[libvirt] [PATCH] 0/10AppArmor driver updates
by Jamie Strandboge
This patch series addresses bug fixes in the AppArmor driver as well as
updating it to changes made in 0.7.6 and 0.7.7. All of these are
self-contained within the driver except 4_qemu_driver_stdin_path.patch.
This is required by 5_apparmor-fix-save-restore.patch (see below). These
all pass 'make syntax-check' and 'make check' (except 'daemon-conf',
which has never passed here and I didn't patch it).
1_apparmor-dont-clear-caps.patch: originally submitted on 2010/02/08
with no feedback. The calls to virExec() in security_apparmor.c when
invoking virt-aa-helper use VIR_EXEC_CLEAR_CAPS. When compiled without
libcap-ng, this is not a problem (it's effectively a no-op) but with
libcap-ng this causes MAC_ADMIN to be cleared. MAC_ADMIN is needed by
virt-aa-helper to manipulate apparmor profiles and without it VMs will
not start[1]. This patch calls virExec with the default VIR_EXEC_NONE
instead.
2_apparmor-remove-unloaded-profile-is-not-fatal.patch: Don't exit with
error if the user unloaded the profile outside of libvirt[2]
3_apparmor-fix-vah-xml-parse.patch: add VIR_DOMAIN_XML_INACTIVE flag to
virDomainDefParseString() so virDomainDefParseString() doesn't error out
when seeing <seclabel...>. This was needed due to changes since 0.7.5.
4_qemu_driver_stdin_path.patch: adjust args to qemudStartVMDaemon() to
also specify path to stdin_fd, so this can be passed to the AppArmor
driver via *SetSecurityAllLabel(). This updates all calls to
qemudStartVMDaemon() as well as setting up the non-AppArmor security
driver *SetSecurityAllLabel() declarations for the above. This is
required for 5_apparmor-fix-save-restore.patch since AppArmor resolves
the passed file descriptor to the pathname given to open().
5_apparmor-fix-save-restore.patch: refactoring to update AppArmor
security driver to adjust profile for save/restore[3]
6_apparmor-fix-backingstore.patch: adjust virt-aa-helper to handle
backing store[4]
7_apparmor-fix-hostdev.patch: adjust virt-aa-helper to handle pci
devices. Update valid_path() to have an override array to check against,
and add "/sys/devices/pci" to it. Then rename file_iterate_cb() to
file_iterate_hostdev_cb() and create file_iterate_pci_cb() based on it.
8_apparmor-fix-xauth.patch: adjust virt-aa-helper to handle SDL
graphics, specifically Xauthority[6]. Also remove a couple redundant
checks
9_apparmor-examples.patch: adjustments to the example profiles
10_apparmor-vah-test.patch: update pcidev test and add SDL xauth
[1] https://launchpad.net/bugs/517714
[2] https://launchpad.net/bugs/530400
[3] https://launchpad.net/bugs/457716
[4] https://launchpad.net/bugs/470636
[5] https://launchpad.net/bugs/545795
[6] https://launchpad.net/bugs/545426
--
Jamie Strandboge | http://www.canonical.com
13 years, 11 months
[libvirt] Compile v0.8.0 under fedora 12 / mingw
by Dev.Atom
Hi there,
I'm trying to compile the libvirt from git (today).
