[PATCHv2] storage: pool: Allow more intricate nfs protocol versions
by Peter Krempa
Treat the 'protocolVer' field as a string so that e.g. '4.1' can be
used. Forbid only ',' in the string as it's a separator of arguments for
mount options.
Signed-off-by: Peter Krempa <pkrempa(a)redhat.com>
---
v2:
- forbid ',' in the version string.
docs/formatstorage.rst | 2 +-
src/conf/schemas/storagepool.rng | 4 +---
src/conf/storage_conf.c | 17 ++++++++---------
src/conf/storage_conf.h | 2 +-
src/storage/storage_util.c | 4 ++--
.../pool-netfs-protocol-ver-linux.argv | 2 +-
.../pool-netfs-protocol-ver.xml | 2 +-
.../pool-netfs-protocol-ver.xml | 2 +-
8 files changed, 16 insertions(+), 19 deletions(-)
diff --git a/docs/formatstorage.rst b/docs/formatstorage.rst
index ef15c0ac5c..83d7d141ac 100644
--- a/docs/formatstorage.rst
+++ b/docs/formatstorage.rst
@@ -350,7 +350,7 @@ following child elements:
``protocol``
For a ``netfs`` Storage Pool provide a mechanism to define which NFS protocol
version number will be used to contact the server's NFS service. The
- attribute ``ver`` accepts an unsigned integer as the version number to use.
+ attribute ``ver`` accepts the version number to use.
:since:`Since 5.1.0`
``vendor``
Provides optional information about the vendor of the storage device. This
diff --git a/src/conf/schemas/storagepool.rng b/src/conf/schemas/storagepool.rng
index bd24b8b8d0..d81ead532a 100644
--- a/src/conf/schemas/storagepool.rng
+++ b/src/conf/schemas/storagepool.rng
@@ -577,9 +577,7 @@
<ref name="sourcefmtnetfs"/>
<optional>
<element name="protocol">
- <attribute name="ver">
- <ref name="unsignedInt"/>
- </attribute>
+ <attribute name="ver"/>
</element>
</optional>
<optional>
diff --git a/src/conf/storage_conf.c b/src/conf/storage_conf.c
index 5da0bf20dd..79f16aadf3 100644
--- a/src/conf/storage_conf.c
+++ b/src/conf/storage_conf.c
@@ -483,6 +483,7 @@ virStoragePoolSourceClear(virStoragePoolSource *source)
virStorageAuthDefFree(source->auth);
VIR_FREE(source->vendor);
VIR_FREE(source->product);
+ VIR_FREE(source->protocolVer);
}
@@ -526,7 +527,6 @@ virStoragePoolDefParseSource(xmlXPathContextPtr ctxt,
virStoragePoolOptions *options;
int n;
g_autoptr(virStorageAuthDef) authdef = NULL;
- g_autofree char *ver = NULL;
g_autofree xmlNodePtr *nodeset = NULL;
g_autofree char *sourcedir = NULL;
VIR_XPATH_NODE_AUTORESTORE(ctxt)
@@ -634,7 +634,7 @@ virStoragePoolDefParseSource(xmlXPathContextPtr ctxt,
}
/* Option protocol version string (NFSvN) */
- if ((ver = virXPathString("string(./protocol/@ver)", ctxt))) {
+ if ((source->protocolVer = virXPathString("string(./protocol/@ver)", ctxt))) {
if ((source->format != VIR_STORAGE_POOL_NETFS_NFS) &&
(source->format != VIR_STORAGE_POOL_NETFS_AUTO)) {
virReportError(VIR_ERR_CONFIG_UNSUPPORTED,
@@ -643,10 +643,11 @@ virStoragePoolDefParseSource(xmlXPathContextPtr ctxt,
virStoragePoolFormatFileSystemNetTypeToString(source->format));
return -1;
}
- if (virStrToLong_uip(ver, NULL, 0, &source->protocolVer) < 0) {
- virReportError(VIR_ERR_XML_ERROR,
- _("storage pool protocol ver '%s' is malformed"),
- ver);
+
+ if (strchr(source->protocolVer, ',')) {
+ virReportError(VIR_ERR_XML_DETAIL,
+ _("storage pool protocol ver '%s' must not contain ','"),
+ source->protocolVer);
return -1;
}
}
@@ -1099,9 +1100,7 @@ virStoragePoolSourceFormat(virBuffer *buf,
