June 2024 - Devel - Libvirt List Archives

[PATCH] Pass shutoff reason to release hook

by Swapnil Ingle

Sometimes in release hook it is useful to know if the VM shutdown was graceful or not. This is especially useful to do cleanup based on the VM shutdown failure reason in release hook. This patch proposes to use the last argument 'extra' to pass VM shutoff reason in the call to release hook. Signed-off-by: Swapnil Ingle <swapnil.ingle(a)nutanix.com> --- docs/hooks.rst | 24 +++++++++++++++++++++++- src/qemu/qemu_process.c | 2 +- 2 files changed, 24 insertions(+), 2 deletions(-) diff --git a/docs/hooks.rst b/docs/hooks.rst index 1dbc492bd4..e76208021a 100644 --- a/docs/hooks.rst +++ b/docs/hooks.rst @@ -312,7 +312,29 @@ operation. There is no specific operation to indicate a "restart" is occurring. :: - /etc/libvirt/hooks/lxc guest_name release end - + /etc/libvirt/hooks/lxc guest_name release end <shutoff-reason> + + +-------------------+------------------------------------------------------------------+ + | Shutoff reason | Description | + +===================+==================================================================+ + | unknown | the reason is unknown | + +-------------------+------------------------------------------------------------------+ + | shutdown | normal shutdown | + +-------------------+------------------------------------------------------------------+ + | destroyed | forced poweroff | + +-------------------+------------------------------------------------------------------+ + | crashed | domain crashed | + +-------------------+------------------------------------------------------------------+ + | migrated | migrated to another host | + +-------------------+------------------------------------------------------------------+ + | saved | saved to a file | + +-------------------+------------------------------------------------------------------+ + | failed | domain failed to start | + +-------------------+------------------------------------------------------------------+ + | from snapshot | restored from a snapshot which was taken while domain was shutoff| + +-------------------+------------------------------------------------------------------+ + | daemon | daemon decides to kill domain during reconnection processing | + +-------------------+------------------------------------------------------------------+ - :since:`Since 0.9.13`, the lxc hook script is also called when the libvirtd daemon restarts and reconnects to previously running LXC processes. If the diff --git a/src/qemu/qemu_process.c b/src/qemu/qemu_process.c index 7ef7040a85..0a03685ca7 100644 --- a/src/qemu/qemu_process.c +++ b/src/qemu/qemu_process.c @@ -8716,7 +8716,7 @@ void qemuProcessStop(virQEMUDriver *driver, /* we can't stop the operation even if the script raised an error */ virHookCall(VIR_HOOK_DRIVER_QEMU, vm->def->name, VIR_HOOK_QEMU_OP_RELEASE, VIR_HOOK_SUBOP_END, - NULL, xml, NULL); + virDomainShutoffReasonTypeToString(reason), xml, NULL); } virDomainObjRemoveTransientDef(vm); -- 2.45.2

4 months, 1 week

2
3
0 / 0

Plans for 10.5.0 release (freeze on Tuesday 25 Jun)

by Jiri Denemark

We are getting close to 10.5.0 release of libvirt. To aim for the release on Monday 01 Jul I suggest entering the freeze on Tuesday 25 Jun and tagging RC2 on Thursday 27 Jun. I hope this works for everyone. Jirka

4 months, 1 week

1
0
0 / 0

[PATCH 0/2] qemu: implement iommu coldplug/unplug

by Adam Julis

Adam Julis (2): syms: Properly export virDomainIOMMUDefFree() qemu: implement iommu coldplug/unplug src/libvirt_private.syms | 1 + src/qemu/qemu_driver.c | 20 ++++++++++++++++++-- 2 files changed, 19 insertions(+), 2 deletions(-) -- 2.45.0

4 months, 1 week

2
4
0 / 0

[PATCH v2] ci: fix CI package list and refresh with 'lcitool manifest'

