This new security driver is responsible for managing UID/GID changes
to the QEMU process, and any files/disks/devices assigned to it.
* qemu/qemu_conf.h: Add flag for disabling automatic file permission
changes
* qemu/qemu_security_dac.h, qemu/qemu_security_dac.c: New DAC driver
for QEMU guests
* Makefile.am: Add new files
Based off how QEMU does it, look through /sys/bus/usb/devices/* for
matching vendor:product info, and if found, use info from the surrounding
files to build the device's /dev/bus/usb path.
This fixes USB device assignment by vendor:product when running qemu
as non-root (well, it should, but for some reason I couldn't reproduce
the failure people are seeing in [1], but it appears to work properly)
[1] https://bugzilla.redhat.com/show_bug.cgi?id=542450
Each driver supporting CPU selection must fill in host CPU capabilities.
When filling them, drivers for hypervisors running on the same node as
libvirtd can use cpuNodeData() to obtain raw CPU data. Other drivers,
such as VMware, need to implement their own way of getting such data.
Raw data can be decoded into virCPUDefPtr using cpuDecode() function.
When implementing virConnectCompareCPU(), a hypervisor driver can just
call cpuCompareXML() function with host CPU capabilities.
For each guest for which a driver supports selecting CPU models, it must
set the appropriate feature in guest's capabilities:
virCapabilitiesAddGuestFeature(guest, "cpuselection", 1, 0)
Actions needed when a domain is being created depend on whether the
hypervisor understands raw CPU data (currently CPUID for i686, x86_64
architectures) or symbolic names has to be used.
Typical use by hypervisors which prefer CPUID (such as VMware and Xen):
- convert guest CPU configuration from domain's XML into a set of raw
data structures each representing one of the feature policies:
cpuEncode(conn, architecture, guest_cpu_config,
&forced_data, &required_data, &optional_data,
&disabled_data, &forbidden_data)
- create a mask or whatever the hypervisor expects to see and pass it
to the hypervisor
Typical use by hypervisors with symbolic model names (such as QEMU):
- get raw CPU data for a computed guest CPU:
cpuGuestData(conn, host_cpu, guest_cpu_config, &data)
- decode raw data into virCPUDefPtr with a possible restriction on
allowed model names:
cpuDecode(conn, guest, data, n_allowed_models, allowed_models)
- pass guest->model and guest->features to the hypervisor
* src/cpu/cpu.c src/cpu/cpu.h src/cpu/cpu_generic.c
src/cpu/cpu_generic.h src/cpu/cpu_map.c src/cpu/cpu_map.h
src/cpu/cpu_x86.c src/cpu/cpu_x86.h src/cpu/cpu_x86_data.h
* configure.in: check for CPUID instruction
* src/Makefile.am: glue the new files in
* src/libvirt_private.syms: add new private symbols
* po/POTFILES.in: add new cpu files containing translatable strings
Initial support for the new QEMU monitor protocol using JSON
as the data encoding format instead of plain text
* po/POTFILES.in: Add src/qemu/qemu_monitor_json.c
* src/qemu/qemu_conf.c, src/qemu/qemu_conf.h: Hack to turn on QMP
mode. Replace with a version number check on >= 0.12 later
* src/qemu/qemu_monitor.c: Delegate to json monitor if enabled
* src/qemu/qemu_monitor_json.c, src/qemu/qemu_monitor_json.h: Add
impl of QMP protocol
* src/Makefile.am: Add src/qemu/qemu_monitor_json.{c,h}
This introduces simple API for handling JSON data. There is
an internal data structure 'virJSONValuePtr' which stores a
arbitrary nested JSON value (number, string, array, object,
nul, etc). There are APIs for constructing/querying objects
and APIs for parsing/formatting string formatted JSON data.
