January 2018 - Devel - libvirt List Archives

[libvirt] [PATCH V2] nodedev: Fix failing to parse PCI address for non-PCI network devices
by Jim Fehlig 17 Jan '18

17 Jan '18

Based loosely on a patch from Fei Li <fli(a)suse.com>. Commit 8708ca01c added virNetDevSwitchdevFeature() to check if a network device has Switchdev capabilities. virNetDevSwitchdevFeature() attempts to retrieve the PCI device associated with the network device, ignoring non-PCI devices. It does so via the following call chain virNetDevSwitchdevFeature()->virNetDevGetPCIDevice()-> virPCIGetDeviceAddressFromSysfsLink() For non-PCI network devices (qeth, Xen vif, etc), virPCIGetDeviceAddressFromSysfsLink() will report an error when virPCIDeviceAddressParse() fails. virPCIDeviceAddressParse() also logs an error. After commit 8708ca01c there are now two errors reported for each non-PCI network device even though the errors are harmless. To avoid changing virPCIGetDeviceAddressFromSysfsLink(), virPCIDeviceAddressParse() and related code that has quite a few call sites, add a function to check if a network device is a PCI device and use it in virNetDevSwitchdevFeature() before attempting to retrieve the PCI device. --- Suggestions welcome on a better name for virPCIIsPCIDevice, or even a better approach to solving this issue. Currently virPCIIsPCIDevice assumes the device is PCI if its subsystem starts with 'pci'. I'd be happy to hear if there is a better way to determine if a network device is PCI. src/libvirt_private.syms | 1 + src/util/virnetdev.c | 25 ++++++++++++++++++++++--- src/util/virpci.c | 32 ++++++++++++++++++++++++++++++++ src/util/virpci.h | 3 +++ 4 files changed, 58 insertions(+), 3 deletions(-) diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms index a705fa846..bdf98ded1 100644 --- a/src/libvirt_private.syms +++ b/src/libvirt_private.syms @@ -2458,6 +2458,7 @@ virPCIGetVirtualFunctionInfo; virPCIGetVirtualFunctions; virPCIHeaderTypeFromString; virPCIHeaderTypeToString; +virPCIIsPCIDevice; virPCIIsVirtualFunction; virPCIStubDriverTypeFromString; virPCIStubDriverTypeToString; diff --git a/src/util/virnetdev.c b/src/util/virnetdev.c index eb2d119bf..a9af08797 100644 --- a/src/util/virnetdev.c +++ b/src/util/virnetdev.c @@ -1148,6 +1148,21 @@ virNetDevSysfsDeviceFile(char **pf_sysfs_device_link, const char *ifname, } +static bool +virNetDevIsPCIDevice(const char *devName) +{ + char *vfSysfsDevicePath = NULL; + bool ret; + + if (virNetDevSysfsFile(&vfSysfsDevicePath, devName, "device/subsystem") < 0) + return false; + + ret = virPCIIsPCIDevice(vfSysfsDevicePath); + VIR_FREE(vfSysfsDevicePath); + return ret; +} + + static virPCIDevicePtr virNetDevGetPCIDevice(const char *devName) { @@ -3236,14 +3251,18 @@ virNetDevSwitchdevFeature(const char *ifname, if (is_vf == 1 && virNetDevGetPhysicalFunction(ifname, &pfname) < 0) goto cleanup; - pci_device_ptr = pfname ? virNetDevGetPCIDevice(pfname) : - virNetDevGetPCIDevice(ifname); + if (pfname == NULL && VIR_STRDUP(pfname, ifname) < 0) + goto cleanup; + /* No PCI device, then no feature bit to check/add */ - if (pci_device_ptr == NULL) { + if (!virNetDevIsPCIDevice(pfname)) { ret = 0; goto cleanup; } + if ((pci_device_ptr = virNetDevGetPCIDevice(pfname)) == NULL) + goto cleanup; + if (!(nl_msg = nlmsg_alloc_simple(family_id, NLM_F_REQUEST | NLM_F_ACK))) { virReportOOMError(); diff --git a/src/util/virpci.c b/src/util/virpci.c index fe57bef32..f22d89cd7 100644 --- a/src/util/virpci.c +++ b/src/util/virpci.c @@ -2651,6 +2651,38 @@ virPCIGetDeviceAddressFromSysfsLink(const char *device_link) return bdf; } +/** + * virPCIIsPCIDevice: + * @device_link: sysfs path for the device + * + * Returns true if the device specified in @device_link sysfs + * path is a PCI device, otherwise returns false. + */ +bool +virPCIIsPCIDevice(const char *device_link) +{ + char *device_path = NULL; + char *subsys = NULL; + bool ret; + + if (!virFileExists(device_link)) { + VIR_DEBUG("'%s' does not exist", device_link); + return false; + } + + device_path = canonicalize_file_name(device_link); + if (device_path == NULL) { + VIR_DEBUG("Failed to resolve device link '%s'", device_link); + return false; + } + + subsys = last_component(device_path); + ret = STRPREFIX(subsys, "pci"); + + VIR_FREE(device_path); + return ret; +} + /** * virPCIGetPhysicalFunction: * @vf_sysfs_path: sysfs path for the virtual function diff --git a/src/util/virpci.h b/src/util/virpci.h index f1fbe39e6..489d8a777 100644 --- a/src/util/virpci.h +++ b/src/util/virpci.h @@ -190,6 +190,9 @@ int virPCIDeviceWaitForCleanup(virPCIDevicePtr dev, const char *matcher); virPCIDeviceAddressPtr virPCIGetDeviceAddressFromSysfsLink(const char *device_link); +bool +virPCIIsPCIDevice(const char *device_link); + int virPCIGetPhysicalFunction(const char *vf_sysfs_path, virPCIDeviceAddressPtr *pf); -- 2.15.1