if (src->auth)
virStorageAuthDefFormat(buf, src->auth);
- if (src->protocolVer)
- virBufferAsprintf(buf, "<protocol ver='%u'/>\n", src->protocolVer);
-
+ virBufferEscapeString(buf, "<protocol ver='%s'/>\n", src->protocolVer);
virBufferEscapeString(buf, "<vendor name='%s'/>\n", src->vendor);
virBufferEscapeString(buf, "<product name='%s'/>\n", src->product);
diff --git a/src/conf/storage_conf.h b/src/conf/storage_conf.h
index de39c3f294..a1bf243935 100644
--- a/src/conf/storage_conf.h
+++ b/src/conf/storage_conf.h
@@ -213,7 +213,7 @@ struct _virStoragePoolSource {
int format;
/* Protocol version value for netfs */
- unsigned int protocolVer;
+ char *protocolVer;
};
typedef struct _virStoragePoolTarget virStoragePoolTarget;
diff --git a/src/storage/storage_util.c b/src/storage/storage_util.c
index 6ed2078b65..3871718b09 100644
--- a/src/storage/storage_util.c
+++ b/src/storage/storage_util.c
@@ -4201,8 +4201,8 @@ virStorageBackendFileSystemMountCmd(const char *cmdstr,
virCommand *cmd = NULL;
g_autofree char *nfsVers = NULL;
- if (def->type == VIR_STORAGE_POOL_NETFS && def->source.protocolVer > 0)
- nfsVers = g_strdup_printf("nfsvers=%u", def->source.protocolVer);
+ if (def->type == VIR_STORAGE_POOL_NETFS && def->source.protocolVer)
+ nfsVers = g_strdup_printf("nfsvers=%s", def->source.protocolVer);
cmd = virCommandNew(cmdstr);
if (netauto)
diff --git a/tests/storagepoolxml2argvdata/pool-netfs-protocol-ver-linux.argv b/tests/storagepoolxml2argvdata/pool-netfs-protocol-ver-linux.argv
index dac46a074f..da3e0c5927 100644
--- a/tests/storagepoolxml2argvdata/pool-netfs-protocol-ver-linux.argv
+++ b/tests/storagepoolxml2argvdata/pool-netfs-protocol-ver-linux.argv
@@ -1,5 +1,5 @@
mount \
--o nodev,nosuid,noexec,nfsvers=3 \
+-o nodev,nosuid,noexec,nfsvers=4.1 \
-t nfs \
localhost:/var/lib/libvirt/images \
/mnt
diff --git a/tests/storagepoolxml2xmlin/pool-netfs-protocol-ver.xml b/tests/storagepoolxml2xmlin/pool-netfs-protocol-ver.xml
index 40f3f94e41..f35992e3c8 100644
--- a/tests/storagepoolxml2xmlin/pool-netfs-protocol-ver.xml
+++ b/tests/storagepoolxml2xmlin/pool-netfs-protocol-ver.xml
@@ -8,7 +8,7 @@
<host name='localhost'/>
<dir path='/var/lib/libvirt/images'/>
<format type='nfs'/>
- <protocol ver='3'/>
+ <protocol ver='4.1'/>
</source>
<target>
<path>/mnt</path>
diff --git a/tests/storagepoolxml2xmlout/pool-netfs-protocol-ver.xml b/tests/storagepoolxml2xmlout/pool-netfs-protocol-ver.xml
index 5fcad1305b..74c2f5edfe 100644
--- a/tests/storagepoolxml2xmlout/pool-netfs-protocol-ver.xml
+++ b/tests/storagepoolxml2xmlout/pool-netfs-protocol-ver.xml
@@ -8,7 +8,7 @@
<host name='localhost'/>
<dir path='/var/lib/libvirt/images'/>
<format type='nfs'/>
- <protocol ver='3'/>
+ <protocol ver='4.1'/>
</source>
<target>
<path>/mnt</path>
--
2.36.1
2 years, 5 months
[libvirt PATCH v2] tools: add virt-qmp-proxy for proxying QMP clients to libvirt QEMU guests
by Daniel P. Berrangé
Libvirt provides QMP passthrough APIs for the QEMU driver and these are
exposed in virsh. It is not especially pleasant, however, using the raw
QMP JSON syntax. QEMU has a tool 'qmp-shell' which can speak QMP and
exposes a human friendly interactive shell. It is not possible to use
this with libvirt managed guest, however, since only one client can
attach to he QMP socket at any point in time.