This uses the YAJL library for parsing/formatting from
http://lloyd.github.com/yajl/
* src/util/json.h, src/util/json.c: Data structures and APIs
for representing JSON data, and parsing/formatting it
* configure.in: Add check for yajl library
* libvirt.spec.in: Add build requires for yajl
* src/Makefile.am: Add json.c/h
* src/libvirt_private.syms: Export JSON symbols to drivers
* src/Makefile.am: Add processinfo.h/processinfo.c
* src/util/processinfo.c, src/util/processinfo.h: Module providing
APIs for getting/setting process CPU affinity
* src/qemu/qemu_driver.c: Switch over to new APIs for schedular
affinity
* src/libvirt_private.syms: Export virProcessInfoSetAffinity
and virProcessInfoGetAffinity to internal drivers
* configure.in: add new --with-udev, disabled by default, and requiring
libudev > 145
* src/node_device/node_device_udev.c src/node_device/node_device_udev.h:
the new node device backend
* src/node_device/node_device_linux_sysfs.c: moved node_device_hal_linux.c
to a better file name
* src/conf/node_device_conf.c src/conf/node_device_conf.h: add a couple
of fields in node device definitions, and an API to look them up,
remove a couple of unused fields from previous patch.
* src/node_device/node_device_driver.c src/node_device/node_device_driver.h:
plug the new driver
* po/POTFILES.in src/Makefile.am src/libvirt_private.syms: add the new
files and symbols
* src/util/util.h src/util/util.c: add a new convenience macro
virBuildPath and virBuildPathInternal() function
The qemu_driver.c code should not contain any code that interacts
with the QEMU monitor at a low level. A previous commit moved all
the command invocations out. This change moves out the code which
actually opens the monitor device.
* src/qemu/qemu_driver.c: Remove qemudOpenMonitor & methods called
from it.
* src/Makefile.am: Add qemu_monitor.{c,h}
* src/qemu/qemu_monitor.h: Add qemuMonitorOpen()
* src/qemu/qemu_monitor.c: All code for opening the monitor
* src/qemu/qemu.conf src/qemu/qemu_conf.c src/qemu/qemu_conf.h: there is
a new config type option for mac filtering
* src/qemu/qemu_bridge_filter.[ch]: new module for the ebtable entry points
* src/qemu/qemu_driver.c: plug the MAC filtering at the right places
in the domain life cycle
* src/Makefile.am po/POTFILES.in: add the new module
* configure.in: look for AppArmor and devel
* src/security/security_apparmor.[ch] src/security/security_driver.c
src/Makefile.am: add and plug the new driver
* src/security/virt-aa-helper.c: new binary which is used exclusively by
the AppArmor security driver to manipulate AppArmor.
* po/POTFILES.in: registers the new files
* tests/Makefile.am tests/secaatest.c tests/virt-aa-helper-test:
tests for virt-aa-helper and the security driver, secaatest.c is
identical to seclabeltest.c except it initializes the 'apparmor'
driver instead of 'selinux'
Pull out all the QEMU monitor interaction code to a separate
file. This will make life easier when we need to drop in a
new implementation for the forthcoming QMP machine friendly
monitor support.
Next step is to add formal APIs for each monitor command,
and remove direct commands for sending/receiving generic
data.
* src/Makefile.am: Add qemu_monitor.c to build
* src/qemu/qemu_driver.c: Remove code for monitor interaction
* src/qemu/qemu_monitor_text.c, src/qemu/qemu_monitor_text.h: New
file for monitor interaction
* po/POTFILES.in: Add src/qemu/qemu_monitor_text.c
This implementation stores the secrets in an unencrypted text file,
for simplicity in implementation and debugging.
(Symmetric encryption, e.g. using gpgme, will not be difficult to add.
Because the TLS private key used by libvirtd is stored unencrypted,
encrypting the secrets file does not currently provide much additional
security.)
* include/libvirt/virterror.h, src/virterror.c (VIR_ERR_NO_SECRET): New
error number.
* po/POTFILES.in, src/Makefile.am: Add secret_driver.
* bootstrap: Use gnulib's base64 module.
* src/secret_driver.c, src.secret_driver.h, src/libvirt_private.syms:
Add local secret driver.
* qemud/qemud.c (qemudInitialize): Use the local secret driver.
Add a <secret> XML handling API, separate from the local driver, to
avoid manually generating XML in other parts of libvirt.
* src/secret_conf.c, src/secret_conf.h: New files.
