July 2022 - Devel - libvirt List Archives

[libvirt PATCH] conf: fix error message for wrong thread_pool_size
by Ján Tomko 01 Jul '22

01 Jul '22

Fix the copy-and-paste error by referring to the correct variable. Fixes: 0df2e7df80452f81edbfeb0ee355235b533346a9 https://bugzilla.redhat.com/show_bug.cgi?id=2103132 Signed-off-by: Ján Tomko <jtomko(a)redhat.com> --- Pushed as trivial. src/conf/domain_conf.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/conf/domain_conf.c b/src/conf/domain_conf.c index fb8bf4cfec..2c2f23242e 100644 --- a/src/conf/domain_conf.c +++ b/src/conf/domain_conf.c @@ -9949,7 +9949,7 @@ virDomainFSDefParseXML(virDomainXMLOption *xmlopt, virStrToLong_i(thread_pool_size, NULL, 10, &def->thread_pool_size) < 0) { virReportError(VIR_ERR_XML_ERROR, _("cannot parse thread pool size '%s' for virtiofs"), - queue_size); + thread_pool_size); goto error; } -- 2.35.3

1 0

[PATCH] storagepoolxml2argvtest: Fix output data for 'pool-netfs-protocol-ver'
by Peter Krempa 01 Jul '22

01 Jul '22

The storage pool tests have host-specific versions which I neglected to update in commit c44930d932203b4a58dccbbeaa814fff6cea8216 thus breaking the test-suite on non-linux OSes. Fixes: c44930d932203b4a58dccbbeaa814fff6cea8216 Signed-off-by: Peter Krempa <pkrempa(a)redhat.com> --- Pushed as a build-fix. .../pool-netfs-protocol-ver-freebsd.argv | 2 +- tests/storagepoolxml2argvdata/pool-netfs-protocol-ver.argv | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/tests/storagepoolxml2argvdata/pool-netfs-protocol-ver-freebsd.argv b/tests/storagepoolxml2argvdata/pool-netfs-protocol-ver-freebsd.argv index 32cdaebcff..20954ef50c 100644 --- a/tests/storagepoolxml2argvdata/pool-netfs-protocol-ver-freebsd.argv +++ b/tests/storagepoolxml2argvdata/pool-netfs-protocol-ver-freebsd.argv @@ -1,5 +1,5 @@ mount \ --o nosuid,noexec,nfsvers=3 \ +-o nosuid,noexec,nfsvers=4.1 \ -t nfs \ localhost:/var/lib/libvirt/images \ /mnt diff --git a/tests/storagepoolxml2argvdata/pool-netfs-protocol-ver.argv b/tests/storagepoolxml2argvdata/pool-netfs-protocol-ver.argv index ed157883c0..9afc6090b8 100644 --- a/tests/storagepoolxml2argvdata/pool-netfs-protocol-ver.argv +++ b/tests/storagepoolxml2argvdata/pool-netfs-protocol-ver.argv @@ -1,5 +1,5 @@ mount \ --o nfsvers=3 \ +-o nfsvers=4.1 \ -t nfs \ localhost:/var/lib/libvirt/images \ /mnt -- 2.36.1

1 0

[PATCHv2] storage: pool: Allow more intricate nfs protocol versions
by Peter Krempa 01 Jul '22