The virt-qmp-proxy tool aims to solve this problem. It opens a UNIX
socket and listens for incoming client connections, speaking QMP on
the connected socket. It will forward any QMP commands received onto
the running libvirt QEMU guest, and forward any replies back to the
QMP client.
$ virsh start demo
$ virt-qmp-proxy demo demo.qmp &
$ qmp-shell demo.qmp
Welcome to the QMP low-level shell!
Connected to QEMU 6.2.0
(QEMU) query-kvm
{
"return": {
"enabled": true,
"present": true
}
}
Note this tool of course has the same risks as the raw libvirt
QMP passthrough. It is safe to run query commands to fetch information
but commands which change the QEMU state risk disrupting libvirt's
management of QEMU, potentially resulting in data loss/corruption in
the worst case.
Signed-off-by: Daniel P. Berrangé <berrange(a)redhat.com>
---
Changed in v2:
- Rewrote to not be such a gross hack, specifically
- Wired up usage of libvirt event loop for sock I/O
- Register with libvirt for QMP events
- Incrementally read from socket & try json parsing
until we get a full command, instead of assuming
a full command in one read
- Forwarding of passed FDs in both directions
(libvirt -> client untested, since AFAIK, no
QMP cmd returns FDs currently)
Other thought....
This patch is against libvirt.git but has a dependancy on the
libvirt-python.git APIs. If we put this in libvirt-client RPM
then we get a new dep on python.
Perhaps better to have this live in libvirt-python.git/examples,
though I would like it present as a standard tool ? Another
option is to bundle with virt-install which is a python app
commonly present on virt hosts ?
docs/manpages/meson.build | 1 +
docs/manpages/virt-qmp-proxy.rst | 120 +++++++++++
tools/meson.build | 5 +
tools/virt-qmp-proxy | 360 +++++++++++++++++++++++++++++++
4 files changed, 486 insertions(+)
create mode 100644 docs/manpages/virt-qmp-proxy.rst
create mode 100755 tools/virt-qmp-proxy
diff --git a/docs/manpages/meson.build b/docs/manpages/meson.build
index ba673cf472..4162a9969a 100644
--- a/docs/manpages/meson.build
+++ b/docs/manpages/meson.build
@@ -18,6 +18,7 @@ docs_man_files = [
{ 'name': 'virt-pki-query-dn', 'section': '1', 'install': true },
{ 'name': 'virt-pki-validate', 'section': '1', 'install': true },
{ 'name': 'virt-qemu-run', 'section': '1', 'install': conf.has('WITH_QEMU') },
+ { 'name': 'virt-qmp-proxy', 'section': '1', 'install': conf.has('WITH_QEMU') },
{ 'name': 'virt-xml-validate', 'section': '1', 'install': true },
{ 'name': 'libvirt-guests', 'section': '8', 'install': conf.has('WITH_LIBVIRTD') },
diff --git a/docs/manpages/virt-qmp-proxy.rst b/docs/manpages/virt-qmp-proxy.rst
new file mode 100644
index 0000000000..30b9f6699d
--- /dev/null
+++ b/docs/manpages/virt-qmp-proxy.rst
@@ -0,0 +1,120 @@
+==============
+virt-qmp-proxy
+==============
+
+--------------------------------------------------
+Expose a QMP proxy server for a libvirt QEMU guest
+--------------------------------------------------
+
+:Manual section: 1
+:Manual group: Virtualization Support
+
+.. contents::
+
+
+SYNOPSIS
+========
+
+``virt-qmp-proxy`` [*OPTION*]... *DOMAIN* *QMP-SOCKET-PATH*
+
+
+DESCRIPTION
+===========
+
+This tool provides a way to expose a QMP proxy server that communicates
+with a QEMU guest managed by libvirt. This enables standard QMP client
+tools to interact with libvirt managed guests.
