The fix for CVE-2018-6764 introduced a potential deadlock scenario
that gets triggered by the NSS module when virGetHostname() calls
getaddrinfo to resolve the hostname:

 #0  0x00007f6e714b57e7 in futex_wait
 #1  futex_wait_simple
 #2  __pthread_once_slow
 #3  0x00007f6e71d16e7d in virOnce
 #4  0x00007f6e71d0997c in virLogInitialize
 #5  0x00007f6e71d0a09a in virLogVMessage
 #6  0x00007f6e71d09ffd in virLogMessage
 #7  0x00007f6e71d0db22 in virObjectNew
 #8  0x00007f6e71d0dbf1 in virObjectLockableNew
 #9  0x00007f6e71d0d3e5 in virMacMapNew
 #10 0x00007f6e71cdc50a in findLease
 #11 0x00007f6e71cdcc56 in _nss_libvirt_gethostbyname4_r
 #12 0x00007f6e724631fc in gaih_inet
 #13 0x00007f6e72464697 in __GI_getaddrinfo
 #14 0x00007f6e71d19e81 in virGetHostnameImpl
 #15 0x00007f6e71d1a057 in virGetHostnameQuiet
 #16 0x00007f6e71d09936 in virLogOnceInit
 #17 0x00007f6e71d09952 in virLogOnce
 #18 0x00007f6e714b5829 in __pthread_once_slow
 #19 0x00007f6e71d16e7d in virOnce
 #20 0x00007f6e71d0997c in virLogInitialize
 #21 0x00007f6e71d0a09a in virLogVMessage
 #22 0x00007f6e71d09ffd in virLogMessage
 #23 0x00007f6e71d0db22 in virObjectNew
 #24 0x00007f6e71d0dbf1 in virObjectLockableNew
 #25 0x00007f6e71d0d3e5 in virMacMapNew
 #26 0x00007f6e71cdc50a in findLease
 #27 0x00007f6e71cdc839 in _nss_libvirt_gethostbyname3_r
 #28 0x00007f6e71cdc724 in _nss_libvirt_gethostbyname2_r
 #29 0x00007f6e7248f72f in __gethostbyname2_r
 #30 0x00007f6e7248f494 in gethostbyname2
 #31 0x000056348c30c36d in hosts_keys
 #32 0x000056348c30b7d2 in main

Fortunately the extra stuff virGetHostname does is totally irrelevant to
the needs of the logging code, so we can just inline a call to the
native hostname() syscall directly.

Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>

The floppy command formatting is special-cased since it does not
directly translate to a single '-device' argument.

Move the code from qemuBuildDiskDriveCommandLine to a new helper
function so that all the related code is together.

Signed-off-by: Peter Krempa <pkrempa@redhat.com>

Chen Hanxiao authored 7 years ago and Michal Privoznik committed 7 years ago

We forgot to free alloced mem when failed to
dup ifname or macaddr.

Also use VIR_STEAL_PTR to simplify codes.

Signed-off-by: Chen Hanxiao <chenhanxiao@gmail.com>
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>

Chen Hanxiao authored 7 years ago and John Ferlan committed 7 years ago

Some of function comments don't have the right named parameters
and others are not consistent with the description alignment.
This patch fixes this.

Signed-off-by: Chen Hanxiao <chenhanxiao@gmail.com>

Several PCI controllers have the same options, and thus
can be handled together.

Signed-off-by: Andrea Bolognani <abologna@redhat.com>
Reviewed-by: John Ferlan <jferlan@redhat.com>

This is a hard error, and should be handled as such.
Introduced in 24614760.

Signed-off-by: Andrea Bolognani <abologna@redhat.com>
Reviewed-by: John Ferlan <jferlan@redhat.com>

Signed-off-by: Andrea Bolognani <abologna@redhat.com>

The Win32 symbol export file format can't do wildcards, so none of
the 'xdr_*' symbols are exported from the libvirt DLL. This doesn't
matter generally since the RPC client is built into the DLL and we
don't build libvirtd on Win32. The virnetmessagetest, however, does
require xdr_virNetMessageError to be exported, so just do a hack for
that.

Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>

Commit id 'ce7ae55e' added support for the lockd admin socket, but
forgot to add the socket to the make and spec files for installation
purposes.

Signed-off-by: John Ferlan <jferlan@redhat.com>
Reviewed-by: Daniel P. Berrange <berrange@redhat.com>

Commit id '85d45ff0' added support for the logd admin socket, but
forgot to add the socket to the make and spec files for installation
purposes.

