Add dtrace static probes in libvirtd

Adds initial support for dtrace static probes in libvirtd
daemon, assuming use of systemtap dtrace compat shim on
Linux. The probes are inserted for network client connect,
disconnect, TLS handshake states and authentication protocol
states.

This can be tested by running the xample program and then
attempting to connect with any libvirt client (virsh,
virt-manager, etc).

 # stap examples/systemtap/client.stp
  Client fd=44 connected readonly=0
  Client fd=44 auth polkit deny pid:24997,uid:500
  Client fd=44 disconnected
  Client fd=46 connected readonly=1
  Client fd=46 auth sasl allow test
  Client fd=46 disconnected

The libvirtd.stp file should also really not be required,
since it is duplicated info that is already available in
the main probes.d definition file. A script to autogenerate
the .stp file is needed, either in libvirtd tree, or better
as part of systemtap itself.

* Makefile.am: Add examples/systemtap subdir
* autobuild.sh: Disable dtrace for mingw32
* configure.ac: Add check for dtrace
* daemon/.gitignore: Ignore generated dtrace probe file
* daemon/Makefile.am: Build dtrace probe header & object
  files
* daemon/libvirtd.stp: SystemTAP convenience probeset
* daemon/libvirtd.c: Add connect/disconnect & TLS probes
* daemon/remote.c: Add SASL and PolicyKit auth probes
* daemon/probes.d: Master probe definition
* daemon/libvirtd.h: Add convenience macro for probes
  so that compilation is a no-op when dtrace is not available
* examples/systemtap/Makefile.am, examples/systemtap/client.stp
  Example systemtap script using dtrace probe markers
* libvirt.spec.in: Enable dtrace on F13/RHEL6
* mingw32-libvirt.spec.in: Force disable dtrace
This commit is contained in:
Daniel P. Berrange 2010-09-14 17:30:32 +01:00
parent 9afa006082
commit 968eb4e5cd
14 changed files with 222 additions and 3 deletions

View File

@ -6,7 +6,7 @@ GENHTML = genhtml
SUBDIRS = gnulib/lib include src daemon tools proxy docs gnulib/tests \
python tests po examples/domain-events/events-c examples/hellolibvirt \
examples/dominfo examples/domsuspend examples/python examples/apparmor \
examples/xml/nwfilter examples/openauth
examples/xml/nwfilter examples/openauth examples/systemtap
ACLOCAL_AMFLAGS = -I m4 -I gnulib/m4

View File

@ -86,6 +86,7 @@ if [ -x /usr/bin/i686-pc-mingw32-gcc ]; then
--without-phyp \
--without-netcf \
--without-audit \
--without-dtrace \
--without-libvirtd
make

View File

@ -1107,6 +1107,29 @@ fi
AM_CONDITIONAL([WITH_SECDRIVER_APPARMOR], [test "$with_secdriver_apparmor" != "no"])
dnl DTrace static probes
AC_ARG_WITH([dtrace],
AC_HELP_STRING([--with-dtrace], [use dtrace for static probing @<:@default=check@:>@]),
[],
[with_dtrace=check])
if test "$with_dtrace" != "no" ; then
AC_PATH_PROG([DTRACE], [dtrace], [], [/bin:/usr/bin])
if test -z "$DTRACE" ; then
if test "$with_dtrace" = "check"; then
with_dtrace=no
else
AC_MSG_ERROR([You must install the 'dtrace' binary to enable libvirt static probes])
fi
else
with_dtrace=yes
fi
if test "$with_dtrace" = "yes"; then
AC_DEFINE_UNQUOTED([WITH_DTRACE], 1, [whether DTrace static probes are available])
fi
fi
AM_CONDITIONAL([WITH_DTRACE], [test "$with_dtrace" != "no"])
dnl NUMA lib
AC_ARG_WITH([numactl],
@ -2230,6 +2253,7 @@ AC_OUTPUT(Makefile src/Makefile include/Makefile docs/Makefile \
examples/openauth/Makefile \
examples/python/Makefile \
examples/hellolibvirt/Makefile \
examples/systemtap/Makefile \
examples/xml/nwfilter/Makefile)
AC_MSG_NOTICE([])
@ -2396,6 +2420,7 @@ AC_MSG_NOTICE([ Debug: $enable_debug])
AC_MSG_NOTICE([ Warnings: $enable_compile_warnings])
AC_MSG_NOTICE([ Readline: $lv_use_readline])
AC_MSG_NOTICE([ Python: $with_python])
AC_MSG_NOTICE([ DTrace: $with_dtrace])
AC_MSG_NOTICE([])
AC_MSG_NOTICE([Privileges])
AC_MSG_NOTICE([])