+
+**NOTE: use of this tool will result in the running QEMU guest being
+marked as tainted.** It is strongly recommended that this tool *only be
+used to send commands which query information* about the running guest.
+If this tool is used to make changes to the state of the guest, this
+may have negative interactions with the QEMU driver, resulting in an
+inability to manage the guest operation thereafter, and in the worst
+case **potentially lead to data loss or corruption**.
+
+The ``virt-qmp-proxy`` program will listen on a UNIX socket for incoming
+client connections, and run the QMP protocol over the connection. Any
+commands received will be sent to the running libvirt guest, and replies
+sent back.
+
+The ``virt-qemu-proxy`` program may be interrupted (eg Ctrl-C) when it
+is no longer required. The libvirt QEMU guest will continue running.
+
+
+OPTIONS
+=======
+
+*DOMAIN*
+
+The ID or UUID or Name of the libvirt QEMU guest.
+
+*QMP-SOCKET-PATH*
+
+The filesystem path at which to run the QMP server, listening for
+incoming connections.
+
+``-c`` *CONNECTION-URI*
+``--connect``\ =\ *CONNECTION-URI*
+
+The URI for the connection to the libvirt QEMU driver. If omitted,
+a URI will be auto-detected.
+
+``-v``, ``--verbose``
+
+Run in verbose mode, printing all QMP commands and replies that
+are handled.
+
+``-h``, ``--help``
+
+Display the command line help.
+
+
+EXIT STATUS
+===========
+
+Upon successful shutdown, an exit status of 0 will be set. Upon
+failure a non-zero status will be set.
+
+
+AUTHOR
+======
+
+Daniel P. Berrangé
+
+
+BUGS
+====
+
+Please report all bugs you discover. This should be done via either:
+
+#. the mailing list
+
+ `https://libvirt.org/contact.html <https://libvirt.org/contact.html>`_
+
+#. the bug tracker
+
+ `https://libvirt.org/bugs.html <https://libvirt.org/bugs.html>`_
+
+Alternatively, you may report bugs to your software distributor / vendor.
+
+COPYRIGHT
+=========
+
+Copyright (C) 2022 by Red Hat, Inc.
+
+
+LICENSE
+=======
+
+``virt-qemu-proxy`` is distributed under the terms of the GNU LGPL v2+.
+This is free software; see the source for copying conditions. There
+is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR
+PURPOSE
+
+
+SEE ALSO
+========
+
+virsh(1), `https://libvirt.org/ <https://libvirt.org/>`_,
+`QMP reference <https://www.qemu.org/docs/master/interop/qemu-qmp-ref.html>`_
diff --git a/tools/meson.build b/tools/meson.build
index bb28a904dc..4e959ecf0b 100644
--- a/tools/meson.build
+++ b/tools/meson.build
@@ -320,6 +320,11 @@ if conf.has('WITH_LIBVIRTD')
endif
endif
+if conf.has('WITH_QEMU')
+ install_data('virt-qmp-proxy',
+ install_dir: bindir)
+endif
+
if bash_completion_dep.found()
subdir('bash-completion')
endif
diff --git a/tools/virt-qmp-proxy b/tools/virt-qmp-proxy
new file mode 100755
index 0000000000..d85342bd2b
--- /dev/null
+++ b/tools/virt-qmp-proxy
@@ -0,0 +1,360 @@
+#!/usr/bin/env python3
+
+import argparse
+import array
+import libvirt
+import libvirt_qemu
+import os
+import re
+import socket
+import sys
+import traceback
+import json
+import fcntl
+
+
+debug = False
+
+def get_domain(uri, domstr):
+ conn = libvirt.open(uri)
+
+ dom = None
+ saveex = None
+
+ def try_lookup(cb):
+ try:
+ return cb()
+ except libvirt.libvirtError as ex:
+ nonlocal saveex
+ if saveex is None:
+ saveex = ex
+
+ if re.match(r'^\d+$', domstr):
