October 2010 - Devel - libvirt List Archives

[libvirt] [PATCH] util: add missing export
by Eric Blake 12 Oct '10

12 Oct '10

Commit 1fe2927a3 forgot to export a symbol. * src/libvirt_private.syms (virHexToBin): Add. * src/.gitignore: Ignore temporary file. --- src/.gitignore | 1 + src/libvirt_private.syms | 1 + 2 files changed, 2 insertions(+), 0 deletions(-) diff --git a/src/.gitignore b/src/.gitignore index 7ea8d89..a619643 100644 --- a/src/.gitignore +++ b/src/.gitignore @@ -14,4 +14,5 @@ libvirt.syms libvirt_qemu.def *.i *.s +remote_protocol-structs-t virt-aa-helper diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms index 301b0ef..1d94b12 100644 --- a/src/libvirt_private.syms +++ b/src/libvirt_private.syms @@ -668,6 +668,7 @@ virFileResolveLink; saferead; safewrite; safezero; +virHexToBin; virMacAddrCompare; virEnumFromString; virEnumToString; -- 1.7.2.3

2 2

[libvirt] [PATCH 0/4] xen: Fix device hot(un)plug
by Jiri Denemark 12 Oct '10

12 Oct '10

Jiri Denemark (4): xen: Make xenDaemon*DeviceFlags errors less confusing xen: Fix logic bug in xenDaemon*DeviceFlags xen: xenXMDomain*DeviceFlags should obey all flags xen: Fix virDomain{At,De}tachDevice src/xen/xen_driver.c | 24 ++++++++++++++++----- src/xen/xend_internal.c | 51 ++++++++++++++++++++++++---------------------- src/xen/xm_internal.c | 14 +++++++++++- 3 files changed, 57 insertions(+), 32 deletions(-) -- 1.7.3.1

3 16

[libvirt] About the qemu networking
by 杨树林 12 Oct '10

12 Oct '10

Dear libvirt team, I am testing the qemu with libvit networking, and I have a question. First, I connected the switch and server via Ethernet, the link encapsulation is 802.1q (eth1 is trunk link) When I use sub-interface eth1.12 for vlan12,br12 bridged to eth1.12, and then using tap0 ..tapN, the qemu guest networking works fine. But when I use br1 bridged to eth1 without sub-interface, also use tap0… tapn , it does not work. The topology as below: This works fine This doest not work Eth1 (trunk) eth1(trunk) | | | -------------- ----------------- | | | br1 Eth1.12 eth1.13 … | | | _______________ br12 br13 | | | | | … | | | tap0 tapn --------- ---------- | | | ... | | | | | Tap0 … tapn tapn+1 tapm Is the second solution works ? if works? What should I do to ? Thanks very much, I am look forward to hear from you. Best Regards 杨树林技术保障中心网络工程师 snda 上海盛大网络发展有限公司上海浦东新区碧波路690号1号楼邮编：201203 电话：021-50504740-896570 传真：021-50504740-895746 Email：yangshulin(a)shandagames.com 网址：http://www.snda.com

1 0

[libvirt] [PATCH] Return a suitable error message if we can't find a matching emulator
by Guido Günther 12 Oct '10

12 Oct '10

Hi, attached patch improves the error message when we can't find a suitable emulator. Otherwise it's simply "Unknown failure". O.k. to apply? Cheers, -- Guido

2 2

[libvirt] [PATCH v2] Added new attribute mount_security to filesystem element
by Harsh Prateek Bora 11 Oct '10

