[libvirt] LSN-2014-0010: CVE-2014-8136 deadlock on failed migration
by Eric Blake
Libvirt Security Notice: LSN-2014-0008
======================================
Summary: deadlock on failed migration
Reported on: 20141208
Published on: 20141208
Fixed on: 20141209
Reported by: Peter Krempa <pkrempa(a)redhat.com>
Patched by: Peter Krempa <pkrempa(a)redhat.com>
See also: CVE-2014-8136
Description
-----------
When using fine-grained ACLs to restrict users from migrating
domains, a logic bug could leave the domain locked and prevent
further operation on that domain.
Impact
------
A client that lacks the domain:migrate fine-grained ACL could use a
failed migration attempt to trigger a denial of service against a
more privileged user.
Workaround
----------
The bug is mitigated by the fact that the "perform" and "finish"
states of migration can generally be reached only after a successful
"begin" or "prepare" state, both of which also require the same
domain:migrate permission. Furthermore, the "prepare" state also
requires the domain:write permission, and any user which has been
granted that permission is already deemed to have full control over
the system; even if domain:migrate permission is dynamically denied
after migration has already started in order to trigger the flaw, an
attack by such a user generally does not constitute a denial of
service against a more privileged user. On the other hand, a
malicious client that has access to the read-write socket via only a
weaker privilege such as domain:read can send RPC commands out of
order, to attempt a "perform" without going through the
prerequisite states, and thereby trigger the bug in a manner that
forms a denial of service. Read-only clients cannot trigger the
problem, even via bad RPC commands. It is possible to avoid the bug
by not using the fine-grained access control mechanism.
Affected product
----------------
Name: libvirt
Repository: git://libvirt.org/git/libvirt.git
http://libvirt.org/git/?p=libvirt.git
Branch: master
Broken in: v1.1.0
Broken in: v1.1.1
Broken in: v1.1.2
Broken in: v1.1.3
Broken in: v1.1.4
Broken in: v1.2.0
Broken in: v1.2.1
Broken in: v1.2.2
Broken in: v1.2.3
Broken in: v1.2.4
Broken in: v1.2.5
Broken in: v1.2.6
Broken in: v1.2.7
Broken in: v1.2.8
Broken in: v1.2.9
Broken in: v1.2.10
Fixed in: v1.2.11
Broken by: abf75aea247ef6e432e5a51bcdb21972e50a4cd1
Fixed by: 2bdcd29c713dfedd813c89f56ae98f6f3898313d
Branch: v1.1.0-maint
Broken by: abf75aea247ef6e432e5a51bcdb21972e50a4cd1
Fixed by: 540872ceae9d2850e42d3615f017feb46ab585aa
Branch: v1.1.1-maint
Broken by: abf75aea247ef6e432e5a51bcdb21972e50a4cd1
Fixed by: fb1e0312f4cfc2375ee94d40e5f2999cd761337d
Branch: v1.1.2-maint
Broken by: abf75aea247ef6e432e5a51bcdb21972e50a4cd1
Fixed by: 12c35ca8e6a1dff79fe706b24edc094be7df9f93
Branch: v1.1.3-maint
Broken in: v1.1.3.1
Broken in: v1.1.3.2
Broken in: v1.1.3.3
Broken in: v1.1.3.4
Broken in: v1.1.3.5
Broken in: v1.1.3.6
Broken in: v1.1.3.7
Broken in: v1.1.3.8
Broken by: abf75aea247ef6e432e5a51bcdb21972e50a4cd1
Fixed by: 63934cae465f757c774db1fa4e86d3c8bda4591b
Branch: v1.1.4-maint
Broken by: abf75aea247ef6e432e5a51bcdb21972e50a4cd1
Fixed by: 995516ad3dc64fb5a5102ad0fbbea6e1701f0d8d
Branch: v1.2.0-maint
Broken by: abf75aea247ef6e432e5a51bcdb21972e50a4cd1
Fixed by: 0d365c6f707f55e77ff14d6a52a59b7d1c43f8a4
Branch: v1.2.1-maint
Broken by: abf75aea247ef6e432e5a51bcdb21972e50a4cd1
Fixed by: 75dfd58284de1fdc146b8aa3deb7d6a2057f0391
Branch: v1.2.2-maint
Broken by: abf75aea247ef6e432e5a51bcdb21972e50a4cd1
Fixed by: f5a151754f2080598049baf5d68282f183a30f5c
Branch: v1.2.3-maint
Broken by: abf75aea247ef6e432e5a51bcdb21972e50a4cd1
Fixed by: e0e2f7eafc5adfbac4343592def097cbe8a67653
Branch: v1.2.4-maint
Broken by: abf75aea247ef6e432e5a51bcdb21972e50a4cd1
Fixed by: 4ba560e050fa83a2ef2083fbfa0ad9484b9393d4
Branch: v1.2.5-maint
Broken by: abf75aea247ef6e432e5a51bcdb21972e50a4cd1
Fixed by: cd3d695a6be8398b399d0d06c26a618b12ad8946
Branch: v1.2.6-maint
Broken by: abf75aea247ef6e432e5a51bcdb21972e50a4cd1
Fixed by: bad50b7501ebfe8076a6f7809d7b44b7a94c38ef
Branch: v1.2.7-maint
Broken by: abf75aea247ef6e432e5a51bcdb21972e50a4cd1
Fixed by: 220759259bcbcc705a96dc1cbaeb2f2ce980c479
Branch: v1.2.8-maint
Broken by: abf75aea247ef6e432e5a51bcdb21972e50a4cd1
Fixed by: 372bfe63b501c7580400107682633ad421416f88
Branch: v1.2.9-maint
Broken in: v1.2.9.1
Broken by: abf75aea247ef6e432e5a51bcdb21972e50a4cd1
Fixed by: 12496319a24dd923c5f321c84112fd0e73979413
Branch: v1.2.10-maint
Broken by: abf75aea247ef6e432e5a51bcdb21972e50a4cd1
Fixed by: 2a121c635306cd498cdabb63a806ae17821b245f
--
Eric Blake eblake redhat com +1-919-301-3266
Libvirt virtualization library http://libvirt.org
10 years, 2 months
[libvirt] LSN-2014-0009: CVE-2014-8135 crash when using virStorageVolUpload
by Eric Blake
Libvirt Security Notice: LSN-2014-0009
======================================
Summary: crash when using virStorageVolUpload
Reported on: 20141202
Published on: 20141203
Fixed on: 20141203
Reported by: Pei Zhang <pzhang(a)redhat.com>
Patched by: Luyao Huang <lhuang(a)redhat.com>
See also: CVE-2014-8135
Description
-----------
Incorrect parameter validation of the virStorageVolUpload command
could cause libvirtd to attempt to dereference NULL.
Impact
------
When using fine-grained ACLs, a user that is permitted to modify
storage volumes but not create arbitrary domains can use bogus
parameters to cause a denial of service attack against more
privileged users.
Workaround
----------
Passing valid parameters to virStorageVolUpload will not trigger a
problem. It is also possible to prevent the denial of service by
stopping the use of the fine grained access control mechanism, or by
not granting users the storage_vol:data_write permission if they do
not also have the domain:write permission; doing this will not
prevent the crash for invalid parameters, but such a crash is no
longer a security attack.
Affected product
----------------
Name: libvirt
Repository: git://libvirt.org/git/libvirt.git
http://libvirt.org/git/?p=libvirt.git
Branch: master
Broken in: v1.2.8
Broken in: v1.2.9
Broken in: v1.2.10
Fixed in: v1.2.11
Broken by: 4a85bf3e2fa703fdc14e8c49d5017ef04832a1d7
Fixed by: 87b9437f8951f9d24f9a85c6bbfff0e54df8c984
Branch: v1.2.8-maint
Broken by: 4a85bf3e2fa703fdc14e8c49d5017ef04832a1d7
Fixed by: 05ba8c50b15f7078ba7981f550fc59c3dc74c469
Branch: v1.2.9-maint
Broken in: v1.2.9.1
Broken by: 4a85bf3e2fa703fdc14e8c49d5017ef04832a1d7
Fixed by: 584e876ba2057b472074dbf177d2397392d70363
Branch: v1.2.10-maint
Broken by: 4a85bf3e2fa703fdc14e8c49d5017ef04832a1d7
Fixed by: c89df3695b397d155ca15ac174c983ae9a77387e
--
Eric Blake eblake redhat com +1-919-301-3266
Libvirt virtualization library http://libvirt.org
10 years, 2 months
[libvirt] LSN-2014-0008: CVE-2014-8131 deadlock or segfault in virConnectGetAllDomainStats
by Eric Blake
Libvirt Security Notice: LSN-2014-0008
======================================
Summary: deadlock or segfault in virConnectGetAllDomainStats
Reported on: 20141127
Published on: 20141205
Fixed on: 20141211
Reported by: Martin Kletzander <mkletzan(a)redhat.com>
Patched by: Martin Kletzander <mkletzan(a)redhat.com>,
Francesco Romani <fromani(a)redhat.com>
See also: CVE-2014-8131
Description
-----------
When using fine-grained ACLs to restrict users from accessing all
domains, a logic bug in the qemu implementation of
virConnectGetAllDomainStats could result in incorrect lock
management of the next domain inspected after a domain that was
skipped due to ACL restrictions.
Impact
------
A restricted client can trigger a denial of service against a more
privileged user when libvirtd goes into deadlock when trying to lock
an incorrectly locked domain, or crashes when trying to unlock a
domain that was not locked.
Workaround
----------
Stop use of the fine grained access control mechanism, or stop
trying to use access control to restrict the set of domains that an
authorized client can see.
Affected product
----------------
Name: libvirt
Repository: git://libvirt.org/git/libvirt.git
http://libvirt.org/git/?p=libvirt.git
Branch: master
Broken in: v1.2.8
Broken in: v1.2.9
Broken in: v1.2.10
Fixed in: v1.2.11
Broken by: d1bde8eda3b4027b38c7c1d5942a6388b0458803
Broken by: 1f4831ee6ecc17d0f2008d7db15bfd9bc3b1d685
Fixed by: 57023c0a3af4af1c547189c1f6712ed5edeb0c0b
Fixed by: cb104ef734dfea12cb8826dba7e2c98912c4b7e1
Branch: v1.2.8-maint
Broken by: d1bde8eda3b4027b38c7c1d5942a6388b0458803
Fixed by: 27431ec96e617f186bd3f5900aeb7d622770533a
Branch: v1.2.9-maint
Broken in: v1.2.9.1
Broken by: d1bde8eda3b4027b38c7c1d5942a6388b0458803
Broken by: 1f4831ee6ecc17d0f2008d7db15bfd9bc3b1d685
Fixed by: 5d8bee6d57cddf462912ad2fc544c8a57b1c2841
Fixed by: dfbdea7ea8fa36d9f27942c5b2882acfd86a3c3b
Branch: v1.2.10-maint
Broken by: d1bde8eda3b4027b38c7c1d5942a6388b0458803
Broken by: 1f4831ee6ecc17d0f2008d7db15bfd9bc3b1d685
Fixed by: a20e818cb3f46d2dce586327dcc49ffcd82d94cb
Fixed by: a9638ae975a1c784d958e3fb2f0aab36b3ebddeb
--
Eric Blake eblake redhat com +1-919-301-3266
Libvirt virtualization library http://libvirt.org
10 years, 2 months
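The lock handling behind LSN-2014-0010 (a domain left locked after a denied migration phase) and LSN-2014-0008 (wrong lock state for the domain that follows an ACL-skipped one), as an added example that is not libvirt code. It is a simplified C model: every type and function name is hypothetical, the ACL verdicts are constructed, and each buggy shape sits beside a corrected one.

```c
/* Added illustration: a simplified model of the lock handling described in
 * LSN-2014-0010 and LSN-2014-0008. Not libvirt source; every name is
 * hypothetical and the ACL verdicts are constructed sample data. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

struct dom {
    bool locked;       /* models the per-domain mutex */
    bool acl_allows;   /* constructed ACL verdict for the calling client */
};

int bad_unlock;        /* unlocks of a lock that was not held */

static void dom_lock(struct dom *d) { d->locked = true; }

static void dom_unlock(struct dom *d)
{
    if (!d->locked)
        bad_unlock++;  /* a real daemon may crash here */
    d->locked = false;
}

/* BUGGY migration phase: the ACL denial returns with the lock still held. */
int perform_buggy(struct dom *d)
{
    dom_lock(d);
    if (!d->acl_allows)
        return -1;
    dom_unlock(d);     /* migration work would precede this */
    return 0;
}

/* FIXED: a single exit path, so denial and success both release the lock. */
int perform_fixed(struct dom *d)
{
    int ret = -1;
    dom_lock(d);
    if (d->acl_allows)
        ret = 0;       /* migration work would happen here */
    dom_unlock(d);
    return ret;
}

/* BUGGY bulk query: 'held' outlives the iteration, so a skipped domain
 * stays locked and the domain after it is handled without its lock. */
int stats_buggy(struct dom *doms, size_t n)
{
    int reported = 0;
    bool held = false;
    for (size_t i = 0; i < n; i++) {
        if (!held) {
            dom_lock(&doms[i]);
            held = true;
        }
        if (!doms[i].acl_allows)
            continue;  /* no unlock, and 'held' is not reset */
        reported++;
        dom_unlock(&doms[i]);
        held = false;
    }
    return reported;
}

/* FIXED: lock state is local to one iteration and every path unlocks. */
int stats_fixed(struct dom *doms, size_t n)
{
    int reported = 0;
    for (size_t i = 0; i < n; i++) {
        dom_lock(&doms[i]);
        if (doms[i].acl_allows)
            reported++;
        dom_unlock(&doms[i]);
    }
    return reported;
}

/* A later, fully privileged caller would block forever on a leaked lock. */
bool privileged_op_hangs(const struct dom *d) { return d->locked; }

int main(void)
{
    struct dom set[3] = { { false, true }, { false, false }, { false, true } };
    stats_buggy(set, 3);
    printf("skipped domain left locked=%d, bad unlocks=%d\n",
           set[1].locked, bad_unlock);
    return 0;
}
```

In the buggy bulk query the third domain is still counted, but it was read without its lock and then unlocked, which is the model's stand-in for both outcomes the notice lists.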
[libvirt] [PATCH] parallels: report, that cdrom image is raw
by Dmitry Guryanov
VIR_STORAGE_FILE_AUTO should be used only in xml provided to
libvirt by user, if I understood correctly. Driver should
set storage source format to specific disk format in
*DomainGetXMLDesc.
CDROMs in PCS use raw image format.
Signed-off-by: Dmitry Guryanov <dguryanov(a)parallels.com>
---
src/parallels/parallels_sdk.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/parallels/parallels_sdk.c b/src/parallels/parallels_sdk.c
index 05b1049..7aa50ee 100644
--- a/src/parallels/parallels_sdk.c
+++ b/src/parallels/parallels_sdk.c
@@ -471,7 +471,7 @@ prlsdkGetDiskInfo(PRL_HANDLE prldisk,
if (emulatedType == PDT_USE_IMAGE_FILE) {
virDomainDiskSetType(disk, VIR_STORAGE_TYPE_FILE);
if (isCdrom)
- virDomainDiskSetFormat(disk, VIR_STORAGE_FILE_AUTO);
+ virDomainDiskSetFormat(disk, VIR_STORAGE_FILE_RAW);
else
virDomainDiskSetFormat(disk, VIR_STORAGE_FILE_PLOOP);
} else {
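Review bot: in the isCdrom branch the format is now hardcoded to VIR_STORAGE_FILE_RAW with no comment recording why, while the commit message itself hedges with "if I understood correctly". A short comment above the call, stating that PCS CD-ROM images are always raw and that the driver must report a concrete format in *DomainGetXMLDesc rather than AUTO, would keep the choice from being reverted later.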
--
2.1.0
10 years, 2 months
[libvirt] [PATCH 0/6] qemu: Fix hotplugging cpus with strict memory pinning
by Martin Kletzander
Details are in the patches themselves, but the basic idea is this:
Setup:
$ grep DMA32 /proc/zoneinfo
Node 0, zone DMA32
$ virsh dumpxml domain | grep -C1 strict
<numatune>
<memory mode='strict' nodeset='1'/>
</numatune>
$ virsh start domain
Domain domain started
Before:
$ virsh setvcpus domain 2
error: Unable to read from monitor: Connection reset by peer
# Domain died
After:
$ virsh setvcpus domain 2
# hotplug successful
Martin
Martin Kletzander (6):
util: Add function virCgroupHasEmptyTasks
util: Add virNumaGetHostNodeset
qemu: Remove unnecessary qemuSetupCgroupPostInit function
qemu: Save numad advice into qemuDomainObjPrivate
qemu: Leave cpuset.mems in parent cgroup alone
qemu: Fix hotplugging cpus with strict memory pinning
src/libvirt_private.syms | 2 ++
src/qemu/qemu_cgroup.c | 94 +++++++++++++++++++++++++++++++++++++-----------
src/qemu/qemu_cgroup.h | 9 ++---
src/qemu/qemu_domain.c | 1 +
src/qemu/qemu_domain.h | 1 +
src/qemu/qemu_driver.c | 88 +++++++++++++++++++++++++--------------------
src/qemu/qemu_process.c | 21 ++++++-----
src/util/vircgroup.c | 23 ++++++++++++
src/util/vircgroup.h | 4 ++-
src/util/virnuma.c | 28 +++++++++++++++
src/util/virnuma.h | 1 +
11 files changed, 194 insertions(+), 78 deletions(-)
--
2.2.0
10 years, 2 months
[libvirt] [PATCH v2 0/2] Rework reference counting in QEMU
by Martin Kletzander
Our reference locking for objects is a great and powerful thing. The
problem is that it was either not followed through completely or the
design was not complete, but it doesn't matter now. There are few
bugs in the code due to the reference counting and the daemon is
lacking some performance in specific scenarios.
This "series" tried to fix that using the following idea:
- Each API working with a domain object that has to get it from the
  list will have its *own* reference, not a borrowed one from the list.
- When adding a domain into the list, the reference counter is
  increased (this is the reference that is there just for being in
  the list) and when being removed, it is decreased. No
  special-casing of "if this was the last reference" and other
  funny stuff.
- When a job is created, there is no need to increase the reference
  counter as there are at least two references for the domain:
  1) The API that created the job has one, so if it's not async it
     will be kept until the API ends and at that point the job won't
     exist any more.
  2) The domain list has one and even though I said nobody needs to
     rely on that, async APIs probably will do that, but there's an
     excuse for that. In order to remove the domain from the list,
     you need a job and that won't succeed unless the async one
     ended. So we're good in this case as well.
After searching through the code for all things that needed to be
removed and fixing everything I could possibly think of, I tried a few
things on my setup and it looks like it works. However, I haven't
tried *every single API*, but I hope that's understandable. On the
other hand, I asked Pavel to try running virt-test with these patches
applied, hopefully we'll get an idea about how reliable this "series"
is.
I used "series" (with quotes) on purpose, because first patch just
adds two new wrappers for slightly modified function and the second
one changes the whole qemu driver at once. Unfortunately the second
patch couldn't be broken up to more parts due to the nature of the
fix.
Martin Kletzander (2):
conf: Rework virDomainObjListFindByUUID to allow more concurrent APIs
qemu: completely rework reference counting
src/conf/domain_conf.c | 29 +-
src/conf/domain_conf.h | 2 +
src/libvirt_private.syms | 1 +
src/qemu/THREADS.txt | 40 ++-
src/qemu/qemu_domain.c | 49 ++--
src/qemu/qemu_domain.h | 12 +-
src/qemu/qemu_driver.c | 708 ++++++++++++++++------------------------------
src/qemu/qemu_migration.c | 111 +++-----
src/qemu/qemu_migration.h | 10 +-
src/qemu/qemu_process.c | 77 ++---
10 files changed, 400 insertions(+), 639 deletions(-)
--
2.2.0
10 years, 2 months
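The reference rules from the cover letter above (a lookup returns the caller's own reference, list membership is one reference, removal drops only that one), as an added example that is not libvirt code. The types, the function names and the creator's initial reference are assumptions of this sketch; it shows why an object removed from the list while an API still uses it is not freed under the API.

```c
/* Added illustration of the reference rules in the cover letter above.
 * Not libvirt code: the types and function names are hypothetical. */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define LIST_MAX 8
struct obj { int refs; char name[16]; };
struct list { struct obj *items[LIST_MAX]; size_t n; };
int live_objects;              /* allocated and not yet freed */

struct obj *obj_new(const char *name)
{
    struct obj *o = calloc(1, sizeof(*o));
    if (!o)
        return NULL;
    strncpy(o->name, name, sizeof(o->name) - 1);
    o->refs = 1;               /* the creator's reference (assumed) */
    live_objects++;
    return o;
}

struct obj *obj_ref(struct obj *o) { o->refs++; return o; }

/* Drop one reference; returns true when that freed the object. */
bool obj_unref(struct obj *o)
{
    if (--o->refs > 0)
        return false;
    live_objects--;
    free(o);
    return true;
}

/* Being in the list counts as one reference of its own. */
int list_add(struct list *l, struct obj *o)
{
    if (l->n == LIST_MAX)
        return -1;
    l->items[l->n++] = obj_ref(o);
    return 0;
}

/* A lookup hands the caller its own reference, not the list's. */
struct obj *list_find(struct list *l, const char *name)
{
    for (size_t i = 0; i < l->n; i++)
        if (strcmp(l->items[i]->name, name) == 0)
            return obj_ref(l->items[i]);
    return NULL;
}

/* Removal drops only the list's reference: no "last reference?" check. */
int list_remove(struct list *l, const char *name)
{
    for (size_t i = 0; i < l->n; i++) {
        if (strcmp(l->items[i]->name, name) != 0)
            continue;
        obj_unref(l->items[i]);
        l->items[i] = l->items[--l->n];
        return 0;
    }
    return -1;
}

/* An API call is still using the object when it is removed from the list.
 * Returns the reference count at that moment (1 = only the API's). */
int refs_after_concurrent_remove(void)
{
    struct list l = { { NULL }, 0 };
    struct obj *o = obj_new("vm1"), *api;
    int refs;

    if (!o)
        return -1;
    list_add(&l, o);
    obj_unref(o);              /* creator is done; the list keeps it alive */
    api = list_find(&l, "vm1");
    list_remove(&l, "vm1");    /* e.g. the domain is undefined meanwhile */
    refs = api->refs;          /* still valid: the API holds a reference */
    obj_unref(api);            /* last reference, freed here */
    return refs;
}

int main(void)
{
    int refs = refs_after_concurrent_remove();
    printf("refs held after removal: %d, live objects: %d\n", refs, live_objects);
    return 0;
}
```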
Re: [libvirt] [openstack-dev] [nova] - 'nova reboot' causes console-log truncated
by Surojit Pathak
On 11/14/14 2:02 AM, Daniel P. Berrange wrote:
> On Thu, Nov 13, 2014 at 01:55:06PM -0800, Surojit Pathak wrote:
>> Hi all,
>>
>> [Issue observed]
>> If we issue 'nova reboot <server>', we get to have the console output of the
>> latest bootup of the server only. The console output of the previous boot
>> for the same server vanishes due to truncation[1]. If we do reboot from
>> within the VM instance [ #sudo reboot ], or reboot the instance with 'virsh
>> reboot <instance>' the behavior is not the same, where the console.log keeps
>> increasing, with the new output being appended.
>> This loss of history makes some debugging scenarios difficult due to lack of
>> information being available.
>>
>> Please point me to any solution/blueprint for this issue, if already
>> planned. Otherwise, please comment on my analysis and proposals as solution,
>> below -
>>
>> [Analysis]
>> Nova's libvirt driver on compute node tries to do a graceful restart of the
>> server instance, by attempting a soft_reboot first. If soft_reboot fails, it
>> attempts a hard_reboot. As part of soft_reboot, it brings down the instance
>> by calling shutdown(), and then calls createWithFlags() to bring this up.
>> Because of this, qemu-kvm process for the instance gets terminated and new
>> process is launched. In QEMU, the chardev file is opened with O_TRUNC, and
>> thus we lose the previous content of the console.log file.
>> On the other hand, during 'virsh reboot <instance>', the same qemu-kvm
>> process continues, and libvirt actually does a qemuDomainSetFakeReboot().
>> Thus the same file continues capturing the new console output as a
>> continuation into the same file.
> Nova and libvirt have support for issuing a graceful reboot via the QEMU
> guest agent. So if you make sure that is installed, and tell Nova to use
> it, then Nova won't have to stop & recreate the QEMU process and thus
> won't have the problem of overwriting the logs.
Hi Daniel,
Having GA do a graceful restart is a nice option. But if it were to just
preserve the same console file, even 'virsh reboot' achieves the
purpose. As I explained in my original analysis, Nova seems to have not
taken the path, as it does not want to have a false positive, where the
GA does not respond or 'virDomain.reboot' fails later and the domain is
not really restarted. [ CC-ed vish, author of nova/virt/libvirt/driver.py ]
IMHO, QEMU should preserve the console-log file for a given domain, if
it exists, by not opening with the O_TRUNC option, instead opening with
O_APPEND. I would like to draw a comparison with a real computer to which
we might be connected over a serial console: the box gets powered down
and up with an external button press, and we do not lose the console
history, if connected. And that's the experience console-log
intends to provide. If you think this is agreeable, please let me know,
I will send the patch to qemu-devel@.
--
Regards,
SURO
10 years, 2 months
Re: [libvirt] [PATCH 2/2] Add tests to xmconfigtest
by Jim Fehlig
Chun Yan Liu wrote:
>
>>>> On 12/23/2014 at 09:42 AM, in message <5498C888.6000903(a)suse.com>, Jim Fehlig
>>>>
> <jfehlig(a)suse.com> wrote:
>
>> Chunyan Liu wrote:
>>
>> Hi Chunyan,
>>
>> Thanks for the fix, and the test! But I have a few questions regarding
>> the latter...
>>
>>
>>> Add tests to testing HVM default features (pae, acpi, apic)
>>> conversion from xm config to libvirt xml and from libvirt
>>> xml to xm config.
>>>
>>> Signed-off-by: Chunyan Liu <cyliu(a)suse.com>
>>> ---
>>> .../xmconfigdata/test-fullvirt-default-feature.cfg | 23 +++++++++++
>>> .../test-fullvirt-default-feature.cfg.out | 26 ++++++++++++
>>> .../xmconfigdata/test-fullvirt-default-feature.xml | 48
>>>
>> ++++++++++++++++++++++
>>
>>> tests/xmconfigtest.c | 9 +++-
>>> 4 files changed, 105 insertions(+), 1 deletion(-)
>>> create mode 100644 tests/xmconfigdata/test-fullvirt-default-feature.cfg
>>> create mode 100644 tests/xmconfigdata/test-fullvirt-default-feature.cfg.out
>>> create mode 100644 tests/xmconfigdata/test-fullvirt-default-feature.xml
>>>
>>> diff --git a/tests/xmconfigdata/test-fullvirt-default-feature.cfg
>>>
>> b/tests/xmconfigdata/test-fullvirt-default-feature.cfg
>>
>>> new file mode 100644
>>> index 0000000..5ce234f
>>> --- /dev/null
>>> +++ b/tests/xmconfigdata/test-fullvirt-default-feature.cfg
>>>
>>>
>>
>> Why is this file needed?
>>
>
> Here we are testing default value conversion. That is:
> if there is no acpi/pae/apic specified in xm config, after conversion,
> libvirt xml should include:
> <features>
> <apic/>
> <acpi/>
> <pae/>
> </features>
>
Ah, ok. Agreed that this test is missing.
> So, from xm config -> xml, the cfg file should be like this.
>
>>
>>
>>> @@ -0,0 +1,23 @@
>>> +name = "XenGuest2"
>>> +uuid = "c7a5fdb2-cdaf-9455-926a-d65c16db1809
>>> +maxmem = 579
>>> +memory = 394
>>> +vcpus = 1
>>> +builder = "hvm"
>>> +kernel = "/usr/lib/xen/boot/hvmloader"
>>> +boot = "d"
>>> +hpet = 1
>>> +localtime = 0
>>> +on_poweroff = "destroy"
>>> +on_reboot = "restart"
>>> +on_crash = "restart"
>>> +device_model = "/usr/lib/xen/bin/qemu-dm"
>>> +sdl = 0
>>> +vnc = 1
>>> +vncunused = 1
>>> +vnclisten = "127.0.0.1"
>>> +vncpasswd = "123poi"
>>> +vif = [
>>>
>> "mac=00:16:3e:66:92:9c,bridge=xenbr1,script=vif-bridge,model=e1000,type=ioem
>> u" ]
>>
>>> +parallel = "none"
>>> +serial = "none"
>>> +disk = [ "phy:/dev/HostVG/XenGuest2,hda,w",
>>>
>> "file:/root/boot.iso,hdc:cdrom,r" ]
>>
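Review bot: the uuid line in test-fullvirt-default-feature.cfg, as quoted here, has no closing double quote (+uuid = "c7a5fdb2-cdaf-9455-926a-d65c16db1809), unlike the same line in the .cfg.out file below. Confirm the fixture itself has the closing quote, otherwise the xm config parser is being exercised on a malformed string rather than on the default-feature case.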
>>> diff --git a/tests/xmconfigdata/test-fullvirt-default-feature.cfg.out
>>>
>> b/tests/xmconfigdata/test-fullvirt-default-feature.cfg.out
>>
>>> new file mode 100644
>>> index 0000000..97a9827
>>> --- /dev/null
>>> +++ b/tests/xmconfigdata/test-fullvirt-default-feature.cfg.out
>>>
>>>
>>
>> IMO, this file should be renamed to 'test-fullvirt-default-feature.cfg'.
>>
>
> And from xml -> xm config, if in xml there is:
> <features>
> <apic/>
> <acpi/>
> <pae/>
> </features>
> Then after conversion, in xm config out file there will be explicitly:
> acpi=1
> apic=1
> pae=1
>
> So, this is a little different from test-fullvirt-default-feature.cfg.
>
This is actually tested in all of the other test-fullvirt-* tests. I
don't think we need an explicit test for it.
>
>>
>>
>>> @@ -0,0 +1,26 @@
>>> +name = "XenGuest2"
>>> +uuid = "c7a5fdb2-cdaf-9455-926a-d65c16db1809"
>>> +maxmem = 579
>>> +memory = 394
>>> +vcpus = 1
>>> +builder = "hvm"
>>> +kernel = "/usr/lib/xen/boot/hvmloader"
>>> +boot = "d"
>>> +pae = 1
>>> +acpi = 1
>>> +apic = 1
>>> +hpet = 1
>>> +localtime = 0
>>> +on_poweroff = "destroy"
>>> +on_reboot = "restart"
>>> +on_crash = "restart"
>>> +device_model = "/usr/lib/xen/bin/qemu-dm"
>>> +sdl = 0
>>> +vnc = 1
>>> +vncunused = 1
>>> +vnclisten = "127.0.0.1"
>>> +vncpasswd = "123poi"
>>> +vif = [
>>>
>> "mac=00:16:3e:66:92:9c,bridge=xenbr1,script=vif-bridge,model=e1000,type=ioem
>> u" ]
>>
>>> +parallel = "none"
>>> +serial = "none"
>>> +disk = [ "phy:/dev/HostVG/XenGuest2,hda,w",
>>>
>> "file:/root/boot.iso,hdc:cdrom,r" ]
>>
>>> diff --git a/tests/xmconfigdata/test-fullvirt-default-feature.xml
>>>
>> b/tests/xmconfigdata/test-fullvirt-default-feature.xml
>>
>>> new file mode 100644
>>> index 0000000..57a6531
>>> --- /dev/null
>>> +++ b/tests/xmconfigdata/test-fullvirt-default-feature.xml
>>> @@ -0,0 +1,48 @@
>>> +<domain type='xen'>
>>> + <name>XenGuest2</name>
>>> + <uuid>c7a5fdb2-cdaf-9455-926a-d65c16db1809</uuid>
>>> + <memory unit='KiB'>592896</memory>
>>> + <currentMemory unit='KiB'>403456</currentMemory>
>>> + <vcpu placement='static'>1</vcpu>
>>> + <os>
>>> + <type arch='i686' machine='xenfv'>hvm</type>
>>> + <loader type='rom'>/usr/lib/xen/boot/hvmloader</loader>
>>> + <boot dev='cdrom'/>
>>> + </os>
>>> + <features>
>>> + <acpi/>
>>> + <apic/>
>>> + <pae/>
>>> + </features>
>>> + <clock offset='utc' adjustment='reset'>
>>> + <timer name='hpet' present='yes'/>
>>> + </clock>
>>> + <on_poweroff>destroy</on_poweroff>
>>> + <on_reboot>restart</on_reboot>
>>> + <on_crash>restart</on_crash>
>>> + <devices>
>>> + <emulator>/usr/lib/xen/bin/qemu-dm</emulator>
>>> + <disk type='block' device='disk'>
>>> + <driver name='phy'/>
>>> + <source dev='/dev/HostVG/XenGuest2'/>
>>> + <target dev='hda' bus='ide'/>
>>> + </disk>
>>> + <disk type='file' device='cdrom'>
>>> + <driver name='file'/>
>>> + <source file='/root/boot.iso'/>
>>> + <target dev='hdc' bus='ide'/>
>>> + <readonly/>
>>> + </disk>
>>> + <interface type='bridge'>
>>> + <mac address='00:16:3e:66:92:9c'/>
>>> + <source bridge='xenbr1'/>
>>> + <script path='vif-bridge'/>
>>> + <model type='e1000'/>
>>> + </interface>
>>> + <input type='mouse' bus='ps2'/>
>>> + <input type='keyboard' bus='ps2'/>
>>> + <graphics type='vnc' port='-1' autoport='yes' listen='127.0.0.1'
>>>
>> passwd='123poi'>
>>
>>> + <listen type='address' address='127.0.0.1'/>
>>> + </graphics>
>>> + </devices>
>>> +</domain>
>>> diff --git a/tests/xmconfigtest.c b/tests/xmconfigtest.c
>>> index 0c6f803..b0b7b30 100644
>>> --- a/tests/xmconfigtest.c
>>> +++ b/tests/xmconfigtest.c
>>> @@ -176,21 +176,26 @@ testCompareHelper(const void *data)
>>> const struct testInfo *info = data;
>>> char *xml = NULL;
>>> char *cfg = NULL;
>>> + char *cfgout = NULL;
>>>
>>> if (virAsprintf(&xml, "%s/xmconfigdata/test-%s.xml",
>>> abs_srcdir, info->name) < 0 ||
>>> virAsprintf(&cfg, "%s/xmconfigdata/test-%s.cfg",
>>> + abs_srcdir, info->name) < 0 ||
>>> + virAsprintf(&cfgout, "%s/xmconfigdata/test-%s.cfg.out",
>>> abs_srcdir, info->name) < 0)
>>> goto cleanup;
>>>
>>> if (info->mode == 0)
>>> - result = testCompareParseXML(cfg, xml, info->version);
>>> + result = testCompareParseXML(virFileExists(cfgout) ? cfgout : cfg,
>>> + xml, info->version);
>>> else
>>> result = testCompareFormatXML(cfg, xml, info->version);
>>>
>>> cleanup:
>>> VIR_FREE(xml);
>>> VIR_FREE(cfg);
>>> + VIR_FREE(cfgout);
>>>
>>>
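Review bot: in the info->mode == 0 branch, "virFileExists(cfgout) ? cfgout : cfg" chooses the expected file by probing the filesystem, so a missing or misnamed .cfg.out fixture silently falls back to .cfg and the test can still pass while comparing against something else. Select the expected file explicitly per test case, for example through a field in struct testInfo, so that a missing fixture fails the test.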
>>
>> With the change suggested above, this hunk can be removed from
>> xmconfigtest.c. 'make check' passes for me with these changes.
>>
>
> 'make check' could pass, since it explicitly specifies acpi|pae|apic=1 in
> xm config, and explicitly include those features in xml. But our interested
> case is not tested, what we are trying to test is: if user doesn't specify
> acpi|pae|apic, xml should by default include those features.
>
Yep, understood. Unlike the existing tests, in this case we only want
to test xm -> xml conversion. I think a better solution would be to
introduce DO_TEST_PARSE and DO_TEST_FORMAT macros, calling those in
DO_TEST and individually when only needing to test one conversion.
Regards,
Jim
10 years, 2 months
[libvirt] [PATCH 0/2] fix xen HVM pae|apic|acpi features parser
by Chunyan Liu
According to xm.config manual, HVM pae|apic|acpi feature default
is 1 (enabled). But in conversion from xm config to libvirt xml,
if xm config doesn't contain pae|apic|acpi, it sets default value
to 0, this causes some problems in HVM guest.
Update parser code to set HVM pae|apic|acpi default value to 1
to match xm config convention.
Add test data to test it.
Chunyan Liu (2):
xenconfig: set HVM pae/apic/acpi/ default to 1
Add tests to xmconfigtest
src/xenconfig/xen_common.c | 6 +--
.../xmconfigdata/test-fullvirt-default-feature.cfg | 23 +++++++++++
.../test-fullvirt-default-feature.cfg.out | 26 ++++++++++++
.../xmconfigdata/test-fullvirt-default-feature.xml | 48 ++++++++++++++++++++++
tests/xmconfigtest.c | 9 +++-
5 files changed, 108 insertions(+), 4 deletions(-)
create mode 100644 tests/xmconfigdata/test-fullvirt-default-feature.cfg
create mode 100644 tests/xmconfigdata/test-fullvirt-default-feature.cfg.out
create mode 100644 tests/xmconfigdata/test-fullvirt-default-feature.xml
--
1.8.4.5
10 years, 2 months
[libvirt] [PATCH v2] test: fix nwfilter tests following changes in virfirewall.c
by Stefan Berger
Some of the nwfilter tests are now failing since --concurrent shows
up in the ebtables command. To avoid this, implement a function
preventing the probing for lock support in the eb/iptables tools
and use it in the tests.
Signed-off-by: Stefan Berger <stefanb(a)linux.vnet.ibm.com>
---
src/libvirt_private.syms | 1 +
src/util/virfirewall.c | 9 +++++++++
src/util/virfirewall.h | 2 ++
tests/nwfilterebiptablestest.c | 3 +++
tests/nwfilterxml2firewalltest.c | 2 ++
5 files changed, 17 insertions(+)
diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms
index 2647d36..22d9116 100644
--- a/src/libvirt_private.syms
+++ b/src/libvirt_private.syms
@@ -1362,6 +1362,7 @@ virFirewallRuleAddArgList;
virFirewallRuleAddArgSet;
virFirewallRuleGetArgCount;
virFirewallSetBackend;
+virFirewallSetLockOverride;
virFirewallStartRollback;
virFirewallStartTransaction;
diff --git a/src/util/virfirewall.c b/src/util/virfirewall.c
index 8496062..b536912 100644
--- a/src/util/virfirewall.c
+++ b/src/util/virfirewall.c
@@ -107,6 +107,13 @@ VIR_ONCE_GLOBAL_INIT(virFirewall)
static bool iptablesUseLock;
static bool ip6tablesUseLock;
static bool ebtablesUseLock;
+static bool lockOverride; /* true to avoid lock probes */
+
+void
+virFirewallSetLockOverride(bool avoid)
+{
+ lockOverride = avoid;
+}
static void
virFirewallCheckUpdateLock(bool *lockflag,
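Review bot: virFirewallSetLockOverride() is added without a comment saying who may call it, and the symbol is exported through libvirt_private.syms, so nothing marks it as test-only. Since passing true disables the probe that decides whether "--concurrent" is given to ebtables, document above the function that it exists for the test suite and is not meant for daemon code.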
@@ -135,6 +142,8 @@ virFirewallCheckUpdateLocking(void)
const char *ebtablesArgs[] = {
EBTABLES_PATH, "--concurrent", "-L", NULL,
};
+ if (lockOverride)
+ return;
virFirewallCheckUpdateLock(&iptablesUseLock,
iptablesArgs);
virFirewallCheckUpdateLock(&ip6tablesUseLock,
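Review bot: the early "if (lockOverride) return;" in virFirewallCheckUpdateLocking() leaves iptablesUseLock, ip6tablesUseLock and ebtablesUseLock at whatever they held before, so the override only has the intended effect if it is set before any probe has run. Clearing the three flags before returning would make the result independent of call order.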
diff --git a/src/util/virfirewall.h b/src/util/virfirewall.h
index 1129219..dbf3975 100644
--- a/src/util/virfirewall.h
+++ b/src/util/virfirewall.h
@@ -106,4 +106,6 @@ void virFirewallStartRollback(virFirewallPtr firewall,
int virFirewallApply(virFirewallPtr firewall);
+void virFirewallSetLockOverride(bool avoid);
+
#endif /* __VIR_FIREWALL_H__ */
diff --git a/tests/nwfilterebiptablestest.c b/tests/nwfilterebiptablestest.c
index e04bc21..e1330ef 100644
--- a/tests/nwfilterebiptablestest.c
+++ b/tests/nwfilterebiptablestest.c
@@ -24,6 +24,7 @@
#include "testutils.h"
#include "nwfilter/nwfilter_ebiptables_driver.h"
#include "virbuffer.h"
+#include "virfirewall.h"
#define __VIR_FIREWALL_PRIV_H_ALLOW__
#include "virfirewallpriv.h"
@@ -522,6 +523,8 @@ mymain(void)
{
int ret = 0;
+ virFirewallSetLockOverride(true);
+
if (virFirewallSetBackend(VIR_FIREWALL_BACKEND_DIRECT) < 0) {
ret = -1;
goto cleanup;
diff --git a/tests/nwfilterxml2firewalltest.c b/tests/nwfilterxml2firewalltest.c
index 01527f4..167ad42 100644
--- a/tests/nwfilterxml2firewalltest.c
+++ b/tests/nwfilterxml2firewalltest.c
@@ -474,6 +474,8 @@ mymain(void)
ret = -1; \
} while (0)
+ virFirewallSetLockOverride(true);
+
if (virFirewallSetBackend(VIR_FIREWALL_BACKEND_DIRECT) < 0) {
ret = -1;
goto cleanup;
--
1.9.3
10 years, 2 months