[libvirt] [PATCH] Report error when both live and offline flags are used for migration.
by Nitesh Konkar
---
src/libvirt-domain.c | 27 +++++++++++++++++++++++++++
1 file changed, 27 insertions(+)
diff --git a/src/libvirt-domain.c b/src/libvirt-domain.c
index 9491845..dc11945 100644
--- a/src/libvirt-domain.c
+++ b/src/libvirt-domain.c
@@ -3617,6 +3617,15 @@ virDomainMigrate(virDomainPtr domain,
error);
+ if (flags & VIR_MIGRATE_OFFLINE) {
+ if (flags & VIR_MIGRATE_LIVE) {
+ virReportError(VIR_ERR_ARGUMENT_UNSUPPORTED, "%s",
+ _("Live and offline migration flags are "
+ "mutually exclusive"));
+ goto error;
+ }
+ }
+
if (flags & VIR_MIGRATE_OFFLINE) {
if (!VIR_DRV_SUPPORTS_FEATURE(domain->conn->driver, domain->conn,
VIR_DRV_FEATURE_MIGRATION_OFFLINE)) {
virReportError(VIR_ERR_ARGUMENT_UNSUPPORTED, "%s",
@@ -3841,6 +3850,15 @@ virDomainMigrate2(virDomainPtr domain,
error);
+ if (flags & VIR_MIGRATE_OFFLINE) {
+ if (flags & VIR_MIGRATE_LIVE) {
+ virReportError(VIR_ERR_ARGUMENT_UNSUPPORTED, "%s",
+ _("Live and offline migration flags are "
+ "mutually exclusive"));
+ goto error;
+ }
+ }
+
if (flags & VIR_MIGRATE_OFFLINE) {
if (!VIR_DRV_SUPPORTS_FEATURE(domain->conn->driver, domain->conn,
VIR_DRV_FEATURE_MIGRATION_OFFLINE)) {
virReportError(VIR_ERR_ARGUMENT_UNSUPPORTED, "%s",
@@ -4014,6 +4032,15 @@ virDomainMigrate3(virDomainPtr domain,
VIR_MIGRATE_NON_SHARED_INC,
error);
+ if (flags & VIR_MIGRATE_OFFLINE) {
+ if (flags & VIR_MIGRATE_LIVE) {
+ virReportError(VIR_ERR_ARGUMENT_UNSUPPORTED, "%s",
+ _("Live and offline migration flags are "
+ "mutually exclusive"));
+ goto error;
+ }
+ }
+
if (flags & VIR_MIGRATE_PEER2PEER) {
virReportInvalidArg(flags, "%s",
_("use virDomainMigrateToURI3 for peer-to-peer "
--
1.8.3.1
8 years, 9 months
[libvirt] [PATCH 0/2] qemu: Support for QXL heads
by Martin Kletzander
So this is an old, tiny series that was posted some time ago; actually
a lot of time ago. I complained because of two things. First one
being that there are no tests, so this series has them in. The second
one was that this could break migration from old code since the
parameter was not used before. So I coded up a migration flag,
handled all the special cases and then started testing it. And while
testing it, I've found out that QEMU doesn't care at all about this
parameter being there and there is no point in keeping it
super-stable, especially when it can be changed on the fly. So I
removed all that code and ended up with tiny series very similar to
previous attempts by various people.
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1283207
Martin Kletzander (2):
qemu: Check for qxl's max_outputs parameter
qemu: Add support to QXL's max_outputs parameter
src/qemu/qemu_capabilities.c | 4 ++
src/qemu/qemu_capabilities.h | 2 +
src/qemu/qemu_command.c | 8 ++++
.../qemuxml2argv-video-qxl-heads.args | 28 +++++++++++++
.../qemuxml2argv-video-qxl-heads.xml | 47 ++++++++++++++++++++++
tests/qemuxml2argvtest.c | 8 ++++
.../qemuxml2xmlout-video-qxl-heads.xml | 47 ++++++++++++++++++++++
tests/qemuxml2xmltest.c | 2 +
8 files changed, 146 insertions(+)
create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-video-qxl-heads.args
create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-video-qxl-heads.xml
create mode 100644 tests/qemuxml2xmloutdata/qemuxml2xmlout-video-qxl-heads.xml
--
2.7.2
8 years, 9 months
[libvirt] User Behavior Tracking defenses in VMs
by bancfc@openmailbox.org
Intended for qemu-discuss
/cc/ libvir-list, whonix-devel, tor-dev
***
Hello. I work on WhonixOS an anonymity distro based on Tor. This feature
request is related to the topics of privacy and anonymity. Its a complex
topic and probably not in your area of focus but I think it has
important implications because security and privacy are very much
related in today's hostile computing environment.