11 Oct '10

This patch introduces new attribute to filesystem element to support customizable security for mount type. Valid mount_security are: passthrough and mapped. Usage: <filesystem type='mount' mount_security='passthrough'> <source dir='/export/to/guest'/> <target dir='mount_tag'/> </filesystem> Here is the detailed explanation on these security models: Security model: mapped ---------------------- Fileserver intercepts and maps all the file object create requests. Files on the fileserver will be created with Fileserver's user credentials and the client-user's credentials are stored in extended attributes. During getattr() server extracts the client-user's credentials from extended attributes and sends to the client. This adds a great deal of security in the cloud environments where the guest's(client) user space is kept completely isolated from host's user space. Security model : passthrough ---------------------------- In this security model, Fileserver passes down all requests to the underlying filesystem. File system objects on the fileserver will be created with client-user's credentials. This is done by setting setuid()/setgid() during creation or chmod/chown after file creation. At the end of create protocol request, files on the fileserver will be owned by cleint-user's uid/gid. This model mimic's current NFSv3 level of security. Note: This patch is based on Daniel's patch to support 9pfs. It shall be applied after applying Daniel's patch to support 9pfs. Signed-off-by: Harsh Prateek Bora <harsh(a)linux.vnet.ibm.com> --- docs/schemas/domain.rng | 6 ++++++ src/conf/domain_conf.c | 29 +++++++++++++++++++++++++++-- src/conf/domain_conf.h | 10 ++++++++++ src/qemu/qemu_conf.c | 9 +++++++-- 4 files changed, 50 insertions(+), 4 deletions(-) diff --git a/docs/schemas/domain.rng b/docs/schemas/domain.rng index ccb8cf3..36eec63 100644 --- a/docs/schemas/domain.rng +++ b/docs/schemas/domain.rng @@ -761,6 +761,12 @@ </choice> <optional> <ref name="address"/> + <attribute name="mount_security"> + <choice> + <value>passthrough</value> + <value>mapped</value> + </choice> + </attribute> </optional> </element> </define> diff --git a/src/conf/domain_conf.c b/src/conf/domain_conf.c index e05d5d7..ece6937 100644 --- a/src/conf/domain_conf.c +++ b/src/conf/domain_conf.c @@ -161,6 +161,11 @@ VIR_ENUM_IMPL(virDomainFS, VIR_DOMAIN_FS_TYPE_LAST, "file", "template") +VIR_ENUM_IMPL(virDomainFSMountSecurity, VIR_DOMAIN_FS_SECURITY_LAST, + "passthrough", + "mapped") + + VIR_ENUM_IMPL(virDomainNet, VIR_DOMAIN_NET_TYPE_LAST, "user", "ethernet", @@ -1847,6 +1852,7 @@ virDomainFSDefParseXML(xmlNodePtr node, char *type = NULL; char *source = NULL; char *target = NULL; + char *mount_security = NULL; if (VIR_ALLOC(def) < 0) { virReportOOMError(); @@ -1864,6 +1870,17 @@ virDomainFSDefParseXML(xmlNodePtr node, def->type = VIR_DOMAIN_FS_TYPE_MOUNT; } + mount_security = virXMLPropString(node, "mount_security"); + if (mount_security) { + if ((def->mount_security = virDomainFSMountSecurityTypeFromString(mount_security)) < 