[libvirt] [PATCH] Improve security driver error message
by Sebastian Mitterle
Currently, when security driver is not available users are informed that
it wasn't found which can be confusing.
1. Update error message
2. Add comment to domain doc
Signed-off-by Sebastian Mitterle <smitterl(a)redhat.com>
---
docs/formatdomain.html.in | 3 ++-
src/security/security_manager.c | 2 +-
2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/docs/formatdomain.html.in b/docs/formatdomain.html.in
index dd04a05f09..3040448df1 100644
--- a/docs/formatdomain.html.in
+++ b/docs/formatdomain.html.in
@@ -9011,7 +9011,8 @@ qemu-kvm -net nic,model=? /dev/null
</dd>
<dt><code>model</code></dt>
<dd>A valid security model name, matching the currently
- activated security model
+ activated security model. Model <code>dac</code> is not available
+ when guest is run by unprivileged user.
</dd>
<dt><code>relabel</code></dt>
<dd>Either <code>yes</code> or <code>no</code>. This must always
diff --git a/src/security/security_manager.c b/src/security/security_manager.c
index 952675381d..f229d94570 100644
--- a/src/security/security_manager.c
+++ b/src/security/security_manager.c
@@ -769,7 +769,7 @@ static int virSecurityManagerCheckModel(virSecurityManagerPtr mgr,
}
virReportError(VIR_ERR_CONFIG_UNSUPPORTED,
- _("Unable to find security driver for model %s"),
+ _("Security driver model '%s' is not available"),
secmodel);
cleanup:
VIR_FREE(sec_managers);
--
2.21.0
4 years, 10 months
[libvirt] [PATCH v1] virSecuritySELinuxSetTapFDLabel: Use fd_path instead of /dev/tap* to get context
by Dominick Grift
/dev/tap* is an invalid path but it works with lax policy. Make it work with more accurate policy as well
v1: fix typo in description
Signed-off-by: Dominick Grift <dac.override(a)gmail.com>
---
src/security/security_selinux.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
index 32dc78d777..8c698966cb 100644
--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
@@ -3251,7 +3251,7 @@ virSecuritySELinuxSetTapFDLabel(virSecurityManagerPtr mgr,
goto cleanup;
}
- /* Label /dev/tap.* devices only. Leave /dev/net/tun alone! */
+ /* Label /dev/tap([0-9]+)? devices only. Leave /dev/net/tun alone! */
proc = g_strdup_printf("/proc/self/fd/%d", fd);
if (virFileResolveLink(proc, &fd_path) < 0) {
@@ -3267,7 +3267,7 @@ virSecuritySELinuxSetTapFDLabel(virSecurityManagerPtr mgr,
goto cleanup;
}
- if (getContext(mgr, "/dev/tap*", buf.st_mode, &fcon) < 0) {
+ if (getContext(mgr, fd_path, buf.st_mode, &fcon) < 0) {
virReportError(VIR_ERR_INTERNAL_ERROR,
_("cannot lookup default selinux label for tap fd %d"), fd);
goto cleanup;
--
2.24.1
4 years, 10 months
[libvirt] [PATCH 0/3] virsh: Fix virshDomainInterfaceSourceCompleter
by Michal Privoznik
*** BLURB HERE ***
Michal Prívozník (3):
virsh: Use VIR_ENUM_* instead of open coding string -> enum conversion
virsh: Fix virshDomainInterfaceSourceCompleter
cmdDomIfAddr: Move domain lookup down a few lines
tools/virsh-completer-domain.c | 17 ++++++++++-------
tools/virsh-domain-monitor.c | 31 +++++++++++++++----------------
tools/virsh-domain-monitor.h | 2 ++
tools/virsh.h | 1 +
4 files changed, 28 insertions(+), 23 deletions(-)
--
2.24.1
4 years, 10 months
[libvirt] [PATCH 0/2] backup: Remove checkpoint metadata on failed backup
by Peter Krempa
When creating a checkpoint along with a backup, failure in some cases
lead to libvirt keeping the stale chekckpoint metadata.
