Signed-off-by: Josh Durgin josh.dur...@dreamhost.com
---
src/qemu/qemu_driver.c | 14 ++
1 files changed, 10 insertions(+), 4 deletions(-)
diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c
index 78899a4..86e82d6 100644
--- a/src/qemu/qemu_driver.c
+++
This works with newer qemu that doesn't allow escaping spaces.
It's backwards compatible as well.
Signed-off-by: Josh Durgin josh.dur...@dreamhost.com
---
src/qemu/qemu_command.c|2 +-
.../qemuxml2argv-disk-drive-network-rbd-auth.args |2 +-
2 files changed,
On Mon, Apr 30, 2012 at 10:56:08PM -0700, Josh Durgin wrote:
This works with newer qemu that doesn't allow escaping spaces.
It's backwards compatible as well.
Signed-off-by: Josh Durgin josh.dur...@dreamhost.com
---
src/qemu/qemu_command.c|2 +-
On Mon, Apr 30, 2012 at 10:55:22PM -0700, Josh Durgin wrote:
Signed-off-by: Josh Durgin josh.dur...@dreamhost.com
---
src/qemu/qemu_driver.c | 14 ++
1 files changed, 10 insertions(+), 4 deletions(-)
diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c
index
https://bugzilla.redhat.com/show_bug.cgi?id=815755
The set of patch tries to fix the issue when multiple usb devices with
same idVendor, idProduct are available on host, the usb device with
lowest bus:device will be attached to guest if usb xml file is given like
this:
hostdev mode='subsystem'
refactor qemuPrepareHostdevUSBDevices function, make it focus on
adding usb device to activeUsbHostdevs after check. After that,
the usb hotplug function qemuDomainAttachHostDevice also could use
it.
expand qemuPrepareHostUSBDevices to perform the usb search,
rollback on failure.
---
usbFindDevice():get usb device according to
idVendor, idProduct, bus, device
it is the most strict search
usbFindDevByBus():get usb device according to bus, device
it returns only one usb device same as usbFindDevice
usbFindDevByVendor():get usb
On 04/30/2012 04:00 PM, Martin Kletzander wrote:
On 04/28/2012 12:13 PM, Guannan Ren wrote:
usbFindDevice():get usb device according to
idVendor, idProduct, bus, device
it is the most strict search
usbFindDevByBus():get usb device according to bus, device
One usb device could be allowed to hotplug in at a time. If user
give a xml as follows. Probably there are two usb devices available
but with different value of bus, device
we give a error to let user use address to specify the desired one.
hostdev mode='subsystem' type='usb' managed='yes'
On 04/30/2012 09:55 PM, Osier Yang wrote:
On 2012-04-28 18:13, Guannan Ren wrote:
usbFindDevice():get usb device according to
idVendor, idProduct, bus, device
it is the most strict search
usbFindDevByBus():get usb device according to bus, device
On Mon, Apr 30, 2012 at 02:55:06PM -0400, William Jon McCann wrote:
Hi,
New to the list so hopefully I'm following the correct protocol.
Almost - we tend to like the commit messages for patches to be
fairly verbose about the change, so your description of advantages
here is actually better
From: Daniel P. Berrange berra...@redhat.com
Once lxcContainerSetStdio is invoked, logging will not work as
expected in libvirt_lxc. So make sure this is the last thing to
be called, in particular after setting the security process label
---
src/lxc/lxc_container.c |8
1 file
This series fixes a startup problem with LXC and improves debugging
capabilities
--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list
This fixes a startup problem with LXC and security drivers, and
adds / improves debugging.
From: Daniel P. Berrange berra...@redhat.com
The driver-securityDriverName field may be NULL, if automatic
probing is used to determine security driver. This meant that
unless selinux was explicitly requested in lxc.conf, it was
not being sent to the libvirt_lxc process.
The
From: Daniel P. Berrange berra...@redhat.com
The virLogSetFromEnv call was done too late in startup to
catch many log messages (eg from security driver initialization).
To assist debugging also explicitly log the security details
at startup
---
src/lxc/lxc_controller.c | 12 +---
1
On 04/30/2012 05:57 PM, Eric Blake wrote:
Otherwise, a string such as _(Don't use \ VAR \.) would
complain about unmarked diagnostics.
* cfg.mk (sc_libvirt_unmarked_diagnostics): Handle \ in message.
