July 2011 - Devel - libvirt List Archives

[libvirt] [PATCH v4 1/6] undefine: Define the new API
by Osier Yang 20 Jul '11

20 Jul '11

This introduces a new API virDomainUndefineFlags to control the domain undefine process, as the existing API virDomainUndefine doesn't support flags. Currently only flag VIR_DOMAIN_UNDEFINE_MANAGED_SAVE is supported. If the domain has a managed save image, including VIR_DOMAIN_UNDEFINE_MANAGED_SAVE in @flags will also remove that file, and omitting the flag will cause undefine process to fail. This patch also changes the behavior of virDomainUndefine, if the domain has a managed save image, the undefine will be refused. --- include/libvirt/libvirt.h.in | 10 +++++++ src/driver.h | 4 +++ src/libvirt.c | 60 +++++++++++++++++++++++++++++++++++++++++- src/libvirt_public.syms | 5 +++ 4 files changed, 78 insertions(+), 1 deletions(-) diff --git a/include/libvirt/libvirt.h.in b/include/libvirt/libvirt.h.in index 607b5bc..5f9f08a 100644 --- a/include/libvirt/libvirt.h.in +++ b/include/libvirt/libvirt.h.in @@ -1200,6 +1200,16 @@ int virDomainMemoryPeek (virDomainPtr dom, virDomainPtr virDomainDefineXML (virConnectPtr conn, const char *xml); int virDomainUndefine (virDomainPtr domain); + +typedef enum { + VIR_DOMAIN_UNDEFINE_MANAGED_SAVE = 1, + + /* Future undefine control flags should come here. */ +} virDomainUndefineFlagsValues; + + +int virDomainUndefineFlags (virDomainPtr domain, + unsigned int flags); int virConnectNumOfDefinedDomains (virConnectPtr conn); int virConnectListDefinedDomains (virConnectPtr conn, char **const names, diff --git a/src/driver.h b/src/driver.h index 9d0d3de..4c4955f 100644 --- a/src/driver.h +++ b/src/driver.h @@ -219,6 +219,9 @@ typedef virDomainPtr typedef int (*virDrvDomainUndefine) (virDomainPtr dom); typedef int + (*virDrvDomainUndefineFlags) (virDomainPtr dom, + unsigned int flags); +typedef int (*virDrvDomainSetVcpus) (virDomainPtr domain, unsigned int nvcpus); typedef int @@ -733,6 +736,7 @@ struct _virDriver { virDrvDomainCreateWithFlags domainCreateWithFlags; virDrvDomainDefineXML domainDefineXML; virDrvDomainUndefine domainUndefine; + virDrvDomainUndefineFlags domainUndefineFlags; virDrvDomainAttachDevice domainAttachDevice; virDrvDomainAttachDeviceFlags domainAttachDeviceFlags; virDrvDomainDetachDevice domainDetachDevice; diff --git a/src/libvirt.c b/src/libvirt.c index 39e2041..2f5241a 100644 --- a/src/libvirt.c +++ b/src/libvirt.c @@ -6374,7 +6374,13 @@ error: * virDomainUndefine: * @domain: pointer to a defined domain * - * Undefine a domain but does not stop it if it is running + * Undefine a domain. If the domain is running, it's converted to + * transient domain, without stopping it. If the domain is inactive, + * the domain configuration is removed. + * + * If the domain has a managed save image (see + * virDomainHasManagedSaveImage()), then the undefine will fail. See + * virDomainUndefineFlags() for more control. * * Returns 0 in case of success, -1 in case of error */ @@ -6413,6 +6419,58 @@ error: } /** + * virDomainUndefineFlags: + * @domain: pointer to a defined domain + * @flags: bitwise-or of supported virDomainUndefineFlagsValues + * + * Undefine a domain. If the domain is running, it's converted to + * transient domain, without stopping it. If the domain is inactive, + * the domain configuration is removed. + * + * If the domain has a managed save image (see virDomainHasManagedSaveImage()), + * then including VIR_DOMAIN_UNDEFINE_MANAGED_SAVE in @flags will also remove + * that file, and omitting the flag will cause the undefine process to fail. + * + * Returns 0 in case of success, -1 in case of error + */ +int +virDomainUndefineFlags(virDomainPtr domain, + unsigned int flags) +{ + virConnectPtr conn; + + VIR_DOMAIN_DEBUG(domain, "flags=%x", flags); + + virResetLastError(); + + if (!VIR_IS_CONNECTED_DOMAIN(domain)) { + virLibDomainError(VIR_ERR_INVALID_DOMAIN, __FUNCTION__); + virDispatchError(NULL); + return -1; + } + conn = domain->conn; + if (conn->flags & VIR_CONNECT_RO) { + virLibDomainError(VIR_ERR_OPERATION_DENIED, __FUNCTION__); + goto error; + } + + if (conn->driver->domainUndefineFlags) { + int ret; + ret = conn->driver->domainUndefineFlags (domain, flags); + if (ret < 0) + goto error; + return ret; + } + + virLibConnError(VIR_ERR_NO_SUPPORT, __FUNCTION__); + +error: + virDispatchError(domain->conn); + return -1; +} + + +/** * virConnectNumOfDefinedDomains: * @conn: pointer to the hypervisor connection * diff --git a/src/libvirt_public.syms b/src/libvirt_public.syms index 5f2541a..5cc480e 100644 --- a/src/libvirt_public.syms +++ b/src/libvirt_public.syms @@ -466,4 +466,9 @@ LIBVIRT_0.9.3 { virNodeGetMemoryStats; } LIBVIRT_0.9.2; +LIBVIRT_0.9.4 { + global: + virDomainUndefineFlags; +} LIBVIRT_0.9.3; + # .... define new API here using predicted next version number .... -- 1.7.6