2 2

[libvirt] [PATCH] news: Update for 4.0.0
by Andrea Bolognani 17 Jan '18

17 Jan '18

As usual, a bunch of changes slipped through the cracks during the development cycle. Update the release notes to include at least the most notable. Signed-off-by: Andrea Bolognani <abologna(a)redhat.com> --- I'll push this tomorrow morning under the "can't possibly be worse than leaving it alone" rule, so that it makes it into the release, unless I get feedback earlier. docs/news.xml | 50 ++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 50 insertions(+) diff --git a/docs/news.xml b/docs/news.xml index 064b9ae83..d034be99a 100644 --- a/docs/news.xml +++ b/docs/news.xml @@ -35,8 +35,48 @@ <libvirt> <release version="v4.0.0" date="unreleased"> <section title="New features"> + <change> + <summary> + tools: Provide bash completion support + </summary> + <description> + Both <code>virsh</code> and <code>virt-admin</code> now implement + basic bash completion support. + </description> + </change> + <change> + <summary> + qemu: Refresh capabilities on host microcode update + </summary> + <description> + A microcode update can cause the CPUID bits to change; therefore, + the capabilities cache should be rebuilt when such an update is + detected on the host. + </description> + </change> + <change> + <summary> + lxc: Set hostname based on container name + </summary> + </change> </section> <section title="Improvements"> + <change> + <summary> + CPU frequency reporting improvements + </summary> + <description> + The CPU frequency will now be reported by <code>virsh nodeinfo</code> + and other tools for s390 hosts; at the same time; CPU frequency has + been disabled on aarch64 hosts because there's no way to detect it + reliably. + </description> + </change> + <change> + <summary> + libxl: Mark domain0 as persistent + </summary> + </change> <change> <summary> Xen: Add support for multiple IP addresses on interface devices @@ -49,6 +89,16 @@ </change> </section> <section title="Bug fixes"> + <change> + <summary> + qemu: Enforce vCPU hotplug granularity constraints + </summary> + <description> + QEMU 2.7 and newer don't allow guests to start unless the initial + vCPUs count is a multiple of the vCPU hotplug granularity, so + validate it and report an error if needed. + </description> + </change> </section> </release> <release version="v3.10.0" date="2017-12-04"> -- 2.14.3

2 3

[libvirt] [PATCH] qemu: avoid denial of service reading from QEMU monitor (CVE-2018-xxxx)
by Daniel P. Berrange 17 Jan '18