+ dom = try_lookup(lambda: conn.lookupByID(int(domstr)))
+
+ if dom is None and re.match(r'^[-a-f0-9]{36}|[a-f0-9]{32}$', domstr):
+ dom = try_lookup(lambda: conn.lookupByUUIDString(domstr))
+
+ if dom is None:
+ dom = try_lookup(lambda: conn.lookupByName(domstr))
+
+ if dom is None:
+ raise saveex
+
+ if not dom.isActive():
+ raise Exception("Domain must be running to use QMP")
+
+ return conn, dom
+
+
+class QMPProxy(object):
+
+ def __init__(self, conn, dom, serversock, verbose):
+ self.conn = conn
+ self.dom = dom
+ self.verbose = verbose
+
+ self.serversock = serversock
+ self.serverwatch = 0
+
+ self.clientsock = None
+ self.clientwatch = 0
+
+ self.api2sock = bytes([])
+ self.api2sockfds = []
+
+ self.sock2api = bytes([])
+ self.sock2apifds = []
+
+ self.serverwatch = libvirt.virEventAddHandle(
+ self.serversock.fileno(), libvirt.VIR_EVENT_HANDLE_READABLE,
+ self.handle_server_io, self)
+
+ libvirt_qemu.qemuMonitorEventRegister(self.conn, self.dom,
+ None,
+ self.handle_qmp_event,
+ self)
+
+
+ @staticmethod
+ def handle_qmp_event(conn, dom, event, secs, usecs, details, self):
+ evdoc = {
+ "event": event,
+ "timestamp": {"seconds": secs, "microseconds": usecs }
+ }
+ if details is not None:
+ evdoc["data"] = details
+
+ ev = json.dumps(evdoc)
+ if self.verbose:
+ print(ev)
+ ev += "\r\n"
+ self.api2sock += ev.encode("utf-8")
+ self.update_client_events()
+
+
+ def recv_with_fds(self):
+ # Match VIR_NET_MESSAGE_NUM_FDS_MAX in virnetprotocol.x
+ maxfds = 32
+ fds = array.array('i')
+ cmsgdatalen = socket.CMSG_LEN(maxfds * fds.itemsize)
+
+ data, cmsgdata, flags, addr = self.clientsock.recvmsg(1024,
+ cmsgdatalen)
+ for cmsg_level, cmsg_type, cmsg_data in cmsgdata:
+ if (cmsg_level == socket.SOL_SOCKET and
+ cmsg_type == socket.SCM_RIGHTS):
+ fds.frombytes(cmsg_data[:len(cmsg_data) -
+ (len(cmsg_data) % fds.itemsize)])
+ else:
+ raise Exception("Unexpected CMSGDATA level %d type %d" % (
+ cmsg_level, cmsg_type))
+
+ return data, [self.make_file(fd) for fd in fds]
+
+
+ def send_with_fds(self, data, fds):
+ cfds = [fd.fileno() for fd in fds]
+
+ cmsgdata = [(socket.SOL_SOCKET, socket.SCM_RIGHTS,
+ array.array("i", cfds))]
+
+ return self.clientsock.sendmsg([data], cmsgdata)
+
+
+ @staticmethod
+ def make_file(fd):
+ flags = fcntl.fcntl(fd, fcntl.F_GETFL)
+
+ mask = os.O_RDONLY | os.O_WRONLY | os.O_RDWR | os.O_APPEND
+ flags = flags & mask
+ mode = ""
+ if flags == os.O_RDONLY:
+ mode = "rb"
+ elif flags == os.O_WRONLY:
+ mode = "wb"
+ elif flags == os.O_RDWR:
+ mode = "r+b"
+ elif flags == (os.O_WRONLY | os.O_APPEND):
+ mode = "ab"
+ elif flags == (os.O_RDWR | os.O_APPEND):
+ mode = "a+b"
+
+ return os.fdopen(fd, mode)
+
+
+ def add_client(self, sock):
+ ver = self.conn.getVersion()
+ major = int(ver / 1000000) % 1000
+ minor = int(ver / 1000) % 1000
+ micro = ver % 1000
+
+ greetingobj = {
+ "QMP": {
+ "version": {
+ "qemu": {
+ "major": major,
+ "minor": minor,
+ "micro": micro,
+ },
+ "package": f"qemu-{major}.{minor}.{micro}",
+ },
+ "capabilities": [
+ "oob"
+ ],
+ }
+ }
+ greeting = json.dumps(greetingobj)
+ if self.verbose:
+ print(greeting)
+ greeting += "\r\n"
+
+ self.clientsock = sock
+ self.clientwatch = libvirt.virEventAddHandle(
+ self.clientsock.fileno(), libvirt.VIR_EVENT_HANDLE_WRITABLE,
+ self.handle_client_io, self)
+ self.api2sock += greeting.encode("utf-8")
+ self.update_server_events()
+
