[libvirt] [PATCH] selinux: Drop needless getfilecon()-s
by Michal Privoznik
When SELinux support was first introduced the libselinux library
wasn't that advanced and setfilecon_raw() or fsetfilecon_raw()
could fail even when the target context was set. Looking at the
current code [1][2] this is no longer the case. We can drop our
workarounds.
1: https://github.com/SELinuxProject/selinux/blob/master/libselinux/src/setf...
2: https://github.com/SELinuxProject/selinux/blob/master/libselinux/src/fset...
Signed-off-by: Michal Privoznik <mprivozn(a)redhat.com>
---
src/security/security_selinux.c | 22 ----------------------
1 file changed, 22 deletions(-)
diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
index e05ef7593e..0bfb6a7fa6 100644
--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
@@ -1249,8 +1249,6 @@ virSecuritySELinuxSetFileconImpl(const char *path,
const char *tcon,
bool privileged)
{
- security_context_t econ;
-
/* Be aware that this function might run in a separate process.
* Therefore, any driver state changes would be thrown away. */
@@ -1259,15 +1257,6 @@ virSecuritySELinuxSetFileconImpl(const char *path,
if (setfilecon_raw(path, (const char *)tcon) < 0) {
int setfilecon_errno = errno;
- if (getfilecon_raw(path, &econ) >= 0) {
- if (STREQ(tcon, econ)) {
- freecon(econ);
- /* It's alright, there's nothing to change anyway. */
- return 1;
- }
- freecon(econ);
- }
-
/* If the error complaint is related to an image hosted on a (possibly
* read-only) NFS mount, or a usbfs/sysfs filesystem not supporting
* labelling, then just ignore it & hope for the best. The user
@@ -1401,22 +1390,11 @@ virSecuritySELinuxSetFilecon(virSecurityManagerPtr mgr,
static int
virSecuritySELinuxFSetFilecon(int fd, char *tcon)
{
- security_context_t econ;
-
VIR_INFO("Setting SELinux context on fd %d to '%s'", fd, tcon);
if (fsetfilecon_raw(fd, tcon) < 0) {
int fsetfilecon_errno = errno;
- if (fgetfilecon_raw(fd, &econ) >= 0) {
- if (STREQ(tcon, econ)) {
- freecon(econ);
- /* It's alright, there's nothing to change anyway. */
- return 0;
- }
- freecon(econ);
- }
-
/* if the error complaint is related to an image hosted on
* an nfs mount, or a usbfs/sysfs filesystem not supporting
* labelling, then just ignore it & hope for the best.
--
2.23.0
5 years
[libvirt] Change virQEMUDriverConfig defaults?
by Michal Privoznik
Dear list,
lately I was confronted with the way how KubeVirt uses libvirt. They run
it inside a docker container with UID mapping and some capabilities
dropped. See [1] for more info. Problem is that because of the way we
initialize our defaults they had to disable some features. Specifically,
virQEMUDriverConfigNew() is passed @privileged argument which equals
geteuid() == 0. Apparently, due to UID mapping this leads us to create
not valid defaults. For instance, rememberOwner will be set to true in
this case, but trying to write any XATTR is going to fail because the
container and subsequently libvirtd does have CAP_SYS_ADMIN (and writing
trusted.* XATTRs is reserve to CAP_SYS_ADMIN). Similarly,
dynamicOwnership won't work unless CAP_CHOWN is granted and if SELinux
driver is enabled then we will also need CAP_SYS_ADMIN because
setfilecon_raw() does nothing more than write XATTR [2].
So instead of using @privileged we could use capabilities to
enable/disable features by default. There is one problem with this
though - do we know the full set of capabilities we need for given
feature? For instance, does rememberOwner needs just CAP_SYS_ADMIN or
also some other capability?
Users could still override our defaults through qemu.conf, but I can see
us throwing a warning if they are trying to enable say rememberOwner
while the libvird lacks CAP_SYS_ADMIN.