---
I needed this patch to let me verify Stefan's DHCP Snooping series.
cfg.mk |2 +-
On 05/01/2012 03:27 AM, Eric Blake wrote:
On 04/20/2012 10:01 AM, Dmitry Guryanov wrote:
Add driver, which can report node info only.
Since this is the first commit in the series, can you please add more
information about pvs? This content from your 0/9 message would be
useful here:
Hi,
Thanks for the quick review!
On Tue, May 1, 2012 at 4:25 AM, Daniel P. Berrange berra...@redhat.com wrote:
On Mon, Apr 30, 2012 at 02:55:06PM -0400, William Jon McCann wrote:
...
+ if (!virFileIsDir(old_base) || virFileExists(config_dir)) {
+ goto error;
+ }
+
+ /* test
---
daemon/libvirtd-config.c | 10 +--
daemon/libvirtd.c | 110 +++---
daemon/libvirtd.pod.in |2 +-
docs/auth.html.in |2 +-
docs/uri.html.in |2 +-
src/libvirt.c |4 +-
As defined in:
http://standards.freedesktop.org/basedir-spec/basedir-spec-latest.html
This offers a number of advantages:
* Allows sharing a home directory between different machines, or
sessions (eg. using NFS)
* Cleanly separates cache, runtime (eg. sockets), or app data from
user settings
*
Sorry for the noise. Please disregard. Apparently I don't know how to
use git-email.
On Tue, May 1, 2012 at 9:39 AM, William Jon McCann
william.jon.mcc...@gmail.com wrote:
---
daemon/libvirtd-config.c | 10 +--
daemon/libvirtd.c | 110 +++---
On 04/30/2012 07:14 PM, Eric Blake wrote:
On 04/25/2012 06:59 AM, Stefan Berger wrote:
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
On 05/01/2012 08:04 AM, Stefan Berger wrote:
I've run out of review time today. Here's what I had to add to get
'make syntax-check' to be happy, but there are a lot of other cleanups
I've mentioned above.
Thanks for the review so far. I would have caught the make syntax-check
stuff
On 05/01/2012 07:03 AM, Dmitry Guryanov wrote:
On 05/01/2012 03:27 AM, Eric Blake wrote:
On 04/20/2012 10:01 AM, Dmitry Guryanov wrote:
Add driver, which can report node info only.
Since this is the first commit in the series, can you please add more
information about pvs? This content from
On 05/01/2012 04:10 AM, Daniel P. Berrange wrote:
This fixes a startup problem with LXC and security drivers, and
adds / improves debugging.
ACK series.
--
Eric Blake ebl...@redhat.com +1-919-301-3266
Libvirt virtualization library http://libvirt.org
On 05/01/2012 05:34 AM, Stefan Berger wrote:
On 04/30/2012 05:57 PM, Eric Blake wrote:
Otherwise, a string such as _(Don't use \ VAR \.) would
complain about unmarked diagnostics.
* cfg.mk (sc_libvirt_unmarked_diagnostics): Handle \ in message.
---
I needed this patch to let me verify
On 05/01/2012 06:10 AM, Daniel P. Berrange wrote:
From: Daniel P. Berrange berra...@redhat.com
The virLogSetFromEnv call was done too late in startup to
catch many log messages (eg from security driver initialization).
To assist debugging also explicitly log the security details
at startup
---
On 05/01/2012 06:10 AM, Daniel P. Berrange wrote:
From: Daniel P. Berrange berra...@redhat.com
The driver-securityDriverName field may be NULL, if automatic
probing is used to determine security driver. This meant that
unless selinux was explicitly requested in lxc.conf, it was
not being sent to
On 05/01/2012 06:10 AM, Daniel P. Berrange wrote:
From: Daniel P. Berrange berra...@redhat.com
Once lxcContainerSetStdio is invoked, logging will not work as
expected in libvirt_lxc. So make sure this is the last thing to
be called, in particular after setting the security process label
---
On 05/01/2012 10:44 AM, Eric Blake wrote:
Otherwise, a string such as _(Don't use \ VAR \.) would
complain about unmarked diagnostics.
* cfg.mk (sc_libvirt_unmarked_diagnostics): Handle \ in message.
---
v2: fix regex to skip all \ escape sequences, and put \+ in right place.
cfg.mk |2
Otherwise, a string such as _(Don't use \ VAR \.) would
complain about unmarked diagnostics.
