April 2010 - Devel - libvirt List Archives

[libvirt] [RFC PATCH 0/5] Qemu Monitor Passthrough
by Chris Lalancette 19 Apr '10

19 Apr '10

Hello, As we discussed on the list, here are RFC patches that allow both qemu monitor passthrough and the ability to specify extra arguments to be passed on the qemu command-line. I've specifically not done the more complicated regex command-line editing for now, since we don't have consensus on it. There are a few outstanding issues with these patches: 1) Should we have a separate structure for the per-driver qemuMonitorCommand entry point? 2) Due to the way that virsh parses command-line arguments, it's not possible to pass it an argument that has spaces (even if you properly quote it). Therefore I have a hack in place that will convert ^ to space before passing it along, which is pretty crappy. How should we go about fixing this? Fix virsh argument parsing, or go about it a different way? Questions or comments about the patch series are welcome. Chris Lalancette

2 14

[libvirt] That the Linux bridge configuration does not work afer I upgraded the kernel to 2.6.33.2.
by Frank Peng 19 Apr '10

19 Apr '10

Hello, When I use a standard Redhat kernel, it's ok. Everything's working right. That the Linux bridge configuration does not work afer I upgraded the kernel to 2.6.33.2. Why? [root@node78 ~]# cat /etc/issue Red Hat Enterprise Linux Server release 5.5 (Tikanga) Kernel \r on an \m [root@node78 ~]# uname -a Linux node78 2.6.33.2 #1 SMP Wed Apr 14 10:10:29 CST 2010 x86_64 x86_64 x86_64 GNU/Linux [root@node78 ~]# cat /etc/sysconfig/selinux # This file controls the state of SELinux on the system. # SELINUX= can take one of these three values: # enforcing - SELinux security policy is enforced. # permissive - SELinux prints warnings instead of enforcing. # disabled - SELinux is fully disabled. SELINUX=disabled # SELINUXTYPE= type of policy in use. Possible values are: # targeted - Only targeted network daemons are protected. # strict - Full SELinux protection. SELINUXTYPE=targeted [root@node78 ~]# iptables -L Chain INPUT (policy ACCEPT) target prot opt source destination Chain FORWARD (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination [root@node78 ~]# cat /etc/sysconfig/network-scripts/ifcfg-eth0 # Intel Corporation 80003ES2LAN Gigabit Ethernet Controller (Copper) DEVICE=eth0 HWADDR=00:15:17:11:16:18 BRIDGE=br0 NM_CONTROLLED=no ONBOOT=yes [root@node78 ~]# cat /etc/sysconfig/network-scripts/ifcfg-br0 DEVICE=br0 TYPE=Bridge BOOTPROTO=static BROADCAST=192.168.0.255 IPADDR=192.168.0.78 NETMASK=255.255.255.0 NETWORK=192.168.0.0 DELAY=0 NM_CONTROLLED=no ONBOOT=yes [root@node78 ~]#cd /usr/src/ [root@node78 ~]#tar jxf linux-2.6.33.2.tar.bz2 [root@node78 ~]#ln -s linux-2.6.33.2 linux [root@node78 ~]#cd linux [root@node78 ~]#cp /boot/config-2.6.18-164.el5 /usr/src/linux-2.6.33.2/.config [root@node78 ~]#make menuconfig (add the option "enable deprecated sysfs feathures to support old userspace tools") [root@node78 ~]#make && make modules && make modules_install && make install [root@node78 ~]# ifconfig br0 Link encap:Ethernet HWaddr 00:15:17:11:16:18 inet addr:192.168.0.78 Bcast:192.168.0.255 Mask:255.255.255.0 inet6 addr: fe80::215:17ff:fe11:1618/64 Scope:Link UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX packets:7217 errors:0 dropped:0 overruns:0 frame:0 TX packets:273 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:0 RX bytes:738606 (721.2 KiB) TX bytes:36168 (35.3 KiB) eth0 Link encap:Ethernet HWaddr 00:15:17:11:16:18 inet6 addr: fe80::215:17ff:fe11:1618/64 Scope:Link UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX packets:7490 errors:0 dropped:0 overruns:0 frame:0 TX packets:304 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:100 RX bytes:866112 (845.8 KiB) TX bytes:42312 (41.3 KiB) Memory:b8820000-b8840000 eth1 Link encap:Ethernet HWaddr 00:15:17:11:16:19 inet addr:10.0.7.78 Bcast:10.255.255.255 Mask:255.0.0.0 inet6 addr: fe80::215:17ff:fe11:1619/64 Scope:Link UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX packets:4 errors:0 dropped:0 overruns:0 frame:0 TX packets:59 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:1000 RX bytes:1056 (1.0 KiB) TX bytes:10982 (10.7 KiB) Memory:b8800000-b8820000 lo Link encap:Local Loopback inet addr:127.0.0.1 Mask:255.0.0.0 inet6 addr: ::1/128 Scope:Host UP LOOPBACK RUNNING MTU:16436 Metric:1 RX packets:1831 errors:0 dropped:0 overruns:0 frame:0 TX packets:1831 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:0 RX bytes:3576260 (3.4 MiB) TX bytes:3576260 (3.4 MiB) [root@node78 ~]# ifconfig vmbr0 vmbr0: error fetching interface information: Device not found Best Regards, Frank

