[libvirt] [PATCH v2] qemu: ensure vhostuser FD is initialized to -1
by Daniel P. Berrangé
The video private data was not initializing the vhostuser FD
causing us to attempt to close FD 0 many times over.
Fixes
commit ca60ecfa8cc1bd85baf7137dd1864d5f00f019f0
Author: Marc-André Lureau <marcandre.lureau(a)redhat.com>
Date: Mon Sep 23 14:44:36 2019 +0400
qemu: add qemuDomainVideoPrivate
Since the test suite does not invoke qemuExtDevicesStart(), no
vhost_user_fd will be present when generating test XML. To deal
with this we must use a fake FD number. While the current XML
is using FD == 0, we pick a very interesting number that's unlikely
to be a real FD, so that we're more likely to see any mistakes
closing the invalid FD.
Signed-off-by: Daniel P. Berrangé <berrange(a)redhat.com>
---
In v2:
- Fix FD initialization in test suite
src/qemu/qemu_domain.c | 2 ++
.../vhost-user-gpu-secondary.x86_64-latest.args | 4 ++--
.../qemuxml2argvdata/vhost-user-vga.x86_64-latest.args | 2 +-
tests/qemuxml2argvdata/virtio-options.args | 2 +-
tests/qemuxml2argvtest.c | 10 ++++++++++
5 files changed, 16 insertions(+), 4 deletions(-)
diff --git a/src/qemu/qemu_domain.c b/src/qemu/qemu_domain.c
index e8e895d9aa..e2b78c2457 100644
--- a/src/qemu/qemu_domain.c
+++ b/src/qemu/qemu_domain.c
@@ -1367,6 +1367,8 @@ qemuDomainVideoPrivateNew(void)
if (!(priv = virObjectNew(qemuDomainVideoPrivateClass)))
return NULL;
+ priv->vhost_user_fd = -1;
+
return (virObjectPtr) priv;
}
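Review bot: the -1 default only helps if the dispose path for qemuDomainVideoPrivate (not shown in this hunk) skips or tolerates a negative descriptor, e.g. by checking fd >= 0 or using VIR_FORCE_CLOSE; the commit message says FD 0 was being closed "many times over", which implies the close currently happens unconditionally, so that side is worth confirming.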
diff --git a/tests/qemuxml2argvdata/vhost-user-gpu-secondary.x86_64-latest.args b/tests/qemuxml2argvdata/vhost-user-gpu-secondary.x86_64-latest.args
index 58f49595e7..77643d31c0 100644
--- a/tests/qemuxml2argvdata/vhost-user-gpu-secondary.x86_64-latest.args
+++ b/tests/qemuxml2argvdata/vhost-user-gpu-secondary.x86_64-latest.args
@@ -31,8 +31,8 @@ file=/tmp/lib/domain--1-QEMUGuest1/master-key.aes \
-device piix3-usb-uhci,id=usb,bus=pci.0,addr=0x1.0x2 \
-drive file=/dev/HostVG/QEMUGuest1,format=raw,if=none,id=drive-ide0-0-0 \
-device ide-hd,bus=ide.0,unit=0,drive=drive-ide0-0-0,id=ide0-0-0,bootindex=1 \
--chardev socket,id=chr-vu-video0,fd=0 \
--chardev socket,id=chr-vu-video1,fd=0 \
+-chardev socket,id=chr-vu-video0,fd=1729 \
+-chardev socket,id=chr-vu-video1,fd=1729 \
-device vhost-user-vga,id=video0,max_outputs=1,chardev=chr-vu-video0,bus=pci.0,\
addr=0x2 \
-device vhost-user-gpu-pci,id=video1,max_outputs=1,chardev=chr-vu-video1,\
diff --git a/tests/qemuxml2argvdata/vhost-user-vga.x86_64-latest.args b/tests/qemuxml2argvdata/vhost-user-vga.x86_64-latest.args
index 6640d86fa5..dd5f9800d9 100644
--- a/tests/qemuxml2argvdata/vhost-user-vga.x86_64-latest.args
+++ b/tests/qemuxml2argvdata/vhost-user-vga.x86_64-latest.args
@@ -31,7 +31,7 @@ file=/tmp/lib/domain--1-QEMUGuest1/master-key.aes \
-device piix3-usb-uhci,id=usb,bus=pci.0,addr=0x1.0x2 \
-drive file=/dev/HostVG/QEMUGuest1,format=raw,if=none,id=drive-ide0-0-0 \
-device ide-hd,bus=ide.0,unit=0,drive=drive-ide0-0-0,id=ide0-0-0,bootindex=1 \
--chardev socket,id=chr-vu-video0,fd=0 \
+-chardev socket,id=chr-vu-video0,fd=1729 \
-device vhost-user-vga,id=video0,max_outputs=1,chardev=chr-vu-video0,bus=pci.0,\
addr=0x2 \
-device virtio-balloon-pci,id=balloon0,bus=pci.0,addr=0x3 \
diff --git a/tests/qemuxml2argvdata/virtio-options.args b/tests/qemuxml2argvdata/virtio-options.args
index 79216a5503..33ecd8f4e8 100644
--- a/tests/qemuxml2argvdata/virtio-options.args
+++ b/tests/qemuxml2argvdata/virtio-options.args
@@ -49,7 +49,7 @@ ats=on \
ats=on \
-device virtio-input-host-pci,id=input3,evdev=/dev/input/event1234,bus=pci.0,\
addr=0x12,iommu_platform=on,ats=on \
--chardev socket,id=chr-vu-video0,fd=0 \
+-chardev socket,id=chr-vu-video0,fd=1729 \
-device vhost-user-gpu-pci,id=video0,max_outputs=1,chardev=chr-vu-video0,\
bus=pci.0,addr=0x2,iommu_platform=on,ats=on \
-device virtio-balloon-pci,id=balloon0,bus=pci.0,addr=0xc,iommu_platform=on,\
diff --git a/tests/qemuxml2argvtest.c b/tests/qemuxml2argvtest.c
index 5bbac1c8b8..5f4e87aa6d 100644
--- a/tests/qemuxml2argvtest.c
+++ b/tests/qemuxml2argvtest.c
@@ -528,6 +528,16 @@ testCompareXMLToArgv(const void *data)
}
}
+ for (i = 0; i < vm->def->nvideos; i++) {
+ virDomainVideoDefPtr video = vm->def->videos[i];
+
+ if (video->backend == VIR_DOMAIN_VIDEO_BACKEND_TYPE_VHOSTUSER) {
+ qemuDomainVideoPrivatePtr vpriv = QEMU_DOMAIN_VIDEO_PRIVATE(video);
+
+ vpriv->vhost_user_fd = 1729;
+ }
+ }
+
if (flags & FLAG_SLIRP_HELPER) {
for (i = 0; i < vm->def->nnets; i++) {
virDomainNetDefPtr net = vm->def->nets[i];
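Review bot: 1729 is a magic number repeated here and in three expected .args files with nothing in the code saying why; a short comment (or a named constant, say a hypothetical TEST_FAKE_VHOST_USER_FD) stating that it is a deliberately bogus descriptor chosen so a stray close() is noticed, as the commit message explains, would stop the next reader from looking for significance in it.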
--
2.21.0
[libvirt] [PATCH] qemu: ensure vhostuser FD is initialized to -1
by Daniel P. Berrangé
The video private data was not initializing the vhostuser FD
causing us to attempt to close FD 0 many times over.
Fixes
commit ca60ecfa8cc1bd85baf7137dd1864d5f00f019f0
Author: Marc-André Lureau <marcandre.lureau(a)redhat.com>
Date: Mon Sep 23 14:44:36 2019 +0400
qemu: add qemuDomainVideoPrivate
Signed-off-by: Daniel P. Berrangé <berrange(a)redhat.com>
---
src/qemu/qemu_domain.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/src/qemu/qemu_domain.c b/src/qemu/qemu_domain.c
index bfd49beb21..bb81bda88e 100644
--- a/src/qemu/qemu_domain.c
+++ b/src/qemu/qemu_domain.c
@@ -1336,6 +1336,8 @@ qemuDomainVideoPrivateNew(void)
if (!(priv = virObjectNew(qemuDomainVideoPrivateClass)))
return NULL;
+ priv->vhost_user_fd = -1;
+
return (virObjectPtr) priv;
}
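Review bot: taken alone, this changes the value the test suite sees from 0 to -1 while the qemuxml2argvdata expectations still carry fd=0 for the vhost-user chardevs, so the xml2argv tests would start failing; the v2 posting above resolves that by setting a fake FD in testCompareXMLToArgv and updating the .args files.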
--
2.21.0
[libvirt] [PATCH 0/5] Couple of NSS fixes
by Michal Privoznik
I'm trying to develop gethostbyaddr() and meanwhile I've noticed a couple
of almost trivial patches.
Michal Prívozník (5):
nss: Compare addresses iff their family matches
nss: Drop needless free() in gethostbyname3()
nss: Don't leak @addr in gethostbyname4()
libvirt_nss.h: Separate function declarations with an empty line
tools: Record NSS dependency on symbols file
tools/Makefile.am | 8 ++++++++
tools/nss/libvirt_nss.c | 4 +---
tools/nss/libvirt_nss.h | 2 ++
tools/nss/libvirt_nss_leases.c | 6 ++++--
4 files changed, 15 insertions(+), 5 deletions(-)
--
2.21.0
[libvirt] [PATCH] qemu: checkpoint: Do ACL check prior to snapshot interlocking
by Peter Krempa
The interlocking with snapshots is executed prior to the ACL check so if
a VM has snapshots, invoking the checkpoint API may leak its existence.
Introduced with the qemuDomainCheckpointCreateXML API implementation in
commit 5f4e0796503.
Signed-off-by: Peter Krempa <pkrempa(a)redhat.com>
---
Split out from the checkpoint refactor series as I didn't notice this
one originally.
src/qemu/qemu_driver.c | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c
index d5f5fd6990..3b2eb30606 100644
--- a/src/qemu/qemu_driver.c
+++ b/src/qemu/qemu_driver.c
@@ -17283,18 +17283,18 @@ qemuDomainCheckpointCreateXML(virDomainPtr domain,
if (!(vm = qemuDomObjFromDomain(domain)))
goto cleanup;
- if (virDomainSnapshotObjListNum(vm->snapshots, NULL, 0) > 0) {
- virReportError(VIR_ERR_OPERATION_UNSUPPORTED, "%s",
- _("cannot create checkpoint while snapshot exists"));
- goto cleanup;
- }
-
priv = vm->privateData;
cfg = virQEMUDriverGetConfig(driver);
if (virDomainCheckpointCreateXMLEnsureACL(domain->conn, vm->def, flags) < 0)
goto cleanup;
+ if (virDomainSnapshotObjListNum(vm->snapshots, NULL, 0) > 0) {
+ virReportError(VIR_ERR_OPERATION_UNSUPPORTED, "%s",
+ _("cannot create checkpoint while snapshot exists"));
+ goto cleanup;
+ }
+
if (!virQEMUCapsGet(priv->qemuCaps, QEMU_CAPS_BITMAP_MERGE)) {
virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
_("qemu binary lacks persistent bitmaps support"));
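Review bot: the reorder is correct, since the "cannot create checkpoint while snapshot exists" error was previously returned to callers the ACL check would have rejected, letting them tell VMs with snapshots from those without; the same state-before-ACL ordering is worth auditing in the other checkpoint entry points added alongside qemuDomainCheckpointCreateXML.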
--
2.21.0
[libvirt] [PATCH] qemu: make attaching disk partition to VM illegal
by Pavel Mores
The way in which the qemu driver generates aliases for disks involves
ignoring the partition number part of a target dev name. This means that
all partitions of a block device and the device itself all end up with the
same alias. If multiple such disks are specified in XML, the resulting
name clash makes qemu invocation fail.
Since attaching partitions to qemu VMs doesn't seem to make much sense
anyway, disallow partitions in target specifications altogether.
https://bugzilla.redhat.com/show_bug.cgi?id=1346265
Signed-off-by: Pavel Mores <pmores(a)redhat.com>
---
src/qemu/qemu_domain.c | 10 +++++++
.../disk-attaching-partition-invalid.xml | 27 +++++++++++++++++++
tests/qemuxml2argvtest.c | 1 +
3 files changed, 38 insertions(+)
create mode 100644 tests/qemuxml2argvdata/disk-attaching-partition-invalid.xml
diff --git a/src/qemu/qemu_domain.c b/src/qemu/qemu_domain.c
index e8e895d9aa..d03f3bed5f 100644
--- a/src/qemu/qemu_domain.c
+++ b/src/qemu/qemu_domain.c
@@ -5880,6 +5880,8 @@ qemuDomainDeviceDefValidateDisk(const virDomainDiskDef *disk,
{
const char *driverName = virDomainDiskGetDriver(disk);
virStorageSourcePtr n;
+ int idx;
+ int partition;
if (disk->src->shared && !disk->src->readonly &&
!qemuBlockStorageSourceSupportsConcurrentAccess(disk->src)) {
@@ -5948,6 +5950,14 @@ qemuDomainDeviceDefValidateDisk(const virDomainDiskDef *disk,
return -1;
}
+ int result = virDiskNameParse(disk->dst, &idx, &partition);
+ if (result != 0 || partition != 0) {
+ virReportError(VIR_ERR_CONFIG_UNSUPPORTED,
+ _("can't attach disk partition '%s', please attach whole disk instead"),
+ disk->dst);
+ return -1;
+ }
+
for (n = disk->src; virStorageSourceIsBacking(n); n = n->backingStore) {
if (qemuDomainValidateStorageSource(n, qemuCaps) < 0)
return -1;
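Review bot: `result != 0 || partition != 0` folds a parse failure of disk->dst into the "can't attach disk partition" message, which is misleading when the target name is simply unparseable; report the parse failure with its own message and keep the partition message for the partition != 0 case. Also `int result` is declared mid-block while `idx` and `partition` were added at the top of the function in the previous hunk; declare it there too to match the surrounding style.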
diff --git a/tests/qemuxml2argvdata/disk-attaching-partition-invalid.xml b/tests/qemuxml2argvdata/disk-attaching-partition-invalid.xml
new file mode 100644
index 0000000000..591819fbb6
--- /dev/null
+++ b/tests/qemuxml2argvdata/disk-attaching-partition-invalid.xml
@@ -0,0 +1,27 @@
+<domain type='qemu'>
+ <name>QEMUGuest1</name>
+ <uuid>c7a5fdbd-edaf-9455-926a-d65c16db1809</uuid>
+ <memory unit='KiB'>219100</memory>
+ <currentMemory unit='KiB'>219100</currentMemory>
+ <vcpu placement='static'>1</vcpu>
+ <os>
+ <type arch='i686' machine='pc'>hvm</type>
+ <boot dev='hd'/>
+ </os>
+ <clock offset='utc'/>
+ <on_poweroff>destroy</on_poweroff>
+ <on_reboot>restart</on_reboot>
+ <on_crash>destroy</on_crash>
+ <devices>
+ <emulator>/usr/bin/qemu-system-i686</emulator>
+ <disk type='file' device='disk'>
+ <driver name='qemu' type='raw'/>
+ <source file='/export/vmimages/1.raw'/>
+ <target dev='vdb1' bus='virtio'/>
+ </disk>
+ <controller type='usb' index='0'/>
+ <controller type='ide' index='0'/>
+ <controller type='pci' index='0' model='pci-root'/>
+ <memballoon model='virtio'/>
+ </devices>
+</domain>
diff --git a/tests/qemuxml2argvtest.c b/tests/qemuxml2argvtest.c
index 5bbac1c8b8..b54b4bbf35 100644
--- a/tests/qemuxml2argvtest.c
+++ b/tests/qemuxml2argvtest.c
@@ -1097,6 +1097,7 @@ mymain(void)
DO_TEST("disk-no-boot", NONE);
DO_TEST_PARSE_ERROR("disk-device-lun-type-invalid",
QEMU_CAPS_VIRTIO_SCSI);
+ DO_TEST_CAPS_LATEST_PARSE_ERROR("disk-attaching-partition-invalid");
DO_TEST_FAILURE("disk-usb-nosupport", NONE);
DO_TEST("disk-usb-device",
QEMU_CAPS_DEVICE_USB_STORAGE);
--
2.21.0
[libvirt] [PATCH] tools: fix regression passing command with virt-login-shell
by Daniel P. Berrangé
It is documented that a command to run inside the container can be
passed with the -c arg.
virt-login-shell -c "ls -l /"
This fixes
commit 4feeb2d986b98013ebfb1d41ab6b9007b6cce6e2
Author: Daniel P. Berrangé <berrange(a)redhat.com>
Date: Thu Aug 1 10:58:31 2019 +0100
tools: split virt-login-shell into two binaries
Signed-off-by: Daniel P. Berrangé <berrange(a)redhat.com>
---
tools/virt-login-shell.c | 15 ++++++++++++---
1 file changed, 12 insertions(+), 3 deletions(-)
diff --git a/tools/virt-login-shell.c b/tools/virt-login-shell.c
index f92cc0a749..f5aa02420b 100644
--- a/tools/virt-login-shell.c
+++ b/tools/virt-login-shell.c
@@ -38,11 +38,13 @@
int main(int argc, char **argv) {
char uidstr[INT_BUFSIZE_BOUND(uid_t)];
char gidstr[INT_BUFSIZE_BOUND(gid_t)];
- const char *const newargv[] = {
+ const char * newargv[] = {
LIBEXECDIR "/virt-login-shell-helper",
uidstr,
gidstr,
NULL,
+ NULL,
+ NULL,
};
char *newenv[] = {
NULL,
@@ -60,8 +62,15 @@ int main(int argc, char **argv) {
exit(EXIT_FAILURE);
}
- if (argc != 1) {
- fprintf(stderr, "%s: no arguments expected\n", argv[0]);
+ if (argc == 3) {
+ if (strcmp(argv[1], "-c") != 0) {
+ fprintf(stderr, "%s: syntax: %s [-c CMDSTR]\n", argv[0], argv[0]);
+ exit(EXIT_FAILURE);
+ }
+ newargv[3] = argv[1];
+ newargv[4] = argv[2];
+ } else if (argc != 1) {
+ fprintf(stderr, "%s: syntax: %s [-c CMDSTR]\n", argv[0], argv[0]);
exit(EXIT_FAILURE);
}
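Review bot: "-c" and CMDSTR are placed after uidstr/gidstr in newargv, so virt-login-shell-helper must accept an optional trailing "-c CMDSTR" after the positional uid/gid; worth confirming the helper's argument parsing agrees, and note the v2 posting below moves them ahead of uid/gid instead. The syntax message is also duplicated verbatim in both branches; a single usage helper would keep them from drifting apart.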
--
2.21.0
[libvirt] [PATCH] network: allow DHCP/DNS/TFTP explicitly in OUTPUT rules
by Daniel P. Berrangé
From: Malina Salina <malina.salina(a)protonmail.com>
While the default iptables setup used by Fedora/RHEL distros
only restricts traffic on the INPUT and/or FORWARD rules,
some users might have custom firewalls that restrict the
OUTPUT rules too.
These can prevent DHCP/DNS/TFTP responses from dnsmasq
from reaching the guest VMs. We should thus whitelist
these protocols in the OUTPUT chain, as well as the
INPUT chain.
Signed-off-by: Malina Salina <malina.salina(a)protonmail.com>
Initial patch then modified to add unit tests and IPv6
support
Signed-off-by: Daniel P. Berrangé <berrange(a)redhat.com>
---
src/libvirt_private.syms | 2 +
src/network/bridge_driver_linux.c | 29 ++++++++++---
src/util/viriptables.c | 36 ++++++++++++++++
src/util/viriptables.h | 8 ++++
.../nat-default-linux.args | 21 ++++++++++
.../nat-ipv6-linux.args | 42 +++++++++++++++++++
.../nat-many-ips-linux.args | 21 ++++++++++
.../nat-no-dhcp-linux.args | 42 +++++++++++++++++++
.../nat-tftp-linux.args | 28 +++++++++++++
.../route-default-linux.args | 21 ++++++++++
10 files changed, 244 insertions(+), 6 deletions(-)
diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms
index 7b681fac64..83b97af364 100644
--- a/src/libvirt_private.syms
+++ b/src/libvirt_private.syms
@@ -2186,6 +2186,7 @@ iptablesAddForwardRejectIn;
iptablesAddForwardRejectOut;
iptablesAddOutputFixUdpChecksum;
iptablesAddTcpInput;
+iptablesAddTcpOutput;
iptablesAddUdpInput;
iptablesAddUdpOutput;
iptablesRemoveDontMasquerade;
@@ -2198,6 +2199,7 @@ iptablesRemoveForwardRejectIn;
iptablesRemoveForwardRejectOut;
iptablesRemoveOutputFixUdpChecksum;
iptablesRemoveTcpInput;
+iptablesRemoveTcpOutput;
iptablesRemoveUdpInput;
iptablesRemoveUdpOutput;
iptablesSetDeletePrivate;
diff --git a/src/network/bridge_driver_linux.c b/src/network/bridge_driver_linux.c
index 35459c10d1..0b6ff45b17 100644
--- a/src/network/bridge_driver_linux.c
+++ b/src/network/bridge_driver_linux.c
@@ -553,18 +553,23 @@ networkAddGeneralIPv4FirewallRules(virFirewallPtr fw,
break;
}
- /* allow DHCP requests through to dnsmasq */
+ /* allow DHCP requests through to dnsmasq & back out */
iptablesAddTcpInput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 67);
iptablesAddUdpInput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 67);
+ iptablesAddTcpOutput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 68);
iptablesAddUdpOutput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 68);
- /* allow DNS requests through to dnsmasq */
+ /* allow DNS requests through to dnsmasq & back out */
iptablesAddTcpInput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 53);
iptablesAddUdpInput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 53);
+ iptablesAddTcpOutput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 53);
+ iptablesAddUdpOutput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 53);
- /* allow TFTP requests through to dnsmasq if necessary */
- if (ipv4def && ipv4def->tftproot)
+ /* allow TFTP requests through to dnsmasq if necessary & back out*/
+ if (ipv4def && ipv4def->tftproot) {
iptablesAddUdpInput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 69);
+ iptablesAddUdpOutput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 69);
+ }
/* Catch all rules to block forwarding to/from bridges */
iptablesAddForwardRejectOut(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge);
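Review bot: DHCP runs over UDP only, so the new tcp/68 OUTPUT rule (and the pre-existing tcp/67 INPUT rule it mirrors) opens a port that no DHCP traffic uses; harmless, but it adds an unneeded ACCEPT on every bridge and to six expected-output files. The TFTP comment is also missing a space before the closing `*/`.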
@@ -592,13 +597,18 @@ networkRemoveGeneralIPv4FirewallRules(virFirewallPtr fw,
iptablesRemoveForwardRejectIn(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge);
iptablesRemoveForwardRejectOut(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge);
- if (ipv4def && ipv4def->tftproot)
+ if (ipv4def && ipv4def->tftproot) {
iptablesRemoveUdpInput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 69);
+ iptablesRemoveUdpOutput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 69);
+ }
iptablesRemoveUdpInput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 53);
iptablesRemoveTcpInput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 53);
+ iptablesRemoveUdpOutput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 53);
+ iptablesRemoveTcpOutput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 53);
iptablesRemoveUdpOutput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 68);
+ iptablesRemoveTcpOutput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 68);
iptablesRemoveUdpInput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 67);
iptablesRemoveTcpInput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 67);
}
@@ -626,10 +636,14 @@ networkAddGeneralIPv6FirewallRules(virFirewallPtr fw,
iptablesAddForwardAllowCross(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge);
if (virNetworkDefGetIPByIndex(def, AF_INET6, 0)) {
- /* allow DNS over IPv6 */
+ /* allow DNS over IPv6 & back out */
iptablesAddTcpInput(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge, 53);
iptablesAddUdpInput(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge, 53);
+ iptablesAddTcpOutput(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge, 53);
+ iptablesAddUdpOutput(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge, 53);
+ /* allow DHCPv6 & back out */
iptablesAddUdpInput(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge, 547);
+ iptablesAddUdpOutput(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge, 546);
}
}
@@ -643,7 +657,10 @@ networkRemoveGeneralIPv6FirewallRules(virFirewallPtr fw,
}
if (virNetworkDefGetIPByIndex(def, AF_INET6, 0)) {
+ iptablesRemoveUdpOutput(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge, 546);
iptablesRemoveUdpInput(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge, 547);
+ iptablesRemoveUdpOutput(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge, 53);
+ iptablesRemoveTcpOutput(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge, 53);
iptablesRemoveUdpInput(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge, 53);
iptablesRemoveTcpInput(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge, 53);
}
diff --git a/src/util/viriptables.c b/src/util/viriptables.c
index 0e3c0ad73a..46d0c3df7a 100644
--- a/src/util/viriptables.c
+++ b/src/util/viriptables.c
@@ -303,6 +303,42 @@ iptablesRemoveUdpInput(virFirewallPtr fw,
iptablesInput(fw, layer, deletePrivate, iface, port, REMOVE, 0);
}
+/**
+ * iptablesAddTcpOutput:
+ * @ctx: pointer to the IP table context
+ * @iface: the interface name
+ * @port: the TCP port to add
+ *
+ * Add an output to the IP table allowing access to the given @port from
+ * the given @iface interface for TCP packets
+ */
+void
+iptablesAddTcpOutput(virFirewallPtr fw,
+ virFirewallLayer layer,
+ const char *iface,
+ int port)
+{
+ iptablesOutput(fw, layer, true, iface, port, ADD, 1);
+}
+
+/**
+ * iptablesRemoveTcpOutput:
+ * @ctx: pointer to the IP table context
+ * @iface: the interface name
+ * @port: the UDP port to remove
+ *
+ * Removes an output from the IP table, hence forbidding access to the given
+ * @port from the given @iface interface for TCP packets
+ */
+void
+iptablesRemoveTcpOutput(virFirewallPtr fw,
+ virFirewallLayer layer,
+ const char *iface,
+ int port)
+{
+ iptablesOutput(fw, layer, deletePrivate, iface, port, REMOVE, 1);
+}
+
/**
* iptablesAddUdpOutput:
* @ctx: pointer to the IP table context
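Review bot: the doc comments were copied from the Input variants and do not match the signatures: `@ctx` should be `@fw`, `@layer` is undocumented in both, and iptablesRemoveTcpOutput says "the UDP port to remove" for a TCP rule.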
diff --git a/src/util/viriptables.h b/src/util/viriptables.h
index feea988acd..07b4851013 100644
--- a/src/util/viriptables.h
+++ b/src/util/viriptables.h
@@ -45,6 +45,14 @@ void iptablesRemoveUdpInput (virFirewallPtr fw,
const char *iface,
int port);
+void iptablesAddTcpOutput (virFirewallPtr fw,
+ virFirewallLayer layer,
+ const char *iface,
+ int port);
+void iptablesRemoveTcpOutput (virFirewallPtr fw,
+ virFirewallLayer layer,
+ const char *iface,
+ int port);
void iptablesAddUdpOutput (virFirewallPtr fw,
virFirewallLayer layer,
const char *iface,
diff --git a/tests/networkxml2firewalldata/nat-default-linux.args b/tests/networkxml2firewalldata/nat-default-linux.args
index c9d523d043..ab18f30bd0 100644
--- a/tests/networkxml2firewalldata/nat-default-linux.args
+++ b/tests/networkxml2firewalldata/nat-default-linux.args
@@ -16,6 +16,13 @@ iptables \
--table filter \
--insert LIBVIRT_OUT \
--out-interface virbr0 \
+--protocol tcp \
+--destination-port 68 \
+--jump ACCEPT
+iptables \
+--table filter \
+--insert LIBVIRT_OUT \
+--out-interface virbr0 \
--protocol udp \
--destination-port 68 \
--jump ACCEPT
@@ -35,6 +42,20 @@ iptables \
--jump ACCEPT
iptables \
--table filter \
+--insert LIBVIRT_OUT \
+--out-interface virbr0 \
+--protocol tcp \
+--destination-port 53 \
+--jump ACCEPT
+iptables \
+--table filter \
+--insert LIBVIRT_OUT \
+--out-interface virbr0 \
+--protocol udp \
+--destination-port 53 \
+--jump ACCEPT
+iptables \
+--table filter \
--insert LIBVIRT_FWO \
--in-interface virbr0 \
--jump REJECT
diff --git a/tests/networkxml2firewalldata/nat-ipv6-linux.args b/tests/networkxml2firewalldata/nat-ipv6-linux.args
index a57b9266af..05d9ee33ca 100644
--- a/tests/networkxml2firewalldata/nat-ipv6-linux.args
+++ b/tests/networkxml2firewalldata/nat-ipv6-linux.args
@@ -16,6 +16,13 @@ iptables \
--table filter \
--insert LIBVIRT_OUT \
--out-interface virbr0 \
+--protocol tcp \
+--destination-port 68 \
+--jump ACCEPT
+iptables \
+--table filter \
+--insert LIBVIRT_OUT \
+--out-interface virbr0 \
--protocol udp \
--destination-port 68 \
--jump ACCEPT
@@ -35,6 +42,20 @@ iptables \
--jump ACCEPT
iptables \
--table filter \
+--insert LIBVIRT_OUT \
+--out-interface virbr0 \
+--protocol tcp \
+--destination-port 53 \
+--jump ACCEPT
+iptables \
+--table filter \
+--insert LIBVIRT_OUT \
+--out-interface virbr0 \
+--protocol udp \
+--destination-port 53 \
+--jump ACCEPT
+iptables \
+--table filter \
--insert LIBVIRT_FWO \
--in-interface virbr0 \
--jump REJECT
@@ -81,11 +102,32 @@ ip6tables \
--jump ACCEPT
ip6tables \
--table filter \
+--insert LIBVIRT_OUT \
+--out-interface virbr0 \
+--protocol tcp \
+--destination-port 53 \
+--jump ACCEPT
+ip6tables \
+--table filter \
+--insert LIBVIRT_OUT \
+--out-interface virbr0 \
+--protocol udp \
+--destination-port 53 \
+--jump ACCEPT
+ip6tables \
+--table filter \
--insert LIBVIRT_INP \
--in-interface virbr0 \
--protocol udp \
--destination-port 547 \
--jump ACCEPT
+ip6tables \
+--table filter \
+--insert LIBVIRT_OUT \
+--out-interface virbr0 \
+--protocol udp \
+--destination-port 546 \
+--jump ACCEPT
iptables \
--table filter \
--insert LIBVIRT_FWO \
diff --git a/tests/networkxml2firewalldata/nat-many-ips-linux.args b/tests/networkxml2firewalldata/nat-many-ips-linux.args
index 1bdc43fd6a..82e1380f51 100644
--- a/tests/networkxml2firewalldata/nat-many-ips-linux.args
+++ b/tests/networkxml2firewalldata/nat-many-ips-linux.args
@@ -16,6 +16,13 @@ iptables \
--table filter \
--insert LIBVIRT_OUT \
--out-interface virbr0 \
+--protocol tcp \
+--destination-port 68 \
+--jump ACCEPT
+iptables \
+--table filter \
+--insert LIBVIRT_OUT \
+--out-interface virbr0 \
--protocol udp \
--destination-port 68 \
--jump ACCEPT
@@ -35,6 +42,20 @@ iptables \
--jump ACCEPT
iptables \
--table filter \
+--insert LIBVIRT_OUT \
+--out-interface virbr0 \
+--protocol tcp \
+--destination-port 53 \
+--jump ACCEPT
+iptables \
+--table filter \
+--insert LIBVIRT_OUT \
+--out-interface virbr0 \
+--protocol udp \
+--destination-port 53 \
+--jump ACCEPT
+iptables \
+--table filter \
--insert LIBVIRT_FWO \
--in-interface virbr0 \
--jump REJECT
diff --git a/tests/networkxml2firewalldata/nat-no-dhcp-linux.args b/tests/networkxml2firewalldata/nat-no-dhcp-linux.args
index 7d359f3824..8954cc5473 100644
--- a/tests/networkxml2firewalldata/nat-no-dhcp-linux.args
+++ b/tests/networkxml2firewalldata/nat-no-dhcp-linux.args
@@ -16,6 +16,13 @@ iptables \
--table filter \
--insert LIBVIRT_OUT \
--out-interface virbr0 \
+--protocol tcp \
+--destination-port 68 \
+--jump ACCEPT
+iptables \
+--table filter \
+--insert LIBVIRT_OUT \
+--out-interface virbr0 \
--protocol udp \
--destination-port 68 \
--jump ACCEPT
@@ -35,6 +42,20 @@ iptables \
--jump ACCEPT
iptables \
--table filter \
+--insert LIBVIRT_OUT \
+--out-interface virbr0 \
+--protocol tcp \
+--destination-port 53 \
+--jump ACCEPT
+iptables \
+--table filter \
+--insert LIBVIRT_OUT \
+--out-interface virbr0 \
+--protocol udp \
+--destination-port 53 \
+--jump ACCEPT
+iptables \
+--table filter \
--insert LIBVIRT_FWO \
--in-interface virbr0 \
--jump REJECT
@@ -81,11 +102,32 @@ ip6tables \
--jump ACCEPT
ip6tables \
--table filter \
+--insert LIBVIRT_OUT \
+--out-interface virbr0 \
+--protocol tcp \
+--destination-port 53 \
+--jump ACCEPT
+ip6tables \
+--table filter \
+--insert LIBVIRT_OUT \
+--out-interface virbr0 \
+--protocol udp \
+--destination-port 53 \
+--jump ACCEPT
+ip6tables \
+--table filter \
--insert LIBVIRT_INP \
--in-interface virbr0 \
--protocol udp \
--destination-port 547 \
--jump ACCEPT
+ip6tables \
+--table filter \
+--insert LIBVIRT_OUT \
+--out-interface virbr0 \
+--protocol udp \
+--destination-port 546 \
+--jump ACCEPT
iptables \
--table filter \
--insert LIBVIRT_FWO \
diff --git a/tests/networkxml2firewalldata/nat-tftp-linux.args b/tests/networkxml2firewalldata/nat-tftp-linux.args
index b721801b70..88e9929b62 100644
--- a/tests/networkxml2firewalldata/nat-tftp-linux.args
+++ b/tests/networkxml2firewalldata/nat-tftp-linux.args
@@ -16,6 +16,13 @@ iptables \
--table filter \
--insert LIBVIRT_OUT \
--out-interface virbr0 \
+--protocol tcp \
+--destination-port 68 \
+--jump ACCEPT
+iptables \
+--table filter \
+--insert LIBVIRT_OUT \
+--out-interface virbr0 \
--protocol udp \
--destination-port 68 \
--jump ACCEPT
@@ -35,6 +42,20 @@ iptables \
--jump ACCEPT
iptables \
--table filter \
+--insert LIBVIRT_OUT \
+--out-interface virbr0 \
+--protocol tcp \
+--destination-port 53 \
+--jump ACCEPT
+iptables \
+--table filter \
+--insert LIBVIRT_OUT \
+--out-interface virbr0 \
+--protocol udp \
+--destination-port 53 \
+--jump ACCEPT
+iptables \
+--table filter \
--insert LIBVIRT_INP \
--in-interface virbr0 \
--protocol udp \
@@ -42,6 +63,13 @@ iptables \
--jump ACCEPT
iptables \
--table filter \
+--insert LIBVIRT_OUT \
+--out-interface virbr0 \
+--protocol udp \
+--destination-port 69 \
+--jump ACCEPT
+iptables \
+--table filter \
--insert LIBVIRT_FWO \
--in-interface virbr0 \
--jump REJECT
diff --git a/tests/networkxml2firewalldata/route-default-linux.args b/tests/networkxml2firewalldata/route-default-linux.args
index ed3c560f74..c427d9602d 100644
--- a/tests/networkxml2firewalldata/route-default-linux.args
+++ b/tests/networkxml2firewalldata/route-default-linux.args
@@ -16,6 +16,13 @@ iptables \
--table filter \
--insert LIBVIRT_OUT \
--out-interface virbr0 \
+--protocol tcp \
+--destination-port 68 \
+--jump ACCEPT
+iptables \
+--table filter \
+--insert LIBVIRT_OUT \
+--out-interface virbr0 \
--protocol udp \
--destination-port 68 \
--jump ACCEPT
@@ -35,6 +42,20 @@ iptables \
--jump ACCEPT
iptables \
--table filter \
+--insert LIBVIRT_OUT \
+--out-interface virbr0 \
+--protocol tcp \
+--destination-port 53 \
+--jump ACCEPT
+iptables \
+--table filter \
+--insert LIBVIRT_OUT \
+--out-interface virbr0 \
+--protocol udp \
+--destination-port 53 \
+--jump ACCEPT
+iptables \
+--table filter \
--insert LIBVIRT_FWO \
--in-interface virbr0 \
--jump REJECT
--
2.21.0
[libvirt] [PATCH v2] tools: fix regression passing command with virt-login-shell
by Daniel P. Berrangé
It is documented that a command to run inside the container can be
passed with the -c arg.
virt-login-shell -c "ls -l /"
This fixes
commit 4feeb2d986b98013ebfb1d41ab6b9007b6cce6e2
Author: Daniel P. Berrangé <berrange(a)redhat.com>
Date: Thu Aug 1 10:58:31 2019 +0100
tools: split virt-login-shell into two binaries
Signed-off-by: Daniel P. Berrangé <berrange(a)redhat.com>
---
tools/virt-login-shell.c | 25 +++++++++++++++++--------
1 file changed, 17 insertions(+), 8 deletions(-)
diff --git a/tools/virt-login-shell.c b/tools/virt-login-shell.c
index f92cc0a749..7d1e0ccc8a 100644
--- a/tools/virt-login-shell.c
+++ b/tools/virt-login-shell.c
@@ -38,12 +38,8 @@
int main(int argc, char **argv) {
char uidstr[INT_BUFSIZE_BOUND(uid_t)];
char gidstr[INT_BUFSIZE_BOUND(gid_t)];
- const char *const newargv[] = {
- LIBEXECDIR "/virt-login-shell-helper",
- uidstr,
- gidstr,
- NULL,
- };
+ const char * newargv[6];
+ size_t nargs = 0;
char *newenv[] = {
NULL,
NULL,
@@ -60,10 +56,23 @@ int main(int argc, char **argv) {
exit(EXIT_FAILURE);
}
- if (argc != 1) {
- fprintf(stderr, "%s: no arguments expected\n", argv[0]);
+ newargv[nargs++] = LIBEXECDIR "/virt-login-shell-helper";
+ if (argc == 3) {
+ if (strcmp(argv[1], "-c") != 0) {
+ fprintf(stderr, "%s: syntax: %s [-c CMDSTR]\n", argv[0], argv[0]);
+ exit(EXIT_FAILURE);
+ }
+ newargv[nargs++] = argv[1];
+ newargv[nargs++] = argv[2];
+ } else if (argc != 1) {
+ fprintf(stderr, "%s: syntax: %s [-c CMDSTR]\n", argv[0], argv[0]);
exit(EXIT_FAILURE);
}
+ newargv[nargs++] = uidstr;
+ newargv[nargs++] = gidstr;
+ newargv[nargs++] = NULL;
+
+ assert(nargs <= (sizeof(newargv)/sizeof(newargv[0])));
if (term &&
asprintf(&(newenv[0]), "TERM=%s", term) < 0) {
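Review bot: the assert runs after newargv has already been written, so it cannot catch the overflow it checks for; since the maximum count is fixed by the argc == 3 branch (helper, -c, CMDSTR, uid, gid, NULL = 6), either derive the array size from a named constant that is checked statically or perform the bound check before each write. Also confirm <assert.h> is included, as the context lines do not show it.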
--
2.21.0
[libvirt] [PATCH 0/2] Fix cgroupv2 issue on Fedora 31
by Cole Robinson
There's been a bunch of reports of VM startup failures on Fedora 31
and elsewhere:
https://bugzilla.redhat.com/show_bug.cgi?id=1751120
The reproducer I found is running a mock build, which adds a
name=systemd cgroup to /proc/self/cgroup, which messes up libvirt's
logic. The first patch has a bit more detail.
I'm not positive this is entirely correct... maybe we should be doing
something with that cgroup in some way? I'm kinda ignorant here.
I also filed a systemd bug in case that behavior is unintentional. We
probably want to change libvirt regardless though:
https://bugzilla.redhat.com/show_bug.cgi?id=1756143
Cole Robinson (2):
vircgroupv2: Fix VM startup when legacy cgroups are defined
vircgroup: Add some VIR_DEBUG statements
src/util/vircgroup.c | 3 ++-
src/util/vircgroupv2.c | 15 ++++++++++++++-
2 files changed, 16 insertions(+), 2 deletions(-)
--
2.23.0
[libvirt] [PATCH v2 0/7] qemu: checkpoints: Collect most code in a single place
by Peter Krempa
The checkpoint code is quite complex and was dispersed in many places.
Refactor it to be in one new separate file.
I also plan to do the same to the snapshot code once this is dealt with.
Additionally aggregating all the code in one place will allow
refactoring and reuse in the incremental backup implementation.
diff to v1:
- rebased on top of the patches to remove checking of AUTODESTROY
- kept only one instance of virCheckFlags per API (inside qemu_checkpoint.c)
Peter Krempa (7):
qemu: Move, rename and export qemuDomObjFromDomain
conf: Drop pointless 'domain' argument from
virDomainCheckpointRedefinePrep
conf: Drop pointless 'domain' argument from
virDomainSnapshotRedefinePrep
qemu: driver: Remove misplaced qemuDomainObjEndJob in
qemuDomainCheckpointGetXMLDesc
qemu: driver: Move checkpoint-related code to qemu_checkpoint.c
qemu: domain: Move checkpoint related code to qemu_checkpoint.c
qemu: driver: Don't pull in qemu_monitor_json.h directly
src/conf/checkpoint_conf.c | 7 +-
src/conf/checkpoint_conf.h | 3 +-
src/conf/snapshot_conf.c | 5 +-
src/conf/snapshot_conf.h | 3 +-
src/qemu/Makefile.inc.am | 2 +
src/qemu/qemu_checkpoint.c | 646 ++++++++++++++++++++++++++++++++++
src/qemu/qemu_checkpoint.h | 55 +++
src/qemu/qemu_domain.c | 193 ++---------
src/qemu/qemu_domain.h | 16 +-
src/qemu/qemu_driver.c | 689 ++++++++-----------------------------
src/test/test_driver.c | 4 +-
11 files changed, 887 insertions(+), 736 deletions(-)
create mode 100644 src/qemu/qemu_checkpoint.c
create mode 100644 src/qemu/qemu_checkpoint.h
--
2.21.0