* cfg.mk (sc_libvirt_unmarked_diagnostics): Handle \ in message.
---
v2: fix regex to skip all \ escape sequences, and put \+ in right place.
cfg.mk |2 +-
1 files changed, 1 insertions(+), 1
On 05/01/2012 08:46 AM, Stefan Berger wrote:
On 05/01/2012 10:44 AM, Eric Blake wrote:
Otherwise, a string such as _(Don't use \ VAR \.) would
complain about unmarked diagnostics.
* cfg.mk (sc_libvirt_unmarked_diagnostics): Handle \ in message.
---
v2: fix regex to skip all \ escape
On 05/01/2012 01:45 AM, Daniel P. Berrange wrote:
On Mon, Apr 30, 2012 at 10:55:22PM -0700, Josh Durgin wrote:
Signed-off-by: Josh Durgin josh.dur...@dreamhost.com
---
src/qemu/qemu_driver.c | 14 ++
1 files changed, 10 insertions(+), 4 deletions(-)
ACK
Pushed.
--
Eric
On 05/01/2012 01:44 AM, Daniel P. Berrange wrote:
On Mon, Apr 30, 2012 at 10:56:08PM -0700, Josh Durgin wrote:
This works with newer qemu that doesn't allow escaping spaces.
It's backwards compatible as well.
Signed-off-by: Josh Durgin josh.dur...@dreamhost.com
---
ACK
Pushed.
--
Eric
On 05/01/2012 06:29 PM, Eric Blake wrote:
On 05/01/2012 07:03 AM, Dmitry Guryanov wrote:
On 05/01/2012 03:27 AM, Eric Blake wrote:
On 04/20/2012 10:01 AM, Dmitry Guryanov wrote:
Add driver, which can report node info only.
Since this is the first commit in the series, can you please add more
On 04/30/2012 06:27 PM, Eric Blake wrote:
The recent push to use correct scaling terms (kB for 1000, KiB for
1024 - such as commit 9dfdead) missed some places in virsh.
ACK
From: Anthony Liguori aligu...@us.ibm.com
Signed-off-by: Anthony Liguori aligu...@us.ibm.com
Signed-off-by: Stefan Hajnoczi stefa...@linux.vnet.ibm.com
---
block.c |5 +
block/raw-posix.c | 16
block/raw-win32.c |2 +-
block/vdi.c |2 +-
From: Anthony Liguori aligu...@us.ibm.com
Implement the open hook UNIX domain socket protocol and accept passed
file descriptors.
Signed-off-by: Anthony Liguori aligu...@us.ibm.com
Signed-off-by: Stefan Hajnoczi stefa...@linux.vnet.ibm.com
---
block.c | 107
Usually we need to set O_CLOEXEC, which is platform-specific. Add a
wrapper like qemu_open() but for qemu_recvmsg().
Signed-off-by: Stefan Hajnoczi stefa...@linux.vnet.ibm.com
---
block.c |5 +
osdep.c | 46 ++
qemu-common.h |
Libvirt can take advantage of SELinux to restrict the QEMU process and prevent
it from opening files that it should not have access to. This improves
security because it prevents the attacker from escaping the QEMU process if
they manage to gain control.
NFS has been a pain point for SELinux
This patch implements a demo server for the new -open-hook-fd feature.
It opens any filename given to it by QEMU and therefore adds no true
security. But it serves as a good debugging tool to see what requests
QEMU is making.
$ gcc -o test-fd-passing -Wall test-fd-passing.c
$
From: Anthony Liguori aligu...@us.ibm.com
Signed-off-by: Anthony Liguori aligu...@us.ibm.com
Signed-off-by: Stefan Hajnoczi stefa...@linux.vnet.ibm.com
---
qemu-options.hx | 42 ++
1 file changed, 42 insertions(+)
diff --git a/qemu-options.hx
On Tue, May 1, 2012 at 4:31 PM, Stefan Hajnoczi
stefa...@linux.vnet.ibm.com wrote:
This patch implements a demo server for the new -open-hook-fd feature.
