[libvirt] [libvirt-designer] Fix various memory leaks of libosinfo data
by Christophe Fergeau
---
libvirt-designer/libvirt-designer-domain.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/libvirt-designer/libvirt-designer-domain.c b/libvirt-designer/libvirt-designer-domain.c
index 9dc1d7d..b1aa838 100644
--- a/libvirt-designer/libvirt-designer-domain.c
+++ b/libvirt-designer/libvirt-designer-domain.c
@@ -1066,6 +1066,7 @@ gvir_designer_domain_get_supported_disk_bus_types(GVirDesignerDomain *design)
ret = g_list_copy(ret);
cleanup:
+ g_list_free(devs);
if (dev_list != NULL)
g_object_unref(G_OBJECT(dev_list));
g_hash_table_destroy(bus_hash);
@@ -1623,6 +1624,7 @@ gvir_designer_domain_get_resources(OsinfoResourcesList *res_list,
break;
}
}
+ g_list_free(elem_list);
}
@@ -1678,5 +1680,11 @@ gboolean gvir_designer_domain_setup_resources(GVirDesignerDomain *design,
gvir_config_domain_set_memory(design->priv->config, ram);
cleanup:
+ if (res_list_min != NULL)
+ g_object_unref(G_OBJECT(res_list_min));
+ if (res_list_rec != NULL)
+ g_object_unref(G_OBJECT(res_list_rec));
+ g_object_unref(G_OBJECT(os));
+
return ret;
}
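Review bot: The new `g_object_unref(G_OBJECT(os))` at cleanup is unconditional while the two list unrefs right above it are NULL-guarded; if any `goto cleanup` in gvir_designer_domain_setup_resources can be taken before `os` has been obtained, GLib's NULL check in g_object_unref will fire a critical at every such early exit. Guard it the same way as its neighbours: `if (os != NULL) g_object_unref(G_OBJECT(os));`. The start of the function, and therefore where `os` is assigned, is outside this hunk, so whether that path exists should be checked there.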
--
1.8.1.4
[libvirt] [PATCH v3] nwfilter: probe for inverted ctdir
by Stefan Berger
Linux netfilter at some point inverted the meaning of the '--ctdir reply'
and newer netfilter implementations now expect '--ctdir original'
instead and vice-versa.
We probe for this netfilter change via a UDP message over loopback and 3
filtering rules applied to INPUT two times, one time with '--ctdir original'
which should then work on 'fixed' netfilter and one other time with
'--ctdir reply' which should only work on the 'old' netfilter.
If neither one of the tests gets the data through, then the loopback device
is probably not configured correctly. If both tests get the data through
something must be seriously wrong. In both of these two latter cases
no '--ctdir' will then be applied to the rules.
Signed-off-by: Stefan Berger <stefanb(a)linux.vnet.ibm.com>
---
v2->v3:
- probing with --ctdir original and --ctdir reply
v1->v2:
- using virSocketAddrParseIPv4
---
src/nwfilter/nwfilter_ebiptables_driver.c | 169
++++++++++++++++++++++++++++++
1 file changed, 169 insertions(+)
Index: libvirt-acl/src/nwfilter/nwfilter_ebiptables_driver.c
===================================================================
--- libvirt-acl.orig/src/nwfilter/nwfilter_ebiptables_driver.c
+++ libvirt-acl/src/nwfilter/nwfilter_ebiptables_driver.c
@@ -27,6 +27,10 @@
#include <string.h>
#include <sys/stat.h>
#include <fcntl.h>
+#include <arpa/inet.h>
+#include <sys/select.h>
+#include <sys/time.h>
+#include <unistd.h>
#include "internal.h"
@@ -85,6 +89,17 @@ static char *iptables_cmd_path;
static char *ip6tables_cmd_path;
static char *grep_cmd_path;
+/*
+ * --ctdir original vs. --ctdir reply's meaning was inverted in netfilter
+ * at some point. We probe for it.
+ */
+enum ctdirStatus {
+ CTDIR_STATUS_UNKNOWN = 0,
+ CTDIR_STATUS_CORRECTED = (1 << 0),
+ CTDIR_STATUS_OLD = (1 << 1),
+};
+static enum ctdirStatus iptables_ctdir_corrected;
+
#define PRINT_ROOT_CHAIN(buf, prefix, ifname) \
snprintf(buf, sizeof(buf), "libvirt-%c-%s", prefix, ifname)
#define PRINT_CHAIN(buf, prefix, ifname, suffix) \
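Review bot: `iptables_ctdir_corrected` is named like a boolean but holds the three-state `enum ctdirStatus`, which makes the later `switch` on it read oddly; `static enum ctdirStatus iptables_ctdir_status;` would match the type and its bit-flag values. The comment above the enum should also say what the zero value means in practice, since the static is zero-initialised and therefore every rule built before the probe runs sees it: `/* UNKNOWN: probe not yet run or inconclusive; callers emit no --ctdir at all */`.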
@@ -1262,6 +1277,17 @@ iptablesEnforceDirection(int directionIn
virNWFilterRuleDefPtr rule,
virBufferPtr buf)
{
+ switch (iptables_ctdir_corrected) {
+ case CTDIR_STATUS_UNKNOWN:
+ /* could not be determined or s.th. is seriously wrong */
+ return;
+ case CTDIR_STATUS_CORRECTED:
+ directionIn = !directionIn;
+ break;
+ case CTDIR_STATUS_OLD:
+ break;
+ }
+
if (rule->tt != VIR_NWFILTER_RULE_DIRECTION_INOUT)
virBufferAsprintf(buf, " -m conntrack --ctdir %s",
(directionIn) ? "Original"
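Review bot: The `CTDIR_STATUS_UNKNOWN` arm returns without emitting any `--ctdir`, so when the probe is inconclusive (or has not run yet, since the static defaults to 0) every directional nwfilter rule silently matches both conntrack directions; that is a fail-open that weakens the filter rather than refusing to apply it, and the probe only reports the condition at `VIR_INFO`. This deserves at least a `VIR_WARN` once when the status is set and a comment here such as `/* probe inconclusive: direction cannot be enforced, rule will match both directions */`, and ideally a decision whether rule application should fail instead. The `switch` also has no `default:`, so a future enum value would fall through to the old mapping unnoticed. iptablesEnforceDirection begins and ends outside this hunk.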
@@ -4304,6 +4330,146 @@ ebiptablesDriverTestCLITools(void)
return ret;
}
+static void
+ebiptablesDriverProbeCtdir(void)
+{
+ virBuffer buf = VIR_BUFFER_INITIALIZER;
+ static const char cmdline[] =
+ "$IPT -%c INPUT %c -i lo -p udp --dport %hu "
+ "-m state --state ESTABLISHED -j ACCEPT " CMD_SEPARATOR
+ "$IPT -%c INPUT %c -i lo -p udp --dport %hu "
+ "-m conntrack --ctdir %s -j ACCEPT " CMD_SEPARATOR
+ "$IPT -%c INPUT %c -i lo -p udp --dport %hu -j DROP";
+ /*
+ * Above '--ctdir original' gets this test to receive a message on
+ * 'fixed' netfilter.
+ */
+ unsigned short port;
+ int ssockfd = -1, csockfd = -1;
+ virSocketAddr saddr;
+ struct sockaddr_in *serveraddr = &saddr.data.inet4;
+ fd_set readfds;
+ struct timeval timeout = {
+ .tv_sec = 0,
+ .tv_usec = 1000 * 200,
+ };
+ int n, i, results = 0;
+ const char *ctdiropts[2] = { "original", "reply" };
+ unsigned char data[10];
+
+ if (virSocketAddrParseIPv4(&saddr, "127.0.0.1") < 0) {
+ VIR_ERROR(_("Could not parse IP address"));
+ goto cleanup;
+ }
+
+ if ((ssockfd = socket(AF_INET, SOCK_DGRAM, 0)) < 0 ||
+ (csockfd = socket(AF_INET, SOCK_DGRAM, 0)) < 0) {
+ VIR_ERROR(_("Could not open UDP socket"));
+ goto cleanup;
+ }
+
+ for (port = 0xffff; port > 1024; port--) {
+ serveraddr->sin_port = htons(port);
+ if (bind(ssockfd, (struct sockaddr *)serveraddr,
+ sizeof(*serveraddr)) == 0)
+ break;
+ }
+ if (port == 1024) {
+ VIR_ERROR(_("Could not bind to any UDP socket"));
+ goto cleanup;
+ }
+
+ i = 0;
+ while (true) {
+ NWFILTER_SET_IPTABLES_SHELLVAR(&buf);
+ virBufferAsprintf(&buf, cmdline,
+ 'I', '1', port,
+ 'I', '2', port, ctdiropts[i],
+ 'I', '3', port);
+
+ if (virBufferError(&buf)) {
+ virReportOOMError();
+ goto cleanup;
+ }
+
+ if (ebiptablesExecCLI(&buf, NULL, NULL) < 0) {
+ VIR_ERROR(_("Could not apply iptables rules"));
+ goto cleanup_iptables;
+ }
+
+ virBufferFreeAndReset(&buf);
+
+ if (sendto(csockfd, cmdline, 1, 0, (struct sockaddr *)serveraddr,
+ sizeof(*serveraddr)) < 0) {
+ VIR_ERROR(_("Could not send to UDP socket"));
+ goto cleanup_iptables;
+ }
+
+ FD_ZERO(&readfds);
+ FD_SET(ssockfd, &readfds);
+
+ while (true) {
+ n = select(ssockfd + 1, &readfds, NULL, NULL, &timeout);
+ if (n < 0) {
+ if (errno == EINTR)
+ continue;
+ VIR_ERROR(_("Select failed"));
+ goto cleanup_iptables;
+ }
+ if (n == 0) {
+ VIR_INFO("Ctdir probing received no data");
+ break;
+ }
+ VIR_INFO("Ctdir probing received data");
+ results |= (1 << i);
+ read(ssockfd, data, sizeof(data));
+ break;
+ }
+
+ if (i + 1 == ARRAY_CARDINALITY(ctdiropts))
+ break;
+
+ NWFILTER_SET_IPTABLES_SHELLVAR(&buf);
+ virBufferAsprintf(&buf, cmdline,
+ 'D', ' ', port,
+ 'D', ' ', port, ctdiropts[i],
+ 'D', ' ', port);
+ ebiptablesExecCLI(&buf, NULL, NULL);
+
+ i++;
+ }
+
+ switch (results) {
+ case 0x0:
+ /* no test passed -- loopback device not setup? */
+ case 0x3:
+ /* both test passed -- s.th. is wrong */
+ iptables_ctdir_corrected = CTDIR_STATUS_UNKNOWN;
+ break;
+ case 0x1:
+ iptables_ctdir_corrected = CTDIR_STATUS_CORRECTED;
+ break;
+ case 0x2:
+ iptables_ctdir_corrected = CTDIR_STATUS_OLD;
+ break;
+ }
+
+cleanup_iptables:
+ virBufferFreeAndReset(&buf);
+
+ NWFILTER_SET_IPTABLES_SHELLVAR(&buf);
+ virBufferAsprintf(&buf, cmdline,
+ 'D', ' ', port,
+ 'D', ' ', port, ctdiropts[i],
+ 'D', ' ', port);
+ ebiptablesExecCLI(&buf, NULL, NULL);
+
+cleanup:
+ virBufferFreeAndReset(&buf);
+ VIR_FORCE_CLOSE(ssockfd);
+ VIR_FORCE_CLOSE(csockfd);
+}
+
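Review bot: `timeout` is passed to `select()` in the inner `while (true)` loop but is never reinitialised, and on Linux `select()` overwrites the struct with the time remaining; after the first probe times out (the expected outcome for one of the two ctdir variants) the second probe runs `select()` with a zero timeout and can report "received no data" before the loopback datagram has been queued, yielding `results == 0` and CTDIR_STATUS_UNKNOWN on a perfectly healthy host. Reset it at the top of the outer loop, e.g. `timeout.tv_sec = 0; timeout.tv_usec = 1000 * 200;`, and the same applies after the `EINTR` `continue`. Separately, the return value of `read(ssockfd, data, sizeof(data))` is discarded; `ignore_value()` or a checked `recv()` would make that explicit, and the `bind()` loop would spin through ~64k ports on any error other than EADDRINUSE, so breaking out on other errno values is cheap insurance.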
static int
ebiptablesDriverInit(bool privileged)
{
@@ -4341,6 +4507,9 @@ ebiptablesDriverInit(bool privileged)
return -ENOTSUP;
}
+ if (iptables_cmd_path)
+ ebiptablesDriverProbeCtdir();
+
ebiptables_driver.flags = TECHDRV_FLAG_INITIALIZED;
return 0;
[libvirt] [PATCH] security_manager.c: Append seclabel iff generated
by Michal Privoznik
With my previous patches, we unconditionally appended a seclabel,
even if it wasn't generated but found in array of defined seclabels.
This resulted in double free later when doing virDomainDefFree
and iterating over the array of defined seclabels.
Moreover, there was another possibility of double free, if the
seclabel was generated in the last iteration of the process of
walking through the security managers array.
---
src/security/security_manager.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/src/security/security_manager.c b/src/security/security_manager.c
index b55af69..b671a91 100644
--- a/src/security/security_manager.c
+++ b/src/security/security_manager.c
@@ -463,6 +463,7 @@ int virSecurityManagerGenLabel(virSecurityManagerPtr mgr,
} else if (vm->nseclabels && generated) {
VIR_DEBUG("Skipping auto generated seclabel of type none");
virSecurityLabelDefFree(seclabel);
+ seclabel = NULL;
continue;
}
}
@@ -472,8 +473,8 @@ int virSecurityManagerGenLabel(virSecurityManagerPtr mgr,
} else {
/* The seclabel must be added to @vm prior calling domainGenSecurityLabel
* which may require seclabel to be presented already */
-
- if (VIR_APPEND_ELEMENT(vm->seclabels, vm->nseclabels, seclabel) < 0) {
+ if (generated &&
+ VIR_APPEND_ELEMENT(vm->seclabels, vm->nseclabels, seclabel) < 0) {
virReportOOMError();
goto cleanup;
}
@@ -484,6 +485,8 @@ int virSecurityManagerGenLabel(virSecurityManagerPtr mgr,
vm->nseclabels--;
goto cleanup;
}
+
+ seclabel = NULL;
}
}
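Review bot: With the append now conditional on `generated` (previous hunk), the error-path `vm->nseclabels--` on the context line just above the new `seclabel = NULL` still runs unconditionally when domainGenSecurityLabel fails; for a seclabel that was found in the array rather than generated, nothing was appended, so the decrement would drop a pre-existing entry from the count. Guard it to match: `if (generated) vm->nseclabels--;`. If the cleanup label (outside this hunk) still frees `seclabel` on that path, the found-not-generated case would also free an entry that remains in the array, which is the double free this patch sets out to fix. virSecurityManagerGenLabel begins and ends outside this hunk.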
--
1.8.1.5
[libvirt] [PATCH] util: Fix the conflict type for virIsCapableFCHost
by Osier Yang
---
Pushed under build-breaker rule.
---
src/util/virutil.c | 3 ++-
src/util/virutil.h | 2 +-
2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/src/util/virutil.c b/src/util/virutil.c
index 557225c..d5f122f 100644
--- a/src/util/virutil.c
+++ b/src/util/virutil.c
@@ -3582,7 +3582,8 @@ virReadFCHost(const char *sysfs_prefix ATTRIBUTE_UNUSED,
}
int
-virIsCapableFCHost(int host ATTRIBUTE_UNUSED)
+virIsCapableFCHost(const char *sysfs_prefix ATTRIBUTE_UNUSED,
+ int host ATTRIBUTE_UNUSED)
{
virReportSystemError(ENOSYS, "%s", _("Not supported on this platform"));
return -1;
diff --git a/src/util/virutil.h b/src/util/virutil.h
index 47357fa..2a797cb 100644
--- a/src/util/virutil.h
+++ b/src/util/virutil.h
@@ -314,7 +314,7 @@ enum {
int virManageVport(const int parent_host,
const char *wwpn,
const char *wwnn,
- int operation)
+ int operation)
ATTRIBUTE_NONNULL(2) ATTRIBUTE_NONNULL(3);
#endif /* __VIR_UTIL_H__ */
--
1.8.1.4
[libvirt] [PATCH] virutil: Fix compilation on non-linux platforms
by Michal Privoznik
There has been a typo in virIsCapbleVport function name.
---
Pushed under build breaker rule.
src/util/virutil.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/util/virutil.c b/src/util/virutil.c
index d5f122f..87a97c9 100644
--- a/src/util/virutil.c
+++ b/src/util/virutil.c
@@ -3590,8 +3590,8 @@ virIsCapableFCHost(const char *sysfs_prefix ATTRIBUTE_UNUSED,
}
int
-virIsCapbleVport(const char *sysfs_prefix ATTRIBUTE_UNUSED,
- int host ATTRIBUTE_UNUSED)
+virIsCapableVport(const char *sysfs_prefix ATTRIBUTE_UNUSED,
+ int host ATTRIBUTE_UNUSED)
{
virReportSystemError(ENOSYS, "%s", _("Not supported on this platform"));
return -1;
--
1.8.1.5
[libvirt] [PATCH v2 0/2] Correctly treat seclabel of type none
by Michal Privoznik
Don't forget other seclabels when adding a <seclabel type='none'/>.
Michal Privoznik (2):
security_manager: Don't manipulate domain XML in
virDomainDefGetSecurityLabelDef
security: Don't add seclabel of type none if there's already a
seclabel
src/conf/domain_conf.c | 56 +++++++++++------------------------------
src/conf/domain_conf.h | 7 ++++--
src/libvirt_private.syms | 1 -
src/security/security_manager.c | 55 +++++++++++++++++++++++++++-------------
src/security/security_selinux.c | 8 ++++--
5 files changed, 63 insertions(+), 64 deletions(-)
--
1.8.1.5
[libvirt] [libvirt-sandbox][PATCH] Sync lxc-enter-namespace options with libvirt
by Alex Jia
The option 'nolabel' has been changed by current libvirt upstream, it should
be 'noseclabel' now, so need to sync the option change with libvirt.
# ./tools/virsh -c lxc:/// lxc-enter-namespace --help | grep label
lxc-enter-namespace <domain> [--noseclabel] {[--cmd] <string>}...
--noseclabel Do not change process security label
Signed-off-by: Alex Jia <ajia(a)redhat.com>
---
bin/virt-sandbox-service | 6 +++---
bin/virt-sandbox-service-bash-completion.sh | 2 +-
bin/virt-sandbox-service-execute.pod | 2 +-
3 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/bin/virt-sandbox-service b/bin/virt-sandbox-service
index c05e13f..478769d 100755
--- a/bin/virt-sandbox-service
+++ b/bin/virt-sandbox-service
@@ -838,8 +838,8 @@ def fullpath(cmd):
def execute(args):
myexec = [ "virsh", "-c", "lxc:///", "lxc-enter-namespace" ]
# myexec = [ "virt-sandbox-service-util", "execute" ]
- if args.nolabel:
- myexec.append("--nolabel")
+ if args.noseclabel:
+ myexec.append("--noseclabel")
myexec.extend([ args.name, "--", fullpath(args.command[0])] + args.command[1:])
os.execv("/usr/bin/virsh", myexec)
# myexec.extend( "-e", cmd, args.name ]
@@ -966,7 +966,7 @@ def gen_connect_args(subparser):
def gen_execute_args(subparser):
parser = subparser.add_parser("execute",
help=("Execute a command within a sandbox container"))
- parser.add_argument("-N", "--nolabel", dest="nolabel",
+ parser.add_argument("-N", "--noseclabel", dest="noseclabel",
default=False, action="store_true",
help=_("do not modify the label of the executable process. By default all commands execute with the label of the sandbox"))
requires_name(parser)
diff --git a/bin/virt-sandbox-service-bash-completion.sh b/bin/virt-sandbox-service-bash-completion.sh
index a886cf4..c855fd2 100755
--- a/bin/virt-sandbox-service-bash-completion.sh
+++ b/bin/virt-sandbox-service-bash-completion.sh
@@ -57,7 +57,7 @@ _virt_sandbox_service () {
[ALL]='-h --help'
[CREATE]='-u --unitfile -p --path -t --type -l --level -d --dynamic -n --clone -i --image -s --size'
[LIST]='-r --running'
- [EXECUTE]='-N --nolabel'
+ [EXECUTE]='-N --noseclabel'
)
for ((i=0; $i <= $COMP_CWORD; i++)); do
diff --git a/bin/virt-sandbox-service-execute.pod b/bin/virt-sandbox-service-execute.pod
index 46a3b2b..f79ce73 100644
--- a/bin/virt-sandbox-service-execute.pod
+++ b/bin/virt-sandbox-service-execute.pod
@@ -31,7 +31,7 @@ Display help message
The connection URI for the hypervisor (only LXC or QEMU are
supported currently).
-=item B<-N>, B<--nolabel>
+=item B<-N>, B<--noseclabel>
Execute command within the container.
--
1.7.1
[libvirt] [PATCH] net: use newer iptables syntax
by Stefan Seyfried
Hi all,
iptables-1.4.18 removed the long deprecated "state" match.
Use "conntrack" instead in forwarding rules.
Fixes openSUSE bug https://bugzilla.novell.com/811251 #811251.
real patch is attached as I'm pretty sure that thunderbird will mess it
up otherwise :(
Basically it's
s/--match state/--match conntrack/
s/--state /--ctstate/
in src/util/viriptables.c
Best regards,
Stefan
--
Stefan Seyfried
Linux Consultant & Developer
Mail: seyfried(a)b1-systems.de GPG Key: 0x731B665B
B1 Systems GmbH
Osterfeldstraße 7 / 85088 Vohburg / http://www.b1-systems.de
GF: Ralph Dehner / Unternehmenssitz: Vohburg / AG: Ingolstadt,HRB 3537
[libvirt] [PATCH] conf: fix memory leak of class_id bitmap
by Guannan Ren
When libvirtd loads active network configs from network state directory,
it should release the class_id memory block which was allocated
at the time of loading xml from network config directory.
virBitmapParse will create a new memory block of bitmap class_id which
causes a memory leak.
This happens when at least one virtual network is active before.
==12234== 8,216 (24 direct, 8,192 indirect) bytes in 1 blocks are definitely \
lost in loss record 702 of 709
==12234== at 0x4A06B2F: calloc (vg_replace_malloc.c:593)
==12234== by 0x37AB04D77D: virAlloc (in /usr/lib64/libvirt.so.0.1000.3)
==12234== by 0x37AB04EF89: virBitmapNew (in /usr/lib64/libvirt.so.0.1000.3)
==12234== by 0x37AB0BFB37: virNetworkAssignDef (in /usr/lib64/libvirt.so.0.1000.3)
==12234== by 0x37AB0BFD31: ??? (in /usr/lib64/libvirt.so.0.1000.3)
==12234== by 0x37AB0BFE92: virNetworkLoadAllConfigs (in /usr/lib64/libvirt.so.0.1000.3)
==12234== by 0x10650E5A: ??? (in /usr/lib64/libvirt/connection-driver/libvirt_driver_network.so)
==12234== by 0x37AB0EB72F: virStateInitialize (in /usr/lib64/libvirt.so.0.1000.3)
==12234== by 0x40DE04: ??? (in /usr/sbin/libvirtd)
==12234== by 0x37AB0832E8: ??? (in /usr/lib64/libvirt.so.0.1000.3)
==12234== by 0x3796807D14: start_thread (in /usr/lib64/libpthread-2.16.so)
==12234== by 0x37960F246C: clone (in /usr/lib64/libc-2.16.so)
---
src/conf/network_conf.c | 16 +++++++++-------
1 file changed, 9 insertions(+), 7 deletions(-)
diff --git a/src/conf/network_conf.c b/src/conf/network_conf.c
index c022fe4..7a45414 100644
--- a/src/conf/network_conf.c
+++ b/src/conf/network_conf.c
@@ -1995,14 +1995,16 @@ virNetworkObjUpdateParseFile(const char *filename,
ctxt->node = node;
class_id = virXPathString("string(./class_id[1]/@bitmap)", ctxt);
- if (class_id &&
- virBitmapParse(class_id, 0,
+ if (class_id) {
+ virBitmapFree(net->class_id);
+ if (virBitmapParse(class_id, 0,
&net->class_id, CLASS_ID_BITMAP_SIZE) < 0) {
- virReportError(VIR_ERR_INTERNAL_ERROR,
- _("Malformed 'class_id' attribute: %s"),
- class_id);
- VIR_FREE(class_id);
- goto cleanup;
+ virReportError(VIR_ERR_INTERNAL_ERROR,
+ _("Malformed 'class_id' attribute: %s"),
+ class_id);
+ VIR_FREE(class_id);
+ goto cleanup;
+ }
}
VIR_FREE(class_id);
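Review bot: After the new `virBitmapFree(net->class_id)` the pointer is not cleared, so if `virBitmapParse` fails before it assigns through `&net->class_id` the object keeps a dangling pointer on the `goto cleanup` path; whether that is then freed a second time depends on what cleanup does with `net`, which is outside this hunk. Either add `net->class_id = NULL;` directly after the free, or parse into a local bitmap first and only swap it in (freeing the old one) on success. virNetworkObjUpdateParseFile begins and ends outside this hunk.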
--
1.7.11.2
[libvirt] [PATCH 1/2] qemu:release qemu config object when qemu driver shutdown
by Guannan Ren
---
src/qemu/qemu_driver.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c
index 1f9b8b2..96bf235 100644
--- a/src/qemu/qemu_driver.c
+++ b/src/qemu/qemu_driver.c
@@ -950,6 +950,7 @@ qemuShutdown(void) {
return -1;
virNWFilterUnRegisterCallbackDriver(&qemuCallbackDriver);
+ virObjectUnref(qemu_driver->config);
virObjectUnref(qemu_driver->activePciHostdevs);
virObjectUnref(qemu_driver->inactivePciHostdevs);
virObjectUnref(qemu_driver->activeUsbHostdevs);
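Review bot: The new `virObjectUnref(qemu_driver->config)` is placed first in the teardown sequence, before the remaining driver members are released; if any later statement in qemuShutdown (the rest of the function is outside this hunk) still dereferences `qemu_driver->config`, for instance to read a state or lock directory while cleaning up, this turns into a use-after-free. Moving the unref to just before `qemu_driver` itself is freed keeps the config alive for the whole teardown and is the safer ordering.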
--
1.7.11.2