1 0

[libvirt] [PATCH] nwfilter: Free nwfilter hash of virConnectPtr
by Matthias Bolte 18 Apr '10

18 Apr '10

And close the driver on connection close. --- src/datatypes.c | 20 ++++++++++++++++++++ 1 files changed, 20 insertions(+), 0 deletions(-) diff --git a/src/datatypes.c b/src/datatypes.c index ebcd538..25962a6 100644 --- a/src/datatypes.c +++ b/src/datatypes.c @@ -129,6 +129,20 @@ virSecretFreeName(void *secret_, const char *name ATTRIBUTE_UNUSED) } /** + * virNWFilterPoolFreeName: + * @pool: a nwfilter pool object + * + * Destroy the nwfilter pool object, this is just used by the nwfilter pool hash callback. + * + * Returns 0 in case of success and -1 in case of failure. + */ +static int +virNWFilterPoolFreeName(virNWFilterPtr pool, const char *name ATTRIBUTE_UNUSED) +{ + return (virUnrefNWFilter(pool)); +} + +/** * virDomainSnapshotFreeName: * @snapshot: a domain snapshotobject * @@ -212,6 +226,8 @@ failed: virHashFree(ret->nodeDevices, (virHashDeallocator) virNodeDeviceFree); if (ret->secrets != NULL) virHashFree(ret->secrets, virSecretFreeName); + if (ret->nwfilterPools != NULL) + virHashFree(ret->nwfilterPools, (virHashDeallocator) virNWFilterPoolFreeName); virMutexDestroy(&ret->lock); VIR_FREE(ret); @@ -245,6 +261,8 @@ virReleaseConnect(virConnectPtr conn) { virHashFree(conn->nodeDevices, (virHashDeallocator) virNodeDeviceFree); if (conn->secrets != NULL) virHashFree(conn->secrets, virSecretFreeName); + if (conn->nwfilterPools != NULL) + virHashFree(conn->nwfilterPools, (virHashDeallocator) virNWFilterPoolFreeName); virResetError(&conn->err); @@ -292,6 +310,8 @@ virUnrefConnect(virConnectPtr conn) { conn->deviceMonitor->close (conn); if (conn->secretDriver) conn->secretDriver->close (conn); + if (conn->nwfilterDriver) + conn->nwfilterDriver->close (conn); if (conn->driver) conn->driver->close (conn); -- 1.6.3.3

2 2

[libvirt] [PATCH 00/30] Cleanup translation marks and remove virConnectPtr from error reporting
by Matthias Bolte 17 Apr '10

17 Apr '10

This set of patches removes translation marks from log messages, adds missing translation marks to error messages and removes the virConnectPtr parameter from all error reporting functions. This series is large, but most of it was done by search and replace. 105 files changed, 3574 insertions(+), 4005 deletions(-) Matthias

6 96

[libvirt] [PATCH] Mark internal.h for translation
by Jiri Denemark 16 Apr '10

16 Apr '10

Patch for virCheckFlags added a message marked for translation into internal.h without including that file in POTFILES.in. I've just pushed the following patch. Jirka >From 39f3fee4a48ef39a2baab25e306d94238d1e1361 Mon Sep 17 00:00:00 2001 Message-Id: <39f3fee4a48ef39a2baab25e306d94238d1e1361.1271439006.git.jdenemar(a)redhat.com> From: Jiri Denemark <jdenemar(a)redhat.com> Date: Fri, 16 Apr 2010 19:21:10 +0200 Subject: [PATCH] Mark internal.h for translation Mail-Followup-To: libvir-list(a)redhat.com --- po/POTFILES.in | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) diff --git a/po/POTFILES.in b/po/POTFILES.in index 406e4c2..58e7358 100644 --- a/po/POTFILES.in +++ b/po/POTFILES.in @@ -25,6 +25,7 @@ src/esx/esx_vi_methods.c src/esx/esx_vi_types.c src/esx/esx_vmx.c src/interface/netcf_driver.c +src/internal.h src/libvirt.c src/lxc/lxc_container.c src/lxc/lxc_controller.c -- 1.7.0.4