17 Jan '18

We read from QEMU until seeing a \r\n pair to indicate a completed reply or event. To avoid memory denial-of-service though, we must have a size limit on amount of data we buffer. 10 MB is large enough that it ought to cope with normal QEMU replies, and small enough that we're not consuming unreasonable mem. Signed-off-by: Daniel P. Berrange <berrange(a)redhat.com> --- src/qemu/qemu_monitor.c | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/src/qemu/qemu_monitor.c b/src/qemu/qemu_monitor.c index 046caf001c..85c7d68a13 100644 --- a/src/qemu/qemu_monitor.c +++ b/src/qemu/qemu_monitor.c @@ -55,6 +55,15 @@ VIR_LOG_INIT("qemu.qemu_monitor"); #define DEBUG_IO 0 #define DEBUG_RAW_IO 0 +/* We read from QEMU until seeing a \r\n pair to indicate a + * completed reply or event. To avoid memory denial-of-service + * though, we must have a size limit on amount of data we + * buffer. 10 MB is large enough that it ought to cope with + * normal QEMU replies, and small enough that we're not + * consuming unreasonable mem. + */ +#define QEMU_MONITOR_MAX_RESPONSE (10 * 1024 * 1024) + struct _qemuMonitor { virObjectLockable parent; @@ -575,6 +584,12 @@ qemuMonitorIORead(qemuMonitorPtr mon) int ret = 0; if (avail < 1024) { + if (mon->bufferLength >= QEMU_MONITOR_MAX_RESPONSE) { + virReportSystemError(ERANGE, + _("No complete monitor response found in %d bytes"), + QEMU_MONITOR_MAX_RESPONSE); + return -1; + } if (VIR_REALLOC_N(mon->buffer, mon->bufferLength + 1024) < 0) return -1; -- 2.14.3

3 3

[libvirt] [PATCH] qemu: qemuDomainNamespaceUnlinkPaths: Return 0 in case of success
by Marc Hartmayer 17 Jan '18

17 Jan '18

Commit 7a931a4204af refactored the code and probably forgot to add this line. Signed-off-by: Marc Hartmayer <mhartmay(a)linux.vnet.ibm.com> Reviewed-by: Boris Fiuczynski <fiuczy(a)linux.vnet.ibm.com> --- src/qemu/qemu_domain.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/qemu/qemu_domain.c b/src/qemu/qemu_domain.c index 5c171e4cbd6c..441bf5935b14 100644 --- a/src/qemu/qemu_domain.c +++ b/src/qemu/qemu_domain.c @@ -10212,7 +10212,7 @@ qemuDomainNamespaceUnlinkPaths(virDomainObjPtr vm, goto cleanup; } - + ret = 0; cleanup: virStringListFreeCount(devMountsPath, ndevMountsPath); virObjectUnref(cfg); -- 2.13.4

2 1

[libvirt] [PATCH] AppArmor: Allow libvirtd to kill unconfined processes
by intrigeri+libvirt＠boum.org 17 Jan '18

17 Jan '18

From: intrigeri <intrigeri+libvirt(a)boum.org> On startup libvirtd runs a number of QEMU processes unconfined such as: /usr/bin/qemu-system-x86_64 -S -no-user-config -nodefaults -nographic -machine none,accel=kvm:tcg -qmp unix:/var/lib/libvirt/qemu/capabilities.monitor.sock,server,nowait -pidfile /var/lib/libvirt/qemu/capabilities.pidfile -daemonize libvirtd needs to be allowed to kill these processes, otherwise they remain running. --- examples/apparmor/usr.sbin.libvirtd | 1 + 1 file changed, 1 insertion(+) diff --git a/examples/apparmor/usr.sbin.libvirtd b/examples/apparmor/usr.sbin.libvirtd index a1083b0410..0ddec3f6e2 100644 --- a/examples/apparmor/usr.sbin.libvirtd +++ b/examples/apparmor/usr.sbin.libvirtd @@ -63,6 +63,7 @@ signal (send) peer=/usr/sbin/dnsmasq, signal (read, send) peer=libvirt-*, + signal (send) set=("kill") peer=unconfined, # Very lenient profile for libvirtd since we want to first focus on confining # the guests. Guests will have a very restricted profile. -- 2.15.1

4 3

[libvirt] [PATCH libvirt] qemu: Fix segmentation fault when attaching a non iSCSI host device
by Marc Hartmayer 17 Jan '18

