[libvirt] [PATCH 0/2] rpc: client: stream bugfix and improvement
by Nikolay Shirokovskiy
Nikolay Shirokovskiy (2):
rpc: client: fix race on stream error and stream creation
rpc: client: stream: notify streams of closing connection
src/rpc/virnetclient.c | 13 ++++++++++---
src/rpc/virnetclientstream.c | 30 ++++++++++++++++++++++++++++--
src/rpc/virnetclientstream.h | 2 ++
3 files changed, 40 insertions(+), 5 deletions(-)
--
1.8.3.1
5 years, 12 months
[libvirt] [PATCH] security: apparmor: make vhost-net access a static rule
by Christian Ehrhardt
So far we were detecting at guest start if any devices needed vhost net
and only if that was true added a rule for /dev/vhost-net.
It turns out that it is an absolutely valid case to start a guest
without any vhost-net networking but later on wanting to hotplug such a
device which then would be denied by apparmor.
Unfortunately there also is no security labeling callback involved other
than the one to /dev/net/tun. But on the other hand vhost-net is no more
new and considered rather safe. Therefore drop the old detection and
just add it as a static rule.
Fixes: https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1815910
Signed-off-by: Christian Ehrhardt <christian.ehrhardt(a)canonical.com>
---
src/security/apparmor/libvirt-qemu | 1 +
src/security/virt-aa-helper.c | 17 +----------------
2 files changed, 2 insertions(+), 16 deletions(-)
diff --git a/src/security/apparmor/libvirt-qemu b/src/security/apparmor/libvirt-qemu
index eaa5167525..a71f34c175 100644
--- a/src/security/apparmor/libvirt-qemu
+++ b/src/security/apparmor/libvirt-qemu
@@ -21,6 +21,7 @@
signal (receive) peer=/usr/sbin/libvirtd,
/dev/net/tun rw,
+ /dev/vhost-net rw,
/dev/kvm rw,
/dev/ptmx rw,
/dev/kqemu rw,
diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c
index 8e22e9978a..ebc4feac77 100644
--- a/src/security/virt-aa-helper.c
+++ b/src/security/virt-aa-helper.c
@@ -937,7 +937,7 @@ get_files(vahControl * ctl)
size_t i;
char *uuid;
char uuidstr[VIR_UUID_STRING_BUFLEN];
- bool needsVfio = false, needsvhost = false;
+ bool needsVfio = false;
/* verify uuid is same as what we were given on the command line */
virUUIDFormat(ctl->def->uuid, uuidstr);
@@ -1248,21 +1248,6 @@ get_files(vahControl * ctl)
}
}
- if (ctl->def->virtType == VIR_DOMAIN_VIRT_KVM) {
- for (i = 0; i < ctl->def->nnets; i++) {
- virDomainNetDefPtr net = ctl->def->nets[i];
- if (net && net->model) {
- if (net->driver.virtio.name == VIR_DOMAIN_NET_BACKEND_TYPE_QEMU)
- continue;
- if (!virDomainNetIsVirtioModel(net))
- continue;
- }
- needsvhost = true;
- }
- }
- if (needsvhost)
- virBufferAddLit(&buf, " \"/dev/vhost-net\" rw,\n");
-
if (needsVfio) {
virBufferAddLit(&buf, " \"/dev/vfio/vfio\" rw,\n");
virBufferAddLit(&buf, " \"/dev/vfio/[0-9]*\" rw,\n");
--
2.17.1
6 years
[libvirt] [PATCH v2 0/3] qemu: don't duplicate suspended events and state changes
by Nikolay Shirokovskiy
Patches 1 and 2 are already Reviewed-by: John. Patch 3 needs Peter comments.
Diff from v1:
============
- minor rebase changes
- minor changes according to review
[1] PATCH v1 : https://www.redhat.com/archives/libvir-list/2018-October/msg00591.html
Nikolay Shirokovskiy (3):
qemu: Pass stop reason from qemuProcessStopCPUs to stop handler
qemu: Map suspended state reason to suspended event detail
qemu: Don't duplicate suspend events and state changes
src/qemu/qemu_domain.c | 34 ++++++++++++++++++++++++++++++++++
src/qemu/qemu_domain.h | 7 +++++++
src/qemu/qemu_driver.c | 26 +++-----------------------
src/qemu/qemu_migration.c | 42 ++++++------------------------------------
src/qemu/qemu_migration.h | 4 ----
src/qemu/qemu_process.c | 38 +++++++++++++++++++++++++-------------
6 files changed, 75 insertions(+), 76 deletions(-)
--
1.8.3.1
6 years
[libvirt] [PATCH v6 00/33] BaselineHypervisorCPU using QEMU QMP exchanges
by Chris Venteicher
Some architectures (S390) depend on QEMU to compute baseline CPU model and
expand a models feature set.
Interacting with QEMU requires starting the QEMU process and completing one or
more query-cpu-model-baseline QMP exchanges with QEMU in addition to a
query-cpu-model-expansion QMP exchange to expand all features in the model.
See "s390x CPU models: exposing features" patch set on Qemu-devel for discussion
of QEMU aspects.
