December 2012 - Devel - libvirt List Archives

[libvirt] Important question
by Gene Czarcinski 18 Dec '12

18 Dec '12

OK, so maybe I an nuts but it seems to me that there is this 800 pound gorilla wondering around the Fedora 18 tent and its name is firewalld! Or it with respect to virtual guests and libvirt (since libvirt is a critical part of networking support). Maybe I am missing some critical information as to how to configure firewalld so that guests can perform functions which the same guest can do on a Fedora 17 host. She only firewalld configuration I have been able to come up with is to configure it disabled. https://bugzilla.redhat.com/show_bug.cgi?id=888288 I have test this problem on different hardware and with/without mu usual updates of libvirt-1.0.1 and NetworkManager-git20121130. Please tell me that there is just this little thing I need to do and everything will work. With Fedora 18 to be released "real soon now", this is a very big problem! I remember with SELinux first appeared ... most people disabled it. Is this what is going to happen with firewalld? A big part of my problem is that I see little notice that there is a problem. I do not like cross posting but this needs to be on a couple of lists so I will be sending each a copy of this message. Gene

1 0

[libvirt] [PATCH] spec: Fix script warning when uninstalling libvirt-client
by Cole Robinson 18 Dec '12

18 Dec '12

https://bugzilla.redhat.com/show_bug.cgi?id=888071 --- libvirt.spec.in | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libvirt.spec.in b/libvirt.spec.in index 7457a48..a5dce14 100644 --- a/libvirt.spec.in +++ b/libvirt.spec.in @@ -1605,8 +1605,9 @@ fi /sbin/chkconfig --add libvirt-guests %endif -%postun client -p /sbin/ldconfig +%postun client +/sbin/ldconfig %if %{with_systemd} %if %{with_systemd_macros} %systemd_postun_with_restart libvirt-guests.service -- 1.8.0.2

2 2

[libvirt] [PATCH 0/6 v8] Unprivleged SG_IO support
by Osier Yang 18 Dec '12

18 Dec '12

As a result of RFC [1], this implements the unprivleged SG_IO support. 1/6 and 2/6 are already acked. v7 - v8: * Change the XML tag name from "cdbfilter" to "sgio", and to leave enough room for future values, the values of "sgio" are "filtered" and "unfiltered" now. v6 - v7: * No restoring of unpriv_sgio per Daniel's thought. * Use "major:minor" as the hash key per Jirka's suggestion. Osier Yang (6): util: Prepare helpers for unpriv_sgio setting qemu: Add a hash table for the shared disks docs: Add docs and rng schema for new XML tag sgio conf: Parse and format the new XML qemu: qemu: set unpriv_sgio when starting domain and attaching disk qemu: Check if the shared disk's cdbfilter conflicts with others docs/formatdomain.html.in | 14 ++- docs/schemas/domaincommon.rng | 54 +++++--- src/conf/domain_conf.c | 55 ++++++-- src/conf/domain_conf.h | 10 ++ src/libvirt_private.syms | 4 + src/qemu/qemu_conf.c | 86 ++++++++++++ src/qemu/qemu_conf.h | 12 ++ src/qemu/qemu_driver.c | 30 ++++ src/qemu/qemu_process.c | 99 ++++++++++++++ src/qemu/qemu_process.h | 4 + src/util/util.c | 140 ++++++++++++++++++++ src/util/util.h | 13 ++ ...qemuxml2argv-disk-scsi-lun-passthrough-sgio.xml | 32 +++++ tests/qemuxml2xmltest.c | 1 + 14 files changed, 522 insertions(+), 32 deletions(-) create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-disk-scsi-lun-passthrough-sgio.xml [1] https://www.redhat.com/archives/libvir-list/2012-November/msg00988.html [2] https://www.redhat.com/archives/libvir-list/2012-December/msg00325.html Regards, Osier