It opens any filename given to it by QEMU and therefore adds no true
security. But it serves as a good debugging tool to see what requests
On 04/30/2012 04:31 PM, Eric Blake wrote:
https://bugzilla.redhat.com/show_bug.cgi?id=817244 mentions that
unlike most other tools, where --help or --version prevent all
further parsing of all later options, virsh was strange in that
--version stopped parsing but --help tried to plow on to the
From: Zeeshan Ali (Khattak) zeesha...@gnome.org
---
libvirt-gconfig/libvirt-gconfig-domain.c |1 +
libvirt-gobject/libvirt-gobject-domain-snapshot.c |1 +
libvirt-gobject/libvirt-gobject-domain.c |3 +++
libvirt-gobject/libvirt-gobject-interface.c |2 ++
From: Zeeshan Ali (Khattak) zeesha...@gnome.org
Not quite complete but it's a good start.
---
libvirt-gconfig/Makefile.am| 11 ++-
...libvirt-gconfig-capabilities-cpu-arch-private.h | 39 +
.../libvirt-gconfig-capabilities-cpu-arch.c| 135 +
From: Zeeshan Ali (Khattak) zeesha...@gnome.org
Not quite complete but it's a good start.
---
libvirt-gconfig/Makefile.am| 11 ++-
...virt-gconfig-capabilities-cpu-feature-private.h | 39 ++
.../libvirt-gconfig-capabilities-cpu-feature.c | 77
The two following patches fix the same problem (described in
https://bugzilla.redhat.com/show_bug.cgi?id=816465) in two alternate
ways - one by retrying the failing operation after a delay, the other by
using knowledge of how libnl works internally to artificially reserve
a particular address so
This patch is one alternative to solve the problem detailed in:
https://bugzilla.redhat.com/show_bug.cgi?id=816465
Some other unidentified library in use by libvirtd (in another thread)
is apparently temporarily binding to a NETLINK_ROUTE raw socket with
an address of pid of libvirtd during
This is an alternate method of solving the problem detailed in:
https://bugzilla.redhat.com/show_bug.cgi?id=816465
Testing has shown that if we reserve the bind address of pid of
libvirtd so that libnl never tries to bind it, our bind of pid of
libnl + (1 22) (which is what libnl ends up
From: Zeeshan Ali (Khattak) zeesha...@gnome.org
---
libvirt-gconfig/libvirt-gconfig-capabilities.c |4 ---
libvirt-gobject/libvirt-gobject-connection.c | 32
libvirt-gobject/libvirt-gobject-connection.h |3 ++
libvirt-gobject/libvirt-gobject.sym
On 05/01/2012 01:05 PM, Laine Stump wrote:
The two following patches fix the same problem (described in
https://bugzilla.redhat.com/show_bug.cgi?id=816465) in two alternate
ways - one by retrying the failing operation after a delay, the other by
using knowledge of how libnl works internally to
On 05/01/2012 03:16 PM, Eric Blake wrote:
On 05/01/2012 01:05 PM, Laine Stump wrote:
The two following patches fix the same problem (described in
https://bugzilla.redhat.com/show_bug.cgi?id=816465) in two alternate
ways - one by retrying the failing operation after a delay, the other by
using
On 04/30/2012 06:59 PM, Serge Hallyn wrote:
configure.ac:
Check for libnl-3. If found, find libnl-route-3. If not found,
do the original check to look for libnl-1.
[...]
--- a/src/util/virnetlink.c
+++ b/src/util/virnetlink.c
@@ -67,7 +67,11 @@ struct _virNetlinkEventSrvPrivate {
Thanks for sending this out Stefan.
On 05/01/2012 10:31 AM, Stefan Hajnoczi wrote:
Libvirt can take advantage of SELinux to restrict the QEMU process and prevent
it from opening files that it should not have access to. This improves
security because it prevents the attacker from escaping the
On 04/26/2012 08:57 AM, Eric Blake wrote:
On 04/26/2012 12:56 AM, Laine Stump wrote:
The ATTRIBUTE_NONNULL(m) macro normally resolves to the gcc builtin
__attribute__((__nonnull__(m))). The effect of this in gcc is
unfortunately only to make gcc believe that m can never possibly be
NULL,
On 04/20/2012 10:01 AM, Dmitry Guryanov wrote:
Add function virJSONValueObjectKeysNumber, virJSONValueObjectGetKey
and virJSONValueObjectGetValue, which allow you to iterate over all
fields of json object: you can get number of fields and then get
name and value, stored in field with that name
On 05/01/2012 02:25 PM, Anthony Liguori wrote:
Thanks for sending this out Stefan.
Indeed.