This is part of resolution of: https://bugzilla.redhat.com/show_bug.cgi?id=1511999
-----
v6 addresses these issues from v5:
qemu_process: Move process code from qemu_capabilities to qemu_process
[x] Remove exception statement from commit message
qemu_process: Use qemuProcessQmp prefix
[x] s/ProcessQmp/ProcessQMP/ in this and all subsequent patches
qemu_process: Refer to proc not cmd in process code
[x] Back port indentation fix in qemuProcessQMPRun
qemu_capabilities: Stop QEMU process before freeing
[x] Back port !proc check in qemuProcessQmpStop
qemu_process: Use qemuProcessQmp struct for a single process
[x] Remove extra empty lines
qemu_process: All ProcessQMP errors are fatal
[x] Split into multiple patches
qemu_process: Introduce qemuProcessQmpStart
[x] Log function parameters separately in the first function debug message
[x] Removed NULLSTR check on proc-binary (would fail previously on proc activate)
[x] Back port referring to stderr rather than qmperr in comment
[ ] Combine qemuProcessQmpStop and qemuProcessQmpFree (See reply to v5 email)
emu_process: Collect monitor code in single function
[x] Back port qemuMonitorOpen indent fix to earlier patch
qemu_process: Don't open monitor if process failed
[x] Drop patch
qemu_process: Cleanup qemuProcessQmp alloc function
[x] s/Qemu/QEMU/ in comments for qemuProcessQMPNew
[x] Remove unneeded use of NULLSTR and NULL check before calling qemuProcessQmpFree
qemu_process: Cleanup qemuProcessQmpStop function
[x] Remove lines from from commit message
[x] Remove capitalization from comment
[x] Fix func def to match coding style
[x] Back port !proc check to earlier patch
qemu_process: Catch process free before process stop
[x] Remove capitalization from comment
[x] Don't do proc NULL check in VIR_DEBUG
[ ] Combine qemuProcessQmpStop and qemuProcessQmpFree (See reply to v5 email)
qemu_monitor: Make monitor callbacks optional
[x] Drop patch
qemu_process: Enter QMP command mode when starting QEMU Process
[ ] Don't call qemuMonitorSetCapabilities in qemuProcessQMPConnectMonitor (See reply to v5 email)
qemu_process: Use unique directories for QMP processes
[x] s/qemu./qmp-/ for QMP process directory name prefix
[x] Catch mkdtemp returns NULL
qemu_process: Stop locking QMP process monitor immediately
[x] Drop patch
qemu_monitor: Introduce qemuMonitorCPUModelInfoNew
[x] Use qemuMonitorCPUModelInfoNew to set model name
[x] Drop variable initialization
[x] Use qemuMonitorCPUModelInfoNew in qemuMonitorJSONGetCPUModelExpansion (Pull forward)
[ ] Remove orig NULL check (Unit tests fail if I do this)
qemu_monitor: Introduce qemuMonitorCPUModelInfo / JSON conversion
[x] Make variable initialization easier to read in PropAdd
[x] Require at least one "prop" (don't allow zero in this commit)
qemu_capabilities: Introduce virQEMuCapsMigratablePropsDiff
[x] Remove template txt in commit message
[x] Change function name
[x] Distinguish nmProp from mProp
[x] Don't set cpuData->info to NULL
[ ] Don't use tmp (defer to next patch set... out of time)
qemu_monitor: qemuMonitorGetCPUModelExpansion inputs and outputs CPUModelInfo
[x] Remove extra line from commit message
[x] Change parameter order
[x] Don't use VIR_STEAL_PTR
qemu_capabilities: Introduce CPUModelInfo to virCPUDef function
[x] Change comment
[x] Change parameter order
[x] Separate lines
[x] Move debug message before alloc
[x] Back port function spacing fix from next patch
qemu_capabilities: Introduce virCPUDef to CPUModelInfo function
[x] Change comment
[x] Move debug message before alloc
[x] Remove NULL check on feature->name
[x] Document prop value semantics
Reviewed in v5 but no changes required:
qemu_process: Limit qemuProcessQmpNew to const input strings
qemu_process: Use consistent name for stop process function
qemu_process: Persist stderr in qemuProcessQmp struct
qemu_process: Store libDir in qemuProcessQmp struct
qemu_process: Setup paths within qemuProcessQmpInit
qemu_process: Stop retaining Monitor config in qemuProcessQmp
Not reviewed in v5:
qemu_monitor: Support query-cpu-model-baseline QMP command
qemu_driver: Consolidate code to baseline using libvirt
qemu_driver: Decouple code for baseline using libvirt
qemu_driver: Identify using libvirt as a distinct way to compute baseline
qemu_driver: Support baseline calculation using QEMU
qemu_driver: Support feature expansion via QEMU when baselining cpu
qemu_driver: Remove unsupported props in expanded hypervisor baseline output
qemu_monitor: Default props to migratable when expanding cpu model
-----
v5:
Fixes all process issues identified here:
https://www.redhat.com/archives/libvir-list/2018-November/msg00349.html
- Make the process code generic (not capabilities specific) for use by
BaselineHypervisorCPU
- Many of the process patches are simple code moves with implementation
changes in other distinct patches
- A thread safe library function creates a unique directory under libDir for each QEMU
process (for QMP messaging) to decouple processes in terms of sockets and
file system footprint.