by Daniel P. Berrangé

The ci/manifest.yml file references a package 'libclang-rt-dev' that does not exist in libvirt-ci mappings.yml. The latest refresh in commit 0759cf3fa6ed8d12bd327c5752785c53e35c8483 Author: Michal Prívozník <mprivozn(a)redhat.com> Date: Fri May 3 15:58:20 2024 +0200 ci: Introduce Ubuntu 24.04 was presumably done against a local change to libvirt-ci.git that had not yet been merged, as the clang packages now appear on many more build envs. Signed-off-by: Daniel P. Berrangé <berrange(a)redhat.com> --- ci/buildenv/almalinux-9.sh | 2 +- ci/buildenv/debian-11-cross-aarch64.sh | 1 + ci/buildenv/debian-11-cross-armv6l.sh | 1 + ci/buildenv/debian-11-cross-armv7l.sh | 1 + ci/buildenv/debian-11-cross-i686.sh | 1 + ci/buildenv/debian-11-cross-mips64el.sh | 1 + ci/buildenv/debian-11-cross-mipsel.sh | 1 + ci/buildenv/debian-11-cross-ppc64le.sh | 1 + ci/buildenv/debian-11-cross-s390x.sh | 1 + ci/buildenv/debian-11.sh | 1 + ci/buildenv/opensuse-leap-15.sh | 1 + ci/buildenv/opensuse-tumbleweed.sh | 1 + ci/buildenv/ubuntu-2204.sh | 1 + ci/containers/almalinux-9.Dockerfile | 2 +- ci/containers/debian-11-cross-aarch64.Dockerfile | 1 + ci/containers/debian-11-cross-armv6l.Dockerfile | 1 + ci/containers/debian-11-cross-armv7l.Dockerfile | 1 + ci/containers/debian-11-cross-i686.Dockerfile | 1 + ci/containers/debian-11-cross-mips64el.Dockerfile | 1 + ci/containers/debian-11-cross-mipsel.Dockerfile | 1 + ci/containers/debian-11-cross-ppc64le.Dockerfile | 1 + ci/containers/debian-11-cross-s390x.Dockerfile | 1 + ci/containers/debian-11.Dockerfile | 1 + ci/containers/opensuse-leap-15.Dockerfile | 1 + ci/containers/opensuse-tumbleweed.Dockerfile | 1 + ci/containers/ubuntu-2204.Dockerfile | 1 + ci/lcitool/projects/libvirt.yml | 2 +- 27 files changed, 27 insertions(+), 3 deletions(-) diff --git a/ci/buildenv/almalinux-9.sh b/ci/buildenv/almalinux-9.sh index f0826e1313..5791a73d23 100644 --- a/ci/buildenv/almalinux-9.sh +++ b/ci/buildenv/almalinux-9.sh @@ -16,7 +16,7 @@ function install_buildenv() { ca-certificates \ ccache \ clang \ - clang-devel \ + compiler-rt \ cpp \ cyrus-sasl-devel \ device-mapper-devel \ diff --git a/ci/buildenv/debian-11-cross-aarch64.sh b/ci/buildenv/debian-11-cross-aarch64.sh index 3afb09aee5..8540fb8d74 100644 --- a/ci/buildenv/debian-11-cross-aarch64.sh +++ b/ci/buildenv/debian-11-cross-aarch64.sh @@ -27,6 +27,7 @@ function install_buildenv() { iproute2 \ iptables \ kmod \ + libclang-dev \ libxml2-utils \ locales \ lvm2 \ diff --git a/ci/buildenv/debian-11-cross-armv6l.sh b/ci/buildenv/debian-11-cross-armv6l.sh index ff78ec0b86..131a7019c0 100644 --- a/ci/buildenv/debian-11-cross-armv6l.sh +++ b/ci/buildenv/debian-11-cross-armv6l.sh @@ -27,6 +27,7 @@ function install_buildenv() { iproute2 \ iptables \ kmod \ + libclang-dev \ libxml2-utils \ locales \ lvm2 \ diff --git a/ci/buildenv/debian-11-cross-armv7l.sh b/ci/buildenv/debian-11-cross-armv7l.sh index ff3ef03463..ba78ffcfac 100644 --- a/ci/buildenv/debian-11-cross-armv7l.sh +++ b/ci/buildenv/debian-11-cross-armv7l.sh @@ -27,6 +27,7 @@ function install_buildenv() { iproute2 \ iptables \ kmod \ + libclang-dev \ libxml2-utils \ locales \ lvm2 \ diff --git a/ci/buildenv/debian-11-cross-i686.sh b/ci/buildenv/debian-11-cross-i686.sh index e68e2ffcbe..104eb20805 100644 --- a/ci/buildenv/debian-11-cross-i686.sh +++ b/ci/buildenv/debian-11-cross-i686.sh @@ -27,6 +27,7 @@ function install_buildenv() { iproute2 \ iptables \ kmod \ + libclang-dev \ libxml2-utils \ locales \ lvm2 \ diff --git a/ci/buildenv/debian-11-cross-mips64el.sh b/ci/buildenv/debian-11-cross-mips64el.sh index 0653223a3d..7b1830453c 100644 --- a/ci/buildenv/debian-11-cross-mips64el.sh +++ b/ci/buildenv/debian-11-cross-mips64el.sh @@ -27,6 +27,7 @@ function install_buildenv() { iproute2 \ iptables \ kmod \ + libclang-dev \ libxml2-utils \ locales \ lvm2 \ diff --git a/ci/buildenv/debian-11-cross-mipsel.sh b/ci/buildenv/debian-11-cross-mipsel.sh index cee2feff59..eef5cdbfab 100644 --- a/ci/buildenv/debian-11-cross-mipsel.sh +++ b/ci/buildenv/debian-11-cross-mipsel.sh @@ -27,6 +27,7 @@ function install_buildenv() { iproute2 \ iptables \ kmod \ + libclang-dev \ libxml2-utils \ locales \ lvm2 \ diff --git a/ci/buildenv/debian-11-cross-ppc64le.sh b/ci/buildenv/debian-11-cross-ppc64le.sh index 7193d4acd0..f2c2f60623 100644 --- a/ci/buildenv/debian-11-cross-ppc64le.sh +++ b/ci/buildenv/debian-11-cross-ppc64le.sh @@ -27,6 +27,7 @@ function install_buildenv() { iproute2 \ iptables \ kmod \ + libclang-dev \ libxml2-utils \ locales \ lvm2 \ diff --git a/ci/buildenv/debian-11-cross-s390x.sh b/ci/buildenv/debian-11-cross-s390x.sh index ca0fb54839..519d9c8b31 100644 --- a/ci/buildenv/debian-11-cross-s390x.sh +++ b/ci/buildenv/debian-11-cross-s390x.sh @@ -27,6 +27,7 @@ function install_buildenv() { iproute2 \ iptables \ kmod \ + libclang-dev \ libxml2-utils \ locales \ lvm2 \ diff --git a/ci/buildenv/debian-11.sh b/ci/buildenv/debian-11.sh index 18350321b0..5986682af8 100644 --- a/ci/buildenv/debian-11.sh +++ b/ci/buildenv/debian-11.sh @@ -36,6 +36,7 @@ function install_buildenv() { libblkid-dev \ libc6-dev \ libcap-ng-dev \ + libclang-dev \ libcurl4-gnutls-dev \ libdevmapper-dev \ libfuse-dev \ diff --git a/ci/buildenv/opensuse-leap-15.sh b/ci/buildenv/opensuse-leap-15.sh index bc7394839b..a59af136ca 100644 --- a/ci/buildenv/opensuse-leap-15.sh +++ b/ci/buildenv/opensuse-leap-15.sh @@ -14,6 +14,7 @@ function install_buildenv() { ca-certificates \ ccache \ clang \ + clang-devel \ codespell \ cpp \ cppi \ diff --git a/ci/buildenv/opensuse-tumbleweed.sh b/ci/buildenv/opensuse-tumbleweed.sh index 88ccff99c6..ac566d349f 100644 --- a/ci/buildenv/opensuse-tumbleweed.sh +++ b/ci/buildenv/opensuse-tumbleweed.sh @@ -14,6 +14,7 @@ function install_buildenv() { ca-certificates \ ccache \ clang \ + clang-devel \ codespell \ cpp \ cppi \ diff --git a/ci/buildenv/ubuntu-2204.sh b/ci/buildenv/ubuntu-2204.sh index 6bd67ba777..c71a0b5f47 100644 --- a/ci/buildenv/ubuntu-2204.sh +++ b/ci/buildenv/ubuntu-2204.sh @@ -36,6 +36,7 @@ function install_buildenv() { libblkid-dev \ libc6-dev \ libcap-ng-dev \ + libclang-dev \ libcurl4-gnutls-dev \ libdevmapper-dev \ libfuse-dev \ diff --git a/ci/containers/almalinux-9.Dockerfile b/ci/containers/almalinux-9.Dockerfile index 68608b12a9..27ac990b22 100644 --- a/ci/containers/almalinux-9.Dockerfile +++ b/ci/containers/almalinux-9.Dockerfile @@ -17,7 +17,7 @@ RUN dnf update -y && \ ca-certificates \ ccache \ clang \ - clang-devel \ + compiler-rt \ cpp \ cyrus-sasl-devel \ device-mapper-devel \ diff --git a/ci/containers/debian-11-cross-aarch64.Dockerfile b/ci/containers/debian-11-cross-aarch64.Dockerfile index 0f971ff9cb..1cb573821f 100644 --- a/ci/containers/debian-11-cross-aarch64.Dockerfile +++ b/ci/containers/debian-11-cross-aarch64.Dockerfile @@ -29,6 +29,7 @@ RUN export DEBIAN_FRONTEND=noninteractive && \ iproute2 \ iptables \ kmod \ + libclang-dev \ libxml2-utils \ locales \ lvm2 \ diff --git a/ci/containers/debian-11-cross-armv6l.Dockerfile b/ci/containers/debian-11-cross-armv6l.Dockerfile index cfed7a7fc9..6989546ebf 100644 --- a/ci/containers/debian-11-cross-armv6l.Dockerfile +++ b/ci/containers/debian-11-cross-armv6l.Dockerfile @@ -29,6 +29,7 @@ RUN export DEBIAN_FRONTEND=noninteractive && \ iproute2 \ iptables \ kmod \ + libclang-dev \ libxml2-utils \ locales \ lvm2 \ diff --git a/ci/containers/debian-11-cross-armv7l.Dockerfile b/ci/containers/debian-11-cross-armv7l.Dockerfile index f703be3423..fcd6a6383b 100644 --- a/ci/containers/debian-11-cross-armv7l.Dockerfile +++ b/ci/containers/debian-11-cross-armv7l.Dockerfile @@ -29,6 +29,7 @@ RUN export DEBIAN_FRONTEND=noninteractive && \ iproute2 \ iptables \ kmod \ + libclang-dev \ libxml2-utils \ locales \ lvm2 \ diff --git a/ci/containers/debian-11-cross-i686.Dockerfile b/ci/containers/debian-11-cross-i686.Dockerfile index 58be733459..8d79934a52 100644 --- a/ci/containers/debian-11-cross-i686.Dockerfile +++ b/ci/containers/debian-11-cross-i686.Dockerfile @@ -29,6 +29,7 @@ RUN export DEBIAN_FRONTEND=noninteractive && \ iproute2 \ iptables \ kmod \ + libclang-dev \ libxml2-utils \ locales \ lvm2 \ diff --git a/ci/containers/debian-11-cross-mips64el.Dockerfile b/ci/containers/debian-11-cross-mips64el.Dockerfile index c3198e0470..d80f741311 100644 --- a/ci/containers/debian-11-cross-mips64el.Dockerfile +++ b/ci/containers/debian-11-cross-mips64el.Dockerfile @@ -29,6 +29,7 @@ RUN export DEBIAN_FRONTEND=noninteractive && \ iproute2 \ iptables \ kmod \ + libclang-dev \ libxml2-utils \ locales \ lvm2 \ diff --git a/ci/containers/debian-11-cross-mipsel.Dockerfile b/ci/containers/debian-11-cross-mipsel.Dockerfile index 21e9b0c7f9..dc674150f5 100644 --- a/ci/containers/debian-11-cross-mipsel.Dockerfile +++ b/ci/containers/debian-11-cross-mipsel.Dockerfile @@ -29,6 +29,7 @@ RUN export DEBIAN_FRONTEND=noninteractive && \ iproute2 \ iptables \ kmod \ + libclang-dev \ libxml2-utils \ locales \ lvm2 \ diff --git a/ci/containers/debian-11-cross-ppc64le.Dockerfile b/ci/containers/debian-11-cross-ppc64le.Dockerfile index 29be7997f8..fc3a9ee157 100644 --- a/ci/containers/debian-11-cross-ppc64le.Dockerfile +++ b/ci/containers/debian-11-cross-ppc64le.Dockerfile @@ -29,6 +29,7 @@ RUN export DEBIAN_FRONTEND=noninteractive && \ iproute2 \ iptables \ kmod \ + libclang-dev \ libxml2-utils \ locales \ lvm2 \ diff --git a/ci/containers/debian-11-cross-s390x.Dockerfile b/ci/containers/debian-11-cross-s390x.Dockerfile index fd1507b294..336694b2d3 100644 --- a/ci/containers/debian-11-cross-s390x.Dockerfile +++ b/ci/containers/debian-11-cross-s390x.Dockerfile @@ -29,6 +29,7 @@ RUN export DEBIAN_FRONTEND=noninteractive && \ iproute2 \ iptables \ kmod \ + libclang-dev \ libxml2-utils \ locales \ lvm2 \ diff --git a/ci/containers/debian-11.Dockerfile b/ci/containers/debian-11.Dockerfile index c16c43d407..6f08eb7448 100644 --- a/ci/containers/debian-11.Dockerfile +++ b/ci/containers/debian-11.Dockerfile @@ -38,6 +38,7 @@ RUN export DEBIAN_FRONTEND=noninteractive && \ libblkid-dev \ libc6-dev \ libcap-ng-dev \ + libclang-dev \ libcurl4-gnutls-dev \ libdevmapper-dev \ libfuse-dev \ diff --git a/ci/containers/opensuse-leap-15.Dockerfile b/ci/containers/opensuse-leap-15.Dockerfile index 6deaea0904..bf794d6929 100644 --- a/ci/containers/opensuse-leap-15.Dockerfile +++ b/ci/containers/opensuse-leap-15.Dockerfile @@ -15,6 +15,7 @@ RUN zypper update -y && \ ca-certificates \ ccache \ clang \ + clang-devel \ codespell \ cpp \ cppi \ diff --git a/ci/containers/opensuse-tumbleweed.Dockerfile b/ci/containers/opensuse-tumbleweed.Dockerfile index d4ebcd7176..2b7cdb4af5 100644 --- a/ci/containers/opensuse-tumbleweed.Dockerfile +++ b/ci/containers/opensuse-tumbleweed.Dockerfile @@ -15,6 +15,7 @@ RUN zypper dist-upgrade -y && \ ca-certificates \ ccache \ clang \ + clang-devel \ codespell \ cpp \ cppi \ diff --git a/ci/containers/ubuntu-2204.Dockerfile b/ci/containers/ubuntu-2204.Dockerfile index 8e32d992f3..5e8829bc2b 100644 --- a/ci/containers/ubuntu-2204.Dockerfile +++ b/ci/containers/ubuntu-2204.Dockerfile @@ -38,6 +38,7 @@ RUN export DEBIAN_FRONTEND=noninteractive && \ libblkid-dev \ libc6-dev \ libcap-ng-dev \ + libclang-dev \ libcurl4-gnutls-dev \ libdevmapper-dev \ libfuse-dev \ diff --git a/ci/lcitool/projects/libvirt.yml b/ci/lcitool/projects/libvirt.yml index a5d2248437..5e0bd66958 100644 --- a/ci/lcitool/projects/libvirt.yml +++ b/ci/lcitool/projects/libvirt.yml @@ -36,7 +36,7 @@ packages: - libblkid - libc - libcap-ng - - libclang-rt-dev + - libclang-rt - libcurl - libiscsi - libnbd -- 2.45.1