1
daemon/.gitignore vendored
View File

@ -10,3 +10,4 @@ libvirtd.init
libvirtd*.logrotate
libvirtd.pod
libvirtd.8
probes.h

View File

@ -1,5 +1,7 @@
## Process this file with automake to produce Makefile.in
CLEANFILES =
DAEMON_SOURCES = \
event.c event.h \
libvirtd.c libvirtd.h \
@ -36,6 +38,7 @@ EXTRA_DIST = \
test_libvirtd.aug \
THREADING.txt \
libvirtd.pod.in \
libvirtd.stp \
$(AVAHI_SOURCES) \
$(DAEMON_SOURCES)
@ -161,6 +164,25 @@ libvirtd_CFLAGS += $(AVAHI_CFLAGS)
libvirtd_LDADD += $(AVAHI_LIBS)
endif
EXTRA_DIST += probes.d libvirtd.stp
if WITH_DTRACE
libvirtd_LDADD += probes.o
libvirtd_SOURCES += probes.h
BUILT_SOURCES += probes.h
tapsetdir = $(datadir)/systemtap/tapsets
tapset_DATA = libvirtd.stp
probes.h: probes.d
$(AM_V_GEN)$(DTRACE) -o $@ -h -s $<
probes.o: probes.d
$(AM_V_GEN)$(DTRACE) -o $@ -G -s $<
CLEANFILES += probes.h probes.o
endif
install-data-local: install-init install-data-sasl install-data-polkit \
install-logrotate
@ -317,5 +339,5 @@ uninstall-data-sasl:
endif
CLEANFILES = $(BUILT_SOURCES) $(man_MANS) libvirtd.pod
CLEANFILES += $(BUILT_SOURCES) $(man_MANS) libvirtd.pod
CLEANFILES += *.cov *.gcov .libs/*.gcda .libs/*.gcno *.gcno *.gcda

View File

@ -1240,12 +1240,15 @@ remoteCheckCertificate(struct qemud_client *client)
}
}
PROBE(CLIENT_TLS_ALLOW, "fd=%d, name=%s", client->fd, name);
return 0;
authdeny:
PROBE(CLIENT_TLS_DENY, "fd=%d, name=%s", client->fd, name);
return -1;
authfail:
PROBE(CLIENT_TLS_FAIL, "fd=%d", client->fd);
return -1;
}
@ -1327,6 +1330,8 @@ static int qemudDispatchServer(struct qemud_server *server, struct qemud_socket
return -1;
}
PROBE(CLIENT_CONNECT, "fd=%d, readonly=%d", fd, sock->readonly);
if (server->nclients >= max_clients) {
VIR_ERROR(_("Too many active clients (%d), dropping connection"), max_clients);
goto error;
@ -1445,6 +1450,7 @@ static int qemudDispatchServer(struct qemud_server *server, struct qemud_socket
if (qemudRegisterClientEvent (server, client) < 0)
goto error;
} else {
PROBE(CLIENT_TLS_FAIL, "fd=%d", client->fd);
VIR_ERROR(_("TLS handshake failed: %s"),
gnutls_strerror (ret));
goto error;
@ -1476,6 +1482,7 @@ error:
VIR_FREE(client);
}
close (fd);
PROBE(CLIENT_DISCONNECT, "fd=%d", fd);
return -1;
}
@ -1519,6 +1526,7 @@ void qemudDispatchClientFailure(struct qemud_client *client) {
client->tlssession = NULL;
}
if (client->fd != -1) {
PROBE(CLIENT_DISCONNECT, "fd=%d", client->fd);
close(client->fd);
client->fd = -1;
}
@ -2079,6 +2087,7 @@ qemudDispatchClientHandshake(struct qemud_client *client) {
direction has changed */
qemudUpdateClientEvent (client);
} else {
PROBE(CLIENT_TLS_FAIL, "fd=%d", client->fd);
/* Fatal error in handshake */
VIR_ERROR(_("TLS handshake failed: %s"),
gnutls_strerror (ret));