I use these configure parameters :
./configure --prefix=/usr/i686-pc-mingw32/sys-root/mingw/ --host=i686-pc-mingw32 --without-xen --without-xen-inotify --without-umlt --without-openvz --without-phyp --without-xenapi --without-vbox --without-lxc --without-one --without-esx --without-libvirtd --without-sasl --without-yajl --without-polkit --without-avahi --without-selinux --without-secdriver-selinux --without-apparmor --without-capng --without-netcf --without-python --without-xen-proxy --without-hal --without-udev
And make crash in this way :
make[3]: Entering directory `/home/arnaud/Bureau/MingWinProjects/libvirt/git20102704/libvirt/src'
CC libvirt_util_la-authhelper.lo
CC libvirt_util_la-buf.lo
CC libvirt_util_la-conf.lo
CC libvirt_util_la-cgroup.lo
CC libvirt_util_la-event.lo
CC libvirt_util_la-hash.lo
CC libvirt_util_la-hooks.lo
In file included from ../src/util/threads-pthread.h:24,
from ../src/util/threads.h:65,
from ./conf/domain_conf.h:36,
from util/hooks.c:38:
/usr/i686-pc-mingw32/sys-root/mingw/include/pthread.h:307: error: redefinition of 'struct rpl_timespec'
make[3]: *** [libvirt_util_la-hooks.lo] Error 1
make[3]: Leaving directory `/home/arnaud/Bureau/MingWinProjects/libvirt/git20102704/libvirt/src'
make[2]: *** [all] Error 2
make[2]: Leaving directory `/home/arnaud/Bureau/MingWinProjects/libvirt/git20102704/libvirt/src'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/home/arnaud/Bureau/MingWinProjects/libvirt/git20102704/libvirt'
make: *** [all] Error 2
Maybe I have made a mistake in the configure line ?
Any help ?
Thanks
Arnaud Champion
13 years, 11 months
[libvirt] [PATCH 00/10] Add support for SPICE graphics in QEMU
by Daniel P. Berrange
Gerd today posted patches to upstream QEMU which support SPICE graphics.
They have not been accepted / merged yet, but I'm optimistic that the
command line syntax will not change significantly.
http://lists.gnu.org/archive/html/qemu-devel/2010-04/msg00967.html
This patch series adds corresponding support in libvirt's QEMU driver.
Although this patch series adds support in the XML RNG for a password
expiry time, this functionality isn't wired up in this patch series
since I need more time to write fallback code for cases where QEMU
doesn't do expiry itself.
Daniel
13 years, 12 months
[libvirt] [PATCH] pci: Give an explicit error if device not found
by Cole Robinson
Signed-off-by: Cole Robinson <crobinso(a)redhat.com>
---
src/util/pci.c | 12 +++++++++++-
1 files changed, 11 insertions(+), 1 deletions(-)
diff --git a/src/util/pci.c b/src/util/pci.c
index 81193b7..e1e11bc 100644
--- a/src/util/pci.c
+++ b/src/util/pci.c
@@ -1028,6 +1028,7 @@ pciGetDevice(unsigned domain,
unsigned function)
{
pciDevice *dev;
+ char devdir[PATH_MAX];
char *vendor, *product;
if (VIR_ALLOC(dev) < 0) {
@@ -1043,8 +1044,17 @@ pciGetDevice(unsigned domain,
snprintf(dev->name, sizeof(dev->name), "%.4x:%.2x:%.2x.%.1x",
dev->domain, dev->bus, dev->slot, dev->function);
+ snprintf(devdir, sizeof(devdir),
+ PCI_SYSFS "devices/%s", dev->name);
snprintf(dev->path, sizeof(dev->path),
- PCI_SYSFS "devices/%s/config", dev->name);
+ "%s/%s/config", devdir, dev->name);
+
+ if (access(devdir, X_OK) != 0) {
+ pciReportError(VIR_ERR_INTERNAL_ERROR,
+ _("Device %s not found"), dev->name);
+ pciFreeDevice(dev);
+ return NULL;
+ }
vendor = pciReadDeviceID(dev, "vendor");
product = pciReadDeviceID(dev, "device");
--
1.7.0.1
14 years
[libvirt] [PATCH] qemu: Report cmdline output if VM dies early
by Cole Robinson
qemuReadLogOutput early VM death detection is racy and won't always work.
Startup then errors when connecting to the VM monitor. This won't report
the emulator cmdline output which is typically the most useful diagnostic.
Check if the VM has died at the very end of the monitor connection step,
and if so, report the cmdline output.
