September 2014 - Devel - libvirt List Archives

[libvirt] [PATCH 0/3] Add "rawio" for hostdev
by John Ferlan 19 Sep '14

19 Sep '14

The "rawio" setting for a <device.../> <disk.../> lun isn't duplicated in the scsi_host hostdev device for a lun. Rather than "requiring" some disk in the disk list to add the rawio, add the "rawio" property to the scsi_host hostdev lun. John Ferlan (3): hostdev: Add "rawio" attribute to _virDomainHostdevSubsysSCSI qemu: Process the hostdev "rawio" setting domain_conf: Process the "rawio" for a hostdev device docs/formatdomain.html.in | 12 ++++++-- docs/schemas/domaincommon.rng | 18 +++++++---- src/conf/domain_conf.c | 31 +++++++++++++++++++ src/conf/domain_conf.h | 2 ++ src/qemu/qemu_domain.c | 21 +++++++++++++ src/qemu/qemu_domain.h | 4 +++ src/qemu/qemu_driver.c | 1 + src/qemu/qemu_process.c | 20 ++++++++++++- .../qemuxml2argv-hostdev-scsi-rawio.xml | 35 ++++++++++++++++++++++ tests/qemuxml2xmltest.c | 1 + 10 files changed, 135 insertions(+), 10 deletions(-) create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-hostdev-scsi-rawio.xml -- 1.9.3

3 9

[libvirt] [PATCH] LXC: add HOME environment variable docs
by Chen Hanxiao 19 Sep '14

19 Sep '14

commit 3020594ac57c5e06e79f3db8c765f6bb18c40802 add HOME environment variable. Add a doc for this. Signed-off-by: Chen Hanxiao <chenhanxiao(a)cn.fujitsu.com> --- docs/drvlxc.html.in | 2 ++ 1 file changed, 2 insertions(+) diff --git a/docs/drvlxc.html.in b/docs/drvlxc.html.in index 403ce24..31da37c 100644 --- a/docs/drvlxc.html.in +++ b/docs/drvlxc.html.in @@ -88,6 +88,8 @@ to be provided by all container technologies on Linux. <dd>The fixed string <code>/bin:/usr/bin</code></dd> <dt>TERM</dt> <dd>The fixed string <code>linux</code></dd> +<dt>HOME</dt> +<dd>The fixed string <code>/</code></dd> </dl> <p> -- 1.9.0

2 1

[libvirt] [PATCH v2] Move the FIPS detection from capabilities
by Pavel Hrdina 19 Sep '14