The remaining (non-process) patches in v4 address all issues in v1-v4 of
'BaselineHypervisorCPU using QEMU QMP exchanges'
Thanks,
Chris
*** BLURB HERE ***
Chris Venteicher (33):
qEmu_process: Move process code from qemu_capabilities to qemu_process
qemu_process: Use qemuProcessQMP prefix
qemu_process: Limit qemuProcessQMPNew to const input strings
qemu_process: Refer to proc not cmd in process code
qemu_process: Use consistent name for stop process function
qemu_capabilities: Stop QEMU process before freeing
qemu_process: Use qemuProcessQMP struct for a single process
qemu_process: All ProcessQMP errors are fatal
qemu_process: Expose process exit status code
qemu_process: Persist stderr in qemuProcessQMP struct
qemu_process: Introduce qemuProcessQMPStart
qemu_process: Collect monitor code in single function
qemu_process: Store libDir in qemuProcessQMP struct
qemu_process: Setup paths within qemuProcessQMPInit
qemu_process: Stop retaining Monitor config in qemuProcessQMP
qemu_process: Cleanup qemuProcessQMP alloc function
qemu_process: Cleanup qemuProcessQMPStop function
qemu_process: Catch process free before process stop
qemu_process: Enter QMP command mode when starting QEMU Process
qemu_process: Use unique directories for QMP processes
qemu_monitor: Introduce qemuMonitorCPUModelInfoNew
qemu_monitor: Introduce qemuMonitorCPUModelInfo / JSON conversion
qemu_capabilities: Introduce virQEMuCapsMigratablePropsCalc
qemu_monitor: qemuMonitorGetCPUModelExpansion inputs and outputs
CPUModelInfo
qemu_capabilities: Introduce CPUModelInfo to virCPUDef function
qemu_capabilities: Introduce virCPUDef to CPUModelInfo function
qemu_monitor: Support query-cpu-model-baseline QMP command
qemu_driver: Consolidate code to baseline using libvirt
qemu_driver: Decouple code for baseline using libvirt
qemu_driver: Identify using libvirt as a distinct way to compute
baseline
qemu_driver: Support baseline calculation using QEMU
qemu_driver: Support feature expansion via QEMU when baselining cpu
qemu_monitor: Default props to migratable when expanding cpu model
src/qemu/qemu_capabilities.c | 631 ++++++++----------
src/qemu/qemu_capabilities.h | 4 +
src/qemu/qemu_driver.c | 216 +++++-
src/qemu/qemu_monitor.c | 165 ++++-
src/qemu/qemu_monitor.h | 29 +-
src/qemu/qemu_monitor_json.c | 223 +++++--
src/qemu/qemu_monitor_json.h | 10 +-
src/qemu/qemu_process.c | 345 ++++++++++
src/qemu/qemu_process.h | 32 +
tests/cputest.c | 11 +-
.../caps_2.10.0.s390x.xml | 60 +-
.../caps_2.11.0.s390x.xml | 58 +-
.../caps_2.12.0.s390x.xml | 56 +-
.../qemucapabilitiesdata/caps_2.8.0.s390x.xml | 32 +-
.../qemucapabilitiesdata/caps_2.9.0.s390x.xml | 34 +-
.../qemucapabilitiesdata/caps_3.0.0.s390x.xml | 64 +-
tests/qemucapabilitiestest.c | 7 +
17 files changed, 1375 insertions(+), 602 deletions(-)
--
2.17.1
6 years
[libvirt] [PATCH v2 0/3] qemu: Add support for parallel migration
by Jiri Denemark
This series adds a new VIR_MIGRATE_PARALLEL flag for migration APIs
which will ask the hypervisor to use multiple parallel connections for
migrating a domain. The number of parallel connections can be set using
VIR_MIGRATE_PARAM_PARALLEL_CONNECTIONS typed parameter.
Version 2:
- rebased
Jiri Denemark (3):
Public API for parallel migration
qemu: Add support for parallel migration
virsh: Add options for parallel migration
include/libvirt/libvirt-domain.h | 14 ++++++++++++++
src/qemu/qemu_migration.c | 9 ++++++---
src/qemu/qemu_migration.h | 5 ++++-
src/qemu/qemu_migration_params.c | 18 ++++++++++++++++++
src/qemu/qemu_migration_params.h | 2 ++
tools/virsh-domain.c | 19 +++++++++++++++++++
tools/virsh.pod | 7 +++++++
7 files changed, 70 insertions(+), 4 deletions(-)
--
2.20.1
6 years
[libvirt] [PATCH v2 00/36] network: refactor to decouple virt drivers from network driver
by Daniel P. Berrangé
An update to
v1: https://www.redhat.com/archives/libvir-list/2018-December/msg00681.html
Currently the network driver registers a set of callbacks with the virt
driver in order to handle allocating/releasing network ports associated
with guest NICs.
This series introduces a virNetworkPortPtr object and associated XML
that describes a network port. The virt drivers now call public APIs
associated with this new object to create/delete ports for guest NICs.
Changed in v2:
- Fix many bugs related to upgrades with running VMs
- Convert over bandwidth controls to the new APIs
- Handle reconnecting VIFs to bridges during startup
- Much much more that I can't remember
Daniel P. Berrangé (36):
network: restrict usage of port management APIs
network: pass a virNetworkPtr to port management APIs
conf: simplify link from hostdev back to network device
network: add missing bandwidth limits for bridge forward type
network: use 'bridge' as actual type instead of 'network'
util: add helper method for re-attaching a tap device to a bridge
network: use virNetDevTapReattachBridge API
virt drivers: don't handle type=network after resolving actual network
type
network: move re-attach of bridge device out of network driver
network: move fixup for domain actual net def out of network driver
network: unconditionally merge port profiles
conf: don't pass interface type into virNetDevBandwidthParse
conf: introduce virNetworkPortDefPtr struct and XML support
network: stop passing virDomainNetDefPtr into bandwidth functions
network: make networkLogAllocation independent of domain conf
util: add API for copying virtual port profile data
conf: add APIs to convert virDomainNetDef to virNetworkPortDef
network: convert networkAllocateActualDevice to virNetworkPortDef
