Re: [libvirt] [PATCH v2] util: netdevbridge: fall back to ioctl from sysfs

2018-11-25 Thread Christian Ehrhardt
On Sun, Nov 25, 2018 at 10:01 PM Laine Stump  wrote:

> On 11/23/18 1:42 AM, Christian Ehrhardt wrote:
>
>
>
> On Tue, Nov 20, 2018 at 1:26 PM Daniel P. Berrangé 
> wrote:
>
>> On Tue, Nov 20, 2018 at 01:25:46PM +0100, Christian Ehrhardt wrote:
>> > There are certain cases e.g. containers where the sysfs path might
>> > exist, but might fail. Unfortunately the exact restrictions are only
>> > known to libvirt when trying to write to it so we need to try it.
>> >
>> > But in case it fails there is no need to fully abort, in those cases try
>> > to fall back to the older ioctl interface which can still work.
>> >
>> > That makes setting up a bridge in unprivileged LXD containers work.
>> >
>> > Fixes: https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1802906
>> >
>> > Signed-off-by: Christian Ehrhardt 
>> > Reported-by: Brian Candler 
>> > ---
>> >  src/util/virnetdevbridge.c | 48 +-
>> >  1 file changed, 26 insertions(+), 22 deletions(-)
>>
>> Reviewed-by: Daniel P. Berrangé 
>>
>
> Thanks for the review Daniel!
>
> Brian (on CC) also tested a Ubuntu build with the fix applied and it
> worked for him in unprivileged containers.
>
> There was no other feedback in the last three days.
> But this is no area I feel entitled to push the change on my own,
> therefore I wanted to ping on this - ping
>
>
> As long as you have commit privileges, feel free to push once there is a
> Reviewed-by: (unless we are in freeze).
>
 I wanted to be better safe than sorry, thanks for the confirmation.

> If it makes you feel any more confident about pushing - I had personally
> expressed misgivings about this patch in IRC to Dan because on first read
> it sounded like we might be exploiting a security flaw in LXC to modify
> networking when it shouldn't actually be allowed, but he convinced me that
> the situation isn't that "bridge and tap device management via sysfs is
> blocked because it should be, and ioctls are accidentally left enabled when
> they should have been disabled", but rather that "bridge/tap device
> management is acceptable in this situation, but sysfs is a huge can of
> worms that can only be made read-only on a global basis (and *must* be made
> read-only due to all the other things that shouldn't be allowed in this
> case)". Based on that, I'm okay with the patch as well.
>
> Ack to the can-of-worms being the reason :-)
Thanks !

... pushed to master now
--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list

[libvirt] Information sent in libvirt during the sasl usage and tls

2018-11-25 Thread Anastasiya Ruzhanskaya
Hello everyone!

I am trying without any success to decipher traffic from client to server
in virt-manager in wireshark, but I don't know the session key there, so
seems no chance to do this.

This is why I want to ask, is any info related to the certificate sent
through the connection? Or if I use kerberos protocol for authentication,
will the user id be sent in every message from client to server? Or only
during authentication?

Re: [libvirt] [PATCH 1/7] util: refactor iptables APIs to share more code

2018-11-25 Thread Laine Stump
On 11/1/18 8:52 AM, Daniel P. Berrangé wrote:
> Most of the iptables APIs share code for the add/delete paths, but a
> couple were separated. Merge the remaining APIs to facilitate future
> changes.
>
> Signed-off-by: Daniel P. Berrangé 


Reviewed-by: Laine Stump 





[libvirt] [PATCH 2/2] qemu: Add Default PCI Device for arm guests

2018-11-25 Thread infos
From: Stefan Schallenberg 

Signed-off-by: Stefan Schallenberg 
---
 src/qemu/qemu_domain.c | 9 +
 1 file changed, 9 insertions(+)

diff --git a/src/qemu/qemu_domain.c b/src/qemu/qemu_domain.c
index acf351f878..c8157b6888 100644
--- a/src/qemu/qemu_domain.c
+++ b/src/qemu/qemu_domain.c
@@ -3267,6 +3267,15 @@ qemuDomainDefAddDefaultDevices(virDomainDefPtr def,
 addDefaultMemballoon = false;
 if (qemuDomainIsARMVirt(def))
 addPCIeRoot = virQEMUCapsGet(qemuCaps, QEMU_CAPS_OBJECT_GPEX);
+
+if (!ARCH_IS_RISCV(def->os.arch) ||
+STREQ(def->os.machine, "versatilepb"))
+addPCIRoot = true;
+
+if (qemuDomainIsARMVirt(def) &&
+virQEMUCapsGet(qemuCaps, QEMU_CAPS_OBJECT_GPEX))
+addPCIRoot = true;
+
 break;
 
 case VIR_ARCH_PPC64:
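
Review bot: in the added block, the first condition, !ARCH_IS_RISCV(def->os.arch) || STREQ(def->os.machine, "versatilepb"), looks always true here. The context lines place it in the ARM branch of qemuDomainDefAddDefaultDevices(), where the arch is never RISC-V, so addPCIRoot is set for every ARM guest, the versatilepb test is never evaluated, and the second if only repeats an assignment that has already happened. For ARM virt guests with QEMU_CAPS_OBJECT_GPEX this also leaves both addPCIeRoot and addPCIRoot set. If the intent is a PCI root only for versatilepb, test the machine type alone, and please state in the commit message (currently only a Signed-off-by) which machines should get which root.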
-- 
2.19.2



[libvirt] [PATCH 1/2] Add armv6l Support as guest

2018-11-25 Thread infos
From: Stefan Schallenberg 

Support for armv6l qemu guests has been added.
Tested with arm1176 CPU on x86.

Signed-off-by: Stefan Schallenberg 
---
 docs/news.xml|  9 +
 docs/schemas/basictypes.rng  |  1 +
 src/qemu/qemu_capabilities.c |  5 ++-
 src/qemu/qemu_command.c  |  4 +-
 src/qemu/qemu_domain.c   | 11 --
 src/qemu/qemu_domain_address.c   |  6 ++-
 tests/capabilityschemadata/caps-qemu-kvm.xml | 10 +
 tests/testutilsqemu.c| 40 +++-
 8 files changed, 75 insertions(+), 11 deletions(-)

diff --git a/docs/news.xml b/docs/news.xml
index 4406aeb775..e3ec371876 100644
--- a/docs/news.xml
+++ b/docs/news.xml
@@ -25,6 +25,15 @@
 
 
 
+  
+
+  Add armv6l Support as guest
+
+
+  Support for armv6l qemu guests has been added.
+  Tested with arm1176 CPU on x86.
+
+  
 
 
 
diff --git a/docs/schemas/basictypes.rng b/docs/schemas/basictypes.rng
index 71a6db3bb4..9a651a4564 100644
--- a/docs/schemas/basictypes.rng
+++ b/docs/schemas/basictypes.rng
@@ -407,6 +407,7 @@
   aarch64
   alpha
   armv7l
+  armv6l
   cris
   i686
   ia64
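
Review bot: the new armv6l value is added after armv7l, while the surrounding values in this list (aarch64, alpha, armv7l, cris, i686, ia64) are in alphabetical order. Placing armv6l before armv7l would keep the list sorted.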
diff --git a/src/qemu/qemu_capabilities.c b/src/qemu/qemu_capabilities.c
index fde27010e4..70ecc5bf21 100644
--- a/src/qemu/qemu_capabilities.c
+++ b/src/qemu/qemu_capabilities.c
@@ -624,7 +624,7 @@ static const char *virQEMUCapsArchToString(virArch arch)
 {
 if (arch == VIR_ARCH_I686)
 return "i386";
-else if (arch == VIR_ARCH_ARMV7L)
+else if (arch == VIR_ARCH_ARMV6L || arch == VIR_ARCH_ARMV7L)
 return "arm";
 else if (arch == VIR_ARCH_OR32)
 return "or32";
@@ -2199,7 +2199,7 @@ static const char *preferredMachines[] =
 {
 NULL, /* VIR_ARCH_NONE (not a real arch :) */
 "clipper", /* VIR_ARCH_ALPHA */
-NULL, /* VIR_ARCH_ARMV6L (no QEMU impl) */
+"versatilepb", /* VIR_ARCH_ARMV6L */
 "integratorcp", /* VIR_ARCH_ARMV7L */
 "integratorcp", /* VIR_ARCH_ARMV7B */
 
@@ -4177,6 +4177,7 @@ virQEMUCapsInitQMPMonitor(virQEMUCapsPtr qemuCaps,
 
 /* GIC capabilities, eg. available GIC versions */
 if ((qemuCaps->arch == VIR_ARCH_AARCH64 ||
+ qemuCaps->arch == VIR_ARCH_ARMV6L ||
  qemuCaps->arch == VIR_ARCH_ARMV7L) &&
 virQEMUCapsProbeQMPGICCapabilities(qemuCaps, mon) < 0)
 goto cleanup;
diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c
index 23a6661c10..db0ff6da4d 100644
--- a/src/qemu/qemu_command.c
+++ b/src/qemu/qemu_command.c
@@ -9203,7 +9203,9 @@ static bool
 qemuChrIsPlatformDevice(const virDomainDef *def,
 virDomainChrDefPtr chr)
 {
-if (def->os.arch == VIR_ARCH_ARMV7L || def->os.arch == VIR_ARCH_AARCH64) {
+if (def->os.arch == VIR_ARCH_ARMV6L ||
+def->os.arch == VIR_ARCH_ARMV7L ||
+def->os.arch == VIR_ARCH_AARCH64) {
 
 /* pl011 (used on mach-virt) is a platform device */
 if (chr->deviceType == VIR_DOMAIN_CHR_DEVICE_TYPE_SERIAL &&
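
Review bot: the condition in qemuChrIsPlatformDevice() now spells out three architectures by hand, and the same ARMV6L / ARMV7L / AARCH64 triple is repeated in the qemu_domain.c hunks of this patch (qemuDomainDefaultNetModel, qemuDomainMachineIsARMVirt, qemuDomainSupportsNicdev). A single helper macro in the style of the ARCH_IS_S390() check visible in the context would keep these call sites in sync and make it harder to miss one the next time an ARM variant is added.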
diff --git a/src/qemu/qemu_domain.c b/src/qemu/qemu_domain.c
index 2f65bbe34e..acf351f878 100644
--- a/src/qemu/qemu_domain.c
+++ b/src/qemu/qemu_domain.c
@@ -3260,6 +3260,7 @@ qemuDomainDefAddDefaultDevices(virDomainDefPtr def,
 addPCIRoot = true;
 break;
 
+case VIR_ARCH_ARMV6L:
 case VIR_ARCH_ARMV7L:
 case VIR_ARCH_AARCH64:
 addDefaultUSB = false;
@@ -3305,7 +3306,6 @@ qemuDomainDefAddDefaultDevices(virDomainDefPtr def,
 addPCIRoot = true;
 break;
 
-case VIR_ARCH_ARMV6L:
 case VIR_ARCH_ARMV7B:
 case VIR_ARCH_CRIS:
 case VIR_ARCH_ITANIUM:
@@ -6035,7 +6035,8 @@ qemuDomainDefaultNetModel(const virDomainDef *def,
 if (ARCH_IS_S390(def->os.arch))
 return "virtio";
 
-if (def->os.arch == VIR_ARCH_ARMV7L ||
+if (def->os.arch == VIR_ARCH_ARMV6L ||
+def->os.arch == VIR_ARCH_ARMV7L ||
 def->os.arch == VIR_ARCH_AARCH64) {
 if (STREQ(def->os.machine, "versatilepb"))
 return "smc91c111";
@@ -9818,7 +9819,8 @@ bool
 qemuDomainMachineIsARMVirt(const char *machine,
const virArch arch)
 {
-if (arch != VIR_ARCH_ARMV7L &&
+if (arch != VIR_ARCH_ARMV6L &&
+arch != VIR_ARCH_ARMV7L &&
 arch != VIR_ARCH_AARCH64)
 return false;
 
@@ -10624,7 +10626,8 @@ qemuDomainSupportsNicdev(virDomainDefPtr def,
  virDomainNetDefPtr net)
 {
 /* non-virtio ARM nics require legacy -net nic */
-if (((def->os.arch == VIR_ARCH_ARMV7L) ||
+if (((def->os.arch == VIR_ARCH_ARMV6L) ||
+(def->os.arch == VIR_ARCH_ARMV7L) ||
 (def->os.arch == VIR_ARCH_AARCH64)) &&
 net->info.type != VIR_DOMAIN_DEVICE_ADDRESS_TYPE_VIRTIO_MMIO &&
 net->info.type != VIR_DOMAIN_DEVICE_ADDRESS_TYPE_PCI)
diff --git 

[libvirt] [PATCH 0/2] qemu: arm guest on x86

2018-11-25 Thread infos
From: Stefan Schallenberg 

*** BLURB HERE ***

Stefan Schallenberg (2):
  Add armv6l Support as guest
  qemu: Add Default PCI Device for arm guests

 docs/news.xml|  9 +
 docs/schemas/basictypes.rng  |  1 +
 src/qemu/qemu_capabilities.c |  5 ++-
 src/qemu/qemu_command.c  |  4 +-
 src/qemu/qemu_domain.c   | 20 --
 src/qemu/qemu_domain_address.c   |  6 ++-
 tests/capabilityschemadata/caps-qemu-kvm.xml | 10 +
 tests/testutilsqemu.c| 40 +++-
 8 files changed, 84 insertions(+), 11 deletions(-)

-- 
2.19.2



Re: [libvirt] [PATCH v2] util: netdevbridge: fall back to ioctl from sysfs

2018-11-25 Thread Laine Stump
On 11/23/18 1:42 AM, Christian Ehrhardt wrote:
>
>
> On Tue, Nov 20, 2018 at 1:26 PM Daniel P. Berrangé
> mailto:berra...@redhat.com>> wrote:
>
> On Tue, Nov 20, 2018 at 01:25:46PM +0100, Christian Ehrhardt wrote:
> > There are certain cases e.g. containers where the sysfs path might
> > exist, but might fail. Unfortunately the exact restrictions are
> only
> > known to libvirt when trying to write to it so we need to try it.
> >
> > But in case it fails there is no need to fully abort, in those
> cases try
> > to fall back to the older ioctl interface which can still work.
> >
> > That makes setting up a bridge in unprivileged LXD containers work.
> >
> > Fixes:
> https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1802906
> >
> > Signed-off-by: Christian Ehrhardt
>  >
> > Reported-by: Brian Candler  >
> > ---
> >  src/util/virnetdevbridge.c | 48
> +-
> >  1 file changed, 26 insertions(+), 22 deletions(-)
>
> Reviewed-by: Daniel P. Berrangé  >
>
>
> Thanks for the review Daniel!
>
> Brian (on CC) also tested a Ubuntu build with the fix applied and it
> worked for him in unprivileged containers.
>
> There was no other feedback in the last three days.
> But this is no area I feel entitled to push the change on my own,
> therefore I wanted to ping on this - ping


As long as you have commit privileges, feel free to push once there is a
Reviewed-by: (unless we are in freeze).


If it makes you feel any more confident about pushing - I had personally
expressed misgivings about this patch in IRC to Dan because on first
read it sounded like we might be exploiting a security flaw in LXC to
modify networking when it shouldn't actually be allowed, but he
convinced me that the situation isn't that "bridge and tap device
management via sysfs is blocked because it should be, and ioctls are
accidentally left enabled when they should have been disabled", but
rather that "bridge/tap device management is acceptable in this
situation, but sysfs is a huge can of worms that can only be made
read-only on a global basis (and *must* be made read-only due to all the
other things that shouldn't be allowed in this case)". Based on that,
I'm okay with the patch as well.

 

