April 2010 - Devel - libvirt List Archives

[libvirt] Don't add iptables rules when creating networks
by Felix Schwarz 13 Jun '10

13 Jun '10

Hi, I just found out that libvirt always add some iptables rules if it creates a natted (or routed) network. There were a couple of mailing list posts about this so I'm pretty sure this is not news to you. I don't want to go into the debate if your approach is sensible or not (I guess there are some use cases where I kind of like it). However on my server machine I really need full control over my (rather complicated) firewall settings. Currently the newly added rules really create a lot of problems for me. For example if I manage to have a good configuration after startup and then start a libvirt network afterwards, it will inject its rules at the start of the FORWARD queue (even though the same parameters are already present at the end!). On every net start there will be more duplicated rules and they will take preference over my existing rules. Besides that specific issue I think this is only one tiny problem compared to others (central configuration of firewall rules, auditing requirements, ...). Therefore I would like to have some kind 'power user' flag that prevents libvirt from adding any filter rules. I'm fine with activating it manually as long as I don't have to patch libvirt. fs

3 6

[libvirt] [PATCH] 0/10AppArmor driver updates
by Jamie Strandboge 07 Jun '10

07 Jun '10

This patch series addresses bug fixes in the AppArmor driver as well as updating it to changes made in 0.7.6 and 0.7.7. All of these are self-contained within the driver except 4_qemu_driver_stdin_path.patch. This is required by 5_apparmor-fix-save-restore.patch (see below). These all pass 'make syntax-check' and 'make check' (except 'daemon-conf', which has never passed here and I didn't patch it). 1_apparmor-dont-clear-caps.patch: originally submitted on 2010/02/08 with no feedback. The calls to virExec() in security_apparmor.c when invoking virt-aa-helper use VIR_EXEC_CLEAR_CAPS. When compiled without libcap-ng, this is not a problem (it's effectively a no-op) but with libcap-ng this causes MAC_ADMIN to be cleared. MAC_ADMIN is needed by virt-aa-helper to manipulate apparmor profiles and without it VMs will not start[1]. This patch calls virExec with the default VIR_EXEC_NONE instead. 2_apparmor-remove-unloaded-profile-is-not-fatal.patch: Don't exit with error if the user unloaded the profile outside of libvirt[2] 3_apparmor-fix-vah-xml-parse.patch: add VIR_DOMAIN_XML_INACTIVE flag to virDomainDefParseString() so virDomainDefParseString() doesn't error out when seeing <seclabel...>. This was needed due to changes since 0.7.5. 4_qemu_driver_stdin_path.patch: adjust args to qemudStartVMDaemon() to also specify path to stdin_fd, so this can be passed to the AppArmor driver via *SetSecurityAllLabel(). This updates all calls to qemudStartVMDaemon() as well as setting up the non-AppArmor security driver *SetSecurityAllLabel() declarations for the above. This is required for 5_apparmor-fix-save-restore.patch since AppArmor resolves the passed file descriptor to the pathname given to open(). 5_apparmor-fix-save-restore.patch: refactoring to update AppArmor security driver to adjust profile for save/restore[3] 6_apparmor-fix-backingstore.patch: adjust virt-aa-helper to handle backing store[4] 7_apparmor-fix-hostdev.patch: adjust virt-aa-helper to handle pci devices. Update valid_path() to have an override array to check against, and add "/sys/devices/pci" to it. Then rename file_iterate_cb() to file_iterate_hostdev_cb() and create file_iterate_pci_cb() based on it. 8_apparmor-fix-xauth.patch: adjust virt-aa-helper to handle SDL graphics, specifically Xauthority[6]. Also remove a couple redundant checks 9_apparmor-examples.patch: adjustments to the example profiles 10_apparmor-vah-test.patch: update pcidev test and add SDL xauth [1] https://launchpad.net/bugs/517714 [2] https://launchpad.net/bugs/530400 [3] https://launchpad.net/bugs/457716 [4] https://launchpad.net/bugs/470636 [5] https://launchpad.net/bugs/545795 [6] https://launchpad.net/bugs/545426 -- Jamie Strandboge | http://www.canonical.com