19 Sep '14

We are not detecting the presence of FIPS from QEMU, but from procfs and that means it's not QEMU capability. It was decided that we will pass this flag to QEMU even if it's not supported by old QEMU binaries. This patch also reverts changes done by commit a21cfb0f to qemucapabilitestest and implements a new test case in qemuxml2argvtest. Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1135431 Signed-off-by: Pavel Hrdina <phrdina(a)redhat.com> --- src/qemu/qemu_capabilities.c | 24 --------------- src/qemu/qemu_command.c | 34 ++++++++++++++++++++-- src/qemu/qemu_command.h | 6 +++- src/qemu/qemu_driver.c | 3 +- src/qemu/qemu_process.c | 3 +- tests/qemucapabilitiesdata/caps_1.2.2-1.caps | 1 - tests/qemucapabilitiesdata/caps_1.6.0-1.caps | 1 - tests/qemucapabilitiestest.c | 20 ++++--------- .../qemuxml2argv-fips-enabled.args | 6 ++++ .../qemuxml2argvdata/qemuxml2argv-fips-enabled.xml | 25 ++++++++++++++++ tests/qemuxml2argvtest.c | 9 +++++- tests/qemuxmlnstest.c | 2 +- 12 files changed, 86 insertions(+), 48 deletions(-) create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-fips-enabled.args create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-fips-enabled.xml diff --git a/src/qemu/qemu_capabilities.c b/src/qemu/qemu_capabilities.c index 9246813..5c3778d 100644 --- a/src/qemu/qemu_capabilities.c +++ b/src/qemu/qemu_capabilities.c @@ -3215,30 +3215,6 @@ virQEMUCapsInitQMP(virQEMUCapsPtr qemuCaps, config.data.nix.path = monpath; config.data.nix.listen = false; - /* Qemu 1.2 and later have a binary flag -enable-fips that must be - * used for VNC auth to obey FIPS settings; but the flag only - * exists on Linux, and with no way to probe for it via QMP. Our - * solution: if FIPS mode is required, then unconditionally use - * the flag, regardless of qemu version, for the following matrix: - * - * old QEMU new QEMU - * FIPS enabled doesn't start VNC auth disabled - * FIPS disabled/missing VNC auth enabled VNC auth enabled - * - * Setting the flag here instead of in virQEMUCapsInitQMPMonitor - * or virQEMUCapsInitHelp also allows the testsuite to be - * independent of FIPS setting. - */ - if (virFileExists("/proc/sys/crypto/fips_enabled")) { - char *buf = NULL; - - if (virFileReadAll("/proc/sys/crypto/fips_enabled", 10, &buf) < 0) - goto cleanup; - if (STREQ(buf, "1\n")) - virQEMUCapsSet(qemuCaps, QEMU_CAPS_ENABLE_FIPS); - VIR_FREE(buf); - } - VIR_DEBUG("Try to get caps via QMP qemuCaps=%p", qemuCaps); /* diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c index f2e6e5a..911d026 100644 --- a/src/qemu/qemu_command.c +++ b/src/qemu/qemu_command.c @@ -3293,6 +3293,35 @@ qemuCheckDiskConfig(virDomainDiskDefPtr disk) } +/* Qemu 1.2 and later have a binary flag -enable-fips that must be + * used for VNC auth to obey FIPS settings; but the flag only + * exists on Linux, and with no way to probe for it via QMP. Our + * solution: if FIPS mode is required, then unconditionally use + * the flag, regardless of qemu version, for the following matrix: + * + * old QEMU new QEMU + * FIPS enabled doesn't start VNC auth disabled + * FIPS disabled/missing VNC auth enabled VNC auth enabled + */ +bool +qemuCheckFips(void) +{ + bool ret = false; + + if (virFileExists("/proc/sys/crypto/fips_enabled")) { + char *buf = NULL; + + if (virFileReadAll("/proc/sys/crypto/fips_enabled", 10, &buf) < 0) + return ret; + if (STREQ(buf, "1\n")) + ret = true; + VIR_FREE(buf); + } + + return ret; +} + + char * qemuBuildDriveStr(virConnectPtr conn, virDomainDiskDefPtr disk, @@ -7543,7 +7572,8 @@ qemuBuildCommandLine(virConnectPtr conn, virDomainSnapshotObjPtr snapshot, virNetDevVPortProfileOp vmop, qemuBuildCommandLineCallbacksPtr callbacks, - bool standalone) + bool standalone, + bool enableFips) { virErrorPtr originalError = NULL; size_t i, j; @@ -7656,7 +7686,7 @@ qemuBuildCommandLine(virConnectPtr conn, if (!standalone) virCommandAddArg(cmd, "-S"); /* freeze CPU */ - if (virQEMUCapsGet(qemuCaps, QEMU_CAPS_ENABLE_FIPS)) + if (enableFips) virCommandAddArg(cmd, "-enable-fips"); if (qemuBuildMachineArgStr(cmd, def, qemuCaps) < 0) diff --git a/src/qemu/qemu_command.h b/src/qemu/qemu_command.h index 633ff71..aa40c9e 100644 --- a/src/qemu/qemu_command.h +++ b/src/qemu/qemu_command.h @@ -78,7 +78,8 @@ virCommandPtr qemuBuildCommandLine(virConnectPtr conn, virDomainSnapshotObjPtr current_snapshot, virNetDevVPortProfileOp vmop, qemuBuildCommandLineCallbacksPtr callbacks, - bool forXMLToArgv) + bool forXMLToArgv, + bool enableFips) ATTRIBUTE_NONNULL(1) ATTRIBUTE_NONNULL(11); /* Generate '-device' string for chardev device */ @@ -273,4 +274,7 @@ int qemuGetDriveSourceString(virStorageSourcePtr src, char **source); int qemuCheckDiskConfig(virDomainDiskDefPtr disk); + +bool +qemuCheckFips(void); #endif /* __QEMU_COMMAND_H__*/ diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c index 5fd89a3..f1b3348 100644 --- a/src/qemu/qemu_driver.c +++ b/src/qemu/qemu_driver.c @@ -6127,7 +6127,8 @@ static char *qemuConnectDomainXMLToNative(virConnectPtr conn, NULL, -1, NULL, VIR_NETDEV_VPORT_PROFILE_OP_NO_OP, &buildCommandLineCallbacks, - true))) + true, + qemuCheckFips()))) goto cleanup; ret = virCommandToString(cmd); diff --git a/src/qemu/qemu_process.c b/src/qemu/qemu_process.c index 8853d27..40b8576 100644 --- a/src/qemu/qemu_process.c +++ b/src/qemu/qemu_process.c @@ -4304,7 +4304,8 @@ int qemuProcessStart(virConnectPtr conn, if (!