network: convert networkNotifyActualDevice to virNetworkPortDef
network: convert networkReleaseActualDevice to virNetworkPortDef
network: convert hook script to take a network port XML
network: remove the virDomainNetBandwidthChangeAllowed callback
network: introduce networkAllocatePort
network: introduce networkNotifyPort
network: introduce networkReleasePort
network: introduce networkUpdatePortBandwidth
network: add public APIs for network port object
access: add permissions for network port objects
remote: add support for new network port APIs
virsh: add support for network port APIs
conf: support recording ports against virNetworkObjPtr
network: add implementation of network port APIs
lxc, libxl: notify network driver of NICs during reconnect
lxc, libxl: save domain status after reconnect
conf: record a portid against the domain conf
conf: switch over to use network port APIs for virt drivers
docs/formatdomain.html.in | 8 +
docs/hooks.html.in | 24 +-
docs/schemas/domaincommon.rng | 5 +
include/libvirt/libvirt-network.h | 122 ++
include/libvirt/virterror.h | 3 +
src/access/genpolkit.pl | 2 +-
src/access/viraccessdriver.h | 6 +
src/access/viraccessdrivernop.c | 11 +
src/access/viraccessdriverpolkit.c | 26 +
src/access/viraccessdriverstack.c | 25 +
src/access/viraccessmanager.c | 16 +
src/access/viraccessmanager.h | 6 +
src/access/viraccessperm.c | 6 +
src/access/viraccessperm.h | 44 +
src/conf/Makefile.inc.am | 2 +
src/conf/domain_conf.c | 558 ++++++-
src/conf/domain_conf.h | 63 +-
src/conf/netdev_bandwidth_conf.c | 22 +-
src/conf/netdev_bandwidth_conf.h | 2 +-
src/conf/network_conf.c | 4 +-
src/conf/virnetworkobj.c | 303 ++++
src/conf/virnetworkobj.h | 34 +
src/conf/virnetworkportdef.c | 514 +++++++
src/conf/virnetworkportdef.h | 112 ++
src/datatypes.c | 60 +
src/datatypes.h | 41 +
src/driver-network.h | 41 +
src/libvirt-network.c | 444 ++++++
src/libvirt_private.syms | 24 +-
src/libvirt_public.syms | 16 +
src/libxl/libxl_conf.c | 21 +-
src/libxl/libxl_domain.c | 28 +-
src/libxl/libxl_driver.c | 60 +-
src/lxc/lxc_driver.c | 37 +-
src/lxc/lxc_process.c | 56 +-
src/network/bridge_driver.c | 1364 +++++++++--------
src/qemu/qemu_command.c | 11 +-
src/qemu/qemu_domain_address.c | 4 +-
src/qemu/qemu_driver.c | 10 +-
src/qemu/qemu_hotplug.c | 84 +-
src/qemu/qemu_hotplug.h | 2 +-
src/qemu/qemu_interface.c | 12 +-
src/qemu/qemu_process.c | 32 +-
src/remote/remote_daemon_dispatch.c | 73 +
src/remote/remote_driver.c | 69 +
src/remote/remote_protocol.x | 124 +-
src/remote_protocol-structs | 69 +
src/rpc/gendispatch.pl | 18 +-
src/util/virerror.c | 9 +
src/util/virhook.c | 4 +-
src/util/virhook.h | 4 +-
src/util/virhostdev.c | 17 +-
src/util/virnetdevtap.c | 69 +
src/util/virnetdevtap.h | 12 +
src/util/virnetdevvportprofile.c | 16 +
src/util/virnetdevvportprofile.h | 2 +
tests/Makefile.am | 7 +
.../net-virtio-network-portgroup.xml | 6 +-
tests/virnetdevbandwidthtest.c | 2 +-
.../plug-bridge-mactbl.xml | 9 +
.../virnetworkportxml2xmldata/plug-bridge.xml | 12 +
.../virnetworkportxml2xmldata/plug-direct.xml | 12 +
.../plug-hostdev-pci.xml | 12 +
tests/virnetworkportxml2xmldata/plug-none.xml | 8 +
tests/virnetworkportxml2xmltest.c | 104 ++
tools/virsh-completer.c | 51 +
tools/virsh-completer.h | 4 +
tools/virsh-network.c | 399 ++++-
tools/virsh-network.h | 5 +
69 files changed, 4532 insertions(+), 850 deletions(-)
create mode 100644 src/conf/virnetworkportdef.c
create mode 100644 src/conf/virnetworkportdef.h
create mode 100644 tests/virnetworkportxml2xmldata/plug-bridge-mactbl.xml
create mode 100644 tests/virnetworkportxml2xmldata/plug-bridge.xml
create mode 100644 tests/virnetworkportxml2xmldata/plug-direct.xml
create mode 100644 tests/virnetworkportxml2xmldata/plug-hostdev-pci.xml
create mode 100644 tests/virnetworkportxml2xmldata/plug-none.xml
create mode 100644 tests/virnetworkportxml2xmltest.c
--
2.20.1
6 years
[libvirt] [PATCH v5] openvswitch: Add new port VLAN mode "802.1ad"
by ZhiPeng LU
This patch adds functionality to allow libvirt to configure the '802.1ad'
modes(802.1ad double-tagged) on openvswitch networks.
For example:
<interface type='bridge'>
<mac address='2c:da:41:1d:05:42'/>
<source bridge='ovs0'/>
<vlan>
<tag id='41' nativeMode='dot1q-tunnel'/>
</vlan>
<virtualport type='openvswitch'>
<parameters interfaceid='6401a152-0b99-40b5-92be-858810aa6d37'/>
</virtualport>
<model type='virtio'/>
<driver name='vhost'/>
<alias name='net0'/>
</interface>
Signed-off-by: ZhiPeng Lu <luzhipeng(a)uniudc.com>
---
v1->v2:
1. Fix "make syntax-check" failure
v2->v3:
1. remove other_config when updating vlan
v3->v4:
1. add commit message that has a brief description of the new
feature
2. add tests for 'dot1q-tunnel' vlan mode
v4->v5:
1. modify some description and format
v4-resend:
https://www.redhat.com/archives/libvir-list/2019-February/msg00988.html
docs/formatdomain.html.in | 33 +++++++++++++++-------
docs/formatnetwork.html.in | 26 ++++++++++-------
docs/schemas/networkcommon.rng | 1 +
src/conf/netdev_vlan_conf.c | 2 +-
src/util/virnetdevopenvswitch.c | 7 +++++
src/util/virnetdevvlan.h | 1 +
tests/networkxml2xmlin/openvswitch-net.xml | 9 ++++++
tests/networkxml2xmlout/openvswitch-net.xml | 9 ++++++
.../openvswitch-net-modified.xml | 9 ++++++
.../openvswitch-net-more-portgroups.xml | 9 ++++++
.../openvswitch-net-without-alice.xml | 9 ++++++
11 files changed, 94 insertions(+), 21 deletions(-)
diff --git a/docs/formatdomain.html.in b/docs/formatdomain.html.in
index b848e53..253f329 100644
--- a/docs/formatdomain.html.in
+++ b/docs/formatdomain.html.in
@@ -6097,6 +6097,13 @@ qemu-kvm -net nic,model=? /dev/null
<b></vlan></b>
...
