[PATCH] Pass shutoff reason to release hook
by Swapnil Ingle
Sometimes it is useful in the release hook to know whether the VM shutdown was graceful
or not. This is especially useful for doing cleanup in the release hook based on the
VM shutdown failure reason. This patch proposes to use the last argument, 'extra',
to pass the VM shutoff reason in the call to the release hook.
Signed-off-by: Swapnil Ingle <swapnil.ingle(a)nutanix.com>
---
docs/hooks.rst | 24 +++++++++++++++++++++++-
src/qemu/qemu_process.c | 2 +-
2 files changed, 24 insertions(+), 2 deletions(-)
diff --git a/docs/hooks.rst b/docs/hooks.rst
index 1dbc492bd4..e76208021a 100644
--- a/docs/hooks.rst
+++ b/docs/hooks.rst
@@ -312,7 +312,29 @@ operation. There is no specific operation to indicate a "restart" is occurring.
::
- /etc/libvirt/hooks/lxc guest_name release end -
+ /etc/libvirt/hooks/lxc guest_name release end <shutoff-reason>
+
+ +-------------------+------------------------------------------------------------------+
+ | Shutoff reason | Description |
+ +===================+==================================================================+
+ | unknown | the reason is unknown |
+ +-------------------+------------------------------------------------------------------+
+ | shutdown | normal shutdown |
+ +-------------------+------------------------------------------------------------------+
+ | destroyed | forced poweroff |
+ +-------------------+------------------------------------------------------------------+
+ | crashed | domain crashed |
+ +-------------------+------------------------------------------------------------------+
+ | migrated | migrated to another host |
+ +-------------------+------------------------------------------------------------------+
+ | saved | saved to a file |
+ +-------------------+------------------------------------------------------------------+
+ | failed | domain failed to start |
+ +-------------------+------------------------------------------------------------------+
+ | from snapshot | restored from a snapshot which was taken while domain was shutoff|
+ +-------------------+------------------------------------------------------------------+
+ | daemon | daemon decides to kill domain during reconnection processing |
+ +-------------------+------------------------------------------------------------------+
- :since:`Since 0.9.13`, the lxc hook script is also called when the libvirtd
daemon restarts and reconnects to previously running LXC processes. If the
diff --git a/src/qemu/qemu_process.c b/src/qemu/qemu_process.c
index 7ef7040a85..0a03685ca7 100644
--- a/src/qemu/qemu_process.c
+++ b/src/qemu/qemu_process.c
@@ -8716,7 +8716,7 @@ void qemuProcessStop(virQEMUDriver *driver,
/* we can't stop the operation even if the script raised an error */
virHookCall(VIR_HOOK_DRIVER_QEMU, vm->def->name,
VIR_HOOK_QEMU_OP_RELEASE, VIR_HOOK_SUBOP_END,
- NULL, xml, NULL);
+ virDomainShutoffReasonTypeToString(reason), xml, NULL);
}
virDomainObjRemoveTransientDef(vm);
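Review bot: The code change lands in qemuProcessStop, but the docs hunk in this patch updates the lxc hook example (`/etc/libvirt/hooks/lxc guest_name release end <shutoff-reason>`), and the diffstat shows no change to the lxc driver, so after this patch the qemu section of docs/hooks.rst still documents `-` as the last argument while the section that was edited describes a driver that still passes NULL; the documentation and the driver change should cover the same hook. `virDomainShutoffReasonTypeToString(reason)` returns NULL for a value outside the enum, which virHookCall accepted before this change (the argument was always NULL), so a script then sees the old `-` placeholder — a sentence in hooks.rst stating that scripts must keep treating `-` as `unknown` would make that explicit. Several of the documented strings, e.g. `from snapshot`, contain a space, which is worth pointing out to script authors because positional parameters in shell hooks are commonly left unquoted. qemuProcessStop begins before this hunk.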
--
2.45.2
6 months, 1 week
Plans for 10.5.0 release (freeze on Tuesday 25 Jun)
by Jiri Denemark
We are getting close to 10.5.0 release of libvirt. To aim for the
release on Monday 01 Jul I suggest entering the freeze on Tuesday 25
Jun and tagging RC2 on Thursday 27 Jun.
I hope this works for everyone.
Jirka
6 months, 1 week
[PATCH 0/2] qemu: implement iommu coldplug/unplug
by Adam Julis
Adam Julis (2):
syms: Properly export virDomainIOMMUDefFree()
qemu: implement iommu coldplug/unplug
src/libvirt_private.syms | 1 +
src/qemu/qemu_driver.c | 20 ++++++++++++++++++--
2 files changed, 19 insertions(+), 2 deletions(-)
--
2.45.0
6 months, 1 week
[PATCH v2] ci: fix CI package list and refresh with 'lcitool manifest'
by Daniel P. Berrangé
The ci/manifest.yml file references a package 'libclang-rt-dev' that
does not exist in libvirt-ci mappings.yml. The latest refresh in
commit 0759cf3fa6ed8d12bd327c5752785c53e35c8483
Author: Michal Prívozník <mprivozn(a)redhat.com>
Date: Fri May 3 15:58:20 2024 +0200
ci: Introduce Ubuntu 24.04
was presumably done against a local change to libvirt-ci.git that
had not yet been merged, as the clang packages now appear on many
more build envs.
Signed-off-by: Daniel P. Berrangé <berrange(a)redhat.com>
---
ci/buildenv/almalinux-9.sh | 2 +-
ci/buildenv/debian-11-cross-aarch64.sh | 1 +
ci/buildenv/debian-11-cross-armv6l.sh | 1 +
ci/buildenv/debian-11-cross-armv7l.sh | 1 +
ci/buildenv/debian-11-cross-i686.sh | 1 +
ci/buildenv/debian-11-cross-mips64el.sh | 1 +
ci/buildenv/debian-11-cross-mipsel.sh | 1 +
ci/buildenv/debian-11-cross-ppc64le.sh | 1 +
ci/buildenv/debian-11-cross-s390x.sh | 1 +
ci/buildenv/debian-11.sh | 1 +
ci/buildenv/opensuse-leap-15.sh | 1 +
ci/buildenv/opensuse-tumbleweed.sh | 1 +
ci/buildenv/ubuntu-2204.sh | 1 +
ci/containers/almalinux-9.Dockerfile | 2 +-
ci/containers/debian-11-cross-aarch64.Dockerfile | 1 +
ci/containers/debian-11-cross-armv6l.Dockerfile | 1 +
ci/containers/debian-11-cross-armv7l.Dockerfile | 1 +
ci/containers/debian-11-cross-i686.Dockerfile | 1 +
ci/containers/debian-11-cross-mips64el.Dockerfile | 1 +
ci/containers/debian-11-cross-mipsel.Dockerfile | 1 +
ci/containers/debian-11-cross-ppc64le.Dockerfile | 1 +
ci/containers/debian-11-cross-s390x.Dockerfile | 1 +
ci/containers/debian-11.Dockerfile | 1 +
ci/containers/opensuse-leap-15.Dockerfile | 1 +
ci/containers/opensuse-tumbleweed.Dockerfile | 1 +
ci/containers/ubuntu-2204.Dockerfile | 1 +
ci/lcitool/projects/libvirt.yml | 2 +-
27 files changed, 27 insertions(+), 3 deletions(-)
diff --git a/ci/buildenv/almalinux-9.sh b/ci/buildenv/almalinux-9.sh
index f0826e1313..5791a73d23 100644
--- a/ci/buildenv/almalinux-9.sh
+++ b/ci/buildenv/almalinux-9.sh
@@ -16,7 +16,7 @@ function install_buildenv() {
ca-certificates \
ccache \
clang \
- clang-devel \
+ compiler-rt \
cpp \
cyrus-sasl-devel \
device-mapper-devel \
diff --git a/ci/buildenv/debian-11-cross-aarch64.sh b/ci/buildenv/debian-11-cross-aarch64.sh
index 3afb09aee5..8540fb8d74 100644
--- a/ci/buildenv/debian-11-cross-aarch64.sh
+++ b/ci/buildenv/debian-11-cross-aarch64.sh
@@ -27,6 +27,7 @@ function install_buildenv() {
iproute2 \
iptables \
kmod \
+ libclang-dev \
libxml2-utils \
locales \
lvm2 \
diff --git a/ci/buildenv/debian-11-cross-armv6l.sh b/ci/buildenv/debian-11-cross-armv6l.sh
index ff78ec0b86..131a7019c0 100644
--- a/ci/buildenv/debian-11-cross-armv6l.sh
+++ b/ci/buildenv/debian-11-cross-armv6l.sh
@@ -27,6 +27,7 @@ function install_buildenv() {
iproute2 \
iptables \
kmod \
+ libclang-dev \
libxml2-utils \
locales \
lvm2 \
diff --git a/ci/buildenv/debian-11-cross-armv7l.sh b/ci/buildenv/debian-11-cross-armv7l.sh
index ff3ef03463..ba78ffcfac 100644
--- a/ci/buildenv/debian-11-cross-armv7l.sh
+++ b/ci/buildenv/debian-11-cross-armv7l.sh
@@ -27,6 +27,7 @@ function install_buildenv() {
iproute2 \
iptables \
kmod \
+ libclang-dev \
libxml2-utils \
locales \
lvm2 \
diff --git a/ci/buildenv/debian-11-cross-i686.sh b/ci/buildenv/debian-11-cross-i686.sh
index e68e2ffcbe..104eb20805 100644
--- a/ci/buildenv/debian-11-cross-i686.sh
+++ b/ci/buildenv/debian-11-cross-i686.sh
@@ -27,6 +27,7 @@ function install_buildenv() {
iproute2 \
iptables \
kmod \
+ libclang-dev \
libxml2-utils \
locales \
lvm2 \
diff --git a/ci/buildenv/debian-11-cross-mips64el.sh b/ci/buildenv/debian-11-cross-mips64el.sh
index 0653223a3d..7b1830453c 100644
--- a/ci/buildenv/debian-11-cross-mips64el.sh
+++ b/ci/buildenv/debian-11-cross-mips64el.sh
@@ -27,6 +27,7 @@ function install_buildenv() {
iproute2 \
iptables \
kmod \
+ libclang-dev \
libxml2-utils \
locales \
lvm2 \
diff --git a/ci/buildenv/debian-11-cross-mipsel.sh b/ci/buildenv/debian-11-cross-mipsel.sh
index cee2feff59..eef5cdbfab 100644
--- a/ci/buildenv/debian-11-cross-mipsel.sh
+++ b/ci/buildenv/debian-11-cross-mipsel.sh
@@ -27,6 +27,7 @@ function install_buildenv() {
iproute2 \
iptables \
kmod \
+ libclang-dev \
libxml2-utils \
locales \
lvm2 \
diff --git a/ci/buildenv/debian-11-cross-ppc64le.sh b/ci/buildenv/debian-11-cross-ppc64le.sh
index 7193d4acd0..f2c2f60623 100644
--- a/ci/buildenv/debian-11-cross-ppc64le.sh
+++ b/ci/buildenv/debian-11-cross-ppc64le.sh
@@ -27,6 +27,7 @@ function install_buildenv() {
iproute2 \
iptables \
kmod \
+ libclang-dev \
libxml2-utils \
locales \
lvm2 \
diff --git a/ci/buildenv/debian-11-cross-s390x.sh b/ci/buildenv/debian-11-cross-s390x.sh
index ca0fb54839..519d9c8b31 100644
--- a/ci/buildenv/debian-11-cross-s390x.sh
+++ b/ci/buildenv/debian-11-cross-s390x.sh
@@ -27,6 +27,7 @@ function install_buildenv() {
iproute2 \
iptables \
kmod \
+ libclang-dev \
libxml2-utils \
locales \
lvm2 \
diff --git a/ci/buildenv/debian-11.sh b/ci/buildenv/debian-11.sh
index 18350321b0..5986682af8 100644
--- a/ci/buildenv/debian-11.sh
+++ b/ci/buildenv/debian-11.sh
@@ -36,6 +36,7 @@ function install_buildenv() {
libblkid-dev \
libc6-dev \
libcap-ng-dev \
+ libclang-dev \
libcurl4-gnutls-dev \
libdevmapper-dev \
libfuse-dev \
diff --git a/ci/buildenv/opensuse-leap-15.sh b/ci/buildenv/opensuse-leap-15.sh
index bc7394839b..a59af136ca 100644
--- a/ci/buildenv/opensuse-leap-15.sh
+++ b/ci/buildenv/opensuse-leap-15.sh
@@ -14,6 +14,7 @@ function install_buildenv() {
ca-certificates \
ccache \
clang \
+ clang-devel \
codespell \
cpp \
cppi \
diff --git a/ci/buildenv/opensuse-tumbleweed.sh b/ci/buildenv/opensuse-tumbleweed.sh
index 88ccff99c6..ac566d349f 100644
--- a/ci/buildenv/opensuse-tumbleweed.sh
+++ b/ci/buildenv/opensuse-tumbleweed.sh
@@ -14,6 +14,7 @@ function install_buildenv() {
ca-certificates \
ccache \
clang \
+ clang-devel \
codespell \
cpp \
cppi \
diff --git a/ci/buildenv/ubuntu-2204.sh b/ci/buildenv/ubuntu-2204.sh
index 6bd67ba777..c71a0b5f47 100644
--- a/ci/buildenv/ubuntu-2204.sh
+++ b/ci/buildenv/ubuntu-2204.sh
@@ -36,6 +36,7 @@ function install_buildenv() {
libblkid-dev \
libc6-dev \
libcap-ng-dev \
+ libclang-dev \
libcurl4-gnutls-dev \
libdevmapper-dev \
libfuse-dev \
diff --git a/ci/containers/almalinux-9.Dockerfile b/ci/containers/almalinux-9.Dockerfile
index 68608b12a9..27ac990b22 100644
--- a/ci/containers/almalinux-9.Dockerfile
+++ b/ci/containers/almalinux-9.Dockerfile
@@ -17,7 +17,7 @@ RUN dnf update -y && \
ca-certificates \
ccache \
clang \
- clang-devel \
+ compiler-rt \
cpp \
cyrus-sasl-devel \
device-mapper-devel \
diff --git a/ci/containers/debian-11-cross-aarch64.Dockerfile b/ci/containers/debian-11-cross-aarch64.Dockerfile
index 0f971ff9cb..1cb573821f 100644
--- a/ci/containers/debian-11-cross-aarch64.Dockerfile
+++ b/ci/containers/debian-11-cross-aarch64.Dockerfile
@@ -29,6 +29,7 @@ RUN export DEBIAN_FRONTEND=noninteractive && \
iproute2 \
iptables \
kmod \
+ libclang-dev \
libxml2-utils \
locales \
lvm2 \
diff --git a/ci/containers/debian-11-cross-armv6l.Dockerfile b/ci/containers/debian-11-cross-armv6l.Dockerfile
index cfed7a7fc9..6989546ebf 100644
--- a/ci/containers/debian-11-cross-armv6l.Dockerfile
+++ b/ci/containers/debian-11-cross-armv6l.Dockerfile
@@ -29,6 +29,7 @@ RUN export DEBIAN_FRONTEND=noninteractive && \
iproute2 \
iptables \
kmod \
+ libclang-dev \
libxml2-utils \
locales \
lvm2 \
diff --git a/ci/containers/debian-11-cross-armv7l.Dockerfile b/ci/containers/debian-11-cross-armv7l.Dockerfile
index f703be3423..fcd6a6383b 100644
--- a/ci/containers/debian-11-cross-armv7l.Dockerfile
+++ b/ci/containers/debian-11-cross-armv7l.Dockerfile
@@ -29,6 +29,7 @@ RUN export DEBIAN_FRONTEND=noninteractive && \
iproute2 \
iptables \
kmod \
+ libclang-dev \
libxml2-utils \
locales \
lvm2 \
diff --git a/ci/containers/debian-11-cross-i686.Dockerfile b/ci/containers/debian-11-cross-i686.Dockerfile
index 58be733459..8d79934a52 100644
--- a/ci/containers/debian-11-cross-i686.Dockerfile
+++ b/ci/containers/debian-11-cross-i686.Dockerfile
@@ -29,6 +29,7 @@ RUN export DEBIAN_FRONTEND=noninteractive && \
iproute2 \
iptables \
kmod \
+ libclang-dev \
libxml2-utils \
locales \
lvm2 \
diff --git a/ci/containers/debian-11-cross-mips64el.Dockerfile b/ci/containers/debian-11-cross-mips64el.Dockerfile
index c3198e0470..d80f741311 100644
--- a/ci/containers/debian-11-cross-mips64el.Dockerfile
+++ b/ci/containers/debian-11-cross-mips64el.Dockerfile
@@ -29,6 +29,7 @@ RUN export DEBIAN_FRONTEND=noninteractive && \
iproute2 \
iptables \
kmod \
+ libclang-dev \
libxml2-utils \
locales \
lvm2 \
diff --git a/ci/containers/debian-11-cross-mipsel.Dockerfile b/ci/containers/debian-11-cross-mipsel.Dockerfile
index 21e9b0c7f9..dc674150f5 100644
--- a/ci/containers/debian-11-cross-mipsel.Dockerfile
+++ b/ci/containers/debian-11-cross-mipsel.Dockerfile
@@ -29,6 +29,7 @@ RUN export DEBIAN_FRONTEND=noninteractive && \
iproute2 \
iptables \
kmod \
+ libclang-dev \
libxml2-utils \
locales \
lvm2 \
diff --git a/ci/containers/debian-11-cross-ppc64le.Dockerfile b/ci/containers/debian-11-cross-ppc64le.Dockerfile
index 29be7997f8..fc3a9ee157 100644
--- a/ci/containers/debian-11-cross-ppc64le.Dockerfile
+++ b/ci/containers/debian-11-cross-ppc64le.Dockerfile
@@ -29,6 +29,7 @@ RUN export DEBIAN_FRONTEND=noninteractive && \
iproute2 \
iptables \
kmod \
+ libclang-dev \
libxml2-utils \
locales \
lvm2 \
diff --git a/ci/containers/debian-11-cross-s390x.Dockerfile b/ci/containers/debian-11-cross-s390x.Dockerfile
index fd1507b294..336694b2d3 100644
--- a/ci/containers/debian-11-cross-s390x.Dockerfile
+++ b/ci/containers/debian-11-cross-s390x.Dockerfile
@@ -29,6 +29,7 @@ RUN export DEBIAN_FRONTEND=noninteractive && \
iproute2 \
iptables \
kmod \
+ libclang-dev \
libxml2-utils \
locales \
lvm2 \
diff --git a/ci/containers/debian-11.Dockerfile b/ci/containers/debian-11.Dockerfile
index c16c43d407..6f08eb7448 100644
--- a/ci/containers/debian-11.Dockerfile
+++ b/ci/containers/debian-11.Dockerfile
@@ -38,6 +38,7 @@ RUN export DEBIAN_FRONTEND=noninteractive && \
libblkid-dev \
libc6-dev \
libcap-ng-dev \
+ libclang-dev \
libcurl4-gnutls-dev \
libdevmapper-dev \
libfuse-dev \
diff --git a/ci/containers/opensuse-leap-15.Dockerfile b/ci/containers/opensuse-leap-15.Dockerfile
index 6deaea0904..bf794d6929 100644
--- a/ci/containers/opensuse-leap-15.Dockerfile
+++ b/ci/containers/opensuse-leap-15.Dockerfile
@@ -15,6 +15,7 @@ RUN zypper update -y && \
ca-certificates \
ccache \
clang \
+ clang-devel \
codespell \
cpp \
cppi \
diff --git a/ci/containers/opensuse-tumbleweed.Dockerfile b/ci/containers/opensuse-tumbleweed.Dockerfile
index d4ebcd7176..2b7cdb4af5 100644
--- a/ci/containers/opensuse-tumbleweed.Dockerfile
+++ b/ci/containers/opensuse-tumbleweed.Dockerfile
@@ -15,6 +15,7 @@ RUN zypper dist-upgrade -y && \
ca-certificates \
ccache \
clang \
+ clang-devel \
codespell \
cpp \
cppi \
diff --git a/ci/containers/ubuntu-2204.Dockerfile b/ci/containers/ubuntu-2204.Dockerfile
index 8e32d992f3..5e8829bc2b 100644
--- a/ci/containers/ubuntu-2204.Dockerfile
+++ b/ci/containers/ubuntu-2204.Dockerfile
@@ -38,6 +38,7 @@ RUN export DEBIAN_FRONTEND=noninteractive && \
libblkid-dev \
libc6-dev \
libcap-ng-dev \
+ libclang-dev \
libcurl4-gnutls-dev \
libdevmapper-dev \
libfuse-dev \
diff --git a/ci/lcitool/projects/libvirt.yml b/ci/lcitool/projects/libvirt.yml
index a5d2248437..5e0bd66958 100644
--- a/ci/lcitool/projects/libvirt.yml
+++ b/ci/lcitool/projects/libvirt.yml
@@ -36,7 +36,7 @@ packages:
- libblkid
- libc
- libcap-ng
- - libclang-rt-dev
+ - libclang-rt
- libcurl
- libiscsi
- libnbd
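Review bot: Renaming the mapping from `libclang-rt-dev` to `libclang-rt` changes the AlmaLinux 9 environment from `clang-devel` to `compiler-rt` (see the generated ci/buildenv/almalinux-9.sh and almalinux-9.Dockerfile hunks above), which is a package swap rather than the pure addition every other environment receives. If the Alma job only needed the sanitizer runtime that is the right package, but if anything there relied on headers from clang-devel it now loses them; worth confirming the almalinux-9 pipeline is still green with the refreshed list. The commit message also refers to `ci/manifest.yml`, whereas the file carrying the package list here is ci/lcitool/projects/libvirt.yml — the message should name the file it actually changes.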
--
2.45.1
6 months, 1 week
[PATCH v2 0/4] qemu: Use TPM 2.0 in most scenarios
by Andrea Bolognani
Changes from [v1]
* use TPM 2.0 more;
* reject TPM 1.2 more;
* add better comments to loongarch64 and s390x test cases.
[v1] https://lists.libvirt.org/archives/list/devel@lists.libvirt.org/thread/YZ...
Andrea Bolognani (4):
tests: Add TPM coverage to default-models tests
tests: Delete some redundant test cases
qemu: Default to TPM 2.0 in most scenarios
qemu: Reject TPM 1.2 in most scenarios
src/qemu/qemu_domain.c | 13 ++--
src/qemu/qemu_validate.c | 22 +++---
...aarch64-tpm-wrong-model.aarch64-latest.err | 2 +-
.../aarch64-tpm.aarch64-latest.args | 34 ---------
.../aarch64-tpm.aarch64-latest.xml | 29 --------
tests/qemuxmlconfdata/aarch64-tpm.xml | 15 ----
...ault-models.aarch64-latest.abi-update.args | 3 +
...fault-models.aarch64-latest.abi-update.xml | 3 +
...64-virt-default-models.aarch64-latest.args | 3 +
...h64-virt-default-models.aarch64-latest.xml | 3 +
.../aarch64-virt-default-models.xml | 3 +
.../loongarch64-virt-default-models.xml | 3 +
...efault-models.ppc64-latest.abi-update.args | 3 +
...default-models.ppc64-latest.abi-update.xml | 4 ++
...4-pseries-default-models.ppc64-latest.args | 3 +
...64-pseries-default-models.ppc64-latest.xml | 4 ++
.../ppc64-pseries-default-models.xml | 3 +
...ault-models.riscv64-latest.abi-update.args | 3 +
...fault-models.riscv64-latest.abi-update.xml | 3 +
...64-virt-default-models.riscv64-latest.args | 3 +
...v64-virt-default-models.riscv64-latest.xml | 3 +
.../riscv64-virt-default-models.xml | 3 +
.../s390x-ccw-default-models.xml | 2 +
.../tpm-emulator-spapr.ppc64-latest.args | 45 ------------
.../tpm-emulator-spapr.ppc64-latest.xml | 1 -
tests/qemuxmlconfdata/tpm-emulator-spapr.xml | 70 -------------------
...fault-models.x86_64-latest.abi-update.args | 3 +
...efault-models.x86_64-latest.abi-update.xml | 3 +
...86_64-pc-default-models.x86_64-latest.args | 3 +
...x86_64-pc-default-models.x86_64-latest.xml | 3 +
.../x86_64-pc-default-models.xml | 3 +
...fault-models.x86_64-latest.abi-update.args | 3 +
...efault-models.x86_64-latest.abi-update.xml | 3 +
...6_64-q35-default-models.x86_64-latest.args | 3 +
...86_64-q35-default-models.x86_64-latest.xml | 3 +
.../x86_64-q35-default-models.xml | 3 +
tests/qemuxmlconftest.c | 2 -
37 files changed, 100 insertions(+), 215 deletions(-)
delete mode 100644 tests/qemuxmlconfdata/aarch64-tpm.aarch64-latest.args
delete mode 100644 tests/qemuxmlconfdata/aarch64-tpm.aarch64-latest.xml
delete mode 100644 tests/qemuxmlconfdata/aarch64-tpm.xml
delete mode 100644 tests/qemuxmlconfdata/tpm-emulator-spapr.ppc64-latest.args
delete mode 120000 tests/qemuxmlconfdata/tpm-emulator-spapr.ppc64-latest.xml
delete mode 100644 tests/qemuxmlconfdata/tpm-emulator-spapr.xml
--
2.45.1
6 months, 1 week
[PATCH 2/2] qemu: implement iommu coldplug/unplug
by Adam Julis
Resolves: https://issues.redhat.com/browse/RHEL-23833
Signed-off-by: Adam Julis <ajulis(a)redhat.com>
---
src/qemu/qemu_driver.c | 20 ++++++++++++++++++--
1 file changed, 18 insertions(+), 2 deletions(-)
diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c
index 67b9778c67..74d5e3bb86 100644
--- a/src/qemu/qemu_driver.c
+++ b/src/qemu/qemu_driver.c
@@ -6847,6 +6847,15 @@ qemuDomainAttachDeviceConfig(virDomainDef *vmdef,
vmdef->vsock = g_steal_pointer(&dev->data.vsock);
break;
+ case VIR_DOMAIN_DEVICE_IOMMU:
+ if (vmdef->iommu) {
+ virReportError(VIR_ERR_OPERATION_INVALID, "%s",
+ _("domain already has an iommu configuration"));
+ return -1;
+ }
+ vmdef->iommu = g_steal_pointer(&dev->data.iommu);
+ break;
+
case VIR_DOMAIN_DEVICE_VIDEO:
case VIR_DOMAIN_DEVICE_GRAPHICS:
case VIR_DOMAIN_DEVICE_HUB:
@@ -6856,7 +6865,6 @@ qemuDomainAttachDeviceConfig(virDomainDef *vmdef,
case VIR_DOMAIN_DEVICE_NONE:
case VIR_DOMAIN_DEVICE_TPM:
case VIR_DOMAIN_DEVICE_PANIC:
- case VIR_DOMAIN_DEVICE_IOMMU:
case VIR_DOMAIN_DEVICE_AUDIO:
case VIR_DOMAIN_DEVICE_CRYPTO:
case VIR_DOMAIN_DEVICE_LAST:
@@ -7057,6 +7065,15 @@ qemuDomainDetachDeviceConfig(virDomainDef *vmdef,
g_clear_pointer(&vmdef->vsock, virDomainVsockDefFree);
break;
+ case VIR_DOMAIN_DEVICE_IOMMU:
+ if (!vmdef->iommu) {
+ virReportError(VIR_ERR_OPERATION_FAILED, "%s",
+ _("matching iommu config not found"));
+ return -1;
+ }
+ g_clear_pointer(&vmdef->iommu, virDomainIOMMUDefFree);
+ break;
+
case VIR_DOMAIN_DEVICE_VIDEO:
case VIR_DOMAIN_DEVICE_GRAPHICS:
case VIR_DOMAIN_DEVICE_HUB:
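Review bot: The new VIR_DOMAIN_DEVICE_IOMMU detach case frees whatever `vmdef->iommu` holds without comparing it to the device the caller passed in, so any `<iommu>` XML removes the configured IOMMU even when its model or driver attributes differ; the vsock case whose tail is visible at the top of the hunk presumably keeps an equality check before its `g_clear_pointer`, and a comparison of the relevant virDomainIOMMUDef fields here would be consistent with it. The "not found" condition is reported as VIR_ERR_OPERATION_FAILED, whereas a missing device in this function is conventionally VIR_ERR_DEVICE_MISSING, which clients special-case; `virReportError(VIR_ERR_DEVICE_MISSING, "%s", _("matching iommu config not found"));` would match. Removing the IOMMU from a definition that still has devices depending on it (e.g. devices whose driver settings request the IOMMU) is accepted here and only surfaces at the next start, because the companion validation patch adds virDomainDefValidate() to the attach path only; qemuDomainDetachDeviceConfig continues outside the hunk, so check whether the same validation is needed at its end.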
@@ -7066,7 +7083,6 @@ qemuDomainDetachDeviceConfig(virDomainDef *vmdef,
case VIR_DOMAIN_DEVICE_NONE:
case VIR_DOMAIN_DEVICE_TPM:
case VIR_DOMAIN_DEVICE_PANIC:
- case VIR_DOMAIN_DEVICE_IOMMU:
case VIR_DOMAIN_DEVICE_AUDIO:
case VIR_DOMAIN_DEVICE_CRYPTO:
case VIR_DOMAIN_DEVICE_LAST:
--
2.44.0
6 months, 1 week
[PATCH] conf: add validation of potential dependencies
by Adam Julis
Although the existing virDomainDefPostParse call runs after the XML has
been modified and validates the changed device, virDomainDefValidate
performs a more comprehensive check, which should detect errors
resulting from dependencies between devices. Therefore,
virDomainDefValidate is added at the end.
Signed-off-by: Adam Julis <ajulis(a)redhat.com>
---
src/qemu/qemu_driver.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c
index e2698c7924..67b9778c67 100644
--- a/src/qemu/qemu_driver.c
+++ b/src/qemu/qemu_driver.c
@@ -6869,6 +6869,9 @@ qemuDomainAttachDeviceConfig(virDomainDef *vmdef,
if (virDomainDefPostParse(vmdef, parse_flags, xmlopt, qemuCaps) < 0)
return -1;
+ if (virDomainDefValidate(vmdef, parse_flags, xmlopt, qemuCaps) < 0)
+ return -1;
+
return 0;
}
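Review bot: virDomainDefValidate() is added only to qemuDomainAttachDeviceConfig, yet the inter-device dependency errors the commit message describes arise just as readily when a device is removed or updated (dropping a controller or IOMMU that another device references), so qemuDomainDetachDeviceConfig and qemuDomainUpdateDeviceConfig presumably need the same trailing `if (virDomainDefValidate(vmdef, parse_flags, xmlopt, qemuCaps) < 0) return -1;`. The subject says `conf:` but the change is in src/qemu/qemu_driver.c, so a `qemu:` prefix would route the patch to the right reviewers. A failed validation now returns with `vmdef` already modified by the attach; that is fine if every caller works on a copy it discards on error, which cannot be told from this hunk and is worth a sentence in the message.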
--
2.44.0
6 months, 1 week
[PATCH v3] network: introduce a "none" firewall backend type
by Daniel P. Berrangé
There are two scenarios identified after the recent firewall backend
selection was introduced, which result in libvirtd failing to startup
due to an inability to find either iptables/nftables
- On Linux if running unprivileged with $PATH lacking the dir
containing iptables/nftables
- On non-Linux where iptables/nftables never existed
In the former case, it is preferrable to restore the behaviour whereby
the driver starts successfully. Users will get an error reported when
attempting to start any virtual network, due to the lack of permissions
needed to create bridge devices. This makes the missing firewall backend
irrelevant.
In the latter case, the network driver calls the 'nop' platform
implementation which does not attempt to implement any firewall logic,
just allowing the network to start without firewall rules.
To solve this, a number of changes are required
* Introduce VIR_FIREWALL_BACKEND_NONE, which does nothing except
report a fatal error from virFirewallApply(). This code path
is unreachable, since we'll never create a virFirewall
object with with VIR_FIREWALL_BACKEND_NONE, so the error reporting
is just a sanity check.
* Ignore the compile time backend defaults and assume use of
the 'none' backend if running unprivileged.
This fixes the first regression, avoiding the failure to start
libvirtd on Linux in unprivileged context, instead allowing use
of the driver and expecting a permission denied when creating a
bridge.
* Reject the use of compile time backend defaults no non-Linux
and hardcode the 'none' backend. The non-Linux platforms have
no firewall implementation at all currently, so there's no
reason to permit the use of 'firewall_backend_priority'
meson option.
This fixes the second regression, avoiding the failure to start
libvirtd on non-Linux hosts due to non-existant Linux binaries.
* Change the Linux platform backend to raise an error if the
firewall backend is 'none'. Again this code path is unreachable
by default since we'll fail to create the bridge before getting
here, but if someone modified network.conf to request the 'none'
backend, this will stop further progress.
* Change the nop platform backend to raise an error if the
firewall backend is 'iptables' or 'nftables'. Again this code
path is unreachable, since we should already have failed to
find the iptables/nftables binaries on non-Linux hosts, so
this is just a sanity check.
* 'none' is not permited as a value in 'firewall_backend_priority'
meson option, since it is conceptually meaningless to ask for
that on Linux.
NB, 'firewall_backend_priority' allows repeated options temporarily,
which we don't want. Meson intends to turn this into a hard error
DEPRECATION: Duplicated values in array option is deprecated. This will become a hard error in the future.
and we can live with the reduced error checking until that happens.
Signed-off-by: Daniel P. Berrangé <berrange(a)redhat.com>
---
Changed in v3:
- Fix various syntax-check errors
- Added note about meson tightening up validation of duplicated
choices
meson.build | 26 +++++++++++++++++++-------
meson_options.txt | 2 +-
po/POTFILES | 1 +
src/network/bridge_driver_conf.c | 19 ++++++++++++++-----
src/network/bridge_driver_linux.c | 10 ++++++++++
src/network/bridge_driver_nop.c | 15 ++++++++++++++-
src/util/virfirewall.c | 6 ++++++
src/util/virfirewall.h | 1 +
8 files changed, 66 insertions(+), 14 deletions(-)
diff --git a/meson.build b/meson.build
index 5c7cd7ec2e..2e8b87280d 100644
--- a/meson.build
+++ b/meson.build
@@ -1647,15 +1647,27 @@ if not get_option('driver_network').disabled() and conf.has('WITH_LIBVIRTD')
conf.set('WITH_NETWORK', 1)
firewall_backend_priority = get_option('firewall_backend_priority')
- if (not firewall_backend_priority.contains('nftables') or
- not firewall_backend_priority.contains('iptables') or
- firewall_backend_priority.length() != 2)
- error('invalid value for firewall_backend_priority option')
+ if firewall_backend_priority.length() == 0
+ if host_machine.system() == 'linux'
+ firewall_backend_priority = ['nftables', 'iptables']
+ else
+ # No firewall impl on non-Linux so far, so force 'none'
+ # as placeholder
+ firewall_backend_priority = ['none']
+ endif
+ else
+ if host_machine.system() != 'linux'
+ error('firewall backend priority only supported on linux hosts')
+ endif
endif
- conf.set('FIREWALL_BACKEND_PRIORITY_0', 'VIR_FIREWALL_BACKEND_' + firewall_backend_priority[0].to_upper())
- conf.set('FIREWALL_BACKEND_PRIORITY_1', 'VIR_FIREWALL_BACKEND_' + firewall_backend_priority[1].to_upper())
- conf.set('FIREWALL_BACKEND_PRIORITY_NUM', firewall_backend_priority.length())
+ backends = []
+ foreach backend: firewall_backend_priority
+ backend = 'VIR_FIREWALL_BACKEND_' + backend.to_upper()
+ backends += backend
+ endforeach
+
+ conf.set('FIREWALL_BACKENDS', ', '.join(backends))
elif get_option('driver_network').enabled()
error('libvirtd must be enabled to build the network driver')
endif
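Review bot: The new foreach that builds `backends` is the natural place for the duplicate check the commit message defers to meson's future hard error: before `backends += backend`, an `if backends.contains(backend)` / `error('duplicate value in firewall_backend_priority')` / `endif` rejects `nftables,nftables` today instead of silently producing an fwBackends array with a repeated entry that the static assert in bridge_driver_conf.c cannot catch. The non-Linux branch forces `['none']` without any output, so a builder on such a host only learns at runtime that the driver installs no firewall rules; a `message()` there naming the forced backend would make the configure log self-explanatory.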
diff --git a/meson_options.txt b/meson_options.txt
index 50d71427cb..2d440c63d8 100644
--- a/meson_options.txt
+++ b/meson_options.txt
@@ -117,7 +117,7 @@ option('dtrace', type: 'feature', value: 'auto', description: 'use dtrace for st
option('firewalld', type: 'feature', value: 'auto', description: 'firewalld support')
# dep:firewalld
option('firewalld_zone', type: 'feature', value: 'auto', description: 'whether to install firewalld libvirt zone')
-option('firewall_backend_priority', type: 'array', choices: ['nftables', 'iptables'], description: 'order in which to try firewall backends')
+option('firewall_backend_priority', type: 'array', choices: ['nftables', 'iptables'], value: [], description: 'order in which to try firewall backends')
option('host_validate', type: 'feature', value: 'auto', description: 'build virt-host-validate')
option('init_script', type: 'combo', choices: ['systemd', 'openrc', 'check', 'none'], value: 'check', description: 'Style of init script to install')
option('loader_nvram', type: 'string', value: '', description: 'Pass list of pairs of <loader>:<nvram> paths. Both pairs and list items are separated by a colon.')
diff --git a/po/POTFILES b/po/POTFILES
index 4bfbb91164..1ed4086d2c 100644
--- a/po/POTFILES
+++ b/po/POTFILES
@@ -143,6 +143,7 @@ src/lxc/lxc_process.c
src/network/bridge_driver.c
src/network/bridge_driver_conf.c
src/network/bridge_driver_linux.c
+src/network/bridge_driver_nop.c
src/network/leaseshelper.c
src/network/network_iptables.c
src/network/network_nftables.c
diff --git a/src/network/bridge_driver_conf.c b/src/network/bridge_driver_conf.c
index e2f3613a41..9da5e790b7 100644
--- a/src/network/bridge_driver_conf.c
+++ b/src/network/bridge_driver_conf.c
@@ -61,6 +61,7 @@ networkGetDnsmasqCaps(virNetworkDriverState *driver)
static int
virNetworkLoadDriverConfig(virNetworkDriverConfig *cfg G_GNUC_UNUSED,
+ bool privileged,
const char *filename)
{
g_autoptr(virConf) conf = NULL;
@@ -68,13 +69,17 @@ virNetworkLoadDriverConfig(virNetworkDriverConfig *cfg G_GNUC_UNUSED,
bool fwBackendSelected = false;
size_t i;
int fwBackends[] = {
- FIREWALL_BACKEND_PRIORITY_0,
- FIREWALL_BACKEND_PRIORITY_1,
+ FIREWALL_BACKENDS
};
- G_STATIC_ASSERT(G_N_ELEMENTS(fwBackends) == VIR_FIREWALL_BACKEND_LAST);
- G_STATIC_ASSERT(G_N_ELEMENTS(fwBackends) == FIREWALL_BACKEND_PRIORITY_NUM);
+ G_STATIC_ASSERT(G_N_ELEMENTS(fwBackends) > 0 &&
+ G_N_ELEMENTS(fwBackends) <= VIR_FIREWALL_BACKEND_LAST);
int nFwBackends = G_N_ELEMENTS(fwBackends);
+ if (!privileged) {
+ fwBackends[0] = VIR_FIREWALL_BACKEND_NONE;
+ nFwBackends = 1;
+ }
+
if (access(filename, R_OK) == 0) {
conf = virConfReadFile(filename, 0);
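Review bot: When `privileged` is false the backend list is overwritten with VIR_FIREWALL_BACKEND_NONE silently, so an administrator debugging a session-mode network that starts with no rules has no log line explaining why; a `VIR_DEBUG("Unprivileged daemon, forcing firewall backend 'none'");` inside the new `if (!privileged)` block (assuming this file has a VIR_LOG_INIT like the other driver files) would make the decision visible. The override happens before the config file is read on the following lines, so whether a `firewall_backend` setting from network.conf can still select iptables/nftables for an unprivileged daemon depends on code after this hunk; if it can, that configuration will fail later in networkAddFirewallRules rather than here, and the commit message should state which behaviour is intended. virNetworkLoadDriverConfig continues beyond the hunk.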
@@ -104,6 +109,10 @@ virNetworkLoadDriverConfig(virNetworkDriverConfig *cfg G_GNUC_UNUSED,
for (i = 0; i < nFwBackends && !fwBackendSelected; i++) {
switch ((virFirewallBackend)fwBackends[i]) {
+ case VIR_FIREWALL_BACKEND_NONE:
+ fwBackendSelected = true;
+ break;
+
case VIR_FIREWALL_BACKEND_IPTABLES: {
g_autofree char *iptablesInPath = virFindFileInPath(IPTABLES);
@@ -187,7 +196,7 @@ virNetworkDriverConfigNew(bool privileged)
configfile = g_strconcat(configdir, "/network.conf", NULL);
- if (virNetworkLoadDriverConfig(cfg, configfile) < 0)
+ if (virNetworkLoadDriverConfig(cfg, privileged, configfile) < 0)
return NULL;
if (g_mkdir_with_parents(cfg->stateDir, 0777) < 0) {
diff --git a/src/network/bridge_driver_linux.c b/src/network/bridge_driver_linux.c
index 35e6bd1154..fe7c6e193c 100644
--- a/src/network/bridge_driver_linux.c
+++ b/src/network/bridge_driver_linux.c
@@ -47,6 +47,11 @@ networkFirewallSetupPrivateChains(virFirewallBackend backend,
virFirewallLayer layer)
{
switch (backend) {
+ case VIR_FIREWALL_BACKEND_NONE:
+ virReportError(VIR_ERR_NO_SUPPORT, "%s",
+ _("No firewall backend is available"));
+ return -1;
+
case VIR_FIREWALL_BACKEND_IPTABLES:
return iptablesSetupPrivateChains(layer);
@@ -417,6 +422,11 @@ networkAddFirewallRules(virNetworkDef *def,
}
switch (firewallBackend) {
+ case VIR_FIREWALL_BACKEND_NONE:
+ virReportError(VIR_ERR_NO_SUPPORT, "%s",
+ _("No firewall backend is available"));
+ return -1;
+
case VIR_FIREWALL_BACKEND_IPTABLES:
return iptablesAddFirewallRules(def, fwRemoval);
diff --git a/src/network/bridge_driver_nop.c b/src/network/bridge_driver_nop.c
index 537b9234f8..8bf3367bff 100644
--- a/src/network/bridge_driver_nop.c
+++ b/src/network/bridge_driver_nop.c
@@ -19,6 +19,8 @@
#include <config.h>
+#define VIR_FROM_THIS VIR_FROM_NETWORK
+
void networkPreReloadFirewallRules(virNetworkDriverState *driver G_GNUC_UNUSED,
bool startup G_GNUC_UNUSED,
bool force G_GNUC_UNUSED)
@@ -37,9 +39,20 @@ int networkCheckRouteCollision(virNetworkDef *def G_GNUC_UNUSED)
}
int networkAddFirewallRules(virNetworkDef *def G_GNUC_UNUSED,
- virFirewallBackend firewallBackend G_GNUC_UNUSED,
+ virFirewallBackend firewallBackend,
virFirewall **fwRemoval G_GNUC_UNUSED)
{
+ /*
+ * Shouldn't be possible, since virNetworkLoadDriverConfig
+ * ought to fail to find the required binaries when loading,
+ * so this is just a sanity check
+ */
+ if (firewallBackend != VIR_FIREWALL_BACKEND_NONE) {
+ virReportError(VIR_ERR_NO_SUPPORT,
+ _("Firewall backend '%1$s' not available on this platform"),
+ virFirewallBackendTypeToString(firewallBackend));
+ return -1;
+ }
return 0;
}
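Review bot: `virFirewallBackendTypeToString(firewallBackend)` returns NULL for an enum value outside the known range, and the `%1$s` formatting then depends on how virReportError treats a NULL argument; wrapping it as `NULLSTR(virFirewallBackendTypeToString(firewallBackend))` matches how other libvirt error paths format a possibly-NULL type name. The `#define VIR_FROM_THIS` added in the first hunk is needed for virReportError, but the file's include list is not visible here, so confirm virerror.h (and virfirewall.h for the enum helpers) is already included by this file.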
diff --git a/src/util/virfirewall.c b/src/util/virfirewall.c
index 2219506b18..090dbcdbed 100644
--- a/src/util/virfirewall.c
+++ b/src/util/virfirewall.c
@@ -37,6 +37,7 @@ VIR_LOG_INIT("util.firewall");
VIR_ENUM_IMPL(virFirewallBackend,
VIR_FIREWALL_BACKEND_LAST,
+ "none",
"iptables",
"nftables");
@@ -815,6 +816,11 @@ virFirewallApplyCmd(virFirewall *firewall,
}
switch (virFirewallGetBackend(firewall)) {
+ case VIR_FIREWALL_BACKEND_NONE:
+ virReportError(VIR_ERR_NO_SUPPORT, "%s",
+ _("Firewall backend is not implemented"));
+ return -1;
+
case VIR_FIREWALL_BACKEND_IPTABLES:
if (virFirewallCmdIptablesApply(firewall, fwCmd, &output) < 0)
return -1;
diff --git a/src/util/virfirewall.h b/src/util/virfirewall.h
index 302a6a4e5b..bce51259d2 100644
--- a/src/util/virfirewall.h
+++ b/src/util/virfirewall.h
@@ -44,6 +44,7 @@ typedef enum {
} virFirewallLayer;
typedef enum {
+ VIR_FIREWALL_BACKEND_NONE, /* Always fails */
VIR_FIREWALL_BACKEND_IPTABLES,
VIR_FIREWALL_BACKEND_NFTABLES,
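Review bot: Inserting VIR_FIREWALL_BACKEND_NONE ahead of the existing members renumbers VIR_FIREWALL_BACKEND_IPTABLES and VIR_FIREWALL_BACKEND_NFTABLES; the string table in the virfirewall.c hunk is updated in lockstep, so string-based config and status handling stays consistent, but any path that persists or compares the raw integer (none is visible here) would silently change meaning. Appending the new member just before VIR_FIREWALL_BACKEND_LAST would avoid the renumbering; if the leading position is deliberate so that a zero-initialised backend field means "none", a comment such as `/* Always fails; kept first so a zero-initialised backend means 'none' */` would record that intent. The enum continues past the end of the hunk.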
--
2.45.1
6 months, 1 week
[PATCH] conf: Drop needless NULL checks guarding virBufferEscapeString()
by Michal Privoznik
There's no need to guard virBufferEscapeString() with a NULL check,
as the very first thing the function does is check all three
arguments for NULL.
This patch was generated using the following spatch:
@@
expression X, Y, E;
@@
- if (E)
virBufferEscapeString(X, Y, E);
Signed-off-by: Michal Privoznik <mprivozn(a)redhat.com>
---
src/conf/capabilities.c | 6 ++--
src/conf/domain_conf.c | 57 +++++++++++-------------------
src/conf/network_conf.c | 6 ++--
src/conf/node_device_conf.c | 57 ++++++++++++------------------
src/conf/snapshot_conf.c | 5 ++-
src/conf/storage_encryption_conf.c | 9 ++---
src/conf/storage_source_conf.c | 3 +-
src/conf/virnwfilterbindingdef.c | 3 +-
8 files changed, 55 insertions(+), 91 deletions(-)
diff --git a/src/conf/capabilities.c b/src/conf/capabilities.c
index fe5e42c167..74e6293766 100644
--- a/src/conf/capabilities.c
+++ b/src/conf/capabilities.c
@@ -693,10 +693,8 @@ virCapabilitiesDomainDataLookupInternal(virCaps *caps,
if (domaintype > VIR_DOMAIN_VIRT_NONE)
virBufferAsprintf(&buf, "domaintype=%s ",
virDomainVirtTypeToString(domaintype));
- if (emulator)
- virBufferEscapeString(&buf, "emulator=%s ", emulator);
- if (machinetype)
- virBufferEscapeString(&buf, "machine=%s ", machinetype);
+ virBufferEscapeString(&buf, "emulator=%s ", emulator);
+ virBufferEscapeString(&buf, "machine=%s ", machinetype);
if (virBufferCurrentContent(&buf) &&
!virBufferCurrentContent(&buf)[0])
virBufferAsprintf(&buf, "%s", _("any configuration"));
diff --git a/src/conf/domain_conf.c b/src/conf/domain_conf.c
index fde594f811..2f1e99865b 100644
--- a/src/conf/domain_conf.c
+++ b/src/conf/domain_conf.c
@@ -5394,8 +5394,7 @@ virDomainDeviceInfoFormat(virBuffer *buf,
if (rombar)
virBufferAsprintf(buf, " bar='%s'", rombar);
}
- if (info->romfile)
- virBufferEscapeString(buf, " file='%s'", info->romfile);
+ virBufferEscapeString(buf, " file='%s'", info->romfile);
virBufferAddLit(buf, "/>\n");
}
@@ -22175,8 +22174,7 @@ virSecurityDeviceLabelDefFormat(virBuffer *buf,
virBufferAddLit(buf, "<seclabel");
- if (def->model)
- virBufferEscapeString(buf, " model='%s'", def->model);
+ virBufferEscapeString(buf, " model='%s'", def->model);
if (def->labelskip)
virBufferAddLit(buf, " labelskip='yes'");
@@ -22371,8 +22369,7 @@ virDomainDiskSourceFormatNetwork(virBuffer *attrBuf,
virBufferAsprintf(childBuf, "<timeout seconds='%llu'/>\n", src->timeout);
if (src->protocol == VIR_STORAGE_NET_PROTOCOL_SSH) {
- if (src->ssh_known_hosts_file)
- virBufferEscapeString(childBuf, "<knownHosts path='%s'/>\n", src->ssh_known_hosts_file);
+ virBufferEscapeString(childBuf, "<knownHosts path='%s'/>\n", src->ssh_known_hosts_file);
if (src->ssh_keyfile || src->ssh_agent) {
virBufferAddLit(childBuf, "<identity");
@@ -23162,8 +23159,7 @@ virDomainControllerDefFormat(virBuffer *buf,
" type='%s' index='%d'",
type, def->idx);
- if (model)
- virBufferEscapeString(&attrBuf, " model='%s'", model);
+ virBufferEscapeString(&attrBuf, " model='%s'", model);
switch (def->type) {
case VIR_DOMAIN_CONTROLLER_TYPE_VIRTIO_SERIAL:
@@ -24581,8 +24577,7 @@ virDomainChrTargetDefFormat(virBuffer *buf,
case VIR_DOMAIN_CHR_CHANNEL_TARGET_TYPE_XEN:
case VIR_DOMAIN_CHR_CHANNEL_TARGET_TYPE_VIRTIO:
- if (def->target.name)
- virBufferEscapeString(buf, " name='%s'", def->target.name);
+ virBufferEscapeString(buf, " name='%s'", def->target.name);
if (def->targetType == VIR_DOMAIN_CHR_CHANNEL_TARGET_TYPE_VIRTIO &&
def->state != VIR_DOMAIN_CHR_DEVICE_STATE_DEFAULT &&
@@ -26004,9 +25999,8 @@ virDomainGraphicsDefFormat(virBuffer *buf,
break;
}
- if (def->data.vnc.keymap)
- virBufferEscapeString(buf, " keymap='%s'",
- def->data.vnc.keymap);
+ virBufferEscapeString(buf, " keymap='%s'",
+ def->data.vnc.keymap);
if (def->data.vnc.sharePolicy)
virBufferAsprintf(buf, " sharePolicy='%s'",
@@ -26021,13 +26015,11 @@ virDomainGraphicsDefFormat(virBuffer *buf,
break;
case VIR_DOMAIN_GRAPHICS_TYPE_SDL:
- if (def->data.sdl.display)
- virBufferEscapeString(buf, " display='%s'",
- def->data.sdl.display);
+ virBufferEscapeString(buf, " display='%s'",
+ def->data.sdl.display);
- if (def->data.sdl.xauth)
- virBufferEscapeString(buf, " xauth='%s'",
- def->data.sdl.xauth);
+ virBufferEscapeString(buf, " xauth='%s'",
+ def->data.sdl.xauth);
if (def->data.sdl.fullscreen)
virBufferAddLit(buf, " fullscreen='yes'");
@@ -26066,9 +26058,8 @@ virDomainGraphicsDefFormat(virBuffer *buf,
break;
case VIR_DOMAIN_GRAPHICS_TYPE_DESKTOP:
- if (def->data.desktop.display)
- virBufferEscapeString(buf, " display='%s'",
- def->data.desktop.display);
+ virBufferEscapeString(buf, " display='%s'",
+ def->data.desktop.display);
if (def->data.desktop.fullscreen)
virBufferAddLit(buf, " fullscreen='yes'");
@@ -26121,9 +26112,8 @@ virDomainGraphicsDefFormat(virBuffer *buf,
break;
}
- if (def->data.spice.keymap)
- virBufferEscapeString(buf, " keymap='%s'",
- def->data.spice.keymap);
+ virBufferEscapeString(buf, " keymap='%s'",
+ def->data.spice.keymap);
if (def->data.spice.defaultMode != VIR_DOMAIN_GRAPHICS_SPICE_CHANNEL_MODE_ANY)
virBufferAsprintf(buf, " defaultMode='%s'",
@@ -26503,11 +26493,9 @@ virDomainResourceDefFormat(virBuffer *buf,
if (!def)
return;
- if (def->partition)
- virBufferEscapeString(&childBuf, "<partition>%s</partition>\n", def->partition);
+ virBufferEscapeString(&childBuf, "<partition>%s</partition>\n", def->partition);
- if (def->appid)
- virBufferEscapeString(&childBuf, "<fibrechannel appid='%s'/>\n", def->appid);
+ virBufferEscapeString(&childBuf, "<fibrechannel appid='%s'/>\n", def->appid);
virXMLFormatElement(buf, "resource", NULL, &childBuf);
}
@@ -26680,11 +26668,9 @@ virDomainSecDefFormat(virBuffer *buf, virDomainSecDef *sec)
virBufferAsprintf(&childBuf, "<reducedPhysBits>%d</reducedPhysBits>\n",
sev->reduced_phys_bits);
virBufferAsprintf(&childBuf, "<policy>0x%04x</policy>\n", sev->policy);
- if (sev->dh_cert)
- virBufferEscapeString(&childBuf, "<dhCert>%s</dhCert>\n", sev->dh_cert);
+ virBufferEscapeString(&childBuf, "<dhCert>%s</dhCert>\n", sev->dh_cert);
- if (sev->session)
- virBufferEscapeString(&childBuf, "<session>%s</session>\n", sev->session);
+ virBufferEscapeString(&childBuf, "<session>%s</session>\n", sev->session);
break;
}
@@ -27910,9 +27896,8 @@ virDomainDefFormatInternalSetRootName(virDomainDef *def,
for (i = 0; def->os.initenv && def->os.initenv[i]; i++)
virBufferAsprintf(buf, "<initenv name='%s'>%s</initenv>\n",
def->os.initenv[i]->name, def->os.initenv[i]->value);
- if (def->os.initdir)
- virBufferEscapeString(buf, "<initdir>%s</initdir>\n",
- def->os.initdir);
+ virBufferEscapeString(buf, "<initdir>%s</initdir>\n",
+ def->os.initdir);
if (def->os.inituser)
virBufferAsprintf(buf, "<inituser>%s</inituser>\n", def->os.inituser);
if (def->os.initgroup)
diff --git a/src/conf/network_conf.c b/src/conf/network_conf.c
index cc92ed0b03..f5ccf4bd12 100644
--- a/src/conf/network_conf.c
+++ b/src/conf/network_conf.c
@@ -2004,10 +2004,8 @@ virNetworkDNSDefFormat(virBuffer *buf,
def->srvs[i].service);
virBufferEscapeString(buf, "protocol='%s'", def->srvs[i].protocol);
- if (def->srvs[i].domain)
- virBufferEscapeString(buf, " domain='%s'", def->srvs[i].domain);
- if (def->srvs[i].target)
- virBufferEscapeString(buf, " target='%s'", def->srvs[i].target);
+ virBufferEscapeString(buf, " domain='%s'", def->srvs[i].domain);
+ virBufferEscapeString(buf, " target='%s'", def->srvs[i].target);
if (def->srvs[i].port)
virBufferAsprintf(buf, " port='%d'", def->srvs[i].port);
if (def->srvs[i].priority)
diff --git a/src/conf/node_device_conf.c b/src/conf/node_device_conf.c
index fe6d9a36b2..d2b578178b 100644
--- a/src/conf/node_device_conf.c
+++ b/src/conf/node_device_conf.c
@@ -176,20 +176,16 @@ virNodeDeviceCapSystemDefFormat(virBuffer *buf,
{
char uuidstr[VIR_UUID_STRING_BUFLEN];
- if (data->system.product_name)
- virBufferEscapeString(buf, "<product>%s</product>\n",
- data->system.product_name);
+ virBufferEscapeString(buf, "<product>%s</product>\n",
+ data->system.product_name);
virBufferAddLit(buf, "<hardware>\n");
virBufferAdjustIndent(buf, 2);
- if (data->system.hardware.vendor_name)
- virBufferEscapeString(buf, "<vendor>%s</vendor>\n",
- data->system.hardware.vendor_name);
- if (data->system.hardware.version)
- virBufferEscapeString(buf, "<version>%s</version>\n",
- data->system.hardware.version);
- if (data->system.hardware.serial)
- virBufferEscapeString(buf, "<serial>%s</serial>\n",
- data->system.hardware.serial);
+ virBufferEscapeString(buf, "<vendor>%s</vendor>\n",
+ data->system.hardware.vendor_name);
+ virBufferEscapeString(buf, "<version>%s</version>\n",
+ data->system.hardware.version);
+ virBufferEscapeString(buf, "<serial>%s</serial>\n",
+ data->system.hardware.serial);
virUUIDFormat(data->system.hardware.uuid, uuidstr);
virBufferAsprintf(buf, "<uuid>%s</uuid>\n", uuidstr);
virBufferAdjustIndent(buf, -2);
@@ -197,15 +193,12 @@ virNodeDeviceCapSystemDefFormat(virBuffer *buf,
virBufferAddLit(buf, "<firmware>\n");
virBufferAdjustIndent(buf, 2);
- if (data->system.firmware.vendor_name)
- virBufferEscapeString(buf, "<vendor>%s</vendor>\n",
- data->system.firmware.vendor_name);
- if (data->system.firmware.version)
- virBufferEscapeString(buf, "<version>%s</version>\n",
- data->system.firmware.version);
- if (data->system.firmware.release_date)
- virBufferEscapeString(buf, "<release_date>%s</release_date>\n",
- data->system.firmware.release_date);
+ virBufferEscapeString(buf, "<vendor>%s</vendor>\n",
+ data->system.firmware.vendor_name);
+ virBufferEscapeString(buf, "<version>%s</version>\n",
+ data->system.firmware.version);
+ virBufferEscapeString(buf, "<release_date>%s</release_date>\n",
+ data->system.firmware.release_date);
virBufferAdjustIndent(buf, -2);
virBufferAddLit(buf, "</firmware>\n");
}
@@ -225,9 +218,8 @@ virNodeDeviceCapMdevTypesFormat(virBuffer *buf,
virMediatedDeviceType *type = mdev_types[i];
virBufferEscapeString(buf, "<type id='%s'>\n", type->id);
virBufferAdjustIndent(buf, 2);
- if (type->name)
- virBufferEscapeString(buf, "<name>%s</name>\n",
- type->name);
+ virBufferEscapeString(buf, "<name>%s</name>\n",
+ type->name);
virBufferEscapeString(buf, "<deviceAPI>%s</deviceAPI>\n",
type->device_api);
virBufferAsprintf(buf,
@@ -454,10 +446,9 @@ virNodeDeviceCapUSBInterfaceDefFormat(virBuffer *buf,
data->usb_if.subclass);
virBufferAsprintf(buf, "<protocol>%d</protocol>\n",
data->usb_if.protocol);
- if (data->usb_if.description)
- virBufferEscapeString(buf,
- "<description>%s</description>\n",
- data->usb_if.description);
+ virBufferEscapeString(buf,
+ "<description>%s</description>\n",
+ data->usb_if.description);
}
@@ -469,9 +460,8 @@ virNodeDeviceCapNetDefFormat(virBuffer *buf,
virBufferEscapeString(buf, "<interface>%s</interface>\n",
data->net.ifname);
- if (data->net.address)
- virBufferEscapeString(buf, "<address>%s</address>\n",
- data->net.address);
+ virBufferEscapeString(buf, "<address>%s</address>\n",
+ data->net.address);
virInterfaceLinkFormat(buf, &data->net.lnk);
if (data->net.features) {
for (i = 0; i < VIR_NET_DEV_FEAT_LAST; i++) {
@@ -533,9 +523,8 @@ virNodeDeviceCapSCSIDefFormat(virBuffer *buf,
virBufferAsprintf(buf, "<target>%d</target>\n",
data->scsi.target);
virBufferAsprintf(buf, "<lun>%d</lun>\n", data->scsi.lun);
- if (data->scsi.type)
- virBufferEscapeString(buf, "<type>%s</type>\n",
- data->scsi.type);
+ virBufferEscapeString(buf, "<type>%s</type>\n",
+ data->scsi.type);
}
diff --git a/src/conf/snapshot_conf.c b/src/conf/snapshot_conf.c
index d7fcded302..039ed77b84 100644
--- a/src/conf/snapshot_conf.c
+++ b/src/conf/snapshot_conf.c
@@ -819,9 +819,8 @@ virDomainSnapshotDefFormatInternal(virBuffer *buf,
virBufferAdjustIndent(buf, 2);
virBufferEscapeString(buf, "<name>%s</name>\n", def->parent.name);
- if (def->parent.description)
- virBufferEscapeString(buf, "<description>%s</description>\n",
- def->parent.description);
+ virBufferEscapeString(buf, "<description>%s</description>\n",
+ def->parent.description);
if (def->state)
virBufferAsprintf(buf, "<state>%s</state>\n",
virDomainSnapshotStateTypeToString(def->state));
diff --git a/src/conf/storage_encryption_conf.c b/src/conf/storage_encryption_conf.c
index 1849df5c6c..b86001ec50 100644
--- a/src/conf/storage_encryption_conf.c
+++ b/src/conf/storage_encryption_conf.c
@@ -317,16 +317,13 @@ virStorageEncryptionInfoDefFormat(virBuffer *buf,
{
virBufferEscapeString(buf, "<cipher name='%s'", enc->cipher_name);
virBufferAsprintf(buf, " size='%u'", enc->cipher_size);
- if (enc->cipher_mode)
- virBufferEscapeString(buf, " mode='%s'", enc->cipher_mode);
- if (enc->cipher_hash)
- virBufferEscapeString(buf, " hash='%s'", enc->cipher_hash);
+ virBufferEscapeString(buf, " mode='%s'", enc->cipher_mode);
+ virBufferEscapeString(buf, " hash='%s'", enc->cipher_hash);
virBufferAddLit(buf, "/>\n");
if (enc->ivgen_name) {
virBufferEscapeString(buf, "<ivgen name='%s'", enc->ivgen_name);
- if (enc->ivgen_hash)
- virBufferEscapeString(buf, " hash='%s'", enc->ivgen_hash);
+ virBufferEscapeString(buf, " hash='%s'", enc->ivgen_hash);
virBufferAddLit(buf, "/>\n");
}
}
diff --git a/src/conf/storage_source_conf.c b/src/conf/storage_source_conf.c
index 959ec5ed40..908bc5fab2 100644
--- a/src/conf/storage_source_conf.c
+++ b/src/conf/storage_source_conf.c
@@ -1347,8 +1347,7 @@ int
virStorageSourcePrivateDataFormatRelPath(virStorageSource *src,
virBuffer *buf)
{
- if (src->relPath)
- virBufferEscapeString(buf, "<relPath>%s</relPath>\n", src->relPath);
+ virBufferEscapeString(buf, "<relPath>%s</relPath>\n", src->relPath);
return 0;
}
diff --git a/src/conf/virnwfilterbindingdef.c b/src/conf/virnwfilterbindingdef.c
index 423ed7a392..fe45c84347 100644
--- a/src/conf/virnwfilterbindingdef.c
+++ b/src/conf/virnwfilterbindingdef.c
@@ -203,8 +203,7 @@ virNWFilterBindingDefFormatBuf(virBuffer *buf,
virBufferAddLit(buf, "</owner>\n");
virBufferEscapeString(buf, "<portdev name='%s'/>\n", def->portdevname);
- if (def->linkdevname)
- virBufferEscapeString(buf, "<linkdev name='%s'/>\n", def->linkdevname);
+ virBufferEscapeString(buf, "<linkdev name='%s'/>\n", def->linkdevname);
virMacAddrFormat(&def->mac, mac);
virBufferAsprintf(buf, "<mac address='%s'/>\n", mac);
--
2.44.2
6 months, 1 week
[PATCH v2] network: introduce a "none" firewall backend type
by Daniel P. Berrangé
There are two scenarios identified after the recent firewall backend
selection was introduced, which result in libvirtd failing to startup
due to an inability to find either iptables/nftables
- On Linux if running unprivileged with $PATH lacking the dir
containing iptables/nftables
- On non-Linux where iptables/nftables never existed
In the former case, it is preferrable to restore the behaviour whereby
the driver starts successfully. Users will get an error reported when
attempting to start any virtual network, due to the lack of permissions
needed to create bridge devices. This makes the missing firewall backend
irrelevant.
In the latter case, the network driver calls the 'nop' platform
implementation which does not attempt to implement any firewall logic,
just allowing the network to start without firewall rules.
To solve this, a number of changes are required:
* Introduce VIR_FIREWALL_BACKEND_NONE, which does nothing except
report a fatal error from virFirewallApply(). This code path
is unreachable, since we'll never create a virFirewall
object with VIR_FIREWALL_BACKEND_NONE, so the error reporting
is just a sanity check.
* Ignore the compile time backend defaults and assume use of
the 'none' backend if running unprivileged.
This fixes the first regression, avoiding the failure to start
libvirtd on Linux in unprivileged context, instead allowing use
of the driver and expecting a permission denied when creating a
bridge.
* Reject the use of compile time backend defaults no non-Linux
and hardcode the 'none' backend. The non-Linux platforms have
no firewall implementation at all currently, so there's no
reason to permit the use of 'firewall_backend_priority'
meson option.
This fixes the second regression, avoiding the failure to start
libvirtd on non-Linux hosts due to non-existant Linux binaries.
* Change the Linux platform backend to raise an error if the
firewall backend is 'none'. Again this code path is unreachable
by default since we'll fail to create the bridge before getting
here, but if someone modified network.conf to request the 'none'
backend, this will stop further progress.
* Change the nop platform backend to raise an error if the
firewall backend is 'iptables' or 'nftables'. Again this code
path is unreachable, since we should already have failed to
find the iptables/nftables binaries on non-Linux hosts, so
this is just a sanity check.
* 'none' is not permited as a value in 'firewall_backend_priority'
meson option, since it is conceptually meaningless to ask for
that on Linux.
Signed-off-by: Daniel P. Berrangé <berrange(a)redhat.com>
---
Changed in v2:
- Fix build problems on FreeBSD (changes proposed by Roman)
meson.build | 26 +++++++++++++++++++-------
meson_options.txt | 2 +-
src/network/bridge_driver_conf.c | 19 ++++++++++++++-----
src/network/bridge_driver_linux.c | 10 ++++++++++
src/network/bridge_driver_nop.c | 15 ++++++++++++++-
src/util/virfirewall.c | 6 ++++++
src/util/virfirewall.h | 1 +
7 files changed, 65 insertions(+), 14 deletions(-)
diff --git a/meson.build b/meson.build
index 5c7cd7ec2e..2e8b87280d 100644
--- a/meson.build
+++ b/meson.build
@@ -1647,15 +1647,27 @@ if not get_option('driver_network').disabled() and conf.has('WITH_LIBVIRTD')
conf.set('WITH_NETWORK', 1)
firewall_backend_priority = get_option('firewall_backend_priority')
- if (not firewall_backend_priority.contains('nftables') or
- not firewall_backend_priority.contains('iptables') or
- firewall_backend_priority.length() != 2)
- error('invalid value for firewall_backend_priority option')
+ if firewall_backend_priority.length() == 0
+ if host_machine.system() == 'linux'
+ firewall_backend_priority = ['nftables', 'iptables']
+ else
+ # No firewall impl on non-Linux so far, so force 'none'
+ # as placeholder
+ firewall_backend_priority = ['none']
+ endif
+ else
+ if host_machine.system() != 'linux'
+ error('firewall backend priority only supported on linux hosts')
+ endif
endif
- conf.set('FIREWALL_BACKEND_PRIORITY_0', 'VIR_FIREWALL_BACKEND_' + firewall_backend_priority[0].to_upper())
- conf.set('FIREWALL_BACKEND_PRIORITY_1', 'VIR_FIREWALL_BACKEND_' + firewall_backend_priority[1].to_upper())
- conf.set('FIREWALL_BACKEND_PRIORITY_NUM', firewall_backend_priority.length())
+ backends = []
+ foreach backend: firewall_backend_priority
+ backend = 'VIR_FIREWALL_BACKEND_' + backend.to_upper()
+ backends += backend
+ endforeach
+
+ conf.set('FIREWALL_BACKENDS', ', '.join(backends))
elif get_option('driver_network').enabled()
error('libvirtd must be enabled to build the network driver')
endif
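Review bot: The foreach body rebinds its own loop variable (`backend = 'VIR_FIREWALL_BACKEND_' + backend.to_upper()`) before appending it, which reads as accidental shadowing; `backends += 'VIR_FIREWALL_BACKEND_' + backend.to_upper()` expresses the same in one line without the rebinding. Separately, the old check that both backends appear exactly once is dropped: the `choices:` restriction keeps unknown names out, but nothing in this hunk establishes that a duplicated entry (the same backend listed twice) is rejected before it is joined into FIREWALL_BACKENDS, so a uniqueness check may be worth keeping if duplicates would otherwise reach the C side.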
diff --git a/meson_options.txt b/meson_options.txt
index 50d71427cb..2d440c63d8 100644
--- a/meson_options.txt
+++ b/meson_options.txt
@@ -117,7 +117,7 @@ option('dtrace', type: 'feature', value: 'auto', description: 'use dtrace for st
option('firewalld', type: 'feature', value: 'auto', description: 'firewalld support')
# dep:firewalld
option('firewalld_zone', type: 'feature', value: 'auto', description: 'whether to install firewalld libvirt zone')
-option('firewall_backend_priority', type: 'array', choices: ['nftables', 'iptables'], description: 'order in which to try firewall backends')
+option('firewall_backend_priority', type: 'array', choices: ['nftables', 'iptables'], value: [], description: 'order in which to try firewall backends')
option('host_validate', type: 'feature', value: 'auto', description: 'build virt-host-validate')
option('init_script', type: 'combo', choices: ['systemd', 'openrc', 'check', 'none'], value: 'check', description: 'Style of init script to install')
option('loader_nvram', type: 'string', value: '', description: 'Pass list of pairs of <loader>:<nvram> paths. Both pairs and list items are separated by a colon.')
diff --git a/src/network/bridge_driver_conf.c b/src/network/bridge_driver_conf.c
index e2f3613a41..9da5e790b7 100644
--- a/src/network/bridge_driver_conf.c
+++ b/src/network/bridge_driver_conf.c
@@ -61,6 +61,7 @@ networkGetDnsmasqCaps(virNetworkDriverState *driver)
static int
virNetworkLoadDriverConfig(virNetworkDriverConfig *cfg G_GNUC_UNUSED,
+ bool privileged,
const char *filename)
{
g_autoptr(virConf) conf = NULL;
@@ -68,13 +69,17 @@ virNetworkLoadDriverConfig(virNetworkDriverConfig *cfg G_GNUC_UNUSED,
bool fwBackendSelected = false;
size_t i;
int fwBackends[] = {
- FIREWALL_BACKEND_PRIORITY_0,
- FIREWALL_BACKEND_PRIORITY_1,
+ FIREWALL_BACKENDS
};
- G_STATIC_ASSERT(G_N_ELEMENTS(fwBackends) == VIR_FIREWALL_BACKEND_LAST);
- G_STATIC_ASSERT(G_N_ELEMENTS(fwBackends) == FIREWALL_BACKEND_PRIORITY_NUM);
+ G_STATIC_ASSERT(G_N_ELEMENTS(fwBackends) > 0 &&
+ G_N_ELEMENTS(fwBackends) <= VIR_FIREWALL_BACKEND_LAST);
int nFwBackends = G_N_ELEMENTS(fwBackends);
+ if (!privileged) {
+ fwBackends[0] = VIR_FIREWALL_BACKEND_NONE;
+ nFwBackends = 1;
+ }
+
if (access(filename, R_OK) == 0) {
conf = virConfReadFile(filename, 0);
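Review bot: The unprivileged override writes `fwBackends[0] = VIR_FIREWALL_BACKEND_NONE` before the config file is read, so the compile-time priority list is discarded but an explicit firewall_backend setting in network.conf (handled after this hunk, outside the visible lines) can presumably still select iptables/nftables for an unprivileged daemon; if that precedence is intended, a comment on the block such as `/* Unprivileged: bridge creation will fail anyway, so default to 'none' unless network.conf overrides it */` would make it explicit. The new G_STATIC_ASSERT bound `<= VIR_FIREWALL_BACKEND_LAST` also counts the new NONE member, so it admits one more entry than the meson option can emit; `G_N_ELEMENTS(fwBackends) < VIR_FIREWALL_BACKEND_LAST` is the tight bound if NONE is never meant to appear in FIREWALL_BACKENDS. The NONE case added in the following hunk selects the backend without probing anything, which matches the commit message. virNetworkLoadDriverConfig continues beyond the hunk.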
@@ -104,6 +109,10 @@ virNetworkLoadDriverConfig(virNetworkDriverConfig *cfg G_GNUC_UNUSED,
for (i = 0; i < nFwBackends && !fwBackendSelected; i++) {
switch ((virFirewallBackend)fwBackends[i]) {
+ case VIR_FIREWALL_BACKEND_NONE:
+ fwBackendSelected = true;
+ break;
+
case VIR_FIREWALL_BACKEND_IPTABLES: {
g_autofree char *iptablesInPath = virFindFileInPath(IPTABLES);
@@ -187,7 +196,7 @@ virNetworkDriverConfigNew(bool privileged)
configfile = g_strconcat(configdir, "/network.conf", NULL);
- if (virNetworkLoadDriverConfig(cfg, configfile) < 0)
+ if (virNetworkLoadDriverConfig(cfg, privileged, configfile) < 0)
return NULL;
if (g_mkdir_with_parents(cfg->stateDir, 0777) < 0) {
diff --git a/src/network/bridge_driver_linux.c b/src/network/bridge_driver_linux.c
index 35e6bd1154..fe7c6e193c 100644
--- a/src/network/bridge_driver_linux.c
+++ b/src/network/bridge_driver_linux.c
@@ -47,6 +47,11 @@ networkFirewallSetupPrivateChains(virFirewallBackend backend,
virFirewallLayer layer)
{
switch (backend) {
+ case VIR_FIREWALL_BACKEND_NONE:
+ virReportError(VIR_ERR_NO_SUPPORT, "%s",
+ _("No firewall backend is available"));
+ return -1;
+
case VIR_FIREWALL_BACKEND_IPTABLES:
return iptablesSetupPrivateChains(layer);
@@ -417,6 +422,11 @@ networkAddFirewallRules(virNetworkDef *def,
}
switch (firewallBackend) {
+ case VIR_FIREWALL_BACKEND_NONE:
+ virReportError(VIR_ERR_NO_SUPPORT, "%s",
+ _("No firewall backend is available"));
+ return -1;
+
case VIR_FIREWALL_BACKEND_IPTABLES:
return iptablesAddFirewallRules(def, fwRemoval);
diff --git a/src/network/bridge_driver_nop.c b/src/network/bridge_driver_nop.c
index 537b9234f8..2114d521d1 100644
--- a/src/network/bridge_driver_nop.c
+++ b/src/network/bridge_driver_nop.c
@@ -19,6 +19,8 @@
#include <config.h>
+#define VIR_FROM_THIS VIR_FROM_NETWORK
+
void networkPreReloadFirewallRules(virNetworkDriverState *driver G_GNUC_UNUSED,
bool startup G_GNUC_UNUSED,
bool force G_GNUC_UNUSED)
@@ -37,9 +39,20 @@ int networkCheckRouteCollision(virNetworkDef *def G_GNUC_UNUSED)
}
int networkAddFirewallRules(virNetworkDef *def G_GNUC_UNUSED,
- virFirewallBackend firewallBackend G_GNUC_UNUSED,
+ virFirewallBackend firewallBackend,
virFirewall **fwRemoval G_GNUC_UNUSED)
{
+ /*
+ * Shouldn't be possible, since virNetworkLoadDriverConfig
+ * ought to fail to find the required binaries when loading,
+ * so this is just a sanity check
+ */
+ if (firewallBackend != VIR_FIREWALL_BACKEND_NONE) {
+ virReportError(VIR_ERR_NO_SUPPORT,
+ _("Firewall backend '%s' not available on this platform"),
+ virFirewallBackendTypeToString(firewallBackend));
+ return -1;
+ }
return 0;
}
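Review bot: The translated format string `_("Firewall backend '%s' not available on this platform")` uses a plain `%s`; libvirt's convention for translatable messages is positional specifiers so translators can reorder arguments, and the later revision of this same hunk on this page already reads `_("Firewall backend '%1$s' not available on this platform")`. The argument also comes straight from virFirewallBackendTypeToString(), which presumably returns NULL for an out-of-range value, so `NULLSTR(virFirewallBackendTypeToString(firewallBackend))` keeps this sanity check safe for garbage input.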
diff --git a/src/util/virfirewall.c b/src/util/virfirewall.c
index 2219506b18..d374f54b64 100644
--- a/src/util/virfirewall.c
+++ b/src/util/virfirewall.c
@@ -37,6 +37,7 @@ VIR_LOG_INIT("util.firewall");
VIR_ENUM_IMPL(virFirewallBackend,
VIR_FIREWALL_BACKEND_LAST,
+ "none",
"iptables",
"nftables");
@@ -815,6 +816,11 @@ virFirewallApplyCmd(virFirewall *firewall,
}
switch (virFirewallGetBackend(firewall)) {
+ case VIR_FIREWALL_BACKEND_NONE:
+ virReportError(VIR_ERR_NO_SUPPORT,
+ _("Firewall backend is not implemented"));
+ return -1;
+
case VIR_FIREWALL_BACKEND_IPTABLES:
if (virFirewallCmdIptablesApply(firewall, fwCmd, &output) < 0)
return -1;
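Review bot: `virReportError(VIR_ERR_NO_SUPPORT, _("Firewall backend is not implemented"))` passes the translated string as the format argument itself, so a translation containing a `%` sequence becomes an uncontrolled format string (CERT FIO30-C); the form used by the other new error branches in this series, `virReportError(VIR_ERR_NO_SUPPORT, "%s", _("Firewall backend is not implemented"));`, avoids that. virFirewallApplyCmd continues outside the hunk.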
diff --git a/src/util/virfirewall.h b/src/util/virfirewall.h
index 302a6a4e5b..bce51259d2 100644
--- a/src/util/virfirewall.h
+++ b/src/util/virfirewall.h
@@ -44,6 +44,7 @@ typedef enum {
} virFirewallLayer;
typedef enum {
+ VIR_FIREWALL_BACKEND_NONE, /* Always fails */
VIR_FIREWALL_BACKEND_IPTABLES,
VIR_FIREWALL_BACKEND_NFTABLES,
--
2.45.1
6 months, 1 week