2 12

[libvirt] RHEL guest shuts down after running anaconda instead of rebooting
by Eric 20 Jul '11

20 Jul '11

when i create a RHEL 6 guest using virt-install it will go through the process of installing the OS and want to reboot once finished. when it reboots the VM powers off and i have to start it manually. is there a way to prevent this? i can reboot guests once they're up and running and they'll come back up without issue, but they always shut down when i'm installing them. host OS is RHEL 6 x86_64.

1 0

[libvirt] CentOS/RHEL 6 RPMs repository
by Mohammed Naser 19 Jul '11

19 Jul '11

Hi list! First post here, thanks for a wonderful application, I have been around in #virt on IRC and just signed up today. My little contribution: We use CentOS 6 in production and we were not able to get access to the latest 0.9.3 RPMs and we needed some of the new features, so we compiled a bunch of RPMs to help those save time (and us). Please note that we're not responsible if it blows up your computer, etc. etc. wget http://repo.vexxhost.com/virt/virt.repo -O /etc/yum.repos.d/virt.repo yum install libvirt That should get you started on libvirt 0.9.3, there are a couple of unavailable dependencies that are also on the repo, so you should be good to go! If anyone has any issues, please let me know. Other than that, enjoy the repos! Also, if you don't trust us and want to compile the SRPMS yourself, they are also available -- if you are running i386 and compile a set, drop it by so we can help people as it is x86_64 RPMs only right now. Regards, -- Mohammed Naser — vexxhost -----------------------------------------------------