(cmd = qemuBuildCommandLine(conn, driver, vm->def, priv->monConfig, priv->monJSON, priv->qemuCaps, migrateFrom, stdin_fd, snapshot, vmop, - &buildCommandLineCallbacks, false))) + &buildCommandLineCallbacks, false, + qemuCheckFips()))) goto cleanup; /* now that we know it is about to start call the hook if present */ diff --git a/tests/qemucapabilitiesdata/caps_1.2.2-1.caps b/tests/qemucapabilitiesdata/caps_1.2.2-1.caps index c8a379a..3b1b699 100644 --- a/tests/qemucapabilitiesdata/caps_1.2.2-1.caps +++ b/tests/qemucapabilitiesdata/caps_1.2.2-1.caps @@ -112,7 +112,6 @@ <flag name='usb-storage'/> <flag name='usb-storage.removable'/> <flag name='kvm-pit-lost-tick-policy'/> - <flag name='enable-fips'/> <flag name='usb-kbd'/> <flag name='host-pci-multidomain'/> <flag name='usb-audio'/> diff --git a/tests/qemucapabilitiesdata/caps_1.6.0-1.caps b/tests/qemucapabilitiesdata/caps_1.6.0-1.caps index e10f030..21d4320 100644 --- a/tests/qemucapabilitiesdata/caps_1.6.0-1.caps +++ b/tests/qemucapabilitiesdata/caps_1.6.0-1.caps @@ -138,7 +138,6 @@ <flag name='boot-strict'/> <flag name='pvpanic'/> <flag name='reboot-timeout'/> - <flag name='enable-fips'/> <flag name='spice-file-xfer-disable'/> <flag name='spiceport'/> <flag name='usb-kbd'/> diff --git a/tests/qemucapabilitiestest.c b/tests/qemucapabilitiestest.c index 4e5f9e5..c52ec6c 100644 --- a/tests/qemucapabilitiestest.c +++ b/tests/qemucapabilitiestest.c @@ -31,7 +31,6 @@ typedef testQemuData *testQemuDataPtr; struct _testQemuData { virDomainXMLOptionPtr xmlopt; const char *base; - bool fips; }; static qemuMonitorTestPtr @@ -143,12 +142,6 @@ testQemuCaps(const void *opaque) qemuMonitorTestGetMonitor(mon)) < 0) goto cleanup; - /* So that our test does not depend on the contents of /proc, we - * hoisted the setting of ENABLE_FIPS to virQEMUCapsInitQMP. But - * we do want to test the effect of that flag. */ - if (data->fips) - virQEMUCapsSet(capsComputed, QEMU_CAPS_ENABLE_FIPS); - if (testQemuCapsCompare(capsProvided, capsComputed) < 0) goto cleanup; @@ -183,19 +176,16 @@ mymain(void) data.xmlopt = xmlopt; -#define DO_TEST_FULL(name, use_fips) \ - data.base = name; \ - data.fips = use_fips; \ - if (virtTestRun(name, testQemuCaps, &data) < 0) \ +#define DO_TEST(name) \ + data.base = name; \ + if (virtTestRun(name, testQemuCaps, &data) < 0) \ ret = -1 -#define DO_TEST(name) DO_TEST_FULL(name, false) - - DO_TEST_FULL("caps_1.2.2-1", true); + DO_TEST("caps_1.2.2-1"); DO_TEST("caps_1.3.1-1"); DO_TEST("caps_1.4.2-1"); DO_TEST("caps_1.5.3-1"); - DO_TEST_FULL("caps_1.6.0-1", true); + DO_TEST("caps_1.6.0-1"); DO_TEST("caps_1.6.50-1"); virObjectUnref(xmlopt); diff --git a/tests/qemuxml2argvdata/qemuxml2argv-fips-enabled.args b/tests/qemuxml2argvdata/qemuxml2argv-fips-enabled.args new file mode 100644 index 0000000..196f61f --- /dev/null +++ b/tests/qemuxml2argvdata/qemuxml2argv-fips-enabled.args @@ -0,0 +1,6 @@ +LC_ALL=C PATH=/bin HOME=/home/test USER=test LOGNAME=test QEMU_AUDIO_DRV=none \ +/usr/bin/qemu \ +-S -enable-fips -M pc -m 214 -smp 1 -nographic -monitor \ +unix:/tmp/test-monitor,server,nowait -no-acpi -boot c -usb \ +-hda /dev/HostVG/QEMUGuest1 -net none -serial \ +none -parallel none diff --git a/tests/qemuxml2argvdata/qemuxml2argv-fips-enabled.xml b/tests/qemuxml2argvdata/qemuxml2argv-fips-enabled.xml new file mode 100644 index 0000000..a6b041d --- /dev/null +++ b/tests/qemuxml2argvdata/qemuxml2argv-fips-enabled.xml @@ -0,0 +1,25 @@ +<domain type='qemu'> + <name>QEMUGuest1</name> + <uuid>c7a5fdbd-edaf-9455-926a-d65c16db1809</uuid> + <memory unit='KiB'>219100</memory> + <currentMemory unit='KiB'>219100</currentMemory> + <vcpu placement='static' cpuset='1-4,8-20,525'>1</vcpu> + <os> + <type arch='i686' machine='pc'>hvm</type> + <boot dev='hd'/> + </os> + <clock offset='utc'/> + <on_poweroff>destroy</on_poweroff> + <on_reboot>restart</on_reboot> + <on_crash>destroy</on_crash> + <devices> + <emulator>/usr/bin/qemu</emulator> + <disk type='block' device='disk'> + <source dev='/dev/HostVG/QEMUGuest1'/> + <target dev='hda' bus='ide'/> + <address type='drive' controller='0' bus='0' target='0' unit='0'/> + </disk> + <controller type='ide' index='0'/> + <memballoon model='virtio'/> + </devices> +</domain> diff --git a/tests/qemuxml2argvtest.c b/tests/qemuxml2argvtest.c index 275e699..ab923d0 100644 --- a/tests/qemuxml2argvtest.c +++ b/tests/qemuxml2argvtest.c @@ -259,6 +259,7 @@ typedef enum { FLAG_EXPECT_FAILURE = 1 << 1, FLAG_EXPECT_PARSE_ERROR = 1 << 2, FLAG_JSON = 1 << 3, + FLAG_FIPS = 1 << 4, } virQemuXML2ArgvTestFlags; static int testCompareXMLToArgvFiles(const char *xml, @@ -360,7 +361,8 @@ static int testCompareXMLToArgvFiles(const char *xml, (flags & FLAG_JSON), extraFlags, migrateFrom, migrateFd, NULL, VIR_NETDEV_VPORT_PROFILE_OP_NO_OP, - &testCallbacks, false))) { + &testCallbacks, false, + (flags & FLAG_FIPS)))) { if (!virtTestOOMActive() && (flags & FLAG_EXPECT_FAILURE)) { ret = 0; @@ -443,6 +445,9 @@ testCompareXMLToArgvHelper(const void *data) if (virQEMUCapsGet(info->extraFlags, QEMU_CAPS_MONITOR_JSON)) flags |= FLAG_JSON; + if (virQEMUCapsGet(info->extraFlags, QEMU_CAPS_ENABLE_FIPS)) + flags |= FLAG_FIPS; + result = testCompareXMLToArgvFiles(xml, args, info->extraFlags, info->migrateFrom, info->migrateFd, flags); @@ -1455,6 +1460,8 @@ mymain(void) DO_TEST("panic", QEMU_CAPS_DEVICE_PANIC, QEMU_CAPS_DEVICE, QEMU_CAPS_NODEFCONFIG); + DO_TEST("fips-enabled", QEMU_CAPS_ENABLE_FIPS); + virObjectUnref(driver.config); virObjectUnref(driver.caps); virObjectUnref(driver.xmlopt); diff --git a/tests/qemuxmlnstest.c b/tests/qemuxmlnstest.c index e8f70d6..b3a608c 100644 --- a/tests/qemuxmlnstest.c +++ b/tests/qemuxmlnstest.c @@ -119,7 +119,7 @@ static int testCompareXMLToArgvFiles(const char *xml, vmdef, &monitor_chr, json, extraFlags, migrateFrom, migrateFd, NULL, VIR_NETDEV_VPORT_PROFILE_OP_NO_OP, - &testCallbacks, false))) + &testCallbacks, false, false))) goto fail; if (!virtTestOOMActive()) { -- 1.8.5.5