View File

@ -49,6 +49,23 @@
# include "logging.h"
# include "threads.h"
# if WITH_DTRACE
# ifndef LIBVIRTD_PROBES_H
# define LIBVIRTD_PROBES_H
# include "probes.h"
# endif /* LIBVIRTD_PROBES_H */
# define PROBE(NAME, FMT, ...) \
VIR_DEBUG_INT("trace." __FILE__ , __func__, __LINE__, \
#NAME ": " FMT, __VA_ARGS__); \
if (LIBVIRTD_ ## NAME ## _ENABLED()) { \
LIBVIRTD_ ## NAME(__VA_ARGS__); \
}
# else
# define PROBE(NAME, FMT, ...) \
VIR_DEBUG_INT("trace." __FILE__, __func__, __LINE__, \
#NAME ": " FMT, __VA_ARGS__);
# endif
# ifdef __GNUC__
# ifdef HAVE_ANSIDECL_H
# include <ansidecl.h>

63
daemon/libvirtd.stp Normal file
View File

@ -0,0 +1,63 @@
probe libvirt.daemon.client.connect = process("libvirtd").mark("client_connect")
{
fd = $arg1;
readonly = $arg2;
}
probe libvirt.daemon.client.disconnect = process("libvirtd").mark("client_disconnect")
{
fd = $arg1;
}
probe libvirt.daemon.client.tls_allow = process("libvirtd").mark("client_tls_allow")
{
fd = $arg1;
x509dname = user_string($arg2);
}
probe libvirt.daemon.client.tls_deny = process("libvirtd").mark("client_tls_deny")
{
fd = $arg1;
x509dname = user_string($arg2);
}
probe libvirt.daemon.client.tls_fail = process("libvirtd").mark("client_tls_fail")
{
fd = $arg1;
}
function authtype_to_string(authtype) {
if (authtype == 0)
return "none"
if (authtype == 1)
return "sasl"
if (authtype == 2)
return "polkit"
return "unknown"
}
probe libvirt.daemon.client.auth_allow = process("libvirtd").mark("client_auth_allow")
{
fd = $arg1;
authtype = $arg2;
authname = authtype_to_string($arg2);
identity = user_string($arg3);
}
probe libvirt.daemon.client.auth_deny = process("libvirtd").mark("client_auth_deny")
{
fd = $arg1;
authtype = $arg2;
authname = authtype_to_string($arg2);
identity = user_string($arg3);
}
probe libvirt.daemon.client.auth_fail = process("libvirtd").mark("client_auth_fail")
{
fd = $arg1;
authtype = $arg2;
authname = authtype_to_string($arg2);
}

12
daemon/probes.d Normal file
View File

@ -0,0 +1,12 @@
provider libvirtd {
probe client_connect(int fd, int readonly);
probe client_disconnect(int fd);
probe client_auth_allow(int fd, int authtype, const char *identity);
probe client_auth_deny(int fd, int authtype, const char *identity);
probe client_auth_fail(int fd, int authtype);
probe client_tls_allow(int fd, const char *x509dname);
probe client_tls_deny(int fd, const char *x509dname);
probe client_tls_fail(int fd);
};