+
+ def remove_client(self):
+ libvirt.virEventRemoveHandle(self.clientwatch)
+ self.clientsock.close()
+ self.clientsock = None
+ self.clientwatch = 0
+ self.update_server_events()
+
+ self.api2sock = bytes([])
+ self.api2sockfds = []
+
+ self.sock2api = bytes([])
+ self.sock2apifds = []
+
+
+ def update_client_events(self):
+ # For simplicity of tracking distinct QMP cmds and their passed FDs
+ # we don't try to support "pipelining", only a single cmd may be
+ # inflight
+ if len(self.api2sock) > 0:
+ events = libvirt.VIR_EVENT_HANDLE_WRITABLE
+ else:
+ events = libvirt.VIR_EVENT_HANDLE_READABLE
+
+ libvirt.virEventUpdateHandle(self.clientwatch, events)
+
+
+ def update_server_events(self):
+ if self.clientsock is not None:
+ libvirt.virEventUpdateHandle(self.serverwatch, 0)
+ else:
+ libvirt.virEventUpdateHandle(self.serverwatch,
+ libvirt.VIR_EVENT_HANDLE_READABLE)
+
+
+ def try_command(self):
+ try:
+ cmdstr = self.sock2api.decode("utf-8")
+ cmd = json.loads(cmdstr)
+
+ if self.verbose:
+ cmdstr = cmdstr.strip()
+ print(cmdstr)
+ except Exception as ex:
+ if debug:
+ print("Incomplete %s: %s" % ( self.sock2api, ex))
+ return
+
+ id = None
+ if "id" in cmd:
+ id = cmd["id"]
+ del cmd["id"]
+
+ if cmd.get("execute", "") == "qmp_capabilities":
+ resobj = {
+ "return": {},
+ }
+ resfds = []
+ else:
+ if hasattr(libvirt_qemu, "qemuMonitorCommandWithFiles"):
+ res, resfds = libvirt_qemu.qemuMonitorCommandWithFiles(
+ self.dom, json.dumps(cmd), [f.fileno() for f in self.sock2apifds])
+ resobj = json.loads(res)
+ else:
+ if len(self.sock2apifds) > 0:
+ raise Exception("FD passing not supported")
+ res = libvirt_qemu.qemuMonitorCommand(
+ self.dom, json.dumps(cmd))
+ resfds = []
+ resobj = json.loads(res)
+
+ if "id" in resobj:
+ del resobj["id"]
+ if id is not None:
+ resobj["id"] = id
+
+ res = json.dumps(resobj)
+ if self.verbose:
+ print(res)
+ res += "\r\n"
+
+ self.sock2api = bytes([])
+ self.sock2apifds = []
+ self.api2sock += res.encode("utf-8")
+ self.api2sockfds = resfds
+
+
+ @staticmethod
+ def handle_client_io(watch, fd, events, self):
+ error = False
+ try:
+ if events & libvirt.VIR_EVENT_HANDLE_WRITABLE:
+ done = self.send_with_fds(self.api2sock, self.api2sockfds)
+ if done > 0:
+ self.api2sock = self.api2sock[done:]
+ self.api2sockfds = []
+ elif events & libvirt.VIR_EVENT_HANDLE_READABLE:
+ data, fds = self.recv_with_fds()
+ if len(data) == 0:
+ error = True
+ else:
+ self.sock2api += data
+ if len(fds):
+ self.sock2apifds += fds
+
+ self.try_command()
+ else:
+ error = True
+ except Exception as e:
+ global debug
+ if debug:
+ print("%s: %s" % (sys.argv[0], str(e)))
+ print(traceback.format_exc())
+ error = True
+
+ if error:
+ self.remove_client()
+ else:
+ self.update_client_events()
+
+
+ @staticmethod
+ def handle_server_io(watch, fd, events, self):
+ if self.clientsock is None:
+ sock, addr = self.serversock.accept()
+ self.add_client(sock)
+ else:
+ self.update_server_events()
+
+
+def parse_commandline():
+ parser = argparse.ArgumentParser(description="Libvirt QMP proxy")
+ parser.add_argument("--connect", "-c",
+ help="Libvirt QEMU driver connection URI")
+ parser.add_argument("--debug", "-d", action='store_true',
+ help="Display debugging information")
+ parser.add_argument("--verbose", "-v", action='store_true',
+ help="Display QMP traffic")
+ parser.add_argument("domain", metavar="DOMAIN",