NB: Includes breaking up the long %systemd_ lists across multiple lines
    for ease of reading

Signed-off-by: John Ferlan <jferlan@redhat.com>
Reviewed-by: Daniel P. Berrange <berrange@redhat.com>

Daniel P. Berrangé authored 7 years ago and Daniel P. Berrangé committed 7 years ago

Document that contributors are required to assert compliance with the
Developers Certification of Origin 1.1, by providing Signed-off-by tags
for all commit messages. The DCO is formally stating what we have long
implicitly expected of contributors in terms of their legal rights to
make the contribution. This puts the project in a stronger position
should any questions around contributions be raised going forward in the
future.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>

Loadable drivers must never depend on each other. Over time some usage
mistakenly crept in for the storage and network drivers, but now this is
eliminated the syntax-check rules can enforce this separation once more.

Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>

Undefined symbols are a bad thing in general because they can get
resolved in unexpected ways at runtime if multiple sources provide the
same symbol name. For example both glibc and libtirpc may provide XDR
symbols and we want to ensure that we resolve to libtirpc if that's what
we originally built against.

The toolchain maintainers thus strongly recommend that all applications
use the '-z defs' linker flag to prevent undefined symbols. This is
shortly becoming part of the default linker flags for RPMs. As an added
benefit this aligns Linux builds with Windows builds, where the linker
has never permitted undefined symbols.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>

Dynamic loadable modules all need a common set of linker flags

  -module -avoid-version $(AM_LDFLAGS)

Bundle those up into a $(AM_LDFLAGS_MOD) to avoid repetition.

Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>

The dlopened modules we currently build all use various symbols from
libvirt.so, but don't actually link to it. They rely on the libvirtd
daemon re-exporting the libvirt.so symbols. This means that at the
time the modules are linked, they contain a huge number of undefined
symbols. It also means that these undefined symbols are not versioned,
so despite us providing a LIBVIRT_PRIVATE_XXXX version that
intentionally changes on every release, the loadable modules could
actually be loaded into any libvirtd regardless of version.

This change explicitly links all modules against libvirt.so so
that they don't rely on the re-export behave and can be fully resolved
at build time. This will give us a stronger guarantee modules will
actually be loadable at runtime and that we're using modules from the
matched build.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>

The storagePoolLookupByTargetPath() method in the storage driver is used
by the QEMU driver during block migration. If there's a valid use case
for this in the QEMU driver, then external apps likely have similar
needs. Exposing it in the public API removes the direct dependancy from
the QEMU driver to the storage driver.

Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>

The virStorageTranslateDiskSourcePool method modifies a virDomainDiskDef
to resolve any storage pool reference. For some reason this was added
into the storage driver code, despite working entirely in terms of the
public APIs. Move it into the domain conf file and rename it to match the
object it modifies.

Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>

The networkDnsmasqConfContents() method is only used by the test suite
and that's only built with WITH_NETWORK is set. So there is no longer
any reason to conditionalize the declaration of this method.

Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>

Currently the QEMU driver will call directly into the network driver
impl to modify resolve the atual type of NICs with type=network. It
has todo this before it has allocated the actual NIC. This introduces
a callback system to allow us to decouple the QEMU driver from the
network driver.

This is a short term step, as it ought to be possible to achieve the
same end goal by simply querying XML via the public network API. The
QEMU code in question though, has no virConnectPtr conveniently
available at this time.

Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>

The QEMU driver calls into the network driver to get the first IP
address of the network. This information is readily available via the
formal public API by fetching the XML doc and then parsing it.

Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>

Currently the QEMU driver will call directly into the network driver
impl to modify network device bandwidth for interfaces with
type=network. This introduces a callback system to allow us to decouple
the QEMU driver from the network driver.

Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>

Currently virt drivers will call directly into the network driver impl
to allocate domain interface devices where type=network. This introduces
a callback system to allow us to decouple the virt drivers from the
network driver.

Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>

Rather than static linking in various of the helper libraries to
libvirt_lxc, just link against the main libvirt.so. This is more memory
and time efficient because it will already be cached in memory and
sharable between processes.

CAPNG flags need adding because the LXC code directly calls various
libcapng APIs and no longer inherits the CAPNG flags via the statically
linked .a libs.

Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>

The libvirt_driver_remote.la static library is linked into the
libvirt.so dynamic library, providing both the generic RPC layer code
and the remote protocol client driver. The libvirtd daemon the itself
links to libvirt_driver_remote.la, in order to get access to the generic
RPC layer code and the XDR functions for the remote driver. This means
we get multiple copies of the same code in libvirtd, one direct and one
indirect via libvirt.so. The same mistake affects the lockd plugin.