17 Jan '18

Add a check if it's a iSCSI hostdev and if it's not then don't use the union member 'iscsi'. The segmentation fault occured when accessing secinfo->type, but this can vary from case to case. Signed-off-by: Marc Hartmayer <mhartmay(a)linux.vnet.ibm.com> Reviewed-by: Bjoern Walk <bwalk(a)linux.vnet.ibm.com> Reviewed-by: Boris Fiuczynski <fiuczy(a)linux.vnet.ibm.com> --- src/qemu/qemu_hotplug.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/src/qemu/qemu_hotplug.c b/src/qemu/qemu_hotplug.c index 6dc16a1054af..83d0e1c71a8e 100644 --- a/src/qemu/qemu_hotplug.c +++ b/src/qemu/qemu_hotplug.c @@ -2343,8 +2343,7 @@ qemuDomainAttachHostSCSIDevice(virConnectPtr conn, bool secobjAdded = false; virJSONValuePtr secobjProps = NULL; virDomainHostdevSubsysSCSIPtr scsisrc = &hostdev->source.subsys.u.scsi; - virDomainHostdevSubsysSCSIiSCSIPtr iscsisrc = &scsisrc->u.iscsi; - qemuDomainStorageSourcePrivatePtr srcPriv; + qemuDomainStorageSourcePrivatePtr srcPriv = NULL; qemuDomainSecretInfoPtr secinfo = NULL; if (!virQEMUCapsGet(priv->qemuCaps, QEMU_CAPS_DEVICE_SCSI_GENERIC)) { @@ -2386,7 +2385,8 @@ qemuDomainAttachHostSCSIDevice(virConnectPtr conn, if (qemuDomainSecretHostdevPrepare(conn, priv, hostdev) < 0) goto cleanup; - srcPriv = QEMU_DOMAIN_STORAGE_SOURCE_PRIVATE(iscsisrc->src); + if (scsisrc->protocol == VIR_DOMAIN_HOSTDEV_SCSI_PROTOCOL_TYPE_ISCSI) + srcPriv = QEMU_DOMAIN_STORAGE_SOURCE_PRIVATE(scsisrc->u.iscsi.src); if (srcPriv) secinfo = srcPriv->secinfo; if (secinfo && secinfo->type == VIR_DOMAIN_SECRET_INFO_TYPE_AES) { -- 2.13.4

2 2

[libvirt] [PATCH] remove bogus casts of arg to g_object_ref
by Daniel P. Berrange 17 Jan '18

17 Jan '18

Latest version of glib uses typeof() magic to cast the return value of g_object_ref to match its argument, instead of returning a 'void *'. A few places in the code were casting the arg to G_OBJECT() which was then incompatible with the variable we assigned the result to. The parameter casts were always redundant so just remove them. Signed-off-by: Daniel P. Berrange <berrange(a)redhat.com> --- libvirt-gconfig/libvirt-gconfig-object.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libvirt-gconfig/libvirt-gconfig-object.c b/libvirt-gconfig/libvirt-gconfig-object.c index 851e35c..ca2c6e6 100644 --- a/libvirt-gconfig/libvirt-gconfig-object.c +++ b/libvirt-gconfig/libvirt-gconfig-object.c @@ -572,7 +572,7 @@ gvir_config_object_set_node_content(GVirConfigObject *object, node = gvir_config_object_replace_child(object, node_name); g_return_if_fail(node != NULL); } else { - node = g_object_ref(G_OBJECT(object)); + node = g_object_ref(object); } encoded_data = xmlEncodeEntitiesReentrant(node->priv->node->doc, (xmlChar *)value); @@ -896,7 +896,7 @@ gvir_config_object_attach(GVirConfigObject *parent, GVirConfigObject *child, gbo child->priv->doc = NULL; } if (parent->priv->doc != NULL) { - child->priv->doc = g_object_ref(G_OBJECT(parent->priv->doc)); + child->priv->doc = g_object_ref(parent->priv->doc); } } -- 2.14.3

1 1

[libvirt] New GIT repos for libvirt wiki & virt tools planet
by Daniel P. Berrange 17 Jan '18

17 Jan '18

Hi Folks, Just let you all know that I've moved various libvirt related websites over to hosting on Red Hat's OpenShift v3 infrastructure. With the new v3 that is based on Kubernetes, I'm able to publish the GIT repos containing the core content & software setup. For wiki.libvirt.org: https://libvirt.org/git/?p=libvirt-wiki.git;a=summary For planet.virt-tools.org: https://libvirt.org/git/?p=virttools-planet.git;a=summary For www.virt-tools.org: https://libvirt.org/git/?p=virttools-web.git;a=summary These are setup to mirror to github, and with a github webhook installed. So if when changes to the *content*, it will get automatically deployed to the live site by OpenShift. NB, auto-deploy doesn't apply to the actual OpenShift configuration, only the static config. I still need to manualy deploy OpenShift config changes for security reasons :-) The key benefit here is that adding people to the blog aggregator on planet.virt-tools.org is now easier. Just send a patch for this file: https://libvirt.org/git/?p=virttools-planet.git;a=blob;f=updater/virt-tools… Regards, Daniel -- |: https://berrange.com -o- https://www.flickr.com/photos/dberrange :| |: https://libvirt.org -o- https://fstop138.berrange.com :| |: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|