0) { + virDomainReportError(VIR_ERR_INTERNAL_ERROR, + _("unknown mount security '%s'"), mount_security); + goto error; + } + } else { + def->mount_security = VIR_DOMAIN_FS_SECURITY_PASSTHROUGH; + } + cur = node->children; while (cur != NULL) { if (cur->type == XML_ELEMENT_NODE) { @@ -5602,6 +5619,7 @@ virDomainFSDefFormat(virBufferPtr buf, int flags) { const char *type = virDomainFSTypeToString(def->type); + const char *mount_sec = virDomainFSMountSecurityTypeToString(def->mount_security); if (!type) { virDomainReportError(VIR_ERR_INTERNAL_ERROR, @@ -5609,9 +5627,16 @@ virDomainFSDefFormat(virBufferPtr buf, return -1; } + if (!mount_sec) { + virDomainReportError(VIR_ERR_INTERNAL_ERROR, + _("unexpected mount security %d"), def->mount_security); + return -1; + } + + virBufferVSprintf(buf, - " <filesystem type='%s'>\n", - type); + " <filesystem type='%s' mount_security='%s'>\n", + type, mount_sec); if (def->src) { switch (def->type) { diff --git a/src/conf/domain_conf.h b/src/conf/domain_conf.h index 7195c04..3463942 100644 --- a/src/conf/domain_conf.h +++ b/src/conf/domain_conf.h @@ -236,10 +236,19 @@ enum virDomainFSType { VIR_DOMAIN_FS_TYPE_LAST }; +/* Filesystem mount security model */ +enum virDomainFSMountSecurity { + VIR_DOMAIN_FS_SECURITY_PASSTHROUGH, + VIR_DOMAIN_FS_SECURITY_MAPPED, + + VIR_DOMAIN_FS_SECURITY_LAST +}; + typedef struct _virDomainFSDef virDomainFSDef; typedef virDomainFSDef *virDomainFSDefPtr; struct _virDomainFSDef { int type; + int mount_security; char *src; char *dst; unsigned int readonly : 1; @@ -1167,6 +1176,7 @@ VIR_ENUM_DECL(virDomainDiskErrorPolicy) VIR_ENUM_DECL(virDomainController) VIR_ENUM_DECL(virDomainControllerModel) VIR_ENUM_DECL(virDomainFS) +VIR_ENUM_DECL(virDomainFSMountSecurity) VIR_ENUM_DECL(virDomainNet) VIR_ENUM_DECL(virDomainChrDevice) VIR_ENUM_DECL(virDomainChrChannelTarget) diff --git a/src/qemu/qemu_conf.c b/src/qemu/qemu_conf.c index 18a302a..012be27 100644 --- a/src/qemu/qemu_conf.c +++ b/src/qemu/qemu_conf.c @@ -2014,6 +2014,7 @@ qemuAssignDeviceAliases(virDomainDefPtr def, unsigned long long qemuCmdFlags) if (virAsprintf(&def->fss[i]->info.alias, "fs%d", i) < 0) goto no_memory; } + for (i = 0; i < def->nsounds ; i++) { if (virAsprintf(&def->sounds[i]->info.alias, "sound%d", i) < 0) goto no_memory; @@ -2783,11 +2784,15 @@ char *qemuBuildFSStr(virDomainFSDefPtr fs, if (fs->type != VIR_DOMAIN_FS_TYPE_MOUNT) { qemuReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s", - _("can only passthrough directories")); + _("only supports mount filesystem type")); goto error; } - virBufferAddLit(&opt, "local,security_model=passthrough"); + virBufferAddLit(&opt, "local"); + if (fs->mount_security == VIR_DOMAIN_FS_SECURITY_PASSTHROUGH) + virBufferAddLit(&opt, ",mount_security=passthrough"); + else if (fs->mount_security == VIR_DOMAIN_FS_SECURITY_MAPPED) + virBufferAddLit(&opt, ",mount_security=mapped"); virBufferVSprintf(&opt, ",id=%s%s", QEMU_FSDEV_HOST_PREFIX, fs->info.alias); virBufferVSprintf(&opt, ",path=%s", fs->src); -- 1.7.1.1