4 months, 1 week

2
1
0 / 0

[PATCH v2 0/4] qemu: Use TPM 2.0 in most scenarios

by Andrea Bolognani

Changes from [v1] * use TPM 2.0 more; * reject TPM 1.2 more; * add better comments to loongarch64 and s390x test cases. [v1] https://lists.libvirt.org/archives/list/devel@lists.libvirt.org/thread/YZ... Andrea Bolognani (4): tests: Add TPM coverage to default-models tests tests: Delete some redundant test cases qemu: Default to TPM 2.0 in most scenarios qemu: Reject TPM 1.2 in most scenarios src/qemu/qemu_domain.c | 13 ++-- src/qemu/qemu_validate.c | 22 +++--- ...aarch64-tpm-wrong-model.aarch64-latest.err | 2 +- .../aarch64-tpm.aarch64-latest.args | 34 --------- .../aarch64-tpm.aarch64-latest.xml | 29 -------- tests/qemuxmlconfdata/aarch64-tpm.xml | 15 ---- ...ault-models.aarch64-latest.abi-update.args | 3 + ...fault-models.aarch64-latest.abi-update.xml | 3 + ...64-virt-default-models.aarch64-latest.args | 3 + ...h64-virt-default-models.aarch64-latest.xml | 3 + .../aarch64-virt-default-models.xml | 3 + .../loongarch64-virt-default-models.xml | 3 + ...efault-models.ppc64-latest.abi-update.args | 3 + ...default-models.ppc64-latest.abi-update.xml | 4 ++ ...4-pseries-default-models.ppc64-latest.args | 3 + ...64-pseries-default-models.ppc64-latest.xml | 4 ++ .../ppc64-pseries-default-models.xml | 3 + ...ault-models.riscv64-latest.abi-update.args | 3 + ...fault-models.riscv64-latest.abi-update.xml | 3 + ...64-virt-default-models.riscv64-latest.args | 3 + ...v64-virt-default-models.riscv64-latest.xml | 3 + .../riscv64-virt-default-models.xml | 3 + .../s390x-ccw-default-models.xml | 2 + .../tpm-emulator-spapr.ppc64-latest.args | 45 ------------ .../tpm-emulator-spapr.ppc64-latest.xml | 1 - tests/qemuxmlconfdata/tpm-emulator-spapr.xml | 70 ------------------- ...fault-models.x86_64-latest.abi-update.args | 3 + ...efault-models.x86_64-latest.abi-update.xml | 3 + ...86_64-pc-default-models.x86_64-latest.args | 3 + ...x86_64-pc-default-models.x86_64-latest.xml | 3 + .../x86_64-pc-default-models.xml | 3 + ...fault-models.x86_64-latest.abi-update.args | 3 + ...efault-models.x86_64-latest.abi-update.xml | 3 + ...6_64-q35-default-models.x86_64-latest.args | 3 + ...86_64-q35-default-models.x86_64-latest.xml | 3 + .../x86_64-q35-default-models.xml | 3 + tests/qemuxmlconftest.c | 2 - 37 files changed, 100 insertions(+), 215 deletions(-) delete mode 100644 tests/qemuxmlconfdata/aarch64-tpm.aarch64-latest.args delete mode 100644 tests/qemuxmlconfdata/aarch64-tpm.aarch64-latest.xml delete mode 100644 tests/qemuxmlconfdata/aarch64-tpm.xml delete mode 100644 tests/qemuxmlconfdata/tpm-emulator-spapr.ppc64-latest.args delete mode 120000 tests/qemuxmlconfdata/tpm-emulator-spapr.ppc64-latest.xml delete mode 100644 tests/qemuxmlconfdata/tpm-emulator-spapr.xml -- 2.45.1

4 months, 1 week

3
9
0 / 0

[PATCH 2/2] qemu: implement iommu coldplug/unplug

by Adam Julis

Resolves: https://issues.redhat.com/browse/RHEL-23833 Signed-off-by: Adam Julis <ajulis(a)redhat.com> --- src/qemu/qemu_driver.c | 20 ++++++++++++++++++-- 1 file changed, 18 insertions(+), 2 deletions(-) diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c index 67b9778c67..74d5e3bb86 100644 --- a/src/qemu/qemu_driver.c +++ b/src/qemu/qemu_driver.c @@ -6847,6 +6847,15 @@ qemuDomainAttachDeviceConfig(virDomainDef *vmdef, vmdef->vsock = g_steal_pointer(&dev->data.vsock); break; + case VIR_DOMAIN_DEVICE_IOMMU: + if (vmdef->iommu) { + virReportError(VIR_ERR_OPERATION_INVALID, "%s", + _("domain already has an iommu configuration")); + return -1; + } + vmdef->iommu = g_steal_pointer(&dev->data.iommu); + break; + case VIR_DOMAIN_DEVICE_VIDEO: case VIR_DOMAIN_DEVICE_GRAPHICS: case VIR_DOMAIN_DEVICE_HUB: @@ -6856,7 +6865,6 @@ qemuDomainAttachDeviceConfig(virDomainDef *vmdef, case VIR_DOMAIN_DEVICE_NONE: case VIR_DOMAIN_DEVICE_TPM: case VIR_DOMAIN_DEVICE_PANIC: - case VIR_DOMAIN_DEVICE_IOMMU: case VIR_DOMAIN_DEVICE_AUDIO: case VIR_DOMAIN_DEVICE_CRYPTO: case VIR_DOMAIN_DEVICE_LAST: @@ -7057,6 +7065,15 @@ qemuDomainDetachDeviceConfig(virDomainDef *vmdef, g_clear_pointer(&vmdef->vsock, virDomainVsockDefFree); break; + case VIR_DOMAIN_DEVICE_IOMMU: + if (!vmdef->iommu) { + virReportError(VIR_ERR_OPERATION_FAILED, "%s", + _("matching iommu config not found")); + return -1; + } + g_clear_pointer(&vmdef->iommu, virDomainIOMMUDefFree); + break; + case VIR_DOMAIN_DEVICE_VIDEO: case VIR_DOMAIN_DEVICE_GRAPHICS: case VIR_DOMAIN_DEVICE_HUB: @@ -7066,7 +7083,6 @@ qemuDomainDetachDeviceConfig(virDomainDef *vmdef, case VIR_DOMAIN_DEVICE_NONE: case VIR_DOMAIN_DEVICE_TPM: case VIR_DOMAIN_DEVICE_PANIC: - case VIR_DOMAIN_DEVICE_IOMMU: case VIR_DOMAIN_DEVICE_AUDIO: case VIR_DOMAIN_DEVICE_CRYPTO: case VIR_DOMAIN_DEVICE_LAST: -- 2.44.0

