[libvirt] [PATCHv2 0/2] fix segfault in virSecuritySELinuxMCSGetProcessRange
by Ján Tomko
Diff to v2:
Changed char * to const char * after actually compiling it with selinux.
Added a test.
James Gilliland (1):
selinux: fix segfault in virSecuritySELinuxMCSGetProcessRange
Ján Tomko (1):
tests: add test for a selinux label without a range
src/security/security_selinux.c | 9 ++++++++-
tests/securityselinuxtest.c | 44 ++++++++++++++++++++++++++++++++++++++---
2 files changed, 49 insertions(+), 4 deletions(-)
--
1.8.1.5
11 years, 4 months
[libvirt] NBD drives with literal IPv6 addresses or hostnames starting with a digit
by Ján Tomko
Hello,
since qemu's commit v1.4.0-736-gf17c90b [1]:
nbd: Keep hostname and port separate
* literal IPv6 addresses no longer work in nbd URIs, because getaddrinfo is
called with the surrounding brackets:
$ qemu-system-x86_64 -drive file=nbd://[::1]:1234/quack
qemu-system-x86_64: -drive file=nbd://[::1]:1234/quack: address resolution
failed for [::1]:1234: Name or service not known
* hostnames starting with a digit now work in nbd URIs.
Before that, or with the non-URI syntax, they fail because inet_parse assumes
them to be literal IPv4 addresses:
$ qemu-system-x86_64 -drive file=nbd:123flour:1234:exportname=gashunk
qemu-system-x86_64: -drive file=nbd:123flour:1234:exportname=gashunk: error
parsing IPv4 address '123flour:1234'
In libvirt, we use the URI format on the command line only if the host
contains ':', so hostnames starting with a digit still don't work.
Migration with NBD and a literal IPv6 address doesn't work either, but that's
purely libvirt's fault, as we don't escape it with brackets. I've just posted
a patch for that. [2]
Jan
[1] http://git.qemu.org/?p=qemu.git;a=commitdiff;h=f17c90b
[2] https://www.redhat.com/archives/libvir-list/2013-May/msg02022.html
11 years, 4 months
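The two NBD syntaxes quoted in the message above, as an added C example that is not qemu's or libvirt's own code: a parser that keeps the IPv6 brackets out of the name handed to the resolver, refuses an unbracketed literal as ambiguous, leaves a name like 123flour to the resolver instead of pre-judging it as IPv4, and a formatter that brackets an IPv6 host when building the URI form (the escaping the message says libvirt's migration path lacked). The struct and function names are this example's own; the sample inputs are the ones from the message.

```c
#include <stdio.h>
#include <string.h>

/* Parsed pieces of an NBD drive specification (names chosen for this example). */
struct nbd_addr {
    char host[256];        /* hostname or IP literal, brackets stripped */
    char port[16];         /* port kept as text, as getaddrinfo() takes it */
    char export_name[256]; /* NBD export name, empty if none given */
};

/* Split "host:port" where host may be a bracketed IPv6 literal ("[::1]:1234").
 * Returns 0 on success, -1 if the spec is malformed or ambiguous. */
static int split_host_port(const char *spec, size_t len, struct nbd_addr *out)
{
    const char *end = spec + len;
    const char *host_start, *host_end, *port_start;

    if (len > 0 && spec[0] == '[') {
        /* The brackets delimit the literal; they are not part of the name. */
        const char *close = memchr(spec, ']', len);
        if (!close || close + 2 >= end || close[1] != ':')
            return -1;
        host_start = spec + 1;
        host_end = close;
        port_start = close + 2;
    } else {
        /* Unbracketed: exactly one ':' may separate host and port. A bare IPv6
         * literal has several colons and cannot be split unambiguously. */
        const char *colon = NULL;
        int ncolons = 0;
        for (const char *p = spec; p < end; p++) {
            if (*p == ':') {
                colon = p;
                ncolons++;
            }
        }
        if (ncolons != 1)
            return -1;
        host_start = spec;
        host_end = colon;
        port_start = colon + 1;
    }

    size_t hlen = (size_t)(host_end - host_start);
    size_t plen = (size_t)(end - port_start);
    if (hlen == 0 || hlen >= sizeof(out->host) || plen == 0 || plen >= sizeof(out->port))
        return -1;
    for (const char *p = port_start; p < end; p++)
        if (*p < '0' || *p > '9')
            return -1;
    /* No digit test on the host: 123flour is a valid hostname; the resolver decides. */
    memcpy(out->host, host_start, hlen);
    out->host[hlen] = '\0';
    memcpy(out->port, port_start, plen);
    out->port[plen] = '\0';
    return 0;
}

/* Parse "nbd://host:port/export" (host may be "[v6]") or the legacy
 * "nbd:host:port:exportname=export". Returns 0 on success, -1 otherwise. */
int parse_nbd_drive(const char *file, struct nbd_addr *out)
{
    memset(out, 0, sizeof(*out));
    if (strncmp(file, "nbd://", 6) == 0) {
        const char *authority = file + 6;
        const char *slash = strchr(authority, '/');
        size_t alen = slash ? (size_t)(slash - authority) : strlen(authority);
        if (split_host_port(authority, alen, out) < 0)
            return -1;
        if (slash)
            snprintf(out->export_name, sizeof(out->export_name), "%s", slash + 1);
        return 0;
    }
    if (strncmp(file, "nbd:", 4) == 0) {
        /* Legacy syntax cannot bracket an IPv6 literal, which is why libvirt
         * switches to the URI form once the host contains ':'. */
        const char *rest = file + 4;
        const char *exp = strstr(rest, ":exportname=");
        size_t hlen = exp ? (size_t)(exp - rest) : strlen(rest);
        if (split_host_port(rest, hlen, out) < 0)
            return -1;
        if (exp)
            snprintf(out->export_name, sizeof(out->export_name), "%s",
                     exp + strlen(":exportname="));
        return 0;
    }
    return -1;
}

/* Build the URI form, bracketing the host when it is an IPv6 literal. */
int format_nbd_uri(const char *host, const char *port, const char *export_name,
                   char *buf, size_t size)
{
    int ipv6 = strchr(host, ':') != NULL;
    int n = snprintf(buf, size, "nbd://%s%s%s:%s/%s",
                     ipv6 ? "[" : "", host, ipv6 ? "]" : "", port, export_name);
    return (n < 0 || (size_t)n >= size) ? -1 : 0;
}

/* One-line accessors over a static result; NULL on parse/format error. */
static struct nbd_addr scratch;
static char uri_scratch[600];
const char *nbd_host_of(const char *f) { return parse_nbd_drive(f, &scratch) ? NULL : scratch.host; }
const char *nbd_port_of(const char *f) { return parse_nbd_drive(f, &scratch) ? NULL : scratch.port; }
const char *nbd_export_of(const char *f) { return parse_nbd_drive(f, &scratch) ? NULL : scratch.export_name; }
const char *nbd_uri_for(const char *h, const char *p, const char *e)
{ return format_nbd_uri(h, p, e, uri_scratch, sizeof(uri_scratch)) ? NULL : uri_scratch; }

int main(void)
{
    /* Constructed inputs: the two from the message plus a bare IPv6 legacy form. */
    const char *inputs[] = { "nbd://[::1]:1234/quack",
                             "nbd:123flour:1234:exportname=gashunk",
                             "nbd:::1:1234:exportname=quack" };
    for (size_t i = 0; i < sizeof(inputs) / sizeof(inputs[0]); i++) {
        struct nbd_addr a;
        if (parse_nbd_drive(inputs[i], &a) < 0)
            printf("%-40s -> rejected\n", inputs[i]);
        else
            printf("%-40s -> host=%s port=%s export=%s\n", inputs[i], a.host, a.port, a.export_name);
    }
    printf("%s\n", nbd_uri_for("::1", "1234", "quack"));
    return 0;
}
```

The third input is rejected on purpose: in the legacy colon-separated syntax there is no way to tell which colons belong to the address, so the only safe answer is to refuse it and require the bracketed URI form.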
[libvirt] Authoritative source for logging filters descriptions ?
by Kashyap Chamarthy
Heya,
So I usually use these two resources, when tracing/debugging:
- https://www.berrange.com/posts/2011/10/03/troubleshooting-libvirt-with-th...
- http://libvirt.org/logging.html
For instance, for filters to know what QMP commands libvirt is sending to QEMU:
I use:
- log_filters="1:qemu_monitor"
- log_outputs="1:file:/var/log/libvirt/libvirtd.log"
But, from
https://www.berrange.com/posts/2011/10/03/troubleshooting-libvirt-with-th...
I notice we could also use these variations of QEMU/QMP filters:
# QEMU JSON/QMP monitor commands
- log_filters="1:qemu_monitor_json"
# QEMU text monitor commands
- log_filters="1:qemu_monitor_text"
Is there any place where these are comprehensively documented? Has anything changed from
what's mentioned in the above blog and the logging wiki page?
Furthermore, from /etc/libvirt/libvirtd.conf, I see:
===========================================
[...]
# Logging filters:
# A filter allows to select a different logging level for a given category
# of logs
# The format for a filter is one of:
# x:name
# x:+name
# where name is a string which is matched against source file name,
# e.g., "remote", "qemu", or "util/json", the optional "+" prefix
# tells libvirt to log stack trace for each message matching name,
# and x is the minimal level where matching messages should be logged:
# 1: DEBUG
# 2: INFO
# 3: WARNING
# 4: ERROR
#
# Multiple filter can be defined in a single @filters, they just need to be
# separated by spaces.
#
# e.g. to only get warning or errors from the remote layer and only errors
# from the event layer:
#log_filters="3:remote 4:event"
[...]
===========================================
Does the above list of strings describe all possible "name" values for filters?
If I'm missing some obvious resource on the inter-webs, please point me to it.
Thanks.
--
/kashyap
11 years, 4 months
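As an added C example (not libvirt's own code), here is a small model of the log_filters grammar quoted from libvirtd.conf in the message above: entries of the form x:name or x:+name, x in 1..4, separated by spaces, where a source file whose name matches a filter gets that filter's minimal level and everything else falls back to the global log_level. It assumes, as this example's own choices, that a filter matches when its name occurs anywhere in the source file name and that the first matching filter wins; the function names and the sample source file names are invented here.

```c
#include <stdio.h>
#include <string.h>

#define MAX_FILTERS 16

/* Priorities as numbered in libvirtd.conf. */
enum { LOG_DEBUG = 1, LOG_INFO = 2, LOG_WARNING = 3, LOG_ERROR = 4 };

struct log_filter {
    int level;        /* minimal priority logged for matching sources */
    int stack_trace;  /* set when the "+" prefix was given */
    char match[64];   /* string matched against the source file name */
};

struct log_filters {
    struct log_filter items[MAX_FILTERS];
    int count;
};

/* Parse a log_filters value (without the surrounding quotes), e.g.
 * "3:remote 4:event 1:+qemu_monitor". Returns the number of filters, -1 on error. */
int parse_log_filters(const char *value, struct log_filters *out)
{
    const char *p = value;
    out->count = 0;
    while (*p) {
        while (*p == ' ' || *p == '\t')
            p++;
        if (!*p)
            break;
        const char *start = p;
        while (*p && *p != ' ' && *p != '\t')
            p++;
        size_t len = (size_t)(p - start);

        if (out->count == MAX_FILTERS)
            return -1;
        struct log_filter *f = &out->items[out->count];
        /* Shape is x:name or x:+name with x in 1..4. */
        if (len < 3 || start[0] < '1' || start[0] > '4' || start[1] != ':')
            return -1;
        f->level = start[0] - '0';
        const char *name = start + 2;
        size_t nlen = len - 2;
        f->stack_trace = (name[0] == '+');
        if (f->stack_trace) {
            name++;
            nlen--;
        }
        if (nlen == 0 || nlen >= sizeof(f->match))
            return -1;
        memcpy(f->match, name, nlen);
        f->match[nlen] = '\0';
        out->count++;
    }
    return out->count;
}

/* First filter whose name occurs in the source file name, or NULL.
 * Substring matching and first-match-wins are this example's assumptions. */
static const struct log_filter *find_filter(const struct log_filters *filters, const char *source)
{
    for (int i = 0; i < filters->count; i++)
        if (strstr(source, filters->items[i].match))
            return &filters->items[i];
    return NULL;
}

/* Effective minimal level for a source: the matching filter's level, otherwise
 * default_level (the global log_level). Returns -1 if the value fails to parse. */
int log_level_for(const char *filters_value, const char *source, int default_level)
{
    struct log_filters filters;
    if (parse_log_filters(filters_value, &filters) < 0)
        return -1;
    const struct log_filter *f = find_filter(&filters, source);
    return f ? f->level : default_level;
}

/* 1 if a message of priority prio from source is emitted, 0 if filtered out,
 * -1 if the filter value fails to parse. */
int log_would_emit(const char *filters_value, const char *source, int prio, int default_level)
{
    int level = log_level_for(filters_value, source, default_level);
    if (level < 0)
        return -1;
    return prio >= level;
}

int main(void)
{
    /* Constructed source file names; the filter value is the one the question asks about. */
    const char *filters = "1:qemu_monitor 3:remote 4:event";
    const char *sources[] = { "qemu/qemu_monitor_json.c", "qemu/qemu_monitor_text.c",
                              "qemu/qemu_driver.c", "remote/remote_driver.c", "util/event.c" };
    for (size_t i = 0; i < sizeof(sources) / sizeof(sources[0]); i++)
        printf("%-28s minimal level %d, DEBUG emitted: %d\n", sources[i],
               log_level_for(filters, sources[i], LOG_WARNING),
               log_would_emit(filters, sources[i], LOG_DEBUG, LOG_WARNING));
    return 0;
}
```

Under the substring rule assumed here, 1:qemu_monitor catches both qemu_monitor_json.c and qemu_monitor_text.c, while 1:qemu_monitor_json leaves the text monitor at the global level; whether real libvirt matches the same way is exactly what the question asks, so treat that as the thing to verify against the source, not as an answer.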
[libvirt] [PATCH] virsh: Allow attach-disk to specify disk wwn
by Osier Yang
Commit 6e73850b01ee added support for setting wwn for disks, but it was not
exposed to attach-disk.
---
tools/virsh-domain.c | 14 +++++++++++++-
tools/virsh.pod | 8 ++++----
2 files changed, 17 insertions(+), 5 deletions(-)
diff --git a/tools/virsh-domain.c b/tools/virsh-domain.c
index 9ea5ffc..767e288 100644
--- a/tools/virsh-domain.c
+++ b/tools/virsh-domain.c
@@ -307,6 +307,10 @@ static const vshCmdOptDef opts_attach_disk[] = {
.type = VSH_OT_STRING,
.help = N_("serial of disk device")
},
+ {.name = "wwn",
+ .type = VSH_OT_STRING,
+ .help = N_("wwn of disk device")
+ },
{.name = "shareable",
.type = VSH_OT_BOOL,
.help = N_("shareable between domains")
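Review bot: the help string "wwn of disk device" on the new option gives the user no hint of what is accepted, while the later virValidateWWN() check will reject anything else; spell out the expected format in the help text so a rejected value is understandable from `virsh help attach-disk`.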
@@ -499,7 +503,8 @@ cmdAttachDisk(vshControl *ctl, const vshCmd *cmd)
virDomainPtr dom = NULL;
const char *source = NULL, *target = NULL, *driver = NULL,
*subdriver = NULL, *type = NULL, *mode = NULL,
- *cache = NULL, *serial = NULL, *straddr = NULL;
+ *cache = NULL, *serial = NULL, *straddr = NULL,
+ *wwn = NULL;
struct DiskAddress diskAddr;
bool isFile = false, functionReturn = false;
int ret;
@@ -538,6 +543,7 @@ cmdAttachDisk(vshControl *ctl, const vshCmd *cmd)
vshCommandOptStringReq(ctl, cmd, "mode", &mode) < 0 ||
vshCommandOptStringReq(ctl, cmd, "cache", &cache) < 0 ||
vshCommandOptStringReq(ctl, cmd, "serial", &serial) < 0 ||
+ vshCommandOptStringReq(ctl, cmd, "wwn", &wwn) < 0 ||
vshCommandOptStringReq(ctl, cmd, "address", &straddr) < 0 ||
vshCommandOptStringReq(ctl, cmd, "sourcetype", &stype) < 0)
goto cleanup;
@@ -564,6 +570,9 @@ cmdAttachDisk(vshControl *ctl, const vshCmd *cmd)
}
}
+ if (wwn && !virValidateWWN(wwn))
+ goto cleanup;
+
/* Make XML of disk */
virBufferAsprintf(&buf, "<disk type='%s'",
(isFile) ? "file" : "block");
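Review bot: `if (wwn && !virValidateWWN(wwn)) goto cleanup;` jumps to cleanup with functionReturn still false but reports nothing itself; confirm that virValidateWWN() raises an error on rejection, otherwise the user sees a silent failure and a vshError() is needed before the goto.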
@@ -597,6 +606,9 @@ cmdAttachDisk(vshControl *ctl, const vshCmd *cmd)
if (serial)
virBufferAsprintf(&buf, " <serial>%s</serial>\n", serial);
+ if (wwn)
+ virBufferAsprintf(&buf, " <wwn>%s</wwn>\n", wwn);
+
if (vshCommandOptBool(cmd, "shareable"))
virBufferAddLit(&buf, " <shareable/>\n");
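Review bot: the `<wwn>%s</wwn>` line inserts the option value into the generated XML unescaped; that is only safe because the earlier virValidateWWN() check restricts the characters, so keep the two coupled and consider a short comment at the validation noting that the XML emission relies on it.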
diff --git a/tools/virsh.pod b/tools/virsh.pod
index 047c241..69c290f 100644
--- a/tools/virsh.pod
+++ b/tools/virsh.pod
@@ -1849,8 +1849,8 @@ expected.
[[[I<--live>] [I<--config>] | [I<--current>]] | [I<--persistent>]]
[I<--driver driver>] [I<--subdriver subdriver>] [I<--cache cache>]
[I<--type type>] [I<--mode mode>] [I<--config>] [I<--sourcetype soucetype>]
-[I<--serial serial>] [I<--shareable>] [I<--rawio>] [I<--address address>]
-[I<--multifunction>] [I<--print-xml>]
+[I<--serial serial>] [I<--wwn wwn>] [I<--shareable>] [I<--rawio>]
+[I<--address address>] [I<--multifunction>] [I<--print-xml>]
Attach a new disk device to the domain.
I<source> is path for the files and devices. I<target> controls the bus or
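Review bot: the context line `[I<--sourcetype soucetype>]` carries a pre-existing typo ("soucetype" for "sourcetype") right next to the lines this hunk rewraps; worth fixing here or in a trivial follow-up.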
@@ -1870,8 +1870,8 @@ I<mode> can specify the two specific mode I<readonly> or I<shareable>.
I<sourcetype> can indicate the type of source (block|file)
I<cache> can be one of "default", "none", "writethrough", "writeback",
"directsync" or "unsafe".
-I<serial> is the serial of disk device. I<shareable> indicates the disk device
-is shareable between domains.
+I<serial> is the serial of disk device. I<wwn> is the wwn of disk device.
+I<shareable> indicates the disk device is shareable between domains.
I<rawio> indicates the disk needs rawio capability.
I<address> is the address of disk device in the form of pci:domain.bus.slot.function,
scsi:controller.bus.unit or ide:controller.bus.unit.
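Review bot: "I<wwn> is the wwn of disk device" only restates the option name; suggest "I<wwn> is the World Wide Name of the disk device" followed by the accepted format, so the pod tells the user what virValidateWWN() will accept.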
--
1.8.1.4
11 years, 4 months
[libvirt] [PATCH] tests: fix typo in securityselinuxtest
by Ján Tomko
---
Pushed as trivial.
tests/securityselinuxtest.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tests/securityselinuxtest.c b/tests/securityselinuxtest.c
index f276e6d..bdf248b 100644
--- a/tests/securityselinuxtest.c
+++ b/tests/securityselinuxtest.c
@@ -231,7 +231,7 @@ testSELinuxGenLabel(const void *opaque)
if (virSecurityManagerGenLabel(data->mgr, def) < 0) {
virErrorPtr err = virGetLastError();
- fprintf(stderr, "Cannot generated label %s\n", err->message);
+ fprintf(stderr, "Cannot generate label: %s\n", err->message);
goto cleanup;
}
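Review bot: the corrected message is fine, but the context line `virErrorPtr err = virGetLastError();` is followed by `err->message` with no NULL check; virGetLastError() returns NULL when no error has been raised, so the test's own failure path can crash. A guard such as `err ? err->message : "unknown"` would make it safe.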
--
1.8.1.5
11 years, 4 months
[libvirt] [PATCH] selinux: fix segfault in virSecuritySELinuxMCSGetProcessRange
by Ján Tomko
From: James Gilliland <neclimdul(a)gmail.com>
https://bugzilla.redhat.com/show_bug.cgi?id=969878
---
src/security/security_selinux.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
index b862fbf..3d8195c 100644
--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
@@ -189,6 +189,7 @@ virSecuritySELinuxMCSGetProcessRange(char **sens,
context_t ourContext = NULL;
char *cat = NULL;
char *tmp;
+ char *contextRange;
int ret = -1;
if (getcon_raw(&ourSecContext) < 0) {
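Review bot: `char *contextRange;` receives the result of context_range_get(), which libselinux declares as returning `const char *`; declare it `const char *contextRange` to avoid a discarded-qualifier warning (the v2 cover letter on this page records exactly this change).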
@@ -202,8 +203,14 @@ virSecuritySELinuxMCSGetProcessRange(char **sens,
ourSecContext);
goto cleanup;
}
+ if (!(contextRange = context_range_get(ourContext))) {
+ virReportSystemError(errno,
+ _("Unable to parse current SELinux context range '%s'"),
+ ourSecContext);
+ goto cleanup;
+ }
- if (VIR_STRDUP(*sens, context_range_get(ourContext)) < 0)
+ if (VIR_STRDUP(*sens, contextRange) < 0)
goto cleanup;
/* Find and blank out the category part (if any) */
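Review bot: virReportSystemError(errno, ...) reports whatever errno happens to hold, but context_range_get() returns NULL for a context that simply has no range component (the case the new test in this series covers) without necessarily setting errno, so the strerror text may be stale or misleading; virReportError(VIR_ERR_INTERNAL_ERROR, ...) with the plain message would be more accurate.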
--
1.8.1.5
11 years, 4 months
[libvirt] [PATCH] virsh: Obey pool-or-uuid spec when creating volumes
by Jiri Denemark
Our documentation says a pool may be referenced by its name or UUID
anywhere if it makes sense (pool-name and pool-uuid are the only
exceptions). However, vol-create and vol-create-as commands did not obey
this.
---
tools/virsh-volume.c | 6 ++----
1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/tools/virsh-volume.c b/tools/virsh-volume.c
index e16a385..35fb762 100644
--- a/tools/virsh-volume.c
+++ b/tools/virsh-volume.c
@@ -177,8 +177,7 @@ cmdVolCreateAs(vshControl *ctl, const vshCmd *cmd)
if (vshCommandOptBool(cmd, "prealloc-metadata"))
flags |= VIR_STORAGE_VOL_CREATE_PREALLOC_METADATA;
- if (!(pool = vshCommandOptPoolBy(ctl, cmd, "pool", NULL,
- VSH_BYNAME)))
+ if (!(pool = vshCommandOptPool(ctl, cmd, "pool", NULL)))
return false;
if (vshCommandOptStringReq(ctl, cmd, "name", &name) < 0)
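Review bot: switching from vshCommandOptPoolBy(..., VSH_BYNAME) to vshCommandOptPool() changes what `--pool` accepts; check that the option's help text in the opts_vol_create_as/opts_vol_create tables (not in this hunk) and virsh.pod say "pool name or uuid" rather than "pool name", so the documentation this commit message cites stays consistent.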
@@ -345,8 +344,7 @@ cmdVolCreate(vshControl *ctl, const vshCmd *cmd)
if (vshCommandOptBool(cmd, "prealloc-metadata"))
flags |= VIR_STORAGE_VOL_CREATE_PREALLOC_METADATA;
- if (!(pool = vshCommandOptPoolBy(ctl, cmd, "pool", NULL,
- VSH_BYNAME)))
+ if (!(pool = vshCommandOptPool(ctl, cmd, "pool", NULL)))
return false;
if (vshCommandOptStringReq(ctl, cmd, "file", &from) < 0)
--
1.8.2.1
11 years, 4 months
[libvirt] nwfilter: grab driver lock earlier during init (bz96649)
by Stefan Berger
This patch is in relation to Bug 966449:
https://bugzilla.redhat.com/show_bug.cgi?id=966449
Below is a possible patch addressing the coredump.
Thread 1 must be calling nwfilterDriverRemoveDBusMatches(). It does so
with nwfilterDriverLock held. In the patch below I am now moving the
nwfilterDriverLock(driverState) further up so that the initialization,
which seems to either take a long time or is entirely stuck, occurs with
the lock held and the shutdown cannot occur at the same time.
To avoid having to make the nwfilterDriverLock lockable multiple times /
recursive I changed the virNWFilterDriverIsWatchingFirewallD to take as
an argument whether it has to grab that lock. There's only a single
caller at the moment that calls this function during initialization. We
could remove this lock entirely and maybe append to the name of the
function NoLock (?).
---
src/nwfilter/nwfilter_driver.c | 18 +++++++++++++-----
src/nwfilter/nwfilter_driver.h | 2 +-
src/nwfilter/nwfilter_ebiptables_driver.c | 7 ++++++-
3 files changed, 20 insertions(+), 7 deletions(-)
Index: libvirt/src/nwfilter/nwfilter_driver.c
===================================================================
--- libvirt.orig/src/nwfilter/nwfilter_driver.c
+++ libvirt/src/nwfilter/nwfilter_driver.c
@@ -191,6 +191,8 @@ nwfilterStateInitialize(bool privileged,
if (!privileged)
return 0;
+ nwfilterDriverLock(driverState);
+
if (virNWFilterIPAddrMapInit() < 0)
goto err_free_driverstate;
if (virNWFilterLearnInit() < 0)
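Review bot: with nwfilterDriverLock(driverState) now taken before virNWFilterIPAddrMapInit(), every error path reached afterwards (`goto err_free_driverstate`, `goto err_techdrivers_shutdown`) must release the lock before driverState is torn down, otherwise the function returns with the mutex held or frees a locked mutex; the labels are outside the hunk, so please check them.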
@@ -203,8 +205,6 @@ nwfilterStateInitialize(bool privileged,
if (virNWFilterConfLayerInit(virNWFilterDomainFWUpdateCB) < 0)
goto err_techdrivers_shutdown;
- nwfilterDriverLock(driverState);
-
/*
* startup the DBus late so we don't get a reload signal while
* initializing
@@ -309,21 +309,29 @@ nwfilterStateReload(void) {
/**
* virNWFilterIsWatchingFirewallD:
*
+ * @needDriverLock: Provide 'true' if this function needs to grab
+ * the nwfilter driver lock, 'false' otherwise,
+ * which may be the case during initialization
+ *
* Checks if the nwfilter has the DBus watches for FirewallD installed.
*
* Returns true if it is watching firewalld, false otherwise
*/
bool
-virNWFilterDriverIsWatchingFirewallD(void)
+virNWFilterDriverIsWatchingFirewallD(bool needDriverLock)
{
bool ret;
if (!driverState)
return false;
- nwfilterDriverLock(driverState);
+ if (needDriverLock)
+ nwfilterDriverLock(driverState);
+
ret = driverState->watchingFirewallD;
- nwfilterDriverUnlock(driverState);
+
+ if (needDriverLock)
+ nwfilterDriverUnlock(driverState);
return ret;
}
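Review bot: the @needDriverLock description ("'false' otherwise, which may be the case during initialization") documents a circumstance rather than the invariant; state that 'false' is only valid when the caller already holds nwfilterDriverLock, since passing it from anywhere else reads watchingFirewallD unsynchronised. The `if (!driverState) return false;` check also still runs before the lock is taken, which is pre-existing but worth noting in the same comment.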
Index: libvirt/src/nwfilter/nwfilter_driver.h
===================================================================
--- libvirt.orig/src/nwfilter/nwfilter_driver.h
+++ libvirt/src/nwfilter/nwfilter_driver.h
@@ -33,6 +33,6 @@
int nwfilterRegister(void);
-bool virNWFilterDriverIsWatchingFirewallD(void);
+bool virNWFilterDriverIsWatchingFirewallD(bool needDriverLock);
#endif /* __VIR_NWFILTER_DRIVER_H__ */
Index: libvirt/src/nwfilter/nwfilter_ebiptables_driver.c
===================================================================
--- libvirt.orig/src/nwfilter/nwfilter_ebiptables_driver.c
+++ libvirt/src/nwfilter/nwfilter_ebiptables_driver.c
@@ -4191,7 +4191,12 @@ ebiptablesDriverInitWithFirewallD(void)
int status;
int ret = -1;
- if (!virNWFilterDriverIsWatchingFirewallD())
+ /*
+ * check whether we are watching firewalld
+ * Since we call this function during initialization we won't need
+ * to have it get the lock, so we pass 'false'.
+ */
+ if (!virNWFilterDriverIsWatchingFirewallD(false))
return -1;
firewall_cmd_path = virFindFileInPath("firewall-cmd");
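Review bot: the new comment says "we won't need to have it get the lock" but not why; spell out that nwfilterStateInitialize() already holds the driver lock when this runs, so anyone who later calls ebiptablesDriverInitWithFirewallD() from another path knows the precondition they must satisfy.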
11 years, 4 months
[libvirt] need custom /dev entries in LXC
by Michael R. Hines
Hi,
We run nvidia devices inside libvirt-managed LXC containers.
It used to be that simply doing:
$ echo 'c 195:* rwm' > /sys/fs/cgroup/devices/libvirt/lxc
Then, after booting the container, we would do:
$ mknod -m 666 /dev/nvidia0 c 195 0
... would be good enough to run our CUDA applications.
But, according to:
$ cat src/lxc/lxc_container.c
The CAP_MKNOD capability is being dropped and only a specific
set of devices is being created before booting the container.
Is there any reason why this is not per-device configurable?
Thanks,
- Michael R. Hines
11 years, 4 months
[libvirt] [PATCH 0/3] Fix error reporting of virsh qemu-agent-command and underlying APIs.
by Peter Krempa
The code was horribly broken in multiple ways. This series fixes dispatching of errors
from the API, null dereference in virsh and shadowed error messages.
Peter Krempa (3):
virsh-domain: Report errors and don't deref NULL in qemu-agent-command
qemu: Properly report guest agent errors on command passthrough
libvirt-qemu: Dispatch errors from virDomainQemuAgentCommand()
src/libvirt-qemu.c | 9 +++++++--
src/qemu/qemu_agent.c | 31 +++++++++++++++++++------------
src/qemu/qemu_driver.c | 10 +++-------
tools/virsh-domain.c | 3 +++
4 files changed, 32 insertions(+), 21 deletions(-)
--
1.8.2.1
11 years, 4 months