1 0

[libvirt] unable to set security context (NFSv4 problem?)
by Harald Dunkel 16 Apr '10

16 Apr '10

Hi folks, Since I have moved the image file of a domain to an NFS partition I get an error message at start time: # virsh start mydomain error: Failed to start domain mydomain error: unable to set security context '110:140' on '/storage/mydomain/vda.img': Invalid argument The /storage partition is mounted with these options: # cat /proc/mounts | grep /storage nasl002:/storage/ /storage nfs4 rw,relatime,vers=4,rsize=1048576,wsize=1048576,namlen=255,hard,proto=tcp,port=0,timeo=600,retrans=2,sec=sys,clientaddr=172.19.96.31,addr=172.19.96.213 0 0 If I use a local disk instead, then there is no such problem. libvirt is version 0.7.7-4, as included with Debian. Any helpful comment would be highly appreciated. Regards Harri

4 5

[libvirt] [PATCH] Don't build nwfilter examples when not building libvirtd
by Matthew Booth 16 Apr '10

16 Apr '10

* Makefile.am: Make examples/xml/nwfilter conditional on WITH_LIBVIRTD --- Makefile.am | 7 +++++-- 1 files changed, 5 insertions(+), 2 deletions(-) diff --git a/Makefile.am b/Makefile.am index dd334b5..40352c4 100644 --- a/Makefile.am +++ b/Makefile.am @@ -5,8 +5,11 @@ GENHTML = genhtml SUBDIRS = gnulib/lib include src daemon tools proxy docs gnulib/tests \ python tests po examples/domain-events/events-c examples/hellolibvirt \ - examples/dominfo examples/domsuspend examples/python examples/apparmor \ - examples/xml/nwfilter + examples/dominfo examples/domsuspend examples/python examples/apparmor + +if WITH_LIBVIRTD + SUBDIRS += examples/xml/nwfilter +endif ACLOCAL_AMFLAGS = -I m4 -I gnulib/m4 -- 1.6.6.1

2 1

[libvirt] [PATCH] esx: Add nwfilter driver stub
by Matthias Bolte 16 Apr '10

16 Apr '10

This stops libvirt trying to connect to a non-existing libvirtd on the ESX server. --- src/Makefile.am | 1 + src/esx/esx_driver.c | 4 +- src/esx/esx_nwfilter_driver.c | 86 +++++++++++++++++++++++++++++++++++++++++ src/esx/esx_nwfilter_driver.h | 29 ++++++++++++++ 4 files changed, 119 insertions(+), 1 deletions(-) create mode 100644 src/esx/esx_nwfilter_driver.c create mode 100644 src/esx/esx_nwfilter_driver.h diff --git a/src/Makefile.am b/src/Makefile.am index df577ea..66dc349 100644 --- a/src/Makefile.am +++ b/src/Makefile.am @@ -247,6 +247,7 @@ ESX_DRIVER_SOURCES = \ esx/esx_storage_driver.c esx/esx_storage_driver.h \ esx/esx_device_monitor.c esx/esx_device_monitor.h \ esx/esx_secret_driver.c esx/esx_secret_driver.h \ + esx/esx_nwfilter_driver.c esx/esx_nwfilter_driver.h \ esx/esx_util.c esx/esx_util.h \ esx/esx_vi.c esx/esx_vi.h \ esx/esx_vi_methods.c esx/esx_vi_methods.h \ diff --git a/src/esx/esx_driver.c b/src/esx/esx_driver.c index e3340c9..a2fc85c 100644 --- a/src/esx/esx_driver.c +++ b/src/esx/esx_driver.c @@ -39,6 +39,7 @@ #include "esx_storage_driver.h" #include "esx_device_monitor.h" #include "esx_secret_driver.h" +#include "esx_nwfilter_driver.h" #include "esx_private.h" #include "esx_vi.h" #include "esx_vi_methods.h" @@ -3834,7 +3835,8 @@ esxRegister(void) esxNetworkRegister() < 0 || esxStorageRegister() < 0 || esxDeviceRegister() < 0 || - esxSecretRegister() < 0) { + esxSecretRegister() < 0 || + esxNWFilterRegister() < 0) { return -1; } diff --git a/src/esx/esx_nwfilter_driver.c b/src/esx/esx_nwfilter_driver.c new file mode 100644 index 0000000..71d7aca --- /dev/null +++ b/src/esx/esx_nwfilter_driver.c @@ -0,0 +1,86 @@ + +/* + * esx_nwfilter_driver.c: nwfilter driver functions for managing VMware ESX + * firewall rules + * + * Copyright (C) 2010 Matthias Bolte <matthias.bolte(a)googlemail.com> + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + * + */ + +#include <config.h> + +#include "internal.h" +#include "util.h" +#include "memory.h" +#include "logging.h" +#include "uuid.h" +#include "esx_private.h" +#include "esx_nwfilter_driver.h" +#include "esx_vi.h" +#include "esx_vi_methods.h" +#include "esx_util.h" + +#define VIR_FROM_THIS VIR_FROM_ESX + + + +static virDrvOpenStatus +esxNWFilterOpen(virConnectPtr conn, + virConnectAuthPtr auth ATTRIBUTE_UNUSED, + int flags ATTRIBUTE_UNUSED) +{ + if (STRNEQ(conn->driver->name, "ESX")) { + return VIR_DRV_OPEN_DECLINED; + } + + conn->nwfilterPrivateData = conn->privateData; + + return VIR_DRV_OPEN_SUCCESS; +} + + + +static int +esxNWFilterClose(virConnectPtr conn) +{ + conn->interfacePrivateData = NULL; + + return 0; +} + + + +static virNWFilterDriver esxNWFilterDriver = { + "ESX", /* name */ + esxNWFilterOpen, /* open */ + esxNWFilterClose, /* close */ + NULL, /* numOfNWFilters */ + NULL, /* listNWFilters */ + NULL, /* nwfilterLookupByName */ + NULL, /* nwfilterLookupByUUID */ + NULL, /* defineXML */ + NULL, /* undefine */ + NULL, /* getXMLDesc */ +}; + + + +int +esxNWFilterRegister(void) +{ + return virRegisterNWFilterDriver(&esxNWFilterDriver); +} diff --git a/src/esx/esx_nwfilter_driver.h b/src/esx/esx_nwfilter_driver.h new file mode 100644 index 0000000..64cceab --- /dev/null +++ b/src/esx/esx_nwfilter_driver.h @@ -0,0 +1,29 @@ + +/* + * esx_nwfilter_driver.h: nwfilter driver functions for managing VMware ESX + * firewall rules + * + * Copyright (C) 2010 Matthias Bolte <matthias.bolte(a)googlemail.com> + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + * + */ + +#ifndef __ESX_NWFILTER_DRIVER_H__ +# define __ESX_NWFILTER_DRIVER_H__ + +int esxNWFilterRegister(void); + +#endif /* __ESX_NWFILTER_DRIVER_H__ */ -- 1.6.3.3