+ help="Libvirt guest domain ID/UUID/Name")
+ parser.add_argument("sockpath", metavar="QMP-SOCK-PATH",
+ help="UNIX socket path for QMP server")
+
+ return parser.parse_args()
+
+
+def main():
+ args = parse_commandline()
+ global debug
+ debug = args.debug
+
+ if not debug:
+ libvirt.registerErrorHandler(lambda opaque, error: None, None)
+
+ libvirt.virEventRegisterDefaultImpl()
+
+ conn, dom = get_domain(args.connect, args.domain)
+
+ if conn.getType() != "QEMU":
+ raise Exception("QMP proxy requires a QEMU driver connection not %s" %
+ conn.getType())
+
+ sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
+ if os.path.exists(args.sockpath):
+ os.unlink(args.sockpath)
+ sock.bind(args.sockpath)
+ sock.listen(1)
+
+ proxy = QMPProxy(conn, dom, sock, args.verbose)
+
+ while True:
+ libvirt.virEventRunDefaultImpl()
+
+
+try:
+ main()
+ sys.exit(0)
+except Exception as e:
+ print("%s: %s" % (sys.argv[0], str(e)))
+ if debug:
+ print(traceback.format_exc())
+ sys.exit(1)
--
2.36.1
2 years, 5 months
[PATCH] security_selinux.c: Relabel existing mode="bind" UNIX sockets
by David Michael
This supports sockets created by libvirt and passed by FD using the
same method as in security_dac.c.
Signed-off-by: David Michael <david(a)bigbadwolfsecurity.com>
---
Hi,
Custom SELinux labels are not applied to sockets when they have
mode="bind", but other security models (DAC) allow changing these
sockets. Can the same method be used to support SELinux?
Thanks.
David
src/security/security_selinux.c | 6 ++++--
tests/securityselinuxlabeldata/chardev.txt | 2 +-
2 files changed, 5 insertions(+), 3 deletions(-)
diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
index e2f34a27dc..8b258c9e36 100644
--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
@@ -2541,7 +2541,9 @@ virSecuritySELinuxSetChardevLabel(virSecurityManager *mgr,
break;
case VIR_DOMAIN_CHR_TYPE_UNIX:
- if (!dev_source->data.nix.listen) {
+ if (!dev_source->data.nix.listen ||
+ (dev_source->data.nix.path &&
+ virFileExists(dev_source->data.nix.path))) {
if (virSecuritySELinuxSetFilecon(mgr,
dev_source->data.nix.path,
imagelabel,
@@ -2618,7 +2620,7 @@ virSecuritySELinuxRestoreChardevLabel(virSecurityManager *mgr,
case VIR_DOMAIN_CHR_TYPE_UNIX:
if (!dev_source->data.nix.listen) {
if (virSecuritySELinuxRestoreFileLabel(mgr,
- dev_source->data.file.path,
+ dev_source->data.nix.path,
true) < 0)
goto done;
}
diff --git a/tests/securityselinuxlabeldata/chardev.txt b/tests/securityselinuxlabeldata/chardev.txt
index 3f4b6302b9..bdb367f7a5 100644
--- a/tests/securityselinuxlabeldata/chardev.txt
+++ b/tests/securityselinuxlabeldata/chardev.txt
@@ -2,6 +2,6 @@
/plain.dev;system_u:object_r:svirt_image_t:s0:c41,c264
/plain.fifo;system_u:object_r:svirt_image_t:s0:c41,c264
/nolabel.sock;
-/plain.sock;
+/plain.sock;system_u:object_r:svirt_image_t:s0:c41,c264
/yeslabel.sock;system_u:object_r:svirt_image_t:s0:c41,c264
/altlabel.sock;system_u:object_r:svirt_image_custom_t:s0:c41,c264
--
2.36.1
2 years, 5 months
Release of libvirt-8.5.0
by Jiri Denemark
The 8.5.0 release of both libvirt and libvirt-python is tagged and
signed tarballs and source RPMs are available at
https://libvirt.org/sources/
https://libvirt.org/sources/python/
Thanks everybody who helped with this release by sending patches,
reviewing, testing, or providing feedback. Your work is greatly
appreciated.