</interface>
+ <interface type='bridge'>
+ <b><vlan trunk='yes'></b>
+ <b><tag id='42'/></b>
+ <b><tag id='555' nativeMode='802.1ad'/></b>
+ <b></vlan></b>
+ ...
+ </interface>
</devices>
...</pre>
@@ -6132,16 +6139,22 @@ qemu-kvm -net nic,model=? /dev/null
</p>
<p>
For network connections using Open vSwitch it is also possible
- to configure 'native-tagged' and 'native-untagged' VLAN modes
- <span class="since">Since 1.1.0.</span> This is done with the
- optional <code>nativeMode</code> attribute on
- the <code><tag></code> subelement: <code>nativeMode</code>
- may be set to 'tagged' or 'untagged'. The <code>id</code>
- attribute of the <code><tag></code> subelement
- containing <code>nativeMode</code> sets which VLAN is considered
- to be the "native" VLAN for this interface, and
- the <code>nativeMode</code> attribute determines whether or not
- traffic for that VLAN will be tagged.
+ to configure the following VLAN modes:
+ </p>
+ <ul>
+ <li>'tagged' <span class="since">Since 1.1.0.</span></li>
+ <li>'untagged' <span class="since">Since 1.1.0.</span></li>
+ <li>'802.1ad' <span class="since">Since 5.1.0.</span></li>
+ </ul>
+ <p>
+ This is done with the optional <code>nativeMode</code> attribute
+ on the <code><tag></code> subelement. The attribute may be
+ set to a string from the above list. The <code>id</code> attribute
+ of the <code><tag></code> subelement containing
+ <code>nativeMode</code> sets which VLAN is considered to be the
+ "native" VLAN for this interface and the <code>nativeMode</code>
+ attribute determines whether or not traffic for that VLAN will be
+ tagged or 802.1ad double tagged.
</p>
<h5><a id="elementLink">Modifying virtual link state</a></h5>
diff --git a/docs/formatnetwork.html.in b/docs/formatnetwork.html.in
index 509cca9..eea86f4 100644
--- a/docs/formatnetwork.html.in
+++ b/docs/formatnetwork.html.in
@@ -705,16 +705,22 @@
</p>
<p>
For network connections using Open vSwitch it is also possible
- to configure 'native-tagged' and 'native-untagged' VLAN modes
- <span class="since">Since 1.1.0.</span> This is done with the
- optional <code>nativeMode</code> attribute on
- the <code><tag></code> subelement: <code>nativeMode</code>
- may be set to 'tagged' or 'untagged'. The <code>id</code>
- attribute of the <code><tag></code> subelement
- containing <code>nativeMode</code> sets which VLAN is considered
- to be the "native" VLAN for this interface, and
- the <code>nativeMode</code> attribute determines whether or not
- traffic for that VLAN will be tagged.
+ to configure the following VLAN modes:
+ </p>
+ <ul>
+ <li>'tagged' <span class="since">Since 1.1.0.</span></li>
+ <li>'untagged' <span class="since">Since 1.1.0.</span></li>
+ <li>'802.1ad' <span class="since">Since 5.1.0.</span></li>
+ </ul>
+ <p>
+ This is done with the optional <code>nativeMode</code> attribute
+ on the <code><tag></code> subelement. The attribute may be
+ set to a string from the above list. The <code>id</code> attribute
+ of the <code><tag></code> subelement containing
+ <code>nativeMode</code> sets which VLAN is considered to be the
+ "native" VLAN for this interface and the <code>nativeMode</code>
+ attribute determines whether or not traffic for that VLAN will be
+ tagged or 802.1ad double tagged.