2 2

[libvirt] How do I modify an existing network filter?
by duyahong＠kingsoft.com 19 Sep '14

19 Sep '14

Hi All, We have a requirement to allow more than one IP connect to external network through one mac address. We suppose we need to modify the network filter but we can't find the python API or anything else to change the existing network filter. Does anyone know what I should do? We tried another way to add a parameter to 'filterref' in the instance xml file like below blue part and it worked. But we have to restart the instance to make this configufation effective. Can I make the xml change effective without restart the instance? Any help will be appreciated. <interface type='bridge'> <mac address='fa:16:3e:2f:00:09'/> <source bridge='br_vm'/> <model type='virtio'/> <filterref filter='nova-instance-instance-00000018-fa163e2f0009'> <parameter name='DHCPSERVER' value='50.1.1.1'/> <parameter name='IP' value='50.1.1.223'/> <parameter name='IP' value='50.1.1.222'/> </filterref> <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/> </interface> duyahong(a)kingsoft.com

1 0

[libvirt] [PATCH 1/1] apparmor: use TEMPLATE.qemu for kvm
by Serge Hallyn 18 Sep '14

18 Sep '14

virDomainVirtTypeToString() returns 'qemu' and 'kvm' separately. Don't require a separate apparmor profile for both, rather always look for TEMPLATE.qemu. Signed-off-by: Serge Hallyn <serge.hallyn(a)ubuntu.com> --- src/security/virt-aa-helper.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c index a06ba44..0447248 100644 --- a/src/security/virt-aa-helper.c +++ b/src/security/virt-aa-helper.c @@ -341,15 +341,19 @@ create_profile(const char *profile, const char *profile_name, int tlen, plen; int fd; int rc = -1; + const char *virttype; if (virFileExists(profile)) { vah_error(NULL, 0, _("profile exists")); goto end; } + virttype = virDomainVirtTypeToString(virtType); + if (strcmp(virttype, "kvm") == 0) + virttype = "qemu"; if (virAsprintfQuiet(&template, "%s/TEMPLATE.%s", APPARMOR_DIR "/libvirt", - virDomainVirtTypeToString(virtType)) < 0) { + virttype) < 0) { vah_error(NULL, 0, _("template name exceeds maximum length")); goto end; } -- 2.1.0

1 0

[libvirt] [PATCH] Move the FIPS detection from capabilities
by Pavel Hrdina 18 Sep '14