1 6

[libvirt] [RFC] qcow2v3 features support
by Ján Tomko 18 Dec '12

18 Dec '12

Since 1.1 [1], QEMU supports qcow2 version 3 images. These are still reffered to as qcow2 everywhere (qmp, qemu/qemu-img command line). This format (besides some internal improvements) includes a bitfield of compatible/incompatible/auto-clear features. [2] The only feature so far is delayed refcount updating (since 1.2 [3]), which is compatible with 1.1 if the file has been closed properly, if not it has the dirty flag set. For qcow2v3 images, -o compat=1.1 has to be passed to qemu-img. (compat=0.10 means qcow2 which is the default at the moment) For delayed refcount updates it's -o lazy_refcounts=on. Using these options would require parsing 'qemu-img create -f qcow2 -o ? /dev/null' output, or assuming they are supported. Do we need a new format type (qcow2v3) that translates to qcow2 for qemu, or would XML like this be enough? <target> <path>/var/lib/libvirt/images/image</path> <format type='qcow2'/> <features version='1.1'> <lazy_refcounts compatible="no"/> </features> ... </target> Jan [1] http://git.qemu.org/?p=qemu.git;a=commitdiff;h=6744cbab8 [2] http://lists.gnu.org/archive/html/qemu-devel/2012-04/msg03077.html [3] http://git.qemu.org/?p=qemu.git;a=commitdiff;h=bfe8043e9

2 1

[libvirt] libvirt domcument question
by zhijun liu 18 Dec '12

18 Dec '12

hi,all when I read the document at http://libvirt.org/formatdomain.html about the domain's xml format ,"disk" element has a optional subelment is "readonly",when I read the paragraph:readonlyIf present, this indicates the device cannot be modified by the guest. For now, this is the default for disks with attribute type='cdrom'. it's say type='cdrom',I'm not sure that is correct or not,I think this is a slips of pen and a possible writting maybe device='cdrom'.forgive me if I misundestanded it. also I'm not sure should send this question to libvirt-list or libvirt-user or others?liuzhijun

2 1

[libvirt] [PATCH] docs: Fix documentation for readonly element
by Jiri Denemark 18 Dec '12

18 Dec '12

--- Pushed as trivial. docs/formatdomain.html.in | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/formatdomain.html.in b/docs/formatdomain.html.in index 8d9ab9e..94df6f8 100644 --- a/docs/formatdomain.html.in +++ b/docs/formatdomain.html.in @@ -1631,7 +1631,7 @@ <dt><code>readonly</code></dt> <dd>If present, this indicates the device cannot be modified by the guest. For now, this is the default for disks with - attribute <code>type='cdrom'</code>. + attribute <code>device='cdrom'</code>. </dd> <dt><code>shareable</code></dt> <dd>If present, this indicates the device is expected to be shared -- 1.8.0.2

1 0

[libvirt] [PATCH] Fix parsing of vendor_id
by Ken ICHIKAWA 17 Dec '12

17 Dec '12

I have a problem about parsing vendor_id of domain XML. When define vendor_id attribute, why definition of fallback attribute is needed? I explain below for example. (I used virsh edit.) Current domain xml state is like below, <domain> <cpu> </cpu> </domain> And I redefine domain xml like below, <domain> <cpu> <model vendor_id='aaaabbbbcccc'>core2duo</model> </cpu> </domain> Then, do dumpxml, vendor_id is not reflected like below. <domain> <cpu mode='custom' match='exact'> <model fallback='allow'>core2duo</model> </cpu> </domain> I think this is not right behavior. It should be defined like below. <domain> <cpu mode='custom' match='exact'> <model fallback='allow' vendor_id='aaaabbbbcccc'>core2duo</model> </cpu> </domain> And if I define fallback attribute and vendor_id attribute at the same time, or define vendor_id attribute after fallback attribute is defined, vendor_id attribute is reflected normally. Is it a bug? or is there some reason? I read past mailing list's thread about the patch adding vendor_id but I could not find the reason. https://www.redhat.com/archives/libvir-list/2012-June/thread.html#00917 It seems that patch v1 doesn't need definition of fallback attribute but v2 needs it. If it's a bug, please consider to apply this patch. This patch fixes a problem that vendor_id attribute can not be defined when fallback attribute is not defined. Signed-off-by: Ken ICHIKAWA <ichikawa.ken(a)jp.fujitsu.com> --- src/conf/cpu_conf.c | 42 +++++++++++++++++++++--------------------- 1 file changed, 21 insertions(+), 21 deletions(-) diff --git a/src/conf/cpu_conf.c b/src/conf/cpu_conf.c index 8cb54a3..6157ed7 100644 --- a/src/conf/cpu_conf.c +++ b/src/conf/cpu_conf.c @@ -300,32 +300,32 @@ virCPUDefParseXML(const xmlNodePtr node, goto error; } } + } - if (virXPathBoolean("boolean(./model[1]/@vendor_id)", ctxt)) { - char *vendor_id; - - vendor_id = virXPathString("string(./model[1]/@vendor_id)", - ctxt); - if (!vendor_id || - strlen(vendor_id) != VIR_CPU_VENDOR_ID_LENGTH) { - virReportError(VIR_ERR_XML_ERROR, - _("vendor_id must be exactly" - " %d characters long"), - VIR_CPU_VENDOR_ID_LENGTH); + if (virXPathBoolean("boolean(./model[1]/@vendor_id)", ctxt)) { + char *vendor_id; + + vendor_id = virXPathString("string(./model[1]/@vendor_id)", + ctxt); + if (!vendor_id || + strlen(vendor_id) != VIR_CPU_VENDOR_ID_LENGTH) { + virReportError(VIR_ERR_XML_ERROR, + _("vendor_id must be exactly" + " %d characters long"), + VIR_CPU_VENDOR_ID_LENGTH); + VIR_FREE(vendor_id); + goto error; + } + /* ensure that the string can be passed to qemu*/ + for (i = 0; i < strlen(vendor_id); i++) { + if (vendor_id[i]==',') { + virReportError(VIR_ERR_XML_ERROR, "%s", + _("vendor id is invalid")); VIR_FREE(vendor_id); goto error; } - /* ensure that the string can be passed to qemu*/ - for (i = 0; i < strlen(vendor_id); i++) { - if (vendor_id[i]==',') { - virReportError(VIR_ERR_XML_ERROR, "%s", - _("vendor id is invalid")); - VIR_FREE(vendor_id); - goto error; - } - } - def->vendor_id = vendor_id; } + def->vendor_id = vendor_id; } } -- 1.7.11.7