</p>
<p>
<code><vlan></code> elements can also be specified in
diff --git a/docs/schemas/networkcommon.rng b/docs/schemas/networkcommon.rng
index 2699555..7262783 100644
--- a/docs/schemas/networkcommon.rng
+++ b/docs/schemas/networkcommon.rng
@@ -223,6 +223,7 @@
<choice>
<value>tagged</value>
<value>untagged</value>
+ <value>802.1ad</value>
</choice>
</attribute>
</optional>
diff --git a/src/conf/netdev_vlan_conf.c b/src/conf/netdev_vlan_conf.c
index 57d73ed..54e2b02 100644
--- a/src/conf/netdev_vlan_conf.c
+++ b/src/conf/netdev_vlan_conf.c
@@ -25,7 +25,7 @@
#define VIR_FROM_THIS VIR_FROM_NONE
VIR_ENUM_IMPL(virNativeVlanMode, VIR_NATIVE_VLAN_MODE_LAST,
- "default", "tagged", "untagged",
+ "default", "tagged", "untagged", "802.1ad",
);
int
diff --git a/src/util/virnetdevopenvswitch.c b/src/util/virnetdevopenvswitch.c
index 4fa3a57..d8268bc 100644
--- a/src/util/virnetdevopenvswitch.c
+++ b/src/util/virnetdevopenvswitch.c
@@ -85,6 +85,11 @@ virNetDevOpenvswitchConstructVlans(virCommandPtr cmd, virNetDevVlanPtr virtVlan)
virCommandAddArg(cmd, "vlan_mode=native-untagged");
virCommandAddArgFormat(cmd, "tag=%d", virtVlan->nativeTag);
break;
+ case VIR_NATIVE_VLAN_MODE_8021AD:
+ virCommandAddArg(cmd, "vlan_mode=dot1q-tunnel");
+ virCommandAddArg(cmd, "other_config:qinq-ethtype=802.1q");
+ virCommandAddArgFormat(cmd, "tag=%d", virtVlan->nativeTag);
+ break;
case VIR_NATIVE_VLAN_MODE_DEFAULT:
default:
break;
@@ -498,6 +503,8 @@ int virNetDevOpenvswitchUpdateVlan(const char *ifname,
"--", "--if-exists", "clear", "Port", ifname, "tag",
"--", "--if-exists", "clear", "Port", ifname, "trunk",
"--", "--if-exists", "clear", "Port", ifname, "vlan_mode",
+ "--", "--if-exists", "remove", "Port", ifname,
+ "other_config", "qinq-ethtype",
"--", "--if-exists", "set", "Port", ifname, NULL);
if (virNetDevOpenvswitchConstructVlans(cmd, virtVlan) < 0)
diff --git a/src/util/virnetdevvlan.h b/src/util/virnetdevvlan.h
index 2a13759..54109c6 100644
--- a/src/util/virnetdevvlan.h
+++ b/src/util/virnetdevvlan.h
@@ -27,6 +27,7 @@ typedef enum {
VIR_NATIVE_VLAN_MODE_DEFAULT = 0,
VIR_NATIVE_VLAN_MODE_TAGGED,
VIR_NATIVE_VLAN_MODE_UNTAGGED,
+ VIR_NATIVE_VLAN_MODE_8021AD,
VIR_NATIVE_VLAN_MODE_LAST
} virNativeVlanMode;
diff --git a/tests/networkxml2xmlin/openvswitch-net.xml b/tests/networkxml2xmlin/openvswitch-net.xml
index 2f6084d..5734d36 100644
--- a/tests/networkxml2xmlin/openvswitch-net.xml
+++ b/tests/networkxml2xmlin/openvswitch-net.xml
@@ -30,4 +30,13 @@
<parameters profileid='native-profile'/>
</virtualport>
</portgroup>
+ <portgroup name='8021ad'>
+ <vlan trunk='yes'>
+ <tag id='555' nativeMode='802.1ad'/>
+ <tag id='666'/>
+ </vlan>
+ <virtualport>
+ <parameters profileid='8021ad-profile'/>
+ </virtualport>
+ </portgroup>
</network>
diff --git a/tests/networkxml2xmlout/openvswitch-net.xml b/tests/networkxml2xmlout/openvswitch-net.xml
index 2f6084d..5734d36 100644
--- a/tests/networkxml2xmlout/openvswitch-net.xml
+++ b/tests/networkxml2xmlout/openvswitch-net.xml
@@ -30,4 +30,13 @@
<parameters profileid='native-profile'/>
</virtualport>
</portgroup>
+ <portgroup name='8021ad'>
+ <vlan trunk='yes'>
+ <tag id='555' nativeMode='802.1ad'/>
+ <tag id='666'/>
+ </vlan>
+ <virtualport>
+ <parameters profileid='8021ad-profile'/>
+ </virtualport>
+ </portgroup>
</network>
diff --git a/tests/networkxml2xmlupdateout/openvswitch-net-modified.xml b/tests/networkxml2xmlupdateout/openvswitch-net-modified.xml
index cc0c344..ed605bf 100644
--- a/tests/networkxml2xmlupdateout/openvswitch-net-modified.xml
+++ b/tests/networkxml2xmlupdateout/openvswitch-net-modified.xml
@@ -30,4 +30,13 @@
<parameters profileid='native-profile'/>
</virtualport>
</portgroup>
+ <portgroup name='8021ad'>
+ <vlan trunk='yes'>
+ <tag id='555' nativeMode='802.1ad'/>
+ <tag id='666'/>
+ </vlan>
+ <virtualport>
+ <parameters profileid='8021ad-profile'/>
+ </virtualport>
+ </portgroup>
</network>
diff --git a/tests/networkxml2xmlupdateout/openvswitch-net-more-portgroups.xml b/tests/networkxml2xmlupdateout/openvswitch-net-more-portgroups.xml
index 7c19ad9..0237e42 100644
--- a/tests/networkxml2xmlupdateout/openvswitch-net-more-portgroups.xml
+++ b/tests/networkxml2xmlupdateout/openvswitch-net-more-portgroups.xml
@@ -41,4 +41,13 @@
<parameters profileid='native-profile'/>
</virtualport>
</portgroup>
+ <portgroup name='8021ad'>
+ <vlan trunk='yes'>
+ <tag id='555' nativeMode='802.1ad'/>
+ <tag id='666'/>
+ </vlan>
+ <virtualport>
+ <parameters profileid='8021ad-profile'/>
+ </virtualport>
+ </portgroup>
</network>
diff --git a/tests/networkxml2xmlupdateout/openvswitch-net-without-alice.xml b/tests/networkxml2xmlupdateout/openvswitch-net-without-alice.xml
index 4104424..cb9d12d 100644
--- a/tests/networkxml2xmlupdateout/openvswitch-net-without-alice.xml
+++ b/tests/networkxml2xmlupdateout/openvswitch-net-without-alice.xml
@@ -20,4 +20,13 @@
<parameters profileid='native-profile'/>
</virtualport>
</portgroup>
+ <portgroup name='8021ad'>
+ <vlan trunk='yes'>
+ <tag id='555' nativeMode='802.1ad'/>
+ <tag id='666'/>
+ </vlan>
+ <virtualport>
+ <parameters profileid='8021ad-profile'/>
+ </virtualport>
+ </portgroup>
</network>
--
1.8.3.1
6 years
[libvirt] [PATCH] vz: build fix for virStorageBackendVzPoolStart
by Nikolay Shirokovskiy
Remove unused variable. Fix for [1]
[1] 821dd6d8: storage: Use VIR_AUTOFREE for storage backends
Signed-off-by: Nikolay Shirokovskiy <nshirokovskiy(a)virtuozzo.com>
---
Pushed as trivial build fix.