1 0

[libvirt] [PATCH] rpm: updates wrt min required fedora version
by Daniel P. Berrange 17 Jan '18

17 Jan '18

Update the min fedora to 25. Use a macro to record the min versions so that the later error message is always in sync with the earlier version check. Clarify the comment that refers to guessing of dist which does not actually happen. Signed-off-by: Daniel P. Berrange <berrange(a)redhat.com> --- libvirt.spec.in | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/libvirt.spec.in b/libvirt.spec.in index 7e1b6a27d3..713961573a 100644 --- a/libvirt.spec.in +++ b/libvirt.spec.in @@ -1,10 +1,12 @@ # -*- rpm-spec -*- # This spec file assumes you are building on a Fedora or RHEL version -# that's still supported by the vendor: that means Fedora 23 or newer, -# or RHEL 6 or newer. It may need some tweaks for other distros. -# If neither fedora nor rhel was defined, try to guess them from dist -%if (0%{?fedora} && 0%{?fedora} >= 23) || (0%{?rhel} && 0%{?rhel} >= 6) +# that's still supported by the vendor. It may work on other distros +# or versions, but no effort will be made to ensure that going forward. +%define min_rhel 6 +%define min_fedora 25 + +%if (0%{?fedora} && 0%{?fedora} >= %{min_fedora}) || (0%{?rhel} && 0%{?rhel} >= %{min_rhel}) %define supported_platform 1 %else %define supported_platform 0 @@ -1132,7 +1134,7 @@ rm -rf .git %build %if ! %{supported_platform} -echo "This RPM requires either Fedora >= 20 or RHEL >= 6" +echo "This RPM requires either Fedora >= %{min_fedora} or RHEL >= %{min_rhel}" exit 1 %endif -- 2.14.3

3 2

[libvirt] [PATCH] spec: enable bash completion only on new enough distros
by Pavel Hrdina 17 Jan '18

17 Jan '18

RHEL-6 doesn't have bash-completion package by default, it has to be installed from EPEL. Signed-off-by: Pavel Hrdina <phrdina(a)redhat.com> --- libvirt.spec.in | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/libvirt.spec.in b/libvirt.spec.in index d4ef116b2d..ef96888d09 100644 --- a/libvirt.spec.in +++ b/libvirt.spec.in @@ -87,6 +87,7 @@ %define with_libssh2 0%{!?_without_libssh2:0} %define with_wireshark 0%{!?_without_wireshark:0} %define with_libssh 0%{!?_without_libssh:0} +%define with_bash_completion 0%{!?_without_bash_completion:0} %define with_pm_utils 1 # Finally set the OS / architecture specific special cases @@ -190,6 +191,11 @@ %define with_libssh 0%{!?_without_libssh:1} %endif +# Enable bash-completion for new enough distros +%if 0%{?fedora} || 0%{?rhel} >= 7 + %define with_bash_completion 0%{!?_without_bash_completion:1} +%endif + %if %{with_qemu} || %{with_lxc} || %{with_uml} # numad is used to manage the CPU and memory placement dynamically, @@ -306,7 +312,9 @@ BuildRequires: xen-devel BuildRequires: libxml2-devel BuildRequires: libxslt BuildRequires: readline-devel +%if %{with_bash_completion} BuildRequires: bash-completion >= 2.0 +%endif BuildRequires: ncurses-devel BuildRequires: gettext BuildRequires: libtasn1-devel @@ -2048,7 +2056,9 @@ exit 0 %{_datadir}/systemtap/tapset/libvirt_qemu_probes*.stp %{_datadir}/systemtap/tapset/libvirt_functions.stp +%if %{with_bash_completion} %{_datadir}/bash-completion/completions/vsh +%endif %if %{with_systemd} -- 2.14.3

2 1