2 2

[libvirt] [PATCH] hostusb: Move USB_DEVFS define to hostusb.h to fix the build
by Cole Robinson 17 Dec '12

17 Dec '12

--- Pushed since it's a trivial build breaker src/util/hostusb.c | 1 - src/util/hostusb.h | 2 ++ 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/src/util/hostusb.c b/src/util/hostusb.c index 24f925b..2eb80a0 100644 --- a/src/util/hostusb.c +++ b/src/util/hostusb.c @@ -38,7 +38,6 @@ #include "virterror_internal.h" #define USB_SYSFS "/sys/bus/usb" -#define USB_DEVFS "/dev/bus/usb/" #define USB_ID_LEN 10 /* "1234 5678" */ #define USB_ADDR_LEN 8 /* "123:456" */ diff --git a/src/util/hostusb.h b/src/util/hostusb.h index aee1526..ad2476d 100644 --- a/src/util/hostusb.h +++ b/src/util/hostusb.h @@ -25,6 +25,8 @@ # include "internal.h" +# define USB_DEVFS "/dev/bus/usb/" + typedef struct _usbDevice usbDevice; typedef struct _usbDeviceList usbDeviceList; -- 1.8.0.2

2 1

[libvirt] libvirt-1.0.1 and F18 problem
by Gene Czarcinski 17 Dec '12

17 Dec '12

I am sure this not just a 1.0.1 problem and there appears to be a bugzilla report on it: https://bugzilla.redhat.com/show_bug.cgi?id=869625 Given a F17 host and a F18 host, there is significantly different behavior when running a guest (in my case a F18 guest). On F18, I cannot ssh or scp to the host let alone any other system. Also, although DHCPv6 is working and I am getting an IPv6 DHCP address assigned. Also, I can use firefox to access an Internet website. Oh, and host returns no response. I am not sure what is wrong but I hope this is easy to fix. Gene

1 1

[libvirt] [PATCH] network: don't require private addresses if dnsmasq uses SO_BINDTODEVICE
by Laine Stump 17 Dec '12