This series adds the -open-hook-fd command-line option. Whenever QEMU
needs to
open an image file it sends a request over the given UNIX domain
socket. The
response includes the file descriptor or
From: Zeeshan Ali (Khattak) zeesha...@gnome.org
---
libvirt-gconfig/tests/Makefile.am |4 +-
libvirt-gconfig/tests/test-capabilities-parse.c | 159 +++
libvirt-gconfig/tests/test-capabilities-parse.xml | 294 +
3 files changed, 456
On 05/01/2012 09:21 AM, Stefan Berger wrote:
On 04/30/2012 06:27 PM, Eric Blake wrote:
The recent push to use correct scaling terms (kB for 1000, KiB for
1024 - such as commit 9dfdead) missed some places in virsh.
ACK
Thanks; series pushed.
--
Eric Blake ebl...@redhat.com
On 05/01/2012 01:10 PM, Laine Stump wrote:
This patch is one alternative to solve the problem detailed in:
https://bugzilla.redhat.com/show_bug.cgi?id=816465
Some other unidentified library in use by libvirtd (in another thread)
is apparently temporarily binding to a NETLINK_ROUTE raw
On 05/01/2012 04:25 PM, Anthony Liguori wrote:
Thanks for sending this out Stefan.
On 05/01/2012 10:31 AM, Stefan Hajnoczi wrote:
Libvirt can take advantage of SELinux to restrict the QEMU process and
prevent
it from opening files that it should not have access to. This improves
security
On 05/01/2012 01:11 PM, Laine Stump wrote:
This is an alternate method of solving the problem detailed in:
https://bugzilla.redhat.com/show_bug.cgi?id=816465
Testing has shown that if we reserve the bind address of pid of
libvirtd so that libnl never tries to bind it, our bind of pid of
On 05/01/2012 03:56 PM, Eric Blake wrote:
On 05/01/2012 02:25 PM, Anthony Liguori wrote:
Thanks for sending this out Stefan.
Indeed.
This series adds the -open-hook-fd command-line option. Whenever QEMU
needs to
open an image file it sends a request over the given UNIX domain
socket. The
On 05/01/2012 04:45 PM, Corey Bryant wrote:
On 05/01/2012 04:25 PM, Anthony Liguori wrote:
Thanks for sending this out Stefan.
On 05/01/2012 10:31 AM, Stefan Hajnoczi wrote:
Libvirt can take advantage of SELinux to restrict the QEMU process and
prevent
it from opening files that it should
On 05/01/2012 03:53 PM, Anthony Liguori wrote:
I think (correct me if I'm wrong) libvirt should be aware of any file
that qemu
asks it to open. So from a security point of view, libvirt can prevent
opening a
file if it isn't affiliated with the guest.
Right, libvirt can maintain a
On 05/01/2012 05:15 PM, Eric Blake wrote:
On 05/01/2012 03:53 PM, Anthony Liguori wrote:
I think (correct me if I'm wrong) libvirt should be aware of any file
that qemu
asks it to open. So from a security point of view, libvirt can prevent
opening a
file if it isn't affiliated with the guest.
On 04/20/2012 10:01 AM, Dmitry Guryanov wrote:
PVS driver is 'stateless', like vmware or openvz drivers.
It collects information about domains during startup using
command-line utility prlctl. VMs in PVS identified by UUIDs
s/identified/are identified/
or unique names, which can be used as
On 04/20/2012 10:01 AM, Dmitry Guryanov wrote:
Add functions for create/shutdown/destroy and suspend/resume domain.
Signed-off-by: Dmitry Guryanov dgurya...@parallels.com
---
po/POTFILES.in |1 +
src/pvs/pvs_driver.c | 148
++
On 04/20/2012 10:01 AM, Dmitry Guryanov wrote:
Add support of collecting information about serial
ports. This change is needed mostly as an example,
support of other devices will be added later.
Signed-off-by: Dmitry Guryanov dgurya...@parallels.com
---
src/pvs/pvs_driver.c | 115
On Mon, Apr 30, 2012 at 11:43:32AM -0700, Jason Helfman wrote:
On Mon, Apr 30, 2012 at 01:38:27PM -0500, Doug Goldstein thus spake:
On Sat, Apr 28, 2012 at 10:35 PM, Jason Helfman jhelf...@e-e.com wrote:
Okay, I screwed up the tarball for the first stable release, due to not
building it from a