[libvirt] [PATCH v2 0/4] storage: More uniquely identify NPIV LUNs
by John Ferlan
v1: https://www.redhat.com/archives/libvir-list/2018-December/msg00562.html
but no review until January, see:
https://www.redhat.com/archives/libvir-list/2019-January/msg00079.html
Changes since v1:
* Rework code to have virStorageBackendSCSISerial use the existing
virStorageFileGetSCSIKey
* Then introduce and use virStorageFileGetNPIVKey in order to get a
more unique key for NPIV LUNs. Follows same fallback policy as
SCSI LUNs if the called *Key function either doesn't exist or fails
to return a valid value.
John Ferlan (4):
util: Modify virStorageFileGetSCSIKey return
storage: Rework virStorageBackendSCSISerial
util: Introduce virStorageFileGetNPIVKey
storage: Fetch a unique key for vHBA/NPIV LUNs
src/libvirt_private.syms | 1 +
src/storage/storage_util.c | 45 +++++++----------
src/util/virstoragefile.c | 101 +++++++++++++++++++++++++++++++++++--
src/util/virstoragefile.h | 2 +
4 files changed, 118 insertions(+), 31 deletions(-)
--
2.20.1
[libvirt] [PATCH] tests: Update qemucaps2xml for QEMU 4.0.0 on x86_64
by Andrea Bolognani
Commit fb0d0d6c5492 added capabilities data and updated
qemucapabilitiestest but forgot to update qemucaps2xmltest
at the same time.
Signed-off-by: Andrea Bolognani <abologna(a)redhat.com>
---
*cough* and of course the reviewer didn't notice *cough*
.../qemucaps2xmloutdata/caps_4.0.0.x86_64.xml | 28 +++++++++++++++++++
tests/qemucaps2xmltest.c | 1 +
2 files changed, 29 insertions(+)
create mode 100644 tests/qemucaps2xmloutdata/caps_4.0.0.x86_64.xml
diff --git a/tests/qemucaps2xmloutdata/caps_4.0.0.x86_64.xml b/tests/qemucaps2xmloutdata/caps_4.0.0.x86_64.xml
new file mode 100644
index 0000000000..d41693a001
--- /dev/null
+++ b/tests/qemucaps2xmloutdata/caps_4.0.0.x86_64.xml
@@ -0,0 +1,28 @@
+<capabilities>
+
+ <host>
+ <cpu>
+ <arch>x86_64</arch>
+ </cpu>
+ <power_management/>
+ <iommu support='no'/>
+ </host>
+
+ <guest>
+ <os_type>hvm</os_type>
+ <arch name='x86_64'>
+ <wordsize>64</wordsize>
+ <emulator>/usr/bin/qemu-system-x86_64</emulator>
+ <domain type='qemu'/>
+ <domain type='kvm'/>
+ </arch>
+ <features>
+ <cpuselection/>
+ <deviceboot/>
+ <disksnapshot default='on' toggle='no'/>
+ <acpi default='on' toggle='yes'/>
+ <apic default='on' toggle='no'/>
+ </features>
+ </guest>
+
+</capabilities>
diff --git a/tests/qemucaps2xmltest.c b/tests/qemucaps2xmltest.c
index dd9fc6917a..9d6b6f474c 100644
--- a/tests/qemucaps2xmltest.c
+++ b/tests/qemucaps2xmltest.c
@@ -198,6 +198,7 @@ mymain(void)
DO_TEST("x86_64", "caps_2.12.0");
DO_TEST("x86_64", "caps_3.0.0");
DO_TEST("x86_64", "caps_3.1.0");
+ DO_TEST("x86_64", "caps_4.0.0");
DO_TEST("aarch64", "caps_2.6.0");
DO_TEST("aarch64", "caps_2.10.0");
DO_TEST("aarch64", "caps_2.12.0");
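Review bot: the new DO_TEST line keeps the list in version order after caps_3.1.0, which is the right place; since the commit message says the capabilities data were already added by fb0d0d6c5492, it would help to state in the commit message that caps_4.0.0.x86_64.xml was produced by regenerating the test output (VIR_TEST_REGENERATE_OUTPUT=1) rather than written by hand, so a reviewer knows the expected XML matches the .replies file.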
--
2.20.1
[libvirt] [PATCH 0/5] Override the permissions on /dev/sev when probing
by Erik Skultety
The problem with /dev/sev's default permissions (0600 root:root) is that we
can't make it more permissive at the moment otherwise we'd weaken the security
of SEV and potentially open the door for a DOS attack. Therefore, the
alternative approach is to set CAP_DAC_OVERRIDE capability for the probing QEMU
process (and *only* when probing) so that libvirt truly works with SEV. As a
necessary side job, this series also makes /dev/sev only available to machines
that need it, thus mitigating the possible attack surface even more.
Erik Skultety (5):
qemu: conf: Remove /dev/sev from the default cgroup device acl list
qemu: cgroup: Expose /dev/sev/ only to domains that require SEV
qemu: domain: Add /dev/sev into the domain mount namespace selectively
security: dac: Relabel /dev/sev in the namespace
qemu: caps: Use CAP_DAC_OVERRIDE for probing to avoid permission
issues
docs/drvqemu.html.in | 2 +-
src/qemu/qemu.conf | 2 +-
src/qemu/qemu_capabilities.c | 11 +++++++
src/qemu/qemu_cgroup.c | 21 +++++++++++-
src/qemu/qemu_domain.c | 24 ++++++++++++++
src/qemu/test_libvirtd_qemu.aug.in | 1 -
src/security/security_dac.c | 51 ++++++++++++++++++++++++++++++
src/util/virutil.c | 31 ++++++++++++++++--
8 files changed, 137 insertions(+), 6 deletions(-)
--
2.20.1
[libvirt] [PATCH v2] qemu: Rework setting process affinity
by Michal Privoznik
https://bugzilla.redhat.com/show_bug.cgi?id=1503284
The way we currently start qemu from CPU affinity POV is as
follows:
1) the child process is set affinity to all online CPUs (unless
some vcpu pinning was given in the domain XML)
2) Once qemu is running, cpuset cgroup is configured taking
memory pinning into account
Problem is that we let qemu allocate its memory just anywhere in
1) and then rely on 2) to be able to move the memory to
configured NUMA nodes. This might not always be possible (e.g.
qemu might lock some parts of its memory) and is very suboptimal
(copying large memory between NUMA nodes takes a significant amount
of time).
The solution is to set affinity to one of (in priority order):
- The CPUs associated with NUMA memory affinity mask
- The CPUs associated with emulator pinning
- All online host CPUs
Later (once QEMU has allocated its memory) we then change this
again to (again in priority order):
- The CPUs associated with emulator pinning
- The CPUs returned by numad
- The CPUs associated with vCPU pinning
- All online host CPUs
Signed-off-by: Michal Privoznik <mprivozn(a)redhat.com>
---
diff to v1 (both points suggested by Dan):
- Expanded the commit message
- fixed qemuProcessGetAllCpuAffinity so that it returns online CPU map
only
src/qemu/qemu_process.c | 132 +++++++++++++++++++---------------------
1 file changed, 63 insertions(+), 69 deletions(-)
diff --git a/src/qemu/qemu_process.c b/src/qemu/qemu_process.c
index 7592c98b74..dace5aaca1 100644
--- a/src/qemu/qemu_process.c
+++ b/src/qemu/qemu_process.c
@@ -2435,6 +2435,21 @@ qemuProcessDetectIOThreadPIDs(virQEMUDriverPtr driver,
}
+static int
+qemuProcessGetAllCpuAffinity(virBitmapPtr *cpumapRet)
+{
+ *cpumapRet = NULL;
+
+ if (!virHostCPUHasBitmap())
+ return 0;
+
+ if (!(*cpumapRet = virHostCPUGetOnlineBitmap()))
+ return -1;
+
+ return 0;
+}
+
+
/*
* To be run between fork/exec of QEMU only
*/
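Review bot: qemuProcessGetAllCpuAffinity() returns 0 and leaves *cpumapRet NULL when virHostCPUHasBitmap() is false, so every caller has to treat a NULL map as "nothing to set"; that contract is not written down anywhere. A short comment above the function (and a note that the caller owns the returned bitmap) would make the two call sites added later in this patch easier to audit.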
@@ -2443,9 +2458,9 @@ static int
qemuProcessInitCpuAffinity(virDomainObjPtr vm)
{
int ret = -1;
- virBitmapPtr cpumap = NULL;
virBitmapPtr cpumapToSet = NULL;
- virBitmapPtr hostcpumap = NULL;
+ VIR_AUTOPTR(virBitmap) hostcpumap = NULL;
+ virDomainNumatuneMemMode mem_mode;
qemuDomainObjPrivatePtr priv = vm->privateData;
if (!vm->pid) {
@@ -2454,59 +2469,39 @@ qemuProcessInitCpuAffinity(virDomainObjPtr vm)
return -1;
}
- if (vm->def->placement_mode == VIR_DOMAIN_CPU_PLACEMENT_MODE_AUTO) {
- VIR_DEBUG("Set CPU affinity with advisory nodeset from numad");
- cpumapToSet = priv->autoCpuset;
+ /* Here is the deal, we can't set cpuset.mems before qemu is
+ * started as it clashes with KVM allocation. Therefore, we
+ * used to let qemu allocate its memory anywhere as we would
+ * then move the memory to desired NUMA node via CGroups.
+ * However, that might not be always possible because qemu
+ * might lock some parts of its memory (e.g. due to VFIO).
+ * Even if it possible, memory has to be copied between NUMA
+ * nodes which is suboptimal.
+ * Solution is to set affinity that matches the best what we
+ * would have set in CGroups and then fix it later, once qemu
+ * is already running. */
+ if (virDomainNumaGetNodeCount(vm->def->numa) <= 1 &&
+ virDomainNumatuneGetMode(vm->def->numa, -1, &mem_mode) == 0 &&
+ mem_mode == VIR_DOMAIN_NUMATUNE_MEM_STRICT) {
+ if (virDomainNumatuneMaybeGetNodeset(vm->def->numa,
+ priv->autoNodeset,
+ &cpumapToSet,
+ -1) < 0)
+ goto cleanup;
+ } else if (vm->def->cputune.emulatorpin) {
+ cpumapToSet = vm->def->cputune.emulatorpin;
} else {
- VIR_DEBUG("Set CPU affinity with specified cpuset");
- if (vm->def->cpumask) {
- cpumapToSet = vm->def->cpumask;
- } else {
- /* You may think this is redundant, but we can't assume libvirtd
- * itself is running on all pCPUs, so we need to explicitly set
- * the spawned QEMU instance to all pCPUs if no map is given in
- * its config file */
- int hostcpus;
-
- if (virHostCPUHasBitmap()) {
- hostcpumap = virHostCPUGetOnlineBitmap();
- cpumap = virProcessGetAffinity(vm->pid);
- }
-
- if (hostcpumap && cpumap && virBitmapEqual(hostcpumap, cpumap)) {
- /* we're using all available CPUs, no reason to set
- * mask. If libvirtd is running without explicit
- * affinity, we can use hotplugged CPUs for this VM */
- ret = 0;
- goto cleanup;
- } else {
- /* setaffinity fails if you set bits for CPUs which
- * aren't present, so we have to limit ourselves */
- if ((hostcpus = virHostCPUGetCount()) < 0)
- goto cleanup;
-
- if (hostcpus > QEMUD_CPUMASK_LEN)
- hostcpus = QEMUD_CPUMASK_LEN;
-
- virBitmapFree(cpumap);
- if (!(cpumap = virBitmapNew(hostcpus)))
- goto cleanup;
-
- virBitmapSetAll(cpumap);
-
- cpumapToSet = cpumap;
- }
- }
+ if (qemuProcessGetAllCpuAffinity(&hostcpumap) < 0)
+ goto cleanup;
+ cpumapToSet = hostcpumap;
}
- if (virProcessSetAffinity(vm->pid, cpumapToSet) < 0)
+ if (cpumapToSet &&
+ virProcessSetAffinity(vm->pid, cpumapToSet) < 0)
goto cleanup;
ret = 0;
-
cleanup:
- virBitmapFree(cpumap);
- virBitmapFree(hostcpumap);
return ret;
}
#else /* !defined(HAVE_SCHED_GETAFFINITY) && !defined(HAVE_BSD_CPU_AFFINITY) */
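Review bot: in the STRICT branch virDomainNumatuneMaybeGetNodeset() fills cpumapToSet with a NUMA node set, but the commit message promises "the CPUs associated with NUMA memory affinity mask" and the value is handed straight to virProcessSetAffinity(). Node IDs are not CPU IDs, so a nodeset of {1} would pin QEMU to CPU 1 rather than to the CPUs of node 1; the nodeset needs converting to a CPU map first (libvirt's virNumaGetNodeCPUs() per node, or an equivalent helper). Ownership of the pointer left in cpumapToSet by that branch should also be stated, since only hostcpumap is VIR_AUTOPTR here.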
@@ -2586,7 +2581,8 @@ qemuProcessSetupPid(virDomainObjPtr vm,
qemuDomainObjPrivatePtr priv = vm->privateData;
virDomainNumatuneMemMode mem_mode;
virCgroupPtr cgroup = NULL;
- virBitmapPtr use_cpumask;
+ virBitmapPtr use_cpumask = NULL;
+ VIR_AUTOPTR(virBitmap) hostcpumap = NULL;
char *mem_mask = NULL;
int ret = -1;
@@ -2598,12 +2594,21 @@ qemuProcessSetupPid(virDomainObjPtr vm,
}
/* Infer which cpumask shall be used. */
- if (cpumask)
+ if (cpumask) {
use_cpumask = cpumask;
- else if (vm->def->placement_mode == VIR_DOMAIN_CPU_PLACEMENT_MODE_AUTO)
+ } else if (vm->def->placement_mode == VIR_DOMAIN_CPU_PLACEMENT_MODE_AUTO) {
use_cpumask = priv->autoCpuset;
- else
+ } else if (vm->def->cpumask) {
use_cpumask = vm->def->cpumask;
+ } else {
+ /* You may think this is redundant, but we can't assume libvirtd
+ * itself is running on all pCPUs, so we need to explicitly set
+ * the spawned QEMU instance to all pCPUs if no map is given in
+ * its config file */
+ if (qemuProcessGetAllCpuAffinity(&hostcpumap) < 0)
+ goto cleanup;
+ use_cpumask = hostcpumap;
+ }
/*
* If CPU cgroup controller is not initialized here, then we need
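Review bot: use_cpumask can now be NULL (a host without a CPU bitmap makes qemuProcessGetAllCpuAffinity() return 0 with hostcpumap unset), whereas before this hunk it always held a real bitmap. The continuation `qemuSetupCgroupCpusetCpus(cgroup, use_cpumask) < 0)` visible in the next hunk should be checked for a NULL guard so the cpuset.cpus write is skipped rather than attempted with a NULL bitmap.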
@@ -2628,13 +2633,7 @@ qemuProcessSetupPid(virDomainObjPtr vm,
qemuSetupCgroupCpusetCpus(cgroup, use_cpumask) < 0)
goto cleanup;
- /*
- * Don't setup cpuset.mems for the emulator, they need to
- * be set up after initialization in order for kvm
- * allocations to succeed.
- */
- if (nameval != VIR_CGROUP_THREAD_EMULATOR &&
- mem_mask && virCgroupSetCpusetMems(cgroup, mem_mask) < 0)
+ if (mem_mask && virCgroupSetCpusetMems(cgroup, mem_mask) < 0)
goto cleanup;
}
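Review bot: dropping the `nameval != VIR_CGROUP_THREAD_EMULATOR` exclusion means cpuset.mems is now written for the emulator cgroup as well, which is only safe because this patch moves qemuProcessSetupEmulator() to after QEMU's memory allocation. That ordering constraint was documented by the comment being deleted here and now lives nowhere; a one-line note at this spot (or at the new qemuProcessSetupEmulator() call site) would stop a later reordering of qemuProcessLaunch() from silently reintroducing the KVM allocation failure.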
@@ -6634,12 +6633,7 @@ qemuProcessLaunch(virConnectPtr conn,
/* This must be done after cgroup placement to avoid resetting CPU
* affinity */
- if (!vm->def->cputune.emulatorpin &&
- qemuProcessInitCpuAffinity(vm) < 0)
- goto cleanup;
-
- VIR_DEBUG("Setting emulator tuning/settings");
- if (qemuProcessSetupEmulator(vm) < 0)
+ if (qemuProcessInitCpuAffinity(vm) < 0)
goto cleanup;
VIR_DEBUG("Setting cgroup for external devices (if required)");
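Review bot: the retained comment "This must be done after cgroup placement to avoid resetting CPU affinity" no longer matches the code: with qemuProcessSetupEmulator() moved later, qemuProcessInitCpuAffinity() now runs before the emulator cgroup placement, which is the whole point of the series. Update or drop the comment. Removing the `!vm->def->cputune.emulatorpin` guard is correct, since the function now handles emulatorpin itself.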
@@ -6708,10 +6702,6 @@ qemuProcessLaunch(virConnectPtr conn,
if (qemuProcessUpdateAndVerifyCPU(driver, vm, asyncJob) < 0)
goto cleanup;
- VIR_DEBUG("Setting up post-init cgroup restrictions");
- if (qemuSetupCpusetMems(vm) < 0)
- goto cleanup;
-
VIR_DEBUG("setting up hotpluggable cpus");
if (qemuDomainHasHotpluggableStartupVcpus(vm->def)) {
if (qemuDomainRefreshVcpuInfo(driver, vm, asyncJob, false) < 0)
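Review bot: with this call removed, qemuSetupCpusetMems() has no remaining caller in this file, and the diffstat shows only qemu_process.c changing; if it has no other users it should be deleted from qemu_cgroup.c and qemu_cgroup.h in the same patch rather than left as a dead exported function.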
@@ -6737,6 +6727,10 @@ qemuProcessLaunch(virConnectPtr conn,
if (qemuProcessDetectIOThreadPIDs(driver, vm, asyncJob) < 0)
goto cleanup;
+ VIR_DEBUG("Setting emulator tuning/settings");
+ if (qemuProcessSetupEmulator(vm) < 0)
+ goto cleanup;
+
VIR_DEBUG("Setting global CPU cgroup (if required)");
if (qemuSetupGlobalCpuCgroup(vm) < 0)
goto cleanup;
--
2.19.2
[libvirt] [PATCH 0/4] qemu: Add PCI support for RISC-V guests
by Andrea Bolognani
Now that the QEMU part has been merged, it's time to make the
feature available to libvirt users as well.
Andrea Bolognani (4):
tests: Add capabilities data for QEMU 4.0.0 on RISC-V
qemu: Add PCI support for RISC-V guests
tests: Add test for PCI usage on RISC-V
news: Update for PCI support on RISC-V
docs/news.xml | 10 +
src/qemu/qemu_capabilities.c | 4 +-
src/qemu/qemu_domain.c | 2 +
src/qemu/qemu_domain_address.c | 3 +-
.../caps_4.0.0.riscv32.replies | 17625 ++++++++++++++++
.../caps_4.0.0.riscv32.xml | 180 +
.../caps_4.0.0.riscv64.replies | 17625 ++++++++++++++++
.../caps_4.0.0.riscv64.xml | 180 +
tests/qemucapabilitiestest.c | 2 +
.../caps_4.0.0.riscv32.xml | 25 +
.../caps_4.0.0.riscv64.xml | 25 +
tests/qemucaps2xmltest.c | 2 +
.../riscv64-virt-headless.riscv64-latest.args | 3 +-
tests/qemuxml2argvdata/riscv64-virt-pci.args | 27 +
tests/qemuxml2argvdata/riscv64-virt-pci.xml | 24 +
tests/qemuxml2argvtest.c | 2 +
tests/qemuxml2xmloutdata/riscv64-virt-pci.xml | 28 +
tests/qemuxml2xmltest.c | 2 +
18 files changed, 35766 insertions(+), 3 deletions(-)
create mode 100644 tests/qemucapabilitiesdata/caps_4.0.0.riscv32.replies
create mode 100644 tests/qemucapabilitiesdata/caps_4.0.0.riscv32.xml
create mode 100644 tests/qemucapabilitiesdata/caps_4.0.0.riscv64.replies
create mode 100644 tests/qemucapabilitiesdata/caps_4.0.0.riscv64.xml
create mode 100644 tests/qemucaps2xmloutdata/caps_4.0.0.riscv32.xml
create mode 100644 tests/qemucaps2xmloutdata/caps_4.0.0.riscv64.xml
create mode 100644 tests/qemuxml2argvdata/riscv64-virt-pci.args
create mode 100644 tests/qemuxml2argvdata/riscv64-virt-pci.xml
create mode 100644 tests/qemuxml2xmloutdata/riscv64-virt-pci.xml
--
2.20.1
[libvirt] [cim PATCH] Ensure nul termination of hostname
by Daniel P. Berrangé
Newest GCC warns that the string copying is potentially truncated and
thus not nul terminated.
In file included from /usr/include/string.h:494,
from ../../src/Virt_HostSystem.c:23:
In function ‘strncpy’,
inlined from ‘resolve_host’ at ../../src/Virt_HostSystem.c:55:28,
inlined from ‘get_fqdn’ at ../../src/Virt_HostSystem.c:92:23,
inlined from ‘set_host_system_properties’ at ../../src/Virt_HostSystem.c:109:13:
/usr/include/bits/string_fortified.h:106:10: error: ‘__builtin_strncpy’ specified bound 256 equals destination size [-Werror=stringop-truncation]
106 | return __builtin___strncpy_chk (__dest, __src, __len, __bos (__dest));
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
In function ‘strncpy’,
inlined from ‘resolve_host’ at ../../src/Virt_HostSystem.c:67:17,
inlined from ‘get_fqdn’ at ../../src/Virt_HostSystem.c:92:23,
inlined from ‘set_host_system_properties’ at ../../src/Virt_HostSystem.c:109:13:
/usr/include/bits/string_fortified.h:106:10: error: ‘__builtin_strncpy’ specified bound 256 equals destination size [-Werror=stringop-truncation]
106 | return __builtin___strncpy_chk (__dest, __src, __len, __bos (__dest));
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
cc1: all warnings being treated as errors
Signed-off-by: Daniel P. Berrangé <berrange(a)redhat.com>
---
src/Virt_HostSystem.c | 30 +++++++++++++++---------------
1 file changed, 15 insertions(+), 15 deletions(-)
diff --git a/src/Virt_HostSystem.c b/src/Virt_HostSystem.c
index ebe8184..5bc52ca 100644
--- a/src/Virt_HostSystem.c
+++ b/src/Virt_HostSystem.c
@@ -38,7 +38,7 @@
const static CMPIBroker *_BROKER;
-static int resolve_host(char *host, char *buf, int size)
+static int resolve_host(char *host, int size)
{
struct hostent *he;
int i;
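Review bot: resolve_host() now uses `host` as both the input name and the output buffer, and `size` is the full buffer size including the terminator; a short comment stating that contract would help, because any caller that passed a string literal or a const buffer would now be broken without a compiler diagnostic.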
@@ -52,7 +52,8 @@ static int resolve_host(char *host, char *buf, int size)
for (i = 0; he->h_aliases[i] != NULL; i++) {
if ((strchr(he->h_aliases[i], '.') != NULL) &&
(strstr(he->h_aliases[i], "localhost") == NULL)) {
- strncpy(buf, he->h_aliases[i], size);
+ strncpy(host, he->h_aliases[i], size - 1);
+ host[size - 1] = '\0';
return 0;
}
}
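Review bot: the strncpy() plus explicit `host[size - 1] = '\0'` pair is correct, but it is repeated three times across this patch; a small static helper (or `snprintf(host, size, "%s", ...)`, which always terminates) would keep the truncation handling in one place. Note also that `size - 1` with `int size` goes wrong for size 0; the callers only ever pass sizeof a fixed buffer, so a comment on the precondition is enough.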
@@ -63,12 +64,13 @@ static int resolve_host(char *host, char *buf, int size)
// but also be sure the value isn't empty and that it doesn't
// contain "localhost"
if ((he->h_name != NULL) && (!STREQC(he->h_name, "")) &&
- (strstr(he->h_name, "localhost") == NULL))
- strncpy(buf, he->h_name, size);
- else if ((host != NULL) && (!STREQC(host, "")) &&
- (strstr(host, "localhost") == NULL))
- strncpy(buf, host, size);
- else {
+ (strstr(he->h_name, "localhost") == NULL)) {
+ strncpy(host, he->h_name, size - 1);
+ host[size - 1] = '\0';
+ } else if ((host != NULL) && (!STREQC(host, "")) &&
+ (strstr(host, "localhost") == NULL)) {
+ return 0;
+ } else {
CU_DEBUG("Unable to find valid hostname value.");
return -1;
}
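Review bot: replacing `strncpy(buf, host, size)` with a bare `return 0` preserves behaviour only because `host` is now the output buffer and already holds the gethostname() result; worth a sentence in the commit message, since at first glance this hunk looks like it drops the fallback. The `(host != NULL)` test is now redundant in practice as well: get_fqdn() has already dereferenced `host` via strchr() before calling in.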
@@ -76,20 +78,18 @@ static int resolve_host(char *host, char *buf, int size)
return 0;
}
-static int get_fqdn(char *buf, int size)
+static int get_fqdn(char *host, int size)
{
- char host[256];
int ret = 0;
- if (gethostname(host, sizeof(host)) != 0) {
+ if (gethostname(host, size) != 0) {
CU_DEBUG("gethostname(): %m");
return -1;
}
- if (strchr(host, '.') != NULL)
- strncpy(buf, host, size);
- else
- ret = resolve_host(host, buf, size);
+ if (strchr(host, '.') == NULL) {
+ ret = resolve_host(host, size);
+ }
return ret;
}
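Review bot: gethostname() is not guaranteed to NUL-terminate the buffer when the name is longer than `size` (POSIX leaves that unspecified), so the pattern applied elsewhere in this patch belongs here too: add `host[size - 1] = '\0';` after the successful gethostname() call, before strchr() scans the buffer.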
--
2.20.1
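As an added illustration of the commit message above, not part of the libvirt-cim patch: the unterminated strncpy() pattern beside the patched form, plus a stand-in for resolve_host()'s selection logic (pick_fqdn, the alias list and host names are constructed; no DNS lookup is performed).

```c
#include <string.h>

/* Deliberately small so truncation is easy to trigger; the real code uses
 * 256-byte buffers, which misbehave the same way on longer names. */
#define HOSTBUF 16

/* Before the patch: bound == destination size. If src has HOSTBUF or more
 * characters strncpy() writes no NUL, and a later strlen()/printf("%s") on
 * dst reads past the buffer. Returns 1 if dst is NUL-terminated, else 0. */
static int copy_unterminated(char *dst, size_t size, const char *src)
{
    strncpy(dst, src, size);
    return memchr(dst, '\0', size) != NULL;
}

/* After the patch: copy at most size - 1 bytes and terminate explicitly,
 * so dst is always a valid (possibly truncated) C string. */
static int copy_terminated(char *dst, size_t size, const char *src)
{
    if (size == 0)
        return 0;
    strncpy(dst, src, size - 1);
    dst[size - 1] = '\0';
    return memchr(dst, '\0', size) != NULL;
}

/* Mirrors the selection order of the patched resolve_host(): first alias
 * with a '.' and no "localhost", then the canonical name, then the name
 * already in host. The alias list is a constructed stand-in for struct
 * hostent; host holds the gethostname() result on entry and the chosen
 * FQDN on return, exactly as in the patch. */
static int pick_fqdn(char *host, size_t size, const char *canonical,
                     const char *const *aliases)
{
    for (size_t i = 0; aliases != NULL && aliases[i] != NULL; i++) {
        if (strchr(aliases[i], '.') != NULL &&
            strstr(aliases[i], "localhost") == NULL)
            return copy_terminated(host, size, aliases[i]) ? 0 : -1;
    }
    if (canonical != NULL && canonical[0] != '\0' &&
        strstr(canonical, "localhost") == NULL)
        return copy_terminated(host, size, canonical) ? 0 : -1;
    if (host[0] != '\0' && strstr(host, "localhost") == NULL)
        return 0;   /* keep what gethostname() gave us, as the patch does */
    return -1;
}

/* Constructed input, longer than HOSTBUF so both copies must truncate. */
static const char LONG_NAME[] = "averyveryverylonghostname.example.org";

/* Returns 0: the old pattern leaves no NUL anywhere in the buffer. */
static int demo_old_pattern_terminated(void)
{
    char buf[HOSTBUF];
    return copy_unterminated(buf, sizeof(buf), LONG_NAME);
}

/* Returns HOSTBUF - 1: the new pattern yields a terminated, truncated name. */
static size_t demo_new_pattern_length(void)
{
    char buf[HOSTBUF];
    copy_terminated(buf, sizeof(buf), LONG_NAME);
    return strlen(buf);
}

/* Returns 1: the dotted alias beats a "localhost" canonical name. */
static int demo_pick_alias(void)
{
    static const char *const aliases[] =
        { "localhost.localdomain", "node1.example.com", NULL };
    char host[64] = "node1";   /* as left by gethostname() */
    return pick_fqdn(host, sizeof(host), "localhost", aliases) == 0 &&
           strcmp(host, "node1.example.com") == 0;
}

/* Returns 1: with nothing better, the original short name is kept intact. */
static int demo_pick_fallback(void)
{
    static const char *const aliases[] = { "localhost", NULL };
    char host[64] = "node1";
    return pick_fqdn(host, sizeof(host), "", aliases) == 0 &&
           strcmp(host, "node1") == 0;
}
```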
[libvirt] [cim PATCH] Update description of DMTF schema distribution terms
by Daniel P. Berrangé
The schema files that we actually download & bundle in the tar.gz dist
have removed the clause "for uses consistent with this purpose" which
is good because that clause might be considered a distribution
restriction which could make it a non-free license.
Signed-off-by: Daniel P. Berrangé <berrange(a)redhat.com>
---
base_schema/README.DMTF | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/base_schema/README.DMTF b/base_schema/README.DMTF
index 3e6b164..66da62d 100644
--- a/base_schema/README.DMTF
+++ b/base_schema/README.DMTF
@@ -4,6 +4,5 @@ distribution per the guidelines at the top of the main MOF file:
// DMTF is a not-for-profit association of industry members dedicated
// to promoting enterprise and systems management and interoperability.
-// DMTF specifications and documents may be reproduced for uses
-// consistent with this purpose by members and non-members,
-// provided that correct attribution is given.
+// DMTF specifications and documents may be reproduced by
+// members and non-members, provided that correct attribution is given.
--
2.20.1
[libvirt] [PATCH] network: set mtu as a DHCP option when specified
by Casey Callendrello
This adds an additional directive to the dnsmasq configuration file that
notifies clients via dhcp about the link's MTU. Guests can then choose
to adjust their link accordingly.
Signed-off-by: Casey Callendrello <cdc(a)redhat.com>
---
src/network/bridge_driver.c | 7 ++++++
.../networkxml2confdata/nat-network-mtu.conf | 19 +++++++++++++++
tests/networkxml2confdata/nat-network-mtu.xml | 22 +++++++++++++++++
tests/networkxml2conftest.c | 1 +
tests/networkxml2xmlin/nat-network-mtu.xml | 22 +++++++++++++++++
tests/networkxml2xmlout/nat-network-mtu.xml | 24 +++++++++++++++++++
tests/networkxml2xmltest.c | 1 +
7 files changed, 96 insertions(+)
create mode 100644 tests/networkxml2confdata/nat-network-mtu.conf
create mode 100644 tests/networkxml2confdata/nat-network-mtu.xml
create mode 100644 tests/networkxml2xmlin/nat-network-mtu.xml
create mode 100644 tests/networkxml2xmlout/nat-network-mtu.xml
diff --git a/src/network/bridge_driver.c b/src/network/bridge_driver.c
index 4bbc4f5a6d..81edf72493 100644
--- a/src/network/bridge_driver.c
+++ b/src/network/bridge_driver.c
@@ -1506,6 +1506,13 @@ networkDnsmasqConfContents(virNetworkObjPtr obj,
dctx->addnhostsfile->path);
}
+ /* Configure DHCP to tell clients about the MTU.
+ */
+ if (def->mtu > 0) {
+ virBufferAsprintf(&configbuf, "dhcp-option=option:mtu,%d\n",
+ def->mtu);
+ }
+
/* Are we doing RA instead of radvd? */
if (DNSMASQ_RA_SUPPORT(caps)) {
if (ipv6def) {
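Review bot: `option:mtu` is DHCPv4 option 26 only; DHCPv6 has no MTU option (IPv6 hosts learn it from the Router Advertisement MTU option), so IPv6-only guests on this network will not see the value even though the `ra-only` ranges below are emitted for the same network. Saying so in the commit message and the `<mtu>` documentation would set expectations. Minor: the comment closes `*/` on its own line, unlike the single-line comment style used right after it (`/* Are we doing RA instead of radvd? */`), and if def->mtu is an unsigned int then `%u` is the matching virBufferAsprintf format.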
diff --git a/tests/networkxml2confdata/nat-network-mtu.conf b/tests/networkxml2confdata/nat-network-mtu.conf
new file mode 100644
index 0000000000..91b574b964
--- /dev/null
+++ b/tests/networkxml2confdata/nat-network-mtu.conf
@@ -0,0 +1,19 @@
+##WARNING: THIS IS AN AUTO-GENERATED FILE. CHANGES TO IT ARE LIKELY TO BE
+##OVERWRITTEN AND LOST. Changes to this configuration should be made using:
+## virsh net-edit default
+## or other application using the libvirt API.
+##
+## dnsmasq conf file created by libvirt
+strict-order
+except-interface=lo
+bind-dynamic
+interface=virbr0
+dhcp-range=192.168.122.2,192.168.122.254
+dhcp-no-override
+dhcp-authoritative
+dhcp-lease-max=253
+dhcp-hostsfile=/var/lib/libvirt/dnsmasq/default.hostsfile
+addn-hosts=/var/lib/libvirt/dnsmasq/default.addnhosts
+dhcp-option=option:mtu,7000
+dhcp-range=2001:db8:ac10:fe01::1,ra-only
+dhcp-range=2001:db8:ac10:fd01::1,ra-only
diff --git a/tests/networkxml2confdata/nat-network-mtu.xml b/tests/networkxml2confdata/nat-network-mtu.xml
new file mode 100644
index 0000000000..87b214e95c
--- /dev/null
+++ b/tests/networkxml2confdata/nat-network-mtu.xml
@@ -0,0 +1,22 @@
+<network>
+ <name>default</name>
+ <uuid>81ff0d90-c91e-6742-64da-4a736edb9a9b</uuid>
+ <forward dev='eth1' mode='nat'/>
+ <bridge name='virbr0' stp='on' delay='0'/>
+ <mtu size='7000'/>
+ <ip address='192.168.122.1' netmask='255.255.255.0'>
+ <dhcp>
+ <range start='192.168.122.2' end='192.168.122.254'/>
+ <host mac='00:16:3e:77:e2:ed' name='a.example.com' ip='192.168.122.10'/>
+ <host mac='00:16:3e:3e:a9:1a' name='b.example.com' ip='192.168.122.11'/>
+ </dhcp>
+ </ip>
+ <ip family='ipv4' address='192.168.123.1' netmask='255.255.255.0'>
+ </ip>
+ <ip family='ipv6' address='2001:db8:ac10:fe01::1' prefix='64'>
+ </ip>
+ <ip family='ipv6' address='2001:db8:ac10:fd01::1' prefix='64'>
+ </ip>
+ <ip family='ipv4' address='10.24.10.1'>
+ </ip>
+</network>
diff --git a/tests/networkxml2conftest.c b/tests/networkxml2conftest.c
index 367e30b994..f3b4dafc1b 100644
--- a/tests/networkxml2conftest.c
+++ b/tests/networkxml2conftest.c
@@ -137,6 +137,7 @@ mymain(void)
DO_TEST("nat-network-dns-forwarders", full);
DO_TEST("nat-network-dns-forwarder-no-resolv", full);
DO_TEST("nat-network-dns-local-domain", full);
+ DO_TEST("nat-network-mtu", dhcpv6);
DO_TEST("dhcp6-network", dhcpv6);
DO_TEST("dhcp6-nat-network", dhcpv6);
DO_TEST("dhcp6host-routed-network", dhcpv6);
diff --git a/tests/networkxml2xmlin/nat-network-mtu.xml b/tests/networkxml2xmlin/nat-network-mtu.xml
new file mode 100644
index 0000000000..07d0d9f22d
--- /dev/null
+++ b/tests/networkxml2xmlin/nat-network-mtu.xml
@@ -0,0 +1,22 @@
+<network>
+ <name>default</name>
+ <uuid>81ff0d90-c91e-6742-64da-4a736edb9a9b</uuid>
+ <bridge name="virbr0"/>
+ <mtu size='7000'/>
+ <forward mode="nat" dev="eth1"/>
+ <ip address="192.168.122.1" netmask="255.255.255.0">
+ <dhcp>
+ <range start="192.168.122.2" end="192.168.122.254"/>
+ <host mac="00:16:3e:77:e2:ed" name="a.example.com" ip="192.168.122.10"/>
+ <host mac="00:16:3e:3e:a9:1a" name="b.example.com" ip="192.168.122.11"/>
+ </dhcp>
+ </ip>
+ <ip family="ipv4" address="192.168.123.1" netmask="255.255.255.0">
+ </ip>
+ <ip family="ipv6" address="2001:db8:ac10:fe01::1" prefix="64">
+ </ip>
+ <ip family="ipv6" address="2001:db8:ac10:fd01::1" prefix="64">
+ </ip>
+ <ip family="ipv4" address="10.24.10.1">
+ </ip>
+</network>
diff --git a/tests/networkxml2xmlout/nat-network-mtu.xml b/tests/networkxml2xmlout/nat-network-mtu.xml
new file mode 100644
index 0000000000..715bc1b505
--- /dev/null
+++ b/tests/networkxml2xmlout/nat-network-mtu.xml
@@ -0,0 +1,24 @@
+<network>
+ <name>default</name>
+ <uuid>81ff0d90-c91e-6742-64da-4a736edb9a9b</uuid>
+ <forward dev='eth1' mode='nat'>
+ <interface dev='eth1'/>
+ </forward>
+ <bridge name='virbr0' stp='on' delay='0'/>
+ <mtu size='7000'/>
+ <ip address='192.168.122.1' netmask='255.255.255.0'>
+ <dhcp>
+ <range start='192.168.122.2' end='192.168.122.254'/>
+ <host mac='00:16:3e:77:e2:ed' name='a.example.com' ip='192.168.122.10'/>
+ <host mac='00:16:3e:3e:a9:1a' name='b.example.com' ip='192.168.122.11'/>
+ </dhcp>
+ </ip>
+ <ip family='ipv4' address='192.168.123.1' netmask='255.255.255.0'>
+ </ip>
+ <ip family='ipv6' address='2001:db8:ac10:fe01::1' prefix='64'>
+ </ip>
+ <ip family='ipv6' address='2001:db8:ac10:fd01::1' prefix='64'>
+ </ip>
+ <ip family='ipv4' address='10.24.10.1'>
+ </ip>
+</network>
diff --git a/tests/networkxml2xmltest.c b/tests/networkxml2xmltest.c
index 4e4c7d20a6..b19a365ff4 100644
--- a/tests/networkxml2xmltest.c
+++ b/tests/networkxml2xmltest.c
@@ -141,6 +141,7 @@ mymain(void)
DO_TEST("nat-network-dns-forwarder-no-resolv");
DO_TEST("nat-network-forward-nat-address");
DO_TEST("nat-network-forward-nat-no-address");
+ DO_TEST("nat-network-mtu");
DO_TEST("8021Qbh-net");
DO_TEST("direct-net");
DO_TEST("host-bridge-net");
--
2.17.2
[libvirt] [PATCH 0/3] storagepoolxml2argvtest: delete some lines
by Ján Tomko
Also fix the build on FreeBSD
Ján Tomko (3):
storagepoolxml2argvtest: pass the platform suffix as a string
storagepoolxml2argvtest: introduce DO_TEST_PLATFORM
storagepoolxml2argvtest: run mountopts test conditionally
tests/storagepoolxml2argvtest.c | 76 +++++++++++++++--------------------------
1 file changed, 28 insertions(+), 48 deletions(-)
--
2.16.4
[libvirt] [PATCH v3 0/4] Restructure firewall rules for virtual networks into private chains
by Daniel P. Berrangé
v1: https://www.redhat.com/archives/libvir-list/2018-November/msg00018.html
v2: https://www.redhat.com/archives/libvir-list/2018-December/msg00198.html
The virtual networks in NAT mode are supposed to only allow outbound
network access for guests. Unfortunately due to ordering of the firewall
rules libvirt creates, when you have multiple virtual networks, guests
on the more recently created virtual networks can connect to guests on
old virtual networks.
This was reported way back in 2008 but we always thought the fix would
be very complicated to deal with, so we've been putting it off forever.
In parallel with this there's also been a long standing desire since
2009 to move our firewall rules out of the builtin chains, to libvirt
private chains. This is to make it easier for admins to use hook scripts
to setup rules in the builtin chains that take priority over rules
libvirt creates.
In implementing the changes to use private chains, I suddenly realized
that fixing the network to network traffic blocking problem was trivial
if I grouped the forwarding rules into three distinct sets.
So this series finally fixes an annoying 10-year-old bug, and implements
a 9-year-old RFE.
It may take us a while, but we'll get to your bugs eventually ;-)
Changed in v3:
- Rebase to git master
Changed in v2:
- Detect whether chains already exist before creating them
- Only try to delete legacy rules from builtin chain during startup
Daniel P. Berrangé (4):
network: add platform driver callbacks around firewall reload
util: pass layer into firewall query callback
util: create private chains for virtual network firewall rules
util: move virtual network firewall rules into private chains
src/libvirt_private.syms | 2 +
src/network/bridge_driver.c | 13 +-
src/network/bridge_driver_linux.c | 32 +++
src/network/bridge_driver_nop.c | 11 +
src/network/bridge_driver_platform.h | 3 +
src/nwfilter/nwfilter_ebiptables_driver.c | 17 +-
src/util/virfirewall.c | 2 +-
src/util/virfirewall.h | 1 +
src/util/viriptables.c | 254 +++++++++++++++---
src/util/viriptables.h | 4 +
.../nat-default-linux.args | 32 +--
.../nat-ipv6-linux.args | 48 ++--
.../nat-many-ips-linux.args | 60 ++---
.../nat-no-dhcp-linux.args | 46 ++--
.../nat-tftp-linux.args | 34 +--
.../route-default-linux.args | 22 +-
tests/virfirewalltest.c | 3 +-
17 files changed, 405 insertions(+), 179 deletions(-)
--
2.20.1