[libvirt] [PATCH v2 00/10] perf: Add software perf events
by Nitesh Konkar
This patch series adds software perf events.
The perl and go patches shall follow shortly.
Nitesh Konkar (10):
perf: add cpu_clock software perf event support
perf: add task_clock software perf event support
perf: add page_faults software perf event support
perf: add context_switches software perf event support
perf: add cpu_migrations software perf event support
perf: add page_faults_min software perf event support
perf: add page_faults_maj software perf event support
perf: add alignment_faults software perf event support
perf: add emulation_faults software perf event support
news: Update the news.xml about perf events added
docs/formatdomain.html.in | 74 +++++++++++++++++++++++
docs/news.xml | 11 ++++
docs/schemas/domaincommon.rng | 9 +++
include/libvirt/libvirt-domain.h | 92 +++++++++++++++++++++++++++++
src/libvirt-domain.c | 25 ++++++++
src/qemu/qemu_driver.c | 9 +++
src/util/virperf.c | 33 ++++++++++-
src/util/virperf.h | 9 +++
tests/genericxml2xmlindata/generic-perf.xml | 9 +++
tools/virsh.pod | 27 +++++++++
10 files changed, 297 insertions(+), 1 deletion(-)
--
1.9.3
7 years, 9 months
[libvirt] [PATCH 0/2] fix migration related graphics listen code bugs
by Pavel Hrdina
Pavel Hrdina (2):
conf: store "autoGenerated" for graphics listen in status XML
conf: properly skip graphics listen element in migratable XML
src/conf/domain_conf.c | 18 +++++++++++++++++-
src/qemu/qemu_domain.c | 3 ++-
2 files changed, 19 insertions(+), 2 deletions(-)
--
2.11.1
7 years, 9 months
[libvirt] [PATCH] Make use of PERF_COUNT_HW_REF_CPU_CYCLES conditional
by Daniel P. Berrange
The PERF_COUNT_HW_REF_CPU_CYCLES constant is not available
on all Linux distros libvirt targets, so its use must be
made conditional. Other constants have existed long enough
that we can assume they exist, as we don't support very
old distros like RHEL-5 any more.
Signed-off-by: Daniel P. Berrange <berrange(a)redhat.com>
---
src/util/virperf.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/src/util/virperf.c b/src/util/virperf.c
index 49ec258..f64692b 100644
--- a/src/util/virperf.c
+++ b/src/util/virperf.c
@@ -104,8 +104,14 @@ static struct virPerfEventAttr attrs[] = {
.attrType = PERF_TYPE_HARDWARE,
.attrConfig = PERF_COUNT_HW_STALLED_CYCLES_BACKEND},
{.type = VIR_PERF_EVENT_REF_CPU_CYCLES,
+# ifdef PERF_COUNT_HW_REF_CPU_CYCLES
.attrType = PERF_TYPE_HARDWARE,
- .attrConfig = PERF_COUNT_HW_REF_CPU_CYCLES},
+ .attrConfig = PERF_COUNT_HW_REF_CPU_CYCLES
+# else
+ .attrType = 0,
+ .attrConfig = 0,
+# endif
+ },
};
typedef struct virPerfEventAttr *virPerfEventAttrPtr;
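Review bot: The #else branch of the VIR_PERF_EVENT_REF_CPU_CYCLES entry sets attrType and attrConfig to 0 without saying how the rest of the file recognises the entry as unsupported. The neighbouring entries use PERF_TYPE_HARDWARE as attrType, and in the kernel's perf_event.h both PERF_TYPE_HARDWARE and PERF_COUNT_HW_CPU_CYCLES are 0, so a zeroed entry cannot be told apart from a valid cpu_cycles request by value alone. The code that enables events should reject ref_cpu_cycles explicitly when the constant is missing, for example under the same #ifdef with an "unsupported" error, and a comment on the #else branch should point to that check.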
--
2.9.3
7 years, 9 months
[libvirt] [PATCH] network: don't use dhcp-authoritative on static networks
by Martin Wilck
"Static" DHCP networks are those where no dynamic DHCP range is
defined, only a list of host entries is used to serve permanent
IP addresses. On such networks, we don't want dnsmasq to reply
to other requests than those statically defined. But
"dhcp-authoritative" will cause dnsmasq to do just that.
Therefore we can't use "dhcp-authoritative" for static networks.
Fixes: 4ac20b3ae "network: add dnsmasq option 'dhcp-authoritative'"
Signed-off-by: Martin Wilck <mwilck(a)suse.com>
---
src/network/bridge_driver.c | 9 ++++++++-
tests/networkxml2confdata/dhcp6host-routed-network.conf | 1 -
2 files changed, 8 insertions(+), 2 deletions(-)
diff --git a/src/network/bridge_driver.c b/src/network/bridge_driver.c
index ae1589d8c..17c6f3a0f 100644
--- a/src/network/bridge_driver.c
+++ b/src/network/bridge_driver.c
@@ -1355,7 +1355,14 @@ networkDnsmasqConfContents(virNetworkObjPtr network,
if (VIR_SOCKET_ADDR_IS_FAMILY(&ipdef->address, AF_INET)) {
if (ipdef->nranges || ipdef->nhosts) {
virBufferAddLit(&configbuf, "dhcp-no-override\n");
- virBufferAddLit(&configbuf, "dhcp-authoritative\n");
+ /*
+ * Use "dhcp-authoritative" only for dynamic DHCP.
+ * In a static-only network, it would cause dnsmasq
+ * to reply to requests from other hosts than those
+ * statically defined.
+ */
+ if (ipdef->nranges || !ipdef->nhosts)
+ virBufferAddLit(&configbuf, "dhcp-authoritative\n");
}
if (ipdef->tftproot) {
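Review bot: The second half of the new condition can never be true. The added "if (ipdef->nranges || !ipdef->nhosts)" sits inside "if (ipdef->nranges || ipdef->nhosts)", so whenever nranges is 0 the outer test already guarantees nhosts is non-zero and "!ipdef->nhosts" is false. "if (ipdef->nranges)" expresses the same thing and matches the comment ("only for dynamic DHCP") directly. It would also help to have a test case that keeps dhcp-authoritative for a network with both a range and host entries, since the only expected-output change in this patch is a removal.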
diff --git a/tests/networkxml2confdata/dhcp6host-routed-network.conf b/tests/networkxml2confdata/dhcp6host-routed-network.conf
index 87a149880..5728ee430 100644
--- a/tests/networkxml2confdata/dhcp6host-routed-network.conf
+++ b/tests/networkxml2confdata/dhcp6host-routed-network.conf
@@ -10,7 +10,6 @@ bind-dynamic
interface=virbr1
dhcp-range=192.168.122.1,static
dhcp-no-override
-dhcp-authoritative
dhcp-range=2001:db8:ac10:fd01::1,static,64
dhcp-hostsfile=/var/lib/libvirt/dnsmasq/local.hostsfile
addn-hosts=/var/lib/libvirt/dnsmasq/local.addnhosts
--
2.11.0
7 years, 9 months
[libvirt] [PATCH go v3] Add support for perf events
by Nitesh Konkar
Signed-off-by: Nitesh Konkar <nitkon12(a)linux.vnet.ibm.com>
---
connect.go | 54 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
domain.go | 54 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
domain_compat.h | 36 ++++++++++++++++++++++++++++++++++++
3 files changed, 144 insertions(+)
diff --git a/connect.go b/connect.go
index 3c53485..a4dd21b 100644
--- a/connect.go
+++ b/connect.go
@@ -2264,6 +2264,24 @@ type DomainStatsPerf struct {
StalledCyclesBackend uint64
RefCpuCyclesSet bool
RefCpuCycles uint64
+ CpuClockSet bool
+ CpuClock uint64
+ TaskClockSet bool
+ TaskClock uint64
+ PageFaultsSet bool
+ PageFaults uint64
+ ContextSwitchesSet bool
+ ContextSwitches uint64
+ CpuMigrationsSet bool
+ CpuMigrations uint64
+ PageFaultsMinSet bool
+ PageFaultsMin uint64
+ PageFaultsMajSet bool
+ PageFaultsMaj uint64
+ AlignmentFaultsSet bool
+ AlignmentFaults uint64
+ EmulationFaultsSet bool
+ EmulationFaults uint64
}
func getDomainStatsPerfFieldInfo(params *DomainStatsPerf) map[string]typedParamsFieldInfo {
@@ -2320,6 +2338,42 @@ func getDomainStatsPerfFieldInfo(params *DomainStatsPerf) map[string]typedParams
set: ¶ms.RefCpuCyclesSet,
ul: ¶ms.RefCpuCycles,
},
+ "perf.cpu_clock": typedParamsFieldInfo{
+ set: ¶ms.CpuClockSet,
+ ul: ¶ms.CpuClock,
+ },
+ "perf.task_clock": typedParamsFieldInfo{
+ set: ¶ms.TaskClockSet,
+ ul: ¶ms.TaskClock,
+ },
+ "perf.page_faults": typedParamsFieldInfo{
+ set: ¶ms.PageFaultsSet,
+ ul: ¶ms.PageFaults,
+ },
+ "perf.context_switches": typedParamsFieldInfo{
+ set: ¶ms.ContextSwitchesSet,
+ ul: ¶ms.ContextSwitches,
+ },
+ "perf.cpu_migrations": typedParamsFieldInfo{
+ set: ¶ms.CpuMigrationsSet,
+ ul: ¶ms.CpuMigrations,
+ },
+ "perf.page_faults_min": typedParamsFieldInfo{
+ set: ¶ms.PageFaultsMinSet,
+ ul: ¶ms.PageFaultsMin,
+ },
+ "perf.page_faults_maj": typedParamsFieldInfo{
+ set: ¶ms.PageFaultsMajSet,
+ ul: ¶ms.PageFaultsMaj,
+ },
+ "perf.alignment_faults": typedParamsFieldInfo{
+ set: ¶ms.AlignmentFaultsSet,
+ ul: ¶ms.AlignmentFaults,
+ },
+ "perf.emulation_faults": typedParamsFieldInfo{
+ set: ¶ms.EmulationFaultsSet,
+ ul: ¶ms.EmulationFaults,
+ },
}
}
diff --git a/domain.go b/domain.go
index 2bd9852..9f3ecc3 100644
--- a/domain.go
+++ b/domain.go
@@ -3195,6 +3195,24 @@ type DomainPerfEvents struct {
StalledCyclesBackend bool
RefCpuCyclesSet bool
RefCpuCycles bool
+ CpuClockSet bool
+ CpuClock bool
+ TaskClockSet bool
+ TaskClock bool
+ PageFaultsSet bool
+ PageFaults bool
+ ContextSwitchesSet bool
+ ContextSwitches bool
+ CpuMigrationsSet bool
+ CpuMigrations bool
+ PageFaultsMinSet bool
+ PageFaultsMin bool
+ PageFaultsMajSet bool
+ PageFaultsMaj bool
+ AlignmentFaultsSet bool
+ AlignmentFaults bool
+ EmulationFaultsSet bool
+ EmulationFaults bool
}
/* Remember to also update DomainStatsPerf in connect.go when adding to the stuct above */
@@ -3253,6 +3271,42 @@ func getDomainPerfEventsFieldInfo(params *DomainPerfEvents) map[string]typedPara
set: ¶ms.RefCpuCyclesSet,
b: ¶ms.RefCpuCycles,
},
+ C.VIR_PERF_PARAM_CPU_CLOCK: typedParamsFieldInfo{
+ set: ¶ms.CpuClockSet,
+ b: ¶ms.CpuClock,
+ },
+ C.VIR_PERF_PARAM_TASK_CLOCK: typedParamsFieldInfo{
+ set: ¶ms.TaskClockSet,
+ b: ¶ms.TaskClock,
+ },
+ C.VIR_PERF_PARAM_PAGE_FAULTS: typedParamsFieldInfo{
+ set: ¶ms.PageFaultsSet,
+ b: ¶ms.PageFaults,
+ },
+ C.VIR_PERF_PARAM_CONTEXT_SWITCHES: typedParamsFieldInfo{
+ set: ¶ms.ContextSwitchesSet,
+ b: ¶ms.ContextSwitches,
+ },
+ C.VIR_PERF_PARAM_CPU_MIGRATIONS: typedParamsFieldInfo{
+ set: ¶ms.CpuMigrationsSet,
+ b: ¶ms.CpuMigrations,
+ },
+ C.VIR_PERF_PARAM_PAGE_FAULTS_MIN: typedParamsFieldInfo{
+ set: ¶ms.PageFaultsMinSet,
+ b: ¶ms.PageFaultsMin,
+ },
+ C.VIR_PERF_PARAM_PAGE_FAULTS_MAJ: typedParamsFieldInfo{
+ set: ¶ms.PageFaultsMajSet,
+ b: ¶ms.PageFaultsMaj,
+ },
+ C.VIR_PERF_PARAM_ALIGNMENT_FAULTS: typedParamsFieldInfo{
+ set: ¶ms.AlignmentFaultsSet,
+ b: ¶ms.AlignmentFaults,
+ },
+ C.VIR_PERF_PARAM_REF_EMULATION_FAULTS: typedParamsFieldInfo{
+ set: ¶ms.EmulationFaultsSet,
+ b: ¶ms.EmulationFaults,
+ },
}
}
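Review bot: The last added map key, C.VIR_PERF_PARAM_REF_EMULATION_FAULTS, does not match any macro in this patch: domain_compat.h defines VIR_PERF_PARAM_EMULATION_FAULTS, and the REF_ prefix looks carried over from the RefCpuCycles entry just above. As written the cgo reference will not resolve. Use C.VIR_PERF_PARAM_EMULATION_FAULTS, and consider a small test that round-trips every DomainPerfEvents field so a mistyped key is caught before review.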
diff --git a/domain_compat.h b/domain_compat.h
index 9540435..a114173 100644
--- a/domain_compat.h
+++ b/domain_compat.h
@@ -45,6 +45,42 @@
#define VIR_PERF_PARAM_REF_CPU_CYCLES "ref_cpu_cycles"
#endif
+#ifndef VIR_PERF_PARAM_CPU_CLOCK
+#define VIR_PERF_PARAM_CPU_CLOCK "cpu_clock"
+#endif
+
+#ifndef VIR_PERF_PARAM_TASK_CLOCK
+#define VIR_PERF_PARAM_TASK_CLOCK "task_clock"
+#endif
+
+#ifndef VIR_PERF_PARAM_PAGE_FAULTS
+#define VIR_PERF_PARAM_PAGE_FAULTS "page_faults"
+#endif
+
+#ifndef VIR_PERF_PARAM_CONTEXT_SWITCHES
+#define VIR_PERF_PARAM_CONTEXT_SWITCHES "context_switches"
+#endif
+
+#ifndef VIR_PERF_PARAM_CPU_MIGRATIONS
+#define VIR_PERF_PARAM_CPU_MIGRATIONS "cpu_migrations"
+#endif
+
+#ifndef VIR_PERF_PARAM_PAGE_FAULTS_MIN
+#define VIR_PERF_PARAM_PAGE_FAULTS_MIN "page_faults_min"
+#endif
+
+#ifndef VIR_PERF_PARAM_PAGE_FAULTS_MAJ
+#define VIR_PERF_PARAM_PAGE_FAULTS_MAJ "page_faults_maj"
+#endif
+
+#ifndef VIR_PERF_PARAM_ALIGNMENT_FAULTS
+#define VIR_PERF_PARAM__ALIGNMENT_FAULTS "alignment_faults"
+#endif
+
+#ifndef VIR_PERF_PARAM_EMULATION_FAULTS
+#define VIR_PERF_PARAM_EMULATION_FAULTS "emulation_faults"
+#endif
+
#ifndef VIR_DOMAIN_EVENT_ID_METADATA_CHANGE
#define VIR_DOMAIN_EVENT_ID_METADATA_CHANGE 23
#endif
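Review bot: The alignment-faults fallback defines a different name from the one it guards: the test is "#ifndef VIR_PERF_PARAM_ALIGNMENT_FAULTS" but the define is "VIR_PERF_PARAM__ALIGNMENT_FAULTS" with a doubled underscore. When building against libvirt headers that lack the constant, C.VIR_PERF_PARAM_ALIGNMENT_FAULTS used in domain.go stays undefined and the compat header does not do its job. Drop the extra underscore so the guard and the define agree, as they do in the other eight blocks.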
--
1.9.3
7 years, 9 months
[libvirt] [PATCH perl v2] Add constants for new perf event support
by Nitesh Konkar
Signed-off-by: Nitesh Konkar <nitkon12(a)linux.vnet.ibm.com>
---
Changes | 9 +++++++++
Virt.xs | 9 +++++++++
lib/Sys/Virt/Domain.pm | 54 ++++++++++++++++++++++++++++++++++++++++++++++++++
3 files changed, 72 insertions(+)
diff --git a/Changes b/Changes
index 842f21f..7d637f5 100644
--- a/Changes
+++ b/Changes
@@ -5,6 +5,15 @@ Revision history for perl module Sys::Virt
- Add VIR_CONNECT_LIST_STORAGE_POOLS_VSTORAGE constant
- Add VIR_CONNECT_LIST_NODE_DEVICES_CAP_DRM constant
- Add virDomainSetVcpu API
+ - Add PERF_PARAM_CPU_CLOCK constant
+ - Add PERF_PARAM_TASK_CLOCK constant
+ - Add PERF_PARAM_PAGE_FAULTS constant
+ - Add PERF_PARAM_CONTEXT_SWITCHES constant
+ - Add PERF_PARAM_CPU_MIGRATIONS constant
+ - Add PERF_PARAM_PAGE_FAULTS_MIN constant
+ - Add PERF_PARAM_PAGE_FAULTS_MAJ constant
+ - Add PERF_PARAM_ALIGNMENT_FAULTS constant
+ - Add PERF_PARAM_EMULATION_FAULTS constant
3.0.0 2017-01-19
diff --git a/Virt.xs b/Virt.xs
index 9728fb0..e80182f 100644
--- a/Virt.xs
+++ b/Virt.xs
@@ -8500,6 +8500,15 @@ BOOT:
REGISTER_CONSTANT_STR(VIR_PERF_PARAM_STALLED_CYCLES_FRONTEND, PERF_PARAM_STALLED_CYCLES_FRONTEND);
REGISTER_CONSTANT_STR(VIR_PERF_PARAM_STALLED_CYCLES_BACKEND, PERF_PARAM_STALLED_CYCLES_BACKEND);
REGISTER_CONSTANT_STR(VIR_PERF_PARAM_REF_CPU_CYCLES, PERF_PARAM_REF_CPU_CYCLES);
+ REGISTER_CONSTANT_STR(VIR_PERF_PARAM_CPU_CLOCK, PERF_PARAM_CPU_CLOCK);
+ REGISTER_CONSTANT_STR(VIR_PERF_PARAM_TASK_CLOCK, PERF_PARAM_TASK_CLOCK);
+ REGISTER_CONSTANT_STR(VIR_PERF_PARAM_PAGE_FAULTS, PERF_PARAM_PAGE_FAULTS);
+ REGISTER_CONSTANT_STR(VIR_PERF_PARAM_CONTEXT_SWITCHES, PERF_PARAM_CONTEXT_SWITCHES);
+ REGISTER_CONSTANT_STR(VIR_PERF_PARAM_CPU_MIGRATIONS, PERF_PARAM_CPU_MIGRATIONS);
+ REGISTER_CONSTANT_STR(VIR_PERF_PARAM_PAGE_FAULTS_MIN, PERF_PARAM_PAGE_FAULTS_MIN);
+ REGISTER_CONSTANT_STR(VIR_PERF_PARAM_PAGE_FAULTS_MAJ, PERF_PARAM_PAGE_FAULTS_MAJ);
+ REGISTER_CONSTANT_STR(VIR_PERF_PARAM_ALIGNMENT_FAULTS, PERF_PARAM_ALIGNMENT_FAULTS);
+ REGISTER_CONSTANT_STR(VIR_PERF_PARAM_EMULATION_FAULTS, PERF_PARAM_EMULATION_FAULTS);
REGISTER_CONSTANT_STR(VIR_DOMAIN_BANDWIDTH_IN_AVERAGE, BANDWIDTH_IN_AVERAGE);
REGISTER_CONSTANT_STR(VIR_DOMAIN_BANDWIDTH_IN_PEAK, BANDWIDTH_IN_PEAK);
diff --git a/lib/Sys/Virt/Domain.pm b/lib/Sys/Virt/Domain.pm
index 6b36e73..eea8b26 100644
--- a/lib/Sys/Virt/Domain.pm
+++ b/lib/Sys/Virt/Domain.pm
@@ -2814,6 +2814,60 @@ frequency scaling by applications running on the platform.
It corresponds to the "perf.ref_cpu_cycles" field in the
*Stats APIs.
+=item Sys::Virt::Domain::PERF_PARAM_CPU_CLOCK
+The cpu_clock perf event counter which can be used to
+measure the count of cpu clock time by applications
+running on the platform. It corresponds to the
+"perf.cpu_clock" field in the *Stats APIs.
+
+=item Sys::Virt::Domain::PERF_PARAM_TASK_CLOCK
+The task_clock perf event counter which can be used to
+measure the count of task clock time by applications
+running on the platform. It corresponds to the
+"perf.task_clock" field in the *Stats APIs.
+
+=item Sys::Virt::Domain::PERF_PARAM_PAGE_FAULTS
+The page_faults perf event counter which can be used to
+measure the count of page faults by applications running
+on the platform. It corresponds to the "perf.page_faults"
+field in the *Stats APIs.
+
+=item Sys::Virt::Domain::PERF_PARAM_CONTEXT_SWITCHES
+The context_switches perf event counter which can be used to
+measure the count of context switches by applications running
+on the platform. It corresponds to the "perf.context_switches"
+field in the *Stats APIs.
+
+=item Sys::Virt::Domain::PERF_PARAM_CPU_MIGRATIONS
+The cpu_migrations perf event counter which can be used to
+measure the count of cpu migrations by applications running
+on the platform. It corresponds to the "perf.cpu_migrations"
+field in the *Stats APIs.
+
+=item Sys::Virt::Domain::PERF_PARAM_PAGE_FAULTS_MIN
+The page_faults_min perf event counter which can be used to
+measure the count of minor page faults by applications running
+on the platform. It corresponds to the "perf.page_faults_min"
+field in the *Stats APIs.
+
+=item Sys::Virt::Domain::PERF_PARAM_PAGE_FAULTS_MAJ
+The page_faults_maj perf event counter which can be used to
+measure the count of major page faults by applications running
+on the platform. It corresponds to the "perf.page_faults_maj"
+field in the *Stats APIs.
+
+=item Sys::Virt::Domain::PERF_PARAM_ALIGNMENT_FAULTS
+The alignment_faults perf event counter which can be used to
+measure the count of alignment faults by applications running
+on the platform. It corresponds to the "perf.alignment_faults"
+field in the *Stats APIs.
+
+=item Sys::Virt::Domain::PERF_PARAM_EMULATION_FAULTS
+The emulation_faults perf event counter which can be used to
+measure the count of emulation faults by applications running
+on the platform. It corresponds to the "perf.emulation_faults"
+field in the *Stats APIs.
+
=back
=head2 VCPU FLAGS
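Review bot: Each added "=item Sys::Virt::Domain::PERF_PARAM_..." line is followed directly by its description with no blank line in between. A POD command paragraph runs until the next blank line, so the description text becomes part of the item heading instead of the item body. Add an empty line after every new =item line, as is done between the items themselves. The wording "measure the count of cpu clock time" and "the count of task clock time" also reads oddly for a time value; "measure the cpu clock time consumed by" would be clearer.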
--
1.9.3
7 years, 9 months
[libvirt] [PATCH] vz: correct error message
by Mikhail Feoktistov
---
src/vz/vz_sdk.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/src/vz/vz_sdk.c b/src/vz/vz_sdk.c
index e16bb0c..84e89a5 100644
--- a/src/vz/vz_sdk.c
+++ b/src/vz/vz_sdk.c
@@ -2601,8 +2601,10 @@ prlsdkCheckUnsupportedParams(PRL_HANDLE sdkdom, virDomainDefPtr def)
def->onCrash != VIR_DOMAIN_LIFECYCLE_CRASH_DESTROY) {
virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
- _("on_reboot, on_poweroff and on_crash parameters "
- "are not supported by vz driver"));
+ _("The following parameters must be "
+ "on_reboot = restart, on_poweroff = destroy, "
+ "on_crash = destroy. "
+ "Different actions are not supported by vz driver"));
return -1;
}
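Review bot: The new message in prlsdkCheckUnsupportedParams is hard to parse as a sentence: "The following parameters must be on_reboot = restart, on_poweroff = destroy, on_crash = destroy." lists values where the reader expects names. Something like "vz driver supports only on_reboot = restart, on_poweroff = destroy and on_crash = destroy" says the same in one sentence and keeps the translatable string simpler. The patch also has no commit message body or Signed-off-by line, so the reason for the rewording is not recorded.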
--
1.8.3.1
7 years, 9 months
[libvirt] [PATCH v2] Don't print extra newline in virsh domstats output
by Nitesh Konkar
Signed-off-by: Nitesh Konkar <nitkon12(a)linux.vnet.ibm.com>
---
virsh domstats --perf
Domain: 'Fedora123'
perf.cache_misses=394986
Domain: 'Fedora'
perf.cache_misses=447017
virsh domstats
Domain: 'Fedora123'
state.state=1
state.reason=1
cpu.time=562472167198
cpu.user=228340000000
cpu.system=303250000000
balloon.current=1048576
balloon.maximum=1048576
perf.cache_misses=634012
Domain: 'Fedora'
state.state=1
state.reason=1
cpu.time=19303277561180
cpu.user=5634250000000
cpu.system=9536140000000
balloon.current=1048576
balloon.maximum=1048576
perf.cache_misses=699207
tools/virsh-domain-monitor.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/tools/virsh-domain-monitor.c b/tools/virsh-domain-monitor.c
index 77aa272..901a6eb 100644
--- a/tools/virsh-domain-monitor.c
+++ b/tools/virsh-domain-monitor.c
@@ -2047,7 +2047,6 @@ virshDomainStatsPrintRecord(vshControl *ctl ATTRIBUTE_UNUSED,
VIR_FREE(param);
}
- vshPrint(ctl, "\n");
return true;
}
@@ -2145,9 +2144,13 @@ cmdDomstats(vshControl *ctl, const vshCmd *cmd)
goto cleanup;
}
- for (next = records; *next; next++) {
+ next = records;
+ while (*next) {
if (!virshDomainStatsPrintRecord(ctl, *next, raw))
goto cleanup;
+
+ if (*(++next))
+ vshPrint(ctl, "\n");
}
ret = true;
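Review bot: The rewritten loop in cmdDomstats hides its increment inside the separator test, "if (*(++next))", which makes the termination condition easy to misread and easy to break if another statement is added after it. Keeping the original "for (next = records; *next; next++)" and printing the separator with "if (*(next + 1)) vshPrint(ctl, \"\\n\");" gives the same output with the iteration in one place. The commit message shows the resulting output but does not say in words that the blank line is now emitted only between records; one sentence to that effect above the "---" would help.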
--
1.9.3
7 years, 9 months
[libvirt] [PATCH] qemu: Enforce qemuSecurity wrappers
by Michal Privoznik
Now that we have some qemuSecurity wrappers over
virSecurityManager APIs, let's make sure everybody sticks with
them. We have them for a reason and calling a virSecurityManager
API directly instead of the wrapper may lead to accidentally
labelling a file on the host instead of in the namespace.
Signed-off-by: Michal Privoznik <mprivozn(a)redhat.com>
---
This is an alternative approach to:
https://www.redhat.com/archives/libvir-list/2017-February/msg00271.html
cfg.mk | 5 ++++
src/qemu/qemu_command.c | 7 +++---
src/qemu/qemu_conf.c | 9 ++++---
src/qemu/qemu_domain.c | 17 ++++++-------
src/qemu/qemu_driver.c | 63 ++++++++++++++++++++++-------------------------
src/qemu/qemu_hotplug.c | 4 +--
src/qemu/qemu_migration.c | 13 +++++-----
src/qemu/qemu_process.c | 61 ++++++++++++++++++++++-----------------------
src/qemu/qemu_security.h | 32 ++++++++++++++++++++++++
9 files changed, 122 insertions(+), 89 deletions(-)
diff --git a/cfg.mk b/cfg.mk
index 69e3f3a1a..489fda8ea 100644
--- a/cfg.mk
+++ b/cfg.mk
@@ -983,6 +983,11 @@ sc_prohibit_sysconf_pagesize:
halt='use virGetSystemPageSize[KB] instead of sysconf(_SC_PAGESIZE)' \
$(_sc_search_regexp)
+sc_prohibit_virSecurity:
+ @grep -P 'virSecurityManager(?!Ptr)' $$($(VC_LIST_EXCEPT) | grep '^src/qemu/' | \
+ grep -v '^src/qemu/qemu_security') && \
+ { echo '$(ME): prefer qemuSecurity wrappers' 1>&2; exit 1; } || :
+
sc_prohibit_pthread_create:
@prohibit='\bpthread_create\b' \
exclude='sc_prohibit_pthread_create' \
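Review bot: The new sc_prohibit_virSecurity rule is written as a hand-rolled "grep -P ... && { echo ...; exit 1; } || :" pipeline, while the rules on either side of it in this hunk use the prohibit=/halt= variables with $(_sc_search_regexp). The hand-rolled form depends on grep being built with PCRE support for the "(?!Ptr)" lookahead, and if the file list produced by the inner $$(...) is ever empty, grep will read standard input instead of failing cleanly. The pattern also matches occurrences in comments, which is why the comment in qemu_command.c had to be reworded. If the lookahead cannot be expressed through the standard macro, a short comment above the rule explaining why it is special, and what exactly is exempt (only paths starting with src/qemu/qemu_security), would make that explicit.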
diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c
index c00a47a91..110540ba7 100644
--- a/src/qemu/qemu_command.c
+++ b/src/qemu/qemu_command.c
@@ -28,6 +28,7 @@
#include "qemu_capabilities.h"
#include "qemu_interface.h"
#include "qemu_alias.h"
+#include "qemu_security.h"
#include "cpu/cpu.h"
#include "dirname.h"
#include "viralloc.h"
@@ -8321,8 +8322,8 @@ qemuBuildInterfaceCommandLine(virQEMUDriverPtr driver,
}
for (i = 0; i < tapfdSize; i++) {
- if (virSecurityManagerSetTapFDLabel(driver->securityManager,
- def, tapfd[i]) < 0)
+ if (qemuSecuritySetTapFDLabel(driver->securityManager,
+ def, tapfd[i]) < 0)
goto cleanup;
virCommandPassFD(cmd, tapfd[i],
VIR_COMMAND_PASS_FD_CLOSE_PARENT);
@@ -8403,7 +8404,7 @@ qemuBuildInterfaceCommandLine(virQEMUDriverPtr driver,
/* NOTE: Not using const virDomainDef here since eventually a call is made
- * into virSecurityManagerSetTapFDLabel which calls it's driver
+ * into qemuSecuritySetTapFDLabel which calls it's driver
* API domainSetSecurityTapFDLabel that doesn't use the const format.
*/
static int
diff --git a/src/qemu/qemu_conf.c b/src/qemu/qemu_conf.c
index 0223a95d2..4fc0dee39 100644
--- a/src/qemu/qemu_conf.c
+++ b/src/qemu/qemu_conf.c
@@ -38,6 +38,7 @@
#include "qemu_conf.h"
#include "qemu_capabilities.h"
#include "qemu_domain.h"
+#include "qemu_security.h"
#include "viruuid.h"
#include "virbuffer.h"
#include "virconf.h"
@@ -904,7 +905,7 @@ virCapsPtr virQEMUDriverCreateCapabilities(virQEMUDriverPtr driver)
}
/* access sec drivers and create a sec model for each one */
- if (!(sec_managers = virSecurityManagerGetNested(driver->securityManager)))
+ if (!(sec_managers = qemuSecurityGetNested(driver->securityManager)))
goto error;
/* calculate length */
@@ -917,14 +918,14 @@ virCapsPtr virQEMUDriverCreateCapabilities(virQEMUDriverPtr driver)
for (i = 0; sec_managers[i]; i++) {
virCapsHostSecModelPtr sm = &caps->host.secModels[i];
- doi = virSecurityManagerGetDOI(sec_managers[i]);
- model = virSecurityManagerGetModel(sec_managers[i]);
+ doi = qemuSecurityGetDOI(sec_managers[i]);
+ model = qemuSecurityGetModel(sec_managers[i]);
if (VIR_STRDUP(sm->model, model) < 0 ||
VIR_STRDUP(sm->doi, doi) < 0)
goto error;
for (j = 0; j < ARRAY_CARDINALITY(virtTypes); j++) {
- lbl = virSecurityManagerGetBaseLabel(sec_managers[i], virtTypes[j]);
+ lbl = qemuSecurityGetBaseLabel(sec_managers[i], virtTypes[j]);
type = virDomainVirtTypeToString(virtTypes[j]);
if (lbl &&
virCapabilitiesHostSecModelAddBaseLabel(sm, type, lbl) < 0)
diff --git a/src/qemu/qemu_domain.c b/src/qemu/qemu_domain.c
index f62bf8f1d..2c827ea2c 100644
--- a/src/qemu/qemu_domain.c
+++ b/src/qemu/qemu_domain.c
@@ -588,8 +588,8 @@ qemuDomainWriteMasterKeyFile(virQEMUDriverPtr driver,
goto cleanup;
}
- if (virSecurityManagerDomainSetPathLabel(driver->securityManager,
- vm->def, path) < 0)
+ if (qemuSecurityDomainSetPathLabel(driver->securityManager,
+ vm->def, path) < 0)
goto cleanup;
ret = 0;
@@ -2688,7 +2688,7 @@ qemuDomainDefPostParse(virDomainDefPtr def,
if (qemuDomainRecheckInternalPaths(def, cfg, parseFlags) < 0)
goto cleanup;
- if (virSecurityManagerVerify(driver->securityManager, def) < 0)
+ if (qemuSecurityVerify(driver->securityManager, def) < 0)
goto cleanup;
if (qemuDomainDefVcpusPostParse(def) < 0)
@@ -7257,8 +7257,7 @@ qemuDomainSetupDev(virQEMUDriverPtr driver,
VIR_DEBUG("Setting up /dev/ for domain %s", vm->def->name);
- mount_options = virSecurityManagerGetMountOptions(driver->securityManager,
- vm->def);
+ mount_options = qemuSecurityGetMountOptions(driver->securityManager, vm->def);
if (!mount_options &&
VIR_STRDUP(mount_options, "") < 0)
@@ -7679,7 +7678,7 @@ qemuDomainAttachDeviceMknodHelper(pid_t pid ATTRIBUTE_UNUSED,
bool delDevice = false;
bool isLink = S_ISLNK(data->sb.st_mode);
- virSecurityManagerPostFork(data->driver->securityManager);
+ qemuSecurityPostFork(data->driver->securityManager);
if (virFileMakeParentPath(data->file) < 0) {
virReportSystemError(errno,
@@ -7841,16 +7840,16 @@ qemuDomainAttachDeviceMknodRecursive(virQEMUDriverPtr driver,
#endif
if (STRPREFIX(file, DEVPREFIX)) {
- if (virSecurityManagerPreFork(driver->securityManager) < 0)
+ if (qemuSecurityPreFork(driver->securityManager) < 0)
goto cleanup;
if (virProcessRunInMountNamespace(vm->pid,
qemuDomainAttachDeviceMknodHelper,
&data) < 0) {
- virSecurityManagerPostFork(driver->securityManager);
+ qemuSecurityPostFork(driver->securityManager);
goto cleanup;
}
- virSecurityManagerPostFork(driver->securityManager);
+ qemuSecurityPostFork(driver->securityManager);
}
if (isLink &&
diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c
index 89bc833de..096fe36fe 100644
--- a/src/qemu/qemu_driver.c
+++ b/src/qemu/qemu_driver.c
@@ -405,26 +405,26 @@ qemuSecurityInit(virQEMUDriverPtr driver)
cfg->securityDriverNames[0]) {
names = cfg->securityDriverNames;
while (names && *names) {
- if (!(mgr = virSecurityManagerNew(*names,
- QEMU_DRIVER_NAME,
- flags)))
+ if (!(mgr = qemuSecurityNew(*names,
+ QEMU_DRIVER_NAME,
+ flags)))
goto error;
if (!stack) {
- if (!(stack = virSecurityManagerNewStack(mgr)))
+ if (!(stack = qemuSecurityNewStack(mgr)))
goto error;
} else {
- if (virSecurityManagerStackAddNested(stack, mgr) < 0)
+ if (qemuSecurityStackAddNested(stack, mgr) < 0)
goto error;
}
mgr = NULL;
names++;
}
} else {
- if (!(mgr = virSecurityManagerNew(NULL,
- QEMU_DRIVER_NAME,
- flags)))
+ if (!(mgr = qemuSecurityNew(NULL,
+ QEMU_DRIVER_NAME,
+ flags)))
goto error;
- if (!(stack = virSecurityManagerNewStack(mgr)))
+ if (!(stack = qemuSecurityNewStack(mgr)))
goto error;
mgr = NULL;
}
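Review bot: The calls renamed in this qemuSecurityInit hunk (qemuSecurityNew, qemuSecurityNewStack, qemuSecurityStackAddNested) only build the manager stack and label nothing, so the namespace argument from the commit message does not apply to them; they are renamed because the syntax check exempts only src/qemu/qemu_security*. Since the diffstat shows the new names coming from 32 added lines in qemu_security.h alone, a comment there separating plain aliases from wrappers that actually change where labelling happens would keep readers from assuming every qemuSecurity* call is namespace-aware.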
@@ -432,17 +432,17 @@ qemuSecurityInit(virQEMUDriverPtr driver)
if (virQEMUDriverIsPrivileged(driver)) {
if (cfg->dynamicOwnership)
flags |= VIR_SECURITY_MANAGER_DYNAMIC_OWNERSHIP;
- if (!(mgr = virSecurityManagerNewDAC(QEMU_DRIVER_NAME,
- cfg->user,
- cfg->group,
- flags,
- qemuSecurityChownCallback)))
+ if (!(mgr = qemuSecurityNewDAC(QEMU_DRIVER_NAME,
+ cfg->user,
+ cfg->group,
+ flags,
+ qemuSecurityChownCallback)))
goto error;
if (!stack) {
- if (!(stack = virSecurityManagerNewStack(mgr)))
+ if (!(stack = qemuSecurityNewStack(mgr)))
goto error;
} else {
- if (virSecurityManagerStackAddNested(stack, mgr) < 0)
+ if (qemuSecurityStackAddNested(stack, mgr) < 0)
goto error;
}
mgr = NULL;
@@ -3088,7 +3088,7 @@ qemuDomainSaveMemory(virQEMUDriverPtr driver,
if (fd < 0)
goto cleanup;
- if (virSecurityManagerSetImageFDLabel(driver->securityManager, vm->def, fd) < 0)
+ if (qemuSecuritySetImageFDLabel(driver->securityManager, vm->def, fd) < 0)
goto cleanup;
if (!(wrapperFd = virFileWrapperFdNew(&fd, path, wrapperFlags)))
@@ -3553,8 +3553,7 @@ static int qemuDumpToFd(virQEMUDriverPtr driver, virDomainObjPtr vm,
return -1;
}
- if (virSecurityManagerSetImageFDLabel(driver->securityManager, vm->def,
- fd) < 0)
+ if (qemuSecuritySetImageFDLabel(driver->securityManager, vm->def, fd) < 0)
return -1;
VIR_FREE(priv->job.current);
@@ -3846,7 +3845,7 @@ qemuDomainScreenshot(virDomainPtr dom,
}
unlink_tmp = true;
- virSecurityManagerSetSavedStateLabel(driver->securityManager, vm->def, tmp);
+ qemuSecuritySetSavedStateLabel(driver->securityManager, vm->def, tmp);
qemuDomainObjEnterMonitor(driver, vm);
if (qemuMonitorScreendump(priv->mon, tmp) < 0) {
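Review bot: The renamed qemuSecuritySetSavedStateLabel call in qemuDomainScreenshot still discards its return value, unlike most other call sites touched by this patch, which test "< 0" and bail out. If labelling the temporary file fails, the subsequent qemuMonitorScreendump will fail later with a less useful error. Since the line is being touched anyway, either check the result and go to the cleanup path, or add a comment saying why the failure is deliberately ignored. The same applies to the identical call in the qemuDomainMemoryPeek hunk.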
@@ -5928,8 +5927,8 @@ static int qemuDomainGetSecurityLabel(virDomainPtr dom, virSecurityLabelPtr secl
* QEMU monitor hasn't seen SIGHUP/ERR on poll().
*/
if (virDomainObjIsActive(vm)) {
- if (virSecurityManagerGetProcessLabel(driver->securityManager,
- vm->def, vm->pid, seclabel) < 0) {
+ if (qemuSecurityGetProcessLabel(driver->securityManager,
+ vm->def, vm->pid, seclabel) < 0) {
virReportError(VIR_ERR_INTERNAL_ERROR,
"%s", _("Failed to get security label"));
goto cleanup;
@@ -5973,8 +5972,7 @@ static int qemuDomainGetSecurityLabelList(virDomainPtr dom,
ret = 0;
} else {
int len = 0;
- virSecurityManagerPtr* mgrs = virSecurityManagerGetNested(
- driver->securityManager);
+ virSecurityManagerPtr* mgrs = qemuSecurityGetNested(driver->securityManager);
if (!mgrs)
goto cleanup;
@@ -5990,8 +5988,8 @@ static int qemuDomainGetSecurityLabelList(virDomainPtr dom,
/* Fill the array */
for (i = 0; i < len; i++) {
- if (virSecurityManagerGetProcessLabel(mgrs[i], vm->def, vm->pid,
- &(*seclabels)[i]) < 0) {
+ if (qemuSecurityGetProcessLabel(mgrs[i], vm->def, vm->pid,
+ &(*seclabels)[i]) < 0) {
virReportError(VIR_ERR_INTERNAL_ERROR,
"%s", _("Failed to get security label"));
VIR_FREE(mgrs);
@@ -6369,8 +6367,8 @@ qemuDomainSaveImageStartVM(virConnectPtr conn,
cleanup:
virCommandFree(cmd);
VIR_FREE(errbuf);
- if (virSecurityManagerRestoreSavedStateLabel(driver->securityManager,
- vm->def, path) < 0)
+ if (qemuSecurityRestoreSavedStateLabel(driver->securityManager,
+ vm->def, path) < 0)
VIR_WARN("failed to restore save state label on %s", path);
virObjectUnref(cfg);
return ret;
@@ -11196,7 +11194,7 @@ qemuDomainMemoryPeek(virDomainPtr dom,
goto endjob;
}
- virSecurityManagerSetSavedStateLabel(driver->securityManager, vm->def, tmp);
+ qemuSecuritySetSavedStateLabel(driver->securityManager, vm->def, tmp);
priv = vm->privateData;
qemuDomainObjEnterMonitor(driver, vm);
@@ -17064,8 +17062,7 @@ qemuDomainOpenGraphics(virDomainPtr dom,
goto endjob;
}
- if (virSecurityManagerSetImageFDLabel(driver->securityManager, vm->def,
- fd) < 0)
+ if (qemuSecuritySetImageFDLabel(driver->securityManager, vm->def, fd) < 0)
goto endjob;
qemuDomainObjEnterMonitor(driver, vm);
@@ -17129,13 +17126,13 @@ qemuDomainOpenGraphicsFD(virDomainPtr dom,
goto cleanup;
}
- if (virSecurityManagerSetSocketLabel(driver->securityManager, vm->def) < 0)
+ if (qemuSecuritySetSocketLabel(driver->securityManager, vm->def) < 0)
goto cleanup;
if (socketpair(PF_UNIX, SOCK_STREAM, 0, pair) < 0)
goto cleanup;
- if (virSecurityManagerClearSocketLabel(driver->securityManager, vm->def) < 0)
+ if (qemuSecurityClearSocketLabel(driver->securityManager, vm->def) < 0)
goto cleanup;
if (qemuDomainObjBeginJob(driver, vm, QEMU_JOB_MODIFY) < 0)
diff --git a/src/qemu/qemu_hotplug.c b/src/qemu/qemu_hotplug.c
index 2f209f12b..b99b0e9fb 100644
--- a/src/qemu/qemu_hotplug.c
+++ b/src/qemu/qemu_hotplug.c
@@ -1134,8 +1134,8 @@ qemuDomainAttachNetDevice(virQEMUDriverPtr driver,
}
for (i = 0; i < tapfdSize; i++) {
- if (virSecurityManagerSetTapFDLabel(driver->securityManager,
- vm->def, tapfd[i]) < 0)
+ if (qemuSecuritySetTapFDLabel(driver->securityManager,
+ vm->def, tapfd[i]) < 0)
goto cleanup;
}
diff --git a/src/qemu/qemu_migration.c b/src/qemu/qemu_migration.c
index 0f4a6cf21..c40cb1391 100644
--- a/src/qemu/qemu_migration.c
+++ b/src/qemu/qemu_migration.c
@@ -40,6 +40,7 @@
#include "qemu_cgroup.h"
#include "qemu_hotplug.h"
#include "qemu_blockjob.h"
+#include "qemu_security.h"
#include "domain_audit.h"
#include "virlog.h"
@@ -4597,7 +4598,7 @@ qemuMigrationConnect(virQEMUDriverPtr driver,
spec->destType = MIGRATION_DEST_FD;
spec->dest.fd.qemu = -1;
- if (virSecurityManagerSetSocketLabel(driver->securityManager, vm->def) < 0)
+ if (qemuSecuritySetSocketLabel(driver->securityManager, vm->def) < 0)
goto cleanup;
if (virNetSocketNewConnectTCP(host, port,
AF_UNSPEC,
@@ -4605,7 +4606,7 @@ qemuMigrationConnect(virQEMUDriverPtr driver,
spec->dest.fd.qemu = virNetSocketDupFD(sock, true);
virObjectUnref(sock);
}
- if (virSecurityManagerClearSocketLabel(driver->securityManager, vm->def) < 0 ||
+ if (qemuSecurityClearSocketLabel(driver->securityManager, vm->def) < 0 ||
spec->dest.fd.qemu == -1)
goto cleanup;
@@ -5076,8 +5077,8 @@ static int doTunnelMigrate(virQEMUDriverPtr driver,
spec.dest.fd.local = fds[0];
}
if (spec.dest.fd.qemu == -1 ||
- virSecurityManagerSetImageFDLabel(driver->securityManager, vm->def,
- spec.dest.fd.qemu) < 0) {
+ qemuSecuritySetImageFDLabel(driver->securityManager, vm->def,
+ spec.dest.fd.qemu) < 0) {
virReportSystemError(errno, "%s",
_("cannot create pipe for tunnelled migration"));
goto cleanup;
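Review bot: In this doTunnelMigrate hunk a failure of qemuSecuritySetImageFDLabel shares its error path with "spec.dest.fd.qemu == -1", so a labelling failure is reported through virReportSystemError(errno, ...) as "cannot create pipe for tunnelled migration". That message is wrong for the labelling case, and errno at that point is not necessarily meaningful. This predates the rename, but as the call is being rewritten it is a good moment to split the condition so that the label failure goes to cleanup without emitting the pipe error.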
@@ -6463,8 +6464,8 @@ qemuMigrationToFile(virQEMUDriverPtr driver, virDomainObjPtr vm,
* doesn't have to open() the file, so while we still have to
* grant SELinux access, we can do it on fd and avoid cleanup
* later, as well as skip futzing with cgroup. */
- if (virSecurityManagerSetImageFDLabel(driver->securityManager, vm->def,
- compressor ? pipeFD[1] : fd) < 0)
+ if (qemuSecuritySetImageFDLabel(driver->securityManager, vm->def,
+ compressor ? pipeFD[1] : fd) < 0)
goto cleanup;
if (qemuDomainObjEnterMonitorAsync(driver, vm, asyncJob) < 0)
diff --git a/src/qemu/qemu_process.c b/src/qemu/qemu_process.c
index 92fa69b3c..5c44e565b 100644
--- a/src/qemu/qemu_process.c
+++ b/src/qemu/qemu_process.c
@@ -221,8 +221,7 @@ qemuConnectAgent(virQEMUDriverPtr driver, virDomainObjPtr vm)
return 0;
}
- if (virSecurityManagerSetDaemonSocketLabel(driver->securityManager,
- vm->def) < 0) {
+ if (qemuSecuritySetDaemonSocketLabel(driver->securityManager, vm->def) < 0) {
VIR_ERROR(_("Failed to set security context for agent for %s"),
vm->def->name);
goto cleanup;
@@ -250,8 +249,7 @@ qemuConnectAgent(virQEMUDriverPtr driver, virDomainObjPtr vm)
return -1;
}
- if (virSecurityManagerClearSocketLabel(driver->securityManager,
- vm->def) < 0) {
+ if (qemuSecurityClearSocketLabel(driver->securityManager, vm->def) < 0) {
VIR_ERROR(_("Failed to clear security context for agent for %s"),
vm->def->name);
qemuAgentClose(agent);
@@ -1657,8 +1655,7 @@ qemuConnectMonitor(virQEMUDriverPtr driver, virDomainObjPtr vm, int asyncJob,
int ret = -1;
qemuMonitorPtr mon = NULL;
- if (virSecurityManagerSetDaemonSocketLabel(driver->securityManager,
- vm->def) < 0) {
+ if (qemuSecuritySetDaemonSocketLabel(driver->securityManager, vm->def) < 0) {
VIR_ERROR(_("Failed to set security context for monitor for %s"),
vm->def->name);
return -1;
@@ -1695,7 +1692,7 @@ qemuConnectMonitor(virQEMUDriverPtr driver, virDomainObjPtr vm, int asyncJob,
}
priv->mon = mon;
- if (virSecurityManagerClearSocketLabel(driver->securityManager, vm->def) < 0) {
+ if (qemuSecurityClearSocketLabel(driver->securityManager, vm->def) < 0) {
VIR_ERROR(_("Failed to clear security context for monitor for %s"),
vm->def->name);
return -1;
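Review bot: in qemuConnectMonitor the qemuSecurityClearSocketLabel() failure path returns -1 after priv->mon = mon has already been assigned, while the matching path in qemuConnectAgent calls qemuAgentClose(agent) before bailing out. The rename does not change this, but since both call sites are touched here, please confirm the caller tears the monitor down on this return, or mirror the agent path.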
@@ -2638,7 +2635,7 @@ static int qemuProcessHook(void *data)
* protected across fork()
*/
- virSecurityManagerPostFork(h->driver->securityManager);
+ qemuSecurityPostFork(h->driver->securityManager);
/* Some later calls want pid present */
h->vm->pid = getpid();
@@ -2651,7 +2648,7 @@ static int qemuProcessHook(void *data)
* sockets the lock driver opens that we don't want
* labelled. So far we're ok though.
*/
- if (virSecurityManagerSetSocketLabel(h->driver->securityManager, h->vm->def) < 0)
+ if (qemuSecuritySetSocketLabel(h->driver->securityManager, h->vm->def) < 0)
goto cleanup;
if (virDomainLockProcessStart(h->driver->lockManager,
h->cfg->uri,
@@ -2660,7 +2657,7 @@ static int qemuProcessHook(void *data)
true,
&fd) < 0)
goto cleanup;
- if (virSecurityManagerClearSocketLabel(h->driver->securityManager, h->vm->def) < 0)
+ if (qemuSecurityClearSocketLabel(h->driver->securityManager, h->vm->def) < 0)
goto cleanup;
if (qemuDomainBuildNamespace(h->driver, h->vm) < 0)
@@ -3260,8 +3257,8 @@ qemuProcessBuildDestroyHugepagesPath(virQEMUDriverPtr driver,
goto cleanup;
}
- if (virSecurityManagerDomainSetPathLabel(driver->securityManager,
- vm->def, hugepagePath) < 0) {
+ if (qemuSecurityDomainSetPathLabel(driver->securityManager,
+ vm->def, hugepagePath) < 0) {
virReportError(VIR_ERR_INTERNAL_ERROR,
"%s", _("Unable to set huge path in security driver"));
goto cleanup;
@@ -3437,13 +3434,13 @@ qemuProcessReconnect(void *opaque)
/* if domain requests security driver we haven't loaded, report error, but
* do not kill the domain
*/
- ignore_value(virSecurityManagerCheckAllLabel(driver->securityManager,
- obj->def));
+ ignore_value(qemuSecurityCheckAllLabel(driver->securityManager,
+ obj->def));
if (qemuDomainRefreshVcpuInfo(driver, obj, QEMU_ASYNC_JOB_NONE, true) < 0)
goto error;
- if (virSecurityManagerReserveLabel(driver->securityManager, obj->def, obj->pid) < 0)
+ if (qemuSecurityReserveLabel(driver->securityManager, obj->def, obj->pid) < 0)
goto error;
if (qemuProcessNotifyNets(obj->def) < 0)
@@ -4451,8 +4448,8 @@ qemuProcessMakeDir(virQEMUDriverPtr driver,
goto cleanup;
}
- if (virSecurityManagerDomainSetPathLabel(driver->securityManager,
- vm->def, path) < 0)
+ if (qemuSecurityDomainSetPathLabel(driver->securityManager,
+ vm->def, path) < 0)
goto cleanup;
ret = 0;
@@ -4647,7 +4644,7 @@ qemuProcessStartValidate(virQEMUDriverPtr driver,
}
VIR_DEBUG("Checking domain and device security labels");
- if (virSecurityManagerCheckAllLabel(driver->securityManager, vm->def) < 0)
+ if (qemuSecurityCheckAllLabel(driver->securityManager, vm->def) < 0)
return -1;
}
@@ -5202,7 +5199,7 @@ qemuProcessPrepareDomain(virConnectPtr conn,
/* If you are using a SecurityDriver with dynamic labelling,
then generate a security label for isolation */
VIR_DEBUG("Generating domain security label (if required)");
- if (virSecurityManagerGenLabel(driver->securityManager, vm->def) < 0) {
+ if (qemuSecurityGenLabel(driver->securityManager, vm->def) < 0) {
virDomainAuditSecurityLabel(vm, false);
goto cleanup;
}
@@ -5513,8 +5510,8 @@ qemuProcessLaunch(virConnectPtr conn,
virCommandSetUmask(cmd, 0x002);
VIR_DEBUG("Setting up security labelling");
- if (virSecurityManagerSetChildProcessLabel(driver->securityManager,
- vm->def, cmd) < 0)
+ if (qemuSecuritySetChildProcessLabel(driver->securityManager,
+ vm->def, cmd) < 0)
goto cleanup;
virCommandSetOutputFD(cmd, &logfile);
@@ -5524,10 +5521,10 @@ qemuProcessLaunch(virConnectPtr conn,
virCommandDaemonize(cmd);
virCommandRequireHandshake(cmd);
- if (virSecurityManagerPreFork(driver->securityManager) < 0)
+ if (qemuSecurityPreFork(driver->securityManager) < 0)
goto cleanup;
rv = virCommandRun(cmd, NULL);
- virSecurityManagerPostFork(driver->securityManager);
+ qemuSecurityPostFork(driver->securityManager);
/* wait for qemu process to show up */
if (rv == 0) {
@@ -5604,8 +5601,8 @@ qemuProcessLaunch(virConnectPtr conn,
goto cleanup;
}
if (S_ISFIFO(stdin_sb.st_mode) &&
- virSecurityManagerSetImageFDLabel(driver->securityManager,
- vm->def, incoming->fd) < 0)
+ qemuSecuritySetImageFDLabel(driver->securityManager,
+ vm->def, incoming->fd) < 0)
goto cleanup;
}
@@ -6122,7 +6119,7 @@ void qemuProcessStop(virQEMUDriverPtr driver,
qemuSecurityRestoreAllLabel(driver, vm,
!!(flags & VIR_QEMU_PROCESS_STOP_MIGRATED));
- virSecurityManagerReleaseLabel(driver->securityManager, vm->def);
+ qemuSecurityReleaseLabel(driver->securityManager, vm->def);
for (i = 0; i < vm->def->ndisks; i++) {
virDomainDeviceDef dev;
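Review bot: after this change qemuProcessStop calls qemuSecurityRestoreAllLabel(driver, vm, ...) and qemuSecurityReleaseLabel(driver->securityManager, vm->def) on adjacent lines, so functions sharing the qemuSecurity prefix now take two different first arguments. Please mention the mixed convention in the commit message, or give the aliased names the (driver, vm) form now so these call sites need not be edited a second time when an alias becomes a real wrapper.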
@@ -6366,13 +6363,13 @@ int qemuProcessAttach(virConnectPtr conn ATTRIBUTE_UNUSED,
vm->pid = pid;
VIR_DEBUG("Detect security driver config");
- sec_managers = virSecurityManagerGetNested(driver->securityManager);
+ sec_managers = qemuSecurityGetNested(driver->securityManager);
if (sec_managers == NULL)
goto error;
for (i = 0; sec_managers[i]; i++) {
seclabelgen = false;
- model = virSecurityManagerGetModel(sec_managers[i]);
+ model = qemuSecurityGetModel(sec_managers[i]);
seclabeldef = virDomainDefGetSecurityLabelDef(vm->def, model);
if (seclabeldef == NULL) {
if (!(seclabeldef = virSecurityLabelDefNew(model)))
@@ -6382,8 +6379,8 @@ int qemuProcessAttach(virConnectPtr conn ATTRIBUTE_UNUSED,
seclabeldef->type = VIR_DOMAIN_SECLABEL_STATIC;
if (VIR_ALLOC(seclabel) < 0)
goto error;
- if (virSecurityManagerGetProcessLabel(sec_managers[i],
- vm->def, vm->pid, seclabel) < 0)
+ if (qemuSecurityGetProcessLabel(sec_managers[i], vm->def,
+ vm->pid, seclabel) < 0)
goto error;
if (VIR_STRDUP(seclabeldef->model, model) < 0)
@@ -6400,9 +6397,9 @@ int qemuProcessAttach(virConnectPtr conn ATTRIBUTE_UNUSED,
}
}
- if (virSecurityManagerCheckAllLabel(driver->securityManager, vm->def) < 0)
+ if (qemuSecurityCheckAllLabel(driver->securityManager, vm->def) < 0)
goto error;
- if (virSecurityManagerGenLabel(driver->securityManager, vm->def) < 0)
+ if (qemuSecurityGenLabel(driver->securityManager, vm->def) < 0)
goto error;
if (qemuDomainPerfRestart(vm) < 0)
diff --git a/src/qemu/qemu_security.h b/src/qemu/qemu_security.h
index 54638908d..d86db3f6b 100644
--- a/src/qemu/qemu_security.h
+++ b/src/qemu/qemu_security.h
@@ -28,6 +28,7 @@
# include "qemu_conf.h"
# include "domain_conf.h"
+# include "security/security_manager.h"
int qemuSecuritySetAllLabel(virQEMUDriverPtr driver,
virDomainObjPtr vm,
@@ -60,4 +61,35 @@ int qemuSecuritySetHostdevLabel(virQEMUDriverPtr driver,
int qemuSecurityRestoreHostdevLabel(virQEMUDriverPtr driver,
virDomainObjPtr vm,
virDomainHostdevDefPtr hostdev);
+
+/* Please note that for these APIs there is no wrapper yet. Do NOT blindly add
+ * new APIs here. If an API can touch a /dev file add a proper wrapper instead.
+ */
+# define qemuSecurityCheckAllLabel virSecurityManagerCheckAllLabel
+# define qemuSecurityClearSocketLabel virSecurityManagerClearSocketLabel
+# define qemuSecurityDomainSetPathLabel virSecurityManagerDomainSetPathLabel
+# define qemuSecurityGenLabel virSecurityManagerGenLabel
+# define qemuSecurityGetBaseLabel virSecurityManagerGetBaseLabel
+# define qemuSecurityGetDOI virSecurityManagerGetDOI
+# define qemuSecurityGetModel virSecurityManagerGetModel
+# define qemuSecurityGetMountOptions virSecurityManagerGetMountOptions
+# define qemuSecurityGetNested virSecurityManagerGetNested
+# define qemuSecurityGetProcessLabel virSecurityManagerGetProcessLabel
+# define qemuSecurityNew virSecurityManagerNew
+# define qemuSecurityNewDAC virSecurityManagerNewDAC
+# define qemuSecurityNewStack virSecurityManagerNewStack
+# define qemuSecurityPostFork virSecurityManagerPostFork
+# define qemuSecurityPreFork virSecurityManagerPreFork
+# define qemuSecurityReleaseLabel virSecurityManagerReleaseLabel
+# define qemuSecurityReserveLabel virSecurityManagerReserveLabel
+# define qemuSecurityRestoreSavedStateLabel virSecurityManagerRestoreSavedStateLabel
+# define qemuSecuritySetChildProcessLabel virSecurityManagerSetChildProcessLabel
+# define qemuSecuritySetDaemonSocketLabel virSecurityManagerSetDaemonSocketLabel
+# define qemuSecuritySetImageFDLabel virSecurityManagerSetImageFDLabel
+# define qemuSecuritySetSavedStateLabel virSecurityManagerSetSavedStateLabel
+# define qemuSecuritySetSocketLabel virSecurityManagerSetSocketLabel
+# define qemuSecuritySetTapFDLabel virSecurityManagerSetTapFDLabel
+# define qemuSecurityStackAddNested virSecurityManagerStackAddNested
+# define qemuSecurityVerify virSecurityManagerVerify
+
#endif /* __QEMU_SECURITY_H__ */
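Review bot: the comment above the #define block says an API that can touch a /dev file needs a proper wrapper, yet the list aliases qemuSecurityDomainSetPathLabel, which takes a caller-supplied path, and the fd-based qemuSecuritySetImageFDLabel and qemuSecuritySetTapFDLabel, without saying why they are exempt. Please state the criterion for these entries in the comment or the commit message. Because the header now includes security/security_manager.h and the aliases are plain macros, the virSecurityManager* names also remain directly callable from src/qemu; a syntax-check rule would be needed to enforce the new naming.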
--
2.11.0
7 years, 9 months
[libvirt] [PATH v9 00/12] Support cache tune in libvirt
by Eli Qiao
Addressed comment from v9 -> v8
Marcelo:
* New public API to query cache usage
Eli:
* Fix core dump while multiple tasks are added.
Addressed comment from v8 -> v7
Martin:
* Patch subject prefix.
* Move some of cpu related information to virhostcpu.c.
* Fix some memory leak in src/utils/resctrl.c
Martin & Marcelo:
* Don't remove directories which are not maintained by libvirt.
Addressed comment from v7 -> v6
Marcelo:
* Fix flock usage while VM initialization.
Addressed comment from v6 -> v5
Marcelo:
* Support other APPs to operate /sys/fs/resctrl at same time
Libvirt will scan /sys/fs/resctrl again before doing cache allocation.
patch 10 will address this.
Addressed comment from v4 -> v5:
Marcelo:
* Several typos
* Use flock instead of virFileLock
Addressed comment from v3 -> v4:
Daniel & Marcelo:
* Added concurrence support
Addressed comment from v2 -> v3:
Daniel:
* Fixed coding style, passed `make check` and `make syntax-check`
* Variables renaming and move from header file to c file.
* For locking/mutex support, no progress.
There is some discussion on the mailing list, but I cannot find a better
way to add locking support without performance impact.
I'll explain the process and please help to advise what we should do.
VM create:
1) Get the cache left value on each bank of the host. This should be
shared among all VMs.
2) Calculate the schemata on the bank based on all created resctrl
domains' schemata
3) Calculate the default schemata by scanning all domains' schemata.
4) Flush default schemata to /sys/fs/resctrl/schemata
VM destroy:
1) Remove the resctrl domain of that VM
2) Recalculate default schemata
3) Flush default schemata to /sys/fs/resctrl/schemata
The key point is that all VMs share /sys/fs/resctrl/schemata, and
when a VM creates a resctrl domain, the schemata of that VM depends on
the default schemata and all other existing schemata. So a global
mutex is required.
Before calculating a schemata or updating the default schemata, libvirt
should gain this global mutex.
I will try to think more about how to support this gracefully in the next
patch set.
Marcelo:
* Added vcpu support for cachetune, this will allow the user to define which
vcpu uses which cache allocation bank.
<cachetune id='0' host_id='0' size='3072' unit='KiB' vcpus='0,1'/>
vcpus is a cpumap, the vcpu pids will be added to the tasks file
* Added cdp compatibility, the user can specify l3 cache even if the host enables cdp.
See patch 8.
On a cdp enabled host, specify l3code/l3data by
<cachetune id='0' host_id='0' type='l3' size='3072' unit='KiB'/>
This will create a schemata like:
L3data:0=0xff00;...
L3code:0=0xff00;...
* Would you please help to test if the functions work.
Martin:
* Xml test case, I have no time to work on this yet, would you please
show me an example, would like to amend it later.
This patch series is for supporting CAT features, which is also
called cache tune in libvirt.
First, expose cache information which could be tuned in the capabilities XML.
Then add new domain XML element support to add a cache bank which will apply
to this libvirt domain.
This patch series adds a util file `resctrl.c/h`, an interface to talk with
the Linux kernel's system fs.
There is still one TODO left:
1. Expose a new public interface to set cachetune lively.
Some discussion about this feature support can be found from:
https://www.redhat.com/archives/libvir-list/2017-January/msg00644.html
Eli Qiao (12):
Resctrl: Add some utils functions
Resctrl: expose cache information to capabilities
Resctrl: Add new xml element to support cache tune
Resctrl: Add private interfaces to operate cache bank
Qemu: Set cache tune while booting a new domain.
Resctrl: enable l3code/l3data
Resctrl: Make sure l3data/l3code are pairs
Resctrl: Compatible mode for cdp enabled
Resctrl: concurrence support
Resctrl: Scan resctrl before doing cache allocation
Resctrl: Add Public API for nodecachestats
Resctrl: Add nodecachestats
daemon/remote.c | 67 +++
docs/schemas/domaincommon.rng | 46 ++
include/libvirt/libvirt-host.h | 32 ++
include/libvirt/virterror.h | 1 +
po/POTFILES.in | 1 +
src/Makefile.am | 1 +
src/conf/capabilities.c | 56 +++
src/conf/capabilities.h | 23 +
src/conf/domain_conf.c | 182 +++++++
src/conf/domain_conf.h | 19 +
src/driver-hypervisor.h | 7 +
src/libvirt-host.c | 41 ++
src/libvirt_private.syms | 12 +
src/libvirt_public.syms | 1 +
src/nodeinfo.c | 64 +++
src/nodeinfo.h | 1 +
src/qemu/qemu_capabilities.c | 8 +
src/qemu/qemu_driver.c | 18 +
src/qemu/qemu_process.c | 54 ++
src/remote/remote_driver.c | 52 ++
src/remote/remote_protocol.x | 25 +-
src/remote_protocol-structs | 16 +
src/util/virerror.c | 1 +
src/util/virhostcpu.c | 186 ++++++-
src/util/virhostcpu.h | 6 +
src/util/virresctrl.c | 1082 ++++++++++++++++++++++++++++++++++++++++
src/util/virresctrl.h | 96 ++++
tools/virsh-host.c | 49 ++
28 files changed, 2129 insertions(+), 18 deletions(-)
create mode 100644 src/util/virresctrl.c
create mode 100644 src/util/virresctrl.h
--
1.9.1
7 years, 9 months
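The VM create/destroy steps in the cover letter above recompute a default schemata from every domain's schemata. The sketch below is an added example, not code from this patch series: it handles plain `L3:` lines only (no `l3code`/`l3data` split) and assumes the default group keeps whatever ways no domain claimed. `MAX_BANKS`, `cbm_valid`, `schemata_claim` and `default_schemata` are hypothetical names.

```c
#include <stdio.h>
#include <string.h>

#define MAX_BANKS 4   /* assumed bound on cache ids */

/* One contiguous run of set bits: the form Intel CAT accepts as a mask. */
int cbm_valid(unsigned long m)
{
    return m != 0 && ((m + (m & -m)) & m) == 0;
}

/* OR every "id=mask" of a line like "L3:0=0xff00;1=0x00ff" into used[]. */
int schemata_claim(const char *line, unsigned long used[MAX_BANKS])
{
    unsigned long id, mask;
    int len;

    if (strncmp(line, "L3:", 3) != 0)
        return -1;
    for (line += 3; *line && *line != '\n'; line += len) {
        if (sscanf(line, "%lu=%lx%n", &id, &mask, &len) != 2 || id >= MAX_BANKS)
            return -1;
        used[id] |= mask;
        if (line[len] == ';')
            len++;
    }
    return 0;
}

/* Assumed policy: the default group keeps the ways no domain claimed.
 * Fails if a domain is malformed, claims bits outside `full`, or leaves
 * a default mask that is empty or non-contiguous. */
int default_schemata(unsigned long full, const char *const doms[], int ndoms,
                     int nbanks, unsigned long out[MAX_BANKS])
{
    unsigned long used[MAX_BANKS] = {0};
    int i;

    for (i = 0; i < ndoms; i++)
        if (schemata_claim(doms[i], used) < 0)
            return -1;
    for (i = 0; i < nbanks && i < MAX_BANKS; i++) {
        out[i] = full & ~used[i];
        if ((used[i] & ~full) || !cbm_valid(out[i]))
            return -1;
    }
    return 0;
}
```

In the flow the cover letter describes, this calculation would run with the global lock held, before the result is flushed to /sys/fs/resctrl/schemata. A domain that claims ways from the middle of a bank makes the call fail, because the remaining default mask would no longer be contiguous.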