2 1

[libvirt] Ephemeral VM operation
by Dave Allan 09 Oct '10

09 Oct '10

A number of hypervisors have a mode in which changes made to storage are not persisted across a reboot of the VM. qemu uses the -snapshot flag; VMware refers to this functionality as non-persistent disk[1]. Is this functionality something that is interesting to libvirt? Dave [1] http://www.virtuesofvirtualization.com/2006/10/magic-of-nonpersistent-drive…

4 3

[libvirt] [PATCH] Pass -n to ip(6)tables
by Guido Günther 08 Oct '10

08 Oct '10

Hi, attached patch passes -n to ip(6)tables to avoid long timeouts waiting for DNS servers. O.k. to apply? Cheers, -- Guido

2 2

[libvirt] [PATCH] Added new attribute security_model to filesystem element
by Harsh Prateek Bora 07 Oct '10

07 Oct '10

This patch introduces new attribute to filesystem element to support customizable security_model for mount type. Valid security_model are: passthrough, mapped and none. Usage: <filesystem type='mount' security_model='passthrough'> <source dir='/export/to/guest'/> <target dir='mount_tag'/> </filesystem> Note: This patch is based on Daniel's patch to support 9pfs. It shall be applied after applying Daniel's patch to support 9pfs. Signed-off-by: Harsh Prateek Bora <harsh(a)linux.vnet.ibm.com> --- docs/schemas/domain.rng | 7 +++++++ src/conf/domain_conf.c | 30 ++++++++++++++++++++++++++++-- src/conf/domain_conf.h | 10 ++++++++++ src/qemu/qemu_conf.c | 11 +++++++++-- 4 files changed, 54 insertions(+), 4 deletions(-) diff --git a/docs/schemas/domain.rng b/docs/schemas/domain.rng index ccb8cf3..43a292d 100644 --- a/docs/schemas/domain.rng +++ b/docs/schemas/domain.rng @@ -761,6 +761,13 @@ </choice> <optional> <ref name="address"/> + <attribute name="security_model"> + <choice> + <value>passthrough</value> + <value>mapped</value> + <value>none</value> + </choice> + </attribute> </optional> </element> </define> diff --git a/src/conf/domain_conf.c b/src/conf/domain_conf.c index e05d5d7..a9881d1 100644 --- a/src/conf/domain_conf.c +++ b/src/conf/domain_conf.c @@ -161,6 +161,12 @@ VIR_ENUM_IMPL(virDomainFS, VIR_DOMAIN_FS_TYPE_LAST, "file", "template") +VIR_ENUM_IMPL(virDomainFSSecurityModel, VIR_DOMAIN_FS_SECURITY_LAST, + "passthrough", + "mapped", + "none") + + VIR_ENUM_IMPL(virDomainNet, VIR_DOMAIN_NET_TYPE_LAST, "user", "ethernet", @@ -1847,6 +1853,7 @@ virDomainFSDefParseXML(xmlNodePtr node, char *type = NULL; char *source = NULL; char *target = NULL; + char *security_model; if (VIR_ALLOC(def) < 0) { virReportOOMError(); @@ -1864,6 +1871,17 @@ virDomainFSDefParseXML(xmlNodePtr node, def->type = VIR_DOMAIN_FS_TYPE_MOUNT; } + security_model = virXMLPropString(node, "security_model"); + if (security_model) { + if ((def->security_model = virDomainFSSecurityModelTypeFromString(security_model)) < 0) { + virDomainReportError(VIR_ERR_INTERNAL_ERROR, + _("unknown security model '%s'"), security_model); + goto error; + } + } else { + def->security_model = VIR_DOMAIN_FS_SECURITY_PASSTHROUGH; + } + cur = node->children; while (cur != NULL) { if (cur->type == XML_ELEMENT_NODE) { @@ -5602,6 +5620,7 @@ virDomainFSDefFormat(virBufferPtr buf, int flags) { const char *type = virDomainFSTypeToString(def->type); + const char *sec_model = virDomainFSSecurityModelTypeToString(def->security_model); if (!type) { virDomainReportError(VIR_ERR_INTERNAL_ERROR, @@ -5609,9 +5628,16 @@ virDomainFSDefFormat(virBufferPtr buf, return -1; } + if (!sec_model) { + virDomainReportError(VIR_ERR_INTERNAL_ERROR, + _("unexpected security model %d"), def->security_model); + return -1; + } + + virBufferVSprintf(buf, - " <filesystem type='%s'>\n", - type); + " <filesystem type='%s' security_model='%s'>\n", + type, sec_model); if (def->src) { switch (def->type) { diff --git a/src/conf/domain_conf.h b/src/conf/domain_conf.h index 7195c04..6adf027 100644 --- a/src/conf/domain_conf.h +++ b/src/conf/domain_conf.h @@ -236,10 +236,20 @@ enum virDomainFSType { VIR_DOMAIN_FS_TYPE_LAST }; +/* Filesystem mount security model */ +enum virDomainFSSecurityModel { + VIR_DOMAIN_FS_SECURITY_PASSTHROUGH, + VIR_DOMAIN_FS_SECURITY_MAPPED, + VIR_DOMAIN_FS_SECURITY_NONE, + + VIR_DOMAIN_FS_SECURITY_LAST +}; + typedef struct _virDomainFSDef virDomainFSDef; typedef virDomainFSDef *virDomainFSDefPtr; struct _virDomainFSDef { int type; + int security_model; char *src; char *dst; unsigned int readonly : 1; diff --git a/src/qemu/qemu_conf.c b/src/qemu/qemu_conf.c index 18a302a..6b96d2f 100644 --- a/src/qemu/qemu_conf.c +++ b/src/qemu/qemu_conf.c @@ -2014,6 +2014,7 @@ qemuAssignDeviceAliases(virDomainDefPtr def, unsigned long long qemuCmdFlags) if (virAsprintf(&def->fss[i]->info.alias, "fs%d", i) < 0) goto no_memory; } + for (i = 0; i < def->nsounds ; i++) { if (virAsprintf(&def->sounds[i]->info.alias, "sound%d", i) < 0) goto no_memory; @@ -2783,11 +2784,17 @@ char *qemuBuildFSStr(virDomainFSDefPtr fs, if (fs->type != VIR_DOMAIN_FS_TYPE_MOUNT) { qemuReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s", - _("can only passthrough directories")); + _("only supports mount filesystem type")); goto error; } - virBufferAddLit(&opt, "local,security_model=passthrough"); + virBufferAddLit(&opt, "local"); + if (fs->security_model == VIR_DOMAIN_FS_SECURITY_PASSTHROUGH) + virBufferAddLit(&opt, ",security_model=passthrough"); + else if (fs->security_model == VIR_DOMAIN_FS_SECURITY_MAPPED) + virBufferAddLit(&opt, ",security_model=mapped"); + else if (fs->security_model == VIR_DOMAIN_FS_SECURITY_NONE) + virBufferAddLit(&opt, ",security_model=none"); virBufferVSprintf(&opt, ",id=%s%s", QEMU_FSDEV_HOST_PREFIX, fs->info.alias); virBufferVSprintf(&opt, ",path=%s", fs->src); -- 1.7.1.1