Virtualization is useful in presenting an identical environment and set
of "hardware" for each user which goes a long way in creating an
anonymity set of systems. That way a system attacker, advertisers and
online trackers would not be able to fingerprint a user or their
hardware.
The problem: Tracking techniques have become more sophisticated with
time. They advanced from simple cookies to browser/device fingerprinting
(which Tor Browser focuses on defeating) to user behavior
fingerprinting. The latter is about profiling how a user types on a
keyboard or uses a mouse [2].
Keystroke dynamics is a super creepy way to track users based on how
long they press keys (dwell time) and the time between key presses (gap
time). This is extremely accurate at identifying individuals because of
how unique these measurements are. Advertising networks (Google,
Facebook...) that fingeprprint users on both the clearnet and Tor can
deanonymize users. This technique is already actively used in the wild
[6][7].
Potential Solutions:
Since input devices are all emulated its a great opportunity to stop
this profiling technique.
* A security researcher designed a proof of concept plugin for Chrome
browser that mitigates this. Implementing something like the PoC addon
in [1] known as KeyBoardPrivacy. Some random delay in milliseconds in a
50 millisecond range for dwell and gap times for the emulated keyboards
is enough to skew the values to render this attack useless while not
affecting performance.
* The changes made to Tor Borwser to make JS timers more coarse grained
but constant (250ms for keyboard events) were not enough to stop
keystroke dynamics fingerprinting because a malicious script can evict
the cache and allow extrapolation of true timing events within 1-5ms
accuracy .[3][5] Their goal is to instead add jitter to the timers [4].
A similar solution proposed in [4] can be implemented in all QEMU-KVM
timers to mitigate both attacks.
[1]
https://paul.reviews/behavioral-profiling-the-password-you-cant-change/
[2]
http://jcarlosnorte.com/security/2016/03/06/advanced-tor-browser-fingerpr...
[3]
https://www.lightbluetouchpaper.org/2015/07/30/double-bill-password-hashi...
[4] https://trac.torproject.org/projects/tor/ticket/16110
[5] https://trac.torproject.org/projects/tor/ticket/1517
[6] http://scraping.pro/no-captcha-recaptcha-challenge/
[7]
https://nakedsecurity.sophos.com/2013/11/01/facebook-to-silent-track-user...
8 years, 9 months
[libvirt] [PATCH] schema: support 'default' cache mode
by Jim Fehlig
The docs claims the cache attribute of the disk <driver>
element supports 'default' as one of its permissible values,
but such configuration fails virt-xml-validate. Add 'default'
as one of the cache attribute choices in domaincommon.rng.
Signed-off-by: Jim Fehlig <jfehlig(a)suse.com>
---
docs/schemas/domaincommon.rng | 1 +
1 file changed, 1 insertion(+)
diff --git a/docs/schemas/domaincommon.rng b/docs/schemas/domaincommon.rng
index 67af93a..d4e375f 100644
--- a/docs/schemas/domaincommon.rng
+++ b/docs/schemas/domaincommon.rng
@@ -1596,6 +1596,7 @@
<define name="driverCache">
<attribute name="cache">
<choice>
+ <value>default</value>
<value>none</value>
<value>writeback</value>
<value>writethrough</value>
--
2.1.4
8 years, 9 months
[libvirt] Storage Backend - buildVolFrom Semantics
by Richard Laager
storage_backend_rbd.c uses an RBD clone operation to implement buildVolFrom.
If I'm understanding the RBD documentation correctly, you cannot delete
the parent until the clone has been deleted:
http://docs.ceph.com/docs/master/dev/rbd-layering/
"Before cloning a snapshot, you must mark it as protected, to prevent it
from being deleted while child images refer to it:"
&
"To delete the parent, you must first mark it unprotected, which checks
that there are no children left:"
Is libvirt okay with those semantics for volumes? That is, if you clone
a volume, is it acceptable that you cannot delete the parent until you
delete the clone?
The answer to this affects how I'll write a patch to implement
buildVolFrom for storage_backend_zfs.c.