1 0

[libvirt] [PATCH] maint: fix spelling of Red Hat
by Eric Blake 19 Jul '11

19 Jul '11

* cfg.mk (sc_copyright_format): Add to rule. * src/util/files.h: Fix offenders. * src/util/files.c: Likewise. --- Pushing under the trivial rule. Noticed it because my upcoming edits to files.c triggered my editor's copyright update rule. The 'syntax-check' addition ensures that no one else makes the mistake. cfg.mk | 3 +++ src/util/files.c | 4 ++-- src/util/files.h | 2 +- 3 files changed, 6 insertions(+), 3 deletions(-) diff --git a/cfg.mk b/cfg.mk index f98c94b..d243862 100644 --- a/cfg.mk +++ b/cfg.mk @@ -584,6 +584,9 @@ sc_copyright_format: @prohibit='Copyright [^(].*Red 'Hat \ halt='consistently use (C) in Red Hat copyright' \ $(_sc_search_regexp) + @prohibit='\<Red''Hat\>' \ + halt='spell Red Hat as two words' \ + $(_sc_search_regexp) # Some functions/macros produce messages intended solely for developers # and maintainers. Do not mark them for translation. diff --git a/src/util/files.c b/src/util/files.c index de4ae87..bef56b6 100644 --- a/src/util/files.c +++ b/src/util/files.c @@ -1,9 +1,9 @@ /* - * memory.c: safer file handling + * files.c: safer file handling * + * Copyright (C) 2010-2011 Red Hat, Inc. * Copyright (C) 2010 IBM Corporation * Copyright (C) 2010 Stefan Berger - * Copyright (C) 2010 RedHat, Inc. * Copyright (C) 2010 Eric Blake * * This library is free software; you can redistribute it and/or diff --git a/src/util/files.h b/src/util/files.h index 5137fb3..8b681eb 100644 --- a/src/util/files.h +++ b/src/util/files.h @@ -1,7 +1,7 @@ /* * files.h: safer file handling * - * Copyright (C) 2010-2011 RedHat, Inc. + * Copyright (C) 2010-2011 Red Hat, Inc. * Copyright (C) 2010 IBM Corporation * Copyright (C) 2010 Stefan Berger * Copyright (C) 2010 Eric Blake -- 1.7.4.4

1 0

[libvirt] [PATCH 0/8] Avoid filesystem cache pollution during virsh save
by Eric Blake 19 Jul '11

19 Jul '11

Saving a domain's state creates a large file, which risks polluting the filesystem cache and slowing down a system. If a system has a lot of domians simultaneously being saved (such as the libvirt-guests init script doing managed saves), then this can cause noticeable slowdown due to filesystem thrashing. This patch series has been successfully tested to do 'virsh save dom file --direct', with lsof(1) used to verify that O_DIRECT was in use, and the resulting file was successfully used with 'virsh restore file'. Still to come - wire up O_DIRECT on the 'virsh restore' path (yes, that means adding virDomainRestoreFlags - if only we had had the foresight to use flags everywhere). Wire up qemu.conf to allow the automatic use of --direct on automatic core dumps. Wire up libvirt-guests init script to allow the use of --direct. But I had enough in place to get the review started now. Also, this series demonstrates some of the points I was making about adding a new Flags API in this thread: https://www.redhat.com/archives/libvir-list/2011-July/msg00762.html This series requires and was tested on top of these (un-acked) patches: https://www.redhat.com/archives/libvir-list/2011-July/msg00670.html https://www.redhat.com/archives/libvir-list/2011-July/msg00675.html Eric Blake (8): save: document new public API save: wire up remote protocol save: wire up trivial saveFlags implementations save: add --direct flag to virsh save operations save: let iohelper handle inherited fd save: let iohelper work on O_DIRECT fds save: add virDirectFd wrapper type save: support O_DIRECT during qemu saves cfg.mk | 1 + configure.ac | 6 +- include/libvirt/libvirt.h.in | 14 +++ po/POTFILES.in | 1 + src/Makefile.am | 1 + src/driver.h | 6 ++ src/fdstream.c | 32 +++----- src/libvirt.c | 94 +++++++++++++++++++++- src/libvirt_private.syms | 6 ++ src/libvirt_public.syms | 5 + src/libxl/libxl_driver.c | 17 ++++- src/qemu/qemu_driver.c | 76 +++++++++++++----- src/remote/remote_driver.c | 1 + src/remote/remote_protocol.x | 11 +++- src/remote_protocol-structs | 6 ++ src/test/test_driver.c | 20 ++++- src/util/iohelper.c | 185 +++++++++++++++++++++++++++++++---------- src/util/virdirect.c | 149 +++++++++++++++++++++++++++++++++ src/util/virdirect.h | 37 +++++++++ src/vbox/vbox_tmpl.c | 19 ++++- src/xen/xen_driver.c | 17 ++++- tools/virsh.c | 12 +++- tools/virsh.pod | 17 +++- 23 files changed, 632 insertions(+), 101 deletions(-) create mode 100644 src/util/virdirect.c create mode 100644 src/util/virdirect.h -- 1.7.4.4