5 5

[libvirt] [PATCH v3] nwfilter: resolve deadlock between VM operations and filter update
by Stefan Berger 07 Oct '10

07 Oct '10

V3: - removed debugging code - I looked through existing code and I could not find any other instances where the filter and domain_lock were locked without a preceding qemu/uml_driver lock. So the 2nd assumption seems to hold and no further changes should be required for this issue. V2: - remove the locks from qemudVMFilterRebuild & umlVMFilterRebuild This is from a bug report and conversation on IRC where Soren reported that while a filter update is occurring on one or more VMs (due to a rule having been edited for example), a deadlock can occur when a VM referencing a filter is started. The problem is caused by the two locking sequences of qemu driver, qemu domain, filter # for the VM start operation filter, qemu_driver, qemu_domain # for the filter update operation that obviously don't lock in the same order. The problem is the 2nd lock sequence. Here the qemu_driver lock is being grabbed in qemu_driver:qemudVMFilterRebuild() The following solution is based on the idea of trying to re-arrange the 2nd sequence of locks as follows: qemu_driver, filter, qemu_driver, qemu_domain and making the qemu driver recursively lockable so that a second lock can occur, this would then lead to the following net-locking sequence qemu_driver, filter, qemu_domain where the 2nd qemu_driver lock has been ( logically ) eliminated. The 2nd part of the idea is that the sequence of locks (filter, qemu_domain) and (qemu_domain, filter) becomes interchangeable if all code paths where filter AND qemu_domain are locked have a preceding qemu_domain lock that basically blocks their concurrent execution So, the following code paths exist towards qemu_driver:qemudVMFilterRebuild where we now want to put a qemu_driver lock in front of the filter lock. -> nwfilterUndefine() [ locks the filter ] -> virNWFilterTestUnassignDef() -> virNWFilterTriggerVMFilterRebuild() -> qemudVMFilterRebuild() -> nwfilterDefine() -> virNWFilterPoolAssignDef() [ locks the filter ] -> virNWFilterTriggerVMFilterRebuild() -> qemudVMFilterRebuild() -> nwfilterDriverReload() -> virNWFilterPoolLoadAllConfigs() ->virNWFilterPoolObjLoad() -> virNWFilterPoolAssignDef() [ locks the filter ] -> virNWFilterTriggerVMFilterRebuild() -> qemudVMFilterRebuild() -> nwfilterDriverStartup() -> virNWFilterPoolLoadAllConfigs() ->virNWFilterPoolObjLoad() -> virNWFilterPoolAssignDef() [ locks the filter ] -> virNWFilterTriggerVMFilterRebuild() -> qemudVMFilterRebuild() Qemu is not the only driver using the nwfilter driver, but also the UML driver calls into it. Therefore qemuVMFilterRebuild() can be exchanged with umlVMFilterRebuild() along with the driver lock of qemu_driver that can now be a uml_driver. Further, since UML and Qemu domains can be running on the same machine, the triggering of a rebuild of the filter can touch both types of drivers and their domains. In the patch below I am now extending each nwfilter callback driver with functions for locking and unlocking the (VM) driver (UML, QEMU) and introduce new functions for locking all registered callback drivers and unlocking them. Then I am distributing the lock-all-cbdrivers/unlock-all-cbdrivers call into the above call paths. The last shown callpath starting with nwfilterDriverStart() is problematic since it is initialize before the Qemu and UML drives are and thus a lock in the path would result in a NULL pointer attempted to be locked -- the call to virNWFilterTriggerVMFilterRebuild() is never called, so we never lock either the qemu_driver or the uml_driver in that path. Therefore, only the first 3 paths now