Peter Krempa (2):
qemu: checkpoint: Extract and export rollback of checkpoint metadata
storing
qemu: backup: roll-back checkpoint metadata if the checkpoint wasn't
taken
src/qemu/qemu_backup.c | 14 +++++++++++---
src/qemu/qemu_checkpoint.c | 22 ++++++++++++++++++++--
src/qemu/qemu_checkpoint.h | 4 ++++
3 files changed, 35 insertions(+), 5 deletions(-)
--
2.24.1
4 years, 10 months
[libvirt] [PATCH 0/9] Filesystem-device-related refactors (virtio-fs epopee)
by Ján Tomko
Ján Tomko (9):
build: error out when check-augeas fails
qemu: rename gluster_debug_entry
conf: add xmlopt to virDomainFSDefNew
conf: add private data to virDomainFSDef
qemu: add private data to virDomainFSDef
qemu: pass private data to qemuBuildFilesystemCommandLine
qemu: address: take fsdriver type into account
qemu: command: take fsdriver type into account
docs: formatdomain: use 'element' instead of 'block'
docs/formatdomain.html.in | 2 +-
src/Makefile.am | 2 +-
src/conf/domain_conf.c | 9 ++++++--
src/conf/domain_conf.h | 4 +++-
src/lxc/lxc_native.c | 2 +-
src/lxc/lxc_process.c | 2 +-
src/openvz/openvz_conf.c | 2 +-
src/qemu/libvirtd_qemu.aug | 4 ++--
src/qemu/qemu_command.c | 22 ++++++++++++++++----
src/qemu/qemu_conf.c | 11 ++++++----
src/qemu/qemu_domain.c | 38 ++++++++++++++++++++++++++++++++++
src/qemu/qemu_domain.h | 12 +++++++++++
src/qemu/qemu_domain_address.c | 34 ++++++++++++++++++++----------
src/vmx/vmx.c | 2 +-
src/vz/vz_sdk.c | 2 +-
15 files changed, 117 insertions(+), 31 deletions(-)
--
2.21.0
4 years, 10 months
[libvirt] [PATCH v1 00/26] remove more unneeded labels
by Daniel Henrique Barboza
Hi,
This is a follow up of a cleanup I did last year [1], which was
more focused on 'cleanup' labels. In this one I covered all
labels that are simply a 'return' proxy call.
This wasn't a 'purge all return labels' series. Some of them
are still around in cases where they help the code flow
(like Jano suggested in the review at [2], for example).
I divided the series by module and by amount of changes made
to make it less daunting for reviews (although cases such as
domain_conf.c couldn't be avoided without splitting changes
in the same file in multiple patches). The maintainer is
welcome to squash the patches up as needed.
[1] https://www.redhat.com/archives/libvir-list/2019-October/msg01420.html
[2] https://www.redhat.com/archives/libvir-list/2019-November/msg00468.html
Daniel Henrique Barboza (26):
bhyve: remove unneeded labels
conf: remove unneeded labels
conf: remove more unneeded labels
conf/domain_conf.c: remove unneeded labels
test/test_driver.c: remove unneeded labels
storage: remove unneeded labels
nwfilter: remove unneeded labels
remote/remote_daemon_config.c: remove unneeded label
hyperv/hyperv_wmi.c: remove unneeded labels
locking/lock_driver_lockd.c: remove unneeded labels
cpu/cpu_ppc64.c: remove unneeded label
lxc: remove unneeded labels
node_device: remove unneeded labels
secret/secret_driver.c: remove unneeded label
openvz: remove unneeded labels
qemu: remove unneeded labels
qemu: remove remaining unneeded labels
vz/vz_sdk.c: remove unneeded labels
vbox: remove unneeded labels
security: remove unneeded labels
util/virsysinfo.c: remove unneeded labels
util: remove unneeded labels
util: remove remaining unneeded labels
logging: remove unneeded labels
tests: remove unneeded labels
examples: remove unneeded labels
examples/c/misc/hellolibvirt.c | 28 +--
examples/c/misc/openauth.c | 22 +--
src/bhyve/bhyve_device.c | 13 +-
src/bhyve/bhyve_parse_command.c | 47 ++---
src/conf/capabilities.c | 14 +-
src/conf/cpu_conf.c | 36 ++--
src/conf/domain_addr.c | 9 +-
src/conf/domain_conf.c | 192 +++++++--------------
src/conf/interface_conf.c | 9 +-
src/conf/network_conf.c | 45 ++---
src/conf/networkcommon_conf.c | 11 +-
src/conf/nwfilter_conf.c | 3 +-
src/conf/nwfilter_params.c | 5 +-
src/conf/virnetworkobj.c | 7 +-
src/cpu/cpu_ppc64.c | 12 +-
src/hyperv/hyperv_wmi.c | 15 +-
src/locking/lock_driver_lockd.c | 16 +-
src/logging/log_handler.c | 7 +-
src/logging/log_manager.c | 14 +-
src/lxc/lxc_container.c | 7 +-
src/lxc/lxc_controller.c | 10 +-