4 months, 1 week

2
1
0 / 0

[PATCH] conf: add validation of potential dependencies

by Adam Julis

Although existing virDomainDefPostParse is called after modifying the XML and it contains validating process for changed device, the virDomainDefValidate function performs a more comprehensive check. It should detect errors resulting from dependencies between devices. Therefore, the virDomainDefValidate is added at the end. Signed-off-by: Adam Julis <ajulis(a)redhat.com> --- src/qemu/qemu_driver.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c index e2698c7924..67b9778c67 100644 --- a/src/qemu/qemu_driver.c +++ b/src/qemu/qemu_driver.c @@ -6869,6 +6869,9 @@ qemuDomainAttachDeviceConfig(virDomainDef *vmdef, if (virDomainDefPostParse(vmdef, parse_flags, xmlopt, qemuCaps) < 0) return -1; + if (virDomainDefValidate(vmdef, parse_flags, xmlopt, qemuCaps) < 0) + return -1; + return 0; } -- 2.44.0

4 months, 1 week

2
1
0 / 0

[PATCH v3] network: introduce a "none" firewall backend type

by Daniel P. Berrangé

There are two scenarios identified after the recent firewall backend selection was introduced, which result in libvirtd failing to startup due to an inability to find either iptables/nftables - On Linux if running unprivileged with $PATH lacking the dir containing iptables/nftables - On non-Linux where iptables/nftables never existed In the former case, it is preferrable to restore the behaviour whereby the driver starts successfully. Users will get an error reported when attempting to start any virtual network, due to the lack of permissions needed to create bridge devices. This makes the missing firewall backend irrelevant. In the latter case, the network driver calls the 'nop' platform implementation which does not attempt to implement any firewall logic, just allowing the network to start without firewall rules. To solve this are number of changes are required * Introduce VIR_FIREWALL_BACKEND_NONE, which does nothing except report a fatal error from virFirewallApply(). This code path is unreachable, since we'll never create a virFirewall object with with VIR_FIREWALL_BACKEND_NONE, so the error reporting is just a sanity check. * Ignore the compile time backend defaults and assume use of the 'none' backend if running unprivileged. This fixes the first regression, avoiding the failure to start libvirtd on Linux in unprivileged context, instead allowing use of the driver and expecting a permission denied when creating a bridge. * Reject the use of compile time backend defaults no non-Linux and hardcode the 'none' backend. The non-Linux platforms have no firewall implementation at all currently, so there's no reason to permit the use of 'firewall_backend_priority' meson option. This fixes the second regression, avoiding the failure to start libvirtd on non-Linux hosts due to non-existant Linux binaries. * Change the Linux platform backend to raise an error if the firewall backend is 'none'. Again this code path is unreachable by default since we'll fail to create the bridge before getting here, but if someone modified network.conf to request the 'none' backend, this will stop further progress. * Change the nop platform backend to raise an error if the firewall backend is 'iptables' or 'nftables'. Again this code path is unreachable, since we should already have failed to find the iptables/nftables binaries on non-Linux hosts, so this is just a sanity check. * 'none' is not permited as a value in 'firewall_backend_priority' meson option, since it is conceptually meaningless to ask for that on Linux. NB, 'firewall_backend_priority' allows repeated options temporarily, which we don't want. Meson intends to turn this into a hard error DEPRECATION: Duplicated values in array option is deprecated. This will become a hard error in the future. and we can live with the reduced error checking until that happens. Signed-off-by: Daniel P. Berrangé <berrange(a)redhat.com> --- Changed in v3: - Fix various syntax-check errors - Added note about meson tightening up validation of duplicated choices meson.build | 26 +++++++++++++++++++------- meson_options.txt | 2 +- po/POTFILES | 1 + src/network/bridge_driver_conf.c | 19 ++++++++++++++----- src/network/bridge_driver_linux.c | 10 ++++++++++ src/network/bridge_driver_nop.c | 15 ++++++++++++++- src/util/virfirewall.c | 6 ++++++ src/util/virfirewall.h | 1 + 8 files changed, 66 insertions(+), 14 deletions(-) diff --git a/meson.build b/meson.build index 5c7cd7ec2e..2e8b87280d 100644 --- a/meson.build +++ b/meson.build @@ -1647,15 +1647,27 @@ if not get_option('driver_network').disabled() and conf.has('WITH_LIBVIRTD') conf.set('WITH_NETWORK', 1) firewall_backend_priority = get_option('firewall_backend_priority') - if (not firewall_backend_priority.contains('nftables') or - not firewall_backend_priority.contains('iptables') or - firewall_backend_priority.length() != 2) - error('invalid value for firewall_backend_priority option') + if firewall_backend_priority.length() == 0 + if host_machine.system() == 'linux' + firewall_backend_priority = ['nftables', 'iptables'] + else + # No firewall impl on non-Linux so far, so force 'none' + # as placeholder + firewall_backend_priority = ['none'] + endif + else + if host_machine.system() != 'linux' + error('firewall backend priority only supported on linux hosts') + endif endif - conf.set('FIREWALL_BACKEND_PRIORITY_0', 'VIR_FIREWALL_BACKEND_' + firewall_backend_priority[0].to_upper()) - conf.set('FIREWALL_BACKEND_PRIORITY_1', 'VIR_FIREWALL_BACKEND_' + firewall_backend_priority[1].to_upper()) - conf.set('FIREWALL_BACKEND_PRIORITY_NUM', firewall_backend_priority.length()) + backends = [] + foreach backend: firewall_backend_priority + backend = 'VIR_FIREWALL_BACKEND_' + backend.to_upper() + backends += backend + endforeach + + conf.set('FIREWALL_BACKENDS', ', '.join(backends)) elif get_option('driver_network').enabled() error('libvirtd must be enabled to build the network driver') endif diff --git a/meson_options.txt b/meson_options.txt index 50d71427cb..2d440c63d8 100644 --- a/meson_options.txt +++ b/meson_options.txt @@ -117,7 +117,7 @@ option('dtrace', type: 'feature', value: 'auto', description: 'use dtrace for st option('firewalld', type: 'feature', value: 'auto', description: 'firewalld support') # dep:firewalld option('firewalld_zone', type: 'feature', value: 'auto', description: 'whether to install firewalld libvirt zone') -option('firewall_backend_priority', type: 'array', choices: ['nftables', 'iptables'], description: 'order in which to try firewall backends') +option('firewall_backend_priority', type: 'array', choices: ['nftables', 'iptables'], value: [], description: 'order in which to try firewall backends') option('host_validate', type: 'feature', value: 'auto', description: 'build virt-host-validate') option('init_script', type: 'combo', choices: ['systemd', 'openrc', 'check', 'none'], value: 'check', description: 'Style of init script to install') option('loader_nvram', type: 'string', value: '', description: 'Pass list of pairs of <loader>:<nvram> paths. Both pairs and list items are separated by a colon.') diff --git a/po/POTFILES b/po/POTFILES index 4bfbb91164..1ed4086d2c 100644 --- a/po/POTFILES +++ b/po/POTFILES @@ -143,6 +143,7 @@ src/lxc/lxc_process.c src/network/bridge_driver.c src/network/bridge_driver_conf.c src/network/bridge_driver_linux.c +src/network/bridge_driver_nop.c src/network/leaseshelper.c src/network/network_iptables.c src/network/network_nftables.c diff --git a/src/network/bridge_driver_conf.c b/src/network/bridge_driver_conf.c index e2f3613a41..9da5e790b7 100644 --- a/src/network/bridge_driver_conf.c +++ b/src/network/bridge_driver_conf.c @@ -61,6 +61,7 @@ networkGetDnsmasqCaps(virNetworkDriverState *driver) static int virNetworkLoadDriverConfig(virNetworkDriverConfig *cfg G_GNUC_UNUSED, + bool privileged, const char *filename) { g_autoptr(virConf) conf = NULL; @@ -68,13 +69,17 @@ virNetworkLoadDriverConfig(virNetworkDriverConfig *cfg G_GNUC_UNUSED, bool fwBackendSelected = false; size_t i; int fwBackends[] = { - FIREWALL_BACKEND_PRIORITY_0, - FIREWALL_BACKEND_PRIORITY_1, + FIREWALL_BACKENDS }; - G_STATIC_ASSERT(G_N_ELEMENTS(fwBackends) == VIR_FIREWALL_BACKEND_LAST); - G_STATIC_ASSERT(G_N_ELEMENTS(fwBackends) == FIREWALL_BACKEND_PRIORITY_NUM); + G_STATIC_ASSERT(G_N_ELEMENTS(fwBackends) > 0 && + G_N_ELEMENTS(fwBackends) <= VIR_FIREWALL_BACKEND_LAST); int nFwBackends = G_N_ELEMENTS(fwBackends); + if (!privileged) { + fwBackends[0] = VIR_FIREWALL_BACKEND_NONE; + nFwBackends = 1; + } + if (access(filename, R_OK) == 0) { conf = virConfReadFile(filename, 0); @@ -104,6 +109,10 @@ virNetworkLoadDriverConfig(virNetworkDriverConfig *cfg G_GNUC_UNUSED, for (i = 0; i < nFwBackends && !fwBackendSelected; i++) { switch ((virFirewallBackend)fwBackends[i]) { + case VIR_FIREWALL_BACKEND_NONE: + fwBackendSelected = true; + break; + case VIR_FIREWALL_BACKEND_IPTABLES: { g_autofree char *iptablesInPath = virFindFileInPath(IPTABLES); @@ -187,7 +196,7 @@ virNetworkDriverConfigNew(bool privileged) configfile = g_strconcat(configdir, "/network.conf", NULL); - if (virNetworkLoadDriverConfig(cfg, configfile) < 0) + if (virNetworkLoadDriverConfig(cfg, privileged, configfile) < 0) return NULL; if (g_mkdir_with_parents(cfg->stateDir, 0777) < 0) { diff --git a/src/network/bridge_driver_linux.c b/src/network/bridge_driver_linux.c index 35e6bd1154..fe7c6e193c 100644 --- a/src/network/bridge_driver_linux.c +++ b/src/network/bridge_driver_linux.c @@ -47,6 +47,11 @@ networkFirewallSetupPrivateChains(virFirewallBackend backend, virFirewallLayer layer) { switch (backend) { + case VIR_FIREWALL_BACKEND_NONE: + virReportError(VIR_ERR_NO_SUPPORT, "%s", + _("No firewall backend is available")); + return -1; + case VIR_FIREWALL_BACKEND_IPTABLES: return iptablesSetupPrivateChains(layer); @@ -417,6 +422,11 @@ networkAddFirewallRules(virNetworkDef *def, } switch (firewallBackend) { + case VIR_FIREWALL_BACKEND_NONE: + virReportError(VIR_ERR_NO_SUPPORT, "%s", + _("No firewall backend is available")); + return -1; + case VIR_FIREWALL_BACKEND_IPTABLES: return iptablesAddFirewallRules(def, fwRemoval); diff --git a/src/network/bridge_driver_nop.c b/src/network/bridge_driver_nop.c index 537b9234f8..8bf3367bff 100644 --- a/src/network/bridge_driver_nop.c +++ b/src/network/bridge_driver_nop.c @@ -19,6 +19,8 @@ #include <config.h> +#define VIR_FROM_THIS VIR_FROM_NETWORK + void networkPreReloadFirewallRules(virNetworkDriverState *driver G_GNUC_UNUSED, bool startup G_GNUC_UNUSED, bool force G_GNUC_UNUSED) @@ -37,9 +39,20 @@ int networkCheckRouteCollision(virNetworkDef *def G_GNUC_UNUSED) } int networkAddFirewallRules(virNetworkDef *def G_GNUC_UNUSED, - virFirewallBackend firewallBackend G_GNUC_UNUSED, + virFirewallBackend firewallBackend, virFirewall **fwRemoval G_GNUC_UNUSED) { + /* + * Shouldn't be possible, since virNetworkLoadDriverConfig + * ought to fail to find the required binaries when loading, + * so this is just a sanity check + */ + if (firewallBackend != VIR_FIREWALL_BACKEND_NONE) { + virReportError(VIR_ERR_NO_SUPPORT, + _("Firewall backend '%1$s' not available on this platform"), + virFirewallBackendTypeToString(firewallBackend)); + return -1; + } return 0; } diff --git a/src/util/virfirewall.c b/src/util/virfirewall.c index 2219506b18..090dbcdbed 100644 --- a/src/util/virfirewall.c +++ b/src/util/virfirewall.c @@ -37,6 +37,7 @@ VIR_LOG_INIT("util.firewall"); VIR_ENUM_IMPL(virFirewallBackend, VIR_FIREWALL_BACKEND_LAST, + "none", "iptables", "nftables"); @@ -815,6 +816,11 @@ virFirewallApplyCmd(virFirewall *firewall, } switch (virFirewallGetBackend(firewall)) { + case VIR_FIREWALL_BACKEND_NONE: + virReportError(VIR_ERR_NO_SUPPORT, "%s", + _("Firewall backend is not implemented")); + return -1; + case VIR_FIREWALL_BACKEND_IPTABLES: if (virFirewallCmdIptablesApply(firewall, fwCmd, &output) < 0) return -1; diff --git a/src/util/virfirewall.h b/src/util/virfirewall.h index 302a6a4e5b..bce51259d2 100644 --- a/src/util/virfirewall.h +++ b/src/util/virfirewall.h @@ -44,6 +44,7 @@ typedef enum { } virFirewallLayer; typedef enum { + VIR_FIREWALL_BACKEND_NONE, /* Always fails */ VIR_FIREWALL_BACKEND_IPTABLES, VIR_FIREWALL_BACKEND_NFTABLES, -- 2.45.1