01 Jul '22

Treat the 'protocolVer' field as a string so that e.g. '4.1' can be used. Forbid only ',' in the string as it's a separator of arguments for mount options. Signed-off-by: Peter Krempa <pkrempa(a)redhat.com> --- v2: - forbid ',' in the version string. docs/formatstorage.rst | 2 +- src/conf/schemas/storagepool.rng | 4 +--- src/conf/storage_conf.c | 17 ++++++++--------- src/conf/storage_conf.h | 2 +- src/storage/storage_util.c | 4 ++-- .../pool-netfs-protocol-ver-linux.argv | 2 +- .../pool-netfs-protocol-ver.xml | 2 +- .../pool-netfs-protocol-ver.xml | 2 +- 8 files changed, 16 insertions(+), 19 deletions(-) diff --git a/docs/formatstorage.rst b/docs/formatstorage.rst index ef15c0ac5c..83d7d141ac 100644 --- a/docs/formatstorage.rst +++ b/docs/formatstorage.rst @@ -350,7 +350,7 @@ following child elements: ``protocol`` For a ``netfs`` Storage Pool provide a mechanism to define which NFS protocol version number will be used to contact the server's NFS service. The - attribute ``ver`` accepts an unsigned integer as the version number to use. + attribute ``ver`` accepts the version number to use. :since:`Since 5.1.0` ``vendor`` Provides optional information about the vendor of the storage device. This diff --git a/src/conf/schemas/storagepool.rng b/src/conf/schemas/storagepool.rng index bd24b8b8d0..d81ead532a 100644 --- a/src/conf/schemas/storagepool.rng +++ b/src/conf/schemas/storagepool.rng @@ -577,9 +577,7 @@ <ref name="sourcefmtnetfs"/> <optional> <element name="protocol"> - <attribute name="ver"> - <ref name="unsignedInt"/> - </attribute> + <attribute name="ver"/> </element> </optional> <optional> diff --git a/src/conf/storage_conf.c b/src/conf/storage_conf.c index 5da0bf20dd..79f16aadf3 100644 --- a/src/conf/storage_conf.c +++ b/src/conf/storage_conf.c @@ -483,6 +483,7 @@ virStoragePoolSourceClear(virStoragePoolSource *source) virStorageAuthDefFree(source->auth); VIR_FREE(source->vendor); VIR_FREE(source->product); + VIR_FREE(source->protocolVer); } @@ -526,7 +527,6 @@ virStoragePoolDefParseSource(xmlXPathContextPtr ctxt, virStoragePoolOptions *options; int n; g_autoptr(virStorageAuthDef) authdef = NULL; - g_autofree char *ver = NULL; g_autofree xmlNodePtr *nodeset = NULL; g_autofree char *sourcedir = NULL; VIR_XPATH_NODE_AUTORESTORE(ctxt) @@ -634,7 +634,7 @@ virStoragePoolDefParseSource(xmlXPathContextPtr ctxt, } /* Option protocol version string (NFSvN) */ - if ((ver = virXPathString("string(./protocol/@ver)", ctxt))) { + if ((source->protocolVer = virXPathString("string(./protocol/@ver)", ctxt))) { if ((source->format != VIR_STORAGE_POOL_NETFS_NFS) && (source->format != VIR_STORAGE_POOL_NETFS_AUTO)) { virReportError(VIR_ERR_CONFIG_UNSUPPORTED, @@ -643,10 +643,11 @@ virStoragePoolDefParseSource(xmlXPathContextPtr ctxt, virStoragePoolFormatFileSystemNetTypeToString(source->format)); return -1; } - if (virStrToLong_uip(ver, NULL, 0, &source->protocolVer) < 0) { - virReportError(VIR_ERR_XML_ERROR, - _("storage pool protocol ver '%s' is malformed"), - ver); + + if (strchr(source->protocolVer, ',')) { + virReportError(VIR_ERR_XML_DETAIL, + _("storage pool protocol ver '%s' must not contain ','"), + source->protocolVer); return -1; } } @@ -1099,9 +1100,7 @@ virStoragePoolSourceFormat(virBuffer *buf, if (src->auth) virStorageAuthDefFormat(buf, src->auth); - if (src->protocolVer) - virBufferAsprintf(buf, "<protocol ver='%u'/>\n", src->protocolVer); - + virBufferEscapeString(buf, "<protocol ver='%s'/>\n", src->protocolVer); virBufferEscapeString(buf, "<vendor name='%s'/>\n", src->vendor); virBufferEscapeString(buf, "<product name='%s'/>\n", src->product); diff --git a/src/conf/storage_conf.h b/src/conf/storage_conf.h index de39c3f294..a1bf243935 100644 --- a/src/conf/storage_conf.h +++ b/src/conf/storage_conf.h @@ -213,7 +213,7 @@ struct _virStoragePoolSource { int format; /* Protocol version value for netfs */ - unsigned int protocolVer; + char *protocolVer; }; typedef struct _virStoragePoolTarget virStoragePoolTarget; diff --git a/src/storage/storage_util.c b/src/storage/storage_util.c index 6ed2078b65..3871718b09 100644 --- a/src/storage/storage_util.c +++ b/src/storage/storage_util.c @@ -4201,8 +4201,8 @@ virStorageBackendFileSystemMountCmd(const char *cmdstr, virCommand *cmd = NULL; g_autofree char *nfsVers = NULL; - if (def->type == VIR_STORAGE_POOL_NETFS && def->source.protocolVer > 0) - nfsVers = g_strdup_printf("nfsvers=%u", def->source.protocolVer); + if (def->type == VIR_STORAGE_POOL_NETFS && def->source.protocolVer) + nfsVers = g_strdup_printf("nfsvers=%s", def->source.protocolVer); cmd = virCommandNew(cmdstr); if (netauto) diff --git a/tests/storagepoolxml2argvdata/pool-netfs-protocol-ver-linux.argv b/tests/storagepoolxml2argvdata/pool-netfs-protocol-ver-linux.argv index dac46a074f..da3e0c5927 100644 --- a/tests/storagepoolxml2argvdata/pool-netfs-protocol-ver-linux.argv +++ b/tests/storagepoolxml2argvdata/pool-netfs-protocol-ver-linux.argv @@ -1,5 +1,5 @@ mount \ --o nodev,nosuid,noexec,nfsvers=3 \ +-o nodev,nosuid,noexec,nfsvers=4.1 \ -t nfs \ localhost:/var/lib/libvirt/images \ /mnt diff --git a/tests/storagepoolxml2xmlin/pool-netfs-protocol-ver.xml b/tests/storagepoolxml2xmlin/pool-netfs-protocol-ver.xml index 40f3f94e41..f35992e3c8 100644 --- a/tests/storagepoolxml2xmlin/pool-netfs-protocol-ver.xml +++ b/tests/storagepoolxml2xmlin/pool-netfs-protocol-ver.xml @@ -8,7 +8,7 @@ <host name='localhost'/> <dir path='/var/lib/libvirt/images'/> <format type='nfs'/> - <protocol ver='3'/> + <protocol ver='4.1'/> </source> <target> <path>/mnt</path> diff --git a/tests/storagepoolxml2xmlout/pool-netfs-protocol-ver.xml b/tests/storagepoolxml2xmlout/pool-netfs-protocol-ver.xml index 5fcad1305b..74c2f5edfe 100644 --- a/tests/storagepoolxml2xmlout/pool-netfs-protocol-ver.xml +++ b/tests/storagepoolxml2xmlout/pool-netfs-protocol-ver.xml @@ -8,7 +8,7 @@ <host name='localhost'/> <dir path='/var/lib/libvirt/images'/> <format type='nfs'/> - <protocol ver='3'/> + <protocol ver='4.1'/> </source> <target> <path>/mnt</path> -- 2.36.1