See also: https://bugzilla.redhat.com/show_bug.cgi?id=581381
Signed-off-by: Cole Robinson <crobinso(a)redhat.com>
---
src/qemu/qemu_driver.c | 59 ++++++++++++++++++++++++++++++++++-------------
1 files changed, 42 insertions(+), 17 deletions(-)
diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c
index 42a653a..c446028 100644
--- a/src/qemu/qemu_driver.c
+++ b/src/qemu/qemu_driver.c
@@ -2029,39 +2029,47 @@ static void qemudFreePtyPath(void *payload, const char *name ATTRIBUTE_UNUSED)
VIR_FREE(payload);
}
+static void
+qemuReadLogFD(int logfd, char *buf, int maxlen, int off)
+{
+ int ret;
+ char *tmpbuf = buf+off;
+
+ ret = saferead(logfd, tmpbuf, maxlen-off-1);
+ if (ret < 0) {
+ ret = 0;
+ }
+
+ *(tmpbuf+ret) = '\0';
+}
+
static int
qemudWaitForMonitor(struct qemud_driver* driver,
virDomainObjPtr vm, off_t pos)
{
- char buf[4096]; /* Plenty of space to get startup greeting */
+ char buf[4096] = "\0"; /* Plenty of space to get startup greeting */
int logfd;
int ret = -1;
+ virHashTablePtr paths = NULL;
- if ((logfd = qemudLogReadFD(driver->logDir, vm->def->name, pos))
- < 0)
+ if ((logfd = qemudLogReadFD(driver->logDir, vm->def->name, pos)) < 0)
return -1;
- ret = qemudReadLogOutput(vm, logfd, buf, sizeof(buf),
- qemudFindCharDevicePTYs,
- "console", 30);
- if (close(logfd) < 0) {
- char ebuf[4096];
- VIR_WARN(_("Unable to close logfile: %s"),
- virStrerror(errno, ebuf, sizeof ebuf));
- }
-
- if (ret < 0)
- return -1;
+ if (qemudReadLogOutput(vm, logfd, buf, sizeof(buf),
+ qemudFindCharDevicePTYs,
+ "console", 30) < 0)
+ goto closelog;
VIR_DEBUG("Connect monitor to %p '%s'", vm, vm->def->name);
- if (qemuConnectMonitor(driver, vm) < 0)
- return -1;
+ if (qemuConnectMonitor(driver, vm) < 0) {
+ goto cleanup;
+ }
/* Try to get the pty path mappings again via the monitor. This is much more
* reliable if it's available.
* Note that the monitor itself can be on a pty, so we still need to try the
* log output method. */
- virHashTablePtr paths = virHashCreate(0);
+ paths = virHashCreate(0);
if (paths == NULL) {
virReportOOMError();
goto cleanup;
@@ -2082,6 +2090,23 @@ cleanup:
virHashFree(paths, qemudFreePtyPath);
}
+ if (kill(vm->pid, 0) == -1 && errno == ESRCH) {
+ /* VM is dead, any other error raised in the interim is probably
+ * not as important as the qemu cmdline output */
+ qemuReadLogFD(logfd, buf, sizeof(buf), strlen(buf));
+ qemuReportError(VIR_ERR_INTERNAL_ERROR,
+ _("process exited while connecting to monitor: %s"),
+ buf);
+ ret = -1;
+ }
+
+closelog:
+ if (close(logfd) < 0) {
+ char ebuf[4096];
+ VIR_WARN(_("Unable to close logfile: %s"),
+ virStrerror(errno, ebuf, sizeof ebuf));
+ }
+
return ret;
}
--
1.7.0.1
14 years
[libvirt] [PATCH] build: fix autogen rule for VPATH build
by Eric Blake
* cfg.mk (gnulib_srcdir): Override maint.mk default.
(_update_required): Run in correct directory.
---
I noticed an error message about bootstrap.conf not found when trying
to do a VPATH build for my new clang setup.
This subsumes up my earlier patch to declare the correct gnulib_srcdir,
as noticed by Jim, but does not advance to a newer .gnulib, as there
are some other issues to fix on that front first.
cfg.mk | 4 ++++
1 files changed, 4 insertions(+), 0 deletions(-)
diff --git a/cfg.mk b/cfg.mk
index 105b625..a6e9204 100644
--- a/cfg.mk
+++ b/cfg.mk
@@ -24,6 +24,9 @@ gnu_rel_host = $(gnu_ftp_host-$(RELEASE_TYPE))
url_dir_list = \
ftp://$(gnu_rel_host)/gnu/coreutils
+# We use .gnulib, not gnulib.