* po/POTFILES.in, src/Makefile.am: Add secret_conf.
* configure.in src/Makefile.am src/storage_backend.[ch]
src/storage_conf.[ch] src/storage_backend_mpath.[ch] po/POTFILES.in:
add a new module for storage multipath, it requires device-mapper
Define an <encryption> tag specifying volume encryption format and
format-depenedent parameters (e.g. passphrase, cipher name, key
length, key).
Currently the only defined parameter is a reference to a "secret"
(passphrase/key) managed using the virSecret* API.
Only the qcow/qcow2 encryption format, and a "default" format used to
let libvirt choose the format during volume creation, is currently
supported.
This patch does not add any users; the <encryption> tag is added in
the following patches to both volumes (to support encrypted volume
creation) and domains.
* docs/*.html: Re-generate
* docs/formatstorageencryption.html.in, docs/sitemap.html.in:
Add page describing storage encryption data format
* docs/schemas/Makefile.am, docs/schemas/storageencryption.rng:
Add RNG schema for storage encryption format
* po/POTFILES.in: Add src/storage_encryption_conf.c
* src/libvirt_private.syms: Export virStorageEncryption* functions
* src/storage_encryption_conf.h, src/storage_encryption_conf.c: Internal
helper APIs for dealing with storage encryption format
* libvirt.spec.in, mingw32-libvirt.spec.in: Add storageencryption.rng
RNG schema
* src/libvirt.c src/logging.c: Don't convert high priority levels to the
debug level. Don't parse LIBVIRT_LOG_FILTERS and LIBVIRT_LOG_OUTPUTS
when they're set to the empty string. Warn when the user specifies an
invalid value (empty string remains a noop).
* po/POTFILES.in: src/logging.c now include translatable strings
* src/libvirt.c: activate the interface drivers
* po/POTFILES.in: add the netcf driver as a source of localization strings
* src/interface_driver.c: NETCF_ENOMEM -> VIR_ERR_NO_MEMORY mapping was
breaking syntax checking
* src/interface_conf.c src/interface_conf.h: the import and export
routines and the internal APIs
* src/Makefile.am: hook the new file in the makefiles
* src/libvirt_private.syms: export a few private symbols internally
* po/POTFILES.in: the new file contains translatable strings
This makes it so we record (via a git submodule)
a snapshot of whatever version of gnulib we're using,
and none of gnulib sources are in the libvirt repository.
The result is that we have as much reproducibility as when
we version-controlled imported copies of the gnulib sources,
but without the hassle of the manual process we used when
syncing with upstream.
Note that when you clone libvirt, you get only the libvirt
repository, but when you first run ./bootstrap, it clones
gnulib (at the SHA1 recorded via the submodule), creating
the .gnulib/ hierarchy. Then, the bootstrap script runs
gnulib-tool to populate gnulib/ with the files that make
up the selected modules.
Put the following in your ~/.gitconfig file.
[alias]
syncsub = submodule foreach git pull origin master
The update procedure is simple:
git syncsub
...build & test...
git commit -m 'gnulib: sync submodule to latest' .gnulib
* .gitmodules: New file.
* .gnulib: Initialize.
* bootstrap: Set up to use the new submodule.
Stop using --no-vc-files.
Don't remove .gitignore files.
Don't use or create .cvsignore.
Diagnose an invalid --gnulib-srcdir=DIR argument.
* build-aux/vc-list-files: Delete file, now pulled from gnulib.
* build-aux/useless-if-before-free: Likewise.
* po/POTFILES.in: Remove gnulib/lib/gai_strerror.c, since
it no longer contains translatable strings.
* gnulib/*: Remove gnulib/ hierarchy.
* src/libvirt.c src/virterror.c: fix some missing comments in public
modules.