2 44

Re: [libvirt] mingw: test-poll pipe part fails
by Eric Blake 19 Jul '11

19 Jul '11

[adding libvirt] On 06/04/2011 12:24 AM, Paolo Bonzini wrote: > On Sat, Jun 4, 2011 at 00:37, Matthias Bolte > <matthias.bolte(a)googlemail.com> wrote: >> After testing a while and reading MSDN docs the problem seems to be >> that MsgWaitForMultipleObjects doesn't work on pipes. It doesn't >> actually wait but just returns immediately. Digging MSDN and googling >> about this suggest that there is no simple solution to this. > > Yes, Windows pipes are that broken. :( > > Using socketpair is a possibly good idea, but I would do it on > libvirtd only. I don't know exactly how libvirtd uses this pipe, but > perhaps it can be changed to an eventfd-like abstraction that can be > used with both Windows and Unix. This is similar to Eric's > suggestion, but without the pipe at all. It would also be a > libvirtd-specific suggestion. I'm wondering if the problem here is that libvirt is trying to use the pipe-to-self mechanism as a fundamental event loop idiom. That is, the reason libvirt is calling poll is in order to minimize CPU until something interesting happens, where interesting includes needing to wake up a helper thread to do an action inside locks in response to the receipt of a signal. Maybe you are on to something, and replacing all uses of pipe() with virPipeToSelf() (which uses pipe() for efficiency on Linux, but socketpair() on mingw), would allow libvirt to continue to use the pipe-to-self idiom while also using fds that can actually be poll'd on mingw. -- Eric Blake eblake(a)redhat.com +1-801-349-2682 Libvirt virtualization library http://libvirt.org

4 6

[libvirt] enumerating disk devices
by Serge E. Hallyn 19 Jul '11

19 Jul '11

Hi, Some people appear to have autostart VMs residing on slow storage. If libvirtd starts too early, it'll simply fail trying to start those VMs. It'd be nice to know when all the storage on which autostart containers depend becomes available, so as to safely start libvirt. The python script appended below is one approach. It could be called as something like for f in /etc/libvirt/qemu/autostart/* /etc/libvirt/lxc/autostart/*; do for d in `libvirt_list_storage.py $f`; do if [ ! -r $d ]; then echo "storage not yet ready" exit 1 fi done done echo "starting libvirtd" libvirtd (Realistically I would have this running in an upstart job which is 'start on mounted' and, if all storage available, emits a 'libvirt-storage-up' event). Are there better ways to go about this? thanks, -serge #!/usr/bin/python import sys from xml.dom.minidom import parse dom = parse(sys.argv[1]) def getText(nodelist): rc = [] for node in nodelist: if node.nodeType == node.TEXT_NODE: rc.append(node.data) return ''.join(rc) def print_domname(dom): #return print "Domain %s\n" % getText(dom.childNodes) def liststorages(dom): print_domname(dom.getElementsByTagName("name")[0]) disks = dom.getElementsByTagName("disk") list_disks(disks) filesystems = dom.getElementsByTagName('filesystem') list_filesystems(filesystems) def list_filesystems(fslist): for fs in fslist: if not fs.hasAttribute('type'): continue if fs.getAttribute('type') != 'mount': continue dirs = fs.getElementsByTagName("source") if len(dirs) == 0: continue if not dirs[0].getAttribute('dir'): continue print "dir: %s\n" % dirs[0].getAttribute('dir') def list_disks(disks): for disk in disks: if not disk.hasAttribute('type'): continue if disk.getAttribute('type') == 'file': list_disk_type_file(disk) elif disk.getAttribute('type') == 'block': list_disk_type_block(disk) else: # not supported continue def list_disk_type_file(disk): disksrcs = disk.getElementsByTagName("source") if len(disksrcs) == 0: return if not disksrcs[0].hasAttribute('file'): return print "file: %s\n" % disksrcs[0].getAttribute('file') def list_disk_type_block(disk): devsrscs = disk.getElementsByTagName("source") if len(devsrscs) == 0: return if not devsrscs[0].hasAttribute('dev'): return print "dev: %s\n" % devsrscs[0].getAttribute('dev') liststorages(dom)

1 0

[libvirt] [PATCH 0/4] Some RPC event handler ref counting fixes
by Daniel P. Berrange 19 Jul '11

19 Jul '11

Wen previously posted a report of a crash with migration. I could not reproduce it at the time, but since then someone else did and pointed out that it only occurs when TLS is in use https://www.redhat.com/archives/libvir-list/2011-July/msg00547.html This series of patches make the event handler reference counting more robust to avoid this problem