18 Sep '14

We are not detecting the presence of FIPS from QEMU, but from procfs and that means it's not QEMU capability. It was decided that we will pass this flag to QEMU even if it's not supported by old QEMU binaries. Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1135431 Signed-off-by: Pavel Hrdina <phrdina(a)redhat.com> --- Note: The original bug is that we are not detecting whether libvirtd binary has been updated, we detect that only for QEMU binary. So you could update libvirt without updating QEMU and new capabilities that could already exists in QEMU, but was recently implemented in libvirt wasn't enabled. I'll post a patch to fix this bug. src/qemu/qemu_capabilities.c | 24 ------------------------ src/qemu/qemu_command.c | 25 +++++++++++++++++++++++-- 2 files changed, 23 insertions(+), 26 deletions(-) diff --git a/src/qemu/qemu_capabilities.c b/src/qemu/qemu_capabilities.c index 9246813..5c3778d 100644 --- a/src/qemu/qemu_capabilities.c +++ b/src/qemu/qemu_capabilities.c @@ -3215,30 +3215,6 @@ virQEMUCapsInitQMP(virQEMUCapsPtr qemuCaps, config.data.nix.path = monpath; config.data.nix.listen = false; - /* Qemu 1.2 and later have a binary flag -enable-fips that must be - * used for VNC auth to obey FIPS settings; but the flag only - * exists on Linux, and with no way to probe for it via QMP. Our - * solution: if FIPS mode is required, then unconditionally use - * the flag, regardless of qemu version, for the following matrix: - * - * old QEMU new QEMU - * FIPS enabled doesn't start VNC auth disabled - * FIPS disabled/missing VNC auth enabled VNC auth enabled - * - * Setting the flag here instead of in virQEMUCapsInitQMPMonitor - * or virQEMUCapsInitHelp also allows the testsuite to be - * independent of FIPS setting. - */ - if (virFileExists("/proc/sys/crypto/fips_enabled")) { - char *buf = NULL; - - if (virFileReadAll("/proc/sys/crypto/fips_enabled", 10, &buf) < 0) - goto cleanup; - if (STREQ(buf, "1\n")) - virQEMUCapsSet(qemuCaps, QEMU_CAPS_ENABLE_FIPS); - VIR_FREE(buf); - } - VIR_DEBUG("Try to get caps via QMP qemuCaps=%p", qemuCaps); /* diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c index f2e6e5a..3532518 100644 --- a/src/qemu/qemu_command.c +++ b/src/qemu/qemu_command.c @@ -7656,8 +7656,29 @@ qemuBuildCommandLine(virConnectPtr conn, if (!standalone) virCommandAddArg(cmd, "-S"); /* freeze CPU */ - if (virQEMUCapsGet(qemuCaps, QEMU_CAPS_ENABLE_FIPS)) - virCommandAddArg(cmd, "-enable-fips"); + /* Qemu 1.2 and later have a binary flag -enable-fips that must be + * used for VNC auth to obey FIPS settings; but the flag only + * exists on Linux, and with no way to probe for it via QMP. Our + * solution: if FIPS mode is required, then unconditionally use + * the flag, regardless of qemu version, for the following matrix: + * + * old QEMU new QEMU + * FIPS enabled doesn't start VNC auth disabled + * FIPS disabled/missing VNC auth enabled VNC auth enabled + * + * Setting the flag here instead of in virQEMUCapsInitQMPMonitor + * or virQEMUCapsInitHelp also allows the testsuite to be + * independent of FIPS setting. + */ + if (virFileExists("/proc/sys/crypto/fips_enabled")) { + char *buf = NULL; + + if (virFileReadAll("/proc/sys/crypto/fips_enabled", 10, &buf) < 0) + goto error; + if (STREQ(buf, "1\n")) + virCommandAddArg(cmd, "-enable-fips"); + VIR_FREE(buf); + } if (qemuBuildMachineArgStr(cmd, def, qemuCaps) < 0) goto error; -- 1.8.5.5

2 5

[libvirt] [PATCH] virSecuritySELinuxSetTapFDLabel: Temporarily revert to old behavior
by Michal Privoznik 18 Sep '14

18 Sep '14

https://bugzilla.redhat.com/show_bug.cgi?id=1141879 A long time ago I've implemented support for so called multiqueue net. The idea was to let guest network traffic be processed by multiple host CPUs and thus increasing performance. However, this behavior is enabled by QEMU via special ioctl() iterated over the all tap FDs passed in by libvirt. Unfortunately, SELinux comes in and disallows the ioctl() call because the /dev/net/tun has label system_u:object_r:tun_tap_device_t:s0 and 'attach_queue' ioctl() is not allowed on tun_tap_device_t type. So after discussion with a SELinux developer we've decided that the FDs passed to the QEMU should be labelled with svirt_t type and SELinux policy will allow the ioctl(). Therefore I've made a patch (cf976d9dcf4e592261b14f03572) that does exactly this. However, things are not that easy - even though the API to label FD is called (fsetfilecon_raw) the underlying file is labelled too! So effectively we are mangling /dev/net/tun label. Yes, that broke dozen of other application from openvpn, or boxes, to qemu running other domains. The best solution would be if SELinux provides a way to label an FD only, which could be then labeled when passed to the qemu. However that's a long path to go and we should fix this regression AQAP. So I went to talk to the SELinux developer again and we agreed on temporary solution that: 1) my patch is reverted 2) SELinux temporarily allows 'attach_queue' on the tun_tap_device_t Signed-off-by: Michal Privoznik <mprivozn(a)redhat.com> --- src/security/security_selinux.c | 36 +++++++++++++++++++++++++++++++++--- 1 file changed, 33 insertions(+), 3 deletions(-) diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c index 3db2b27..c69eeb9 100644 --- a/src/security/security_selinux.c +++ b/src/security/security_selinux.c @@ -2343,17 +2343,47 @@ virSecuritySELinuxSetImageFDLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, } static int -virSecuritySELinuxSetTapFDLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, +virSecuritySELinuxSetTapFDLabel(virSecurityManagerPtr mgr, virDomainDefPtr def, int fd) { + struct stat buf; + security_context_t fcon = NULL; virSecurityLabelDefPtr secdef; + char *str = NULL; + int rc = -1; secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME); - if (!secdef || !secdef->imagelabel) + if (!secdef || !secdef->label) return 0; - return virSecuritySELinuxFSetFilecon(fd, secdef->imagelabel); + if (fstat(fd, &buf) < 0) { + virReportSystemError(errno, _("cannot stat tap fd %d"), fd); + goto cleanup; + } + + if ((buf.st_mode & S_IFMT) != S_IFCHR) { + virReportError(VIR_ERR_INTERNAL_ERROR, + _("tap fd %d is not character device"), fd); + goto cleanup; + } + + if (getContext(mgr, "/dev/tap.*", buf.st_mode, &fcon) < 0) { + virReportError(VIR_ERR_INTERNAL_ERROR, + _("cannot lookup default selinux label for tap fd %d"), fd); + goto cleanup; + } + + if (!(str = virSecuritySELinuxContextAddRange(secdef->label, fcon))) { + goto cleanup; + } else { + rc = virSecuritySELinuxFSetFilecon(fd, str); + } + + cleanup: + freecon(fcon); + VIR_FREE(str); + return rc; } static char * -- 1.8.5.5