receive calls to lock and unlock all callback drivers. Now that the locks are distributed where it matters I can remove the qemu_driver and uml_driver lock from qemudVMFilterRebuild() and umlVMFilterRebuild() and not requiring the recursive locks. For now I want to put this out as an RFC patch. I have tested it by 'stretching' the critical section after the define/undefine functions each lock the filter so I can (easily) concurrently execute another VM operation (suspend,start). That code is in this patch and if you want you can de-activate it. It seems to work ok and operations are being blocked while the update is being done. I still also want to verify the other assumption above that locking filter and qemu_domain always has a preceding qemu_driver lock. Signed-off-by: Stefan Berger <stefanb(a)us.ibm.com> --- src/conf/nwfilter_conf.c | 18 ++++++++++++++++++ src/conf/nwfilter_conf.h | 6 ++++++ src/libvirt_private.syms | 2 ++ src/nwfilter/nwfilter_driver.c | 13 +++++++++++++ src/qemu/qemu_driver.c | 19 +++++++++++++++---- src/uml/uml_driver.c | 18 ++++++++++++++---- 6 files changed, 68 insertions(+), 8 deletions(-) Index: libvirt-acl/src/conf/nwfilter_conf.h =================================================================== --- libvirt-acl.orig/src/conf/nwfilter_conf.h +++ libvirt-acl/src/conf/nwfilter_conf.h @@ -658,6 +658,8 @@ void virNWFilterConfLayerShutdown(void); typedef int (*virNWFilterRebuild)(virConnectPtr conn, virHashIterator, void *data); +typedef void (*virNWFilterVoidCall)(void); + typedef struct _virNWFilterCallbackDriver virNWFilterCallbackDriver; typedef virNWFilterCallbackDriver *virNWFilterCallbackDriverPtr; @@ -665,9 +667,13 @@ struct _virNWFilterCallbackDriver { const char *name; virNWFilterRebuild vmFilterRebuild; + virNWFilterVoidCall vmDriverLock; + virNWFilterVoidCall vmDriverUnlock; }; void virNWFilterRegisterCallbackDriver(virNWFilterCallbackDriverPtr); +void virNWFilterCallbackDriversLock(void); +void virNWFilterCallbackDriversUnlock(void); VIR_ENUM_DECL(virNWFilterRuleAction); Index: libvirt-acl/src/qemu/qemu_driver.c =================================================================== --- libvirt-acl.orig/src/qemu/qemu_driver.c +++ libvirt-acl/src/qemu/qemu_driver.c @@ -12725,11 +12725,7 @@ static int qemudVMFilterRebuild(virConnectPtr conn ATTRIBUTE_UNUSED, virHashIterator iter, void *data) { - struct qemud_driver *driver = qemu_driver; - - qemuDriverLock(driver); virHashForEach(qemu_driver->domains.objs, iter, data); - qemuDriverUnlock(driver); return 0; } @@ -12757,9 +12753,24 @@ qemudVMFiltersInstantiate(virConnectPtr return err; } + +static void +qemudVMDriverLock(void) { + qemuDriverLock(qemu_driver); +}; + + +static void +qemudVMDriverUnlock(void) { + qemuDriverUnlock(qemu_driver); +}; + + static virNWFilterCallbackDriver qemuCallbackDriver = { .name = "QEMU", .vmFilterRebuild = qemudVMFilterRebuild, + .vmDriverLock = qemudVMDriverLock, + .vmDriverUnlock = qemudVMDriverUnlock, }; int qemuRegister(void) { Index: libvirt-acl/src/uml/uml_driver.c =================================================================== --- libvirt-acl.orig/src/uml/uml_driver.c +++ libvirt-acl/src/uml/uml_driver.c @@ -2202,11 +2202,7 @@ static int umlVMFilterRebuild(virConnectPtr conn ATTRIBUTE_UNUSED, virHashIterator iter, void *data) { - struct uml_driver *driver = uml_driver; - - umlDriverLock(driver); virHashForEach(uml_driver->domains.objs, iter, data); - umlDriverUnlock(driver); return 0; } @@ -2219,9 +2215,23 @@ static virStateDriver umlStateDriver = { .active = umlActive, }; +static void +umlVMDriverLock(void) +{ + umlDriverLock(uml_driver); +} + +static void +umlVMDriverUnlock(void) +{ + umlDriverUnlock(uml_driver); +} + static