2 9

[libvirt] [PATCH 1/2] Add some basic sanity checking of certificates before use
by Daniel P. Berrange 19 Jul '11

19 Jul '11

If the libvirt daemon or libvirt client is configured with bogus certificates, it is very unhelpful to only find out about this when a TLS connection is actually attempted. Not least because the error messages you get back for failures are incredibly obscure. This adds some basic sanity checking of certificates at the time the virNetTLSContext object is created. This is at libvirt startup, or when creating a virNetClient instance. This checks that the certificate expiry/start dates are valid and that the certificate is actually signed by the CA that is loaded. * src/rpc/virnettlscontext.c: Add certificate sanity checks --- src/rpc/virnettlscontext.c | 149 ++++++++++++++++++++++++++++++++++++++++++- 1 files changed, 145 insertions(+), 4 deletions(-) diff --git a/src/rpc/virnettlscontext.c b/src/rpc/virnettlscontext.c index 4fa6fbb..b0dcfe5 100644 --- a/src/rpc/virnettlscontext.c +++ b/src/rpc/virnettlscontext.c @@ -67,6 +67,7 @@ struct _virNetTLSSession { bool handshakeComplete; + bool isServer; char *hostname; gnutls_session_t session; virNetTLSSessionWriteFunc writeFunc; @@ -95,6 +96,134 @@ static void virNetTLSLog(int level, const char *str) { VIR_DEBUG("%d %s", level, str); } + +static gnutls_x509_crt_t virNetTLSContextSanityCheckCert(bool isServer, + const char *certFile) +{ + gnutls_datum_t data; + gnutls_x509_crt_t cert = NULL; + char *buf = NULL; + int ret = -1; + time_t now; + + if ((now = time(NULL)) == ((time_t)-1)) { + virReportSystemError(errno, "%s", + _("cannot get current time")); + goto cleanup; + } + + if (gnutls_x509_crt_init(&cert) < 0) { + virNetError(VIR_ERR_SYSTEM_ERROR, "%s", + _("Unable to initialize certificate")); + goto cleanup; + } + + if (virFileReadAll(certFile, (1<<16), &buf) < 0) + goto cleanup; + + data.data = (unsigned char *)buf; + data.size = strlen(buf); + + if (gnutls_x509_crt_import(cert, &data, GNUTLS_X509_FMT_PEM) < 0) { + virNetError(VIR_ERR_SYSTEM_ERROR, isServer ? + _("Unable to import server certificate %s") : + _("Unable to import client certificate %s"), + certFile); + goto cleanup; + } + + if (gnutls_x509_crt_get_expiration_time(cert) < now) { + virNetError(VIR_ERR_SYSTEM_ERROR, isServer ? + _("The server certificate %s has expired") : + _("The client certificate %s has expired"), + certFile); + goto cleanup; + } + + if (gnutls_x509_crt_get_activation_time(cert) > now) { + virNetError(VIR_ERR_SYSTEM_ERROR, isServer ? + _("The server certificate %s is not yet active") : + _("The client certificate %s is not yet active"), + certFile); + goto cleanup; + } + + ret = 0; + +cleanup: + if (ret != 0) { + gnutls_x509_crt_deinit(cert); + cert = NULL; + } + VIR_FREE(buf); + return cert; +} + + +static int virNetTLSContextSanityCheckCredentials(bool isServer, + const char *cacertFile, + const char *certFile) +{ + gnutls_x509_crt_t cert = NULL; + gnutls_x509_crt_t cacert = NULL; + int ret = -1; + unsigned int status; + + if (access(certFile, R_OK) == 0) { + if (!(cert = virNetTLSContextSanityCheckCert(isServer, certFile))) + goto cleanup; + } + if (access(cacertFile, R_OK) == 0) { + if (!