2 1

[libvirt PATCH v2] tools: add virt-qmp-proxy for proxying QMP clients to libvirt QEMU guests
by Daniel P. Berrangé 01 Jul '22

01 Jul '22

Libvirt provides QMP passthrough APIs for the QEMU driver and these are exposed in virsh. It is not especially pleasant, however, using the raw QMP JSON syntax. QEMU has a tool 'qmp-shell' which can speak QMP and exposes a human friendly interactive shell. It is not possible to use this with libvirt managed guest, however, since only one client can attach to he QMP socket at any point in time. The virt-qmp-proxy tool aims to solve this problem. It opens a UNIX socket and listens for incoming client connections, speaking QMP on the connected socket. It will forward any QMP commands received onto the running libvirt QEMU guest, and forward any replies back to the QMP client. $ virsh start demo $ virt-qmp-proxy demo demo.qmp & $ qmp-shell demo.qmp Welcome to the QMP low-level shell! Connected to QEMU 6.2.0 (QEMU) query-kvm { "return": { "enabled": true, "present": true } } Note this tool of course has the same risks as the raw libvirt QMP passthrough. It is safe to run query commands to fetch information but commands which change the QEMU state risk disrupting libvirt's management of QEMU, potentially resulting in data loss/corruption in the worst case. Signed-off-by: Daniel P. Berrangé <berrange(a)redhat.com> --- Changed in v2: - Rewrote to not be such a gross hack, specifically - Wired up usage of libvirt event loop for sock I/O - Register with libvirt for QMP events - Incrementally read from socket & try json parsing until we get a full command, instead of assuming a full command in one read - Forwarding of passed FDs in both directions (libvirt -> client untested, since AFAIK, no QMP cmd returns FDs currently) Other thought.... This patch is against libvirt.git but has a dependancy on the libvirt-python.git APIs. If we put this in libvirt-client RPM then we get a new dep on python. Perhaps better to have this live in libvirt-python.git/examples, though I would like it present as a standard tool ? Another option is to bundle with virt-install which is a python app commonly present on virt hosts ? docs/manpages/meson.build | 1 + docs/manpages/virt-qmp-proxy.rst | 120 +++++++++++ tools/meson.build | 5 + tools/virt-qmp-proxy | 360 +++++++++++++++++++++++++++++++ 4 files changed, 486 insertions(+) create mode 100644 docs/manpages/virt-qmp-proxy.rst create mode 100755 tools/virt-qmp-proxy diff --git a/docs/manpages/meson.build b/docs/manpages/meson.build index ba673cf472..4162a9969a 100644 --- a/docs/manpages/meson.build +++ b/docs/manpages/meson.build @@ -18,6 +18,7 @@ docs_man_files = [ { 'name': 'virt-pki-query-dn', 'section': '1', 'install': true }, { 'name': 'virt-pki-validate', 'section': '1', 'install': true }, { 'name': 'virt-qemu-run', 'section': '1', 'install': conf.has('WITH_QEMU') }, + { 'name': 'virt-qmp-proxy', 'section': '1', 'install': conf.has('WITH_QEMU') }, { 'name': 'virt-xml-validate', 'section': '1', 'install': true }, { 'name': 'libvirt-guests', 'section': '8', 'install': conf.has('WITH_LIBVIRTD') }, diff --git a/docs/manpages/virt-qmp-proxy.rst b/docs/manpages/virt-qmp-proxy.rst new file mode 100644 index 0000000000..30b9f6699d --- /dev/null +++ b/docs/manpages/virt-qmp-proxy.rst @@ -0,0 +1,120 @@ +============== +virt-qmp-proxy +============== + +-------------------------------------------------- +Expose a QMP proxy server for a libvirt QEMU guest +-------------------------------------------------- + +:Manual section: 1 +:Manual group: Virtualization Support + +.. contents:: + + +SYNOPSIS +======== + +``virt-qmp-proxy`` [*OPTION*]... *DOMAIN* *QMP-SOCKET-PATH* + + +DESCRIPTION +=========== + +This tool provides a way to expose a QMP proxy server that communicates +with a QEMU guest managed by libvirt. This enables standard QMP client +tools to interact with libvirt managed guests. + +**NOTE: use of this tool will result in the running QEMU guest being +marked as tainted.