3 3

Re: [libvirt] [virt-tools-list] [PATCH virt-manager] details: Add UI for enabling UEFI via 'customize before install'
by Eric Blake 18 Sep '14

18 Sep '14

[adding libvirt] On 09/18/2014 06:28 AM, Cole Robinson wrote: > - Say you are connecting from a new libvirt UNDEFINE_NVRAM support (say Fedora > 21 GA), to an old libvirt without it, like F20 or RHEL7.0. If we specify the > flag unconditionally, the undefineFlags call will fail, which also means that > we lose the benefit of the other UNDEFINE flags. So if the VM had managedsave > data, the undefine will fail saying we need to remove it first. > > - Not all drivers support the UNDEFINE_NVRAM flag, like the 'test' driver > which we use heavily for virt-manager development. If we pass the flag > unconditionally, then the current code loses the benefit of all UNDEFINE > flags, and trying to delete a VM with managedsave data will fail. > > The existing code has similar problems as well though, since we lump all the > UNDEFINE flags together, so it certainly isn't perfect. However my hack of > checking for nvram in the XML avoids some of the common issues, so I'll extend > it with the logic you pointed out. > > Trying to figure out if an API or flag is supported with an arbitrary libvirt > connection is a pain: it's a factor of host libvirt version, host > libvirt-python version, remote libvirt version, libvirt hv driver, hv version. > Some readonly APIs you can get away with just testing first, but undefine > isn't one of them :) Maybe we can get a libvirt API exposing the driver > function table at least? Hmm, I've been thinking about that too. It would indeed be nice to introspect what APIs are available, and for those APIs with a flags parameter, what flag(s) bits are supported. What signature would we want? Thinking aloud here... Maybe: struct virAPI { const char *name; /* Name of the C API call */ unsigned int flags; /* The flag bits that are understood, if the C API includes a flags argument */ }; /* Allocate a list of supported API information into *list, and return the length of the list. User must call free() on the array when done. flags is 0 for now */ int virConnectListAPI(virConnectPtr conn, virAPIPtr *list, unsigned int flags); Or even having an enum mapping of C API names, instead of passing around char*. But the enum would not quite match the RPC call numbers. Implementation-wise, we've got a lot of driver calls that manually call virCheckFlags() at the front; maybe what we would do is modify the driver.h callback list to have a struct that contains both a callback pointer AND a flags value, rather than the current use of just a callback pointer; then we can make the rejection of unsupported flags in common code instead of manual virCheckFlags() everywhere, and we could also use the population of that registration as our point of documentation for when support for given bits in the flags argument is added. There's still the question of how dynamic this can be - for example, some qemu driver APIs accept a flag in name, but then fail if the underlying qemu binary is too old. Is it sufficient to document that the API knows about the flag, or do we really want the more complex solution of getting the exact subset of flags that have a chance of succeeding based on the underlying qemu binary? I'm leaning towards having the introspection API just report a flag if the driver plans on handling it; and in the cases where the underlying binary can cause the flag to succeed or fail, we can then use virConnectGetDomainCapabilities to advertise that sort of runtime difference (in other words, the API I'm thinking about adding is static and won't change answers based on a qemu upgrade; anything that depends on the actual running qemu affects is reflected through existing API). What about APIs that accept more than just a flags argument, such as the recent virConnectGetAllDomainStats, which as both a stats and flags parameter? Should the virAPI return struct contain a virTypedParameters or similar thing that can let us describe multiple details about a given API? -- Eric Blake eblake redhat com +1-919-301-3266 Libvirt virtualization library http://libvirt.org

1 0

[libvirt] [PATCH] qemu_capabilities: fix issue with discarding old capabilities
by Pavel Hrdina 18 Sep '14