What is your opinion?
Michal
1: https://bugzilla.redhat.com/show_bug.cgi?id=1774373#c17
2:
https://github.com/SELinuxProject/selinux/blob/master/libselinux/src/setf...
5 years
[libvirt] [PATCH for 5.10.0] docs: don't run xmllint when generating API HTML files
by Daniel P. Berrangé
After generating the API HTML files we run xmllint in docs/html/*.html
to validate the correctness. Since
commit 0aa8536f14b08dfb5188d0bb3aba532680500d38
Author: Daniel P. Berrangé <berrange(a)redhat.com>
Date: Wed Nov 20 14:49:26 2019 +0000
docs: generate API reference pages for admin, qemu & lxc libraries
we have many rules generating files into docs/html/. The xmllint
calls for each rule are picking up files which are part-generated by
other parallel build rules resulting in transient errors like:
GEN html/index.html
GEN html/index-admin.html
GEN html/index-qemu.html
GEN html/index-lxc.html
GEN hvsupport.html.in
html/index-lxc.html:1: parser error : Document is empty
^
make[4]: *** [Makefile:2407: html/index-qemu.html] Error 1
The easiest solution is to move the xmllint rules to the 'make check'
phase of the build.
Signed-off-by: Daniel P. Berrangé <berrange(a)redhat.com>
---
docs/Makefile.am | 11 +++++++----
1 file changed, 7 insertions(+), 4 deletions(-)
diff --git a/docs/Makefile.am b/docs/Makefile.am
index 2a104bc837..0e43f382b1 100644
--- a/docs/Makefile.am
+++ b/docs/Makefile.am
@@ -311,16 +311,19 @@ html/index.html: libvirt-api.xml newapi.xsl page.xsl $(APIBUILD_STAMP)
$(AM_V_GEN)$(XSLTPROC) --nonet -o ./ \
--stringparam builddir '$(abs_top_builddir)' \
--stringparam timestamp $(timestamp) \
- $(srcdir)/newapi.xsl libvirt-api.xml && \
- $(XMLLINT) --nonet --noout html/*.html
+ $(srcdir)/newapi.xsl libvirt-api.xml
html/index-%.html: libvirt-%-api.xml newapi.xsl page.xsl $(APIBUILD_STAMP)
$(AM_V_GEN)$(XSLTPROC) --nonet -o ./ \
--stringparam builddir '$(abs_top_builddir)' \
--stringparam timestamp $(timestamp) \
--stringparam indexfile $(@:html/%=%) \
- $(srcdir)/newapi.xsl $< && \
- $(XMLLINT) --nonet --noout html/*.html
+ $(srcdir)/newapi.xsl $<
+
+check-html:
+ $(XMLLINT) --nonet --noout html/*.html
+
+check-local: check-html
python_generated_files = \
html/libvirt-libvirt-lxc.html \
--
2.23.0
5 years
[libvirt] [python PATCH] generator.py: add mapping for VIR_DOMAIN_QEMU_AGENT_COMMAND_*
by Pavel Hrdina
Libvirt commit <95f5ac9ae52455e9da47afc95fa31c9456ac27ae> changed the
VIR_DOMAIN_QEMU_AGENT_COMMAND_* enum values to use different enum values
instead of direct numbers. We need to translate it back.