--
Richard
8 years, 9 months
[libvirt] [libvirt-perl][PATCH] Add VIR_ERR_NO_SERVER constant
by Michal Privoznik
Signed-off-by: Michal Privoznik <mprivozn(a)redhat.com>
---
Changes | 1 +
Virt.xs | 1 +
lib/Sys/Virt/Error.pm | 4 ++++
3 files changed, 6 insertions(+)
diff --git a/Changes b/Changes
index 4e343d5..aa71a1e 100644
--- a/Changes
+++ b/Changes
@@ -7,6 +7,7 @@ Revision history for perl module Sys::Virt
VIR_DOMAIN_TUNABLE_CPU_GLOBAL_PERIOD & VIR_DOMAIN_TUNABLE_CPU_GLOBAL_QUOTA
constants
- Add VIR_DOMAIN_EVENT_ID_JOB_COMPLETED constant and callback
+ - Add VIR_ERR_NO_SERVER constant
1.3.2 2016-03-01
diff --git a/Virt.xs b/Virt.xs
index 6059cdc..9cb80fa 100644
--- a/Virt.xs
+++ b/Virt.xs
@@ -8439,4 +8439,5 @@ BOOT:
REGISTER_CONSTANT(VIR_ERR_XML_INVALID_SCHEMA, ERR_INVALID_SCHEMA);
REGISTER_CONSTANT(VIR_ERR_MIGRATE_FINISH_OK, ERR_MIGRATE_FINISH_OK);
REGISTER_CONSTANT(VIR_ERR_AUTH_UNAVAILABLE, ERR_AUTH_UNAVAILABLE);
+ REGISTER_CONSTANT(VIR_ERR_NO_SERVER, ERR_NO_SERVER);
}
diff --git a/lib/Sys/Virt/Error.pm b/lib/Sys/Virt/Error.pm
index e1b2578..3f6b058 100644
--- a/lib/Sys/Virt/Error.pm
+++ b/lib/Sys/Virt/Error.pm
@@ -784,6 +784,10 @@ Migration finished but expected to return NULL domain.
Authentication services were not available
+=item Sys::Virt::Error::ERR_NO_SERVER
+
+Libvirt server was not found
+
=back
=head1 AUTHORS
--
2.4.10
8 years, 9 months
[libvirt] [PATCH] qemu: Restore error/cleanup logic for qemuBuildNetCommandLine
by John Ferlan
The virDomainConfVMNWFilterTeardown was called in the error path of
qemuBuildCommandLine once network setup was partially or fully completed
using the last_good_net as the basis to determine which filters needed
to be torn down. Commit id 'ef2ab8fd' moved that inside the new
qemuBuildNetCommandLine, so that lost the failure. Moving that cleanup
back outside the call to the more general failure case.
Signed-off-by: John Ferlan <jferlan(a)redhat.com>
---
Jan notes post push that the cleanup path after building the network
command line was there for any other failures and not just the failure
in building the network command line:
http://www.redhat.com/archives/libvir-list/2016-March/msg00561.html
Even though the teardown is called during qemuProcessStop from
virDomainConfVMNWFilterTeardown, the cleanup here could still be done.
The reason for moving it inside was based on a different patch where the
desire was to not leak anything that could have changed inside one of the
moved qemuBuild*CommandLine functions. In this case, though since it's
used more generally for cleanup, it seems a good idea to return it.
The other option would be to just let qemuProcessStop handle it and a
different patch to remove the error reset logic.