18 Sep '14

There was a bug that if libvirtd binary has been updated than the capability file wasn't reloaded therefore new capabilities introduced in libvirt cannot be used because the cached version was loaded. Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1135431 Signed-off-by: Pavel Hrdina <phrdina(a)redhat.com> --- src/qemu/qemu_capabilities.c | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/src/qemu/qemu_capabilities.c b/src/qemu/qemu_capabilities.c index 81ada48..dae89aa 100644 --- a/src/qemu/qemu_capabilities.c +++ b/src/qemu/qemu_capabilities.c @@ -286,6 +286,7 @@ struct _virQEMUCaps { char *binary; time_t ctime; + time_t selfctime; virBitmapPtr flags; @@ -2689,7 +2690,7 @@ virQEMUCapsSaveCache(virQEMUCapsPtr qemuCaps, const char *filename) virBufferAsprintf(&buf, "<qemuctime>%llu</qemuctime>\n", (long long)qemuCaps->ctime); virBufferAsprintf(&buf, "<selfctime>%llu</selfctime>\n", - (long long)virGetSelfLastChanged()); + (long long)qemuCaps->selfctime); if (qemuCaps->usedQMP) virBufferAddLit(&buf, "<usedQMP/>\n"); @@ -2743,7 +2744,7 @@ virQEMUCapsSaveCache(virQEMUCapsPtr qemuCaps, const char *filename) VIR_DEBUG("Saved caps '%s' for '%s' with (%lld, %lld)", filename, qemuCaps->binary, (long long)qemuCaps->ctime, - (long long)virGetSelfLastChanged()); + (long long)qemuCaps->selfctime); ret = 0; cleanup: @@ -2871,12 +2872,12 @@ virQEMUCapsInitCached(virQEMUCapsPtr qemuCaps, const char *cacheDir) /* Discard if cache is older that QEMU binary */ if (qemuctime != qemuCaps->ctime || - selfctime < virGetSelfLastChanged()) { + selfctime < qemuCaps->selfctime) { VIR_DEBUG("Outdated cached capabilities '%s' for '%s' " "(%lld vs %lld, %lld vs %lld)", capsfile, qemuCaps->binary, (long long)qemuctime, (long long)qemuCaps->ctime, - (long long)selfctime, (long long)virGetSelfLastChanged()); + (long long)selfctime, (long long)qemuCaps->selfctime); ignore_value(unlink(capsfile)); virQEMUCapsReset(qemuCaps); ret = 0; @@ -3371,6 +3372,7 @@ virQEMUCapsPtr virQEMUCapsNewForBinary(const char *binary, goto error; } qemuCaps->ctime = sb.st_ctime; + qemuCaps->selfctime = virGetSelfLastChanged(); /* Make sure the binary we are about to try exec'ing exists. * Technically we could catch the exec() failure, but that's @@ -3420,7 +3422,8 @@ bool virQEMUCapsIsValid(virQEMUCapsPtr qemuCaps) if (stat(qemuCaps->binary, &sb) < 0) return false; - return sb.st_ctime == qemuCaps->ctime; + return sb.st_ctime == qemuCaps->ctime && + virGetSelfLastChanged() >= qemuCaps->selfctime; } -- 1.8.5.5

2 6

[libvirt] LSN-2014-0004: Querying blkiotune after disk hotplug can lead to libvirtd crash
by Daniel P. Berrange 18 Sep '14