4 months, 1 week

2
1
0 / 0

[PATCH] conf: Drop needless NULL checks guarding virBufferEscapeString()

by Michal Privoznik

There's no need to guard virBufferEscapeString() with a call to NULL as the very first thing the function does is check all three arguments for NULL. This patch was generated using the following spatch: @@ expression X, Y, E; @@ - if (E) virBufferEscapeString(X, Y, E); Signed-off-by: Michal Privoznik <mprivozn(a)redhat.com> --- src/conf/capabilities.c | 6 ++-- src/conf/domain_conf.c | 57 +++++++++++------------------- src/conf/network_conf.c | 6 ++-- src/conf/node_device_conf.c | 57 ++++++++++++------------------ src/conf/snapshot_conf.c | 5 ++- src/conf/storage_encryption_conf.c | 9 ++--- src/conf/storage_source_conf.c | 3 +- src/conf/virnwfilterbindingdef.c | 3 +- 8 files changed, 55 insertions(+), 91 deletions(-) diff --git a/src/conf/capabilities.c b/src/conf/capabilities.c index fe5e42c167..74e6293766 100644 --- a/src/conf/capabilities.c +++ b/src/conf/capabilities.c @@ -693,10 +693,8 @@ virCapabilitiesDomainDataLookupInternal(virCaps *caps, if (domaintype > VIR_DOMAIN_VIRT_NONE) virBufferAsprintf(&buf, "domaintype=%s ", virDomainVirtTypeToString(domaintype)); - if (emulator) - virBufferEscapeString(&buf, "emulator=%s ", emulator); - if (machinetype) - virBufferEscapeString(&buf, "machine=%s ", machinetype); + virBufferEscapeString(&buf, "emulator=%s ", emulator); + virBufferEscapeString(&buf, "machine=%s ", machinetype); if (virBufferCurrentContent(&buf) && !virBufferCurrentContent(&buf)[0]) virBufferAsprintf(&buf, "%s", _("any configuration")); diff --git a/src/conf/domain_conf.c b/src/conf/domain_conf.c index fde594f811..2f1e99865b 100644 --- a/src/conf/domain_conf.c +++ b/src/conf/domain_conf.c @@ -5394,8 +5394,7 @@ virDomainDeviceInfoFormat(virBuffer *buf, if (rombar) virBufferAsprintf(buf, " bar='%s'", rombar); } - if (info->romfile) - virBufferEscapeString(buf, " file='%s'", info->romfile); + virBufferEscapeString(buf, " file='%s'", info->romfile); virBufferAddLit(buf, "/>\n"); } @@ -22175,8 +22174,7 @@ virSecurityDeviceLabelDefFormat(virBuffer *buf, virBufferAddLit(buf, "<seclabel"); - if (def->model) - virBufferEscapeString(buf, " model='%s'", def->model); + virBufferEscapeString(buf, " model='%s'", def->model); if (def->labelskip) virBufferAddLit(buf, " labelskip='yes'"); @@ -22371,8 +22369,7 @@ virDomainDiskSourceFormatNetwork(virBuffer *attrBuf, virBufferAsprintf(childBuf, "<timeout seconds='%llu'/>\n", src->timeout); if (src->protocol == VIR_STORAGE_NET_PROTOCOL_SSH) { - if (src->ssh_known_hosts_file) - virBufferEscapeString(childBuf, "<knownHosts path='%s'/>\n", src->ssh_known_hosts_file); + virBufferEscapeString(childBuf, "<knownHosts path='%s'/>\n", src->ssh_known_hosts_file); if (src->ssh_keyfile || src->ssh_agent) { virBufferAddLit(childBuf, "<identity"); @@ -23162,8 +23159,7 @@ virDomainControllerDefFormat(virBuffer *buf, " type='%s' index='%d'", type, def->idx); - if (model) - virBufferEscapeString(&attrBuf, " model='%s'", model); + virBufferEscapeString(&attrBuf, " model='%s'", model); switch (def->type) { case VIR_DOMAIN_CONTROLLER_TYPE_VIRTIO_SERIAL: @@ -24581,8 +24577,7 @@ virDomainChrTargetDefFormat(virBuffer *buf, case VIR_DOMAIN_CHR_CHANNEL_TARGET_TYPE_XEN: case VIR_DOMAIN_CHR_CHANNEL_TARGET_TYPE_VIRTIO: - if (def->target.name) - virBufferEscapeString(buf, " name='%s'", def->target.name); + virBufferEscapeString(buf, " name='%s'", def->target.name); if (def->targetType == VIR_DOMAIN_CHR_CHANNEL_TARGET_TYPE_VIRTIO && def->state != VIR_DOMAIN_CHR_DEVICE_STATE_DEFAULT && @@ -26004,9 +25999,8 @@ virDomainGraphicsDefFormat(virBuffer *buf, break; } - if (def->data.vnc.keymap) - virBufferEscapeString(buf, " keymap='%s'", - def->data.vnc.keymap); + virBufferEscapeString(buf, " keymap='%s'", + def->data.vnc.keymap); if (def->data.vnc.sharePolicy) virBufferAsprintf(buf, " sharePolicy='%s'", @@ -26021,13 +26015,11 @@ virDomainGraphicsDefFormat(virBuffer *buf, break; case VIR_DOMAIN_GRAPHICS_TYPE_SDL: - if (def->data.sdl.display) - virBufferEscapeString(buf, " display='%s'", - def->data.sdl.display); + virBufferEscapeString(buf, " display='%s'", + def->data.sdl.display); - if (def->data.sdl.xauth) - virBufferEscapeString(buf, " xauth='%s'", - def->data.sdl.xauth); + virBufferEscapeString(buf, " xauth='%s'", + def->data.sdl.xauth); if (def->data.sdl.fullscreen) virBufferAddLit(buf, " fullscreen='yes'"); @@ -26066,9 +26058,8 @@ virDomainGraphicsDefFormat(virBuffer *buf, break; case VIR_DOMAIN_GRAPHICS_TYPE_DESKTOP: - if (def->data.desktop.display) - virBufferEscapeString(buf, " display='%s'", - def->data.desktop.display); + virBufferEscapeString(buf, " display='%s'", + def->data.desktop.display); if (def->data.desktop.fullscreen) virBufferAddLit(buf, " fullscreen='yes'"); @@ -26121,9 +26112,8 @@ virDomainGraphicsDefFormat(virBuffer *buf, break; } - if (def->data.spice.keymap) - virBufferEscapeString(buf, " keymap='%s'", - def->data.spice.keymap); + virBufferEscapeString(buf, " keymap='%s'", + def->data.spice.keymap); if (def->data.spice.defaultMode != VIR_DOMAIN_GRAPHICS_SPICE_CHANNEL_MODE_ANY) virBufferAsprintf(buf, " defaultMode='%s'", @@ -26503,11 +26493,9 @@ virDomainResourceDefFormat(virBuffer *buf, if (!def) return; - if (def->partition) - virBufferEscapeString(&childBuf, "<partition>%s</partition>\n", def->partition); + virBufferEscapeString(&childBuf, "<partition>%s</partition>\n", def->partition); - if (def->appid) - virBufferEscapeString(&childBuf, "<fibrechannel appid='%s'/>\n", def->appid); + virBufferEscapeString(&childBuf, "<fibrechannel appid='%s'/>\n", def->appid); virXMLFormatElement(buf, "resource", NULL, &childBuf); } @@ -26680,11 +26668,9 @@ virDomainSecDefFormat(virBuffer *buf, virDomainSecDef *sec) virBufferAsprintf(&childBuf, "<reducedPhysBits>%d</reducedPhysBits>\n", sev->reduced_phys_bits); virBufferAsprintf(&childBuf, "<policy>0x%04x</policy>\n", sev->policy); - if (sev->dh_cert) - virBufferEscapeString(&childBuf, "<dhCert>%s</dhCert>\n", sev->dh_cert); + virBufferEscapeString(&childBuf, "<dhCert>%s</dhCert>\n", sev->dh_cert); - if (sev->session) - virBufferEscapeString(&childBuf, "<session>%s</session>\n", sev->session); + virBufferEscapeString(&childBuf, "<session>%s</session>\n", sev->session); break; } @@ -27910,9 +27896,8 @@ virDomainDefFormatInternalSetRootName(virDomainDef *def, for (i = 0; def->os.initenv && def->os.initenv[i]; i++) virBufferAsprintf(buf, "<initenv name='%s'>%s</initenv>\n", def->os.initenv[i]->name, def->os.initenv[i]->value); - if (def->os.initdir) - virBufferEscapeString(buf, "<initdir>%s</initdir>\n", - def->os.initdir); + virBufferEscapeString(buf, "<initdir>%s</initdir>\n", + def->os.initdir); if (def->os.inituser) virBufferAsprintf(buf, "<inituser>%s</inituser>\n", def->os.inituser); if (def->os.initgroup) diff --git a/src/conf/network_conf.c b/src/conf/network_conf.c index cc92ed0b03..f5ccf4bd12 100644 --- a/src/conf/network_conf.c +++ b/src/conf/network_conf.c @@ -2004,10 +2004,8 @@ virNetworkDNSDefFormat(virBuffer *buf, def->srvs[i].service); virBufferEscapeString(buf, "protocol='%s'", def->srvs[i].protocol); - if (def->srvs[i].domain) - virBufferEscapeString(buf, " domain='%s'", def->srvs[i].domain); - if (def->srvs[i].target) - virBufferEscapeString(buf, " target='%s'", def->srvs[i].target); + virBufferEscapeString(buf, " domain='%s'", def->srvs[i].domain); + virBufferEscapeString(buf, " target='%s'", def->srvs[i].target); if (def->srvs[i].port) virBufferAsprintf(buf, " port='%d'", def->srvs[i].port); if (def->srvs[i].priority) diff --git a/src/conf/node_device_conf.c b/src/conf/node_device_conf.c index fe6d9a36b2..d2b578178b 100644 --- a/src/conf/node_device_conf.c +++ b/src/conf/node_device_conf.c @@ -176,20 +176,16 @@ virNodeDeviceCapSystemDefFormat(virBuffer *buf, { char uuidstr[VIR_UUID_STRING_BUFLEN]; - if (data->system.product_name) - virBufferEscapeString(buf, "<product>%s</product>\n", - data->system.product_name); + virBufferEscapeString(buf, "<product>%s</product>\n", + data->system.product_name); virBufferAddLit(buf, "<hardware>\n"); virBufferAdjustIndent(buf, 2); - if (data->system.hardware.vendor_name) - virBufferEscapeString(buf, "<vendor>%s</vendor>\n", - data->system.hardware.vendor_name); - if (data->system.hardware.version) - virBufferEscapeString(buf, "<version>%s</version>\n", - data->system.hardware.version); - if (data->system.hardware.serial) - virBufferEscapeString(buf, "<serial>%s</serial>\n", - data->system.hardware.serial); + virBufferEscapeString(buf, "<vendor>%s</vendor>\n", + data->system.hardware.vendor_name); + virBufferEscapeString(buf, "<version>%s</version>\n", + data->system.hardware.version); + virBufferEscapeString(buf, "<serial>%s</serial>\n", + data->system.hardware.serial); virUUIDFormat(data->system.hardware.uuid, uuidstr); virBufferAsprintf(buf, "<uuid>%s</uuid>\n", uuidstr); virBufferAdjustIndent(buf, -2); @@ -197,15 +193,12 @@ virNodeDeviceCapSystemDefFormat(virBuffer *buf, virBufferAddLit(buf, "<firmware>\n"); virBufferAdjustIndent(buf, 2); - if (data->system.firmware.vendor_name) - virBufferEscapeString(buf, "<vendor>%s</vendor>\n", - data->system.firmware.vendor_name); - if (data->system.firmware.version) - virBufferEscapeString(buf, "<version>%s</version>\n", - data->system.firmware.version); - if (data->system.firmware.release_date) - virBufferEscapeString(buf, "<release_date>%s</release_date>\n", - data->system.firmware.release_date); + virBufferEscapeString(buf, "<vendor>%s</vendor>\n", + data->system.firmware.vendor_name); + virBufferEscapeString(buf, "<version>%s</version>\n", + data->system.firmware.version); + virBufferEscapeString(buf, "<release_date>%s</release_date>\n", + data->system.firmware.release_date); virBufferAdjustIndent(buf, -2); virBufferAddLit(buf, "</firmware>\n"); } @@ -225,9 +218,8 @@ virNodeDeviceCapMdevTypesFormat(virBuffer *buf, virMediatedDeviceType *type = mdev_types[i]; virBufferEscapeString(buf, "<type id='%s'>\n", type->id); virBufferAdjustIndent(buf, 2); - if (type->name) - virBufferEscapeString(buf, "<name>%s</name>\n", - type->name); + virBufferEscapeString(buf, "<name>%s</name>\n", + type->name); virBufferEscapeString(buf, "<deviceAPI>%s</deviceAPI>\n", type->device_api); virBufferAsprintf(buf, @@ -454,10 +446,9 @@ virNodeDeviceCapUSBInterfaceDefFormat(virBuffer *buf, data->usb_if.subclass); virBufferAsprintf(buf, "<protocol>%d</protocol>\n", data->usb_if.protocol); - if (data->usb_if.description) - virBufferEscapeString(buf, - "<description>%s</description>\n", - data->usb_if.description); + virBufferEscapeString(buf, + "<description>%s</description>\n", + data->usb_if.description); } @@ -469,9 +460,8 @@ virNodeDeviceCapNetDefFormat(virBuffer *buf, virBufferEscapeString(buf, "<interface>%s</interface>\n", data->net.ifname); - if (data->net.address) - virBufferEscapeString(buf, "<address>%s</address>\n", - data->net.address); + virBufferEscapeString(buf, "<address>%s</address>\n", + data->net.address); virInterfaceLinkFormat(buf, &data->net.lnk); if (data->net.features) { for (i = 0; i < VIR_NET_DEV_FEAT_LAST; i++) { @@ -533,9 +523,8 @@ virNodeDeviceCapSCSIDefFormat(virBuffer *buf, virBufferAsprintf(buf, "<target>%d</target>\n", data->scsi.target); virBufferAsprintf(buf, "<lun>%d</lun>\n", data->scsi.lun); - if (data->scsi.type) - virBufferEscapeString(buf, "<type>%s</type>\n", - data->scsi.type); + virBufferEscapeString(buf, "<type>%s</type>\n", + data->scsi.type); } diff --git a/src/conf/snapshot_conf.c b/src/conf/snapshot_conf.c index d7fcded302..039ed77b84 100644 --- a/src/conf/snapshot_conf.c +++ b/src/conf/snapshot_conf.c @@ -819,9 +819,8 @@ virDomainSnapshotDefFormatInternal(virBuffer *buf, virBufferAdjustIndent(buf, 2); virBufferEscapeString(buf, "<name>%s</name>\n", def->parent.name); - if (def->parent.description) - virBufferEscapeString(buf, "<description>%s</description>\n", - def->parent.description); + virBufferEscapeString(buf, "<description>%s</description>\n", + def->parent.description); if (def->state) virBufferAsprintf(buf, "<state>%s</state>\n", virDomainSnapshotStateTypeToString(def->state)); diff --git a/src/conf/storage_encryption_conf.c b/src/conf/storage_encryption_conf.c index 1849df5c6c..b86001ec50 100644 --- a/src/conf/storage_encryption_conf.c +++ b/src/conf/storage_encryption_conf.c @@ -317,16 +317,13 @@ virStorageEncryptionInfoDefFormat(virBuffer *buf, { virBufferEscapeString(buf, "<cipher name='%s'", enc->cipher_name); virBufferAsprintf(buf, " size='%u'", enc->cipher_size); - if (enc->cipher_mode) - virBufferEscapeString(buf, " mode='%s'", enc->cipher_mode); - if (enc->cipher_hash) - virBufferEscapeString(buf, " hash='%s'", enc->cipher_hash); + virBufferEscapeString(buf, " mode='%s'", enc->cipher_mode); + virBufferEscapeString(buf, " hash='%s'", enc->cipher_hash); virBufferAddLit(buf, "/>\n"); if (enc->ivgen_name) { virBufferEscapeString(buf, "<ivgen name='%s'", enc->ivgen_name); - if (enc->ivgen_hash) - virBufferEscapeString(buf, " hash='%s'", enc->ivgen_hash); + virBufferEscapeString(buf, " hash='%s'", enc->ivgen_hash); virBufferAddLit(buf, "/>\n"); } } diff --git a/src/conf/storage_source_conf.c b/src/conf/storage_source_conf.c index 959ec5ed40..908bc5fab2 100644 --- a/src/conf/storage_source_conf.c +++ b/src/conf/storage_source_conf.c @@ -1347,8 +1347,7 @@ int virStorageSourcePrivateDataFormatRelPath(virStorageSource *src, virBuffer *buf) { - if (src->relPath) - virBufferEscapeString(buf, "<relPath>%s</relPath>\n", src->relPath); + virBufferEscapeString(buf, "<relPath>%s</relPath>\n", src->relPath); return 0; } diff --git a/src/conf/virnwfilterbindingdef.c b/src/conf/virnwfilterbindingdef.c index 423ed7a392..fe45c84347 100644 --- a/src/conf/virnwfilterbindingdef.c +++ b/src/conf/virnwfilterbindingdef.c @@ -203,8 +203,7 @@ virNWFilterBindingDefFormatBuf(virBuffer *buf, virBufferAddLit(buf, "</owner>\n"); virBufferEscapeString(buf, "<portdev name='%s'/>\n", def->portdevname); - if (def->linkdevname) - virBufferEscapeString(buf, "<linkdev name='%s'/>\n", def->linkdevname); + virBufferEscapeString(buf, "<linkdev name='%s'/>\n", def->linkdevname); virMacAddrFormat(&def->mac, mac); virBufferAsprintf(buf, "<mac address='%s'/>\n", mac); -- 2.44.2