** It is strongly recommended that this tool *only be +used to send commands which query information* about the running guest. +If this tool is used to make changes to the state of the guest, this +may have negative interactions with the QEMU driver, resulting in an +inability to manage the guest operation thereafter, and in the worst +case **potentially lead to data loss or corruption**. + +The ``virt-qmp-proxy`` program will listen on a UNIX socket for incoming +client connections, and run the QMP protocol over the connection. Any +commands received will be sent to the running libvirt guest, and replies +sent back. + +The ``virt-qemu-proxy`` program may be interrupted (eg Ctrl-C) when it +is no longer required. The libvirt QEMU guest will continue running. + + +OPTIONS +======= + +*DOMAIN* + +The ID or UUID or Name of the libvirt QEMU guest. + +*QMP-SOCKET-PATH* + +The filesystem path at which to run the QMP server, listening for +incoming connections. + +``-c`` *CONNECTION-URI* +``--connect``\ =\ *CONNECTION-URI* + +The URI for the connection to the libvirt QEMU driver. If omitted, +a URI will be auto-detected. + +``-v``, ``--verbose`` + +Run in verbose mode, printing all QMP commands and replies that +are handled. + +``-h``, ``--help`` + +Display the command line help. + + +EXIT STATUS +=========== + +Upon successful shutdown, an exit status of 0 will be set. Upon +failure a non-zero status will be set. + + +AUTHOR +====== + +Daniel P. Berrangé + + +BUGS +==== + +Please report all bugs you discover. This should be done via either: + +#. the mailing list + + `https://libvirt.org/contact.html <https://libvirt.org/contact.html>`_ + +#. the bug tracker + + `https://libvirt.org/bugs.html <https://libvirt.org/bugs.html>`_ + +Alternatively, you may report bugs to your software distributor / vendor. + +COPYRIGHT +========= + +Copyright (C) 2022 by Red Hat, Inc. + + +LICENSE +======= + +``virt-qemu-proxy`` is distributed under the terms of the GNU LGPL v2+. +This is free software; see the source for copying conditions. There +is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR +PURPOSE + + +SEE ALSO +======== + +virsh(1), `https://libvirt.org/ <https://libvirt.org/>`_, +`QMP reference <https://www.qemu.org/docs/master/interop/qemu-qmp-ref.html>`_ diff --git a/tools/meson.build b/tools/meson.build index bb28a904dc..4e959ecf0b 100644 --- a/tools/meson.build +++ b/tools/meson.build @@ -320,6 +320,11 @@ if conf.has('WITH_LIBVIRTD') endif endif +if conf.has('WITH_QEMU') + install_data('virt-qmp-proxy', + install_dir: bindir) +endif + if bash_completion_dep.found() subdir('bash-completion') endif diff --git a/tools/virt-qmp-proxy b/tools/virt-qmp-proxy new file mode 100755 index 0000000000..d85342bd2b --- /dev/null +++ b/tools/virt-qmp-proxy @@ -0,0 +1,360 @@ +#!/usr/bin/env python3 + +import argparse +import array +import libvirt +import libvirt_qemu +import os +import re +import socket +import sys +import traceback +import json +import fcntl + + +debug = False + +def get_domain(uri, domstr): + conn = libvirt.open(uri) + + dom = None + saveex = None + + def try_lookup(cb): + try: + return cb() + except libvirt.libvirtError as ex: + nonlocal saveex + if saveex is None: + saveex = ex + + if re.match(r'^\d+$', domstr): + dom = try_lookup(lambda: conn.lookupByID(int(domstr))) + + if dom is None and re.match(r'^[-a-f0-9]{36}|[a-f0-9]{32}$', domstr): + dom = try_lookup(lambda: conn.lookupByUUIDString(domstr)) + + if dom is None: + dom = try_lookup(lambda: conn.lookupByName(domstr)) + + if dom is None: + raise saveex + + if not dom.isActive(): + raise Exception("Domain must be running to use QMP") + + return conn, dom + + +class QMPProxy(object): + + def __init__(self, conn, dom, serversock, verbose): + self.conn = conn + self.dom = dom + self.verbose = verbose + + self.serversock = serversock + self.serverwatch = 0 + + self.clientsock = None + self.clientwatch = 0 + + self.api2sock = bytes([]) + self.api2sockfds = [] + + self.sock2api = bytes([]) + self.sock2apifds = [] + + self.serverwatch = libvirt.virEventAddHandle( + self.serversock.fileno(), libvirt.VIR_EVENT_HANDLE_READABLE, + self.handle_server_io, self) + + libvirt_qemu.qemuMonitorEventRegister(self.conn, self.dom, + None, + self.handle_qmp_event, + self) + + + @staticmethod + def handle_qmp_event(conn, dom, event, secs, usecs, details, self): + evdoc = { + "event": event, + "timestamp": {"seconds": secs, "microseconds": usecs } + } + if details is not None: + evdoc["data"] = details + + ev = json.dumps(evdoc) + if self.verbose: + print(ev) + ev += "\r\n" + self.api2sock += ev.encode("utf-8") + self.update_client_events() + + + def recv_with_fds(self): + # Match VIR_NET_MESSAGE_NUM_FDS_MAX in virnetprotocol.x + maxfds = 32 + fds = array.array('i') + cmsgdatalen = socket.CMSG_LEN(maxfds * fds.itemsize) + + data, cmsgdata, flags, addr = self.clientsock.recvmsg(1024, + cmsgdatalen) + for cmsg_level, cmsg_type, cmsg_data in cmsgdata: + if (cmsg_level == socket.SOL_SOCKET and + cmsg_type == socket.SCM_RIGHTS): + fds.frombytes(cmsg_data[:len(cmsg_data) - + (len(cmsg_data) % fds.itemsize)]) + else: + raise Exception("Unexpected CMSGDATA level %d type %d" % ( + cmsg_level, cmsg_type)) + + return data, [self.make_file(fd) for fd in fds] + + + def send_with_fds(self, data, fds): + cfds = [fd.fileno() for fd in fds] + + cmsgdata = [(socket.SOL_SOCKET, socket.SCM_RIGHTS, + array.array("i", cfds))] + + return self.clientsock.sendmsg([data], cmsgdata) + + + @staticmethod + def make_file(fd): + flags = fcntl.fcntl(fd, fcntl.F_GETFL) + + mask = os.O_RDONLY | os.O_WRONLY | os.O_RDWR | os.O_APPEND + flags = flags & mask + mode = "" + if flags == os.O_RDONLY: + mode = "rb" + elif flags == os.O_WRONLY: + mode = "wb" + elif flags == os.O_RDWR: + mode = "r+b" + elif flags == (os.O_WRONLY | os.O_APPEND): + mode = "ab" + elif flags == (os.O_RDWR | os.O_APPEND): + mode = "a+b" + + return os.fdopen(fd, mode) + + + def add_client(self, sock): + ver = self.conn.getVersion() + major = int(ver / 1000000) % 1000 + minor = int(ver / 1000) % 1000 + micro = ver % 1000 + + greetingobj = { + "QMP": { + "version": { + "qemu": { + "major": major, + "minor": minor, + "micro": micro, + }, + "package": f"qemu-{major}.{minor}.{micro}", + }, + "capabilities": [ + "oob" + ], + } + } + greeting = json.dumps(greetingobj) + if self.verbose: + print(greeting) + greeting += "\r\n" + + self.clientsock = sock + self.clientwatch = libvirt.virEventAddHandle( + self.clientsock.fileno(), libvirt.VIR_EVENT_HANDLE_WRITABLE, + self.handle_client_io, self) + self.api2sock += greeting.encode("utf-8") + self.update_server_events() + + + def remove_client(self): + libvirt.virEventRemoveHandle(self.clientwatch) + self.clientsock.close() + self.clientsock = None + self.clientwatch = 0 + self.update_server_events() + + self.api2sock = bytes([]) + self.api2sockfds = [] + + self.sock2api = bytes([]) + self.sock2apifds = [] + + + def update_client_events(self): + # For simplicity of tracking distinct QMP cmds and their passed FDs + # we don't try to support "pipelining", only a single cmd may be + # inflight + if len(self.api2sock) > 0: + events = libvirt.VIR_EVENT_HANDLE_WRITABLE + else: + events = libvirt.VIR_EVENT_HANDLE_READABLE + + libvirt.virEventUpdateHandle(self.clientwatch, events) + + + def update_server_events(self): + if self.clientsock is not None: + libvirt.virEventUpdateHandle(self.serverwatch, 0) + else: + libvirt.virEventUpdateHandle(self.serverwatch, + libvirt.VIR_EVENT_HANDLE_READABLE) + + + def try_command(self): + try: + cmdstr = self.sock2api.decode("utf-8") + cmd = json.loads(cmdstr) + + if self.verbose: + cmdstr = cmdstr.strip() + print(cmdstr) + except Exception as ex: + if debug: + print("Incomplete %s: %s" % ( self.sock2api, ex)) + return + + id = None + if "id" in cmd: + id = cmd["id"] + del cmd["id"] + + if cmd.get("execute", "") == "qmp_capabilities": + resobj = { + "return": {}, + } + resfds = [] + else: + if hasattr(libvirt_qemu, "qemuMonitorCommandWithFiles"): + res, resfds = libvirt_qemu.qemuMonitorCommandWithFiles( + self.dom, json.dumps(cmd), [f.fileno() for f in self.sock2apifds]) + resobj = json.loads(res) + else: + if len(self.sock2apifds) > 0: + raise Exception("FD passing not supported") + res = libvirt_qemu.qemuMonitorCommand( + self.dom, json.dumps(cmd)) + resfds = [] + resobj = json.loads(res) + + if "id" in resobj: + del resobj["id"] + if id is not None: + resobj["id"] = id + + res = json.dumps(resobj) + if self.verbose: + print(res) + res += "\r\n" + + self.sock2api = bytes([]) + self.sock2apifds = [] + self.api2sock += res.encode("utf-8") + self.api2sockfds = resfds + + + @staticmethod + def handle_client_io(watch, fd, events, self): + error = False + try: + if events & libvirt.VIR_EVENT_HANDLE_WRITABLE: + done = self.send_with_fds(self.api2sock, self.api2sockfds) + if done > 0: + self.api2sock = self.api2sock[done:] + self.api2sockfds = [] + elif events & libvirt.VIR_EVENT_HANDLE_READABLE: + data, fds = self.recv_with_fds() + if len(data) == 0: + error = True + else: + self.sock2api += data + if len(fds): + self.sock2apifds += fds + + self.try_command() + else: + error = True + except Exception as e: + global debug + if debug: + print("%s: %s" % (sys.argv[0], str(e))) + print(traceback.format_exc()) + error = True + + if error: + self.remove_client() + else: + self.update_client_events() + + + @staticmethod + def handle_server_io(watch, fd, events, self): + if self.clientsock is None: + sock, addr = self.serversock.accept() + self.add_client(sock) + else: + self.update_server_events() + + +def parse_commandline(): + parser = argparse.ArgumentParser(description="Libvirt QMP proxy") + parser.add_argument("--connect", "-c", + help="Libvirt QEMU driver connection URI") + parser.add_argument("--debug", "-d", action='store_true', + help="Display debugging information") + parser.add_argument("--verbose", "-v", action='store_true', + help="Display QMP traffic") + parser.add_argument("domain", metavar="DOMAIN", + help="Libvirt guest domain ID/UUID/Name") + parser.add_argument("sockpath", metavar="QMP-SOCK-PATH", + help="UNIX socket path for QMP server") + + return parser.parse_args() + + +def main(): + args = parse_commandline() + global debug + debug = args.debug + + if not debug: + libvirt.registerErrorHandler(lambda opaque, error: None, None) + + libvirt.virEventRegisterDefaultImpl() + + conn, dom = get_domain(args.connect, args.domain) + + if conn.getType() != "QEMU": + raise Exception("QMP proxy requires a QEMU driver connection not %s" % + conn.getType()) + + sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) + if os.path.exists(args.sockpath): + os.unlink(args.sockpath) + sock.bind(args.sockpath) + sock.listen(1) + + proxy = QMPProxy(conn, dom, sock, args.verbose) + + while True: + libvirt.virEventRunDefaultImpl() + + +try: + main() + sys.exit(0) +except Exception as e: + print("%s: %s" % (sys.argv[0], str(e))) + if debug: + print(traceback.format_exc()) + sys.exit(1) -- 2.36.1