src/node_device/node_device_driver.c | 4 +-
src/node_device/node_device_hal.c | 10 +-
src/nwfilter/nwfilter_ebiptables_driver.c | 11 +-
src/nwfilter/nwfilter_learnipaddr.c | 3 +-
src/openvz/openvz_conf.c | 11 +-
src/openvz/openvz_driver.c | 42 ++---
src/qemu/qemu_capabilities.c | 15 +-
src/qemu/qemu_command.c | 93 +++++-----
src/qemu/qemu_domain.c | 11 +-
src/qemu/qemu_domain_address.c | 52 +++---
src/qemu/qemu_driver.c | 32 ++--
src/qemu/qemu_hostdev.c | 11 +-
src/qemu/qemu_hotplug.c | 15 +-
src/qemu/qemu_migration_cookie.c | 10 +-
src/qemu/qemu_migration_params.c | 11 +-
src/remote/remote_daemon_config.c | 101 ++++++-----
src/secret/secret_driver.c | 6 +-
src/security/security_dac.c | 26 ++-
src/security/security_selinux.c | 26 ++-
src/security/virt-aa-helper.c | 41 ++---
src/storage/storage_backend_iscsi_direct.c | 4 +-
src/storage/storage_driver.c | 4 +-
src/test/test_driver.c | 51 +++---
src/util/virhostcpu.c | 6 +-
src/util/virnetdev.c | 13 +-
src/util/virnetdevmacvlan.c | 3 +-
src/util/virnetdevtap.c | 15 +-
src/util/virnetdevvportprofile.c | 52 +++---
src/util/virnetlink.c | 4 +-
src/util/virpci.c | 14 +-
src/util/virsocketaddr.c | 11 +-
src/util/virstoragefile.c | 4 +-
src/util/virsysinfo.c | 54 ++----
src/util/virtpm.c | 5 +-
src/util/virtypedparam.c | 14 +-
src/util/viruuid.c | 13 +-
src/vbox/vbox_MSCOMGlue.c | 11 +-
src/vbox/vbox_snapshot_conf.c | 9 +-
src/vz/vz_sdk.c | 102 ++++-------
tests/qemumonitortestutils.c | 15 +-
tests/testutilsqemu.c | 8 +-
tests/virhostdevtest.c | 14 +-
63 files changed, 564 insertions(+), 915 deletions(-)
--
2.24.1
4 years, 10 months
[libvirt] [PATCH] virSecuritySELinuxSetTapFDLabel: Use fd_path instead of /dev/tap* to get context
by Dominick Grift
/dev/tap* is an invalid path but it works with lacks policy. Make it work with more accurate policy as well
Signed-off-by: Dominick Grift <dac.override(a)gmail.com>
---
src/security/security_selinux.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
index 32dc78d777..8c698966cb 100644
--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
@@ -3251,7 +3251,7 @@ virSecuritySELinuxSetTapFDLabel(virSecurityManagerPtr mgr,
goto cleanup;
}
- /* Label /dev/tap.* devices only. Leave /dev/net/tun alone! */
+ /* Label /dev/tap([0-9]+)? devices only. Leave /dev/net/tun alone! */
proc = g_strdup_printf("/proc/self/fd/%d", fd);
if (virFileResolveLink(proc, &fd_path) < 0) {
@@ -3267,7 +3267,7 @@ virSecuritySELinuxSetTapFDLabel(virSecurityManagerPtr mgr,
goto cleanup;
}
- if (getContext(mgr, "/dev/tap*", buf.st_mode, &fcon) < 0) {
+ if (getContext(mgr, fd_path, buf.st_mode, &fcon) < 0) {
virReportError(VIR_ERR_INTERNAL_ERROR,
_("cannot lookup default selinux label for tap fd %d"), fd);
goto cleanup;
--
2.24.1
4 years, 10 months
[libvirt] [PATCH 0/7] fix debian 9 incompatibility with recent changes
by Daniel P. Berrangé
Previous commits to eliminate gnulib modules accidentally
used some glib APIs not available in Debian 9.
GLib has support for compile time version checking of
APIs but we mistakenly havent enabled it in libvirt.
This series fixes the bad API usage, then enables
version checkihng, and finally adds Debian to the
Travis config
Daniel P. Berrangé (7):
util: always replace g_fsync usage with our wrapper
util: keep glib compat methods in alphabetical order
util: fix indent depth for glib compat impls
util: add compat impl of g_canonicalize_filename
src: remove use of g_date_time_new_from_iso8601 function
util: introduce compile time API version checking
travis: add build for Debian 9
.travis.yml | 7 ++
config-post.h | 10 ++
src/conf/domain_conf.c | 28 ++++--
src/esx/esx_vi_types.c | 56 +++++++++--
src/libvirt_private.syms | 1 +
src/util/glibcompat.c | 196 ++++++++++++++++++++++++++++++++++-----
src/util/glibcompat.h | 10 +-
src/vz/vz_sdk.c | 24 ++++-
8 files changed, 286 insertions(+), 46 deletions(-)
--
2.24.1
4 years, 10 months
[libvirt] [PATCH] man: virsh: Mention how to disable snapshot of disk in snapshot-create-as
by Peter Krempa
Document that --diskspec DISK,snapshot=no disables snapshot for the
given disk.