4 24

[libvirt] [PATCH] Strict check when listing domains
by Eduardo Otubo 03 Jun '10

03 Jun '10

-- Eduardo Otubo Software Engineer Linux Technology Center IBM Systems & Technology Group Mobile: +55 19 8135 0885 eotubo(a)linux.vnet.ibm.com

3 7

[libvirt] Compile v0.8.0 under fedora 12 / mingw
by Dev.Atom 02 Jun '10

02 Jun '10

Hi there, I'm trying to compile the libvirt from git (today). I use these configure parameters : ./configure --prefix=/usr/i686-pc-mingw32/sys-root/mingw/ --host=i686-pc-mingw32 --without-xen --without-xen-inotify --without-umlt --without-openvz --without-phyp --without-xenapi --without-vbox --without-lxc --without-one --without-esx --without-libvirtd --without-sasl --without-yajl --without-polkit --without-avahi --without-selinux --without-secdriver-selinux --without-apparmor --without-capng --without-netcf --without-python --without-xen-proxy --without-hal --without-udev And make crash in this way : make[3]: Entering directory `/home/arnaud/Bureau/MingWinProjects/libvirt/git20102704/libvirt/src' CC libvirt_util_la-authhelper.lo CC libvirt_util_la-buf.lo CC libvirt_util_la-conf.lo CC libvirt_util_la-cgroup.lo CC libvirt_util_la-event.lo CC libvirt_util_la-hash.lo CC libvirt_util_la-hooks.lo In file included from ../src/util/threads-pthread.h:24, from ../src/util/threads.h:65, from ./conf/domain_conf.h:36, from util/hooks.c:38: /usr/i686-pc-mingw32/sys-root/mingw/include/pthread.h:307: error: redefinition of 'struct rpl_timespec' make[3]: *** [libvirt_util_la-hooks.lo] Error 1 make[3]: Leaving directory `/home/arnaud/Bureau/MingWinProjects/libvirt/git20102704/libvirt/src' make[2]: *** [all] Error 2 make[2]: Leaving directory `/home/arnaud/Bureau/MingWinProjects/libvirt/git20102704/libvirt/src' make[1]: *** [all-recursive] Error 1 make[1]: Leaving directory `/home/arnaud/Bureau/MingWinProjects/libvirt/git20102704/libvirt' make: *** [all] Error 2 Maybe I have made a mistake in the configure line ? Any help ? Thanks Arnaud Champion

2 2

[libvirt] [PATCH 00/10] Add support for SPICE graphics in QEMU
by Daniel P. Berrange 24 May '10

24 May '10

Gerd today posted patches to upstream QEMU which support SPICE graphics. They have not been accepted / merged yet, but I'm optimistic that the command line syntax will not change significantly. http://lists.gnu.org/archive/html/qemu-devel/2010-04/msg00967.html This patch series adds corresponding support in libvirt's QEMU driver. Although this patch series adds support in the XML RNG for a password expiry time, this functionality isn't wired up in this patch series since I need more time to write fallback code for cases where QEMU doesn't do expiry itself. Daniel

3 14

[libvirt] [PATCH] pci: Give an explicit error if device not found
by Cole Robinson 17 May '10