* docs/libvirt-api.xml docs/libvirt-refs.xml
docs/devhelp/libvirt-libvirt.html docs/html/libvirt-libvirt.html:
regenerated documentation
* po/*: updated the polish localization and regenerated
Daniel
* src/Makefile.am src/node_device.[ch] src/node_device_conf.[ch]
src/node_device_hal.[ch] src/node_device_hal_linux.c
src/qemu_driver.c src/remote_internal.c src/storage_backend.c
src/virsh.c src/xen_unified.c tests/nodedevxml2xmltest.c
po/POTFILES.in: implementation for node device create and destroy
in NPIV support, patch by David Allan
Daniel
* configure.in po/POTFILES.in src/Makefile.am src/libvirt_private.syms
src/pci.c src/pci.h: Add implementations of dettach, reattach and
reset for PCI devices, patch by Mark McLoughlin
Daniel
docs/devhelp/libvirt-virterror.html docs/html/libvirt-virterror.html:
regenerated the APIs and documentation.
* po/*: updated the polish translation, regenerated.
daniel
* configure.in docs/* NEWS: release of 0.5.0
* po/*: updated from the translators and merged
* docs/apibuild.py src/libvirt.c: avoid some warnings at doc
generation time
daniel
* Makefile.maint (sync-vcs-ignore-files): New target.
Prompted by a patch from James Morris.
http://thread.gmane.org/gmane.comp.emulators.libvirt/8619/focus=8773
Add all (now-generated) .gitignore files.
* .gitignore: New file.
* build-aux/.gitignore: New file.
* docs/.gitignore: New file.
* docs/devhelp/.gitignore: New file.
* docs/examples/.gitignore: New file.
* docs/examples/python/.gitignore: New file.
* gnulib/lib/.gitignore: New file.
* gnulib/lib/arpa/.gitignore: New file.
* gnulib/lib/netinet/.gitignore: New file.
* gnulib/lib/sys/.gitignore: New file.
* gnulib/tests/.gitignore: New file.
* include/.gitignore: New file.
* include/libvirt/.gitignore: New file.
* po/.gitignore: New file.
* proxy/.gitignore: New file.
* python/.gitignore: New file.
* python/tests/.gitignore: New file.
* qemud/.gitignore: New file.
* src/.gitignore: New file.
* tests/.gitignore: New file.
* tests/confdata/.gitignore: New file.
* tests/sexpr2xmldata/.gitignore: New file.
* tests/virshdata/.gitignore: New file.
* tests/xencapsdata/.gitignore: New file.
* tests/xmconfigdata/.gitignore: New file.
* tests/xml2sexprdata/.gitignore: New file.
POTFILES.in. Add it there, and then fix up one warning about included
c-ctypes.h that wasn't being used.
Signed-off-by: Chris Lalancette <clalance@redhat.com>
* src/qemu_conf.c: patch from Cole Robinson to report in the
capabilities only the ones where the emulators is actually found
* po/libvirt.pot: regenerated
* src/libvirt.c: small typo fix
Daniel
release
* src/xm_internal.c: fix xm driver serialization escapes
* tests/xmconfigtest.c tests/xmconfigdata/test-escape-paths.cfg
tests/xmconfigdata/test-escape-paths.xml: add test for previous
problem
Daniel
new function virBufferEscapeString() to format a string while
escaping its content for XML, and apply it to a couple of
obvious places, should fix bug #206653
* po/*: updated strings, and added new bosnian localization.
Daniel
erroneous value of the hypercall XEN_V2_OP_SETMAXMEM
* libvirt.spec.in: applies changes from Jeremy Katz for libvirt
spec and also another fix from Michael Schwendt fixing rhbz#233874
Daniel
include/libvirt/libvirt.h: preparing libvirt-0.1.9 release
* po/*.po: more updates and fix all the .po to not barf when msgfmt
tries to process them
Daniel
to the XML description and handle its serialization back and
forth between XML and S-Expr
* tests/sexpr2xmltest.c tests/xml2sexprtest.c
tests/sexpr2xmldata/sexpr2xml-curmem.*
tests/xml2sexprdata/xml2sexpr-curmem.*: added specific regression
tests for this, this didn't disturb any of the other tests.
Daniel
* proxy/libvirt_proxy.c src/libvirt.c src/proxy_internal.[ch]
src/xs_internal.[ch]: the virtGetOsType entry point was calling
the xenstore directly instead of going though driver, refactored
and implemented a specific new RPC with the proxy when this is
called as non-root fixes rhbz#214264 .
Daniel