+gnulib_srcdir = $(srcdir)/.gnulib
+
# Tests not to run as part of "make distcheck".
local-checks-to-skip = \
changelog-check \
@@ -282,6 +285,7 @@ ifeq (0,$(MAKELEVEL))
# b653eda3ac4864de205419d9f41eec267cb89eeb
_submodule_hash = sed 's/^[ +-]//;s/ .*//'
_update_required := $(shell \
+ cd '$(srcdir)'; \
actual=$$(git submodule status | $(_submodule_hash); \
git hash-object bootstrap.conf; \
git diff .gnulib); \
--
1.6.6.1
14 years
[libvirt] why we should use a mechanical indentation checker
by Jim Meyering
I introduced a bug with this supposedly-safe, no-semantic-change delta:
http://libvirt.org/git/?p=libvirt.git;a=commitdiff;h=b6719eab9e95c5daeeea85
See if you can spot it.
Here is the loop in question, as it was prior to my erroneous change:
for (i = 0; i < nruleInstances; i++)
switch (inst[i]->ruleType) {
case RT_EBTABLES:
ebiptablesInstCommand(&buf,
inst[i]->commandTemplate,
'A', -1, 1);
break;
case RT_IPTABLES:
haveIptables = true;
break;
case RT_IP6TABLES:
haveIp6tables = true;
break;
}
Its formatting is WRONG.
Sure, it is technically correct to omit the curly braces
when the for-loop body is a single *statement*, as it is above.
However, the moment the construct in the body occupies
more than one line, it is very risky to omit the curly braces.
I demonstrated that yesterday by inserting a no-op sa_assert
statement as the "first" line of that loop body, not noticing
that unlike my other two additions, this one pushed the
single-stmt body *out of the loop*. Nasty.
For example, do not omit the curly braces even when the body is
just a single-line statement but with a preceding comment.
while (true)
/* explanation... */ BAD!
single_line_stmt ();
while (true) { /* Always put braces around a multi-line body. */
/* explanation... */
single_line_stmt ();
}
Of course do not do this, either:
if (expr)
while (other_expr) { BAD!
...
}
Do this, instead:
if (expr) {
while (other_expr) {
...
}
}
I am adding something like the following to coreutils' HACKING,
and will add the equivalent (adjusting indentation/brace-positioning style
in the examples) to libvirt's hacking.html.in, so if you object,
speak up soon.
While writing the above and below,
I noticed that with the GNU formatting style,
this is less of a problem, since there you do not add those
oh-so-important-to-semantics curly braces at the *end* of a line
where it easy to miss them, but at the beginning. In addition,
with the GNU style, adding the opening curly brace changes the
indentation level of the body, while in libvirt's style, it does not.
In either case, an automatic indentation checker would catch the problem.
This is yet another reason to enforce an indentation style.
The longer we wait, the harder it will become.
Note: these diffs are relative to coreutils' HACKING file, not libvirt's:
diff --git a/HACKING b/HACKING
index 124c666..4a6d593 100644
--- a/HACKING
+++ b/HACKING
@@ -233,6 +233,110 @@ Try to make the summary line fit one of the following forms:
maint: change-description
+Curly braces: use judiciously
+=============================
+Omit the curly braces around an "if", "while", "for" etc. body only when
+that body occupies a single line. In every other case we require the braces.
+This ensures that it is trivially easy to identify a single-*statement* loop:
+each has only one *line* in its body.
+
+For example, do not omit the curly braces even when the body is just a
+single-line statement but with a preceding comment.
+
+Omitting braces with a single-line body is fine:
+
+ while (expr)
+ single_line_stmt ();
+
+However, the moment your loop body extends onto a second line, for
+whatever reason (even if it's just an added comment), then you should
+add braces. Otherwise, it would be too easy to insert a statement just
+before that comment (without adding braces), thinking it is already a
+multi-statement loop:
+
+ while (true)
+ /* comment... */ // BAD: multi-line body without braces
+ single_line_stmt ();
+
+Do this instead:
+
+ while (true)
+ { /* Always put braces around a multi-line body. */
+ /* explanation... */
+ single_line_stmt ();
+ }
+
+There is one exception: when the second body line is not
+at the same indentation level as the first body line.