Traceback (most recent call last):
File "generator.py", line 2143, in <module>
qemuBuildWrappers(sys.argv[1])
File "generator.py", line 2008, in qemuBuildWrappers
items.sort(key=lambda i: (int(i[1]), i[0]))
File "generator.py", line 2008, in <lambda>
items.sort(key=lambda i: (int(i[1]), i[0]))
ValueError: invalid literal for int() with base 10: 'VIR_DOMAIN_AGENT_RESPONSE_TIMEOUT_BLOCK'
Signed-off-by: Pavel Hrdina <phrdina(a)redhat.com>
---
generator.py | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/generator.py b/generator.py
index 913dab8..3352521 100755
--- a/generator.py
+++ b/generator.py
@@ -261,6 +261,12 @@ def lxc_enum(type, name, value):
def qemu_enum(type, name, value):
if type not in qemu_enums:
qemu_enums[type] = {}
+ if value == 'VIR_DOMAIN_AGENT_RESPONSE_TIMEOUT_BLOCK':
+ value = -2
+ elif value == 'VIR_DOMAIN_AGENT_RESPONSE_TIMEOUT_DEFAULT':
+ value = -1
+ elif value == 'VIR_DOMAIN_AGENT_RESPONSE_TIMEOUT_NOWAIT':
+ value = 0
if onlyOverrides and name not in qemu_enums[type]:
return
qemu_enums[type][name] = value
--
2.23.0
5 years
[libvirt] [PATCH] Fix bug libvirt daemon segfault when new force console vm session break down existed console session. When force console vm command arrived, libvirtd will break down existed console session, and in this procedure, it will call daemonStreamEvent() to release resources , so daemonStreamFilter() need to check if stream filter existed when get client object lock and client->privData's lock, if not existed, just return -1
by LanceLiu
---
src/libvirt_remote.syms | 1 +
src/remote/remote_daemon_stream.c | 10 +++++++++-
src/rpc/virnetserverclient.c | 12 ++++++++++++
src/rpc/virnetserverclient.h | 2 ++
4 files changed, 24 insertions(+), 1 deletion(-)
diff --git a/src/libvirt_remote.syms b/src/libvirt_remote.syms
index 0493467..c32e234 100644
--- a/src/libvirt_remote.syms
+++ b/src/libvirt_remote.syms
@@ -173,6 +173,7 @@ virNetServerClientPreExecRestart;
virNetServerClientRemoteAddrStringSASL;
virNetServerClientRemoteAddrStringURI;
virNetServerClientRemoveFilter;
+virNetServerClientCheckFilterExist;
virNetServerClientSendMessage;
virNetServerClientSetAuthLocked;
virNetServerClientSetAuthPendingLocked;
diff --git a/src/remote/remote_daemon_stream.c b/src/remote/remote_daemon_stream.c
index 82cadb6..de0dca3 100644
--- a/src/remote/remote_daemon_stream.c
+++ b/src/remote/remote_daemon_stream.c
@@ -292,10 +292,18 @@ daemonStreamFilter(virNetServerClientPtr client,
{
daemonClientStream *stream = opaque;
int ret = 0;
+ daemonClientPrivatePtr priv = NULL;
+ int filter_id = stream->filterID;
virObjectUnlock(client);
+ priv = virNetServerClientGetPrivateData(client);
virMutexLock(&stream->priv->lock);
virObjectLock(client);
+ if (!virNetServerClientCheckFilterExist(client, filter_id)) {
+ VIR_WARN("this daemon stream filter: %d have been deleted!", filter_id);
+ ret = -1;
+ goto cleanup;
+ }
if (msg->header.type != VIR_NET_STREAM &&
msg->header.type != VIR_NET_STREAM_HOLE)
@@ -317,7 +325,7 @@ daemonStreamFilter(virNetServerClientPtr client,
ret = 1;
cleanup:
- virMutexUnlock(&stream->priv->lock);
+ virMutexUnlock(&priv->lock);
return ret;
}
diff --git a/src/rpc/virnetserverclient.c b/src/rpc/virnetserverclient.c
index 67b3bf9..f80f493 100644
--- a/src/rpc/virnetserverclient.c
+++ b/src/rpc/virnetserverclient.c
@@ -287,6 +287,18 @@ void virNetServerClientRemoveFilter(virNetServerClientPtr client,