18 Sep '14

Libvirt Security Notice: LSN-2014-0004 ====================================== Summary: Querying blkiotune after disk hotplug can lead to libvirtd crash Reported on: 20140911 Published on: 20140917 Fixed on: 20140917 Reported by: Luyao Huang <lhuang(a)redhat.com> Patched by: Peter Krempa <pkrempa(a)redhat.com> See also: CVE-2014-3633 Description ----------- The qemu implementation of virDomainGetBlockIoTune computed an index into the array of disks for the live definition, then used it as the index into the array of disks for the persistent definition. If management had hot-plugged disks to the live definition, the two arrays are not necessarily the same length, and this could result in the persistent definition dereferencing an out-of-bounds pointer. Impact ------ A read-only client can cause a denial of service attack against a privileged client if the out-of-bounds dereference causes libvirtd to crash, or possibly gain read access to sensitive information residing in the heap. Workaround ---------- The out-of-bounds access is only possible on domains that have had disks hot-plugged or removed from the live image without also updating the persistent definition to match; keeping the two definitions matched or using only transient domains will avoid the problem. Denying access to the readonly libvirt socket will avoid the potential for a denial of service attack, but will not prevent the out-of-bounds access from causing a crash for a privileged client, although such a crash is no longer a security problem. Affected product ---------------- Name: libvirt Repository: git://libvirt.org/git/libvirt.git http://libvirt.org/git/?p=libvirt.git Branch: master Broken in: v0.9.8 Broken in: v0.9.9 Broken in: v0.9.10 Broken in: v0.9.11 Broken in: v0.9.12 Broken in: v0.9.13 Broken in: v1.0.0 Broken in: v1.0.1 Broken in: v1.0.2 Broken in: v1.0.3 Broken in: v1.0.4 Broken in: v1.0.5 Broken in: v1.0.6 Broken in: v1.1.0 Broken in: v1.1.1 Broken in: v1.1.2 Broken in: v1.1.3 Broken in: v1.1.4 Broken in: v1.2.0 Broken in: v1.2.1 Broken in: v1.2.2 Broken in: v1.2.3 Broken in: v1.2.4 Broken in: v1.2.5 Broken in: v1.2.6 Broken in: v1.2.7 Broken in: v1.2.8 Broken by: eca96694a7f992be633d48d5ca03cedc9bbc3c9aa Fixed by: 3e745e8f775dfe6f64f18b5c2fe4791b35d3546b Branch: v0.9.11-maint Broken in: v0.9.11.1 Broken in: v0.9.11.2 Broken in: v0.9.11.3 Broken in: v0.9.11.4 Broken in: v0.9.11.5 Broken in: v0.9.11.6 Broken in: v0.9.11.7 Broken in: v0.9.11.8 Broken in: v0.9.11.9 Broken in: v0.9.11.10 Broken by: eca96694a7f992be633d48d5ca03cedc9bbc3c9aa Branch: v0.9.12-maint Broken in: v0.9.12.1 Broken in: v0.9.12.2 Broken in: v0.9.12.3 Broken by: eca96694a7f992be633d48d5ca03cedc9bbc3c9aa Fixed by: 750280023cc0896b05f86e292857ceef5eee3a72 Branch: v0.10.2-maint Broken in: v0.10.2.1 Broken in: v0.10.2.2 Broken in: v0.10.2.3 Broken in: v0.10.2.4 Broken in: v0.10.2.5 Broken in: v0.10.2.6 Broken in: v0.10.2.7 Broken in: v0.10.2.8 Broken by: eca96694a7f992be633d48d5ca03cedc9bbc3c9aa Fixed by: 0fa54204f264e3d39387f5762f810d31cce770b2 Branch: v1.0.2-maint Broken by: eca96694a7f992be633d48d5ca03cedc9bbc3c9aa Fixed by: d30fea03a545a2d9f5f228cd3292484ce7850256 Branch: v1.0.3-maint Broken by: eca96694a7f992be633d48d5ca03cedc9bbc3c9aa Fixed by: 35a802639d713054503f7243e39be0503fe19ec3 Branch: v1.0.4-maint Broken by: eca96694a7f992be633d48d5ca03cedc9bbc3c9aa Fixed by: a45c8466fa3531d35728575a1facc0406f97079a Branch: v1.0.5-maint Broken in: v1.0.5.1 Broken in: v1.0.5.2 Broken in: v1.0.5.3 Broken in: v1.0.5.4 Broken in: v1.0.5.5 Broken in: v1.0.5.6 Broken in: v1.0.5.7 Broken in: v1.0.5.8 Broken in: v1.0.5.9 Broken by: eca96694a7f992be633d48d5ca03cedc9bbc3c9aa Fixed by: cc05c6d5d2f7a577a1a365fbc5451fb6b5f57445 Branch: v1.0.6-maint Broken by: eca96694a7f992be633d48d5ca03cedc9bbc3c9aa Fixed by: cc19d1c08f49acdcfd5eb0e26561ea88e800f177 Branch: v1.1.0-maint Broken by: eca96694a7f992be633d48d5ca03cedc9bbc3c9aa Fixed by: dd8a348e4747a59c60991f3b41567ab0a1dcca0e Branch: v1.1.1-maint Broken by: eca96694a7f992be633d48d5ca03cedc9bbc3c9aa Fixed by: ed071fee073bc5a439ec64f0e501d5f90c41dec5 Branch: v1.1.2-maint Broken by: eca96694a7f992be633d48d5ca03cedc9bbc3c9aa Fixed by: d4360edd1ca88cb1f144bf77f7df23ebf1f90632 Branch: v1.1.3-maint Broken in: v1.1.3.1 Broken in: v1.1.3.2 Broken in: v1.1.3.3 Broken in: v1.1.3.4 Broken in: v1.1.3.5 Broken in: v1.1.3.6 Broken by: eca96694a7f992be633d48d5ca03cedc9bbc3c9aa Fixed by: eefe2e013820a76dfe5132431db72aade911eeab Branch: v1.1.4-maint Broken by: eca96694a7f992be633d48d5ca03cedc9bbc3c9aa Fixed by: 92430a6942fc0f4dceea4957f688430f093676ab Branch: v1.2.0-maint Broken by: eca96694a7f992be633d48d5ca03cedc9bbc3c9aa Fixed by: e8f6971e3f29a7392224d7056b05b2acf133e58d Branch: v1.2.1-maint Broken by: eca96694a7f992be633d48d5ca03cedc9bbc3c9aa Fixed by: fdde9d6a1b8a559f5fa18a68cc8e8a35354b3ae9 Branch: v1.2.2-maint Broken by: eca96694a7f992be633d48d5ca03cedc9bbc3c9aa Fixed by: 111855e82429249ccd98f9ed0c8c72116e241959 Branch: v1.2.3-maint Broken by: eca96694a7f992be633d48d5ca03cedc9bbc3c9aa Fixed by: 81edcbb3ca1061d5b54945a7e1e9e2e03891307b Branch: v1.2.4-maint Broken by: eca96694a7f992be633d48d5ca03cedc9bbc3c9aa Fixed by: 8a07faf3377c4b1e9f4ded59882f305426d02e6c Branch: v1.2.5-maint Broken by: eca96694a7f992be633d48d5ca03cedc9bbc3c9aa Fixed by: 7156bd0ce2dc92231c393fc7bd493e7aa383d966 Branch: v1.2.6-maint Broken by: eca96694a7f992be633d48d5ca03cedc9bbc3c9aa Fixed by: 4e701c06c54ec007041e20e5ef085711f38a0266 Branch: v1.2.7-maint Broken by: eca96694a7f992be633d48d5ca03cedc9bbc3c9aa Fixed by: cf7a69bc08e79c254f1accd939f4746ca94fe7e7 Branch: v1.2.8-maint Broken by: eca96694a7f992be633d48d5ca03cedc9bbc3c9aa Fixed by: 6bdf14150e99ca8921a4017bb9502325e200815b Regards, Daniel -- |: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :| |: http://libvirt.org -o- http://virt-manager.org :| |: http://autobuild.org -o- http://search.cpan.org/~danberr/ :| |: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|

1 0