+
+ if (expr)
+ error (0, 0, _("a diagnostic that would make this line"
+ " extend past the 80-column limit"));
+
+It seems safe not to require curly braces in this case,
+since the further-indented second body line makes it obvious
+that this is still a single-statement body.
+
+To reiterate, don't do this:
+
+ if (expr)
+ while (expr_2) // BAD: multi-line body without braces
+ {
+ ...
+ }
+
+Do this, instead:
+
+ if (expr)
+ {
+ while (expr_2)
+ {
+ ...
+ }
+ }
+
+However, there is one exception in the other direction, when
+even a one-line block should have braces.
+That occurs when that one-line, brace-less block
+is an "else" block, and the corresponding "then" block *does* use braces.
+In that case, either put braces around the "else" block, or negate the
+"if"-condition and swap the bodies, putting the one-line block first
+and making the longer, multi-line block be the "else" block.
+
+ if (expr)
+ {
+ ...
+ ...
+ }
+ else
+ x = y; // BAD: braceless "else" with braced "then"
+
+This is preferred, especially when the multi-line body is more
+than a few lines long, because it is easier to read and grasp
+the semantics of an if-then-else block when the simpler block
+occurs first, rather than after the more involved block:
+
+ if (!expr)
+ x = y; /* more readable */
+ else
+ {
+ ...
+ ...
+ }
+
+If you'd rather not negate the condition, then add braces:
+
+ if (expr)
+ {
+ ...
+ ...
+ }
+ else
+ {
+ x = y;
+ }
+
+
Use SPACE-only indentation in all[*] files
==========================================
We use space-only indentation in nearly all files.
14 years
[libvirt] Creating multiple network interfaces in libvirt Domain.
by Kumar L Srikanth-B22348
Hi,
I want to create a Domain with two interfaces. I am using LXC hypervisor
in the libvirt.
My domain XML is shown below:
<domain type='lxc' id='1'>
<name>srikanth_vm2</name>
<memory>500000</memory>
<os>
<type>exe</type>
<init>/bin/sh</init>
</os>
<vcpu>1</vcpu>
<clock offset='utc'/>
<on_poweroff>destroy</on_poweroff>
<on_reboot>restart</on_reboot>
<on_crash>destroy</on_crash>
<devices>
<emulator>/usr/libexec/libvirt_lxc</emulator>
<filesystem type='mount'>
<source dir='/root/lxc/fedora1'/>
<target dir='/'/>
</filesystem>
<interface type='network'>
<source network='default'/>
</interface>
<interface type='network'>
<source network='default'/>
</interface>
<console type='pty' />
</devices>
</domain>
I am able to define the Domain. But, I am not able to start the Domain.
While starting the domain, I am getting the following error:
error: Failed to start domain srikanth_vm2
error: internal error Failed to create veth device pair: 512
Can you please let me know where I am going wrong?
Regards,
Srikanth.
14 years
[libvirt] [PATCH] Fix a virsh edit memory leak
by Chris Lalancette
When running virsh edit, we are unlinking and setting
the tmp variable to NULL before going to the end of the
function, meaning that we never free tmp. Since the
exit to the function will always unlink and free tmp,
just remove this bit of code and let it get done at the
end.
Signed-off-by: Chris Lalancette <clalance(a)redhat.com>
---
tools/virsh.c | 3 ---
1 files changed, 0 insertions(+), 3 deletions(-)
diff --git a/tools/virsh.c b/tools/virsh.c
index 04b47a1..ab099da 100644
--- a/tools/virsh.c
+++ b/tools/virsh.c
@@ -8066,9 +8066,6 @@ cmdEdit (vshControl *ctl, const vshCmd *cmd)
doc_edited = editReadBackFile (ctl, tmp);
if (!doc_edited) goto cleanup;
- unlink (tmp);
- tmp = NULL;
-
/* Compare original XML with edited. Has it changed at all? */
if (STREQ (doc, doc_edited)) {
vshPrint (ctl, _("Domain %s XML configuration not changed.\n"),
--
1.6.6.1
14 years