* New features
* qemu: Introduce support for network backed NVRAM
Users can now use remote store NVRAM image by specifying newly introduced
attribute `type='network'` with `<nvram>` element.
* qemu: Add support for post-copy migration recovery
A new ``VIR_MIGRATE_POSTCOPY_RESUME`` flag (``virsh migrate --postcopy-resume``)
was introduced for recovering from a failed post-copy migration.
* Introduce thread_pool_min and thread_pool_max attributes to IOThread
New attributes ``thread_pool_min`` and ``thread_pool_max`` were introduced
to ``<iothread/>`` as well as new ``<defaultiothread/>`` element with the
same attributes. This way it's possible to instruct QEMU to spawn enough
worker threads for an IOThread upfront, resulting in predictable time
needed to process an I/O request.
* Improvements
* Define a TFTP server without a DHCP server in network configuration
It's now possible to define a network with no DHCP server but with a TFTP
server. This may be useful when DHCP service is provided by other entity on
the network than libvirt spawned dnsmasq.
* Bug fixes
* qemu: Restore label to temp file in qemuDomainScreenshot()
When virDomainScreenshot() is called, libvirt instructs QEMU to save the
screenshot into a temporary file. This file needs to be labelled correctly,
so that QEMU can access it. And since the file is temporary (it's deleted
after the screenshot was taken) the corresponding label restore was
missing. This proven to be problematic for profile based models, like
AppArmor, where the temporary files were added into the profile but never
removed, which resulted in longer profile recalculation times.
* qemuBuildInterfaceConnect: Initialize @tapfd array
Due to an uninitialized array, unsuccessful attempt to start a guest with
an ``<interface/>`` might have resulted in closing of a random FD and thus
sudden disconnect of a client or other random failures.
* qemu: Fix hotplug of network interfaces
A logic bug introduced in a recent refactor was fixed. The bug caused a
problem when hot-adding a network interface, which failed with the
following error::
error: internal error: unable to execute QEMU command 'netdev_add': File descriptor named '(null)' has not been found
* Fix ``startupPolicy`` validation for ``block`` disks
Setting of ``startupPolicy`` for a block disk would result in an error due
to a logic bug in a recent refactor.
* qemu: Fix crash when overriding device properties via ``<qemu:override>`` element
Adding an override for a device property would result in a crash of the qemu
driver.
Enjoy.
Jirka
2 years, 5 months
[PATCH for 8.5.0] qemu_hotplug: Don't skip cleanup in qemuDomainAttachNetDevice()
by Michal Privoznik
Introduced in v8.4.0-rc1~183 but the first real problem
introduced in v8.4.0-rc1~170, there's a
qemuBuildInterfaceConnect() call inside of
qemuDomainAttachNetDevice(). If the former fails, then the
function is immediately returned from instead of jumping onto the
cleanup label. This is crucial, because at this point the domain
definition contains 'borrowed' net definition, which is then
freed, since an error was met. The domain definition is then left
with a dangling pointer which leads to all sorts of different
crashes.
Fixes: 29d022b1eb7b2330ed224a08509e6d3a5eeecc53
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2102009
Signed-off-by: Michal Privoznik <mprivozn(a)redhat.com>
---
src/qemu/qemu_hotplug.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/qemu/qemu_hotplug.c b/src/qemu/qemu_hotplug.c
index ee44649d48..27e68370cf 100644
--- a/src/qemu/qemu_hotplug.c
+++ b/src/qemu/qemu_hotplug.c
@@ -1265,7 +1265,7 @@ qemuDomainAttachNetDevice(virQEMUDriver *driver,
VIR_APPEND_ELEMENT_COPY(vm->def->nets, vm->def->nnets, net);
if (qemuBuildInterfaceConnect(vm, net, VIR_NETDEV_VPORT_PROFILE_OP_CREATE) < 0)
- return -1;
+ goto cleanup;
iface_connected = true;
--
2.35.1
2 years, 5 months