17 Dec '12

This is yet another refinement to the fix for CVE-2012-3411: https://bugzilla.redhat.com/show_bug.cgi?id=833033 It turns out that it would be very intrusive to correctly backport the entire --bind-dynamic option to older dnsmasq versions (e.g. dnsmasq-2.48 that is used on RHEL6.x and CentOS 6.x), but very simple to patch those versions to just use SO_BINDTODEVICE on all their listening sockets (SO_BINDTODEVICE also has the desired effect of permitting only traffic that was received on the interface(s) where dnsmasq was set to listen.) This patch modifies the dnsmasq capabilities detection to detect the string: --bind-interfaces with SO_BINDTODEVICE in the output of "dnsmasq --version", and in that case realize that using the old --bind-interfaces option is just as safe as --bind-dynamic (and therefore *not* forbid creation of networks that use public IP address ranges). If -bind-dynamic is available, it is still preferred over --bind-interfaces. Note that this patch does no harm in upstream, or in any distro's downstream if it happens to end up there, but builds for distros that have a new enough dnsmasq to support --bind-dynamic do *NOT* need to specifically backport this patch; it's only required for distro releases that have dnsmasq too old to have --bind-dynamic (and those distros will need to add the SO_BINDTODEVICE patch to dnsmasq, *including the extra string in the --version output*, as well. --- src/network/bridge_driver.c | 6 ++++-- src/util/dnsmasq.c | 15 ++++++++++++--- src/util/dnsmasq.h | 1 + 3 files changed, 17 insertions(+), 5 deletions(-) diff --git a/src/network/bridge_driver.c b/src/network/bridge_driver.c index c62e729..fdd9382 100644 --- a/src/network/bridge_driver.c +++ b/src/network/bridge_driver.c @@ -725,13 +725,15 @@ networkDnsmasqConfContents(virNetworkObjPtr network, * dnsmasq doesn't have bind-dynamic, only allow listening on * private/local IP addresses (see RFC1918/RFC3484/RFC4193) */ - if (!virSocketAddrIsPrivate(&tmpipdef->address)) { + if (!dnsmasqCapsGet(caps, DNSMASQ_CAPS_BINDTODEVICE) && + !virSocketAddrIsPrivate(&tmpipdef->address)) { unsigned long version = dnsmasqCapsGetVersion(caps); virReportError(VIR_ERR_CONFIG_UNSUPPORTED, _("Publicly routable address %s is prohibited. " "The version of dnsmasq on this host (%d.%d) doesn't " - "support the bind-dynamic option, which is required " + "support the bind-dynamic option or use SO_BINDTODEVICE " + "on listening sockets, one of which is required " "for safe operation on a publicly routable subnet " "(see CVE-2012-3411). You must either upgrade dnsmasq, " "or use a private/local subnet range for this network " diff --git a/src/util/dnsmasq.c b/src/util/dnsmasq.c index e8eab1e..ba51447 100644 --- a/src/util/dnsmasq.c +++ b/src/util/dnsmasq.c @@ -664,10 +664,19 @@ dnsmasqCapsSetFromBuffer(dnsmasqCapsPtr caps, const char *buf) if (strstr(buf, "--bind-dynamic")) dnsmasqCapsSet(caps, DNSMASQ_CAPS_BIND_DYNAMIC); - VIR_INFO("dnsmasq version is %d.%d, --bind-dynamic is %s", + /* if this string is a part of the --version output, dnsmasq + * has been patched to use SO_BINDTODEVICE when listening, + * so that it will only accept requests that arrived on the + * listening interface(s) + */ + if (strstr(buf, "--bind-interfaces with SO_BINDTODEVICE")) + dnsmasqCapsSet(caps, DNSMASQ_CAPS_BINDTODEVICE); + + VIR_INFO("dnsmasq version is %d.%d, --bind-dynamic is %spresent, " + "SO_BINDTODEVICE is %sin use", (int)caps->version / 1000000, (int)(caps->version % 1000000) / 1000, - dnsmasqCapsGet(caps, DNSMASQ_CAPS_BIND_DYNAMIC) - ? "present" : "NOT present"); + dnsmasqCapsGet(caps, DNSMASQ_CAPS_BIND_DYNAMIC) ? "" : "NOT ", + dnsmasqCapsGet(caps, DNSMASQ_CAPS_BIND_DYNAMIC) ? "" : "NOT "); return 0; fail: diff --git a/src/util/dnsmasq.h b/src/util/dnsmasq.h index 7a39232..b83bc96 100644 --- a/src/util/dnsmasq.h +++ b/src/util/dnsmasq.h @@ -68,6 +68,7 @@ typedef struct typedef enum { DNSMASQ_CAPS_BIND_DYNAMIC = 0, /* support for --bind-dynamic */ + DNSMASQ_CAPS_BINDTODEVICE = 1, /* uses SO_BINDTODEVICE for --bind-interfaces */ DNSMASQ_CAPS_LAST, /* this must always be the last item */ } dnsmasqCapsFlags; -- 1.7.11.7

2 1