The libvirtd daemon should instead just link aganist the generic RPC
layer code that's in libvirt.so. This is easily doable if we add exports
for the few symbols we've previously missed, and wildcard export xdr_*
to expose the auto-generated XDR marshallers.

Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>

The QEMU driver loadable module needs to be able to resolve all ELF
symbols it references against libvirt.so. Some of its symbols can only
be resolved against the storage_driver.so loadable module which creates
a hard dependancy between them. By moving the storage file backend
framework into the util directory, this gets included directly in the
libvirt.so library. The actual backend implementations are still done as
loadable modules, so this doesn't re-add deps on gluster libraries.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>

The storage driver backends are serving the public storage pools API,
while the storage file backends are serving the internal QEMU driver and
/ or libvirt utility code.

To prep for moving this storage file backend framework into the utility
code, split out the backend definitions.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>

Tiago M. Vieira authored 7 years ago and Andrea Bolognani committed 7 years ago

Currently when the script validates the PKI files and
the certificate 'Subject:' field contains RDNs after
the Common Name (CN), these values are also included,
creating a false result that the CN is not correct.

A small change to the sed regex fixes this issue, by
extracting only the value for CN and nothing else. The
regex is replaced with the exact same regex used to
extract the CN value from the client certificate.

Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>

Broken by 759b4d1b.

Signed-off-by: Andrea Bolognani <abologna@redhat.com>

Lubomir Rintel authored 7 years ago and Daniel P. Berrangé committed 7 years ago

At later point it might not be possible or even safe to use getaddrinfo(). It
can in turn result in a load of NSS module.

Notably, on a LXC container startup we may find ourselves with the guest
filesystem already having replaced the host one. Loading a NSS module
from the guest tree would allow a malicous guest to escape the
confinement of its container environment because libvirt will not yet
have locked it down.

Viktor Mihajlovski authored 7 years ago and Peter Krempa committed 7 years ago

Refreshing the halted state can cause VM performance issues. Since
s390 is currently the only architecture with a known interest in
the halted state, we're avoiding to call QEMU on other platforms.

Signed-off-by: Viktor Mihajlovski <mihajlov@linux.vnet.ibm.com>

Since it may be possible that the state is unknown in some cases we
should store it as a tristate so that other code using it can determine
whether the state was updated.

The halted state is no longer extracted using this helper so the
argument can be removed.

Don't extract the halted state into a separate array, but rater access
the vcpu structures directly. We still need to call the vcpu helper to
retrieve the performance statistics though.

NUMA distances are part of guest ABI (guests can read it
directly!) and therefore as such shouldn't change throughout the
lifetime of domain.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>

Guido Günther authored 7 years ago and Michal Privoznik committed 7 years ago

Otherwise stopping domains with qemu://session fails like

[164012.338157] audit: type=1400 audit(1516202208.784:99): apparmor="DENIED" operation="signal" profile="/usr/sbin/libvirtd" pid=18835 comm="libvirtd" requested_mask="send" denied_mask="send" signal=term peer="unconfined"

Shivaprasad G Bhat authored 7 years ago and Peter Krempa committed 7 years ago

The virt-aa-helper fails to parse the xmls with the memory/cpu
hotplug features or user assigned aliases. Set the features in
xmlopt->config for the parsing to succeed.

Signed-off-by: Shivaprasad G Bhat <sbhat@linux.vnet.ibm.com>
Tested-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
Reviewed-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>

Fix for a CI build failure

Reviewed-by: Jiri Denemark <jdenemar@redhat.com>

https://bugzilla.redhat.com/show_bug.cgi?id=916061



If the QEMU version running is new enough (based on the DUMP_COMPLETED
event), then we can add a 'detach' boolean to the dump-guest-memory
command in order to tell QEMU to run in a thread. This ensures that we
don't lock out other commands while the potentially long running dump
memory is completed.

This allows the usage of a qemuDumpWaitForCompletion which will wait
for the event while the qemuDomainGetJobInfoDumpStats can be used via
qemuDomainGetJobInfo in order to query QEMU to determine how far along
the job is.

Now that we have a true async job, we'll only set the dump_memory_only
flag only when @detach=false; otherwise, we note that the job is a
for stats dump this allows the opposite end for job info to determine
what to copy.

Reviewed-by: Jiri Denemark <jdenemar@redhat.com>