virObjectUnlock(client);
}
+int virNetServerClientCheckFilterExist(virNetServerClientPtr client,
+ int filterID)
+{
+ virNetServerClientFilterPtr tmp;
+
+ tmp = client->filters;
+ while(tmp && tmp->id != filterID) {
+ tmp = tmp->next;
+ }
+
+ return (tmp != NULL);
+}
/* Check the client's access. */
static int
diff --git a/src/rpc/virnetserverclient.h b/src/rpc/virnetserverclient.h
index 7a3061d..85fda39 100644
--- a/src/rpc/virnetserverclient.h
+++ b/src/rpc/virnetserverclient.h
@@ -93,6 +93,8 @@ int virNetServerClientAddFilter(virNetServerClientPtr client,
void virNetServerClientRemoveFilter(virNetServerClientPtr client,
int filterID);
+int virNetServerClientCheckFilterExist(virNetServerClientPtr client,
+ int filterID);
int virNetServerClientGetAuth(virNetServerClientPtr client);
void virNetServerClientSetAuthLocked(virNetServerClientPtr client, int auth);
--
1.8.3.1
5 years
[libvirt] [PATCH] travis: explicitly require xcode 10.3 image for macOS
by Daniel P. Berrangé
The default macOS image in travis is broken, throwing python
exceptions when trying to install glib. Explicitly ask for the
newer 10.3 image which works correctly.
We now need to also point to the homebrew installed libxml2
rather than the OS distro provided one, since the OS distro
one has a pkg-config file present, but no actual header
files.
Signed-off-by: Daniel P. Berrangé <berrange(a)redhat.com>
---
.travis.yml | 2 ++
1 file changed, 2 insertions(+)
diff --git a/.travis.yml b/.travis.yml
index 75f32e53b9..80f3be5490 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -62,8 +62,10 @@ matrix:
- compiler: clang
language: c
os: osx
+ osx_image: xcode10.3
env:
- PATH="/usr/local/opt/gettext/bin:/usr/local/opt/ccache/libexec:/usr/local/opt/rpcgen/bin:$PATH"
+ - PKG_CONFIG_PATH="/usr/local/opt/libxml2/lib/pkgconfig"
script:
# We can't run 'distcheck' or 'syntax-check' because they fail on
# macOS, but doing 'install' and 'dist' gives us some useful coverage
--
2.21.0
5 years
[libvirt] [PATCH for 5.10.0] news: Update for 5.10.0 release
by Michal Privoznik
Signed-off-by: Michal Privoznik <mprivozn(a)redhat.com>
---
docs/news.xml | 124 ++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 124 insertions(+)
diff --git a/docs/news.xml b/docs/news.xml
index 72c0edb317..b6782df136 100644
--- a/docs/news.xml
+++ b/docs/news.xml
@@ -81,8 +81,132 @@
</change>
</section>
<section title="Improvements">
+ <change>
+ <summary>
+ Devices CGroup v2 support
+ </summary>
+ <description>
+ Libvirt supported all controllers of CGroup v2 but the devices
+ controller which is implemented in this release.
+ </description>
+ </change>
+ <change>
+ <summary>
+ Cold plug of sound device
+ </summary>
+ <description>
+ The QEMU driver now can handle cold plug of
+ <code><sound/></code> devices.
+ </description>
+ </change>
+ <change>
+ <summary>
+ More GLib integration
+ </summary>
+ <description>
+ More patches were merged that replace our internal functions with
+ GLib ones. Also some effort was invested in replacing gnulib modules
+ with GLib functions.
+ </description>
+ </change>
+ <change>
+ <summary>
+ Rewrite of Perl scripts into Python
+ </summary>
+ <description>
+ Libvirt used Perl scripts to check for coding style, generate some
+ code and things like that. To bring the number of languages used
+ down, these scripts were rewritten into Python.