4 months, 1 week

2
1
0 / 0

[PATCH v2] network: introduce a "none" firewall backend type

by Daniel P. Berrangé

There are two scenarios identified after the recent firewall backend selection was introduced, which result in libvirtd failing to startup due to an inability to find either iptables/nftables - On Linux if running unprivileged with $PATH lacking the dir containing iptables/nftables - On non-Linux where iptables/nftables never existed In the former case, it is preferrable to restore the behaviour whereby the driver starts successfully. Users will get an error reported when attempting to start any virtual network, due to the lack of permissions needed to create bridge devices. This makes the missing firewall backend irrelevant. In the latter case, the network driver calls the 'nop' platform implementation which does not attempt to implement any firewall logic, just allowing the network to start without firewall rules. To solve this are number of changes are required * Introduce VIR_FIREWALL_BACKEND_NONE, which does nothing except report a fatal error from virFirewallApply(). This code path is unreachable, since we'll never create a virFirewall object with with VIR_FIREWALL_BACKEND_NONE, so the error reporting is just a sanity check. * Ignore the compile time backend defaults and assume use of the 'none' backend if running unprivileged. This fixes the first regression, avoiding the failure to start libvirtd on Linux in unprivileged context, instead allowing use of the driver and expecting a permission denied when creating a bridge. * Reject the use of compile time backend defaults no non-Linux and hardcode the 'none' backend. The non-Linux platforms have no firewall implementation at all currently, so there's no reason to permit the use of 'firewall_backend_priority' meson option. This fixes the second regression, avoiding the failure to start libvirtd on non-Linux hosts due to non-existant Linux binaries. * Change the Linux platform backend to raise an error if the firewall backend is 'none'. Again this code path is unreachable by default since we'll fail to create the bridge before getting here, but if someone modified network.conf to request the 'none' backend, this will stop further progress. * Change the nop platform backend to raise an error if the firewall backend is 'iptables' or 'nftables'. Again this code path is unreachable, since we should already have failed to find the iptables/nftables binaries on non-Linux hosts, so this is just a sanity check. * 'none' is not permited as a value in 'firewall_backend_priority' meson option, since it is conceptually meaningless to ask for that on Linux. Signed-off-by: Daniel P. Berrangé <berrange(a)redhat.com> --- Changed in v2: - Fix build problems on FreeBSD (changes proposed by Roman) meson.build | 26 +++++++++++++++++++------- meson_options.txt | 2 +- src/network/bridge_driver_conf.c | 19 ++++++++++++++----- src/network/bridge_driver_linux.c | 10 ++++++++++ src/network/bridge_driver_nop.c | 15 ++++++++++++++- src/util/virfirewall.c | 6 ++++++ src/util/virfirewall.h | 1 + 7 files changed, 65 insertions(+), 14 deletions(-) diff --git a/meson.build b/meson.build index 5c7cd7ec2e..2e8b87280d 100644 --- a/meson.build +++ b/meson.build @@ -1647,15 +1647,27 @@ if not get_option('driver_network').disabled() and conf.has('WITH_LIBVIRTD') conf.set('WITH_NETWORK', 1) firewall_backend_priority = get_option('firewall_backend_priority') - if (not firewall_backend_priority.contains('nftables') or - not firewall_backend_priority.contains('iptables') or - firewall_backend_priority.length() != 2) - error('invalid value for firewall_backend_priority option') + if firewall_backend_priority.length() == 0 + if host_machine.system() == 'linux' + firewall_backend_priority = ['nftables', 'iptables'] + else + # No firewall impl on non-Linux so far, so force 'none' + # as placeholder + firewall_backend_priority = ['none'] + endif + else + if host_machine.system() != 'linux' + error('firewall backend priority only supported on linux hosts') + endif endif - conf.set('FIREWALL_BACKEND_PRIORITY_0', 'VIR_FIREWALL_BACKEND_' + firewall_backend_priority[0].to_upper()) - conf.set('FIREWALL_BACKEND_PRIORITY_1', 'VIR_FIREWALL_BACKEND_' + firewall_backend_priority[1].to_upper()) - conf.set('FIREWALL_BACKEND_PRIORITY_NUM', firewall_backend_priority.length()) + backends = [] + foreach backend: firewall_backend_priority + backend = 'VIR_FIREWALL_BACKEND_' + backend.to_upper() + backends += backend + endforeach + + conf.set('FIREWALL_BACKENDS', ', '.join(backends)) elif get_option('driver_network').enabled() error('libvirtd must be enabled to build the network driver') endif diff --git a/meson_options.txt b/meson_options.txt index 50d71427cb..2d440c63d8 100644 --- a/meson_options.txt +++ b/meson_options.txt @@ -117,7 +117,7 @@ option('dtrace', type: 'feature', value: 'auto', description: 'use dtrace for st option('firewalld', type: 'feature', value: 'auto', description: 'firewalld support') # dep:firewalld option('firewalld_zone', type: 'feature', value: 'auto', description: 'whether to install firewalld libvirt zone') -option('firewall_backend_priority', type: 'array', choices: ['nftables', 'iptables'], description: 'order in which to try firewall backends') +option('firewall_backend_priority', type: 'array', choices: ['nftables', 'iptables'], value: [], description: 'order in which to try firewall backends') option('host_validate', type: 'feature', value: 'auto', description: 'build virt-host-validate') option('init_script', type: 'combo', choices: ['systemd', 'openrc', 'check', 'none'], value: 'check', description: 'Style of init script to install') option('loader_nvram', type: 'string', value: '', description: 'Pass list of pairs of <loader>:<nvram> paths. Both pairs and list items are separated by a colon.') diff --git a/src/network/bridge_driver_conf.c b/src/network/bridge_driver_conf.c index e2f3613a41..9da5e790b7 100644 --- a/src/network/bridge_driver_conf.c +++ b/src/network/bridge_driver_conf.c @@ -61,6 +61,7 @@ networkGetDnsmasqCaps(virNetworkDriverState *driver) static int virNetworkLoadDriverConfig(virNetworkDriverConfig *cfg G_GNUC_UNUSED, + bool privileged, const char *filename) { g_autoptr(virConf) conf = NULL; @@ -68,13 +69,17 @@ virNetworkLoadDriverConfig(virNetworkDriverConfig *cfg G_GNUC_UNUSED, bool fwBackendSelected = false; size_t i; int fwBackends[] = { - FIREWALL_BACKEND_PRIORITY_0, - FIREWALL_BACKEND_PRIORITY_1, + FIREWALL_BACKENDS }; - G_STATIC_ASSERT(G_N_ELEMENTS(fwBackends) == VIR_FIREWALL_BACKEND_LAST); - G_STATIC_ASSERT(G_N_ELEMENTS(fwBackends) == FIREWALL_BACKEND_PRIORITY_NUM); + G_STATIC_ASSERT(G_N_ELEMENTS(fwBackends) > 0 && + G_N_ELEMENTS(fwBackends) <= VIR_FIREWALL_BACKEND_LAST); int nFwBackends = G_N_ELEMENTS(fwBackends); + if (!privileged) { + fwBackends[0] = VIR_FIREWALL_BACKEND_NONE; + nFwBackends = 1; + } + if (access(filename, R_OK) == 0) { conf = virConfReadFile(filename, 0); @@ -104,6 +109,10 @@ virNetworkLoadDriverConfig(virNetworkDriverConfig *cfg G_GNUC_UNUSED, for (i = 0; i < nFwBackends && !fwBackendSelected; i++) { switch ((virFirewallBackend)fwBackends[i]) { + case VIR_FIREWALL_BACKEND_NONE: + fwBackendSelected = true; + break; + case VIR_FIREWALL_BACKEND_IPTABLES: { g_autofree char *iptablesInPath = virFindFileInPath(IPTABLES); @@ -187,7 +196,7 @@ virNetworkDriverConfigNew(bool privileged) configfile = g_strconcat(configdir, "/network.conf", NULL); - if (virNetworkLoadDriverConfig(cfg, configfile) < 0) + if (virNetworkLoadDriverConfig(cfg, privileged, configfile) < 0) return NULL; if (g_mkdir_with_parents(cfg->stateDir, 0777) < 0) { diff --git a/src/network/bridge_driver_linux.c b/src/network/bridge_driver_linux.c index 35e6bd1154..fe7c6e193c 100644 --- a/src/network/bridge_driver_linux.c +++ b/src/network/bridge_driver_linux.c @@ -47,6 +47,11 @@ networkFirewallSetupPrivateChains(virFirewallBackend backend, virFirewallLayer layer) { switch (backend) { + case VIR_FIREWALL_BACKEND_NONE: + virReportError(VIR_ERR_NO_SUPPORT, "%s", + _("No firewall backend is available")); + return -1; + case VIR_FIREWALL_BACKEND_IPTABLES: return iptablesSetupPrivateChains(layer); @@ -417,6 +422,11 @@ networkAddFirewallRules(virNetworkDef *def, } switch (firewallBackend) { + case VIR_FIREWALL_BACKEND_NONE: + virReportError(VIR_ERR_NO_SUPPORT, "%s", + _("No firewall backend is available")); + return -1; + case VIR_FIREWALL_BACKEND_IPTABLES: return iptablesAddFirewallRules(def, fwRemoval); diff --git a/src/network/bridge_driver_nop.c b/src/network/bridge_driver_nop.c index 537b9234f8..2114d521d1 100644 --- a/src/network/bridge_driver_nop.c +++ b/src/network/bridge_driver_nop.c @@ -19,6 +19,8 @@ #include <config.h> +#define VIR_FROM_THIS VIR_FROM_NETWORK + void networkPreReloadFirewallRules(virNetworkDriverState *driver G_GNUC_UNUSED, bool startup G_GNUC_UNUSED, bool force G_GNUC_UNUSED) @@ -37,9 +39,20 @@ int networkCheckRouteCollision(virNetworkDef *def G_GNUC_UNUSED) } int networkAddFirewallRules(virNetworkDef *def G_GNUC_UNUSED, - virFirewallBackend firewallBackend G_GNUC_UNUSED, + virFirewallBackend firewallBackend, virFirewall **fwRemoval G_GNUC_UNUSED) { + /* + * Shouldn't be possible, since virNetworkLoadDriverConfig + * ought to fail to find the required binaries when loading, + * so this is just a sanity check + */ + if (firewallBackend != VIR_FIREWALL_BACKEND_NONE) { + virReportError(VIR_ERR_NO_SUPPORT, + _("Firewall backend '%s' not available on this platform"), + virFirewallBackendTypeToString(firewallBackend)); + return -1; + } return 0; } diff --git a/src/util/virfirewall.c b/src/util/virfirewall.c index 2219506b18..d374f54b64 100644 --- a/src/util/virfirewall.c +++ b/src/util/virfirewall.c @@ -37,6 +37,7 @@ VIR_LOG_INIT("util.firewall"); VIR_ENUM_IMPL(virFirewallBackend, VIR_FIREWALL_BACKEND_LAST, + "none", "iptables", "nftables"); @@ -815,6 +816,11 @@ virFirewallApplyCmd(virFirewall *firewall, } switch (virFirewallGetBackend(firewall)) { + case VIR_FIREWALL_BACKEND_NONE: + virReportError(VIR_ERR_NO_SUPPORT, + _("Firewall backend is not implemented")); + return -1; + case VIR_FIREWALL_BACKEND_IPTABLES: if (virFirewallCmdIptablesApply(firewall, fwCmd, &output) < 0) return -1; diff --git a/src/util/virfirewall.h b/src/util/virfirewall.h index 302a6a4e5b..bce51259d2 100644 --- a/src/util/virfirewall.h +++ b/src/util/virfirewall.h @@ -44,6 +44,7 @@ typedef enum { } virFirewallLayer; typedef enum { + VIR_FIREWALL_BACKEND_NONE, /* Always fails */ VIR_FIREWALL_BACKEND_IPTABLES, VIR_FIREWALL_BACKEND_NFTABLES, -- 2.45.1

4 months, 1 week

4
9
0 / 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

Devel June 2024