[libvirt] [PATCH 0/2] Fix a couple issues found w/ vHBA logic
by John Ferlan
Patch 1 fixes something seen whilst working through patch 2. Long
description in patch 2 describes the problem.
John Ferlan (2):
storage: Alter check for default managed setting
conf: Fix vHBA checkParent logic for pool creation
src/conf/node_device_conf.c | 50 ++++++++++++++++++++++++++++++++------
src/storage/storage_backend_scsi.c | 6 ++---
2 files changed, 45 insertions(+), 11 deletions(-)
--
2.9.4
7 years, 5 months
[libvirt] [PATCH] wireshark: Adapt to tvb_new_subset() rename
by Michal Privoznik
In Wireshark commit of 7cd6906056922e4b8 (contained in v2.4.0)
the tvb_new_subset() function was renamed to
tvb_new_subset_length_caplen(). However, we can take the extra
step and rename to tvb_new_subset_remaining() directly (see
Wireshark commit 0ecfc7280cf3d7). The reasoning is that there is
no other protocol in the packet than libvirt. Therefore, from the
point that libvirt dissector takes over till the end of the
packet it's all libvirt packet.
Signed-off-by: Michal Privoznik <mprivozn(a)redhat.com>
---
tools/wireshark/src/packet-libvirt.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/tools/wireshark/src/packet-libvirt.c b/tools/wireshark/src/packet-libvirt.c
index a1f5a34f4..c15e9c340 100644
--- a/tools/wireshark/src/packet-libvirt.c
+++ b/tools/wireshark/src/packet-libvirt.c
@@ -313,7 +313,12 @@ dissect_libvirt_payload_xdr_data(tvbuff_t *tvb, proto_tree *tree, gint payload_l
payload_length -= 4;
}
+#if WIRESHARK_VERSION < 200400
payload_tvb = tvb_new_subset(tvb, start, -1, payload_length);
+#else
+ payload_tvb = tvb_new_subset_remaining(tvb, start);
+#endif
+
#if WIRESHARK_VERSION < 1012000
payload_data = (caddr_t)tvb_memdup(payload_tvb, 0, payload_length);
#else
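Review bot: The new guard `#if WIRESHARK_VERSION < 200400` does not follow the encoding that the existing check a few lines below already uses, where 1.12.0 is spelled `1012000` (major*1000000 + minor*1000 + micro); by that scheme 2.4.0 is `2004000`, and `200400` is smaller than any 1.x or 2.x value, so the tvb_new_subset() branch would never be selected and the tvb_new_subset_remaining() form would be compiled unconditionally. If tvb_new_subset_remaining() already exists on the older releases, the build would still succeed and mask the typo. Please change the guard to `#if WIRESHARK_VERSION < 2004000`. dissect_libvirt_payload_xdr_data continues outside the hunk.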
--
2.13.0
7 years, 5 months
[libvirt] [PATCH] nodedev: Fix call to virNodeDeviceObjListFree in nodeStateReload
by John Ferlan
Commit id '9c5d98fd8' missed changing this call to use driver->devs
rather than @driver->devs.
Signed-off-by: John Ferlan <jferlan(a)redhat.com>
---
Pushed under build breaker rule (debian-8 and centos-6)
src/node_device/node_device_hal.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/node_device/node_device_hal.c b/src/node_device/node_device_hal.c
index b220798..7f246f0 100644
--- a/src/node_device/node_device_hal.c
+++ b/src/node_device/node_device_hal.c
@@ -744,7 +744,7 @@ nodeStateReload(void)
VIR_INFO("Reloading HAL device state");
nodeDeviceLock();
VIR_INFO("Removing existing objects");
- virNodeDeviceObjListFree(&driver->devs);
+ virNodeDeviceObjListFree(driver->devs);
nodeDeviceUnlock();
hal_ctx = DRV_STATE_HAL_CTX(driver);
--
2.9.4
7 years, 5 months
[libvirt] [PATCH] security: dac: relabel spice rendernode
by Cole Robinson
For a logged-in user, a path like /dev/dri/renderD128 will have
default ownership root:video, which won't work for the qemu:qemu user,
so we need to chown it.
Thankfully with the namespace work we don't need to worry about this
shutting out other legitimate users
https://bugzilla.redhat.com/show_bug.cgi?id=1460804
Signed-off-by: Cole Robinson <crobinso(a)redhat.com>
---
Sidenote: Not sure about security_selinux changes... Fedora selinux policy
doesn't require relabeling /dev/dri/* nowadays so it isn't required to get
qemu to start up, and in fact will probably cause issues for qemu:///session
and non-namespace qemu:///system
src/security/security_dac.c | 61 +++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 61 insertions(+)
diff --git a/src/security/security_dac.c b/src/security/security_dac.c
index ca7a6af6d..4c86e5fe8 100644
--- a/src/security/security_dac.c
+++ b/src/security/security_dac.c
@@ -1371,6 +1371,57 @@ virSecurityDACRestoreTPMFileLabel(virSecurityManagerPtr mgr,
static int
+virSecurityDACSetGraphicsLabel(virSecurityManagerPtr mgr,
+ virDomainDefPtr def,
+ virDomainGraphicsDefPtr gfx)
+
+{
+ virSecurityDACDataPtr priv = virSecurityManagerGetPrivateData(mgr);
+ virSecurityLabelDefPtr seclabel;
+ uid_t user;
+ gid_t group;
+
+ seclabel = virDomainDefGetSecurityLabelDef(def, SECURITY_DAC_NAME);
+ if (seclabel && !seclabel->relabel)
+ return 0;
+
+ if (virSecurityDACGetIds(seclabel, priv, &user, &group, NULL, NULL) < 0)
+ return -1;
+
+ if (gfx->type == VIR_DOMAIN_GRAPHICS_TYPE_SPICE &&
+ gfx->data.spice.gl == VIR_TRISTATE_BOOL_YES &&
+ gfx->data.spice.rendernode) {
+ if (virSecurityDACSetOwnership(priv, NULL,
+ gfx->data.spice.rendernode,
+ user, group) < 0)
+ return -1;
+ }
+
+ return 0;
+}
+
+
+static int
+virSecurityDACRestoreGraphicsLabel(virSecurityManagerPtr mgr,
+ virDomainDefPtr def ATTRIBUTE_UNUSED,
+ virDomainGraphicsDefPtr gfx)
+
+{
+ virSecurityDACDataPtr priv = virSecurityManagerGetPrivateData(mgr);
+
+ if (gfx->type == VIR_DOMAIN_GRAPHICS_TYPE_SPICE &&
+ gfx->data.spice.gl == VIR_TRISTATE_BOOL_YES &&
+ gfx->data.spice.rendernode) {
+ if (virSecurityDACRestoreFileLabel(priv,
+ gfx->data.spice.rendernode) < 0)
+ return -1;
+ }
+
+ return 0;
+}
+
+
+static int
virSecurityDACSetInputLabel(virSecurityManagerPtr mgr,
virDomainDefPtr def,
virDomainInputDefPtr input)
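Review bot: virSecurityDACRestoreGraphicsLabel() hands the rendernode to virSecurityDACRestoreFileLabel() whenever this domain stops, but a path such as /dev/dri/renderD128 is a host-wide device that another running domain with spice gl may be sharing, so the restore would revoke the qemu user's access to a device still in use; the sidenote in the description already concedes this for qemu:///session and non-namespace qemu:///system. Unless per-domain mount namespaces are guaranteed on every path that reaches this code, the restore should be skipped while another active domain references the same rendernode, or at least be documented as relying on namespaces, e.g. `/* rendernode is shared host-wide; restoring is only safe with per-domain /dev namespaces */` above the virSecurityDACRestoreFileLabel() call. Separately, the blank line between the parameter list and the opening brace of both new functions is not the file's style and can go.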
@@ -1481,6 +1532,11 @@ virSecurityDACRestoreAllLabel(virSecurityManagerPtr mgr,
rc = -1;
}
+ for (i = 0; i < def->ngraphics; i++) {
+ if (virSecurityDACRestoreGraphicsLabel(mgr, def, def->graphics[i]) < 0)
+ return -1;
+ }
+
for (i = 0; i < def->ninputs; i++) {
if (virSecurityDACRestoreInputLabel(mgr, def, def->inputs[i]) < 0)
rc = -1;
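Review bot: The new graphics restore loop bails out with `return -1;` on the first failing device, whereas the input loop right below it records `rc = -1;` and keeps going, so one failed chown on a rendernode would leave every later device (inputs and whatever follows in the function) still owned by the guest's user. In a restore path that is the wrong trade-off; the loop body should use `rc = -1;` to match the surrounding code. The enclosing virSecurityDACRestoreAllLabel starts before the hunk and ends after it.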
@@ -1601,6 +1657,11 @@ virSecurityDACSetAllLabel(virSecurityManagerPtr mgr,
return -1;
}
+ for (i = 0; i < def->ngraphics; i++) {
+ if (virSecurityDACSetGraphicsLabel(mgr, def, def->graphics[i]) < 0)
+ return -1;
+ }
+
for (i = 0; i < def->ninputs; i++) {
if (virSecurityDACSetInputLabel(mgr, def, def->inputs[i]) < 0)
return -1;
--
2.13.3
7 years, 5 months
[libvirt] backingStore info adding late breaks virt-aa-helper
by Christian Ehrhardt
Hi,
there is a behavioral change I try to track down that affects
virt-aa-helper.
TL;DR:
- it seems backingStore info gets added "later" in recent versions which
causes issues in virt-aa-helper
Details:
For a guest containing a qcow2 disk like this:
<disk type='file' device='disk'>
<driver name='qemu' type='qcow2'/>
<source
file='/var/lib/uvtool/libvirt/images/kvmguest-artful-normal.qcow'/>
<target dev='vda' bus='virtio'/>
</disk>
And said qcow disk having a backing file:
$ qemu-img info /var/lib/uvtool/libvirt/images/kvmguest-artful-normal.qcow
image: /var/lib/uvtool/libvirt/images/kvmguest-artful-normal.qcow
[...]
backing file:
/var/lib/uvtool/libvirt/images/x-uvt-b64-Y29tLnVidW50dS5jbG91ZC5kYWlseTpzZXJ2ZXI6MTcuMTA6cHBjNjRlbCAyMDE3MDcxMw==
Now when instantiating the guest this gets the backingStore info added like:
<backingStore type='file' index='1'>
<format type='qcow2'/>
<source
file='/var/lib/uvtool/libvirt/images/x-uvt-b64-Y29tLnVidW50dS5jbG91ZC5kYWlseTpzZXJ2ZXI6MTcuMTA6cHBjNjRlbCAyMDE3MDcxMw=='/>
<backingStore/>
</backingStore>
But this now seems to come in "too late" for virt-aa-helper.
That tool is reading the guest definition to create custom rules for that
guest that opens up the apparmor profile.
And in relation to the devices the following in
src/security/virt-aa-helper.c is the important part:
Loops over disks and in those "down" the chain of backing stores:
929 for (i = 0; i < ctl->def->ndisks; i++) {
[...]
947 if (virDomainDiskDefForeachPath(disk, true, add_file_path,
&buf) < 0)
If you pass virt-aa-helper in libvirt 3.5 a full snippet with
backingStore info it behaves the same as back in 2.5, emitting a rule for
the backing store.
But when starting a guest on libvirt 3.5 this no longer works, so it
seems that on instantiating the guest
Past (2.5)
1. add backingStore info to guest representation
2. virt-aa-helper parses guest representation and creates rules
3. guest starts fine
changed to now (3.5):
1. virt-aa-helper parses guest representation and creates rules
2. add backingStore info to guest representation
3. guest fails to start as the apparmor rule to allow it access to its
backing file is missing.
I've verified that recent libvirt properly adds the backingStore eventually
(by disabling the apparmor profile and then starting the guest). Once fully
started the live xml representation has the backing store info added.
But as outlined above, at the point virt-aa-helper runs now the necessary
backingStore data seems to be missing.
I couldn't find the related change or a way to fix it so far, so any hints
are welcome.
--
Christian Ehrhardt
Software Engineer, Ubuntu Server
Canonical Ltd
7 years, 5 months
[libvirt] [PATCH v4 0/4] Host device isolation for pSeries guests
by Andrea Bolognani
Changes from [v3]:
* correctly handle interfaces connected to hostdev-backed
networks;
* drop patches implementing support for multiple PHBs, as
they have been merged already;
* some minor cleanups.
Changes from [v2]:
* support hot(un)plug properly;
* add documentation.
Changes from [v1]:
* address review comments;
* implement a much better isolation algorithm that doesn't
require parsing and formatting the isolation group and
can handle more dynamic scenarios, such as empty PHBs
changing their isolation groups to accommodate hotplugged
hostdevs;
* add more test cases.
[v3] https://www.redhat.com/archives/libvir-list/2017-June/msg01018.html
[v2] https://www.redhat.com/archives/libvir-list/2017-June/msg00695.html
[v1] https://www.redhat.com/archives/libvir-list/2017-June/msg00110.html
Andrea Bolognani (4):
conf: Introduce isolation groups
conf: Implement isolation rules
qemu: Isolate hostdevs on pSeries guests
news: Update for hostdev isolation
docs/news.xml | 10 +
src/bhyve/bhyve_device.c | 4 +-
src/conf/device_conf.h | 10 +
src/conf/domain_addr.c | 86 ++++++-
src/conf/domain_addr.h | 12 +-
src/conf/domain_conf.c | 2 +
src/qemu/qemu_domain_address.c | 276 +++++++++++++++++++--
src/qemu/qemu_domain_address.h | 4 +
src/qemu/qemu_hotplug.c | 7 +
tests/qemumemlocktest.c | 2 +-
.../qemuxml2argv-pseries-hostdevs-1.args | 8 +-
.../qemuxml2argv-pseries-hostdevs-2.args | 3 +-
.../qemuxml2argv-pseries-hostdevs-3.args | 2 +-
.../qemuxml2xmlout-pseries-hostdevs-1.xml | 14 +-
.../qemuxml2xmlout-pseries-hostdevs-2.xml | 6 +-
.../qemuxml2xmlout-pseries-hostdevs-3.xml | 2 +-
16 files changed, 410 insertions(+), 38 deletions(-)
--
2.7.5
7 years, 5 months
[libvirt] [v2 RESEND PATCH] qemu: reduce packet loss rate for vm with macvtap passthrough mode in migration
by ZhiPeng Lu
Previously, libvirt, when calling virNetDevMacVLanCreateWithVPortProfile, set the MAC address
or VLAN of a Virtual Function (VF) linked to a macvtap passthrough device on the migration
destination host during the migration start step. If we ping the migrating VM,
the network does not pass, because the VFs on the migration source and destination
have the same MAC address. This patch instead calls qemuMigrationVPAssociatePortProfiles
to set the VF's MAC address in the migration finish step rather than the start step.
The patch aims to reduce the packet loss rate.
Signed-off-by: ZhiPeng Lu <lu.zhipeng(a)zte.com.cn>
---
src/qemu/qemu_migration.c | 18 ++++++++++++++++--
src/util/virnetdevmacvlan.c | 17 +++++++++++------
2 files changed, 27 insertions(+), 8 deletions(-)
diff --git a/src/qemu/qemu_migration.c b/src/qemu/qemu_migration.c
index 09adb04..795ed71 100644
--- a/src/qemu/qemu_migration.c
+++ b/src/qemu/qemu_migration.c
@@ -5004,7 +5004,7 @@ qemuMigrationPerform(virQEMUDriverPtr driver,
}
static int
-qemuMigrationVPAssociatePortProfiles(virDomainDefPtr def)
+qemuMigrationVPAssociatePortProfiles(virDomainDefPtr def, const char *stateDir)
{
size_t i;
int last_good_net = -1;
@@ -5013,6 +5013,20 @@ qemuMigrationVPAssociatePortProfiles(virDomainDefPtr def)
for (i = 0; i < def->nnets; i++) {
net = def->nets[i];
if (virDomainNetGetActualType(net) == VIR_DOMAIN_NET_TYPE_DIRECT) {
+ if ((!virDomainNetGetActualVirtPortProfile(net) || (virDomainNetGetActualVirtPortProfile(net) &&
+ virDomainNetGetActualVirtPortProfile(net)->virtPortType != VIR_NETDEV_VPORT_PROFILE_8021QBG &&
+ virDomainNetGetActualVirtPortProfile(net)->virtPortType != VIR_NETDEV_VPORT_PROFILE_8021QBH)) &&
+ virDomainNetGetActualDirectMode(net) ==
+ VIR_NETDEV_MACVLAN_MODE_PASSTHRU) {
+ if (virNetDevSaveNetConfig(virDomainNetGetActualDirectDev(net),
+ -1, stateDir, false) < 0) {
+ goto err_exit;
+ }
+ if (virNetDevSetNetConfig(virDomainNetGetActualDirectDev(net),
+ -1, NULL, virDomainNetGetActualVlan(net), &net->mac, false) < 0) {
+ goto err_exit;
+ }
+ }
if (virNetDevVPortProfileAssociate(net->ifname,
virDomainNetGetActualVirtPortProfile(net),
&net->mac,
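Review bot: The condition at the top of the new block calls virDomainNetGetActualVirtPortProfile() three times, and the inner `virDomainNetGetActualVirtPortProfile(net) &&` is redundant once `!virDomainNetGetActualVirtPortProfile(net) ||` has already failed. Hoisting the result into a local keeps the lines within the project's usual width and makes the intent (anything that is not 802.1Qbg/Qbh) readable: `virNetDevVPortProfilePtr vport = virDomainNetGetActualVirtPortProfile(net);` followed by `if ((!vport || (vport->virtPortType != VIR_NETDEV_VPORT_PROFILE_8021QBG && vport->virtPortType != VIR_NETDEV_VPORT_PROFILE_8021QBH)) && virDomainNetGetActualDirectMode(net) == VIR_NETDEV_MACVLAN_MODE_PASSTHRU) {`. It is also unclear from the hunk whether the config saved by virNetDevSaveNetConfig() is cleaned up when the following virNetDevSetNetConfig() fails and the code jumps to err_exit; the loop body and the err_exit label are outside the hunk.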
@@ -5187,7 +5201,7 @@ qemuMigrationFinish(virQEMUDriverPtr driver,
goto endjob;
}
- if (qemuMigrationVPAssociatePortProfiles(vm->def) < 0)
+ if (qemuMigrationVPAssociatePortProfiles(vm->def, cfg->stateDir) < 0)
goto endjob;
if (mig->network && qemuDomainMigrateOPDRelocate(driver, vm, mig) < 0)
diff --git a/src/util/virnetdevmacvlan.c b/src/util/virnetdevmacvlan.c
index 7222b0f..682dcd1 100644
--- a/src/util/virnetdevmacvlan.c
+++ b/src/util/virnetdevmacvlan.c
@@ -1020,12 +1020,17 @@ virNetDevMacVLanCreateWithVPortProfile(const char *ifnameRequested,
*/
setVlan = false;
}
-
- if (virNetDevSaveNetConfig(linkdev, -1, stateDir, setVlan) < 0)
- return -1;
-
- if (virNetDevSetNetConfig(linkdev, -1, NULL, vlan, macaddress, setVlan) < 0)
- return -1;
+ if (vmOp != VIR_NETDEV_VPORT_PROFILE_OP_MIGRATE_IN_START &&
+ virtPortProfile && (virtPortProfile->virtPortType == VIR_NETDEV_VPORT_PROFILE_8021QBH ||
+ virtPortProfile->virtPortType == VIR_NETDEV_VPORT_PROFILE_8021QBG)) {
+ if (virNetDevSaveNetConfig(linkdev, -1, stateDir, setVlan) < 0) {
+ return -1;
+ }
+ if (virNetDevSetNetConfig(linkdev, -1, NULL, vlan, macaddress,
+ setVlan) < 0) {
+ return -1;
+ }
+ }
}
if (ifnameRequested) {
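Review bot: After this change a macvtap passthrough device with no virtualport gets neither virNetDevSaveNetConfig() nor virNetDevSetNetConfig() at ordinary domain start, because the new condition requires a virtPortProfile of type 802.1Qbh/Qbg, and the finish-time path added to qemuMigrationVPAssociatePortProfiles in the other file only runs on migration; unless the VF MAC/VLAN is set somewhere I cannot see, that is a regression for a non-migration start with a plain passthrough VF. If the intent is only to defer the work for a migration-in start, the test should be `if (vmOp != VIR_NETDEV_VPORT_PROFILE_OP_MIGRATE_IN_START) {` with the profile-type check dropped; if the deferral is meant to apply only to non-Qbg/Qbh profiles, that restriction belongs on the deferral side, not on the normal-start side. A short comment above the block explaining why the MAC/VLAN is set at migration finish instead of start would also help. The enclosing function continues outside the hunk.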
--
1.8.3.1
7 years, 5 months
[libvirt] [PATCH] Revert "nwfilter: Move save of config until after successful assign"
by John Ferlan
This reverts commit b3e71a8830b2683ee88fa10cb048eabb99a446c0.
As it turns out this ends up very badly as the @def could be Free'd
even though it's owned by @obj as a result of the AssignDef.
Signed-off-by: John Ferlan <jferlan(a)redhat.com>
---
src/conf/virnwfilterobj.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/src/conf/virnwfilterobj.c b/src/conf/virnwfilterobj.c
index b5aaa6b..b36eda1 100644
--- a/src/conf/virnwfilterobj.c
+++ b/src/conf/virnwfilterobj.c
@@ -501,14 +501,14 @@ virNWFilterObjListLoadConfig(virNWFilterObjListPtr nwfilters,
goto error;
}
- if (!(obj = virNWFilterObjListAssignDef(nwfilters, def)))
- goto error;
-
/* We generated a UUID, make it permanent by saving the config to disk */
if (!def->uuid_specified &&
virNWFilterSaveConfig(configDir, def) < 0)
goto error;
+ if (!(obj = virNWFilterObjListAssignDef(nwfilters, def)))
+ goto error;
+
VIR_FREE(configFile);
return obj;
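Review bot: With the save moved back before virNWFilterObjListAssignDef(), a failed assign once again leaves the freshly written config file for the generated UUID on disk while no object was registered, which is the situation the reverted commit was trying to avoid. Reverting is the right immediate step given the use-after-free the description explains, but the error path after virNWFilterSaveConfig() should eventually remove the file it just wrote, or the save should follow the assign with the error path adjusted so @def is not freed once @obj owns it. The enclosing virNWFilterObjListLoadConfig and its error label are outside the hunk.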
--
2.9.4
7 years, 5 months
[libvirt] [PATCH] security: Use VIR_DEBUG instead of VIR_INFO in virSecurityDACSetOwnershipInternal
by xinhua.Cao
virSecurityDACSetOwnershipInternal is called from a libvirt child process,
so logging with VIR_INFO in the normal case can lead to a deadlock;
libvirtd would then deadlock as well, because it is waiting for the child's message.
We therefore suggest using VIR_DEBUG instead of VIR_INFO to avoid this.
---
src/security/security_dac.c | 22 +++++++++++-----------
1 file changed, 11 insertions(+), 11 deletions(-)
diff --git a/src/security/security_dac.c b/src/security/security_dac.c
index ca7a6af..7bfd090 100644
--- a/src/security/security_dac.c
+++ b/src/security/security_dac.c
@@ -552,8 +552,8 @@ virSecurityDACSetOwnershipInternal(const virSecurityDACData *priv,
else if (rc > 0)
return 0;
- VIR_INFO("Setting DAC user and group on '%s' to '%ld:%ld'",
- NULLSTR(src ? src->path : path), (long) uid, (long) gid);
+ VIR_DEBUG("Setting DAC user and group on '%s' to '%ld:%ld'",
+ NULLSTR(src ? src->path : path), (long) uid, (long) gid);
if (priv && src && priv->chownCallback) {
rc = priv->chownCallback(src, uid, gid);
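Review bot: Lowering the level only removes the message when debug output is filtered out; as far as I can tell VIR_DEBUG goes through the same logging path as VIR_INFO, so if the hang comes from logging in the forked child (the description says the function runs in the child process), a deployment with debug logging enabled would still deadlock. The same applies to the three messages in the second hunk. If the root cause is logging after fork, the robust fix is to avoid logging in the child altogether or to make the child's logging path fork-safe, and the commit message should name the lock involved so reviewers can verify the analysis. The enclosing function continues outside both hunks.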
@@ -591,17 +591,17 @@ virSecurityDACSetOwnershipInternal(const virSecurityDACData *priv,
if (rc < 0) {
if (errno == EOPNOTSUPP || errno == EINVAL) {
- VIR_INFO("Setting user and group to '%ld:%ld' on '%s' not "
- "supported by filesystem",
- (long) uid, (long) gid, path);
+ VIR_DEBUG("Setting user and group to '%ld:%ld' on '%s' not "
+ "supported by filesystem",
+ (long) uid, (long) gid, path);
} else if (errno == EPERM) {
- VIR_INFO("Setting user and group to '%ld:%ld' on '%s' not "
- "permitted",
- (long) uid, (long) gid, path);
+ VIR_DEBUG("Setting user and group to '%ld:%ld' on '%s' not "
+ "permitted",
+ (long) uid, (long) gid, path);
} else if (errno == EROFS) {
- VIR_INFO("Setting user and group to '%ld:%ld' on '%s' not "
- "possible on readonly filesystem",
- (long) uid, (long) gid, path);
+ VIR_DEBUG("Setting user and group to '%ld:%ld' on '%s' not "
+ "possible on readonly filesystem",
+ (long) uid, (long) gid, path);
} else {
virReportSystemError(errno,
_("unable to set user and group to '%ld:%ld' "
--
2.8.3
7 years, 5 months
[libvirt] [PATCH] qemu: Use the proper string in qemuBlock...JSONSocketAddress()
by Martin Kletzander
Recent refactors made it so that the function may use an uninitialized
pointer, when it actually wanted a different variable and value
altogether.
Signed-off-by: Martin Kletzander <mkletzan(a)redhat.com>
---
src/qemu/qemu_block.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/qemu/qemu_block.c b/src/qemu/qemu_block.c
index ccaf3261101d..93124c5ba486 100644
--- a/src/qemu/qemu_block.c
+++ b/src/qemu/qemu_block.c
@@ -482,7 +482,7 @@ qemuBlockStorageSourceBuildHostsJSONSocketAddress(virStorageSourcePtr src,
case VIR_STORAGE_NET_HOST_TRANS_LAST:
virReportError(VIR_ERR_INTERNAL_ERROR,
_("transport protocol '%s' is not yet supported"),
- transport);
+ virStorageNetHostTransportTypeToString(host->transport));
goto cleanup;
}
--
2.13.3
7 years, 5 months