src/qemu/qemu_command.c | 18 ++++++++----------
1 file changed, 8 insertions(+), 10 deletions(-)
diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c
index ba8c216..2e15c05 100644
--- a/src/qemu/qemu_command.c
+++ b/src/qemu/qemu_command.c
@@ -7659,10 +7659,10 @@ qemuBuildNetCommandLine(virCommandPtr cmd,
bool emitBootindex,
size_t *nnicindexes,
int **nicindexes,
- int *bootHostdevNet)
+ int *bootHostdevNet,
+ int *last_good_net)
{
size_t i;
- int last_good_net = -1;
if (!def->nnets) {
/* If we have -device, then we set -nodefault already */
@@ -7697,9 +7697,9 @@ qemuBuildNetCommandLine(virCommandPtr cmd,
qemuCaps, vlan, bootNet, vmop,
standalone, nnicindexes,
nicindexes) < 0)
- goto error;
+ return -1;
- last_good_net = i;
+ *last_good_net = i;
/* if this interface is a type='hostdev' interface and we
* haven't yet added a "bootindex" parameter to an
* emulated network device, save the bootindex - hostdev
@@ -7714,11 +7714,6 @@ qemuBuildNetCommandLine(virCommandPtr cmd,
}
}
return 0;
-
- error:
- for (i = 0; last_good_net != -1 && i <= last_good_net; i++)
- virDomainConfNWFilterTeardown(def->nets[i]);
- return -1;
}
@@ -8604,6 +8599,7 @@ qemuBuildCommandLine(virConnectPtr conn,
bool emitBootindex = false;
virQEMUDriverConfigPtr cfg = virQEMUDriverGetConfig(driver);
int bootHostdevNet = 0;
+ int last_good_net = -1;
VIR_DEBUG("conn=%p driver=%p def=%p mon=%p json=%d "
@@ -8725,7 +8721,7 @@ qemuBuildCommandLine(virConnectPtr conn,
if (qemuBuildNetCommandLine(cmd, driver, def, qemuCaps, vmop, standalone,
emitBootindex, nnicindexes, nicindexes,
- &bootHostdevNet) < 0)
+ &bootHostdevNet, &last_good_net) < 0)
goto error;
if (qemuBuildSmartcardCommandLine(logManager, cmd, def, qemuCaps) < 0)
@@ -9280,6 +9276,8 @@ qemuBuildCommandLine(virConnectPtr conn,
/* free up any resources in the network driver
* but don't overwrite the original error */
originalError = virSaveLastError();
+ for (i = 0; last_good_net != -1 && i <= last_good_net; i++)
+ virDomainConfNWFilterTeardown(def->nets[i]);
virSetError(originalError);
virFreeError(originalError);
virCommandFree(cmd);
--
2.5.0
8 years, 9 months
[libvirt] [PATCH] vz: fix active domain listing
by Maxim Nestratov
Since commit 9c14a9ab we have broken active domain listing
because reworked prlsdkLoadDomain doesn't set dom->def->id
propely. It just looses it when a new def structure is set.
Now we make prlsdkConvertDomainState function return void
and move calling it after an old dom->def is replaces with
a new one within prlsdkLoadDomain function.
Signed-off-by: Maxim Nestratov <mnestratov(a)virtuozzo.com>
---
src/vz/vz_sdk.c | 20 +++++++-------------
1 file changed, 7 insertions(+), 13 deletions(-)
diff --git a/src/vz/vz_sdk.c b/src/vz/vz_sdk.c
index de73c31..f7d769b 100644
--- a/src/vz/vz_sdk.c
+++ b/src/vz/vz_sdk.c
@@ -1051,7 +1051,7 @@ prlsdkAddVNCInfo(PRL_HANDLE sdkdom, virDomainDefPtr def)
return -1;
}
-static int
+static void
prlsdkConvertDomainState(VIRTUAL_MACHINE_STATE domainState,
PRL_UINT32 envId,
virDomainObjPtr dom)
@@ -1121,17 +1121,12 @@ prlsdkConvertDomainState(VIRTUAL_MACHINE_STATE domainState,
dom->def->id = envId;
break;
case VMS_UNKNOWN:
+ default:
virDomainObjSetState(dom, VIR_DOMAIN_NOSTATE,
VIR_DOMAIN_NOSTATE_UNKNOWN);
- break;
- default:
- virReportError(VIR_ERR_INTERNAL_ERROR,
- _("Unknown domain state: %X"), domainState);
- return -1;
+ dom->def->id = -1;
break;
}
-
- return 0;
}
static int
@@ -1374,9 +1369,6 @@ prlsdkLoadDomain(vzConnPtr privconn, virDomainObjPtr dom)
goto error;
}
- if (prlsdkConvertDomainState(domainState, envId, dom) < 0)
- goto error;
-
/* assign new virDomainDef without any checks
* we can't use virDomainObjAssignDef, because it checks
* for state and domain name */
@@ -1386,6 +1378,8 @@ prlsdkLoadDomain(vzConnPtr privconn, virDomainObjPtr dom)
VIR_FREE(pdom->home);
pdom->home = home;
+ prlsdkConvertDomainState(domainState, envId, dom);
+
if (!pdom->sdkdom) {
PrlHandle_AddRef(sdkdom);
pdom->sdkdom = sdkdom;
@@ -1532,8 +1526,8 @@ prlsdkHandleVmStateEvent(vzConnPtr privconn,
prlsdkCheckRetGoto(pret, cleanup);
pdom = dom->privateData;
- if (prlsdkConvertDomainState(domainState, pdom->id, dom) < 0)
- goto cleanup;
+
+ prlsdkConvertDomainState(domainState, pdom->id, dom);
prlsdkNewStateToEvent(domainState,
&lvEventType,
--
2.4.3
8 years, 9 months