3 2

[PATCH] security_selinux.c: Relabel existing mode="bind" UNIX sockets
by David Michael 01 Jul '22

01 Jul '22

This supports sockets created by libvirt and passed by FD using the same method as in security_dac.c. Signed-off-by: David Michael <david(a)bigbadwolfsecurity.com> --- Hi, Custom SELinux labels are not applied to sockets when they have mode="bind", but other security models (DAC) allow changing these sockets. Can the same method be used to support SELinux? Thanks. David src/security/security_selinux.c | 6 ++++-- tests/securityselinuxlabeldata/chardev.txt | 2 +- 2 files changed, 5 insertions(+), 3 deletions(-) diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c index e2f34a27dc..8b258c9e36 100644 --- a/src/security/security_selinux.c +++ b/src/security/security_selinux.c @@ -2541,7 +2541,9 @@ virSecuritySELinuxSetChardevLabel(virSecurityManager *mgr, break; case VIR_DOMAIN_CHR_TYPE_UNIX: - if (!dev_source->data.nix.listen) { + if (!dev_source->data.nix.listen || + (dev_source->data.nix.path && + virFileExists(dev_source->data.nix.path))) { if (virSecuritySELinuxSetFilecon(mgr, dev_source->data.nix.path, imagelabel, @@ -2618,7 +2620,7 @@ virSecuritySELinuxRestoreChardevLabel(virSecurityManager *mgr, case VIR_DOMAIN_CHR_TYPE_UNIX: if (!dev_source->data.nix.listen) { if (virSecuritySELinuxRestoreFileLabel(mgr, - dev_source->data.file.path, + dev_source->data.nix.path, true) < 0) goto done; } diff --git a/tests/securityselinuxlabeldata/chardev.txt b/tests/securityselinuxlabeldata/chardev.txt index 3f4b6302b9..bdb367f7a5 100644 --- a/tests/securityselinuxlabeldata/chardev.txt +++ b/tests/securityselinuxlabeldata/chardev.txt @@ -2,6 +2,6 @@ /plain.dev;system_u:object_r:svirt_image_t:s0:c41,c264 /plain.fifo;system_u:object_r:svirt_image_t:s0:c41,c264 /nolabel.sock; -/plain.sock; +/plain.sock;system_u:object_r:svirt_image_t:s0:c41,c264 /yeslabel.sock;system_u:object_r:svirt_image_t:s0:c41,c264 /altlabel.sock;system_u:object_r:svirt_image_custom_t:s0:c41,c264 -- 2.36.1