17 May '10

Signed-off-by: Cole Robinson <crobinso(a)redhat.com> --- src/util/pci.c | 12 +++++++++++- 1 files changed, 11 insertions(+), 1 deletions(-) diff --git a/src/util/pci.c b/src/util/pci.c index 81193b7..e1e11bc 100644 --- a/src/util/pci.c +++ b/src/util/pci.c @@ -1028,6 +1028,7 @@ pciGetDevice(unsigned domain, unsigned function) { pciDevice *dev; + char devdir[PATH_MAX]; char *vendor, *product; if (VIR_ALLOC(dev) < 0) { @@ -1043,8 +1044,17 @@ pciGetDevice(unsigned domain, snprintf(dev->name, sizeof(dev->name), "%.4x:%.2x:%.2x.%.1x", dev->domain, dev->bus, dev->slot, dev->function); + snprintf(devdir, sizeof(devdir), + PCI_SYSFS "devices/%s", dev->name); snprintf(dev->path, sizeof(dev->path), - PCI_SYSFS "devices/%s/config", dev->name); + "%s/%s/config", devdir, dev->name); + + if (access(devdir, X_OK) != 0) { + pciReportError(VIR_ERR_INTERNAL_ERROR, + _("Device %s not found"), dev->name); + pciFreeDevice(dev); + return NULL; + } vendor = pciReadDeviceID(dev, "vendor"); product = pciReadDeviceID(dev, "device"); -- 1.7.0.1

2 2

[libvirt] [PATCH] qemu: Report cmdline output if VM dies early
by Cole Robinson 17 May '10

17 May '10

qemuReadLogOutput early VM death detection is racy and won't always work. Startup then errors when connecting to the VM monitor. This won't report the emulator cmdline output which is typically the most useful diagnostic. Check if the VM has died at the very end of the monitor connection step, and if so, report the cmdline output. See also: https://bugzilla.redhat.com/show_bug.cgi?id=581381 Signed-off-by: Cole Robinson <crobinso(a)redhat.com> --- src/qemu/qemu_driver.c | 59 ++++++++++++++++++++++++++++++++++------------- 1 files changed, 42 insertions(+), 17 deletions(-) diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c index 42a653a..c446028 100644 --- a/src/qemu/qemu_driver.c +++ b/src/qemu/qemu_driver.c @@ -2029,39 +2029,47 @@ static void qemudFreePtyPath(void *payload, const char *name ATTRIBUTE_UNUSED) VIR_FREE(payload); } +static void +qemuReadLogFD(int logfd, char *buf, int maxlen, int off) +{ + int ret; + char *tmpbuf = buf+off; + + ret = saferead(logfd, tmpbuf, maxlen-off-1); + if (ret < 0) { + ret = 0; + } + + *(tmpbuf+ret) = '\0'; +} + static int qemudWaitForMonitor(struct qemud_driver* driver, virDomainObjPtr vm, off_t pos) { - char buf[4096]; /* Plenty of space to get startup greeting */ + char buf[4096] = "\0"; /* Plenty of space to get startup greeting */ int logfd; int ret = -1; + virHashTablePtr paths = NULL; - if ((logfd = qemudLogReadFD(driver->logDir, vm->def->name, pos)) - < 0) + if ((logfd = qemudLogReadFD(driver->logDir, vm->def->name, pos)) < 0) return -1; - ret = qemudReadLogOutput(vm, logfd, buf, sizeof(buf), - qemudFindCharDevicePTYs, - "console", 30); - if (close(logfd) < 0) { - char ebuf[4096]; - VIR_WARN(_("Unable to close logfile: %s"), - virStrerror(errno, ebuf, sizeof ebuf)); - } - - if (ret < 0) - return -1; + if (qemudReadLogOutput(vm, logfd, buf, sizeof(buf), + qemudFindCharDevicePTYs, + "console", 30) < 0) + goto closelog; VIR_DEBUG("Connect monitor to %p '%s'", vm, vm->def->name); - if (qemuConnectMonitor(driver, vm) < 0) - return -1; + if (qemuConnectMonitor(driver, vm) < 0) { + goto cleanup; + } /* Try to get the pty path mappings again via the monitor. This is much more * reliable if it's available. * Note that the monitor itself can be on a pty, so we still need to try the * log output method. */ - virHashTablePtr paths = virHashCreate(0); + paths = virHashCreate(0); if (paths == NULL) { virReportOOMError(); goto cleanup; @@ -2082,6 +2090,23 @@ cleanup: virHashFree(paths, qemudFreePtyPath); } + if (kill(vm->pid, 0) == -1 && errno == ESRCH) { + /* VM is dead, any other error raised in the interim is probably + * not as important as the qemu cmdline output */ + qemuReadLogFD(logfd, buf, sizeof(buf), strlen(buf)); + qemuReportError(VIR_ERR_INTERNAL_ERROR, + _("process exited while connecting to monitor: %s"), + buf); + ret = -1; + } + +closelog: + if (close(logfd) < 0) { + char ebuf[4096]; + VIR_WARN(_("Unable to close logfile: %s"), + virStrerror(errno, ebuf, sizeof ebuf)); + } + return ret; } -- 1.7.0.1