+ </description>
+ </change>
+ <change>
+ <summary>
+ Probe for default CPU types
+ </summary>
+ <description>
+ With QEMU 4.2.0 we can probe for the default CPU model used by QEMU
+ for a particular machine type and store it in the domain XML. This
+ way the chosen CPU model is more visible to users and libvirt will
+ make sure the guest will see the exact same CPU after migration.
+ </description>
+ </change>
+ <change>
+ <summary>
+ Adaptation to qemu's blockdev
+ </summary>
+ <description>
+ QEMU introduced a new way of specifying disks on the command line
+ which enables fine-grained control over the block stack. Libvirt has
+ adapted to this.
+ </description>
+ </change>
</section>
<section title="Bug fixes">
+ <change>
+ <summary>
+ Warn verbosely if using old loader:nvram pairs
+ </summary>
+ <description>
+ Some distributions still use <code>--with-loader-nvram</code> or
+ <code>nvram</code> variable in qemu.conf. This is now discouraged in
+ favour of FW descriptors. However, instead of silently ignoring user's
+ config, libvirt warns if outdated config is detected.
+ </description>
+ </change>
+ <change>
+ <summary>
+ Drop pconfig from Icelake-Server CPU model
+ </summary>
+ <description>
+ The pconfig feature was enabled in QEMU by accident in 3.1.0. All
+ other newer versions do not support it and it was removed from the
+ Icelake-Server CPU model in QEMU.
+ </description>
+ </change>
+ <change>
+ <summary>
+ Wait longer for device removal confirmation on PPC64
+ </summary>
+ <description>
+ After sending device hot unplug request to QEMU, libvirt waits up to
+ 5 seconds for qemu to confirm the device removal. On some
+ architectures (like PPC64) this can take longer time and libvirt now
+ reflects that.
+ </description>
+ </change>
+ <change>
+ <summary>
+ Forcibly create nodes in domain's namespace
+ </summary>
+ <description>
+ The QEMU driver starts a domain in a namepsace with private
+ <code>/dev</code> and creates only those nodes there which the domain
+ is configured to have. However, it may have happened that if a node
+ changed its minor number this change wasn't propagated to the
+ namespace.
+ </description>
+ </change>
+ <change>
+ <summary>
+ Various AppArmor bugfixes
+ </summary>
+ <description>
+ The AppArmor driver now knows how to handle
+ <code><shmem/></code> devices and also snapshotting more disks
+ at once.
+ </description>
+ </change>
+ <change>
+ <summary>
+ Improved video model autoselection
+ </summary>
+ <description>
+ If a graphics device was added to XML that had no video device,
+ libvirt automatically added a video device which was always of type
+ 'cirrus' on x86_64, even if the underlying qemu didn't support
+ cirrus. Libvirt now bases the decision on qemu's capabilities.
+ </description>
+ </change>
</section>
</release>
<release version="v5.9.0" date="2019-11-05">
--
2.23.0
5 years
[libvirt] [PATCH for 5.10] Revert "qemu: Don't repeat virDomainObjEndAPI in qemuDomainBlockPull"
by Peter Krempa
This reverts commit 421c9550f5446729b513ee50f5c44e6f6969b5a2.
qemuDomainBlockPullCommon calls virDomainObjEndAPI internally so the
original commit made us shed two references of @vm instead of one
getting us into a premature free of @vm.
This is not a straight revert as qemuDomainBlockPull was modified
meanwhile. I've also added a warning comment that @vm is consumed.