virNWFilterCallbackDriver umlCallbackDriver = { .name = "UML", .vmFilterRebuild = umlVMFilterRebuild, + .vmDriverLock = umlVMDriverLock, + .vmDriverUnlock = umlVMDriverUnlock, }; int umlRegister(void) { Index: libvirt-acl/src/conf/nwfilter_conf.c =================================================================== --- libvirt-acl.orig/src/conf/nwfilter_conf.c +++ libvirt-acl/src/conf/nwfilter_conf.c @@ -2303,6 +2303,24 @@ virNWFilterRegisterCallbackDriver(virNWF } } +void +virNWFilterCallbackDriversLock(void) +{ + int i; + + for (i = 0; i < nCallbackDriver; i++) + callbackDrvArray[i]->vmDriverLock(); +} + +void +virNWFilterCallbackDriversUnlock(void) +{ + int i; + + for (i = 0; i < nCallbackDriver; i++) + callbackDrvArray[i]->vmDriverUnlock(); +} + static virHashIterator virNWFilterDomainFWUpdateCB; Index: libvirt-acl/src/libvirt_private.syms =================================================================== --- libvirt-acl.orig/src/libvirt_private.syms +++ libvirt-acl/src/libvirt_private.syms @@ -535,6 +535,8 @@ virNWFilterConfLayerShutdown; virNWFilterLockFilterUpdates; virNWFilterUnlockFilterUpdates; virNWFilterPrintStateMatchFlags; +virNWFilterCallbackDriversLock; +virNWFilterCallbackDriversUnlock; # nwfilter_params.h Index: libvirt-acl/src/nwfilter/nwfilter_driver.c =================================================================== --- libvirt-acl.orig/src/nwfilter/nwfilter_driver.c +++ libvirt-acl/src/nwfilter/nwfilter_driver.c @@ -34,6 +34,7 @@ #include "memory.h" #include "domain_conf.h" #include "domain_nwfilter.h" +#include "nwfilter_conf.h" #include "nwfilter_driver.h" #include "nwfilter_gentech_driver.h" @@ -152,9 +153,13 @@ nwfilterDriverReload(void) { virNWFilterLearnThreadsTerminate(true); nwfilterDriverLock(driverState); + virNWFilterCallbackDriversLock(); + virNWFilterPoolLoadAllConfigs(conn, &driverState->pools, driverState->configDir); + + virNWFilterCallbackDriversUnlock(); nwfilterDriverUnlock(driverState); virConnectClose(conn); @@ -328,6 +333,8 @@ nwfilterDefine(virConnectPtr conn, virNWFilterPtr ret = NULL; nwfilterDriverLock(driver); + virNWFilterCallbackDriversLock(); + if (!(def = virNWFilterDefParseString(conn, xml))) goto cleanup; @@ -347,6 +354,8 @@ cleanup: virNWFilterDefFree(def); if (pool) virNWFilterPoolObjUnlock(pool); + + virNWFilterCallbackDriversUnlock(); nwfilterDriverUnlock(driver); return ret; } @@ -359,6 +368,8 @@ nwfilterUndefine(virNWFilterPtr obj) { int ret = -1; nwfilterDriverLock(driver); + virNWFilterCallbackDriversLock(); + pool = virNWFilterPoolObjFindByUUID(&driver->pools, obj->uuid); if (!pool) { virNWFilterReportError(VIR_ERR_INVALID_NWFILTER, @@ -385,6 +396,8 @@ nwfilterUndefine(virNWFilterPtr obj) { cleanup: if (pool) virNWFilterPoolObjUnlock(pool); + + virNWFilterCallbackDriversUnlock(); nwfilterDriverUnlock(driver); return ret; }

1 0

[libvirt] [PATCH v2 0/5] nwfilter: Support comment attribute in filter rule descriptions
by Stefan Berger 07 Oct '10

07 Oct '10

V2: - work on the iptables instantiation patch (2/5) - work on the parser patch (1/5) - small changes to the test cases (5/5) The following patch series adds support for a comment node to the XML attributes of all protocols. If possible, as for example in case of iptables, the comments are instantiated (iptables ... -m comment --comment ...). The patches do the following: - extend the parser and XML generator to parse and create XML with the comment attribute - instantiate the comment in case of ip(6)tables - extend the nwfilter.rng schema with the comment attribute - add the information to the web docs - add a test case for the XML parser/generator to be run during 'make check' Regards, Stefan

4 21