Signed-off-by: Peter Krempa <pkrempa(a)redhat.com>
---
docs/manpages/virsh.rst | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/docs/manpages/virsh.rst b/docs/manpages/virsh.rst
index d0f9e15c38..4522259657 100644
--- a/docs/manpages/virsh.rst
+++ b/docs/manpages/virsh.rst
@@ -6734,7 +6734,8 @@ form ``disk[,snapshot=type][,driver=type][,stype=type][,file=name]``.
A *diskspec* must be provided for disks backed by block devices as libvirt
doesn't auto-generate file names for those. The optional ``stype`` parameter
allows to control the type of the source file. Supported values are 'file'
-(default) and 'block'.
+(default) and 'block'. To exclude a disk from an external snapshot use
+``--diskspec disk,snapshot=no``.
To include a literal comma in ``disk`` or in ``file=name``, escape it with a
second comma. A literal *--diskspec* must precede each ``diskspec`` unless
--
2.24.1
4 years, 10 months
[libvirt] [PATCH 0/7] Support rng backend model 'builtin'
by Han Han
https://bugzilla.redhat.com/show_bug.cgi?id=1785091
This rng backend is added since QEMU 4.2. It uses getrandom() syscall to
generate random instread of external rng source.
QEMU bug reference: https://bugzilla.redhat.com/show_bug.cgi?id=1689946
Han Han (7):
qemu_capabilities: Introduce QEMU_CAPS_OBJECT_RNG_BUILTIN
util: Do not assume comma after object id
qemu: Implement builtin rng backend
docs: Add schemas for rng backend builtin
tests: Add tests fr virtio-rng backend builtin
docs: Documents for virtio-rng backend builtin
news: Update news for rng backend type builtin
docs/formatdomain.html.in | 10 ++++++
docs/formatdomaincaps.html.in | 1 +
docs/news.xml | 10 ++++++
docs/schemas/domaincommon.rng | 6 ++++
src/conf/domain_audit.c | 2 ++
src/conf/domain_conf.c | 9 ++++++
src/conf/domain_conf.h | 1 +
src/qemu/qemu_capabilities.c | 4 +++
src/qemu/qemu_capabilities.h | 1 +
src/qemu/qemu_command.c | 15 +++++++++
src/qemu/qemu_domain.c | 3 ++
src/util/virqemu.c | 13 ++++----
.../domaincapsdata/qemu_4.2.0-q35.x86_64.xml | 1 +
.../domaincapsdata/qemu_4.2.0-tcg.x86_64.xml | 1 +
.../qemu_4.2.0-virt.aarch64.xml | 1 +
tests/domaincapsdata/qemu_4.2.0.aarch64.xml | 1 +
tests/domaincapsdata/qemu_4.2.0.ppc64.xml | 1 +
tests/domaincapsdata/qemu_4.2.0.s390x.xml | 1 +
tests/domaincapsdata/qemu_4.2.0.x86_64.xml | 1 +
.../caps_4.2.0.aarch64.xml | 1 +
.../qemucapabilitiesdata/caps_4.2.0.ppc64.xml | 1 +
.../qemucapabilitiesdata/caps_4.2.0.s390x.xml | 1 +
.../caps_4.2.0.x86_64.xml | 1 +
.../qemuxml2argvdata/virtio-rng-builtin.args | 30 ++++++++++++++++++
tests/qemuxml2argvdata/virtio-rng-builtin.xml | 26 ++++++++++++++++
tests/qemuxml2argvtest.c | 3 ++
.../qemuxml2xmloutdata/virtio-rng-builtin.xml | 31 +++++++++++++++++++
tests/qemuxml2xmltest.c | 2 ++
28 files changed, 172 insertions(+), 6 deletions(-)
create mode 100644 tests/qemuxml2argvdata/virtio-rng-builtin.args
create mode 100644 tests/qemuxml2argvdata/virtio-rng-builtin.xml
create mode 100644 tests/qemuxml2xmloutdata/virtio-rng-builtin.xml
--
2.23.0
4 years, 10 months