(cacert = virNetTLSContextSanityCheckCert(isServer, cacertFile))) + goto cleanup; + } + + if (cert && cacert) { + if (gnutls_x509_crt_list_verify(&cert, 1, + &cacert, 1, + NULL, 0, + 0, &status) < 0) { + virNetError(VIR_ERR_SYSTEM_ERROR, "%s", isServer ? + _("Unable to verify server certificate against CA certificate") : + _("Unable to verify client certificate against CA certificate")); + goto cleanup; + } + + if (status != 0) { + const char *reason = _("Invalid certificate"); + + if (status & GNUTLS_CERT_INVALID) + reason = _("The certificate is not trusted."); + + if (status & GNUTLS_CERT_SIGNER_NOT_FOUND) + reason = _("The certificate hasn't got a known issuer."); + + if (status & GNUTLS_CERT_REVOKED) + reason = _("The certificate has been revoked."); + +#ifndef GNUTLS_1_0_COMPAT + if (status & GNUTLS_CERT_INSECURE_ALGORITHM) + reason = _("The certificate uses an insecure algorithm"); +#endif + + virNetError(VIR_ERR_SYSTEM_ERROR, + _("Our own certificate %s failed validation against %s: %s"), + certFile, cacertFile, reason); + goto cleanup; + } + } + + ret = 0; + +cleanup: + if (cert) + gnutls_x509_crt_deinit(cert); + if (cacert) + gnutls_x509_crt_deinit(cacert); + return ret; +} + + static int virNetTLSContextLoadCredentials(virNetTLSContextPtr ctxt, bool isServer, const char *cacert, @@ -217,6 +346,10 @@ static virNetTLSContextPtr virNetTLSContextNew(const char *cacert, goto error; } + if (requireValidCert && + virNetTLSContextSanityCheckCredentials(isServer, cacert, cert) < 0) + goto error; + if (virNetTLSContextLoadCredentials(ctxt, isServer, cacert, cacrl, cert, key) < 0) goto error; @@ -574,15 +707,21 @@ static int virNetTLSContextValidCertificate(virNetTLSContextPtr ctxt, } if (gnutls_x509_crt_get_expiration_time(cert) < now) { - virNetError(VIR_ERR_SYSTEM_ERROR, "%s", - _("The client certificate has expired")); + /* Warning is reversed from what you expect, since with + * this code it is the Server checking the client and + * vica-verca */ + virNetError(VIR_ERR_SYSTEM_ERROR, "%s", sess->isServer ? + _("The client certificate has expired") : + _("The server certificate has expired")); gnutls_x509_crt_deinit(cert); goto authdeny; } if (gnutls_x509_crt_get_activation_time(cert) > now) { - virNetError(VIR_ERR_SYSTEM_ERROR, "%s", - _("The client certificate is not yet active")); + /* client/server order reversed. see above */ + virNetError(VIR_ERR_SYSTEM_ERROR, "%s", sess->isServer ? + _("The client certificate is not yet active") : + _("The server certificate is not yet active")); gnutls_x509_crt_deinit(cert); goto authdeny; } @@ -756,6 +895,8 @@ virNetTLSSessionPtr virNetTLSSessionNew(virNetTLSContextPtr ctxt, gnutls_transport_set_pull_function(sess->session, virNetTLSSessionPull); + sess->isServer = ctxt->isServer; + return sess; error: -- 1.7.4.4

2 4

Re: [libvirt] [virt-tools-list] [PATCH virt-manager v4] Add inspection to virt-manager
by Richard W.M. Jones 19 Jul '11

19 Jul '11

On Tue, Jul 19, 2011 at 10:46:49AM -0400, Cole Robinson wrote: > Maybe we can cache the png data per detected OS value rather than per > VM? Not sure if that collides with licensing issues, but would likely > mean storing less data on disk. You can't do that without getting into trademark issues. The icon that is displayed must have come from precisely the same guest. The icons are not large anyhow. One thing I meant to ask about Dan's proposal: > > $HOME/.local/libvirt/$CONN_URI/$DOMAIN_UUID/screenshot.png > > $HOME/.local/libvirt/$CONN_URI/$DOMAIN_UUID/icon.png > > $HOME/.local/libvirt/$CONN_URI/$DOMAIN_UUID/osinfo.json Do we need the connection URI? Isn't the dom UUID unique enough? Rich. -- Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones Read my programming blog: http://rwmj.wordpress.com Fedora now supports 80 OCaml packages (the OPEN alternative to F#) http://cocan.org/getting_started_with_ocaml_on_red_hat_and_fedora

3 2