2 2

[libvirt] [PATCH] build: fix autogen rule for VPATH build
by Eric Blake 10 May '10

10 May '10

* cfg.mk (gnulib_srcdir): Override maint.mk default. (_update_required): Run in correct directory. --- I noticed an error message about bootstrap.conf not found when trying to do a VPATH build for my new clang setup. This subsumes up my earlier patch to declare the correct gnulib_srcdir, as noticed by Jim, but does not advance to a newer .gnulib, as there are some other issues to fix on that front first. cfg.mk | 4 ++++ 1 files changed, 4 insertions(+), 0 deletions(-) diff --git a/cfg.mk b/cfg.mk index 105b625..a6e9204 100644 --- a/cfg.mk +++ b/cfg.mk @@ -24,6 +24,9 @@ gnu_rel_host = $(gnu_ftp_host-$(RELEASE_TYPE)) url_dir_list = \ ftp://$(gnu_rel_host)/gnu/coreutils +# We use .gnulib, not gnulib. +gnulib_srcdir = $(srcdir)/.gnulib + # Tests not to run as part of "make distcheck". local-checks-to-skip = \ changelog-check \ @@ -282,6 +285,7 @@ ifeq (0,$(MAKELEVEL)) # b653eda3ac4864de205419d9f41eec267cb89eeb _submodule_hash = sed 's/^[ +-]//;s/ .*//' _update_required := $(shell \ + cd '$(srcdir)'; \ actual=$$(git submodule status | $(_submodule_hash); \ git hash-object bootstrap.conf; \ git diff .gnulib); \ -- 1.6.6.1

4 18

[libvirt] why we should use a mechanical indentation checker
by Jim Meyering 04 May '10