https://bugzilla.redhat.com/show_bug.cgi?id=1777230
Signed-off-by: Peter Krempa <pkrempa(a)redhat.com>
---
/me hides in shame
src/qemu/qemu_driver.c | 21 ++++++++++-----------
1 file changed, 10 insertions(+), 11 deletions(-)
diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c
index 669c12d6ca..8c2670d377 100644
--- a/src/qemu/qemu_driver.c
+++ b/src/qemu/qemu_driver.c
@@ -18443,24 +18443,23 @@ qemuDomainBlockPull(virDomainPtr dom, const char *path, unsigned long bandwidth,
unsigned int flags)
{
virDomainObjPtr vm;
- int ret = -1;
-
virCheckFlags(VIR_DOMAIN_BLOCK_PULL_BANDWIDTH_BYTES, -1);
if (!(vm = qemuDomainObjFromDomain(dom)))
return -1;
- if (virDomainBlockPullEnsureACL(dom->conn, vm->def) < 0)
- goto cleanup;
-
- if (qemuDomainSupportsCheckpointsBlockjobs(vm) < 0)
- goto cleanup;
+ if (virDomainBlockPullEnsureACL(dom->conn, vm->def) < 0) {
+ virDomainObjEndAPI(&vm);
+ return -1;
+ }
- ret = qemuDomainBlockPullCommon(vm, path, NULL, bandwidth, flags);
+ if (qemuDomainSupportsCheckpointsBlockjobs(vm) < 0) {
+ virDomainObjEndAPI(&vm);
+ return -1;
+ }
- cleanup:
- virDomainObjEndAPI(&vm);
- return ret;
+ /* qemuDomainBlockPullCommon consumes the reference on @vm */
+ return qemuDomainBlockPullCommon(vm, path, NULL, bandwidth, flags);
}
--
2.23.0
5 years
[libvirt] configuraton error while configuring libvirt
by Billa Surendra
HI all,
I am trying to install libvirt-5.4.0 in fedora 31 host pc, but I am
> getting error like *configure: error: You must install the gnutls >=
> 3.2.0 pkg-config module to compile libvirt*. I have higher version of
> gnutls avilable in my host pc already. Any one tell me how to install
> libvirt in fedora and how to resolve above error. Is there any perfect
> steps for installation of libvirt.
>
Thanks In Advance
5 years
[libvirt] [PATCH 0/4] replace setenv and unsetenv by Glib functions (kill-a-gnulib-module-a-day initiative)
by Pavel Hrdina
Pavel Hrdina (4):
replace use of gnulib setenv by g_setenv
replace use of gnulib unsetenv by g_unsetenv
syntax-check: forbid usage of setenv and unsetenv
bootstrap.conf: remove usage of setenv and unsetenv gnulib modules
bootstrap.conf | 2 --
build-aux/syntax-check.mk | 11 ++++++
src/security/virt-aa-helper.c | 4 +--
src/util/virsystemd.c | 4 +--
src/vbox/vbox_XPCOMCGlue.c | 4 +--
tests/libxlxml2domconfigtest.c | 4 +--
tests/lxcxml2xmltest.c | 2 +-
tests/qemudomaincheckpointxml2xmltest.c | 2 +-
tests/qemudomainsnapshotxml2xmltest.c | 2 +-
tests/qemufirmwaretest.c | 2 +-
tests/qemuhotplugtest.c | 2 +-
tests/qemumemlocktest.c | 2 +-
tests/qemusecuritytest.c | 4 +--
tests/qemuvhostusertest.c | 2 +-
tests/qemuxml2argvtest.c | 24 ++++++-------
tests/qemuxml2xmltest.c | 4 +--
tests/securityselinuxhelper.c | 4 +--
tests/testutils.c | 8 ++---
tests/testutils.h | 4 +--
tests/testutilsqemu.c | 4 +--
tests/vircgrouptest.c | 16 ++++-----
tests/virfiletest.c | 4 +--
tests/virhostdevtest.c | 2 +-
tests/virnettlscontexttest.c | 2 +-
tests/virnettlssessiontest.c | 2 +-
tests/virpcitest.c | 2 +-
tests/virportallocatortest.c | 2 +-
tests/virsystemdtest.c | 46 ++++++++++++-------------
tests/virtimetest.c | 4 +--
tools/virt-login-shell-helper.c | 12 +++----
30 files changed, 98 insertions(+), 89 deletions(-)
--
2.23.0
5 years