 3 +-
.../qemuxml2argv-blkiotune-device.args | 3 +-
tests/qemuxml2argvdata/qemuxml2argv-blkiotune.args | 3 +-
.../qemuxml2argvdata/qemuxml2argv-boot-cdrom.args | 3 +-
.../qemuxml2argv-boot-complex-bootindex.args | 2 +-
.../qemuxml2argv-boot-complex.args | 2 +-
.../qemuxml2argvdata/qemuxml2argv-boot-floppy.args | 3 +-
...xml2argv-boot-menu-disable-drive-bootindex.args | 3 +-
.../qemuxml2argv-boot-menu-disable-drive.args | 3 +-
.../qemuxml2argv-boot-menu-disable.args | 3 +-
.../qemuxml2argv-boot-menu-enable.args | 3 +-
.../qemuxml2argvdata/qemuxml2argv-boot-multi.args | 3 +-
.../qemuxml2argv-boot-network.args | 3 +-
.../qemuxml2argvdata/qemuxml2argv-boot-order.args | 3 +-
.../qemuxml2argvdata/qemuxml2argv-bootloader.args | 3 +-
.../qemuxml2argv-channel-guestfwd.args | 3 +-
.../qemuxml2argv-channel-virtio-auto.args | 3 +-
.../qemuxml2argv-channel-virtio.args | 3 +-
.../qemuxml2argv-clock-france.args | 4 +-
.../qemuxml2argv-clock-localtime.args | 3 +-
tests/qemuxml2argvdata/qemuxml2argv-clock-utc.args | 3 +-
.../qemuxml2argv-clock-variable.args | 3 +-
.../qemuxml2argv-console-compat-auto.args | 3 +-
.../qemuxml2argv-console-compat-chardev.args | 3 +-
.../qemuxml2argv-console-compat.args | 3 +-
.../qemuxml2argv-console-sclp.args | 3 +-
.../qemuxml2argv-console-virtio-ccw.args | 3 +-
.../qemuxml2argv-console-virtio-many.args | 3 +-
.../qemuxml2argv-console-virtio-s390.args | 3 +-
.../qemuxml2argv-console-virtio.args | 3 +-
.../qemuxml2argv-cpu-eoi-disabled.args | 3 +-
.../qemuxml2argv-cpu-eoi-enabled.args | 3 +-
.../qemuxml2argvdata/qemuxml2argv-cpu-exact1.args | 3 +-
.../qemuxml2argv-cpu-exact2-nofallback.args | 3 +-
.../qemuxml2argvdata/qemuxml2argv-cpu-exact2.args | 3 +-
.../qemuxml2argv-cpu-fallback.args | 2 +-
.../qemuxml2argv-cpu-host-kvmclock.args | 3 +-
.../qemuxml2argv-cpu-host-model-fallback.args | 2 +-
.../qemuxml2argv-cpu-host-model.args | 2 +-
.../qemuxml2argv-cpu-host-passthrough.args | 2 +-
.../qemuxml2argv-cpu-kvmclock.args | 3 +-
.../qemuxml2argv-cpu-minimum1.args | 3 +-
.../qemuxml2argv-cpu-minimum2.args | 3 +-
tests/qemuxml2argvdata/qemuxml2argv-cpu-numa1.args | 3 +-
tests/qemuxml2argvdata/qemuxml2argv-cpu-numa2.args | 3 +-
.../qemuxml2argvdata/qemuxml2argv-cpu-strict1.args | 3 +-
.../qemuxml2argv-cpu-topology1.args | 3 +-
.../qemuxml2argv-cpu-topology2.args | 3 +-
.../qemuxml2argv-cpu-topology3.args | 3 +-
tests/qemuxml2argvdata/qemuxml2argv-cputune.args | 3 +-
tests/qemuxml2argvdata/qemuxml2argv-disk-aio.args | 3 +-
.../qemuxml2argv-disk-blockio.args | 2 +-
.../qemuxml2argv-disk-cdrom-empty.args | 3 +-
...qemuxml2argv-disk-cdrom-tray-no-device-cap.args | 3 +-
.../qemuxml2argv-disk-cdrom-tray.args | 2 +-
.../qemuxml2argvdata/qemuxml2argv-disk-cdrom.args | 3 +-
.../qemuxml2argv-disk-copy_on_read.args | 2 +-
.../qemuxml2argv-disk-drive-boot-cdrom.args | 3 +-
.../qemuxml2argv-disk-drive-boot-disk.args | 3 +-
.../qemuxml2argv-disk-drive-cache-directsync.args | 3 +-
.../qemuxml2argv-disk-drive-cache-unsafe.args | 3 +-
.../qemuxml2argv-disk-drive-cache-v1-none.args | 3 +-
.../qemuxml2argv-disk-drive-cache-v1-wb.args | 3 +-
.../qemuxml2argv-disk-drive-cache-v1-wt.args | 3 +-
.../qemuxml2argv-disk-drive-cache-v2-none.args | 3 +-
.../qemuxml2argv-disk-drive-cache-v2-wb.args | 3 +-
.../qemuxml2argv-disk-drive-cache-v2-wt.args | 3 +-
.../qemuxml2argv-disk-drive-discard.args | 2 +-
...uxml2argv-disk-drive-error-policy-enospace.args | 3 +-
.../qemuxml2argv-disk-drive-error-policy-stop.args | 3 +-
...gv-disk-drive-error-policy-wreport-rignore.args | 3 +-
.../qemuxml2argv-disk-drive-fat.args | 3 +-
.../qemuxml2argv-disk-drive-fmt-qcow.args | 3 +-
.../qemuxml2argv-disk-drive-network-gluster.args | 3 +-
...qemuxml2argv-disk-drive-network-iscsi-auth.args | 3 +-
.../qemuxml2argv-disk-drive-network-iscsi-lun.args | 2 +-
.../qemuxml2argv-disk-drive-network-iscsi.args | 3 +-
...qemuxml2argv-disk-drive-network-nbd-export.args | 3 +-
...ml2argv-disk-drive-network-nbd-ipv6-export.args | 3 +-
.../qemuxml2argv-disk-drive-network-nbd-ipv6.args | 3 +-
.../qemuxml2argv-disk-drive-network-nbd-unix.args | 3 +-
.../qemuxml2argv-disk-drive-network-nbd.args | 3 +-
.../qemuxml2argv-disk-drive-network-rbd-auth.args | 2 +-
...muxml2argv-disk-drive-network-rbd-ceph-env.args | 4 +-
.../qemuxml2argv-disk-drive-network-rbd-ipv6.args | 2 +-
.../qemuxml2argv-disk-drive-network-rbd.args | 2 +-
.../qemuxml2argv-disk-drive-network-sheepdog.args | 3 +-
.../qemuxml2argv-disk-drive-no-boot.args | 2 +-
.../qemuxml2argv-disk-drive-readonly-disk.args | 3 +-
...qemuxml2argv-disk-drive-readonly-no-device.args | 3 +-
.../qemuxml2argv-disk-drive-shared.args | 3 +-
...emuxml2argv-disk-floppy-tray-no-device-cap.args | 3 +-
.../qemuxml2argv-disk-floppy-tray.args | 2 +-
.../qemuxml2argvdata/qemuxml2argv-disk-floppy.args | 3 +-
.../qemuxml2argv-disk-geometry.args | 3 +-
.../qemuxml2argv-disk-ide-drive-split.args | 2 +-
.../qemuxml2argv-disk-ide-wwn.args | 2 +-
.../qemuxml2argv-disk-ioeventfd.args | 2 +-
tests/qemuxml2argvdata/qemuxml2argv-disk-many.args | 3 +-
.../qemuxml2argvdata/qemuxml2argv-disk-order.args | 3 +-
.../qemuxml2argv-disk-sata-device.args | 3 +-
.../qemuxml2argv-disk-scsi-device-auto.args | 3 +-
.../qemuxml2argv-disk-scsi-device.args | 3 +-
.../qemuxml2argv-disk-scsi-disk-split.args | 2 +-
.../qemuxml2argv-disk-scsi-disk-vpd.args | 2 +-
.../qemuxml2argv-disk-scsi-disk-wwn.args | 2 +-
.../qemuxml2argv-disk-scsi-lun-passthrough.args | 3 +-
.../qemuxml2argv-disk-scsi-megasas.args | 3 +-
.../qemuxml2argv-disk-scsi-virtio-scsi.args | 3 +-
.../qemuxml2argv-disk-scsi-vscsi.args | 3 +-
.../qemuxml2argv-disk-snapshot.args | 3 +-
.../qemuxml2argv-disk-usb-device.args | 3 +-
tests/qemuxml2argvdata/qemuxml2argv-disk-usb.args | 3 +-
.../qemuxml2argv-disk-virtio-ccw-many.args | 3 +-
.../qemuxml2argv-disk-virtio-ccw.args | 3 +-
.../qemuxml2argv-disk-virtio-s390.args | 3 +-
.../qemuxml2argv-disk-virtio-scsi-ccw.args | 3 +-
.../qemuxml2argv-disk-virtio-scsi-num_queues.args | 2 +-
.../qemuxml2argvdata/qemuxml2argv-disk-virtio.args | 3 +-
.../qemuxml2argvdata/qemuxml2argv-disk-xenvbd.args | 3 +-
.../qemuxml2argv-eoi-disabled.args | 3 +-
.../qemuxml2argvdata/qemuxml2argv-eoi-enabled.args | 3 +-
tests/qemuxml2argvdata/qemuxml2argv-event_idx.args | 2 +-
.../qemuxml2argv-floppy-drive-fat.args | 3 +-
tests/qemuxml2argvdata/qemuxml2argv-fs9p.args | 3 +-
.../qemuxml2argv-graphics-vnc-sasl.args | 3 +-
.../qemuxml2argv-graphics-vnc-tls.args | 3 +-
.../qemuxml2argv-graphics-vnc-websocket.args | 3 +-
.../qemuxml2argv-hostdev-pci-address-device.args | 3 +-
.../qemuxml2argv-hostdev-pci-address.args | 3 +-
.../qemuxml2argv-hostdev-scsi-boot.args | 3 +-
.../qemuxml2argv-hostdev-scsi-lsi.args | 3 +-
.../qemuxml2argv-hostdev-scsi-readonly.args | 3 +-
.../qemuxml2argv-hostdev-scsi-virtio-scsi.args | 3 +-
...muxml2argv-hostdev-usb-address-device-boot.args | 3 +-
.../qemuxml2argv-hostdev-usb-address-device.args | 3 +-
.../qemuxml2argv-hostdev-usb-address.args | 3 +-
.../qemuxml2argv-hostdev-vfio.args | 3 +-
tests/qemuxml2argvdata/qemuxml2argv-hugepages.args | 3 +-
.../qemuxml2argvdata/qemuxml2argv-hyperv-off.args | 3 +-
tests/qemuxml2argvdata/qemuxml2argv-hyperv.args | 3 +-
.../qemuxml2argv-input-usbmouse-addr.args | 3 +-
.../qemuxml2argv-input-usbmouse.args | 3 +-
.../qemuxml2argv-input-usbtablet.args | 3 +-
tests/qemuxml2argvdata/qemuxml2argv-kvm.args | 2 +-
.../qemuxml2argv-kvmclock+eoi-disabled.args | 3 +-
tests/qemuxml2argvdata/qemuxml2argv-kvmclock.args | 3 +-
tests/qemuxml2argvdata/qemuxml2argv-lease.args | 3 +-
.../qemuxml2argv-machine-aliases1.args | 2 +-
.../qemuxml2argv-machine-aliases2.args | 3 +-
.../qemuxml2argv-machine-core-off.args | 3 +-
.../qemuxml2argv-machine-core-on.args | 3 +-
.../qemuxml2argv-machine-usb-opt.args | 3 +-
tests/qemuxml2argvdata/qemuxml2argv-memtune.args | 3 +-
tests/qemuxml2argvdata/qemuxml2argv-metadata.args | 3 +-
tests/qemuxml2argvdata/qemuxml2argv-migrate.args | 3 +-
.../qemuxml2argv-minimal-s390.args | 3 +-
tests/qemuxml2argvdata/qemuxml2argv-minimal.args | 3 +-
tests/qemuxml2argvdata/qemuxml2argv-misc-acpi.args | 3 +-
.../qemuxml2argv-misc-disable-s3.args | 3 +-
.../qemuxml2argv-misc-disable-suspends.args | 3 +-
.../qemuxml2argv-misc-enable-s4.args | 3 +-
.../qemuxml2argv-misc-no-reboot.args | 3 +-
tests/qemuxml2argvdata/qemuxml2argv-misc-uuid.args | 3 +-
tests/qemuxml2argvdata/qemuxml2argv-mlock-off.args | 2 +-
tests/qemuxml2argvdata/qemuxml2argv-mlock-on.args | 2 +-
.../qemuxml2argv-mlock-unsupported.args | 2 +-
.../qemuxml2argv-monitor-json.args | 3 +-
.../qemuxml2argv-multifunction-pci-device.args | 3 +-
.../qemuxml2argvdata/qemuxml2argv-net-client.args | 3 +-
.../qemuxml2argv-net-eth-ifname.args | 3 +-
.../qemuxml2argv-net-eth-names.args | 3 +-
tests/qemuxml2argvdata/qemuxml2argv-net-eth.args | 3 +-
.../qemuxml2argv-net-hostdev-vfio.args | 3 +-
.../qemuxml2argvdata/qemuxml2argv-net-hostdev.args | 3 +-
tests/qemuxml2argvdata/qemuxml2argv-net-mcast.args | 3 +-
.../qemuxml2argvdata/qemuxml2argv-net-server.args | 3 +-
tests/qemuxml2argvdata/qemuxml2argv-net-user.args | 3 +-
.../qemuxml2argv-net-virtio-ccw.args | 3 +-
.../qemuxml2argv-net-virtio-device.args | 3 +-
.../qemuxml2argv-net-virtio-netdev.args | 3 +-
.../qemuxml2argv-net-virtio-s390.args | 3 +-
.../qemuxml2argvdata/qemuxml2argv-net-virtio.args | 3 +-
.../qemuxml2argvdata/qemuxml2argv-no-shutdown.args | 2 +-
.../qemuxml2argv-nographics-vga.args | 3 +-
.../qemuxml2argvdata/qemuxml2argv-nographics.args | 3 +-
.../qemuxml2argv-nosharepages.args | 3 +-
...qemuxml2argv-numad-auto-memory-vcpu-cpuset.args | 3 +-
...d-auto-memory-vcpu-no-cpuset-and-placement.args | 3 +-
...muxml2argv-numad-auto-vcpu-static-numatune.args | 3 +-
...qemuxml2argv-numad-static-memory-auto-vcpu.args | 3 +-
tests/qemuxml2argvdata/qemuxml2argv-numad.args | 3 +-
.../qemuxml2argv-numatune-memory.args | 3 +-
.../qemuxml2argv-parallel-parport-chardev.args | 3 +-
.../qemuxml2argv-parallel-tcp-chardev.args | 3 +-
.../qemuxml2argv-parallel-tcp.args | 3 +-
.../qemuxml2argv-pci-autoadd-addr.args | 2 +-
.../qemuxml2argv-pci-autoadd-idx.args | 2 +-
.../qemuxml2argv-pci-bridge-many-disks.args | 3 +-
tests/qemuxml2argvdata/qemuxml2argv-pci-rom.args | 3 +-
tests/qemuxml2argvdata/qemuxml2argv-pcie-root.args | 3 +-
tests/qemuxml2argvdata/qemuxml2argv-ppc-dtb.args | 2 +-
.../qemuxml2argv-pseries-basic.args | 2 +-
.../qemuxml2argv-pseries-nvram.args | 3 +-
.../qemuxml2argv-pseries-usb-default.args | 2 +-
.../qemuxml2argv-pseries-usb-multi.args | 2 +-
.../qemuxml2argv-pseries-vio-user-assigned.args | 2 +-
.../qemuxml2argvdata/qemuxml2argv-pseries-vio.args | 2 +-
tests/qemuxml2argvdata/qemuxml2argv-q35.args | 2 +-
.../qemuxml2argv-qemu-ns-no-env.args | 3 +-
tests/qemuxml2argvdata/qemuxml2argv-qemu-ns.args | 4 +-
.../qemuxml2argv-reboot-timeout-disabled.args | 3 +-
.../qemuxml2argv-reboot-timeout-enabled.args | 3 +-
.../qemuxml2argvdata/qemuxml2argv-restore-v1.args | 3 +-
.../qemuxml2argv-restore-v2-fd.args | 3 +-
.../qemuxml2argvdata/qemuxml2argv-restore-v2.args | 3 +-
.../qemuxml2argv-s390-piix-controllers.args | 2 +-
.../qemuxml2argv-s390-usb-none.args | 2 +-
.../qemuxml2argv-seclabel-dynamic-baselabel.args | 3 +-
.../qemuxml2argv-seclabel-dynamic-override.args | 3 +-
.../qemuxml2argv-seclabel-dynamic.args | 3 +-
.../qemuxml2argv-seclabel-none.args | 3 +-
.../qemuxml2argv-seclabel-static-relabel.args | 3 +-
.../qemuxml2argv-seclabel-static.args | 3 +-
.../qemuxml2argv-serial-dev-chardev.args | 3 +-
.../qemuxml2argvdata/qemuxml2argv-serial-dev.args | 3 +-
.../qemuxml2argv-serial-file-chardev.args | 3 +-
.../qemuxml2argvdata/qemuxml2argv-serial-file.args | 3 +-
.../qemuxml2argv-serial-many-chardev.args | 3 +-
.../qemuxml2argvdata/qemuxml2argv-serial-many.args | 3 +-
.../qemuxml2argv-serial-pty-chardev.args | 3 +-
.../qemuxml2argvdata/qemuxml2argv-serial-pty.args | 3 +-
.../qemuxml2argv-serial-tcp-chardev.args | 3 +-
.../qemuxml2argv-serial-tcp-telnet-chardev.args | 3 +-
.../qemuxml2argv-serial-tcp-telnet.args | 3 +-
.../qemuxml2argvdata/qemuxml2argv-serial-tcp.args | 3 +-
.../qemuxml2argv-serial-udp-chardev.args | 3 +-
.../qemuxml2argvdata/qemuxml2argv-serial-udp.args | 3 +-
.../qemuxml2argv-serial-unix-chardev.args | 3 +-
.../qemuxml2argvdata/qemuxml2argv-serial-unix.args | 3 +-
.../qemuxml2argv-serial-vc-chardev.args | 3 +-
tests/qemuxml2argvdata/qemuxml2argv-serial-vc.args | 3 +-
.../qemuxml2argv-smartcard-controller.args | 3 +-
.../qemuxml2argv-smartcard-host-certificates.args | 3 +-
.../qemuxml2argv-smartcard-host.args | 3 +-
...emuxml2argv-smartcard-passthrough-spicevmc.args | 3 +-
.../qemuxml2argv-smartcard-passthrough-tcp.args | 3 +-
tests/qemuxml2argvdata/qemuxml2argv-smbios.args | 3 +-
tests/qemuxml2argvdata/qemuxml2argv-smp.args | 3 +-
.../qemuxml2argv-sound-device.args | 3 +-
tests/qemuxml2argvdata/qemuxml2argv-sound.args | 3 +-
.../qemuxml2argv-tpm-passthrough.args | 2 +-
.../qemuxml2argv-usb-controller.args | 3 +-
tests/qemuxml2argvdata/qemuxml2argv-usb-hub.args | 3 +-
.../qemuxml2argv-usb-ich9-companion.args | 3 +-
.../qemuxml2argv-usb-ich9-ehci-addr.args | 3 +-
tests/qemuxml2argvdata/qemuxml2argv-usb-none.args | 3 +-
.../qemuxml2argv-usb-piix3-controller.args | 3 +-
tests/qemuxml2argvdata/qemuxml2argv-usb-ports.args | 3 +-
.../qemuxml2argv-usb-redir-boot.args | 3 +-
.../qemuxml2argv-usb-redir-filter.args | 3 +-
tests/qemuxml2argvdata/qemuxml2argv-usb-redir.args | 3 +-
tests/qemuxml2argvdata/qemuxml2argv-usb1-usb2.args | 3 +-
.../qemuxml2argvdata/qemuxml2argv-virtio-lun.args | 2 +-
.../qemuxml2argv-virtio-rng-ccw.args | 3 +-
.../qemuxml2argv-virtio-rng-default.args | 3 +-
.../qemuxml2argv-virtio-rng-egd.args | 3 +-
.../qemuxml2argv-virtio-rng-random.args | 3 +-
.../qemuxml2argv-watchdog-device.args | 3 +-
.../qemuxml2argv-watchdog-dump.args | 3 +-
tests/qemuxml2argvdata/qemuxml2argv-watchdog.args | 3 +-
tests/qemuxml2argvtest.c | 10 ++
.../qemuxmlns-qemu-ns-commandline-ns0.args | 2 +-
.../qemuxmlns-qemu-ns-commandline-ns1.args | 2 +-
.../qemuxmlns-qemu-ns-commandline.args | 2 +-
.../qemuxmlns-qemu-ns-domain-commandline-ns0.args | 2 +-
.../qemuxmlns-qemu-ns-domain-commandline.args | 2 +-
.../qemuxmlns-qemu-ns-domain-ns0.args | 2 +-
tests/qemuxmlnsdata/qemuxmlns-qemu-ns-domain.args | 2 +-
tests/testutilsqemu.c | 33 ++++++
300 files changed, 920 insertions(+), 344 deletions(-)
create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-arm-vexpressa9-basic.args
create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-arm-vexpressa9-basic.xml
create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-arm-vexpressa9-nodevs.args
create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-arm-vexpressa9-nodevs.xml
create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-arm-vexpressa9-virtio.args
create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-arm-vexpressa9-virtio.xml
--
1.8.3.1
11 years, 2 months
[libvirt] [PATCH] Let test_virtlockd.aug find the libvirtd augeas lens
by Guido Günther
Otherwise we fail "make check" like:
GEN check-augeas-virtlockd
Syntax error in lens definition
test_virtlockd.aug:8.8-.20:Could not load module Libvirtd for Libvirtd.lns
test_virtlockd.aug:8.8-.20:Undefined variable Libvirtd.lns
This doesn't show up on systems where libvirtd (and its lenses) are
installed but in a clean chroot.
---
src/Makefile.am | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/Makefile.am b/src/Makefile.am
index d8b943d..bf2ec79 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -1675,7 +1675,8 @@ check-augeas-lockd: test_libvirt_lockd.aug
check-augeas-virtlockd: test_virtlockd.aug
$(AM_V_GEN)if test -x '$(AUGPARSE)'; then \
- '$(AUGPARSE)' -I $(srcdir)/locking test_virtlockd.aug; \
+ '$(AUGPARSE)' -I $(top_srcdir)/daemon/ \
+ -I $(srcdir)/locking test_virtlockd.aug; \
fi
#
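Review bot: The check-augeas-lockd target named in the hunk header is left untouched; please confirm that test_libvirt_lockd.aug does not also reference Libvirtd.lns, otherwise it needs the same -I $(top_srcdir)/daemon to pass in a clean chroot. As a style point, the new include path is written `$(top_srcdir)/daemon/` with a trailing slash while the existing one is `$(srcdir)/locking` without; drop the trailing slash so the two match.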
--
1.8.4.rc3
11 years, 2 months
[libvirt] [PATCH] Change way we fake dbus method calls
by Daniel P. Berrange
From: "Daniel P. Berrange" <berrange(a)redhat.com>
Ubuntu libdbus.so links with -Bsymbolic-functions, which means
that we can only LD_PRELOAD functions that we directly call.
Functions which libdbus.so calls internally can not be replaced.
Thus we cannot use dbus_message_new_error or dbus_message_new_method_return.
Signed-off-by: Daniel P. Berrange <berrange(a)redhat.com>
---
tests/virsystemdmock.c | 26 ++++++++++++++++++--------
1 file changed, 18 insertions(+), 8 deletions(-)
diff --git a/tests/virsystemdmock.c b/tests/virsystemdmock.c
index ded52d2..5dbd33f 100644
--- a/tests/virsystemdmock.c
+++ b/tests/virsystemdmock.c
@@ -65,22 +65,32 @@ dbus_bool_t dbus_message_set_reply_serial(DBusMessage *message ATTRIBUTE_UNUSED,
}
DBusMessage *dbus_connection_send_with_reply_and_block(DBusConnection *connection ATTRIBUTE_UNUSED,
- DBusMessage *message,
+ DBusMessage *message ATTRIBUTE_UNUSED,
int timeout_milliseconds ATTRIBUTE_UNUSED,
DBusError *error)
{
DBusMessage *reply = NULL;
- if (getenv("FAIL_BAD_SERVICE"))
- reply = dbus_message_new_error(message,
- "org.freedesktop.systemd.badthing",
- "Something went wrong creating the machine");
- else if (getenv("FAIL_NO_SERVICE"))
+ if (getenv("FAIL_BAD_SERVICE")) {
+ DBusMessageIter iter;
+ const char *error_message = "Something went wrong creating the machine";
+ if (!(reply = dbus_message_new(DBUS_MESSAGE_TYPE_ERROR)))
+ return NULL;
+ dbus_message_set_error_name(reply, "org.freedesktop.systemd.badthing");
+ dbus_message_iter_init_append(reply, &iter);
+ if (!dbus_message_iter_append_basic(&iter,
+ DBUS_TYPE_STRING,
+ &error_message)) {
+ dbus_message_unref(reply);
+ return NULL;
+ }
+ } else if (getenv("FAIL_NO_SERVICE")) {
dbus_set_error(error,
"org.freedesktop.DBus.Error.ServiceUnknown",
"%s", "The name org.freedesktop.machine1 was not provided by any .service files");
- else
- reply = dbus_message_new_method_return(message);
+ } else {
+ reply = dbus_message_new(DBUS_MESSAGE_TYPE_METHOD_RETURN);
+ }
return reply;
}
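Review bot: In the FAIL_BAD_SERVICE branch the return value of dbus_message_set_error_name() is ignored, while the dbus_message_iter_append_basic() call right after it is checked; both can fail on allocation, so check both and unref the reply in either case. The two new `return NULL` paths also leave `error` unset, so a caller that tells failures apart by the DBusError gets a NULL reply with no error filled in; consider calling dbus_set_error() there, as the FAIL_NO_SERVICE branch does. A one-line comment saying that dbus_message_new() is used because the higher-level constructors cannot be interposed would save the next reader from "simplifying" this back.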
--
1.7.9.5
11 years, 2 months
[libvirt] [PATCH 0/3] Fix bitmap parsing code and add tests
by Peter Krempa
The bitmap parsing code might cause a crash of the application using it.
Fix it and add tests so that it doesn't happen again.
Peter Krempa (3):
virbitmap: Refactor virBitmapParse to avoid access beyond bounds of
array
virbitmaptest: Fix function header formatting
virbitmaptest: Add test for out of bounds condition
src/util/virbitmap.c | 38 +++++++++++++-------------------
tests/virbitmaptest.c | 60 ++++++++++++++++++++++++++++++++++++++++++++-------
2 files changed, 67 insertions(+), 31 deletions(-)
--
1.8.3.2
11 years, 2 months
[libvirt] [PATCHv3 0/6] virsh: More intelligent auto-completion
by Tomas Meszaros
Hi, this patch series is a prototype for my GSoC project (Michal Privoznik
is my mentor).
I'm working on virsh auto-completion, trying to make it more "intelligent".
At this stage, the prototype is capable of command and option completion. Three
completer functions are currently implemented so you can test it. If it turns
out that this prototype is good enough, I will implement more completer functions.
---
v3:
* vshReconnect() is now called only when we reach the point that completion
is being attempted on commands that need a connection
* moved all .completer initializations into 4/6, 5/6 and 6/6
v2:
https://www.redhat.com/archives/libvir-list/2013-August/msg00992.html
v1:
https://www.redhat.com/archives/libvir-list/2013-August/msg00371.html
Tomas Meszaros (6):
virsh: C99 style for info_domfstrim and opts_lxc_enter_namespace
virsh: Add vshCmdCompleter and vshOptCompleter
virsh: Improve readline generators and readline completion
virsh: Add vshDomainCompleter
virsh: Add vshSuspendTargetCompleter
virsh: Add vshRebootShutdownModeCompleter
.gnulib | 2 +-
tools/virsh-domain-monitor.c | 32 ++-
tools/virsh-domain.c | 248 +++++++++++++++++-----
tools/virsh-snapshot.c | 45 +++-
tools/virsh.c | 480 +++++++++++++++++++++++++++++++++++++++++--
tools/virsh.h | 11 +
6 files changed, 725 insertions(+), 93 deletions(-)
--
1.8.3.1
11 years, 2 months
[libvirt] [PATCH V2] Use loop-control to allocate loop device.
by Ian Main
This patch changes virFileLoopDeviceOpen() to use the new loop-control
device to allocate a new loop device. If this behavior is unsupported
we fall back to the previous method of searching /dev for a free device.
With this patch you can start as many image based LXC domains as you
like (well almost).
Fixes bug https://bugzilla.redhat.com/show_bug.cgi?id=995543
V2:
- Modified to use a dedicated error return for loop-control allocation
function.
- Only do fallback if /dev/loop-control does not exist, otherwise return
error.
Signed-off-by: Ian Main <imain(a)redhat.com>
---
configure.ac | 12 +++++++++
src/util/virfile.c | 73 +++++++++++++++++++++++++++++++++++++++++++++++++++++-
2 files changed, 84 insertions(+), 1 deletion(-)
diff --git a/configure.ac b/configure.ac
index ac8cfa1..10cd872 100644
--- a/configure.ac
+++ b/configure.ac
@@ -913,6 +913,18 @@ if test "$with_lxc" = "yes" || test "$with_lxc" = "check"; then
AC_MSG_ERROR([Required kernel features for LXC were not found])
fi
])
+ AC_LINK_IFELSE([AC_LANG_PROGRAM(
+ [[
+ #include <sched.h>
+ #include <linux/loop.h>
+ #include <sys/epoll.h>
+ ]], [[
+ unshare(!(LOOP_CTL_GET_FREE));
+ ]])], [
+ AC_DEFINE([HAVE_DECL_LOOP_CTL_GET_FREE], [1],
+ [Define to 1 if you have the declaration of `LOOP_CTL_GET_FREE',
+ and to 0 if you don't.])
+ ])
fi
if test "$with_lxc" = "yes" ; then
AC_DEFINE_UNQUOTED([WITH_LXC], 1, [whether LXC driver is enabled])
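Review bot: The AC_DEFINE description says the macro is defined "to 0 if you don't" have the declaration, but this block only ever defines HAVE_DECL_LOOP_CTL_GET_FREE to 1 and leaves it undefined otherwise. The probe body `unshare(!(LOOP_CTL_GET_FREE));` and the <sched.h> and <sys/epoll.h> includes are not needed to test for a declaration that comes from <linux/loop.h>. AC_CHECK_DECLS([LOOP_CTL_GET_FREE], [], [], [[#include <linux/loop.h>]]) would express the check directly and define the macro to 1 or 0 as the description promises.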
diff --git a/src/util/virfile.c b/src/util/virfile.c
index 2b07ac9..22a0db5 100644
--- a/src/util/virfile.c
+++ b/src/util/virfile.c
@@ -528,7 +528,56 @@ int virFileUpdatePerm(const char *path,
#if defined(__linux__) && HAVE_DECL_LO_FLAGS_AUTOCLEAR
-static int virFileLoopDeviceOpen(char **dev_name)
+
+#if HAVE_DECL_LOOP_CTL_GET_FREE
+
+/* virFileLoopDeviceOpenLoopCtl() returns -1 when a real failure has occured
+ * while in the process of allocating or opening the loop device. On success
+ * we return 0 and modify the fd to the appropriate file descriptor.
+ * If /dev/loop-control does not exist, we return 0 and do not set fd. */
+
+static int virFileLoopDeviceOpenLoopCtl(char **dev_name, int *fd)
+{
+ int devnr;
+ int ctl_fd;
+ char *looppath = NULL;
+
+ VIR_DEBUG("Opening loop-control device");
+ if ((ctl_fd = open("/dev/loop-control", O_RDWR)) < 0) {
+ virReportSystemError(errno, "%s",
+ _("Unable to open /dev/loop-control"));
+ if (errno == ENOENT) {
+ return 0;
+ }
+ return -1;
+ }
+
+ if ((devnr = ioctl(ctl_fd, LOOP_CTL_GET_FREE)) < 0) {
+ virReportSystemError(errno, "%s",
+ _("Unable to get free loop device via ioctl"));
+ close(ctl_fd);
+ return -1;
+ }
+ close(ctl_fd);
+
+ VIR_DEBUG("Found free loop device number %i", devnr);
+
+ if (virAsprintf(&looppath, "/dev/loop%i", devnr) < 0)
+ return -1;
+
+ if ((*fd = open(looppath, O_RDWR)) < 0) {
+ virReportSystemError(errno,
+ _("Unable to open %s"), looppath);
+ VIR_FREE(looppath);
+ return -1;
+ }
+
+ *dev_name = looppath;
+ return 0;
+}
+#endif /* HAVE_DECL_LOOP_CTL_GET_FREE */
+
+static int virFileLoopDeviceOpenSearch(char **dev_name)
{
int fd = -1;
DIR *dh = NULL;
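Review bot: In virFileLoopDeviceOpenLoopCtl(), the failed open of /dev/loop-control calls virReportSystemError() before testing `errno == ENOENT`, so an error is reported on the very path that then returns 0 to request the fallback, and the ENOENT test reads errno after a call that may have changed it. Test for ENOENT first (or save errno in a local) and report only on the `return -1` path. The "does not exist" case also depends on the caller having initialised the fd to a negative value; setting `*fd = -1` at the top of the function would make the contract in the comment self-contained. Since ctl_fd is closed before /dev/loop%i is opened and the ioctl only yields a device number, the comment should also say what happens if another process takes that device first.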
@@ -601,6 +650,28 @@ cleanup:
return fd;
}
+static int virFileLoopDeviceOpen(char **dev_name)
+{
+ int loop_fd = -1;
+
+#ifdef HAVE_DECL_LOOP_CTL_GET_FREE
+ if (virFileLoopDeviceOpenLoopCtl(dev_name, &loop_fd) < 0)
+ return -1;
+
+ VIR_DEBUG("Return from loop-control got fd %d\n", loop_fd);
+
+ if (loop_fd < 0) {
+ VIR_WARN("loop-control allocation failed, trying search technique.");
+ } else {
+ return loop_fd;
+ }
+#endif /* HAVE_DECL_LOOP_CTL_GET_FREE */
+
+ /* Without the loop control device we just use the old technique. */
+ loop_fd = virFileLoopDeviceOpenSearch(dev_name);
+
+ return loop_fd;
+}
int virFileLoopDeviceAssociate(const char *file,
char **dev)
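Review bot: virFileLoopDeviceOpen() guards the call with `#ifdef HAVE_DECL_LOOP_CTL_GET_FREE`, while the helper in the previous hunk is compiled under `#if HAVE_DECL_LOOP_CTL_GET_FREE`; if the macro is ever defined to 0 the call references a function that was not built, so use `#if` in both places. The VIR_WARN text "loop-control allocation failed" is reached only when the helper returned 0 without setting an fd, which per its comment means /dev/loop-control does not exist, so the message should say that (and VIR_DEBUG is probably enough). The VIR_DEBUG format string carries a trailing "\n" that the other debug calls in this patch do not, and a blank line is missing between the closing brace and virFileLoopDeviceAssociate().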
--
1.8.1.4
11 years, 2 months
[libvirt] [RFC]Libvirt Wireshark Dissector
by Yuto KAWAMURA
Hi libvirt developers,
I would like to ask you to review the dissector for the libvirt RPC
protocol which I've been developing as a Google Summer of
Code 2013 project[1][2][3].
It adds support to Wireshark for dissecting libvirt RPC protocol packets
which are communicated via TCP socket.
This feature was presented by Michal Privoznik the year before last[4],
but it only supported dissecting packet headers.
This time I enhanced that dissector to support dissecting the packet
payload. Furthermore, I provide a code generator for the dissector, so you
can get a fresh build of the dissector from the libvirt RPC specification file
at any version you like.
The dissector can now be built and installed from the repository[3].
All you need to do is:
git clone https://github.com/kawamuray/libvirt-wireshark-dissector.git
cd libvirt-wireshark-dissector
autoreconf --install
./configure && make
sudo make install
The above commands only install a single shared object: $(dirname `which
wireshark`)/../lib/wireshark/plugins/<wireshark version>/libvirt.so .
After rebooting wireshark (or tshark), your wireshark will have support for
dissecting libvirt RPC packets.
Please make sure your libvirtd is listening on port 16509 (the default
libvirtd port) and connect to libvirtd using a TCP socket (e.g.
qemu+tcp:///system).
You can also try another feature: generating the dissector from your libvirt
source tree by adding a few options to ./configure.
Please see the README and the ./configure --help output for more detail.
Please try and review it. Any comments, reviews and patches for the
dissector code, generator code and usability are welcome.
Regards.
kawamuray
[1] http://www.google-melange.com/gsoc/project/google/gsoc2013/kawamuray/7001
[2] http://wiki.qemu.org/Features/LibvirtWiresharkDissector
[3] https://github.com/kawamuray/libvirt-wireshark-dissector
[4] http://www.redhat.com/archives/libvir-list/2011-October/msg00301.html
11 years, 2 months
[libvirt] RFC: btrfs storage pool using subvolumes & snapshots
by Oskari Saarenmaa
I wrote an experimental btrfs storage pool which uses subvolumes (and
optionally snapshots) as storage volumes in LXC domains. The code is
available at https://github.com/saaros/libvirt/compare/btrfs-storage but
it's still missing some features like quotas for the subvolumes
(currently the capacity definition for volumes is ignored) and doesn't
have any documentation so far.
Sample usage:
mkdir /virtual; mkfs.btrfs /dev/vdb; mount -t btrfs /dev/vdb /virtual
virsh pool-create-as testpool btrfs --target /virtual
virsh vol-create-as testpool vanilla 0
echo vanilla > /virtual/vanilla/test
virsh vol-create-as testpool test 0 --backing-vol vanilla
cat /virtual/test/test
btrfs subvolume list /virtual
Does this look like a useful feature and does it make sense to implement
it as a new storage pool type, or should it be merged into an existing
one? I looked at the existing ones and couldn't really figure out how
to make it fit nicely in any of them.
As far as I could tell none of the existing storage pools or volumes
offered a way to create a new copy-on-write volume for easy use in LXC
domains using the libvirt API. With the new btrfs pool I was able to
replace KVM domains using qcow2 volumes with LXC + btrfs with very
few changes to the application code.
Cheers,
Oskari
11 years, 2 months