04 May '10

I introduced a bug with this supposedly-safe, no-semantic-change delta: http://libvirt.org/git/?p=libvirt.git;a=commitdiff;h=b6719eab9e95c5daeeea85 See if you can spot it. Here is the loop in question, as it was prior to my erroneous change: for (i = 0; i < nruleInstances; i++) switch (inst[i]->ruleType) { case RT_EBTABLES: ebiptablesInstCommand(&buf, inst[i]->commandTemplate, 'A', -1, 1); break; case RT_IPTABLES: haveIptables = true; break; case RT_IP6TABLES: haveIp6tables = true; break; } Its formatting is WRONG. Sure, it is technically correct to omit the curly braces when the for-loop body is a single *statement*, as it is above. However, the moment the construct in the body occupies more than one line, it is very risky to omit the curly braces. I demonstrated that yesterday by inserting a no-op sa_assert statement as the "first" line of that loop body, not noticing that unlike my other two additions, this one pushed the single-stmt body *out of the loop*. Nasty. For example, do not omit the curly braces even when the body is just a single-line statement but with a preceding comment. while (true) /* explanation... */ BAD! single_line_stmt (); while (true) { /* Always put braces around a multi-line body. */ /* explanation... */ single_line_stmt (); } Of course do not do this, either: if (expr) while (other_expr) { BAD! ... } Do this, instead: if (expr) { while (other_expr) { ... } } I am adding something like the following to coreutils' HACKING, and will add the equivalent (adjusting indentation/brace-positioning style in the examples) to libvirt's hacking.html.in, so if you object, speak up soon. While writing the above and below, I noticed that with the GNU formatting style, this is less of a problem, since there you do not add those oh-so-important-to-semantics curly braces at the *end* of a line where it easy to miss them, but at the beginning. In addition, with the GNU style, adding the opening curly brace changes the indentation level of the body, while in libvirt's style, it does not. In either case, an automatic indentation checker would catch the problem. This is yet another reason to enforce an indentation style. The longer we wait, the harder it will become. Note: these diffs are relative to coreutils' HACKING file, not libvirt's: diff --git a/HACKING b/HACKING index 124c666..4a6d593 100644 --- a/HACKING +++ b/HACKING @@ -233,6 +233,110 @@ Try to make the summary line fit one of the following forms: maint: change-description +Curly braces: use judiciously +============================= +Omit the curly braces around an "if", "while", "for" etc. body only when +that body occupies a single line. In every other case we require the braces. +This ensures that it is trivially easy to identify a single-*statement* loop: +each has only one *line* in its body. + +For example, do not omit the curly braces even when the body is just a +single-line statement but with a preceding comment. + +Omitting braces with a single-line body is fine: + + while (expr) + single_line_stmt (); + +However, the moment your loop body extends onto a second line, for +whatever reason (even if it's just an added comment), then you should +add braces. Otherwise, it would be too easy to insert a statement just +before that comment (without adding braces), thinking it is already a +multi-statement loop: + + while (true) + /* comment... */ // BAD: multi-line body without braces + single_line_stmt (); + +Do this instead: + + while (true) + { /* Always put braces around a multi-line body. */ + /* explanation... */ + single_line_stmt (); + } + +There is one exception: when the second body line is not +at the same indentation level as the first body line. + + if (expr) + error (0, 0, _("a diagnostic that would make this line" + " extend past the 80-column limit")); + +It seems safe not to require curly braces in this case, +since the further-indented second body line makes it obvious +that this is still a single-statement body. + +To reiterate, don't do this: + + if (expr) + while (expr_2) // BAD: multi-line body without braces + { + ... + } + +Do this, instead: + + if (expr) + { + while (expr_2) + { + ... + } + } + +However, there is one exception in the other direction, when +even a one-line block should have braces. +That occurs when that one-line, brace-less block +is an "else" block, and the corresponding "then" block *does* use braces. +In that case, either put braces around the "else" block, or negate the +"if"-condition and swap the bodies, putting the one-line block first +and making the longer, multi-line block be the "else" block. + + if (expr) + { + ... + ... + } + else + x = y; // BAD: braceless "else" with braced "then" + +This is preferred, especially when the multi-line body is more +than a few lines long, because it is easier to read and grasp +the semantics of an if-then-else block when the simpler block +occurs first, rather than after the more involved block: + + if (!expr) + x = y; /* more readable */ + else + { + ... + ... + } + +If you'd rather not negate the condition, then add braces: + + if (expr) + { + ... + ... + } + else + { + x = y; + } + + Use SPACE-only indentation in all[*] files ========================================== We use space-only indentation in nearly all files.

2 3

[libvirt] Creating multiple network interfaces in libvirt Domain.
by Kumar L Srikanth-B22348 01 May '10

01 May '10

Hi, I want to create a Domain with two interfaces. I am using LXC hypervisor in the libvirt. My domain XML is shown below: <domain type='lxc' id='1'> <name>srikanth_vm2</name> <memory>500000</memory> <os> <type>exe</type> <init>/bin/sh</init> </os> <vcpu>1</vcpu> <clock offset='utc'/> <on_poweroff>destroy</on_poweroff> <on_reboot>restart</on_reboot> <on_crash>destroy</on_crash> <devices> <emulator>/usr/libexec/libvirt_lxc</emulator> <filesystem type='mount'> <source dir='/root/lxc/fedora1'/> <target dir='/'/> </filesystem> <interface type='network'> <source network='default'/> </interface> <interface type='network'> <source network='default'/> </interface> <console type='pty' /> </devices> </domain> I am able to define the Domain. But, I am not able to start the Domain. While starting the domain, I am getting the following error: error: Failed to start domain srikanth_vm2 error: internal error Failed to create veth device pair: 512 Can you please let me know where I am going wrong? Regards, Srikanth.

2 2