4 7

Release of libvirt-8.5.0
by Jiri Denemark 01 Jul '22

01 Jul '22

The 8.5.0 release of both libvirt and libvirt-python is tagged and signed tarballs and source RPMs are available at https://libvirt.org/sources/ https://libvirt.org/sources/python/ Thanks everybody who helped with this release by sending patches, reviewing, testing, or providing feedback. Your work is greatly appreciated. * New features * qemu: Introduce support for network backed NVRAM Users can now use remote store NVRAM image by specifying newly introduced attribute `type='network'` with `<nvram>` element. * qemu: Add support for post-copy migration recovery A new ``VIR_MIGRATE_POSTCOPY_RESUME`` flag (``virsh migrate --postcopy-resume``) was introduced for recovering from a failed post-copy migration. * Introduce thread_pool_min and thread_pool_max attributes to IOThread New attributes ``thread_pool_min`` and ``thread_pool_max`` were introduced to ``<iothread/>`` as well as new ``<defaultiothread/>`` element with the same attributes. This way it's possible to instruct QEMU to spawn enough worker threads for an IOThread upfront, resulting in predictable time needed to process an I/O request. * Improvements * Define a TFTP server without a DHCP server in network configuration It's now possible to define a network with no DHCP server but with a TFTP server. This may be useful when DHCP service is provided by other entity on the network than libvirt spawned dnsmasq. * Bug fixes * qemu: Restore label to temp file in qemuDomainScreenshot() When virDomainScreenshot() is called, libvirt instructs QEMU to save the screenshot into a temporary file. This file needs to be labelled correctly, so that QEMU can access it. And since the file is temporary (it's deleted after the screenshot was taken) the corresponding label restore was missing. This proven to be problematic for profile based models, like AppArmor, where the temporary files were added into the profile but never removed, which resulted in longer profile recalculation times. * qemuBuildInterfaceConnect: Initialize @tapfd array Due to an uninitialized array, unsuccessful attempt to start a guest with an ``<interface/>`` might have resulted in closing of a random FD and thus sudden disconnect of a client or other random failures. * qemu: Fix hotplug of network interfaces A logic bug introduced in a recent refactor was fixed. The bug caused a problem when hot-adding a network interface, which failed with the following error:: error: internal error: unable to execute QEMU command 'netdev_add': File descriptor named '(null)' has not been found * Fix ``startupPolicy`` validation for ``block`` disks Setting of ``startupPolicy`` for a block disk would result in an error due to a logic bug in a recent refactor. * qemu: Fix crash when overriding device properties via ``<qemu:override>`` element Adding an override for a device property would result in a crash of the qemu driver. Enjoy. Jirka

1 0

[PATCH for 8.5.0] qemu_hotplug: Don't skip cleanup in qemuDomainAttachNetDevice()
by Michal Privoznik 01 Jul '22

01 Jul '22

Introduced in v8.4.0-rc1~183 but the first real problem introduced in v8.4.0-rc1~170, there's a qemuBuildInterfaceConnect() call inside of qemuDomainAttachNetDevice(). If the former fails, then the function is immediately returned from instead of jumping onto the cleanup label. This is crucial, because at this point the domain definition contains 'borrowed' net definition, which is then freed, since an error was met. The domain definition is then left with a dangling pointer which leads to all sorts of different crashes. Fixes: 29d022b1eb7b2330ed224a08509e6d3a5eeecc53 Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2102009 Signed-off-by: Michal Privoznik <mprivozn(a)redhat.com> --- src/qemu/qemu_hotplug.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/qemu/qemu_hotplug.c b/src/qemu/qemu_hotplug.c index ee44649d48..27e68370cf 100644 --- a/src/qemu/qemu_hotplug.c +++ b/src/qemu/qemu_hotplug.c @@ -1265,7 +1265,7 @@ qemuDomainAttachNetDevice(virQEMUDriver *driver, VIR_APPEND_ELEMENT_COPY(vm->def->nets, vm->def->nnets, net); if (qemuBuildInterfaceConnect(vm, net, VIR_NETDEV_VPORT_PROFILE_OP_CREATE) < 0) - return -1; + goto cleanup; iface_connected = true; -- 2.35.1

3 2