src/storage/storage_backend_vstorage.c | 1 -
1 file changed, 1 deletion(-)
diff --git a/src/storage/storage_backend_vstorage.c b/src/storage/storage_backend_vstorage.c
index df157a4..d446aa2 100644
--- a/src/storage/storage_backend_vstorage.c
+++ b/src/storage/storage_backend_vstorage.c
@@ -37,7 +37,6 @@ virStorageBackendVzPoolBuild(virStoragePoolObjPtr pool,
static int
virStorageBackendVzPoolStart(virStoragePoolObjPtr pool)
{
- int ret = -1;
virStoragePoolDefPtr def = virStoragePoolObjGetDef(pool);
VIR_AUTOFREE(char *) grp_name = NULL;
VIR_AUTOFREE(char *) usr_name = NULL;
--
1.8.3.1
6 years
[libvirt] [PATCH v2 00/25] qemu: virtio-{non-}transitional support
by Cole Robinson
v1 libvirt patches:
https://www.redhat.com/archives/libvir-list/2019-January/msg00593.html
Previous incomplete RFC here:
https://www.redhat.com/archives/libvir-list/2019-January/msg00346.html
qemu patches, queued for qemu 4.0.0:
https://lists.gnu.org/archive/html/qemu-devel/2018-12/msg00923.html
Previous libvirt discussion around this:
https://www.redhat.com/archives/libvir-list/2018-August/msg01073.html
Long story short we need to expose these options so apps have a
usable way to support rhel6 + virtio + q35. This series exposes
the new devices as model= values. This required adding new
model= attributes for several devices. See v1 posting for a summary
of the XML changes introduced, mostly it's adding virtio-transitional
and virtio-non-transitional to existing model= enums, and adding
model= XML attributes for devices that don't have them (disk, fs,
input)
Changes from v1:
- <filesystem> models are now named virtio-9p, virtio-9p-transitional,
virtio-9p-non-transitional. This is to avoid ambiguity as in the near
future we will likely add virtio-fs <filesystem> support
- Cleanup and prep work is separated into separate patches and front
loaded into the series.
- qemu caps additions are separated from the qemu_command.c patches,
and squashed together upfront.
- virDomainDeviceSetData is added to make it easier to compose a
virDomainDeviceDef on the fly. This is used for the transitional cli
building but can be useful elsewhere too, but that's for another
series.
- Lots of small improvements and fixes suggested by Andrea.
Thanks,
Cole
Cole Robinson (25):
conf: Set net->model earlier
conf: Add virDomainNetIsVirtioModel
qemu: Move <memballoon> validation out of qemu_command.c
qemu: Move <rng> validation out of qemu_command.c
qemu: command: Make vhost-scsi device string depend on address
qemu: command: Convert vhost-{vsock,scsi} to qemuBuildVirtioDevStr
conf: Add virDomainDeviceSetData
qemu: command: Make BuildVirtioDevStr more generic
qemu: command: Add qemuCaps to BuildVirtioStr
qemu: capabilities: Add virtio/vhost {non-}transitional
conf: Add <disk model='virtio-{non-}transitional'/>
qemu: Support disk model=virtio-{non-}transitional
qemu: Support interface model=virtio-{non-}transitional
conf: Add <hostdev model='virtio-{non-}transitional'/>
qemu: Support hostdev model=virtio-{non-}transitional
qemu: Support rng model=virtio-{non-}transitional
conf: Add <filesystem model='virtio-9p-{non-}transitional'/>
qemu: Support filesystem model=virtio-9p-{non-}transitional
qemu: Support memballoon model=virtio-{non-}transitional
qemu: Support vsock model=virtio-{non-}transitional
conf: Add <input model='virtio-{non-}transitional'/>
qemu: Support input model=virtio-{non-}transitional
qemu: Support virtio-serial controller model=virtio-{non-}transitional
qemu: Support scsi controller model=virtio-{non-}transitional
qemu: domcaps: Report disk <enum name="model">
docs/formatdomain.html.in | 39 ++-
docs/schemas/domaincommon.rng | 61 +++-
src/conf/domain_capabilities.c | 1 +
src/conf/domain_capabilities.h | 1 +
src/conf/domain_conf.c | 328 ++++++++++++++++--
src/conf/domain_conf.h | 67 ++++
src/libvirt_private.syms | 6 +
src/libxl/libxl_conf.c | 2 +
src/qemu/qemu_capabilities.c | 61 ++++
src/qemu/qemu_capabilities.h | 28 ++
src/qemu/qemu_command.c | 252 +++++++++++---
src/qemu/qemu_domain.c | 79 ++++-
src/qemu/qemu_domain_address.c | 97 ++++--
src/qemu/qemu_driver.c | 17 +-
src/qemu/qemu_hotplug.c | 2 +-
src/qemu/qemu_interface.c | 8 +-
src/qemu/qemu_process.c | 3 +-
src/security/virt-aa-helper.c | 2 +-
src/vbox/vbox_common.c | 2 +
src/vmx/vmx.c | 5 +-
.../bhyve_basic.x86_64.xml | 1 +
.../bhyve_fbuf.x86_64.xml | 1 +
.../bhyve_uefi.x86_64.xml | 1 +
tests/domaincapsschemadata/full.xml | 6 +
.../domaincapsschemadata/libxl-xenfv-usb.xml | 1 +
.../domaincapsschemadata/libxl-xenpv-usb.xml | 1 +
.../qemu_1.7.0.x86_64.xml | 3 +
.../qemu_2.12.0-virt.aarch64.xml | 5 +
.../qemu_2.12.0.ppc64.xml | 5 +
.../qemu_2.12.0.s390x.xml | 5 +
.../qemu_2.12.0.x86_64.xml | 5 +
.../qemu_2.6.0-virt.aarch64.xml | 5 +