View File

@ -3791,6 +3791,7 @@ remoteDispatchAuthSaslInit (struct qemud_server *server,
authfail:
remoteDispatchAuthError(rerr);
error:
PROBE(CLIENT_AUTH_FAIL, "fd=%d, auth=%d", client->fd, REMOTE_AUTH_SASL);
virMutexUnlock(&client->lock);
return -1;
}
@ -3977,6 +3978,8 @@ remoteDispatchAuthSaslStart (struct qemud_server *server,
}
REMOTE_DEBUG("Authentication successful %d", client->fd);
PROBE(CLIENT_AUTH_ALLOW, "fd=%d, auth=%d, username=%s",
client->fd, REMOTE_AUTH_SASL, client->saslUsername);
ret->complete = 1;
client->auth = REMOTE_AUTH_NONE;
}
@ -3985,10 +3988,13 @@ remoteDispatchAuthSaslStart (struct qemud_server *server,
return 0;
authfail:
PROBE(CLIENT_AUTH_FAIL, "fd=%d, auth=%d", client->fd, REMOTE_AUTH_SASL);
remoteDispatchAuthError(rerr);
goto error;
authdeny:
PROBE(CLIENT_AUTH_DENY, "fd=%d, auth=%d, username=%s",
client->fd, REMOTE_AUTH_SASL, client->saslUsername);
goto error;
error:
@ -4073,6 +4079,8 @@ remoteDispatchAuthSaslStep (struct qemud_server *server,
}
REMOTE_DEBUG("Authentication successful %d", client->fd);
PROBE(CLIENT_AUTH_ALLOW, "fd=%d, auth=%d, username=%s",
client->fd, REMOTE_AUTH_SASL, client->saslUsername);
ret->complete = 1;
client->auth = REMOTE_AUTH_NONE;
}
@ -4081,10 +4089,13 @@ remoteDispatchAuthSaslStep (struct qemud_server *server,
return 0;
authfail:
PROBE(CLIENT_AUTH_FAIL, "fd=%d, auth=%d", client->fd, REMOTE_AUTH_SASL);
remoteDispatchAuthError(rerr);
goto error;
authdeny:
PROBE(CLIENT_AUTH_DENY, "fd=%d, auth=%d, username=%s",
client->fd, REMOTE_AUTH_SASL, client->saslUsername);
goto error;
error:
@ -4104,6 +4115,7 @@ remoteDispatchAuthSaslInit (struct qemud_server *server ATTRIBUTE_UNUSED,
remote_auth_sasl_init_ret *ret ATTRIBUTE_UNUSED)
{
VIR_ERROR0(_("client tried unsupported SASL init request"));
PROBE(CLIENT_AUTH_FAIL, "fd=%d, auth=%d", client->fd, REMOTE_AUTH_SASL);
remoteDispatchAuthError(rerr);
return -1;
}
@ -4118,6 +4130,7 @@ remoteDispatchAuthSaslStart (struct qemud_server *server ATTRIBUTE_UNUSED,
remote_auth_sasl_start_ret *ret ATTRIBUTE_UNUSED)
{
VIR_ERROR0(_("client tried unsupported SASL start request"));
PROBE(CLIENT_AUTH_FAIL, "fd=%d, auth=%d", client->fd, REMOTE_AUTH_SASL);
remoteDispatchAuthError(rerr);
return -1;
}
@ -4132,6 +4145,7 @@ remoteDispatchAuthSaslStep (struct qemud_server *server ATTRIBUTE_UNUSED,
remote_auth_sasl_step_ret *ret ATTRIBUTE_UNUSED)
{
VIR_ERROR0(_("client tried unsupported SASL step request"));
PROBE(CLIENT_AUTH_FAIL, "fd=%d, auth=%d", client->fd, REMOTE_AUTH_SASL);
remoteDispatchAuthError(rerr);
return -1;
}
@ -4208,6 +4222,8 @@ remoteDispatchAuthPolkit (struct qemud_server *server,
action, callerPid, callerUid, status);
goto authdeny;
}
PROBE(CLIENT_AUTH_ALLOW, "fd=%d, auth=%d, username=%s",
client->fd, REMOTE_AUTH_POLKIT, ident);
VIR_INFO(_("Policy allowed action %s from pid %d, uid %d"),
action, callerPid, callerUid);
ret->complete = 1;
@ -4217,9 +4233,12 @@ remoteDispatchAuthPolkit (struct qemud_server *server,
return 0;
authfail:
PROBE(CLIENT_AUTH_FAIL, "fd=%d, auth=%d", client->fd, REMOTE_AUTH_POLKIT);
goto error;
authdeny:
PROBE(CLIENT_AUTH_DENY, "fd=%d, auth=%d, username=%s",
client->fd, REMOTE_AUTH_POLKIT, ident);
goto error;
error:
@ -4333,6 +4352,8 @@ remoteDispatchAuthPolkit (struct qemud_server *server,
polkit_result_to_string_representation(pkresult));
goto authdeny;
}
PROBE(CLIENT_AUTH_ALLOW, "fd=%d, auth=%d, username=%s",
client->fd, REMOTE_AUTH_POLKIT, ident);
VIR_INFO(_("Policy allowed action %s from pid %d, uid %d, result %s"),
action, callerPid, callerUid,
polkit_result_to_string_representation(pkresult));
@ -4343,9 +4364,12 @@ remoteDispatchAuthPolkit (struct qemud_server *server,
return 0;
authfail:
PROBE(CLIENT_AUTH_FAIL, "fd=%d, auth=%d", client->fd, REMOTE_AUTH_POLKIT);
goto error;
authdeny:
PROBE(CLIENT_AUTH_DENY, "fd=%d, auth=%d, username=%s",
client->fd, REMOTE_AUTH_POLKIT, ident);
goto error;
error:

View File

@ -0,0 +1,2 @@
EXTRA_DIST = client.stp

View File

@ -0,0 +1,28 @@
#!/usr/bin/stap
probe libvirt.daemon.client.connect {
printf("Client fd=%d connected readonly=%d\n", fd, readonly);
}
probe libvirt.daemon.client.disconnect {
printf("Client fd=%d disconnected\n", fd);
}
probe libvirt.daemon.client.tls_allow {
printf("Client fd=%d tls allow %s\n", fd, x509dname);
}
probe libvirt.daemon.client.tls_deny {
printf("Client fd=%d tls deny %s\n", fd, x509dname);
}
probe libvirt.daemon.client.tls_fail {
printf("Client fd=%d tls fail\n", fd);
}
probe libvirt.daemon.client.auth_allow {
printf("Client fd=%d auth %s allow %s\n", fd, authname, identity);
}
probe libvirt.daemon.client.auth_deny {
printf("Client fd=%d auth %s deny %s\n", fd, authname, identity);
}
probe libvirt.daemon.client.auth_fail {
printf("Client fd=%d auth %s fail\n", fd, authname);
}

View File

@ -67,6 +67,7 @@
%define with_macvtap 0%{!?_without_macvtap:0}
%define with_libnl 0%{!?_without_libnl:0}
%define with_audit 0%{!?_without_audit:0}
%define with_dtrace 0%{!?_without_dtrace:0}
# Non-server/HV driver defaults which are always enabled
%define with_python 0%{!?_without_python:1}
@ -170,6 +171,10 @@
%define with_audit 0%{!?_without_audit:1}
%endif
%if 0%{?fedora} >= 13 || 0%{?rhel} >= 6
%define with_dtrace 1
%endif
# Force QEMU to run as non-root
%if 0%{?fedora} >= 12 || 0%{?rhel} >= 6
%define qemu_user qemu
@ -564,6 +569,10 @@ of recent versions of Linux (and other OSes).
%define _without_audit --without-audit
%endif
%if ! %{with_dtrace}
%define _without_dtrace --without-dtrace
%endif
%configure %{?_without_xen} \
%{?_without_qemu} \
%{?_without_openvz} \
@ -596,6 +605,7 @@ of recent versions of Linux (and other OSes).
%{?_without_libpcap} \
%{?_without_macvtap} \
%{?_without_audit} \
%{?_without_dtrace} \
--with-qemu-user=%{qemu_user} \
--with-qemu-group=%{qemu_group} \
--with-init-script=redhat \
@ -607,7 +617,7 @@ gzip -9 ChangeLog
rm -fr %{buildroot}
%makeinstall
for i in domain-events/events-c dominfo domsuspend hellolibvirt openauth python xml/nwfilter
for i in domain-events/events-c dominfo domsuspend hellolibvirt openauth python xml/nwfilter systemtap
do
(cd examples/$i ; make clean ; rm -rf .deps .libs Makefile Makefile.in)
done
@ -763,6 +773,9 @@ fi
%{_sysconfdir}/rc.d/init.d/libvirtd
%config(noreplace) %{_sysconfdir}/sysconfig/libvirtd
%config(noreplace) %{_sysconfdir}/libvirt/libvirtd.conf
%if %{with_dtrace}
%{_datadir}/systemtap/tapsets/libvirtd.stp
%endif
%dir %attr(0700, root, root) %{_localstatedir}/log/libvirt/qemu/
%dir %attr(0700, root, root) %{_localstatedir}/log/libvirt/lxc/
%dir %attr(0700, root, root) %{_localstatedir}/log/libvirt/uml/
@ -909,6 +922,7 @@ fi
%doc examples/domsuspend
%doc examples/openauth
%doc examples/xml
%doc examples/systemtap
%if %{with_python}
%files python

View File

@ -58,6 +58,7 @@ MinGW Windows libvirt virtualization library.
--without-phyp \
--without-netcf \
--without-audit \
--without-dtrace \
--without-libvirtd
make