[libvirt] Release of libvirt-1.1.0
by Daniel Veillard
As planned I released libvirt-1.1.0 a couple of hours ago after
a couple more patches and a fix for CVE-2013-2218 were applied. It
should be available on the server along with the rpms:
ftp://libvirt.org/libvirt/
The biggest feature leading to the bump in medium release number is
the addition of ACL for individual access control of each API; until now
there were only two classes of access, read-only and read-write. This
feature is a big enhancement we have been thinking about for years!
This version includes a relatively smaller amount of patches though,
around 200, with a balanced set of bug fixes and enhancements, plus
the fix for CVE-2013-2218 which is affecting the 1.0.6 release.
Features:
- Extensible migration APIs (Jiri Denemark)
- Fine grained ACL support for the API (Daniel P. Berrange)
- various improvements in the Xen driver (Jim Fehlig and Marek Marczykowski-Górecki)
- improve networking support on BSD (Roman Bogorodskiy)
- agent based vCPU hotplug support (Peter Krempa)
Security:
- CVE-2013-2218: Fix crash listing network interfaces with filters (Daniel P. Berrange)
Documentation:
- Document security reporting & handling process (Daniel P. Berrange)
- Fix reference to #elementsUSB (Philipp Hahn)
- Fix sample TPM XML (Stefan Berger)
- correct and update network vlan example (Laine Stump)
- add spaces to formatstorage.html (Ján Tomko)
Portability:
- spec: require xen-devel for libxl driver (Eric Blake)
- Conditionalize use of IF_MAXUNIT in virnetdevtap.c (Daniel P. Berrange)
- Replace use of 'in_addr_t' with 'struct in_addr' (Daniel P. Berrange)
- build: Fix VPATH build for access/* (Viktor Mihajlovski)
- util: fix build error on non-Linux systems (Laine Stump)
- conf: Swap order of AddImplicitControllers and DomainDefPostParse (Viktor Mihajlovski)
- S390: Testcase for console default target type (virtio) (Viktor Mihajlovski)
- Fix units in virNetDevBridgeSetSTPDelay on BSD (Roman Bogorodskiy)
- build: Fix check-aclrules in VPATH build (Jiri Denemark)
- build: Fix build with -Werror (Jim Fehlig)
- use net/if.h instead of linux/if.h (Roman Bogorodskiy)
- build: fix build without posix_fallocate (Eric Blake)
- spec: Explicitly require libgcrypt-devel (Jiri Denemark)
Bug Fixes:
- pci: initialize virtual_functions array pointer to avoid segfault (Laine Stump)
- node device driver: update driver name during dumpxml (Laine Stump)
- Resolve valgrind errors for nodedev cap parsing (John Ferlan)
- Resolve valgrind error in remoteConfigGetStringList() (John Ferlan)
- Resolve valgrind error in virStorageBackendCreateQemuImgCmd() (John Ferlan)
- Resolve valgrind error in virNetDevVlanParse() (John Ferlan)
- Fix vPort management: FC vHBA creation (Dennis Chen)
- bridge: don't crash on bandwidth unplug with no bandwidth (Ján Tomko)
- Plug leak in virCgroupMoveTask (Ján Tomko)
- Fix invalid read in virCgroupGetValueStr (Ján Tomko)
- qemu: fix infinite loop in OOM error path (Laine Stump)
- pci: fix dangling pointer in qemuDomainReAttachHostdevDevices (Laine Stump)
- pci: eliminate leak in OOM condition (Laine Stump)
- util: fix bug found by Coverity (Laine Stump)
- Fix possible NULL dereference during migration (Jiri Denemark)
- virsh: edit: don't leak XML string on reedit or redefine (Ján Tomko)
- qemu: don't reset PCI devices being assigned with VFIO (Laine Stump)
- pci: eliminate memory leak in virPCIDeviceReattach (Laine Stump)
- qemu: check if block I/O limits fit into long long (Ján Tomko)
- network: increase max number of routes (Laine Stump)
- lxc: Resolve issue with GetScheduler APIs for non running domain (John Ferlan)
- qemu: Resolve issue with GetScheduler APIs for non running domain (John Ferlan)
- qemu: Avoid leaking uri in qemuMigrationPrepareDirect (Jiri Denemark)
- udev: fix crash in libudev logging (Ján Tomko)
- remote: Fix client crash when URI path is empty when using ssh (Peter Krempa)
- remote: Forbid default "/session" connections when using ssh transport (Peter Krempa)
- nodedev: fix vport detection for FC HBA (Ján Tomko)
- qemu: Fix memory leak in Prepare phase (Jiri Denemark)
- virSocketAddrIsWildcard: Use IN6_IS_ADDR_UNSPECIFIED correctly (Michal Privoznik)
- Fix ordering of file open in virProcessGetNamespaces (Richard Weinberger)
- qemuDomainGetVcpusFlags: Initialize ncpuinfo (Michal Privoznik)
- virtlockd: fix socket path (Ján Tomko)
- nwfilter: grab driver lock earlier during init (bz96649) (Stefan Berger)
- Fix an invalid usage of virDomainNetDef in OpenVZ driver (Alvaro Polo)
- use virBitmapFree instead of VIR_FREE for cpumask (Ján Tomko)
- usb: don't spoil decimal addresses (Martin Kletzander)
Improvements:
- Allow RO connections to interface udev backend (Doug Goldstein)
- virsh: Add parenthesis into virsh nodedev-detach help (xuzhang)
- nodedev: add iommuGroup to node device object (Laine Stump)
- pci: new iommu_group functions (Laine Stump)
- network: allow <vlan> in type='hostdev' networks (Laine Stump)
- test: include qemuhotplugtest data files in source rpm (Laine Stump)
- pci: virPCIDeviceListAddCopy API (Laine Stump)
- pci: update stubDriver name in virPCIDeviceBindToStub (Laine Stump)
- pci: eliminate repetitive path constructions in virPCIDeviceBindToStub (Laine Stump)
- pci: rename virPCIParseDeviceAddress and make it public (Laine Stump)
- pci: rename virPCIDeviceGetVFIOGroupDev to virPCIDeviceGetIOMMUGroupDev (Laine Stump)
- pci: eliminate unused driver arg from virPCIDeviceDetach (Laine Stump)
- tests: Introduce qemuhotplugtest (Michal Privoznik)
- qemu: Implement support for VIR_MIGRATE_PARAM_GRAPHICS_URI (Jiri Denemark)
- Implement extensible migration APIs in qemu driver (Jiri Denemark)
- qemu: Move internals of Confirm phase to qemu_migration.c (Jiri Denemark)
- qemu: Move common parts of Prepare phase to qemu_migration.c (Jiri Denemark)
- qemu: Move internals of Begin phase to qemu_migration.c (Jiri Denemark)
- Use 1.1.0 everywhere in the documentation (Ján Tomko)
- Add polkit policy for API checks to rpm spec (Daniel Veillard)
- Configure native vlan modes on Open vSwitch ports (james robson)
- Introduce VIR_MIGRATE_PARAM_GRAPHICS_URI parameter (Jiri Denemark)
- virsh: Use extensible migration APIs (Jiri Denemark)
- python: Add bindings for extensible migration APIs (Jiri Denemark)
- Adapt virDomainMigratePeer2Peer for extensible migration APIs (Jiri Denemark)
- Adapt virDomainMigrateVersion3 for extensible migration APIs (Jiri Denemark)
- Implement extensible migration APIs in remote driver (Jiri Denemark)
- New internal migration APIs with extensible parameters (Jiri Denemark)
- Introduce migration parameters (Jiri Denemark)
- Introduce virTypedParamsCopy internal API (Jiri Denemark)
- Log input type parameters in API entry points (Jiri Denemark)
- Introduce VIR_TYPED_PARAMS_DEBUG macro for dumping typed params (Jiri Denemark)
- Introduce virTypedParamsReplaceString internal API (Jiri Denemark)
- Introduce virTypedParamsCheck internal API (Jiri Denemark)
- util: Emit proper error code in virTypedParamsValidate (Jiri Denemark)
- Rename virTypedParameterArrayValidate as virTypedParamsValidate (Jiri Denemark)
- pci: make virPCIDeviceDetach consistent in behavior (Laine Stump)
- pci: new utility functions (Laine Stump)
- pci: change stubDriver from const char* to char* (Laine Stump)
- syntax: virPCIDeviceFree is also a NOP for NULL args (Laine Stump)
- libxl: support qdisk backend (Jim Fehlig)
- libxl: Fix disk format error message (Jim Fehlig)
- Add validation that all APIs contain ACL checks (Daniel P. Berrange)
- Set process ID in system identity (Daniel P. Berrange)
- Add ACL checks into the secrets driver (Daniel P. Berrange)
- Add ACL checks into the nwfilter driver (Daniel P. Berrange)
- Add ACL checks into the node device driver (Daniel P. Berrange)
- Add ACL checks into the interface driver (Daniel P. Berrange)
- Add ACL checks into the network driver (Daniel P. Berrange)
- Add ACL checks into the storage driver (Daniel P. Berrange)
- Add ACL checks into the libxl driver (Daniel P. Berrange)
- Add ACL checks into the Xen driver (Daniel P. Berrange)
- Add ACL checks into the UML driver (Daniel P. Berrange)
- Add ACL checks into the LXC driver (Daniel P. Berrange)
- Add ACL checks into the QEMU driver (Daniel P. Berrange)
- Auto-generate helpers for checking access control rules (Daniel P. Berrange)
- Add ACL annotations to all RPC messages (Daniel P. Berrange)
- Setup default access control manager in libvirtd (Daniel P. Berrange)
- Set conn->driver before running driver connectOpen method (Daniel P. Berrange)
- Define basic internal API for access control (Daniel P. Berrange)
- netdev: accept NULL in virNetDevSetupControl (Ján Tomko)
- xen: Implement virConnectGetSysinfo (Jim Fehlig)
- libxl: Implement virConnectGetSysinfo (Jim Fehlig)
- libxl: Allow libxl to set NIC devid (Jim Fehlig)
- storage: add support for creating qcow2 images with extensions (Ján Tomko)
- conf: add features to volume target XML (Ján Tomko)
- util: add support for qcow2v3 image detection (Ján Tomko)
- qemu: add hv_vapic and hv_spinlocks support (Ján Tomko)
- conf: add vapic and spinlocks to hyperv features (Ján Tomko)
- BSD: implement bridge add/remove port and set STP (Roman Bogorodskiy)
- BSD: implement virNetDevBridgeCreate() and virNetDevBridgeDelete() (Roman Bogorodskiy)
- conf: Requires either uuid or usage of secret (Osier Yang)
- qemu: Make probing for commands declarative (Jiri Denemark)
- qemu: Make probing for events declarative (Jiri Denemark)
- libxl: support paused domain restore in virDomainRestoreFlags (Marek Marczykowski-Górecki)
- qemuDomainChangeGraphics: Check listen address change by listen type (Michal Privoznik)
- libxl: initialize device structures (Marek Marczykowski-Górecki)
- libxl: populate xenstore memory entries at startup, handle dom0_mem (Marek Marczykowski-Górecki)
- conf: split out snapshot disk XML formatting (Ján Tomko)
- storage: rework qemu-img command line generation (Ján Tomko)
- util: switch virBufferTrim to void (Ján Tomko)
- migration: Don't propagate VIR_MIGRATE_ABORT_ON_ERROR (Peter Krempa)
- migration: Make erroring out on I/O error controllable by flag (Peter Krempa)
- qemu_migration: Move waiting for SPICE migration (Michal Privoznik)
- spec: Enable KVM support on ARM (Cole Robinson)
- virsh: Support SCSI_GENERIC cap flag for nodedev-list (Osier Yang)
- nodedev: Support SCSI_GENERIC cap flag for listAllNodeDevices (Osier Yang)
- nodedev_hal: Enumerate scsi generic device (Osier Yang)
- nodedev_udev: Enumerate scsi generic device (Osier Yang)
- qemu: set QEMU_CAPS_DEVICE_VIDEO_PRIMARY cap flag in QMP detection (Guannan Ren)
- nodedev_udev: changes missed by commit 1aa0ba3cef (Osier Yang)
- nodedev_udev: Refactor udevGetDeviceType (Osier Yang)
- nodedev: Expose sysfs path of device (Osier Yang)
- Move virGetUserEnt() to where it's needed (Doug Goldstein)
- BSD: implement virNetDevTapCreate() and virNetDevTapDelete() (Roman Bogorodskiy)
- Make virNetDevSetupControl() public. (Roman Bogorodskiy)
- LXC: s/chroot/chdir in lxcContainerPivotRoot() (Richard Weinberger)
- Implement dispose method for libxlDomainObjPrivate (Frediano Ziglio)
- libxl: allow only 'ethernet' and 'bridge' interfaces, allow script there (Marek Marczykowski-Górecki)
- qemu: allow restore with non-migratable XML input (Ján Tomko)
- libxl: set bootloader for PV domains if not specified (Jim Fehlig)
- libxl: Report connect type as Xen (Jim Fehlig)
- schema: simplify RNG pattern, remove superfluous <optional> (Claudio Bley)
- libvirt_private.syms: add virProcessGetStartTime (Ján Tomko)
- qemu: Forbid migration of machines with I/O errors (Peter Krempa)
- qemu: Cancel migration if guest encounters I/O error while migrating (Peter Krempa)
- qemu_migrate: Dispose listen address if set from config (Michal Privoznik)
- selinux: assume 's0' if the range is empty (Ján Tomko)
- storage: fix description of versionOffset (Martin Kletzander)
- spec: Drop Requires: vbox (Cole Robinson)
- Prefer VIR_STRDUP over virAsprintf(&dst, "%s", str) (Michal Privoznik)
- qemu: Implement new QMP command for cpu hotplug (Peter Krempa)
- qemu: Implement support for VIR_DOMAIN_VCPU_AGENT in qemuDomainSetVcpusFlags (Peter Krempa)
- qemu: Implement request of vCPU state using the guest agent (Peter Krempa)
- API: Introduce VIR_DOMAIN_VCPU_AGENT, for agent based CPU hot(un)plug (Peter Krempa)
- qemu_agent: Introduce helpers for agent based CPU hot(un)plug (Peter Krempa)
- qemu: Use bool instead of int in qemuMonitorSetCPU APIs (Peter Krempa)
- virsh-domain-monitor: Remove ATTRIBUTE_UNUSED from an argument (Peter Krempa)
- Add support for VirtualBox 4.2 APIs (ryan woodsmall)
- qemuDomainMigrateGraphicsRelocate: Use the new virSocketAddrIsWildcard (Michal Privoznik)
- virsocket: Introduce virSocketAddrIsWildcard (Michal Privoznik)
- iscsi: pass hostnames to iscsiadm instead of resolving them (Ján Tomko)
- qemu: Report the offset from host UTC for RTC_CHANGE event (Osier Yang)
- qemu: simplify CPU command line parsing (Ján Tomko)
- qemu: change two-state int parameters to bool (Ján Tomko)
- nwfilter: change two-state int parameters to bool (Ján Tomko)
- Remove redundant two-state integers (Ján Tomko)
- Replace two-state local integers with bool (Ján Tomko)
- storage: Avoid unnecessary ternary operators and refactor the code (Peter Krempa)
- openvz: Fix code coverage issue in OpenVZ driver (Alvaro Polo)
- qemu: Reformat listen address prior to checking (Michal Privoznik)
- Ensure non-root can read /proc/meminfo file in LXC containers (Daniel P. Berrange)
- storage: Provide better error message if metadata pre-alloc is unsupported (Peter Krempa)
- storage: Clean up function header and reflow error message (Peter Krempa)
- storagevolxml2argvtest: Report better error messages on test failure (Peter Krempa)
- maint: don't use config.h in .h files (Eric Blake)
- qemu: Abstract code for the cpu controller setting into a helper (Osier Yang)
- storage: Forbid to shrink the vol's capacity if no --shrink is specified (Osier Yang)
- storage: Support preallocate the new capacity for vol-resize (Osier Yang)
- snapshot: remove mutually exclusive memory and disk-only duplicate check (Guannan Ren)
- virsh: Allow attach-disk to specify disk wwn (Osier Yang)
- tests: fix typo in securityselinuxtest (Ján Tomko)
- virsh: Obey pool-or-uuid spec when creating volumes (Jiri Denemark)
- libvirt-qemu: Dispatch errors from virDomainQemuAgentCommand() (Peter Krempa)
- qemu: Properly report guest agent errors on command passthrough (Peter Krempa)
- virsh-domain: Report errors and don't deref NULL in qemu-agent-command (Peter Krempa)
- RPC: Support up to 16384 cpus on the host and 4096 in the guest (Peter Krempa)
- virsh iface-bridge: Ignore delay if stp is turned off (Jiri Denemark)
- Fix warning about using an uninitialized next_unit value (Jiri Denemark)
- virsh-domain: Add --live, --config, --current logic to cmdAttachInterface (Peter Krempa)
- virsh-domain: Add --live, --config, --current logic to cmdAttachDisk (Peter Krempa)
- virsh-domain: Add --live, --config, --current logic to cmdAttachDevice (Peter Krempa)
Cleanups:
- Get rid of useless VIR_STORAGE_FILE_FEATURE_NONE (Ján Tomko)
- configure: Remove unused brctl check (Cole Robinson)
- storage_backend: Drop unused code (Cole Robinson)
- Remove legacy code for single-instance devpts filesystem (Daniel P. Berrange)
Thanks everybody for your contributions to this release, with ideas,
reports, patches, documentation or localizations!
Daniel
--
Daniel Veillard | Open Source and Standards, Red Hat
veillard(a)redhat.com | libxml Gnome XML XSLT toolkit http://xmlsoft.org/
http://veillard.com/ | virtualization library http://libvirt.org/
[libvirt] [PATCH v2 0/5] Atomic API to delete snapshot object
by Guannan Ren
v1: https://www.redhat.com/archives/libvir-list/2013-June/msg00573.html
v1->v2: Remove VIR_DOMAIN_SNAPSHOT_DELETE_CURRENT flag
(name == NULL) means deleting current snapshot object
Rebase work
Add a new snapshot API to delete snapshot object atomically
int virDomainSnapshotDeleteByName(virDomainPtr domain,
                                  const char *name,
                                  unsigned int flags);
The existing virDomainSnapshotDelete API accepts the snapshot
object being deleted as an argument, which would not be API atomic.
Guannan Ren(5)
[PATCH v2 1/5] snapshot: define new API virDomainSnapshotDeleteByName
[PATCH v2 2/5] auto generate RPC calls for remoteDomainSnapshotDeleteByName
[PATCH v2 3/5] qemu: implement SnapshotDeleteByName
[PATCH v2 4/5] python: make auto-generated function name nicer
[PATCH v2 5/5] virsh: use virDomainSnapshotDeleteByName in virsh
include/libvirt/libvirt.h.in | 4 ++++
python/generator.py | 3 +++
src/driver.h | 6 ++++++
src/libvirt.c | 71 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
src/libvirt_public.syms | 5 +++++
src/qemu/qemu_driver.c | 103 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++----------------------
src/remote/remote_driver.c | 1 +
src/remote/remote_protocol.x | 14 +++++++++++++-
src/remote_protocol-structs | 6 ++++++
tools/virsh-snapshot.c | 65 +++++++++++++++++++++++++++++++++++++++++++++++++++++++----------
10 files changed, 245 insertions(+), 33 deletions(-)
[libvirt] [PATCH v5] qemu: Implement CPUs check against machine type's cpu-max
by Michal Novotny
Implement check whether (maximum) vCPUs doesn't exceed machine
type's cpu-max settings.
Differences between v4 and v5 (this one):
- Changed type to unsigned int
- Renamed variable to maxCpus to match previous naming
- When machines types are parsed from command line set maxCpus = 0 to don't show
Differences between v3 and v4:
- Rebased to latest libvirt version
- Capability XML output extended by maxCpus field
- Extended caps-qemu-kvm.xml test by maxCpus for one of test emulators
On older versions of QEMU the check is disabled.
Signed-off-by: Michal Novotny <minovotn(a)redhat.com>
---
docs/schemas/capability.rng | 5 ++++
src/conf/capabilities.c | 4 +++
src/conf/capabilities.h | 1 +
src/qemu/qemu_capabilities.c | 40 +++++++++++++++++++++++++++-
src/qemu/qemu_capabilities.h | 3 ++-
src/qemu/qemu_monitor.h | 1 +
src/qemu/qemu_monitor_json.c | 6 +++++
src/qemu/qemu_process.c | 21 +++++++++++++++
tests/capabilityschemadata/caps-qemu-kvm.xml | 16 +++++------
9 files changed, 87 insertions(+), 10 deletions(-)
diff --git a/docs/schemas/capability.rng b/docs/schemas/capability.rng
index 106ca73..65c7c72 100644
--- a/docs/schemas/capability.rng
+++ b/docs/schemas/capability.rng
@@ -290,6 +290,11 @@
<text/>
</attribute>
</optional>
+ <optional>
+ <attribute name='maxCpus'>
+ <ref name='unsignedInt'/>
+ </attribute>
+ </optional>
<text/>
</element>
</define>
diff --git a/src/conf/capabilities.c b/src/conf/capabilities.c
index da92c78..5aeb2ab 100644
--- a/src/conf/capabilities.c
+++ b/src/conf/capabilities.c
@@ -853,6 +853,8 @@ virCapabilitiesFormatXML(virCapsPtr caps)
virBufferAddLit(&xml, " <machine");
if (machine->canonical)
virBufferAsprintf(&xml, " canonical='%s'", machine->canonical);
+ if (machine->maxCpus > 0)
+ virBufferAsprintf(&xml, " maxCpus='%d'", machine->maxCpus);
virBufferAsprintf(&xml, ">%s</machine>\n", machine->name);
}
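Review bot: the added virBufferAsprintf(&xml, " maxCpus='%d'", machine->maxCpus) line formats maxCpus with %d, but the field is declared unsigned int in src/conf/capabilities.h; use %u so the specifier matches the type. The identical pair of lines added in the next hunk of this file needs the same change.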
@@ -871,6 +873,8 @@ virCapabilitiesFormatXML(virCapsPtr caps)
virBufferAddLit(&xml, " <machine");
if (machine->canonical)
virBufferAsprintf(&xml, " canonical='%s'", machine->canonical);
+ if (machine->maxCpus > 0)
+ virBufferAsprintf(&xml, " maxCpus='%d'", machine->maxCpus);
virBufferAsprintf(&xml, ">%s</machine>\n", machine->name);
}
virBufferAddLit(&xml, " </domain>\n");
diff --git a/src/conf/capabilities.h b/src/conf/capabilities.h
index abcf6de..6c7efde 100644
--- a/src/conf/capabilities.h
+++ b/src/conf/capabilities.h
@@ -46,6 +46,7 @@ typedef virCapsGuestMachine *virCapsGuestMachinePtr;
struct _virCapsGuestMachine {
char *name;
char *canonical;
+ unsigned int maxCpus;
};
typedef struct _virCapsGuestDomainInfo virCapsGuestDomainInfo;
diff --git a/src/qemu/qemu_capabilities.c b/src/qemu/qemu_capabilities.c
index c4e076a..969b001 100644
--- a/src/qemu/qemu_capabilities.c
+++ b/src/qemu/qemu_capabilities.c
@@ -256,6 +256,7 @@ struct _virQEMUCaps {
size_t nmachineTypes;
char **machineTypes;
char **machineAliases;
+ unsigned int *machineMaxCpus;
};
struct _virQEMUCapsCache {
@@ -335,6 +336,7 @@ virQEMUCapsSetDefaultMachine(virQEMUCapsPtr qemuCaps,
{
char *name = qemuCaps->machineTypes[defIdx];
char *alias = qemuCaps->machineAliases[defIdx];
+ unsigned int maxCpus = qemuCaps->machineMaxCpus[defIdx];
memmove(qemuCaps->machineTypes + 1,
qemuCaps->machineTypes,
@@ -342,8 +344,12 @@ virQEMUCapsSetDefaultMachine(virQEMUCapsPtr qemuCaps,
memmove(qemuCaps->machineAliases + 1,
qemuCaps->machineAliases,
sizeof(qemuCaps->machineAliases[0]) * defIdx);
+ memmove(qemuCaps->machineMaxCpus + 1,
+ qemuCaps->machineMaxCpus,
+ sizeof(qemuCaps->machineMaxCpus[0]) * defIdx);
qemuCaps->machineTypes[0] = name;
qemuCaps->machineAliases[0] = alias;
+ qemuCaps->machineMaxCpus[0] = maxCpus;
}
/* Format is:
@@ -390,7 +396,8 @@ virQEMUCapsParseMachineTypesStr(const char *output,
}
if (VIR_REALLOC_N(qemuCaps->machineTypes, qemuCaps->nmachineTypes + 1) < 0 ||
- VIR_REALLOC_N(qemuCaps->machineAliases, qemuCaps->nmachineTypes + 1) < 0) {
+ VIR_REALLOC_N(qemuCaps->machineAliases, qemuCaps->nmachineTypes + 1) < 0 ||
+ VIR_REALLOC_N(qemuCaps->machineMaxCpus, qemuCaps->nmachineTypes + 1) < 0) {
VIR_FREE(name);
VIR_FREE(canonical);
virReportOOMError();
@@ -404,6 +411,8 @@ virQEMUCapsParseMachineTypesStr(const char *output,
qemuCaps->machineTypes[qemuCaps->nmachineTypes-1] = name;
qemuCaps->machineAliases[qemuCaps->nmachineTypes-1] = NULL;
}
+ /* When parsing from command line we don't have information about maxCpus */
+ qemuCaps->machineMaxCpus[qemuCaps->nmachineTypes-1] = 0;
} while ((p = next));
@@ -1764,11 +1773,14 @@ virQEMUCapsPtr virQEMUCapsNewCopy(virQEMUCapsPtr qemuCaps)
goto no_memory;
if (VIR_ALLOC_N(ret->machineAliases, qemuCaps->nmachineTypes) < 0)
goto no_memory;
+ if (VIR_ALLOC_N(ret->machineMaxCpus, qemuCaps->nmachineTypes) < 0)
+ goto no_memory;
ret->nmachineTypes = qemuCaps->nmachineTypes;
for (i = 0; i < qemuCaps->nmachineTypes; i++) {
if (VIR_STRDUP(ret->machineTypes[i], qemuCaps->machineTypes[i]) < 0 ||
VIR_STRDUP(ret->machineAliases[i], qemuCaps->machineAliases[i]) < 0)
goto error;
+ ret->machineMaxCpus[i] = qemuCaps->machineMaxCpus[i];
}
return ret;
@@ -1792,6 +1804,7 @@ void virQEMUCapsDispose(void *obj)
}
VIR_FREE(qemuCaps->machineTypes);
VIR_FREE(qemuCaps->machineAliases);
+ VIR_FREE(qemuCaps->machineMaxCpus);
for (i = 0; i < qemuCaps->ncpuDefinitions; i++) {
VIR_FREE(qemuCaps->cpuDefinitions[i]);
@@ -1932,6 +1945,7 @@ int virQEMUCapsGetMachineTypesCaps(virQEMUCapsPtr qemuCaps,
if (VIR_STRDUP(mach->name, qemuCaps->machineTypes[i]) < 0)
goto error;
}
+ mach->maxCpus = qemuCaps->machineMaxCpus[i];
(*machines)[i] = mach;
}
@@ -1966,6 +1980,25 @@ const char *virQEMUCapsGetCanonicalMachine(virQEMUCapsPtr qemuCaps,
}
+int virQEMUCapsGetMachineMaxCpus(virQEMUCapsPtr qemuCaps,
+ const char *name)
+{
+ size_t i;
+
+ if (!name)
+ return 0;
+
+ for (i = 0; i < qemuCaps->nmachineTypes; i++) {
+ if (!qemuCaps->machineMaxCpus[i])
+ continue;
+ if (STREQ(qemuCaps->machineTypes[i], name))
+ return qemuCaps->machineMaxCpus[i];
+ }
+
+ return 0;
+}
+
+
static int
virQEMUCapsProbeQMPCommands(virQEMUCapsPtr qemuCaps,
qemuMonitorPtr mon)
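Review bot: virQEMUCapsGetMachineMaxCpus is declared to return int, yet it returns elements of the unsigned int array machineMaxCpus and its caller qemuValidateCpuMax stores the result in an unsigned int; declare the return type as unsigned int here and in the prototype in qemu_capabilities.h. The loop also compares name only against machineTypes[i] and never against machineAliases[i], so add a comment stating whether callers must pass the canonical machine name, since any other name returns 0 and the limit is not applied.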
@@ -2083,6 +2116,10 @@ virQEMUCapsProbeQMPMachineTypes(virQEMUCapsPtr qemuCaps,
virReportOOMError();
goto cleanup;
}
+ if (VIR_ALLOC_N(qemuCaps->machineMaxCpus, nmachines) < 0) {
+ virReportOOMError();
+ goto cleanup;
+ }
for (i = 0; i < nmachines; i++) {
if (VIR_STRDUP(qemuCaps->machineAliases[i], machines[i]->alias) < 0 ||
@@ -2090,6 +2127,7 @@ virQEMUCapsProbeQMPMachineTypes(virQEMUCapsPtr qemuCaps,
goto cleanup;
if (machines[i]->isDefault)
defIdx = i;
+ qemuCaps->machineMaxCpus[i] = machines[i]->maxCpus;
}
qemuCaps->nmachineTypes = nmachines;
diff --git a/src/qemu/qemu_capabilities.h b/src/qemu/qemu_capabilities.h
index 64a4b1d..7088747 100644
--- a/src/qemu/qemu_capabilities.h
+++ b/src/qemu/qemu_capabilities.h
@@ -234,7 +234,8 @@ size_t virQEMUCapsGetMachineTypes(virQEMUCapsPtr qemuCaps,
char ***names);
const char *virQEMUCapsGetCanonicalMachine(virQEMUCapsPtr qemuCaps,
const char *name);
-
+int virQEMUCapsGetMachineMaxCpus(virQEMUCapsPtr qemuCaps,
+ const char *name);
int virQEMUCapsGetMachineTypesCaps(virQEMUCapsPtr qemuCaps,
size_t *nmachines,
virCapsGuestMachinePtr **machines);
diff --git a/src/qemu/qemu_monitor.h b/src/qemu/qemu_monitor.h
index 3d9afa3..86ef635 100644
--- a/src/qemu/qemu_monitor.h
+++ b/src/qemu/qemu_monitor.h
@@ -654,6 +654,7 @@ struct _qemuMonitorMachineInfo {
char *name;
bool isDefault;
char *alias;
+ unsigned int maxCpus;
};
int qemuMonitorGetMachines(qemuMonitorPtr mon,
diff --git a/src/qemu/qemu_monitor_json.c b/src/qemu/qemu_monitor_json.c
index 88a0dc9..c0d7960 100644
--- a/src/qemu/qemu_monitor_json.c
+++ b/src/qemu/qemu_monitor_json.c
@@ -4042,6 +4042,12 @@ int qemuMonitorJSONGetMachines(qemuMonitorPtr mon,
if (VIR_STRDUP(info->alias, tmp) < 0)
goto cleanup;
}
+ if (virJSONValueObjectHasKey(child, "cpu-max") &&
+ virJSONValueObjectGetNumberUint(child, "cpu-max", &info->maxCpus) < 0) {
+ virReportError(VIR_ERR_INTERNAL_ERROR, "%s",
+ _("query-machines reply has malformed 'cpu-max' data"));
+ goto cleanup;
+ }
}
ret = n;
diff --git a/src/qemu/qemu_process.c b/src/qemu/qemu_process.c
index 5a0f18b..ac5ffcf 100644
--- a/src/qemu/qemu_process.c
+++ b/src/qemu/qemu_process.c
@@ -3330,6 +3330,24 @@ error:
}
+static bool
+qemuValidateCpuMax(virDomainDefPtr def, virQEMUCapsPtr qemuCaps)
+{
+ unsigned int maxCpus;
+
+ maxCpus = virQEMUCapsGetMachineMaxCpus(qemuCaps, def->os.machine);
+ if (!maxCpus)
+ return true;
+
+ if (def->maxvcpus > maxCpus) {
+ virReportError(VIR_ERR_CONFIG_UNSUPPORTED,
+ "%s", _("Maximum CPUs greater than specified machine type limit"));
+ return false;
+ }
+
+ return true;
+}
+
int qemuProcessStart(virConnectPtr conn,
virQEMUDriverPtr driver,
virDomainObjPtr vm,
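Review bot: the error reported in qemuValidateCpuMax when def->maxvcpus > maxCpus names neither the requested count, the limit, nor the machine type, so the user cannot tell what to change; include def->maxvcpus, maxCpus and def->os.machine in the message. The new function also has no comment explaining that a return of 0 from virQEMUCapsGetMachineMaxCpus means the limit is unknown and the check is deliberately skipped.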
@@ -3519,6 +3537,9 @@ int qemuProcessStart(virConnectPtr conn,
vm->def->emulator)))
goto cleanup;
+ if (!qemuValidateCpuMax(vm->def, priv->qemuCaps))
+ goto cleanup;
+
if (qemuAssignDeviceAliases(vm->def, priv->qemuCaps) < 0)
goto cleanup;
diff --git a/tests/capabilityschemadata/caps-qemu-kvm.xml b/tests/capabilityschemadata/caps-qemu-kvm.xml
index 36c4b49..1fbc22b 100644
--- a/tests/capabilityschemadata/caps-qemu-kvm.xml
+++ b/tests/capabilityschemadata/caps-qemu-kvm.xml
@@ -33,18 +33,18 @@
<arch name='i686'>
<wordsize>32</wordsize>
<emulator>/usr/bin/qemu</emulator>
- <machine>pc-0.11</machine>
- <machine canonical='pc-0.11'>pc</machine>
- <machine>pc-0.10</machine>
- <machine>isapc</machine>
+ <machine maxCpus='255'>pc-0.11</machine>
+ <machine canonical='pc-0.11' maxCpus='255'>pc</machine>
+ <machine maxCpus='255'>pc-0.10</machine>
+ <machine maxCpus='1'>isapc</machine>
<domain type='qemu'>
</domain>
<domain type='kvm'>
<emulator>/usr/bin/qemu-kvm</emulator>
- <machine>pc-0.11</machine>
- <machine canonical='pc-0.11'>pc</machine>
- <machine>pc-0.10</machine>
- <machine>isapc</machine>
+ <machine maxCpus='255'>pc-0.11</machine>
+ <machine canonical='pc-0.11' maxCpus='255'>pc</machine>
+ <machine maxCpus='255'>pc-0.10</machine>
+ <machine maxCpus='1'>isapc</machine>
</domain>
</arch>
<features>
--
1.7.11.7
[libvirt] [RFC PATCH 1/2] LXC: Drop capabilities only if we're not within a user namespace
by Richard Weinberger
Dropping capabilities within a user namespace makes no sense
because any uid 0 process will regain all caps upon execve().
Signed-off-by: Richard Weinberger <richard(a)nod.at>
---
src/lxc/lxc_container.c | 21 ++++++++++-----------
1 file changed, 10 insertions(+), 11 deletions(-)
diff --git a/src/lxc/lxc_container.c b/src/lxc/lxc_container.c
index 958e20d..4f00420 100644
--- a/src/lxc/lxc_container.c
+++ b/src/lxc/lxc_container.c
@@ -1896,6 +1896,15 @@ static int lxcContainerDropCapabilities(bool keepReboot ATTRIBUTE_UNUSED)
return 0;
}
+static int userns_supported(void)
+{
+ return lxcContainerAvailable(LXC_CONTAINER_FEATURE_USER) == 0;
+}
+
+static int userns_required(virDomainDefPtr def)
+{
+ return def->idmap.uidmap && def->idmap.gidmap;
+}
/**
* lxcContainerChild:
@@ -1992,7 +2001,7 @@ static int lxcContainerChild(void *data)
}
/* drop a set of root capabilities */
- if (lxcContainerDropCapabilities(!!hasReboot) < 0)
+ if (!userns_required(vmDef) && lxcContainerDropCapabilities(!!hasReboot) < 0)
goto cleanup;
if (lxcContainerSendContinue(argv->handshakefd) < 0) {
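Review bot: the new condition in lxcContainerChild skips lxcContainerDropCapabilities whenever userns_required(vmDef) is true, and per the helper added above that only means def->idmap.uidmap and def->idmap.gidmap are configured, not that the child is actually running in a user namespace; userns_supported() is moved up alongside it but is not consulted here. Either test the state that was really set up or document why the configuration alone is sufficient, and update the comment "drop a set of root capabilities", which no longer describes the idmap case. Splitting the expression into an outer if (!userns_required(vmDef)) with the existing call inside would also make it obvious that only a failed drop jumps to cleanup.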
@@ -2025,16 +2034,6 @@ cleanup:
return ret;
}
-static int userns_supported(void)
-{
- return lxcContainerAvailable(LXC_CONTAINER_FEATURE_USER) == 0;
-}
-
-static int userns_required(virDomainDefPtr def)
-{
- return def->idmap.uidmap && def->idmap.gidmap;
-}
-
virArch lxcContainerGetAlt32bitArch(virArch arch)
{
/* Any Linux 64bit arch which has a 32bit
--
1.8.1.4
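The commit message above rests on how execve() recomputes capabilities for a uid 0 process. The model below is an added example, not code from the patch or from libvirt; it applies the rule documented in capabilities(7), assuming an ordinary binary, SECBIT_NOROOT clear and an empty ambient set, and the three capabilities in SAMPLE_DROP are a constructed sample.

```c
#include <stdint.h>
#include <stdio.h>

/* Capability numbers as defined in <linux/capability.h>. */
#define CAP_SYS_MODULE 16
#define CAP_SYS_TIME   25
#define CAP_MKNOD      27

typedef uint64_t capset;
#define CAP_BIT(c) ((capset)1 << (c))
#define ALL_CAPS   (~(capset)0)

/* Constructed sample of capabilities a container runtime might drop. */
#define SAMPLE_DROP (CAP_BIT(CAP_SYS_MODULE) | CAP_BIT(CAP_SYS_TIME) | \
                     CAP_BIT(CAP_MKNOD))

struct task_caps {
    capset permitted;
    capset effective;
    capset inheritable;
    capset bounding;
};

/* A uid 0 task before any drop: full sets, empty inheritable set. */
static struct task_caps root_task(void)
{
    struct task_caps t = { ALL_CAPS, ALL_CAPS, 0, ALL_CAPS };
    return t;
}

/* Drop from the per-thread sets only, as capset(2) does. */
static struct task_caps drop_thread_sets(struct task_caps t, capset drop)
{
    t.permitted &= ~drop;
    t.effective &= ~drop;
    t.inheritable &= ~drop;
    return t;
}

/* Also remove from the bounding set, as prctl(PR_CAPBSET_DROP) does. */
static struct task_caps drop_bounding(struct task_caps t, capset drop)
{
    t.bounding &= ~drop;
    return t;
}

/*
 * execve() by a uid 0 process: the kernel treats the file inheritable and
 * permitted sets as all ones and the file effective bit as set, so
 *   P'(permitted) = (P(inheritable) & F(inheritable)) | (F(permitted) & P(bounding))
 *   P'(effective) = P'(permitted)
 */
static struct task_caps execve_as_root(struct task_caps old)
{
    const capset file_inheritable = ALL_CAPS;
    const capset file_permitted = ALL_CAPS;
    struct task_caps next;

    next.inheritable = old.inheritable;
    next.bounding = old.bounding;
    next.permitted = (old.inheritable & file_inheritable) |
                     (file_permitted & old.bounding);
    next.effective = next.permitted;
    return next;
}

/* Capabilities out of 'dropped' that are effective again after one execve(). */
static capset regained_after_exec(struct task_caps before_exec, capset dropped)
{
    return execve_as_root(before_exec).effective & dropped;
}

int main(void)
{
    struct task_caps a = drop_thread_sets(root_task(), SAMPLE_DROP);
    struct task_caps b = drop_bounding(a, SAMPLE_DROP);

    printf("dropped mask:                      %#llx\n",
           (unsigned long long)SAMPLE_DROP);
    printf("regained, thread sets only:        %#llx\n",
           (unsigned long long)regained_after_exec(a, SAMPLE_DROP));
    printf("regained, bounding set also dropped: %#llx\n",
           (unsigned long long)regained_after_exec(b, SAMPLE_DROP));
    return 0;
}
```

A drop that leaves the bounding set untouched is undone by the next execve() as uid 0; only the bounding-set removal persists across it.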
[libvirt] [PATCH] Document security reporting & handling process
by Daniel P. Berrange
From: "Daniel P. Berrange" <berrange(a)redhat.com>
Historically security issues in libvirt have been primarily
triaged & fixed by the Red Hat libvirt members & Red Hat
security team, who then usually notify other vendors via
appropriate channels. There have been a number of times
when vendors have not been properly notified ahead of
announcement. It has also disadvantaged community members
who have to backport fixes to releases for which there are
no current libvirt stable branches.
To address this, we want to make the libvirt security process
entirely community focused / driven. To this end I have set up
a new email address "libvirt-security(a)redhat.com" for end
users to report bugs which have (possible) security implications.
This email addr is backed by an invitation only, private
archive, mailing list. The intent is for the list membership
to comprise a subset of the libvirt core team, along with any
vendor security team engineers who wish to participate in a
responsible disclosure process for libvirt. Members of the
list will be responsible for analysing the problem to determine
if a security issue exists and then issue fixes for all current
official stable branches & git master.
I am proposing the following libvirt core team people as
members of the security team / list (all cc'd):
Daniel Berrange (Red Hat)
Eric Blake (Red Hat)
Jiri Denemark (Red Hat)
Daniel Veillard (Red Hat)
Jim Fehlig (SUSE)
Doug Goldstein (Gentoo)
Guido Günther (Debian)
We don't have anyone from Ubuntu on the libvirt core team.
Serge Hallyn is the most frequent submitter of patches from
Ubuntu in recent history, so I'd like to invite him to join.
Alternatively, Serge, feel free to suggest someone else to
represent Ubuntu's interests.
If any other vendors/distros have security people who are
responsible for dealing with libvirt security issues, and
want to join to get early disclosure of issues, they can
suggest people. Existing security team members will vet /
approve such requests to ensure they are genuine.
Anyone on the team / list will be **required** to honour any
embargo period agreed between members for non-public issues
that are reported. The aim will be to have a maximum 2 week
embargo period in the common case, extendable to 1 month if
there is sufficient justification made. If anyone feels they
are unable to follow such an embargo process for whatever
reason, please decline membership of the security list/team.
The patch which follows puts up some docs on the website
about all of this....
Document how to report security bugs and the process that
will be used for addressing them.
Signed-off-by: Daniel P. Berrange <berrange(a)redhat.com>
---
docs/bugs.html.in | 12 +++++
docs/contact.html.in | 12 +++++
docs/securityprocess.html.in | 113 +++++++++++++++++++++++++++++++++++++++++++
docs/sitemap.html.in | 4 ++
4 files changed, 141 insertions(+)
create mode 100644 docs/securityprocess.html.in
diff --git a/docs/bugs.html.in b/docs/bugs.html.in
index 3d79b32..71e43e4 100644
--- a/docs/bugs.html.in
+++ b/docs/bugs.html.in
@@ -7,6 +7,18 @@
<ul id="toc"></ul>
+ <h2><a name="security">Security Issues</a></h2>
+
+ <p>
+ If you think that an issue with libvirt may have security
+ implications, <strong>please do not</strong> publically
+ report it in the bug tracker, mailing lists, or irc. Libvirt
+ has <a href="securityprocess.html">a dedicated process for handling (potential) security issues</a>
+ that should be used instead. So if your issue has security
+ implications, ignore the rest of this page and follow the
+ <a href="securityprocess.html">security process</a> instead.
+ </p>
+
<h2><a name="bugzilla">Bug Tracking</a></h2>
<p>
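Review bot: In the added "Security Issues" paragraph, "publically" should be "publicly" and "irc" should be "IRC". The paragraph also links to securityprocess.html twice within three sentences; folding the closing "So if your issue has security implications..." sentence into the first link would say the same thing once.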
diff --git a/docs/contact.html.in b/docs/contact.html.in
index e34de67..51cc775 100644
--- a/docs/contact.html.in
+++ b/docs/contact.html.in
@@ -6,6 +6,18 @@
<ul id="toc"></ul>
+ <h2><a name="security">Security Issues</a></h2>
+
+ <p>
+ If you think that an issue with libvirt may have security
+ implications, <strong>please do not</strong> publically
+ report it in the bug tracker, mailing lists, or irc. Libvirt
+ has <a href="securityprocess.html">a dedicated process for handling (potential) security issues</a>
+ that should be used instead. So if your issue has security
+ implications, ignore the rest of this page and follow the
+ <a href="securityprocess.html">security process</a> instead.
+ </p>
+
<h2><a name="email">Mailing lists</a></h2>
<p>
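Review bot: The "Security Issues" paragraph added here is a word-for-word copy of the one added to docs/bugs.html.in, including the "publically" spelling, so the two copies can drift apart when only one is edited later. Consider keeping the full wording on one page and reducing the other to a single sentence that links to securityprocess.html.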
diff --git a/docs/securityprocess.html.in b/docs/securityprocess.html.in
new file mode 100644
index 0000000..c29ae80
--- /dev/null
+++ b/docs/securityprocess.html.in
@@ -0,0 +1,113 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+ <body>
+
+ <h1>Security Process</h1>
+
+ <ul id="toc"></ul>
+
+ <p>
+ The libvirt project believes in responsible disclosure of
+ security problems, to allow vendors time to prepare and
+ distribute patches for problems ahead of their publication.
+ This page describes how the process works and how to report
+ potential security issues.
+ </p>
+
+ <h2><a name="reporting">Reporting security issues</a></h2>
+
+ <p>
+ In the event that a bug in libvirt is found which is
+ believed to have (potential) security implications there
+ is a dedicated contact to which a bug report / notification
+ should be directed. Send an email with as many details of
+ the problem as possible (ideally with steps to reproduce)
+ to the following email address:
+ </p>
+
+ <pre>
+<a href="mailto:libvirt-security@redhat.com">libvirt-security(a)redhat.com</a></pre>
+
+ <p>
+ NB. while this email address is backed by a mailing list, it
+ is invitation only and moderated for non-members. As such you
+ will receive an auto-reply indicating the report is held for
+ moderation. Postings by non-members will be approved by a
+ moderator and the reporter copied on any replies.
+ </p>
+
+ <h2><a name="seclist">Security team</a></h2>
+
+ <p>
+ The libvirt security team is made up of a subset of the libvirt
+ core development team which covers the various distro maintainers
+ of libvirt, along with nominated security engineers representing
+ the various vendors who distribute libvirt. The team is responsible
+ for analysing incoming reports from users to identify whether a
+ security problem exists and its severity. It then works to produce
+ a fix for all official stable branches of libvirt and co-ordinate
+ embargo dates between vendors to allow simultaneous release of the
+ fix by all affected parties.
+ </p>
+
+ <p>
+ If you are a security representative of a vendor distributing
+ libvirt and would like to join the security team, send an email
+ to the afore-mentioned security address. Typically an existing
+ member of the security team will have to vouch for your credentials
+ before membership is approved. All members of the security team
+ are <strong>required to respect the embargo policy</strong>
+ described below.
+ </p>
+
+ <h2><a name="embargo">Publication embargo policy</a></h2>
+
+ <p>
+ The libvirt security team operates a policy of
+ <a href="http://en.wikipedia.org/wiki/Responsible_disclosure">responsible disclosure</a>.
+ As such any security issue reported, that is not already publically disclosed
+ elswhere, will have an embargo date assigned. Members of the security team agree
+ not to publically disclose any details of the security issue until the embargo
+ date expires.
+ </p>
+
+ <p>
+ The general aim of the team is to have embargo dates which
+ are two weeks or less in duration. If a problem is identified
+ with a proposed patch for a security issue, requiring further
+ investigation and bug fixing, the embargo clock may be restarted.
+ In exceptional circumstances longer initial embargos may be
+ negotiated by mutual agreement between members of the security
+ team and other relevant parties to the problem. Any such extended
+ embargoes will aim to be at most one month in duration.
+ </p>
+
+
+ <h2><a name="cve">CVE allocation</a></h2>
+
+ <p>
+ The libvirt security team will associate each security issue with
+ a CVE number. The CVE numbers will usually be allocated by one of
+ the vendor security engineers on the security team.
+ </p>
+
+ <h2><a name="branches">Branch fixing policy</a></h2>
+
+ <p>
+ The libvirt community maintains one or more stable release branches
+ at any given point in time. The security team will aim to publish
+ fixes for GIT master (which will become the next major release) and
+ each currently maintained stable release branch. The distro maintainers
+ will be responsible for backporting the officially published fixes to
+ other release branches where applicable.
+ </p>
+
+ <h2><a name="notification">Notification of issues</a></h2>
+
+ <p>
+ When an embargo expires, security issues will be announced on both
+ the libvirt development and announcement <a href="http://libvirt.org/contact.html#email">mailing lists</a>.
+ </p>
+ </body>
+</html>
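Review bot: In the "Publication embargo policy" section, "the embargo clock may be restarted" carries no stated limit, so repeated restarts can exceed both the two-week aim and the one-month aim for extended embargoes; say who has to agree to a restart and whether the one-month ceiling still applies afterwards. The "Reporting security issues" section gives only a plain mailto address, so it would help to state whether encrypted reports are accepted. Spelling: "publically" (twice) and "elswhere" in the first embargo paragraph, and "embargos" next to "embargoes" in the second. The final link uses the absolute http://libvirt.org/contact.html#email while the links added to the other pages are relative; "contact.html#email" would be consistent.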
diff --git a/docs/sitemap.html.in b/docs/sitemap.html.in
index cb7cc5b..fd10caf 100644
--- a/docs/sitemap.html.in
+++ b/docs/sitemap.html.in
@@ -349,6 +349,10 @@
<span>How and where to report bugs and request features</span>
<ul>
<li>
+ <a href="securityprocess.html">Security Process</a>
+ <span>Security bug reporting and resolution process</span>
+ </li>
+ <li>
<a href="todo.html">Todo list</a>
<span>Main feature request list</span>
</li>
--
1.8.1.4
11 years, 6 months
[libvirt] [PATCH] node device driver: update driver name during dumpxml
by Laine Stump
This fixes:
https://bugzilla.redhat.com/show_bug.cgi?id=979290
https://bugzilla.redhat.com/show_bug.cgi?id=979330
The node device driver was written with the assumption that udev would
use a "change" event to notify libvirt of any change to device status
(including the name of the driver it was bound to). It turns out this
is not the case (see Comment 4 of BZ 979290). That means that a
dumpxml for a device would always show whatever driver happened to be
bound at the time libvirt was started (when the node device cache was
built).
There was already code in the driver (for the benefit of the HAL
backend) that updated the driver name from sysfs each time a device's
info was retrieved from the cache. This patch just enables that manual
update for the udev backend as well.
---
src/node_device/node_device_driver.c | 13 +++++++++----
1 file changed, 9 insertions(+), 4 deletions(-)
diff --git a/src/node_device/node_device_driver.c b/src/node_device/node_device_driver.c
index 67e90a1..8e6911a 100644
--- a/src/node_device/node_device_driver.c
+++ b/src/node_device/node_device_driver.c
@@ -60,10 +60,15 @@ static int update_caps(virNodeDeviceObjPtr dev)
}
-#if defined (__linux__) && defined (WITH_HAL)
-/* Under libudev changes to the driver name should be picked up as
- * "change" events, so we don't call update driver name unless we're
- * using the HAL backend. */
+#if defined (__linux__) && ( defined (WITH_HAL) || defined(WITH_UDEV))
+/* NB: It was previously believed that changes in driver name were
+ * relayed to libvirt as "change" events by udev, and the udev event
+ * notification is setup to recognize such events and effectively
+ * recreate the device entry in the cache. However, neither the kernel
+ * nor udev sends such an event, so it is necessary to manually update
+ * the driver name for a device each time its entry is used, both for
+ * udev *and* HAL backends.
+ */
static int update_driver_name(virNodeDeviceObjPtr dev)
{
char *driver_link = NULL;
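Review bot: The new preprocessor guard mixes spacing styles, "( defined (WITH_HAL) || defined(WITH_UDEV))"; writing it as "(defined (WITH_HAL) || defined (WITH_UDEV))" matches the "defined (__linux__)" at the start of the same line. The replacement comment states that neither the kernel nor udev sends the "change" event but gives no pointer to the evidence; citing the Bugzilla comment named in the commit message would let a later reader check it. In the same comment, "setup" used as a verb should be "set up".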
--
1.7.11.7
11 years, 6 months
[libvirt] [PATCH] pci: initialize virtual_functions array pointer to avoid segfault
by Laine Stump
This fixes https://bugzilla.redhat.com/show_bug.cgi?id=971325
The problem was that if virPCIGetVirtualFunctions was given the name
of a non-existent interface, it would return to its caller without
initializing the pointer to the array of virtual functions to NULL,
and the caller (virNetDevGetVirtualFunctions) would try to VIR_FREE()
the invalid pointer.
The final error message before the crash would be:
virPCIGetVirtualFunctions:2088 :
Failed to open dir '/sys/class/net/eth2/device':
No such file or directory
In this patch I move the initialization in virPCIGetVirtualFunctions()
to the beginning of the function, and also do an explicit
initialization in virNetDevGetVirtualFunctions, just in case someone
in the future adds code into that function prior to the call to
virPCIGetVirtualFunctions.
---
src/util/virnetdev.c | 3 +++
src/util/virpci.c | 5 +++--
2 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/src/util/virnetdev.c b/src/util/virnetdev.c
index ebe20d0..5e8dffb 100644
--- a/src/util/virnetdev.c
+++ b/src/util/virnetdev.c
@@ -1100,6 +1100,9 @@ virNetDevGetVirtualFunctions(const char *pfname,
char *pci_sysfs_device_link = NULL;
char *pciConfigAddr = NULL;
+ *virt_fns = NULL;
+ *n_vfname = 0;
+
if (virNetDevSysfsFile(&pf_sysfs_device_link, pfname, "device") < 0)
return ret;
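Review bot: The two added assignments dereference virt_fns and n_vfname unconditionally at function entry, so both must be non-NULL on every call; if that is the intended contract, mark the parameters ATTRIBUTE_NONNULL in the prototype so the compiler enforces it. The placement itself is right, since the "return ret;" immediately after virNetDevSysfsFile() is an exit that would otherwise leave the outputs undefined. A test case that passes a non-existent interface name would keep this from regressing.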
diff --git a/src/util/virpci.c b/src/util/virpci.c
index 2acab1a..15de3f9 100644
--- a/src/util/virpci.c
+++ b/src/util/virpci.c
@@ -2449,6 +2449,9 @@ virPCIGetVirtualFunctions(const char *sysfs_path,
VIR_DEBUG("Attempting to get SR IOV virtual functions for device"
"with sysfs path '%s'", sysfs_path);
+ *virtual_functions = NULL;
+ *num_virtual_functions = 0;
+
dir = opendir(sysfs_path);
if (dir == NULL) {
memset(errbuf, '\0', sizeof(errbuf));
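Review bot: In the VIR_DEBUG call shown in the context lines, the two string literals "...for device" and "with sysfs path '%s'" are concatenated with no space between them, so the log line reads "devicewith"; add a trailing space to the first literal while this spot is being touched. Moving the two initialisations above opendir() is correct, because the early return in the "dir == NULL" branch is the path that previously left them unset.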
@@ -2458,8 +2461,6 @@ virPCIGetVirtualFunctions(const char *sysfs_path,
return ret;
}
- *virtual_functions = NULL;
- *num_virtual_functions = 0;
while ((entry = readdir(dir))) {
if (STRPREFIX(entry->d_name, "virtfn")) {
virPCIDeviceAddress *config_addr = NULL;
--
1.7.11.7
11 years, 6 months
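The failure mode described in the commit message above, as an added example that is not libvirt's code: `list_vfs`, its `init_first` flag and the directory path are hypothetical stand-ins. `outputs_defined_on_failure` is a regression check that poisons the out-parameters, forces the `opendir()` failure, and reports whether the caller's cleanup would be handed a defined pointer.

```c
#include <dirent.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for the function in the patch: list "virtfn*" entries.
 * init_first = 0 is the pre-patch ordering, 1 the patched ordering. */
static int list_vfs(const char *path, char ***names, unsigned int *n, int init_first)
{
    DIR *dir;
    struct dirent *e;
    int ret = -1;
    if (init_first) {       /* patched: outputs defined before anything can fail */
        *names = NULL;
        *n = 0;
    }
    if ((dir = opendir(path)) == NULL)
        return ret;         /* pre-patch: outputs still hold the caller's garbage */
    if (!init_first) {
        *names = NULL;
        *n = 0;
    }
    while ((e = readdir(dir)) != NULL) {
        char **tmp;
        if (strncmp(e->d_name, "virtfn", 6) != 0)
            continue;
        if ((tmp = realloc(*names, (*n + 1) * sizeof(*tmp))) == NULL)
            goto cleanup;
        *names = tmp;
        if ((tmp[*n] = malloc(strlen(e->d_name) + 1)) == NULL)
            goto cleanup;
        strcpy(tmp[(*n)++], e->d_name);
    }
    ret = 0;
cleanup:
    closedir(dir);
    return ret;
}

/* Poison the outputs, force the failure path, and return 1 if the callee
 * left them safe for the caller's cleanup, 0 if not, -1 if inconclusive. */
static int outputs_defined_on_failure(int init_first)
{
    static char *poison;                /* constructed non-heap address */
    char **names = &poison;
    unsigned int n = 0xFFFFFFFFu;
    if (list_vfs("/constructed/no/such/device", &names, &n, init_first) == 0)
        return -1;
    return names == NULL && n == 0;
}
```

The check never frees or dereferences the poisoned pointer, so it can run against the pre-patch ordering without crashing the test process.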