.../qemu_2.6.0.aarch64.xml | 5 +
.../domaincapsschemadata/qemu_2.6.0.ppc64.xml | 5 +
.../qemu_2.6.0.x86_64.xml | 5 +
.../domaincapsschemadata/qemu_2.7.0.s390x.xml | 5 +
.../qemu_2.8.0-tcg.x86_64.xml | 5 +
.../domaincapsschemadata/qemu_2.8.0.s390x.xml | 5 +
.../qemu_2.8.0.x86_64.xml | 5 +
.../qemu_2.9.0-q35.x86_64.xml | 5 +
.../qemu_2.9.0-tcg.x86_64.xml | 5 +
.../qemu_2.9.0.x86_64.xml | 5 +
.../domaincapsschemadata/qemu_3.0.0.s390x.xml | 5 +
.../qemu_4.0.0.x86_64.xml | 154 ++++++++
tests/domaincapstest.c | 4 +
.../caps_4.0.0.x86_64.xml | 20 ++
.../virtio-non-transitional.x86_64-3.1.0.args | 65 ++++
...virtio-non-transitional.x86_64-latest.args | 62 ++++
.../virtio-non-transitional.xml | 40 +++
.../virtio-transitional.x86_64-3.1.0.args | 50 +++
.../virtio-transitional.x86_64-latest.args | 52 +++
.../qemuxml2argvdata/virtio-transitional.xml | 40 +++
tests/qemuxml2argvmock.c | 2 +-
tests/qemuxml2argvtest.c | 6 +
.../virtio-non-transitional.xml | 121 +++++++
.../virtio-transitional.xml | 80 +++++
tests/qemuxml2xmltest.c | 26 +-
57 files changed, 1736 insertions(+), 141 deletions(-)
create mode 100644 tests/domaincapsschemadata/qemu_4.0.0.x86_64.xml
create mode 100644 tests/qemuxml2argvdata/virtio-non-transitional.x86_64-3.1.0.args
create mode 100644 tests/qemuxml2argvdata/virtio-non-transitional.x86_64-latest.args
create mode 100644 tests/qemuxml2argvdata/virtio-non-transitional.xml
create mode 100644 tests/qemuxml2argvdata/virtio-transitional.x86_64-3.1.0.args
create mode 100644 tests/qemuxml2argvdata/virtio-transitional.x86_64-latest.args
create mode 100644 tests/qemuxml2argvdata/virtio-transitional.xml
create mode 100644 tests/qemuxml2xmloutdata/virtio-non-transitional.xml
create mode 100644 tests/qemuxml2xmloutdata/virtio-transitional.xml
--
2.20.1
6 years
[libvirt] AMD SEV's /dev/sev permissions and probing QEMU for capabilities
by Erik Skultety
Hi,
this is a summary of a private discussion I've had with guys CC'd on this email
about finding a solution to [1] - basically, the default permissions on
/dev/sev (below) make it impossible to query for SEV platform capabilities,
since by default we run QEMU as qemu:qemu when probing for capabilities. It's
worth noting is that this is only relevant to probing, since for a proper QEMU
VM we create a mount namespace for the process and chown all the nodes (needs a
SEV fix though).
# ll /dev/sev
crw-------. 1 root root
I suggested either force running QEMU as root for probing (despite the obvious
security implications) or using namespaces for probing too. Dan argued that
this would have a significant perf impact and suggested we ask systemd to add a
global udev rule.
I proceeded with cloning [1] to systemd and creating an udev rule that I planned
on submitting to systemd upstream - the initial idea was to mimic /dev/kvm and
make it world accessible to which Brijesh from AMD expressed a concern that
regular users might deplete the resources (limit on the number of guests
allowed by the platform). But since the limit is claimed to be around 4, Dan
discouraged me to continue with restricting the udev rule to only the 'kvm'
group which Laszlo suggested earlier as the limit is so small that a malicious
QEMU could easily deplete this during probing. This fact also ruled out any
kind of ACL we could create dynamically. Instead, he suggested that we filter
out the kvm-capable QEMU and put only that one in the namespace without a
significant perf impact.
- my take on this is that there could potentially be more than a single
kvm-enabled QEMU and therefore we'd need to create more than just a
single namespace.
- I also argued that I can image that the same kind of DOS attack might be
possible from within the namespace, even if we created the /dev/sev node
only in SEV-enabled guests (which we currently don't). All of us have
agreed that allowing /dev/sev in the namespace for only SEV-enabled
guests is worth doing nonetheless.
In the meantime, Christophe went through the kernel code to verify how the SEV
resources are managed and what protection is currently in place to mitigate the
chance of a process easily depleting the limit on SEV guests. He found that
ASID, which determines the encryption key, is allocated from a single ASID
bitmap and essentially guarded by a single 'sev->active' flag.
So, in conclusion, we absolutely need input from Brijesh (AMD) whether there
was something more than the low limit on number of guests behind the default
permissions. Also, we'd like to get some details on how the limit is managed,
helping to assess the approaches mentioned above.
Thanks and please do share your ideas,
Erik
[1] https://bugzilla.redhat.com/show_bug.cgi?id=1665400
[2] https://bugzilla.redhat.com/show_bug.cgi?id=1561113
6 years