3 3

[libvirt] [PATCH v2 0/2] Enhance checking of supported flags in drivers
by Jiri Denemark 16 Apr '10

16 Apr '10

I think we need a simple and consistent way of checking whether flags passed to API entry points in drivers are valid/supported or not. So far some entry points don't check flags at all and some checks for 0 when no flags are expected/supported. The first patch introduces a macro which can be called with a whitelist of supported flags (more info about it inside the patch). The second patch changes all API calls introduced in 0.8.0 release to use the macro for checking valid flags. I'm not sure if we can change existing API calls to do the same as it could break some badly written apps which pass invalid flags. My opinion is that we may often do that as such apps don't use the API in a documented/valid way. Changes in v2: - virCheckFlags moved from checks.h to existing internal.h Jirka Jiri Denemark (2): Introduce virCheckFlags for consistent flags checking Use virCheckFlags for APIs added in 0.8.0 src/esx/esx_driver.c | 43 ++++++++++++------------- src/internal.h | 23 +++++++++++++ src/nwfilter/nwfilter_driver.c | 4 ++- src/qemu/qemu_driver.c | 68 +++++++++++++++++++--------------------- src/storage/storage_driver.c | 6 +--- src/vbox/vbox_tmpl.c | 41 ++++++++++++++++------- src/xen/xend_internal.c | 4 ++ 7 files changed, 111 insertions(+), 78 deletions(-)

3 7

[libvirt] [PATCH] nwfilter: Clear all state tracking from a drop rule
by Stefan Berger 16 Apr '10

16 Apr '10

Don't use state-matching in a drop rule. Signed-off-by: Stefan Berger <stefanb(a)us.ibm.com> Index: libvirt-acl/src/nwfilter/nwfilter_ebiptables_driver.c =================================================================== --- libvirt-acl.orig/src/nwfilter/nwfilter_ebiptables_driver.c +++ libvirt-acl/src/nwfilter/nwfilter_ebiptables_driver.c @@ -1380,13 +1380,16 @@ _iptablesCreateRuleInstance(int directio return 0; } - if (match) - virBufferVSprintf(&buf, " %s", match); - if (rule->action == VIR_NWFILTER_RULE_ACTION_ACCEPT) target = accept_target; - else + else { target = "DROP"; + match = NULL; + } + + if (match) + virBufferVSprintf(&buf, " %s", match); + virBufferVSprintf(&buf, " -j %s" CMD_DEF_POST CMD_SEPARATOR

2 2